Download ppt - Privacy Issues in the Application of Biometrics Marina Gavrilova

Privacy Issues in the Application of Biometrics

Marina Gavrilova

Outline Introduction Privacy – from the philosophical concept to

human rights The European Personal Data Directive The role of privacy-enhancing technologies Looking to the future Social and psychological context of the

application of biometric methods Conclusions

IntroductionBiometric methods of authentication offer a more secure

link between a specific individual and a non-human entity. Numerous trials and deployments demonstrate the wide range of possible application:

restriction of access to physical spaces and electronic resources to those individuals who have been previously cleared;

denying the opportunity for potential fraudsters to assume multiple identities;

enforcing accountability for individuals undertaking electronic transactions;

matching facial images from CCTV cameras to databases of criminals

IntroductionConcerns appear to centre on the threats to the end user’s

privacy.

For many, the widespread use of biometric technologies in films and the perception of these techniques as “perfect” have reawakened the fears of an all-knowing computer systems able to track every citizen and consumer, perhaps placing the reputation of the individual at risk.

Also, the future possibilities of the use of DNA data in tracking people, and in the linking of biometrics with parallel developments in other surveillance technologies.

IntroductionBoth during the 2nd WW and under post-war Central

and Eastern European governments had manually operated filing systems tracked dissident citizens and members of minorities. S

Such motions where first codified in the 1950 European Convention of Human Rights (ECHR).

Two decades later, with the commercialization of large mainframe computers, the first laws to protect “personal data” about individuals were drafted, based upon an internationally agreed framework but with a local interpretation.

IntroductionWith the expansion of the European Union, the need

for harmonization of these laws required a European-wide legal consensus.

The 1995 Personal Data Directive and its transposition into national laws offers the legislative underpinning to any discussion about the use of biometrics in modern systems in Europe.

However, its approach predated the age of the Internet, and its complexity rendered it opaque to the average person.

IntroductionBiometric technologies are almost unique as a

security mechanism in the need for cooperation by the end user to ensure their correct operation.

Some user concerns can be addressed directly, for example by studies into any health and safety issues, although it is clear that attitudes may take time to change.

Those concerns that are less clearly articulated will require more extended studies.

Outline Introduction Privacy – from the philosophical concept to a

human right The European Personal Data Directive The role of privacy-enhancing technologies Looking to the future Social and psychological context of the


Privacy- from philosophical concept to a human right

The notion of individual privacy appears to be a modern phenomenon.

In less mobile societies with poor roads, few people would venture outside their immediate neighborhood and the arrival of fairs or itinerant travelers was subject to closely circumscribed laws.

In these societies, the daily lives of the ordinary people were led without much privacy. I.e., the strong Puritan tradition in the 17th century in England and the American colonies seemed to encourage a surveillance by one’s neighbors.


Shapiro regards the partitioning of rooms in a household as the first step to a culture of privacy and individuality.

Next, in 18th and 19th century improvements in road quality and the creation of a canal and railway network (the latter going in hand with the first electronic communications – the telegraph).

The rapid urbanization of much Western Europe and parts of the USA completed the options for many citizens to move outside of their place of birth and schooling, to assert an individuality apart from their kinship groups.

The second half of the 19th century saw the introduction of the census and codification of laws on recording births, marriages, and deaths.


19th century was the time for the first use of biometric identities for tracking and recording criminals using file systems.

Initially this aimed to collect as much information about externally visible features and easily measurable dimensions, Bertillon’s anthropometry being the most celebrated scheme. This short-lived approach was superseded a few years later by the discovery of the remarkable individuality of fingerprints.

By the turn of 19th century, Scotland Yard had embarked on the

use of the hugely successful Galton-Henry classification system and the fingerprint as a key forensic tool had arrived.


With the questioning of the power of a state to affect all facets of the life of the citizen, one part of the personal privacy debate has started. The other aspect, that of giving individuals a right over the way the information about them is collected and used was a remain less pressing for another half century.

In 1950, the participating states to the Council of Europe articulated a response in Article 8 of the ECHR guaranteeing a right of privacy:

“Everyone has the right to respect for his private and family life, his home and his correspondence. “

The Convention offered individual redress against governments abusing their authority by an ultimate personal appeal to the European Court of Human Rights in Strasbourg.


The increasing prosperity of the 50s and early 60s was accompanied by a belief in the benefits of technological progress and organizational efficiency. In particular, governments in Europe were attracted to the potential of computerization of records, such as social welfare payments.

But the climate of thought amongst Europeans changed. Although the events of ’68 were characterized as a rebellion by the youth of Europe, other currents of opinion were questioning the wisdom of concentrating power, and the information on which power is built without countervailing checks and balances.


The world’s first data protection act, passed in the German state of Hessen in 1970 was directed at offering this check on the operations of a regional government, but as more countries recognized the need for such legislation, the scope widened to take in commercial use of personal data as well.

Increasingly, the limitations of national laws in a rapidly globalizing world led to calls for an international system for data protection, to protect against states with no laws or inadequate laws from becoming “data heavens” with no controls on the processing of data.


Although these agreements were influential in determining the course of subsequent laws – such as the first UK Data Protection Act in 1984 – by 1990 it was clear to the European Commission that the lack of a common framework, under which personal information could be gathered, processed, stored, transmitted and disposed of securely, was likely to impede the commercial development of both existing and novel services.


Over the course of the following 5 years, the Commission agreed the principles for an EU-wide directive of 1995. This required governments in each of the countries to transpose the directive into national law by 1998 (http://ec.europa.eu/justice_home/fsj/privacy/ )

In spite of this recent agreement, there have already been calls to make changes in the light of experience in applying the framework directive.




The European Personal Data Directive

This directive establishes 8 Principles of personal data protection which determine the legality of the processing of such data. Personal data must be:

1. Processed fairly and lawfully2. Collected for specified and lawful purpose and not

processed further in ways that are incompatible with these (the “finality” principle).

3. Adequate, relevant and not excessive in relation to the purposes for which they are collected or processed.

4. Accurate (and where necessary kept up to date).

The European Personal Data Directive

5. Not kept longer than is necessary for the stated purposes (that is in a form that permits identification of the data subjects).

6. Processed in accordance with data subject’s rights.7. Secure (against accidental or unlawful destruction,

accidental loss, alteration, unauthorized disclosure or access, using measures that have regard to the state of the art and costs of implementation, and ensuring that a level of security is maintained that is appropriate to the risks represented by the processing and the nature of the personal data to be protected).

8. May only be transferred to those countries that ensure an adequate level of protection for personal data.

Applying the directive and national laws to biometric systems

Although Data Protection Commissioners recognize that biometrics offers a challenge to the legal framework on personal data and privacy, to date only 3 have explicitly considered the ground rules for operation of biometric-enabled systems.


More recently, CNIL, the French data protection commission, has undertaken a major study into the privacy implications of biometrics.

It found that there was a lack of reliable information about how biometric-enabled systems operate in practice and confirmed that, in general, technologists and data controllers were not aware of the rights of end users.

In view of the potential harm that could result to end users from systems not designed in accordance with data protection principles, CNIL has proposed a number of measures.


In its 2001 annual report, CNIL categorized applications using biometrics into two broad groups:

There was no problem with systems where the template storage is under the end user’s control, e.g. stored on a card, a PC, or a cell phone in the possession of the user.

The second class, where the template is stored in a centralized database, is more complex. Where the biometric record is of a type that leaves no trace or is not easily captured without the cooperation of the end user (such as eye-based systems or those applying hand geometry devices), integrators can use these methods, provided that the usual data protection principles, such as finality and proportionality are observed. In contrast, centralized template storage using biometrics that leave a trace or can be easily obtained (such as systems with face, fingerprint, or DNA recognition) should only be applied in high security systems.


The European Commission funded BIOVISION roadmap project to review the biometric context of the directive and national laws, and provide initial materials towards the definition of a code of conduct for applications making use of a biometric in a privacy-compliant manner.

A parllel activity is being undertaken by the UK government managed Biometric Working Group.

Biometric data as “personal data”

Perhaps the aspect of personal data protection law that has been debated most extensively is the question of application of the law to biometrics. To what extent is biometric data “personal data” within the meaning of the directive and the national laws?

The directive defines personal data to be “any information relating to an identifier or identifiable natural person”, making the distinction with legal entities such as companies. Furthermore, it amplifies the definition by stating that an identifiable person is one who can be identified directly or indirectly, I particular by reference to:

An identification number; or To one or more factors specific to his physical,

physiological, mental, economic, cultural, or social identity


Possible personal data that relate to the implementation of biometric can include:1. The image or record captured from the sensor at the initial enrollment.2. Any transmitted form of the image or record between sensor and processing

systems.3. The processed data4. The stored image or record or template5. Any accompanying data collected at the time of enrollment6. The image or record captured from the sensor during normal operation of the

biometric7. Any transmitted form of the image or record at verification or identification8. The template obtained from the storage device.9. Any accompanying data obtained at the time of verification or identification.10. The result of matching process11. Any updating of the template in response to the identification or verification.


Situations where biometric data is not treatable as personal data are likely to be relatively rare.

One case where data is unlikely to fall within this definition is for a biometric application where all of the following conditions are met:

The identity of a previously enrolled individual is only represented by a “one way” template with no possibility if reconstruction of the original record.

The template could also be generated by a sufficient number of other subjects in the population

The template is stored on a card (or token) held by the end user.

The comparison, at verification, of the output of the sensor with the template, is made on the card (or token) itself.

All images and records relating to the enrollment are securely disposed of at the time of enrollment.

Biometrics and sensitive data

Article 8 of the personal data directive lists the following special categories of data that demand specific additional attention:

Racial or ethnic origin Political opinions Religious or philosophical beliefs Trade union membership Processing of data concerning health or sex lifeIn general, the subject should have given explicit consent to the

processing of such data, although there are a number of exemptions from this requirement. Note that data relating to offences, criminal convictions or security measures may only be carried out under the control of an official authority.


Those aspects that might impact on the operation of biometric methods are racial or ethnic origin and data relating to health. It is inevitable that the initial photographic image captured by the camera in a face recognition system will have some indication of race.


Most biometric systems have been developed, validated and tested by organization in the USA and Europe. It is not inconceivable that the algorithms that are used operate preferentially for ethnic groups that are highly represented in those geographical areas; and that, for example, directed represented searches for templates of facial images relating to non-Caucasians could be successfully initiated – albeit with results outputted on a probabilistic basis.

Proportionality principleA fundamental principle in European law is that of

proportionality, which some writers maintain would rule out the use of biometric method, if the objective could be achieved in some other, less privacy-threatening way.

Jan Grijpink describes how a hand geometry device is likely to be acceptable for access to buildings critical for the operation of an organization, whereas access control by means of fingerprint biometric to a secondary school might be more difficult to justify.

First principle compliance – fair and lawful processing

Processing of personal data needs to be carried out in a fair and lawful manner. This includes the act of obtaining the biometric data in the first place. Convert collection of biometric data is not permitted unless it falls within one of the defined exemptions. Wherever possible, the subject’s consent should be sought, since that consent removes many of the problems for an agency deploying a biometric- enabled system.

4th principle compliance - accuracy

By their very nature, biometric systems could occasionally return a false accept and with it the possibility of an inaccurate record of activity against another individual.

Whether this is considered as a failing in accuracy or in security (the 7th principle), the system designer and implementer should take appropriate steps to ensure that the personal data of the individual whose identity has been assumed is not compromised.

7th principle compliance - security

Requires the controller (the person or agency) that determines the purposes and means of processing of the personal data) to implement appropriate technical and organizational measures to protect the personal data against:

Unlawful destruction or accidental loss; Alteration; Unauthorized disclosure or access; And all other unlawful forms of processing.;in particular where the transmission involves a network. If

processors are different from controllers they must provide guarantees that the security measures are carried out. In addition, a legal contract must be in place between the controller and the processor. The measures must take account of the state of the art and assess the costs and risks involved.

8th principle compliance – transfer to third countries

Transfer of data to those countries that have an adequate level of protection is not allowed except under specific conditions (Article 25 of the Directive)

Article 8 of the European Human Rights Convention

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being.

Article 8 of the European Human Rights Convention

Wadham and Mountfield comment that the second test of accordance with the law requires:

The need for a specific legal rule to authorize this interference Adequacy of access to the specific law by an individual The law must be sufficiently precisely formulated to allow the

individual to foresee the circumstances under which the law could be applied.

Challenges to the legality of biometric schemes based upon this right could arise in government applications, where the personal data directive offers exemptions, e.g. in national identity schemes, for security systems in critical infrastructures, in the criminal justice system and in the provision of medical services.




The role of privacy-enhancing technologies

Many innovative services will use personal data in order to improve customer experience as well as providing valuable feedback to the service provider.

The European Commission recognized the benefits of such innovation, but was also concerned that consumers might not appreciate the significance of agreeing to such reuse of personal data.

It has promoted Privacy-Enhancing Technologies (PETs) that would provide a measure of protection. Their studies distinguished 2 types of PET:

1. Where the design of biometric-enabled system is tailored to be privacy-respecting using the best available technologies.

2. Where measures are offered to the end users individually to enable them to protect their privacy.

The role of privacy-enhancing technologies

Biometric devices could be designed in accordance with PET principles (now there is one system only).

For biometric enabled systems to be designed for privacy and security, the customer for the deployment and the customer’s system designers need to consider such requirements from the inception of a project.

Example of the first type: it stores the template only on the card held by the user.




Looking to the futureCountries in the EU have chosen to transpose the Personal Data

Directive in different ways, thereby adding to the confusion that the harmonization of laws was meant to address.

Some states, e.g. UK, Netherlands, decided in general to follow the wording of the directive, applying it to both the public and private sectors, clearly identifying the exemptions for government activities in the areas of national security, criminal justice, health etc.

Germany has delineated its national law into two sections that deal with private and public applications separately.

The Irish bill amends the pre-existing legislation on a cause-by-clause basis in order to conform to the 1995 directive.

The detail in Swedish national law makes explicit the right to revoke at any time a previously given consent for processing of personal data if they are of the sensitive class or if they are to be transferred to certain third countries.

Looking to the futureAmong the possibilities that are under consideration are: A statement of purpose of installation, with rationale for use of biometric

over conventional means of authentication. A maximum time-scale within which controller will respond to any

questions. A statement in respect of ”opt-in” or “opt-out” opportunities for end uses

together with any rights afforded to the end users in respect of all personal data held on them.

Stated retention periods of personal data. Any accesses permitted for third parties, including those permitted for

lawful authorities. Any Privacy Impact Assessment that may have been made prior to

deployment Specification of procedures to ensure secure disposal of the personal data

in the event of withdrawal of the system. Details of the external audit of the system and whether this will be

available to the public or end users. Review procedures and dates for re-examination of the operation of the

system.




Social and Psychological Context of the Application of Biometric Methods

Many individuals are fearful of the introduction of biometrics. Questionnaire studies show wide differences in the response to proposals such as the replacement of PIN with a fingerprint or the use of an eye identification method.


Some components of the fear of biometrics were identified by Simon Davies in 1994. Since then, many other commentators have added to the list.

The de-humanization of people by their reduction to bytes on a computer.

The high integrity of identification reverses the “natural” relationship of government serving citizens and society.

Fear of society being increasingly driven by a technocracy, rather than a democratically elected government.

A system that would entrench fraud and criminality through technologically secure systems.

The methods are the mechanism foretold in religious prophecies.


The impact of Hollywood’s association of biometric methods with spies, advanced military hardware, and science fiction may have increased these concerns, portraying these as perfect technologies in the service of powerful organizations.

The first stage in addressing these concerns is to gather these issues from all sections of the target population and to organize them in ways that allow further investigatiion.


Victoria Belotti has developed a model based upon the need of users to have feedback on, and then exert control over, four elements in complex environments:

Capture of personal information into the system What happens once the information is in the system Who and what processes will make use of it For what purpose they will use that personal

information.Further research by Anne Adams has centered even

more on the end user’s perspective on the transfer of personal information to organizations.


Further research by Anne Adams has centered even more on the end user’s perspective on the transfer of personal information to organizations. Here the end user has three principal concerns:

That the trust she places in the receiver of the personal data is not misplaced.

That the risk-benefit analysis she makes of the usage to which that data is put is correctly assessed.

That her judgment as to the sensitivity of the information is correctly made.


One approach to ensuring that such issues are considered during the system design is to carry out a Privacy Impact Assessment at an early stage of process (i.e. requirements capture stage).

Innovative trailing of new technologies that balance the technical and human aspects, has been under way for many years. Predominantly in Scandinavian countries.

Future biometric-enabled systems will have a higher likelihood of success if they take account of such approaches.




ConclusionsUsers’ view on privacy implications of the

application of biometrics may be only part of package of concerns. Situationally determined models of privacy are a first step towards a richer. More comprehensive model for response of individuals to the introduction of biometrics. Such a model will be a valuable input to socio-technical designs of biometric systems that give equal weight to the social dimension and to issues of performance, standardization, etc.

ReferencesJ. Wayman et al. Biometric Systems. Technology,

Design and Performance Evaluation, Springer 2005.

European Commission – Data protection: http://ec.europa.eu/justice_home/fsj/privacy/