Biometrics – coming to a body part of you
We are all a little more discerning about where our private information is going. But how do we do this when some of it can be read right off our faces? Stuart Corner explores the ins and outs of biometrics.
“You are all individuals” says the Christ character in the Monty Python movie Life of Brian to an adoring crowd, which refutes this by replying in unison, “We are all individuals.”
But Brian was right. Every human being is unique, even identical twins. No two human beings are identical. Facial features have long been used to identify an individual; think back to those wanted posters in old western movies. The first attribute used to scientifically and confidently identify an individual in modern times was the fingerprint. It was used by US authorities in 1910 to secure a conviction.
However, Chinese records from the Qin Dynasty (221-206 BCE) detail the use of handprints as evidence in burglary investigations.
These achievements pale in comparison to what can be achieved with today’s biometrics technology. We are all happy to access our smartphones with fingerprint or facial recognition, and less happy about the widely publicised use of the latter by retailers Bunnings, Kmart and The Good Guys to identify people entering one of their stores.
But that isn’t even the half of it. Almost every personal attribute you can think of—and some you never would—is being investigated or actively exploited to uniquely identify you from every other one of the eight billion inhabitants of this planet.
Before we look at some of the myriad ways in which your parts, or the way you speak, walk or move your eyes are being exploited to identify you, it’s worth exploring some of the issues raised by the revelations about Bunnings et al.
Rage against the retailer
There are three main issues: consent, accuracy and obscurity.
Although the stores do carry notices informing shoppers that the technology is in operation, they are not prominent.
CHOICE surveyed more than 1,000 Australians about their awareness of facial recognition technology in March and April 2022. It found 76% of people were unaware that retailers were using facial recognition technology. However the publicity following from CHOICE’s ‘outing’ of these companies will have changed that.
Choice lodged a formal complaint with the Office of the Australian Information Commissioner (OAIC) and the OAIC announced on 12 July it would investigate the complaint. This follows an OAIC determination in October 2021 that 7-Eleven had used facial recognition when it was “not reasonably necessary for its functions and without adequate notice or consent.”
The second concern is accuracy. It’s one thing to use facial recognition at the passport gate under controlled conditions where the technology has a photo on file and knows who it is supposed to recognise. It’s much more challenging to image someone moving through a store and match them to a database of, potentially, thousands of facial images.
To reliably achieve this ‘on the fly’ recognition, a dedicated and sophisticated installation is needed.
Dubai International Airport has implemented such a system, one that is able to reliably recognise people on the move from their face. It requires them to walk through a tunnel that mimics those underwater aquarium tunnels by surrounding them with virtual fish. The idea is that people will look around at the fish enabling the system’s 80 cameras to capture multiple different facial images and hence deliver reliable, accurate recognition of individuals.
Thirdly, consumers have no knowledge of how the stores are handling the data gathered though facial recognition. University of the Sunshine Coast cyber intelligence lecturer Dr Dennis Desmond, was reported summing up the issues. “Is it being stored locally? Is it being stored off site? How is it being transmitted? Is it being stored in an encrypted format? Or is it in plain digital text or binary that could potentially be breached? If it’s being shared? How is it being shared? How often?”
Many means of recognition
Facial recognition is today the most widely deployed technology able to recognise individuals without their active involvement, but there are a surprising number of others in various stages of development. Used in combination they will certainly increase the accuracy of detection.
Every ear is unique, even those on the same person. There is reported to be a prototype car seat that can identify the person sitting on it. Iris recognition is well established, but apparently eye movements are also unique to each individual, as is body odour.
But identifying someone from personal attributes, facial or otherwise, is just the beginning. Back in 2009 a startup, Affectiva, was promoting its emotion detection technology as a market research product, offering real-time emotional reactions to ads and products. Today that company claims to be able to build up a complete view of human behaviour, action, and thought, by “combining facial expression data with measures of physiological arousal, brain activity, eye tracking and more.”
And in 2019, The Guardian reported: “Amazon, Microsoft and IBM now advertise ‘emotion analysis’ as one of their facial recognition products.”
Another technique for recognising individuals is skull conductivity. In 2016 researchers in Germany developed a technique they called SkullConduct that was able to identify a person because the way sound passes through each person’s skull is unique. It could be useful to personalise a VR headset or smart spectacles to the wearer.
According to the Biometrics Institute there are 16 personal attributes that can be used to identify an individual. Skull conductivity is not one of them, but in addition to those already described, and well-known ones like iris scans, it lists:
– Scleral veins in the eye: the sclera is the white part of the eye and when the eyeball turns either to the left or the right a network of veins is displayed.
– Retinas: the network of blood vessels in the retina is unique: even the two eyes of an individual are different.
– Finger geometry: the shape and surface area of each finger, its length, width, thickness and the distance between the fingers.
– Hand geometry: Hand geometry biometric systems measure the salient features of finger geometry, the surfaces of the hand and its side profile.
– Gait: physique, stride length and width, speed of movement, the angles formed by the joints at the hip, knee and ankle as well as the angles of the torso, thighs and feet can be captured on cameras for analysis.
– Veins: The arrangement of veins in fingers and hands form a unique pattern that can be used to identify an individual.
– Typing: Individual keyboard operators can be differentiated by characteristics such as the time taken to select, depress and release certain keys or sequence of keys, the underlying dynamics and rhythm of the keystrokes, the dexterity of each hand and common recurring errors.
The Biometrics Institute was founded in 2001 to promote the responsible and ethical use of biometrics and related technologies and its website is a good source of information on the ethical issues surrounding the use of biometrics.
The laws of biometrics
It has also developed three laws of biometrics to “prompt people using biometrics to remember the fundamentals of applying the technology responsibly and ethically.”
The laws are as follows:
Policy comes first: any use of biometrics is proportionate, with basic human rights, ethics and privacy at its heart.
Process follows policy: safeguards are in place to ensure decisions are rigorously reviewed, operations are fair and operators are accountable.
Technology guided by policy and process: know your algorithm, biometric system, data quality and operating environment and mitigate vulnerabilities, limitations and risks.
The Institute conducts an annual survey to “provide an insight into trends and developments from the past year as well as a forecast of what to expect in the future.”
In July it announced the results of its most recent survey. The full survey is restricted to members, but a summary is freely available.
From the responses the institute said: “digital identity remained the most significant development in the use of biometrics, followed by border control/security, artificial intelligence, national identity and digital wallets/driving licences. Digital identity is a topic that is dominating the discussions at our member events including the conversations amongst our border management community.”
A focus on digital identity
A digital identity is the information used by computer systems to represent a person, organisation or device. As the implementation of facial recognition by 7-Eleven and others demonstrates, the use of biometrics is largely unregulated, unless and until its use breaches some other regulation. The survey found strong support for this to change.
According to the Biometrics Institute: “There has been much discussion of licencing biometric applications in the industry and overall, just over half of these industry representatives (54%) agreed that all new or revised biometric applications (private or public) should be licenced prior to implementation.”
Clearly, biometric technology holds the potential to be a reliable means of creating and maintaining digital identity and there are moves afoot to legislate its use in Australia. The Digital Transformation Agency has done much work on digital identity, creating a Trusted Digital Identity Framework
In October 2021 an exposure draft of a Trusted Digital Identity Bill 2021 was circulated, but the bill was not introduced before Parliament was prorogued in April 2022.
A post on the proposed legislation from the Parliamentary Library, shortly after the election, outlined the system and detailed criticisms about architecture, security and biometrics, saying: “It is likely that the system will be progressed during the [current] Parliament [but] many variables will depend on how the incoming Labor Government responds to criticisms.”
In particular, it said: “The documentation available to date has been criticised for its lack of detail about some aspects, such as biometrics,” and “documentation available to date is ‘opaque on details’ about the proposed use of biometric matching.”
In a digital world, reliable and secure digital identity will be essential and biometrics—the digitisation and recognition of unique personal attributes—will clearly be key to any digital identity system, but there are many hurdles to be overcome before such a system, governed by legislation, is in place in Australia.
Until then, the ability of organisations to digitise, store, use and possibly abuse your unique personal attributes will be governed by the Privacy Act, which 7-Eleven was found by OAIC to have breached.
However, as the OAIC noted in its decision, although the definition of ‘sensitive information’ under the Privacy Act extends to “biometric information that is to be used for the purpose of automated biometric verification or biometric identification and biometric templates,” the Act does not define either ‘biometric information’ or ‘biometric templates’.