1 Introduction
Introduction to biometrics, surveillance, discipline and control
Biometric technology (from the Greek: bios, life and metron, measurement) identifies individuals automatically using their biological or behavioural characteristics. In many jurisdictions, itās routinely deployed for passports, voting and access to secure premises ā all cases where personal identity plays an essential role. It has yet to gain wide-spread acceptance in what may be considered everyday areas of our lives; but this is changing, particularly when it comes to the retail sector.
Formal identification and authentication systems are becoming ever more crucial for peopleās dealings with both public and private institutions. The relationship between the individual and the state, as well as his or her wider social and economic environment, will inevitably change as a result of these systems. The process of collecting and organizing information is now a tremendous source of economic, political and cultural power. Data makes us more malleable, easier to predict and highly prone to influence. For retailers and marketers, being able to understand their customersā habits, preferences and aversions ā so that they can predict their needs and provide more targeted sales pitches ā is the Holy Grail.
The leading organizations are the ones that have tracked us most extensively, have profiled us most accurately and have the power to anticipate our next move. Governments are also claiming access to a growing number of biometric identification systems. These schemes involve considerable expenditure and the financial implications for both government and business are substantial. Biometrics is a global growth industry; and the worldwide market for these services is said to have reached $16.5 billion by 2017.1
Proponents argue that formalized identity management systems offer the potential to combat terrorism, fraud, corruption and other illegal activities. Such systems also offer the means to establish strategic partnerships between the state and citizens.2 Failure to register people and provide identity documents is thought to have detrimental effects for both the individual and the state; thus, many countries are establishing national ID systems and exploring the role they play in political, economic and social development (ITU, 8). Modern biometric technologies offer the promise of improved authentication, establishing confidence in individual claims about identity.
Critics complain that the creation of an extensive central register of personal information controlled by government will increase opportunities for the state to abuse citizens, for example by searching health records for evidence of genetic diseases to deny benefits or targeting immigrants and other minorities. Itās apparent that any such scheme is fraught with enormous challenges and risks. At a minimum, many fundamental concepts such as privacy, autonomy and government accountability will shift. Indeed, contemporary society has already witnessed a substantial shift in the responsibility for public order away from the centralized administrative state towards global corporations and systems.
Yet the complexity of government administration in the modern world is now a major problem for most countries.3 Governments in developing states are expected to carry out many of the same functions as first-world countries, including āproviding universal access to healthcare and education, implementing know your customer (KYC) rules for financial institutions, and administering a wide variety of transfer programsā.4 Digital technologies can mitigate some of the problems caused by paper-based registers, including duplications, forgery, false acceptances and false rejections.
As identification technology evolves, so do identification systems. Many of these programs link identities with biometric data across all sectors ā nationwide and even globally ā to create powerful ābig dataā systems and networks of identity. āBig dataā refers to very large data sets and the tools and procedures used to manipulate and analyse them.5 The market sees big data as a way to target advertising, insurance providers use it to optimize their offerings, and Wall Street bankers use it to read the market. Incorporating biometric technologies in big data systems is useful for the growth of e-government, as well as providing public and private services, including voter verification, government transfers and banking. The electronic capture and storage of data can also reduce costs and human error, while increasing administrative efficiency.
Generally speaking, there are three ways in which authentication technologies operate: by assessing something that somebody knows, like a password; by assessing something that somebody has, like a key card; or, by assessing something that somebody is, or is not, which is where biometrics comes into play.6 Biometrics can be defined as the automated method of identifying or authenticating the identity of an individual based on physical or behavioural characteristics. It relies on the notion that the human body is its own identifier.7 Itās more reliable than traditional authentication techniques, like passwords, tokens, and PIN-based methods, because it canāt easily be lost, damaged, forgotten or stolen.8
Biometrics is at the centre of an evolving set of policies and practices related to determining oneās identity; and establishing oneās identity is central to achieving any number of contemporary policy goals, from stopping criminals to increasing efficiencies within the welfare system.9 Widespread fingerprinting is controversial in most Western nations but in developing countries where births are routinely undocumented, people often lack official identification, and many canāt sign their names, so fingerprints can be a personās only opportunity to secure a bank account.10 A fingerprint can therefore become a personās PIN, or signature, for depositing money into savings accounts, taking out loans, and even buying funeral insurance, life insurance or crop insurance.11
Security concerns are a fundamental impetus behind the implementation of identification systems in many nations. In this context, we see them deployed for border management (i.e. to control immigration/migration flows or to monitor travel); law enforcement (i.e. for use by police or other enforcement officials for purposes of identification, investigation or reporting); and to curb the ability of extremists and criminals to conduct illicit activities.12 Not only are they assisting governments to track criminal activity, in some jurisdictions theyāre even helping bystanders to detect and report on crime.
The use of biometric identification can pose significant privacy problems; and the interests of governments and citizens often conflict. Perhaps, for example, the government wants to be able to identify and track the movements of certain people using biometrics. Yet citizens might not be comfortable with the government collecting and storing this information in a database. Similarly, DNA evidence could be collected and used to make determinations about whether or not to provide a person with health-care insurance, based on genetic conditions.13 In each case, there is a conflict between the ability of private and public-sector entities to collect, use, store and share this information, and the individualās interest in keeping it private.
Privacy can be broadly divided into three zones: physical privacy as it relates to the person (i.e. the body); territorial or spatial privacy; and informational privacy, or the freedom of an individual to limit certain information about himself. All three are engaged when it comes to biometrics. The first of these, physical privacy, protects our right to be free from non-consensual contact with another. Liberal assumptions about privacy presume that individuals have a right of dignity, autonomy and bodily integrity and thus are able to decide who and what can have access to their physical selves, and in what manner. Yet these expectations are challenged by biometric systems that can capture personal information from a distance, without the knowledge or consent of the subject.
The second domain of privacy recognizes that individuals must have the right to private spaces within which they can engage in intimate personal acts. This right has a long history in American constitutional law; and the courts have continued to locate the privacy doctrine in real property protections, particularly when it comes to the notion of physical intrusion, and respect for the sanctity and privacy of the home.14 Furthermore, a personās expectation of privacy will only be deemed āreasonableā when it is supported by the right to exclude others, which evolves directly from real property law.15
The boundaries of the third zone of privacy, informational privacy, are the most difficult to define. Informational privacy protects the right of an individual to limit access to personal information about herself. Thus, it relates to secrecy, and the idea that an individual has a reasonable expectation of privacy in personal information that may tend to reveal intimate details about her lifestyle and personal choices. Profiling ā whereby one captures information about an individual and then uses it to anticipate who may pose a security threat and thus who should be subject to further monitoring or other pre-emptive measures ā not only threatens the personās right to āinformational self-determinationā but it also jeopardizes a linchpin of our legal system: the presumption of innocence and the right to equal treatment under the law.16
Technological innovation has meant that the amount of personal information that can be recorded, stored and shared is virtually limitless. In addition, private actors are now playing a critical role in the collection and aggregation of personal information. As a result, our concerns about privacy now centre on personal information that is not necessarily intimate and that may be collected at any time by either the private sector or the state.17 Moreover, information collected in one context can easily migrate to others.18 This understanding of privacy is highly contextual in the sense that myriad factors influence whether we consider it necessary, or even appropriate, to control or limit access to personal information.
This is problematic when one considers the common-law approach to privacy, which largely focuses on the question of whether one has a āreasonable expectation of privacyā in the information itself. This approach can be criticized for treating data privacy as an āall-or-nothing affairā.19 One either has a reasonable expectation of privacy ā in which case, the state is restricted from collecting the data ā or one does not ā whereby the state may do what it will.20 Yet because there is no bright-line test for how, and to whom, information should be disclosed in the modern world, the common law framework for privacy protection in the management of personal information is outdated. There is no longer the overriding concern of protecting some particular class of information, or even the specific place in which it may be collected; but rather the need to regulate the context in which data can be accessed, shared and used.21
At the same time, though we must not lose sight of the fact that there is still a connection between electronic surveillance, biometric systems, and the infringement of oneās reasonable expectation of privacy. For example, the potentially lifelong association of biometric traits with an individual, and their connection with identity records, can lead to the conclusion that the individual belongs to a group with certain access rights and benefits, or to a group that should be denied those benefits.22 This means that people can be denied access to systems and resources, like jobs, health care or insurance; and that the failure to enrol, or be identified, may render an individual unable to leave the country, homeless or even stateless.
This phenomenon is facilitated by persistent closed-circuit television (CCTV) monitoring, inter-agency databases linked to national identity cards, and biometric measurements used for international travel, among other things. A major threat, which has not yet fully materialized, is omnipresent, around...