Identifying Legal Concerns in the Biometric Context

• Author: Yue Liu
• Position: Norwegian Research Centre for Computers and Law Faculty of Law University of Oslo
• Pages: 45-54

Key words: biometrics, data protection, privacy, identification, authentication

Page 45

1. Introduction

Biometric-based personal verification or identification systems (Wayman, J. L 2000) that use physiological or behavioural trait are becoming increasingly popular, with the unprecedented rate of recent advances in information technologies (Wayman, J. L.2000 and Miller, B. 1988). Commercial and government entities are the two main forces that embrace the technology. Japanese cell phone manufacturers have begun including fingerprint readers into their devices to prevent unauthorised use (Phred, D. 2004). Biometric payment systems using finger scanning technology are now in wide use in American chain stores. (Rinehart, G. 2006) Norway and Sweden became the second and the third countries in Europe to introduce biometric passports using facial recognition and the RFID chips. More and more people are obliged to accept the biometric technology as an authentication method without really understanding or thinking about the consequences. Both technicians and legal professionals are still concerned about the permissibility of using biometrics on a large scale, especially from a privacy perspective.(Johnson , M.L.2004 and Ashbourn, J.2004) Understanding the law and policy concerns is therefore necessary for both technicians and lay people. This new technology is sparking new laws and causing old legal doctrines to be revaluated and reapplied by the nation's law and policy makers.

The use of biometric technology as a key component of an overall strategy to improve national security and reduce fraud has been adopted by several legislative and regulatory initiatives. The new technological reality of biometrics has forced us to explore further what is required for safeguarding the basic human rights of privacy and to ensure the optimal results for society. Given that there are many conceivable biometric applications, it is true that "whether the use of biometrics gives rise to additional risks or provides better protection and more privacy depends on the specific application" (Grijpink, J. 2001) However it is also true that without strict legal regulations it is unlikely that adequate concerns about privacy will be addressed when adopting the biometric applications.

This paper aims to contribute to the debate by examining the law and policy concerns of biometric applications from a privacy perspective. The legal concerns being touched upon in this short paper are by no means exhaustive. Through the analysis and discussion of the various legal initiatives or arguments in the biometric context, hopefully it will be able to give a hint of the complexities involved in biometric technology by focusing on several controversial legal issues.

2. Legal status of biometric data

The legal significance of biometric data, including raw biometric images and biometric templates, has been discussed by many legal and non legal professionals. Although there were different views about whether a biometric template should be regarded as personal data, or personal related data (Grijpink, J. 2001), or anonymous data (Prins, C.1998), there is no denying that raw biometric data is personal data in the sense of the EU directive. In the report to the European Commission, Paul de Hert (2005) had given a clear clarification as to why a biometric template should also be regarded as personal data. ¹ It will be tedious to repeat it here as basically we Page 46 have similar arguments. Hence the starting point of our discussion is biometric data including raw image and templates, should be regarded as personal data covered by the Data Protection Directive.

2.1. Is biometric data sensitive personal data?

A question which has not received enough analysis is when should biometric data be regarded as sensitive personal data? Corien Prins (1998) claimed that "in certain situations the use of biometrical data could imply use of sensitive personal data". The question is then, in what situations would this arise?

Article 8 of the Directive states that processing of "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life" should receive "explicit consent" of the data subjects unless in certain listed circumstances. It indicates that personal data, which can reveal the above listed information, should be regarded as sensitive personal data. The data protection working party held that some biometric data could be considered as sensitive in the meaning of Article 8 of Directive 95/46/EC, when it reveals racial or ethnic origin or data concerning health. But whether a processing contains sensitive data is a question of appreciation which can only be determined by specific biometric characteristics used in the biometric application itself. (Data Protection Working Party , 2006) They proceeded to give the example of facial image as obvious sensitive data and then stopped to give any further clarification. What are the specific criteria for determining the sensitiveness of biometric data? When exactly should it be regarded as "reveals racial or ethnic origin or data concerning health"? The guidance here is nebulous. It may be tempting as the working party suggested, to leave the freedom of appreciation to judges for deciding whether the biometric data being used is sensitive or not. However as the technology develops, this suggestion does not seem to be so appropriate, especially when taking into account that the understanding of the biometric technology among people, including judges other than scientific experts, is still quite limited.

One of the most prevalent privacy concerns about biometric data is based on the fact that biometric data is disproportionate to the task at hand. A single piece of biometric data often consists of two categories of information: information usable for authentication and information not usable for authentication. Information usable for authentication includes information such as: Genotypic information, Randotypic information (sometimes called phenotypic, but without genetic parts), Behavioural information, Information about "unchanging marks". (Bromba.M, 2003) Genotypic information is completely determined by genetics. With respect to data protection, genotypic information seems to be the most controversial since it might reveal relationships to other persons, race, or even a potential disease. For instance, Dr. Marvin M. Schuster has discovered a "mysterious relationship" between an uncommon fingerprint pattern, known as a digital arch, and a medical disorder called CIP. Based on a 7 year study, he found that 54 percent of CIP patients have this rare digital arch fingerprint pattern. (Hancock, E. and Hendricks, M 1996) While still controversial within the scientific community, several researchers have reported a link between fingerprints and homosexuality. (Cytowix, R.E. 1996)

Randotypic information is completely random, and behavioural information is completely determined by training. Unchanging marks may be scars, tattoos, or a chronic disease. (Bromba, M.2003) Among these, "genotypic information" and "unchanging marks" can be relevant to racial, ethic or health information. Information about a chronic disease will also be included because permanence is one of the basic characteristics of biometric information. Information not usable for authentication may include an acute disease. Although at present not all biometric data has been reported to be able to reveal sensitive information, the basic components of biometric information indicate unlimited potential possibilities. It is reasonable to infer as science develops, more sensitive information will be disclosed by the application of biometric information, by a fast analysis of technique equipment and this information may or may not be relevant, for the purpose the data has been collected.

How about the biometric template then? There are two possible ways that one may trace sensitive information from the biometric template: first, trace the raw biometric data from biometric template; second get sensitive information directly from the template. So are they technically possible? The possibility of reconstructing raw data from the biometric template has been discussed by many scientific experts. Suppose some relevant information is available, it has been proven that it is indeed possible to reconstruct those parts of the raw data information which is used for authentication. (Soutar, C 2002) Such data, as analysed above, may include sensitive information, so the biometric template actually includes relevant sensitive information. The second possibility of using the biometric template directly, to trace the sensitive information has not been discussed so far as the author has been able to discern, while it has been discussed as a security issue by some researchers. (Bromba, M 2003) Hence, it will be premature to make an assumption so early, without consulting scientific expertise. The progress report of convention 108 by the Consulting Committee(Consultative Committee 2005) states: "the choice of data Page 47 be extracted in generating a template should avoid revealing sensitive data as, in general, these data will not be able to verify the data subject's identity or identify him or her." This requirement seems to be contradictory to the above analysis as it indicates that the Consulting Committee considered it possible to separate the "sensitive part" of biometric data from...