At a recent biometrics conference, Dr. Myra Gray, the director of the Department of Defense Biometrics Task Force, discussed the impending arrival of “ubiquitous biometrics.” She emphasized that biometrics are being widely used for national security, physical access control, and individual identification for countless types of transactions. As this particular conference was focused on implementation of Homeland Security Directive 24 mandating interoperability between certain governmental biometric systems, she and others spoke of the value of ubiquitous biometrics for national security and everyday conveniences.
Dr. Gray is correct about the rapid expansion of the use of biometrics in the public and private sectors. Yet, risks certainly exist, and the laws designed to protect individual privacy vary widely. In some countries, such as the U.S., no federal laws mandate specific protections to mitigate privacy risks in biometric systems, but states appear to be stepping in with their own laws. In others, biometric use must be expressly authorized by data protection authorities—and such authorities only allow certain “no trace” biometrics when stringent requirements are met.
Expanding biometric uses: ID management, fraud prevention, and customer convenience
Companies tout today’s biometric systems as scalable, accurate, and cost-effective and as the best practical way to ensure the accurate identification of an individual and minimize identity theft. More than 100 companies in the UK and Middle East are using a facial recognition system for employee access to construction sites and airports. With a link into the payroll systems, these companies claim reduced paperwork, enhanced accuracy, and elimination of “buddy punching,” i.e., one person clocking in for another. One company claims a four percent reduction in wage payments resulting from minimized wage fraud. Iris recognition systems now capture an iris from three feet away, with people in motion walking toward the scanner. One system can capture the irises of 50 people per minute as they clock in at busy job sites. Medical centers are using biometrics for access to patient records and to confirm patient identity. National Australia Bank is using voice authentication for certain types of phone banking; Middle East banks are using iris recognition at ATMs, and Japanese banks are using palm vein systems, which are hygienic no-touch systems that use infrared light to scan the vein pattern inside one’s hand at ATMs.
Palm-vein and fingerprint biometric systems are being used for employee computer login credentials. In its transition to electronic health records, one medical center in Florida implemented a fingerprint system for employee single sign-on to 25 different applications, with a net savings from the full transition of $500,000. Another biometric system, BioLock, offers a fingerprint system that, the company states, can literally protect every mouse click. An employee scans a fingerprint to log on and scans again for each attempt to access a sensitive transaction, such as a wire transfer, with all attempts logged and users identified.
Schools in the United Kingdom are using children’s fingerprints in libraries and cafeterias. Colleges in the UK are using facial recognition to track class attendance. To minimize fraud in the graduate school admissions process, the LSAT exam collects fingerprints and the GMAT exam collects palm-vein biometric data in more than 100 countries. Apple® iPhoto® and other photo-sharing sites are using facial recognition to match all the faces of a particular individual and group them together into a folder that may conveniently be uploaded to the Web. A company in the Netherlands offers fingerprint biometrics for customer access to fitness centers and swimming pools, linked into payment systems to deny access to anyone whose payment is late. The system can be used by hotels instead of a room key; family members may use their fingerprints for room access and room charges. This system is being used in lieu of loyalty cards; purchases are tracked via fingerprint for coupons and product specials.
With all the proclaimed benefits of biometrics, risks do exist. After all, if an individual’s biometric data is stolen, he or she has no real recourse: a fingerprint cannot be changed or reissued the way a password or card can. Plus, biometrics are being used for automated decision-making in areas that significantly affect our lives, such as boarding a plane, entering a job site, or tracking employee hours for payroll, not to mention law enforcement activities. A stolen identity, a spoofed fingerprint, or a mismatch of biometric data to someone else’s personally identifiable information (PII), all of which have occurred, can result in significant hardship to an individual. The laws around biometrics vary widely, from a free-for-all approach with no laws specifically related to the privacy of biometric data to almost complete bans on certain biometric systems.
U.S. laws concerning biometrics
In the U.S. public and private sectors, various general privacy laws exist that also cover biometrics. For example, the U.S. Government is subject to the Privacy Act of 1974, the E-Government Act, the Federal Information Security Management Act (FISMA), and numerous OMB memoranda, which collectively mandate that data only be collected where it is necessary and relevant, that agencies publish privacy impact assessments analyzing and explaining mitigation measures for privacy risks, and that they publish privacy policies and implement comprehensive information security programs, among other things. In the private sector, sector-specific general laws such as HIPAA and the Financial Services Modernization Act (Gramm-Leach-Bliley Act) would cover biometric data. However, no federal law exists that directly addresses privacy issues in the use of biometric data, e.g., whether children’s fingerprints should be used in schools or libraries, what security must surround biometric data, what notice should be given, and whether consent must be obtained.
Illinois has implemented such a law. The Biometric Information Privacy Act, 740 ILCS 14/ (effective 3 Oct. 2008), prohibits private companies from collecting most forms of biometric data unless requirements are met. Companies must develop written public policies establishing retention schedules for permanently destroying biometrics when the initial purpose for which they were collected has been satisfied, or at the latest, three (3) years after the individual’s last interaction with the company. Before collecting biometrics, companies must provide certain notification to data subjects and receive a written release from the subject. Companies are prohibited from selling or otherwise profiting from biometric data and are prohibited from disclosing biometric data to third parties without receiving the subject’s explicit consent, with few exceptions. Certain security standards must also be met.
A bill introduced in January 2010 in New Hampshire, HB1409, was even more restrictive. Government agencies and private entities would have been prohibited from using identification cards (other than employee identification cards) and identification systems that require biometric data. They would have been prohibited from requiring an individual to provide biometric data as a condition to obtaining services from or doing business with that entity. Virtually all biometrics would have been covered under the bill, e.g., fingerprints, facial recognition, iris recognition, hand geometry, keystroke dynamics, voice recognition, and DNA. Trade groups opposed it and it was ultimately voted down, yet a proposal of such restrictive legislation suggests that, in the absence of federal law, state legislators may step into the biometric privacy arena in the same way they propelled state laws coast-to-coast concerning data breaches.
European Union laws regarding biometrics
The EU approach stems from the understanding that privacy is fundamental to a functioning civil society and democracy. In addition to identity theft, the authorities fear exactly what Dr. Gray spoke of—ubiquitous biometrics and interoperability of biometric systems. The more ubiquitous this data becomes and the more systems interoperate, i.e., the more one system can read the data contained in other systems, the more likely that data collected for one purpose will be used for other purposes unbeknownst to the data subject. European authorities are concerned about the true loss of privacy; for example, with ubiquitous facial recognition biometric technology, a photo of a peaceful protester could be matched, one-to-many, against a central database; the protester could be identified, then tracked and retaliated against for his/her beliefs. In continental Europe, the typical U.S. corporate model of a biometric system—with an off-the-shelf biometric system collecting images that are then transferred into a central database held in the U.S. or in a conveniently offered cloud somewhere—is frequently rejected by data protection authorities.
Biometric systems in the EU must comply with the EU Data Protection Directive 95/46/EC, member state laws implementing the directive, and, in addition, biometric-specific laws and guidance. The Article 29 Working Party has issued guidance, “Working document on biometrics,” adopted 1 August 2003, as have certain countries, such as France, Belgium, and Slovenia. In several countries, the use of biometrics must be specifically authorized by the data protection authority, e.g., in France, Portugal, and Greece. In many other countries, even without a requirement of prior authorization, a company would be wise to contact authorities to discuss the biometric system before implementation, e.g., Germany. If not, and if the DPA later finds that the system violates law, sanctions could be applied, including possibly the deletion of the biometric data collected, or criminal penalties if willful violations are found.
How to comply with the myriad EU requirements around biometrics? Setting aside general data protection requirements, the authorities tend to focus on several areas when evaluating biometrics:
- Proportionality: “Proportionality has been the main criterion in almost all decisions” by data protection authorities when evaluating biometrics. Art. 29 Working Party “Working document on biometrics,” adopted 1 Aug. 2003, § 3.2. Proportionality entails an analysis of whether the use in question fulfills the desired purpose, whether it is truly necessary or whether a less intrusive measure could achieve the same purpose equally effectively, and whether it is appropriate, i.e., whether the use stands in reasonable relationship to the intrusions it will cause. Chris Kuner, “Proportionality Principle,” BNA Privacy & Security Law Report, 2008. In countries that rigidly apply this principle, mere customer convenience will likely be insufficient; authorities seek a strong justification for biometric use, such as nuclear power plants and airports. The French Data Protection Authority (CNIL) apparently found that the GMAT exam’s use of palm vein technology, which it considers to be a “no trace” biometric, met this threshold; the GMAT uses the palm vein data to protect graduate business schools and school applicants from test impersonations to ensure fairness in the admissions process.
- Biometric types: DPAs are less likely to approve biometrics that leave a trace, i.e., that the user leaves behind wherever he goes, such as a fingerprint or DNA, or that may be collected without a data subject’s knowledge or consent, as facial recognition systems now allow. The CNIL has stated that trace biometrics are only justified by a “particular imperative requirement for security.” “Biometric systems and the French Data Protection Act,” by Guillaume Desgens-Pasanau, head of the CNIL Legal Department, published by DataGuidance, Nov. 2009. Authorities are more willing to accept trace biometrics when the template is embedded in a microchip on a card kept by the data subject, so that the individual retains physical control of the data rather than a central database. Id. “No trace” biometrics are most often approved, i.e., biometric systems where the data subject does not leave a trace behind and for which the data cannot be collected surreptitiously, such as palm vein, hand geometry and voice recognition.
- Security: Biometrics require heightened security measures, but, in addition, the system should include the following features:
  - Keep only the numeric template, not the raw images, to mitigate the risk of another organization misusing the image for other purposes, from identity theft, to a government agency applying its own algorithms to match the image one-to-many against others in its databases. If the company retains only the numeric template and encrypts it, the data is of far less use if stolen. One caveat a practitioner should keep in mind: some template formats can be partially inverted into a usable image, so the encryption and the handling of its keys matter as much as the decision to discard the raw images. The GMAT and EasySecure, the company in the Netherlands offering fingerprints for facility center access and loyalty cards, only retain an encrypted template.
  - Use a deployment-specific, keyed transformation when extracting the template from the raw image, which limits interoperability. In other words, do not store the vendor’s default, unkeyed template format; transform it under a secret held by the deployment so that the data cannot be read and matched by other biometric systems. The protection comes from the secret, not from keeping the algorithm obscure, and rotating the secret and re-enrolling lets the company revoke templates if the store is compromised.
  - Logically separate the biometric data from other PII in databases so that the biometric data is not associated with PII in the database but only with a de-identified unique identifier that, when appropriate, can be matched with the PII. The identifier should be random, not derived from the person’s name, employee number, or the biometric itself.
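The two design points above, a key-dependent template and a biometric store that is linked to PII only through an opaque token, are shown together in the following Python sketch. It is an added example written for this page, not code from any vendor, the GMAT, or EasySecure. The feature vectors are constructed at random to stand in for the output of a real extractor; the template scheme is a keyed random projection to bits (in the style of cancelable or “BioHash” templates), chosen as an assumption to illustrate the architecture rather than any product’s algorithm. Encryption of the template store at rest and management of the deployment key are assumed to be handled by the surrounding platform and are not shown.

```python
"""Added example, not from the original article: a key-dependent binary
template plus a biometric store logically separated from the PII store.

Assumptions (not from the page): the feature vectors are constructed at
random in place of a real extractor, and the keyed random projection is a
stand-in for a cancelable template scheme, not any vendor's algorithm."""
import hashlib
import hmac
import random
import secrets

FEATURE_DIM = 64        # length of the (constructed) raw feature vector
TEMPLATE_BITS = 256     # length of the stored binary template
MATCH_THRESHOLD = 0.25  # max fraction of differing bits for a match


def keyed_projection(deployment_key: bytes):
    """Derive a deployment-specific +/-1 projection matrix from a secret key.

    The same raw features projected under two different keys give unrelated
    bit strings, so a template copied out of one deployment cannot be matched
    by another, and rotating the key (with re-enrollment) revokes old
    templates. Security rests on the key, not on the algorithm being secret."""
    seed = hmac.new(deployment_key, b"template-projection", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [[rng.choice((-1, 1)) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]


def make_template(features, projection):
    """Map a raw feature vector to bits; the raw features are then discarded."""
    return [1 if sum(w * x for w, x in zip(row, features)) > 0 else 0
            for row in projection]


def hamming_fraction(a, b):
    """Fraction of positions where two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


class BiometricService:
    """Two stores joined only by an opaque random token:
      pii_by_token      token -> identity record (name, employee number, ...)
      template_by_token token -> binary template (no image, no PII)"""

    def __init__(self, deployment_key: bytes):
        self._projection = keyed_projection(deployment_key)
        self.pii_by_token = {}
        self.template_by_token = {}

    def enroll(self, pii: dict, features) -> str:
        # Token is random: not derived from the person or from the biometric.
        token = secrets.token_hex(16)
        self.pii_by_token[token] = pii
        self.template_by_token[token] = make_template(features, self._projection)
        return token

    def verify(self, token: str, features) -> bool:
        """1:1 verification: claimant presents a token (e.g. from a badge) and
        a fresh sample; PII is resolved only after a successful match."""
        stored = self.template_by_token.get(token)
        if stored is None:
            return False
        probe = make_template(features, self._projection)
        return hamming_fraction(stored, probe) <= MATCH_THRESHOLD

    def identity_for(self, token: str):
        return self.pii_by_token.get(token)


def constructed_sample(person_seed: int, capture_seed: int = 0, noise: float = 0.0):
    """Stand-in for an extractor: a fixed 'person' per seed plus capture noise."""
    person = random.Random(person_seed)
    base = [person.gauss(0, 1) for _ in range(FEATURE_DIM)]
    capture = random.Random(person_seed * 10_007 + capture_seed + 1)
    return [x + capture.gauss(0, noise) for x in base]


def demo() -> dict:
    """Enroll one constructed subject and exercise the three cases that matter."""
    svc_a = BiometricService(b"deployment-A-secret (constructed key)")
    svc_b = BiometricService(b"deployment-B-secret (constructed key)")
    alice = constructed_sample(1)
    token = svc_a.enroll({"name": "Alice", "employee_no": "E-100"}, alice)
    results = {
        # same person, fresh noisy capture, same deployment key
        "genuine": svc_a.verify(token, constructed_sample(1, capture_seed=7, noise=0.1)),
        # different person presenting Alice's token
        "impostor": svc_a.verify(token, constructed_sample(2, capture_seed=7, noise=0.1)),
    }
    # Copy A's template into B's store: even a perfect sample of Alice fails
    # there, because B's key yields an unrelated projection.
    svc_b.template_by_token[token] = svc_a.template_by_token[token]
    results["cross_deployment"] = svc_b.verify(token, alice)
    # PII is reachable only through the token, never stored beside the template.
    results["pii_resolved"] = svc_a.identity_for(token)["name"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The threshold of one quarter of the bits is a constructed value for the sample data; a real deployment sets it from measured false-accept and false-reject rates. The token, not the biometric, is what the access-control or payroll system stores, so an export of that system carries no biometric data, and a dump of the template store carries no names.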
Given current technologies, biometrics are rapidly being implemented, but companies face risks posed by the inherent sensitivity of a measure of an individual’s behavioral and physiological characteristics and the consequences in the event of data loss, misuse, or accidental mismatch. Furthermore, they face risks posed by the variety of applicable laws and the unknown future laws that could be enacted, such as that proposed in New Hampshire. These risks can be mitigated with careful planning. Companies should design the more stringent privacy and security controls into new biometric systems. They should choose the least intrusive biometric to fit their particular needs, retain only numeric templates, properly secure data with encryption, avoid interoperability, and of course, fulfill the usual requirements, such as implementing comprehensive information security programs, providing effective notice to data subjects, and capturing consent before biometric collection. In doing so, companies may confidently discuss their systems with European regulators and U.S. legislators, explaining the promise of their biometric system to actually protect identity and enhance consumer convenience.