PEOPLE ARE in effect giving up a piece of their bodies when they provide personal biometric data, meaning tight controls are needed to ensure the data is properly used, according to the Irish Council of Bioethics.
The council this morning publishes a considered opinion, “Biometrics: Enhancing Security or Invading Privacy?”
The substantial document raises important questions about the increased use of biometric data, such as fingerprints, iris scans and voice recognition, as a proof of identity.
In it the council expresses serious concerns about how personal biometric information is collected and stored and whether there are sufficient controls on who can have access to it.
The increased use of biometric data for comparatively trivial reasons encouraged the publication, according to council director, Dr Siobhán O’Sullivan.
It was also because Ireland has a growing number of companies developing biometric technologies, particularly around Dublin’s Digital Hub.
“It is a little-known fact that Dublin is the European hub for biometrics,” she said, adding that 10 to 12 companies are already operating here. “Biometrics are put forward as a way of enhancing personal security, but we also wanted to see what the threats were,” Dr O’Sullivan said.
“The ubiquity of biometrics begs the question whether any of us can lead truly private lives anymore.” Use of biometrics required the surrender of “pieces of people’s bodies effectively”.
While there were situations where biometrics could enhance security, there were worries about its overuse, and its application in situations not commensurate with the potential risk.
The compulsory application of the technology was also a concern, she said. “We think that is a very serious issue where there is compulsory application of biometrics.”
All Irish passports issued since 2005 carry biometric information, a chip that contains a digitised version of the passport photo. It was impossible to travel to places such as the US now without this biometric data, she said.
But it was also in use to control access to buildings and for monitoring employee time and attendance, usually by scanning a thumb print, she said. A south Dublin school had proposed its use to monitor student attendance. For this reason it was necessary to consider controls on its use. The council was not looking for new legislation, Dr O’Sullivan said. The Minister for Justice set up a committee 12 months ago to review provisions of the existing Data Protection Act.
“What we are saying is we would like to see the use of biometrics reflected in the Data Protection Act in light of that review,” she said.
The council raised questions about the type of information collected and whether the amount collected was actually required, how information was stored and whether there was any inappropriate sharing of that information.
It concluded any use of biometrics should be matched to the assumed risk. “We want to see that any system introduced is proportional to the perceived risk involved,” she said.
It also suggests there should be a balance between individual rights and those of society as a whole.
“The [council] recommends that where the common good is to be used as an explanation for using biometrics, then a detailed justification must be provided.” This was particularly true where its use was compulsory.
It argues that information collected should not be shared without cause, should not be held for longer than necessary and when no longer needed should be deleted.
Biometrics should also be applied in an open and transparent way so that people understand the consequences of their decision to participate or not.
KEEPING TRACK: HOW BIOMETRICS WORKS
EXAMPLES OF biometrics already in use in Ireland and abroad include fingerprint recognition for building access, secure computer log-on and monitoring of employee time and attendance by companies such as Tesco, Dunnes Stores and the Cavan and Galway county councils.
The Abbey Theatre uses biometric time and attendance systems. When introduced and then challenged by some union members, the Labour Court in a judgment regarded the system as "ongoing normal change" and recommended acceptance of its use.
Irish schools have begun piloting fingerprint recognition as a way to control school access, monitor attendance and give access to services such as the library. The system automatically produces a text message or e-mail to notify parents of their child's absence or lateness.
In 2008 Griffith College introduced fingerprint readers to enforce class attendance by non-EU students, who as a condition of their visas must attend at least 80 per cent of classes.
Since 2005 Irish passports include chips that support facial recognition by providing a duplicate picture of the passport holder.
Buywayz Ltd uses a voice-recognition system allowing farmers to conduct business with the company over the phone. A stored voiceprint is used to confirm the identity of a customer before an order can be placed.
A UN refugee programme on the Pakistani-Afghan border uses an anonymous biometric database to manage the allocation of aid. An iris reader tracks who has received food parcels and warns if a person already received one.
The Pakistani government developed an integrated database containing 80 million citizens as part of its national identification programme using both face and fingerprint recognition systems. It provides huge data mining capabilities, for example the ability to link members of a family.