Biometric systems

9.64 Biometric systems enable unique behavioural or physiological attributes of people to be used for identification and authentication.[126] Major biometric technologies include finger scanning, facial recognition, iris and retinal scanning, finger geometry, voice recognition and dynamic signature verification.[127] Other biometric technologies include ear geometry, body odour measurement, keystroke dynamics and gait recognition.[128] In addition, palm vein biometric systems are being developed for application in Automated Teller Machine (ATM) transactions.[129]

9.65 In a typical biometric system, a biometric device, such as a finger scanner, is used to take a biometric sample from an individual.[130] Data from the sample are then analysed and converted into a biometric template, which is stored in a database or an object in the individual’s possession, such as a smart card.[131] Later biometric samples taken from the individual then can be compared to the stored biometric information to determine who the individual is (identification, or one-to-many matching) or to attempt to authenticate or verify that an individual is who he or she claims to be (verification, or one-to-one matching).[132] One-to-one systems currently provide higher accuracy of matches, although the accuracy of biometric systems varies greatly between systems.[133]

9.66 Biometric technologies have existed for decades.[134] The use of biometric technologies is increasing, however, because of globalisation, developments in information technology, and the desire to identify individuals in order to manage security threats such as terrorism.[135] Biometric systems enable the identity of an individual to be ascertained or authenticated with a fair degree of certainty. Further, advances in biometric technologies mean that biometric systems are now automated, allowing for ‘mass identity checks within seconds … with a sufficient degree of certainty’.[136] For this reason, biometric technologies are increasingly used in identification systems, along with other passwords or identity objects, such as smart cards.[137]

9.67 Since 2003, members of the European Union have been required to take fingerprints from all asylum seekers over the age of 14. These fingerprints are then compared to those in a centralised database to determine whether an asylum seeker has previously sought asylum in another Member State.[138] In addition, in 2003, the International Civil Aviation Organisation (ICAO) published ‘a global, harmonized blueprint for the integration of biometric identification information into passports and other Machine Readable Travel Documents (MRTDs)’. The ICAO standards require MRTDs to include a facial image in a contactless chip.[139]

9.68 Biometric systems are also being introduced by the Australian Government. For example, in 2003, legislation was passed enabling officials to collect certain types of biometric information from non-citizens in Australia.[140] The legislation aims to ensure that non-citizens are identified accurately in order to enable officials to prevent identity fraud in the visa application process, to determine which non-citizens are of national security concern, and to detect forum shopping by visa applicants.[141] Further, in October 2005, the Australian Government introduced the ‘ePassport’—a passport with an embedded microchip containing, among other things, a digitised facial image of the passport holder.[142] From 2007, those holding an ePassport could use an automated border security system called ‘SmartGate’ in two airports in Australia. The SmartGate system uses facial recognition technology to perform the customs and immigration checks normally performed by Australian customs officers.[143] Australian ePassport holders will also be able to participate in the United States Visa Waiver Program.[144]

9.69 Biometric systems increasingly are being used or contemplated by organisations, including in methadone programs, taxi booking services, ATMs and online banking, and access to buildings.[145]

9.70 The use of biometric technologies raises a number of privacy concerns. These may vary according to the context in which the biometric information is collected and the type of biometric system in operation.[146] Some of the general concerns are as follows.

9.71 First, there is a concern that widespread use of biometric systems will enable extensive monitoring of the activities of individuals.[147] This is so particularly if the same form of biometric information is used to identify individuals in a number of different contexts—that is, if a type of biometric information is used as a unique multi-purpose identifier.[148] Secondly, there is a concern that biometric technologies, such as facial recognition technologies, may be used to identify individuals without their knowledge or consent.[149] Thirdly, there is a concern that biometric information could reveal sensitive personal information, such as information about a person’s health or religious beliefs.[150] Fourthly, there is a concern that the security of biometric systems could be compromised and that biometric information stored in a central or local database, or on an object in the possession of an individual, could be acquired by those wishing to use it for some kind of gain.[151] Finally, the accuracy and reliability of many biometric systems are still unknown,[152] causing some to express concern about the potentially serious consequences for an individual who is falsely accepted or rejected by a biometric system.[153]

9.72 The Council of Europe has cautioned that biometric systems should not be implemented for the mere sake of convenience.[154] It has recommended that before introducing a biometric system

the controller should balance the possible advantages and disadvantages for the data subject’s private life on the one hand and the envisaged purposes on the other hand, and consider possible alternatives that are less intrusive for private life.[155]

[126] Biometrics Institute, Biometrics Institute Ltd <www.biometricsinstitute.org> at 5 May 2008; Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 10–11; Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [16].

[127] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 4.

[128] Ibid, 4.

[129] Fujitsu, R&D—Fujitsu Palm Vein Technology (2007) <www.fujitsu.com/global/about/rd/200506palm-vein.html> at 24 April 2008.

[130] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 17.

[131] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [16]; Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 17.

[132] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 17.

[133] See, eg, Y Wei Yun, The ‘123’ of Biometric Technology (2002), 91–93.

[134] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [8].

[135] Ibid, [12].

[136] Ibid, [8].

[137] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 13–14.

[138] European Commission, EURODAC: The Fingerprint Database to Assist the Asylum Procedure (2004).

[139] International Civil Aviation Organization, ICAO Recommendation <mrtd.icao.int> at 24 April 2008.

[140]Migration Act 1958 (Cth) ss 5A, 40, 46, 166, 170, 172, 175, 188, 192.

[141] Explanatory Memorandum, Migration Legislation Amendment (Identification and Authentication) Bill 2003 (Cth).

[142] A Downer (Minister for Foreign Affairs), ‘Australia Launches ePassports’ (Press Release, 25 October 2005).

[143] Australian Customs Service, SmartGate (2006) <www.customs.gov.au/site/page.cfm?u=4243> at 4 September 2006.

[144] United States Government Department of State, Visa Waiver Program (VWP) (2006) <travel.state.gov/visa/temp/without/without_1990.html> at 24 April 2008.

[145] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 240.

[146] M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002).

[147] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 12.

[148] M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002). Multi-purpose identifiers are discussed further in Ch 30.

[149] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 12–13.

[150] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), 6; M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002).

[151] Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 13–15.

[152] Ibid, 36.

[153] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005); Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 10.

[154] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [107].

[155] Ibid, [107].