Many applications use biometrics to avoid the problems of compromised usernames and passwords for online access, or of forgotten keys and badges for physical access. Additionally, the unique nature of biometric data, such as an iris scan, fingerprint or vein pattern, makes them ideal for validating identity.
The most common applications are for access control to allow logical access to web sites and databases or for physical access to an area, for example, in critical infrastructure. Applications may be of commercial use or provided by public authorities, such as automated border control (ABC) or automated fingerprint identification systems (AFIS) for visa applications.
IEC and ISO work together to develop international standards for ICT through their joint technical committee (ISO/IEC JTC 1). Subcommittee 37 covers biometrics and is currently preparing ISO/IEC 24714, which covers jurisdictional and societal considerations for biometric applications.
“SC 37 is updating this document in an environment where a new generation of biometric sensors and algorithms are being used in many more applications”, said Patrick J. Grother, Chair of SC 37.
The standard is based on a Technical Report published in 2008 which is widely used and accepted. However, with maturing biometric applications, it is under review and expected to be published as an international standard within the next 18 months.
e-tech spoke with Kristina Unverricht, an active member of SC 37 and editor of ISO/IEC 24714, to find out more about the standard. Unverricht works as Senior Project Manager for the German Institute for Standards (DIN) Consumer Council.
Why do we need this standard?
This standard will give planners, implementers and system operators of biometric applications an overview of which aspects they need to consider so that their applications meet consumer requirements. This is very important, because consumer issues with biometric applications may be quite complex and diverse – as diverse as consumers themselves.
Who will benefit and how?
The standard will help with the design of applications by focusing on consumer needs and giving recommendations as to how to address them. System designers are not necessarily experts in consumer issues. Thus, they will benefit from following these recommendations which will help them to achieve a smooth implementation and operation of biometric systems as well as potential long-term cost reductions.
Consumers will benefit from biometric systems which consider important aspects, such as privacy, accessibility, usability and transparent use of systems. Overall, this is a win-win situation, because an informed user who is able and willing to use a system will make fewer mistakes and not endanger the performance of the system.
What are some of the key issues around biometric applications?
In most jurisdictions and in this standard, biometric data are considered personal and sensitive. Therefore, the design of biometric systems must follow common privacy rules and focus on transparency as well as voluntary use by the consumer. Because some biometric data could potentially be misused or reveal additional personal information, for instance related to health, the system needs to follow the principle of privacy-by-design, so that the collection of the data is limited to the minimum data required to achieve the previously stated purpose of the biometric system. Aspects such as quality and protection of biometric data are prerequisites for the broad adoption of biometric systems and are described in detail in other standards, such as ISO/IEC 24745, Information technology - Security techniques - Biometric information protection, or ISO/IEC 29794, Information technology - Biometric sample quality, which has several parts.
Accessibility issues with biometric applications will occur in obvious situations, but also with consumer groups that a system designer may not think of. For instance, if someone is using crutches and their hands are not free or for those who wear glasses, it may not be easy to use a system with face recognition or iris scans. Alternative systems need to be developed for people with varying disabilities, whether temporary or permanent. The standard will list examples of accessibility issues, to raise awareness about the diversity of consumer groups and their needs. It will also give general recommendations on how to achieve accessibility.
Health and safety
Regarding health and safety, the standard will address the direct and indirect medical implications of the use of biometric technologies.
Direct implications could include hygiene and safety issues. For example, with the current pandemic and other previous outbreaks, it is important not to spread disease by touching common surfaces. Developers may consider using iris cameras, which would be appropriate for places where hygiene cannot be compromised, such as healthcare and research facilities and educational institutions.
For many of the consumer concerns and fears in this area, it needs to be noted that these are not necessarily based on scientific data; however, they will affect consumer acceptance.
Indirect implications are related to medical information that might be retrieved from the biometric data. If someone using a biometric system has tremors and the wrong conclusion is drawn from such a condition, it could greatly impact the consumer. The indirect implications of a biometric system will, for the most part, be addressed by a privacy-friendly design of the system.
Which other standards development organizations are you working with?
We have established a liaison with ISO/IEC JTC 1/SC 27, which covers information security, cybersecurity and privacy protection. In particular, we work with the group focusing on identity management and privacy technologies. We also work closely with the European Committee for Standardization (CEN) and its technical committee for biometrics, which covers European standardization projects related to the consumer-friendly use of biometric applications.
Which UN SDGs does the standard help achieve?
The standard helps achieve several UN SDGs. It will facilitate equity and fairness of the use of biometric systems for culturally and socially diverse user groups, thereby reducing inequalities (SDG 10). It will also help design a resilient infrastructure (SDG 9) that is acceptable to all user groups and will perform easily in all contexts of use.