Every day, a staggering amount of biometric data gets collected around the world by airports, banks, telecommunications, stores, hospitals, government agencies, and a score of other entities. As biometric technology gets even more tightly woven into the fabric of daily life, people have grown comfortable with the idea of presenting themselves for biometric capture. Perhaps a little too comfortable — hardly anyone does so with a moment’s thought anymore.
The increasing adoption of biometrics should prompt people to become more concerned about regulation. Who is performing oversight functions on all activities that employ biometrics? Who is governing the standards that underpin the technology? What is being done to ensure accuracy, security, and privacy?
The need for a regulatory framework and standards for biometric technologies cannot be overstated. Biometric data is packed with sensitive personal information that can be used to identify individuals, pinpoint their locations, and even offer a glimpse into their emotional states. This makes it a tempting target for cybercriminals and state-sponsored hackers, who can use it for surveillance, political repression, blackmail, identity theft, and other malicious purposes.
Championing Consumer Protection
One agency that’s at the vanguard of regulating the technology is the Federal Trade Commission (FTC), the US agency responsible for enforcing consumer protection laws, which has been taking decisive steps to impose order on the use of the technology.
In 2020, the FTC settled with a company called which sold smart padlocks that could be unlocked using biometric data, such as fingerprints. The agency accused the company of making misleading claims about the security of its products, including claiming that its locks were "unbreakable," which turned out to be false.
The agreement prohibited the company from making false claims and ordered it to conduct a top-to-bottom security training program. It also required the company to get periodic third-party assessments and an annual compliance certification.
Then, in 2021, the agency entered into an out-of-court settlement with the developer of a photo storage app, which it sued for alleged misuse of facial recognition. The FTC accused the app of collecting facial images without consent, which it then allegedly used to train its algorithms. In addition, the app developer also failed to disclose its use of facial recognition in its privacy policy, which is in violation of the FTC Act.
Stepping up its game, the FTC further expanded its reach on May 18, 2023, with a unanimous decision that targeted healthcare apps violating privacy practices. More importantly, the agency issued a comprehensive policy statement addressing the misuse of biometric data in marketing and advertising initiatives.
This landmark policy aims at commercial entities leveraging customers' biometric data to sell technologies, which directly conflicts with FTC's mission to maintain privacy, enhance data security, and minimize potential biases.
Elaborated under Section 5 of the FTC Act, the policy statement provides a clear legal framework for the application of biometric technology for identification purposes. It goes a step further to specify instances where the misuse of this technology, particularly practices that may lead to unwarranted "surveillance", will invoke regulatory action. This recent move by FTC underscores its commitment to reigning in improper use of biometric technologies and upholding consumer protection in the evolving digital age.
Setting the Biometric Standards
Although non-regulatory, the National Institute of Standards and Technology (NIST), is playing an important role in the development of standards for interoperability and accuracy. Already, it has created several technical reports and guidelines outlining best practices and recommendations for biometric-based digital ID systems.
The NIST has come up with the Special Publication (SP) 800-76 series, which details technical specs for Personal Identity Verification (PIV) cards in use by federal employees and contractors. The said cards employ biometric data, such as fingerprints, to verify the identity of the cardholder. The publication specifies the format and content of the biometric data, as well as the security protocols for protecting that data.
In addition to these technical reports, NIST also conducts research and development programs meant to drive improvements and spur innovation in biometrics. It recently launched the "Face Recognition Vendor Test" (FRVT) program, which evaluates facial recognition algorithms submitted by vendors. This program is proving to be very valuable in identifying areas for improvement and providing benchmarks for measuring the accuracy of different systems.
Promoting Ethical Use and Sharing Knowledge
The Biometrics Institute, a non-profit organization, actively promotes the responsible and ethical use of biometric technology. As part of this mission, it serves as a neutral platform where members, ranging from biometrics users and vendors to academics and privacy advocates, can exchange knowledge and information. The Institute organizes events, seminars, and training sessions that focus on the various aspects of biometrics, such as technological advancements, ethical considerations, privacy impacts, and regulatory trends.
To assist its members in navigating the potential issues that may arise from implementing biometric systems, the Biometrics Institute has developed a Privacy Guideline. This comprehensive guideline helps organizations to consider key factors such as compliance with privacy laws, the rights of individuals, data security, and the principles of transparency and accountability.
By setting such standards, the Institute plays a crucial role in promoting the responsible use of biometric technology globally, helping to shape a future where biometrics support societal benefits without compromising individual privacy.
Harmonizing Data Protection
The EDPB provides guidelines, recommendations, and best practice documents to promote the uniform application of the General Data Protection Regulation (GDPR) across the EU, including those that relate to the processing of biometric data. Given the sensitive nature of biometric data, these guidelines are crucial for ensuring that businesses, public authorities, and individuals understand their rights and obligations when using biometric technologies. The EDPB's role in providing these crucial insights helps to build trust and confidence in the use of biometric technologies, whilst ensuring that fundamental privacy rights remain protected.
On May 17, 2023, the EDPB adopted the definitive version of its Guidelines on the application of facial recognition technologies in the sphere of law enforcement. Specifically designed to guide lawmakers at both the EU and Member State levels, these guidelines also provide valuable direction for law enforcement authorities and officers directly involved in deploying and using facial recognition technology.
This notable development underscores the EDPB's proactive role in shaping policy, providing vital guidance on the use of biometric technologies in law enforcement, and ensuring the protection of individual privacy rights in an increasingly digital society.
Advocating for Proper Use and Privacy
The International Biometrics + Identity Association (IBIA) is a non-profit organization championing the proper use of biometric technology to improve security, privacy, and convenience. It works with policymakers, government agencies, and private sector stakeholders in laying down standards for biometric technology.
The IBIA has developed several technical specifications for biometric systems, such as standards for data interchange and encryption. As a staunch advocate of the use of privacy-enhancing technologies in biometric systems, the IBIA has developed guidelines for the use of biometric systems in airports, calling on authorities to minimize the collection and storage of biometric data, and ensure that the data is encrypted and protected from unauthorized access.
In addition to developing standards and guidelines, the IBIA also works with lawmakers and other stakeholders in lobbying to legislate the responsible use of biometric technology, and the protection of individual privacy and civil liberties. The IBIA is strongly pushing for safeguards in the use of biometric technology in law enforcement, border security, and immigration control.
Biometrics is one of the most beneficial technologies known to man and is only becoming more pervasive every day. The remarkable growth of the technology should be accompanied by a serious concern for proper oversight and standardization to ensure protection of privacy and civil liberties, ensure accuracy and fairness, ensure interoperability, and build trust and transparency.
These organizations' proactive measures provide a sturdy foundation for the secure, beneficial, and privacy-respecting deployment of biometric technologies, shaping a future where we can confidently embrace these advancements without compromising our fundamental rights to security and privacy.