Biometrics: Compromising Privacy For Convenience?

1. Introduction

In Henan, China, face-scanning surveillance systems took an alarming turn, infringing upon the freedom of expression of the people,[1] targeting peaceful protests, and classifying journalists in a ‘traffic-light’ system. Those falling into the ‘red’ category were subjected to appropriate action.[2] It felt like a scene out of George Orwell’s “1984”. But how did we get here? 

The answer lies in the era where big data, machine learning, artificial intelligence[3], and the Internet of Things (IoT) met biometrics. Our daily lives, from heart rates to sleep patterns, are now data points. Innovations like biometric smart glasses[4] and doorbells[5] try to identify people based on their physical traits, behavior or activities. Authorities increasingly apply these technologies in crime and border control, counter-terrorism, advertising, or marketing.[6] In this age where bodies are turned into “machine-readable” data, we face a crucial question: how do biometrics interact with human rights?

2. What are Biometrics?

Biometrics are defined as the physical, physiological or behavioral characteristics of an individual that are used to verify the claimed identity of the individual. Examples include fingerprints, iris scans, retina, voice, hand geometry, gait, footprint, DNA or vein pattern, and the list is still growing.[7] Through technical processing, these biometrics are then converted into “machine-readable” data, known as biometric data. This data is used for the unique identification of that natural person.

3. Biometrics in society

The rising popularity of biometrics in technology can be attributed to Apple, which brought the first fingerprint sensors in the iPhone 5s in 2013.[8] With this advent of biometric technology, almost all top smartphone companies are now producing biometric features enabling mobile phones to meet user demands. Biometrics is also being incorporated in the IoT (Internet of Things), where virtual assistants like Siri and Alexa constantly use voice recognition to take commands.[9] Developed countries are deploying biometric technologies to tighten their border security.[10] Australia has trialled iPhones as biometric border technology.[11] Biometrics is also being used in counter-terrorism efforts by the UNSC.[12] The state is using biometrics for national identification to fill the “identity gap”.[13] The main objective of such programs is to weed out “ghost beneficiaries” from welfare programs, thereby improving administrative efficiency.[14]

One of the most interesting applications of biometrics is in the field of Emotion Recognition, where biometrics is being applied to recognise emotions using facial expressions, vocal tone, heartbeat, body movements and other biometric signals.[15] Emotion recognition has enhanced the user experience by enabling responsive interactions.[16] Biometric technology is gaining popularity due to its convenience. It is not only secure but also saves users from the hassle of remembering multiple passwords and PINs. Biometric technologies are rapidly improving, making it very difficult to predict what they will look like in a few years. However, in this evolution, have we ever paused for a moment and asked ourselves “Is everything actually as good as it appears?”

4. Is it really for our assistance?

Remember the days when we would slap some paint on sheep for identification? Today, our government has opted for a slightly more sophisticated approach – the “National Identification card”, ensuring we are all uniquely accounted for and removing “ghost beneficiaries” in welfare programs.[17] But thousands of “ghosts” can be created simultaneously if our biometrics are stolen even once.[18] And by making biometrics a must, governments are turning welfare policies into a mere “data-service exchange”.[19][20] Not only does this mandatory enrolment exclude genuine beneficiaries who are unwilling to provide their biometrics, but it also affects those who are willing to do so but whom the technology is not able to authenticate.[21] Moreover, it extends to individuals whom the government deems a “threat”.[22]

Biometrics, no doubt, will relieve us from those long passwords while providing a password that can’t be cracked easily.[23] But we should not forget that we carry it on our body, displaying it to others. It can be captured at any time, even without our consent, violating our right to privacy and allowing strangers to interfere in our private lives without us even being aware.[24] At the same time, security breaches are more severe, as passwords may never be directly traced back to us, whereas biometrics certainly will, persisting for a lifetime.

There are chances of “function creep”, meaning the data stored today will be used for some other purpose tomorrow. It was seen in China where the government collected the individual’s biometrics to register him for healthcare services, but used the data indirectly to identify “sensitive people” and “criminals”.[25] Considering these issues, the European Court of Human Rights underscored the importance of balancing fundamental rights with technological progress. It acknowledged that excessive data retention can disrupt this equilibrium as it lacks necessity and proportionality in relation to the benefits it provides.

Despite the blind faith placed in this technology, its reliability remains questionable. It stands in violation of the right to non-discrimination, outlined in Article 2 of the UDHR.[26] It uses data samples that are not up to standard; such samples cause algorithmic discrimination and racist assumptions. Furthermore, it demeans the right to equality.[27][28] In the US, biometric face recognition failed when it came to women and dark-skinned people.[29] It renders the technology ableist, relying on a normative approach with samples from the general population.[30] Even so, it takes disability as a deviance. Moreover, when coupled with artificial intelligence, it may generate outputs from these biased samples without providing clear reasoning behind its decisions.[31]

5. Intersection of biometrics and human rights

The biometric technology which came to remove administrative inefficiency and enhance the security of the nation also costs an individual the right to be anonymous, which is even recognised as an international human right.[32] With the erosion of this right, the rights to protest, association, free speech and expression are also compromised. Governments creating a Panopticon nation, with themselves at the central tower,[33] overturn the whole idea of democracy and undermine the importance of open and informed societies. The government should be transparent according to Article 19 of the International Covenant on Civil and Political Rights.[34] But ironically, today the citizens don’t even know when, where, and how their data is collected, misused, or even when it is leaked.[35]

It infringes upon several fundamental human rights. The right to non-discrimination, as enshrined in Article 2 of the Universal Declaration of Human Rights (UDHR) [36], is frequently violated. Biometric systems, due to imperfect data samples, can result in algorithmic discrimination, perpetuating biases, and ableism. For example, in the United States, facial recognition technology has demonstrated higher failure rates for women and individuals with darker skin tones, highlighting its inherent biases.

Emotion recognition has also proven helpful in such surveillance.[37] Emotion recognition technology works on the assumptions that our outer expression is enough to understand our inner emotional state, each individual’s way of expressing things is the same and humans have a limited number of emotions – Basic emotion theory.[38] And by working on these assumptions it claims to infer an individual’s “true” inner self which compels people to express themselves in “good” form lest they want to be classified as a “threat”. It can be based on the flawed assumption that external expressions reflect internal emotions, and can lead to incorrect assessments, pressuring individuals to conform to “acceptable” expressions. This violates the right to privacy and self-expression [39], undermining the principles laid out in Article 17 of the ICCPR.

 

6. India’s Biometric Experiment

Establishing one’s identity is crucial for various purposes, from law enforcement to efficient healthcare services. In India, the Aadhaar system did that work. It was introduced in 2009 to standardize data collection and streamline the distribution of government subsidies. It took the help of biometric identification to fulfill this purpose. Aadhaar is the largest biometric database globally and covers around 89% of India’s population. It connects a 12-digit unique identity number to an individual’s iris and fingerprint scan. It facilitates the delivery of social services, including pensions and subsidies, by ensuring efficient identification and authentication. It ensures the uniqueness of each account, significantly reducing the risk of financial fraud.

Despite its potential, Aadhaar faces serious challenges.[40] The involvement of private people in collecting data for the Aadhaar system, and the seeding of the Aadhaar database with every new scheme and necessity now and then, led to various problems. This led to a scenario where the fingerprint and iris scans, which make the bank account accessible, were sold online for as little as 500 rupees ($7.8) due to unauthorized access to the Aadhaar database.

Most of the Indian population is involved in agriculture or factories. The aged and labor force, who have lost their fingerprints due to years of manual work, face exclusion from essential services due to unreliable biometric data. The burden of enrolling in biometric systems falls disproportionately on them, impacting their access to pensions and subsidies. Even after the 2018 judgment [41], Aadhaar remains quasi-mandatory for availing of social benefits.

India’s biggest fault is its privacy-by-design approach, which prioritizes technology over policy, leading to transparency issues and an inadequate grievance redressal mechanism. Data losses are reported, but no action is taken, and citizens have little recourse in case of breaches. Even after focusing on technology, the technology that India purchased is not up to the mark.[42] Unlike the European Union’s General Data Protection Regulation (GDPR), Aadhaar lacks comprehensive data protection legislation. On one side, GDPR puts its basis on consent, while the Aadhaar system coerces consent for biometric data collection, leaving citizens vulnerable to exploitation. The victims of human trafficking or individuals involved in prostitution who do not want to unveil their identity are coerced to link Aadhaar with a national health card.

The IT Act of 2000 and its 2011 Rules oversaw personal data protection till 2023. The DPDP Bill included Biometric data in the purview of personal data and mandated consent of the principal for storing such data and hefty fines for violations but no compensation for data misuse. But challenges persist, as the exemption of the “legitimate uses” clause sparks privacy concerns. With this 2023 law, the probability of government surveillance has also increased.

 

7. Way ahead: With or Without Biometrics

Biometric technology presents a powerful tool for enhancing security and authentication. Still, its potential for misuse and the risk of privacy breaches underscore the need for comprehensive measures at both legislative and technological levels. Talking about legal solutions, we can take inspiration from Illinois’ Biometric Information Privacy Act[43], South Africa’s Protection of Personal Information Act[44], and Europe’s General Data Protection Regulation[45]. The three-part test[46], which focuses on the legitimacy, necessity, and proportionality of the purpose to the risk it involves, should be followed. The data must be captured only for legitimate purposes, such as in cases of public interest, public peace or public health. The purpose should also be proportional to the vulnerability of biometric data. It should be captured only when it is essential and unavoidable for achieving the intended purpose. The use of biometric technology for mass surveillance does not fulfill this three-part test. There should be transparency regarding the capturing, retention, application, and instances of breach incidents involving biometric data. Informed and unambiguous consent for biometric data collection should be enforced, ensuring individuals become aware of and agree to the use of their biometrics.

The right to be forgotten should be upheld by establishing a legal framework that allows individuals to request the deletion of their biometric data once its collection purpose has ended. To offer redress and set responsibilities in the event of breaches, a legal right of action should be granted to affected individuals, enabling them to seek compensation. Additionally, organisations dealing with biometric data should appoint Data Protection Officers to ensure compliance with these data protection regulations.

Coming to technological solutions, we can use encryption and cryptography to protect the stored biometric data. Encrypted biometrics[47] involves binding a digital key with the biometric data. Such a key may be generated from the biometrics itself, so that even if a breach occurs, the compromised data remains indecipherable. Alternatively, we can use “cancellable biometrics”,[48] which involves storing a distorted image of the biometrics. It provides revocability, since biometrics can be re-enrolled even if compromised. It also prevents cross-matching of databases, as each database uses a different transformation. Blockchain technology[49] can also be used for securing the decentralised storage of biometrics. Furthermore, the use of artificial intelligence in the field of biometric technology, such as emotion recognition, should be slowed down until the potential ramifications are thoroughly understood.[50]
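To make the cancellable-biometrics idea concrete, here is an added sketch (not from the article or any cited system) that uses one illustrative transformation, a keyed random projection reduced to sign bits, to show matching, cross-database mismatch and re-enrolment. The feature vectors, secret names and threshold are constructed assumptions.

```python
import hashlib
import math
import random

BITS = 128  # template length (assumption for this sketch)

def protect(features, db_secret, bits=BITS):
    """Cancellable template: sign bits of a random projection keyed by db_secret."""
    seed = int.from_bytes(hashlib.sha256(db_secret).digest(), "big")
    rng = random.Random(seed)  # same secret -> same projection rows
    template = []
    for _ in range(bits):
        row = [rng.gauss(0.0, 1.0) for _ in features]
        template.append(1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0)
    return template

def distance(a, b):
    """Fraction of differing bits between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(stored, probe_features, db_secret, threshold=0.25):
    """Compare in the transformed domain; raw features are never stored."""
    return distance(stored, protect(probe_features, db_secret, len(stored))) <= threshold

# Constructed sample data (not real biometric features).
ENROL = [math.sin(1.3 * i + 0.5) for i in range(32)]
RECAPTURE = [x + 0.05 * (-1) ** i for i, x in enumerate(ENROL)]  # same person, sensor noise
OTHER = [v for a, b in zip(ENROL[0::2], ENROL[1::2]) for v in (-b, a)]  # a different person

def demo():
    bank, clinic = b"bank-db-secret-v1", b"clinic-db-secret-v1"  # hypothetical secrets
    bank_v2 = b"bank-db-secret-v2"  # new secret issued after a breach
    bank_tpl, clinic_tpl = protect(ENROL, bank), protect(ENROL, clinic)
    reissued = protect(ENROL, bank_v2)  # re-enrolment with the same finger
    return {
        "genuine_accepted": verify(bank_tpl, RECAPTURE, bank),
        "other_person_rejected": not verify(bank_tpl, OTHER, bank),
        "cross_db_distance": distance(bank_tpl, clinic_tpl),  # about half the bits differ
        "revoked_distance": distance(bank_tpl, reissued),     # leaked template no longer matches
        "genuine_after_reissue": verify(reissued, RECAPTURE, bank_v2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-database secret has to be stored apart from the templates, since both revocability and the cross-matching protection depend on it staying out of a template-store breach.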

Finally, even though these solutions can help us enjoy enhanced security and convenience while minimising privacy compromises, the search for other alternatives of authentication should continue.

HARI NARAYAN