What is biometrics?
Biometrics means the recognition (and/or sometimes classification) of humans using distinctive characteristics such as the shape of the face, the sound of the voice, the veins of their hand, consistently measurable behaviours, etc. In casual use the term typically also implies that the recognition or classification uses only computers. However, in practice, humans can be involved either in support of, or in replacement of, computers to perform these tasks.
In addition to the acts of recognition and classification, the term is also used to mean:
- The distinctive human characteristics that are (or may in future be) used for such recognition or classification processes (such as the face or fingerprints).
- Any external (often digital) representation of these human characteristics (such as encoded template data about the face or fingerprint detail).
Depending on the type, biometrics can be used in a range of ways, from checking an identity claim (for example, unlocking a mobile device using one’s face), to searching databases (for example, checking whether the same person has registered for a service several times), to estimating attributes of people (for example, assessing likely age).
What types of biometrics are there?
Physiological biometrics employ physical, structural, and relatively static attributes of a person such as their fingerprints, the pattern of their iris, contours of their face, or the geometry of veins in their hands.
Behavioural biometrics establish identity by monitoring the distinctive characteristics of movements, gestures, and motor-skills of individuals as they perform a task or series of tasks. This means human movements such as walking (gait analysis) or finger contact with a keyboard (keystrokes) are captured and analysed.
How are biometrics used?
Biometrics can be used in a wide range of applications relating to determining or confirming information about a person’s identity or estimating certain attributes of people. The following examples indicate some of the circumstances where biometrics are used. Inclusion herein does not imply recommendation of a particular use case.
Public safety and law enforcement
- Border control and immigration: Many countries use biometric systems, such as fingerprint or facial recognition, to confirm the identity of travellers at border crossings or airports.
- Crime resolution: Law enforcement agencies use biometrics, such as fingerprint, DNA, or facial recognition, to identify suspects and match evidence to individuals.
- Disaster victim identification: In disaster situations, biometrics (fingerprints, DNA and forensic dentistry) are used as the main sources of identification for the deceased.
- Surveillance: Organisations use biometrics – especially face recognition – to monitor physical spaces for the presence of undesirable people (e.g., a prior shoplifter). Also see ‘VIP treatment’ and ‘Self-exclusion’ below.
Access control and security (both in-person and remote)
- Creation of digital identities: Organisations creating or ‘onboarding’ digital identities use biometrics to confirm that the person creating a digital identity is the one whose identity documents are being presented, often using face recognition.
- Service delivery: Governments and private sector companies use biometrics to verify the identity of individuals receiving customer service, especially remotely. Common modes include voice, face and fingerprint recognition – determined by consumer availability.
- Physical access control and security: Biometric systems are used to control access to restricted areas, buildings, or rooms by verifying a person’s identity using e.g. fingerprints.
- Healthcare: In healthcare settings, biometrics can be used to accurately identify patients, ensuring that they receive the correct treatment and that their records are kept secure.
- Voter registration and elections: Biometric systems are used to verify voter identities, prevent voter fraud, and maintain accurate and secure voter registration databases.
Personal convenience and quality of life
- Payment and transaction security: A wide range of biometric authentication methods are used by banks and retailers to protect transactions such as payments and cash withdrawal.
- Smart home devices: In-home smart devices use biometrics to recognise which member of the household (if any) is asking a question, to tailor the answer to their circumstances.
- Consumer electronics: Biometrics are increasingly used in personal devices such as smartphones, tablets, and laptops. Examples include fingerprint scanners or facial recognition for unlocking devices and authorizing payments or app downloads.
- Support for neurodiverse people: Biometrics are used to support people by presenting estimated information about people within the immediate vicinity, to compensate for neurological differences.
- VIP treatment: Similar to surveillance for public safety, biometrics can be used to monitor spaces for particularly important people to offer them improved service.
- Self-exclusion: Facilities such as casinos use biometrics to check for the presence of people who have indicated a desire to be prevented from entering –again similar to surveillance.
Other business functions
- Workforce management: Employers may use biometrics such as fingerprint or face to track employee attendance and manage access to sensitive information or work areas.
- Advertising: Retailers may use biometrics in a store or mall to estimate information about passers-by (such as age) in order to target suitable advertising to people.
- Education: Educational institutions may use biometrics to identify students and/or monitor their behaviour in some assessment or examination contexts.
Are biometrics a threat to privacy?
The unregulated use of biometric technologies can have a significant adverse effect on an individual’s right to privacy and the protection of their personal, sensitive data. Conversely, a well-controlled biometric system, based on ‘privacy by design’ principles, can protect the same individual from unauthorised parties seeking to steal or maliciously adopt his or her identity in key social situations such as financial transactions or interacting with government services etc.
Traditionally, biometric data has not been subject to specific legislation but has fallen under general data protection or privacy laws where these have existed in various jurisdictions. However, in recent years significant legislation has focused on biometrics as, for example, the General Data Protection Regulation (GDPR) for European Member States which harmonises the approach of most European countries (some half a billion citizens). The GDPR defines biometric data as special categories of personal data.
In the United States there is no single federal law that governs the acquisition or use of biometric data but there are some notable State biometric privacy laws in Illinois, Washington, Texas, California, New York State and Virginia. These laws have been used in litigation procedures against various organisations, but they are not harmonised in the same way as GDPR. Consequently, many large organisations have developed a form of self-regulation in order to comply with these individual state requirements.
India has a national collection of biometric data from nearly all its adult population (1 billion plus) in the form of its Aadhaar system which aims to provide a consensual, formal national identity for all its citizens. Privacy and data protection has been established, through the Indian legal framework, as a fundamental right for all those who use the system. Many other countries in Asia and Africa are using the principles of the Aadhaar system to introduce similar biometric national identity schemes for their populations.
Therefore, organisations that want to introduce a biometric system should explain to their customers (and customers should seek to clarify) the following important points:
- What is the reason for using biometrics?
- Will the biometrics be held by the customer (e.g. on a device) or will they be uploaded to the organisation’s database?
- How will the biometric data be protected and how long will it be retained?
- Are customers able to check the accuracy of their data held by the organisation?
- Will the customers’ data be shared with any third parties?
The Biometrics Institute publishes guidance on privacy matters such as the Privacy Guidelines and the Privacy Awareness Checklist as well as bespoke training modules for those wishing to know more about this topic and its important role in biometric systems of all kinds.
Can biometrics be stolen?
For many biometrics, it is possible to capture an image or recording of the human feature or features in question. Photographs of the face are widespread, and for many of us, easily searchable in social media platforms. Other biometrics are less frequently available online but are nonetheless recordable with widely available equipment (for example, capturing recordings of the voice using a mobile phone).
But for most purposes, these copies of human characteristics are not usable to impersonate someone. Many biometric systems are designed to reject copies of biometrics presented by other people. They use mechanisms suitable for the type of biometric in question – for instance, a fingerprint system might detect blood flow in the presented finger, preventing the use of prosthetics (or detached fingers); a face recognition system might detect particular movements in the face presented, preventing use of a photograph; and a voice biometric system might change the questions it asks, preventing a well-rehearsed impersonation. Multimodal systems that capture different biometrics are sometimes used to support such detection too: it is more difficult to present the face as well as a fingerprint and sign like another person. Techniques for such detection continue to improve over time, along with techniques to attempt to fool them.
Some biometric systems do not perform such checks – for example, those used to investigate crimes through images on security footage and fingerprints. Such investigations involve assembly of a range of information – including that which biometrics can provide – into evidence of presence of a particular person. While it might be technically possible to capture and reproduce a person’s fingerprint at a crime scene in an attempt to incriminate them, it would need to be consistent with the context, material facts and other evidence contained within the investigation and also be potentially subject to independent expert and judicial scrutiny.
All this notwithstanding, normal data sharing prudence should be exercised when sharing biometrics with others. A request from an untrusted party to capture your fingerprints should be considered with the heightened caution you would show towards a similar request for your passwords.
Are there any health risks associated with the taking of biometric samples?
The acquisition of biometric data from individuals should not have any implications for their health or safety. In a free and open society, it would be irresponsible, counterproductive, and not to say illegal, to put someone’s health at risk just to obtain biometric samples such as fingerprints, iris scans, face images etc.
However, there have been some commonly expressed concerns about certain types of biometric acquisition systems and these include:
Fingerprint Scanning: Fingers, thumbs and sometimes palms are placed onto the glass/plastic surface (platen) of a scanner in order to record the ridge detail. In high volume applications, such as at a busy airport, many passengers will come into contact with the scanning surface. Following the outbreaks of contagious diseases in recent years, for example, COVID-19, SARS and bird-flu, some people have been reluctant to come into contact with these devices even though they are no more infected than other commonly handled surfaces such as seat-back tray tables and baggage trolley handles. This risk has been mitigated in some airports by wiping the platen with disinfectant or placing a removable plastic cover over it for each person. The application of hand sanitiser by the passenger after scanning also minimises the risk of some infections.
As a result of these concerns, new ‘contactless’ data acquisition technology has been developed that captures fingerprints without the need for the fingers to come into contact with any device. The quality of these fingerprints is currently not as good as those taken on a platen but they can usually be used for 1:1 verification purposes, for example, matching the passenger’s fingerprints with those held in their passport chip or recorded in a database.
Iris and Vascular (Vein) Scanning: The scanners employed for capturing iris or vein pattern data from a person both use infrared light. However, the wavelength of this infrared light is no different to that found in natural sunlight and the data acquisition process does not subject the person to prolonged exposure to the infrared light. Consequently, there is no risk in undertaking either an iris or vein scan even if this is on a regular basis.
Are biometrics affected by the human ageing process?
As the human body ages some biometric features, such as the face, voice, gait and written signature, will change to some degree as the skin texture, musculature and skeletal components develop and alter from infant to child to young adult and eventually to elderly adult. This is why some identification systems renew biometric samples from individuals on a regular basis throughout their lifetime. This enables the new sample to be verified against the original sample with suitable tolerances being made for the human ageing process. It is also a factor in many national biometric identity systems that may enrol persons under 18 years of age but have to take account of the swift bodily development of younger persons and ensure that sufficient samples are taken over this period to maintain accurate biometric templates in the national register.
Some biometric modalities may change only in size as the body grows, for example, fingerprints, but the arrangement of these unique ridge formations are formed before birth and remain unchanged, unless they are subjected to a deep seated injury or other form of physical abuse (especially some forms of manual labour), until after death. It is interesting to note that many mummified bodies that are thousands of years old still have clearly identifiable ridge formations on their hands and feet.
There are additional challenges in obtaining clear and usable biometric samples from infants and the elderly. In the case of infants these include issues such as the diminutive size of some samples, the infant’s potential lack of cooperation in the process and the legal framework, social and cultural context of their country of birth that may restrict the collection of certain biometric modalities. It should also be noted that some behaviours used for biometric recognition in adults are not displayed adequately in young children, for example, speech, written signatures and gait. Acquiring satisfactory biometric samples from elderly persons may be adversely affected by factors such as skin texture, worn or damaged physical features, physical disablement and sometimes cognitive disabilities.
Is a photo a biometric?
Photos of high enough quality can be used as sources of biometric data in some cases. Images of the face captured to the standards set for passports are often used for biometric purposes. Poor quality images of the face – for instance, with little lighting and parts of the face obscured – may be less useful as sources of biometric data. This relationship between quality and usability is similar to how humans recognise others by face, and also applies to biometrics such as fingerprints.
Photos are of negligible use for biometric modes that depend on activity such as gait or signature performance and are entirely irrelevant for biometrics with no visible appearance such as voice or heartbeat. For these cases, other recording mechanisms may be possible that are subject to similar quality and usability trade-offs.
Many biometric systems prevent the act of impersonating someone using a photo, by checking that the face presented for signs that it is a real person, not an image. Some are designed to compare photos with no such checking, such as systems that assess captured images from a crime scene or categorise social media images by the people present within them. The same is true for recording mechanisms for non-visual biometrics.
In many legal contexts, a determination of whether a photo or similar recording of a person is a biometric depends on the intended purpose. For example, a photo taken to publicise an event may not be intended for biometric use. Were this intent to change, legal rights and responsibilities may also be expected to change.