So as evidenced by all my work into payment conversions, I’m really interested in convenience and limiting my inventory size at any cost. Enter Amazon One. It’s a infrared palm scanning service that lets you pay at Whole Foods and I think Panera.
I don’t use Amazon very often, but for work related things I do have an account with a credit card attached, so I set it up in about 5 minutes and gave them the biometric data for both of my hands in store.
I know it makes people really uncomfortable to surrender any biometric data to big tech. The gut reaction makes sense. What I’m curious about is why rationally is it an issue?
I literally don’t care about my biometric data. It’s a foundationally stupid way to identify a person, because it can’t be updated if it’s compromised. I’ll never attach anything I can’t afford to lose to biometrics, because it’s 100% only a matter of time before my palm scan, fingerprints, retina scan, and even DNA gets “leaked” to bad actors.
The worst case scenario for me is that everyone else cares about biometrics so much that when it inevitably does leak, I can get in on a class action lawsuit against Amazon. Oh darn.
So my question is, if it’s convenient and it doesn’t matter, why do we care?
Personally I think the danger comes from the misconceptions people have about biometrics. If you ask any random person on the street or even somebody in tech “is using a biometric a secure form of identification?” the answer is going to be something along the lines of “of course!”.
I know plenty of people in tech that comment that biometrics are a perfect solution to securing things, just look at iPhone! It’s only people that understand and think about security that really know what the deal is.
The pervasive misconception that biometrics are a perfect solution for security and not just identification is furthering the authority of the machine. The authority of the machine is a concept that has been a growing concern of mine for quite some time. I don’t think there is any service or industry that will take your word over the computer for anything. As more people accept biometric identification as some sort of secure authentication mechanism, the authority of the machine grows stronger.
Someone using your biometric to purchase apple juice at the store is a minor inconvenience to you. Someone else building a system like in India where they say okay we’re going to tie all government services and even ordinary business transactions to a biometric identifier, the potential impacts and cost of sorting out a fraudulent transaction could be literally life-threatening. Getting booked into the hospital or getting a procedure or surgery or even getting medication that’s critical… delays or miscommunications or misidentification in these instances could be lethal.
The problem isn’t with Amazon One it’s that the use of biometrics for payment automatically makes other people feel that biometrics are safe and secure and totally fine. If Amazon One is accepting payment with a palm scan, then surely it will be totally fine to use similar biometric technology to secure other things with. It’s the snowball effect in action.
Technology is iterative and builds on itself. The more a false belief about a particular technology persists, the more systems will implement that technology and it will grow. The impacts of that false belief grow right along with it, from a minor inconvenience to a major life-changing or potentially life-ending catastrophe.
Everybody gets that you can simply dispute a credit card charge, but if someone bought something at Amazon One with your palm scan, are you going to convince Amazon that it wasn’t you? Who’s going to believe you? What’s the process even? Sure, right now your Amazon account links to a credit card and if you wanted to you could dispute it with the credit card company… But then you’re putting your entire Amazon account at risk if you do that. Possibly even your ability to use Amazon services in the future.
Of course these are all minor issues… for now. It’s tomorrow’s biometric I’m more worried about.
Very small real world example:
My kid’s Microsoft Surface laptop can use a fingerprint to log in. Both parents and the kid all enrolled their fingerprints. At first it was fine. A year after doing this, when my kid tried to log in, it was a 3-way toss-up which human was actually “identified” by the machine. I ended up removing the biometric login and went to PINs and passwords instead.
Small inconvenience, like you say, @amal . But it also made me worry that family members could be mis-identified for more important things using biometrics for identification and authentication.
I saw the palm scanners at Whole Foods recently, and my kid said, “Look, now you don’t need a payment implant!”
I passed on enrolling. I had a gut feeling that this didn’t feel secure, and Amal explained it so eloquently!
That’s all fair, and I also worry about that future. I don’t think I’m substantively contributing to it’s arrival by using it though. I get “if everyone thinks that way then you are!” but realistically I know lots of people are going to take the bait uninformed.
I mine as well enjoy our inevitable hell, since I can’t change it
To be clear, it’s not the users I worry about taking the bait… it’s the admins, executives, and implementors of new systems that lean on unfounded ideas like “it has to be secure because look it’s used everywhere” to influence system design decision making.