Beruflich Dokumente
Kultur Dokumente
Contents ............................................................................Page
I. Introduction........................................................................ 2
I. Introduction
II. Biometrics
A. Biometrics Overview
B. Terminology
4. Verification
Biometric systems conduct verification by comparing a new
biometric to one or more biometrics previously enrolled in the system. 6
Typically, this process involves collecting a sample, converting that
sample into a template and comparing that template to other templates
that were previously collected.
Verification is used to confirm whether an individual is who he or
she claims to be. This type of transaction is usually connected to a
process governing physical and/or logical access to an organization’s
resources.
There are two primary measurements of the effectiveness of
verification:
Whether the claims of the system are trusted above the claims
of the individual?
5. Identification
Biometrics systems engage in “identification” when they attempt
to determine the identity of an individual end user. The identification
process involves collecting a biometric, generating a biometric template
and comparing the template to an entire collection of existing biometric
templates.
Identification is used to determine whether or not a person is
“known.” This can be valuable information, particularly in situations
where an organization cannot or for various reasons chooses not to ask
the individual to identify him or herself. There are two primary
categories of identification: Open set and closed set.
Open-Set
In “open-set” identification (sometimes referred to as a
“watchlist”) there is no guarantee that a record of the individual’s
biometrics is contained in the existing set of biometric within the
organization’s data collection. In order to identify the new biometric,
the system must search for a match across the entire data collection.
There are two measurements of accuracy for open-set identification
systems:
Closed-Set
Identification is “closed-set” if the individual’s biometrics are
known to exist in the database. The primary method of assessing the
accuracy of a closed-set identification system is the “Identification
Rate,” the rate at which an individual in a database is correctly
identified.
6. Verification & Identification
Verification and identification are related processes. Verification
involves the comparison of a single template to another single template
(the asserted identity by the individual is used to select the existing
template to compare). Identification seeks, in effect, to reverse this
process by using the new template and all of the existing templates to
determine the identity of the individual facing the system.
Just as with verification, in conducting identification, the system
is only technically able to determine within a given statistical probability
whether the new template does or does not match existing templates.
Although the label “identification” is used, the specific activity that
takes place is an automated comparison based on statistical
probabilities. The management, oversight and assessment of the process
and effect of an identification system should include awareness of the
statistical nature of the matching process and should integrate that
awareness into policies and procedures that frame use of the system.
C. Biometric Modalities
The environment;
Ergonomics;
1. Fingerprint Recognition
2. Face Recognition
options and potential match errors and use the information about these
options and potential errors to inform the decision-making process of the
biometric system. Limitations in technology are not in themselves
absolute barriers to privacy protective system design and operations.
Limitations such as lighting conditions, the quality of photographs that
might be used, and varying facial expressions, should be identified,
understood, and the likely effects of those limitations should be
measured and accommodated so that both the individual and the
organization can accurately assess the significance of the system’s
functioning and place the results into the proper context.
3. Iris Recognition
4. Hand/Finger Geometry
a) Speaker recognition
b) Dynamic Signature
6. Summary
D. Functional Architecture
III. Privacy
A. Introduction
20 Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth
Rock to the Internet (Sheridan Books, Providence, RI, 2000 ) (Privacy Journal, 2004) 6.
B. Concepts of Privacy
22 Daniel J. Solove (with Marc Rotenberg & Paul M. Schwartz), Information Privacy Law
2nd edition (Aspen Publishing Co., 2006): 1.
2. The US Constitution
The US Constitution does not use the term “privacy” directly.
Read as a whole, however, the Constitution does contain many
prominent provisions that deliver privacy protections. These provisions
include: The First Amendment protects against disclosure of group
membership; the Third Amendment protects the home; the Fourth
Amendment protects against unreasonable government searches of
personal spaces, possessions and the body; and the Fifth Amendment
protects against forced self-disclosure of information. In 1965, the US
Supreme Court formally declared a Constitutional right to privacy drawn
from the “zones” of freedom created by these individual rights.
Incorporating a constitutional analysis into a technology review
may seem too theoretical or impractical to conduct. At a general level,
however, each of the “zones” signifies a principle and a circumstance
that could arise in the use of biometric data. For example, the Fourth
Amendment’s focus on unreasonable search and seizure includes a
review of the individual’s expectation of privacy. The Individual must
have an actual expectation of privacy (subjective test) and that
expectation must be reasonable in that circumstance (objective test).
Even if a strict Fourth Amendment analysis is not triggered, an
assessment of privacy expectations should be considered to better
inform the development, operation and, ultimately, the acceptance of
the biometric technology implementation.
The focus of the privacy analysis would likely be on the
circumstances of the collection of the biometric and the full array of
subsequent use of the biometric data within that system and within any
other system that may share the same data. While a direct
constitutional analysis will not likely appear in a routine privacy
assessment, the issues and principles found in the Constitution are
23 For additional information on torts, see generally, “tort” in Black's Law Dictionary
(8th ed. 2004); See also: <www.law.cornell.edu/wex/index.php/Tort>.
24 Anita L. Allen-Castellitto and Richard C. Turkington, Privacy Law: Cases and
Materials: (Thomson West, 2002): 58; see also William L. Prosser, “Privacy,” 48 Calif. L.
Rev. 383 (1960).
New approaches like California’s with broad reach and specific triggering
events suggest a need for a different level of planning on the part of
organizations regarding the collection and use of personal information,
particularly in light of the number and volume of data breaches. 26
Every biometric system exists within a legal jurisdiction and many
may exist across multiple jurisdictions ― federal, state, and local. There
are different ways to identify relevant jurisdictions: By the location of
the physical hardware, by the location of individual participants
(including temporary or transitory locations), and/or by the location
from which the system owner benefits. The laws of each place that is
relevant to the system should be reviewed and incorporated into the
strategy and design of system operation and administration.
26 Robert Ellis Smith, Compilation of State and Federal Privacy Laws, 2002 Edition: 1,
50-51.
EU, and APEC frameworks share principles for limiting the collection of
personal information, ensuring accuracy and relevance, ensuring
articulation and announcement of the purpose for the collection, use
limitations, transparency or “openness” as to actual processing of
personal information, “individual participation” — granting the
individual data subject the right to know whether personal information
is being collected about him or herself, the right to request a copy of
the personal information, and the right to challenge the accuracy and
necessity of the data - including the opportunity to have the data
erased. 27
Just as biometric systems may exist in multiple jurisdictions
within a nation, an individual system may also cross international
boundaries. International connections may exist through the physical
equipment used by the system, the information contained in the system,
the individuals using the system, and/or the individuals related to
information that is used by the system. For system design and operation,
territoriality may seem immaterial given the geographically independent
nature of distributed architecture. For privacy protection, all laws across
the entire footprint of the system should be accommodated and
incorporated.
6. Summary
Biometric technology and privacy both have long histories and are
constantly evolving. Information technology is fueling today’s privacy
discussion just as it did in the 19th century. Privacy is driving a review of
the fundamentals of technology in an effort to align capability with
intention. Understanding the history of biometrics and the source of
privacy frames the application of privacy principles to biometric
D. Information Privacy
1. Personal Information
Personal information is any information that could be used in any
way to identify an individual.
This definition is scoped broadly to include all information that
relates to an individual (note the word “could” and the repeating word
“any” in the definition). “Personal” can be driven by both content
(information that itself identifies an individual — name, etc.) and intent
(uses of even non-identifying data for the purpose of identifying an
individual).
Data that may not appear to be “personal information” can
become “personal information” through use. If data that does not
directly identify an individual is used in combination with other data
that also does not directly identify an individual, and if the resulting
combined data could be used to identify an individual, intentionally or
otherwise, then the data becomes “personal information” and privacy
issues may exist and should be addressed. The privacy impact of
combining data for the purpose of identifying individuals reaches as far
as the intent to identify.
Biometric information is personal information through its content
(biometric information is collected from an observation of the
individual) and through its use (the general purpose of a biometric
system is to recognize individuals). A privacy assessment of a biometric
system should start with the direct use of biometric information and
expand to cover all uses of all data that become part of an identification
and decision-making process related to individuals. (Note how the other
data becomes personal information through the connection to the
biometric information.)
As a general matter, where there is biometric information there is
personal information and a privacy assessment should be conducted to
analyze the impact that the use of this data may have on individual
privacy interests. Even though a biometric system may contain biometric
data that cannot be guaranteed to identify a specific individual, the
nature of biometric data and the intent in collecting that data is still
covered by the definition of “personal information” definition and
should trigger a privacy assessment.
Once the information is determined to be “personal information,”
the information privacy analysis focuses on how that information is used
- specifically, whether the information is used “appropriately.”
2. Appropriate Use
Appropriate use is a use founded in law or sound, legitimate
public policy, is clearly articulated, previously disclosed, and related to
the purpose of original collection.
The collection and use of personal information should be based on
a legal authority (through law or agreement). The details of that
authority should be articulated and available to the individual data
subjects before the initial collection. All subsequent use (including use
by other systems/organizations) should be consistent or logically
connected with the authority that framed the original transaction.
One of the underpinnings of the “appropriate use” test is the
concept of delegation. An individual makes an initial determination to
participate in a system or program based on that individual’s
understanding of what he or she is giving and what he or she is getting in
return. In non-voluntary situations such as law enforcement activities
this delegation exists at a societal level: The individual chooses to locate
within the jurisdiction governed in part by the law enforcement
activities and agrees to contribute a certain amount to those law
enforcement activities in order to receive the lifestyle offered in return.
An information privacy assessment of a biometric system should
define the context and authority of the original collection of biometric
information, demonstrate that all system functionality (including
information sharing) is grounded in a legal authority, that the details
were articulated and available to the individual prior to collection, and
that all uses of the personal information are within the scope of the
original authority.
Uses may change over time and privacy protections can be applied
to evolving situations. One of the most important privacy considerations
to keep in the forefront of the ongoing management of a biometric
3. Special Categories
In the US, the determination of what use is “appropriate” is also
shaped by different subject matters and settings of the personal
information. These additional considerations are defined by those
subject matters for which there is heightened concern for how the use
of information might affect individuals. The below topics represent
those areas of heightened concern to privacy protection. Even if it is
clear that a particular law from one of these areas will not apply to a
biometric system, a thorough privacy assessment should include a review
of the applicability of each topic to address any concerns, however
general they may be.
4. Summary
Privacy as a term can signify many different concepts, some
overlapping at times. The extraordinary advances and popularity of
information technology bring one conceptualization of privacy ―
information privacy ― to the forefront of the privacy protection
discussion. The touch point of privacy and biometric technologies is in
the nature and use of information. Biometric systems use information
generated from observing individuals to recognize a particular
individual. Since personal information is any information that could be
used in any way to identify an individual, biometric information is
personal information even in those situations where the identity of the
individual associated with the biometric information is unknown.
The purpose of a privacy assessment is to ensure that personal
information (biometric information) is used appropriately. The
determination of whether a biometric system uses personal biometric
information appropriately is driven by the purpose of the system and the
context in which that system operates. A thorough planning effort for
the use of biometric technology should include a comprehensive privacy
assessment to detail any issues that might arise during actual use. The
privacy assessment should be conducted at the earliest stage of system
development and throughout the life of the system and data to
accommodate changes over time.
The nature of an information privacy protection assessment can
best be understood through a presentation of its functional architecture.
The discussion that follows presents the discrete elements of the
functional architecture of information privacy and sets the stage for the
structured integration of privacy protection into the implementation of
biometric technology presented at the conclusion of the paper.
E. Functional Architecture
1. Current Status
All systems exist along a “life cycle.” As a general matter,
systems are conceived, designed, developed, tested, implemented,
operated, and migrated (either redesigned to fit changing needs or
dismantled). Biometric systems follow this same general path. The later
in the life cycle the assessment starts, the greater the potential cost of
accommodating privacy protections. If the privacy assessment of a
biometric system is initiated in the earliest stages, then privacy
protections can be integrated into the design of the system and evolve
as the biometric system itself evolves.
authority of the organization and the specific authority for the program
office that manages the system. The purpose for the system should align
with the program office’s specific authority, and the organization’s
general authority.
If a system is designed for a particular purpose and a privacy
assessment reveals that the system fails to advance that purpose, and/or
is furthering a different purpose instead, then the collection and use of
personal information may fall outside the organization’s authority, and
may in fact negatively impact privacy protections.
4. Function (Use)
In a privacy assessment, “use” is a companion to “data” and is
measured by intended value and purpose of the result. Information
privacy protection enforces the appropriate use of personal information.
In order to determine whether the actual use of personal information is
appropriate, a privacy review would compare the results of the use of
personal information to the stated purpose and determine whether the
actual use successfully achieves the stated purpose of the collection. In
those situations where the privacy assessment is conducted later in the
system life cycle - once the system is operational - the assessment of use
would compare the actual use at the time of the assessment to the
expected use as determined at the time of data collection and identify
any disparity. A differential between actual and anticipated use that is
not supported by a demonstrated support path showing a correlating
shift in expectations (and possibly authority) may indicate that the
system is negatively affecting privacy protection. The gap will certainly
indicate that privacy reviews should be more closely integrated into the
management of the system to avoid future gaps in awareness.
5. Technology
Biometric technology raises privacy concerns primarily because of
the personal nature of biometric information. Other technologies also
7. Documentation
A privacy assessment should review all existing system
documentation. A review of documentation serves two purposes. First, it
identifies the understanding of what information the system collects and
uses; and second, through distribution, it demonstrates the expectations
that were set with those who may have privacy interests in the system.
As with the other elements, a privacy assessment should compare the
actual information and actual use with that in the documentation. Any
gaps that are identified may indicate a potential negative impact on
privacy protections.
A. Collection
1. Documentation
The documentation of a biometric system should describe the
purpose and scope of the system, the data collected, and how that data
is used. The documentation should also include all training and
educational materials for operators of the system and any public
material communicated to the individuals enrolling.
One of the primary principles of privacy protection is that
personal information collected for one purpose should only be used for
that purpose and not for other purposes. Documentation demonstrates
the initial expectation of the owners, the operators, and the individual
users of the system and creates a set point for the expectations that will
guide future evaluations of the system. In order to manage expectations
4. Technology
The privacy assessment should review any use of other privacy
sensitive technologies. For example, the wireless transfer of biometric
data. Each specific technology and combination of technologies may
raise a unique set of privacy issues to address. It is crucial to identify all
uses of all technologies in order to understand how personal data will be
used and how any privacy risks to this data are communicated to those
using the system.
B. Conversion
C. Storage
procedures guiding the use and significance of the system will also
inform this decision and should all be made part of the privacy
assessment.
The assessment of the “appropriate use” of stored personal
information generally translates to an information security analysis of
whether unauthorized persons access the data and the reliability of
control and maintenance over the data itself.
D. Comparison
E. Decision
A. Public Concerns
28 Paul Rosenzweig, Alane Kochems, and Ari Schwartz article entitled, “Biometric
Technologies: Security, Legal, and Policy Implications,”
<http://www.cdt.org/security/20040621biometric.pdf>; See also: NSTC Subcommittee
on Biometrics, “Biometrics Overview” 7 February 2006.
A. Subcommittee on Biometrics
B. Department Leads
Toby Milgrom Levin and Anna Slomovic of the DHS Privacy Office
for reviewing the document and providing numerous helpful
comments.