Title: CONCLUSIONS

Conclusions

This report analysed in detail the steps of a biometric authentication process and stressed that at all times the functionalities of biometrics, i.e. identification and verification, should be properly distinguished and understood. Specific models of application which are suggested in section should be kept in mind in order to facilitate the debate about the use and regulation of biometrics. These models can be summarised in five main types, according to the purposes for which the biometrics are used, the controller(s) and the type of control over the biometrics. The main types which were found and described are a government controlled ID model (Type I), an access control model (Type II), a public-private (mixed) model (Type III), a convenience model (Type IV) and a surveillance model (Type V). Control over the biometrics differs in each of these types and an appropriate regulation for many of these types, such as for example for the multilateral control and use of biometrics in travel documents or for the use of biometrics by employers for access control purposes of employees, is not in place yet. At the same time, the research describes that the decisions of the Data Protection Authorities show a great diversity in criteria and requirements applied to biometric systems, often leading to contrary decisions for similar systems. This does not at all concur with the harmonisation attempted by the Privacy Directive. The proportionality criterion which is invoked by these authorities is an area of further research. In addition, appropriate terms for the biometric process should be used. The standardisation work in general and the work on a harmonised vocabulary for biometrics, such as which is presently ongoing in ISO/JTC 1 SC 37, is indispensable for a good debate and understanding of the critical aspects of biometrics.

The report emphasised the various quality factors in the biometric capture and extraction process, in particular the system errors and failures in relation to both the verification and identification mode. It stressed that notions of FMR and FNMR become complex if biometrics are used in the identification mode as it is in that case not clear which reference template in the list with matches over the threshold really belongs to the individual. Especially in identification mode, the values of FMR(T) and FNM(T) are approximated calculations over the biometric variability of the identifiers within a population. These values are not calculated for each separate individual (as this is practically not feasible) and are also not dependant from the position of the compared templates in the feature vector phase space. The comparison functionality of biometric systems in the identification mode has therefore intrinsic limitations. Parties involved in the biometric process and regulators should understand this and the interpretation of the expected or promised values shall be made with care.  

This document has also further explored how biometrics may eventually become a primary and interoperable key under which other data can be categorised and stored. The use of biometric identifiers in the context of large scale databases, such as in Eurodac, VIS and SIS II, and the cooperation set forth in the Prüm Treaty, support this premise. The European Data Protection Supervisor opposes such use, as well as other experts in various reports. Especially interoperability with systems outside the EU (Type I b Government controlled ID model), between law enforcement and private systems (Type III Mixed model) and in intelligence led policing (Type V Surveillance model), should be addressed appropriately and needs an adapted framework.

The report argues that protecting biometrics should start at the place where the biometric data are collected, i.e. the collection device. Anno 2007, there are still many biometric data scanners, in particular fingerprint scanners, which do not provide for any data encryption at all and which are not adequately protected from spoof attacks and data interception attempts. From the scanners which have no encryption, the fingerprint images could be reconstructed as described in this report.  

The document stressed various other privacy problems in relation with biometrics, such as the difficulties in reaching data quality or the fact that not only captured biometric samples but also the biometric templates may contain sensitive information about someone’s health. The report contains in this respect an extensive overview of biometric methods and related information about someone’s health condition in captured biometric samples that could also be included in templates as no systematic research has been carried out so far with respect to remaining additional information in such templates.

The report finally underlined the advantages of biometrics, as biometrics remain an undeniably unique tool to link an individual to the digital world and made recommendations as to making an efficient use of this new technology. In order to combine the advantages while minimising the risks of abuse of biometric data, the concept of encapsulated biometrics is described. According to this concept, the biometric data remain under the control of the data subject, and the data subject has increased decision powers as to when and for what purposes its biometrics are going to be used. This type of use of biometrics could well be combined in a Type 3 IMS system for user-controlled context-dependent role management, as described in earlier deliverables of FIDIS.