Biometrics and Privacy

The End of The World as We Know It or The White Knight of Privacy?

Biometrics – Security and Authentication

Biometrics Institute Conference

Sydney

Malcolm Crompton
Federal Privacy Commissioner

20 March 2002



Executive Summary

This paper notes the range of claims made about the interaction of privacy and biometrics, from the solution to everything to the end of the world as we know it. It goes on to identify and explore impacts on privacy through the collection and use of biometric information. These include or depend on:

·        the extent of personal information collected and stored in the context of a biometric application;

·        the extent of choice for people about whether to provide biometric information;

·        the fact that biometrics are a powerful identification tool but can also go powerfully wrong;

·        the potential for greater and possibly covert collection of very sensitive information in the course of ordinary transactions;

·        bodily privacy in the collection of biometrics;

·        openness and choice in the collection of biometrics;

·        anonymity;

·        the potential for data linkage and function creep; and

·        the potential for biometric information to act as a universal unique identifier.

Introduction

Biometrics is a generic term that refers to a wide range of measures of biological data. The use of biometrics is not new. The signature has been used for authentication for a very long time. The use of fingerprints in law enforcement can be dated back to 1879, when a French policeman named Alphonse Bertillon suggested that people could be precisely identified by carefully measuring different parts of the body. Although his original approach was to record a wide array of body measurements, including the tilt of the forehead and the length of the right ear, the system was fine-tuned to a photograph, with a quick physical description alongside a set of fingerprints. [1]

This enthusiasm for biometrics as the best way of uniquely identifying someone took off from there and what was once a trickle has now become a flood. A whole range of well-known and new biometrics is being used and experimented with. These include fingerprints, hand geometry, face, voice, iris, keystroke recognition, and DNA. [2]

The Electronic News reported in December 2001 that the total non-automated fingerprint identification system (non-AFIS) biometrics markets would climb from US$66 million in 2000 to US$900 million by 2006. [3] ZDNet Australia reported in the same month that hardware sales are projected to increase tenfold to more than US$590 million in 2003 and that biometric consulting and integration revenues could reach nearly $1.8 billion. [4] Business Review Weekly on 28 February 2002 reported that the Washington-based International Biometric Industry Association expects the biometrics market, including recognition technology based on fingers, hands, eyes, faces, voice and hand-written signatures, to turn over US$66 million in 2003, up from US$100 million in 2000. [5]

Biometrics are showing their presence in Australia. A small sample includes:

  • Edith Cowan University in Western Australia has installed fingerprint scanning technology to secure the PCs controlling access to campus buildings. [6]
  • Melbourne’s Crown Casino and the Australian Customs Service are trying out facial recognition technology using one of America’s most popular systems, called Face-IT. [7]
  • Australia’s CSIRO is at the forefront of face recognition technology and is developing The System for Quick Image Search or SQUIS. [8]
  • NSW Police Service, casinos and retailers are using the face recognition application CrimeCapture by ImageWare.

What are the reasons for this explosion of interest in and use of biometrics?

The quest for ever more efficient and fraud-proof means of authentication has been one of the main driving forces. Another has been the drive for better means of identifying criminals and suspects for law enforcement reasons. The attraction of biometric information is that it is potentially hard to forge and it uniquely identifies a person, the Andrew Niccol film Gattaca notwithstanding.

Also, biometric information can be stored on computers. Developments in technology have made the use of biometrics as an identity tool more feasible. Its limitations before the advent of computers are amply demonstrated by the problems the French authorities encountered when the Mona Lisa went missing in 1911. Although the fingerprint identification from a thumbprint left on the glass of the painting implicated one Vincenzo Peruggia, the identification was no use in locating him because of the chaotic filing system the authorities had been using since they began collecting prints almost 20 years before. [9] The ability to store and organise massive amounts of data in databases on fast computers has the potential to solve this problem. Increasing processor speed, faster access times for disk and memory, and improved compression algorithms have improved the performance of identification and authentication systems using biometrics enormously. Templates take up ever fewer bytes and can be matched at ever increasing speeds and with greater accuracy. [10]

As governments and business organisations rely increasingly on electronic remote communication for interaction and commercial transactions, remote electronic methods of authentication are needed. Examples of these kinds of transactions include the use of ATMs and commerce on the Internet. The PIN has become one of the main ways of remote authentication. However, people are being swamped by PINs, which they lose or forget, or handle in an insecure way.

Biometrics are also being explored as a means of assisting people who are unable to use conventional means of accessing systems or services. For example, the National Australia Bank has launched its first voice activated ATM, which aims to improve access to ATMs for the blind, visually impaired and aged. [11]

In addition, the technology needed to implement a biometric system is becoming available at lower cost. A key reason for this is that biometric systems can increasingly be integrated with existing systems. For example, face recognition and iris systems can operate with cameras on multimedia computers. [12] An article in Security Electronics in February announced an agreement to combine Visionics’ Face-It technology with Nice Systems’ digital recording system to enhance the use of face recognition technology on video surveillance cameras, in real time. [13] Increasing interoperability via the newly released biometric application programming interface standard, BioAPI, is likely to remove a long-standing obstacle to growth. [14]

And of course, since September 11, governments have been driven to explore biometrics, and in particular face recognition, for surveillance purposes and as a way of identifying people who are a threat to security.

The horse has clearly bolted. It is too late to turn back the tide of biometric technology. The burgeoning use of biometrics has been accompanied by increasing expressions of alarm from some privacy advocates and civil rights groups about the threats to privacy this poses.

There are in fact mixed views among the various interest groups about whether the use of biometrics is privacy enhancing or privacy invasive. Some in the biometrics industry argue that biometrics are without doubt the answer to threats to privacy resulting from identity theft. For example, Richard E Norton of the International Biometric Industry Association (IBIA) says:

‘Simply put, it’s getting harder and harder to preserve personal privacy without using biometrics. It’s a misperception that biometrics somehow compromise privacy; in actuality, they are the best way to lock up a record and ensure that an identity cannot be stolen. Biometrics are designed to give the user total control over who has access to his or her information, and provide a clear audit trail if someone tries to obtain data from a record. Which would consumers rather have – a system like we have now, with your name, social security number, birth date, address and phone number available to anyone who has PIN, password, or “hacked” access to customer records, or a system that prevents a record from being penetrated unless it’s unlocked through biometric verification? Privacy advocates are on thin ice here, especially when they claim that a record can be compromised or stolen. A biometric cannot be reverse-engineered to find out who you are, and it cannot be used to link records together – in fact, the technology by definition prevents it. Finally, you can’t be an impostor by using someone’s biometric; the template is dynamic, and the data is encrypted. Biometrics raise the bar against fraud and abuse at no cost to privacy.’ [15]

Others with an interest in privacy also argue that, if properly constructed, biometric systems have the potential to act as Privacy Enhancing Technologies (PETs). A discussion paper released by the Information Privacy Commissioner, Ontario, Canada states:

‘Biometrics need not subvert informational privacy. A pro-privacy position should not be construed as anti-biometric. The technology can actually be privacy enhancing if systems are designed with that objective in mind.’ [16]

In a similar vein, the Ontario Information and Privacy Commissioner has challenged industry to develop Security Technologies Enhancing Privacy, or STEPs [www.ipc.on.ca/english/pubpres/ext-pub/steps.htm]. [17]

On the other hand some privacy advocates and others have described the use of biometrics as a major threat to privacy and some even describe it as the end of the free world as we know it. For example, Roger Clarke writes:

‘Biometric technologies, building as they do on a substantial set of other surveillance mechanisms, create an environment in which organisations have enormous power over individuals. Faced with the prospect of being alienated by employers, by providers of consumer goods and services, and by government agencies, individuals are less ready to voice dissent, or even to complain.

This is completely contrary to the patterns that have been associated with the rise of personal freedoms and free, open societies. It represents the kind of closed-minded society that the Soviet bloc created, and which the free world decried. The once-free world is submitting to a ‘technical imperative’, and permitting surveillance technologies to change society for the worse. Biometrics are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of ‘different-thinkers’, public interest advocates and ‘troublemakers’.’ [18]

All of these perspectives have a relevant bearing on how to think about biometrics. Another perspective that needs to be kept in mind is that, at the same time as the use of biometrics may pose a threat to privacy, there are many possible benefits to individuals, including the possibility of better protection from identity theft and the convenience of not having to remember multiple PINs or passwords.

The task I have as the Privacy Commissioner, along with other Commissioners, is to engage actively with the issue. We need to consider what can be done to protect privacy while still achieving the benefits that biometrics is capable of bringing to society and to individuals. Indeed, wherever possible, the real objective should be to seek ways of ensuring that biometric technologies achieve these benefits while actually enhancing privacy.

To answer these challenges, some careful analysis is needed. Relying on untested or interest driven assumptions about biometrics will not result in good privacy solutions.

So what I would like to explore in this paper is the question of just what is the threat to privacy that the use of biometrics poses? Are the issues unique? Or are the threats similar to the ones posed by a number of other techniques of identification and authentication? How should the threats to privacy be tackled? Are current laws and approaches adequate or are there reasons why new approaches are needed?

Much will depend on the use that is made of biometric systems and the kind of biometric used. Biometrics can be put to a range of uses. One kind of biometric use, DNA testing, has potential use as a predictor of disease or disability. The use of DNA poses its own unique issues, which are being explored in a joint inquiry run by the Australian Law Reform Commission and the Australian Health Ethics Committee, [19] and I do not propose to consider them in this paper.

What is privacy?

I will begin by considering what privacy is.

In 1890, in what is now regarded as the key early modern writing on privacy, Samuel Warren and Louis Brandeis popularised Judge Cooley’s suggestion that privacy is the ‘right to be let alone’ [20] and argued for the need for a legal protection of this right in the face of ‘recent inventions and business methods’.

While the face of the world and business methods have changed, the Warren and Brandeis formulation remains one of the simplest and most meaningful answers to the question of ‘what is privacy?’

Some fundamental part of human dignity requires privacy.  Privacy is part of the claim to personal autonomy.  It supports the various freedoms that democratic countries value.  As then Professor Zelman Cowen said in the 1969 Boyer lectures:

‘A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars’. [21]  

The International Covenant on Civil and Political Rights [22] is one of a number of international instruments that recognise privacy among the basic rights.  Article 17 states:

‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.’

David Banisar [23] of EPIC suggests privacy can be divided into four separate but related concepts:

  • Information privacy – involving rules for the handling of personal data
  • Bodily privacy – protection of our physical selves against invasive procedures
  • Privacy of communications – security and privacy of mail, telephones etc
  • Territorial privacy – setting limits on intrusions into domestic and other environments.

The development of new businesses and technology has led to court cases where more complexities about ‘the right to be let alone’ were debated, including the notion that this right needed to be weighed against the public’s right to know about things of legitimate public concern.

It is often the case that privacy is something that arouses more thought and interest in its absence, or when it is threatened, than in its presence. Prince Edward, a member of the British royal family, illustrated this when he was quoted as saying on the eve of his marriage that you do not value your privacy until you have lost it.

Another point worth making is that people often do not value other people’s privacy until their own is threatened. A good example of this is to be found in the Tasmanian police force, which remained apparently uninterested while the legislation was going through the Tasmanian Parliament to establish forensic procedures for contributing to the CrimTrac DNA database (for criminals and suspects who might have done nothing more than be stopped for a Random Breath Test). The Police have developed a sudden interest in privacy issues now that the Government is proposing that they contribute their own DNA samples to a database, [24] as have the Victorian Police. [25]

Biometrics and the privacy risks

So what is it about the use of biometrics that threatens our ability to be ‘let alone’, our dignity, our chance for anonymity and solitude? Does use of biometrics raise the spectre of big brother watching our every move so that there is never the chance to be on our own?

At one level, the extent to which biometrics threaten (or enhance) privacy depends on the use to which they are put. Some uses appear to have the potential for greater privacy threats or enhancements to privacy than others. However, it is not possible to be too dogmatic about this. The actual level of the threat or enhancement will vary according to the particular context.

Use of biometrics for authentication may have a low level of privacy risk provided that the authentication system involves the individual knowingly exercising a choice to enrol in a system and the system does not require the authenticating body to hold large amounts of information about an individual except that necessary to establish that the person is who they say they are.

Use of biometrics for identification has the potential to be more privacy invasive in cases where it involves the identifying organisation holding large amounts of information about individuals that it may or may not need, or that the individual may or may not know about. In the case of identification in a criminal context, it often involves bodily intrusive methods of collection from suspects, for example DNA sample collection, iris recognition, or in some cases fingerprints, especially where giving the sample is not voluntary.

Use of biometrics for surveillance is likely to be a major privacy concern, particularly when carried out covertly. A key principle of privacy is that generally speaking people should have control over their personal information. People have no control if identifiable information about them is collected without their knowledge. Some biometrics are particularly capable of being collected covertly. These include facial or appearance characteristics, voice characteristics and keystroke behaviour.

Other privacy risks arise regardless of the proposed use. Some of the privacy risks result from the nature of biometric information. Biometric information provides information about a person that is unique (or very close to unique). Also, the initial biometric information is inseparable from the person so is hard to forge.

These great strengths however, are also the source of key privacy risks and weaknesses, especially if systems are not properly designed and/or regulated. As is the case with all unique identifiers, it is easy and very tempting to use the one identifier in a whole range of contexts and then to link the information for purposes other than the original purpose for collection (otherwise known as function creep). We have already seen the debates about this around the proposal for an Australia Card. [26] Public interest advocates in the US are keen to ensure that ‘the same thing didn’t happen with biometric information that happened with Social Security numbers.’ [27]

This particular problem also provides a demonstration of where suitable design may be able to resolve it.  The number of different biometrics that can be collected about each individual is probably limited only by our imaginations.  The number of technologies for processing and protecting each of these is also large.  Collection and use of a different biometric using a different technology for each of the different purposes is one way of technologically limiting or even preventing such linkage.  An iris recognition technology might be used solely to facilitate a payments system; a palm scan might be the technology used for accessing one workplace while voice recognition might be the way to unlock the car door.  This is similar to the different “personas” that some people use for conducting different parts of their lives online.

Uniqueness and difficulty to forge also make a biometric a potentially powerful authentication or identification tool. But the down side is that there is a risk that it will be impossible for a person to repudiate a transaction or repair the situation if something has gone wrong. As one commentator says about biometrics:

‘… it doesn’t handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn’t a digital certificate, where some trusted third party can issue her with another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there’s no going back to a secure situation.’ [28]

These features also make it difficult for a person to escape from situations of misuse in the hands of individuals or governments with malign intent. A powerful example of misuse was in Argentina, which was one of the first countries to adopt the Bertillonage system. One police officer evangelised the practice of keeping records of fingerprints. The first person was convicted of murder based on fingerprint evidence gathered at the scene of the crime in 1892. Nearly 80 years later, the Argentine police were using a system called Digicom to track down “dissidents” in the streets of Buenos Aires. Combining digital processing with radio technology, the system scanned in fingerprints and relayed the information from police cars back to a central database. Each individual had a national identity card with a photo on the front and a complete set of fingerprints on the back. The Digicom system enabled the Videla government to keep tabs on Argentina’s population, thirty thousand of whom “disappeared” between 1976 and 1981.

Another privacy risk that comes from collecting information from a person’s body is that the information may reveal more information than just identity regardless of the intended use. Some of this is very sensitive. For example, voice can reveal emotions; the face may reveal information about a person’s emotions and health. Iris recognition and retinal scans may also reveal information about a person’s health. (Talk to any iridologist).

Aside from unintended collection of this information, it seems that there are already products on the market that aim to collect this kind of information, for example to detect deception through voice. The authors of “At face value” predict that biometrics used to expose emotions, through voice, face and keystroke dynamics, will have great influence in the future because these characteristics can be measured without consent. They are likely to be used particularly in multimedia contexts to collect more information from a person than they intend to give, and in e-commerce or telemarketing, for example, to influence the purchase patterns of customers. [29]

A further privacy risk that seems bizarre but which cannot be dismissed is the possibility that people may mutilate other people’s body parts in order to use someone else’s biometric identity for criminal purposes, for example, access to money, or buildings.

Other privacy risks arise from the nature of the technology used for biometrics.

The effectiveness and efficiency of current biometric uses depends on computer technology and electronic devices. This means that most of the privacy risks associated with computer technology also apply to biometric systems. Systems that involve storage of data on, and processing and transmission using, computer technology are subject to hacking and unauthorised access, use and disclosure. Although it may be difficult for a person to fake a fingerprint, or a voice, or their hand, there is a view among a number of commentators that it could be relatively simple for a person to hack into a system and copy the digital image of a biometric and replay it whenever he or she wishes to pass as the person whose image it is. [30]

Although human characteristics may be unique, all technologies so far developed for measuring them have built-in tolerance. This is because of the inaccuracy of the techniques and the different circumstances under which a biometric may be presented. This tolerance results in false acceptances (measured as the false acceptance rate, FAR) or false rejections (the false rejection rate, FRR). Privacy risks resulting from this include:

  • People from groups that have human characteristics that are less pronounced than average, or different, may have a higher risk of false rejection, leading to discrimination such as denial of services, or other embarrassing situations. An example is that people from some groups, for example manual workers, have fingerprints that are worn or less pronounced.
  • False acceptances can affect the quality of the data collected. The data collected will be assigned to the authorised person even though it is not about them, so the quality of the data will be affected. For example, a person may be registered as having visited a particular place when they did not.
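To make the tolerance trade-off concrete, here is an added example (not from the original paper) that scores a threshold-based matcher on constructed genuine and impostor comparison scores, reports FAR and FRR across thresholds, and shows how a group with less pronounced features is rejected more often at the same threshold. All score values are constructed for illustration.

```python
"""Threshold-based biometric matching: FAR/FRR trade-off (added example).

Every score below is constructed for illustration. A matcher compares a
live sample against a stored template and returns a similarity score in
[0, 1]; the system accepts when score >= threshold. Because the
measurement has built-in tolerance, some impostors score above the
threshold (false acceptance) and some genuine users score below it
(false rejection).
"""

# Constructed genuine scores: a person compared against their own template.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.86, 0.84, 0.81, 0.78, 0.72, 0.65]

# Constructed impostor scores: a person compared against someone else's template.
IMPOSTOR = [0.70, 0.62, 0.58, 0.55, 0.50, 0.46, 0.41, 0.35, 0.30, 0.22]

# Constructed genuine scores for a group whose features are less pronounced
# (e.g. worn fingerprints): the right person, but consistently lower scores.
GENUINE_WORN = [0.82, 0.78, 0.74, 0.70, 0.66, 0.62, 0.58, 0.55, 0.50, 0.44]


def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor comparisons the system would wrongly accept."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine comparisons the system would wrongly reject."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, false_accept_rate(impostor_scores, t),
             false_reject_rate(genuine_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds=None):
    """Threshold where FAR and FRR are closest (the equal error rate point).

    Tightening the threshold past this point trades impostor acceptances for
    genuine rejections; loosening it does the reverse. Neither reaches zero.
    """
    if thresholds is None:
        thresholds = [i / 100 for i in range(50, 100, 5)]
    return min(sweep(genuine_scores, impostor_scores, thresholds),
               key=lambda row: abs(row[1] - row[2]))[0]


def group_rejection_gap(threshold):
    """How much more often the worn-feature group is rejected than the
    general population at the same threshold (difference in FRR)."""
    return (false_reject_rate(GENUINE_WORN, threshold)
            - false_reject_rate(GENUINE, threshold))


if __name__ == "__main__":
    thresholds = [i / 100 for i in range(50, 100, 5)]
    print("threshold   FAR    FRR(general)  FRR(worn)")
    for t, far, frr in sweep(GENUINE, IMPOSTOR, thresholds):
        frr_worn = false_reject_rate(GENUINE_WORN, t)
        print(f"{t:9.2f} {far:6.2f} {frr:13.2f} {frr_worn:10.2f}")
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print(f"\nEqual-error threshold for the general population: {eer_t:.2f}")
    print(f"Extra rejections for the worn-feature group there: "
          f"{group_rejection_gap(eer_t):.2f}")
```

At the threshold that balances errors for the general population, the worn-feature group is rejected far more often, which is the discrimination risk the first bullet describes; no threshold drives both FAR and FRR to zero.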

The concern is that there may be a false illusion of Fort Knox around biometric systems, which may leave individuals in vulnerable or impossible positions when things go wrong. As the authors of “At face value” point out:

‘It is important to stress that, when biometrical systems are used, there is always a fraction of false acceptances. Corruption of personal data due to false acceptances will occur. The use of biometrics however might create the illusion that the personalization is always correct.’ [31]

A recent example of this is fingerprint matching, where the reliability of fingerprint matches has been questioned in court. [32]

In some cases the nature of the technology will limit the ability of a person to remain anonymous. For example, if a telephone network relies on voice recognition to get access to it people may no longer have the option of using a payphone to remain anonymous.

Finally, the intense focus on human characteristics that biometrics give rise to may lead to increased knowledge about the relationship between human characteristics and other habits, behaviours or emotions. For example, it could be discovered that people with red hair are more likely to buy financial products, or people with low voices are more likely to join a particular political party. It is not hard to imagine the possible misuse of this kind of information.

All these considerations show just how important design and policy stance are in considering the use of biometrics. As Privacy Commissioner, I strongly support applications of such technologies in ways that produce benefits that include privacy enhancement. Where this is not possible, strong and explicit justification, strong external monitoring and clear accountability are the minimum requirements that should be considered. Legislation is one of a number of ways of addressing these questions.

Application of the Privacy Act 1988 to biometrics

There is an array of laws in Australia that protect privacy at the Federal, State and Territory levels. In this section of the paper I will be focusing on just one of these laws, the Privacy Act 1988 (Cth) (the Privacy Act). The analysis that follows is a further exploration of the impact that the increasing use of biometric information may have on privacy, and also of the protection that the Privacy Act offers in relation to the use of biometrics.

In this analysis I will point to a few areas in the interface between biometrics, privacy and the Privacy Act that raise issues or need to be carefully monitored. I note in this regard that the Government has announced that the Privacy Commissioner will review the operations of the new private sector provisions in the Act two years after they commence, that is in December 2003.

Coverage of the Privacy Act

The Privacy Act covers Commonwealth public sector agencies and a fair part of the private sector. It is worth noting that this coverage leaves some gaps. For example, not all State or Territory public sectors are covered by State or Territory public sector legislation. Also, in the private sector, the Privacy Act does not cover most of the activities that employers carry out in relation to employee records. Unless Federal and State workplace relations law provides sufficient protection, this could be of concern because biometric systems have a number of potential uses in the employment context.

The Government has announced that it will review in conjunction with the States existing Commonwealth, State and Territory laws to consider the extent of privacy protection for employee records and whether there is a need for further measures. The findings of this review are expected to feed into the general review of the Privacy Act mentioned earlier. [33]

Is biometric information personal information?

The Privacy Act applies to ‘personal information’. A threshold question is whether biometric information is personal information. The Privacy Act defines personal information to be:

‘Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’ (Section 6)

Biometric information is clearly information about ‘an individual’. On the question of whether biometrics is identifying information the authors of “At face value” which include Dr Borking from the Registratiekamer in the Netherlands say that:

‘In the context of biometrical identification it can also be argued that this person is generally identifiable, since the biometrical data is used for identification or authentication, at least in the sense that the person concerned is distinguished from any other person.’

The authors go on to say that with this approach, the identifiability of the person does not depend on the availability of other data, which – jointly or separately – allow the person concerned to be identified. [34]

Of course the use of biometrics generally involves a number of transformative processes that involve manipulation of the data and may include mathematical transformation of the information into a code. The authors of “At face value” conclude that:

‘There is no reason to think that what applies to the human characteristic itself, would not apply to the digital representation of that characteristic, the templates which are composed on the basis of these representations, and to any subsequent transformation. As the process continues, the amount of detail will change, but the unique link with the person concerned is kept. It is reasonable therefore to conclude that the data involved will remain personal data in most, if not all stages of their processing.’ [35]

Threats to bodily privacy

The Privacy Act regulates information privacy in the Commonwealth public sector and the private sector nationally. It does not directly address the issue of bodily privacy, which is often addressed elsewhere in general law or statute law. However, both the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector require that information be collected in a way that is not unreasonably intrusive. This may be adequate protection in many cases but is unlikely to be adequate in cases where a person has no choice about whether or not to give a biometric.

The issue of choice is likely to arise where governments are considering the use of biometrics. The first step in building in privacy here is to take account of it at the decision-making phase. There will be some contexts, for example in law enforcement, where there will appear to be prima facie arguments for mandatory collection of biometric information. Even in these cases I strongly encourage a systematic consideration of issues such as any alternatives available, who the measure will affect, whether it is proportional to the problem and what safeguards might be needed. This approach is discussed in more detail in a paper I presented to an Australian Institute of Criminology Conference in 2001. [36] One approach in cases where a government may require a person to provide a biometric in intrusive circumstances is to have a separate law governing the circumstances. For example, some States have enacted separate laws under which individuals are required to give DNA samples for law enforcement reasons. [37] In other cases, governments as well as private sector organisations are to be encouraged to build in choice and to think about necessary safeguards.

In the private sector, uses of biometrics that involve bodily intrusive collection methods are likely to be strongly resisted by consumers. However, consumer resistance is only possible where the market gives them real choice. The extent to which the market provides real choice to consumers in the privacy area is a matter on which I am currently keeping a close eye, in relation to a number of areas of operation of the new private sector provisions.

Knowledge of collection important

The first step in allowing or encouraging people to exercise choice is to make sure they know they have a choice in the first place. The Privacy Act can play an important role here.

Both the IPPs and the NPPs require that information be collected by lawful and fair means (IPP 1, NPP 1.2). Generally speaking, in the Guidelines to the National Privacy Principles and in the Plain English Guidelines to the Information Privacy Principles, we have interpreted this to mean that information must not be collected covertly, although exceptions have been made for investigations of criminal offences. [38] Both the IPPs and the NPPs require an agency or organisation collecting personal information to take reasonable steps to tell a person, or ensure that a person is aware of, certain information (IPP 2, NPP 1.3) when collecting personal information directly from the person. NPP 1.5 includes the same requirement when collecting from third parties. This would, generally speaking, require an organisation or agency to make a person aware that it has collected biometric information.

Revelation of emotional and other sensitive information

The policy approach in the private sector provisions of the Privacy Act is to require an organisation to get the individual’s consent before it collects information of a sensitive nature (NPP 10). IPP 3, which applies to Commonwealth agencies, may give some protection. IPP 3 requires that collection not intrude to an unreasonable extent on the personal affairs of the individual. However, it may be argued that, in the context of a government agency collecting biometrics, a stronger requirement is needed. For example, the law might need to provide that a person should, generally speaking, have the choice about whether to give biometric information, or it might allow collection of a biometric only when specifically authorised or required by law. This is an important issue because Commonwealth public sector agencies are increasingly interested in the use of biometric systems for a range of security and other reasons.

What protection the NPPs would give depends on the question of whether biometric information is ‘sensitive information’ as defined in the Privacy Act. If biometric information is ‘sensitive information’ then, generally speaking, private sector organisations could only collect biometric information with the individual’s consent. Sensitive information is personal information that is:

‘Information or an opinion about an individual’s:

·        racial or ethnic origin; or

·        political opinions; or

·        membership of a political association; or

·        philosophical beliefs; or

·        membership of a professional or trade association; or

·        membership of a trade union; or

·        sexual preferences or practices; or

·        criminal record; or

·        health information.’ (section 6)

There appears to be nothing inherent in a biometric that would make it sensitive information under the Privacy Act. It would only become sensitive because it reveals information that falls within the definition.

Use of biometrics usually involves the capture or measurement of a human characteristic and the creation of a template. In some cases, at the stage of collecting the ‘raw’ or unprocessed template, the biometric information could be regarded as containing information that relates to a person’s race or possibly their state of health. For example, raw facial recognition data could reveal skin colour (although it is questionable whether this is necessarily determinative of race, it may be used to form an opinion nonetheless) or certain signs of illness. If general surveillance videos are used to collect facial information, they could also incidentally pick up a whole range of intimate personal information about a person’s behaviour, including information about a person’s sexual practices or preferences. Iris recognition and retinal scans would definitely involve collecting health information in the view of an iridologist. It seems also that the quality of a fingerprint could be affected by race, gender, occupation and age. [39] Although this is usually discussed in the context of false rejections, it seems to me that this feature of fingerprints could also be used as an illustration of another way that biometrics can reveal more information about a person than simply the characteristic.

Once the information is transformed beyond the raw or unprocessed template, it is unlikely that information indicating skin colour, state of health, age etc. could be derived from the data. [40]

Voice recognition is another kind of biometric that could easily be collected covertly, but the information it collects would be unlikely to reveal health information. Information about emotions, which could come from facial recognition, keystrokes or voice recognition, would not fall within the definition of sensitive information unless, for example, it reveals psychiatric information.

Given the potential sensitivity around what biometric information may reveal about a person, and the potential for the easy covert collection of a number of these characteristics, it could be argued that the starting point should be collection with explicit consent and real choice about whether to provide it, including other viable options besides providing it. Once again, this is an issue that I am keeping a close eye on in a number of areas of operation of the private sector provisions. Where choice is not an option, a much more stringent consideration of privacy risks is required. In the absence of choice, privacy will be best protected if approaches such as the following are built in:

  • systems to be set up in such a way that use of information for other purposes is impossible without specific authorisation in law;
  • identifying biometric information, or links that can re-identify details derived from biometric information to be segregated from other personal information to the greatest extent possible;
  • security measures take account of privacy risks;
  • decision-making not to be based on biometric information alone;
  • decision to proceed dependent on whether these measures can be in place;
  • specific authorisation in law for use of a biometric system; and
  • strong accountability and transparency mechanisms, such as audit arrangements, complaints handling etc.
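The first, second and last measures in the list above can be made concrete in code. The following is an added example, not code from the speech or from any system it mentions: biometric templates are stored only under random pseudonymous handles, identifying details sit in a separate store, the one table that bridges them can be consulted solely with an authorisation naming a purpose the governing law permits, and every resolution attempt is logged for audit. The authorisation scheme, the PERMITTED_PURPOSES set and the exact-match template comparison are assumptions made for illustration.

```python
"""Segregated storage for a biometric system (added example, not from the
speech).  Templates live under random handles, identities in a separate
store, and the only bridge between them is guarded by a purpose-bound
authorisation.  PERMITTED_PURPOSES and the Authorisation shape are assumed
for illustration; real matchers return similarity scores, not exact matches.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Purposes for which re-identification is assumed to be authorised by law.
PERMITTED_PURPOSES = frozenset({"benefit-eligibility", "court-order"})


@dataclass(frozen=True)
class Authorisation:
    purpose: str
    reference: str  # file or order number supplied by the authorising body


class Unauthorised(Exception):
    """Raised when a handle is resolved to an identity without lawful authority."""


class SegregatedBiometricStore:
    def __init__(self) -> None:
        self._templates: dict[str, bytes] = {}  # handle -> template (no identity)
        self._identity: dict[str, dict] = {}    # person_id -> identifying details
        self._link: dict[str, str] = {}         # handle -> person_id, the only bridge
        self.audit_log: list[tuple] = []

    def enrol(self, person_id: str, details: dict, template: bytes) -> str:
        # A random handle carries no information about the person and cannot be
        # matched against identifiers held by other organisations.
        handle = secrets.token_hex(16)
        self._templates[handle] = template
        self._identity[person_id] = details
        self._link[handle] = person_id
        return handle

    def match(self, probe: bytes) -> Optional[str]:
        """Return the handle of the matching template, or None.

        Matching touches only the template store, so a positive match yields a
        pseudonym and nothing else.  compare_digest keeps the comparison
        constant-time.
        """
        for handle, stored in self._templates.items():
            if secrets.compare_digest(stored, probe):
                return handle
        return None

    def resolve(self, handle: str, auth: Optional[Authorisation]) -> dict:
        """Turn a handle back into identifying details, only under authorisation."""
        if auth is None or auth.purpose not in PERMITTED_PURPOSES:
            self.audit_log.append(("REFUSED", handle, auth.purpose if auth else None))
            raise Unauthorised("re-identification is not authorised by law")
        self.audit_log.append(("RESOLVED", handle, auth.purpose, auth.reference))
        return self._identity[self._link[handle]]


def demo() -> dict:
    """Enrol one constructed person, match a probe, then attempt resolution
    with and without authorisation.  Returns the outcomes for checking."""
    store = SegregatedBiometricStore()
    template = b"constructed-template-bytes-for-person-A"  # stand-in, not real data
    handle = store.enrol("P-001", {"name": "A. Example"}, template)

    matched = store.match(template)
    missed = store.match(b"constructed-template-bytes-for-someone-else")

    try:
        store.resolve(handle, Authorisation("marketing", "n/a"))  # not a lawful purpose
        refused = False
    except Unauthorised:
        refused = True

    details = store.resolve(handle, Authorisation("court-order", "ORDER-0001"))
    return {
        "matched_handle_is_pseudonym": matched == handle and handle != "P-001",
        "unknown_probe_rejected": missed is None,
        "unauthorised_refused": refused,
        "authorised_name": details["name"],
        "audit_entries": [entry[0] for entry in store.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```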

Anonymity

Biometrics, by their nature, are generally inconsistent with anonymity. Yet the starting point for privacy is the ability of citizens to go about their business freely and unobserved. This issue has not been directly addressed in the IPPs governing Commonwealth agencies. However, the NPPs covering the private sector include a principle (NPP 8) that requires organisations to give individuals the option of not identifying themselves when entering transactions with an organisation where it is lawful and practicable to do so. This is a protection not included in the OECD guidelines or EU Directive and so it is a fairly untested principle.

The key will be determining practicality. Adopting a biometric system is likely to require a very large investment. If agencies and organisations do not consider the possibility of building in anonymity, or at least ‘pseudonymity’, from the start, and if biometric technology developers do not build in the possibility of interacting anonymously or pseudonymously from the start as far as possible, non-practicality is likely to be a foregone conclusion. NPP 8 will be a lame dog because retrospectively building in anonymity will simply not be practicable in many cases. For this aspect of privacy risk to be adequately addressed, systems developers, agencies and organisations will need to consider anonymity well before the question of individual complaint under the Privacy Act becomes an issue.

Similar issues have arisen in relation to the use by Commonwealth agencies of Public Key Infrastructure (PKI). To address these and other privacy issues arising out of the development of the Gatekeeper PKI trust framework, the National Office for the Information Economy (NOIE) has developed Gatekeeper privacy requirements and has also asked the Privacy Commissioner to develop best practice guidelines for Commonwealth agencies to help them design and implement PKI applications and processes when using Gatekeeper digital certificates with individual clients.

Gatekeeper privacy requirement 12 reads:

‘The CA [certification authority] shall have the ability to provide anonymous or pseudonymous certificates where appropriate. Gatekeeper policy requires a PKI design that enables individuals to: choose to use any Distinguished Name in a certificate, except where it would be impracticable to do so; and conduct pseudonymous transactions except where the agency demonstrates that it is impracticable to do so.’

Guideline 9 of the Privacy Commissioner’s guidelines Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to communicate or transact with individuals (issued in December 2001) reads:

‘Agencies should provide their clients with anonymous and pseudonymous options for transacting with them, to the extent that this is not inconsistent with the objectives and operation of the relevant online application.’ [41]

The PKI Guidelines also provide an additional protection here by requiring at Guideline 1 that:

‘Agencies should allow their clients to choose whether to use PKI for a particular transaction and to offer them alternative means of service delivery.’

These Guidelines at least alert agencies to the need to consider and implement anonymity when considering the use of PKI. However, given that in many cases the object of PKI and biometrics is authentication, anonymity might seem impossible. I suspect the key to this conundrum will be in lateral thinking about how the technology might be developed. Dr George Tomko, Chairman of Photonics Research, Ontario has some ideas about how biometric encryption can be used to de-identify information in a database. [42] The issue of using Privacy Enhancing Technologies to achieve privacy protection through anonymity has been of major interest to the Information Privacy Commissioner, Ontario Canada and the Registratiekamer, the Netherlands. They have examined the issue in detail in a two-volume report, Privacy-Enhancing Technologies: The Path to Anonymity. Of particular interest is the work outlined in volume II, in which the Registratiekamer in conjunction with the TNO Physics and Electronics Laboratory looked in close technical detail at the components of information systems and reached conclusions about which components did or did not require identity to function successfully. It goes on to consider how information systems can be set up to take these conclusions specifically into account. [43] I would strongly recommend that all developers of information systems involving personal information, and particularly those developing biometric systems, take a close look at this work.

Potential for linking data and function creep

Because the human characteristics collected are unique (even if the measures are not necessarily accurate), there is considerable potential for the data collected from biometrics to be used as a unique identifier. The privacy issues associated with unique identifiers are not new and are widely recognised. They were canvassed widely and loudly in the Australian community in relation to the proposal for an Australia Card in the 1980s. In response to these concerns, when the Government instead strengthened the use of tax file numbers (TFNs), it also enacted special legislation to give legislative protections, including strong penalties for misuse, making production of a TFN voluntary, albeit with some incentive to produce it. The Privacy Commissioner has the power to monitor the records of the Commissioner of Taxation to ensure that he or she is not using tax file number information for purposes beyond his or her powers and to ensure that he or she is taking adequate measures to prevent the unlawful use or disclosure of the tax file numbers he or she holds. The Privacy Commissioner also has the power to audit the records of TFN recipients for security, accuracy and compliance with guidelines the Office has issued (see section 28 of the Privacy Act). Despite the original intention to constrain the use of tax file numbers, successive parliaments have expanded the authorised uses for tax file numbers to assistance agencies and for superannuation purposes. For example, many people are now generally ineligible to receive social security payments unless they have provided their tax file number.

It is possible that the lack of an all-encompassing unique identifier in Australia has contributed to a lower incidence of identity theft than that found in the US, where the social security number has enabled a whole range of information about a person to be linked and then fraudulently appropriated.

So far it has been governments that have had the ability to generate the kind of unique identifiers that pose the greatest privacy threat. IPPs 9, 10 and 11 place some restrictions on use or disclosure for purposes other than the particular purpose of collection. Consent, awareness, authorisation by law, law enforcement and some other public interest reasons are exceptions to this rule.

The new private sector provisions recognise the potential for government identifiers to be taken up by the private sector and used as their own unique identifier. NPP 7 stops private sector organisations from adopting, using or disclosing Commonwealth government identifiers. However, the NPPs do not directly address the possibility of private sector organisations developing and using biometric information as a unique identifier, with a number of organisations then using it to link data collected for one purpose to data collected for other purposes, and the linked data being used to track a person or for yet another purpose.

The potential for function creep gives rise to the question of whether there may need to be additional legislative or other measures around the use of identifiers to address the threats biometrics may pose as a unique identifier. The State of Texas has adopted this approach for both public and private sectors, with quite stiff penalties for breach. [44] The technical solutions proposed by Tomko are another. Taking away the temptation for function creep by de-identifying the information, or taking other steps to make linking and function creep impossible, may be the answer. [45]

It is hard to predict if a particular biometric or biometric technique will emerge as a unique identifier. For example, the handwritten signature is in widespread use in our society but it has not emerged as such an identifier in advanced technologies. It will be a matter of keeping a close eye on whether a particular biometric technique does look like emerging as a unique identifier. I intend to contribute to this surveillance.

Security

IPP 4 and NPP 4 both require organisations to take reasonable steps to protect the information they hold from misuse, loss and from unauthorised access, modification or disclosure.

Making these principles practical and effective, however, may take more work. For example, it may be important to develop biometric security standards to ensure that the requirements of these principles are met effectively and measurably. This is one of a number of areas raised in this paper where the Biometrics Institute could make a very valuable contribution.

As is the case for anything else, though, the greater the prize the greater the incentive to steal or otherwise abuse it, and the greater the potential harm to individuals. This is the “Fort Knox” syndrome illustrated so well by the James Bond film Goldfinger. Biometric techniques, as with other powerful new technologies, may emerge with these characteristics in personal data protection, especially if one of the techniques begins to dominate. The situation is also far from static. Yesterday’s Fort Knox rapidly becomes tomorrow’s open door. For example, 128-bit encryption took over from 58-bit as the Internet “standard” only a few years ago, yet 256 bits is already being discussed as needed in the near future.

The question of whether the security principles in the NPPs and the IPPs are up to these challenges again needs to be monitored closely. The two-year review at the end of 2003 will be an early opportunity to do so in the case of the NPPs.

Error rate – illusion of accuracy

IPP 8 requires Commonwealth agencies to take steps that are reasonable in the circumstances to ensure that the information they use is accurate, up to date and complete. Information agencies collect must be up to date and complete (IPP 3). NPP 3 requires private sector organisations to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up to date. This would seem to require agencies and organisations to consider, for example, the False Rejection Rates and False Acceptance Rates of their biometric systems. Depending on the use of the biometric system, this could mean close attention to the False Acceptance Rate in particular, because false acceptances are the most likely to compromise the accuracy of personal information held on a biometric system. On the other hand, organisations and agencies would need to minimise the False Rejection Rate where acceptance is the key to eligibility for a key service or benefit. Minimising False Rejection Rates will also be critical where a person has no choice about giving the biometric.
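The trade-off described above can be made visible with a small calculation. This is an added example, not from the speech or any real system: a matcher is assumed to return a similarity score, the system accepts when the score reaches a threshold, and the genuine and impostor score lists are constructed. Sweeping the threshold shows that driving the False Acceptance Rate down raises the False Rejection Rate, and the two helper functions pick a threshold for either priority the paragraph describes.

```python
"""False Acceptance Rate (FAR) and False Rejection Rate (FRR) at a decision
threshold (added example, not from the speech).  Genuine attempts scoring
below the threshold are false rejections; impostor attempts scoring at or
above it are false acceptances.  The score lists are constructed, not measured.
"""

# Constructed similarity scores: genuine = same person, impostor = different person.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.74, 0.69, 0.66, 0.61, 0.57, 0.52]
IMPOSTOR = [0.58, 0.51, 0.47, 0.44, 0.40, 0.36, 0.33, 0.29, 0.25, 0.20]
THRESHOLDS = [round(0.40 + 0.05 * i, 2) for i in range(7)]  # 0.40 .. 0.70


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each threshold, showing the trade-off."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest (the equal error rate point)."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Lowest threshold (hence lowest FRR) whose FAR does not exceed max_far.

    Suits uses where a false acceptance would corrupt the record held on the
    system.  Returns None if no threshold meets the bound.
    """
    for t in sorted(thresholds):
        if error_rates(genuine, impostor, t)[0] <= max_far:
            return t
    return None


def threshold_for_max_frr(genuine, impostor, thresholds, max_frr):
    """Highest threshold (hence lowest FAR) whose FRR does not exceed max_frr.

    Suits uses where a false rejection denies a benefit or the person had no
    choice about enrolling.  Returns None if no threshold meets the bound.
    """
    for t in sorted(thresholds, reverse=True):
        if error_rates(genuine, impostor, t)[1] <= max_frr:
            return t
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error threshold:", equal_error_threshold(GENUINE, IMPOSTOR, THRESHOLDS))
    print("zero FAR needs threshold:", threshold_for_max_far(GENUINE, IMPOSTOR, THRESHOLDS, 0.0))
    print("zero FRR needs threshold:", threshold_for_max_frr(GENUINE, IMPOSTOR, THRESHOLDS, 0.0))
```

With these constructed scores no single threshold gives both rates of zero, which is the point: the choice of operating point is a policy decision about whose error matters more.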

Given that there will always be some room for error, the right of a person to get access to the personal information an agency or organisation holds about them, and to challenge or alter a result if it is wrong, will be critical. NPP 6 and IPP 6 require organisations and agencies to give a person access to their personal information and to correct it if it is wrong. However, in addition to this there may need to be further mechanisms to ensure that a person is able, in a relevant forum, to challenge a decision or evidence based on a faulty or inaccurate biometric result. This will be particularly important where a wrong result may have a major impact on a person’s life. The forum could be a court, a Privacy Commissioner or another administrative mechanism. In addition, as part of the principle of openness (required by NPP 5), biometric developers and users should be open about the accuracy of their technology.

Conclusions

This paper is my first major engagement with the privacy issues relating to biometrics. It is clear from this engagement that biometrics have the potential to benefit individuals and society and indeed could have privacy-enhancing capabilities. However, it is also very clear that the potential of biometrics to be a privacy-enhancing tool will only be realised, and the potential risks to privacy prevented, if very close attention is paid to privacy from the time that a biometric system is a ‘twinkle in the eye’. This means that agencies and organisations must consider, from the outset, the privacy risks that a proposed use of biometrics will pose and what privacy-enhancing options there might be. It also means that those developing biometric software, hardware and other technology must build privacy protection and privacy enhancement into the structure of the system. One important key will be identifying when knowledge of a person’s identity will be necessary and when it will not, and then building the system so that components that require identity are kept separate from those that do not. Another will be building in structures that make linking of data for purposes other than the original purpose impossible.

If these measures are in place, the burden on regulation and law will be that much lighter.

The Privacy Act is a practical starting point for regulation. But it is light-touch legislation and, at least so far as the private sector goes, is in its very early stages of operation. The Privacy Act aims to give individuals control over their personal information by a number of means, including information, consent in some circumstances, and reliance on market forces for people to be able to exercise choice about who they enter into transactions with and who they do not. Whether this approach is adequate or whether more is needed will be a question I will be tracking closely for the purposes of the review of the legislation in two years time.

Where biometrics are to be used in circumstances where people do not have a choice about participation in systems using biometrics, including where there may be covert use of biometrics, adequate privacy protection will require strong legal protection including appropriate mechanisms for accountability. Legal protections could include specific measures requiring:

  • systems to be set up in such a way that use of information for other purposes is impossible without specific authorisation in law;
  • identifying biometric information, or links that can re-identify details derived from biometric information to be segregated from other personal information to the greatest extent possible;
  • security measures take account of privacy risks;
  • decision-making not to be based on biometric information alone;
  • decision to proceed dependent on whether these measures can be in place;
  • specific authorisation in law for use of a biometric system; and
  • strong accountability and transparency mechanisms, such as audit arrangements, complaints handling etc.

It will be an interesting journey and will require constant vigilance and imagination on all sides if this fast-moving area of biometrics is to realise its potential to be the white knight of privacy.



[2]      Descriptions of the range of biometrics can be found, for example, at Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 or www.resitratiekamer.nl/cgi-bin/modules/print.cgi; or www.zdnet.com.au/newstech/security/story/0,2000024985,20107874-1,00.htm

[3]      General News Section, page 12.

[6]      ‘University opts for biometric security’ Computerworld Australia, Monday 04/02/2002 General News Section Page 3

[7]     Reported on ABC TV Catalyst Program on Thursday 28 February 2002; see www.abc.net.au/catalyst/stories/s486753.htm.

[8]     Catalyst ABC TV, see above

[9]     ‘Bertillonage in disguise’, see elsewhere.

[10]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 15, www.resitratiekamer.nl/cgi-bin/modules/print.cgi

[12]     ‘At face value: on biometrical identification and privacy’ see above.

[13]     See ‘Face off’ Security Electronics 01/02/2002 General News Section Page 4.

[14]     ‘Biometrics set for explosive growth’ Electronic News 01/12/2001 General News Section Page 12.

[15]     See for example, Interview of Ted Dunstone, Biometrics Institute, with Richard E. Norton of the International Biometric Industry Association (IBIA), Monday 30th October 2000, www.biomet.org/001029_ibia_interview.htm

[16]     Information and Privacy Commissioner, Ontario Consumer Biometric Applications: A Discussion Paper, September 1999 p 33  www.ipc.on.ca/english/pubpres/papers/cons-bio.thm

[17]     She has cited, as an example, a recently developed airport body scanner that shows where a weapon appears to be concealed instead of showing pictures of the naked body as the scanner seeks to reveal concealed weapons.  The former is seeking to identify potential suspects compared with the latter which is assuming we are all guilty until proven innocent.  The latter also won a “Big Brother Award” in 2000 as one of the world’s most privacy invasive developments of that year. See www.privacyinternational.org/bigbrother/us2000 .

[19]     The inquiry released an issues paper Protection of Human Genetic Information: Issues paper 29, in October 2001 available at www.alrc.gov.au/publications/publis.html#Heading5

[20]     Samuel Warren and Louis Brandeis, 1890, ‘The Right to Privacy’, 4 Harvard Law Review 193, 1890, and available at www.louisville.edu/library/law/brandeis/privacy.html.  They credit Judge Cooley in his Torts (2nd Edn, 1888, p. 29) with the phrase ‘the right to be let alone’.

[21]     Zelman Cowen, 1969, ‘The Private Man’, The Boyer Lectures, Australian Broadcasting Commission, p9-10

[22]     Accessible on the internet at www.unhchr.ch/html/menu3/b/a_ccpr.htm

[23]     Banisar D, 2000, Privacy and Human rights: an international survey of privacy laws and developments, Electronic Privacy Information Centre, Washington.  www.privacyinternational.org/survey/

[25]     “Police to fight DNA bid”, Herald Sun, 1 March 2002 www.heraldsun.news.com.au/common/story_page/0,5478,3865050%255E2862,00.html

[26]     See for example, Roger Clarke, Just Another Piece of Plastic for your Wallet:  The ‘Australia Card’ Scheme. 1987 www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html

[27]     Gina M Oliver ‘A study of the use of biometrics as it relates to personal privacy concerns’ p12, July 1999 http://faculty.ed.umuc.edu/~meinkej/inss690/oliver/Oliver-690.htm

[28]     Bruce Schneier ‘Biometrics: Truths and Fictions’ Crypto-Gram Newsletter August 15 1998 www.counterpane.com/crypto-gram-9808.html 

[29]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 16, www.resitratiekamer.nl/cgi-bin/modules/print.cgi

[30]     See eg Dr George Tomko, ‘Biometrics as a Privacy-Enhancing Technology: Friend or Foe of Privacy’ September 1998 www.dss.state.ct.us/digital/tomko.htm and Bruce Schneier ‘Biometrics: Truths and Fictions’ Crypto-Gram Newsletter August 15 1998, at www.counterpane.com/crypto-gram-9808.html

[31]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 24, at www.resitratiekamer.nl/cgi-bin/modules/print.cgi

[32]     See www.economist.com/science/PrinterFriendly.cfm?Story_ID=939896 – “In a ruling on 17 January, Louis Pollak, a federal judge in Pennsylvania in the case of United States v Plaza decided that fingerprint evidence was unreliable. He will require evidence to persuade a jury that finger prints are the same or, not as the case may be.”

[33]     The Government has established a review to answer this question; “Fact Sheet:  Employee Records”, 22 December 2000, at www.law.gov.au/privacy/newfacts/EmployeeRecords.htm

[34]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 17, www.resitratiekamer.nl/cgi-bin/modules/print.cgi

[35]     See above p 17.

[36]     Future Directions, Crime Prevention, Legal Responses & Policy www.privacy.gov.au/news/speeches/sp34_files/frame.html

[37]     For a description of some of these see Australian Law Reform Commission and Australian Health Ethics Committee Issues Paper Protection of Human Genetic Information: Issues paper 26, October 2001, p 370 at www.alrc.gov.au/publications/publis.html#Heading5

[38]     See Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, September 2001 at www.privacy.gov.au/publications/page2.html#59.75, and Plain English Guidelines to Information Privacy Principles, at www.privacy.gov.au/publications/page1.html#1

[39]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 9, www.resitratiekamer.nl/cgi-bin/modules/print.cgi, who quotes E Newham, The Biometrics Report 1999 Second Edition UK

[40]     Dr R Hes; Mr Drs TFM Hooghiemstra; Drs JJ Borking; ‘At face value: on biometrical identification and privacy’ Registratiekamer, September 1999 p 20, www.resitratiekamer.nl/cgi-bin/modules/print.cgi

[42]     See Dr George Tomko, Biometrics as a Privacy-Enhancing Technology: Friend or Foe of Privacy? September 15, 1998 www.dss.state.ct.us/digital/tomko.htm

[43]     See Information and Privacy Commissioner/Ontario Canada and Registratiekamer, The Netherlands, Privacy Enhancing Technologies: the Path to Anonymity, Volume I, August 1995 at www.ipc.on.ca/english/pubpres/papers/anon-e.htm and Registratiekamer, The Netherlands, Privacy Enhancing Technologies: the Path to Anonymity, Volume II, August 1995 at www.ipc.on.ca/english/pubpres/papers/anoni-v2.pdf

[44]     Ronald L Scott, Protecting Biometrics Identifiers www.law.uh.edu/healthlawperspectives/Privacy/010824Biometrics.html

[45]     For example, a set of standards developed by IBG, include as a best practice standard, that biometric information must never be used as a universal unique identifier, and sufficient protections must be in place to ensure to the degree possible that biometric information cannot be used as a unique identifier. Standard 2; see www.bioprivacy.org/best_practices.htm.