Ethics is the key to responsible biometrics

When used responsibly, biometrics provides powerful identity management and protection capabilities, mitigating the risks for users and organisations of credential theft and unauthorised access to digital and physical assets. But it can also be used in ways that lead to ethical concerns, including activities such as mass identification for demographic profiling.

Businesses must take responsibility for all aspects of their operations. If a business is deploying technology in an irresponsible way — using facial recognition for mass identification, for example — there are probably going to be other indicators in the way they do business.

Ultimately, it’s up to biometric vendors and the wider industry to drive and promote the responsible use of biometrics, and to push back when a customer wants to use the technology in a way that isn’t ethical or morally responsible. When considering a biometric program, look at who your vendors do business with and what projects they support their technology being used for.

There are two main use cases for deploying biometrics: verification of someone’s identity to confirm they are who they say they are or identifying someone, such as finding a person of interest from a security camera feed. In both cases, there is a responsibility to act ethically and within the law. However, this is challenging as the ethical and legal frameworks are developing in parallel with the technology. I believe a biometric program must be founded on consent, with users given clear information about how and where their biometric information is being used, as well as the value or benefits they receive from its use.

Using biometrics to verify identity

The use of biometrics to log into systems and devices entered the mainstream with the advent of fingerprint and facial recognition systems in many consumer devices. But these types of biometric applications have been used for many years.

When an organisation chooses to use biometrics to secure a system, there must be informed consent on the part of the people providing their fingerprint, face or other identifying characteristic to create a credential. That credential should only ever be used for the specific purpose for which it is intended. For example, if an employer, or some other party, uses facial recognition as a form of authentication, then the user’s biometric data or other identifying data should not be used for some other purpose or passed on to a third party without consent.

There is some community concern that biometric markers — which are immutable — may end up falling into the wrong hands and used for identity theft. This concern has given rise to suspicion about the use of biometrics, particularly facial recognition, for surveillance purposes.

VIEW ALL

Australia’s Privacy Act and the supporting Australian Privacy Principles are clear about the obligation to inform people when identifying information is collected and how it’s stored, shared and used. And while these are legal obligations, they also make ethical sense. There are also global standards that guide the use and applications of biometric technology, including ISO/IEC 24745:2022, which defines the principles of confidentiality, integrity and privacy protection of biometric information to protect users and systems from the misuse of biometric data and credentials.

Using biometrics to identify a person of interest

When public events are videoed or photographed, it’s possible for those images to be used to create a biometric database. For example, a photographer could shoot thousands of images at a community sporting event and load those images into a biometric matching engine so people can find photos of themselves. However, while there is a benefit to the participants who can find their photos, it is unlikely the users have consented to being in a biometric matching system.

Event organisers need to ask questions about the retention and use of participant photographs. This includes things like the use of biometric recognition and the ability for individuals to have images removed from the biometric database. And access to the database should also be gated so it can’t be searched by parties whose motives may not be in line with the intended purpose of the data.

When a government agency, business or a not-for-profit organisation collects biometric data it must do so with the full and explicit knowledge of the parties involved. That data must only be used for a specific, declared purpose and not used for some other, previously undisclosed application.

Responsible biometrics is an extension of good identity governance. You wouldn’t expose personal information or usernames and passwords to a third party. It’s important to apply the same principle to biometric credentials and data. And it’s up to vendors and consultants to take a leadership position and ensure biometric systems are only put in the hands of responsible users for ethical purposes.

Blair Crawford, CEO and co-founder, Daltrey.