Skip to main content
TopAIThreats home TOP AI THREATS
Governance Concept

Biometric Data

Measurable physical or behavioural characteristics used to identify or authenticate individuals.

Privacy & Surveillance Discrimination & Social Harm

Definition

Biometric data comprises measurable physical or behavioural characteristics — including fingerprints, facial geometry, iris patterns, voice prints, gait, and keystroke dynamics — used to identify, verify, or authenticate individuals. Unlike passwords or tokens, biometric identifiers are intrinsic to the individual and cannot be changed if compromised. In the context of AI, biometric data serves as both an input (for training recognition systems) and an output (as the target of identification or surveillance). The sensitivity of biometric data has led to its classification as a special category of personal data under regulations such as the GDPR and the EU AI Act.

How It Relates to AI Threats

Biometric data is central to threats within the Privacy & Surveillance domain. Biometric exploitation occurs when AI systems collect, process, or repurpose biometric identifiers without informed consent — including the use of facial recognition in public spaces, voice analysis in call centres, or emotion detection in workplace environments. Mass surveillance amplification leverages biometric systems at scale, enabling real-time identification of individuals across camera networks. Within Discrimination & Social Harm, biometric systems have demonstrated differential accuracy across demographic groups, with higher error rates documented for women and individuals with darker skin tones.

Why It Occurs

  • Biometric systems offer perceived convenience and security advantages over knowledge-based authentication
  • AI advances in computer vision and audio processing have made biometric recognition accurate enough for mass deployment
  • Biometric data is collected passively in many environments (CCTV, device sensors) without explicit user action
  • Once biometric identifiers are compromised, they cannot be reset or replaced unlike passwords
  • Regulatory frameworks governing biometric data collection and use vary significantly across jurisdictions

Real-World Context

The Clearview AI controversy (INC-20-0001) revealed that the company had scraped billions of facial images from public websites and social media platforms to build a biometric identification database, which was then sold to law enforcement agencies. This occurred largely without the knowledge or consent of the individuals whose biometric data was collected. Multiple jurisdictions have since taken enforcement actions, including fines under the GDPR and orders to delete data. The case prompted broader regulatory attention to the use of biometric data in AI-powered surveillance and identification systems.

Related Incidents

INC-20-0001 critical 2020-01

Clearview AI Mass Facial Recognition Scraping

INC-24-0006 medium 2024-05

OpenAI Voice Mode Resembling Scarlett Johansson Without Consent

INC-23-0013 high 2023-12

FTC Bans Rite Aid from Using Facial Recognition Technology

Related Threat Patterns

Biometric Exploitation Privacy & Surveillance Mass Surveillance Amplification Privacy & Surveillance

Related Terms

Facial Recognition Mass Surveillance Data Protection
← Back to Glossary → Taxonomy → All Domains

Last updated: 2026-02-14