Biometric data protection sense alternately prevails, eludes authorities

The steady advance of airport biometrics has prompted a data protection authority to make a fine-grained judgement about the requirements for regulatory compliance in one of the most-read articles of the past week on Biometric Update. Data protection measures in other parts of the world are progressing less evenly, between ongoing changes to proposed U.S. legislation, criticism of New Zealand’s proposed code of practice, and an abrupt change of plans in the UK. Meanwhile, age estimation matures towards a new market application for face biometrics, Samsung is staking its position in the stubbornly embryonic biometric smart card market, and Mastercard announced an ambitious digital ID plan in Africa.

Top biometrics news of the week

Interpol has started the procurement process for mobile biometric devices to perform cloud searches from for suspect identification. A five-year contract or contracts will be issued for devices to search fingerprint and face biometrics and others for both search and storage. Local matching capabilities are considered a “nice to have.”

The EU’s data protection authority has ruled that airport biometric systems must rely on an encryption key held and controlled by the data subject to comply with GDPR, and identified minimum accompanying safeguards. The EDPB ruling on four scenarios was requested by French authorities, and could add wind to the sails of the EU Commission’s digital travel credential pilots.

The TSA’s facial recognition program does not work this way, but then it might not reach all American airports for 25 years, at the rate it is going. TSA Administrator David Pekoske says $1.6 billion in proceeds from a security fee intended to fund the program has been diverted.

A pair of false matches with facial recognition in the UK have led to a lawsuit against Facewatch and its retailer customer and another against the Met Police. In the former case, a teenage girl was flagged and ejected from a store as a shoplifter, and in the latter, a man was detained for nearly half an hour. The police say the technology has led to 92 arrests so far, but Big Brother Watch thinks there have been other mismatches.

Coincidentally, this is the sort of issue that falls under the purview of the UK Biometrics and Surveillance Camera Commissioner, which would have been subsumed into the Information Commissioner’s Office if the DPDI had not been abandoned for an election. The inadequacy of existing data protection regulation to address false biometric matches was an anticipated problem. Other parts of the DPDI, however, were broadly supported by digital ID advocates and industry.

Lawmakers on a U.S. house committee painted a picture of digital carnage in voicing support for APRA. The federal data privacy legislation would pre-empt state laws, introduce age verification for social media, and if some members are successful in their attempts to revise it, set rules for biometrics use.

A New Zealand advocacy group for digital ID says the code of practice for biometrics proposed by the country’s Privacy Commissioner puts public fears before real privacy threats. DINZ points out technical inconsistencies and argues the needed guidelines should be created by somebody else.

The age assurance market is taking shape at a breakneck pace, with Trust Stamp filing for a patent and Luciditi partnering with Privately. NIST published its long-awaited report evaluating the performance of biometric facial age estimation from Yoti, ROC, Dermalog, Incode, Neurotechnology and Unissey this week. The ACCS published high level and in-depth reports on its recent Global Age Assurance Standards Summit, where the NIST FATE results were previewed.

Samsung has patented a fingerprint IC for biometric cards, and the cards themselves. The electronics giant says its integrated sensor, storage and processing bundle includes software to optimize user experience and detect spoofs. The card could include additional memory, an RF chip or a digital display. The company already has an MoU with Mastercard.

The aforementioned payments giant is partnering with the African Development Bank on a $300 million plan to put digital ID and online service access in the hands of 100 million Africans in the next decade. The Mastercard Community Pass is based on a digital ID and wallet stored on a smart card.

MOSIP has published the specs for a QR code to enable the use of face biometrics for offline authentication. Claim 169 also supports a range of demographic details, leverages W3C’s Verifiable Credentials, and is intended to support cross-border interoperability between national IDs.

Please let us know about any content we should share with the people in biometrics and the broader digital identity community through social media or in the comments below.

Article Topics

biometric identifiers  |  biometrics  |  data protection  |  digital identity  |  facial recognition  |  week in review