Accenture: Moratorium on biometrics – What to do?
Over the past twenty years we’ve seen rapid growth in the biometrics market – personal, commercial, and governmental use cases all on the rise. The greatest spike in the usage of biometrics was seen with the release of the iPhone 5 which added millions of biometric sensors and an awareness of the benefits of usability and security that automated recognition has to offer. In the same period, we have seen a rapid increase in biometrics used to automate border clearance, increase inclusion for the undocumented, and add security to financial transactions. There are scores more examples where automated recognition systems facilitate and secure our public and private interactions.
As these systems have become a greater part of our daily lives, we have also heard of, and perhaps experienced, some of the downsides of automated recognition systems. Perhaps because of the success of biometric systems, they are receiving more scrutiny – are they accurate enough? Do they discriminate? In response, some jurisdictions have banned the use of biometric systems outright and some have put moratoria in effect.
The relative performance of biometric recognition systems is extremely use-case dependent, so it is difficult to understand outright bans that don’t delineate factors such as:
- Is the system overt or covert?
- Is the system performing authentication or identification?
- Does the system require informed consent of the data subject?
- Under which privacy regulations does the system operate?
- Under which performance requirements does the system operate?
- To which security requirements does the system conform?
We know that all biometric systems have Type I and Type II errors (False Rejects and False Accepts) and we know that these error rates can be influenced by factors such as quality and age of the biometric data and the sex, age, and ethnicity of the data subjects.
Given the rapid adoption and utility of biometric systems in the public, private, and humanitarian sectors, one would think that effective regulation would follow suit – it has not – and outright bans and moratoria with no corresponding action plan do not resolve this issue.
If the perceived, or actual, problem with a biometric system for the intended use case is that it is not accurate enough or that its performance is impacted by demographic differentials, then bans should be replaced with performance requirements, and moratoria with regulations that require certification to specified conformance criteria for the intended use case. The sharing, retaining, and protecting of personal data, including biometric information, are all fundamental data privacy provisions, as are portability, accuracy, redress, and breach alerts, that must have corresponding regulation and enforcement – and liability.
There is an understanding gap that should be reconciled with education – regulators need to understand how biometric systems work in their many and varied applications and legislate accordingly, as they did with Health Information, Vehicle Emissions, Food Safety, etc. With proper education, legislation, and certification, biometric systems can continue to facilitate and secure our lives – while preserving our privacy and human dignity – for the next twenty years and beyond.
Accenture
Daniel Bachenheimer
Daniel.bachenheimer@accenture.com
Director, Biometrics Institute