The Illinois Supreme Court just handed down a ruling on customer privacy (see this article) that at first blush seems like an obvious win for customers like you and me. But it’s not that simple.
First off – biometrics is a term used increasingly these days as if it’s one thing – which it’s not. Wikipedia offers this very thorough description. the image they use in the Wikipedia page is from Walt Disney World, where I spent years helping out with their MagicBand project now known as MyMagic+. The reason this is such a good example in the context of this recent Illinois Supreme Court case, is that the biometric data captured by Walt Disney World is not the same as a fingerprint. This gets to the core of why this Illinois Supreme Court case is more complex than it seems at first blush.
The other key element of this is that while companies are highly interested in, and focused on technology for the sake of security (largely to reduce fraud), the other end of that is the Customer Experience. Customer Experience needs to aim to reduce friction and make things as smooth and effortless as possible while still maintaining customer trust. If the Customer Experience doesn’t have enough security – customers will abandon the experience, as you might expect. According to Experian 27% of customer abandonment is a result of “lack of visible security.”
Back to biometrics – if Walt Disney World were capturing fingerprint information – information that could be linked back to a database to identify people, like someone on the FBI Most Wanted list, that would be one thing. But that’s not the case. The biometric data they are capturing is not enough to do that sort of “reverse lookup” to see who someone is. Walt Disney World is only storing about a dozen data points of the biometric to Authenticate (which is different from Verification and Identification as you may remember from a prior blog post – here).
So Disney is using the biometric for Authentication, like a password, and the reason they do that is so someone doesn’t take their ticket or MagicBand (or other method used for park entry) and “throw it over the fence” to let friends use the same ticket, since tickets can be re-used throughout the day.
Because the biometric in the case of Walt Disney World is not something that could be used for a reverse lookup, or an “Identification”, there is no personally identifiable information (PII) in the data, and thus it poses zero privacy risk to the customers they call Guests.
That’s why this Illinois case is so important, and potentially dangerous.
Until people are clear about the distinction between Verification, Authentication, and Identification as it relates to biometric data, there is a high risk of a “witch hunt” type of environment when it comes to privacy. What seems likely, if not inevitable, is having a bright line distinction between which biometric information is PII data, and which is not, so that it is very clear where privacy should, and should not be raised as an issue. Someone or some group is likely to create a set of standards for this so that like KYC/AML or ISO, it’s a clear standard that people can say they comply with to some range or spectrum of levels, like 1-5 where 1 would be zero PII, and 5 is PII, and with some room between the two for different types of use cases.
Because there is a spectrum of privacy and biometric data, and where the PII line is crossed, there need to be a variety of solutions to meet the needs of different organizations. At places like airports, the biometric probably needs to have PII so the airport can Identify the person with a reverse lookup, whereas most organizations will want to start with Verification (in which the customer voluntarily submits PII to verify that they are who they say they are – what AuthenticID calls First Mile Verification), and then Authentication with whatever rigor makes sense.
Because this is such a three-dimensional model of security, privacy, and Customer Experience, organizations will need to choose what is best for them. AuthenticID allows companies of every size to personalize the Verification and Authentication process, both for Customer Enrollment (which directly impacts revenue) and various aspects related to fraud (which saves money from fraud loss – which is a multi-trillion dollar problem globally).
Other companies say they offer the same or similar service as AuthenticID, but no one offers a service as fast (under ten seconds in most cases instead of minutes or hours with error-prone manual checking), 43% better ability to automate a decision compared with the next closest competitor, and automated tamper detection and industry low false rejection rate. And if any of those terms don’t make sense – we are happy to spell them out in plain english with clear use case examples.
Let us know if you would like more information about biometrics, or our Verification and Authentication services.