Identity is increasingly confirmed by something a person is rather than something they know. A face, a voice, the particular patterns of a fingerprint: these are used, more and more, to verify that a person is who they claim to be. The appeal is obvious. They are convenient, and they are difficult to forge.

But they have a characteristic that distinguishes them sharply from older ways of confirming identity, and it deserves attention. A traditional credential can be changed. If a password is exposed, it is replaced, and the exposed version becomes worthless. A biometric cannot be changed. A person has one face and one voice. If the record of them is exposed, there is no replacement to issue.

This makes the permanence of biometric information a particular kind of exposure. Most exposure can, in principle, be addressed: information can be removed, reduced, made harder to reach. Biometric information, once it has been captured and has circulated, is exposed for good. The problem cannot be undone, only managed.

It is compounded by how widely such information is now collected. A face and a voice are recorded in many ordinary settings, and the more places that hold a person's biometric record, the more points exist at which it could be exposed. Each is permanent in the same way.

This is not an argument against biometric verification, which is genuinely useful. It is a reason to treat biometric information as a distinct category in any assessment of exposure, and a uniquely serious one.

With most exposure, the question is what can be removed. With this, the question is different and harder. It is knowing what has been captured, understanding where it sits, and accepting that the appropriate response is careful management rather than removal, because removal is not available.