Biometric technologies, which
use a digitised form of unique physical features such as
fingerprints or iris patterns, are becoming more widely available
and could make keys, photocards and Pins a thing of the
past.
At present, much of the technology is developmental, but
biometric applications are proliferating and some of the more basic
systems are already on the market.
The UK is one of 27 countries signed up to the
US Visa Waiver Programme, which demands that
all passports contain a machine-readable chip with the passport
holder's details and a biometric identifier, such as a digital
photograph.
Accordingly, from 2007, all new UK passports will incorporate
biometric data in an embedded microchip, and by next summer
10 UK airports will be using iris scanning
technology, with a planned roll-out for all 141 UK ports and
airports.
The private sector too is starting to take advantage of the
technology, as the commercial benefits of biometrics become more
tangible. The Pictet and Cie Swiss bank in Geneva is
already using iris scanning technology to control employee access
to its offices. And some European casinos have installed facial
recognition technology with the aim of identifying unwanted or
banned customers.
The main advantages companies can gain from using biometric
systems are:
● They promise a high degree of reliability because it is
impossible (short of amputation or mutilation) to lose or forget
biometric traits, and very difficult to copy, distribute or misuse
them
● They are very simple to use, because individuals do not need
to remember passwords or Pins
● System integrity is strong because no two people share all the
same biometric traits and it is nigh on impossible to reproduce
them, which in turn reduces the potential for fraud and enhances
security.
But the use of biometrics carries certain legal implications.
Most significantly, biometrics pose new and complex questions about
compatibility with individuals' rights to privacy. Companies need
to be sure that any biometric system they propose to introduce will
not fall foul of data protection or human rights laws.
In simple terms, biometric systems are based either on
verification or identification, and they are either voluntary or
compulsory. The privacy implications vary considerably in each
case.
Verification systems operate by verifying that a person is who
he or she claims to be. At its most basic, this means using a
fingerprint biometric to verify that a person seeking access to a
building or bank account is authorised to do so.
Identification systems go a great deal further, comparing
information about one person with information about many (held on a
database) for the purpose of identifying who that person is (known
as a "one-to-many" match). An example of an identification system
is the national DNA database, which is run by the Forensic Science
Service to identify offenders and victims using crime scene DNA
samples.
When the national DNA database was established in 1995, the
taking of samples was controlled closely and quite limited. Now,
DNA samples can be taken from anyone arrested and detained by the
police in custody, and non-intimate samples (such as a mouth swab)
can be taken without consent.
DNA records can be retained even if the arrested person is
cleared, and, indeed, even if they are not prosecuted. Importantly
(and in some cases controversially), these developments have only
been made possible by specific legislative changes.
The use of any biometric system must comply with the
European Convention on Human Rights and with
the Data Protection Directive. In the UK, these
laws take the form of the Human Rights Act and the Data
Protection Act.
The Human Rights Act states that we are all entitled to respect
for our private life, and interference with this by the government
is only permitted in specific circumstances. The courts have made
it very clear that "private life" does not only apply to life
outside work. It will also apply in the workplace.
The Data Protection Act regulates the way that organisations
process information that identifies us. It requires, for example,
that the use of such information (including biometric data) must be
"fair" and limited to specific purposes, which have been notified
to the individual when they handed over their personal data.
In the context of biometric technologies, two overriding
principles will apply in every case: proportionality and
transparency.
Proportionality requires that interference with someone's
private life, or the use of their biometric data, must be
justifiable by the benefits of the scheme. This usually means
balancing the rights of the individual with the rights of the
organisation or the public at large. Transparency means making it
clear how and why information will be used, and not going beyond
this without prior agreement.
In legal terms, biometric data is no more intrinsically
"private" than any other personal data. However, the law requires
that the purpose of a biometric scheme must be clear from the
outset and that the use of biometric information must be
proportionate to the benefits that the scheme is likely to
offer.
Companies planning to roll out biometric systems will need to
think carefully about how they collect information, how they store
it and how and when it can be accessed or matched.
In particular, for example, many individuals would reasonably be
concerned if biometric data were to be used by companies for
commercial gain. There are also some complex legal issues that will
arise if biometric data is shared or transmitted, particularly if
it is transferred outside Europe.
In practice, companies will need to establish very clearly
whether a biometric scheme is voluntary or compulsory (and what the
consequences would be if an employee refused to participate in a
voluntary scheme), whether the scheme operates by means of
verification or identification, and whether the use of biometric
information is compatible with the purposes of the scheme.
There is also the issue of function creep - that is, whether
different uses of information may emerge in the future which were
not contemplated when the scheme was set up.
Companies will need to consider what methods they will have to
put in place to ensure the security of any biometric information
they hold and the cost of implementing these measures.
Finally, and perhaps most importantly, companies should consider
how they will allay users' concerns about the use of their
biometric data. No doubt some will be worried that the use of
biometric data will somehow infringe their rights to privacy and
enable fraudsters to use it to commit crimes or steal their
identities. This is perhaps the biggest obstacle to overcome - the
biometric hardware put in place will only be successful if users
are willing to provide their data.
It is arguable that one of the reasons why the use of biometric
technologies has not been as extensive as one might imagine is that
the "Big Brother" connotations have had a major impact on public
perception.
Biometric technologies are likely to play a big role in the
development of commercial security over the coming years, but it is
imperative for companies to think through the legal issues first,
or risk falling foul of increasingly complex legislation.
● Marcus Turle is a partner in the technology law group of
City law firm Field Fisher Waterhouse