Images of City2Surf spectators are landing in vast biometric engines

When Australians attend the event and their photos are taken and uploaded into Sportograf’s biometric registration system. Each of the photos is subjected to a facial recognition system that maps their faces. This is the start of the issue, as people may not be aware that their images are being placed into a system that is easily accessible by so many other people.

Why is open access to biometric data a time bomb?

Also, spectators’ images may unknowingly be captured in the background, uploaded and searchable, without the opportunity for them to consent. People can then find their face, or a someone that strongly resembles them, using a selfie or an image of someone they have. 

Once they have found a match for the picture they are looking for, the selfie is erased (as per Sportograf’s privacy policy) but the images in the biometric registration system are retained.

It’s possible for a stalker to track someone, for instance a participant or a minor who is captured as a spectator, by accessing the images as they aren’t secured behind any sort of authentication. The images could be used to create a deep fake of the person, to confirm they were in the location of the event, and also they are accessible anywhere in the world.

How can the participants be protected?

Participants, who have registered and agreed to the terms and conditions, are unlikely to have read the details and fully understand the extent to which they have consented. This raises the key question of how biometric technology is outpacing the community’s understanding of its application, as we have seen recently with the Bunnings example.

The responsible use of biometric technology is an imperative. Vendors of technology that can impact the security and privacy of people need to think through all potential consequences. Biometric programs must be built on a foundation of consent, where people must opt in based on a clear understanding of the scope and the value to the person opting in.

There are a lot of standards that already exist to guide the use and applications of biometric tech like ISO/IEC 24745:2022, which defines the principles of confidentiality, integrity, and privacy protection of biometric data to make the use of biometrics safer. The focus should be on the adoption of these standards to protect the integrity of the users’ security and privacy.

Blair Crawford is the CEO and co-founder of Daltrey.