South African institute warns against biometrics outstripping laws as SIA launches ethical principles
The Institute for Security Studies (ISS) in Pretoria, South Africa writes that in their rush to deploy facial recognition and other biometrics, sub-Saharan African countries should ensure regulation is in place before deployment, The South African reports.
ISS Senior Research Adviser for Emerging Threats in Africa Karen Allen points out that Zimbabwe, Uganda, and South Africa have all adopted facial recognition, and biometrics more generally are becoming ubiquitous in many parts of Africa. Internet connectivity has posed a challenge to biometrics adoption in the past, but that barrier is gradually falling.
iiDENTIFii CEO Gur Geva noted during a June ISS webinar that one-to-one authentication scenarios, in which user consent and participation are required, is less susceptible to abuse than other forms of the technology.
South Africa’s Protection of Personal Information (POPI) Act of 2013 has largely only reached implementation recently, and has yet to be tested in court, according to the report.
Allen suggests that biometric data could be very attractive to hackers, and pose a tremendous cybersecurity risk, particularly when stored within centralized systems, pointing to Kenya’s Huduma Namba in particular. Allen also expresses concern about higher error rates for facial recognition identifying people with dark skin.
Allen recommends regular audits of databases used with facial recognition, context-specific algorithms, and robust cybersecurity checks to protect sensitive data.
SIA sets out mandatory code of ethics
Recognition of similar concerns has prompted the Security Industry Association (SIA) to launch a new mandatory SIA Membership Code of Ethics with nine principles formulated to hold members to the highest standards of conduct.
All SIA members are required to affirm their adoption of the principles developed by The Ethics in Security Technology Working Group as a condition of their membership. If the SIA Executive Committee determines that a material violation of the principles has occurred, a range of punitive actions from a written warning to suspended membership are possible.
The principles include honest and transparent functioning without misleading business practices or conflicts of interest, providing accurate information to the market, consideration of sustainability and environment impacts, and opposition to prejudice, harassment and abuse.
Members must “Work with law enforcement in an appropriate manner that enhances public safety while respecting the reasonable expectations of privacy held by customers and individuals whose images or information are captured by security devices,” and protect personal information according to best practices. They must also monitor and mitigate cyber threats, and ensure their products do not surreptitiously transmit information to third parties. Finally, they must refuse to knowingly participate in any project determined by authorities to support human rights abuses or the restriction of civil liberties.
The list is not intended to be exhaustive, and SIA says the principles are written in broad language to enable their application to a variety of situations.