• Buro Jansen & Janssen is een onderzoeksburo dat politie, justitie, inlichtingendiensten, de overheid in Nederland en Europa kritisch volgt. Een grond-rechten kollektief dat al 30 jaar publiceert over uitbreiding van repressieve wetgeving, publiek-private samenwerking, bevoegdheden, overheids-optreden en andere staatsaangelegenheden.
    Buro Jansen & Janssen Postbus 10591, 1001EN Amsterdam, 020-6123202/06-34339533, info@burojansen.nl.
    Steun Buro Jansen & Janssen. Word donateur, NL56 INGB 0000 6039 04 ten name van Stichting Res Publica, Postbus 11556, 1001 GN Amsterdam.
  • Publicaties

  • Europa

  • Politieklachten

  • Biometrics: the Solution for a Safer Society?

    We can see an increased use of biometric technology in our everyday lives. The attacks on the WTC at 9/11 have jumpstarted many developments in this field. Even though the argument of safety is usually used to create acceptance for this technology, the main reason is usually found in marketing objectives. Instead of a more secure society, the loss of privacy as a result of this technology should be considered a threat. This thesis is about uncovering the real effects of the rising popularity of biometrics and the motives behind it. In western high technology societies data is continuously related to our daily activities. It is collected, stored and exchanged.

    In this thesis I try to answer questions regarding the effects of biometric technologies in contemporary high tech societies, since these technologies are seen as the solution against terrorist attacks and other threats. But what we can see is that these technologies create a risk for a democratic society.
    In order to answer the main question: Which functions do biometric technologies have in society and how do end users eventually internalise these technologies? I have chosen three real time case studies. From these case studies [implemented in public space] it becomes clear that there are different motives behind industry and small private enterprises in promoting these ‘security’ technologies. It is clear that end users are willing to give up their personal data easily in exchange for a more secure environment. Moreover there are some dangers which we as public should be aware of: There is an ongoing trend of increased control; these biometric technologies increase the capacity to discriminate and sort people in different groups and classes; the technology can be outwitted.

    Discussion

    One can see the long history of intercepting communications. It is one of the oldest methods of surveillance. The biggest surveillance system ever established is ECHELON, a global spy system created by the U.S. national Security [NSA]. It is an international electronic eavesdropping network run by intelligence organisations of the U.S., U.K., Canada, Australia and New Zealand. It is said that the first ECHELON network was built in 1971. The existence of ECHELON was first publicized late 80s. Since 1990 the development of the network has continued on an everincreasing
    basis [Campbell, D., p. 149, 2000].

    ECHELON is used to capture and analyse virtually every email, fax, telex, telephone
    communications carried over the world’s telecommunications networks. It is said that it can intercept almost any electronic communication. Some estimate that it has capabilities to sort through up to 90% of all internet traffic. ECHELON, designed during the Cold War, was primarily used for non military targets, such as governments, organizations, businesses and individuals in every country. The focus changed from espionage to surveillance of terrorists, orgainsed crime, domestic political groups, considered to be a threat, diplomatic negotiations [Hager, N., Mediafilter.org, 1998, Q&A,BBC News, 2001].

    This systems works by intercepting large quantities of communications; it uses computers to identify and extract messages of interest. These computers automatically search through the millions of messages, containing pre programmed keywords. Keywords could include all the names, phrases, words, locations, subjects or anything the intelligence service regard ‘suspicious’. This helps the intelligence agencies to create a picture of the communication between various networks of people which require watching. Flagged documents are forwarded to the respective intelligence agency [Poole, P.S., 1999].

    After September 11th these internet surveillance systems, a large system of international monitoring of all communications, fax, telephone, telex and email became grew to a much larger extent. Since then companies are willing to cooperate in the war against terror, by complying to requests for data even before the warrant has been issued, suggesting that the continuous state of emergency has been accepted [Lyon, D., p.669 672, 674 675, 2003, Lyon, D., p. 172, 180, 2001, Fleming, p.125, 136, 2003, Langenderfer, J., Linnhoff, S., p. 325, 330, 332 334, Migani, C., p.4, 2005].

    Search engines check messages for key words and contexts in quest of suspicious or risky communications. However these are used not only for military or terrorist threats. They are also used by police departments trying to prepare for protests such as those by antiglobalisation groups, but also as a means for commercial intelligence. The problem here is that our day to day transactions and conversations are under scrutiny and they may not even catch terrorists, but they do complicate life for everyone, especially since we are monitored, classified, categorised and valuated continuously. Above that, biometric technologies have been introduced into our daily life.

    As seen from the previous chapters, there are still many questions to be answered
    regarding the complex biometric technological scene.

    Due to the fewer transactions and interactions based on face to face relationships, new tokens of trust have come in place. Hence the PIN, barcodes, signatures, photo IDs are replaced by biometrics. Human beings are abstracted and have become data in various flows and networks of surveillance systems.
    These high technology societies relate data to our daily activities by collecting, storing, checking, exchanging and using in order to determine some eligibility or access to persons, places, experiences or events.
    As Lessig states: The system watches what you do; it fits you into a pattern; the pattern is then fed back to you in the form of options set by the pattern; the options reinforce the pattern; the cycle begins again [Lessig, L., 154, 1999]. The point is that searchable databases make people up ; it reinvents each person as a unique individual in the system by capturing personal details within a set structure.

    To finally come back to my main question: Which functions do biometric technologies have in society and how do end users eventually internalise these technologies?

    Biometrics is seen as the solution against terrorist attacks and other threats, but at the same time creates a danger for a democratic society. These technological solutions, as explained in foregoing chapters, are dangerous because of some key trends:

    A. The centralisation of state power and social control over society
    While there seems to be a very great care motive for implementing biometrics; it appears that it is in favour of an increased control . This trend is inevitable, but a trend which could become a serious threat for society.

    B. The increased capacity to discriminate between different classes of persons, using
    biometrical surveillance
    This biometrical system deepens the process of social sorting, categorisation. It is a way of including and excluding, accepting and rejecting people of worthiness and unworthiness. Personal data is abstracted into information and assessed into risk or non risk groups, giving privileges to some and disadvantaging others. Furthermore these biometric technologies intend to classify and discriminate between different groups of people. They are intended to check for illegal immigrants or other persons in transit who have inadequate documentation. There is even evidence that after September 11th that especially Arab and Muslim people are singled out for negative treatment, including lengthy detention without charge or trial.

    C. The relative lack of accountability of these systems
    These new ID cards and new methods of identification are introduced; however it is still possible to fool these technologies. If central databases are used, they are very vulnerable to attack. Then there is still the biggest difficulty, suicide bombers do not strike twice. How can one pick terrorists out of crowds? Does the biometric match anyone in the crowd? So even though a whole surveillance network is set up, the criminal or terrorist has to be known in the database. Terrorists do not pose for photos and are likely to use evasive techniques and disguises, because human beings are more flexible and imaginative than technologies. Eventually any technology can be outwitted given time and ingenuity. Thus it is unlikely that the terrorists will ever find their way onto suspect lists.

    D. The willingness of populations to accept these technologies as the price of security
    According to Henk Attema, director of Secure Access Road [SAR] biometric entrance
    system are still not fully accepted in the Netherlands [Security, July 2007]. Here we are lagging behind in the acceptance of biometric technologies; however one can see an increasing interest among private companies taking these technologies up as a security solution. However the majority is ready to accept these technologies, for they prefer to give up their privacy for a more secure life.

    To come back to the case studies I used for my research one can conclude that they follow a similar trend as mentioned above.

    As stated in point A; all three case studies motivate the implementation of biometric
    technologies in their public space for security purposes. In the Baja Beach Club they state that the customer is safe, because one will not need to carry one’s wallet, so one cannot be robbed. In the other two cases, they want to keep troublemakers out of their club. Therefore they claim that for a safer and better environment it is important to apply these security systems in order to have a more pleasant situation than before, because of their ‘care’ for the customer. But it is quite evident that their motivations are quite different than they claim; they are especially interested to bind their customers to their club. Finally the customers’ data is mostly used for marketing strategies. In the case of the Baja Beach Club it seems that it was a big media stunt, since they received worldwide media attention.

    Point B states that there is an increased differentiation between groups of people. In all three case studies one can see that people are being categorised. In the Baja Beach Club, people are being differentiated as VIP members, people who are chipped and the regular visitor. The VIP member is a privileged customer with a special area for VIPs only and custom made services. In the other two case studies a distinction is made between nonmembers and members. Members receive discounts at the entrance; get special [free] invitations and can save credits for discounts on products in the web shop. Moreover people can be put on a blacklist categorising people in risk and non risk groups. In de Fakkel [the swimming pool case], many people of Moroccan origin used to visit the swimming pool, but they have stopped coming there. Instead of involving them in discussion and going into a dialogue with them, trying to adjust their swimming pool behaviour, the ‘problem’ has shifted to other swimming pools. It has become a matter of control rather than trying to acquire the desired norms and values.

    In point C the lack of accountability is addressed. In none of the case studies the
    technologies are airtight. In the disco [Alcazar] the biometrics system can easily be bypassed. If one does not want to be a member, he or she can always enter as a non member. In that way, if the individual is a troublemaker and is not enrolled in the system, the individual has normal access to the disco. However the individual can be blacklisted if he or she makes trouble. Yet there is a leak in the system; if one is thrown out of the disco, the bouncer will have to ask the smart card. Many times the individual does not hand in the smart card, or the bouncer does not even ask for it. Consequently the bouncer depends on his memory and has to go to the database, see whether the troublemaker is enrolled in the system, if so, only than can the individual be blacklisted. Of course this is a very vulnerable procedure and errors can easily slip into this system. In the case of the Baja Beach Club, the VeriChip can be spoofed. The signal can be intercepted and one could have access to sensitive data, such as the amount of money on the chip and one could even impersonate to be the person in question.

    In the last point D it is clear that the end users are willing to give away their personal data as they see it as a price for their security. When I asked them, whether they knew what happened to their personal data, none of the respondents knew what happened with it. Moreover they trust the clubs for their integrity and the handling of their personal data with care. Finally I laid a scenario before the end users; “What if your personal data is shared with third parties?” None of the end users was happy with this scenario and everyone was worried about such a situation. Thus only after explaining them this scenario, were the end users aware about this possible situation.

    Recommendations

    Biometrics has the potential to improve security without jeopardising individual s privacy. It may even be possible that data is stored securely and exchanged between commercial and governmental entities with a court order and that these technologies are only implemented if it offers a real advantage to individuals, outweigh the costs, accuracy is fully tested and guaranteed before implementation.

    The dangers of biometric data being exchanged can be reduced if data is not stored
    centrally or if biometric templates are not reversible and thus cannot reproduce the
    biological features from which they are extracted. Because once biometric data has been compromised, biometric data cannot be revoked. Therefore it is very important to use strong encryption to protect biometric data during storage.

    Another solution is to store the biometric data separately. A portion of the biometric data will be stored centrally, while a matching and necessary portion of the biometric data is stored on a smartcard, carried by the end user. In that way no individual has access to the entire data. Consequently it is not possible to make any reconstructions of the biometric without having access to both databases. A hacker in this way will only have one part if the data and will be unable to duplicate anyone s biometric information.

    The government has a big role to play as biometric technology is becoming common in a day to day life. Some regulation is required in order to provide protection to the
    consuming public. Here are some recommendations:

    • No biometric data should be collected by a private entity without notice, or in the case of government collecting data, no secret collection should be allowed without a court order.
    • Biometric systems should not be compulsory, except in criminal cases.
    • One should try to partially store biometric data in a decentralised manner, such as on smartcards carried by individuals.
    • Biometric data should be stored in encrypted form to lessen the possibility of the data being exposed.
    • Data should be stored using templates that cannot be reconstructed to the original
    biometric feature.
    • Biometric data should never be shared with other entities without the consent of the enrolled individual, except for serious crimes.
    • Biometric systems should explicitly acknowledge the possibility of errors and create a method to correct these errors.
    • Biometric authentication should only be used when necessary for the security of a
    company or other entities.

    Furthermore it is very important to create awareness [Migani, C., p.4, 2005] among endusers about biometric systems. They should be informed about privacy concerns; moreover they should have the last say about their biometrical data. End users should know what the possible effects are if their data is being used.

    scriptie Biometrics: the Solution for a Safer Soci