Introduction

Blanket statements on biometrics and privacy are often misleading, failing to capture the nuances involved in different types of deployments. Certain types of biometric deployments are more prone than others to lead to privacy-invasive uses, while other types of deployments have little if any bearing on privacy. Biometrics are neither a protector nor an enemy of privacy; instead, the type of deployment determines the relation between biometrics and privacy. The BioPrivacy Application Impact Framework is a valuable tool for determining the potential privacy impact of a biometric deployment. Assessing a biometric deployment through the BioPrivacy Impact Framework shows the areas where greater risks are involved, so that appropriate precautions and protections can be put in place.
Applying the BioPrivacy Impact Framework: A Case Study

Overt vs. covert. Deployments in which users are aware that biometric data is being collected and used, and in which acquisition devices are in plain view, are less privacy-invasive than surreptitious deployments. User consent is a key principle of privacy-sympathetic deployment, and it is difficult to consent to a covert system. Covert biometric systems, if deployed at all, should be deployed only in environments where a highly compelling interest is present.

Opt-in vs. mandatory. A biometric system in which enrollment is mandated, such as a public sector program or one designed to encompass a company's employees, bears a more direct relationship to privacy risks than an opt-in system. Mandatory systems come under more suspicion because they are imposed on the user rather than selected by the user. Appropriate protections should be developed for both mandatory and opt-in systems. A midpoint on the opt-in vs. mandatory continuum is whether any sanction is applied to non-compliance with the biometric system: if the decision not to enroll results in any sort of punitive measure, enrollment is not truly voluntary, and the system is more prone to inappropriate usage.

Verification vs. identification. A system capable of performing 1:N searches can be considered more susceptible to privacy-related abuse than a 1:1 system. A 1:N biometric system would be necessary for any indiscriminate large-scale search, whereas a 1:1 system can only confirm or reject an identity the user has already claimed. Protections regarding 1:N usage may need to be stricter than those employed in 1:1 usage.

Fixed duration vs. indefinite duration. In deployments where such an option exists, the use of biometrics for a fixed duration is less likely to have a negative impact on privacy than one deployed indefinitely. This applies in particular to public surveillance deployments, which are comparatively more likely to bear a questionable relation to privacy than other biometric deployments. When deployed for an indefinite duration, the risk of scope creep increases, and biometric surveillance may come to be viewed as commonplace rather than as an exceptional event. An event-driven rather than open-ended use of biometrics is less likely to have a negative impact on privacy.

Public vs. private sector. Public sector biometric usage can be seen as riskier than private sector usage because of the possibility of state or government abuse; government collection of biometric data without proper controls and restrictions is highly problematic. On the other hand, private sector companies may be more tempted to share or link personal data for marketing or profiling purposes. Suitable protections should be developed for each type of environment.

Individual, customer, student, traveler, employee, citizen. An individual's roles vary according to the people and institutions with whom they interact. A person is a citizen (or resident) in their dealings with the government or state, an employee in their dealings with an employer, a customer when party to certain types of commercial transaction (credit issuance, for example), and, in a great variety of other settings, an anonymous individual. Although privacy rights are fundamental regardless of the institution with whom the person is interacting, they are not identical in all environments. Reasonable expectations of privacy depend on the capacity in which a person is interacting with another person or institution: anonymous individual, customer, student, traveler, citizen, employee, prisoner. Accordingly, biometric systems deployed in each of these environments should be designed and controlled according to the potential risks involved for the user population. Above all, to enable a person to maintain his or her separate "identities", data residing in separate biometric systems should not be linked or amalgamated without the explicit, informed permission of the individual.

Enrollee ownership of biometric data vs. institutional ownership. Deployments in which the user maintains ownership over his or her biometric information are more likely to be privacy-sympathetic than those in which the public or private institution owns the data.
User control over collection, usage, and disposal of biometric information is not possible in every deployment, especially in entitlements programs or other public sector uses.

Personal storage vs. template database. A biometric system which stores information centrally is clearly more capable of being abused than one in which biometric information is stored on a user's PC or even on a smart card. The privacy risks involved in biometric systems are heavily informed by the location of template storage and processing.

Behavioral vs. physiological biometric. Behavioral biometrics are much less likely to be deployed in a privacy-invasive fashion, as technologies such as voice-scan and signature-scan can be easily changed by altering a signature or using a new pass phrase. Behavioral biometrics are very rarely used in 1:N applications, which are less privacy-sympathetic than 1:1 applications. Physiological biometrics are much harder to mask or alter, and can be collected without user compliance.

Templates vs. identifiable images or samples. Biometric systems in which identifiable biometric images or samples are retained are more likely to bear privacy risks than those which retain only templates. Biometric templates are generally of value only when processed through the vendor's matching algorithm, and cannot be linked to a specific biometric characteristic without dedicated processing. Biometric images, by contrast, are generally identifiable and can be associated with a specific individual by visual or aural inspection.

Conclusion. The BioPrivacy Impact Framework provides a means of assessing the privacy risks involved in a real or proposed biometric deployment. A private-sector biometric application in which the user retains ownership of his or her biometric information is much less likely to negatively impact user privacy than a covert public identification system; the precautions taken in each system should be proportional to the potential risks related to the use of that system. Though there are many additional factors to assess, such as the political climate and legal backdrop for biometric usage, the existing Impact Framework provides a starting point for intelligent assessment and categorization of biometric systems.