Biometrics

Friday, April 2, 2010

LEGAL AND POLICY IMPLICATIONS

Biometric technology for identification and authorization originated in applications such as border control, visa information, crime prevention, and access control. While there do not seem to be any policies, laws, or regulations written exclusively for mobile applications of biometrics, it is apparent that one has to take cognizance of the existing ones and apply them to mobile phones. In this context, we present a broad view of the existing policies, laws, and regulations prevailing in the USA.

Privacy and Personal issues
Only a small percentage of people cannot be enrolled using fingerprint technology because their finger ridges have become dry, worn with age, or worn from using corrosive chemicals. Some people have reservations about enrolling, either because they associate fingerprinting with criminal investigations or because they consider touching a scanner unhygienic. There is also concern that fingerprints collected for one purpose could be used to track an individual’s activities elsewhere.

Use of biometric methods does involve intrusion into one’s privacy in varying degrees. On the other hand, it has been established beyond doubt that biometrics offer another layer of security, though it may not be 100% efficient, as is the case with any other authentication or identification system. Therefore, a pragmatic approach to this issue would be to draw up a spectrum of authentication and identification depending on the purpose.

The General Services Administration (GSA) recently recognized this fact when establishing “Levels of Trust” for E-Authentication. Importantly, the GSA levels include the ability for government to allow individuals to be authenticated pseudonymously. (See OMB Memo 04-04 to Federal Agencies: http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf.)

Most interactions with the government fall somewhere in between expectations of complete anonymity and a detailed investigation. If there is no true spectrum of authentication choices (from anonymity to pseudonymity to full identity) for use, all expectations of privacy will erode simply because government will be forced to treat every interaction as investigative. In properly determining how best to enhance both liberty and security, it is useful, therefore, to have some basic principles for assessing a particular biometric technology. Such a code of principles ought to include the following:

• Enrollment in biometric systems should be overt instead of covert.
• Biometric systems are better used for verification rather than identification.
• Biometric systems should be designed to operate with local storage of the data (e.g., on card templates) rather than with central storage. Centralized storage of biometric data raises privacy concerns and also tends to permit more ready mission creep. Clearly for some technologies and applications local storage will not be feasible—but to the extent it is practicable, local storage should be preferred.
• Similarly, we should prefer biometric systems that are “opt in” and require a person to consent, rather than those that are mandatory. Mandatory applications should be exceptions to this rule.
• For privacy and security reasons, one should prefer biometric systems that reduce the biometric to a template, rather than maintaining a stored image. Generically, templates are harder to falsify. Images, however, may be somewhat easier to encrypt. In the end, the choice will very much depend on the application.
• Similarly, where feasible, biometric systems should consider the use of forms of verified pseudonymity, where the authorization for use by the identified individual is conveyed while the identity is concealed unless and until suitable authorization for piercing the veil of anonymity is received.
• Any biometric system should have strong audit and oversight programs to prevent misuse.
• One must take care to monitor, audit, and periodically test the enrollment process. Enrolled data should also be subject to routine secondary review to identify those mistakenly enrolled in the first instance.
• Have in place a suitable secondary identification system for use when the primary biometric system fails or provides an inconclusive result. It will not do, for example, for the backup to a biometric system to be a simple, insecure signature verification.

In the end, biometric technologies can be privacy-neutral. They can and should be designed with appropriate protocols to ensure privacy before they are implemented. Those protocols can both be part of the hardware (and thus designed into the system) and enhanced through operational guidelines and systems oversight that address privacy concerns.

US Government guidelines on privacy related to Biometrics

Two documents that serve as guidelines for understanding and implementing the privacy aspects of biometrics are discussed below. Detailed documents are available at http://www.biometrics.gov/docs/privacy.pdf
1. “Privacy & Biometrics – Building a Conceptual Foundation”, issued by the National Science and Technology Council (NSTC), last updated on September 15, 2006.
This document seeks to connect privacy and biometrics at a structural level so that both fields can be understood within a common framework.
2. “Privacy Technology Implementation Guide”, issued on August 16, 2007 by Homeland Security, offers assistance to technology managers and developers in understanding privacy protections as they design, build, and deploy operational systems.

Reference:
http://www.docstoc.com/docs/22684506/BIOMETRIC-TECHNOLOGIES-SECURITY--LEGAL-/
http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
http://www.biometrics.gov/docs/privacy_guide_ptig.pdf
