Part I 1 Introduction
1.1 Background
1.1.1 Development of Biometrics
Heightened security concerns arising from the growth of various forms of crime, including identity theft and terrorism, have led to increased interest in the development and application of âtechnologies of surveillanceâ (Lyon, 2001). These are technologies that â following the definition of âsurveillanceâ given by Lyon, a definition which is adopted for the purposes of this book â facilitate the âcollection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been collectedâ (Lyon, 2001: 2). Technologies often have an inherent logic or bias which may strongly influence the way in which they are being used. The bias of technologies of surveillance is essential to augment surveillance capabilities. Thus, to some extent, the development of surveillance is also driven by new forms of technology (Bygrave, 2002). A prominent form of such technology is the rapidly expanding use of biometrics, that is, identification and authentication technologies based on unique characteristics of individual human bodies. Biometrics, though, is not exclusively a surveillance technology; beyond surveillance biometrics is also being developed and applied in a range of other contexts including personal computing, entrance security, and automated banking. Nonetheless, it is mainly in relation to their surveillance and control potential that biometric applications are attracting controversy. They are seen by some as part of an array of surveillance technologies that have advanced to the point where they now collectively possess the capability to threaten the most basic democratic notions of individual autonomy and privacy (Nuger and Wayman, 2004a).
The surveillance of cross-border traffic, especially through the use of biometric technology, has become more popular in the wake of the â9/11â terrorist attacks and the ensuing war on terrorism. As part of efforts to enhance security, governments around the world are investing large sums of money and human resources in biometric technology, which also act to accelerate the use of biometrics among private-sector entities. Technologies that previously had difficulty in surviving even their pilot stages (Australian Government, 2004; European Commissionâs Joint Research Centre, 2005) were suddenly âgood enoughâ to be installed across vulnerable points of entry into a variety of countries, not only in the United States but also in many other Western and Asian countries (Ploeg, 2005).
Although biometric data have long been used in the realm of criminal proceedings such as in fingerprinting and DNA profiling, such data are increasingly being used by governments and private entities as a way of ascertaining individual identity in other contexts. Reference measures have expanded from the traditional types mentioned above to involve multiple human characteristics, such as the use of the facial image, iris, retina hand prints, and so on.1 The use of biometrics is not restricted exclusively to travel and identity documents but extends also into commercial and other private sector domains, such as e-passports holding both the userâs personal information and facial image;2 fingerprints taken as a legal requirement for getting a visa, but not stored anywhere on the visa;3 paying a chain storeâs bill by scanning the purchaserâs fingers (Jain and Pankanti, 2006); access control of an oil depot using employee fingerprints4 and checking in at the airport using a passengerâs iris.5 These systems seem different in their purpose and procedure, but each uses biometric technology in some way.
Biometric technology is not new. Quantitative measurement of biological human traits for the purpose of identification dates back to at least the 1880s, though the use of human characteristics to recognise people has arguably always been an integral part of human society. The first concrete record of the use of biometrics was a form of fingerprinting used in China in the 14th century, as reported by the Portuguese explorer Joao de Barros. Chinese merchants used fingerprints to settle business transactions, and Chinese parents used fingerprints and footprints to differentiate children from one another (Garfinkel, 2000). Despite its long history, biometrics never became a distinct field until a French police officer named Alphonse Bertillion sought to solve the problem of identifying convicted criminals by devising a system of physical body measurements (anthropometry) (Cole, 1999; Beavan, 2001). Bertillionâs system included such measures as skull diameter and arm and foot length. âBertillion realised that even if names changed and even if a person cut his hair or put on weight, certain elements of the body remained fixedâ (Garfinkel, 2000: 39). This system was called anthropometrical signalment and was very basic in its implementation. Nevertheless, it was a huge breakthrough and was adopted by prisons and police stations within national borders and across the world. Some drawbacks were found when this system was applied to a large population where no automatic means were applied, and anthropometrical signalment was found not to be totally unique. The true biometrics system6 began to emerge in the 1960s, coinciding with the emergence of computer systems (Bolle et al., 1996). The nascent field experienced an explosion of activity in the 1990s, and it began to surface in everyday applications in the early 2000s (National Science and Technology Council, 2006b).
1.1.2 Public Debates
The nature and diversity of subjects that can be explored in an analysis of biometrics and its social/legal implications makes it a particularly interesting field of study. Although much debate about the technology appeared before the dramatic changes brought about due to â9/11â, the relevance of such debates appears only to have increased. Apart from the technological aspects, the public debate on biometrics focuses on privacy and body-integrity issues.7 Contributors to the ongoing debate are drawn from the perspectives of politics, law, philosophy, and ethics (Woodward, 1997; Etzioni, 1999).
Radical, diverging positions are held on the issue of whether biometric technology is dangerous to individual privacy and democracy in general. On the one hand, biometrics is seen by Clarke as one of the most serious among the many technologies of surveillance that are threatening the freedom of individuals and of societies (Clarke, 2001). Chandrasekaran has also claimed that â[in] most cases the biometric technology is impersonalâ (Chandrasekaran, 1997). It enables the bringing together of disparate pieces of personal information about an individual. If the technology meets with widespread success, individuals may find that they are required to provide a biometric identifier in unexpected and unwelcome future circumstances. In contrast, others maintain that biometrics constitutes a potential solution to privacy by safeguarding identity and integrity, and could even be privacy-enhancing when combined with cryptography techniques (Woodward, 1997). It has been further claimed that â[b]iometrics would put a sudden and complete stop to as much as 80% of all fraud activityâ (Milbank, 1995: B1).
Beyond this debate, the pressing need for Western democracies to strengthen security and re-assess foreign policy, particularly in the aftermath of â9/11â and similar terrorist operations, such as those in Madrid (2004) and London (2005), gave rise to a host of proposals for using biometrics. Implicit in these proposals was that enhancing security unavoidably requires some âtrade-offsâ with respect to civil liberties and privacy (Dersgowitz, 2002). Opponents to the âtrade-offâ arguments respond in two ways. One opponent is Ann Cavoukian, Ontarioâs Information and Privacy Commissioner, who has called attention to the necessity of balancing the key factors involved in the debate. She argues that:
At the heart of this debate is the balance between human rights and civil liberties, including privacy, and the intrusion on these rights in the name of public safety. We may have to rethink this balance. And that should come as no surprise. The balance between security and privacy has never been static, shifting in favour of security whenever weâre faced with significant threats to public safety.
(Cavoukian, 2001: 1)
Schneier and Sobel respond in another way: âfor any security proposal, regardless of its implications for privacy and other civil liberties, we must ask âis the security solution worth it?ââ (Schneier, 2003: 14 and 15). Furthermore, â[l]iberties are far easier to give away than to get backâ (Schneier, 2003: 243) and âtrade-offs made in the emotional aftermath of 9/11 will be with us for years, if not decadesâ (Sobel, 2002: 362). They go on arguing that privacy is diminished with little subsequent benefit, since very little has been put forward in terms of substantive security benefits.
On a more abstract level, there exists a political and philosophical discussion about the use of biometric technology which aims to understand how diverging assessments of biometrics, function in the public construction of the technology involved (Ploeg, 2005). This discussion does not seek to counter the constructions of technology by claiming that technology in itself is neutral, or that the degree of its threat to privacy depends on the specific use to which it is being put; instead, it is claimed that technology is highly political and normative (Winner, 1986; Adam, 1998). The main idea is that technology is the outcome of social processes and choices, and is continually in the process of being made (Ploeg, 2005).
It has been argued that ethical scrutiny begins with care for the other, and to relieve and to prevent suffering. The lesson taught by traditional bioethics should now apply to biometric technology (Mordini and Petrini, 2007). The effects of technology on the lives of people are studied, focusing not only on the immediate but also on the long-term social implications of biometric technology (Ashbourn, 2006).
1.1.3 State of Legal Research
The legal debate on biometric technology is generally restricted to the context of informational privacy, although occasionally physical privacy may also be relevant. Biometrics is treated as a technology that generates and processes a new type of personal data. In addition to general data privacy legislation, there are several legal initiatives to develop specific biometric regulations. For instance, there is âsoft lawâ, exemplified by the Privacy Code of the Biometrics Institute in Australia. There are, for instance, legislative initiatives in the United States at the state level such as the Biometric Identifier Privacy Act passed by the State of New Jersey Senate.8 Simultaneously, biometrics-related issues are beginning to emerge in concrete legal disputes that generate considerable regulatory controversy. Both in Europe and in the United States, there are now quite a large number of biometrics-related cases brought before the courts or the data protection authorities.9
Academic legal research on the use of biometric technology is relatively new and quite insufficient compared with the public debate. When the doctoral research project that this book represents began in early 2005, there had been (to my knowledge) little systematic and/or comprehensive study of biometrics from a legal perspective, although several articles, book chapters, and reports touched upon the topic.10 In 1998, Prins, a renowned legal scholar, was one of the first to analyse the impact of biometric technology on the area of fundamental rights as laid down in the European legal context (Prins, 1998). She set down some tentative first steps towards insight into the legal consequences of, as well as conditions for, the application of biometric technologies. She discussed issues related to fundamental rights, legal requirements for security measures, and the status of evidence. However, her analysis left quite a lot of issues open to discussion, which underlined the need for further study.
Three years later, Grijpink made another attempt at addressing the issues raised by biometrics and privacy law (Grijpink, 2001). With a solid technical background, he attempted to clarify the concepts and practical applications of biometrics, and put forward a number of basic rules to accommodate the use of biometric technology in a legally acceptable manner. However, the issues of how the law should be interpreted or improved in response to the technology were largely left untouched.
Official documents subsequently appeared. In August 2003, the âArticle 29 Data Protection Working Partyâ11 adopted a working document on biometrics. The working document reflects the view of the EU member statesâ data protection authorities on biometric systems and data protection, and it puts forward several recommendations for the development of such systems (Article 29 Data Protection Working Party, 2003). The Organisation for Economic Co-operation and Development (OECD) also focused on the matter and released in April 2004 a report on the use of biometric-based technologies (Working Party on Information Security and Privacy, 2004). In 2005, the Institute for Prospective Technology Studies at the European Commissionâs Joint Research Centre also published a report in which the impact of biometrics, including legal aspects, was described (European Commissionâs Joint Research Centre 2005). As part of that wo...