
On Device vs. On Server – Whose Risk is Lower?
After the recent release of the PwC Legal whitepaper Biometrics and Privacy: On Device vs On Server Matching, sponsored by Nok Nok Labs, I felt now was a good time to wade into this debate.
These are my opinions and do not necessarily represent the opinions of Diamond Fortress Technologies, Inc. (DFT). ONYX, DFT's core technology, is agnostic toward on-device and on-server matching; however, ONYX provides more value when on-server matching is the requirement. ONYX produces fingerprint imagery from smartphone cameras that is capable of 1:N matching off device (or on device), whereas the embedded fingerprint sensors on mobile devices do not.
I'd like to isolate aspects of this debate and address them individually over the course of several posts. Today, I want to focus on the notion that the risk of a data breach is lower in the on-device setting.
A biometric data breach carries risk for the individual whose identity has been compromised, but also for the entity that requested the data and whose applications are storing it, whether on a server or on a device. The risks are obvious. For the individual, stolen biometric data can lead to a stolen identity, resulting in significant financial loss. For the entity, liability for those losses can be significant depending on the steps (or lack thereof) it has taken to ensure a breach would not happen. There are other ancillary damages for both, not the least of which is reputation.
For the individual, taken in isolation, whether your data is stolen from a central server or off your device is irrelevant: your data is just as stolen, and the risk of catastrophic financial loss is the same. This statement does not address the attacker's perceived opportunity cost, and it also ignores the trove of additional data the attacker may derive from the device. I'll address both shortly.
For the entity, by contrast, whether data is stolen from a central server or off a device dramatically changes its risk. Obviously an on-device breach typically involves liability to a single individual, whereas an on-server breach involves liability to potentially millions.
I posit that the biggest risk being addressed by the advocates of on-device matching is the perceived risk to the entity, but it is being disingenuously couched as a benefit to the individual. Further, I believe it is a short-sighted approach by the industry; more is to be gained than lost in an on-server approach, and I'll address this in subsequent posts.
In PwC's paper they state the following regarding on-device matching: "This lowers the level of risk because a hacker is more likely to target a single database repository where they could access the data of that multitude of individuals, rather than a specific individual's device where they would only access that particular individual's data." This statement addresses the attacker's perceived opportunity cost. It assumes attackers would prefer to have the data of millions rather than of a select individual, and it ignores current fraud trends: social engineering and spear phishing are personal, direct attacks on individuals. It ignores the fact that breaching an individual's phone rather than a server is likely to yield much more immediately useful and valuable information, a fact PwC seems to reluctantly acknowledge with this statement: "It must be noted however, that in the event of a successful attack on a specific device, the data accessed is likely to provide a more detailed profile of the device's owner due to the wealth of personal data generally stored on an individual's device".
Would-be fraudsters are learning that combing through the stolen data of millions to find a worthwhile target is far more time consuming and less rewarding than carefully selecting a high-value target. Harvesting a stack of records from a server is usually still not enough to wreak the havoc they intend, but the goldmine they'll find on an individual's phone most certainly is.
If that is true, and a single high-value target can be breached faster and yields more benefit, is the risk really lower for the individual? I think not. The fact is that, as the security industry, we cannot realistically expect data on a device we do not control, that may be rooted, and that is physically insecure (how many times have you left your phone on a table in a restaurant while you went to the restroom?) to be more secure than data on servers in a high-security, disaster-proof data center to which only a select few vetted and monitored security experts have direct access.
In the on-device setting the data is largely out of expert control; it is left to novice individuals to protect, the same individuals such a system is claimed to be better for. That claim rests primarily on conflating the term "control" with privacy, treated as a subset of security. A weapon in the hands of the untrained is just as likely to injure the wielder as anyone else: control does not equal security, and control is not de facto a benefit.
However, I think there is a case for both implementations and even for a hybrid model. I concede that server-side storage of biometric data has risks; that is inherent in the storage of any and all data. The server vs. device argument suffers from what most arguments do: the tendency to look at things in a binary way rather than as a spectrum. This is a product of economic drivers. Some companies focus on device, others on server, so it benefits each to paint the other approach in a pejorative light.
Regardless, I still favor the on-server approach generally. Only time will tell, but I believe that opportunity cost will continue to drive attackers toward direct, individual attacks. On device, the wall is easier to breach and the treasures are greater.