People tend to think that digital copies of our biological features, stored in a government-run database, are problems of a dystopian future. But governments around the world are already using such technologies. Several countries are collecting massive amounts of biometric data for their national identity and passport schemes—a development that raises significant civil liberties and privacy concerns.
Biometric identifiers are inherently sensitive data. As European privacy watchdogs have said, biometrics changes irrevocably the relationship between body and identity, because they make the characteristics of the human body “machine-readable” and subject to further use. This is why such identification schemes become particularly dangerous when used with unreliable biometric technologies that can misidentify individuals.
Regulators in several jurisdictions continue to romanticize the security and accuracy of face, fingerprint, and iris automatic recognition biometric technologies. But the existence of a significant amount of falsified biometric identification documents raises questions as to whether these technologies are too unreliable to prevent fraud, thus providing individuals and governments with a false sense of security.
Automatic Face Recognition in Border Control
Biometric data of individuals’ faces has been used since 2007 at various European border checks. Eleven airports in the United Kingdom now have e-passport gates that scan EU travelers’ faces and compare them to measurements of their facial features (i.e. biometrics), stored on a chip in their biometric passports. Although error rates of state-of-the-art facial recognition technologies have been reduced over the past 20 years, these technologies still cannot identify individuals with complete accuracy. In an incident in 2011, the Manchester e-passport gates let through a couple that had mixed up their passports. The UK Border Agency subsequently disabled the Manchester gates and launched an investigation.
Similar e–passport gates have been introduced in Australia and New Zealand. During the early stages of testing in Australia, the technology showed a six to eight percent error rate. Moreover, this technology also misidentified two men who exchanged passports. Nevertheless, the government refused to disclose the final error rates, citing security concerns.
Digital Fingerprint Recognition
U.S. law requires visitors to submit biometrics to a central database in the form of a digital fingerprint when seeking a visa or when entering the country. EU law further requires all passports for 26 countries in the Schengen area (the borderless zone within European countries) to contain digital fingerprint data on a chip.
The United Kingdom—a non-Schengen country—contemplated introducing fingerprints voluntarily as part of a biometric passport 2.0, but ultimately decided against it. The UK government was preparing to launch a biometric national identity card, for which it gathered fingerprints from 15,000 volunteers for the project. But the new government “didn‘t believe IDcards would work“ and physically destroyed the pilot identity databases. However, in 2010, the UK National Policing Improvement Agency also conducted a pilot test to provide police officers with digital fingerprint scanners that could remotely match individuals’ fingerprints against a central database. The outcome of this project is unknown and, when questioned, the agencyrefused to disclose the error rates that resulted from its tests.
In the Netherlands, the database storage of digital fingerprinting for travel documents washalted following questions over the reliability of the biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections (cases in which there is a “no-hit” for a lawful holder of a travel document) is too high to warrant using fingerprints for verification and identification. Currently, only fingerprints onto Radio Frequency Identification (RFID) chips in ID documents are being collected.
A German court recently asked the EU Court of Justice for a preliminary ruling on the legality of biometric passports with RFID chips, which are readable from a distance. The German court questioned whether the EU regulation that requires biometric passports in Europe is compatible with Charter of Fundamental Rights of the European Union and the European Convention of Human Rights.
In France, a report last year disclosed the questionable security of biometric passports. It showed that 10 percent of biometric passports were fraudulently obtained for illegal immigrants or people looking for a new identity. Following the issues with respect to biometric passports in the various EU countries, Members of the European Parliament have queried the European Commission about the reliability of these biometric passports.
Iris Scan Identification
In preparation for the UK’s national ID card scheme, the UK government noted that there was little research indicating the reliability of iris scan identification. The government initially relied upon unpublished and unverified results from an airport trial. There were concerns that “hard contact lenses,” “watery eyes and long eyelashes” could prevent accurate scanning. The government then asked the National Physical Laboratory (NPL) to test the technology. The NPL chief research scientist stated in the news that “technologies like iris scanning are accurate enough for the ID cards application but only provided they are implemented properly and one has appropriate fall-back processes to deal with exceptional cases.” But a study has shown that it is difficult to enroll disabled individuals into an iris database. The success of enrollment also significantly varies depending on race and age, suggesting further errors if the technology were implemented. Additional testing of iris scanners has been initiated by the U.S.Department of Homeland Security.
In summary, governments have failed to support their claim that such technologies actually improve security. These governments have not proved that the technology is reliable enough to prevent fraud. Of course, the reliability of the technology is only one aspect of the different problems around governments’ collection of biometrics, including privacy, security, profiling, discrimination, and other civil liberties. EFF will continue monitoring this issue. Stay tuned!
Katitza Rodriguez is EFF’s international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF’s International Program also focuses on cybersecurity at the intersection of privacy, freedom of expression, and copyright enforcement.