While biometrics have the potential to increase security by improving the speed and efficiency with which the government can identify criminals, they also raise important privacy concerns. In order to protect privacy and civil liberties, we outline here a set of policy recommendations for the use of biometrics. Some of these policy recommendations are general, while others apply to specific biometrics.
I. The United States Supreme Court has stated that unless fingerprints or DNA tests are collected voluntarily, they cannot be used in the court of law (“IBIA Privacy Best Practice Recommendations”). As all biometrics are personal identifiers which may be collected involuntarily, they should all be treated similarly. Therefore, unless a citizen has opted into biometric recognition technology voluntarily, any identification based on biometric recognition will be invalid in a court of law.
II. Any biometric data held by the government or a private entity must be fully encrypted. Appropriate encryption standards will be determined by a court of law.
III. Fingerprints and iris scans may be used for identification, but not authentication. The United States Federal Bureau of Investigation has developed and is preparing to release the Next Generation Identification system which will allow for the use of fingerprint and iris recognition technology for use in identifying criminals. This identification is an appropriate use of these biometric technologies. For sensitive uses such as authentication at the DMV or customs at the airport, an indexical piece of data must be used as a secondary means of authentication. Examples of an indexical piece of data include a passport, photo ID, or passcode.
IV. Due to the sensitivity of the technology to aging and plastic surgery, identification through facial recognition may only be used as a preliminary checkpoint and must be verified by a second source.
V. Voice recognition technology may be used for speaker verification but not speaker identification. Speaker verification technology works as a means of authentication by comparing a user's voice to a stored voiceprint. In contrast, speaker identification is the recording of a user's voice, often without their consent, to find a match among a database of recorded voiceprints. While speaker identification has the potential to help law enforcement identify criminals, it is a slippery slope from speaker identification to monitoring of conversations and wiretapping. Thus, voice recognition technology should never be used without the speaker's consent.
VI. Commercial use of biometrics should be closely regulated. Any private entity that uses biometrics commercially (be it fingerprint authentication on the iPhone or an easy pay option at a restaurant) should be required to provide a comprehensive Terms of Use policy to their users enumerating the risks of using a biometric recognition service. Companies should not be allowed to provide any sort of incentive, economic or otherwise, to their users for registering in a biometric recognition service. Additionally, to discourage hasty decision making, we recommend a required wait time between enrollment in biometric recognition technology and first use.
For more information about specific biometrics, please see individual pages.