Biometric Data
Your Face Is Not a Password — It's a Permanent Secret You Can Never Change
Every password you've ever used can be reset, but the geometry of your face, the rhythm of your heartbeat, the whorls on your fingertips — those are issued once, with no recovery option.
The Idea
Biometric data occupies a strange and underappreciated category in the privacy landscape. Unlike a compromised email address or a leaked password, biometric identifiers cannot be rotated. You cannot issue yourself a new iris pattern after a data breach the way you can generate a new password. This asymmetry — permanent data, impermanent security — is what makes biometrics categorically different from every other kind of personal information. The deeper issue is that biometrics are simultaneously more convenient and more fragile than we tend to assume. Face unlock, fingerprint sensors, and voice recognition feel seamless precisely because they offload authentication to something you already carry. But that convenience papers over a structural problem: the data doesn't stay on your device. It flows into corporate databases, border control systems, employer attendance platforms, and loyalty programmes — often with terms of consent so broad they're effectively meaningless. What's genuinely underappreciated is the inference problem. Raw biometric data isn't just used for identification. Gait analysis can suggest neurological conditions. Micro-expressions captured by cameras can be used to infer emotional states. Voice patterns can signal anxiety. The body, it turns out, leaks far more information than a fingerprint. When we consent to biometric data collection, we're rarely consenting to what the data will eventually be used to reveal — because the inference capabilities keep expanding long after the data was originally collected.
In the World
In 2021, a company called Clearview AI was found to have scraped more than three billion facial images from social media platforms without consent, building a searchable database that it sold primarily to law enforcement agencies. The implications became vivid when journalists began testing it: a photo of a stranger's face could return their name, address, and social media history within seconds. What made Clearview particularly unsettling wasn't the surveillance itself — face recognition technology had existed for years — it was the retroactive reach. People who had posted photos a decade earlier, before this kind of search existed, suddenly found themselves enrolled in a permanent identification system they'd never agreed to. The data had been collected in one context (sharing a photo with friends) and repurposed in a fundamentally different one (law enforcement identification). This is what privacy scholars call contextual integrity violation: information behaves differently when it moves between contexts, and biometric data moves silently. Several US states subsequently sued Clearview and won settlements requiring the company to restrict access. Illinois, under its Biometric Information Privacy Act — one of the strictest such laws in the world — allowed individuals to sue directly. Clearview was banned from selling its database to most private companies in the US. But the images already scraped remain scraped. There is no delete button on a face.
Why It Matters
Most of us have already handed over biometric data — to unlock our phones, board a flight, clock into work, collect a gym membership, or cross a border. The question isn't whether to engage with biometric systems at all; for most people in most places, that ship has sailed. The more useful question is whether you understand what you're actually exchanging. The practical upshot is this: when you're asked for biometric data, it's worth treating it with the gravity of a permanent disclosure, not a temporary convenience. Ask whether the system genuinely requires it — often a PIN or card would do — and where the data is stored and for how long. Opt out when the option exists. Prefer systems that store biometric templates locally on a device rather than on a remote server. More broadly, this is a prompt to think about the gap between what data is collected and what it will eventually be used to infer. The body has always been legible to those close enough to read it. What's new is the scale, the permanence, and the fact that the reading is now automated, sold, and largely invisible.
A Question to Ponder
If the value of a biometric identifier comes precisely from its uniqueness and permanence, who should have the right to decide when and where that identifier gets used — and does consent given once, in one context, ever really transfer to another?
Get a new one of these every morning.
Start learning with Thinkable