Published on 12:00 AM, July 10, 2018

rights advocacy

Protecting privacy in biometric data

Nowadays biometric technology is increasingly used for a wide range of activities, from identity authentication to border security, voting systems, health care, education and so on. Arguably, biometric identification systems are being used everywhere in the world, especially after the terrorist attack in the USA on September 11, 2011. However, there is a huge privacy concern in developing countries like Bangladesh, where legal safeguards to protect the right to privacy and data security are not adequate and the deployment of new technologies such as biometric technology is increasingly popular.

Literally, biometrics refers to an automated process of identification or verification of persons using their physical or behavioural characteristics. Many parts of the human body, e.g. eyes, faces, hands and fingerprints, along with typing styles, DNA, gestures etc., are used to identify a person in a biometric system; however, fingerprints and facial characteristics are commonly used globally. A biometric system works by comparing two sets of data with each other. The first set of data is put into the system as a template, while the second set belongs to the visitor. If these two sets of data are nearly identical, the device acknowledges that the visitor and the data holder are the same person and, accordingly, permits entry.

It is practically impossible for two sets of data to match 100%. Thus, in biometrics, the two sets of information have to be nearly identical but not exactly the same. This is because, for example, one might have a sweaty finger or a tiny scar that makes the pattern read by the system differ from the template. However, it is sometimes argued that biometric technology is not as accurate as the stakeholders demand.

Biometric data contains a huge amount of sensitive personal data; indeed, it presents a complete identity of a person and his activities. Hence leakage of biometric information may cause irreparable loss to the data subject. Bangladesh started a countrywide compulsory biometric SIM registration process on December 16, 2015. On March 9, 2016, a writ petition was filed in the High Court Division challenging the legality of that biometric SIM registration process. The writ petition was filed on the apprehension that one's privacy and neutrality would be violated in the biometric system. On March 14, the Court issued a rule asking why the move should not be declared illegal. On April 12, 2016, the Court held a hearing on the rule and issued the order, legalising biometric registration. According to newspaper reports, widespread misuse of biometric information took place in Bangladesh during and after the SIM registration process. For example, there are several allegations that Teletalk registered the SIM numbers of its customers without verifying them against the information contained in the National ID card, while Banglalink, another mobile operator in Bangladesh, used only NID numbers and dates of birth in the SIM registration process. According to reports in several newspapers, different law enforcement agencies have found close connections among vendors, customer care officers and even mobile phone operators in fraud committed during the SIM registration process using stolen or fake NID information and fingerprints. However, the State Minister for Telecom, Tarana Halim, has repeatedly said that mobile phone operators are not storing subscribers' fingerprints but only cross-checking them with the National ID database.

Biometrics have long held the hope of replacing passwords by establishing a non-repudiated identity and providing authentication with convenience. Unlike password systems, biometrics cannot be script-injected and/or reset. Since resetting a biometric is impossible, the privacy of biometrics is of utmost concern. However, there is no watertight rule or policy by which privacy concerns in biometric data can be diminished. According to a 2016 UNCTAD report, there are nearly 108 countries having either comprehensive or partial data protection laws.

However, all of these focus on privacy and data protection issues, and none of them except those of the EU member states addresses the challenge of biometric technology. The EU addresses the issue in the GDPR (General Data Protection Regulation) and presents a comprehensive plan to tackle this disaster. There is no comprehensive, single and satisfactory federal legislation in the USA for the regulation of the processing and use of biometric data. However, the US states of Illinois and Texas have legislation on biometric data and, most recently, Washington passed a law on biometric data in June 2017. Clearly, US regulators are also increasingly focusing on the use of biometric data. In a landmark case titled Justice K.S. Puttaswamy v Union of India, the Supreme Court of India termed privacy a 'fundamental right'. The Indian Supreme Court went further, saying that biometric data protection is now at the top of the legislators' agenda as well.

Bangladesh does not have any privacy and data protection law to date, and so, in the case of the use of biometric technology, there is no mandatory policy or regulation from the Bangladesh Telecommunication Regulatory Commission (BTRC) either. Therefore, in the wake of this wholesale use of biometric technology, Bangladesh needs to immediately enact a privacy and personal data protection law covering the privacy issues arising from biometric technologies. Before the enactment, the BTRC may prepare a compulsory guideline for the concerned stakeholders following the principles of the EU's GDPR. These are, inter alia, that all data must be processed lawfully, fairly and transparently; collected only for specific legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date; stored only as long as is necessary; and, finally, handled with appropriate security, integrity and confidentiality. It is pertinent to mention that the BTRC may also look at the suggestions given by Privacy International while preparing this guideline.

 

The writers are PhD Candidate and Senior Lecturer in Law, University of Malaya, Malaysia, respectively.