
The relationship between biometrics and privacy is entirely shaped by the design of the systems and the framework within which private and personal data is handled. Unfortunately, in developing countries, including ours, the adoption of biometrics has not been accompanied by an adequate discussion of privacy concerns. Biometrics can be a staunch friend of privacy when the technology is used to control access and restrict unauthorized personnel from gaining access to sensitive personal information.
Privacy Risks Surrounding Biometric Data Usage
Biometric data is intrinsic to a person and cannot be easily changed if compromised. The most pressing and significant privacy risks concerning the extensive use of biometric data are:
- Unauthorized Access and Data Breaches: Since biometric data is often stored in centralized databases, it becomes a prime target for hackers. If breached, the consequences are severe because, unlike passwords, biometric data cannot be reset or replaced. Additionally, biometric data collected for one purpose, for instance, unlocking a phone or entering a building, can later be used for unintended purposes, often without the individual’s consent. This allows organizations to expand the use of biometric data, diluting individuals’ control over their data, and can lead to a loss of privacy. The lack of transparency exacerbates the risks of function creep and misuse.
- Identity Theft and Fraud: Even though biometric data is often considered more secure than traditional passwords, it is not foolproof. Technologies like facial recognition and fingerprint sensors have been successfully spoofed using photos or synthetic versions of a person’s biometrics. If a malicious actor replicates an individual’s biometrics, it can lead to identity theft, where fraudsters gain access to secure areas, accounts, or sensitive information. Unlike traditional credentials like passwords or credit card numbers, biometrics cannot be reset once compromised. If stolen, individuals have no recourse for revoking or replacing their biometric identifiers, which could result in long-term privacy risks and identity theft.
- Consent and Lack of Control: One of the biggest privacy concerns is that biometric data can be collected without a person’s knowledge or consent. For instance, facial recognition cameras in public places or fingerprint sensors at work may scan individuals without explicit consent, eroding the ability of individuals to control when and where their data is captured. In some cases, individuals may be coerced into providing their biometric data, whether by employers, government agencies or service providers. Employees may be forced to use fingerprint time clocks, or citizens may be required to provide biometrics for national identification programs, with almost no option to opt out.
- Discrimination and Bias: Many biometric systems, particularly facial recognition algorithms, have been shown to exhibit racial and gender biases. Studies have demonstrated that facial recognition is often less accurate for people of colour and women, leading to false matches or unfair treatment. This could result in wrongful arrests, denial of services, or discriminatory surveillance.
- Third-Party Sharing and Commercialization: Companies that collect biometric data often use it for commercial purposes, including selling it to third parties, such as advertisers, insurance companies, or data brokers. This commercialization of biometric data without individuals’ knowledge or consent raises concerns about how deeply personal information is being used for profit.
- Cross-Border Data Transfers: Biometric data collected in one jurisdiction may be shared or transferred to other countries with less stringent data protection laws. This can increase the risks of misuse, particularly when data is sent to governments or corporations in regions with lower privacy standards.
Reasonable Expectation of Privacy and Biometric Data
The sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach. It expresses a right to be left alone. The right to privacy exists when there is a reasonable expectation of privacy. Data such as medical information would be a category to which a reasonable expectation of privacy attaches. There may be other data that falls outside the reasonable expectation paradigm. A reasonable expectation of privacy does not cover face photographs for the purpose of identification. Barring unpublished intimate photographs and photographs pertaining to confidential situations, there will be no zone of privacy regulations protecting normal facial photographs meant for identification. Face photographs are given by people for driving licenses, passports, and voter ID, among others, and reveal no information.
The expectation of privacy varies across datasets in the Aadhaar Act, which distinguishes between demographic information, optional demographic data, and core biometric information, like fingerprints and iris scans. The Aadhaar Act primarily utilises non-sensitive demographic information where privacy expectations are low. Core biometrics, collected for public authentication, do not intrude on individuals’ reasonable expectation of privacy, as fingerprints and iris scans are merely identifiers.
As the authentication of identity entails the collection, processing, sharing, storage, and ultimately purging of biometric data, the Supreme Court has advised government agencies and commercial entities to establish a “compelling legitimate purpose” in using such data, given its significant impact on the “right to privacy” of citizens. The legal definition of “reasonable expectation of privacy” is critical in determining how privacy protections apply, particularly with the increasing use of biometrics.
To address this, the legal framework surrounding the reasonable expectation of privacy must evolve, keeping in mind the following considerations:
- Scope of Data Collection: Biometric data is often collected in settings where privacy risks are overlooked. The reasonable expectation of privacy should recognise that biometrics are unique, immutable identifiers, hence necessitating stronger consent and transparency. Legal definitions must differentiate between consent-driven biometric use and surveillance-driven collection.
- Informed Consent and Control: The legal framework should require explicit and revocable consent for biometric collection and use. The concept of reasonable expectation of privacy should include the individual’s ability to control their biometric data, i.e. who collects it, how it is stored, and its usage. Organizations collecting biometrics must clearly explain the purpose of data collection and potential third-party sharing.
- Public Spaces and Private Spaces: The assumption that individuals have a lower expectation of privacy in public space needs reconsideration. Courts should recognise that individuals do not expect constant tracking in public and may have heightened privacy expectations in public spaces such as airports and corporate offices.
- Biometric Data as Personally Identifiable Information (PII): Since biometric data is distinct and irrevocable, its treatment as sensitive Personally Identifiable Information (PII) is likely to become more central to privacy laws. The reasonable expectation of privacy in biometrics should reflect the fact that these identifiers cannot be changed if breached or misused, unlike passwords or credit card numbers.
- Duration of Storage and Data Security: Regulations should address how long biometrics can be stored and individuals’ rights to request deletion, as underscored in the DPDP Act. At the time of collection, individuals must be informed about the collection procedure, the intended purpose of the collection, the reason why the particular data set is requested and who will have access to their data. Additionally, the retention period must be justified, and individuals must be given the right to access, correct, and delete their data at any point in time, a procedure that is similar to the opt-out option.
- Security Standards: Given the sensitivity of biometric data, laws should impose strict security and encryption standards for its storage and transfer. A failure to ensure adequate protection of biometrics will violate the reasonable expectation of privacy if an individual assumes their unique identifiers are being properly safeguarded.
Looking Ahead
In today’s digital age, the significance of biometric data surpasses traditional personal information, heightening privacy concerns. Privacy protection does not demand the prohibition of data collection but emphasizes the need for clear, provable guarantees that biometric data will only be used for approved purposes. In any of the programmes employed, it is imperative that the state takes strong data privacy measures to prevent theft and abuse. It is vital that state action ascertains security vulnerabilities while developing an identification system.
A reasonable expectation of privacy must be central to any framework governing biometric data, recognising that these identifiers require stronger consent and transparency. Programs involving biometric data should differentiate between consent-driven collection and surveillance practices, ensuring the maintenance of individuals’ control over their data.