
Introduction to biometrics from a legal perspective

Introduction to biometrics from a legal perspective. Yue Liu yuli@jus.uio.no Mar. 2007 NRCCL, UIO. Agenda. Technical introduction to biometrics Biometric applications Biometrics from a legal perspective: privacy/data protection Relevant legal regulations Discussion: friend or foe?.


Presentation Transcript


  1. Introduction to biometrics from a legal perspective Yue Liu yuli@jus.uio.no Mar. 2007 NRCCL, UIO

  2. Agenda • Technical introduction to biometrics • Biometric applications • Biometrics from a legal perspective: privacy/data protection • Relevant legal regulations • Discussion: friend or foe?

  3. Definition: • Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic. ---J. Wayman

  4. Biometrics • Behavioral: voice, keystroke, gait, signature… • Physiological: fingerprint, iris, facial, retina, palm… • DNA? Not externally observable

  5. biometrics • Verification (authentication): • are you whom you claim to be? • one to one match • Central or decentralized database • Identification: • Who are you? • One to many match • Central database

  6. Authentication methods • Something you have: card, token, key • Something you know: password, PIN • Something you are: biometrics

  7. Function process

  8. Biometric applications • Verification: PRIVIUM (iris) • Identification: EURODAC (fingerprint), US chain stores • Both: EU Passport (facial recognition)

  9. Privacy impact assessment • Are users aware of the system’s operation? • Is the system optional or mandatory? • Is the system used for verification or identification? • Is there a central database? • What kind of PET is being used? • What kind of biometric technology is adopted? • Is the data collector private or public sector? • In what capacity do data subjects interact with the system? • Is it a large scale application or a small scale application? • …

  10. Biometric concerns • Function creep • Ethical concerns • Overkill for the task • Disclosure of sensitive information • Pervasive surveillance; covert collection • Lower privacy awareness: for convenience • Hacking of central storage and wide linkability • Can biometrics make us safer? • Deprived of the right to anonymity • Permanent ID theft • …

  11. Legal framework • Very little specific biometric regulations • European convention on Human rights (ECHR) • Data Protection Directive (95/46/EC)

  12. Privacy: the right to be left alone • ECHR art8(1) Everyone has the right to respect for his private life and family life, his home and correspondence. Dimensions: • informational • Physical • Decisional • Proprietary

  13. ECHR art8(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

  14. Data protection Directive • Defines rights and obligations with respect to the processing of personal data • Processing: "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction"

  15. Personal data • Personal data: any information relating to an identified or identifiable natural person (art2 a) • An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, and mental(…) identity • Biometric image and biometric template as personal data?

  16. Principle: fair collection • Personal data must be processed fairly and lawfully (art6 a) • Data subject must be informed; consent is needed unless under certain conditions: national security, defense, public interests… • Covert surveillance should not be allowed generally: facial recognition

  17. Principles: purpose and proportionality • Legitimate purpose (art6 b): collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. • Proportionality (art6.8.14.15): personal data must be adequate, relevant and not excessive in relation to purpose

  18. Legitimate processing • Art7 • personal data may be processed only if: • consent • necessary for the performance of a contract • necessary for compliance with a legal obligation • necessary in order to protect the vital interests of the data subject, • necessary for the performance of a task carried out in the public interest or in the exercise of official authority • necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed

  19. Proportionality • When is the collection of biometric data necessary? (Less obtrusive alternative? Balance?) • Messing v. Bank of America, Swedish school, UK • How to avoid function creep? • Is consent enough? (opt in or opt out)

  20. Security measures • Art17 • Appropriate security measures must be taken to protect personal data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access

  21. Misconceptions of biometrics • Accuracy, ID theft, central storage • Risks: enrollment, transmission, storage, raw data, reversible template, ID theft, indisputable evidence, permanent ID theft • Safeguards against misuse of biometrics: encryption, smart card • A right to argue?

  22. Friend or foe? • When can biometrics be compatible with the EC data protection directive? • When can biometrics be a friend to our privacy? • Is it just a problem of trading off between privacy and security?

  23. Thank you for your attention! • Reading list: • Art29 data protection working party, working document on biometrics at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp80_en.pdf • JRC(IPTS) Biometrics at the frontiers: assessing the impact on society. At http://europa.eu.int/comm/justice_home/doc_centre/freetravel/doc/biometrics_eur21585_en.pdf
