In November, Interpol arrested a fugitive smuggler using a new biometric security system it plans to deploy across its 196 member countries.
The colorlessly named “Biometric Hub” collates Interpol’s existing fingerprint and facial-recognition data into one place, allowing border control and frontline officers to query criminal biometric records in real time.
The system is backed with certain privacy guarantees, but questions remain about the extent of its reach, and of any organization’s ability to keep a tight hold over such privileged data.
“This is going to be a super high-value target for somebody to get access to,” John Gallagher, vice president at Viakoo, worries. “Any time you put together such valuable information, it’s obviously going to get hacked and leaked.”
The First Criminal Caught by Biometric Hub
Just a couple of weeks ago, a group of migrants was crossing the Balkans on their way to Western Europe. In their midst was a fugitive migrant smuggler.
The group encountered a police check in Sarajevo, Bosnia and Herzegovina.
“Wanted on organized crime and human trafficking charges since 2021, the smuggler presented himself as a fellow migrant under a false name, using a fraudulent identification document to avoid detection,” Interpol recounted in a press release.
Unfortunately for the fugitive, this police check was among the first to utilize the new Biometric Hub out in the field. “When the smuggler’s photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country. He was arrested and is currently awaiting extradition.”
There’s little doubt that the Biometric Hub will streamline Interpol’s criminal background checks. But does it provide sufficient security and privacy checks for the citizens who aren’t trying to commit crimes across borders?
Concerns Over Biometric Policing
To assuage fears of a sci-fi dystopia, Interpol explained on Wednesday that its new biometrics system will abide by its “robust” data protection framework.
Of note, the agency added that “biometric data run through the Hub in a search is not added to INTERPOL’s criminal databases, is not visible to other users and any data that does not result in a match is deleted following the search.”
Dark Reading has reached out for comment to Interpol, and the vendor supporting Biometric Hub — Idemia — but hasn’t yet received a response as of this publication.
Besides privacy, Gallagher points out, a system containing the most sensitive identifying information belonging to the most dangerous criminals out there is an inevitable target for cyberattackers. And a breach of such a system wouldn’t be unprecedented.
In 2019, for example, a 23-gigabyte leak at a company contracted by UK police and other government agencies led to the exposure of somewhere around one million fingerprint and facial recognition records. Elsewhere, background checks have been accessed from the US Department of Homeland Security, images have been stolen from Customs and Border Patrol, and more.
“I’m not saying that authorities are doing the wrong thing here — I think they are doing the right thing,” Gallagher says. He then predicts the many ways the system could fail.
“How frequently do things like the cameras themselves malfunction? And what happens if somebody gets to the camera network? Internet of Things (IoT) devices are the easiest in the universe to hack into,” he says.
“My argument is that, in a few years, biometrics won’t be trusted,” he warns. “Because I pass a camera 100 times a day in my enterprise, and that enterprise might not be securing that camera data very well.”
Source: www.darkreading.com