‘Biometrics’ describes the physiological and behavioral characteristics of individuals. This could be fingerprints, voice, face, retina and iris patterns, hand geometry, gait or DNA profiles. Biometrics are deployed by governments – including national ID schemes, voter registration and at borders. Biometrics are also being used in development and humanitarian initiatives eg. refugee registration, and by private companies eg. banks.
There are two parts to the employment of any biometric system. Firstly, biometric technologies capture and store characteristics in a database in order to identify an individual. Secondly, the information in this database is cross-referenced to verify or authenticate an individual’s identity in a range of contexts eg. when accessing government services, or crossing borders, to enable an individual to vote, access bank accounts, access health services etc.
In the past few years, there has been an uptake in countries launching expensive and data intensive biometric programmes, such as the Aadahar project in India and biometric voting systems across Africa, as well as in the development and humanitarian sector.
What is the problem
When adopted in the absence of strong legal frameworks and strict safeguards, biometric technologies pose grave threats to privacy and personal security, as their application can be broadened to facilitate discrimination, profiling and mass surveillance. The varying accuracy and failure rates of the technology can lead to misidentification, fraud and civic exclusion.
Biometric data can identify a person for their entire lifetime. This makes the creation of a biometric database problematic, as they have to anticipate risks far into the future – whether that be a change in political situation or regime, a future data breach, or the development of technology meaning that biometrics can be used for more purposes, and could reveal more information and intelligence about individuals than is currently possible.
A global industry is fueling the biometrics boom. But these systems are expensive, and the procurement of such systems by governments is deeply opaque. It is often unclear how the systems actually work and therefore why and how they fail, and how the lessons learned are reflected upon, and there is also a lack of clarity of duties and responsibilities of different parties, particularly when they are being deployed in a legal and regulatory void.
What is the solution
Privacy International and partners have observed that governments are keen to develop data-intensive projects, but often lack any pre-assessment of the risks, or consideration for securing the personal data those projects generate. Purported benefits of the systems are stated without the necessary baseline studies to back up the claims.
Governments and non-state actors in other sectors adopting biometric systems need to ask, why do this at all? What problem is a biometric database trying to solve? How will it succeed? Has it succeeded? Or have new risks been created? It is no use throwing technology at a problem that is not technical and there may be other ways to solve the perceived problem.
There must be more transparency and public discussion of the privacy implications and the measures put in place to protect individual’s biometric data.
What PI is doing
Closely tied with our work on identity and surveillance, PI is working with partners in our International Network and experts, we are undertaking research, advocacy and policy work on areas including, biometrics and elections, biometric national identity systems, biometric migration systems, and biometric identification schemes in the development and humanitarian sector, amongst others. This works enables us to:
- Scrutunise the motivations of states and nonstate actors adopting biometric systems and assess whether biometric systems actually solve the socio-economic problems they are claimed to.
- Advocate for stronger protections on individual’s biometric information, starting with ensuring there is a robust and effective data protection legal framework in place, which upholds biometric data as sensitive data that requires higher safeguards.
- Campaign for procurement of biometric technology based on public justifications, including cost and motivation, and public debate, so that the procurement of biometric technology is more transparent.
Hold companies selling biometric technologies accountable for privacy and security impacts.