What are biometrics?
Put simply, ‘Biometrics’ are a way to measure a person’s physical, biological, physiological or behavioural characteristics to establish or verify their identity.
The term “biometric” is derived from a term first used in the modern Greek language Βιομετρική (pronounced Veeometrikee) meaning ‘measurement of life’.
As the name suggests, ‘Biometric Data’ conventionally relates to human identification information that is stored in a computerised form as binary code following specific technical processing. For example, the extraction of a computerised DNA profile from a biological sample such as blood obtained from a person or crime scene.
Importantly, the term ‘biometric data’ is defined slightly differently in different U.K. legislation.
For example, the UK General Data Protection Regulations (GDPR) forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (DPA). Biometric data and genetic data are each classified as ‘special category data’ under UK GDPR and can only be processed without the consent of the data subject where there is a clear lawful basis, such as law enforcement.
Responsibility for enforcing UK data protection laws rests with the U.K. Information Commissioners Office (ICO):https://ico.org.uk/
The UK GDPR defines biometric data in Article 4 (14) as ‘…personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’. (fingerprints).
Therefore, the term ‘Biometric Data’ in UK data protection law covers the computerised data resulting from ‘specific technical processing’.
The reason that biometric data is treated as a ‘special category’ of data is due to its extremely sensitive nature and the important privacy, ethical and human rights considerations that arise from the processing of such personal information.
However, Section 34 (1) of the Scottish Biometrics Commissioner Act 2020 defines the meaning in the following terms:
“biometric data” means information about an individual’s physical, biological, physiological, or behavioural characteristics which is capable of being used, on its own or in combination with other information (whether or not biometric data), to establish the identity of an individual.
For the purposes of subsection (1), “biometric data” may include:
Physical data comprising or derived from a print or impression of or taken from an individual’s body,A photograph or other recording of an individual’s body or any part of an individual’s body,Samples of or taken from any part of an individual’s body from which information can be derived, andInformation derived from such samples.
Accordingly, the Scottish definition includes all computerised biometric data records, corresponding manual prints, impressions, or photographs, and to biological samples or materials used for criminal justice and police purposes from which identity information about an individual can be derived.
Whilst the role of the Scottish Biometrics Commissioner extends to policing and criminal justice in Scotland, other U.K. Commissioners have primacy over biometric data where reserved powers apply. There are 3 specific examples:
The enforcement of data protection and privacy laws including the UK Data Protection Act, 2018, the UK General Data Protection Regulation (GDPR) and the upholding of information rights in accordance with the statutory functions of the UK Information Commissioner (IC0). https://ico.org.uk/
Matters in relation to which the Investigatory Powers Commissioner (IPCO) has responsibility under the Investigatory Powers Act 2016, and the Regulation of Investigatory Powers (Scotland) Act 2000 (biometric data obtained through covert policing activity).https://www.ipco.org.uk/
Biometric data in relation to which the Home Office Biometrics and Surveillance Camera Commissioner (BSCC) for England and Wales has a function under section 20 of the Protection of Freedoms Act 2012 specifically national security determinations (NSDs) in Scotland made under section 18G of the Criminal Procedure (Scotland) Act 1995. This is where the Chief Constable has made a determination to retain the fingerprints and DNA of a person who has not been convicted because they are viewed as posing a significant threat to UK national security.https://www.gov.uk/government/organisations/biometrics-commissioner
Examples of biometric data
The main biometric data types used regularly in Scotland at present for policing and criminal justice purposes are Fingerprints, DNA and Photographic images. Fingerprints and DNA can be searched and compared automatically on policing databases to establish characteristics of ‘uniqueness’. For example, the probability of two unrelated individuals having an identical DNA profile is around 1 in 1 billion. Although it should be noted that identical twins share identical DNA.
Similarly, no two people (including identical twins) have ever been found to have identical fingerprints.
By contrast, the facial search functionality within the UK Police National Database (PND) is based on an algorithm which looks for measurements of ‘similarity’ rather than uniqueness. Against this context, it must also be understood that all such biometric technologies necessitate human interaction. Accordingly mistakes can occur, and it is therefore important to acknowledge that there is no such thing as an entirely reliable biometric technology.
There are currently many other biometric modalities in use in other policing jurisdictions and in other public and commercial contexts, including many with potential applications to policing and criminal justice in the future. Examples of other modalities include vein pattern recognition, iris and retina recognition, gait recognition, ear recognition, hand and finger geometry recognition, voice recognition, and keystroke recognition.
Biometrics are used in everyday life, for example biometric security features on a Smartphone which use your fingerprint or face to unlock the device.
DNA matching facilitates the identification of an individual using analysis of the segments from their DNA. To compare a victim’s or suspect’s DNA profile to recovered crime scene DNA, the forensic science laboratory will compare the DNA within biological samples. DNA databases facilitate the automated recognition of samples. It should be noted that identical twins share identical DNA.
Comparison of the unique ridges and valley patterns of a fingerprint or palm print to establish the unique identity of a person. Fingerprint databases and static and mobile optical scanners facilitate the automated recognition of samples.
The comparison of ‘similar’ facial features or patterns to assist in the identification of an individual. Most live or real-time face recognition systems use either eigenfaces or local feature analysis. Eigenface is the name given to a set of vectors which produce measurements of the human face for automated analysis and identification by computers. Face recognition looks for similarity rather than uniqueness. It is a less reliable biometric.
The comparison of ‘similar’ facial features carried out retrospectively by comparing a single ‘probe’ image from a crime scene or incident against a gallery of images to assist in the potential identification of a suspect. This is the technology used within the UK Police National Database (PND). The objective is for the software to produce a short-list of potential matching images that can then be further investigated by humans.
The use of the features in a human iris to assist in the identification of an individual. Iris scanners collect around 240 biometric features, the amalgamation of which are unique to every eye. The scanners create a numeric representation of information extracted from the iris which is stored in a computer database to facilitate automated searching.
The use of unique patterns of veins in the back of the eye to accomplish identification. The retina is the layer of blood vessels situated at the back of the eye. The scanners create a numeric representation of information extracted from the retina which is stored in a computer database to facilitate automated searching.
The identification of an individual using the unique shape of the human ear. An optical scanner produces an algorithm based on the curved features of an ear and is stored in a computer to facilitate automated searching.
The use of 3D geometry of the fingers and hand to facilitate the comparison of ‘similar’ facial features or patterns to assist in the identification of an individual.
The use of an individual’s walking style or gait to assist in automated recognition. Artificial intelligence systems are used to measure body mechanics for comparison with reference samples in a database.
Keystroke recognition or keyboard dynamics uses a unique biometric template to identify individuals based on typing pattern, rhythm, and speed. The raw measurements are known as ‘dwell time’ and ‘flight time’. Dwell time is the duration that a key is pressed, and flight time is the duration between keystrokes.
Vein pattern recognition technology is a method of biometric identification that looks for similarity or uniqueness on vein patterns of the human hand and forearm. The technique was first pioneered in Scotland by Professor Sue Black.
Voice biometrics is a technology which uses an algorithm to create a computerised voice print to assist with biometric identification. It is more commonly used for authentication rather than identification.