Identifying ourselves through our faces and fingerprints is part of everyday life. Biometric features are used to log into our computers, enter the office and gym, unlock our mobile phones and even make payments or access our internet banking.
Since the discovery of the usefulness of biometric systems, there has been a significant development in their use from public security to private security. After the September 11, 2001 attacks in the United States, the demand for biometric surveillance systems has increased and therefore cameras have been included in public spaces to prevent terrorist attacks and detect criminals.
Decades ago, Jain and his team (in the book Biometrics: Personal Identification in Networked Society) described the deterrent effects of biometric systems on crime and fraud, the increased streamlining of business processes, and the protection of critical resources. For example, casinos in the United States have been detecting scammers for years by comparing images with photos of people arrested or kicked out of casinos.
In our study, we explained that the increasing use of biometric systems left behind a period when they were used for security purposes and irregularly. Now users are customers, employees and simple citizens.
This broad context initiates an important social debate about the privacy and security of these systems.
Some multinational companies such as Amazon, IBM and Microsoft denied the use of facial recognition systems in a way that violates human rights after the events that occurred in the USA with the death of George Floyd.
IBM has stopped offering facial recognition software, saying it opposes and does not tolerate the use of any technology for mass surveillance, racial profiling, and violations of human rights and freedoms.
Amazon has imposed an extended one-year moratorium on facial recognition technology for police use and is asking the U.S. government to regulate the ethical use of such technology.
Microsoft has stated that it will not sell facial recognition technology to US police departments until national regulation of these technologies is made on the basis of respect for human rights.
Another prominent element in such technologies is possible errors.
It has been demonstrated by various studies that the algorithms of facial recognition systems misclassify people according to their skin color, age and gender.
An example of this was the Amazon Rekognition facial recognition test conducted by the American Civil Liberties Union (UCLA), in which they compared photos of members of the United States Congress with 25,000 photos of convicted persons. 28 false positives in their results: 28 members of Congress were identified by the system as people convicted of a crime. The results of black-skinned individuals were disproportionate to white-skinned individuals.
In an era of convergent technological advancement, where different devices fluently and agilely exchange data, the demand for so-called biometric privacy is increasing. Companies have significant restrictions on the use of biometric data.
IBM emphasizes the need for specific regulation for each use of such technologies, taking into account both end users and the purpose of the biometric recognition system. This distinction is essential because, for example, facial recognition systems that help emergency medical services quickly identify victims of a natural disaster should not be deployed in the same way as facial recognition systems fitted to cameras in police vehicles. .
The World Bank organization, in its handbook on biometric systems, has set a number of requirements for the protection of such data and states:
1. It should be preventive, not corrective. That is, you need to conduct a risk analysis before, during and after the system is implemented to anticipate potential threats.
2. Privacy is given by default. This means that the user does not have to actively protect their data, but the system must protect it as it enters the system.
3. Confidentiality should be included in the design at all stages from acquisition to processing and in limited connectivity scenarios.
4. It should offer complete functionality. This means there is a balance between security and privacy without sacrificing one or the other.
5. Every step of the system must have end-to-end security.
6. It should offer visibility and transparency.
7. Personal privacy must be respected.
Security is an instrumental concept, a tool that makes it possible to exercise rights and freedoms. The protection of freedom of expression and assembly and the principles of equality are some of the challenges that States as guarantors of the rights of their citizens are focusing on regulating, in particular to control the use of biometric systems by their political entities.
Therefore, we show that rather than banning a technology with useful applications for society, directing legislative efforts in terms of privacy is directed towards specific regulations according to data use and application sectors.
The question is not about deciding whether individuals should have more security and less privacy, or vice versa, but rather knowing how to identify risks and threats, taking into account uses and applications. This makes it possible to enjoy the benefits of biometric systems in the field of security, respecting fundamental rights and public freedoms, which in turn reduces public concern.
Michelle Madeline Blackberry Room
and Carmen Jordá Sanz (**) – Chat (***)
Camilo José Cela University Professor of Criminology and Security (**) Camilo José Cela University Director of the Department of Criminology and Security. (***) Speech is a non-profit organization that aims to share ideas and academic information with the public. This article is reproduced here under a Creative Commons license.
A picture is worth a thousand words. We should add to this statement that images are transformed into (digital) data in today’s society and data is the new oil in the economy.
On any given day, we pass by many cameras without realizing it: security cameras of shops, banks, traffic cameras on the streets.
Nor can we forget the cell phone cameras and computers in front of which we work or read books. If you give me any advice, put a label in front of it so you don’t get upset or in trouble if spyware accesses and activates your computer without your permission.
Also, in addition to the above, our features or biometric data can be obtained from a simple photo or video. To put it in a way, it’s like our fingerprint but in this case it has features of the face. Therefore, biometrics is becoming the largest workforce for our privacy.
Biometrics presents new risks and challenges. Technology makes life easier for us, it gives us more security in all aspects, but we must be aware of the additional risk that each new use or improvement causes loss of privacy and privacy. By the way, once climbed steps, it will be difficult to descend again.
Therefore, the use or selection of a technology is not a superficial issue. The decision must be made after a study of proportionality and necessity has been done.
Turning to biometrics, we find new scenarios for its use. Its new uses range from airport security to student identification in online education to verify that there is no identity theft in an exam—the Spanish Data Protection Agency (AEPD) has released a corresponding report.
The most recent example is the announcement that this technology has been implemented in dozens of workplaces by a large Spanish supermarket company. The purpose is to identify people who have a banning decision that prohibits the company or its employees from entering stores, and who have finalized penalties or injunctions against them.
The decision of the chain of stores causes controversy and doubts. The AEPD has already launched an investigation to confirm that the facial recognition system complies with regulations. Can our biometric data be processed?
First of all, it should be said that biometric data is personal data. Therefore, they are regulated and protected by European regulations for the protection of personal data, both by the European Data Protection Regulation (RGPD) and by the Spanish adaptation of the Organic Law on data protection and guarantee of digital rights (LOPDGDD). .
Biometric data can be basic data (so to speak) or specially protected data if the biometric data is intended to uniquely identify a natural person, as stated in the regulation. This distinction is not trivial. The processing and type of data will determine not only the legitimacy of their processing, but also the obligations and guarantees that the person responsible for such processing will have to enforce.
If biometric data is considered as special category data, its processing requires the explicit consent of the user.
If biometric data is considered essential, the data controller can rely on a legitimate interest.
Initially, the supermarket chain seems to accept this last assumption. However, we do not know the details of the project. Whoever is going to process this data (whether it’s supermarkets, a security company or a university) needs to know the system that will be used to find out if they will be processing essential or specially protected data.
In any case, before implementing a biometric system, data controllers must do what is called a data protection impact assessment.
The aim of this study is to analyze the risks associated with the necessity and proportionality of the system. In short, to determine that the system does not seriously affect the privacy of the people it is dealing with and to ensure that security, reputation, privacy, etc. It is a self-assessment to identify risks. may have the use of technology.
If this self-assessment turns out to be negative, the regulations themselves require consultation with the relevant data protection agency to determine whether the system can be brought to light.
Nor should we forget the ethical aspect of this technology and the problems currently associated with so-called artificial intelligence biases. What can happen with false positives? Is the technology for installing these systems that reliable?
Source: Exame
