Progress on biometric data privacy too slow, incomplete, say experts

As deepfakes, identity theft and AI warp the shape of online life, new issues arise, requiring new regulation. Police in New Zealand have made progress on how they handle biometrics, but can’t figure out how to delete what they’ve already collected. A professor at Arizona State University believes it’s time for an international biometric bill of rights to govern such cases.

OPC sets new deadline for police to delete disorganized biometric data

New Zealand’s office of the privacy commissioner (OPC) says police are “well on the way” to complying with a 2021 Compliance Notice, which required them “to stop unlawfully collecting photographs and biometric prints from members of the public, particularly young people, and to delete unlawfully collected material stored on their systems, including mobile phones.”

A release from the OPC suggests that the police are doing well on the first part of the notice, not so much on the second. Privacy Commissioner Michael Webster acknowledges that police have put in “significant work” on implementing new training, policies and procedures around collecting biometrics and using facial recognition.

“I’ve seen that they also know they need to have a clear lawful purpose and rationale to take and retain them and have put guardrails in place to help frontline officers make good decisions about what they collect in real-time,” Webster says. The original Compliance Notice resulted from an inquiry that found thousands of images were being kept on officers’ mobile phones and in databases without clear cause or purpose.

But three years has not been enough time for the police to locate and delete all of the unlawfully collected data currently stored on their systems. The release cites “the scale and organization of Police’s information collections” as the primary challenge.

“I am concerned that the current state of Police’s information management systems and the extremely large number of stored images make it very hard to find and delete images in a practical way,” Webster says. As a result of this concern, the OPC has given police extra time to meet the requirement on deleting sensitive biometric data, moving the deadline to June 2025.

It may still be difficult. Many images stored in police databases, says the OPC, are inadequately labeled for easy search. As such, police are often forced to open image files manually and guess at the purpose and rationale for collecting and retaining them. The OPC compares it to opening a cupboard to find that all the cans have had their labels removed, and having to open them to find out what’s what.

Webster says “the development and implementation of a digital evidence management system was presented to us as a potential solution to these issues,” but that he has yet to see investments to that end. “Had they had that, police could have stored and identified photos and linked them to specific cases, which would have also meant staff would have documented the lawful purpose for taking the photo.”

New Zealand is in the process of drafting a biometrics code of practice.

Ancestry sites collecting DNA may not be bound by rules; bill of rights needed ASAP

When it comes to biometric data, it doesn’t get any more sensitive than DNA. A blog from Arizona State University profiles professor of computer science and engineering Katina Michael, who has voiced concerns that genetics and ancestry companies that collect customers’ DNA may not be bound by federal medical privacy laws.

Michael’s work at ASU’s School of Computing and Augmented Intelligence has given her a wide, deep perspective on how the collection of biometric data has evolved over time.

“There’s a whole ecosystem that has been created around biometrics, particularly since the 1990s, when we had governmental agencies in the U.S. building different types of identity systems,” she says.

She argues that this ecosystem needs a new bill of rights to govern it, to reflect an increasing need to better protect and secure biometric data” – “the building blocks of our bodies.”

She stresses that biometric data is irreplaceable: “biometrics are us.”

Michael’s view factors in what she has learned by observing the explosion in uses of biometric technology since 1993, when the U.S. Defense Advanced Research Projects Agency created the Face Recognition Technology program as part of the so-called war on drugs, until now, when it is estimated that some 80 percent of businesses use biometric tools and authentication.

Regulations, however, have had trouble keeping pace with the spike in biometric use cases, and privacy has often been lost in the shuffle.

Michael’s proposed solution weds two popular approaches: better education and more regulation. The first means communicating more effectively to the general public about how biometrics are being used and what that means for their privacy.

But a conversation will only go so far. The bill of rights Michael wants would operate on an international level to offer key guarantees, “like the legal right to have biometric data records destroyed upon request, the right to opt out of the sale or release of personal data and the right to know what information is being collected and stored.”

The piece notes the progression of biometric privacy laws in a few states, including Illinois, home to the strict (and potentially lucrative) Biometric Information Privacy Act (BIPA). The key, says Michael, is protections that allow consumers to take legal action when they believe their data has been misused – in legal terms, a private right to action.

As the online world becomes increasingly populated with deepfakes, and fraudsters continue to find novel ways to exploit identity theft, data protection and cybersecurity must be factored in at the earliest stages of design. And it must happen now.

“My concern is that with so much uncurbed web scraping happening on the internet, facial biometrics will soon mean nothing as deepfakes proliferate,” Michael says. “Something truly disastrous might need to happen before action is taken. Sometimes people don’t react until things really hit the fan.”

Article Topics

biometric data  |  biometric identifiers  |  biometrics  |  data privacy  |  data protection  |  regulation