Reports and Publications
OPC Guidance Documents
Data at Your Fingertips
Biometrics and the Challenges to Privacy
Canadians are witnessing a growing interest among government and private-sector organizations in adopting systems that use biometric characteristics to automatically identify people or verify their identity. But whether a fingertip, a face or an iris is being scanned, what’s being collected is personal information about an identifiable individual.
And that makes it our interest too.
The Office of the Privacy Commissioner of Canada has prepared this primer on biometrics and the systems that use them. It also describes some of the privacy implications raised by this emerging field, as well as measures to mitigate the risks.
What is biometrics?
The Canadian government is expanding its use of biometrics. For example, iris images are used in the CANPASS and NEXUS border clearance programs, fingerprints and iris scans are used to control access to secure areas in airports, and digital facial images are being proposed for electronic, or e-passports.
Originally, the word “biometrics” meant applying mathematical measurements to biology. Nowadays, the term refers to a range of techniques, devices and systems that enable machines to recognize individuals, or confirm or authenticate their identities.
Such systems measure and analyze people’s physical and behavioural attributes, such as facial features, voice patterns, fingerprints, palm prints, finger and palm vein patterns, structures of the eye (iris or retina), or gait.
Biometric data is collected at a starting point, referred to as the time of enrolment. Identities can subsequently be established or authenticated when new data is collected and compared with the stored records.
The most common example of a biometric is an ID photo used in a passport, driver’s licence or health card. Simply put, a person’s facial image is captured and stored, so that it can later be compared against another picture or a live person.
Biometric technology is typically used to identify individuals, or to verify that they are authorized to do certain things, such as driving a car or gaining access to a secure or restricted zone.
The physical and behavioural features that are recorded in a biometric system (for example, the person’s face, fingerprints or voice) are referred to as “biometric characteristics.” Unlike the personal data used in conventional (non-biometric) ID documents, these characteristics can serve as the foundation for robust and reliable identification systems.
Many biometric characteristics, for instance, can be highly distinctive, with little or no overlap between individuals. Fingerprints, irises and DNA are among the most distinctive characteristics, while facial features may be more similar among different people.
Certain physical characteristics, such as fingerprints and irises, also tend to be stable over time and difficult to alter. By contrast, other biometric characteristics, such as faces, change over time and can be further varied through cosmetics, disguises or surgery.
Biometric data is personal
Biometric systems record personal information about identifiable individuals. That means their use by the federal government falls under the provisions of the Privacy Act. Personal biometric data may also be collected, used or disclosed by private-sector organizations, which may fall under the jurisdiction of the Personal Information Protection and Electronic Documents Act, or PIPEDA. Both the Privacy Act and PIPEDA are overseen by the Office of the Privacy Commissioner of Canada.
Increasingly, the issues raised by biometric systems are also drawing the attention of privacy commissioners in Canada’s provinces and territories.
The Privacy Challenges
The special nature of the characteristics used in biometric systems can present privacy challenges that might not arise with traditional identification methods, such as paper documents.
Privacy principle: People should be informed if their personal information is being collected.
One concern is the covert collection and use of biometric data, simply because the data is publicly accessible.
Facial information, for example, can easily be captured without individuals being aware they are being photographed. Fingerprints can also be easily collected because people leave latent prints when they touch hard surfaces. New iris-based systems can also surreptitiously gather images of people's eyes from a distance of up to two metres. Similarly, palm and finger vein patterns can be captured covertly when people pass their hands over hidden recording devices.
Another privacy concern arises when a biometric trait collected for one purpose is used without a person’s knowledge and consent for a different purpose.
Privacy principle: Personal information should only be used for the purpose for which it was collected.
In biometrics, the potential for multiple uses stems from the fact that some characteristics, such as fingerprints, are relatively permanent and highly distinctive. That makes them a very convenient identifier that is both constant and universal.
Once this identifier is collected and stored in a database, it can easily be accessed and matched against future samples, even if they are collected in entirely different contexts.
While citizens often favour such cross-matching when police use fingerprints to track down suspects, the same technique can also rob innocent people of their right to live their lives in anonymity and freedom from surveillance.
Another privacy concern relates to the secondary information that may be found in biometric characteristics that were initially collected for a different primary purpose.
Privacy principle: Personal information should only be collected for a clearly identified purpose.
For example, iris images used in authentication systems can divulge additional information about a person's health, while the wearing down of fingerprints might suggest information about an individual’s occupation or socio-economic status.
The most powerful example is DNA, which not only identifies a unique individual, but also reveals a wide range of health information.
Designing a Biometric Initiative
Canada does not currently have a policy on the use of biometrics by the government or the private sector. As such, there are no minimum standards for privacy, the mitigation of risk, or public transparency.
Even so, the Office of the Privacy Commissioner of Canada is persuaded that many of the approaches now widely used to strengthen privacy protections in other fields could and should also be applied to initiatives that use biometrics.
First and foremost, it is imperative for any government or private-sector organization proposing the use of a measure that could have implications for people’s personal information to take privacy considerations into account from the start.
It is far more effective to build privacy solutions into the very fabric of the initiative than to try to add them later.
In addition to reviewing Privacy Impact Assessments, the Office of the Privacy Commissioner of Canada may also conduct privacy audits of government or other organizations, to ensure their activities are consistent with privacy laws. In the event that an individual files a complaint about a biometric program, the Office can also conduct an investigation and make recommendations aimed at strengthening privacy safeguards.
Privacy concerns should, moreover, be addressed at all stages of the lifecycle of an initiative, from its design through its implementation, evaluation and even dismantling.
Privacy Impact Assessments
A Privacy Impact Assessment is a process intended to help organizations consider the impact that a new or substantially modified initiative can have on people’s privacy, especially when personal information is being collected. The process is useful for any organization, and our Office encourages companies to go through the exercise. Tools and guidance can be found on our website.
The process is mandatory in the public sector, however. Federal institutions proposing a program, policy or service with implications for privacy are required to submit a Privacy Impact Assessment to our Office for review. We often work with the institution to offer advice and recommendations for strengthening privacy safeguards.
Passport to privacy
Passport Canada has worked with our Office for several years to identify and mitigate privacy risks associated with the deployment of an e-passport containing biometric information on an electronic chip. Through the Privacy Impact Assessment process, we stressed the need to:
- restrict the data stored on the chip to only that essential for passport purposes;
- secure the information stored on the chip;
- ensure proper disposal;
- avoid the development of centralized databases containing biometric information;
- foster citizen awareness and buy-in through public information campaigns.
Is it appropriate? The four-part test
No stamp of approval
Our Office applies the four-part test for appropriateness in several ways, including in investigations.
In 2008, for instance, the test helped clarify the issues in a complaint about the Law School Admission Council’s practice of collecting thumbprints of people writing a standardized admission test for law schools. The council said the collection aimed to deter cheaters who hoped to slip in substitute test writers.
We concluded, however, that a thumb stamp was not essential for authenticating the identity of test writers, and not effective in the way it was being used. This resulted in a disproportionate invasion of privacy.
By definition, any collection of personal information has implications for privacy. Initiatives can also affect privacy in other ways, including affecting people’s human dignity or expectations of anonymity.
Therefore, before deploying a new system, (including a biometric one) with implications for privacy, an organization should be able to clearly justify the prospective privacy intrusions. To guide this analysis, our Office encourages organizations to apply a four-part test. Adapted from a 1986 Supreme Court of Canada decision in R. v. Oakes, the test weighs the appropriateness of a potentially privacy-invasive measure in light of four questions:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Would the loss of privacy be proportionate to the benefit gained?
- Is there a less privacy-invasive way of achieving the same end?
Because there are privacy issues associated with all biometric systems, a proposed system should not be adopted simply because it appears to be the most convenient or cost-effective option.
Instead, organizations proposing a biometric solution have to determine what specific problem they hope to solve, and whether the proposed system is essential for satisfying the need.
Think of it as "biometrics when necessary, but not necessarily biometrics.”
Experience and formal testing have shown that biometric systems can fail for various reasons, including turning up false matches or non-matches, and failing to properly capture biometric information.
Indeed, failure rates of one percent are common for many systems. Organizations considering biometric solutions must weigh the impact of such rates on the potential success of their program.
It’s also important to remember that even low failure rates can have a significant impact when a system is scaled up to involve thousands or even millions of people.
A second consideration is whether the proposed biometric system is likely to be effective in meeting the identified need. Different biometric characteristics have attributes that can make them more or less appropriate for specific purposes.
For example, facial recognition systems are popular, in part because of the wide availability of passport photos and other facial images in databases – not to mention pictures that can be captured covertly. And yet, because facial features are neither permanent nor unique, facial recognition systems cannot be counted on to identify people with a high degree of certainty.
All biometric systems involve some loss of privacy because personal information is stored and used for authentication. In analysing the appropriateness of a proposed biometrics measure, a third consideration is whether the resulting loss of privacy would be proportional to any anticipated benefit. If the benefit is relatively minor, such as an increase in convenience or a slight cost saving, then the loss of privacy may not be appropriate.
In testing for proportionality, organizations should bear in mind that certain biometric characteristics are more privacy-sensitive than others. Fingerprints, for example, are especially sensitive because they can be collected covertly, linked across applications and databases, and used in law enforcement. Any proposal to use fingerprints in a biometric initiative would, therefore, have to promise extraordinary benefits.
A toast to privacy
Consider the “carding” of young people wanting to enter a bar. Currently, most establishments ask for a traditional ID document, such as a driver’s licence. The licence includes a date of birth, which verifies that the patron is of legal drinking age, and a photo to authenticate that the person at the door is the rightful holder of the licence.
The problem, from a privacy perspective, is that the licence contains far more data than required for the carding purpose, including the individual’s name, address and sometimes even certain medical conditions.
There are, however, better alternatives. For instance, patrons could carry an anonymous credential document that simply states they are of legal drinking age, but contains no other personal information. An otherwise anonymous fingerprint match is then used to prove that the patron at the door actually owns the document. No further personal information comes into play.
The fourth factor in weighing a biometrics proposal is to consider whether less privacy-invasive methods could achieve the desired goals.
The bigger picture
In considering the deployment of a new biometric system, organizations, especially government institutions, should also reflect on the bigger picture.
Almost any biometric system will have some impact on people or society. The question is whether it dovetails with the values of the affected community in particular, and a free and democratic society in general. Is the proposed system, in short, in the best interest of Canadians?
In many situations, for example, traditional identification documents containing facial photographs are adequate for the identified purpose. Indeed, research on face recognition has shown that humans examining a facial image can often perform as well as automatic biometric systems.
Other forms of authentication that do not collect biometric information may also work for certain tasks. For instance, smart cards can be used to confirm a person’s identity or claim of entitlement to a specific product or service. When combined with other measures such as secret passwords, such cards can offer effective authentication without the need for biometric characteristics.
If a proposed biometric system can be justified against the four-part test, it is imperative that it be designed, implemented, evaluated and even eventually dismantled in a way that takes privacy into account.
Our Office and other organizations concerned with the privacy implications of biometric systems have proposed several principles that would help strengthen privacy safeguards for such systems.
Recording summary information
Some systems record biometric information as raw data. For fingerprints, for example, raw data consists of an image of the print itself, which could be obtained with a traditional ink-and-press technique or a modern finger scanner.
A more privacy-sensitive alternative, however, is to extract certain information from the biometric characteristic, and to record only a “template,” or mathematical summary of it.
In the case of fingerprints, it is common to extract and record only information about specific key features. When a new fingerprint is subsequently collected for matching, the same extraction is repeated and the features are compared.
Recording only summary information is more privacy-friendly because some personal information is discarded after the data extraction.
Templates may also be confined to unique and specific applications. This makes it more difficult to match summary data across applications, especially if different – perhaps proprietary – feature extraction methods are used. This, in turn, helps reduce the risk of unauthorized or inappropriate data matching.
Further, recording only key feature information reduces the likelihood of biometric data being used for unforeseen secondary purposes. For example, health information is unlikely to be extracted from raw images of a person’s iris if only a summary of the biometric information is recorded.
Technologies already exist to transform biometric information into templates that are specific to a single purpose. Examples of such private biometric schemes include biometric encryption, cancellable biometrics and biometric tokens. Our Office supports the development and adoption of such privacy-protective techniques.
Verification, not identification
Another privacy-friendly principle is to use biometric information for verification rather than identification.
In a verification implementation, a person makes a claim about an identity, perhaps by presenting an ID document, and the claim is verified with a biometric characteristic, such as by matching a fingerprint image to one stored on a smart card.
This requires a “one-to-one” match between a newly presented biometric sample and one that was previously recorded and stored. Biometric information of other people is not involved in the verification process. If the storage device is lost or stolen, the personal information of only one individual is at risk.
By contrast, an identification implementation works by comparing a new fingerprint or other biometric sample against all the records in a database. This “one-to-many” matching, which involves the biometric information of numerous other people, raises privacy concerns because of the heightened risk of false matches and data breaches.
Whenever possible, biometric information should be stored locally rather than in central databases. Local storage can include computer systems used by individuals, or security tokens, such as smart cards, held by end users.
Centralized storage heightens the risk of data loss or the inappropriate cross-linking of data across systems. Local storage, by contrast, gives individuals more control over their personal information.
Privacy is fundamentally about choice and control. The enjoyment of privacy includes choosing what personal information to reveal, to whom and why.
Biometric systems used to manage access to a program or service may involve some narrowing of options – and, thus, an erosion of control. In order to secure a passport, for example, a person must consent to the use of a facial image.
The government’s use of biometric systems adds a further dimension to this erosion of control. In many types of interactions with the state, individuals have no choice but to relinquish personal information – often sensitive information, sometimes in significant amounts. Indeed, personal data is generally the currency exchanged for government programs, services or entitlements.
Many forms of biometric information, such as fingerprints and facial images, can also be collected without a person’s knowledge, let alone consent. They can, therefore, be used to surreptitiously monitor and track people’s movements and behaviour.
For all these reasons, it is imperative that government institutions and other organizations think carefully before proposing initiatives that call for the collection, use or disclosure of biometric information.
The challenge is to design, implement and operate a system that actually improves identification services, without unduly compromising privacy. Organizations have choices, and they need to make the right ones.