Introduction to biometrics from a legal perspective

Yue Liu

yuli@jus.uio.no

Mar. 2007

NRCCL, UIO

Agenda

• Technical introduction to biometrics
• Biometric applications
• Biometrics from a legal perspective: privacy/data protection
• Relevant legal regulations
• Discussion: friend or foe?

Definition:

• Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic.

--- J. Wayman

Biometrics

• Behavioral: voice, keystroke, gait, signature…
• Physiological: fingerprint, iris, facial, retina, palm…
  – DNA? Not externally observable

Biometrics

• Verification (authentication):
  – Are you whom you claim to be?
  – One-to-one match
  – Central or decentralized database
• Identification:
  – Who are you?
  – One-to-many match
  – Central database
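To make the one-to-one versus one-to-many distinction concrete, here is an added toy matcher (not code from the slides). It assumes constructed 64-bit iris-code style templates, a constructed accept threshold, and plain Hamming-distance comparison; it also goes a step beyond the slide by showing why a one-to-many search against a central database raises the chance of an impostor matching someone as the database grows.

```python
"""Toy iris-code style matcher: 1:1 verification vs 1:N identification.
Added illustration, not code from the slides; templates are constructed
64-bit codes and the threshold is constructed, so numbers are illustrative."""
import random

CODE_BITS = 64
THRESHOLD = 0.25  # constructed: accept if at most 25% of the bits differ


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of differing bits between two equal-length codes."""
    return bin(a ^ b).count("1") / CODE_BITS


def noisy_sample(template: int, flips: int, seed: int) -> int:
    """Simulate a fresh capture of the same trait by flipping `flips` bits."""
    rng = random.Random(seed)
    for pos in rng.sample(range(CODE_BITS), flips):
        template ^= 1 << pos
    return template


def verify(stored: int, probe: int) -> bool:
    """1:1 match of the claimed identity's single template against the probe.
    Only that one template is needed, so it can be held decentrally (e.g. on
    a smart card) instead of in a central database."""
    return hamming_fraction(stored, probe) <= THRESHOLD


def identify(db: dict, probe: int):
    """1:N match: scan the whole enrolment database for the best candidate.
    This requires a central database holding every enrolled template."""
    best_id, best_dist = None, 1.0
    for user_id, template in db.items():
        dist = hamming_fraction(template, probe)
        if dist < best_dist:
            best_id, best_dist = user_id, dist
    return best_id if best_dist <= THRESHOLD else None


def false_accept_probability(far_1to1: float, n: int) -> float:
    """Chance that a random impostor matches at least one of n enrolled
    templates, treating the n comparisons as independent with per-comparison
    false-accept rate far_1to1: the risk grows with database size."""
    return 1 - (1 - far_1to1) ** n


# Constructed enrolment database: five users with seeded random codes.
_rng = random.Random(2007)
DB = {f"user{i}": _rng.getrandbits(CODE_BITS) for i in range(5)}
```

With a per-comparison false-accept rate of 0.1%, a one-to-many search over 1000 enrolled templates already gives an impostor roughly a 63% chance of matching somebody, which is why identification systems need far stricter thresholds than verification systems.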

Authentication methods

• Something you have: card, token, key
• Something you know: password, PIN
• Something you are: biometrics


Function process

Biometric applications

• Verification: PRIVIUM (iris)
• Identification: EURODAC (fingerprint), US chain stores
• Both: EU passport (facial recognition)

Privacy impact assessment

• Are users aware of the system's operation?
• Is the system optional or mandatory?
• Is the system used for verification or identification?
• Is there a central database?
• What kind of PET (privacy-enhancing technology) is being used?
• What kind of biometric technology is adopted?
• Is the data collector in the private or public sector?
• In what capacity do data subjects interact with the system?
• Is it a large-scale or a small-scale application?
• …

Biometric concerns

• Function creep
• Ethical concerns
• Overkill for the task
• Disclosure of sensitive information
• Pervasive surveillance; covert collection
• Lower privacy awareness: for convenience
• Hacking of central storage and wide linkability
• Can biometrics make us safer?
• Deprivation of the right to anonymity
• Permanent ID theft
• …

Legal framework

• Very little specific biometric regulation
• European Convention on Human Rights (ECHR)
• Data Protection Directive (95/46/EC)

Privacy: the right to be left alone

• ECHR art 8(1): "Everyone has the right to respect for his private life and family life, his home and correspondence."

Dimensions:
– informational
– physical
– decisional
– proprietary

ECHR art 8(2)

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Data Protection Directive

• Defines rights and obligations with respect to the processing of personal data

• Processing (art 2 b): "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction"

Personal data

• Personal data: any information relating to an identified or identifiable natural person (art 2 a)

• An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental (…) identity

Biometric image and biometric template as personal data?

Principle: fair collection

• Personal data must be processed fairly and lawfully (art 6 a)

• The data subject must be informed; consent is needed unless certain conditions apply: national security, defence, public interests…

Covert surveillance should generally not be allowed: facial recognition

Principles: purpose and proportionality

• Legitimate purpose (art 6 b): collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes

• Proportionality (art 6, 8, 14, 15): personal data must be adequate, relevant and not excessive in relation to the purpose

Legitimate processing

• Art 7
• Personal data may be processed only if:
  – consent
  – necessary for the performance of a contract
  – necessary for compliance with a legal obligation
  – necessary in order to protect the vital interests of the data subject
  – necessary for the performance of a task carried out in the public interest or in the exercise of official authority
  – necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed

Proportionality

• When is the collection of biometric data necessary? (Less obtrusive alternative? Balance?)
• Messing v. Bank of America, Swedish school, UK
• How to avoid function creep?
• Is consent enough? (opt in or opt out)

Security measures

• Art 17
• Appropriate security measures must be taken to protect personal data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access

Misconceptions of biometrics

Accuracy, ID theft, central storage

Risks: enrollment, transmission, storage, raw data, reversible template, ID theft, indisputable evidence, permanent ID theft

Safeguards against misuse of biometrics: encryption, smart card

A right to argue?

Friend or foe?

• When can biometrics be compatible with the EC Data Protection Directive?
• When can biometrics be a friend to our privacy?
• Is it just a problem of trading off between privacy and security?

Thank you for your attention!

• Reading list:
  – Art. 29 Data Protection Working Party, Working document on biometrics, at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp80_en.pdf
  – JRC (IPTS), Biometrics at the frontiers: assessing the impact on society, at http://europa.eu.int/comm/justice_home/doc_centre/freetravel/doc/biometrics_eur21585_en.pdf