What we talk about when we talk about biometrics and policing

By Professor Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner

When I was the UK’s Biometrics and Surveillance Camera Commissioner, I wrote a blog called “what we talk about when we talk about biometrics.” That was four years ago when what the UK was talking about was diluting an already thin regulatory framework for biometrics and surveillance.

The technology has continued to evolve rapidly, and public expectation has moved with it, but where has that left regulation? Recent reports suggest the pace of policy and reform in biometrics is frustratingly out of step with both the technology and our expectations of its use. The gap between the possible (what can be done), the permissible (what must/must not be done) and the acceptable (what we support being done) has widened, while the opportunity to close it is narrowing. With renewed admiration for Raymond Carver, it is timely to take another look at what we talk about now when we talk about biometrics – and what we should probably be talking about next.

When we talk about biometrics and policing, we still talk about a made-up world where state run surveillance is the great terror and “Orwellian” the adjective of choice. But that’s not where biometrics have taken us – or vice versa.

We should talk about the fact that we’re shifting from a world where the police collected images of the people to one where they collect images from the people; where the citizen has access to biometric technology that only a few years ago was the preserve of state intelligence agencies – we’re talking about AI-powered spectacles with lip-reading functionality, about liveness detection apps and Wi-Fi routers that can see people through walls.

When we talk about regulatory frameworks we think about something designed for Orwell’s future, a pre-AI era when public spaces were watched over by visible, publicly operated cameras looking down on us from fixed points. We don’t yet talk about how we share the product of all this citizen-controlled biometric machinery, not only with each other, but also with the police who now routinely appeal to the public for uploads after any incident. We should be talking about the aggregated biometric capability of the population and the risk of the state becoming increasingly reliant upon citizen-generated data captures. We should talk about how even the EU AI Act misses this evolutionary phase and why using 75-year-old fiction to predict the future of AI is an ironic failure of imagination.

When we talk about biometrics, we talk about how inaccurate facial recognition algorithms used to be rather than the almost 100% accuracy rates now being achieved and the fact that people generally trust the technology in their own hands. We talk about whether we trust the police to use biometrics responsibly, without recognising that this isn’t a technology question; it’s an accountability question. We talk about the intrusiveness of the technology not the intrusiveness of damaging behaviour that biometrics are already preventing. And we talk about data rights in a way that lets those wanted by the police opt out of being found by the very biometric technology we bought to find them. We talk less about how the use of DNA and fingerprints revolutionised criminal investigation, and hardly at all about how breath testing and back calculation has made our roads significantly safer.

When the police talk about new biometrics, they talk about the additional capability live facial recognition (LFR) gives them to prevent sexual harm or police public events. They talk about why they can search everything an arrested suspect owns, carries or controls but can’t access a biometrically locked mobile phone even if it contains proof of the suspect’s involvement in serious crime. And about the act of Parliament that tells them what they must do when taking a suspect’s boot print but says nothing about the mass capture and storage of body images, voice and iris patterns and other measures of biological identity.

We have started to talk about the proliferation of biometrics in the high street. Shop staff talk about age verification tools that are helping them stop under-age purchases, about being given DNA sampling kits because they keep getting spat on and about the difference LFR has made to their workplace by preventing some of the 20, 000 reported assaults or 50, 000 thefts each day. They probably don’t talk about how some retailers are already using plug-and-play biometrics as if they were just clever CCTV cameras but we should. We should also begin to talk about biometrics in shops as a health and safety issue rather than a security solution and why a single enforced standard is essential. At the same time, we should talk about how partial regulation is no regulation, learning the lessons from other ID systems like vehicle number plates where being on the government’s list of 40, 000 registered suppliers in the UK is only effective at generating registration fees and does nothing to stop them selling plates illegally.

When we talk about standards for biometrics in the round, we should answer the only real question for any regulatory framework: does it give the public what they need?

The regulation of biometrics needs an approach that is clear, consistent and comprehensive. What we talk about must cover the whole ecosystem in which any single element operates. Demonising or fetishising a specific application is irrational, expecting the law to move at the speed of creativity is fantasy. If, when we talk about biometrics, we talk about possibilities and dependencies, about the risk of not using solutions as well as those from deploying them, and about meeting people’s legitimate expectations, we’ll have a shot at a planned response to a real-world future while there’s still a chance. If we don’t, it won’t matter what we talk about – it’ll just be talk.

About the author

Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner, is Professor of Governance and National Security at CENTRIC (Centre for Excellence in Terrorism, Resilience, Intelligence & Organised Crime Research) and a non-executive director at Facewatch.

Article Topics

biometrics  |  facial recognition  |  Fraser Sampson  |  police  |  regulation  |  retail biometrics