Biometrics, or the measurement of physiological or behavioral characteristics for authentication or identification, has potential for enormous positive impact on such areas as law enforcement, data protection, counter-terrorism and border security.
Yet concerns about privacy have given some people pause. When considering biometrics, it’s important to understand the difference between anonymity and privacy – and why it matters.
“People sometimes confuse privacy and anonymity,” says John Mears, Senior Fellow, Homeland Security Solutions at Leidos. ‘Many don’t understand the difference, and the relationship of the two things to the concept of trust.” For Mears, being recognized in an encounter at a store or while walking down the street can be embarrassing in certain situations, especially if you can’t remember the other person’s name, but that’s the extent of it. “There’s no harm in somebody recognizing me,” he says. “My privacy hasn’t been invaded because I’m walking down the street or going to the store.”
In fact, privacy doesn’t require anonymity and anonymity doesn’t guarantee privacy. “For instance,” Mears says, “those robo-calls I get in the evenings sure feel like an invasion of privacy at dinner time, but I know they have no idea to whom they are speaking when – or if – I answer.” In this case, anonymity didn’t guarantee privacy. As a result, Mears says that he’s begun to screen calls based on caller-ID. “I’ve learned to mistrust caller IDs that I don’t recognize,” he says.
Which brings up another important point – the relationship between anonymity, privacy, and trust. “Knowing someone is necessary but not sufficient to trusting them,” Mears says. “I’ll take calls from people and companies I know and trust – unless they abuse that trust in some way.” Whether you decide to trust a person or a company or not depends fundamentally on being able to identify them and to associate their behavior with their identity uniquely. This is true not only for individuals, but also for companies or countries.
For instance, trusting a foreign national to enter into a country depends on biometrically identifying them, and associating past records about that person with that unique identity. We don’t necessarily know if the person is traveling under an assumed name or with a stolen passport, but the biometrics will reveal the truth. While biometric identification currently legally applies to foreign travelers crossing borders, Mears says that he’d like to see it apply to all travelers, including citizens. “I’d like some assurance that someone can’t steal my biometric-enabled ePassport and board a plane illegally with it, just because the thief claims he’s a citizen, and therefore exempt from verification.” Of course this brings us back to questions of privacy and anonymity and trust for the process. “Why should I trust someone I barely know on the other side of the world and not trust our own national travel security processes?” Mears asks. Especially when there are so many protections in place.
“In the U.S., we have no less than 29 federal laws covering protections of various aspects and definitions of privacy,” says Mears. “There is no guarantee of anonymity in any of our laws.” In the case of biometrics, the loss of anonymity itself isn’t harmful; it’s what happens when someone is identified that counts. For identified bad people, we want protection for the rest of society. For innocent people, we want protection from fraud and unnecessary invasions of privacy. Strong identity helps sort them out in either case. “Strong identity concepts, pervasively implemented, are keys to a high-functioning society.”
Whether you are a government or a company, how do you maintain the public’s trust when implementing strong identity practices that include biometrics? At the highest level, the answer to this question revolves around communications, being transparent about identity policies, and periodically verifying adherance to those policies. In the case of the government, agencies involved in identity verification practices publish privacy impact assessments, which are publicly available. Companies aren’t subject to such regulations, so the International Biometrics and Identity Association, as well as the Biometrics Institute and the Security Industry Association have published recommended best practices for trustworthy companies. Generally they state that organizations should provide notice of when and where biometrics are being used and for what purpose, and be transparent with their customers or users in defining what is collected and for how long it can be stored, and on whether information can be shared and with whom. With the right transparent policies in place, rigorous biometrically-verified identity can be both beneficial to society, as well as preserving of privacy and trust.
Stuart Andrews has been writing about technology and enterprise IT for 20+ years, writing for many of the UK’s best-known newspapers, magazines, and websites.