230 likes | 244 Views
This article provides a technical introduction to biometrics and explores its applications. It then discusses biometrics from a legal perspective, focusing on privacy and data protection regulations. The article also examines the concerns and ethical implications of biometric technologies. The legal framework, including the European Convention on Human Rights and the Data Protection Directive, is analyzed. The principles of fair collection, purpose, proportionality, and legitimate processing are explored in relation to biometric data.
E N D
Introduction to biometrics from a legal perspective Yue Liu yuli@jus.uio.no Mar. 2007 NRCCL, UIO
Agenda • Technical introduction to biometrics • Biometric applications • Biometrics from a legal perspective: privacy/data protection • Relevant legal regulations • Discussion: friend or foe?
Definition: • Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic. ---J. Wayman
biometrics • Behavior: voice, keystroke, gait, signature… • Physiological Fingerprint, iris, facial, retina, palm… DNA? Not externally observable
biometrics • Verification (authentication): • are you whom you claim to be? • one to one match • Central or decentralized database • Identification: • Who are you? • One to many match • Central database
Authentication methods • Something you have: card token key • Something you know: password, PIN • Something you are: biometrics
Biometric applications • Verification: PRIVIUM (iris), • Identification: EURODAC (fingerprint), US chain stores, • Both: EU Passport (facial recognition)
Privacy impact assessment • Are users aware of the system’s operation? • Is the system optional or mandatory? • Is the system used for verification or identification? • Is there are central database? • What kind of PET is being used? • What kind of biometric technology is adopted? • Is the data collector private or public sector? • In what capacity are data subjects interact with the system? • Is it a large scale application or a small scale application? • …….
Biometric concerns • Function creep • Ethical concerns • Overkill the task • Disclose sensitive information • Pervasive surveillance; covert collection • Lower privacy awareness: for convenience • Hacking of central storage and wide likeability • Can biometrics make us safer? • Deprived the right to anonymity • Permanent ID theft • …
Legal framework • Very little specific biometric regulations • European convention on Human rights (ECHR) • Data Protection Directive (95/46/EC)
Privacy: the right to be left alone • ECHR art8(1) Everyone has the right to respect for his private life and family life, his home and correspondence. Dimensions: • informational • Physical • Decisional • Proprietary
ECHR art8(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with thelaw and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Data protection Directive • Defines rights and obligations with respect to the processing of personal data • any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;“
Personal data • Personal data any information relating to an identified or identifiable natural person (art2 a) • An identifiable person is one can be identified directly or indirectly in particular by reference to an identification number or one or more factors that specific to his physical, physiological, and mental(…) identity Biometric image and biometric template as personal data?
Principle: fair collection • personal data must be processed fairly and lawfully(art6 a ) • Data subject must be informed, consent is needed unless under certain conditions: national security, defense. Public interests… Covert surveillance should not be allowed generally: facial recognition
Principles: purpose and proportionality • Legitimate Purpose (ar6b):(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. • Proportionality (art6.8.14.15) personal data must be adequate, relevant and not excessive in relation to purpose
Legitimate processing • Art7 • personal data may be processed only if: • consent • necessary for the performance of a contract • necessary for compliance with a legal obligation • necessary in order to protect the vital interests of the data subject, • necessary for the performance of a task carried out in the public interest or in the exercise of official authority • necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed
proportionality • When the collection of biometric data is necessary?(less obtrusive alternative? Balance?) • Messing v. Bank of America, Swedish school, UK • How to avoid function creep? • Is consent enough? ( opt in or opt out)
Security measures • Art17 • Appropriate security measures must be taken to protect personal data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
Misconceptions of biometrics Accuracy, ID theft, central storage Risks: enrollment, transmission, storage, raw data, reversible template, id theft, indisputable evidence, permanent ID theft Safe guards of misuse of biometrics: encryption, smart card A right to argue?
Friend or foe? • When can biometric compatible with the EC data protection directive? • When can biometrics be a friend to our privacy? • Is it just a problem of trading off between privacy and security?
Thank you for your attention! • Reading list: • Art29 data protection working party, working document on biometrics at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp80_en.pdf • JRC(IPTS) Biometrics at the frontiers: assessing the impact on society. At http://europa.eu.int/comm/justice_home/doc_centre/freetravel/doc/biometrics_eur21585_en.pdf