A previous blog post introduced the subject of biometric security, covering how identity is established using biological inputs such as fingerprints, palm veins, and features of the face, iris or retina. Both the technologies involved in biometrics and the governing legal frameworks are changing. Here we focus on the behavioral side of biometrics, explore why it can be of interest to attorneys, and consider how a behavioral biometrics expert witness may be able to assist in pending litigation.
What are behavioral biometrics?
Start with a definition. In behavioral biometrics, identity is inferred from how the user interacts with the computing device. The set of user behaviors that can contribute to biometric identification is dizzyingly large and still expanding. Examples include the rhythm of keystrokes, how the mouse is moved, and the details of how the subject walks. Closer sensing of the subject’s physiology has recently made additional behavioral biometrics usable, such as the electrocardiogram, the electroencephalogram, and heart sounds.
The concept behind behavioral biometrics is not new: the specifics of how a person produces Morse code on a telegraph key were imagined as a means of identification from the dawn of radio communications. Different telegraphers had unique styles in their dots and dashes, which could be used to identify them.
It’s important to contrast behavioral biometrics with device fingerprinting, an approach already employed by financial institutions. Device fingerprinting characterizes a user from aspects of the devices they use. Beyond the device’s model number, it is often easy to infer the hardware configuration, operating system, applications installed and locations of regularly-used networks. Suspicion is raised if the access does not match what was recorded in the past.
Behavioral biometrics is all about human behavior. How is a fine level of discernment of the user’s movements and habits possible? Much of the capability comes from the accelerometers and gyroscopic sensors (usually MEMS based) which have become common in all phones. These reveal details of how people hold their phones when using them, how they carry them, type, scroll, and even the way they walk.
Why do behavioral biometrics matter?
The cost of unauthorized access to computer systems is vast. Here are two examples:
- A study by McAfee and the Center for Strategic and International Studies put the global cost of cybercrime at between $445 and $608 billion in 2017.
- The Wannacry ransomware forced 40 hospitals in the UK to suspend normal services when it was released. Worse, a full two years after its release, it is still active in 103 countries, especially within health-care organizations.
The promise of the new behavioral biometrics is frictionless security. A phone senses how hard a user’s finger is pressing on the screen and the way gestures like “swipes” are performed. On-board gyroscopes easily reveal the angle at which the phone is held. These data are (unsurprisingly) fed to machine learning systems in the cloud which provide sophisticated analysis and pattern recognition.
Nexuses of behavioral biometrics and the law
Unlike passwords, biometric data is not secret. Biometric systems are also prone to errors. These can be false positives (false accepts), where the algorithm verifies an identity it should have rejected, or false negatives (false rejects), where an authorized user is denied access. Such error rates could matter in litigation, and a behavioral biometrics expert witness might assist on such a case.
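To make the two error types concrete, here is an added illustration (not code from the original post or from any vendor named in it) that scores keystroke rhythm, one of the behaviors mentioned above, against an enrolled template and measures the false accept rate (FAR) and false reject rate (FRR) at several decision thresholds. The dwell-time samples are constructed, and the z-score distance is a deliberately simple scoring rule chosen for the example.

```python
from statistics import mean, stdev

# Constructed dwell times (ms) for a five-key phrase. These are made-up values
# for illustration, not measurements from any product.
ENROLLED = [          # samples captured while enrolling the legitimate user
    [95, 110, 88, 130, 102],
    [98, 108, 90, 128, 105],
    [92, 113, 86, 133, 100],
    [97, 111, 89, 129, 103],
]
GENUINE = [           # later logins by the same user
    [96, 109, 87, 131, 104],
    [99, 112, 91, 127, 101],
    [93, 107, 85, 134, 106],
]
IMPOSTOR = [          # logins by other people typing the same phrase
    [140, 160, 120, 180, 150],
    [120, 125, 110, 150, 130],
    [100, 115, 95, 135, 108],   # a near miss: rhythm close to the enrolled user
]

def build_template(samples):
    """Per-key mean and standard deviation of dwell time from enrollment.
    The standard deviation is floored at 1 ms so a very consistent key
    cannot produce a division by zero in the distance."""
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]

def distance(template, attempt):
    """Mean absolute z-score across keys; lower means closer to the template."""
    return sum(abs(v - m) / s for (m, s), v in zip(template, attempt)) / len(template)

def error_rates(template, genuine, impostor, threshold):
    """Return (FAR, FRR): share of impostors accepted, share of genuine users rejected."""
    far = sum(distance(template, a) <= threshold for a in impostor) / len(impostor)
    frr = sum(distance(template, a) > threshold for a in genuine) / len(genuine)
    return far, frr

def sweep(template, genuine, impostor, thresholds):
    """Tabulate the trade-off: a tighter threshold cuts FAR but raises FRR."""
    return [(t, *error_rates(template, genuine, impostor, t)) for t in thresholds]

if __name__ == "__main__":
    tpl = build_template(ENROLLED)
    for t, far, frr in sweep(tpl, GENUINE, IMPOSTOR, [1.5, 2.0, 3.0]):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
```

With these samples the near-miss impostor is accepted at the loose threshold while one genuine login is rejected at the tight one, which is exactly the trade-off a party disputing an authentication outcome would need to have quantified.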
Biometric data is protected personally identifiable information. EU guidance dating back to 2012 recommends that it be treated as “sensitive” information, rather than merely “personal data.” The recently enacted General Data Protection Regulation (GDPR) prohibits processing of biometric data unless people provide explicit consent. Exceptions to this rule are narrow.
In the US, the Illinois Biometric Information Privacy Act (BIPA) prohibits companies from collecting biometric information from individuals without notice and written consent. This legislation passed in 2008 in response to the growing use of biometric technology in the business and security-screening sectors. Specifically, lawmakers were concerned about companies like Pay By Touch which, in the early 2000s, brought biometric authentication to payment systems. When Pay By Touch entered bankruptcy, the sale of its assets put consumers’ biometric information at risk. BIPA contains a private right of action that allows any person “aggrieved” by a violation of the act to bring a claim against the offending party for $1,000 or actual damages per negligent violation, and $5,000 or actual damages per intentional or reckless violation.
The rate of innovation in the area of behavioral biometrics is substantial. UnifyID is promising 99.999% accuracy in user identification. Their algorithm combines 100 attributes derived from a person’s motion and the pose of their phone, WiFi, GPS and Bluetooth data. Predictably, machine learning is also part of their product. Their goal is to deliver such precision without requiring conscious user interaction.
A similar approach is offered by Behaviosec. Their continuous authentication scheme has 35 million users in Europe, and banks are major clients. In the patent disputes that will inevitably arise in this field, a behavioral biometrics patent expert witness will likely be engaged on the issues of validity and infringement.
Behavioral biometrics is growing rapidly to address the cybercrime menace. It strengthens online security against increasingly sophisticated attacks, while improving the user and customer experience. These technologies will likely require the services of a qualified behavioral biometrics expert witness.