When the first smartphone was released in the 1990s, it was nowhere near as technologically advanced as the smartphones released in the last decade. In the last decade, consumers have been presented with smartphones from brands such as Google, Apple, Samsung, Sony, Huawei and HTC.
As smartphones became more accessible, easy to use and convenient, Australian consumers began purchasing and utilising smartphones more and more. One form of technology that has enabled this accessibility and ease of use is biometric technology in smartphones, used for purposes including identification, verification, authorisation and authentication.
A biometric is any unique, biological characteristic that can be measured to identify and verify a human being. In the popular mind, biometrics have typically been associated with Hollywood spy movies or crime scenes and criminals. Yet biometrics have mainly been used in Australia on a national level by the Australian government to screen travellers at border checkpoints and, more recently, on a national scale for identity matching capabilities. The focus of this report, however, is the more recent application of biometrics – that is, in smartphones – and the implications of this.
The use of biometrics in smartphones has been promoted as a benefit to Australian consumers, intended to make smartphones more accessible, simpler to use and more secure than PINs, passcodes or passphrases, which are often difficult to remember and easily compromised.
Biometric systems are not entirely secure. General biometric systems can be subject to security breaches, while smartphone biometrics tend to be securely located within a smartphone. Recent breaches have proven that even the new iPhone X Face ID can be compromised. Importantly, once compromised, biometrics cannot be changed in the way a password can.
The most relevant legislation that applies to smartphone biometrics is the Privacy Act 1988 (Cth). The Act seeks to balance the protection of individuals’ privacy against the interests of entities in performing their functions and activities.1 The Act includes biometrics under its definition of sensitive information,2 which is important in the context of potential data breaches.
The previous point links with another privacy implication of the use of smartphone biometrics, which is the use of biometrics in identifying consumers without their knowledge, especially if consumers are unaware of how their biometric data is being stored and shared.
Across the surveys, peer-reviewed and non-peer-reviewed texts, and government and industry papers reviewed, as well as the interviews conducted with a range of industry professionals, what remains consistent is that smartphone biometrics, although convenient and simple to use, have enormous privacy implications that affect consumers if compromised.
As such, it is crucial for government and industry to ensure that consumers are adequately informed of just how severe the worst implications of smartphone biometric data capturing capabilities really are. Consumers should also be empowered to take a more proactive role in understanding more about their biometric data. This includes being made aware of what biometric data is, how it is stored on their smartphone, how secure it is, the ways in which their captured biometric data is being used and can be used, as well as the implications of this.