The overheated debate around biometrics


By Patrice Caine, the Chairman and CEO of Thales Group

We’ve seen it happen with 5G, vaccination and nuclear power. How can we stop biometrics from becoming the next target of an increasingly biased public debate about new technology? Once again, radical and poorly argumented stances are dividing public opinion and hacking away at people’s trust in scientific and technical progress. So how can we cool the heated debate and make a rational cost-benefit analysis of biometrics technologies? To my mind, the first thing to do is to clear up three sources of confusion.

First, we need to agree on the meaning of the word “biometrics”, which is sadly starting to take on negative connotations and conjure up totalitarian images of mass surveillance. In fact, there’s nothing inherently negative – or even particularly new – about recognising a person from their physical characteristics. In the second millennium BC, the ancient Babylonians pressed the tips of their fingers into clay to record business transactions, although it was not until the late 19th century that progress in forensic science would make fingerprinting a standard police practice around the world. There’s no denying that the permanent and uniquely individual nature of biometric data puts it in a class of its own. But that doesn’t automatically make it more sensitive than other types of personal information. You would probably be much more concerned about someone hacking your smartphone’s GPS records, or discovering the user ID and password for your bank account, than you would about revealing the shape of your face – which is probably all over the internet anyway. The real concerns are not about the nature of the biometric data itself, but about new ways of analysing that data and how those capabilities could be used or misused.

Which brings us to the second source of confusion. There are basically two uses of biometric data – authentication and identification – and they have little to do with one another. Authentication is about providing a secure way for an individual to prove their identity, and there are no particular concerns about that. Barely a voice was raised when biometric passports were introduced, and many of us are more than happy to use our faces or fingerprints to unlock our telephones. But biometric identification is another matter, and it’s distorting the public debate to such an extent that some people are starting to confuse the two. Identification is about identifying a person in a crowd, for example, without any action on their part, and in some cases without their consent. As we know, misuse of these types of applications comes with risks attached, such as invasion of privacy, disclosure of sensitive information and restriction of individual freedoms. But these risks are no more serious or unavoidable than the risk of misuse of many other technologies. There’s a downside to cars or the internet or prescription drugs, but society chooses to limit the risks through a combination of regulation and technical improvements. The same should be true for biometrics. Technological progress (in areas such as data encryption) combined with tighter regulation can provide adequate safeguards to limit the risks of misuse. Another important way to ensure responsible use of these tools is to support an ecosystem of trusted players which combines state of the art biometrics know-how with a strong commitment to work within a clear and comprehensive ethical framework. Indeed, this is the thinking behind TrUE Biometrics, an initiative officially launched by Thales to lay out our commitments to the development of Transparent, Understandable and Ethical biometrics technologies.

The third thing muddying the biometrics debate is confusion about new technologies in general. Public opinion, in certain countries at least, attaches disproportionate attention to the risks versus the potential benefits, thus preventing us from making a balanced assessment. One may say it’s a matter of precaution, but how prudent is it to stymie new efforts to protect millions of people from identity theft? How prudent is it to allow criminals  to exclusively  leverage new technologies and the potential of our digital societies, and to limit that same access to law enforcement simply because a risk exists – however small and however manageable that risk may be. In 2018, when Indian police used facial recognition technology to reunite 3,000 missing children with their families in a matter of days, should they have applied instead the principle of precaution?

As always, trade-offs over the use of technology require a nuanced, balanced assessment based on facts as well as principles.