The security of our modern information society increasingly depends on the ability to accurately identify people. That way, they can conduct transactions, prove something, or lay claim to something. Also, institutions and authorities want to know for sure that they are dealing with the right person. Biometric data makes it possible to recognise somebody on the basis of a unique physical characteristic. For that reason biometrics will become an indispensable element of countless settings and processes. In this article the chairman of The Netherlands Biometrics Forum (NBF) sets out the Forum’s vision on the safe and reliable use of biometrics from the perspective of its social responsibility, in the form of a number of recommendations.
In today’s society it is becoming more and more important to be able to accurately recognise people in order to enhance the security of our information society. Equally important is it for someone to be able to prove something or to prevent someone else from stealing their identity or property. The fact that biometric data enables us to recognise a person by a unique physical characteristic indicates that biometrics will become indispensable in the future and will be used in a wide range of processes and settings.
What is biometrics?
The NBF defines biometrics as recognising a person based on a physical characteristic using information technology. Information technology makes it possible to quickly digitise physical characteristics in order to compare them with previously stored data. As well as technical and organisational aspects, the user’s safety and the protection of his personal privacy play a major role in the use of this technology.
Restrictions of biometrics
Biometrics is not a panacea: they are not infallible and can be imitated and misused. Biometrics also has another inherent limitation. It can link a person to a document or detail, but it doesn’t say anything about the accuracy of that document or detail, or whether the link itself is accurate. Establishing someone’s identity implies making a statement about the accuracy of a document or detail linked to a person and about the biometric link itself. That is something biometrics cannot do. In spite of that, biometrics is an important additional tool to identify people or to verify someone’s identity if used in combination with other personal data and instruments.
New technologies are inevitably affected by teething troubles, which – particularly in the initial phase – makes it especially easy for someone to commit identity fraud. Ultimately, biometric technologies must gain broad public acceptance. It would be regrettable if confidence in biometrics was put unnecessarily to the test in the initial stage as a result of ill-advised and risky applications. The NBF strives to contribute to the best of its ability in this area by looking into the issue of the social acceptance of biometrics, for example.
Who is involved in biometrics?
The person who is recognised on the basis of his biometric characteristics can assume various roles – those of citizen, operator, manufacturer/supplier and legislator.
In his dealings with the government, the person who is recognised on the basis of his biometrics is referred to in this document as a citizen. Citizens can occupy various positions: subject (for the payment of taxes), free citizen (for electing and being elected, right of association) or government client (when applying for permits, passports, etc.). Combinations of these positions are possible too.
For a safe and reliable service, private organizations, institutions, companies and public bodies can use and, in exceptional situations, even require the use of biometrics to accurately recognise clients and employees. Those organizations are referred to in this document as the operators of a biometric system. Operators can be regarded as controllers, as defined in the Dutch Personal Data Protection Act. System administrators and operational staff work under their authority.
Some companies are manufacturers or suppliers of biometric products. These companies are responsible for the technical and functional quality, including the provision of effective security for biometric equipment. Other than that, the operator is responsible for the safety and reliability of the application as a whole, including organisation, procedures and personnel.
Finally, the government can be designated as legislator, in that capacity creating the rules that guarantee equal preconditions and provisions for the safe and reliable use of biometrics for all.
Biometrics applications in The Netherlands
In The Netherlands, we are currently witnessing the emergence of more and more small- and large-scale biometrics applications in which sometimes convenience and service are being emphasized and at other times security, protection or law enforcement. In that context four areas can be distinguished in which biometrics are applied, and in which numerous biometrics applications are already available:
- the public sector (for identity management and border control, for example);
- the private sector (large-scale access control, logistics processes, payment transactions, etc.);
- organizations and institutions (for example swimming pools, discos, museums, clubs);
- personal applications (PC/laptop access, security for cars and homes, etc.).
What can and cannot be solved by biometrics?
Many people find it difficult to fathom the technology needed for biometric person recognition because it is based on the laws of probability and thus necessarily leads to erroneous recognition (the extent of which depends on the tolerances set by the operator himself) giving rise to incorrectly linking people with documents or details. Biometrics cannot make any statements about the accuracy of those documents or details either. For that reason – contrary to what many people think – biometrics cannot tell you who somebody is, but only give you the probability that somebody is the person you expect.
The applications themselves feature risks as well, but those risks can be limited with appropriate measures in given situations. Our inability to control organisational and human factors means that biometrics can only be applied on a large scale if organised with a great deal of effort, in such a way that an application is sufficiently safe for the intended purpose. For that reason, biometrics as a standalone instrument will not lead to people being infallibly recognised. Biometrics quickly gains in reliability and security when used in combination with other biometric or non-biometric instruments, such as a PIN code. That substantially reduces the chance of deception (known as spoofing). It does, however, always relate to the entirety of an application, including technology, organisation, procedures and not least to the extent to which people cooperate or, conversely, have a vested interest in errors or misuse.
When is biometrics useful and justified?
Biometrics is useful and justified in a number of cases:
- Biometrics can only recognise people, it cannot be used to establish identities. Biometrics is especially useful when we need to know for sure that the person we are dealing with is the same person as the person we expect, or when someone has to prove something about him or prevent someone else from stealing his identity.
- In view of the security level required in a particular setting, the use of biometrics must be absolutely necessary for the envisaged purpose and not replaceable by other, lesser measures. Therefore, it is especially important to actively discourage trivial uses of biometrics.
- Biometrics can only be justified if the application is transparent and it is not possible to use a person’s biometric characteristic outside of that application.
- Biometric characteristics should always be securely managed, in such a way that:
▪ it is impossible to re-use biometric characteristics outside of the application in which they are managed;
▪ the application in which the biometric characteristic was created and is managed is can be clearly distinguished from the biometric characteristic itself.
The NBF sets out to bring about a clear understanding of the significance, benefits and constraints of biometric technologies among all those involved and to encourage the development of:
- technologies that prevent a biometric characteristic from leaking to applications other than the one in which it originated;
- technologies that make it possible to trace the origin of a biometric detail if, despite all prevention efforts, the information does leak out.
Rights regarding biometrics applications
A person is entitled to:
- certainty that the biometrics application will be solely used for its intended purpose, by clearly distinguishing between what people are obliged to do and what is voluntary;
- a simple and straightforward objections and complaints procedure, for example if somebody is wrongly rejected, or when the biometric verification is not appropriate, given that application’s specific purpose;
- a fallback procedure – at least proportionate to the risk – in case a person is unable to take part or the technology malfunctions;
- an adequate set of preventive measures to avert the theft or misuse of their biometric data or related identity;
- the biometric system’s operator active support of a biometric system including compensation for damages and rehabilitation in the event of someone’s biometric data or related identity being stolen or misused;
- disclosure by the administrator of the application as to who has viewed his biometric characteristics;
- explicit measures (apart from criminal proceedings) taken against a person who attempts to misuse somebody else’s biometric characteristics or has succeeded in doing so.
Governmental measures regarding the application of biometrics
The law needs to be supplemented as for the prevention of misusing of biometric data and identities. The following points are also important:
- A compulsory register must be introduced at a national centre for the registration of personal data with biometric characteristics, to which the abuse of biometric identities or biometrics applications can be reported and requests can be made to correct errors. This central body must actively guard against any unnecessary and unsafe storage of biometric characteristics. The centre should check whether the operator has put sufficient measures in place to prevent theft or misuse of the biometric data he is administering.
- Critical and socially sensitive applications must be certified, and certification standards must be developed if not yet available. For other applications the use of certified biometric products must be promoted and again, certification standards must be developed if not yet available.
- Each biometrics application must specify the constraints within which the relevant biometric data can be used.
- The storage of biometric characteristics is only permitted if the application in question requires it and the biometric characteristics are stored in a scrambled and encrypted form. It should be impossible to re-use those biometric characteristics outside of that application.
- The public and private sectors must always use biometrics in combination with other biometric or non-biometric instruments, such as a PIN code, in order to substantially reduce the risk of deception (spoofing). Because of this, the use of a separate biometric characteristic (e.g. ‘fingerprint only’) must be advised against.
- It should only be permitted to link a file containing biometric characteristics to external databases in situations provided for by law. Additionally, biometric data in internal databases will in principle have to be stored in a scrambled and encrypted form, if possible without a direct link to biographical data.