In most fields of technology, as new ideas and methodologies take root, parallel activities seek to introduce standards, best practice and a community approach to development. A popular example may be found in the World Wide Web Consortium, which seeks to develop open standards, protocols and guidelines for the web. In the field of biometric technology, standards have taken a very long time to emerge. And, those that do exist are not necessarily adhered to.
Large scale biometric applications, such as border control for example, have historically tended to blaze their own trail, establishing what they see as de facto standards. There are related standards, such as the International Civil Aviation Organisation recommendations for passports for example, but little in the way of accepted best practice or considerations around societal impact.
The need for biometrics use standards is important due to the societal impact of the wide scale application of this technology. For example, personal identity management tools based on biometrics, smart cards or RFID, have the potential to erode the relationship between citizen and state. Under the justification of defeating terrorism and organised crime, citizens are forced into a procedure with which they have little sympathy that may appear devoid of any logic, by what comes across as a ‘nanny State’.
Today, literally millions of individuals are having their biometrics taken and registered into databases of which they have little knowledge. Furthermore, this information is routinely shared between agencies and correlated with additional information from various data sources, building an effective profile, or persona for the individual, of which they are of course unaware.
The problem is that such activities may lead to incorrect inferences and data errors, which are likely to go unchecked and yet result in unexpected consequences. For example, when crossing a border, incorrect information or assumptions based upon a name or a profile may lead to an individual being denied entry or even arrested and interrogated, for reasons that they will not understand. In such a situation, it will be difficult for the individual to challenge the profile which is held for them.
Furthermore, and somewhat ironically, such developments uncover new opportunities for fraud, as the criminally inclined manipulate their cyber identities, knowing that their details will be picked up by these systems and fed into the mix. This may be viewed as an interesting perversion of the concept of Identity Theft. A situation exacerbated by our over-confidence in related technologies.
As curator of the Biometrics Research portal, I have sprearheaded two initiatives to attempt to make internationally agreed standards become the norm.
- The first would be the need to introduce a Biometrics Constitution to ensure the ethical and responsible use of the technology. This document would provide a framework of guiding principles to which those responsible for the design and installation of biometric systems, implementing agencies, including customs and immigration, and users may readily subscribe. It describes, in plain language, operational processes, data management, privacy and data protection, user psychology and, among other things, the importance of clarity of purpose when using biometric data.
- The second initiative is a proposal for the creation of an International Identity Foundation, a body which would act as a centre of excellence for identity management, including the use of biometrics. The need for such a body exists due to the ever growing sea of data being produced by both government agencies and commercial entities with respect to individual identity. Problems may arise as the data are increasingly shared across agencies and borders, particularly the case when we seek to apply ‘intelligence’. As a result, the potential for errors increases almost exponentially.
The consequence of not establishing a common framework and associated protocols is perhaps more serious than many might suppose. This is partly due to the mushrooming scale of applications, individual records and the myriad of interconnections being established. Their very existence increase the probability of errors, especially when key technical factors remain poorly understood. In addition, a lack of clarity of purpose conspires to limit the effectiveness of many operations. The claim that the introduction of such widespread measures is somehow defeating serious crime and terrorism, is one that is increasingly disputed. It is time to take stock of the situation and revise our thinking in several key areas.