
Rational Concerns about Biometric Technology:

Security and Privacy

Yue Liu, University of Oslo, Norway

Abstract

The increasing use of biometric technology is often accompanied by grandiose claims about its ability to enhance security and the debate over the perceived threats that it poses to the notion of privacy. By focusing on the security and privacy concerns that biometric technology raises, this chapter gives a critical analysis of the complexities involved through rational discussions, technology assessment and case examples. It clarifies the prevalent misconceptions concerning biometric technology and finds that biometric technology alone cannot provide an answer to security issues. The inherent nature of biometric technology provides enormous potential for undermining privacy. However, security and privacy are not necessarily two contradictory concepts where biometrics is concerned.

Introduction

Across the various contexts in which it is applied, biometric technology (hereinafter also termed “biometrics”) raises multiple rational concerns. This chapter aims to give some idea of the complexities involved in biometric technology by focusing on the security and privacy concerns it raises. To what extent do and will biometrics affect privacy and security? Exactly what is the special nature of biometric data compared with other personal data? Is the increasing use of biometrics just a question of “balance” or “trade-off” between privacy and security? It is with these sorts of questions that this chapter is concerned. In tackling such questions, the chapter also aims to clarify some of the misconceptions that inform parts of the legal discourse around biometrics.

Background

Put simply, biometric technology involves the use of automated methods for verifying or recognizing the identity of a living person based on their physiological or behavioral characteristics.1 Most people get to know about biometrics from what they observe in science-fiction movies like Spielberg’s Minority Report, in which people are regularly subjected to eye scans for identification, control, and/or advertising purposes when they take public transport, enter office buildings, or simply walk in the street. Seductive claims also have been made about the ability of biometrics to defeat terrorism and organized crime. Biometrics figure increasingly as the centerpiece technology in implementing counterterrorist policy.

Much technology inspires not only hope but also fears, and development of innovative technology has almost always raised new legal concerns. This is certainly true in the case of biometric technology. Increasing use of biometrics has led to fears of an acceleration in the speed at which our society becomes a surveillance society with scant room for personal privacy and autonomy. Doubts also have been raised about the level of security that increased use of biometrics can actually deliver. It further is feared that the loss of privacy may lead in turn to a host of other problems, such as increasing social stigma, discrimination in employment, barriers to gaining health insurance and the like. With the growing use of biometrics, it is of paramount importance that discussions about the ethical, social, and legal implications of the technology take place. In such discussions so far, privacy and security concerns often

To begin with, the chapter outlines the special nature of biometric technology and biometric data. It then discusses the relationship between biometric technology and privacy. Following on from this, the relationship between biometric technology and security is analyzed in the light of technology assessment and case examples. The final section presents conclusions.

Special Nature of Biometric Technology and Biometric Data

Generally speaking, biometric technology involves using part of the human body or behavior as mechanisms for human identification or authentication. Fingerprints, irises, faces, retinal images, veins, and voice patterns are all examples of actual or potential biometric identifiers. These data are collected by sensor devices, transformed into digital representations and then, via algorithms, the data become so-called biometric templates. These biometric templates are then stored somewhere for later matching against other collected data.3

As indicated above, the matching can be used for either authentication or identification purposes. Biometric authentication involves a “one-to-one” (1:1) search whereby a live biometric sample presented by a person is compared to a stored sample previously collected from that individual, and the match confirmed (Cavoukian et al., 2007, p. 6). This sort of match answers the question, “is the person who they claim to be?” In this process, no searching or matching of a central database is necessary, though such a database can still be used, provided that some other identifiable data, such as a serial number, are used to “look up” an individual in the database.

In contrast, biometric identification refers to the ability of a computer system to uniquely distinguish an individual from a larger set of individual biometric records on file (Cavoukian et al., 2007, p. 6). This also is known as a “one-to-many” (1:N) search designed to determine identity based solely on biometric information. This sort of match intends to answer the question, “who is the person?” To support identification, a central database must be built containing a large set of individual biometric records. So theoretically a central database of biometric records could allow the system controller to find out who the person is, provided the latter is already registered in the central database. During the matching process, the live biometric sample will be compared with all the registered biometric samples in the central database. Upon a successful match, the person’s identity will be released from the central database.
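
The two matching modes described above, as an added illustration that is not part of the original chapter. It assumes constructed 64-bit templates, Hamming distance as the comparison, a 12-bit acceptance threshold, and hypothetical names (`verify`, `identify`, `SN-...` serial numbers).

```python
# Added example: constructed data, not a real biometric algorithm.
import random

BITS = 64        # template length (assumed)
THRESHOLD = 12   # max differing bits still accepted as a match (assumed)

def hamming(a, b):
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")

def noisy_sample(template, flips, rng):
    """Simulate a live capture: the enrolled template with a few bits flipped."""
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template

def verify(live, claimed_id, store):
    """1:1 authentication: one comparison against the record looked up by ID."""
    enrolled = store.get(claimed_id)
    return enrolled is not None and hamming(live, enrolled) <= THRESHOLD

def identify(live, central_db):
    """1:N identification: compare against every record, return (id, comparisons)."""
    best_id, best_dist, comparisons = None, BITS + 1, 0
    for person_id, enrolled in central_db.items():
        comparisons += 1
        dist = hamming(live, enrolled)
        if dist < best_dist:
            best_id, best_dist = person_id, dist
    matched = best_id if best_dist <= THRESHOLD else None
    return matched, comparisons

def build_demo():
    """Constructed database of 200 random templates plus two live samples."""
    rng = random.Random(2024)
    db = {f"SN-{i:03d}": rng.getrandbits(BITS) for i in range(200)}
    enrolled_live = noisy_sample(db["SN-042"], 5, rng)
    stranger_live = rng.getrandbits(BITS)
    return db, enrolled_live, stranger_live

if __name__ == "__main__":
    db, live, stranger = build_demo()
    print("1:1 claim SN-042:", verify(live, "SN-042", db))
    print("1:1 claim SN-007:", verify(live, "SN-007", db))
    print("1:N enrolled:", identify(live, db))
    print("1:N stranger:", identify(stranger, db))
```

The 1:1 check needs only the single record named by the claimed serial number, while the 1:N search needs no claim at all but must read every record, which is why identification presupposes a central database.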

The “Bio” Nature of Biometric Data and Biometric Technology

Compared with knowledge-based or token-based methods of authentication/identification, biometric technology is unique in the sense that it uses part of the human body or behavior as the basis of the authentication and/or identification method. What is the significance of the fact that a body-related characteristic is used as an identifier or verifier? To answer this question, we need to first investigate what biometric data are.

Genetic and Health Related Data

The raw information at the heart of biometrics is by its very nature personal. It is intimately connected to the individual concerned (the “information subject”). If one takes the most popularly used and known form of biometric information—fingerprints—as an example, it has been claimed that even a fingerprint too smudged for ordinary identification could provide forensic scientists with sufficient DNA4 to construct a “DNA fingerprint,”5 thus providing investigators with a powerful new tool in the search for evidence of crime. Moreover, there is a rather large body of work tracing the genetic history of population groups through the study of their fingerprint-pattern characteristics.6 It also has been proven that there exists a mysterious linkage between certain fingerprints and certain birth defects and diseases (Woodward 1997b). From examining a person’s retina or iris, a medical expert can determine that the person may be suffering from common afflictions like diabetes, arteriosclerosis and hypertension; further, unique diseases of the iris and the retina also can be detected.7

However, the informational status of the biometric templates that are generated and applied in identification/authentication systems is somewhat unclear. As indicated above, a biometric template is digitalized data of a person’s physical or behavioral characteristics, not the raw information or image itself. The template is generated by application of a given algorithm. There is as yet no solid proof that the templates themselves actually contain medical information, though they are very likely to do so. A template is as unique as the raw biometric data from which it is generated. It is possible to reconstruct from a template the part of the raw biometric data that is used for creating the template.8 Generally, templates will only contain information necessary for comparison. However, what is necessary for comparison is neither fixed nor predetermined. As the biometric template should retain the special features of the relatively unique and permanent features which are related to genetic information or health (Bromba, 2006). However, it is not certain if the information captured in the template would be sufficient for medical diagnostic purposes. Nonetheless, it is still reasonable to claim that there is generally a link between biometric information and genetic and/or health information. The latter has been widely recognized as sensitive information about individuals and, quite often, their relatives.

It has been claimed by one observer that “[b]iometrics is not a branch of medicine but rather a special form of mathematical and statistical science” (Ploeg, 1999, p. 43). The same observer goes on to state that “we should perhaps not expect to be able to determine any intrinsic meaning of biometric data, or the biometric body in general, but investigate quite specifically what uses and practices biometrics will become part of” (Ploeg, 1999, p. 43). According to another observer, “with almost all biometric devices, there is virtually no personal information contained therein. From my fingerprint, you can not tell my gender, you can not tell my height, my age, or my weight. There is far less personal information exposed by giving you my fingerprint than by showing you my driver’s license” (Wayman, 1998, p. 11).

At first glance, these statements seem to make sense, but they are based on the assumption that technology will stop developing. It is true that there is presently no verified report about easy and fast disclosure of health information directly from biometric data; moreover, possible linkage between biometric data and health information is only reported in relation to certain kinds of biometric data. Yet as the technology develops, it is quite reasonable to predict that such disclosure and linkage may be possible in the future. The potential is clearly present. Hence, the long-term problem here is whether the data controller (i.e., the person/organization in possession of the biometric data) will make such linkages.

It could be countered that even if biometric data have the potential to disclose sensitive information, they are not designed to be used that way, so there is no need to worry. However, biometric features make it difficult to escape from situations of misuse in the hands of individuals or governments – with or without malicious intent. “Function creep” can occur; indeed, many privacy advocates contend that function creep is inevitable. For example, Simon Davies opines:

The history of identification systems throughout the world provides evidence of “function creep”—application to additional purposes not announced, or perhaps even intended, at the commencement of the scheme. [...] The existence of a relatively high-integrity scheme would create irresistible temptations to apply it widely, and inter-relate many hitherto separate collections of personal information (Davies, 1994, p. 44).

An additional purpose can be valuable or detrimental to society, but the point here is that the potential of biometric data cannot be restricted by the purposes for which they are/were originally used. There is no absolute guarantee that biometric data will not be used for revealing health information, though it would take a significant technological shift to go from current biometric systems to systems that reveal such information (Feldman, 2003, p. 667).