Biometric capabilities, once the preserve of state intelligence agencies, are now on the open market, as Philip Ingram MBE reports.
Biometrics enable the recognition of individuals based on their biological and behavioural characteristics. Facial images are one form of biometric data. Others include DNA, fingerprints, irises and voice.
The field of biometrics is growing as new technologies are able to measure subtle biological differences between individuals. For example, a person’s gait or the shape of the veins in their hands are also ways in which to identify someone.
However, this growing technology has raised some concerns, as outlined by Professor Fraser Sampson, the Surveillance Camera and Biometrics Commissioner, when he said: “My statutory functions as Commissioner were introduced by the Protection of Freedoms Act 2012 primarily to cover the use of biometric surveillance by policing and law enforcement.
“Biometric capabilities that were available only to state intelligence agencies at the time of enactment are now readily available on the open market. In this context the expansion of newly intrusive technologies since the Act was passed now raises daily questions even when being legitimately used to protect national security and prevent serious harm.”
Professor Sampson refers to legislation, so which legislation affects biometrics in the UK?
The Data Protection Act 2018 implements the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive. It explicitly classifies biometric data as a ‘special’ type of data, making it subject to stricter processing rules.
The Act defines biometric data as physical, physiological or behavioural characteristics that allow the unique identification of a person. The Biometrics Commissioner has suggested that this definition may also include patterns of social behaviour or ‘sociometrics’.
The Human Rights Act 1998 states that everyone has the right to respect for their private life. The European Court of Human Rights (2008) and the UK High Court of Justice (2012) have ruled that the retention of fingerprints, DNA and facial images by police interferes with this right and hence must be justified and proportionate for the purposes of public safety.
The Police and Criminal Evidence Act 1984 (PACE) allows police to take and retain fingerprints, DNA and facial images following arrest, for the purpose of solving or preventing crime. Before the Protection of Freedoms Act 2012, DNA and fingerprints could be held indefinitely.
The Protection of Freedoms Act 2012 (POFA) amended PACE in response to a ruling from the European Court of Human Rights that the indefinite retention of fingerprint and DNA data from people not convicted of a crime was unlawful. The new regime generally requires the automatic deletion of fingerprint and DNA data from people who are not convicted.
However, there are exceptions: for example, DNA and fingerprint data from those charged with a serious offence may be kept for three years. DNA and fingerprint data from those convicted of a recordable offence may be retained indefinitely.
The Act created the roles of the Surveillance Camera Commissioner, who encourages compliance with the Surveillance Camera Code of Practice, and the Biometrics Commissioner. It also created a strategy board to oversee the police DNA and fingerprint databases.
It is becoming increasingly important that the security community ensures it is aware of and complies with the ever-changing legislative landscape, but what could we describe as biometric attributes?
In general, there are universal and permanent biometric attributes. These attributes can be measured and analysed to produce what is in effect a digital signature that is sufficiently distinctive to enable the identification of an individual. Often, we hear of two types of attributes – physical and behavioural.
Physical means simply a physical attribute, including DNA, fingerprints, iris, hand geometry, vein pattern and face. Behavioural attributes include a person’s gait (how they walk), typing pattern (how they use a keyboard or smartphone touchscreen), voice (determined by factors such as accent and the shape and size of the vocal tract) and signature (the way they sign their name).
These attributes are derived from biometric systems, which are essentially pattern-matching systems involving four main processes:
- Data capture – a sensor captures the biometric characteristics of the user – for instance, a camera taking an image of a person’s face
- Feature extraction – the biometric data captured by the sensor are processed into a digital form containing only the key distinguishing features required to identify the user
- Storage – biometric features are stored for future comparison as a reference record, either on a central database or on local storage (such as on a passport)
- Comparison – an algorithm compares input biometric data with one or more reference records and gives a score for how close the match is. Depending on whether the score is over a certain threshold, the system declares either a match or a non-match.
As most biometric systems compare what they have against a database and apply probability-based algorithms to identify matches, there is always an element of error. That error is compounded if there are flaws in the base data used to train the usually AI-based systems doing the comparisons or underpinning the AI technology itself.
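The comparison step and its built-in error can be seen in a small sketch. This is an added example, not part of the original article: the reference records, probe captures and the toy `score` function are constructed for illustration, and a real matcher would use a far richer feature set.

```python
# Constructed reference records (the "storage" step): identity -> feature vector.
REFERENCES = {
    "alice": [52, 18, 77, 40],
    "bob":   [49, 22, 70, 45],   # deliberately close to alice
    "carol": [10, 90, 30, 65],
}

# Constructed probes (fresh captures after feature extraction): (true identity, features).
PROBES = [
    ("alice", [50, 20, 75, 41]),
    ("alice", [60, 10, 70, 48]),  # poor-quality capture
    ("bob",   [48, 23, 71, 44]),
    ("carol", [12, 88, 33, 60]),
]

def score(probe, reference):
    """Toy similarity score, 100 = identical (hypothetical stand-in for a real matcher)."""
    diff = sum(abs(p - r) for p, r in zip(probe, reference))
    return 100 - diff / len(reference)

def is_match(probe, reference, threshold):
    """Comparison step: declare a match when the score reaches the threshold."""
    return score(probe, reference) >= threshold

def score_sets():
    """Score every probe against every reference, split by whether the pair is genuine."""
    genuine, impostor = [], []
    for identity, features in PROBES:
        for enrolled, reference in REFERENCES.items():
            bucket = genuine if enrolled == identity else impostor
            bucket.append(score(features, reference))
    return genuine, impostor

def error_rates(threshold):
    """Return (false match rate, false non-match rate) at the given threshold."""
    genuine, impostor = score_sets()
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr

if __name__ == "__main__":
    for t in (90, 96, 98):
        fmr, fnmr = error_rates(t)
        print(f"threshold={t}: false match rate={fmr:.3f}, false non-match rate={fnmr:.3f}")
```

Raising the threshold removes false matches only by rejecting more genuine users, so no setting in this sample is free of error.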
Where the data is stored is key to ensuring it is handled and protected properly. UK Government databases that hold biometric information include:
IDENT1 has been fully operational since 2004; it replaced the National Automated Fingerprint Identification System. This year it has been integrated via Xchange, enabling integration with forensic data from the Forensic Capability Network (FCN) and Home Office Biometrics under the Transforming Forensics (TF) programme.
NDNAD is the National DNA Database, established in 1995. In March 2022, it contained the DNA profiles of an estimated 5.8m people and almost 0.7m crime scene profiles.
IABS is the Immigration and Asylum Biometrics System, which came into operation in 2012. In 2021, it had around 91.9 million records.
PND, or the Police National Database, has been in place since 2010 and enables sharing of intelligence information between UK police forces. Developments to the database are currently being examined.
Our biometric profiles are becoming an increasing fact of life, but who holds what and how it is processed and protected is something every individual should be aware of. For all of the government systems that exist, there are significantly more in the private sector.
At least in England and Wales, the Government systems come under the Protection of Freedoms Act, but the time is here for more control over privately held biometric profiles.
This article was originally published in the July 2022 edition of Security Journal UK.