Sberbank is fraudulently getting its clients to agree to biometric ID usage

Note: this is a translation of this article https://habr.com/ru/post/457686/

TL;DR: Sberbank is getting consent for collecting and using your biometric data without properly informing their clients about it.

Introduction

There is a Unified Biometric System in Russia, which is controlled by Rostelekom. Sberbank is against the UBS since it has its own system in which there are already “Millions” of clients.

But wait…

Did millions of Sberbank clients in Russia really gave their informed consent to provide their biometric data?

Do they know about it?

I recently “gave consent” (not consciously, of course), and I want to tell you about it.

Procedure

Everything began when “Sberbank Online” app offered me to give them my biometric data. I’ve repeatedly pressed “Not now” button, but didn’t refuse entriely, because I wanted to know more about how it will be collected.

Later I’ve visited Sberbank to withdraw my money from my bank account. And something miraculous happened.

Cashier asked me to insert my bank card into the terminal to confirm my withdrawal procedure. I’ve looked at the terminal and there was a really small message which contained something about biometrics.

This was my justified and informed consent: the cashier said “Insert your card”.

One more time: the glorious Sberbank system (“Blockchain”, “Big Data”, “Machine learning”) just showed a message “He should sign the agreement”. This message was shown to the cashier and she, without explaining anything, just said “Enter your PIN and agree”.

Message for the money withdrawal looks differently, of course.

Could I entirely read what exactly I was agreeing to? Of course not. This is a small screen, and the agreement, I think, is fairly long. Is it OK to collect consents that way? Of course not. It should have been a justified and informed consent.

Sberbank support

“Blockchain”, “Big Data” and “Machine learning” couldn’t help a support agent to get the information about whether or not I’ve given my consent. They told me to call the hotline.

The hotline said that in fact I’ve given my consent, but they can’t tell me where and when. Small wonder.

Conclusions

  1. Sberbank collects your consent on biometric data usage with a terminal and a PIN code.
  2. Don’t think that you will be able to actually read it, there will be 2-3 lines of text at the most.
  3. Of course the cashier won’t explain you anything about what you’re signing (and it’s not clear if she actually knows about it either)
  4. That’s why Sberbank has millions of clients who “agreed” to send their biometric data.

Leave a comment

Your email address will not be published.