In recent years, heightened security concerns arising from the growth of transnational crime and terrorism have led to increased interest and research into biometric technology's potential to make accurate identity checks. Long used in the realm of criminal proceedings, as well as in the private and commercial sector, biometrics have received a great deal of attention as a way of "filling the gaps" in traditional methods of border control.
Biometrics are physiological or behavioral characteristics used to recognize or verify the identity of a living person. Physiological characteristics include fingerprints, hand geometry, iris shape, face, voice, ear shape, and body odor. Behavioral characteristics include hand-written signatures and the way a person walks.
Any one of these types of biometric information can allow border security guards to make rapid and precise, one-to-one (authentication) or one-to-many (verification), identity checks. In simple terms, a one-to-one check determines whether a person is who he claims to be, such as when a signature is compared to one on a legal document. A one-to-many check entails the identification of one person from among many — for instance, when a fingerprint is compared to thousands of fingerprints in a database.
Border checks in both the EU and USA have opted for inkless fingerprints and digital facial recognition through digitized photographs. Saudi Arabia has chosen to use iris recognition technology.
The events of September 11, 2001, were the trigger for a flurry of developments in the biometrics field. The USA Patriot Act, passed in October 2001, introduced measures requiring all foreign visitors to provide machine-readable, biometric travel documents, and put into place an entry-exit system to monitor movements to and from the country. This legislation prompted a number of other countries to adapt their travel documents accordingly and to set up biometric identity checks to ensure border security.
However, there are important human rights implications inherent in the collection, processing, and distribution of a person's unique, physical identifiers, causing a certain degree of friction between the security interests of policymakers and the right to privacy of those subject to any of these measures. This friction is at the heart of the biometrics debate.
It is important to look at this debate from the migrants' perspective because the development of biometric technology is particularly discriminatory towards migrants, both in its application and its effect.
Right to Privacy and Biometrics
Advocates suggest that biometrics should enhance rather than conflict with individual privacy, preventing identity theft and providing increased anonymity for the user. An automated identity check will simply verify that the codified data encrypted on a travel document corresponds to that provided at the border check. However, biometrics still potentially challenge the right of bodily and information privacy and the right to process and distribute this information.
Privacy is a fundamental human right upheld under Article 12 of the Universal Declaration of Human Rights, as well as Article 17 of the UN International Covenant on Civil and Political Rights and inasmuch applies to all people, regardless of nationality, immigration status, age, or sex.
Privacy is also defended at the regional level, both in Europe and the U.S., under their respective human rights conventions, and is equally applicable to all people residing within those jurisdictions. In addition, these rights are enforceable rights under the Inter-American Court, the European Commission, and the European Court of Human Rights. More specifically, the UN International Convention on the Protection of the Rights of All Migrant Workers and Their Families (ICMW), which entered into force in 2003 and has been ratified by 27 countries, provides both regular and irregular migrant workers with a right to privacy under Article 14.
The right to information privacy is assured through data protection mechanisms, which exist in one form or another across the world. The UN General Assembly has devised guidelines of "minimum guarantees" for the use of personal computerized data, as have the Council of Europe and the Organization for Economic Cooperation and Development (OECD). It is up to individual countries to incorporate these guidelines into national legislation protecting personal data.
The more data is transferred across different agencies and countries, the greater the risk of it seeping into controversial areas of immigration control.
All of the above instruments share four key principles. Firstly, data must be obtained lawfully. Second, it also must be kept safely and securely. Third, it must be accurate and up-to-date, and finally, it must only be used for the original purpose specified. In addition, data protection ideally includes some type of enforcement mechanism.
In practice, however, it can be difficult to uphold these principles. For example, one of the weaknesses of biometrics is their lack of reliability, whether from error or from their vulnerability to interference.
"Contactless" RFID (Radio Frequency Identification) chips, a favored tool among private consumer companies to track inventories of clothing and other consumer goods, can be read from a distance of up to 20 meters, enabling any non-official person equipped with a biometric reader to obtain this information anonymously. Furthermore, in the U.S., the stored information is not encrypted, and therefore more easily "read."
A second weakness of biometrics is that it is not always accurate. For example, the relative reliability of fingerprint checks is not only likely to decrease over time, but also as more data accumulates in giant databases.
Another weakness is "function creep," which means data is used in a way not foreseen nor consented to at the time the data was collected. The fallibility of RFID chips, coupled with the use of huge national or regional databases to store biometrics information, highlights the concerns linked to function creep.
However, function creep seems somewhat inevitable as national governments seek to enhance global interoperability between databases, which facilitate the exchange of data between national immigration, law enforcement, and other public and private databases, such as those used by airline and travel agencies.
The more this data is transferred across different agencies and countries, the greater the risk of it seeping into controversial areas of immigration control, such as tracking and surveillance. Such a scheme has already been adopted in Britain, where registered asylum seekers are monitored using biometric "tagging" — for instance, an anklet bracelet with global satellite positioning requiring the asylum seeker to be at home at certain times — as an alternative to detention.
Although these principles are important, they can only be effective if they are enforced. The European Union (EU) has recognized the need for enforcement by establishing a Data Protection Directive (95/46 EC, building on previous measures) to be incorporated into Member States' national laws. This directive is overseen by an independent working party comprised of national data commissioners of Member States. The working party's mandate is to ensure the uniform application of the directive's general principles.
The U.S., however, has perhaps the weakest laws in terms of data protection. Although the U.S. is a signatory to the OECD guidelines, it has not implemented them. Data protection laws have developed on an adhoc basis, with industry-specific codes of practice governed by a mix of legislation, regulation, and self-regulation, but no federal-level law or enforcement agency.
To facilitate commerce with the EU after the EU Data Protection Directive went into effect, the U.S. devised the "safe harbor" framework. This allows a non-regulated list of U.S. companies, which have put secure procedures in place for handling sensitive data, to comply with the directive.
Yet even where such mechanisms are in place, the question arises whether existing protection is appropriate and sufficient to cover all the uncharted territory that accompanies biometrics. The new EU Commissioner for Justice, Freedom and Security has stressed that safeguards "need to be maintained, respected, and reviewed in the light of the development of networks, technologies, and the types of data used, for example, in relation to the possibility of the extensive use of biometrics."
Furthermore, even should there exist sufficient safeguards governing one country or group of states, the exchange of this information across borders throws into question which and whose data protection rules should apply.
Migrants and Biometrics
Biometric measures have tended to discriminate against migrants deliberately as part of a policy to tackle illegal immigration and as an unavoidable consequence of their contact with borders. Immigrants from third-world countries, for example, are more likely to need visas for entry into the U.S., and certain nationals and ethnic groups are deliberately targeted by immigration controls because of terrorism fears.
Many pilot projects have targeted narrow and specific groups. These include the UK's visa registration project, the early U.S. SEVIS program (Student and Exchange Visitor Information Program, an electronic system for maintaining information on international students and exchange visitors in the United States), and the U.S. NSEERS program (National Security Entry-Exit System). The UK project targeted visa applicants from five East African countries as well as asylum seekers, while the U.S. programs were aimed at foreign students and Arab-Muslim travelers, respectively.
For asylum seekers, the process of having their biometric information collected may amount to a terrifying and traumatic experience.
Biometrics are also used at certain airports' border checkpoints as part of "frequent flyer" programs for business travelers and airline employees. These programs include CANPASS in Canadian airports, INSPASS in major U.S. airports, and PRIVIUM in Amsterdam's Schiphol airport; Italy and the UK have similar programs. However, such programs are considerably less controversial because they are based on the voluntary surrender of fingerprints, hand images, or digital photographs.
In addition to this deliberate discrimination, immigrants and asylum seekers wanting to cross borders may also suffer disproportionately from the negative effects of this technology. The very act of collecting biometric information and the implications of such a procedure — the stigma of criminal activity attached to fingerprints or "mugshots" for example, or even the hygiene-related issues of touching a finger scan — might be felt more acutely within different cultural groups.
For asylum seekers — generally people fleeing their country for fear of persecution who may have an acquired distrust of authority — such a procedure may not only be objectionable in principle, but may be a terrifying and traumatic experience.
Function creep also presents far greater problems for migrants, both temporary and permanent, insofar as biometrics may be incorporated into identity cards and multipurpose entitlement cards. The particular link between immigration and law enforcement bodies serves to further stimulate the perception of migrants as criminals, as well as to provide a pretext for identification-based stop and search procedures that tend to target ethnic minority communities.
In addition, public health bodies have already started warning against the exclusionary nature of entitlement cards that may exclude vulnerable people from essential medical treatment or discourage those without cards from seeking care.
Arguments for and Against Biometrics
Biometrics advocates argue these effects are an unavoidable price to pay to ensure border security.
In the fight against illegal migration, biometric identifiers certainly present a number of advantages. They may facilitate return procedures of failed asylum seekers by identifying their true country of origin, as well as prevent multiple asylum claims and "visa shopping" (simultaneous applications), by keeping a centralized, easily accessible database.
Biometrics might even contribute to reducing discrimination, advocates say, by automating identity checks and raising confidence in border security and immigration controls, thereby reducing the myths and stereotypes associated with migrants and asylum seekers. With biometrics, asylum seekers would be able to provide credible, immutable evidence of their claim, and traffickers would be hindered in their attempts to use false identities.
Yet many of these measures would target nationals of particular countries who are entitled to the fundamental rights enshrined in international and regional human rights conventions. Applying these measures in such a discriminatory fashion would almost certainly violate their right to privacy.
There is little evidence from the U.S. and UK that biometric technology has contributed to reducing either terrorism or irregular migration.
Aside from discrimination, data protection principles are key to preventing the worst effects of biometrics. Some migrants suffer from social exclusion, perhaps as a result of linguistic and cultural barriers, or they may lack judicial remedy depending on national laws.
Weak or unclear data protection rules amplify the risk to migrants since they may be reluctant to affirm their rights or may be unfamiliar with the nature, extent, and operation of these rights. Given migrants' exposure to biometric systems that are now being critically reexamined for technical flaws, data protection and legal redress should assume an even greater role.
However, the importance of data protection has been blurred by a distorted emphasis on security and border controls that may compromise privacy rights. The effects are threefold.
First, the priority given to security issues may work against the need to protect and provide for migrants' rights given their particular vulnerability to such measures. Some contend that security concerns are in part a cover for a general reluctance to fulfil these obligations.
This prioritization reveals a widespread practice that considers even fundamental rights, such as privacy, as dependent on legal status or nationality. Such an interpretation is clearly contrary to the provisions of international law cited above, and overlooks the fact that even irregular migrants are entitled to human rights.
Second, the association of biometrics with anti-terrorism measures has linked biometrics procedures with terrorism. Consequently, although identity checks at borders are a recognized and accepted immigration procedure, the use of biometric information has contributed to the criminalization of this process.
Third, security issues seem to operate as a universal key that can open doors previously locked by data protection and privacy concerns. These measures are gaining social acceptance without proper consideration either of their long-term effects or of alternative methods.
So far, there is little evidence from the U.S. and UK that biometric technology has contributed to reducing either terrorism or irregular migration. According to the U.S. Department of Homeland Security, more than 200 persons have been arrested since the January 2004 launch of US-VISIT, a program that electronically tracks the entry and exit of foreign visitors using biographical information and biometric identifiers. Those arrested include "convicted rapists, drug traffickers, individuals convicted of credit card fraud, a convicted armed robber, and numerous immigration violators and individuals attempting visa fraud."
However, having processed over 2.5 million visitors, no terrorist suspects have been caught to date, and these statistics do nothing to change the numbers of migrants who enter legitimately, but who become irregular once inside the country.
Similarly, in the UK, a six-month biometrics visa trial in July 2003 targeted exclusively visitors from Sri Lanka; the trial uncovered seven undocumented migrants. Based on this "success," the UK announced plans to extend the project to include nationals from Djibouti, Eritrea, Ethiopia, Tanzania, and Uganda.
The Future of Security and Human Rights
Nevertheless, security and human rights may not necessarily be incompatible principles, and the development of biometric technology can operate within a context that reconciles the needs and rights of all parties.
Finding that common ground requires reconsideration of three points.
First, the use of biometric documents must be proportional to the risk faced and the consequent restrictions placed on freedom of movement. This principle of proportionality requires the collection of information to be adequate, relevant, and for legitimate purposes. The issue has already been raised by the EU Data Protection Working Party, which has questioned the fundamental legitimacy of collecting such information, suggesting that these measures have so far failed to satisfy requirements of security, necessity, and proportionality.
Second, policymakers who believe biometric identity cards prevent illegal migrants from working or claiming benefits need to remember that "clandestine" migrants live and work clandestinely. In the same way, smuggled migrants have little use for identity travel documents, biometric or otherwise. If current methods are failing, it must be questioned whether this is really a result of a lack of technological advancement.
Finally, there is an urgent need to approach immigration reform and anti-terrorism as two separate and distinct issues. The proportionality principle could be invoked by data protection bodies and civil rights advocates with greater authority to gauge the suitability of biometric data collection and usage. In addition, proportionality could make it easier to assess if the measures undertaken are effective enough to justify radical inroads into privacy rights.
“BMA calls for safeguards on ID cards” (23 November 2004). Available online.
Commission of the European Communities, Extended Impact Assessment (28 December 2004). “Proposal for a Regulation of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between member states on short-term visas." COM(2004) 835 final, Brussels: the European Commission. Available online.
The Delegation of the European Commission (21 December 2004). “Data protection in the area of Justice, Freedom and SecurityMeeting with the Joint Supervisory Authorities under the Third Pillar.” Available online.
EurActive, Justice and Security (10 November 2004). “Hague Programme, JHA programme, 2005 – 10." Available online.
European Commission, Information Society website. “Data Protections.” Available online.
European Union, IDABC (5 April 2004). “U.S. Administration extends US VISIT programme to visa waiver countries.” Available online.
International Safe Harbor privacy principles. Available online.
Le Monde (3 December 2004). "Les étrangers sont les premières victimes des violences policières." Available online.
Rosenzweig, Paul, Alane Kochems, and Ari Schwartz (21 June 2004). "Biometric Technologies: Security, Legal, and Policy Implications." Legal Memorandum No 12, Heritage Foundation. Available online..
The Somaliland Times (22 January 2004). “Biometrics to be Used in UK to Tackle Asylum abuse.” Issue 105. Available online.
Statewatch Bulletin (November-December 2004). "France: Police Brutality escapes punishment." Vol. 14, No. 6. Available online.
UK Home Office (8 July 2003). “Visa Fingerprint trial for visitors from Sri Lanka.” Available online.