As biometric verification systems sweep across business, questions are being asked about what’s happening to all that personal information – and just who has access to it


You’re not still tweeting, are you? As anyone with an eye on tech, an interest in social media or a teenage daughter will tell you, Snapchat is where it’s at right now. The image messaging mobile app currently has about 150 million active daily users – all of whom send ‘snaps’ or messages (if you’re still a noob) made up of a photo or short video, usually with snappy lense filters and effects added on. Those ‘lenses’ are what make Snapchat so charming and so addictive. However, they rely on facial recognition software… And that’s becoming a huge legal problem for the company.

In May, two users in the US state of Illinois filed a class action lawsuit alleging that Snapchat has been storing information that makes them susceptible to identity theft. And this, they say, is in violation of the Illinois Biometric Information Privacy Act (BIPA) – a little-known law that’s about to cause major headaches for the world’s biometrics firms. The plaintiffs claim that Snapchat collected, stored and used their biometric identifiers and information without providing prior notice or obtaining written consent, and failed to provide a publicly available written policy.

Snapchat denies these allegations, with its privacy policy stating that its lenses rely on object recognition, which uses an algorithm designed to ‘understand the general nature of things that appear in an image’. According to the company: ‘It lets us know that a nose is a nose or an eye is an eye. But object recognition isn’t the same as facial recognition. While lenses can recognise faces in general, they can’t recognise a specific face.’

The charges – which Snapchat has dismissed as ‘frivolous lawsuits’ – are the tip of a fast-growing iceberg, with tech giants Google and Facebook facing similar claims based on that obscure Illinois law.

Under the BIPA, companies must obtain written consent from customers before collecting their biometric data, and – in a timely echo of SA’s own Protection of Personal Information (POPI) Act of 2013 – those companies may not sell that data and must declare a point at which they will destroy it. The BIPA states that damages of $5 000 may be awarded per violation.

According to the law, ‘social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual. Therefore, once compromised, the individual has no recourse, and is at heightened risk for identity theft’.

The great strength of biometric security, then, is also potentially its greatest weakness. As a password system, biometric verification is as good as it gets. In a 2015 academic paper, Pennsylvania State University associate professor Brian Lennon wrote: ‘The technical function of the password is to thwart time in the name of security. To verify – by means of an invariant linguistic signature – that for the purpose of access to resources, I am the same user I was yesterday.’

Biometric user verification uses your biology – something that’s unlikely to change, except by horrific accident or deliberate (and extensive) cosmetic design – to make and keep that exact promise. Your face is yours alone. Your voice is yours alone. Your fingerprints are yours alone. The question that the Snapchat lawsuit is asking, however, is are those biometrics really yours at all?

With that being said, biometrics are sweeping across Africa and it’s easy to see why. Consumers find it difficult to keep passwords secure and up to date, as evidenced by security firm SplashData’s amusing annual worst passwords list. (Hint: If you’re using ‘passw0rd’, ‘letmein’ or ‘1234’ as yours, it’s time you changed it.) Biometrics, on the other hand, are convenient (your fingerprints are with you wherever you go) and, of course, almost impossible to forge.

Last year May, Investec Private Bank became the first SA bank to use voice biometrics. Absa followed shortly after, using voice biometrics to verify private banking clients’ identities when they execute phone banking transactions through the Absa call centre.


The company stated on its website: ‘The secure voice biometric technology means accessing your account has become faster (no lengthy call with consultants), smarter (authenticates your identity using the biometrics in your voice – voiceprint – to access your account) and safer (no need for passwords and you deal directly with your account). This service will enhance your security and offer you a seamless banking-by-phone experience.’

The Payments Association of South Africa announced in July that it was working with Visa and MasterCard to develop a standard for using biometric authentication on payment cards. The standard will include fingerprint verification and palm, voice, iris and facial biometrics. It will also introduce an interoperable method for recording biometric information. In essence, this means that the fingerprints linked to your Absa card will work on a Standard Bank fingerprint scanner.

However, the question of who owns that information still remains. Once your fingerprint is in their system, can Absa, Standard Bank, Visa or MasterCard sell that information on to marketers and advertisers, as so many companies do with telephone numbers and other personal details? The short answer is no. The POPI Act includes biometrics under the umbrella of personal information, defining it as ‘a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood-typing, fingerprinting, DNA analysis, retinal scanning and voice recognition’.

Your biometric information, then, will enjoy the same privacy protection as your other personal information as soon as the POPI law comes into effect. But when will this happen?

‘We don’t know for sure,’ says John Giles, managing attorney at corporate law firm Michalsons. ‘Nobody does. We are waiting for the President [Jacob Zuma] to proclaim the date, which will only be after the appointment of the information regulator. The commencement date could even be announced when the information regulator is appointed.

‘We anticipate that the POPI commencement date will be towards the end of 2016 but no later than 24 May 2017. Bear in mind that there is a one-year grace period that could be used by the information regulator to begin the work. We currently anticipate that you will have to comply with POPI from about the end of 2017 and the information regulator will start enforcing POPI from then,’ says Giles. Meanwhile, SA companies that use biometric verification systems will continue to look nervously to places such as Illinois and India.


In March, India passed a measure that will allow federal agencies to access the biometric data of its citizens. This is the largest repository of biometric information linked to a national identity card system. Nearly 1 billion biometric ID cards – known as Aadhaar cards – have been issued in India over the course of the last six years. The database stores fingerprints and iris scans of every account holder, and labels each with a 12-digit ID number.

‘From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account – all these transactions get logged against the centralised database,’ says Pranesh Prakash, policy director of Bangalore’s Centre for Internet and Society.

Speaking to Reuters, executive director of the centre Sunil Abraham put it in even starker terms. ‘Maintaining a central [biometric] database is akin to getting the keys of every house in Delhi and storing them at a central police station,’ he says. ‘It is very easy to capture iris data of any individual with the use of next-generation cameras. Imagine a situation where the police are secretly capturing the iris data of protesters and then identifying them through their biometric records.’

As citizens of a globally connected world, we already give so much of our private information away – whether it’s our mobile phone numbers, purchasing patterns (just ask your credit card company) or internet browsing habits (hello, Google). Are we ready to give our faces and fingerprints away as well? Depending on how events in Illinois, India and the information regulator’s office go, we may not have much of a choice.

By Mark van Dijk
Illustration: Mr.Xerty © www.nomastaprod.com