Regulating biometrics

• Biometric visa or VISABIO
• Biometric passport
• Research programmes
• Voice recognition and vein pattern recognition
• An analytical scale for the use of fingerprints
• Cross perspectives on the analytical scale

On 10 July 2007, CNIL issued an opinion (Decision No.2007-195) on a draft decree referred by the Ministry of Home Affairs, relative to the creation of a master record of foreign nationals applying for a visa.

The new biometric visa system called VISABIO, implementing the experiments conducted since 2004 under the BIODEV pilot project, should concern over two million foreign nationals from countries subject to visa obligations each year. The system under consideration provides for the collection and retention of biometric data in a centralised base (digitised facial photos and ten fingerprint scans), combined with identity data previously collected during the visa application procedure.

While noting that the use of biometric data may offer strong benefits to check the identity of ID card holders and authenticate IDs, the Commission felt however that the system should be framed by strict guarantees. CNIL regretted in particular that no consideration was given to the possibility for card holders to simply retain their own biometric data on their personal ID card, an option that would raise fewer problems from the personal data protection point of view, since in this case, only the data subjects own the device onto which their personal data are recorded.

The Commission also stressed that the collection of fingerprints of minors from the age of 6 could not be regarded as a mere technical measure and that its very principle deserved to be broadly debated.

The issue of biometric passports was referred by the Ministry of Home Affairs to CNIL for review in the autumn of 2007 and the Commission issued its opinion on the draft decree on 11 December 2007 (Decision No.2007-365).

The decree intends for France to be in a position, prior to 28 June 2009, to issue passports fitted with an electronic component containing not only the digitised facial picture but also images of two fingerprints, in compliance with the provisions of the European Council Regulation of 13 December 2004.

Concurrently, it provides for the retention of the passport applicant's digitised facial and eight-fingerprint images in the existing passport management record called “DELPHINE”, which would lead to significant changes to this database.

The Commission expressed a number of reservations about this project, finding that the system under consideration would lead to the implementation of the first centralised bank of biometric data on French nationals for administrative purposes.

CNIL reminded in particular that processing of such data, in an automated and centralised form, would be acceptable only to the extent that it may be justified by a compelling necessity linked to national security or public order.

In this respect, the Commission considered that the purposes claimed, however legitimate, i.e. improving the procedures for issuance and renewal of passports along with combating ID fraud, failed to justify the national-scale retention of biometric data such as fingerprints, and that the type of data processing involved would cause excessive prejudice to individual liberties.

Furthermore, the retention of digitised facial and fingerprint images in a central database appears disproportional with the purposes, in spite of assurances from the Ministry of Home Affairs who stressed that it would be impossible to conduct any identification searches from the digitised fingerprint images (i.e. it would not be possible to retrieve civil registry data on individuals based on their fingerprints) and that the system contained no facial recognition device based on the digitised photos (i.e. it would not be possible to retrieve civil registry data on individuals based on their facial image).

Lastly, CNIL regretted that this new procedure framework was to be defined via a regulatory rather than legislative process (i.e. Government decree versus law voted by Parliament), since the changes introduced by this draft decree are much more substantial than actually required by France's European commitments. The scope of this reform and the significance of the issues at stake would undoubtedly have justified a law to be proposed before Parliament, enabling a broad public debate on the subject.

On 18 January and 4 October 2007, CNIL authorised for the first time three research programmes in the field of biometrics. The first 2 approvals concern public research projects submitted by the University of Evry Val d'Essonne and the Groupement des Ecoles de Télécommunications (GET). These programmes address the following topics :

• assessment of biometric recognition processes;
• compilation of “multimodal” biometric databases, i.e. combining the use of several biometric techniques (2D and 3D facial images, iris, fingerprints, hand geometry).

The third authorisation was granted to a European project coordinated by Sagem Défense Sécurité in a consortium with 12 partners. The purpose of this research project is to improve 3D facial recognition systems and the security of biometric data.

These research programmes, relying on volunteer participation, are of major importance since they provide CNIL with sources of reliable assessments on state of the art techniques. The reports published on research findings will be made available to the Commission.

In 2007, CNIL also investigated its very first request for installation of a voice recognition system, designed to secure and facilitate the management and resetting of passwords used to access the IT system at Michelin. The process can generate and reset the passwords automatically, in particular in the event of forgotten passwords. The Commission reviewed the system to ensure that adequate information was supplied to the personnel and that all efforts were made to guarantee data security and prevent any risks of identify theft.

Similarly on 8 November 2007, CNIL reviewed for the first time five devices based on finger vein pattern recognition (VPR) designed to control access to premises or IT systems. Following an in-depth technical expertise of the vein recognition technology, the Commission reached the conclusion that, in view of the current state of the art, vein pattern recognition is a traceless biometric process generating data that can be recorded in a database without any particular risks in terms of data protection.

CNIL issued its very first opinion in 1997 regarding a device based on fingerprint recognition. A decade later, the Commission felt it was necessary to clarify its position on the subject.

A document was therefore published recently, presenting the major criteria grounding the Commission's decisions to authorise or reject the use of systems based on fingerprint recognition with recording of data in a scanning/matching device or on a server.

The analytical scale derives from the following observations:

• fingerprinting is a traceable biometric process. Each person leaves traces of fingerprints in most circumstances of daily life (e.g. on a drinking glass, a door handle, etc.), which can be exploited with variable ease;
• such “traces” may be captured unbeknownst to data subjects and may be used among other for purposes of identity theft (a copy of the fingerprint can be used to fraudulently deceive a fingerprinting recognition device ).

Consideration for these characteristics and for their related risks has led CNIL to differentiate between the various devices based on the fingerprint storage method:

• Storage on an data subject device (e.g. chip card or USB key) = limited risk since the data subjects keep full control over their biometric data which cannot be used for identification purposes without their knowledge.
• Storage in a scanning/matching device or on a server = higher risk, since data subjects lose control over their data held by a third party. In the event of intrusion into the system, all fingerprint data can be accessed.

Accordingly, the Commission does not authorise the use of devices based on fingerprint recognition with data recording in a database, unless the use of such devices is duly justified by compelling necessity of security and fulfils the following four prerequisites :

• the purpose of the device must be restricted to access control for a limited number of persons to a specifically delimited area constituting or containing a major concern over and above the basic interests of the organisation, such as protection of physical integrity of persons, property and facilities, or integrity of certain data.
• proportionality: it is important to know whether the proposed system is the most suitable for the previously defined purpose with regards to any risks it may involve for personal data protection and as compared with other potentially usable systems;
• security: the device must enable both a reliable authentication and/or identification of data subjects and offer all guarantees of security to prevent any data disclosure;
• information of data subjects : it should be conducted in full compliance with the Data Protection Act and, as appropriate, with the Labour Code.

François Giquel

Vice-President, Honorary Legal Counsellor to the Cour des Comptes
Commissioner in charge of the Justice sector

Didier Gasse  

Legal Counsellor to the Cour des Comptes
Commissioner in charge of Telecommunications & Networks and European & International Affairs sectors

What were the triggering factors that drove the Commission to clarify its doctrine on fingerprint databases?

F. Giquel : In view of technological breakthroughs in biometrics and of the diversity of circumstances, it was felt essential to clarify, as a reminder, the main criteria used by CNIL to investigate applications for authorisation.

It was also necessary to help companies, public administrations or local authorities considering the installation of such systems to ask themselves the relevant “Data Protection”-related questions prior to the decision making and application filing processes.

What justifies such special attention from the Commission to this type of devices?

D. Gasse : Unlike any other identity-related data or any other personal data, biometric data are not assigned by any third party or chosen by the data subject: they are generated by the human body itself, they designate or represent the human body as unique and immutable, unlike any other. Such data therefore belong to the person who generated them.

Hence, it is easy to understand that any possibility of misuse or misappropriation of these data would engender a major risk for that person's identity. Entrusting a third party with your biometric data and allowing that third party to retain them is therefore never a trivial or inconsequential matter, particularly since fingerprints are traceable biometrics that can be captured and used without the person's knowledge.

What are the criteria selected by the Commission to evaluate the proportional nature of a system based on the recording of fingerprints in a database?

F. Giquel : As a general rule, the purposes of fingerprint storage in a database can always be achieved via a different technology based on fingerprint storage on an individual device (e.g. smart card). Nevertheless, a centralised database may be of benefit whenever access must be provided at any time and immediately, or to respond to emergency situations requiring a timely intervention.

D. Gasse : It should also be noted that, whenever we deal with situations where security is the key issue, we also look at the relevance, adequacy and non-excessive nature of fingerprint database systems, as compared with the number of data subjects: the more restricted the area and the smaller the number of data subjects, the more limited are the drawbacks of fingerprint databases.