Biometrics at the Super Bowl: A BioPrivacy Assessment
During Super Bowl week of January 21,
2001, a facial-scan system was deployed at Raymond James Stadium in
Tampa Bay, Florida. The system, positioned at turnstiles in the complex,
acquired faces of event attendees and compared them against a database
of "known felons, terrorists and con artists provided by multiple
local, state and federal agencies."
As the following BioPrivacy Assessment
shows, several characteristics of this deployment are associated with
increased privacy risk. To counter this, the following steps would be
necessary to reduce the potentially harmful impact of this deployment:
- Full and open disclosure of the system's proposed usage prior to deployment (Best Practice 9)
- Clear, explicit signage positioned to inform users prior to system interaction (Best Practices 10, 11)
- Protections against storage and/or misuse of collected data (Best Practices 3, 5)
- Full system oversight and auditing by independent parties (Best Practice 6)
- Verification of non-retention of data (Best Practice 15)
- Verification of system dismantling after event (Best Practice 25)
- Disclosure of criteria used to determine matches (Best Practice 22)
- Penalties for noncompliance with the above minimum protections (Best Practice 6)

Overt / Covert
Risk: 9/10
Although the acquisition devices (cameras) may have been in plain view, the fact
that automated recognition technology was in use was not made clear. The
biometric element, then, was covert. From a privacy perspective, this
type of usage is more likely to become problematic.

Opt-in / Mandatory
Risk: 8/10
The system was mandatory inasmuch as entry into the complex/facility
required passage through a biometrically monitored turnstile. The
ability to opt-out is seen as a privacy benefit, but was not present in
this environment.

Verification / Identification
Risk: 9/10
Surveillance applications, by definition, are identification applications - the user
is not claiming an identity, and the user's biometric data is compared
against a database in order to locate a match.

Fixed Duration / Indefinite Duration
Risk: 3/10
The system was in place from January 21-28, then removed. The fixed duration
is beneficial from a privacy perspective, but the 1-week length is
fairly substantial.

Private Sector / Public Sector
Risk: 8/10
The system was used by local, state, and federal officials to conduct
searches for known "felons, terrorists, and con artists."

Individual - Customer / Employee - Citizen
Risk: 2/10
The users whose facial-scan data was compared were under no compulsion to
attend the event, and were effectively acting in the capacity of a
customer. All other factors being equal, the use of biometrics in a
"customer" environment, where coercion is minimal if it exists at all,
is unlikely to pose a major privacy risk.

User Ownership / Institutional Ownership
Risk: 5/10
For the period during which the user's data was compared, the data was
institution-owned. On the other hand, the data was discarded unless the
search resulted in a match, so the duration of ownership was limited. On
the whole, the privacy impact was moderate.

Personal Storage / Template Database
Risk: 7/10
In this type of application, data is stored and processed in a centralized
fashion. The fact that biometric templates were discarded after
comparison is a mitigating factor.

Behavioral / Physiological
Risk: 5/10
Because physiological characteristics are less subject to change than
behavioral characteristics, they are less contingent on user consent and cooperation.
The use of facial-scan, which is a comparatively indistinct and less
accurate physiological biometric, is a mitigating factor.

Templates / Images
Risk: 5/10
The biometric system was predicated on the
comparison of match templates (acquired from individuals interacting
with acquisition devices) against a template database. Resolving
duplicate matches requires recourse to facial images, although these are
only returned in case of a "hit".