Privacy and Biometric Scans

Written by USW 9511 Admin on Thursday April 18, 2019

The company started a pilot project regarding the automation of timekeeping back in 2018. Part of the project included using a biometric finger scan as a way of signing into and out of the time clock. The Union raised member objections about the privacy of this matter. Now that the company intends to roll this out to 28 centres, it is important that all members understand the privacy issues regarding biometric scans.


Questions about Privacy and Biometric Information

The following questions and answers are adapted from the most recent document provided by the Information and Privacy Commissioner of Ontario regarding fingerprint biometric systems (November 2008). The full document ("Fingerprint Biometrics: Address Privacy Before Deployment") can be accessed on the IPC website at https://www.ipc.on.ca/privacy/data-and-technology-management/biometrics/

Is the stored biometric information "personal"? How sensitive and unique is it?

Information is considered personally identifiable if an individual may be uniquely identified either from this information alone or in combination with any other information. Biometric information cannot be easily (if at all) changed and is essentially a permanent part of an individual's identity. If it is determined that the information is Personally Identifiable Information [PII] (and not just contact information), it will also be considered "personal information" by other Canadian jurisdictions (including under the federal Personal Information Protection and Electronic Documents Act).

Does calling a biometric template a "number" reduce its sensitivity as personal information? - No.

It is true that a fingerprint template, which is unique to an individual, typically appears as a string of numbers. However, although the template may appear to be "just a string of numbers," it cannot be said to be "of no use to anyone." It is important to recognize that any information, whether numeric or alphanumeric, is rendered PII when linked to personal identifiers. Therefore, the templates that are generated, regardless of whether they appear in the form of numbers or not, serve as a surrogate of a person's identity and are sensitive PII by virtue of the fact that they are permanently and uniquely linked to an identifiable individual. It is, of course, true that in a fingerprint application each biometric template can be assigned a reference number. The reference number is returned if, for example, a match is obtained. Those reference numbers may be stored separately from the templates; however, the reference numbers do not replace the templates. The fingerprint templates continue to be stored somewhere, and are deterministically linked to the reference numbers.

Which Biometric Information is Collected?

There are two main groups of fingerprint algorithms: minutiae-based and non-minutiae, or pattern-based. The vast majority of systems use minutiae-based algorithms. However, this does not preclude the use of some non-minutiae information as an auxiliary means to improve system performance. There are several types of fingerprint minutiae. The most common are the following two types: fingerprint ridge endings and bifurcations. Each fingerprint may contain a few to a few dozen minutiae (30 to 40 on average); this number is a biological characteristic of an individual's finger. As specified by the standards and commonly referenced in the scientific literature, each minutia is defined by at least the following basic information: position x, position y, and minutia direction (i.e. angle). Having this information for all minutiae, one can create a 2D minutiae map, which is, again, a biological characteristic of an individual's finger. The standards also allow storing other optional minutiae information: type (ending, bifurcation, or "other"), and minutia quality. Further, the standards allow the storage of "extended data," such as ridge count data, fingerprint core and delta data, zonal quality data, or any other vendor's proprietary information. This additional minutiae and non-minutiae information can be used to improve the performance of a matching algorithm. In one-to-many matching applications, it is very likely that optional and/or extended data will be used, given the challenges of such an identification system. However, we will here make the conservative assumption that only the basic minutiae information is collected in a particular application. In other words, the stored fingerprint template contains at least the number of minutiae per finger, and the position x, position y, and direction of each minutia. This information is not a "meaningless number" but a biological characteristic of an individual's finger and is, therefore, highly sensitive personal information.

Unlike many other forms of personal information, this biometric information cannot be changed, cancelled, or revoked. It must be understood that in order to obtain this information from the stored template, it is not necessary to be familiar with the particular proprietary algorithm in use. It is also of no consequence how sophisticated the algorithm is. All that is needed is the format in which the information is stored. Also, templates can generally be made compatible with the existing minutiae standards. Even if this functionality is not directly built into the deployed system, anyone ordinarily skilled in biometrics can make the template compatible with the standards, provided that the template storage format is known.

Is it possible to link the fingerprint template with the other fingerprint databases?

The answer to this question is "yes." Collected minutiae templates can be submitted to any other minutiae-based database. The template can easily be made compatible with the format used by another database, be it a format specified by the ISO or another standards body, or any other format, as long as the basic minutiae information is stored.

In particular, templates can be run against the FBI IAFIS or RCMP fingerprint databases. Even though these databases normally require a fingerprint image as input, they can accept minutiae templates as well. This is usually done for criminal investigations: a fingerprint expert manually extracts minutiae from a poor-quality fingerprint image (collected, for example, at a crime scene) and submits the extracted minutiae to the system. By the same token, the minutiae obtained from a template can also be submitted to these databases.
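The following is an added illustration, not code from the IPC document or from the company's time clock system, of the two points above: a template stored as "a string of numbers" is still a structured (x, y, angle) minutiae map, and that map can be re-encoded into any other minutiae format once the storage layout is known. Both encodings, the sample values, and the tolerance-based comparison are constructed for this example and are far simpler than a real matcher.

```python
# Added example (constructed formats and values, not any vendor's real template layout).
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Minutia:
    x: int      # position x (pixels)
    y: int      # position y (pixels)
    angle: int  # minutia direction in degrees, 0..359

# Constructed "vendor A" encoding: a count, then x,y,angle triples, all plain numbers.
VENDOR_A_TEMPLATE = "3;12,40,90;55,60,135;80,20,45"

def parse_vendor_a(s: str) -> list[Minutia]:
    """Knowing only the layout, the 'string of numbers' becomes a minutiae map."""
    fields = s.split(";")
    count = int(fields[0])
    return [Minutia(*map(int, f.split(","))) for f in fields[1:1 + count]]

# Constructed "vendor B" encoding: one minutia per line, angle scaled to 0..255.
def to_vendor_b(minutiae: list[Minutia]) -> str:
    return "\n".join(f"{m.x} {m.y} {round(m.angle * 256 / 360) % 256}" for m in minutiae)

def parse_vendor_b(text: str) -> list[Minutia]:
    out = []
    for line in text.splitlines():
        x, y, a = map(int, line.split())
        out.append(Minutia(x, y, round(a * 360 / 256) % 360))
    return out

def angle_diff(a: int, b: int) -> int:
    d = abs(a - b) % 360
    return min(d, 360 - d)

def matched_count(probe: list[Minutia], stored: list[Minutia],
                  pos_tol: int = 3, ang_tol: int = 10) -> int:
    """Count minutiae in `probe` with a counterpart in `stored` within tolerance.
    Real matchers also align for rotation and translation; this only shows that
    what is compared is the biological (x, y, angle) map, not the byte format."""
    used: set[int] = set()
    hits = 0
    for p in probe:
        for i, s in enumerate(stored):
            if i not in used and math.hypot(p.x - s.x, p.y - s.y) <= pos_tol \
                    and angle_diff(p.angle, s.angle) <= ang_tol:
                used.add(i)
                hits += 1
                break
    return hits
```

Because the round trip through the second format changes nothing that the comparison depends on, storing the same data in a different or proprietary layout does not reduce what it reveals about the finger.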

Can a fingerprint image be reconstructed from the template?

Since we have already established that minutiae information is personal, sufficient to identify an individual, and interoperable among different databases, this question becomes less important. However, since many proponents of biometric systems claim that a fingerprint image cannot be reconstructed from a minutiae template, we will address this issue. Until recently, the view that reconstruction was not possible was dominant in the biometrics community. However, over the last few years, several scientific works were published showing that a fingerprint can, in fact, be reconstructed from a minutiae template. Even though this reconstruction was only approximate, the reconstructed image was sufficient to obtain a positive match in more than 90% of cases for most minutiae matchers.

I don't want to consent to have my Personal Information used in this manner, so what do I do?

Currently, the Union has submitted a grievance regarding the collection and use of biometric scans for timekeeping purposes, and has held talks throughout the pilot program making our position clear to the company. Members should make their concerns about their privacy known to their supervisor and their Union Steward.