“Biometrics are our most unique physical (and behavioral) features that can be practically sensed by devices and interpreted by computers so that they may be used as proxies of our physical selves in the digital realm. In this way we can bond digital data to our identity with permanency, consistency, and unambiguity, and retrieve that data using computers in a rapid and automated fashion.”
Governments collect personal information about its citizens, typically in the interest of improved social, medical, or physical security of some kind. Not everyone agrees on how much of this personal information is too much, and biometrics tend to epitomize the type of personal information considered by some to be too much. The historical use of biometrics by government law enforcement agencies as a tool for criminal booking and investigation perpetuates their association with the forfeit of personal rights. In some parts of the world there is a history of abuse of personal information that has forged a strong aversion to its possession by governments. Although private corporations today possess, utilize, and transact upon vastly greater quantities of personal data, we tend to perceive it to be more innocuous, and that we are getting something in return, such as use of their products.
More recently, the proliferation of the Internet, digital cameras, smartphones, and social media has brought an exponential increase in the availability of personal data and potential for its abuse. We are learning that in this new era, privacy is a very personal choice; some individuals choose to minimize the amount of personal information they share, while others “overshare” enthusiastically. In either case, biometrics have the potential to provide a more convenient and secure means to improve privacy through better control of access to an increasingly vast abundance of personal information, particularly when used in conjunction with other traditional security mechanisms such as PINs and passwords.
The abundance of facial images on the Internet presents an opportunity to abuse them as biometrics. It is conceivable that through a process of “identity resolution,” facial images and their associated data (e.g. name, school, associates, etc.) can be bonded via biometric facial matching with information from different sources where the facial images are stored. Identity resolution is a process by which otherwise disparate, “siloed” data is aggregated into a “digital identity” that comprises a more comprehensive view of a person than exists from any individual data source. Where small and scattered amounts of personal information had been made available—each with a particular use and audience in mind—the aggregation of this personal data from multiple sources made possible with a biometric facial search can pose a privacy threat.
It should be noted that this process is more traditionally (and perhaps more effectively) performed using text-based data, and so the potential threat exists with or without the presence of facial images. It’s also worth noting that other biometric modalities do not pose the same risk as facial images for this type of process because they don’t exist abundantly in the public domain. In assessing the impact of biometrics on privacy, it is critical to consider them in a larger context of all text- and signal-based identity data; this includes data that is held by government agencies, by private entities, available on the Internet, and from other open sources.