Implementing biometric technology ethically

by Ned Lupson
0 comment

The temptation to implement facial recognition and other biometric technologies within security systems is growing, but what are the ethical considerations?

The triumphant 2023 FIFA Women’s World Cup saw more fans pack into stadiums across Australia and New Zealand than
ever before in the event’s history, with almost two million total people attending tournament games, beating FIFA’s initial crowd forecasts by over 500,000.

Each one of these patrons carried distinct identity signatures that may be the future of facility security. But they are signatures that, at this time, are subject to a debate around unclear tracking in Australian stadiums.

As facial recognition and other biometric technologies become available to FMs, the temptation to implement security systems built upon them has grown, but ethical adoption seems abstruse. Confusing consent requirements, privacy challenges and a lacking regulatory environment complicate this landscape.

Facility Management speaks to an expert about the concerns surrounding the deployment of biometric technology in Australia: Dr Arathi Arakala from the RMIT University Centre for Cyber Security Research and Innovation, who specialises in developing mathematical algorithms to protect biometric data and user privacy.

Early advances in biometrics

Arakala notes that the field of biometrics is long established, pointing to its origins in police activities with fingerprinting. Where fingerprints lifted from crime scenes once were manually compared to databases, early machine learning and pattern recognition facilitated a more efficient process with automatic fingerprint identification systems.

It wasn’t until after the 9/11 attacks in 2001 that wider applications of biometric technologies advanced beyond reactive law enforcement.

“That’s when there was a big impetus to do research on biometric security and look at modalities other than fingerprints that could be used to identify human beings and do it automatically using software,” says Arakala.

Dr Arathi Arakala from the RMIT University Centre for Cyber Security Research and Innovation.

She identifies border security as the next sector to invest in new biometric systems, with biometric passports allowing easier navigation of airport immigration checks.

But the security innovations held widespread commercial value, and before long key biometric technologies could be found in private interactions from unlocking devices with fingerprints to voice recognition with banking call lines.

“Once, it was esoteric, it was just for law enforcement and things like that, but now it has become a part of everyday life,” says Arakala.

“Every human being has used biometric data in some way.”

The regulatory framework to consider

Biometric data has been classified under the Commonwealth Privacy Act of 1988 as personal or sensitive depending on the type of information, with both categories requiring strict confidentiality, including consent of the data subject.

Arakala believes that since these guidelines predate many biometric technologies they have resulted in privacy-conscious development, but suggests that weaknesses in jurisdiction permit insecure biometric data interactions.

The Privacy Act only applies to Australian government agencies, private bodies with an annual turnover greater than $3 million and, in limited circumstances, other entities, but the act could be strengthened to govern all organisations that interact with biometric data. The handling of personal or sensitive information requires consent, but workarounds for this seemingly strict requirement have long been in place.

Stadium facial recognition causing controversy 

Public attention has recently been drawn to the use of facial recognition technology in major Australian stadiums following an investigation by consumer advocacy group Choice, which found inconsistent use across facilities.

“A few stadiums in Australia have facial recognition mainly to keep out offenders or people that have been evicted previously to maintain safety at the venue,” Arakala says, adding that the current situation is primitive, with many patrons unaware that their information is being collected.

FMs do hold an element of responsibility to inform their stakeholders, but regulators also need to encourage vulnerable demographics in particular to ask questions about where their data is stored.

While Australian stadiums that do use facial recognition technology like Melbourne Cricket Ground (MCG) and Sydney Cricket Ground already divulge biometric data collection in their conditions of entry, Arakala questions if any spectators actually read the fine print on ticketing platforms or venue websites, or if this information is clear.

The MCG conditions of entry only state: “Facial recognition operates at the MCG. Patrons consent to the collection of biometric information (including biometric templates) for what is reasonably necessary for one of the MCC [Melbourne Cricket Club]’s functions or activities.”

Small signs at stadium entrances advising that biometric cameras are in use also have little impact on decision-making when patrons have already spent hundreds of dollars on a ticket to see their favourite team or performer.

“We still are a work in progress as a biometric community to develop regulations that protect the consumer and keep this open so that people actually have a choice about whether they want to enter a stadium or not,” says Arakala.

She believes a more ethical solution would be to “make people aware at the time of ticket purchase that

this venue uses facial recognition”, suggesting that an additional checkbox requiring informed consent at the time of purchase would be preferable so that patrons could consider risks.

Public education plays a major role in aiding informed decision-making. Arakala says that FMs do hold an element of responsibility to inform their stakeholders, but that regulators also need to encourage vulnerable demographics in particular to ask questions about where their data is stored.

“Ask questions about who is storing the data, where it is stored, how it is protected. Ask what kinds of protection mechanisms govern it, what regulations are the company in charge of the data following, what are the implications for the company if the data is breached, or is shared without consent,” says Arakala.

Best practice with biometric technology for FMs 

Currently there is little information available about how and where biometric data is stored, a problem that is common across many industries. Ethical data interaction involves transparent storage and processing, beginning with divulging how the data is kept.

Personal devices store sensitive biometric data that forms a “biometric template” locally, encrypted on the device. Only a confirmation or denial of verification is shared with compatible applications, not the data itself. But large organisations may use centralised databases that are often controlled by Software as a Service (SaaS) consultants that can facilitate unethical storing or sharing.

“A company that has data can do anything with it,” Arakala says, also acknowledging that stored information is always vulnerable to a data breach. FMs should advise potential facility attendees of specific biometric data practices that are active, including what, where and how data is stored.

Melbourne Cricket Ground (MCG) divulges biometric data collection in their conditions of entry.

Arakala warns that, in deciding which software to adopt, FMs need to be mindful of “demographic bias”, which can function poorly and be “dangerous”. If artificial intelligence is not trained on a diverse sample it can misidentify and implicate unfamiliar individuals, so FMs should look for systems that are diversity-accredited by industry bodies.

Future technological developments should allow greater data security for both FMs and patrons. In the European Union, one of the most strict privacy environments thanks to its General Data Protection Regulation, there has recently been a push to move away from biometric databases.

Instead biometric ID cards are being issued that store facial images and fingerprints offline. It is possible that such biometric cards will one day be incorporated into facility security systems to confirm or deny identity securely, but Arakala warns that such a day is a long way off.

This article originally appeared in the ‘Future-focused Facilities Issue’ of the Facility Management digital magazine. Grab your free copy here. Existing subscribers can read the magazine here.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More