European Association for Biometrics responds to regulators’ paper with clarifications, call for collaboration
A regulator’s paper on biometrics is riddled with inaccuracies, misrepresentations and contradictions, according to a point-by-point refutation written in response by the European Association for Biometrics (EAB).
Spanish data protection authority Agencia Española de Protección de Datos (aepd) and the European Data Protection Supervisor (EDPS) published a technical note in June, with the stated intention of helping data protection officers and others understand the complexities of biometric technology. The note makes a number of generally sound arguments, such as that biometric identification is probabilistic, rather than definite, but also makes more contentious claims about the vulnerability of biometric data, and that conflict with previously established definitions, such as from ISO/IEC.
The EAB position paper, titled “Misunderstanding in Misunderstanding on Biometrics,” takes issue with numerous detail in the technical note, and what it characterizes as missing information identified by EAB members.
The aepd’ and EDPS’ paper’s first observation that biometric data is stored in a template, rather than an algorithm, for example, leaves out that stored biometric reference data sometimes takes the form of a ‘biometric sample,’ as in passports compliant with ICAO 9303. Suggestions that biometric authentication reveals biometric data, that ageing affects the accuracy of fingerprints, and that biometrics other than facial recognition cannot differentiate between monozygotic twins, among others, are pointed out as incorrect.
Further, the terminology used in the aepd-EDPS paper clash with the terminology used in existing literature, such as ISO/IEC standards. The EAB also explains the European TURBINE project, which provides a method for biometric template protection, in response to the technical note’s ninth point identifying the claim that “Biometric identification/authentication systems are safer for users” as a misconception. The EDPS actually issued a positive assessment at the conclusion of the TURBINE project noting that “the revocability of the template ensures that the accuracy of the data is preserved,” the EAB notes.
Several other points made by the regulator about potential risks and vulnerabilities are responded to with examples of existing and established practices to mitigate or eliminate them, and clarifications are provided for many of the 14 points, such as that not all biometric systems are interoperable.
EAB concludes by inviting the EDPS and aepd to work with it to create a joint position paper.
“Our suggestion is to revise and augment the EDPS-aepd-publication, such that it includes a full picture of the current state of the art in biometrics and the availability of standards and privacy enhancing techniques,” the 15 experts from the EAB write in the paper’s abstract.