Privacy Issues in the Application of Biometrics - PowerPoint PPT Presentation

Provided by: pagesCpsc2
1
Privacy Issues in the Application of Biometrics
  • Marina Gavrilova

2
Outline
  • Introduction
  • Privacy from the philosophical concept to human
    rights
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

3
Introduction
  • Biometric methods of authentication offer a more
    secure link between a specific individual and a
    non-human entity. Numerous trials and deployments
    demonstrate the wide range of possible
    applications:
  • restriction of access to physical spaces and
    electronic resources to those individuals who
    have been previously cleared
  • denying the opportunity for potential fraudsters
    to assume multiple identities
  • enforcing accountability for individuals
    undertaking electronic transactions
  • matching facial images from CCTV cameras to
    databases of criminals

4
Introduction
  • Concerns appear to centre on the threats to the
    end user's privacy.
  • For many, the widespread use of biometric
    technologies in films and the perception of these
    techniques as perfect have reawakened the fears
    of all-knowing computer systems able to track
    every citizen and consumer, perhaps placing the
    reputation of the individual at risk.
  • Fears also attach to the future possibilities of
    the use of DNA data in tracking people, and of
    the linking of biometrics with parallel
    developments in other surveillance technologies.

5
Introduction
  • Both during the Second World War and under
    post-war Central and Eastern European
    governments, manually operated filing systems
    tracked dissident citizens and members of
    minorities.
  • Such notions were first codified in the 1950
    European Convention on Human Rights (ECHR).
  • Two decades later, with the commercialization of
    large mainframe computers, the first laws to
    protect personal data about individuals were
    drafted, based upon an internationally agreed
    framework but with a local interpretation.

6
Introduction
  • With the expansion of the European Union, the
    need for harmonization of these laws required a
    European-wide legal consensus.
  • The 1995 Personal Data Directive and its
    transposition into national laws offer the
    legislative underpinning to any discussion about
    the use of biometrics in modern systems in
    Europe.
  • However, its approach predated the age of the
    Internet, and its complexity rendered it opaque
    to the average person.

7
Introduction
  • Biometric technologies are almost unique as a
    security mechanism in the need for cooperation by
    the end user to ensure their correct operation.
  • Some user concerns can be addressed directly, for
    example by studies into any health and safety
    issues, although it is clear that attitudes may
    take time to change.
  • Those concerns that are less clearly articulated
    will require more extended studies.

8
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

9
Privacy - from philosophical concept to a human
right
  • The notion of individual privacy appears to be a
    modern phenomenon.
  • In less mobile societies with poor roads, few
    people would venture outside their immediate
    neighborhood, and the arrival of fairs or
    itinerant travelers was subject to closely
    circumscribed laws.
  • In these societies, the daily lives of the
    ordinary people were led without much privacy.
    For example, the strong Puritan tradition in the
    17th century in England and the American colonies
    seemed to encourage surveillance by one's
    neighbors.

10
Privacy - from philosophical concept to a human
right
  • Shapiro regards the partitioning of rooms in a
    household as the first step to a culture of
    privacy and individuality.
  • Next came the 18th and 19th century improvements
    in road quality and the creation of canal and
    railway networks (the latter going hand in hand
    with the first electronic communications, the
    telegraph).
  • The rapid urbanization of much Western Europe and
    parts of the USA completed the options for many
    citizens to move outside of their place of birth
    and schooling, to assert an individuality apart
    from their kinship groups.
  • The second half of the 19th century saw the
    introduction of the census and codification of
    laws on recording births, marriages, and deaths.

11
Privacy - from philosophical concept to a human
right
  • The 19th century was the time of the first use of
    biometric identities for tracking and recording
    criminals using file systems.
  • Initially this aimed to collect as much
    information as possible about externally visible
    features and easily measurable dimensions,
    Bertillon's anthropometry being the most
    celebrated scheme. This short-lived approach was
    superseded a few years later by the discovery of
    the remarkable individuality of fingerprints.
  • By the turn of the 19th century, Scotland Yard
    had embarked on the use of the hugely successful
    Galton-Henry classification system, and the
    fingerprint as a key forensic tool had arrived.

12
Privacy - from philosophical concept to a human
right
  • With the questioning of the power of a state to
    affect all facets of the life of the citizen, one
    part of the personal privacy debate had started.
    The other aspect, that of giving individuals a
    right over the way the information about them is
    collected and used, was to remain less pressing
    for another half century.
  • In 1950, the participating states of the Council
    of Europe articulated a response in Article 8 of
    the ECHR, guaranteeing a right of privacy:
  • "Everyone has the right to respect for his
    private and family life, his home and his
    correspondence."
  • The Convention offered individual redress against
    governments abusing their authority by an
    ultimate personal appeal to the European Court of
    Human Rights in Strasbourg.

13
Privacy - from philosophical concept to a human
right
  • The increasing prosperity of the 1950s and early
    1960s was accompanied by a belief in the benefits
    of technological progress and organizational
    efficiency. In particular, governments in Europe
    were attracted to the potential of
    computerization of records, such as social
    welfare payments.
  • But the climate of thought amongst Europeans
    changed. Although the events of 1968 were
    characterized as a rebellion by the youth of
    Europe, other currents of opinion were
    questioning the wisdom of concentrating power,
    and the information on which power is built,
    without countervailing checks and balances.

14
Privacy - from philosophical concept to a human
right
  • The world's first data protection act, passed in
    the German state of Hessen in 1970, was directed
    at offering this check on the operations of a
    regional government, but as more countries
    recognized the need for such legislation, the
    scope widened to take in commercial use of
    personal data as well.
  • Increasingly, the limitations of national laws in
    a rapidly globalizing world led to calls for an
    international system for data protection, to
    prevent states with no laws or inadequate laws
    from becoming data havens with no controls on
    the processing of data.

15
Privacy - from philosophical concept to a human
right
  • Although these agreements were influential in
    determining the course of subsequent laws, such
    as the first UK Data Protection Act in 1984, by
    1990 it was clear to the European Commission that
    the lack of a common framework, under which
    personal information could be gathered,
    processed, stored, transmitted and disposed of
    securely, was likely to impede the commercial
    development of both existing and novel services.

16
Privacy - from philosophical concept to a human
right
  • Over the course of the following 5 years, the
    Commission agreed the principles for an EU-wide
    directive, adopted in 1995. This required
    governments in each of the countries to transpose
    the directive into national law by 1998
    (http://ec.europa.eu/justice_home/fsj/privacy/).
  • In spite of this recent agreement, there have
    already been calls to make changes in the light
    of experience in applying the framework
    directive.

17
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

18
The European Personal Data Directive
  • This directive establishes 8 principles of
    personal data protection which determine the
    legality of the processing of such data. Personal
    data must be:
  • Processed fairly and lawfully.
  • Collected for specified and lawful purposes and
    not processed further in ways that are
    incompatible with these (the finality
    principle).
  • Adequate, relevant and not excessive in relation
    to the purposes for which they are collected or
    processed.
  • Accurate (and where necessary kept up to date).

19
The European Personal Data Directive
  • Not kept longer than is necessary for the stated
    purposes (that is, in a form that permits
    identification of the data subjects).
  • Processed in accordance with data subjects'
    rights.
  • Secure (against accidental or unlawful
    destruction, accidental loss, alteration,
    unauthorized disclosure or access, using measures
    that have regard to the state of the art and
    costs of implementation, and ensuring that a
    level of security is maintained that is
    appropriate to the risks represented by the
    processing and the nature of the personal data to
    be protected).
  • May only be transferred to those countries that
    ensure an adequate level of protection for
    personal data.

20
Applying the directive and national laws to
biometric systems
  • Although Data Protection Commissioners recognize
    that biometrics offers a challenge to the legal
    framework on personal data and privacy, to date
    only 3 have explicitly considered the ground
    rules for operation of biometric-enabled systems.

21
Applying the directive and national laws to
biometric systems
  • More recently, CNIL, the French data protection
    commission, has undertaken a major study into the
    privacy implications of biometrics.
  • It found that there was a lack of reliable
    information about how biometric-enabled systems
    operate in practice and confirmed that, in
    general, technologists and data controllers were
    not aware of the rights of end users.
  • In view of the potential harm that could result
    to end users from systems not designed in
    accordance with data protection principles, CNIL
    has proposed a number of measures.

22
Applying the directive and national laws to
biometric systems
  • In its 2001 annual report, CNIL categorized
    applications using biometrics into two broad
    groups:
  • There was no problem with systems where the
    template storage is under the end user's control,
    e.g. stored on a card, a PC, or a cell phone in
    the possession of the user.
  • The second class, where the template is stored in
    a centralized database, is more complex. Where
    the biometric record is of a type that leaves no
    trace or is not easily captured without the
    cooperation of the end user (such as eye-based
    systems or those applying hand geometry devices),
    integrators can use these methods, provided that
    the usual data protection principles, such as
    finality and proportionality are observed. In
    contrast, centralized template storage using
    biometrics that leave a trace or can be easily
    obtained (such as systems with face, fingerprint,
    or DNA recognition) should only be applied in
    high security systems.

23
Applying the directive and national laws to
biometric systems
  • The European Commission funded the BIOVISION
    roadmap project to review the biometric context
    of the directive and national laws, and to
    provide initial materials towards the definition
    of a code of conduct for applications making use
    of a biometric in a privacy-compliant manner.
  • A parallel activity is being undertaken by the UK
    government-managed Biometric Working Group.

24
Biometric data as personal data
  • Perhaps the aspect of personal data protection
    law that has been debated most extensively is
    the question of application of the law to
    biometrics. To what extent is biometric data
    personal data within the meaning of the
    directive and the national laws?
  • The directive defines personal data to be any
    information relating to an identified or
    identifiable natural person, making the
    distinction with legal entities such as
    companies. Furthermore, it amplifies the
    definition by stating that an identifiable person
    is one who can be identified directly or
    indirectly, in particular by reference to:
  • an identification number, or
  • one or more factors specific to his physical,
    physiological, mental, economic, cultural, or
    social identity.

25
Biometric data as personal data
  • Possible personal data that relate to the
    implementation of a biometric can include:
  • The image or record captured from the sensor at
    the initial enrollment.
  • Any transmitted form of the image or record
    between sensor and processing systems.
  • The processed data
  • The stored image or record or template
  • Any accompanying data collected at the time of
    enrollment
  • The image or record captured from the sensor
    during normal operation of the biometric
  • Any transmitted form of the image or record at
    verification or identification
  • The template obtained from the storage device.
  • Any accompanying data obtained at the time of
    verification or identification.
  • The result of the matching process.
  • Any updating of the template in response to the
    identification or verification.

26
Biometric data as personal data
  • Situations where biometric data is not treatable
    as personal data are likely to be relatively
    rare.
  • One case where data is unlikely to fall within
    this definition is for a biometric application
    where all of the following conditions are met:
  • The identity of a previously enrolled individual
    is only represented by a one-way template with
    no possibility of reconstruction of the original
    record.
  • The template could also be generated by a
    sufficient number of other subjects in the
    population
  • The template is stored on a card (or token) held
    by the end user.
  • The comparison, at verification, of the output of
    the sensor with the template, is made on the card
    (or token) itself.
  • All images and records relating to the enrollment
    are securely disposed of at the time of
    enrollment.

27
Biometrics and sensitive data
  • Article 8 of the personal data directive lists
    the following special categories of data that
    demand specific additional attention:
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Data concerning health or sex life
  • In general, the subject should have given
    explicit consent to the processing of such data,
    although there are a number of exemptions from
    this requirement. Note that the processing of
    data relating to offences, criminal convictions
    or security measures may only be carried out
    under the control of an official authority.

28
Biometrics and sensitive data
  • Those aspects that might impact on the operation
    of biometric methods are racial or ethnic origin
    and data relating to health. It is inevitable
    that the initial photographic image captured by
    the camera in a face recognition system will have
    some indication of race.

29
Biometrics and sensitive data
  • Most biometric systems have been developed,
    validated and tested by organizations in the USA
    and Europe. It is not inconceivable that the
    algorithms that are used operate preferentially
    for ethnic groups that are highly represented in
    those geographical areas and that, for example,
    directed searches for templates of facial images
    relating to non-Caucasians could be successfully
    initiated, albeit with results output on a
    probabilistic basis.

30
Proportionality principle
  • A fundamental principle in European law is that
    of proportionality, which some writers maintain
    would rule out the use of a biometric method if
    the objective could be achieved in some other,
    less privacy-threatening way.
  • Jan Grijpink describes how a hand geometry device
    is likely to be acceptable for access to
    buildings critical for the operation of an
    organization, whereas access control by means of
    fingerprint biometric to a secondary school might
    be more difficult to justify.

31
First principle compliance - fair and lawful
processing
  • Processing of personal data needs to be carried
    out in a fair and lawful manner. This includes
    the act of obtaining the biometric data in the
    first place. Covert collection of biometric data
    is not permitted unless it falls within one of
    the defined exemptions. Wherever possible, the
    subject's consent should be sought, since that
    consent removes many of the problems for an
    agency deploying a biometric-enabled system.

32
4th principle compliance - accuracy
  • By their very nature, biometric systems could
    occasionally return a false accept and with it
    the possibility of an inaccurate record of
    activity against another individual.
  • Whether this is considered as a failing in
    accuracy or in security (the 7th principle), the
    system designer and implementer should take
    appropriate steps to ensure that the personal
    data of the individual whose identity has been
    assumed is not compromised.
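The false-accept risk described above is a property of the matcher's decision threshold: loosening it to reduce false rejects raises the chance that an impostor's activity is recorded against another person. The following is an added example, not part of the slides, that computes the false accept rate (FAR) and false reject rate (FRR) at candidate thresholds over constructed comparison scores (normalised distances, lower meaning more similar) and picks the loosest threshold that still meets a FAR target. The score lists and the function names are assumptions made for the illustration.

```python
# Added example (not from the slides): how a matcher's decision threshold trades
# false accepts (activity recorded against the wrong person) against false
# rejects. Scores are CONSTRUCTED normalised distances, lower = more similar;
# a comparison is accepted when distance <= threshold.

GENUINE_DISTANCES = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.33, 0.36]   # constructed
IMPOSTOR_DISTANCES = [0.34, 0.38, 0.40, 0.42, 0.45, 0.48, 0.50, 0.52]  # constructed


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) at a threshold.

    FAR: fraction of impostor comparisons wrongly accepted (distance <= threshold).
    FRR: fraction of genuine comparisons wrongly rejected (distance > threshold).
    """
    far = sum(1 for d in impostor if d <= threshold) / len(impostor)
    frr = sum(1 for d in genuine if d > threshold) / len(genuine)
    return far, frr


def threshold_for_far(genuine, impostor, max_far):
    """Largest candidate threshold whose FAR does not exceed max_far.

    Candidates are the observed distances themselves, so the returned value
    is always one that actually separates two observed comparisons.
    Returns None if even the tightest candidate exceeds max_far.
    """
    candidates = sorted(set(genuine) | set(impostor))
    best = None
    for t in candidates:
        far, _ = far_frr(genuine, impostor, t)
        if far <= max_far:
            best = t
        else:
            break   # FAR can only grow as the threshold loosens
    return best


def operating_points(genuine, impostor):
    """FAR/FRR at every candidate threshold, for inspecting the trade-off."""
    return [(t, *far_frr(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


if __name__ == "__main__":
    for t, far, frr in operating_points(GENUINE_DISTANCES, IMPOSTOR_DISTANCES):
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("zero-FAR threshold:",
          threshold_for_far(GENUINE_DISTANCES, IMPOSTOR_DISTANCES, 0.0))
```

With these constructed scores the genuine and impostor distributions overlap (0.34 versus 0.36), so no threshold gives both FAR and FRR of zero; the operating point has to be chosen with the data-protection consequence of each error type in mind, and the records written on a false accept need a correction path.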

33
7th principle compliance - security
  • Requires the controller (the person or agency
    that determines the purposes and means of
    processing of the personal data) to implement
    appropriate technical and organizational measures
    to protect the personal data against:
  • Unlawful destruction or accidental loss
  • Alteration
  • Unauthorized disclosure or access
  • All other unlawful forms of processing.
  • This applies in particular where the processing
    involves transmission over a network. If
    processors are different from controllers, they
    must provide guarantees that the security
    measures are carried out. In addition, a legal
    contract must be in place between the controller
    and the processor. The measures must take account
    of the state of the art and assess the costs and
    risks involved.

34
8th principle compliance - transfer to third
countries
  • Transfer of data to those countries that do not
    have an adequate level of protection is not
    allowed except under specific conditions (Article
    25 of the Directive).

35
Article 8 of the European Human Rights Convention
  • Everyone has the right to respect for his private
    and family life, his home and his correspondence.
  • There shall be no interference by a public
    authority with the exercise of this right except
    such as is in accordance with the law and is
    necessary in a democratic society in the
    interests of national security, public safety or
    the economic well-being of the country.

36
Article 8 of the European Human Rights Convention
  • Wadham and Mountfield comment that the second
    test of accordance with the law requires
  • The need for a specific legal rule to authorize
    this interference
  • Adequacy of access to the specific law by an
    individual
  • The law must be sufficiently precisely formulated
    to allow the individual to foresee the
    circumstances under which the law could be
    applied.
  • Challenges to the legality of biometric schemes
    based upon this right could arise in government
    applications, where the personal data directive
    offers exemptions, e.g. in national identity
    schemes, for security systems in critical
    infrastructures, in the criminal justice system
    and in the provision of medical services.

37
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

38
The role of privacy-enhancing technologies
  • Many innovative services will use personal data
    in order to improve customer experience as well
    as providing valuable feedback to the service
    provider.
  • The European Commission recognized the benefits
    of such innovation, but was also concerned that
    consumers might not appreciate the significance
    of agreeing to such reuse of personal data.
  • It has promoted Privacy-Enhancing Technologies
    (PETs) that would provide a measure of
    protection. Their studies distinguished two types
    of PET:
  • Where the design of a biometric-enabled system is
    tailored to be privacy-respecting using the best
    available technologies.
  • Where measures are offered to the end users
    individually to enable them to protect their
    privacy.

39
The role of privacy-enhancing technologies
  • Biometric devices could be designed in accordance
    with PET principles (at present only one such
    system exists).
  • For biometric-enabled systems to be designed for
    privacy and security, the customer for the
    deployment and the customer's system designers
    need to consider such requirements from the
    inception of a project.
  • An example of the first type is a system that
    stores the template only on a card held by the
    user.
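The design-level PET named here is the same one slide 26 sets out as conditions: the template is stored only on a token held by the user, the comparison is made on the token, and the enrollment image is disposed of once the template exists. The following added example (not from the slides, and not any real biometric algorithm or smart-card API) simulates that match-on-card architecture so the data flow is visible: the back-end registers tokens and logs outcomes but never holds a template. The 64-pixel "image", the one-bit-per-pixel feature extractor, the 20% acceptance threshold and all class and function names are constructed assumptions; making the stored template itself irreversible (the "one-way template" condition) is a separate problem this example does not solve.

```python
# Added example (not from the slides): a toy match-on-card architecture. The
# template lives only on the user's token, the comparison happens on the token,
# the enrollment image is discarded once the template exists, and the server
# receives only an accept/reject answer. Feature extraction, threshold and the
# token are CONSTRUCTED simplifications, not a real biometric algorithm or
# smart-card API; irreversibility of the template is NOT addressed here.

ACCEPT_THRESHOLD = 0.2   # constructed: accept if at most 20% of bits differ


def extract_features(image):
    """Toy feature extractor: one bit per pixel, set when the pixel is bright."""
    return [1 if pixel >= 128 else 0 for pixel in image]


def hamming_distance(a, b):
    """Fraction of positions at which two equal-length bit vectors differ."""
    if len(a) != len(b):
        raise ValueError("bit vectors must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


class Token:
    """User-held card holding the template; exposes only an accept/reject answer."""

    def __init__(self, template):
        self.__template = template      # stays on the token; no getter is offered
        self.attempts = 0

    def verify(self, sample_image):
        """Match-on-card: the live sample comes IN, only a boolean goes OUT."""
        self.attempts += 1
        distance = hamming_distance(self.__template, extract_features(sample_image))
        return distance <= ACCEPT_THRESHOLD


def enroll(image):
    """Enrollment: build the template, hand it to a token, drop the image."""
    template = extract_features(image)
    del image               # the enrollment record is not kept past this point
    return Token(template)


class Server:
    """Back-end that knows which tokens exist and logs outcomes, never templates."""

    def __init__(self):
        self.tokens = {}
        self.audit = []     # (card_id, accepted) only: no biometric data retained

    def register(self, card_id, token):
        self.tokens[card_id] = token

    def authenticate(self, card_id, sample_image):
        accepted = self.tokens[card_id].verify(sample_image)
        self.audit.append((card_id, accepted))
        return accepted


# Constructed sample data: a 64-pixel "image" and two live samples derived from it.
ENROLL_IMAGE = [(i * 37) % 256 for i in range(64)]
# Genuine presentation: the first 6 pixels change brightness side (6/64 bits differ).
GENUINE_SAMPLE = [255 - v if i < 6 else v for i, v in enumerate(ENROLL_IMAGE)]
# Impostor presentation: every other pixel changes side (32/64 bits differ).
IMPOSTOR_SAMPLE = [255 - v if i % 2 == 0 else v for i, v in enumerate(ENROLL_IMAGE)]


def run_demo():
    """Enroll one user, then present a genuine and an impostor sample."""
    server = Server()
    server.register("card-1", enroll(ENROLL_IMAGE))
    genuine_ok = server.authenticate("card-1", GENUINE_SAMPLE)
    impostor_ok = server.authenticate("card-1", IMPOSTOR_SAMPLE)
    return genuine_ok, impostor_ok, server.audit


if __name__ == "__main__":
    print(run_demo())   # (True, False, [('card-1', True), ('card-1', False)])
```

The point to check in a real deployment is the same one the code makes explicit: which component ever holds the template, which one performs the comparison, and what the audit trail contains. If the server can read the template or receives raw samples for matching, the system is in CNIL's centralized-storage class, whatever the marketing says.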

40
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

41
Looking to the future
  • Countries in the EU have chosen to transpose the
    Personal Data Directive in different ways,
    thereby adding to the confusion that the
    harmonization of laws was meant to address.
  • Some states, e.g. UK, Netherlands, decided in
    general to follow the wording of the directive,
    applying it to both the public and private
    sectors, clearly identifying the exemptions for
    government activities in the areas of national
    security, criminal justice, health etc.
  • Germany has delineated its national law into two
    sections that deal with private and public
    applications separately.
  • The Irish bill amends the pre-existing
    legislation on a clause-by-clause basis in order
    to conform to the 1995 directive.
  • The detail in Swedish national law makes explicit
    the right to revoke at any time a previously
    given consent for processing of personal data if
    they are of the sensitive class or if they are to
    be transferred to certain third countries.

42
Looking to the future
  • Among the possibilities that are under
    consideration are:
  • A statement of purpose of installation, with
    rationale for use of biometrics over conventional
    means of authentication.
  • A maximum time-scale within which the controller
    will respond to any questions.
  • A statement in respect of opt-in or opt-out
    opportunities for end users, together with any
    rights afforded to the end users in respect of
    all personal data held on them.
  • Stated retention periods of personal data.
  • Any accesses permitted for third parties,
    including those permitted for lawful authorities.
  • Any Privacy Impact Assessment that may have been
    made prior to deployment
  • Specification of procedures to ensure secure
    disposal of the personal data in the event of
    withdrawal of the system.
  • Details of the external audit of the system and
    whether this will be available to the public or
    end users.
  • Review procedures and dates for re-examination of
    the operation of the system.

43
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

44
Social and Psychological Context of the
Application of Biometric Methods
  • Many individuals are fearful of the introduction
    of biometrics. Questionnaire studies show wide
    differences in the response to proposals such as
    the replacement of PIN with a fingerprint or the
    use of an eye identification method.

45
Social and Psychological Context of the
Application of Biometric Methods
  • Some components of the fear of biometrics were
    identified by Simon Davies in 1994. Since then,
    many other commentators have added to the list.
  • The de-humanization of people by their reduction
    to bytes on a computer.
  • The high integrity of identification reverses the
    natural relationship of government serving
    citizens and society.
  • Fear of society being increasingly driven by a
    technocracy, rather than a democratically elected
    government.
  • A system that would entrench fraud and
    criminality through technologically secure
    systems.
  • The methods are the mechanism foretold in
    religious prophecies.

46
Social and Psychological Context of the
Application of Biometric Methods
  • The impact of Hollywood's association of
    biometric methods with spies, advanced military
    hardware, and science fiction may have increased
    these concerns, portraying these as perfect
    technologies in the service of powerful
    organizations.
  • The first stage in addressing these concerns is
    to gather these issues from all sections of the
    target population and to organize them in ways
    that allow further investigation.

47
Social and Psychological Context of the
Application of Biometric Methods
  • Victoria Belotti has developed a model based upon
    the need of users to have feedback on, and then
    exert control over, four elements in complex
    environments
  • Capture of personal information into the system
  • What happens once the information is in the
    system
  • Who and what processes will make use of it
  • For what purpose they will use that personal
    information.
  • Further research by Anne Adams has centered even
    more on the end user's perspective on the
    transfer of personal information to organizations.

48
Social and Psychological Context of the
Application of Biometric Methods
  • Further research by Anne Adams has centered even
    more on the end user's perspective on the
    transfer of personal information to
    organizations. Here the end user has three
    principal concerns:
  • That the trust she places in the receiver of the
    personal data is not misplaced.
  • That the risk-benefit analysis she makes of the
    usage to which that data is put is correctly
    assessed.
  • That her judgment as to the sensitivity of the
    information is correctly made.

49
Social and Psychological Context of the
Application of Biometric Methods
  • One approach to ensuring that such issues are
    considered during the system design is to carry
    out a Privacy Impact Assessment at an early stage
    of the process (i.e., the requirements capture
    stage).
  • Innovative trialling of new technologies that
    balance the technical and human aspects has been
    under way for many years, predominantly in
    Scandinavian countries.
  • Future biometric-enabled systems will have a
    higher likelihood of success if they take account
    of such approaches.

50
Outline
  • Introduction
  • Privacy from the philosophical concept to a
    human right
  • The European Personal Data Directive
  • The role of privacy-enhancing technologies
  • Looking to the future
  • Social and psychological context of the
    application of biometric methods
  • Conclusions

51
Conclusions
  • Users' views on the privacy implications of the
    application of biometrics may be only part of a
    package of concerns. Situationally determined
    models of privacy are a first step towards a
    richer, more comprehensive model of the response
    of individuals to the introduction of biometrics.
    Such a model will be a valuable input to
    socio-technical designs of biometric systems that
    give equal weight to the social dimension and to
    issues of performance, standardization, etc.

52
References
  • J. Wayman et al. Biometric Systems. Technology,
    Design and Performance Evaluation, Springer 2005.
  • European Commission, Data protection:
    http://ec.europa.eu/justice_home/fsj/privacy/