Biometrics were once the stuff of action movies. The hero employs contact lenses to pass a retinal scanner, or makes fake fingerprints out of a waxy substance that he wears over his own prints. Maybe he has a high-tech recording device in order to pose as someone else for voice recognition patterns.

The reality of biometrics isn’t quite as action-packed, but it is every bit as concerning, especially to privacy and security experts. For much the same reason that hackers started going after Social Security numbers instead of credit card numbers or bank account information—namely, that your Social Security number is usually a one-time issue that’s with you for life and therefore won’t be changed or expire—your biometric information is a permanent part of you. You won’t be cancelling your fingerprints and ordering new ones, for example, if a thief makes off with them.

At the same time, that’s what security advocates also like about biometrics. They can’t easily be copied, no matter what a Hollywood spy movie tells you, and they’re largely unique to you in a way that a number or a password isn’t. Or are they? Some industry watchers believe stored biometrics pose a serious threat to consumers in this record-setting era of data breaches; if your Social Security number has been a huge payday for a hacker, imagine what getting his hands on a copy of your fingerprints or a blood sample could be worth.

Fortunately, reality is yet again less exciting than fiction. When your fingerprints are taken for comparison purposes, which lets you press your fingertip to a scanner in order to later prove your identity, most companies are actually storing the encrypted authorization code that this generates, not a copy of your actual fingerprints.

So what’s the real concern? If the biometric information itself isn’t stored where a hacker could get to it, why aren’t more companies employing this highly secure form of identification?

There are a number of concerns right now with the lack of regulation, meaning the law hasn’t yet caught up to the technology. Are companies that gather your physical data allowed to sell it to advertisers the way they can sell your address? Is a company that takes a blood sample obligated to run health screens on it and inform you of a medical condition? For that matter, is your insurance company allowed to alter your coverage because the eye scan you gave your bank reveals early stages of glaucoma? Those might seem like far-fetched and somewhat ridiculous questions for now, but without regulations to answer them, skeptics say we have every right to be concerned.

As with all new forms of technology, there’s going to be a lapse between deploying the technology in the real world of the consumer sector and discovering what laws we need in order to protect us. Hopefully, previous gaps in the technology-regulation sphere will serve as a guide to speeding up that process.
