Behavioural biometrics flag fraud but invade privacy

In August 2018, banks and merchants had begun tracking the physical movements users make with input devices - keyboard, mouse, finger swipes - to aid in blocking automated attacks and suspicious transactions. In some cases, however, sites are amassing tens of millions of identifying "behavioural biometrics" profiles. Users can't tell when the data is being collected. With passwords and other personal information used to secure financial accounts under constant threat from data breaches, this approach is valuable for security. However, privacy advocates are concerned about how the data will be used in future because it can also expose medical conditions. Early adopters include the Royal Bank of Scotland, which uses software designed by New York company BioCatch, some Nordic banks, which use software made by Palo Alto-based BehavioSec, and some large retailers, who use software from New York start-up Forter. American Express has also adopted BioCatch for new accounts, while MasterCard acquired NuData, a company working in this area, in 2017. Behavioural biometrics are also built into security software sold by IBM to retailers and banks. Privacy laws such as Europe's GDPR contain exceptions for security.
tags: biometrics, behaviour, banks, retail, Forter, BioCatch, NuData, IBM, GDPR, monitoring, fraud prevention, security

writer: Stacy Cowley
publication: New York Times


What is Privacy International calling for?

People must know

People must be able to know what data is being generated by devices, the networks and platforms we use, and the infrastructure within which devices become embedded. People should be able to know and ultimately determine the manner of processing.

Limit data analysis by design

As nearly every human interaction now generates some form of data, systems should be designed to limit the invasiveness of data analysis by all parties in the transaction and networking.

Control over intelligence

Individuals should have control over the data generated about their activities, conduct, devices, and interactions, and be able to determine who is gaining this intelligence and how it is to be used.

We should know all our data and profiles

Individuals need to have full insight into their profiles. This includes full access to derived, inferred and predicted data about them.

We may challenge consequential decisions

Individuals should be able to know about, understand, question and challenge consequential decisions that are made about them and their environment. This means that controllers too should have an insight into and control over this processing.