Biometric technology and privacy concerns are often perceived as being at odds with each other. The public frequently hold negative associations with biometric technology, yet biometric verification systems if done correctly need not be a threat to privacy or liberty. My hope here is to trigger debate between those of us who hold concerns about privacy, and an industry that is eager to find new applications for an emergent technology.
Let me start by talking a bit about privacy. It’s my view that many people are not rational when deciding what is or isn’t a threat to privacy. Many privacy campaigners get frustrated when the public and media seemingly ignore what we consider to be the biggest threats. Many of us have now realised that if people can’t see what happens to their data then they often don’t pay an interest in it. As the old saying goes, out of sight is out of mind.
To give you an example, we are now trying to raise concern about census information collect by the British government being trafficked through legal loop holes in ‘Section 39 of the ‘Statistics and Registration Service Act 2007’. Getting people excited about ‘Section 39 of the Statistics and Registration Service Act’ here in the UK is almost impossible. What does wind some people up is Lockheed Martin’s involvement. The idea of a US arms company secretly gaining information plays into anti-American sentiments. Sadly these sentiments trump the more realistic privacy concern of information being shared by British institutions within the country under British law.
Biometrics technology has a habit of triggering the same sort of response that a census worker knocking on the door might. Many folk have an emotive response when asked to hand over a bit of their biometric information. Often the biometric aspect of a system distracts people from what we consider the real privacy threat – mainly the logging and tracking of users interacting with a system, and the subsequent dissemination of information collected to external bodies.
To understand why biometric technology invokes such reactions we have to consider the visceral nature of having an attribute of your body captured. There is something about this physical process that seems instinctively intrusive to people. This sense of intrusion causes people to react in a manner that information shared behind their back doesn’t. Even the language of capturing biometrics suggests an infringement of freedom – that something about your person has been taken from you.
When we start to think about people’s emotive reaction to privacy issues we can understand why Google’s Street View ran into problems. People don’t like a strange car driving down their street and taking pictures of their property. This contrasts sharply with the mass retention of search terms by Google that I personally consider a far bigger privacy issue, but which only excites a minority. Yet this isn’t the only reason people dislike biometrics. Sadly they have become associated with many systems that are a threat to privacy.
Governments have consistently used claims based on biometric technology as a cover to establish systems that not only provide a verification service, but also control identity. Tony Blair claimed that “biometrics give us the chance to have a secure identity”, the Indian UID project claims biometrics help create a universal identity, and the Malaysian biometric MyKad ID card has been used to differentiate between people on the basis of their religion. In doing this governments have associated biometrics with attempts to control identity, and control people.
The organisation NO2ID, for which I work, defeated the British National Identity Scheme. The entire purpose of this scheme was to collect biometric and personal data of the entire population of the UK, to build the National Identity Register. Knowledge is power and a government that controls a national population register controls society. If you can’t legally interact with society and services on a day to day basis unless you are on the system, then your interactions are automatically governed by the bureaucratic rules established to govern the system.
Such schemes are inevitably popular with bureaucracies, oppressive states and governments. Not only do such organisations get to set the rules, but they get to generate an income from them. This is sustained either by directly charging citizens to enrol on the system or through general taxation. Globally a range of issues from under-age drinking, immigration to the distribution of aid have been used as justification for establishing governmental control over Identity. Such is the extent of this phenomena that quite a few campaigners now kick up a fuss at the very mention of biometric technology, whether or not the specific application is or isn’t a realistic concern. These government funded projects that use biometrics are starting to define biometric technology as an instrument of control.
It need not be this way. When designing a system there is no necessity to have a centralised register that logs and tracks each time a biometric verification occurs. Such logging and surveillance need not be a function of any biometric system. Biometric technology holds the possibility of enhancing privacy by reducing the need for us to provide multiple sources of personal information for the process of verification. It is possible to use a smart card platform to build a system where the encrypted biometric information is held only on a card, and only compared to local gathered scan, not a centralised database. Once you have been enrolled on such a system you do not need to leave a data trail every time you engage with it for the process of verification.
Entrepreneurs and campaigners need to work together to promote and encourage privacy friendly biometric solutions. Government projects that attempt to define identity and track citizens may provide great business opportunities for the select few lucky enough to win big projects, but they restrict the wider markets’ ability to provide biometric solutions. I mean why would anyone have invested in a privacy friendly process of age verification here in the UK when our Home Office was threatening to impose its monolithic monopoly on the market? Globally many governments don’t ‘do’ privacy, maybe if we roll back the database state and allow industry to create privacy friendly solutions together we can.
What are your privacy concerns about using biometrics? Please share them in the comments section below.