Privacy, Security Clash as Companies Seek Proof Users Are Human

The rise of AI and deepfakes is pushing companies from banks to health-care providers to explore new age biometric tools which promise to spot impersonators compromising personal accounts, setting up a Faustian bargain trading privacy for system security.

A growing array of authentication solutions, dubbed “liveness detection” tools, has followed the explosion of remote customer onboarding and staff hiring—accelerated by the Covid-19 pandemic and accompanied by a new era of social engineering and digital impersonations, recently using artificial intelligence. New York’s Department of Financial Services advised companies in October and November to deploy identity authentication tools that can withstand AI-generated deepfakes, including technology with liveness detection or texture analysis.

OpenAI Inc. CEO Sam Altman’s Tools for Humanity Corp. launched the Orb that it says creates a unique code based on images of an iris. Identity-verification provider Regula Forensics Inc. says it combines texture analysis and facial movement to determine whether someone is real. German facial recognition company BioID uses a motion-analysis algorithm that it says can validate whether the face detected is real.

As authentication technology develops along with the sophistication of AI deepfakes, privacy regulators and plaintiffs’ firms are poised to determine whether it can fit within growing privacy compliance requirements. Organizations pursuing stronger authentication tools risk collecting and retaining more sensitive data, which could open up liability under laws such as Illinois’ Biometric Information Privacy Act.

“There is a push on the one hand to do more authentication—for good reasons. But there’s also some compliance concerns about, is this generally proportionate? And are there particular local rules that you need to abide by in order to do it lawfully?” said Mark Young, partner and vice-chair of Covington & Burling LLP’s data privacy and cybersecurity practice group in London.

Authentication Push

Stolen and spoofed credentials have been the root cause of most cyberattacks in the last decade or so, said Jeremy A. Grant, managing director of Technology Business Strategy at Venable LLP. That’s why federal and state agencies have, in recent years, released guidance on sharper authentication standards.

“It’s an anomaly when a major incident happens and some sort of a compromised identity isn’t part of it,” said Grant, who under President Barack Obama established the National Program Office for the National Strategy for Trusted Identities in Cyberspace.

Identity-related threats have ranged from presentation attacks—where individuals rely on masks or pictures held up in front of the camera to appear as somebody else—to injection attacks, where deepfake streams are fed directly into the camera input.

Injection attacks have been used to convince IT help desks to change someone’s credentials or add a device onto an account to avoid multi-factor authentication, said Adam Isles, principal and head of cybersecurity at The Chertoff Group and former US Department of Homeland Security official. Deepfakes have also been used to convince employees to share confidential information or transfer large sums of money.

“We see cases where deepfakes have been used, combined with a lot of knowledge of the organization, essentially to trick a help desk into saying, ‘Well, this must be the real user. We’ll reset their credentials,’” Isles said.

That’s why ensuring that individuals are live and real—and who they claim to be—should be a priority for businesses with “a serious security program,” said Phil Venables, chief information security officer at Google Cloud, adding that many are already re-examining their on-boarding and help desk processes.

The Privacy Twist

Companies must strike a “careful balance” between heightened security requirements and regulatory regimes that demand proportionality and minimization of data collection, Young said.

In the US, organizations relying on liveness checks have already been targeted by lawsuits alleging violations of biometric privacy laws including Illinois’ BIPA. Globally, privacy regulators’ scrutiny of authentication mechanisms, especially those requiring biometric data, has also grown.

European Union authorities have expressed concern about the data Tools for Humanity collects with its orb, which “allows anyone to verify their humanness while still protecting their individual privacy,” according to the company’s homepage. Despite that promise, Spain and Portugal’s regulators ordered the company to temporarily stop collecting personal data from EU users. The German authority on Thursday ordered Tools for Humanity to delete data collected in violation of the GDPR.

In October, the Ireland Data Protection Commission launched an inquiry into airline Ryanair Holdings PLC’s processing of biometric data as part of its own customer-verification process, which includes a liveness check. Customers that booked flights on third-party websites were required to submit pictures of their identification documents, take a selfie, and “perform some actions” in front of a camera.

Organizations seeking the right balance may need to tailor a menu of security solutions to match regional standards and their threat profile. This can include adding some non-technological steps, including training and involving business teams to share information and help the chief information security officer defend the network.

“Really, it has to be a hand-in-glove operation,” Isles said.

Where technology that involves biometric data collection may be necessary, organizations should prioritize solutions with privacy-enhancing designs, Grant said. Some liveness detection tools operate on users’ devices, keeping the data in place instead of sending it to a server, for instance.

“A lot of it comes to architectural decisions like, are you creating a big database of faces and checking against them,” Grant said. “Or are you just doing a quick match and then deleting all of the data instantly?”

Still, some organizations continue to grapple with deploying authentication systems that predate generative AI deepfakes, such as multi-factor authentication. These vulnerabilities are still exposing them to numerous cyberattacks and following lawsuits.

“When I look at how much we struggle, globally, to implement even basic security features like MFA and get it right,” a widespread, successful adoption of liveness technology on a timely basis feels like “a losing battle,” Grant said.