The National Technical Authority for Information Assurance
Privacy Issues and Biometrics - MS06

This summary addresses the protection of the personal rights of those whose data are processed by biometric systems, which goes beyond the protection of personal data alone. A crucial question is whether or not biometric data are to be seen as personal data, as the full panoply of European and national regulation is only enforceable for personal data. In most cases biometric data must be regarded as personal data within EU and national legislation: the deciding factor is that biometric data provide a direct or indirect link to the data subject in almost all cases.

Principles

Depending on how a system is deployed, biometrics can either threaten or protect the privacy of individuals. The protection-enhancing role is particularly valid in view of the special properties of biometrics, which are linked to the individual for life, unlike PINs and passwords, which are only indirectly and weakly linked to a person. Therefore, by using biometrics, other types of personal data can be better protected from theft and misuse than by traditional means.

We need to understand the dichotomy of the threat and protection potential of biometrics when discussing them in terms of privacy: on one hand, biometrics are potential personal data which need to be protected in the same way as any other personal data; on the other hand, biometrics are a new and better means to protect other personal data in the context of data security. Biometrics can therefore be both an object and a tool in the different aspects of this discussion.
In a positive way biometrics can be seen as privacy enhancing because:
  • Biometric authentication can provide stronger personal binding of access rights to personal data than traditional means like PINs and passwords, e.g. better access control to areas where personal data is held,
  • Protection against identity theft: ensuring personal data can be linked exclusively to the right person and therefore can only be used in the name of the right person.
In a negative way, biometrics can present a potential threat to privacy because:
  • If an individual’s biometric identity becomes compromised on a given system, the biometric characteristics are not amenable to change in the straightforward way that a password can be changed.
  • If biometrics are regarded as a very strong means of authentication, proof of misuse by impostors may become very difficult to establish.
There are some common principles that must be considered when implementing biometrics in real-world applications according to European law. It is important to note that in some Member States, legal specifics will lead to different interpretations. However, some of the commonly understood aspects are listed below with examples of the questions that lie behind the principles:
  • Proportionality principle: is the use of biometrics justified in the context of the application, or could other means of authentication equally well fulfil the requirements without the need for personal data?
  • Potential risk of discrimination: does the biometric system in place offer high quality, especially in terms of sensible false-match, false non-match and failure-to-enrol rates? Do objective test reports exist, as well as evaluation and certification, in order to judge its level of reliability and security objectively?
  • Improper use/scope limitation/function creep: is the use of the biometric data actually restricted to the basic purpose for which the data were originally collected? Has the user given (explicit) consent to the processing of his or her biometric data, or is there a legal provision in place which allows the data to be used?
  • Possible covert obtaining of biometric data and monitoring: does the operator have to notify subjects of the use of, e.g., video surveillance together with an AFR (automatic face recognition) system, and is the user aware that his or her biometric data are being collected? If not, is there a legal dispensation that allows the data to be collected covertly?
  • Specific data warranting protection: are the biometric data able to reveal more than identification information about the person, e.g. health or ethnic data, and did the user have the opportunity to give his or her explicit consent? Has the operator properly taken into account the legitimate interests of the data subject, set against the operator's own rightful interests as data controller?
Privacy Enhancing Technologies (PET) in the context of biometric data

The aim of PET is to institute measures that protect privacy through the elimination or reduction of personal data without loss of functionality of the IT system. This concept applies to biometrics from two standpoints: firstly, the implementation and application of biometrics has to conform to a proper privacy regime in order to be privacy enhancing; secondly, biometrics themselves can be privacy enhancing. For instance, the European Initiative on Privacy Standardisation in Europe speaks, in its final report, of biometrics as a tool of Privacy Enhancing Technologies [1]. The main question from the PET standpoint is whether or not "identity" is necessary for each of the processes of the information system. In many cases, it is not necessary to know the user's identity (as distinct from validating their credentials) in order to grant privileges. Nevertheless, there are some situations in which the user must reveal his or her identity to allow verification. In these cases, some general rules can be suggested:
  • Use as little personal data as is necessary for the aim of authentication,
  • If using personal data, protect the data from disclosure (e.g. by encryption),
  • Delete personal data as soon as possible,
  • Anonymise personal data whenever possible,
  • Do not use central databases where not required [2],
  • Give users control over their personal data ("identity protector"),
  • Make use of evaluation and certification to create a guaranteed level of trust.
General privacy assessment of a biometric system

Apart from the principles mentioned above that assess a biometric system with regard to privacy and the potential risks, the overall security of the system and the achievable protection of the biometric data in use have to be considered. For instance, the latent risk of misuse of central databases must be considered, especially when access rights are not thoroughly restricted and controlled, and when the encryption and its management are not strong enough. When decentralised storage is used, the user can more easily keep control over his or her data, though misuse of data remains possible, e.g. by gaining access to the data on a card. Systems should be designed and implemented with due regard to security considerations.

See also:

Management Summary MS05 – Legal Issues and Biometrics

[1] CEN/ISSS Final report, 4.26
[2] Central databases are prohibited, e.g. in Germany, in respect of the use of biometrics in ID cards and passports.

The UK Biometric Working Group, managed by CESG, supports the UK government and provides advice and information about the implementation and use of biometric authentication systems.
© Crown copyright, 2008.