By Patrice Caine, Chairman and CEO of Thales Group
Name me a game-changing technology that hasn’t incited a heated debate…I’ll wait. Not that debate isn’t a good thing, it most definitely is – but it’s poorly argued stances that often grab the headlines, split public opinion, and erode trust.
So how do we reach a rational analysis of biometric technologies and their impact on society? To my mind, the first thing to do is to clear up three sources of confusion: what it means, how it’s used, and how secure it is.
“Biometrics” unfortunately still has negative connotations for many, linked closely to totalitarian images of mass surveillance. But recognising a person from their physical characteristics is not necessarily negative, or even particularly new. Civilisations have been doing this in some way since the second millennium BC, although fingerprinting only became a standard police practice in the late 19th century.
There’s no getting away from the fact that the permanence and individually identifiable nature of biometric data separates it from other kinds of data. But that doesn’t automatically make it more sensitive than other types of personal information. Your location data, for instance – or your bank details – would likely spark more of a reaction from the typical user if they were stolen, compared to your face. Don’t forget many of us have likely posted that publicly of our own free will anyway.
The two primary uses of biometric data – authentication and identification – have little to do with one another. Authentication is about providing a secure way for an individual to prove their identity, and there are various use cases that most of us have got used to. Biometric passports, for example, have been with us for some time, and using our faces or fingerprints is a common practice now to unlock our smartphones. But biometric identification is another matter, and it’s distorting the public debate to such an extent that some people are starting to confuse the two.
Identification for some crosses a line, because it is about identifying a person in a crowd, for example, with no action taken by them, and in some cases simply because they happen to be in a public space. As we know, misuse of these applications comes with risks attached, such as invasion of privacy or the restriction of individual freedoms. But these risks are no more serious or unavoidable than the risks around many other technologies. The difference is that society chooses to limit the risks for those through a combination of regulation and technical improvements, and we must do the same with biometrics.
In terms of security, biometric data is typically encrypted to protect it from unauthorised access. Encryption involves transforming the data into a coded form that can only be deciphered with a specific key. This ensures that even if the encrypted biometric data is intercepted, it remains unreadable and unusable without the proper decryption key. Advanced encryption algorithms and techniques are employed to safeguard biometric information, adding an extra layer of protection.
Authentication, which is the primary use of biometric data, relies on secure protocols and processes. When biometrics are used for authentication purposes, such as unlocking a smartphone or accessing a secure facility, the biometric data is compared against a stored template. This comparison takes place within secure systems and does not involve transmitting the raw biometric data. The stored templates are often encrypted and stored in a secure manner, further protecting the biometric information.
To mitigate the risks associated with biometrics, technological advancements in areas such as data encryption continue to improve the security of biometric systems. Additionally, tighter regulations and governance frameworks are crucial in ensuring the responsible and secure use of biometric data. The UK Government’s Science and Technology Committee, through its ongoing inquiry into the governance of artificial intelligence, is working towards developing robust frameworks that address security concerns and protect individuals’ privacy rights.
The UK debate around biometrics has witnessed significant developments. One notable example is the controversy surrounding the use of facial recognition technology by police forces. In 2019, the South Wales Police faced a legal challenge over the deployment of facial recognition systems, raising concerns about legality, effectiveness, and potential privacy infringements. Another instance is the scrutiny around the use of biometric data in schools, where it is used for things like meal payments. In 2018, a secondary school’s trial of facial recognition technology sparked criticism.
The Metropolitan Police has come under similar criticism and legal pressure and, alongside South Wales, commissioned research that was published in March 2023 by the National Physical Laboratory (NPL). It found that when Live Facial Recognition is used at a threshold setting of 0.6 or above, there is a “substantial improvement” in its accuracy compared to previous iterations, with fewer false positives.
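An added illustration, not part of the original article or the NPL research: how a match threshold trades false positives against missed matches in a 1:1 template comparison, and how a given false match rate compounds in a 1:N identification search. All scores are constructed, the function names are hypothetical, the score scale is not that of any real system, and the watchlist calculation assumes independent comparisons.

```python
# Constructed similarity scores (0..1), not measured data.
# GENUINE: probe compared with the same person's stored template.
# IMPOSTOR: probe compared with a different person's stored template.
GENUINE = [0.91, 0.84, 0.78, 0.73, 0.69, 0.66, 0.62, 0.58, 0.55, 0.47]
IMPOSTOR = [0.61, 0.52, 0.44, 0.41, 0.37, 0.33, 0.29, 0.24, 0.18, 0.12]


def error_rates(genuine, impostor, threshold):
    """Return (false match rate, false non-match rate) at a threshold.

    A comparison is accepted as a match when its score is >= threshold.
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def false_alert_probability(fmr, watchlist_size):
    """Probability that one person who is NOT on the watchlist triggers at
    least one match in a 1:N search (assumption: independent comparisons)."""
    return 1 - (1 - fmr) ** watchlist_size


def sweep(thresholds, watchlist_size):
    """Tabulate both error rates and the 1:N false alert probability."""
    rows = []
    for t in thresholds:
        fmr, fnmr = error_rates(GENUINE, IMPOSTOR, t)
        rows.append((t, fmr, fnmr, false_alert_probability(fmr, watchlist_size)))
    return rows


if __name__ == "__main__":
    print("threshold  FMR   FNMR  P(false alert, N=100)")
    for t, fmr, fnmr, alert in sweep([0.4, 0.5, 0.6, 0.7], watchlist_size=100):
        print(f"{t:9.2f}  {fmr:.2f}  {fnmr:.2f}  {alert:.5f}")
```

Raising the threshold lowers the false match rate at the cost of more missed genuine matches, and the same per-comparison rate that is tolerable for unlocking one phone becomes a near-certain false alert when every passer-by is compared against a large watchlist.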
The efforts and advancements made in securing biometric data should be acknowledged. By combining encryption, secure protocols, and appropriate governance frameworks, we can strike a balance between maximising the benefits of biometrics and safeguarding individual privacy and security. It will take an open and well-informed dialogue to successfully shape responsible and effective use of biometrics in the UK and beyond.