Assessing the Risks to Privacy in Biometric Implementations  

Introduction:  Privacy Defined

Biometrics is a general term for measurements of humans designed to be used to identify them or authenticate that they are who they claim to be (Clarke, 2001).  Many biometric technologies have been developed in the last few decades, and the technologies have already been applied in a variety of settings.  According to Clarke (2001), biometric technologies have extremely serious implications for human rights in general, and privacy in particular.  

Some fundamental part of human dignity requires privacy.  Privacy is part of the claim to personal autonomy. It supports the various freedoms that democratic countries value.  As cited by Crompton (2003), Professor Zelman Cowen said in the 1969 Boyer lectures, “A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars.”  

The term privacy can apply in various ways and take on different meanings depending upon the context.  As referred to by Crompton (2003), David Banisar of EPIC suggests, “privacy can be divided into four separate but related concepts:

· Information privacy - involving rules for the handling of personal data
· Bodily privacy - protection of our physical selves against invasive procedures
· Privacy of communications - security and privacy of mail, telephones etc
· Territorial privacy - setting limits on intrusions into domestic and other environments.”  

The development of new businesses and technology has led to court cases in which the complexities of “the right to be let alone” were debated, including the notion that this right must be weighed against the public's right to know about matters of legitimate public concern (Crompton, 2003).  Privacy is often something that arouses more thought and interest in its absence, or when it is threatened, than in its presence. Prince Edward, a member of the British royal family, illustrated this when he was quoted on the eve of his marriage as saying that you do not value your privacy until you have lost it.  According to Crompton (2003), another point worth making is that people often do not value other people's privacy until their own is threatened.  

Biometrics and the Privacy Risks

Just as each type of biometric deployment can have a different impact on privacy, each biometric technology bears a different relation to privacy (International Biometric Group, LLC., 2003). Some technologies have almost no privacy impact, and could scarcely be used in any privacy-invasive fashion. Other technologies are much more likely to be associated with privacy-invasive usage, either due to their core operation or due to extrinsic factors.  As with many other concepts, viewpoints on this issue vary: people see different threats or risks, and at different levels of severity.  There are in fact mixed views among the various interest groups about whether the use of biometrics is privacy enhancing or privacy invasive (Crompton, 2003). It is important, though, to recognize that different biometric technologies can affect privacy in different ways.  The following discussion presents several viewpoints on the potential threats and risks.  

The first viewpoint concerning potential privacy threats or risks is that of Roger Clarke.  The following information has been summarized from Clarke (1988), Clarke (1993), Clarke (1994), Clarke (1997), and Clarke (2001).  He identifies and describes the items listed below as potential privacy threats or risks concerning biometric technologies:

1.      Privacy of Person: Biometric technologies don't just involve collection of information about the person, but rather information of the person, intrinsic to them. That alone makes the very idea of these technologies distasteful to people in many cultures, and of many religious persuasions.
In addition, each person has to submit to examination, in some cases in a manner that many people regard as demeaning. For example, the provision of a quality thumbprint involves one's forearm and hand being grasped by a specialist and rolled firmly and without hesitation across a piece of paper or a platen; and an iris-print or a retinal print require the eye to be presented in a manner compliant with the engineering specifications of the supplier's machine. Some technologies, such as those based on DNA, go so far as to require the person to provide a sample of body fluids or body-tissue.

2.      Privacy of Personal Data: Many schemes require the provision of personal data to assist in the administration of the scheme. Some are operated in close conjunction with other data-rich systems such as personnel or welfare administration. This consolidation of data enhances the opportunity for the organization to exercise control over the population for whom it holds biometrics.

3.      Privacy of Personal Behavior:  The monitoring of people's movements and actions through the use of biometrics increases the transparency of individuals' behavior to organizations. Those organizations are in a better position to anticipate actions that they would prefer to prevent and to communicate warnings to the predicted perpetrators. Moreover, an organization that performs biometrics-aided monitoring is in a position to share personal data with other organizations, such as contracted suppliers and customers, “business partners”, and corporations and government agencies with which it “enjoys a strategic relationship”.

4.      Multi-Purpose and General-Purpose Identification:  Biometric schemes are expensive. They also require the individuals that are subjected to them to register with some authority. Some schemes also require the individual to carry a token such as a card. To share costs, organizations are therefore motivated to apply biometric schemes for multiple purposes. 
Any multiple usage of identifiers represents a serious threat to privacy, because it provides the organizations with a simple means of sharing the data that each of them gathers, and hence with a means to exercise control over the individuals involved. 
There are no natural barriers to data sharing, many countries lack laws to preclude it, and a strong tendency exists for organizations to break down such legal impediments as do exist. Hence the multiple purposes to which a biometric scheme is applied can readily extend beyond a single organization to encompass multiple organizations in both the private and public sectors.

5.      Denial of Anonymity and Pseudonymity: Until very recent times, the vast majority of actions and transactions undertaken by people were anonymous, or were identified only to the extent that an observer saw them and might remember them, but no records of the event were kept.
Corporations and government agencies have been working very hard to deny people the ability to keep their transactions anonymous. As a result of new forms of information technology, the cost of data capture has plummeted, and huge numbers of transactions are now recorded which would have been uneconomic to record in the past. These records carry enough information to identify who the person was who conducted them, and systems are designed so as to readily associate the data with that person.
Biometric technologies create new capabilities for the association of identity with transactions that have never been recorded before, such as passing through a door within a building, across an intersection, or into a public place or an entertainment facility. They provide a powerful weapon to corporations and governments, whereby yet more of the remnant anonymity of human action can be stripped away.

6.      Masquerade:  The storage of biometrics makes much easier the fabrication of tools, or the synthesis of signals, that are highly convincing replicas of a particular person's physiometrics. This raises the prospect of people having acts attributed to them that they did not do.
The feasibility of the maneuver varies depending on the kind of biometric. The technology to fabricate a convincing iris, based on the data captured and stored by an iris-reading device would seem to be challenging, and may well not exist. On the other hand, if a biometric comprises measurements of some part of a person's body, such as the first knuckle of the right thumb, then technology is probably already available that can produce a synthetic equivalent of that body-part.
Moreover, some biometric techniques select a small sub-set of the captured data, such as the number and orientation of ridges on a fingerprint, or the location and size of features in an iris. The risk is all the greater if the biometric is used in its raw form, or the compression is insufficiently “lossy” and hence the compressed form can be used to generate an adequate masquerade, or the hashing algorithm is not one-way.
A significant risk exists that an imposter could produce means to trick devices into identifying or authenticating a person even if they are not present. Possible uses would be to gain access to buildings, software or data, digitally sign messages and transactions, capture the person's identity, harm the person's reputation, or “frame” the person.
Any identification or authentication scheme that involves storage of a biometric is fraught with enormous risks. These will very likely rebound on the person, whether or not it harms the organization that sponsors the scheme.

7.      Permanent Identity Theft:  An act of masquerading as another person is a single event. If the imposter conducts a succession of masquerades, their behavior amounts to taking over the person's identity. Cases of identity theft have been reported already, which have had very serious consequences for the victims. Organizations cannot distinguish the acts and transactions of the two individuals using the one identity, and hence they are merged together. A typical outcome is that the person faces demands for payment from organizations they have never purchased anything from, and shortly afterwards can no longer gain access to loans.
Under these circumstances, the identity can become so tainted that the person has to abandon that identity and adopt a new one. That is challenging, because such an act is readily interpreted as an admission of guilt, and an attempt to avoid the consequences of actions that are presumed to be actions of that person, rather than of the imposter.
Biometrics adds a frightening new dimension to identity theft. The purveyors of the technology convey the message that it is foolproof, in order to keep making sales. The organizations that sponsor schemes want to believe that it is foolproof, in order to avoid liabilities for problems. The resulting aura of accuracy and reliability will make it extraordinarily difficult for an individual who has been subjected to identity theft to prove their innocence.
Any biometric is an extraordinarily dangerous measure, because it's the equivalent of a PIN that can't be changed. Lose it once, and you're forever subject to masquerade by each person or organization that gains access to it.

8.      Automated Denial of Identity:  Identity theft is not limited to individual criminals. For example, a corporation could apply biometrics to the denial of access to premises by ex-employees, customers previously found guilty of shoplifting, and in the case of casinos, problem-gamblers.
Proposals of this nature have arisen in the context of football grounds, and it was reported that such an application was used on the thousands of people who streamed into the U.S. Super Bowl in January 2001 (e.g. Green 2001). The technique could of course be extended to the denial of access by customers suspected of shoplifting, complainants, or known agitators against the company's practices. Government agencies could find scores of applications, such as preventing targeted people from using transport facilities. This scenario was investigated many years ago in the sci-fi novel “Shockwave Rider” (Brunner 1975).

9.      Chilling Effect on Freedom, and on Democracy:  Biometric technologies, building as they do on a substantial set of other surveillance mechanisms, create an environment in which organizations have enormous power over individuals. Faced with the prospect of being alienated by employers, by providers of consumer goods and services, and by government agencies, individuals are less ready to voice dissent, or even to complain.
That is completely contrary to the patterns that have been associated with the rise of personal freedoms and free, open societies. It represents the kind of closed-minded society that the Soviet bloc created, and which the free world decried. The once-free world is submitting to a “technological imperative”, and permitting surveillance technologies to change society for the worse. Biometric tools are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of “different-thinkers”, public interest advocates and troublemakers.
Clearly, this undermines democracy, because candidates, dependent on parties, sponsors and the media, are less willing to be marginalized; supporters are less prepared to be seen to be so; and voters become fearful of the consequences if their voting patterns become visible.
Less clearly, the suppression of different-thinkers strangles the economy. It does this because the adaptability of supply is dependent on experimentation, choice, and the scope for consumers to change their demand patterns.

10.  Dehumanization:  Beyond the fairly practical considerations of freedom of thought and action, democracy and economic behavior, there is the question of the ethics of the matter. If we're happy to treat humans in the same manner as manufactured goods, shipping cartons, and pets, then biometrics technologies are unobjectionable. If, on the other hand, humans continue to be accorded special respect, then biometrics technologies are repugnant to contemporary free societies.
Authoritarian governments ride roughshod over personal freedoms and human rights. They will establish legal authority for and enforcement of the capture of biometrics for every transaction, and at every doorway. Such governments see consent and even awareness by the person as being irrelevant, because they consider that the interests of society or “the State” (i.e. of the currently powerful cliques) dominate the interests of individuals.
In the free world as well, substantial momentum exists within governments and corporations to apply those same technologies, and in the process destroy civil rights in those countries.

In contrast, Crompton (2003) categorizes potential privacy risks or threats as follows:

  1. Use of biometrics for authentication may have a low level of privacy risk provided that the authentication system involves the individual knowingly exercising a choice to enroll in a system and the system does not require the authenticating body to hold large amounts of information about an individual except that necessary to establish that the person is who they say they are.
  2. Use of biometrics for identification has the potential to be more privacy invasive in cases where it involves the identifying organization holding large amounts of information about individuals that it may or may not need, or that the individual may or may not know about. In the case of identification in a criminal context, it often involves bodily intrusive methods of collection from suspects, for example DNA sample collection, iris recognition, or in some cases fingerprints, especially where giving the sample is not voluntary.
  3. Use of biometrics for surveillance is likely to be a major privacy concern, particularly when carried out covertly. A key principle of privacy is that generally speaking people should have control over their personal information. People have no control if identifiable information about them is collected without their knowledge. Some biometrics are particularly capable of being collected covertly. These include facial or appearance characteristics, voice characteristics and keystroke behavior.
  4. Other privacy risks arise regardless of the proposed use. Some of the privacy risks result from the nature of biometric information. Biometric information provides information about a person that is unique (or very close to unique). Also, the initial biometric information is inseparable from the person so is hard to forge.
    These great strengths, however, are also the source of key privacy risks and weaknesses, especially if systems are not properly designed and/or regulated. As is the case with all unique identifiers, it is easy and very tempting to use the one identifier in a whole range of contexts and then to link the information for purposes other than the original purpose for collection (otherwise known as function creep). We have already seen the debates about this around the proposal for an Australia Card. Public interest advocates in the US are keen to ensure that “the same thing didn't happen with biometric information that happened with Social Security numbers.”
  5. Another privacy risk that comes from collecting information from a person's body is that the information may reveal more than just identity, regardless of the intended use. Some of this is very sensitive. For example, voice can reveal emotions; the face may reveal information about a person's emotions and health. Iris recognition and retinal scans may also reveal information about a person's health. Aside from unintended collection of this information, it seems that there are already products on the market that aim to collect this kind of information, for example to detect deception through voice. The authors of "At face value" predict that biometrics used to expose emotions, through voice, face and keystroke dynamics, will have great influence in the future because these characteristics can be measured without consent. They are likely to be used particularly in multimedia contexts, to collect more information from a person than they intend, and in e-commerce or telemarketing, for example, to influence the purchase patterns of customers.
  6. A further privacy risk that seems bizarre but which cannot be dismissed is the possibility that people may mutilate other people's body parts in order to use someone else's biometric identity for criminal purposes, for example, access to money, or buildings.
  7. Other privacy risks arise from the nature of the technology used for biometrics.
    The effectiveness and efficiency of current biometric uses depends on computer technology and electronic devices. This means that most of the privacy risks associated with computer technology also apply to biometric systems. Systems that involve storage of data on, and processing and transmission using, computer technology are subject to hacking and unauthorized access, use and disclosure. Although it may be difficult for a person to fake a fingerprint, or a voice, or their hand, there is a view among a number of commentators that it could be relatively simple for a person to hack into a system, copy the digital image of a biometric, and replay it whenever he or she wishes to pass as the person whose image it is.
    It is important to stress that, when biometric systems are used, there is always a fraction of false acceptances. Corruption of personal data due to false acceptances will occur. The use of biometrics, however, might create the illusion that the personalization is always correct.

The following method and information has been collected from International Biometric Group, LLC. (2003):  

The “BioPrivacy Technology Risk Ratings” assess the privacy risks of leading biometric technologies in four key areas:

  1. Verification/Identification:  Technologies capable of robust identification are rated higher; technologies that are only capable of verification are rated lower.
  2. Overt/Covert:  Technologies capable of operating without user knowledge or consent are rated higher; technologies that only operate with user consent are rated lower.
  3. Behavioral/Physiological:  Technologies based on unchanging physiological characteristics are rated higher; technologies that are based on variable behavioral characteristics are rated lower.
  4. Availability of Searchable Databases:  Technologies for which searchable databases exist (or are likely to exist in the near future) are more likely to be used in a privacy-invasive fashion than those for which no databases exist (or are likely to exist in the near future).

Technologies are rated Low, Medium, and High in each of these categories. 

  1. Low: Little privacy risk.  The basic functionality of the technology ensures that there are few, if any, privacy issues.
  2. Medium: Potential privacy risk.  The technology could be used in a privacy-invasive fashion, but the range of potential misuse is limited.
  3. High: Moderate privacy risk.  For certain types of deployments, proper protections should be in place to ensure that the technology is not misused.

BioPrivacy Technology Risk Ratings (for each technology: positive privacy aspects, negative privacy aspects, and the four category ratings with the overall risk rating)

Fingerprint
  Positive privacy aspects:
  · Can provide different fingers for different systems
  · Large variety of vendors with different templates and algorithms
  Negative privacy aspects:
  · Storage of images in public sector applications
  · Use in forensic applications
  · Strong identification capabilities
  Ratings: Identification H; Covert M; Physiological H; Databases H.  Risk Rating: H

Facial Recognition
  Positive privacy aspects:
  · Changes in hairstyle, facial hair, position, lighting reduce ability of technology to match without user compliance
  Negative privacy aspects:
  · Easily captured without consent or knowledge
  · Large number of existing images can be used for comparison
  Ratings: Identification H; Covert H; Physiological M; Databases H.  Risk Rating: H

Iris Recognition
  Positive privacy aspects:
  · Current technology requires high degree of user cooperation - difficult to acquire image without consent
  · Iris images not used in forensic applications
  Negative privacy aspects:
  · Very strong identification capabilities
  · Development of technology may lead to covert acquisition capability
  · Most iris templates can be compared against each other - no vendor heterogeneity
  Ratings: Identification H; Covert L; Physiological H; Databases L.  Risk Rating: H

Retina-scan
  Positive privacy aspects:
  · Requires high degree of user cooperation - image cannot be captured without consent
  Negative privacy aspects:
  · Very strong identification capabilities
  Ratings: Identification H; Covert L; Physiological H; Databases L.  Risk Rating: M

Voice-scan
  Positive privacy aspects:
  · Voice is text-dependent: the user must speak the enrollment password to be verified
  · Not capable of identification usage
  Negative privacy aspects:
  · Can be captured without consent or knowledge
  Ratings: Identification L; Covert H; Physiological L; Databases L.  Risk Rating: M

Dynamic Signature Verification
  Positive privacy aspects:
  · Signing is largely behavioral - can be modified at will
  Negative privacy aspects:
  · Signature images can be used to commit fraud
  Ratings: Identification L; Covert L; Physiological L; Databases L.  Risk Rating: L

Keystroke Dynamics
  Positive privacy aspects:
  · A highly behavioral characteristic - subject to significant changes
  Negative privacy aspects:
  · Can be captured without knowledge/consent
  Ratings: Identification L; Covert M; Physiological L; Databases L.  Risk Rating: L

Hand Geometry
  Positive privacy aspects:
  · Physiological biometric, but not capable of identification
  · Not a palm-scanner, but a measure of hand structure
  · Requires proprietary device
  Negative privacy aspects:
  · None
  Ratings: Identification L; Covert L; Physiological M; Databases L.  Risk Rating: L

*Table extracted from International Biometric Group, LLC. (2003)

Assessing the Potential Privacy Impact

“The BioPrivacy Application Impact Framework,” according to International Biometric Group, LLC. (2003), is a valuable tool in determining the potential privacy impact of a biometric deployment. Assessing a biometric deployment through the “BioPrivacy Impact Framework” illustrates the areas where greater risks are involved, such that appropriate precautions and protections can be enabled.  Again, the following information has been taken from International Biometric Group, LLC. (2003):  

BioPrivacy Application Impact Framework (for each question, the answer with lower risk of privacy invasiveness is given first and the answer with greater risk of privacy invasiveness second)

  1. Are users aware of the system's operation?  Lower risk: Overt.  Greater risk: Covert.
  2. Is the system optional or mandatory?  Lower risk: Optional.  Greater risk: Mandatory.
  3. Is the system used for identification or verification?  Lower risk: Verification.  Greater risk: Identification.
  4. Is the system deployed for a fixed period of time?  Lower risk: Fixed period.  Greater risk: Indefinite.
  5. Is the deployment public or private sector?  Lower risk: Private sector.  Greater risk: Public sector.
  6. In what capacity is the user interacting with the system?  Lower risk: Individual, customer.  Greater risk: Employee, citizen.
  7. Who owns the biometric information?  Lower risk: Enrollee.  Greater risk: Institution.
  8. Where is the biometric data stored?  Lower risk: Personal storage.  Greater risk: Database storage.
  9. What type of biometric technology is being deployed?  Lower risk: Behavioral.  Greater risk: Physiological.
  10. Does the system utilize biometric templates, biometric images, or both?  Lower risk: Templates.  Greater risk: Images.

*Table extracted from International Biometric Group, LLC. (2003)

Applying the BioPrivacy Impact Framework

  1. Overt vs. Covert:  Deployments in which users are aware that biometric data is being collected and used, and acquisition devices are in plain view, are less privacy-invasive than surreptitious deployments. User consent is a key principle of privacy-sympathetic deployment, and it is difficult to consent to covert systems. Covert biometric systems, if deployed, should only be deployed in environments where a highly compelling interest is present.
  2. Opt-in vs. mandatory:  A biometric system in which enrollment is mandated, such as a public sector program or one designed to encompass a company’s employees, bears a more direct relationship to privacy risks than an opt-in system. Mandatory systems come under more suspicion as they are imposed on a user as opposed to being selected by the user. Appropriate protections for mandatory and opt-in systems should be developed.
    A midpoint on the opt-in vs. mandatory continuum is whether any sanction is applied to non-compliance with the biometric system. If  the decision not to enroll results in any sort of punitive measure, it is not truly voluntary, and would be more prone to inappropriate usage.
  3. Verification vs. identification:  A system capable of performing 1:N searches can be considered more susceptible to privacy-related abuse than a 1:1 system. A 1:N biometric system would be necessary for use in any indiscriminate large-scale searches. Protections regarding 1:N usage may need to be stricter than those employed in 1:1 usage.
  4. Fixed duration vs. indefinite duration:  In deployments where such an option exists, the use of biometrics for a fixed duration is less likely to have a negative impact on privacy than one deployed indefinitely. This applies in particular to public surveillance deployments, which are comparatively more likely to bear a questionable relation to privacy than other biometric deployments. When deployed for an indefinite duration, the risk of scope creep increases; biometric surveillance may be viewed as commonplace as opposed to an exceptional event. An event-driven as opposed to open-ended use of biometrics is less likely to have a negative impact on privacy.
    Of course, the majority of biometric deployments, such as securing network login or PC login, are only meaningful when deployed indefinitely. Indefinite use in these applications is unlikely to result in a reduction of personal privacy, and may increase informational privacy.
  5. Public vs. private sector:  Public sector biometric usage can be seen as more risky than private sector due to the possibility of state or government abuse. Government collection of biometric data without proper controls and restrictions is highly problematic. On the other hand, private sector companies may be more tempted to share or link personal data for marketing or profiling purposes. Suitable protections should be developed for each type of environment.
  6. Individual, customer, student, traveler, employee, citizen:  An individual’s roles vary according to the people and institutions with whom they interact. A person is a citizen (or resident) in their dealings with the government or state, an employee in their dealings with an employer, a customer when party to certain types of commercial transaction (credit issuance, for example), and in a great variety of environments is an anonymous individual.
    Although privacy rights are fundamental regardless of the institution with whom the person is interacting, they are not identical in all environments. Reasonable expectations of privacy are dependent on the capacity in which a person is interacting with another person or institution: anonymous individual, customer, student, traveler, citizen, employee, and prisoner. To counteract this, biometric systems deployed in each of these environments should be designed and controlled according to the potential risks involved for the user population. Above all, to enable a person to maintain his or her separate "identities", data residing in separate biometric systems should not be linked or amalgamated without explicit, informed permission of the individual.
  7. Enrollee ownership of biometric data vs. institutional ownership:  Deployments in which the user maintains ownership over his or her biometric information are more likely to be privacy-sympathetic than those in which the public or private institution owns the data. User control over collection, usage, and disposal of biometric information is not possible in every deployment, especially in entitlements programs or other public sector uses.
  8. Personal storage vs. Template database:  A biometric system which stores information centrally is clearly more capable of being abused than one in which biometric information is stored on a user’s PC or even on a smart card. The privacy risks involved in biometric systems are heavily informed by the location of template storage and processing.
  9. Behavioral vs. physiological biometric:  Behavioral biometrics are much less likely to be deployed in a privacy-invasive fashion, as technologies such as voice-scan and signature-scan can be easily changed by altering a signature or using a new pass phrase. Behavioral biometrics are very rarely used in 1:N applications, which are less privacy-sympathetic than 1:1. Physiological biometrics are much harder to mask or alter, and can be collected without user compliance.
  10. Templates vs. identifiable images or samples:  Biometric systems in which identifiable biometric images or samples are retained are more likely to bear privacy risks than those which retain only templates. Biometric templates are generally only of value when processed through a vendor algorithm, and cannot be linked with a specific biometric characteristic without dedicated processing. Biometric images are generally identifiable, and can be associated with a specific individual based on visual or aural inspection. 

Safeguards and “Best Practices”

The following “Best Practices,” as recommended by International Biometric Group, LLC. (2003), are guidelines for privacy-sympathetic and privacy-protective deployment, providing institutions with an understanding of the types of protections and limitations commonly implemented.  These “Best Practices” are meant to address the full breadth of biometric applications and technologies, from small-scale physical access to nationwide identification programs. Therefore, it is not expected that any deployment will be compliant with all “Best Practices,” and non-compliance with one or more “Best Practices” does not necessarily make a deployment privacy-invasive. If a certain deployment is not compliant, for example, with “Best Practices” relating to Scope and Capabilities, that deployment will need to comply with “Best Practices” relating to Disclosure, Auditing and Accountability in order to counterbalance this lack of compliance. It is helpful to think of these “Best Practices” as providing a wide range of checks and balances against potential privacy-invasive usage.    

According to International Biometric Group, LLC. (2003), the categories of “Best Practices” are (1) Scope and Capabilities, (2) Data Protection, (3) User Control of Personal Data, and (4) Disclosure, Auditing, Accountability, Oversight.  The following information was summarized from International Biometric Group, LLC. (2003):  

  1. Scope and Capabilities
    1.1 Scope Limitation. Biometric deployments should not be expanded to perform broader verification or identification-related functions than originally intended. Any expansion or retraction of scope should be accompanied by full and public disclosure, under the oversight of an independent auditing body, allowing individuals to opt-out of system usage if possible.
    1.2 Establishment of a Universal Unique Identifier. Biometric information should not be used as a universal unique identifier. Sufficient protections should be in place to prevent, to the degree possible, biometric information from being used as a universal unique identifier.

*Universal unique identifiers facilitate the gathering and collection of personal information from various databases, and can represent a significant threat to privacy if misused.

    1.3 Limited Storage of Biometric Information. Biometric information should only be stored for the specific purpose of usage in a biometric system, and should not be stored any longer than necessary. Biometric information should be destroyed, deleted, or otherwise rendered useless when the system is no longer operational; specific user information should be destroyed, deleted, or otherwise rendered useless when the user is no longer expected to interact with the system.

*This also applies to templates generated during comparison attempts, such as a template generated in the verification stage of a 1:1 application.

    1.4 Evaluation of Potential System Capabilities. When determining the risks a specific system might pose to privacy, the system's potential capabilities should be assessed in addition to risks involved in its intended usage.

*Few systems are deployed whose initial operations are manifestly privacy-invasive. Instead, systems may have latent capabilities, such as the ability to perform 1:N searches or the ability to be used with existing databases of biometric information, which could have an impact on privacy. Although systems with the potential to be used in a privacy-invasive fashion can still be deployed if accompanied by proper precautions, their operations should be monitored: the maximum protections possible should be taken to prevent internal or external misuse.

    1.5 Collection or Storage of Extraneous Information. The non-biometric information collected for use in a biometric verification or identification system should be limited to the minimum necessary to make identification or verification possible.

*In most systems, personal information will already exist independently of the biometric information, such that there is no need to collect personal information again.

    1.6 Storage of Original Biometric Data.  If consistent with basic system operations, biometric data in an identifiable state, such as a facial image, fingerprint, or vocal recording, should not be stored or used in a biometric system other than for the initial purposes of generating a template. After template generation, the identifiable data should be destroyed, deleted, or otherwise rendered useless.

*This is to prevent the storage of fingerprints and facial images as opposed to finger-scan and facial-scan templates.

  2. Data Protection
    2.1 Protection of Biometric Information. Biometric information should be protected at all stages of its lifecycle, including storage, transmission, and matching.

*The protections enacted to protect biometric information may include encryption, private networks, secure facilities, administrative controls, and data segregation. The protections that are used within a given deployment are determined by a variety of factors, including the location of storage, location of matching, the type of biometric used, the capabilities of the biometric system, which processes take place in a trusted environment, and the risks associated with data compromise.

    2.2 Protection of Post-Match Decisions. Data transmissions resulting from biometric comparisons should be protected. Although these post-comparison decisions do not necessarily contain any biometric data, their interception or compromise could result in unauthorized access being granted to personal information.

*This protection is especially important in non-trusted environments such as the Internet.

    2.3 Limited System Access. Access to biometric system functions and data should be limited to certain personnel under certain conditions, with explicit controls on usage and export set in the system.

*Multiple-user authentication can be required when accessing or exposing especially sensitive data. Any access to databases that contain biometric information should be subject to controls and strong auditing.

    2.4 Segregation of Biometric Information. Biometric data should be stored separately from personal information such as name, address, and medical or financial data.

*Depending on the manner in which the biometric data is stored, this separation may be logical or physical.

    2.5 System Termination. A method should be established by which a system used to commit or facilitate privacy-invasive biometric matching, searches, or linking can be depopulated and dismantled.

*The responsibility for making such a determination may rest with an independent auditing group, and would be subject to appropriate appeals and oversight.

  3. User Control of Personal Data
    3.1 Ability to "Unenroll". Individuals should, where possible, have the right to control usage of their biometric information, and the ability to have it deleted, destroyed, or otherwise rendered unusable upon request.

*This Best Practice is more applicable to opt-in systems than to mandatory systems. In certain public sector and employment-related applications there is a compelling interest for data to be retained for verification or identification purposes, such that the option of unenrollment would render the system inoperable.

    3.2 Correction of and Access to Biometric-Related Information. System operators should provide a method for individuals to correct, update, and view information stored in conjunction or association with biometric information.

*Failure to provide a means of updating personal information is inconsistent with basic privacy principles, and may lead to increased likelihood of erroneous decisions.

    3.3 Anonymous Enrollment. Depending on operational feasibility, biometric systems should be designed such that individuals can enroll with some degree of anonymity.

*In web environments, where individuals can assume alternate identities through email addresses or usernames, there may be no need for a biometric system to know with whom it is interacting, so long as the user can verify his or her original claimed identity.
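The Data Protection and User Control practices above can be read as design requirements. The following is an added illustration, not code from the paper or from International Biometric Group: a small in-memory store that keeps templates and personal data in separate stores linked only by a random enrollment id (segregation), HMAC-signs post-match decisions so a relying party can detect tampering (protection of post-match decisions), records every access (auditing), and honours unenrollment by removing the template (limited storage). The class and function names are assumed, templates are treated as opaque byte strings, and encryption at rest is left out.

```python
import hmac, hashlib, json, secrets, time

class BiometricStore:
    """Templates and personal data live in separate stores, linked only by a random id."""
    def __init__(self, decision_key: bytes):
        self._templates = {}      # enrollment id -> opaque template bytes; no names here
        self._identities = {}     # enrollment id -> personal data, kept apart from templates
        self._key = decision_key  # shared with the relying party that consumes decisions
        self.audit_log = []       # every access to either store is recorded

    def _audit(self, action: str, eid: str, actor: str) -> None:
        self.audit_log.append({"ts": time.time(), "action": action, "id": eid, "actor": actor})

    def enroll(self, template: bytes, personal: dict, actor: str) -> str:
        eid = secrets.token_hex(16)  # random link, derived from neither the biometric nor the name
        self._templates[eid] = template
        self._identities[eid] = personal
        self._audit("enroll", eid, actor)
        return eid

    def verify(self, eid: str, probe: bytes, actor: str) -> dict:
        """1:1 check. Opaque templates are compared for equality here; a real matcher
        scores similarity. The decision carries no biometric data and is HMAC-signed."""
        stored = self._templates.get(eid)
        matched = stored is not None and hmac.compare_digest(stored, probe)
        decision = {"id": eid, "match": matched, "ts": time.time()}
        payload = json.dumps(decision, sort_keys=True).encode()
        decision["sig"] = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self._audit("verify", eid, actor)
        return decision

    def personal_data(self, eid: str, actor: str):
        """Separate, audited path to the non-biometric record; verify() never reads it."""
        self._audit("read_personal", eid, actor)
        return self._identities.get(eid)

    def unenroll(self, eid: str, actor: str) -> bool:
        """Honour a deletion request: the template is removed, so later probes cannot match."""
        removed = self._templates.pop(eid, None) is not None
        self._identities.pop(eid, None)
        self._audit("unenroll", eid, actor)
        return removed

def verify_decision(key: bytes, decision: dict) -> bool:
    """Relying-party check that a post-match decision was not altered in transit."""
    body = {k: v for k, v in decision.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, decision.get("sig", ""))
```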

  4. Disclosure, Auditing, Accountability, Oversight
    4.1 Third Party Accountability, Audit, and Oversight. The operators of certain biometric systems, especially large-scale systems or those employed in the public sector, should be held accountable for system use. As internal or external agents may misuse biometric systems, independent system auditing and oversight should be implemented.

*Depending on the nature of a given deployment, this independent auditing body can ensure adherence to standards regarding data collection, storage, and use.

    4.2 Full Disclosure of Audit Data. Individuals should have access to data generated through third-party audits of biometric systems.

*Biometric systems that may pose a potential risk to privacy should be monitored and audited by independent parties; the data derived from such oversight should be available to facilitate public discussion on the system's privacy impact.

    4.3 System Purpose Disclosure. The purposes for which a biometric system is being deployed should be fully disclosed.

*For example, if individuals are informed that the system is to be used for identity verification, it should not be used for 1:N identification. Without full disclosure of the purposes for which a system is being deployed, it is difficult to make informed assessments on the system's potential privacy impact.

    4.4 Enrollment Disclosure. Ample and clear disclosure should be provided when individuals are being enrolled in a biometric system. Disclosure should take place even if the enrollment templates are not being permanently stored, such as in a monitoring application.

*This includes employees enrolled in a facial-scan system through badge card pictures or drivers' license photos, or telephone callers enrolled in a voice-scan system. Informed consent to the collection, use and storage of personal information is a requirement of privacy-sympathetic system operations.

    4.5 Matching Disclosure. Ample and clear disclosure should be provided when individuals are in a location or environment where biometric matching (either 1:1 or 1:N) may be taking place without their explicit consent.

*This would include facial-scan technology used in public areas and fingerprint information taken from employees.

    4.6 Use of Biometric Information Disclosure. Institutions should disclose the uses to which biometric data are to be put, both inside and outside a given biometric system. Biometric information should only be used for the purpose for which it was collected and within the system for which it was collected unless the user explicitly agrees to broader usage. There should be no sanctions applied to any user who does not agree to broader usage of his or her biometric information.
    4.7 Disclosure of Optional/Mandatory Enrollment. Ample and clear disclosure should be provided indicating whether enrollment in a biometric system is mandatory or optional. If the system is optional, alternatives to the biometric should be made readily available.

*Individuals should be fully aware of their authentication options: there should be no implication that enrollment in a given system is compulsory if it is optional.

    4.8 Disclosure of Individuals and Entities Responsible for System Operation and Oversight. As a precondition of biometric system operation, it should be clearly stated who is responsible for system operation, to whom questions or requests for information are addressed, and what recourse individuals have to resolve grievances.
    4.9 Disclosure of Enrollment, Verification and Identification Processes. Individuals should be informed of the process flow of enrollment, verification, and identification. This includes detailing the type of biometric and non-biometric information they will be asked to provide, the results of successful and unsuccessful positive verification, and the results of matches and non-matches in identification systems. Furthermore, in 1:N systems where matches may be resolved by human intervention, the means of determining match or non-match should be disclosed.
    4.10 Disclosure of Biometric Information Protection and System Protection. Individuals should be informed of the protections used to secure biometric information, including encryption, private networks, secure facilities, administrative controls, and data segregation.
    4.11 Fallback Disclosure. When available, fallback authentication processes should be available for individuals to review should they be unable or unwilling to enroll in a biometric system. These fallback procedures should not be punitive or discriminatory in nature.

In addition, Clarke (2001) offers the following list of possible “safeguards to be employed:  

  1. Self-Regulation
  2. Compulsory Social Impact Assessments
  3. Generic Privacy Laws
  4. Specific Regulation
  5. A Moratorium on the Application of Biometrics”

Suggestions for Legislation

First and foremost, it is of the utmost importance that a clear and concise definition of privacy specific to education exists.  This allows for a consistent analysis and application of methods pertinent to privacy.

Secondly, a method or process for identifying potential risks or threats to privacy within the realm of education should be established.  It may be recommended that a method similar to that suggested by International Biometric Group, LLC. (2003) be applied.  This method appears to provide the most organized and consistent means of risk identification.  However, one should also keep in mind the range of opinions or viewpoints surrounding the idea of potential privacy risks and threats, and take the full spectrum into consideration to the best of one's ability.

Thirdly, it is crucial that, upon identifying potential privacy risks or threats applicable to education, a method of assessing their potential impact is applied.  As research has supported, the various biometric technologies have varying levels or degrees of impact in terms of privacy.  If one applies the method suggested by International Biometric Group, LLC. (2003), please keep in mind that, though there are many additional factors to assess, such as the political climate and legal backdrop for biometric usage, the existing “Impact Framework” provides a starting point for intelligent assessment and categorization of biometric systems.

Finally and most importantly, one should be able to apply the above information to create “safeguards” and “best practices” that are applicable to education.  This task should be completed following the decision concerning which biometric technology (or technologies) will be employed, as different technologies will require different “safeguards.”  It is suggested that, in order to accomplish this goal, one may need to apply multiple “safeguards” and/or “best practices” as recommended previously.