A wide array of biometrics schemes are being introduced, with a complete disregard for security and privacy of the people they are being imposed upon. Now even school-children are being trained to submit to biometric measurement, and to accept continuous surveillance as part of life.
This document expresses the APF's policy in relation to biometrics. In brief, the APF's policy is that all biometric schemes should be the subject of a moratorium. That is to say that no biometric schemes should be implemented, and existing schemes should be oulawed, until and unless comprehensive laws have been brought into effect to regulate them, their use has been demonstrated to be justified, and their design has been certified to be compliant with the law.
A biometric is meant to be a measure of some aspect of a human being that is unique. Few if any biometrics are actually unique; but the technology providers promote the myth, and user organisations happily believe it. A great many biometric schemes have been invented, and most have failed and disappeared. Those currently in the market include fingerprints, hand geometry, iris scans and so-called 'face recognition'.
In general, biometric schemes involve a 'reference measure' being acquired for a person, together with an identifier such as their name, and stored somewhere. Subsequently, 'test-measures' can be compared against the reference measure. The measurements are always inaccurate, and the matching is always 'fuzzy'; so results should be expressed as probabilities. That is administratively inconvenient, however, so biometric systems determine a Yes/No result, based on some more or less arbitrary threshhold.
Biometrics can be used for authentication. In this case, a test-measure is compared against a single reference-measure, and the decision is either that the person is accepted as being the right one, or rejected. Alternatively, biometrics can be used for identification, in which case the test-measure is compared against large numbers of reference-measures. Authentication uses are error-prone, and identification uses are highly error-prone, in some cases such as 'face recognition', hugely so.
Biometrics have been proposed for such uses as determining guilt or innocence, recording attendance (e.g. by school-students, employees, or people on parole, or on remand), control ling access to secure areas, checking that a token (such as a passport or credit-card) is being presented by the person it was issued to, and identifying people (e.g. at border-crossings).
There are boundary cases that can be defined to be biometrics or not. For example, 'face recognition' technologies are not based on any unique identifier, and do not recognise faces. Despite their appalling error-rates, however, they are treated by most observers as though they were biometrics.
There are also closely related areas, in particular what might be called 'imposed biometrics'. These are techniques for imposing a unique identifier onto a human being. They include brands, RFID tags in tightly-attached devices such as bracelets and anklets, and embedded chips. Such 'imposed biometrics' are not expressly addressed in this document.
Biometrics are imposed on people by powerful organisations. No meaningful consent is involved. In some circumstances, the biometric measures may be acquired even without the person's knowledge.
Biometrics invade the privacy of the physical person, because they require people to submit to measurement of some part of themselves. In many circumstances, people are required to degrade themselves, and submit to an act of power by a government agency or corporation, e.g. by presenting their face, eye, thumb, fingers or hand, or having body tissue or fluids extracted, in whatever manner the agency or corporation demands.
Biometrics invade the privacy of personal behaviour, because they are a key part of schemes that provide government agencies and corporations with power over the individual, which not only acts as a deterrent against specific undesirable behaviours, but also chills their behaviour generally.
Biometrics invade the privacy of personal data, because biometric measurements produce highly sensitive personal data, and that data is then used, and in many cases stored and re-used, and is available for disclosure, e.g. by the Australian government to other governments including the U.S. immigration and national security agencies.Biometric schemes are seriously insecure. Biometric technologies are generally able to be subverted in order to produce an 'artefact', by which is meant a means of performing 'masquerade'. In other words, biometric measures can be used by some other person to commit identity fraud or outright identity theft, and to create and 'plant ' false evidence.
Because biometrics are so highly privacy-invasive, it is totally inappropriate for organisations to implement schemes without conducting very careful design, carefully demonstrating the effectiveness of the scheme and the ineffectiveness of alternatives, performing privacy impact assessments (PIAs), and preparing cost-benefit analyses that show conclusively that the benefits justify the costs and disbenefits to all parties involved, including and especially the people it is imposed on.
For the reasons discussed below, most schemes are not effective, and have enormous downsides that impact on the people involved. Most potential biometric schemes would fail the test, and should not be implemented. Those that have been implemented should be subjected to critical assessment. This would result in the abandonment of many existing schemes.
Biometrics tries to impose rigid technology on soft human biology, in enormously varying contexts. Among many other challenges, the nominally unique features are mostly three-dimensional, and vary over time, and hence it is simply not feasible to 'capture' a representation of the features into digital form in a consistent manner. The equipment has to cope with many different environmental conditions (such as the strength and angle of light, and the humidity and temperature). It is impossible to force standard manual procedures on lowly-paid security staff.
The comparisons performed between measures ignore all the subtleties and reach a decision that is more or less arbitrary. A proportion of people (perhaps 2-5%, or at least 400,000 Australians) are 'outliers' whose measures will always be problematical (e.g. because their fingerprints are faint, or worn down). A further serious problem is that many people only sullenly accept the imposition, and some (both innocent people and troublemakers) actively resist it and seek to subvert it.
The consequences of these problems is that there are many errors, and tolerance-ranges have to be set quite high. Errors that are 'false-negatives' mean that the system doesn't achieve its primary objective. False-positives, on the other hand, waste time and resources.
The large numbers of false-positives and false-negatives rebound on the subjects much more than on the scheme sponsors. Everyone that is subject to such errors suffers at least inconvenience and embarrassment. There are much more serious imposts on some people, who are falsely accused of misbehaviour or crime, unjustifiably detained by authorities, miss their plane, etc.
Few people understand how biometric systems work, and hence very few people are in any way capable of prosecuting their innocence. Very few of the staff administering biometric systems, or their supervisors, are capable of carrying on a sensible conversation about the errors involved.
Proponents of biometrics spread misinformation, suggesting that biometric schemes are necessary to combat terrorism. This is simply false (e.g. Schneier 2001, Ackerman 2003, Clarke 2003). Terrorists are defined by the acts that they perform, not by their biometric. Virtually no terrorist act, ever, anywhere, would have been prevented had a biometrics scheme been in operation.
Far from solving masquerade and identity theft, biometrics are actually part of the problem. People tend to treat biometrics as though they were highly reliable. So people are highly unlikely to detect a successful masquerade that subverts biometric technology.
Added to that, many biometric schemes involve reference-measures and test-measures being exposed in the data-gathering equipment, networks, intermediate storage and long-term storage. Particularly in long-term storage, the data is highly attractive, and it is impossible to prevent unauthorised uses and 'function creep' to new purposes.
Biometrics lays the foundation for corporations and the State to extend their power over individuals. People are cowed by the knowledge that their actions are monitored and recorded. Organisations are in position to deny access to services, premises and transport to people who whose identity they are unable to authenticate, or who they (rightly or wrongly) deem to be a particular person whom they have blacklisted. Widespread application of biometrics could see these powers extended to something so far only seen in sci-fi novels and films – outright identity denial.
The protections that are needed against the ravages of biometrics include:
There is an almost complete absence of such protections. There are virtually no statutory protections in place.
A Biometrics Privacy Code has been published, and accepted by the Privacy Commissioner – and has been almost completely ignored by technology providers and user organisations. The Code was produced by the so-called Biometrics 'Institute'. But that organisation is merely an industry association, and one that grossly compromises accepted principles by including both sellers and buyers inside a single lobby-group. And the purpose of the 'Institute' in publishing its Code was to forestall formal regulation. The public interest has been relegated to the role of an onlooker.
Biometrics technologies are far too dangerous for their unregulated use to be permitted. A ban must be imposed on the application of biometrics technologies until and unless a comprehensive and legally enforced regulatory regime has been established. Existing applications of biometrics must be withdrawn and not permitted back into operation until they have established compliance with that protective regime.