Talking About Biometrics and Privacy

Have you heard about biometrics and wondered what they are or how they are used? This brief summary will provide a starting place to help understand why biometrics are increasingly being mentioned in conversations about identification and security.

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

 

What is a biometric?

A biometric, or biometrics, are biological (usually anatomical and physiological) and behavioural characteristics that can be measured and used for recognition. Biometrics are commonly used as an automated method of identifying individuals based on measurable characteristics.

 

What types of biometrics are there?

Biometrics span a wide range of individually-specific characteristics including: fingerprints, hand geometry, voice recognition, face measurements, iris scans, and DNA. The reason as to why these characteristics are used for biometrics is the simple reason that they are all unique to each individual, usually determined by each person’s unique genetic makeup. As a result, no two people will have the same fingerprints, face dimensions or DNA, making it easy to discern individuals from each other or to identify specific people from a database.

All of these forms of biometrics are in varying stages of development. Dactyloscopy, or fingerprint identification, dates back to over a century, whereas iris scans and DNA identification are much more recent introductions to the biometric identification process.

 

How and where are biometrics collected and used?

The iris, the face, DNA, and even fingerprints require sophisticated methods of differentiation and identification, since a person cannot differentiate and identify someones iris or DNA just by looking at it. Biometrics are generally used for security and identification purposes, and are used to restrict access to physical locations and to information, or to determine an individuals presence in a database. Fingerprinting, a common form of biometric, is used by law enforcement when building a database of criminal offenders.

Biometrics are usually collected through the use of sensors. Sensors in the form of scanners can take fingerprints, sophisticated cameras can be used for face recognition, and telephones can be used for voice recognition. Biometric technology is currently in use by law enforcement, at airports, and even in the workplace. Biometrics is even in use at Disney World theme parks to speed up the process of entering its parks by season-pass holders.

In Canada, biometric identification has been in use by some of its agencies for quite some time. Canada has been collecting the fingerprints of refugee claimants, detainees, and individuals ordered to be deported from Canada. The Canada Border Services Agency (CBSA) has been collecting the fingerprints of detainees and people under removal order from Canada since 1993.

Since 2006, fingerprinting and iris scans have been required for staff at the Canadian Air Transport Security Authority who work in secure areas at airports. “Trusted traveler programs” such as NEXUS and CANPASS have been offered by the CBSA for a number of years. These programs collect and store traveler biometrics such as iris scans to confirm the identities of “low-risk travelers”.

As of 2013, the “Temporary Resident Biometrics Project” (Citizenship and Immigration Canada) requires some foreign nationals to give their fingerprints and photographs with their applications to enter Canada.

In the United States, police have been actively collecting biometric data on the job with devices such as the “Mobile Offender Recognition and Information System” (MORIS). MORIS is a smartphone app that collects fingerprints and iris scans. In recent years the U.S. Federal Bureau of Investigation (FBI) has been developing what they call the “Next Generation Identification” database which contains fingerprints, palm prints, iris scans, voice data, and photographs.

Smartphones have also begun to incorporate biometric technology. Apple’s iPhone as an example now has the capability to store a user’s fingerprint to access the smartphone instead of the use of a password.

 

Are biometrics accurate?

Biometric identification is considered accurate, but the accuracy rates vary depending on the particular biometric and the means of data collection. Biometric accuracy is further reinforced when a number of biometric identification methods are used in tandem, reducing the margin of error dramatically. That being said, it is possible for an error to occur, or for a person to be mismatched with someone else. Face recognition, for example, can be complicated by simple things such as the wearing of a hat or the use of glasses. And although the likelihood is low, the consequences of false negatives (where a correct identification fails to be made) or false positives (where an individual is falsely identified as someone else, on for example, a no-fly list or watch list), may be severe for individuals.

There are instances when biometrics can be rendered inaccurate. One of the few times that biometric accuracy can be negatively affected is in the biometric process itself – that is, not due to the person’s trait, but in the way in which it is collected and stored. An error in the fingerprinting process or during an iris scan can potentially render the collection of that data useless. These kinds of collection errors may be reduced by improved equipment, improved collection practices, and well-trained collection agents. Thus, errors may be reduced through the use of expert finger printers, by collecting prints from more fingers, or by automated (computerized) collection through the use of scanners.

 

Do biometrics present risks to privacy?

Biometrics most certainly do present potentially damaging risks to privacy. The collection and storage of individually identifiable data combined with new technology presents new challenges as questions arise regarding the state of privacy in the modern age of surveillance. Biometrics can be very useful against identity theft, fraud, terrorism, and other crimes, yet the potential problems that arise from biometrics collection and use are concerning.

The “Domain Awareness System” in New York City is a network of over 3000 surveillance cameras throughout the city. The system can be used by law enforcement to go back and view recordings in the event of a crime, a useful tool in crime prosecution. When combined with face recognition technology, the character of the system changes dramatically. The daily routine of every person recorded on those surveillance cameras can be tracked physically, and their biometric identifiers stored without their consent or knowledge.

With iris scans, consent is essentially unavoidable since in order to scan an individual’s iris the scan needs to be performed from a very close proximity. Technology is currently being developed that will be capable of retrieving iris scans in a crowd from a distance of 10 metres. This development will raise further questions about privacy and consent, and how much of your personal information is available to prying eyes. With a camera that can scan a person’s iris from 10 metres away, there is no physical barrier forcing the scanner to request consent anymore.

Whenever data is considered valuable enough to collect and store, threats arise to its security and integrity. Biometrics involve very unique and personal data (which cannot be changed) that identifies each individual. If the information stored in a digital file were accessed and used maliciously, the results could be devastating. These issues add a new dimension to concerns about identity theft, since your biometric identifiers cannot be reissued or replaced.

In response to the increased use of biometric data in everyday life, the Office of the Privacy Commissioner of Canada (OPC) makes a number of recommendations with regards to biometric collection and use. Among its proposals, the OPC recommends that:

• Summaries of biometric data are recorded rather than images in order to prevent the use of biometric data for unauthorized purposes
• Biometric data be stored locally rather than in central databases in order to reduce the risk of data loss and the inappropriate cross-linking of data across systems
• The use of biometric data to authenticate the identity of individuals rather than the use of biometrics to identify individuals. Authentication involves “one-to-one” matching against a set of biometric data rather than using a sample against all records within a database.

 

Resource links for more information:

Scientific American (2013). “Biometric security poses huge privacy risks.”

Electronic Frontier Foundation. “Biometrics” 

Subcommittee on Biometrics, United States National Science and Technology Council. “Biometrics Frequently Asked Questions.” 

Office of the Privacy Commissioner of Canada. (2013). Automated Facial Recognition in the Public and Private Sectors. 

Also, see our TalkRights post listing news articles and academic resources to learn more about the ways biometrics are discussed in Canada and beyond.