Reliance on biometrics such as fingerprints, face recognition and voice recognition is becoming an inescapable part of life in Thailand. Whether applying for an ID, getting a SIM card or even entering the country, both Thais and foreigners must hand over their biometric information to the government and the private sector.
While some methods of using biometrics for identity authentication are more convenient, the mass storage of this data comes with security risks and privacy concerns.
Many forms of biometric verification have been spoofed by hackers, and once a person's biometric data has been breached it cannot be replaced the way a password can: a face or fingerprint cannot be changed (save for extreme measures).
"From a security standpoint, biometric data will be exposed to the same risks as any other type of data," says Stephan Neumeier, managing director for Asia-Pacific at Kaspersky Lab.
"It can be used, directly or indirectly, to identify a particular individual and because of this nature, we can consider this data as among the most sensitive type of data any organisation can deal with. This is the reason why the number of cybercriminals targeting the data may be higher than other data types."
ONLY WHEN NECESSARY
Sutee Tuvirat, a committee member of Thailand Information Security Association (Tisa), says Tisa will submit a letter of concern regarding the storage of biometric data to Prime Minister Prayut Chan-o-Cha.
Currently, large amounts of biometric data are stored across the government and private sectors without what Mr Sutee deems proper data protection measures. This risks violating the EU's General Data Protection Regulation (GDPR), which levies fines on companies that mishandle the data of EU citizens, even companies outside the EU.
Thailand has its own data protection law, the Personal Data Protection Act (PDPA), modelled after the GDPR, but it does not come into effect until May 2020.
Section 26 of the PDPA classifies biometric data as special data and those who violate its security and privacy regulations could face a maximum fine of 5 million baht and a prison sentence.
Tisa is urging the prime minister to revisit each state agency's rules and regulations on how to store biometric data and whether they violate citizens' rights under the constitution.
In the government, biometric data is primarily held by the Interior Ministry (for national ID cards), Foreign Ministry (for biometrics collected at entry points) and the National Broadcasting and Telecommunications Commission (NBTC).
Regulations or guidelines for storing biometric data in the private sector currently depend on the industry, with the Bank of Thailand overseeing the financial sector and the NBTC overseeing telecoms.
Tisa says it is most concerned about the security practices and regulations of the Foreign Ministry and the NBTC.
Prinya Hom-anek, a cybersecurity expert and secretary-general of Tisa, says if these biometrics are leaked, hacked or stolen, then criminals can track highly important people or fake identities.
He suggests biometric data not be kept in centralised computer servers where it could be hacked but instead inside a chip, like the ones found in National ID cards and passports.
Arthit Suriyawongkul, coordinator of the Thai Netizen Network, a nonprofit advocacy group for digital rights, says security and privacy for biometrics is a mixed bag, depending on the industry or agency.
He says the Bank of Thailand has done a great job providing rules and guidelines for the financial sector, while the industry itself is aware of the severe consequences of data breaches.
However, he claims the NBTC has not held up that standard and biometric data stored by telecom companies and the NBTC itself may be at risk.
Just last year, True Move H, the nation's second-largest telecom, exposed the personal data of about 46,000 customers, including scans of ID cards and passports.
"The banks are pushing for the collection of biodata because it could make it easier to get new customers to create accounts, like the ones in rural areas, but for telecoms, it's the regulator that is forcing the operators to collect data that does not really benefit their business," Mr Arthit says.
"The NBTC created a lot of regulations in terms of collecting biometric data, but not in terms of protecting it."
He worries this potential security deficit could lead to a crisis in digital authentication, because almost every industry relies on telecoms as an authentication channel.
If a national ID card is lost or stolen, the biometric data stored on it could be used by a criminal to swap out the holder's SIM card details. And because most online services verify accounts with text messages sent to the registered mobile number, the criminal could then take over the victim's Google account or even their online banking.
The NBTC has responded to the concerns of privacy and security advocates, insisting its existing system is safe and secure.
Korkij Danchaivichit, deputy secretary-general of the NBTC, says the existing system for SIM registration, known as two-snap face recognition, is only for verifying identity through the smart ID card's chip.
Mr Korkij shows how to use the biometric verification system to register new SIM cards.
That means the system compares the buyer against the biometric data already on the ID card's chip; the NBTC system does not collect new biometric data from SIM buyers, nor does it store biometric data for the NBTC's own use.
Under the existing verification system for new SIM buyers, each buyer inserts their ID card into a face recognition card reader at a telecom operator's store. The system then compares the buyer's face with the one stored on the ID chip.
"We are using smart ID cards in the proper way to serve socioeconomic security," Mr Korkij says. "We have no plans to store biometric data of mobile users for our own use. The registration system is to protect good citizens, not criminals. However, no system is perfect."
The agency considered switching to a fingerprint system, but found it too impractical and costly.
NBTC commissioner Prawit Leesathapornwongsa says both face recognition and fingerprint systems have about 80% accuracy.
"People may be secretly photographed for face recognition fraud, or have their fingerprints stolen via materials they've touched," he says.
SIM cards bought online present the biggest problem, as that is where facial recognition software is easiest to fool.
The government's recent invocation of Section 44 allowed the NBTC to spend its universal service obligation (USO) funds for the telecom sector on security-related cases. It also freed up the budgets of telecom operators to use the extra cash to bolster their own security measures for data storage.
One of the latest innovations unveiled during the Bangkok Fintech Fair 2019 is ‘Face Pay’, which uses facial recognition technology for payment at vending machines.
Some sources in the industry say the government is preparing to re-register all SIM cards, both new and existing ones, being used by people in the three Deep South provinces as a stricter method of verification. This recheck is expected to start in August because of security concerns over the ongoing civil conflict in the region.
However, the plan has yet to be enforced because mobile operators have not signed off on it.
Mr Korkij rejected this suggestion, saying he does not know of any such plan. It is more likely the NBTC will push mobile operators to retain customers' call data records for longer than the current 90-day requirement, he says.
Amidst the worry and speculation, Somying Thainimit, a professor of electrical engineering at Kasetsart University and a specialist in biometrics, says she welcomes a future more reliant on biometric data.
"I think the positives outweigh the negatives and we will be more secure in the long run," Ms Somying says. "The accuracy of all recognition software is so much better than it used to be and constantly improving, so I think biometrics will be used more over time."
For instance, most fingerprint data is stored as a code that can later be re-rendered as an image, but only with the right methods, making it difficult to steal. However, some entities still store fingerprints as an image file.
She finds the technology to be relevant to humans and more intuitive, which should encourage more people to use the technology because it is convenient.
Those concerned about privacy are likely in the minority, she says.
"I think Eastern countries have much different concerns from Western countries," says Ms Somying. "People here have very little concern over giving information to the government or corporations."
SAFE ENOUGH FOR BANKS
Thakorn Piyapan, head of digital banking and innovation at Bank of Ayudhya (BAY), says biometric authentication systems are difficult to crack because everyone has unique characteristics, unlike passwords.
Take facial recognition as an example. This technology cannot be fooled by merely holding up photos or videos of data owners. It is so sophisticated it can verify the positions of face parts, says Mr Thakorn.
Facial recognition technology is more complicated than scanning a picture, and the National Digital ID's biometric system meets Identity Assurance Level 3.2 standards, he says.
Facial recognition is set to become the most common digital authentication method used by Thai banks, with 10 institutions testing out the technology in the Bank of Thailand's regulatory sandbox, and BAY is among them.
Siam Commercial Bank plans to use palm veins, a contactless biometrics technology, for identification and authentication for payments. The bank is testing the digital payment technology on a closed-loop basis. The technology is expected to be rolled out later this year.
Mr Thakorn says it is crucial for banks to develop both technology and security to offer a smooth digital experience to customers and build their confidence.
Additional reporting by Somruedi Banchongduang and William Hicks