Signature (unit, name, etc.)

Introduction to biometrics from a legal perspective

Yue Liu

yuli@jus.uio.no

Mar. 2007

NRCCL, UIO

Agenda

• Technical introduction to biometrics
• Biometric applications
• Biometrics from a legal perspective: privacy/data protection
• Relevant legal regulations
• Discussion: friend or foe?

Definition:

• Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic.

---J. Wayman

biometrics

• Behavior: voice, keystroke, gait, signature…
• Physiological: fingerprint, iris, facial, retina, palm…

DNA?

Not externally observable

biometrics

• Verification (authentication):
– Are you whom you claim to be?
– One-to-one match
– Central or decentralized database

• Identification:
– Who are you?
– One-to-many match
– Central database

Authentication methods

• Something you have: card, token, key
• Something you know: password, PIN
• Something you are: biometrics

Function process

Biometric applications

• Verification: PRIVIUM (iris)
• Identification: EURODAC (fingerprint), US chain stores
• Both: EU Passport (facial recognition)

Privacy impact assessment

• Are users aware of the system’s operation?
• Is the system optional or mandatory?
• Is the system used for verification or identification?
• Is there a central database?
• What kind of PET is being used?
• What kind of biometric technology is adopted?
• Is the data collector private or public sector?
• In what capacity do data subjects interact with the system?
• Is it a large-scale application or a small-scale application?
• …

Biometric concerns

• Function creep
• Ethical concerns
• Overkill for the task
• Disclosure of sensitive information
• Pervasive surveillance; covert collection
• Lower privacy awareness: for convenience
• Hacking of central storage and wide linkability
• Can biometrics make us safer?
• Deprivation of the right to anonymity
• Permanent ID theft
• …

Legal framework

• Very little biometric-specific regulation
• European Convention on Human Rights (ECHR)
• Data Protection Directive (95/46/EC)

Privacy: the right to be left alone

• ECHR art8(1)

Everyone has the right to respect for his private life and family life, his home and correspondence.

Dimensions:
– Informational
– Physical
– Decisional
– Proprietary

ECHR art8(2)

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Data protection Directive

• Defines rights and obligations with respect to the processing of personal data

• Processing of personal data: “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”

Personal data

• Personal data: any information relating to an identified or identifiable natural person (art2 a)

• An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, and mental (…) identity

Biometric image and biometric template as personal data?

Principle: fair collection

• Personal data must be processed fairly and lawfully (art6 a)

• Data subject must be informed; consent is needed unless under certain conditions: national security, defense, public interests…

Covert surveillance should not be allowed generally: facial recognition

Principles: purpose and proportionality

• Legitimate purpose (art6 b): collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

• Proportionality (art6.8.14.15): personal data must be adequate, relevant and not excessive in relation to purpose

Legitimate processing

• Art7
• Personal data may be processed only if:
– consent
– necessary for the performance of a contract
– necessary for compliance with a legal obligation
– necessary in order to protect the vital interests of the data subject
– necessary for the performance of a task carried out in the public interest or in the exercise of official authority
– necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed

proportionality

• When is the collection of biometric data necessary? (Less obtrusive alternative? Balance?)
• Messing v. Bank of America, Swedish school, UK
• How to avoid function creep?
• Is consent enough? (opt in or opt out)

Security measures

• Art17
• Appropriate security measures must be taken to protect personal data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access

Misconceptions of biometrics

Accuracy, ID theft, central storage

Risks: enrollment, transmission, storage, raw data, reversible template, id theft, indisputable evidence, permanent ID theft

Safeguards against misuse of biometrics: encryption, smart card

A right to argue?

Friend or foe?

• When can biometrics be compatible with the EC Data Protection Directive?
• When can biometrics be a friend to our privacy?
• Is it just a problem of trading off between privacy and security?

Thank you for your attention!

Reading list:

• Art29 Data Protection Working Party, working document on biometrics, at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp80_en.pdf
• JRC (IPTS), Biometrics at the frontiers: assessing the impact on society, at http://europa.eu.int/comm/justice_home/doc_centre/freetravel/doc/biometrics_eur21585_en.pdf
