Biometrics knows no borders, it must be subject to extreme vetting

Biometrics knows no borders, it must be subject to extreme vetting

25 October 2017

From unlocking a smartphone or getting through an airport, the use of an iris, fingerprint, or your face for identity verification is already widespread, and the market for it is set to rocket. While the technology is not new, its capability and uses are. As people, biometrics offers us much, but risks ultimately only serve data-hungry industries and government agencies: in the name of efficiency and security, it has the potential to bring chaos and vulnerability.

Obtaining reliable biometric data is becoming easier. Beyond everyday smartphones, new biometrics acquisition technologies already exist which can collect biometrics from a distance, while targets are on the move and without their knowledge. Facial recognition cameras which can work from a distance on multiple people have been on sale for years. Idemia, one of the world’s largest biometrics companies, even sells a system which can capture iris biometrics form a distance of over a meter. While such systems are unlikely to be reliable for a while — no one should doubt that they’ll continue to improve.

Easier acquisition means less intrusiveness and less waiting time. This is being marketed for places like airports, where it means that instead of waiting in line at the airport to scan your face at an electronic passport gate, a sensor could do it while passengers are on the move, eliminating any need to stop. The UAE is currently planning to integrate such “at a distance” biometric technology at 96 e-gates and 94 e-counters.

But while the use of biometrics in this way may start at the airport, it’s unlikely to end there: by removing practical obstacles to increased security measures, it also expands their use to other areas of public life. While this may start with the need to fight terrorism, and eventually to identify immigrants or people claiming social benefits, the fact that the technical infrastructure will already be in place means that it can be used for anything.

Soon, it could be a requirement to verify your identity using biometrics to go into a government building, take public transport, set foot in a shopping centre, or go into an upmarket area of town. For public health reasons, it will be possible to track, stop, or punish people buying fast food, putting on a bet, or buying alcohol and cigarettes.

Automated analysis techniques can be used to identify suspicious movements and patterns, assign risk ratings to people, and add people to watchlists — some of which already contain more than a million people — without any significant human intervention.

Governments are already investing heavily in biometrics recognition. Last year a study by Georgetown Law Center on Privacy and Technology found that 1 in 2 adults in the US were already in a law enforcement facial recognition network. China is planning to integrate a nationwide database with a facial recognition system, Russia, home to one of the most advanced facial recognition applications, has recently installed 5000 facial recognition cameras in Moscow. The Australian Prime Minister last week signaled his eagerness to use facial recognition cameras for public safety in public spaces such as shopping malls, while the UK has already used facial recognition cameras at a number of large public events, including the European football champions league final. Bangladesh is reportedly planning to buy 50,000 new CCTV cameras, some with facial recognition capabilities.

Sharing is of all this data already common place within and between governments. The US border police shares biometric data not just with other US agencies, but with other governments. The EU is also planning to centralise its biometrics verification system in order to easier share data across the Union, while Russia and China also share biometric data through regional security cooperation agreements. Biometrics and behaviour data amassed by industry will also continue to be an irresistible intelligence target for government agencies through sharing requirements and surveillance programmes.

With the push for international cooperation on terrorism and migration, it may only be a matter of time before watchlists of millions and datasets of billions of people compiled in part by corrupt officials, repressive regimes, and dodgy algorithms will be being shared around every corner of the world, with little chance for individuals of redress.

Not only will some of this data be wrong or lead to discrimination, it will also be a massive target for hackers. As major attacks on IT systems continue to be daily news, including large scale thefts of extremely sensitive biometric data, regular breaches of government and industry held biometric data are arguably inevitable.

But between such a devastating breach of biometric data, out of control surveillance databases, and a consumer apartheid enforced by industry, there is a clear alternative. Privacy International and many others continue to fight against such short-sighted data excesses by promoting strong data protection regulations, exposing risky intelligence sharing, investigating industry’s role in collecting data, and pushing for reforms in parliaments and through the courts. But it is public vigilance and debate that will to keep it in check. Soon, there will be calls for biometric recognition to be used even more widely to identify terrorists and illegal immigrants: while the list of what follows that may be limitless, public acquiescence and indifference cannot be.