1 Trillion Mobile Biometric Transactions by 2022; What Can Go Wrong?

A new report by Acuity Market Intelligence forecasts that by 2022 the growing worldwide popularity of smartphones and biometrics will mean mobile biometrics will enable one trillion transactions annually. That is quite a lot, considering it is equal to every living person conducting one such transaction every three days. I do not currently know a single person who has purchased anything using mobile biometrics, and advanced economies like the USA still face challenges when adopting more basic payment technologies like PIN numbers for credit card purchases. Checking the detail, Acuity state there will be “1.37 trillion biometrically secured payment and non-payment transactions”, which makes me wonder what is the quid pro quo for the non-payment transactions, given that the word ‘transaction’ literally means an exchange between two parties. However, whilst the number and significance of mobile biometrics can be exaggerated, it is evident that some people believe there will be a huge rise in the use of mobile biometrics. That is why Acuity will be selling their report to businesses who believe they will be earning a slice of a pie worth USD50bn by 2022.

Despite my skepticism, the Acuity report may potentially underestimate the rate of adoption of mobile biometrics, at least in some parts of the world. Last year an IEEE cybersecurity survey found that 70 percent of respondents believed mobile payments would be secure enough to overtake the use of cash and credit cards by 2030. That survey may understate the case for mobile payments because the respondents were biased towards Western countries, whilst it is developing nations like India that have the motivation and the political resolve needed to switch to a cashless society.

Let us assume many people will soon be making payments and conducting other transactions using mobile biometrics. What can go wrong?

1. From the Team That Brought You…

Maybe you heard about some recent data breaches. The breaching of data occurs so often that it could be described as fashionable. The strain caused by these breaches is contributing to a significant decline in the usefulness of passwords. Nobody can recruit or afford enough cybersecurity personnel because not enough cybersecurity professionals are being trained in the first place, and why should they do honest work when it is much more profitable to steal? Put simply, all the people who engineered today’s short-sighted and inadequate data security regimen are going to be responsible for implementing controls over tomorrow’s biometric data. The risks being taken with personal data are rising much more rapidly than the human or organizational competence to deal with them. Human beings have not yet worked out how to prevent data breaches from becoming a routine occurrence, and there is no reason to believe that the collation of even more personal data will change that.

2. Privatize the Gains, Socialize the Costs

One great way to get a competitive advantage is to pocket all the revenues from a service you offer, whilst somebody else is made to pay for the cost of delivering it. In this context, taking a risk with data should also be seen as a kind of cost, and this cost is connected to the more obvious expenditure required for security. A private business, such as a bank, may aim to keep all the money it receives from customers whilst not paying for the costs it generates elsewhere. Telcos, who are often treated as infrastructure providers that are analogous to utilities, are often on the wrong end of this divorce between revenues and costs. Financial institutions have been passing their burdens to telcos by placing too much reliance on SMS messages as a means to verify their customers. Google spends lots of money on lobbying for net neutrality because they do not want to receive bills for all the internet traffic they stimulate, although this also generates a burden for network infrastructure. So who do we think is buying Acuity’s report, and what will their attitude be to carrying the costs associated with securing mobile biometrics? If those firms fail to protect customer data, then telcos will be left with an even greater weight to carry on behalf of society.

3. Be Thankful We’re Not Getting All the Government We’re Paying For

In the quote above, humorist Will Rogers aptly captured how government overreach is sometimes only countered by government wastefulness. Advocates of data protection will often cite the objectives stated in laws and regulations as if they were matters of fact, and so ignore how even holy commandments can be completely ignored in practice. Some of the laws designed to protect people from the abuse of their data have been amongst the most ineptly worded, most poorly enforced and most credulous that humanity has ever been subject to. How else should we describe the work done by the European Commission, which failed to comply with its own data protection law for a period of 14 years, a failure the highest European court found to be obvious but which was not noticed by a single national data protection regulator within the EU? The European Commission breached its own law by signing an empty data protection agreement with a US government that was also failing to comply with its own laws on data gathering, most disturbingly when it ordered US telcos to hand over massive amounts of data. Now imagine these same nincompoops and dissemblers overseeing the protection of lots of biometric data routinely communicated over telecommunications networks…

4. West Is Best?

Sometimes progress only comes at a price. Although Western governments often fail to keep their over-ambitious promises about data protection, developing nations will forge ahead because their populations have more pressing needs. We will witness protracted debates delaying the implementation of biometric technology in countries like Australia, where there has been a recent political fuss about the selling of facial recognition data to big companies like telcos. But based on the quality of legislation in these countries so far, and the frequency with which those laws have been broken, the likeliest result is that a lot of jibber jabber will deliver little of worth. In the meantime, the Indian government is racing ahead with its national facial biometric program and will learn from experience – good and bad – about how to use the data to tackle fraud and corruption whilst giving many citizens access to new services. There are bound to be mistakes, and sometimes individuals will suffer, but the scale of the needs being addressed will make it easier for the population of a developing country to tolerate temporary shortcomings so long as there are tangible benefits for the majority of people. This should lead to an inversion of assumptions about which societies lead global change, and there is a danger that the trial and error to be experienced in developing countries will be adversely affected by know-nothing ‘experts’ who are blind to the routine failures of the West.

So that is what can go wrong. Given that human beings are imperfect, and they make mistakes, how confident do you feel about the rapid adoption of mobile biometrics for the processing of transactions? I find the prospect to be terrifying.

Eric Priezkalns

Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.
William V

I agree with most of your thoughts. Mobile biometrics in Western countries might be closer than you think though. In Belgium the major banks and all three telcos have created a consortium to facilitate authentication using a biometrics app (https://www.belgianmobileid.be/en). It allows you to log in to homebank and approve payments with an app instead of a card reader. The app allows you to use the fingerprint scanner instead of a PIN, and I have to say I know several people who use the fingerprint instead of a PIN for convenience. No need at all for your bank card PIN code anymore. Below is a screenshot of ING homebank; they even recommend the app as being more secure than a card reader (not sure if that is a valid claim). https://uploads.disquscdn.com/images/c06cda62c0910c2c078516d3f39ec2690beef9922451eabf4afbe9652b7b7d23.png