7
Privacy Law Computer Law & Security Report Vol. 17 no. 3 2001 ISSN 0267 3649/01/$20.00 © 2001 Elsevier Science Ltd. All rights reserved 154 Biometrics offers many alternatives for protecting our privacy and preventing us from falling victim to crime. Biometrics can even serve as a solid basis for safe anonymous and semi-anonymous legal transactions. In this article Jan Grijpink clarifies which concepts and practical applications this relates to. A number of practical basic rules are also given as a guide to proceeding in a legally acceptable manner when applying biometrics. PRIVACY LAW BIOMETRICS AND PRIVACY Jan Grijpink INTRODUCTION The term ‘biometrics’ is taken to mean the identification of individuals based on a physical characteristic using informa- tion technology.Checking people’s identities visually using a passport photo or a description would not normally be described as biometrics.We do, however, speak of biometrics if the check is performed using a computerized system.These days, information technology makes it possible to quickly dig- itize physical characteristics so that we can either depict them as an image or subject them to calculations.This can be done with the contour of a hand or a finger, a fingerprint or the pattern of an iris. Even variable physical characteristics can be used for biometric identification of an individual, such as his voice, the way he moves his hand when writing his sig- nature, or his rhythm when typing certain words on a key- board.Checking someone’s identity using biometrics involves comparing a previously measured physical characteristic with the result of a new measurement at the time and place of the check.The result of the previous measurement can be registered in the verifying authority’s information system, or on a chipcard held by the person being checked. Up to now only little use is being made of biometrics.This is first and foremost a consequence of its lack of familiarity, not least because the necessary information technology has not been available at a reasonable price for very long. But there are also prejudices against biometrics and all sorts of negative images about intrusion into people’s private lives and damage resulting from crime. Uncertainty about the legal permissibility of using biometric data also plays a role here. 1 This should not come as a surprise, given that there are many conceivable biometric applications, each of which have dif- ferent legal implications and effects on privacy.The question of whether the use of biometrics gives rise to additional risks or provides better protection and more privacy depends on the specific application. Upon closer examination, even the legal status of a biometric detail depends on the application. The purpose of this article is to make that difference more transparent, also in legal terms, in order to give a clearer indi- cation of what the special significance of biometrics in an information society can mean to the protection of people’s private lives and fraud prevention.A number of practical basic rules are also given as a guide to proceeding in a legally acceptable manner when applying biometrics. This article mainly deals with the use of biometric data with the purpose of checking someone’s identity during transactions (admission, ordering, payment, agreement) using computerized systems, on the spot and instantaneous, both for the protection of individuals and for crime prevention. Certain biometric technologies such as DNA are not (yet) suitable for this purpose, and are therefore not addressed here. The use of biometrics in criminal proceedings, for the identification of mortal remains and in investigations into people’s origin, descent or health also falls beyond the scope of this article. Although biometrics provides both protection against fraud and other crime and the protection of people’s private lives, the emphasis of this article will be placed on the priva- cy aspects.The article is laid out as follows. First of all, three examples are given containing elements that will later be placed in a broader perspective.The usefulness and necessity of biometrics are explained as are two general aspects: the legal status of a biometric detail and the various methods that can be used to check a person’s identity.This will be followed by an explanation of the various characteristics of biometric applications, and some practical basic rules will be formulat- ed. Some conclusions are also given. SOME EXAMPLES OF THE APPLICATION OF BIOMETRICS The first example describes the checking of someone’s iden- tity using biometrics and a chipcard. When this chipcard is issued, the card issuer has calculated a biometric template based on the future card user’s hand contour, for instance, and has placed it on the chipcard.The card issuer can main- tain a central register of all issued chipcards with the unique card numbers and the biometric templates of the card hold- ers.This is not, however, necessary, as a reference template calculated on the basis of the unique card number and the accompanying template would be sufficient to establish at a later date whether the card is authentic and still contains the original biometric template.At the time of the check, the per- son being checked inserts his card into a reader, which, hav- ing verified that the card is authentic, compares the chipcard template with the result of the new reading. 2 When issuing the chipcard, the card issuer can check the identity of the future card user on the basis of a valid identity

Privacy Law: Biometrics and privacy

Embed Size (px)

Citation preview

Page 1: Privacy Law: Biometrics and privacy

Privacy Law

Computer Law & Security Report Vol. 17 no. 3 2001ISSN 0267 3649/01/$20.00 © 2001 Elsevier Science Ltd. All rights reserved

154

Biometrics offers many alternatives for protecting our privacy and preventing us from falling victim to crime.Biometrics can even serve as a solid basis for safe anonymous and semi-anonymous legal transactions. In thisarticle Jan Grijpink clarifies which concepts and practical applications this relates to. A number of practicalbasic rules are also given as a guide to proceeding in a legally acceptable manner when applying biometrics.

PRIVACY LAWBIOMETRICS AND PRIVACYJan Grijpink

INTRODUCTIONThe term ‘biometrics’ is taken to mean the identification ofindividuals based on a physical characteristic using informa-tion technology. Checking people’s identities visually using apassport photo or a description would not normally bedescribed as biometrics.We do, however, speak of biometricsif the check is performed using a computerized system.Thesedays, information technology makes it possible to quickly dig-itize physical characteristics so that we can either depictthem as an image or subject them to calculations.This can bedone with the contour of a hand or a finger, a fingerprint orthe pattern of an iris. Even variable physical characteristicscan be used for biometric identification of an individual, suchas his voice, the way he moves his hand when writing his sig-nature, or his rhythm when typing certain words on a key-board.Checking someone’s identity using biometrics involvescomparing a previously measured physical characteristicwith the result of a new measurement at the time and placeof the check.The result of the previous measurement can beregistered in the verifying authority’s information system, oron a chipcard held by the person being checked.

Up to now only little use is being made of biometrics.Thisis first and foremost a consequence of its lack of familiarity,not least because the necessary information technology hasnot been available at a reasonable price for very long. Butthere are also prejudices against biometrics and all sorts ofnegative images about intrusion into people’s private livesand damage resulting from crime. Uncertainty about the legalpermissibility of using biometric data also plays a role here.1

This should not come as a surprise, given that there are manyconceivable biometric applications, each of which have dif-ferent legal implications and effects on privacy.The questionof whether the use of biometrics gives rise to additional risksor provides better protection and more privacy depends onthe specific application. Upon closer examination, even thelegal status of a biometric detail depends on the application.The purpose of this article is to make that difference moretransparent, also in legal terms, in order to give a clearer indi-cation of what the special significance of biometrics in aninformation society can mean to the protection of people’sprivate lives and fraud prevention.A number of practical basicrules are also given as a guide to proceeding in a legallyacceptable manner when applying biometrics.

This article mainly deals with the use of biometric datawith the purpose of checking someone’s identity duringtransactions (admission, ordering, payment, agreement) usingcomputerized systems, on the spot and instantaneous, bothfor the protection of individuals and for crime prevention.Certain biometric technologies such as DNA are not (yet)suitable for this purpose, and are therefore not addressedhere.The use of biometrics in criminal proceedings, for theidentification of mortal remains and in investigations intopeople’s origin, descent or health also falls beyond the scopeof this article.

Although biometrics provides both protection againstfraud and other crime and the protection of people’s privatelives, the emphasis of this article will be placed on the priva-cy aspects.The article is laid out as follows. First of all, threeexamples are given containing elements that will later beplaced in a broader perspective.The usefulness and necessityof biometrics are explained as are two general aspects: thelegal status of a biometric detail and the various methods thatcan be used to check a person’s identity.This will be followedby an explanation of the various characteristics of biometricapplications, and some practical basic rules will be formulat-ed. Some conclusions are also given.

SOME EXAMPLES OF THE APPLICATIONOF BIOMETRICSThe first example describes the checking of someone’s iden-tity using biometrics and a chipcard. When this chipcard isissued, the card issuer has calculated a biometric templatebased on the future card user’s hand contour, for instance,and has placed it on the chipcard.The card issuer can main-tain a central register of all issued chipcards with the uniquecard numbers and the biometric templates of the card hold-ers. This is not, however, necessary, as a reference templatecalculated on the basis of the unique card number and theaccompanying template would be sufficient to establish at alater date whether the card is authentic and still contains theoriginal biometric template.At the time of the check, the per-son being checked inserts his card into a reader, which, hav-ing verified that the card is authentic, compares the chipcardtemplate with the result of the new reading.2

When issuing the chipcard, the card issuer can check theidentity of the future card user on the basis of a valid identity

MayJune CLSR.qxd 4/26/01 11:07 AM Page 154

Page 2: Privacy Law: Biometrics and privacy

155

Privacy Law

card, but this is in fact unnecessary. In the first case, the cardissuer knows who the card holder is. In the second case usecould be made of an anonymous3 chipcard that facilitates anaccurate personal check without revealing precisely who thecard holder is. Both types of checking a person’s identity bio-metrically with a chipcard can be used, for instance, to autho-rize access or to establish a person’s agreement to atransaction.This can be done offline in a local application, oronline as part of a central application operated remotely.

The second example illustrates that biometrics can alsobe used without a chipcard.The example is a museum appli-cation designed to prevent people from remaining in thebuilding after it closes.This is an offline local application ofbiometric recognition of visitors using a biometric template.The biometric template is linked to a one-off pin code select-ed by the visitor himself.This pin code is necessary becausethe ‘point of reference’ of a unique chipcard number is notavailable in this application. The self-selected pin code indi-cates which templates have to be mutually compared.Without that pin code a comparison of templates is not reli-able, because measurements of the same physical characteris-tics of the same person always show minor differences. Forthis reason, two measurement values that are in close prox-imity to each other do not necessarily originate from thesame person. Because this application does not register anyother information about the visitor and the one-off pin codeis selected by the person himself, the visitor’s anonymity isguaranteed. The application works as follows. A visitor canonly enter the building once he has entered the self-selectedpin code and the access computer has calculated a biometrictemplate based on the shape of his hand, for instance. He willonly be able to leave the building again once he has re-entered his pin code and the computer has not detected anymajor deviation between the biometric measurements relat-ed to that pin code upon his arrival and departure.The com-puter then deletes both the self-selected pin code and thetwo biometric templates. A check is made to establishwhether all readings have been deleted every evening whenthe museum closes. If not, all visitors to the museum have notyet left the building. If a visitor is indeed found in the buildingafter closing time, it is possible to establish whether that per-son is the one that the museum staff are looking for by check-ing with the biometric characteristic that remains in thecomputer.

In this example the use of biometrics is entirely anony-mous,but accurately indicates whether a visitor has remainedin the building after the museum has closed.By using the per-son-related character of a biometric detail we can electroni-cally, without human intervention, establish that the sameperson has arrived and departed, without needing to knowthe exact identity of the visitor concerned.This emphasizesthe fact that an accurate check of a person’s identity can inprinciple even be made using an anonymous biometric detail.For the significance of biometrics for the protection of priva-cy, it is important to be aware that anonymous biometrics canbe just as accurate as personalized and semi-anonymous bio-metrics, because the biometric characteristic is always per-son-related.

The third example is an application at an airport that isdesigned to detect suspect luggage, and to prevent peoplefrom being supplanted between the moment they check inand the moment they board the aircraft.At the moment that

the passenger checks in, his biometric template is calculatedand stored in a temporary file for the flight in questiontogether with the (unique) numbers of the boarding pass andany luggage labels. When the passenger is due to board theaircraft, as part of the safety check the template is recalculat-ed and compared with the template in the temporary file thataccompanies that particular boarding pass. If the discrepancybetween the measured values is too big, it is desirable to con-duct a further identity check to establish whether that personhas been supplanted. If the comparison shows that this is notthe case, the biometric data are immediately deleted. If, at thetime of departure, there is still an unmatched biometric detailleft in the temporary register, the accompanying luggage canbe traced and taken off the aircraft.This luggage apparentlydoes not belong to one of the passengers who have boarded,and represents a safety risk. Because boarding passes areissued in people’s names once proof of identity has been ver-ified, this application makes use of personalized biometrics.However, if the personalized biometric data are deletedimmediately after they have been used, this application ofbiometrics does not invade people’s privacy.The advantage ofpersonalized biometrics in this application is that in cases ofdoubts about someone’s identity or unattended luggage, theairport staff immediately know who they need to look for. Inthe event of a deliberate act, the biometric characteristic leftbehind can be used to prove who was involved in the incident.

USEFULNESS AND NECESSITY OF BIOMETRICSBiometrics derives its significance from the person-relatednature of the physical characteristic that serves as the pointof recognition. In comparison with the customary non-per-son-related methods to check someone’s identity such as pincodes, passwords, electronic signature or encryption keys,biometrics therefore has a number of general advantages,which — depending on the application — make the recogni-tion of an individual person accurate whilst simultaneouslyprotecting people’s privacy:• you always carry a biometric template with you, you can’t

leave it at home.• a biometric characteristic cannot be transferred to some-

one else unobtrusively.• a detached biometric characteristic cannot be traced back

to the person from whom it originates without additionalclues.

• biometric techniques are not subject to recognition errorsdue to faulty observation resulting from preconceptions,distraction or tiredness, for instance.

These general advantages are, however, accompanied bysome disadvantages. Because a biometric reading does notyield precisely the same template on each occasion, biomet-rics does not provide complete certainty in identifying thelegal holder of a biometric characteristic. The more closelytwo measurements resemble each other, the more probable itis that both values relate to the same person. In biometricapplications one can decide which measurement discrepan-cies are acceptable to be still able to assume that the valuesoriginate from the same person. But many biometric systemswill consider two perfectly identical values as a fraud.Thus, ifthe measurement value of someone else closely resembles my

MayJune CLSR.qxd 4/26/01 11:07 AM Page 155

Page 3: Privacy Law: Biometrics and privacy

Privacy Law

156

measurement value, he may be able to pass himself off as me.The more accurately we configure the calculation, the lesschance there will be of this happening, but the chance of mynot being recognized increases accordingly! The extent towhich this can be accepted depends on the situation and theapplication.

The advantages of biometrics over human checks are,however, of overriding importance:• If we want to guarantee people’s privacy when checking

people’s identities.• A biometric check can even be accurate with the offline,

local use of an anonymous physical characteristic, withor without a chipcard.

• If one may expect many human recognition errors in aconcrete situation. For instance, if one has to check largenumbers of people quickly, over a long period of time orfrom a distance.

In situations where it is necessary to guarantee absolute privacy, or where there is a significant chance of mistakenidentity or identity fraud or the consequences of this couldbe very serious, biometrics is indispensable. People are grad-ually becoming aware that the use of biometrics thereforehas to be advanced, and that governments will have to dowhatever they can to diminish the potential negative effectsof biometrics.

THE LEGAL POSITION OF A BIOMETRICDETAILTo properly understand the social significance of biometrics,we need to make a distinction between a person-relateddetail (= derived from the body) and a personal detail (= canbe traced back to a person). Many people intuitively feel thata person-related detail must also be a personal detail asdefined by Dutch (and European) privacy legislation. Ananonymous biometric characteristic, i.e. a detached biometrictemplate without anything in common with the source, can-not be regarded as a personal detail because it cannot betraced back to the person from whom the measured valueoriginated, or this can only be done with disproportionateeffort.A good example of anonymous biometrics is dirty glass-ware in a restaurant. It is a hopeless task to trace a fingerprinton one of the glasses to a restaurant diner who has alreadyleft. One will never be able to find him. This could explainwhy we don’t concern ourselves too much with this glass-ware in practice.

A biometric personal characteristic is therefore by defini-tion person-related, but is not necessarily a personal detail.The decisive factor regarding the legal position of a biometricdetail is therefore whether it can be traced back to the rightperson, if necessary making a good deal of effort. For this pur-pose we have to look at the application as a whole ratherthan only at the biometric detail on its own, removed fromthe context.We therefore have to take account of all the sur-rounding technical,procedural and organizational provisions.If a biometric detail within an application is truly anonymous,it is safe so say that its use does not in legal terms fall withinthe constraints set by privacy legislation for the use of per-sonal data.There are no legal obstacles to the use of anony-mous biometrics. From the perspective of protectingpeople’s privacy in society, anonymous and semi-anonymousbiometric applications4 in particular will in the future have

major significance. For a biometric detail does not lose itsanonymous character for a verifying authority if anotherauthority — e.g. the card issuing authority — knows exactlywho the person concerned is but may only reveal that infor-mation to a competent authority with the approval of the lawor the court. Many biometric applications do, however, usebiometrics registered in people’s names (personalized bio-metrics), even if the purpose of the application can beachieved just as well with anonymous biometrics. Biometricswill not realize its full social significance until we recognizeand utilize the wide-ranging possibilities offered by theanonymous use of biometrics.

RECOGNITION METHOD AND PRIVACYThe implications of biometrically checking people’s iden-

tities for their privacy and the prevention of fraud is signifi-cantly determined by the method used for the recognition ofan individual.We make two different distinctions.

The first distinction, identification or verification, relatesto the envisaged knowledge concerning a person’s identity.There are two alternatives:• establishing precisely who someone is (identification).• establishing whether a person is the right person, for

instance the same person as expected (verification).The establishment of a person’s true identity involves anactual investigation into someone’s identity, and is there-fore something that is rarely done in the Netherlands out-side of criminal law enforcement and immigration. It isdeemed sufficient to establish whether a person is thesame person as expected, by ascertaining whether severalpieces of information belong to the same person, for exam-ple.This is often erroneously referred to as ‘identification’:in actual fact it yields no more than a verification. Verifi-cation is less far-reaching than identification because weremain unsure whether a person actually is who he says heis. But in many social situations, such as the museum exam-ple given above, this is sufficient. In that example, a verifi-cation provides sufficient guarantees against someoneremaining in the building unnoticed after it has closed. Byusing the person-related character of a biometric detail wecan electronically — i.e. without human intervention —establish that the same person has arrived and departedwithout needing to know the exact identity of the visitor.This emphasizes the fact that an accurate personal verifi-cation can in principle even be made using an anonymousbiometric detail.

The second distinction, inclusion or exclusion, relates toanother basic approach to checking someone’s identity:• We can positively establish whether someone is indeed

the right person. This is referred to as the ‘inclusive’use ofa recognition technique.

• We can negatively establish that someone is not the rightperson. This is referred to as the ‘exclusive’use of a recog-nition technique.

In the actual practice of biometrics this difference hasmajor implications, especially when it comes to comparingtwo images of a physical characteristic, for instance two fingerprints. A single point of difference is sufficient to ex-clude someone with one hundred percent certainty! On theother hand, inclusive use never gives one hundred percent certainty, even though that certainty does of course grow

MayJune CLSR.qxd 4/26/01 11:07 AM Page 156

Page 4: Privacy Law: Biometrics and privacy

157

Privacy Law

with each point of similarity that is ascertained.When usingonly one biometric template, it is only possible to perform an‘inclusive’ check. If it is necessary to establish immediatelythat someone is not the right person (exclusion), at least twodifferent templates have to be used.After all, in a case of mis-taken identity, the chance of two physical characteristicsbeing relatively just as close together is virtually ruled out.Anaccurate exclusion is thus just as possible as when using asingle biometric image.

The ‘exclusive’ use of a biometric characteristic to estab-lish that someone is not the same person barely penetratesinto people’s private lives, but inclusively establishing a per-son’s identity does. Information technology does in fact makethe least radical form of checking someone’s identity biomet-rically, the exclusive use of anonymous biometrics, technical-ly feasible. Therefore, from the a privacy perspective it isnotable that there is in practice a spontaneous preference forthe most radical form, the inclusive use of personalized bio-metrics. We see here a mission for those who endorse theissue of privacy.

TYPES OF BIOMETRICSBiometrics calls for tailor-made solutions: technical, organi-zational and legal.There are many different biometric tech-niques and forms of applications, but no single one ofthem is suitable for all problems relating to checking a per-son’s identity. The legal aspects also differ between formsof application.There are no legal obstacles to certain formsbecause the anonymity that has been achieved renderssuperfluous other measures for protecting people’s priva-cy. For other forms, wide-ranging legal requirements haveto be met. It is not yet clear whether these will have to bestrengthened in the future, but there is certainly no casefor weakening them.

In addition to the different recognition methods distin-guished above, a distinction can also be made between vari-ous biometric techniques and aspects of application.

Variable or fixed physical characteristicsFixed physical characteristics can be more successfullycopied and imitated than variable characteristics.A personcan also himself change a variable physical characteristicwithout this being noticed, thus avoiding identification.This is useful if a person is under threat, but will generallyfail to offer an adequate solution for situations in which itpays to pass oneself off as two different people. This will, for example, meet with success in an application thatuses a biometric template calculated from a variable physical characteristic to prevent someone from present-ing himself twice as a different person, thus acquiring twodifferent authorizations. Adapting the variable physicalcharacteristic results in two different templates, thusensuring that this biometric check against double identi-ties fails. A person can also ensure that he is not recog-nized by deliberately changing the movement he makeswhen writing his signature, in order to pass himself off as someone else in an emergency procedure. If consider-able advantage can be gained by doing this, it is better touse an unchangeable physical characteristic when check-ing someone’s identity.

Image of a physical characteristic or a template calculated from itWith an image of someone else’s fingertip, a person can passhimself off as someone else when checked. This approachcould even be used to spuriously suggest someone’s involve-ment in a transaction or action.These situations cannot occurif use is made of a template for the purpose of checkingsomeone’s identity. A template is a biometric number calcu-lated from a number of unique characteristics, found in a fin-gerprint, for instance. Because the other informationcontained in the image is not used in the calculation, it is notpossible to retrospectively calculate the original image of thefingerprint from the biometric number (template). For thisreason there is not much that can be done to cheat with a bio-metric template, certainly if it is difficult to establish who themeasured value originated from and which formula was usedto calculate the number. In the Dutch regulations no distinc-tion is yet made between biometric images and biometrictemplates, but there are already countries that (want to) for-bid the central storage of biometric images, or imposestricter regulations on the central storage of biometric imagesthan will apply to the central storage of templates.

Central or decentralized storageAt the one extreme, there is the decentralized storage of asingle biometric detail on a single chipcard placed in thehands of the person from whom the biometric detail origi-nates.This makes it possible, for example, to check from adistance and offline whether the actual user of the chip-card and its lawful holder are one and the same person.Thisis a possible use of biometrics that facilitates privacy-friendly applications. The other extreme consists of thestorage of all biometric data in a single central file foronline checking of people’s identities. ‘Central’ in this con-text means that all stored biometric details can be directlyaccessed and compared with each other. The biometricdetails can be physically concentrated at the same location,but this is not necessary.This central file makes it possibleto perform additional checks that would not be possiblewith separate chipcards alone. The administrator of a cen-tral file of biometric images can, for example, immediatelyestablish whether a person is already included in the file,but under a different name. The distinction between cen-tral/decentralized is of legal importance because centralstorage involves more social risks.

Anonymous or by name (‘personalized’)If biometric data cannot be traced back to individuals (anony-mous) there are in principle no (Dutch or European) legalobstacles to using them. There are no (Dutch or European)regulations that set requirements for applications that makeuse of anonymous biometrics.The situation is different whenit comes to personalized biometrics. In this case the biomet-ric detail is placed in someone’s name, or the name can beestablished with some — but not disproportionate — effort.Dutch (and European) privacy legislation provides for variousprotection regimes that cover biometric personal data,depending on their degree of vulnerability and the purposeof their processing.

MayJune CLSR.qxd 4/26/01 11:07 AM Page 157

Page 5: Privacy Law: Biometrics and privacy

Privacy Law

158

Voluntary or compulsoryCompulsory cooperation with checking someone’s identityusing biometrics imposed by the government or by privatebodies requires a legal basis. In the private sector the volun-tary use of personalized biometrics is in principle permitted,unless the biometric characteristic can be used to establishsomeone’s race or origin.Then only necessity counts.As longas this is not the case, it is sufficient to operate regulations inthe area of contracts, in which people must work within theconstraints of the privacy legislation if biometric personaldata are used. But when is voluntary cooperation truly volun-tary? This is not solely determined by market conditions, butalso by the existence of a fully-fledged alternative facilitywithout biometrics, so that true freedom of choice is possi-ble. If on a really voluntary basis, even a public authority mayuse biometrics without such use being explicitly provided forby the law.

Small-scale or large-scaleIn a small-scale application, the uniqueness of the physicalcharacteristic is less important because the chance of twoindividuals having virtually the same physical characteristicreduces as the target group becomes smaller. An importantlegal point is that the large-scale application of biometricsappears to qualify sooner for preventative government con-trol or another form of regulation because the risks to privacyand the risk of falling victim to crime are more difficult tomanage, and there are more opportunities to deliberatelypassing oneself off as someone else. Currently many biomet-ric techniques are vulnerable to fraud and privacy issues ifapplied on a large scale. Small-scale applications are less riskyand will in principle be more likely to promote privacy, cer-tainly if a large number of small-scale applications are gradu-ally developed which make increasing use of differentbiometric techniques and application types. A large numberof small-scale applications offer a double advantage to theprotection of privacy and the prevention of crime: one canreduce the consequences of an identity fraud that has notbeen detected to a minimum, and subsequently have moreopportunities to unmask a successful impostor.

Open or closed target groupA closed target group is one in which the people that pass abiometric checkpoint are expected to return to the samecheckpoint within a short period of time. In a closed group ofthis nature, the chance of two virtually identical measurementsarising that could possibly lead to mistaking a person’s identityis smaller than with open target groups.Within closed groups asimple application using anonymous biometrics yields a checkin which an outsider has very little chance of successfully pass-ing himself off as one of the members of the group.

This list of the different aspects of biometric applicationsis not exhaustive. Its purpose is to point out that biometricsfacilitates a wide range of applications, some of which giverise to few and some to many legal questions. Small, ‘exclu-sive’, anonymous biometric verifications are more suitablefor promoting privacy. Moreover, there are few obstacles tothese applications in legal terms, even when used voluntarilyby public authorities. If applied on a large scale, many bio-metric techniques are vulnerable to fraud and privacy issues

currently. Compulsory, large-scale applications of personal-ized biometrics therefore need not to be implemented with-out careful consideration and very strict security measures.Much attention should be given to the legal aspects of theseapplications.Already, the current Dutch (and European) pri-vacy legislation provides for strict requirements for applica-tions of this nature.

Because the development of the technology is by nomeans complete, and the number of operational applicationsof biometrics is still limited, it is not yet possible to gain anoverall view of the social risks involved. For this reason it isnot yet clear whether governments in the European Unionwill impose further regulations on the use of biometrics inthe next few years.

BASIC RULES FOR THE USE OF BIOMETRICSA number of basic rules can offer a frame of reference regard-ing the question of which biometric applications are legallyacceptable. If in doubt about the legal permissibility of a con-crete application, in the Netherlands advice can be soughtfrom the Dutch Data Protection Authority.

The basic rules are set out below in the form of a check-list, which does not, however, profess to be complete.

Sectoral boundariesOne of the fundaments of the protection of privacy is thatdata from a certain sector cannot automatically be used inanother sector. The use of biometrics should therefore notautomatically be permitted to exceed the sectoral boundariesthat have come about in practice and been sanctioned by law.The sectors in question include banking,health care and,edu-cation, and, in the public sector, taxes or civil affairs. A bio-metric application therefore requires clear boundaries,regardless of whether it has a private or public character.Applications with a supra-sectoral character call for explicitpublic approval because the implications for the protectionof privacy could become apparent only gradually and over awider area than people may initially have anticipated.A regu-lation by law could supply the necessary approval.

Clear, recognizable and permissible objectiveThe purpose of the use of biometric data must be made clearand recognizable to all involved,by displaying an explanatorytext at the place of use, for instance. In the case of a govern-ment application, democratic decision-making usually resultsin sufficient familiarity because a generally binding regulationis usually required for the application.An unlimited objectiveis not sufficient to permit the use of biometric data, and nei-ther is an application with several mutually irreconcilableobjectives. The mutual balance of power between the cus-tomer and the company plays an important role when assess-ing the permissibility of the objective of an application in thebusiness area.

Proportionality The use of biometrics should be proportional. In other words,there must be a reasonable relationship with the objective for

MayJune CLSR.qxd 4/26/01 11:07 AM Page 158

Page 6: Privacy Law: Biometrics and privacy

159

Privacy Law

which it is used.The use of biometrics should not in principlebe chosen if the objective can also be reached using other, lessradical means.Access to important buildings can be checkedusing the shape of a person’s palm (protecting secrets, pre-venting theft or violence),but a less radical alternative must besought for secondary schools.The objective should, for exam-ple, also justify the involuntary nature of a biometric applica-tion.The principle of ‘anonymous biometrics, unless’ could beregarded as an example of the application of the proportional-ity rule. If the job can be done without personalization,anony-mous biometrics must be chosen.

SubsidiaritySubsidiarity means not having to take things ‘higher up’unnecessarily. What an entrepreneur can do himself mustnot be done at trade level or by the government.What canbe done by the municipal government should not be takenover by the provincial or national government.This gener-al principle holds equally true for biometrics. What can be done at sectoral level must not be tackled with a gener-al solution. If a biometric application can meet its objec-tive without a centrally accessible biometric database, abiometric characteristic should be stored exclusively on achipcard.

Precise delineation of the target groupThe target group of a biometric application must be clearlydefined (in advance). This is especially important to thepermissibility of the application and communication withthat target group. This also determines the way in whichthe legal relationship between the parties can be substanti-ated. If the target group is the entire population of a munic-ipality, the obvious approach will be to impose regulationvia legislation or local by-law. If it concerns the personnelof a company or the clientele of a shop, the rules and agree-ments could be laid down in the employment contract orgeneral terms and conditions respectively. A precisedescription of the target group facilitates (external) moni-toring of the data collection process.

SecurityIn Dutch law a breach (only) becomes an offence if the bio-metric detail is protected against unauthorized alteration orperusal. A lot of attention should therefore be paid to thesecurity of the application. Procedural and organizationalsafety risks must also be addressed.

External supervisionIt may be desirable to have the use of biometric data super-vised by an independent party. This is important in caseswhere the law calls for demonstrable due diligence on thepart of the administrator.

Partly in view of the limited practical experience and tech-nical development, it is not yet possible to give an indicationof the limits to the use of biometrics. This brief set of basicrules could be further developed on the basis of the practicalapplications used by the government and the business com-munity. Biometrics require tailor-made solutions, also when itcomes to the law.

CONCLUSIONSBiometrics will in due course be of great significance to theprotection of privacy and the prevention of crime. People aregradually becoming aware that the use of biometrics there-fore has to be advanced,and that governments will have to dowhatever they can to diminish the potential negative effectsof biometrics.

From the perspective of protecting people’s privacy insociety, anonymous and semi-anonymous biometric applica-tions in particular will in the future have major significance.For a biometric detail does not lose its anonymous characterfor a verifying authority if another authority — e.g. the cardissuing authority — knows exactly who the person concernedis but may only reveal that information to a competent author-ity when required to do so by law or by court order.

No new rules or measures are needed for anonymousbiometrics as such.5 It is not yet clear which legislation orgovernmental intervention is required for semi-anonymousand personalized biometrics. Does the central storage ofpersonalized biometric images have to be subjected torestrictions or forbidden, as has already happened in somecountries? Will the legal obligation for people to prove theiridentities have to be extended to the issuers of biometricchipcards with a view to combating identity fraud? If so, reg-ulations and measures will be needed to legally and practi-cally enable the card issuers to verify the accuracy of theproof of identity presented to them.

The person-related nature of biometrics by no meansimplies that it is impossible to tamper with a biometric verifi-cation.The actual sensitivity of biometrics to privacy intrusionand fraud differs between situations and depends on the select-ed combination of technique and method of application,including the surrounding organization and procedures.Emergency procedures triggered by the malfunctioning of anelectronic verification system are notoriously problematic. Inthese cases people invariably fall back on defective methodswith a significant chance of errors occurring, such as a visualidentity check based on a photograph or directly derivinginformation from an unverified or unverifiable document.Insiders know how prone people are to seeing what theyexpect to see, and how difficult it is to differentiate betweenlookalikes. Moreover, it is important to bear in mind that —unlike the situation in the analogue era — it is not the verifierbut the person being verified who has the upper hand.After all,he is one hundred per cent certain of being able to activate anemergency procedure, by imperceptibly using someone else’schipcard, for example, or by pretending that he has lost hiscard.The security and the reliability of a computerized biomet-ric recognition system depend only partly on the biometrictechnique itself,or the information systems involved.

The design of a biometric application involves a largenumber of implicit choices that determine the effectivenessof the application, its sensitivity to fraud and the conse-quences for personal privacy.These should not be left to thetechnicians. Many biometric solutions are still sensitive tofraud and privacy issues when used in large-scale, personal-ized applications.This is why small-scale, anonymous biomet-ric verifications are presently of strategic importance.Moreover, there are few obstacles to these applications inlegal terms,even when used voluntarily by public authorities.

MayJune CLSR.qxd 4/26/01 11:07 AM Page 159

Page 7: Privacy Law: Biometrics and privacy

Privacy Law

160

The recognition methods of exclusion (‘that is not him’)and verification (‘he is the same person, but I don’t knowwho he is’) can effectively be combined in small-scale appli-cations, certainly if the target group is more or less closed. Inthese cases simple technology and procedures are sufficient.If it is possible to keep the biometric detail anonymous,decentralized offline checking of people’s identities can alsobe effectively done by a small organization using a small-scaleapplication of its own.This provides adequate protection inmany practical situations. There are in any event no legalproblems regarding these types of biometric applications.

A large number of small-scale, sector-restricted applica-tions offer a double advantage to the protection of privacyand the prevention of crime: one can reduce the conse-quences of an identity fraud that has not been detected to aminimum, and subsequently have more opportunities tounmask a successful impostor. In addition, sector-restrictedapplications offer more legal protection against unlimitedlinking of personal details using biometric templates,because Dutch (and European) privacy laws give rights(complaint, correction, removal) that can be independentlyexercised in every sector, thus reinforcing each other.Within a small-scale application the voluntary use of bio-metrics can be more easily handled because non-biometricexceptions for people who really object to this method ofchecking one’s identity can be better controlled.These con-siderations illustrate that biometrics requires tailor-madesolutions.

JJaann GGrriijjppiinnkk, Dr mr J.H.A.M. Grijpink is Principal Advisor atthe Directorate for Strategy Development of the DutchMinistry of Justice.

This article was written in his private capacity. He wouldlike to thank Prof. mr J.E.J. Prins, mr A. Patijn, mr L. Mutsaersand H. van der Heijden for their contributions to this article.

The Dutch version of this article was published in:Privacy en Informatie, 2000, nr 6, pp. 244-250.

BibliographyRobert van Kralingen, Corien Prins and Jan Grijpink, Hetlichaam als sleutel, [‘The body as a key’] legal considerationsof biometrics, ITER series no. 8, Samson,Alphen aan de Rijn,November 1997.J.H.A.M.Grijpink, Identiteitsfraude als uitdaging in een infor-matiesamenleving, [‘Identity fraud as a challenge in an infor-mation society’] in: Security 12, no. 4 April 1999,Amsterdam,Keesing Bedrijfsinformatie.J.H.A.M. Grijpink, Biometrie als anonieme bewaker van uwidentiteit, [‘Biometrics as an anonymous guardian of youridentity’] in: Security 12, no. 5 May 1999,Amsterdam, KeesingBedrijfsinformatie.J.H.A.M. Grijpink, Identiteit als kernvraagstuk in een infor-matiesamenleving, [‘Identity as a key issue in an informationsociety’] in: Handbook for Fraud Prevention, Samson,Alphen a/d Rijn, November 1999, chapter Fraud and integrity,no. E 4010.J.H.A.M. Grijpink, Wie is wie in een informatiesamenleving:[‘Who’s who in an information society’:‘the case for a chainapproach’], in: Management and Informatie, 8th volume, no.2 May 2000, Samson Bedrijfsinformatie,Alphen a/d Rijn.J.H.A.M. Grijpink, Recht en biometrie, juridische spelregelsvoor biometrische toepassingen, [‘The law and biometrics,legal rules of play for biometric applications’] in: SecurityManagement, 5th volume, Samson , September 2000.J.H.A.M. Grijpink, Checklist Biometrische Persoonsherkenning[Biometric recognition of individuals: in a quest for tailor-madesolutions],in:Checklists Information Management (loose leaf),Ten Hagen & Stam,Den Haag,December 2000 (the English textcan be downloaded from <http://www.interpol.int>).

FOOTNOTES1For this reason,on 18 May 2000 the Dutch Data Protection Authorityorganized an initial social discussion on the use of biometrics.2The safest way of doing this is to compare the templates in thechipcard rather than in the chipcard reader in order to make itmore difficult to imitate the verification.3‘Anonymous’ means that it is not possible to establish who some-body is.‘Semi anonymous’ means that at least one authority knowswho the cardholder is, but this cannot be established by any otherverifying authorities.4‘Anonymous’ means that it is not possible to establish who

somebody is. ‘Semi-anonymous’ means that at least one authorityknows who the cardholder is,but this cannot be established by anyother verifying authorities.5This does not imply that no new law is required for anonymouslegal transactions, also if use is presently made of anonymous bio-metrics.The scope for anonymous legal transactions in Dutch lawis presently limited.The worldwide character of electronic marketsdoes in fact call for a firmer legal basis for anonymous legal trans-actions. See: Jan Grijpink and Corien Prins, New legal rules foranonymous transactions? (to be published shortly).

MayJune CLSR.qxd 4/26/01 11:07 AM Page 160


Trust, Privacy and Biometrics

Trust, Privacy and Biometrics

Technology
Www.ipc.on.ca Biometrics and The Privacy Paradox Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Privacy & Identity: The Promise & Perils

Www.ipc.on.ca Biometrics and The Privacy Paradox Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Privacy & Identity: The Promise & Perils

Documents
CSCI E-170: Computer Security, Privacy and Usability Hour #2: Biometrics

CSCI E-170: Computer Security, Privacy and Usability Hour #2: Biometrics

Documents
Law Enforcement Biometrics Market in Germany 2014-2018

Law Enforcement Biometrics Market in Germany 2014-2018

Software
PowerPoint Presentation - Biometrics and Privacy

PowerPoint Presentation - Biometrics and Privacy

Documents
THE INTERSECTION OF PRIVACY LAWS AND BIOMETRICS

THE INTERSECTION OF PRIVACY LAWS AND BIOMETRICS

Documents
Part 1 Ideas for themes/topics/misconceptions 1.Biometrics – Reality and Myths 2.Biometrics in Real Life 3.Biometrics –privacy

Part 1 Ideas for themes/topics/misconceptions 1.Biometrics – Reality and Myths 2.Biometrics in Real Life 3.Biometrics –privacy

Documents
Biometric Encryption: Emerging Privacy-Enhancing Technologies · 2009. 8. 24. · • This paper discusses privacy- enhanced uses of biometrics, with a particular focus on the privacy

Biometric Encryption: Emerging Privacy-Enhancing Technologies · 2009. 8. 24. · • This paper discusses privacy- enhanced uses of biometrics, with a particular focus on the privacy

Documents
Class 13 Internet Privacy Law European Privacy

Class 13 Internet Privacy Law European Privacy

Documents
Special Report: Biometrics in Law Enforcement · Special Report: Biometrics in Law Enforcement. ... Biometrics Research Group, Inc. defines bio-metrics as ... fingerprint identification

Special Report: Biometrics in Law Enforcement · Special Report: Biometrics in Law Enforcement. ... Biometrics Research Group, Inc. defines bio-metrics as ... fingerprint identification

Documents
Biometrics Surveillance and Privacy final · Biometrics, surveillance and privacy 2016 The research leading to these results has received funding from the European Union as part of

Biometrics Surveillance and Privacy final · Biometrics, surveillance and privacy 2016 The research leading to these results has received funding from the European Union as part of

Documents
Privacy Law Fundamentals

Privacy Law Fundamentals

Documents
Privacy Issues in the Application of Biometrics Marina Gavrilova

Privacy Issues in the Application of Biometrics Marina Gavrilova

Documents
Privacy Law

Privacy Law

Documents
Biometrics and Law Enforcement

Biometrics and Law Enforcement

Documents
Informational Privacy, Privacy Law, Consent, and Norms

Informational Privacy, Privacy Law, Consent, and Norms

Documents
Catalyzing Privacy Law

Catalyzing Privacy Law

Documents
Programmed Privacy Promises: P3P and Web Privacy Law

Programmed Privacy Promises: P3P and Web Privacy Law

Documents
Anonymous Biometrics: Privacy Protection of Biometric Templates

Anonymous Biometrics: Privacy Protection of Biometric Templates

Documents
BIOMETRICS The Issue of Privacy in an Increasingly Secure World By: Joanna Moser

BIOMETRICS The Issue of Privacy in an Increasingly Secure World By: Joanna Moser

Documents
Biometrics and Privacy - courses.cs.washington.edu

Biometrics and Privacy - courses.cs.washington.edu

Documents
Special Report: Biometrics in Law Enforcement · Law enforcement biometrics refers to applica-tions of biometric systems which aids policing. Biometrics Research Group Inc. projects

Special Report: Biometrics in Law Enforcement · Law enforcement biometrics refers to applica-tions of biometric systems which aids policing. Biometrics Research Group Inc. projects

Documents
Accenture Biometrics Privacy Positive Match

Accenture Biometrics Privacy Positive Match

Documents
MA Privacy Law

MA Privacy Law

Technology
Exploiting multimodal biometrics in e privacy scheme for electronic health records

Exploiting multimodal biometrics in e privacy scheme for electronic health records

Business
Addressing Biometrics Security and Privacy Related

Addressing Biometrics Security and Privacy Related

Documents
(2007) Biometrics and Privacy

(2007) Biometrics and Privacy

Technology
Strong Key Derivation from Biometrics Benjamin Fuller, Boston University/MIT Lincoln Laboratory Privacy Enhancing Technologies for Biometrics, Haifa January

Strong Key Derivation from Biometrics Benjamin Fuller, Boston University/MIT Lincoln Laboratory Privacy Enhancing Technologies for Biometrics, Haifa January

Documents
Law Enforcement Biometrics Market in North America 2014-2018

Law Enforcement Biometrics Market in North America 2014-2018

Software
Privacy Policy, Law and Technology Privacy Law

Privacy Policy, Law and Technology Privacy Law

Documents