Biometrics
Introduction
Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall. Businesses now use biometrics to regulate access to buildings and information. Governments are contemplating the inclusion of biometric identifiers in passports, driver's licenses, and possibly a future national ID card. Digital video surveillance is spreading in private and public places.
However, biometric technologies incite fears of constant supervision, profiling and control, leading to a loss of individuality, privacy and freedom. Many people feel uneasy being scanned and are alarmed about having their bodily data digitally stored in large databases along with sensitive personal information. Many questions arise: Can we trust the accuracy of biometric technology? Who controls the collection of biometric data? And who has access to the databases and for what purpose?
This webpage addresses issues surrounding biometric technologies and their implications for individual privacy.
See also: National ID card
F.A.Q.
What are biometric systems?
Biometric systems are automated, mostly computerized systems using distinctive physio-biological or behavioural measurements of the human body that serve as a (supposedly) unique indicator of the presence of a particular individual.
The October 2003 Interim Report of the Standing Committee on Citizenship and Immigration defines biometrics as "the technology that takes physical or behavioural characteristics of individuals and converts them into digital data. They are then encrypted into a system, which can be an individual card, from which subsequent comparisons are made".
More definitions:
Most biometric systems do not only measure and record biometric characteristics of a person, but match the obtained biometric data to a database containing additional information about the individual in question, depending on the purpose of the system in use. This database can contain membership information, health information, access rights etc. The possibilities are virtually endless.
Another characterisation of biometric systems is the distinction between one-to-one (1 to 1) matching and one-to-many (1 to n) matching. The former is often called 'verification' or 'authentication', the latter 'identification', although the terminology varies in biometrics literature. One-to-one matching means that the biometric data obtained by the on-the-spot scan is matched to only one sample stored in a database or card chip. If the scan and the sample match, the person is positively identified. One-to-many matching means that the biometric data obtained by the on-the-spot scanner is matched to a multitude of stored samples and the system is trying to find the right match, or at least the best match.
More information about the distinction between the two methods can be found at the Avanti website.
Other resources
Is biometric information necessarily associated with an identifiable individual?
Yes. It is the very purpose of biometric data to establish a connection between an individual and additional identification information, for example a name or a membership number.
Proposals to implement an encryption regime for biometric data do not alter the fact that even encrypted biometric data are associated with an identifiable individual, although the association is not normally discernible by someone who doesn't possess the decryption key. Therefore, encrypted biometric data is different from 'anonymized' personal data, where for example the purchase history of a customer is stripped of the customer's name and thus impersonalized. Whereas anonymized data cannot be traced back to the originating individual once the link to that individual is destroyed, biometric data is always traceable to the originating individual.
For what purposes are biometrics used?
Biometrics have actual and possible uses wherever it is necessary to authenticate or identify an individual. Biometric access systems aim to substitute 'manual' authentication and identification with an automated system.
Uses of biometric systems can be divided into three major categories; however, the boundaries between these categories are permeable and biometric systems often fall within more than one category.
Firstly, biometric systems can be used as physical access granting systems. The biometric identifier serves as the key to open doors to buildings and vehicles or to gain access to computers and other devices.
Secondly, biometric systems can be used to establish entitlement to services and rights that are restricted to a certain group of individuals. In this case, the service or right in question is only provided or granted to individuals that are identified as belonging to the group of recipients and rights holders. Examples include social services (prevention of welfare fraud), the right to vote (voter registration), right of abode and work (immigration), and all kinds of private membership services or contractual rights.
Thirdly, biometric systems can be used for the recording and association of facts. Such uses include employee attendance monitoring, surveillance of public places, forensics, archiving and retrieving personal information such as health records.
Another overview of various uses of biometric systems:
Are photographs biometric information?
Speaking of biometrics, people often think of fingerprints, iris scans, hand geometry and DNA samples. Photographs are often viewed as not falling under the definition of biometrics as biometrics have to include some form of automated recognition system. While this view might be valid with respect to analogue photography, it is not so with digital photography. Given improvements in digital scanning technologies, even traditional photographs should be treated as biometric information.
Is my signature biometric information?
As with photographs, people tend not to think of signatures as biometric data. This can be true for analogue renditions of signatures, but even then signatures can be scanned and stored digitally.
When signatures are used as biometric identifiers, the systems collecting the data often not only collect the image of the signature, but record the letter sequence, timing and pressure patterns as unique identifying information of the person giving the signature. While this additional information may not be collectible from paper signatures, the use of digital signature pads is becoming more and more widespread, as anyone who has ever received a UPS or Purolator delivery knows.
Who is allowed to collect my biometric information?
The answer depends on what kind of biometric information is being collected, and under what circumstances. Also, a distinction has to be made between consensual and non-consensual collection of biometric information.
Consensual collection
Anyone can collect and store biometric data, if a person validly consents to its collection. With respect to digital photographs, this is already done on many occasions: Biometric data are being collected by credit card companies (photo credit cards), passport authorities (passports), motor vehicle departments (driver's license), universities (student cards), libraries (patron cards), public transportation (bus passes) etc.
Non-consensual collection
Non-consensual collection of biometric data can be divided into overt collection (with the knowledge of the individual, but against his or her will) and clandestine non-consensual collection (collection unbeknownst to the individual).
Overt non-consensual collection of biometric data occurs most frequently in surveillance and forensic contexts. The collection of data is conducted by police, court officers or representatives of government agencies and has to be mandated by statutory or common law in order to be legal.
Overt non-consensual surveillance is also conducted by private entities (e.g. CCTV systems visible to patrons). Surveillance proponents might argue that private surveillance systems that are not hidden from the customer constitute consensual collection of biometric data. However, this argument is weak as the alternative is not to enter the premises at all. This might not be a viable option if someone needs to return an item or has to contact an employee in person. In addition, unless there is a warning of the use of surveillance systems before the patron enters the premises, the collection of data potentially has already taken place by the time the patron spots the cameras.
It has to be said that in the private surveillance context, the photos and video images gained by surveillance systems are seldom used to automatically identify individuals. This requires digital image capturing and sophisticated recognition software. However, it can be expected that future technological developments make the transformation of surveillance systems into instant identification systems more likely.
Clandestine non-consensual collection of biometric data is also mostly conducted in the course of surveillance and during forensic investigations. Surveillance may be conducted by police (e.g. videotaping demonstrators) or by private entities (hidden CCTV, private investigators). Biometrics also play a big role in forensic investigations, where police try to establish facts (e.g. presence at a crime scene) in connection to known or unknown individuals.
What problems arise when biometric data are collected with consent of the individual?
There are two major problems with the consensual collection of biometric data.
Firstly, consent is not always given freely, especially in situations where the service that requires the collection of biometric data is essential. For example, if the monopolist public transportation company requires the collection of a digital photograph for issuing monthly bus passes, there is no real choice regarding collection of the biometric identifier, unless the person in question is able to afford a car or willing to pay the higher rates of single tickets. The problem of free consent also arises when biometric data is collected by employers, universities, passport authorities and motor vehicle departments. Where the alternative to giving biometric information in these cases is losing the job, not attending university, not traveling or not driving a car, consent cannot be considered meaningful.
Secondly, even if consent is given freely, problems can arise with the subsequent use of the information. Because biometric data is stored digitally, it shares the main attributes of all digital information: it is easily copied, it is easily communicated, it is easily searchable and it is easily altered. If a government agency or even a private entity takes a digital photograph of an individual and stores it digitally alongside other personal information, the individual loses control over the data. Even if the individual in question initially consented to the collection of the data, what does this mean in terms of duration of the storage? Who is allowed to access the data and how is it protected against unauthorised access? To whom is it communicated and for what purpose? These and other questions remain in many cases unanswered.
How reliable are biometric systems?
The reliability of biometric systems depends on a number of factors, including the scale of operation and purpose of the system. It depends on what biometric identifier is used (fingerprints, retinal scans, voice or face recognition etc.) and in what way the biometric data is matched against the reference database. It also depends on whether the system uses one-to-one authentication or one-to-many identification (see: What are biometric systems?). One-to-one matching is generally considered more reliable, since the biometric data is only matched against one stored sample, as opposed to a great number of samples in one-to-many identification systems.
Biometrics experts measure the reliability of biometric systems by looking at two measurements: false accept rates and false reject rates. False accepts are cases where the system grants access to a person that should have been rejected. False rejects are cases where the system denies access to a person that should have been accepted.
When using biometric systems, the system administrator faces a trade-off: If the system is set to produce a very low rate of false accepts, this usually comes at the price of increasing the rate of false rejects. Unauthorized individuals are kept out, but a lot of authorized individuals are denied access. Conversely, if the system is set to produce a low rate of false rejects, the rate of false accepts increases. Few authorized individuals are denied access, but this is at the cost of accepting more unauthorized individuals.
Despite widespread belief, biometric systems are far from being foolproof. Biometric systems with false accept rates and false reject rates of 1% are considered reliable now, although such a rate means that out of 1000 individuals, 10 are falsely denied access and 10 are falsely granted access.
Proponents of biometrics claim that reliability can be improved by combining multiple biometric identifiers. But the general trade-off between false rejects and false accepts remains, regardless of how many identifiers are used. In fact, under certain circumstances the use of multiple identifiers can significantly increase the false reject rate without significantly decreasing the false accept rate.
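The trade-off and the two scaling effects described in this section (one-to-many matching and combining identifiers), worked through as an added example that is not part of the original page. The scores and error rates are constructed, and the combination rule (both identifiers must match, with independent errors) is an assumption.

```python
# Added illustration; all scores and rates below are constructed sample values.

# Similarity scores from a hypothetical matcher (higher = closer match).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.58]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.62, 0.19, 0.47, 0.70, 0.33]


def rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) when score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def one_to_many_far(far, n):
    """Chance that a person who is not enrolled falsely matches at least one of
    n stored samples, assuming each comparison errs independently with rate far."""
    return 1 - (1 - far) ** n


def and_fusion(first, second):
    """Combine two identifiers that must BOTH match (assumed rule, independent errors).
    Each argument is a (far, frr) pair; returns the combined (far, frr)."""
    far = first[0] * second[0]
    frr = 1 - (1 - first[1]) * (1 - second[1])
    return far, frr


if __name__ == "__main__":
    # Raising the threshold lowers false accepts and raises false rejects.
    for t in (0.50, 0.65, 0.80):
        far, frr = rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    # A 1% per-comparison error compounds as the database grows.
    for n in (1, 100, 1000):
        print(f"1-to-{n}: false match chance {one_to_many_far(0.01, n):.2%}")
    # Adding a weak second identifier: FRR jumps, FAR moves by a fraction of a point.
    far, frr = and_fusion((0.001, 0.01), (0.5, 0.10))
    print(f"strong + weak identifier: FAR {far:.2%}  FRR {frr:.1%}")
```
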
Why are biometrics controversial?
Biometrics are controversial for many reasons.
The first controversial issue is the collection of the biometric data themselves. Most people regard the measuring of their bodily features as more or less intrusive. Individuals often perceive the collection of biometric data as being catalogued and 'reduced to biometrics' or 'even reduced to a number'. Moreover, many people view the collection of certain identifiers such as fingerprints or facial patterns as stigmatizing and feel they are being treated 'like a criminal'. While psychological factors play an important role in these perceptions, they should not be dismissed lightly as being 'merely emotional'. To many, the sense of privacy manifests itself in a feeling of intrusion or exposure.
Another issue has to do with the fact that biometric data are digitally stored. Digital information is easily copied, transmitted, altered and searched. Biometric databases can be merged or cross referenced with other biometric or non-biometric databases to gain even more information about individuals. Biometric data are particularly useful for data mining and cross referencing of databases, since they represent a unique identifier that does not change over time. While names, addresses, membership numbers or user handles can change, biometric data stays fixed, making it an extremely reliable and thus a valuable 'commodity'.
Another problem is posed by the fact that biometric data cannot easily be substituted because every person has only one set of biometric identifiers throughout their life. Unlike credit cards, passports and driver's licenses, which can be relatively easily invalidated and replaced in case of loss or theft, such a replacement is not possible with biometrics. Once a biometric identifier is compromised, it stays compromised. Therefore, all attempts to use biometric identifiers instead of replaceable identifiers must raise concerns.
Further controversy is caused by the automation of identification processes. Biometrics make it possible to discard the human factor and let scanners and computers take over the task of identification, and with it ultimately the task of granting or denying certain rights. While the whole point of using biometrics is avoiding human error (and even corruption), questions remain: What happens if the technology fails? Who programs and watches the machines? Who is accountable? The more authorities and private entities transfer important decisions over to computer systems, the more damage is done when the systems fail ('you can't argue with a machine').
See also: Biometrics and Policing: Comments from a Privacy Perspective (pages 10-12)
Could reliance on biometric systems alleviate the problem of identity theft?
Biometrics have the potential to provide public and private entities with additional means to identify individuals and therefore to make it harder for criminals to gain access to personal information in order to defraud credit card companies, banks, retailers or government agencies.
However, ID theft occurs in a number of different ways, as a result of a number of different "leak-points" - including theft by those with access to the data, and hacking into computer databases. Even the strongest biometric system of authentication cannot close all of the gaps which make ID theft possible. See PIAC's 2003 report on identity theft for more information on how ID theft occurs.
Moreover, biometric systems are not foolproof. As with all security enhancing systems, success is only temporary. Certainly, increased use of advanced biometrics could make it harder for the 'ordinary fraudster' to commit identity theft. However, more sophisticated circumvention methods will be developed by people with enough resources and criminal energy. This will amount to a 'weapons race' that can already be observed in other fields of security technology, such as copyright protection software. Usually, one does not have to wait long until the latest technological security gadget is cracked, inspiring the development of new security measures, and so on.
Furthermore, the widespread belief that biometric identification is the solution to identity theft can have a detrimental effect on people's awareness of the remaining dangers. If biometric systems are overly trusted, people are likely to act less carefully. Also, with increased reliance on biometrics, it is harder to correct errors or reverse consequences of identity theft that occurred despite heightened security.
An additional concern is that biometrics will only replace one devil with another. Even if biometric systems turn out to be a useful weapon against false impersonations, their widespread use might come at the expense of privacy rights. The trade-off then will be between decreasing the rates of identity theft and increasing the invasion of the private sphere.
Online Resources - Biometrics
Privacy Commissioners and Ombudspersons
Other:
This page last updated: June 2, 2007
Webpage URL: http://www.cippic.ca/index.php?page=biometrics/