From September 30, 2023, the collection, storage and processing of biometric data of Russians will be carried out only within the framework of a Single Biometric system. Banks have already transferred biometrics to the EBS and will retain only limited access, and data owners are sounding the alarm against the background of fakes spreading on the network.

One of the main misconceptions is the news that it was possible to refuse to collect or transfer biometrics only until September 1. But there are also a lot of disputes regarding the safety of data within the framework of the EBS, including among cybersecurity experts.

Let’s start with a simple one, because not everyone understands what biometrics is and how it is used in our lives.

Biometric data is information that characterizes the physiological and biological characteristics of a person. Knowing them, it is possible to establish the identity of a person. This definition is fixed by law.

Biometrics is divided into 2 types:

  1. Statistical – unique data that does not change. These include height, DNA, fingerprints, faces, eyelid and iris patterns.
  2. Dynamic – actions that we perform involuntarily. These include voice, gait, and so on. They can change over the course of a lifetime, but they are also more difficult to fake.

Biometrics are already everywhere

Most myths and worries about the collection and storage of biometric data are too hyperbolized. Biometrics has been used for a long time, in one form or another.

Biometric data is already part of the user authentication system, an additional step. They are offered to pay for purchases, transportation, and log in to any accounts using biometrics. Sberbank is actively developing in this area with biometric payments. Of course, this is the future, this is additional authentication, therefore, increasing the reliability of the same payment systems.

– Evgeny Lifshits, head of the Cybersecurity Agency

Biometric data as an authentication method has significant advantages over our usual passwords, SMS codes, etc. – they are safer and more difficult to fake, and even more difficult to steal, because they are stored in an impersonal form.

This was the catalyst for the active introduction of biometrics in the financial sector. For example, the BEAC has long offered to log in to the application by fingerprint, confirm transactions by voice, perform transactions at an ATM with facial identification.

EBS is just a new part of a large system

Biometrics was collected, processed and stored even before the appearance of a Single biometric system, which, by the way, was created on the initiative of the Central Bank and the Ministry of Finance, and started working on December 30, 2021, but did not receive a large pace of development.

Since September 30, 2023, the composition of biometric data and the rules for their collection remain the same. Only the storage location will change. Now only the EBS will work with biometrics, to which banks have already transferred the information stored in their own databases.

The authors of the initiative believe that this approach to working with biometric data is more correct. The data will be stored in one database, reduced to a single form and depersonalized, which is especially important. Even a leak of the biometric database will not provide attackers with any opportunities, because it will be simply impossible to establish an identity using a digital fingerprint.

As for the positive changes, they also exist. Citizens whose biometric data is stored in the EBS will be able to receive government and commercial services remotely, as well as pay for travel and buy goods, paying for them “with their own face”.

Security of biometrics in the EBS – is it possible to talk about it?

Data leaks have already become a habit and their number continues to grow. The introduction of revolving fines should solve the problem to some extent, but at the moment it persists. In addition, the attackers are much more interested in biometric data and they will look for ways to get hold of them.

First of all, the owners of biometrics should worry about the safety of their data on their own, because there are many cases when users themselves are to blame for their data getting into the network. With biometrics, it will be more difficult to fix the situation, in other words, a person will immediately get hooked. With the help of a digital fingerprint, attackers can gain access to confidential information and even interfere in personal life, let’s recall the recent scandals around deep fake technology.

I think we all remember perfectly well what happened to the simple personal data of users of various large services: they simply “merged” into the network and fell into the hands of scammers. This is the result of negligence to your personal data, first of all. Remember how many times you signed a paper or ticked the box next to “consent to the processing of personal data”. And you can’t check how securely they will be stored, no matter on the delivery server or in the database of a medical institution. If institutions or private companies receive biometric data, they can use the information for surveillance, tracking and control, thereby violating the user’s personal privacy.

Evgeny Lifshits

Unfortunately, it is simply impossible to completely exclude the possibility of a leak from a private or public database. But representatives of the EBS claim that storing biometrics in an impersonal form is the highest degree of protection. The digital fingerprint will be impossible to identify, that is, it will not be possible to find the owner.

Should I take biometrics or refuse it?

In Russia, since December 29, 2022, a law has been in force prohibiting organizations from forcing citizens to take biometrics and discredit those who refused. The delivery of biometrics is mandatory only in one case – the conduct of judicial and operational investigative measures. The lack of biometrics in the EBS limits only one thing – the ability to remotely receive public services.

There are currently two ways to submit biometric data:

  1. Standard biometrics is given through the application “Public Services Biometrics”.
  2. Confirmed biometrics are handed over at the offices of banks, a list of which is available on the official website of the EBS. You must have a passport and SNILS with you.

But you can refuse to transfer biometrics to the EBS at any time and in any convenient way, despite all the fake news. To begin with, it is worth checking the availability of the submitted biometric data in your personal account on the portal “Public Services”. If they are available and you want to refuse, you can apply both remotely in the same personal account, and in the nearest branch of the MFC.