Biometrics: Caution! Danger ahead for civil liberties!
Biometrics is in the air. Identity cards, border control, access to sites, patient identification, security of payments, control of access to smartphones and to information systems... biometrics are now ubiquitous and pervasive.
This has not always been the case. Only a decade ago, the technique of identifying or authenticating a person’s identity from physical, biological or behavioral characteristics, aroused a certain amount of suspicion among the general public and remained confined to government, military, or high security realms.
Since then things have changed, as a result of two main factors. The first is a general feeling of insecurity, which confers legitimacy to (and makes it difficult to question) the introduction of biometric identification documents and the implementation of population control and migration flows based on biometrics. The second is the widespread use of these technological processes in commercial applications, smartphones, connected devices and smart watches that know everything about you, whose playful and entertaining side has naturally accustomed us to biometric measurement.
Of course, not all biometric applications pose the same threat to civil liberties. They take different forms and are increasingly the subject of research. Among the most dangerous are those that involve the creation of centralized databases containing biometric identifiers, which aim in particular to prevent a person from maintaining two different identities.
This type of application is essentially governmental (fingerprint databases for example), but can also be used by private-sector companies given the ease of recovery of certain physical or behavioral data (photos, videos, health websites, geolocation by manufacturers or navigation applications for example). In contrast, applications that simply compare data presented by the individual with an encrypted reference stored in physical media (USB flash drives, smartphones, smart cards) are obviously much less likely to give rise to abuse. Between the two, there is the power of the imagination of vendors and their offerings are proliferating.
How to protect personal data?
To what extent can French law today and European law tomorrow through the future pan-European data protection framework, effectively stem this tide?
Current French law, as interpreted by the French Data Protection Authority (CNIL), authorizes biometric identity control devices only sparingly. These devices are systematically scrutinized in light of its three guiding principles: proportionality between the purpose of the data processing and the risks related to data protection and privacy; data security; and, the sufficiency of information to data subjects.
The American way or the protection of privacy?
The logic underlying the future European regulation in this area is still taking shape and remains a matter of contention between liberal and conservative tendencies which are clashing at the Commission. These tendencies simply reflect the sizeable differences in views between those who are closer to the American view that emphasizes security imperatives and commercial applications for consumers largely promoted by US suppliers, and those who attempt to take a hard line in favor of the protection of privacy.
One can reasonably say today that the visibility we have on the effectiveness of legal means to regulate the use of the human body tomorrow, in its public or private aspects, whether this entails everyday shopping and errands, travel or healthcare, is uncertain to say the least. This is especially the case given that the European bloc is isolated in its attempts to regulate, squeezed as it is between the American bloc and a number of states in our globalized world in which human rights are not a primary concern.
This is a real political issue and a real issue of collective responsibility, on which we would like to see a little more information worthy of its name, coupled with a little less techno-commercial-legal claptrap.