A biometric system (also spelled biometrics system) consists of "[m]ultiple individual components (such as sensor, matching algorithm, and result display) that combine to make a fully operational system. A biometric system is an automated system capable of:
Some systems are labeled "biometric systems" but only store images of the characteristic, a picture of the fingerprint or of the face, rather than a template extracted from the detailed observations. Such systems generally exist to assist human-driven comparisons, for example a screening officer comparing the person in front of them with the photograph printed on an identification card or with the image stored inside the card.
Biometric systems have long been used to complement or replace badges and keys in controlling access to entire facilities or specific areas within a facility.
How they work
The operation of biometric systems can be organized into five discrete processes. Understanding the nature of these generic processes provides a structure through which specific biometric technologies can be further understood and can provide a model for how best to view the points of intersection with privacy protection policy and practice.
- Collection: The first step of a biometric system is an observation, or "collection," of the biometric data. Biometrics are typically collected with a sensor, a device that observes and records the particular physical and/or behavioral characteristic. The characteristic being measured (the modality) determines the choice of sensor, and the quality of the sensor has a significant impact on recognition results.
- Conversion: The second step converts the collected observation into a template, a compact description of the characteristic's distinguishing features. The mechanics of this step vary between modalities and also between vendors, so templates from one product are generally not interchangeable with another's.
- Storage: The system generally includes the capacity to store the template and/or the original collected biometric data (the raw sample).
- Comparison: In the fourth step, the newly acquired template is compared with one or more templates stored in the database. The result of this comparison is a numerical score, which is fed into a decision process (either automated or human-assisted) to determine actions such as permitting access, sounding an alarm, etc.
- Decision: The fifth and final step involves a decision process, either automated or human-assisted, that uses the results of the matching step to make a system-level decision.
These five steps present the overall architecture of all biometric systems. Through this framework, the impact of particular operations of a specific biometric technology and system can be understood by viewing that technology/system in a larger, structured context.
The accuracy of a biometric system is determined through a sequence of tests: first an assessment of matching-algorithm accuracy on previously collected data (technology evaluation), then performance in a mock environment (scenario evaluation), and finally live testing on-site (operational evaluation) before full operations begin. If done properly, the operators will have a well-founded estimate of how the system will perform. Even a highly probable match is still a probability: there remains some chance that it is not, in fact, a match.
These tests are statistical, with results phrased in terms of probabilities rather than absolutes. As long as there is a possibility that a probable match is not an actual match, designers, managers and reviewers (privacy, security, and others) should prepare educational materials for the end users of the system and contingency plans for decisions based on matches that ultimately prove to be inaccurate.
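The following is an added example, not code from the original page or from any product it describes. It runs the five generic steps above (collection, conversion, storage, comparison, decision) end to end and then does the threshold evaluation the accuracy paragraph describes: scoring fresh probes against every enrolled template and counting false matches and false non-matches at a given threshold. The modality is synthetic and an assumption of the example: a subject is a fixed vector of 16 measurements, a "sensor reading" is that vector plus Gaussian noise, and the template is the sign bit of each measurement; the similarity score is the fraction of agreeing bits. Nothing here is a real fingerprint or face matcher.

```python
"""Toy biometric pipeline (added example; synthetic modality, not a real matcher)."""
import random
from typing import Dict, List, Optional, Tuple

TEMPLATE_LEN = 16      # measurements per subject = template bits (assumption)
SENSOR_NOISE = 0.05    # std-dev of per-acquisition sensor noise (assumption)

Template = Tuple[int, ...]


def collect(subject_id: int, rng: random.Random, noise: float = SENSOR_NOISE) -> List[float]:
    """Step 1, collection: one simulated sensor reading of subject_id.
    The subject's true characteristic is derived from the id, so repeat
    readings of the same subject differ only by sensor noise."""
    characteristic = random.Random(subject_id)
    true_values = [characteristic.uniform(-1.0, 1.0) for _ in range(TEMPLATE_LEN)]
    return [v + rng.gauss(0.0, noise) for v in true_values]


def convert(raw: List[float]) -> Template:
    """Step 2, conversion: template = sign bit of each measurement.
    The raw sample is not retained, which is what distinguishes a
    template from a stored image."""
    return tuple(1 if v >= 0.0 else 0 for v in raw)


class TemplateStore:
    """Step 3, storage: enrolled templates keyed by subject id (templates only)."""

    def __init__(self) -> None:
        self._db: Dict[int, Template] = {}

    def enroll(self, subject_id: int, template: Template) -> None:
        self._db[subject_id] = template

    def get(self, subject_id: int) -> Optional[Template]:
        return self._db.get(subject_id)

    def items(self):
        return self._db.items()


def compare(probe: Template, reference: Template) -> float:
    """Step 4, comparison: similarity score in [0, 1] = fraction of agreeing bits."""
    if len(probe) != len(reference):
        raise ValueError("template length mismatch")
    return sum(p == r for p, r in zip(probe, reference)) / len(reference)


def decide(score: float, threshold: float) -> bool:
    """Step 5, decision: automated accept/reject at a fixed score threshold."""
    return score >= threshold


def verify(store: TemplateStore, claimed_id: int, probe: Template,
           threshold: float) -> Tuple[bool, float]:
    """1:1 verification: probe is compared only with the claimed identity's template."""
    reference = store.get(claimed_id)
    if reference is None:
        return False, 0.0      # unknown claim is a rejection, not an exception
    score = compare(probe, reference)
    return decide(score, threshold), score


def identify(store: TemplateStore, probe: Template,
             threshold: float) -> Optional[Tuple[int, float]]:
    """1:N identification: best-scoring enrolled subject, or None below threshold."""
    best = max(((sid, compare(probe, t)) for sid, t in store.items()),
               key=lambda x: x[1], default=None)
    if best is None or not decide(best[1], threshold):
        return None
    return best


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Technology-evaluation estimate at one threshold:
    (false match rate = impostor scores accepted, false non-match rate = genuine scores rejected)."""
    fmr = sum(decide(s, threshold) for s in impostor) / len(impostor)
    fnmr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return fmr, fnmr


def simulate_scores(n_subjects: int = 40, probes_per_subject: int = 5,
                    seed: int = 1) -> Tuple[List[float], List[float]]:
    """Enroll n_subjects, collect fresh probes, score each probe against every template.
    Probe vs. own template gives a genuine score; vs. anyone else's, an impostor score."""
    rng = random.Random(seed)
    store = TemplateStore()
    for sid in range(n_subjects):
        store.enroll(sid, convert(collect(sid, rng)))
    genuine: List[float] = []
    impostor: List[float] = []
    for sid in range(n_subjects):
        for _ in range(probes_per_subject):
            probe = convert(collect(sid, rng))
            for other, ref in store.items():
                (genuine if other == sid else impostor).append(compare(probe, ref))
    return genuine, impostor


if __name__ == "__main__":
    g, i = simulate_scores()
    for thr in (0.75, 0.875, 1.0):
        fmr, fnmr = error_rates(g, i, thr)
        print(f"threshold={thr:.3f}  FMR={fmr:.4f}  FNMR={fnmr:.4f}")
```

Running the script prints the trade-off the text is pointing at: raising the threshold drives the false match rate toward zero while the false non-match rate climbs, and no threshold makes both exactly zero. The contingency plans the paragraph calls for are what absorbs whichever side of that trade-off the operator chose to accept.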
- Interfering with an individual’s private affairs
- Sharing embarrassing information about the individual
- Using someone’s name or image for personal gain.
A privacy assessment of the design and operation of a biometric system should incorporate these concerns. The issue would not necessarily be whether an individual would succeed on a particular tort claim. Instead, the focus of the privacy assessment should be at a more general level: Does the use of the system intrude into the personal lives of individual end users?
The purpose of a privacy assessment is to ensure that personal information (biometric information) is used appropriately. The determination of whether a biometric system uses personal biometric information appropriately is driven by the purpose of the system and the context in which that system operates. A thorough planning effort for the use of biometric technology should include a comprehensive privacy assessment to detail any issues that might arise during actual use. The privacy assessment should be conducted at the earliest stage of system development and throughout the life of the system and data to accommodate changes over time.
A privacy protection analysis should focus on two things: the individual end user's understanding of the system when first choosing to participate (assuming participation is voluntary), and the actions taken regarding that individual on the basis of matches produced by the system. If the probability-driven nature of matching is not accounted for, both in the up-front understanding between the end user and the organization administering the system and in the actions the organization ultimately takes, then the individual's decision to contribute personal information and to accept decisions based on it is compromised, calling into question the propriety of the system.
- NIST, FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.
- Privacy and Biometrics: Building a Conceptual Foundation, pp. 4-5, 22-23, 31.