The surveillance of cross-border traffic, especially through the use of biometric technology, has become more popular in the wake of the ‘9/11’ terrorist attacks and the ensuing war on terrorism. As part of efforts to enhance security, governments around the world are investing large sums of money and human resources in biometric technology, which also act to accelerate the use of biometrics among private-sector entities. Technologies that previously had difficulty in surviving even their pilot stages (Australian Government, 2004; European Commission’s Joint Research Centre, 2005) were suddenly ‘good enough’ to be installed across vulnerable points of entry into a variety of countries, not only in the United States but also in many other Western and Asian countries (Ploeg, 2005).

Although biometric data have long been used in the realm of criminal proceedings such as in fingerprinting and DNA profiling, such data are increasingly being used by governments and private entities as a way of ascertaining individual identity in other contexts. Reference measures have expanded from the traditional types mentioned above to involve multiple human characteristics, such as the use of the facial image, iris, retina hand prints, and so on.¹ The use of biometrics is not restricted exclusively to travel and identity documents but extends also into commercial and other private sector domains, such as e-passports holding both the user’s personal information and facial image;² fingerprints taken as a legal requirement for getting a visa, but not stored anywhere on the visa;³ paying a chain store’s bill by scanning the purchaser’s fingers (Jain and Pankanti, 2006); access control of an oil depot using employee fingerprints⁴ and checking in at the airport using a passenger’s iris.⁵ These systems seem different in their purpose and procedure, but each uses biometric technology in some way.

Biometric technology is not new. Quantitative measurement of biological human traits for the purpose of identification dates back to at least the 1880s, though the use of human characteristics to recognise people has arguably always been an integral part of human society. The first concrete record of the use of biometrics was a form of fingerprinting used in China in the 14th century, as reported by the Portuguese explorer Joao de Barros. Chinese merchants used fingerprints to settle business transactions, and Chinese parents used fingerprints and footprints to differentiate children from one another (Garfinkel, 2000). Despite its long history, biometrics never became a distinct field until a French police officer named Alphonse Bertillion sought to solve the problem of identifying convicted criminals by devising a system of physical body measurements (anthropometry) (Cole, 1999; Beavan, 2001). Bertillion’s system included such measures as skull diameter and arm and foot length. ‘Bertillion realised that even if names changed and even if a person cut his hair or put on weight, certain elements of the body remained fixed’ (Garfinkel, 2000: 39). This system was called anthropometrical signalment and was very basic in its implementation. Nevertheless, it was a huge breakthrough and was adopted by prisons and police stations within national borders and across the world. Some drawbacks were found when this system was applied to a large population where no automatic means were applied, and anthropometrical signalment was found not to be totally unique. The true biometrics system⁶ began to emerge in the 1960s, coinciding with the emergence of computer systems (Bolle et al., 1996). The nascent field experienced an explosion of activity in the 1990s, and it began to surface in everyday applications in the early 2000s (National Science and Technology Council, 2006b).

Radical, diverging positions are held on the issue of whether biometric technology is dangerous to individual privacy and democracy in general. On the one hand, biometrics is seen by Clarke as one of the most serious among the many technologies of surveillance that are threatening the freedom of individuals and of societies (Clarke, 2001). Chandrasekaran has also claimed that ‘[in] most cases the biometric technology is impersonal’ (Chandrasekaran, 1997). It enables the bringing together of disparate pieces of personal information about an individual. If the technology meets with widespread success, individuals may find that they are required to provide a biometric identifier in unexpected and unwelcome future circumstances. In contrast, others maintain that biometrics constitutes a potential solution to privacy by safeguarding identity and integrity, and could even be privacy-enhancing when combined with cryptography techniques (Woodward, 1997). It has been further claimed that ‘[b]iometrics would put a sudden and complete stop to as much as 80% of all fraud activity’ (Milbank, 1995: B1).

Beyond this debate, the pressing need for Western democracies to strengthen security and re-assess foreign policy, particularly in the aftermath of ‘9/11’ and similar terrorist operations, such as those in Madrid (2004) and London (2005), gave rise to a host of proposals for using biometrics. Implicit in these proposals was that enhancing security unavoidably requires some ‘trade-offs’ with respect to civil liberties and privacy (Dersgowitz, 2002). Opponents to the ‘trade-off’ arguments respond in two ways. One opponent is Ann Cavoukian, Ontario’s Information and Privacy Commissioner, who has called attention to the necessity of balancing the key factors involved in the debate. She argues that:

On a more abstract level, there exists a political and philosophical discussion about the use of biometric technology which aims to understand how diverging assessments of biometrics, function in the public construction of the technology involved (Ploeg, 2005). This discussion does not seek to counter the constructions of technology by claiming that technology in itself is neutral, or that the degree of its threat to privacy depends on the specific use to which it is being put; instead, it is claimed that technology is highly political and normative (Winner, 1986; Adam, 1998). The main idea is that technology is the outcome of social processes and choices, and is continually in the process of being made (Ploeg, 2005).

It has been argued that ethical scrutiny begins with care for the other, and to relieve and to prevent suffering. The lesson taught by traditional bioethics should now apply to biometric technology (Mordini and Petrini, 2007). The effects of technology on the lives of people are studied, focusing not only on the immediate but also on the long-term social implications of biometric technology (Ashbourn, 2006).

Academic legal research on the use of biometric technology is relatively new and quite insufficient compared with the public debate. When the doctoral research project that this book represents began in early 2005, there had been (to my knowledge) little systematic and/or comprehensive study of biometrics from a legal perspective, although several articles, book chapters, and reports touched upon the topic.¹⁰ In 1998, Prins, a renowned legal scholar, was one of the first to analyse the impact of biometric technology on the area of fundamental rights as laid down in the European legal context (Prins, 1998). She set down some tentative first steps towards insight into the legal consequences of, as well as conditions for, the application of biometric technologies. She discussed issues related to fundamental rights, legal requirements for security measures, and the status of evidence. However, her analysis left quite a lot of issues open to discussion, which underlined the need for further study.

Three years later, Grijpink made another attempt at addressing the issues raised by biometrics and privacy law (Grijpink, 2001). With a solid technical background, he attempted to clarify the concepts and practical applications of biometrics, and put forward a number of basic rules to accommodate the use of biometric technology in a legally acceptable manner. However, the issues of how the law should be interpreted or improved in response to the technology were largely left untouched.

Official documents subsequently appeared. In August 2003, the ‘Article 29 Data Protection Working Party’¹¹ adopted a working document on biometrics. The working document reflects the view of the EU member states’ data protection authorities on biometric systems and data protection, and it puts forward several recommendations for the development of such systems (Article 29 Data Protection Working Party, 2003). The Organisation for Economic Co-operation and Development (OECD) also focused on the matter and released in April 2004 a report on the use of biometric-based technologies (Working Party on Information Security and Privacy, 2004). In 2005, the Institute for Prospective Technology Studies at the European Commission’s Joint Research Centre also published a report in which the impact of biometrics, including legal aspects, was described (European Commission’s Joint Research Centre 2005). As part of that wo...