ASIS Exclusive
by Robert Tappan, Managing Director, International Biometrics + Identity Association
Over the past four years, members of the biometrics community from around the world have set about crafting ethical guidelines for the responsible use of the various products and technologies that they have been developing, producing and implementing.
Being aware of these ethical guidelines is useful for members of the law enforcement and security management community, as they have direct impacts on their work and the people and entities that they serve, protect, and defend.
Biometrics and identity technologies have evolved into a part of almost all of our daily lives, from voice recognition and authentication on customer service phone assistance, to facial recognition at airports and at our borders, to thumbprint and face recognition on our smart phones. Mobile financial transactions and things like digital driver’s licenses in our phones’ “wallets” are also increasingly becoming a reality. In short, biometrics, in one form or another, are becoming a ubiquitous part of our lives. They are here to stay and are not going away.
In response to the burgeoning use of biometric technologies, my organization, the International Biometrics + Identity Association, published two important documents regarding the responsible use of biometric technologies: “Principles for Biometric Data Security and Privacy” and a white paper entitled “Ethical Use of Biometric Technology”.
The five ethical tenets that our member companies have committed to uphold are:
- Respecting the person and related data: When we talk about respecting the person and their data, what we mean is improving the accuracy of the data collected and analyzed, protecting the integrity of the data, as well as constantly working towards eliminating bias. Only continuous testing, constant improvement and a commitment to privacy will ensure that biometric technologies are accurate across demographic groups and, most importantly, are not used for discriminatory purposes or intent.
- Upholding a commitment to transparency: Transparency is paramount. This means communicating with people about four main criteria: what data is being collected; what the data will be used for; with whom the data will be shared; and for how long the data will be retained. Companies and security professionals need to respect both the person and the integrity of the data collected. That also means providing the public with ample opportunity to provide input on public-sector biometric technology programs.
- Working to secure biometric data: First, efforts should be made to minimize data; that is, to collect and retain just what is necessary to achieve the purpose for which the data was collected in the first place. Periodically, security management professionals should assess the quality of the collected data against established standards and delete any data that is of insufficient quality. Further, data should be stored in the lowest-risk appropriate format and encrypted, and, when appropriate, it should be anonymized and aggregated so as to minimize personally identifiable information. Finally, access to this information should be controlled and limited only to those individuals who are trained and authorized to access it.
- Promoting accountability: Security management professionals have to strive for accountability. At the outset, biometric technology developers and end-users need to work together to develop and provide training to the individuals operating the biometric systems. Accountability also means working with policymakers to develop biometric laws and regulations that facilitate appropriate reporting, oversight and accountability measures.
- Resolving and redressing any problems that arise: Security management professionals need to conduct operational performance assessments on a regular basis when deploying these technologies, and regularly upgrade these systems to ensure the use of the most accurate, secure and privacy-protective technologies available.
Just as important, there needs to be an iron-clad, trust-based relationship between the individual providing biometric information and the entity that is collecting that data. In exchange for that information provided in good faith, there needs to be a process for redress, such as revocation, deletion or change of biometrics used for identification purposes.
At the heart of all this discussion of ethics — be it the debate over the use of biometrics, the implementation of biometric and identity-authenticating technologies, or the human-to-human interaction that may take place during the use of biometric technology — the key to better utilization, better understanding, and better acceptance of these technological advances is that they should be — and need to be — conducted in an environment of mutual respect and clear communication between security management professionals and the individual, along with providing great stewardship of their data.