Tech experts want new UK data protection law for biometrics

A panel compromising the former head of GCHQ, leading scientists and privacy rights campaigners raised concerns over the use of biometrics at a government committee meeting earlier this week.

RBS and NatWest to let mobile customers sign-in with biometrics
RBS and NatWest to let mobile customers sign-in with biometrics

Speaking at a House of Commons Science and Technology Committee meeting on Wednesday, professors from Durham University, the University of Dundee and the Biometrics Institute were joined by the former GCHQ head and current director of privacy rights group Big Brother Watch in warning that biometric technology raises pertinent questions on data collection, security, trust and data protection legislation.

Professor Juliet Lodge, representing the Biometrics Institute, said that biometric take-up has transcended past national ID schemes to social media algorithms, and could soon be used in sectors such as travel, banking, finance, insurance and health. On the latter, she cited e-health and implants as examples where biometric adoption is expected to grow in future.

“From our perspective I'd say that the uptake of biometrics is increasing, it's vast, but the real issue is to ensure that it is done in a way that is responsible, transparent, accountable, reliable, secure and robust – and is a way that is going to be acceptable to the public, which so far has not been terribly well informed of what biometric is, and how we can use biometrics,” she said.

However, both Lodge and Louise Amoore, Professor of political geography at Durham University, says that trust is imperative if users are to use biometric devices, applications and processes – with both women admitting that data storage ‘might be the weakest link in the chain'.

“Any breach is going to have far more effect on public belief in the system,” said Lodge, who added that biometric technology is ‘not fool-proof'.

Professor Sue Black, director of the centre for anatomy and human identification at the University of Dundee, added that people would be ‘frightened' in the event of a security incident because identity is so personal. “Your identification is probably one of the things people hold most dear, because it's a representation of self.

“Every time we have media scare stories, true or otherwise, it just chips away at the public's confidence on who can hold ID securely and who you trust to hold it.

Government needs to do more

The panel urged the government to look actively at the problems (an investigation is on-going) and said that its engagement in biometric technology has stalled ever since the proposed ID cards scheme was scrapped back in 2010.

The first of their priorities, the panel said, should be to evaluate the current data protection legislation.

“New legislation will possibly require a whole new outlook, because the role of biometrics in society is running away from our capability to manage it," said Black.

“We are looking at physical identity and cyber-identity, while we have the measure of these identities [in isolation], the barrier between is currently a no man's land," she added. “The Internet of Things will require a step change in terms of legislation."

Quizzed on this legislation by one witness, Lodge added that a legal update was required as well as a ‘really thorough review of what it means in an age where devices and people communicate invisibly with each other'.

Sir John Adye, chairman of the UK firm Identity Assurance Systems and the former chief of GCHQ in the late 1980s and early 1990s, said that trust is the key, adding that good systems would be needed to show the public how their biometric data was being used.

His comments echoed those from web founder Tim Berners-Lee, who last month said he sees a future in trackable data.

 “If we are going to rebuild or create public trust, we must have good examples of good systems, so that people can understand how their data is being used and can start to use biometric technology through convenience,” he said at the committee meeting.

But he cited the smartphone space as an example of poor practice, slamming Apple and cloud services in particular.

“Internet use is a jungle. What happens to my personal data when I use it on a smartphone to prove my identity? Is another commercial company or even a hostile foreign government going to use it to target me? We need to properly organise this system."

He added: “I don't know what happens to my personal data when I use it on a smartphone”

"I don't know, although I'm quite experienced in this area, what happens to my personal data when I use it on a smartphone for proving my identity. Is Google going to use that data to target advertising at me? Is some other commercial company or maybe some hostile foreign government going to use it to target me in some other way? I don't know," he said.

Big Brother Watch director Emma Carr said that – whatever the direction of mravel – privacy must be guarded: “Building privacy into design from the outset is very important. In our view Many schools have installed biometric technology simply because it was new and the most advanced thing to have, rather than actually being necessary."

This news comes in the same week Kirk Skaugen, senior VP and general manager of the PC client group at Intel, said that McAfee software will develop biometric technology to verify users' identities by the year end. In addition, the European Article 29 Working Party this week issued its own opinion on device fingerprinting.