Companies in the financial and retail space are collecting "behavioral biometrics" through sensors in phones or code on websites to help decipher if the user is who they claim to be on the device, according to The New York Times. Because passwords are so easily attainable by bad actors, the extra layer of oversight could be the safeguard that derails fraud.
Swipes, taps and login times are all accounted for in the metrics. Software from companies like BioCatch is used to construct profiles of consumers based on their gestures and then compare new activity to that record every time a user comes back to a site or app, according to the report. The system has a 99% accuracy rating when detecting imposters. However, factors such as being tired, drunk, injured or distracted can contribute to inconsistencies in gestures.
Critics of behavioral biometrics say the additional oversight is a privacy violation because only a few companies choose to tell customers how or when they're being tracked.
In a world where every thought is tweeted, every text message recorded and many Facebook accounts still active after Cambridge Analytica, it's hard to know what information should be kept private.
It's a paradox anyone who lives in the digital age has to deal with. Users relinquish personal data to participate on social media, yet they get upset when an organization collects too much data, and that is something every company has to grapple with.
Even when consumers think they're following best practices for their online security, it's very difficult to hide information from anyone. Regulations like GDPR and California's latest privacy bill are putting the right to privacy back in the hands of consumers.
However, even with legislation in place, companies are making assumptions about what data qualifies as personal data, and some believe people aren't able to accurately analyze data to gain personal insights.
Right now most behavioral biometric use cases are in the workplace, to monitor employees and detect potential insider activity, according to Merritt Maxim, principal analyst at Forrester, in an email to CIO Dive.
Organizations that want to transition behavioral biometrics to monitor customers carry a risk and have to work to ensure the data they're surveilling is not personal information, he said. But some jurisdictions may claim activity, through clicks and mouse movements, to be personally identifiable information, which could be a breach of privacy trust.
Collaborating with legal counsel is important to protect how these biometrics are collected, stored and retained. Doing so could force organizations to change their consent policies to include "explicit customer consent for behavioral data collection," Maxim said.