Biometrics: meeting ethical and legal challenges
Biometrics is a growing field – these technologies are increasingly used to identify people in a range of contexts and scenarios, including in criminal justice and travel. The COVID-19 crisis has exacerbated this trend. Speaking at a recent Westminster electronic forum policy conference on this topic, Isabelle Moeller, CEO of the Biometrics Institute, explained: “During the pandemic, it has become clear that contactless interaction is a priority. We have also seen an increase in remote integration, not only for government, but also for banks and businesses everywhere.”
However, as its use increases, so do ethical and legal concerns. These include data protection, given the highly personal information that is collected and stored, and the potential for technologies such as facial recognition to be biased against minority groups.
Implementation of biometrics
During the electronic forum, Moeller highlighted the important benefits offered by biometrics for “national security, both in the prevention and investigation of terrorism, and in border management, anti-fraud and facilitation of digital identity”.
She believes that organizations can mitigate ethical issues related to biometrics by following “best practice” policies when implementing these technologies. These should revolve around the “three laws of biometrics” advocated by the Biometrics Institute, which are “politics must come first, followed by process and then technology”. The policy stage must analyze potential issues such as proportionate use and human rights, while the process puts in place safeguards to ensure that they are protected when the technology is used. “Only then do you really have to think about the technology,” she added.
According to Moeller, organizations often rush to implement biometric solutions without asking questions about them. “Then biometrics are blamed when in reality it was probably a lack of policy or process,” she said.
She also noted that many biometric technologies are unbiased regarding demographic differences such as gender and race and are “normally very efficient and accurate in individual verification mode”.
The key to making sure these types of problems do not occur is to “understand the technology”, especially the algorithm used. Additionally, it is always important for organizations to consider whether biometric technology is proportionate and whether there is a viable alternative before embarking on this path.
Her underlying message was that organizations considering introducing biometrics must have a comprehensive strategy and process to do so, especially when there is currently a lack of regulations and standards in this area.
Update of legislation and standards
Jessica Figueras, Vice President of the UK Cyber Security Council, then gave a presentation on biometric regulation in the UK and how this area needs to evolve. As it stands, there is only protection for the use of fingerprints and DNA in the UK, which means the regulations urgently need to be updated. It is “a classic case of technology exceeding the capacity of society to keep pace.”
She described legislation introduced by the devolved Scottish government last year which establishes a Scottish Biometrics Commissioner, who “shows the way forward”. This is mainly due to the fact that this Commissioner covers a much more comprehensive range of biometric technologies than in the UK, such as gait analysis, voice analysis and facial expressions. However, Figueras noted that the field of biometrics is evolving so rapidly that even this legislation does not cover very recent developments in areas such as keystroke recognition.
Another aspect of this legislation is that “it very explicitly considers the impact on equality and vulnerable citizens and also requires that commissioners work with a wide range of public bodies and that the citizens’ voices of stakeholders / users be integrated into the process,” Figueras said.
She therefore hopes that the UK government will follow the path taken by the Scottish administration, especially as the use of biometrics in the private sector “raises pressing questions”. Private-sector players often use these technologies in public spaces, such as shopping malls and venues, as well as for user identification in online services.
Introducing such practices and regulations is only one side of the equation, according to Figueras. The practical challenge of ensuring the implementation of these rules is significant and requires “very specialized skills” which “are incredibly scarce and very expensive”. This includes areas such as algorithmic inspection.
This lack of qualified surveillance services may have the effect of slowing “the rate of development of biometric technology and will give society a chance to keep pace.”
Privacy design and algorithmic bias
In the final section of the session, Philip James, partner, global privacy and cybersecurity group at law firm Eversheds Sutherland, discussed the legal issues surrounding algorithms and biometric data. He said organizations need to be very aware of these issues as the public is increasingly aware of the use of biometrics and algorithms – the benefits and the risks.
In terms of the EU’s General Data Protection Regulation (GDPR), which the UK has incorporated into its laws since Brexit, all biometric data is generally considered ‘special category data’. It is essentially information “which is controlled more strictly because it has a greater sensitivity”. This means that organizations will have to make the case that data should not be categorized in this way. “The goal and the context are always key,” commented James.
He stressed that organizations should carefully follow the conditions set out in Article 9 of the GDPR (processing of special categories of personal data) to ensure that they remain compliant when collecting biometric data. He cited an opinion published by the Information Commissioner’s Office (ICO) on a case in which police used facial recognition technologies to identify potential criminals in a crowd. These actions were deemed to be illegal because the police did not follow the correct processes regarding this type of data. Unless there are exceptions, such as the detection and prevention of an illegal act, in most situations the processing of biometric data requires “explicit consent” from the data subjects.
James also advised organizations using biometric technologies to have a data protection officer to ensure that data in that particular category is handled properly, and to involve business and legal parties from the start “because this will ensure the best outcome to hopefully mitigate risk and ensure the investment is well targeted”.
Biometrics offers many benefits to society, and these technologies will only increase in the years to come. However, organizations must implement these technologies in a prudent and controlled manner, ensuring that they do not fall prey to ethical and legal issues.