Go-Ahead for MaaS Providers to Collect User Biometrics in Russia
Russian taxi and short-term car rent providers will be given a legislative permission to use the biometric technology ahead of other industries.
A bill issued by the federal government in this November, due in March 2022, states that such companies will be allowed to use personal biometrics for user identification and authentication purposes. While the regulators reserved details for the future, it is known that Russia aims to leverage use of biometric authentication to up to 80% of all passenger trips by 2030. The biometric technology’s vital role in future hassle-free travels is generally acknowledged. “Potentially, using biometrics can leverage quality of user verification which, in turn, can simplify user registration procedure,” said Ivan Nikitin, chief product officer and chief analytics officer at BelkaCar.
To the authorities, a stronger yet rationale can be road safety because both industries are reputedly attractions for bad drivers. According to Moscow’s department of transport, drivers in carsharing and ride-hailing are, correspondingly, twice and thrice as likely to cause an accident as private car drivers. Other studies such as the one conducted by the University of Prosecutor’s Office of Russian Federation suggested that this reputation is caused, to a large extent, by a fraction of illegal service users, typical examples of whom are teenagers or street racers using a high-jacked carsharing user account and taxi drivers who use another driver’s ride-hailing account because they don’t qualify for this job. “Carsharing user identification issue exists, indeed, because hijacked consumer accounts can easily be bought online [in Russia],” said Evgeniya Ponomareva, senior business development manager at Kaspersky. “Taxi drivers are also regularly caught on passing their ride-hailing accounts on to other drivers.”
Although a number of obstacles were put before the malefactors in the past two or three years, new incidents of misconducts continue to emerge with a worrisome frequency because the companies lack a technical capability to spot out such instances. Besides, policies such as sorting out user groups with higher accident rates discriminate against some of the good users, for example, younger drivers with no driving history. Biometric authentication can resolve these conflicts.
However, before the government can reach whatever it aims at with the new bill, issues in public trust, data practices and cyber-security must be resolved, interviewed specialists say. Otherwise, the initiative would face new risks in security and people’s unwillingness to use biometric options as well. A fresh example of the latter can be Moscow’s subway facial payment project that failed to expand beyond early adopters. Launched city-wide last October with cameras installed on turnstiles for passenger authentication and facial payments, it initially enjoyed much enthusiasm which, however, later transformed into a rather sluggish uptake by mainstream passengers. In the first six weeks after the launch, some 160,000 trips employed the biometric service, translating into approximately 1-in-2,000 subway trips.
While it is too early to draw definitive conclusions, a lack of adequate legislative protection of personal data and privacy is a possible root cause evidenced in many studies. Without it, people shun giving out sensitive information such as their biometric features. In practice, the average user can do little to find out if a certain service provider sticks to good practices for data management, said Vladimir Pedanov, CEO at Autovisor. In this situation, most consumers found their choices on the history of data breaches and a company’s reputation.
The taxi and carsharing providers are now facing the same and other challenges. One instance is a lack of a unified approach to data management at the market players. “There’s a number of difficulties of integrating the feature into information systems of the companies,” Nikitin said, “While the modus operandi of user data collection, processing and storage remains unclear both technically and legislatively. Currently, we’re waiting for the [future] subsidiary legislation to clarify requirements, available options and time frames.”
Also, good levels of overall cyber-security must be ensured by the companies before implementing biometric features, Ponomareva said. “Using biometrics can improve driver identification but this may not be enough,” she said. “Unless a proper level of cyber-security is achieved by the providers, the risks of by-passing biometric authentication will persist as well as risks of data leakages and server and app hacks.” In the worst-case scenarios, existence of vulnerabilities can inspire new criminal schemes involving biometrics. She suggested that automakers and vehicle electronics suppliers must redirect development efforts from physical safety to cyber-security of vehicles and seek compliance with the future standard WP.29.
Similarly, other stakeholders including software developers and service providers must seek to improve overall security and the regulation should also provide incentives for it. The biometric technology is no more than a link in the chain which is only strong when all the links are.
