Experts slam storing of biometric data
Tisa to raise issue with prime minister
Cybersecurity experts have condemned the government for storing citizens' biometric data like eye and facial images that are at high risk for data leaks and identity theft.
The theft of biometric data is extremely harmful for individuals because one cannot change his or her bio identity, said the Thailand Information Security Association (Tisa).
The group will bring its concerns to the prime minister, and a member of Tisa's committee will personally sue in the Administrative Court on the grounds that the government is violating citizens' rights under the constitution.
The Foreign Ministry and the National Broadcasting and Telecommunications Commission (NBTC) are the top two targets of the suit.
"We would like to let policymakers know how dangerous it is to keep biometric data unnecessarily, in particular iris and face recognition images," Suthi Tuvirat, a Tisa committee member, said at a recent seminar on biometric data collection.
According to Tisa, the Foreign Ministry is taking great risks by mandating keeping iris data in addition to face images and 10 fingerprints on new passports.
Moreover, the biometric database is operated and managed by a foreign firm that won the project to store the highly sensitive data. The firm has been sued by the Estonian government in the past for losing its data.
In Europe, countries only use two fingerprints to authenticate a person's identity. Elsewhere, San Francisco became the first city to ban the use of facial recognition.
Mr Suthi said the NBTC is another state agency that overruled the constitution's Section 32 to keep biometric information of citizens without their consent, as the regulator uses SIM registration with fingerprints.
If there is a need to keep highly sensitive data that might violate personal data or citizens' rights, Section 32 requires an endorsement that needs to pass a public hearing in the House of Representatives.
Both the Foreign Ministry and the NBTC follow their own rules and regulations, and not the act that violates the constitution.
"Biometric data leaks, 10 fingerprints, iris and face scanning will cause harm to victims of data breaches and they cannot recover as in other cases where they could simply change a password or replace a lost passport," said Prinya Hom-anek, a cybersecurity expert at Tisa.
Biometrics should be used to identify a person but not as "authentication of a person" to access resources or services, he said.
If these biometrics are leaked or are hacked or stolen, hackers can track highly important people, or make fake identities using the leaked info. This can impose high personal risks, as evidenced by the fact that hackers can use facial recognition to track the location of their targets, the same way police can use facial recognition to track down criminals.
The biometric authentication system is badly designed and will lead to catastrophic consequences, Mr Prinya said.
The recent Personal Data Protection Act also allows the government to keep biometric data in contravention of the constitutional law in Section 32.
Mr Suthi said the government must consider how to store biometric data and take measures to ensure governance, transparency and auditing for data owners, and provide compensation for those effected by biometric data loss.
The problem not only pertains to government: convenience stores use facial recognition, while banks employ the technology to open bank accounts.