Good and bad takes on Amazon’s in-store biometrics

I’m seeing a lot of takes (some good, some bad) about Amazon’s incentive to register palm prints for its stores in exchange for $10. A 🧵 on some of the biometrics and tech behind this – and why some of the takes get the implications wrong 👇🏽

For starters, there’s an imbalance in whether it entices certain demographics to give up personal biometric data in return for $10.

This kind of asymmetric power *needs* to be looked at closely, on how that data is used in the future.

“Amazon stores biometrics in the cloud”

What is often not appreciated in this is that biometrics are often stored as mathematical templates, equivalent to “hashes”. A biometric hash CANNOT be used to reconstitute the original hand, fingerprint, or palm print. This is low risk.

If you think of traditional methods of storing passwords, they are often “salted” (add some random data) and then “hashed”.

This is also often how biometric templates are stored. ✅

If there’s a data breach, the templates are useless to a hacker in reusing at a different place.

⚠️ However, this is ONLY secure and private if the company registering biometrics ONLY stores this as a biometric template. It should NOT store the original image/picture of the hand or palm print. 🖐

The analogy here is similar to passwords, where best practice is to never store the original plaintext password, and to only ever store it as a salted and hashed version of the password. ✅

So even if Amazon or any other system stores biometric templates in the cloud, the risk is the same as losing securely stored password hashes: they are useless to a hacker.
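The thread leans on the password analogy (salt, then hash, never keep the plaintext) to explain why stored templates are “useless at a different place”. The block below is an added example of that password-storage practice, not code from the thread and not a model of how Amazon One stores palm templates; the iteration count and the site names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value for this illustration).
ITERATIONS = 200_000

def register(secret: bytes) -> Tuple[bytes, bytes]:
    """Store only (salt, digest); the original secret is discarded after this call."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return salt, digest

def verify(secret: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute from the presented secret and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def same_secret_two_sites(secret: bytes) -> bool:
    """Two independent enrolments of one secret (site A and site B, each with its
    own random salt) yield unrelated stored values. Returns True only if they collide."""
    _, digest_a = register(secret)
    _, digest_b = register(secret)
    return digest_a == digest_b

def stolen_record_reusable(stolen: Tuple[bytes, bytes], other_site: Tuple[bytes, bytes]) -> bool:
    """Breach scenario: an attacker holds site A's (salt, digest) for a user and
    presents the stolen digest to site B, which enrolled the same secret under
    its own salt. Site B hashes whatever it is given, so the stolen digest is
    not the secret and does not verify."""
    _, stolen_digest = stolen
    other_salt, other_digest = other_site
    return verify(stolen_digest, other_salt, other_digest)
```

The point the analogy makes is visible in the two helper checks: the stored record lets the holder *verify* a presented secret, but it cannot stand in for that secret anywhere else, and a second site’s record for the same secret shares nothing with the first.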

It’s all the OTHER data with personal information that’s more useful to hackers.

How does Amazon One compare to on-device biometrics like Apple Touch ID or Face ID? 🤔

The main difference is Touch/Face ID can ONLY be used for 1:1 matching with a single person.

Something like Amazon One, which is a central system, can be used for 1:1 matching (“give me access to my own account”).

But it can also be used for 1:many matching (“does this palm ✋ print belong to a known fraudster?”).

(How, and by whom, is someone decided to be a “known fraudster”?)

Then there’s how Amazon One works, or most biometrics in general.

As a biometrics operator, you want to prevent fraudsters from taking a picture and showing it to a scanner.

⛔️ This is a risk with finger and palm prints… if someone is targeting a specific individual.

As a fraudster though, you’d want to maximise returns and minimise the effort.

Lifting physical finger or palm prints at large scale is *hard* to do.

Amazon uses vein prints, which also can check for something called “liveness”: it’s not just a static image, but can also see if there’s realistic motion that would happen with blood flowing through an actual human’s palm.

This makes it very hard to spoof by a fraudster.

Even if someone had my fingerprints or palm prints, that’s not the same kind of data as my vein patterns.

And even if they had pictures of my vein patterns, it’s hard to spoof the motion associated with vein prints.

TL;DR: the way Amazon One uses vein prints from a palm ✋ is secure and follows best practices.

SHOULD they be doing this and whether it’s creepy is a different question that comes down to what’s acceptable in this context by society and users.

(E.g., people don’t mind doing this for passports or border control. They also have no choice in that scenario, whereas Amazon One biometrics is an opt-in programme.)

If you’ve stuck by this far (thank you 🙏🏽), would YOU register and give your biometrics to Amazon for entering their grocery stores?

Originally tweeted by Ankur Banerjee (@ankurb) on 6 August 2021.


How the NHS Covid Pass scheme actually works

Out of London for the first time in a year or so, on a short trip to France.

I was able to scan my Covid-19 vaccine record from the NHS App into the French “TousAntiCovid” app.

Much like the UK, there are two modes: one for domestic use, and one for travel.

In general, the QR codes in vaccine passports generated in Europe contain name, DOB, date of jab, kind of vaccine etc. This is an EU-wide standard also used within the NHS app.

When I scan the NHS code into the French TousAntiCovid (“everyone against Covid”) app, it has two modes. One is for domestic use in France and visually displays only the QR code and name; this is for showing in restaurants, bars, etc.

And a separate “border mode”, which contains the same details but visually shows additional bits such as DOB (to match against a passport) and date of jab (to check whether enough time has passed to be considered fully vaccinated).

Note that in both cases the underlying QR code has ALL of the data from the text/PDF version, so anyone could theoretically make up a different QR code scanner to read and reveal all of the data.

By default though, the QR codes visually reveal less private info than the PDF.

Within the UK, for domestic use for instance, the NHS has a separate app called the Covid-19 Verifier app (iOS version here in the App Store:

A really forward-looking decision taken by the NHS Covid Verifier app is that it does NOT show the underlying personal data; it just returns a yes/no result.

This is by far more privacy-preserving than asking someone to show their details on a PDF or paper or card.

The *domestic* NHS Covid QR codes use the following criteria when showing yes/no:

1. Positive PCR test in last 6 months
2. Fully vaccinated
3. Negative lateral flow test in last 48 hours

When it returns a yes/no it doesn’t give which of the above 3 reasons it was based on.
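Two behaviours described above, the display modes that reveal different fields from the same payload and the verifier that answers only yes/no, can be shown together in one small model. This is an added example, not code from the thread or from the NHS or TousAntiCovid apps: the record fields, the sample people, the check time, the “fully vaccinated” rule (two doses, at least 14 days ago) and the 6-month window approximated as 182 days are all assumptions; only the three criteria and the 48-hour window come from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class PassRecord:
    """Fields the thread says the QR payload carries (names are assumed, not the EU schema)."""
    name: str
    dob: str
    vaccine: Optional[str] = None
    doses: int = 0
    last_dose: Optional[datetime] = None
    positive_pcr: Optional[datetime] = None
    negative_lft: Optional[datetime] = None  # self-reported lateral flow result

# Windows from the thread; the "fully vaccinated" rule below is an assumption.
PCR_WINDOW = timedelta(days=182)      # "positive PCR test in last 6 months"
LFT_WINDOW = timedelta(hours=48)      # "negative lateral flow test in last 48 hours"
REQUIRED_DOSES = 2
POST_DOSE_WAIT = timedelta(days=14)

def within(event: Optional[datetime], now: datetime, window: timedelta) -> bool:
    return event is not None and timedelta(0) <= now - event <= window

def fully_vaccinated(rec: PassRecord, now: datetime) -> bool:
    return (rec.doses >= REQUIRED_DOSES and rec.last_dose is not None
            and now - rec.last_dose >= POST_DOSE_WAIT)

def domestic_verdict(rec: PassRecord, now: datetime) -> bool:
    """What the Verifier app returns: a bare yes/no, never which criterion fired.
    Note that a self-reported negative LFT alone is enough for a 'yes'."""
    return (within(rec.positive_pcr, now, PCR_WINDOW)
            or fully_vaccinated(rec, now)
            or within(rec.negative_lft, now, LFT_WINDOW))

# What each TousAntiCovid-style display mode reveals on screen; the full payload
# is still inside the QR code either way.
DISPLAY_FIELDS = {
    "domestic": ("name",),
    "border": ("name", "dob", "vaccine", "last_dose"),
}

def displayed(rec: PassRecord, mode: str) -> Dict[str, object]:
    return {f: getattr(rec, f) for f in DISPLAY_FIELDS[mode]}

NOW = datetime(2021, 8, 1, 12, 0)  # constructed check time

# Constructed sample records, one per outcome worth seeing.
SAMPLES = {
    "vaccinated": PassRecord("A. Example", "1990-01-01", "constructed-vaccine", 2, datetime(2021, 6, 1)),
    "recent_pcr": PassRecord("B. Example", "1985-05-05", positive_pcr=datetime(2021, 7, 1)),
    "old_pcr": PassRecord("C. Example", "1985-05-05", positive_pcr=datetime(2020, 12, 1)),
    "self_reported_lft": PassRecord("D. Example", "2000-02-02", negative_lft=datetime(2021, 7, 31, 9, 0)),
    "nothing": PassRecord("E. Example", "1970-07-07"),
}

def run_samples() -> Dict[str, bool]:
    return {k: domestic_verdict(rec, NOW) for k, rec in SAMPLES.items()}
```

The verdict function deliberately returns nothing but a boolean, which is the privacy property the thread praises; the `self_reported_lft` sample is the loophole it goes on to describe, since nothing in the record distinguishes a genuine negative test from a typed-in one.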

One thing to note about the domestic passes is that criteria 1 and 2 are usually more likely to be true.

Criterion 3 (negative rapid test) is easily faked, because it’s based on a self-reported result.

Then there’s the behavioural challenge. The DHSC wants venues to use the NHS Covid Verifier app to check this status by scanning each code, which takes, say, 10-30 seconds.

If you imagine a crowd of 1000s at a venue, the more likely behaviour (as reported at Wimbledon and Wembley) is to just ask people to show the actual text on the PDF or app 🤷🏽‍♂️

Which ultimately defeats the purpose of the privacy-preserving Verifier app.

And if there’s an easy loophole through the negative rapid test, it undermines faith in whether the Verifier app can be trusted.

There are two options here:
1. Continue on the honour system, and hope people don’t lie when reporting rapid test results (what we do right now)

2. Carry out an ID check as well as some form of verified check on rapid test result, e.g., the result must be logged with a photo of the test kit to prove what the result was. Although I imagine this intrudes on privacy and could reduce the number of people taking rapid tests.

Having worked in digital identity and biometrics for a while, my immediate reaction to any new initiative is to think of “how will people try to game the system?”

Because what years of behavioural research on this has shown is that there are some people who ALWAYS try to fake.

So the question always changes to one of behavioural psychology and systemic risk: in a given system (say this domestic passport), how many users do you think will try to game the system?

And what percentage of people trying to game the results can the system absorb?

Originally tweeted by Ankur Banerjee (@ankurb) on 1 August 2021.