Each of the three jurisdictions discussed in this paper has a very different framework for the data protection and privacy of biometrics. In India, the Aadhaar Act and other legislation do not provide comprehensive data protection and privacy for the Aadhaar program and its use of biometric data.
The EU, as discussed, has an omnibus data protection and privacy regime that is comprehensive and includes specific language on the processing of biometric data, including automated processing. As such, the EU already has protective data protection and privacy regulations in place for any member state that builds or employs biometrics or, more broadly, a digital biometric identity system.
The U.S. has a patchwork of sector-based regulation that applies unevenly to data protection and privacy for biometrics, and no broadly applicable legislation on the use of digital biometric identity systems specifically. While the REAL ID Act addresses some aspects of identity systems, it leaves biometric use to the states and therefore does not act as a unifying regulatory framework for biometrics or for digital identity systems generally. Nor is the REAL ID Act a data protection law, or meant to function as one. In the US, some data protection for biometrics comes from the Privacy Act of 1974, which has numerous exceptions; some comes from sectoral law such as HIPAA; and some comes from state law, which is at present very limited in scope. To analyze India's approach to biometric policy and privacy further, it is useful to examine a central issue in biometric policy: Consent.
5.1 Consent and biometrics
Consent is a core issue for biometrics and identity and, among the many potential issues, one of the most contested. If individuals have no fundamental Consent regarding biometrics and identity, then autonomy and human freedoms can be at risk, depending on the protections that exist and how well they are enforced. As with the differing standards for privacy, there is no single global definition of Consent in use for biometrics. Moreover, "Consent" is one small practical aspect within a much larger framework that is needed to assure data protection generally, and specifically under standards such as the OECD's Fair Information Practices.^143 But it is a particularly important aspect, as it affects voluntariness and autonomy. (As discussed elsewhere in this paper, the Fair Information Practices provide the baseline for most global privacy law; although the principles do not cover all privacy rights, they are a globally accepted baseline.^144)
In India, the Aadhaar Act and other existing regulations do not provide robust Consent provisions for the collection of biometrics; it should be noted that the Act contravenes the Supreme Court of India's interim decision regarding voluntariness.^145 The provision in Indian law that Consent can be obtained "through any electronic means" leaves substantial loopholes through which the broad principles underlying Consent, and all associated processes, can be trivialized. This is a foundational problem with Aadhaar and Consent in India.
Considering health use cases in India specifically, healthcare information is deemed sensitive data under Indian sectoral law.^146 India's healthcare biometric landscape has a very large number of users; as discussed, more than one billion, and Aadhaar is now tied to an increasing number of medical programs. Because Aadhaar enrollment is now mandatory for receiving most government benefits, and because well over 80% of the population is in the Aadhaar system, national health policy has incorporated, and expects, Aadhaar information to be input into the medical system, including a new e-Health system tied to mobile phones.^147
When enrollment in and possession of Aadhaar is made mandatory, for government benefits and in other settings, and when Aadhaar activity is linked to many aspects of individuals' lives over a long span, all held in one centralized database, Consent becomes a highly significant issue. Ideally, well-thought-through policies would be in place to provide meaningful checks and balances for individuals. In India, the early emphasis has been on reducing inefficiencies, not on protecting privacy or autonomy. The resulting loss of autonomy over Consent has been deeply felt and now needs to be addressed.
One example of the difficulty of making Aadhaar mandatory for health services is its newly mandatory use for women and others in India who are being rescued from prostitution and who cannot receive rehabilitative services until they have enrolled in Aadhaar. One prominent legal scholar said the anonymity of these women was the first casualty.^148 Owing to social structure and other factors in India, women and others may have been born into prostitution or may be victims of human trafficking. Those who want to escape that life already face many hurdles, not least social stigma and shame;^149 the requirement to give up anonymity in seeking health services adds to the obstacles facing these individuals and is not acceptable on a human level.
The Council of Europe's Convention on Action against Trafficking in Human Beings specifically discusses the need to protect the private life and identity of victims, including child victims.^150 Rijken and Koster (2008) argue that victims of trafficking must be provided with specialized medical care as well as legal aid, and need assistance regarding the "juridical consequences of filing a complaint and testifying against perpetrators." They also discuss in detail the extent to which identity documentation plays a role in acquiring testimony against perpetrators for state purposes. The authors advocate a "victim centered approach," in which the goal of granting robust assistance to victims takes precedence over the goals of government in identifying victims [47].
But these vulnerable individuals are not the only casualties of coerced Consent for Aadhaar in India. For example, in 2016 the state of Maharashtra mandated that AEBAS (the Aadhaar Enabled Biometric Attendance System, which is connected to all central government offices) be used in all government-run hospitals in the state. This requirement applied to health workers. Numerous articles about problems and negative reactions among health workers across India have been published. In one hospital, 22 doctors refused to use the biometric attendance system and, by way of protest, were absent from duty [48], alleging that the system was discriminatory. One issue was that AEBAS allows real-time attendance data to be stored in the Aadhaar central database, where employees and officials can view it [49].
The privacy challenges of such a detailed, centralized, transactional database, open to external government and employer access, are significant. Note the fundamental difference between allowing biometric authentication in a small silo, not tied to an extensive identity database of life patterns, and binding biometric authentication to Aadhaar, which links the work check-in, for instance, to the rest of an individual's life activities such as banking, health, marriage, and more. Even though biometrics are involved in both instances, the privacy implications are different. In the India example there is simply no fundamental privacy redress for affected individuals, and a lifelong, government-controlled, central tracking database of life, financial, health, and work activities fuels the darkest of Orwellian fears.^151 If specific regulations constraining uses of the biometric system and the centralized database are absent, new, and mandatory, uses will simply grow, as has already been seen in the Aadhaar system.
The mandatory Aadhaar check-ins by physicians are an example of "Coerced Consent," which arises when an individual believes, is led to believe, or is allowed to believe that in order to receive a perceived benefit he or she must Consent. In the EU, coerced Consent is a policy issue addressed by law.^152 In US Consent policy, "Coerced Consent" is discussed in selected areas handling highly sensitive matters, often related to the use of genetic information in employment, or to medical research. For example, the following FDA statement relates to patient Consent and the issue of coercion:
Consent documents should not contain unproven claims of effectiveness or certainty of benefit, either explicit or implicit, that may unduly influence potential subjects. Overly optimistic representations are misleading and violate FDA regulations concerning the promotion of investigational drugs [21 CFR 312.7] or investigational devices [21 CFR 812.7(d)] as well as the requirement to minimize the possibility of coercion or undue influence [21 CFR 50.20].^153
Note that the FDA's conception of consent describes the quality of information needed by those making the consent decision. Accurate, non-misleading information is the foundation of consent that is informed by facts, and thus of an individual's ability to make an informed consent decision.
"Coerced Consent" needs to be on the policy watch-list globally. Reducing inefficiencies, including in health care settings, should not come at the expense of conditioning a person's employment on having an enrolled biometric, or, for that matter, of conditioning treatment on the production of identification. Other options can and should be made available, in both the technical and the policy solutions presented, so as to avoid such outcomes. While obtaining Consent in biometric use cases is critical, Consent once given does not translate into blanket protection of privacy; it does, however, have a proper place in asserting biometric policy.^154
Regarding biometrics-specific consent policies, in the United States specific biometric Consent policy exists only in state law. In the European Union (and in those nations with current EU adequacy status),^155 the GDPR and, to a lesser degree, the conventions of the Council of Europe (COE)^156 have ensured that "Consent" will be a meaningful part of biometrics deployment specifically, after the GDPR takes effect in 2018. In Europe, obtaining Consent is the basis of most privacy and human rights-focused laws, decisions, and discussion. Obtaining "Consent" has been a critical thread in the fabric of national European data protection laws since the 1970s, with the role of Consent continually evolving toward more stringent standards. Consent was eventually recognized in the European Charter of Fundamental Rights, Article 8(2), which states that personal data of an individual can be processed "on the basis of the Consent of the person concerned, or some other legitimate basis laid down by law."^157 Given this strong legislative background, it is not surprising that biometrics gathered from data subjects would eventually warrant specific Consent requirements.
The GDPR's Consent requirements include the requirement that consent be informed; more broadly, Consent also governs the use and processing of sensitive data. Biometric data as defined in the GDPR, when processed for the purpose of uniquely identifying a person, is a sensitive (special) category of data, and therefore its processing requires explicit Consent unless one of the GDPR's listed exceptions applies.^158 Additional privacy provisions would still apply to the processing of the biometric data.^159 The older Directive 95/46/EC standards were interpreted at length by the Article 29 Working Party,^160 including an analysis of Consent in the context of e-cards, which is worth reading in the context of biometrics even though the Directive is replaced by the GDPR, because it lays out the foundational EU ideas about Consent in data processing and in sensitive data categories.^161
The terms of the GDPR state that biometric data used to uniquely identify a person requires special processing under the sensitive data category.^162 There are, however, exceptions, including in certain health care areas and based on the definition of Consent in the GDPR. The EU decision to include biometric data as a sensitive data category in the GDPR is bound to have profound policy impacts in the biometrics world. The impact will be most keenly felt by entities based in Europe or doing business with Europeans. The GDPR biometric policy will also affect any company self-certifying under the EU-US Privacy Shield or the Swiss-US Privacy Shield,^163 because these companies will have to follow GDPR provisions regarding biometrics.
The study of biometric use within Europe's Consent model, particularly in the healthcare sector, is important. The use of biometric systems to identify patients has already begun in Europe. Healthcare providers in individual EU member states, for example Ireland, are introducing biometrics into provider settings. A typical scenario is that patients enroll in the biometric system and provide biometric information for the stated purpose of identity verification, in relation to their record and for anti-fraud purposes. Healthcare providers in EU member states will have to comply with GDPR requirements from 2018, including those providing allied services in healthcare settings, which will require attention to processing controls.^164
In Europe, if a health care provider requires a patient to enroll in a single-provider biometric silo (which it can do), patients in EU settings should, on the basis of both the existing Data Protection Directive and the GDPR, receive other supporting privacy rights, such as access, transparency, and correction. And the processing of the biometric data will still have to comply with all applicable EU standards. Although protections exist under the EU omnibus privacy regulations, before healthcare biometric installations spread further, EU member states would benefit from encouraging their healthcare sectors to devise specific "best practices" and "ethical data use" guidelines.
The US has no consolidated regulatory framework across sectors focused on biometric Consent policies. As discussed earlier, some laws touch on biometrics held by particular entities, such as the federal government. But sectoral laws, like the Privacy Act of 1974, do not mention biometrics specifically. The only specific law requiring explicit Consent for biometrics is currently at the state level; for example, the Illinois Biometric Information Privacy Act (BIPA) requires Consent specifically for biometric collection. BIPA, however, does not have a complex Consent policy. To find mature Consent policy examples in the US, one has to look at policy apart from biometrics. The US Food and Drug Administration (FDA), for example, has a detailed description of Consent that specifies all that must be done to ensure that Consent is meaningful, voluntary, and not coerced.^165 Generally, any federally funded entity falling under the Common Rule^166 will display a Consent policy of the most sophisticated kind. However, such a Consent policy cannot be interpreted, directly or indirectly, as one that would fully cover or apply to the use of digital biometric identity in any simple or straightforward way.
When biometrics are used in non-research healthcare settings for authentication or identification, the Consent documents required under human subjects research rules generally do not apply. This is because research Consent documents are generally not required for non-research healthcare provider activities, and research Consent documents focus on the actual health research, not on the identity documentation of the patient or research subject. This is a gap in the regulatory structure.
Consent has become a point of contention in US health care settings that require biometric enrollment of patients. In Florida, a bill put forward in 2016 would have required hospitals to "biometrically confirm the identity of Medicaid patients."^167 The proposal would have allowed hospitals to access the state driver's license database to verify patients' driver's license identification. The Florida Hospital Association opposed the provision and raised substantive legal and privacy concerns [51]. Public hospitals in the US are prevented from making biometric requests mandatory by laws that prohibit conditioning treatment on identification. Biometric installations at private US healthcare providers, such as private hospitals, may not be subject to the same requirements, however.^168 Some US healthcare providers have strongly urged patients to provide biometric-based authentication or verification, with apparently little attempt to ensure that patients know enrollment is voluntary [52]. There is currently a policy void on this issue, which is in itself significant.
Intriguingly, in the US, biometric identification of patients has broadly been put forward as a "solution" to challenges such as identity theft associated with the provision of medical services [53].^169 Identity theft challenges apply to Europe as well. However, discussion of biometric template takeover, spoofing (or falsifying) of biometric identity, full biometric identity takeover, data breach risks, and other significant complications of patient biometric systems is almost never included in discussions around implementations [55].^170 A breached biometric template is a particular concern because, unlike a password, the underlying trait cannot be changed or reissued. Weak security and policy understanding of biometric technology can create weak oversight, in which impostors have an opening to harden a spoofed or acquired false biometric identity.^171 It is rare to find straightforward risk/benefit discussions of patients' biometric identifiers, including in relevant Notices of Privacy Practices (NPPs). It is also rare to find media articles mentioning problems with biometric security in US healthcare settings. Later in this article, untraceable biometrics are discussed as an important area for future work that could help attenuate some present and future challenges in this area.
Thinking about India's Consent policies in the context of those in the EU and the US, particularly in a health care context, each jurisdiction has some legislative language around Consent and the sensitivity of health data. However, how that language is contextualized in definitions of Consent and in procedures is what separates the jurisdictions in the privacy protections available. Ultimately, the extensive inter-linking of Aadhaar and the tracking of enrollees' activities in a centralized database, with broad government capacity for access to that database, is unparalleled in any other jurisdiction discussed in this paper. Mandatory biometric use propositions in India need to be addressed directly and with some urgency, especially in the health services context.
5.2 Biometric legislation
In the case of digital identity systems, formal data protection and privacy legislation is a must; voluntary guidance or voluntary principles are not an acceptable substitute.^172 The same can be said of digital biometric identity systems. Among current regulations, the EU GDPR provides the highest level of protection. Other jurisdictions generally have either weaker protections or none at all.^173 India has not passed data protection regulation, although it has drafted such legislation. As discussed, the US has some federal and state legislation that touches on aspects of identity or biometrics, and sometimes both, as in the REAL ID Act; however, the US has no specific, focused federal legislation on the broad use of biometric data.
In non-EU jurisdictions, much progress is possible if serious attempts at legislation aimed at improving data protection and privacy specifically for biometrics, including digital biometric identity data, are undertaken. There is no doubt that economic and cultural differences affect the deployment of digital identity systems and biometrics, as well as the policies around those systems. The US, for example, will have to take a different legislative approach than India, based on factors such as the structure of existing federal legislation and the state of development of biometrics in each country. However, that is not an excuse for the US and India to avoid the challenging work of passing new legislation. In India in particular, because Aadhaar is already pervasive and held in a central database, data protection and privacy legislation specific to Aadhaar is important and urgent.
Generally, low-, middle-, and high-income countries have different levels of development and may not be able to support the same kinds of technologies, systems, or policies. Some countries may not share the same cultural conceptions of individual privacy rights. Nevertheless, despite the many types of legislation that might suit a given economic jurisdiction or region, several core legislative concepts stand out, and they can be applied across cultural and economic boundaries.
5.2.1 Do no harm
Digital biometric identity systems have power, and once granted, that power can be used for good or otherwise. Adding biometrics to an identity scheme (digital or paper-based) increases the power of the scheme by increasing belief in the system's ability to uniquely identify or authenticate a person. As such, the Do No Harm mandate is of primary importance in all identity systems, particularly those using biometrics. The joint ID4D Principles on Identification have been discussed in this paper. These principles are important because they are aimed at developing countries, and they do include principles relating to privacy and non-discrimination. However, they do not include a Do No Harm principle. It is the most important missing element, and adding Do No Harm would improve the principles considerably.
What constitutes harm? Digital biometric identity systems exist in different political, economic, and cultural contexts, so different types of harm can be expected, each specific to the system in which it arises. In practice, Do No Harm means that biometrics and digital identity should not be used by the issuing authority, typically a government, to serve purposes that could harm the individuals holding the identification. Nor should they be used by parties adjacent to the system to create harm.
Examples of harm include identifying highly sensitive divisions among populations (such as ethnicity, religion, or place of origin); attaching such data to a unique biometric is a substantive harm in and of itself. Using an identity system to discriminate against, harass, improperly deny services to, or otherwise harm people on the basis of distinctions such as age, gender, or socioeconomic status as revealed by a place of residence constitutes harm. In India, it is a great harm existing today to condition the delivery of rehabilitative services to women and others attempting to escape prostitution on enrollment in the Aadhaar program. As discussed in the Consent section of this paper, the requirement to give up anonymity in seeking rehabilitative or health services adds to the obstacles facing these individuals and is not acceptable on a human level.^174
Another type of harm arises from the politics of identity. Some identity systems have been tied to the politics of a government or of an ethnic faction within a government. It is very difficult to de-link identity systems from the government that issues the ID, but every effort should be made to de-link e-ID systems from the politics of the government or faction in power.^175 A disturbing political use of identity cards is found in the haunting case of Rwanda. It is widely acknowledged that Rwanda's ID card, which recorded ethnicity on the face of the card, was used to facilitate the 1994 genocide against the Tutsis [3, 58]. This is the ultimate harm, and all efforts should be taken to avoid it in the future. Identity systems, paper or digital, must work for the public good and must do no harm. And identity systems, due to their inherent power, can cause harm when placed in hostile hands and used improperly. Great care must be taken to prevent this misuse.
Do No Harm requires rigorous evaluation, foresight, and continual oversight.
5.2.2 Policy before technology
More than any other factor, the underlying cause of India's current problems with Aadhaar is the lack of appropriate regulation of the Aadhaar ID system before its widespread deployment to the Indian population. Legislating in reverse is extremely difficult. When the technology for the Aadhaar system, including the collection of biometrics, was discussed as a potential program, legislation regulating the targeted and limited use of the Aadhaar identity and data should have been a mandatory step before any widespread technical deployment or biometric enrollment of residents. As discussed in this article, although several iterations of acceptable privacy legislation have been drafted in India, including in 2010 as the technology was first being deployed, none has passed. The lack of protective policy from 2010 onward has allowed the Aadhaar ID to go from voluntary to mandatory in many situations without appropriate data privacy protections. Today the Aadhaar ID system is subject to considerable mission creep, and there are concerns about how it might be used in the future. It is very unclear whether India will pass data protection legislation for the Aadhaar system.
When advanced digital biometric ID systems are discussed, Estonia is frequently cited, alongside Aadhaar, as an exemplar of a modern digital identity system.^176 However, the two systems are different. Estonia, as a member of the European Union, already had a robust policy framework in place before it deployed its e-ID, or digital identity, technology. Because of the underlying EU data protection and privacy rules, Estonia is obliged to comply with all EU law, including EU data privacy directives. Estonia's e-ID will fall under the GDPR biometric processing protections and mandates discussed in this paper, and it will be subject to the other sensitive information categories. Estonia's e-ID system has an omnibus set of legislative rules to follow, including privacy rules, data security rules, redress rules, and many more. Estonia had policy before technology, and that has made it a fairer system, not subject to the same abuses as India's Aadhaar system, which put technology before policy.
The US is not immune to challenges arising from the "policy before technology" issue. For federal agencies, the E-Government Act of 2002 requires "policy before technology" evaluations; for example, agencies must publish Privacy Impact Assessments (PIAs) for public review before developing, procuring, or creating new uses of technologies [59]. This is beneficial, as proposed future uses of biometric technology at the federal level should conceivably be made public before their installation and use. However, the requirement is limited in that PIAs cover only government uses of technologies; moreover, publication of a PIA does not guarantee that a bad program will not move forward. The US, as discussed, has widely deployed biometrics in non-federal sectors such as healthcare. Almost all of these deployments have occurred without specific biometric legislation preceding deployment of the technology. As discussed in this paper, there is no federal law that specifically protects biometric data collected by, for example, schools, hospitals, commercial entities, or other non-federal entities. And when a US federal agency delays publication of a PIA, it becomes nearly impossible for individuals to assess what the federal government is planning.
5.2.3 The role of ethical data use guidelines for biometrics
In addition to formal legislation, it would be beneficial for all stakeholders (industry, privacy and civil liberties NGOs, identity experts, academics, and interested citizens and individuals) to convene in order to craft "ethical data use guidelines" through a well-orchestrated multi-stakeholder process. These guidelines could, for example, cover very narrow use cases where regulatory rules presently offer no specific guidance on best practices, procedures, and administrative controls. For example, a specific set of "ethical data use guidelines" on the collection of patient biometric data by health care providers could yield useful practical guidance, in addition to the formal protections of the GDPR.
An important policy document comes from the European Data Protection Supervisor (EDPS), which in 2015 published a watershed opinion on data ethics and privacy.^177 The opinion set forth four overarching principles:
1. Future-oriented regulation of data processing and respect for the rights to privacy and to data protection.
2. Accountable controllers who determine personal information processing.
3. Privacy conscious engineering and design of data processing products and services.
4. Empowered individuals.^178
The opinion specifically triggered the launch of a new EU Data Protection Ethics Board, with the goal of defining "new digital ethics" and stimulating "open and informed discussion in and outside of the EU, involving civil society, designers, companies, academics, public authorities, and regulators." The opinion sets out in clear terms the next steps that could and should be taken regarding biometrics policy. In many contexts, more applicable to jurisdictions outside the EU than inside it, there is interest in supporting such discussions. Structural and financial support for such activities will need to be put in place, or provided by the EU Central Authority or by other countries.
However, for long-term success, rules and procedures need to be in place that provide "checks and balances" ensuring input and process control, enforcement, and representation of interests.^179 The UK National Consumer Council published an important 15-point checklist for self-regulatory schemes in 2000 that remains worthy of attention [62]. The checklist sets out the requirements for a "credible" self-regulatory scheme. Although initially written for self-regulatory schemes, the same principles can also apply to multi-stakeholder processes whose stated purpose is crafting ethical data use guidelines.
Despite the potential for failure [56], it is nevertheless important for industry and consumer-focused stakeholders to convene, each putting forward an independent contribution, to examine multiple narrow use-case scenarios for biometrics use and data ethics. In many respects, ethical data use guidelines for very narrow use cases have a greater chance of success. One example of a narrow use case is ethical data use guidelines for biometric health identity data used in formal health care settings, such as a hospital or doctor's office. In all jurisdictions, another important use case could be ethical data practices around particularly sensitive ethnic data.
It would, over the long term, be helpful to have open, joint stakeholder discussions amongst countries with large-scale biometrics installations so as to share solutions, findings from relevant encounters, and amassed expertise, to discuss concerns and challenges, and to engage in forward-thinking policy construction relating to ethics, data protection, and privacy. Any effort to craft ethical data use guidelines in the area of privacy would need to take account of standards, which can differ markedly depending on geography: Fair Information Practice standards (FIPs), key provisions in the GDPR, and the ID4D Principles on Identification, among others, could potentially be discussed. Very precise ISO standards could also be drawn from, for example the work on cross-jurisdictional and societal aspects of biometrics in JTC 1/SC 37/WG 6, or on identity management and privacy technologies in JTC 1/SC 27/WG 5.
5.2.4 Privacy by design
Digital identity systems and systems that use biometrics need to be designed in such a way that they cannot fail, even when political regimes and the will of legislators do [63]. This core concept, derived from the Privacy by Design school of thought, is particularly important in the case of biometrically-enhanced digital ID systems. If an individual can be uniquely identified by a strong biometric like an iris scan, there is a great burden on the designers of that system to ensure failsafes for the individuals who hold that identity. This kind of design is becoming more technically possible, but there is not yet a deployment that would sufficiently protect identity holders from abuse of the identity by those in power. All jurisdictions would benefit from an approach that considers privacy by design in biometric identity systems; however, it should not be seen as a substitute for legislation or other protections.
The technique of biometric encryption and “untraceability” provides a starting point for the kind of privacy by design work that might ensure that a digital ID or other biometric use could not be misused by a government in power, or by a company. Ann Cavoukian, former Information and Privacy Commissioner (IPC) of Ontario, Canada, when in office had the prescience to craft and adopt a policy for biometric technology use in the late 1990s [66]. The protections are remarkable for their time and include use of untraceable biometrics supported by policy. This came about when the City of Toronto wanted to introduce biometrics in order to reduce fraud in public services. Commissioner Cavoukian crafted a policy proposal for the government, and urged formal legislation to enshrine those practices.
The IPC proposal stated the following:
- The biometric (in the case of the City of Toronto, it was a finger scan) should be encrypted;
- The use of the encrypted finger scan should be restricted to authentication of eligibility, thereby ensuring that it is not used as an instrument of social control or surveillance;
- The identifiable fingerprint cannot be reconstructed from an encrypted finger scan stored in the database, ensuring that a latent fingerprint (that is, one picked up from a crime scene) cannot be matched to an encrypted finger scan stored in a database;
- The encrypted finger scan itself cannot be used to serve as a unique identifier;
- The encrypted finger scan alone cannot be used to identify an individual (that is, in the same manner as a fingerprint can be used);
- Strict controls on who may access the biometric data and for what purposes should be established;
- The production of a warrant or court order should be required prior to granting access to external agencies such as the police or government organisations;
- Any benefits data (personal information such as history of payments made) are to be stored separately from personal identifiers such as name or date of birth.
The Social Assistance Reform Act of Ontario, Canada was passed in 1997. The legislation required the following:
- That biometric information collected under the Act must be encrypted;
- The encrypted biometric cannot be used as a unique identifier, capable of facilitating linkages to other biometric information or other databases;
- The original biometric must be destroyed after the encryption process;
- The encrypted biometric information can only be stored or transmitted in encrypted form, then destroyed in a prescribed manner;
- And, no program information is to be retained with the encrypted biometric information.
The final legislation also included a specific provision that no one administering the biometric system could implement a system that can reconstruct or retain the original biometric sample from encrypted biometric information, or that can compare it to a copy or reproduction of biometric information not obtained directly from the individual.
While the final legislation was not as complete as the initial IPC recommendations, it stands as a groundbreaking and forward-looking piece of biometric regulation. It is important for its technical protections combined with the policy protections of not allowing biometric reconstruction or transactional tampering. Additionally, the legislation kept the data in a localized “silo,” requiring that it not be networked into other databases or a larger system, thus preventing linkages. For example, the social assistance data would not be readily accessible to potential employers. The City of Toronto achieved its goal of reducing fraud, and the IPC achieved its goal of protecting consumer privacy.
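To make the properties listed above concrete (an encrypted biometric that still authenticates eligibility, cannot be inverted to the original sample, and cannot serve as a linkable identifier), the following is an added illustration, not code from the IPC, the Ontario system, or this paper. It implements a fuzzy commitment, one of the constructions usually grouped under “biometric encryption”: a fresh random secret is encoded with an error-correcting code and XORed with the biometric template, and only that masked value plus a hash of the secret is stored. The binary template, the repetition code, the 16-bit secret, and the 112-bit size are simplifying assumptions chosen for readability; production schemes use feature extraction, far longer secrets, and stronger codes such as BCH, and the scheme's security rests on the template having enough entropy.

```python
import hashlib
import random
import secrets

KEY_BITS = 16                      # length of the secret bound to the biometric (assumed, toy size)
REPEAT = 7                         # repetition-code block size: corrects up to 3 flipped bits per block
TEMPLATE_BITS = KEY_BITS * REPEAT  # 112-bit binary biometric template (assumed abstraction)


def encode(key_bits):
    """Repetition code: each secret bit becomes REPEAT identical codeword bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority vote per block; recovers the secret bit if fewer than half the block is flipped."""
    return [int(sum(codeword[i:i + REPEAT]) * 2 > REPEAT)
            for i in range(0, len(codeword), REPEAT)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def enroll(template, rng=None):
    """Bind a fresh random secret to the template.

    Only the masked codeword ("helper data") and a hash of the secret are retained;
    the secret and the raw template are discarded, so the record alone neither
    reveals the template nor acts as a stable identifier (each enrolment differs).
    """
    rng = rng or secrets.SystemRandom()
    key = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)
    return {"helper": helper,
            "key_hash": hashlib.sha256(bits_to_bytes(key)).hexdigest()}


def verify(record, probe):
    """True iff the probe is close enough to the enrolled template to recover the secret."""
    key_guess = decode(xor(record["helper"], probe))
    return hashlib.sha256(bits_to_bytes(key_guess)).hexdigest() == record["key_hash"]


def constructed_template(seed):
    """Constructed sample data standing in for a real finger-scan template."""
    gen = random.Random(seed)
    return [gen.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    template = constructed_template(1)
    rec = enroll(template, random.Random(10))      # seeded only so the demo is reproducible
    # Noisy re-capture: 3 flips in block 0 and 1 flip in block 5, within the code's capacity.
    good_probe = flip(template, [0, 1, 2, 35])
    # Too noisy: 4 flips in block 0 defeat the majority vote, so the secret is not recovered.
    bad_probe = flip(template, [0, 1, 2, 3])
    impostor = constructed_template(2)
    rec_again = enroll(template, random.Random(11))  # same person, second enrolment
    return {
        "genuine_accepted": verify(rec, good_probe),
        "too_noisy_rejected": not verify(rec, bad_probe),
        "impostor_rejected": not verify(rec, impostor),
        # Two enrolments of one template share nothing matchable by equality.
        "re_enrolment_unlinkable": (rec["helper"] != rec_again["helper"]
                                    and rec["key_hash"] != rec_again["key_hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

The stored record answers only the question the IPC proposal allowed, “does this live sample belong to the enrolled person?”, and does so without keeping the sample: a latent print cannot be matched against it by reversing the mask, and because every enrolment uses a fresh secret, the record cannot be used as a cross-database key. The caveat a practitioner should keep in mind is that the mask is only as unpredictable as the template behind it; a low-entropy template, or the simple repetition code used here, leaks far more than this toy suggests, which is why the legal requirements above were paired with strict access and siloing rules rather than relying on the encryption alone.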
Today many potential opportunities exist to use technical biometric protections in a way that enhances consumer privacy, dignity, and autonomy. However, the best practices, knowledge, and discussion must be public, ongoing, and robust in order for this to occur.
Many additional principles for legislation exist; this has been by no means a complete list. OECD Fair Information Practices, Europe’s GDPR, the ID4D Principles on Identification, India’s Group of Experts’ report, and the Do No Harm principle all stand as important sources for legislative guidance in the area of digital biometric identity.