The path ahead

Going forward, geopolitical uncertainties, the rise of AI-driven fraud, and the potential of quantum computing (possibly weakening some widely used existing encryption algorithms) introduces new risks that call for the development of more secure and privacy-minded solutions to handle our digital identities.

Still, a more expansive use of biometric data in these solutions, also pose risks to the individual. The issue of centralized storage of biometric data, which we have addressed in this report, is subject to considerable debate. If a criminal actor would manage to break into a database that contains unprotected biometric data, it will not only be a case of theft, but they would potentially manage to acquire the entire digital persona of numerous persons.

This is why, while there is no absolute ban on the central storage of biometric data, most government authorities prefer decentralized approaches and assert the need for extraordinaire protective measures if centralized storage is used. However, there is a path going forward for companies that aim to store biometric data centrally. What the Norwegian Data Protection Authority have pointed to in this report, is that the company must evaluate if it is necessary and proportional to store biometric data centrally and to thoroughly document the reasoning for this, including proper risk assessments of the specific protective mitigations.

Another important point of discussion in this report, is the use of relatively new and novel technology like homomorphic encryption. For SALT, this is a critical component in their solution and they present an innovative use case for the technology. The Norwegian Data Protection Authority sees its potential in enhancing the security of encrypted data, as well as its potential use in other areas that can benefit from analysing and processing data while preserving confidentiality.