Biometrics is one of the key technologies underpinning critical security applications. Biometric techniques automatically measure and compare an individual's distinctive physical or behavioural attributes, such as their fingerprint, voice, iris pattern or signature.
An increasing number of companies are developing biometric security products. The recent incorporation by Microsoft of a biometric API (application programming interface) into its Windows 2000 server operating system is likely to inject new life into the development and marketing of biometric products. Research firms have predicted that there will be widespread use of biometric devices within a couple of years (see, e.g., "My face is my passport" in Personal Computer World, August 2001, pp. 128-132).
One key point to note at the outset is that biometric systems fall into two distinct groups: verification systems and identification systems. A verification system answers the question "is this person who they claim to be?": the live sample is compared one-to-one against the single template associated with the claimed identity (for example, a template held on the user's own smart card), so the system confirms the claim without having to search for the person. Verification is key for online business: being able to rely on the identity of your counterparty in an online contract is essential to ensure that a contract is effectively made. (The legal status of digital signatures is addressed below.) By contrast, an identification system stores the biometric images or templates of a whole population in a database and compares a live sample against every stored entry, one-to-many, in order to establish who the person is.
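To make the distinction concrete, here is an added illustration (not code from the original article) of a one-to-one verifier and a one-to-many identifier working over the same toy template database. The template values, the identities and the 0.20 decision threshold are constructed assumptions standing in for a real product's feature extractor and tuning. The last function shows why a one-to-many search has to be tuned more strictly than a one-to-one check: every additional enrolled template is another chance for a stranger to be falsely accepted.

```python
"""Verification (1:1) versus identification (1:N) matching.

Added illustration, not code from the original article. Templates are
constructed 32-bit toy values standing in for iris-code-style bit strings;
a real product's feature extractor, template size and threshold differ.
"""
from typing import Dict, Optional

TEMPLATE_BITS = 32

# Constructed enrolment database: identity -> template (toy data).
ENROLLED: Dict[str, int] = {
    "alice": 0xB2E15C39,
    "bob":   0x4D1EA3C6,   # bitwise complement of alice: maximally different
    "carol": 0xB2E153C6,   # alice with the low 12 bits flipped
}

# Decision threshold (assumption): fraction of bits allowed to differ.
# Lowering it reduces false accepts at the cost of more false rejects.
THRESHOLD = 0.20

# A live sample from alice with 4 bits of acquisition noise (constructed).
GENUINE_PROBE = ENROLLED["alice"] ^ 0xF0000000


def hamming_distance(a: int, b: int) -> float:
    """Fraction of differing bits: 0.0 identical, 1.0 complementary."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(claimed_id: str, probe: int, db: Dict[str, int] = ENROLLED,
           threshold: float = THRESHOLD) -> bool:
    """1:1 - compare the probe only against the template of the claimed identity."""
    template = db.get(claimed_id)
    if template is None:
        return False  # unknown claim: fail closed rather than fall back to a search
    return hamming_distance(template, probe) <= threshold


def identify(probe: int, db: Dict[str, int] = ENROLLED,
             threshold: float = THRESHOLD) -> Optional[str]:
    """1:N - compare against every template; return the closest identity
    within the threshold, or None if nobody is close enough."""
    best_id: Optional[str] = None
    best_dist = 1.0
    for uid, template in db.items():
        d = hamming_distance(template, probe)
        if d < best_dist:
            best_id, best_dist = uid, d
    return best_id if best_dist <= threshold else None


def identification_false_accept_rate(single_far: float, n: int) -> float:
    """Probability that a stranger matches at least one of n enrolled
    templates when each 1:1 comparison has false-accept rate single_far.
    This is why 1:N systems need a tighter threshold than 1:1 systems."""
    return 1.0 - (1.0 - single_far) ** n
```

With the constructed data, the noisy sample verifies against "alice" and is rejected when presented with the claim "bob", while a sample equidistant from every template (such as all-zero bits) is returned as no match by the identifier. A per-comparison false-accept rate of one in a thousand becomes roughly a 63% chance of some false match once a thousand templates are searched.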
The most commonly used biometric techniques measure external physical characteristics. Such techniques are important for criminal investigation as well as for commercial dealings. For example:
- Fingerprint recognition - Of them all, this is probably the most common technique. Its best-known use is in criminal law, where a suspect's fingerprints are taken to see if they match those recovered from a crime scene. Fingerprinting is increasingly used as a security measure in the defence and immigration spheres. Accuracy is commonly quoted at around 99.9%, although any such figure depends on how the system trades false acceptances against false rejections.
- Iris recognition - This is generally regarded as the most accurate form of identification but also the most complex: the patterns in the coloured ring of tissue that surrounds the pupil are analysed.
- Facial recognition - This is also a commercially viable technique, frequently referred to as CFR (Computerised Facial Recognition). Face recognition technology maps the measurements of a face using a number of reference points, such as the centres of the eyes, the bridge of the nose and the location of the cheekbones.
- Hand geometry recognition - Here, a scan is taken of the shape and characteristics of a person's hand. Although not as common as fingerprinting, it is used across Europe and the USA in airports, computer facilities, government buildings and some hospitals.
- Voice recognition - Increasingly used by police and investigatory agencies, voice recognition does not rely on the tone of the voice as such but isolates characteristics of the way the speaker physically produces speech.
The application of biometric technologies does not stop there. Scientists are researching areas such as body odour recognition, in which the mixture of volatile chemicals given off by an individual is analysed.
Whilst the human body is a great source of distinctive identifying data, the collection and analysis of such data raises questions of privacy and human rights. Is it right that, to gain access to premises, an individual should be required to submit to an eye scan? And having done so, what information is being processed to decide whether that individual may enter?
Legal Right to Privacy
In the UK, there is no privacy law as such. There are, however, a number of measures that protect an individual's privacy.
- Data Protection Act 1998 - As biometric devices process information that will verify or identify an individual, their use gives rise to a number of data protection issues. The Act implements Directive 95/46/EC, which seeks to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, and to prevent the free flow of personal data between Member States being restricted or prohibited for privacy reasons. The processing of biometric information by automated biometric security devices falls under the Act. If the biometric information used for identification or verification can be used to determine the racial or ethnic origin or the health of the person, it will be subject to the more restrictive "sensitive personal data" regime. The use of biometric techniques will therefore have to comply with the Act. In relation to biometric information, the Information Commissioner has stated that: "[t]he holding of biometric information--and in particular finger scans--raises genuine concerns about the safeguards that will be in place to ensure that this information is not made available for purposes other than those identified with the identity card scheme".
- The Human Rights Act 1998 - Article 8 of the ECHR is of particular importance to employers who monitor their workforce. Article 8(1) provides that everyone has the right to respect for his private and family life, his home and his correspondence. All public bodies, including the courts and tribunals, have to act in a manner that is compatible with the provisions of the ECHR, unless primary legislation makes this impossible. In the Court of Appeal decision in Douglas and others v. Hello! Ltd, although Brooke L.J. did not rule on the issue, he appeared to favour the view that judges should develop the common law to give appropriate recognition to Article 8(1) rights and, in doing so, should take into account the positive duties identified by the ECHR. Sedley L.J. was more robust in his approach, and if his and Brooke L.J.'s comments are followed by the UK courts, the common law should develop to secure respect for an individual's private life. At the moment, however, it is difficult to predict the approach the UK courts will adopt when balancing the principles of legality and proportionality against the individual's right to privacy.
New European Legislative Initiatives
Separately from the issues of privacy, there is no doubt that the three security pillars of identity, authentication and non-repudiation are strengthened by biometrics. In the EU, legislative measures have been introduced to encourage and facilitate the use of such techniques in order to promote e-commerce.
- E-Commerce Directive - This is one of the EU initiatives designed to encourage e-commerce. A draft proposal is expected from the UK government following the conclusion of its consultation exercise on the Directive's implementation in the UK. Member States have until 17 January 2002 to implement it and, given the relatively early stage of implementation, it is difficult to foresee with any degree of certainty what the effects of the Directive will be, especially on those commercial electronic systems that use biometrics. The best that can be said at present is that, to the extent that a restriction on the use of biometric systems imposed by a Member State impedes e-commerce, it could contravene the Directive.
- Digital Signatures Directive - The UK (along with six other Member States) has partially implemented this Directive. One of its aims is to ensure the legal recognition of what it terms "advanced" electronic signatures across Europe. An "advanced" electronic signature is one that is uniquely linked to the signatory, is capable of identifying him, is created using means under his sole control, and is linked to the data to which it relates in such a manner that any subsequent change to the data is detectable; where such a signature is based on a qualified certificate and created by a secure signature creation device, it is to be given the same legal status as a handwritten signature. A biometric identifier on its own is merely attached to a document. Unless a further technical step is taken to link the identifier with the data or documents to which it is attached, in such a way that any attempt to change the data would be detectable, it is unlikely that under this legislation a biometric identifier alone can serve as an advanced electronic signature.
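The difference between attaching a biometric identifier and binding it to the signed data is easy to see in code. The following is an added illustration, not code from the original article or from any product: scheme A appends the biometric template to the document, scheme B has the signing device release a key after a successful match and sign a digest of the document. HMAC-SHA256 stands in for the asymmetric signature a real secure signature creation device would produce, and the template, key and contract text are constructed.

```python
"""Attaching a biometric identifier versus binding it to the signed data.

Added illustration, not code from the original article. HMAC-SHA256 stands
in for the signature a secure signature creation device would produce; in a
real scheme the key is released only after a successful biometric match and
the signature is asymmetric so that third parties can verify it.
"""
import hashlib
import hmac

SEP = b"||"

# Constructed enrolled template (toy 32-bit value as bytes).
ENROLLED_TEMPLATE = (0xB2E15C39).to_bytes(4, "big")


def naive_attach(document: bytes, template: bytes) -> bytes:
    """Scheme A: simply append the biometric template to the document."""
    return document + SEP + template


def naive_check(blob: bytes, enrolled: bytes) -> bool:
    """Scheme A check: does the attached template match the enrolled one?
    Nothing ties the template to the document content, so a changed
    document carrying the same template still passes."""
    _document, _, template = blob.rpartition(SEP)
    return hmac.compare_digest(template, enrolled)


def bound_sign(document: bytes, device_key: bytes) -> bytes:
    """Scheme B: after a successful match the device releases device_key and
    signs a digest of the document, so the value depends on every byte."""
    digest = hashlib.sha256(document).digest()
    return hmac.new(device_key, digest, hashlib.sha256).digest()


def bound_verify(document: bytes, signature: bytes, device_key: bytes) -> bool:
    """Scheme B check: recompute over the presented document; any change fails."""
    return hmac.compare_digest(bound_sign(document, device_key), signature)


def demo() -> dict:
    """Run both schemes against an original and an altered contract."""
    key = b"constructed-device-key"   # assumption: secret held inside the device
    original = b"I agree to pay 100 EUR on 1 March 2002."
    altered = b"I agree to pay 900 EUR on 1 March 2002."

    blob = naive_attach(original, ENROLLED_TEMPLATE)
    # An attacker swaps the document but keeps the attached template.
    tampered_blob = naive_attach(altered, ENROLLED_TEMPLATE)

    signature = bound_sign(original, key)
    return {
        "naive_original_ok": naive_check(blob, ENROLLED_TEMPLATE),
        "naive_tampered_ok": naive_check(tampered_blob, ENROLLED_TEMPLATE),  # undetected
        "bound_original_ok": bound_verify(original, signature, key),
        "bound_tampered_ok": bound_verify(altered, signature, key),          # detected
    }
```

Scheme A accepts the altered contract as readily as the original, which is exactly the gap the Directive's "any subsequent change is detectable" requirement closes; scheme B rejects it because the signature was computed over the original bytes.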
Biometric devices present an opportunity to introduce another level of security into many systems and also to increase confidence in e-commerce. The EU is keen to encourage e-commerce in general and Biometric devices should be in a position to take advantage of this. Undeniably biometric devices will present both privacy and data protection issues that will have to be addressed. Provided, however, that the issues are considered in advance and appropriate safeguards put in place, biometric devices may be cast in the role of gamekeeper rather than poacher--operating to secure rather than endanger data protection and individual privacy.
Written by Mark O'Conor and Lisa Comber. Due to be published in MIS Magazine in January 2002.
Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.