Biometric Methods: Discussion Points

A number of aspects need to be examined in order to evaluate biometric methods. They concern not only the methods themselves; legal and economic aspects are also important. No biometric method offers absolute recognition security. On the one hand, this is due to the method per se – the matching of data is carried out according to the rules of probability and can therefore never offer 100% security. Thus, persons can be rejected by mistake, others accepted by mistake, or the feature is so small that it cannot be detected by the device. On the other hand, physical characteristics can change – due to age, illness or injury.
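The three outcomes named above (false rejection, false acceptance, and a feature the device cannot capture) can be made concrete with a short sketch. This is an added example, not part of the original text; the scores are constructed, the matcher is hypothetical, and FRR/FAR are the usual abbreviations for false reject rate and false accept rate.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher.
# None = the device could not capture a usable feature at all.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, None, 0.73, 0.90, 0.58]
IMPOSTOR = [0.12, 0.35, 0.41, 0.66, 0.28, 0.19, 0.53, 0.07, 0.60, 0.31]


def error_rates(genuine, impostor, threshold):
    """Return (false reject rate, false accept rate, failure-to-capture rate)."""
    captured = [s for s in genuine if s is not None]
    not_captured = (len(genuine) - len(captured)) / len(genuine)
    frr = sum(s < threshold for s in captured) / len(captured)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far, not_captured


def sweep(genuine, impostor, steps=20):
    """Evaluate FRR and FAR at evenly spaced thresholds between 0 and 1."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        frr, far, _ = error_rates(genuine, impostor, t)
        rows.append((t, frr, far))
    return rows


def zero_error_thresholds(genuine, impostor):
    """Thresholds at which nobody is wrongly rejected or wrongly accepted."""
    return [t for t, frr, far in sweep(genuine, impostor) if frr == 0 and far == 0]


def balanced_threshold(genuine, impostor):
    """Threshold where the two error rates are closest to each other."""
    return min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))


if __name__ == "__main__":
    for t, frr, far in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
    print("thresholds with no errors:", zero_error_thresholds(GENUINE, IMPOSTOR))
    print("balanced operating point:", balanced_threshold(GENUINE, IMPOSTOR))
```

Because the genuine and impostor scores overlap, raising the threshold trades false acceptances for false rejections, and no setting removes both.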

Problems in practice

The German Federal Office for Information Security (BSI) responds to a related inquiry by saying that an “alternative procedure should be available as an exceptional treatment” for such cases, e.g., “other biometrics” or “other technical procedures up to and including manual control by personnel using an ID card.”

Exactly how this is implemented in practice remains unclear. Who determines which exceptional treatments are used and when? What happens to a patient with pathological changes in the eye who is standing at an airport in another country and whose iris scan suddenly no longer matches his reference profile? And even if the comparability and interoperability of biometric data is ensured by an international standard (ISO/IEC 19794), the question remains who calibrates, certifies and maintains the devices used to issue and read them, and how often.

Data security

These few examples already illustrate the pitfalls of putting this into practice. Another important issue is data security:

Personal or person-related data are subject to data protection regulations. This means that their collection, storage and processing is only permitted on an existing legal basis or with the voluntary and informed consent of the person concerned.

However, this does not necessarily protect such sensitive data from misuse. For example, if security precautions are not adequate, centrally stored data in particular can be used for other purposes, or conclusions can be drawn about other characteristics of the person (e.g., certain eye changes can indicate diseases such as diabetes or high blood pressure).

Another problem is that domestic German or EU regulations are not necessarily valid internationally. Just think of the discussion about the storage and utilization of data collected by international airlines in the USA. (The passenger data collected is transferred to a program that evaluates each traveler to the U.S. according to his or her threat potential. The main points of debate are that this data will not only be stored for 40 years, but also that those affected have no right to view the assessments.)

Despite all the concerns, it should not be forgotten that the passport photo in the good old ID cards is also a biometric feature that – compared to the newer methods – passes on information about the passport holder without encryption!