Making our Body Identify For Us: Legal Implications of Biometric Technologies
Corien Prins, Robert van Kralingen
Appears in no. 3 1998 The Computer Law and Security Report
1. Introduction
New opportunities to ensure an adequate level of security are becoming available by exploiting unique human characteristics such as fingerprints and dynamic signatures. With computer systems recognising fingerprints or understanding human language, we have gained a powerful tool to verify the identity of an individual and thus ensure the maintenance of a certain required level of security. The technique to use human characteristics is often referred to as biometrics. Both physical characteristics and behavioural characteristics can be used. Examples of the former are fingerprints, hand and face geometry and iris and retinal characteristics. Dynamic signatures and voice recognition are examples of the latter.
That biometric technology is no longer an embryonic development is illustrated by the proposed legislation in Ontario, Canada, that regulates the use of biometric information used for social assistance purposes. Nevertheless, biometric verification and identification need to be developed further. In particular the methods by which the technique can be most adequately applied have not been established yet. But what is more important, the legal consequences have to be considered. Does the use of biometric techniques intrude on fundamental rights, such as the right of physical integrity and the right of privacy? What is the status of proof when biometrics are involved: should it be awarded compelling evidentiary value? Should one central (governmental) authority be responsible for the storage and management of biometrical data or should storage and management be left to the market players?
This article intends to take some first tentative steps towards a better insight into the legal consequences of as well as conditions for the application of biometric technologies.(1) After providing in the following paragraph a brief description of the techniques involved and of the different biometric methods used, mention will be made of a few of the benefits of the technology as well as applications thereof. Subsequently, issues related to fundamental rights, legal requirements for security measures and the status of proofs (e.g., in trials) are explored. The article is concluded with some recommendations and policy options.
2. The technique
Fingerprints, hand geometry, retina, iris and human voices: they are all unique to a specific individual human being. This uniqueness could be an important instrument to improve the security of information services, for when computer systems can securely recognise, understand, interpret and generate human characteristics, various forms of fraud could be eliminated, yielding savings for both businesses and individuals. To take the situation of voice recognition: in our present-day world in which the telephone has become a prime medium for transacting communication, the benefits may be enormous once we are able to automatically authenticate a human voice at the end of a telephone.(2) Also, with the growing importance of smart card applications and the introduction of multi-functional smart cards containing various information functions (health card, electronic money, government service card, etc.), the demand for adequate security measures has increased dramatically. Thus in the case of smart cards, the presence of a human characteristic could be linked to the possession of a smart card.
In short, biometric technologies may greatly enhance the value of security in various applications of communication. But biometric technology is far more than just a security device.
Primarily it is a recognition technique that has the following applications:
What is the technology then really about?
The basic process to make biometrical recognition work can be divided into two phases. In order for a machine to recognize or understand certain characteristics of our body, these characteristics need to be manipulated by computation. Thus, in the first phase - the enrolment phase - a certain characteristic of an individual (e.g., a hand geometry) is measured by a sensor. The sensor enters these so-called 'raw data' (also called 'signal') into the computer system. Then the 'raw data' are processed by means of an algorithm and formed into a template (a set of numbers). This computation process is repeated several times to allow for variations. Thus, depending on the appropriate level of a particular application, a general or more detailed picture of the 'raw data' is generated. It should be mentioned at this point that whereas the 'raw data' can be translated into the set of numbers of the template, the numbers cannot be translated back into the 'raw data'. In other words, an individual's fingerprint cannot be traced on the basis of a template.
In the second phase, the phase in which the verification takes place, again the specific characteristic of an individual is measured. The data obtained, the 'live scan', is translated into a set of numbers and compared with the template. Thus, for example when biometrics is used for admission purposes, for each admission request the number will be recalculated and compared with the template. If the match falls within a certain statistical range of values, the match is valid.
There are many possible methods and technical variations when using biometric technologies. Here mention is made of only those that have an impact on legal considerations.
First, different human characteristics may be used, some of which are more reliable than others. For example, the use of fingerprints provides more reliable results than the use of voice recognition.
Second, the balance between the so-called false acceptance rate (FAR) and the false rejection rate (FRR) influences the reliability of the technique. A 100% digital translation and matching of the data may not always be a requirement. What is more, it may not always be efficient from a usability perspective to set the comparison threshold very tight. Tighter thresholds increase the chance that the data obtained from the 'live scan' will incorrectly not match the template from the correct person. For various reasons, human characteristics such as fingerprints could vary and a commercial bank, e.g., would not want a customer to be denied access to certain facilities purely because this customer worked in his garden the day before. Thus when matching in the verification phase the 'live scan' data with the data on the stored template, a certain authoring range is set within which the match is valid. The scope of this range influences the reliability.
Finally, different options are possible as regards the way in which templates are stored and
used. One could opt for central storage in a large database (on-line) or storage on a smart card
(off-line). When stored in a database, the biometric information is often connected to other
personal data, such as names or addresses of the individuals. This need not be the case with
storage on a smart card. This application could therefore be a key option for secure anonymous verification in the information society.
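The enrolment and verification phases and the FAR/FRR balance described in this section, as an added example that is not part of the original article. The feature vectors, the noise model, the Euclidean distance measure and all names are assumptions constructed for illustration, not a real biometric algorithm.

```python
"""Enrolment, verification and the FAR/FRR trade-off on constructed data."""
import math
import random
from statistics import fmean

DIM = 8  # length of the template (the "set of numbers"); assumed value


def enrol(samples):
    """Enrolment phase: combine repeated measurements into one template."""
    if not samples:
        raise ValueError("at least one enrolment sample is required")
    return [fmean(column) for column in zip(*samples)]


def distance(live_scan, template):
    """Euclidean distance between a live scan and a stored template."""
    if len(live_scan) != len(template):
        raise ValueError("live scan and template differ in length")
    return math.dist(live_scan, template)


def verify(live_scan, template, threshold):
    """Verification phase: the match is valid if it falls within the range."""
    return distance(live_scan, template) <= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for lists of genuine and impostor distances."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr


def simulate(people=40, enrol_samples=5, noise=0.05, seed=1998):
    """Build constructed users; collect genuine and impostor distances."""
    rng = random.Random(seed)

    def measure(trait):
        # A sensor reading is the underlying trait plus measurement noise.
        return [x + rng.gauss(0, noise) for x in trait]

    traits = [[rng.random() for _ in range(DIM)] for _ in range(people)]
    templates = [enrol([measure(t) for _ in range(enrol_samples)])
                 for t in traits]
    genuine, impostor = [], []
    for i, trait in enumerate(traits):
        live = measure(trait)  # one live scan per person
        for j, template in enumerate(templates):
            bucket = genuine if i == j else impostor
            bucket.append(distance(live, template))
    return genuine, impostor


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) rows, one per threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    genuine, impostor = simulate()
    for t, far, frr in sweep(genuine, impostor, [0.05, 0.1, 0.2, 0.4, 0.8]):
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")

    # The "worked in his garden" case: the right person, a shifted reading.
    template = enrol([[0.4] * 4, [0.6] * 4])
    worn = [0.6] * 4
    print("tight threshold accepts:", verify(worn, template, 0.1))
    print("loose threshold accepts:", verify(worn, template, 0.3))
```

Tightening the threshold lowers the FAR and raises the FRR; loosening it does the reverse, which is the balance an operator has to choose per application.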
3. Benefits and Applications
The application of biometric technologies is based on the empirically verifiable notion that nature does not repeat itself and that, therefore, certain traits are unique. Thus, an important advantage of the technology is that physical or behavioural traits cannot be transferred to other individuals. One could say that with the application of biometric information there is a shift in the focus from knowledge-based recognition (e.g., with a PIN - personal identification number) or token-based recognition (e.g., with a key) towards the presence of a physical or behavioural trait.
Among the other advantages of automated verification over verification processes conducted by humans are that automated verification will prove more reliable and constant because
machines do not get tired and are not affected by psychological defects.
It is thus not surprising that biometric technologies are believed to make a major contribution in a large number of interest areas. In The Netherlands, the Minister of Health has asked for a report on the impact, opportunities and conditions of the use of biometrics as identification instrument for certain health care services.(3) In the meantime, the Dutch Ministry of Justice is working on a policy framework with respect to developments and use of biometric technology. Developments in Spain (TASS-project against fraud with social security facilities) as well as international publications also show that biometrics is no longer an embryonic development.(4) In the wake of incidents like the bombing of a federal building in Oklahoma City, proponents in the United States argue that biometric technologies should be applied to buildings and apartment complexes as a requirement for entry. At present, fingerprint image identification is already applied at the State level for administrative applications such as identification checks for driver's license applications and social welfare benefits.(5) By requiring biometric identification as a condition for enrolling in certain welfare programs, the government hopes to combat fraudulent use of the programs. In 1992, section 139-a of the New York State Social Services Law was amended to require automated fingerprint imaging as a precondition for enrollment in social welfare programs in several New York State counties.(6) The above section further provides that in case an applicant is suspected of fraudulent multiple enrollment on the basis of a matched fingerprint, the welfare benefits may not be automatically denied. First, the individual must be notified and he or she is entitled to a hearing to be held within forty-five days of the notification.(7) Also, section 139-a (3) (g) contains a provision on periodic audits to monitor compliance with all laws and regulations regarding the automated finger imaging matching system to ensure that "any records maintained as part of such system are accurate and complete, that no illegal disclosures of such records have taken place, that effective software and hardware designs have been instituted with security features to prevent unauthorized access to such records (...)." From this provision it further becomes clear that adequate and timely procedures exist to ensure the recipient's or applicant's right to access and review of records for the purpose of accuracy and completeness, as well as procedures for necessary correction of inaccurate or incomplete information.
In 1997, the Province of Ontario, Canada, proposed legislation on the use of biometric information. Under the legislation that regulates the use of biometric information used for social assistance purposes, biometric information is defined as "information derived from an individual's unique characteristics". Interestingly, the definition expressly excludes photographic or signature images.(8) The principal objective of the proposed legislation is to provide the use of biometric information with a legal basis: where legislation related to social assistance requires an individual's signature, biometric information may now be used in the place of such a signature, provided the requirements set in the proposed legislation are met.(9)
4. Legal Implications
The above examples already indicate that the introduction of biometric technology requires in
certain situations that the relevant laws be adapted. But aside from these concrete measures, in
what respect does the use of biometric technology challenge the law? It appears that key
challenges manifest themselves in the area of fundamental rights and personal data protection.
But also the implications for the rules on security and proof need to be examined.
4.1 Biometric technology and fundamental rights
At first sight, one could argue that the use of unique characteristics of a human being such as his fingerprint, iris or hand geometry, limits certain individual liberties, as enacted in most national constitutions and in international basic documents on human rights: the European Convention on Human Rights (Article 8), The Universal Declaration on Human Rights (Article 12) and The Treaty on Civil and Political Rights (Article 17). However, a more in-depth analysis shows that such a general conclusion cannot be drawn.
What becomes clear first is that with most biometric technologies no penetration of the body's surface is required, meaning that the use of these technologies will not be deemed unreasonably intrusive from this perspective. It is, however, possible that certain technologies are considered intrusive in case they do not meet social acceptance. A successful introduction of biometric technologies will therefore require special attention to user acceptance.
It appears that whether or not the use of biometric technologies intrudes on fundamental rights very much depends on the circumstances under which it is applied as well as the specific techniques used. As mentioned in paragraph 2, different techniques can be used when applying biometrics among which a variety of human characteristics. Also, organisations applying the technique may choose between an off-line or on-line system. In the end the answer to the above question depends on the balance formulated between the privacy right on the one hand and the right to free flow of information on the other hand. In finding this balance the following issues are of importance:
As regards the first issue: we have seen that some techniques are more reliable than others. Fingerprints, hand geometry, iris and dynamic signatures are considered reliable techniques, whereas face and voice recognition are examples of less reliable applications.(10) The technique selected to implement biometrics can influence the answer to the question as to whether the use of this technique constitutes a violation of fundamental rights.(11)
Second, the answer to the question whether a fundamental right has been violated depends on the existence of a fall-back option. Where the organisation applying biometrics also allows for other mechanisms for the required verification or identification (e.g. by means of a PIN), individuals will in general not have a strong case in arguing that the application of biometrics intrudes on fundamental rights.
The third issue implies that in general great care should be taken when biometrics are used without prior knowledge or consent from the data subject. The same applies in case of the obligatory use of biometrics. From the perspective of fundamental rights, the use of biometrics on a voluntary basis will in general not cause problems. In case at some point in the future the use of biometrics becomes obligatory, the type of biometrical data and the purpose for which the data are to be applied, will be key factors in determining whether a statutory basis for such use is required. The legislative developments in Ontario, Canada, are an example in this respect.
Finally, proportionality is an issue. With other - less intrusive - identification and security mechanisms available, organisations should not directly turn to the use of biometric technologies. The use of biometric technologies must bear a rational relationship to the legitimate goal it is used for. Thus, fundamental rights are likely to be violated in case biometrics is used for applications merely requiring a low level of security. In the end organisations and government agencies must demonstrate that there is a compelling interest in using biometric technology and that, e.g. an obligatory fingerprint requirement is reasonably related to the objective it is required for.(12)
4.2 Biometric technologies and personal data protection
Also where it concerns personal data protection, one would at first instance be inclined to argue that the use of biometrical data and the means of storing these data are subject to the relevant laws. Again, the situation appears, however, more complex.
In various countries the right to the protection of personal data is extensively regulated in separate acts.(13) In the European Union, a Directive dealing with the processing of personal data became effective on 24 October 1995.(14) Member States must adapt their legislation within a period of three years, being by the 24th of October of this year. What is the status of biometrics under the Directive and thus under future national acts? The answer to this question is very much determined by the meaning of the definitions used in the Directive. Of prime importance is the criterion set in article 2 (a): the processing must concern data about identified or identifiable persons. Preamble 26 stipulates in this respect that in order to determine whether a person is identifiable, all justifiable means can be undertaken to identify a particular person, which is a rather broad definition.
As mentioned in paragraph 2, the templates containing the biometrical data can be stored and used off-line as well as on-line. Organisations could opt for central storage in a large database (on-line) or storage on a smart card (off-line). When stored in a database, the biometrical information is often connected to other personal data, such as names or addresses of the individuals. This need not be the case with storage on a smart card. Here, the smart card could merely contain the biometrical data, thus revealing no information that may link the data to a specific individual. This type of use allows for the verification of individuals (e.g. this person leaving the building is the same as the one who entered the building, without the necessity of knowing who this person is), whereas the on-line use allows for the identification of an individual (e.g. used in situations where the identity of the person is essential).
Turning to the implications of the use of the different systems under the personal data
protection rules, it appears that the use of an off-line system is not subject to these rules. The
processing does not concern data about identified or identifiable persons and in the majority
of the situations no means allow for the identification of a particular person.
In the situations where the rules on personal data protection apply, each activity concerning the biometrical data is bound to the conditions set in the articles 6 and 7 of the Directive. Article 6 contains a number of principles regarding the quality of personal data. The national laws need to define that personal data are merely processed for predetermined, well-defined and justified purposes and not processed in any way so as to render them for other purposes. With regard to these purposes, the data must be "sufficient, and relevant and not exhaustive". The data must be accurate so that in the case of inaccuracy or incompleteness, these can be corrected or deleted. As regards the lawfulness of the processing, article 7 mentions the unequivocal permission of the data subject to the processing of his personal data. Also the processing is lawful when it is necessary for the conclusion or execution of a contract which binds the individual or guarantees something of vital importance to the individual, either for the respect of their lawful duty or for the execution of a task of social importance or for the representation of lawful interests of third parties (under those responsible) unless in the case of the latter, the interest of fundamental rights and freedoms of the subject prevail.
Further various other provisions will apply, such as the right to access, review and correction of the records that contain biometric information. Earlier, mention was already made of the provision in the New York State Social Services Law, stipulating that adequate and timely procedures exist to ensure the recipient's or applicant's right to access and review of records for the purpose of accuracy and completeness, as well as procedures for necessary correction of inaccurate or incomplete information.
In certain situations the use of biometrical data could imply use of sensitive personal data. When opting for fingerprint techniques or face recognition techniques, racial or ethnic origin could be revealed. Again, the choice for a certain technique appears a determining factor for certain legal implications, in this case a qualification as sensitive data. Although biometrical information as such could qualify as sensitive data, the template representing this information does not qualify as sensitive personal data because, as mentioned above, the digital data of the template cannot be translated back into the biometrical information (the sensitive information of a person's skin cannot be traced on the basis of a template). Thus, a template as such never constitutes sensitive data. However, in situations where the original scanned image is not destroyed and kept in a database, the storage of the relevant data must meet the specific conditions set by the law. This means that additional legal demands have to be met, among which explicit consent of the data subject (article 8 Directive)(15) following from the principle rule prohibiting the processing of sensitive data.
4.3 Biometric technologies and security conditions
In certain situations, penal, administrative as well as civil laws pose demands on security measures to be taken. A well-known example can be found in the articles 16 and 17 of the European Directive on personal data protection that require certain security obligations from the controller and the processor. When determining the level of safeguard, a balance must be found between the interests to be protected, the technical possibilities and the cost of implementation of the measures. This balancing of interests appears to be the situation under the majority of the laws that set certain security requirements. This means that the 'adequate' level of security can only be indicated within the context of a certain situation. As regards the data to be protected, confidentiality, integrity and availability of data are key issues in this respect.
Applied to the use of biometric technology, it could be argued that for this moment, the demands posed on security are not stringent enough to necessitate this technology. An important factor underlying this conclusion is also that it is far from clear for which applications (in civil, administrative and criminal settings) the demand for security reaches a level at which the use of biometric technology becomes a (legal) necessity. However, it might very well be that with developments in both technology and fraudulent practices, the use of biometric technologies may become a condition of the qualification 'adequate' protection (e.g. social service benefits). If at some point in the future the quality of critical social processes is to be guaranteed, biometric technologies are required to determine the true identity of individuals. The use of biometric technology thus becomes a tool of public policy.
In the situations where biometric technology is used as a security mechanism, policy
makers should pay attention to several issues. First there is the question whether a card holder
can be required to cooperate in disabling a biometrical security measure and if so, what
circumstances must apply. Another issue that requires attention is whether an organisation
involved in personalizing smart cards with biometric information should take measures to
disable the biometric protection if required.
Then there is another important issue to be addressed. What about the security of the biometric data itself? In case an organisation collects biometric data, security conditions should also be met.(16) Having in mind the nature of biometric information it appears that a comparatively high level of security is likely to be required to meet conditions set by the law. The earlier-mentioned Ontario Bill, e.g., stipulates that the biometric data must be stored in an encrypted form.(17) The New York State Social Services Law merely states that effective software and hardware designs with security features are instituted.(18)
The situation could arise in which certain (smaller) organisations will not be in the position to maintain the required (high) level of protection where they keep biometric information or original scanned images in databases. Security considerations could thus restrict the use of biometric technologies as far as on-line databases used by small organisations are concerned.
This brings us to the issue of the management and protection of (large) databases containing biometric information. Ultimately, this requires the attention of policy makers, for society cannot end up with numerous warehouses containing biometric information that may all be easily connected to other personal information or data warehouses.
4.4 Biometric technologies and evidential issues
In many civil law systems, delivering proof can be characterized as an open system (i.e., in principle everything is admissible as evidence). This is in contrast to common law systems, which work with various formalities when it comes to the admission and evidential value of material. Hence, depending on the country's legal tradition, proving a case with the application of biometric information raises problems. Further, where biometric information is used for administrative processes the question arises what procedures exist for individuals that wish to challenge adverse decisions on biometric measures. The amended section 139-a of the law stipulates that in case an applicant is suspected of fraudulent use as a result of a matched fingerprint, the welfare benefits may not be automatically denied. First, the individual must be notified and he or she is entitled to a hearing to be held within forty-five days.
In general one might conclude that the use of biometrics will enhance the evidential value of material or will make certain processes more reliable. Nevertheless, the exact reliability depends on the chosen technology and the chosen false rejection rate (FRR). As mentioned, the set of numbers of the template is never a 100% digital translation and matching of the original scanned image of the fingerprint or hand geometry. It is precisely for this reason that the use of biometrics and their implied reliability cannot be a reason to award biometrics compelling evidentiary value. The (technical) context surrounding the use of biometric technologies can never guarantee an entirely reliable result. Comparison based on biometric information can thus be in error. This also leads to the conclusion that policy makers must pay attention to the procedures for individuals that wish to challenge adverse decisions on biometric measures. In addition attention should be paid to the storage and management of biometrical data as well as the precautions for the accuracy of the collected and stored biometric information.
In this light mention must be made of article 15 of the European Directive on personal data protection. It covers decisions made by automated means in which personal profiles are used, referring to a regulation from the French privacy legislation. Paragraph 1 requires the Member States to grant every person the right, except in the case of circumstances and guarantees mentioned in paragraph 2, not to be subject to a decision which is based on the automated processing of data when intended to evaluate certain personal aspects (performance at work, creditworthiness, conduct, etc.).(19) Since biometric technology is in general not based on the evaluation of personal profiles (instead it works with concrete unique individual characteristics) this particular provision is not likely to apply to situations in which biometric technologies are used.
5. The Impact of Off-Line Biometric Information: Anonymity
Strange as it may seem, the use of biometric technology could provide individuals with a key tool in enhancing their privacy rights. While on-line use of biometric information (i.e. the 'live scan' data are matched in the verification phase with the template stored in a database) may be making biometric technology a serious threat to privacy rights, off-line use of this information (the 'live scan' data are matched with the template stored on a smart card) could constitute the opposite effect.
As mentioned, when stored in a database the biometric information is often linked to other personal data, such as names or addresses of the individuals. The proposed Ontario legislation mentions in this respect the individual's name, address, date of birth and sex. This need not be the case with storage on a smart card: no other personal information has to be retained together with the biometric information. In the latter situation the biometric technology aids in the verification of a person, not his identification. Off-line use could therefore be a key option for anonymous verification.
Even though the idea that transactions and activities can be accomplished anonymously is not new, the desire for such anonymity has dramatically grown in our present-day information society in which the interchange of data grows to seemingly uncontrollable proportions. More and more there is a demand for impersonal transactions and activities. Both the European Data Registrars and the Project Group on Data Protection of the Council of Europe have underlined the importance of anonymity with respect to transactions on information superhighways.(20) Article 2 of the 1997 German Multimedia Act introduces a provision on the obligation of Internet service providers to offer anonymous services.(21) In the United States the Supreme Court has ruled in 1995 that anonymity is covered by "the freedom of speech protected by the First Amendment".(22) In the wake of the call for anonymity and the growing importance of privacy enhancing technologies (PET), off-line use of biometric information may serve as a key instrument. In the United States a PET application of biometric technology, called Irisdent, is soon to be tested in the banking community. This system using iris recognition was developed to help the banking sector in reducing the necessity for customers to provide identification prior to making a transaction.(23)
When taking a critical look at both private and governmental use of personal data, it becomes clear that identification is not a necessity in every situation. Instead, verification suffices. In various situations it suffices to make sure that the person who actually makes use of a certain facility (e.g. entering a building) is the same person as the one who is entitled to this facility. There is no need to know who precisely this person is. A subject for further study is thus to analyse in what situations the ratio of our legal system precludes personal anonymity. In what contexts may individuals claim a right to anonymity? In what contexts does it hinder the exercise of certain rights or the performance of activities that constitute rights and obligations?
6. Recommendations and policy options
From the above it becomes clear that the introduction of biometric technology requires the government to make conscious choices regarding its policy. Preferably, the government should create a context in which the introduction and application of biometric technology can be critically developed. If the government does not have a policy, the marketplace and societal interests will to a large extent determine the developments, which could have adverse effects on individuals' interests and rights. Considering the potential risks of, in particular, on-line use of biometric technologies in combination with the intrusive character of the technology, this appears a troubling reality. Necessary precautions must therefore be carefully addressed. What are reasonable limitations to the use of this technology and who may set these limitations as well as conditions for use? The rights and obligations laid down in the law should primarily shape the manner by which private and public organisations on the one hand and individual citizens on the other hand, interact with one another when it comes to biometric technology.
In short, government policy should focus on the legal as well as the societal environment. As regards the latter: a successful introduction of biometric technologies requires special attention for user acceptance. If people feel threatened by machines that base their decisions on the recognition of fingerprints or iris patterns, it leads to a distrust in government policy or business strategies. Nevertheless, even if user acceptance remains limited, there might come a moment at which certain interests require that the use of biometric identification or verification is obligatory. If the quality of critical social processes is to be guaranteed, measures such as biometric technology are required to determine the true identity of individuals. In those circumstances in which the use of a biometric technology becomes obligatory, a statutory basis for such use seems to be required. The type of biometrical data used and the purpose for which the data are to be applied, will be key factors to be regulated.
But ultimately the key challenge for policy makers both in the private and governmental
sector, is to critically review for which purposes and interests biometric identification is
needed and for which verification suffices. When off-line biometric verification is acknowledged as an important tool in controlling the interchange of information about people, the social
acceptance for the use of biometric technologies may also be enhanced.
1. Parts of this article are based on a study conducted for the Dutch National Programme for Information Technology and Law (see: CLSR....): R.W. van Kralingen, J.E.J. Prins, J.H.A.M. Grijpink, Het lichaam als sleutel. Juridische beschouwingen van biometrie, Alphen aan de Rijn 1997, IteR-serie no. 7 (English summary included).
2. A research project on this technique is CAVE, supported by The Language Engineering Sector of the Telematics Applications Programme of the European Union. The project focusses on caller verification in banking and telecommunications.
4. See also the July 1997 issue of Wired and the report Biometric Techniques: Review and Evaluation of Biometric Techniques for Identification and Authentication, Including an Appraisal of the Areas Where They Are Most Applicable, D. Polemi (http://www.cordis.lu/infosec/src/stud5fr.htm).
5. See D. Noel, "With New Technology, There'll be no Need to Fingerprint Welfare Recipients", The Hartford Courant, 30 August, 1995; K.P. Nuger, J.L. Wayman, "Reconciling Government Use of Biometric Technologies With Due Process And Individual Privacy", unpublished paper.
6. New York State Social Services Law 139-a (3) (a). Section 139-a deals with special provisions to avoid abuse of assistance and care.
7. New York State Social Services Law 139-a (3) (f).
8. Bill 142, to revise the law related to Social Assistance by enacting the Ontario Works Act and the Ontario Disability Support Program Act, by repealing the Family Benefits Act, the Vocational Rehabilitation Services Act and the General Welfare Assistance Act and by amending several other Statutes.
9. These requirements deal with the purposes for which biometric information may be collected and used, disclosure of the information to third parties, the circumstances under which the biometric information may be collected from individuals, the types of personal data that may be retained together with the biometric information and the conditions for the storage of the information.
10. For an evaluation of the reliability of the different techniques, see the report of Sandia National Laboratories (A Performance Evaluation of Biometric Identification Services), Albuquerque 1993, and the report of the European Committee for Banking Standards (Biometrics: A Snapshot of Current Activity - 1996), November 1996.
11. See in this respect the California case of Christopher Ann Perkey v. Department of Motor Vehicles, 42 Cal. 3d 185; 721 F.2d 50; 228 Cal Rptr. 169 (1986) in which the Department of Motor Vehicles asserted that fingerprint technology was the only reliable manner to judge the integrity of the drivers licensing records it held. Other techniques such as handwriting samples could be too easily changed. The California Supreme Court agreed and ruled that the use of fingerprint technology bore a rational relationship to the legitimate goal of using a reliable method to check the identity of driver's license applicants.
12. In these instances, the use of biometric technologies by government agencies in the United States is determined under the so-called requirements of substantive due process: a) can the use of biometric technology be considered a valid exercise of government power; b) is the required use of the technology arbitrary or capricious; c) is there a clear connection between the use of the technology and a legitimate government interest.
13. In the United States no specific act exists that regulates the protection of personal data. Although in certain situations the U.S. Supreme Court has interpreted the Constitution to protect the privacy of individuals and several highly specific regulations have been introduced, it is precisely this patchwork of court rulings and regulations that poses threats to privacy.
14. Directive 95/46 on the Protection of Individuals in Relation to Personal Data O.J. 1995 L 281/31.
15. What exactly falls under the category of "sensitive data" is specified in sub 1 of this article: "(...) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life."
16. The proposed Ontario legislation, e.g., stipulates that biometric information shall be recorded and stored in a secure electronic environment.
17. "An administrator shall ensure that biometric information collected under this Act is encrypted forthwith after collection, that the original biometric information is destroyed after encryption and that the encrypted biometric information is stored or transmitted only in encrypted form and destroyed in the prescribed manner".
18. Section 139-a (3) (g).
19. With the exception of the remark in preamble 41 concerning the right to be informed about the logic, this rule is not explained either in the Directive or its preambles. However, during the discussions on the text of the Directive it was stated that personal profiles must not be confused with use profiles. This implies that it would be permitted to use such automated decision systems when the decision to refuse to provide cash at an automatic pay terminal or to accept a credit card transaction results from the fact that this payment deviates from the client's usual pattern of doing business.
20. See: the Budapest-Berlin Memorandum of the Data Registrars under 7 (dealing with encryption) and 9 (on anonymity), http://www.datenschutz-berlin.de/diskus/13_15.htm; "Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highways, which may be incorporated in or annexed to codes of conduct", Project Group on Data Protection, Council of Europe, 17 October 1997, CJ-PD (97) rev. , II, no. 1 (encryption) and 3 (pseudonym).
21. Http://ourworld.compuserve.com/homepages/ckuner/multimd3.htm.
22. McIntyre v. Ohio Elections Commissions, 514 U.S. 334 (1995). See also:
http://cpsr.org/cpsr/free_speech/mcintyre.txt.
23. See: H.B. Wolfe, "Privacy Enhancing Technologies", Computer Fraud & Security
Report, October 1997, p. 15.