Biometric Identifiers

Latest News/Events

  • Biden Administration Abandons DHS Plans to Expand Biometric Collection + (May. 11, 2021)
    According to a news report, the Biden Administration plans to rescind a proposed rule to massively expand the collection of biometric information from immigrants. The rule, proposed towards the end of the Trump Administration, would have granted the Department of Homeland Security broad authority to collect biometric data from immigrants and their families and associates. The rule would have enabled the collecting of palm prints, iris images, voiceprints, DNA, and images for facial recognition regardless of age. In comments to the Department of Homeland Security, EPIC opposed the rule and urged the agency to rescind the proposed rule. EPIC argued that DHS']s broad authorization to collect biometrics was incompatible with the Department's Fair Information Practice Principle. EPIC also specifically called on the agency to suspend the use of facial recognition technology. Last year, EPIC, joined by over 40 organizations called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC, Coalition Urge DHS to Rescind CBP's Proposed Biometrics Rulemaking + (Mar. 10, 2021)
    In a letter to Secretary of Homeland Security Alejandro Mayorkas, EPIC and a coalition of civil rights, civil liberties, immigrant's rights, technology, and privacy organizations urged the agency to rescind a Notice of Proposed Rulemaking massively expanding Customs and Border Protection's (CBP's) use of biometrics, and to suspend the use of facial recognition across DHS. The NPRM was originally issued November 19, 2020 and re-published on February 9, 2021 in a sign that DHS and the Biden Administration intend to go forward with the rulemaking. EPIC submitted comments on the original NPRM, urging CBP to suspend its use of facial recognition, or in the alternative use only 1:1 face comparison. Earlier, EPIC voiced opposition to a broader DHS rulemaking authorizing widespread use of biometrics, including facial recognition, throughout the agency.
  • EPIC, Coalition Call on Biden Administration to Abandon "Virtual Border Wall," Invest in Migrant Communities + (Feb. 25, 2021)
    In letter to the Biden administration, EPIC and a coalition of 40 privacy, immigration, and civil liberties organizations urged the administration to abandon the proposed U.S. Citizenship Act of 2021 as an extension of the Trump administration's border policy. The proposed legislation would direct DHS to deploy a bevy of biometric and other surveillance technologies at points of entry and along the southern border. The letter describes how such technologies endanger the lives of migrants by pushing them onto more dangerous travel routes. The use of surveillance technologies at the border inevitably extends into the interior, where they are deployed against protesters, communities of color, and indigenous peoples. EPIC recently urged DHS to rescind a proposed rule increasing the agency's collection of biometric information.
  • More top news

  • EPIC, Coalition Urge NYPD to Limit Use of Surveillance Technologies and Disclose More Information on Their Use + (Feb. 25, 2021)
    In comments to the New York Police Department, EPIC called for meaningful limits on the use of mass surveillance technologies including facial recognition, airplanes and drones, automated license plate readers, and social media monitoring tools. EPIC also joined with privacy and civil liberties advocates and academics in coalition comments urging the NYPD to make a good faith effort to meet the requirements of the Public Oversight of Surveillance Technologies (POST) Act. The POST Act requires the NYPD to publish impact statements and use policies for 36 surveillance technologies. The Department's draft policies fail to disclose necessary information including detailed data storage, retention, and auditing practices, do not name the vendors of these technologies, and gloss over systemic racial discrimination in the use of these technologies with boilerplate language. The disclosures illuminate the use of technologies by the NYPD that enable mass surveillance and have extensive documented risks of bias and inaccuracy. EPIC leads a campaign to Ban Face Surveillance, and through the Public Voice coalition gathered support from over 100 organizations and experts from more than 30 countries.
  • EPIC Urges NIST to Adopt Privacy-Protective Standards for Federal ID Cards + (Feb. 2, 2021)
    In comments responding to the National Institute of Standards and Technology's draft Federal Information Processing Standards for personal identity verification (ID cards and digital identity verification), EPIC urged the agency to adopt more privacy protective technology for federal employees and contractors. EPIC drew upon expertise from the Advisory Board for these comments. EPIC recently urged the Department of Homeland Security to suspend a new counterintelligence system of records which will collect biometric information. EPIC previously urged the Department of Transportation to provide more privacy protections for federal employees in the Insider Threat database.
  • Hamburg DPA Deems Clearview AI's Biometric Photo database Illegal, Orders a Partial Deletion of Profile + (Jan. 28, 2021)
    The Hamburg Data Protection Authority has ruled that Clearview AI’s searchable database of biometric profiles is illegal under the EU’s GDPR and ordered the U.S. company to delete the claimant’s biometric profile. Clearview AI scrapes photos from websites to create a searchable database of biometric profiles. The database, which is marketed to private companies and U.S. law enforcement, contains over 3 billion images gathered from websites and social media. The claimant submitted a complaint to the Hamburg DPA after discovering that Clearview AI had added his biometric profile to the searchable database without his knowledge or consent. The DPA ordered Clearview to delete the mathematical hash values representing his profile but did not order Clearview to delete his captured photos. The DPA’s narrow order protects only the individual complainant because it is not a pan-European order banning the collection of any EU resident’s photos. The DPA decided that Clearview AI must comply with the GDPR, yet this narrow order places a burden on Europeans to have their profiles removed from the database. EPIC has long opposed systems like Clearview AI, filing an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws, submitting FOIA requests with several government agencies that use Clearview AI technology, and urgingthe Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC to Maryland Legislators: Enact Biometric Privacy Law + (Jan. 27, 2021)

    EPIC Senior Counsel Jeramie Scott testified today to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy. HB218 and SB16 are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. "Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised," EPIC told the Committees. EPIC stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog. EPIC previously filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. [Watch the hearing]

  • EPIC Urges DHS to Suspend New Counterintelligence Records System + (Jan. 13, 2021)
    EPIC submitted comments to the Department of Homeland Security in response to a system of records notice and proposed exemptions from Privacy Act requirements for a new counterintelligence records system. DHS's proposed records system would permit nearly limitless collection of sensitive personal information and unchecked disclosure of that information to state, local and international agencies, and to private companies. DHS's proposed exemptions would eliminate all individual rights under the Privacy Act and exempt DHS from basic Privacy Act requirements, including limiting data collection to necessary information. EPIC recently insisted that DHS rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency.
  • EPIC Urges CBP to Halt Use of Facial Recognition for Biometric Entry/Exit + (Dec. 21, 2020)
    EPIC submitted comments to U.S. Customs and Border Protection (CBP) in response to a Notice of Proposed Rulemaking that would drastically expand CBP’s use of facial recognition at airports and land border crossings. EPIC urged the agency to stop using facial recognition to identify travelers. EPIC criticized CBP’s implementation of Biometric Entry/Exit for the agency's failure to even follow its own Fair Information Practice Principles. EPIC recently insisted that DHS rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency. Earlier this year, an EPIC-led coalition called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC Urges Advisory Council to Address Privacy Risks of DHS’s Use of Biometrics + (Dec. 11, 2020)

    In response to a report by the Homeland Security Advisory Council’s Biometric Subcommittee, EPIC urged the Council to table the report until they can address the privacy and civil liberties implications of the Department of Homeland Security’s collection and use of biometrics in full. The Biometric Subcommittee was tasked with examining DHS use and collection of biometrics. The Subcommittee’s report failed to address a rule proposed in September that would broadly expand DHS use of biometrics. EPIC previously argued that the proposed rule, giving DHS broad authorization for biometric collection, was incompatible with the department's Fair Information Practice Principles.

  • EPIC Opposes DHS's Plans to Broadly Expand Biometric Collection + (Oct. 14, 2020)
    In comments to the Department of Homeland Security and U.S. Citizenship and Immigration Services, EPIC urged the agency to rescind a proposed rule to broadly permit DHS to collect biometric from immigrants, their families, and associates. DHS's rule would enable the collection of palm prints, iris images, voiceprints, DNA, and images for facial recognition. EPIC argued that DHS's broad authorization of biometric collection was incompatible with the department's Fair Information Practice Principles. EPIC also specifically called on the agency to suspend the use of facial recognition technology. EPIC previously urged DHS to extend the comment period on this NPRM from 30 days to a standard 60-days for major rulemakings. EPIC consistently opposes biometric collection at DHS. In April EPIC urged DHS to narrow both the use and Privacy Act exemptions for its Insider Threat Database linking biometrics to personal information. Earlier this year, EPIC, joined by over 40 organizations called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
  • EPIC Urges DHS to Extend Comment Period on Massive Expansion of Biometric Data Collection + (Oct. 1, 2020)
    In a letter to the Department of Homeland Security, EPIC urged DHS to provide the standard 60-day comment period for a notice of proposed rulemaking authorizing DHS to expand its biometric data collection practices. DHS would be able to collect finger/palm prints, images for facial recognition, DNA, iris images, and voiceprints from a broad swath of the population, including millions of citizens. The proposed rule would subject immigrants to "continuous vetting" surveillance up-to and even past the time they obtain citizenship. In 2018 EPIC urged CBP to suspend its biometric entry/exit program. EPIC currently leads a campaign to Ban Face Surveillance.
  • CBP Failed to Protect Sensitive Biometric Information in Test of Facial Recognition Program + (Sep. 24, 2020)
    In a new report, the Inspector General for the Department of Homeland Security found that Customs and Border Protection failed to safeguard pictures of travelers obtained for a facial recognition pilot program, the Biometric Entry-Exit Program. The pictures were exposed in a data breach of a CBP subcontractor, Perceptics, LLC. OIG found that the CBP failed to undertake sufficient information security practices to prevent Perceptics from obtaining the data. At least 17 of the images were ultimately released on the dark web. EPIC leads an ongoing campaign to Ban Face Surveillance. In 2018, EPIC urged CBP to suspend its Biometric Entry-Exit Program. EPIC previously obtained documents on that program through a FOIA lawsuit.

Background

The tragic events of September 11, 2001, have led to a closer examination of security measures that might have foiled those devastating attacks and that might prevent similar attacks in the future. Prominent among the various measures being considered is the use of devices that check a person's identity using biometric identifiers such as fingerprints, iris/retina, or facial patterns. Soon after the attacks, Larry Ellison, head of California-based software company Oracle Corporation, advocated the deployment of mandatory national ID cards with fingerprint information to be matched against a national database of digital fingerprints to confirm the identity of the card's carrier. There have been recent discussions between the United States and the European Union concerning the creation of biometric passports.

Biometric identifiers are of course widely used by people to identify each other ñ one might recognize a friend by the sound of her voice, the color of her eyes, or the shape of her face. Devices using biometric identifiers attempt to automate this process by comparing the information scanned in real time against an "authentic" sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape.

The most widely used biometric is the fingerprint identifier. A June 2004 report by National Institute of Standards and Technology (NIST) showed that one-fingerprint identification systems had an accuracy rate of 98.6 percent, while the accuracy rate rose to 99.6 when two fingerprints were used and 99.9 when four, eight and ten fingerprints were used. The report also showed that the accuracy rate for fingerprint identification drops as the age of the person increases, especially for those more than 50 years old.

The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program marked its first anniversary in early January and extended its entry/exit biometric capturing system to 50 of the busiest land ports of entry. The system requires two digital index finger scans as well as a digital photograph of the visitor, which are intended to verify identity and are compared to a vast network of government databases.

There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment. Briefly there are six major areas of concern:

Storage. How is the data stored, centrally or dispersed? How should scanned data be retained?

Vulnerability. How vulnerable is the data to theft or abuse?

Confidence. How much of an error factor in the technology's authentication process is acceptable? What are the implications of false positives and false negatives created by a machine?

Authenticity. What constitutes authentic information? Can that information be tampered with?

Linking. Will the data gained from scanning be linked with other information about spending habits, etc.? What limits should be placed on the private use (as contrasted to government use) of such technology?

Ubiquity. What are the implications of having a electronic trail of our every movement if cameras and other devices become commonplace, used on every street corner and every means of transportation?

News Items

Resources

Previous Top News

  • Human Rights Organizations Urge US Secretary of Defense to Investigate Biometric Database of Iraqis. In a letter to Secretary of Defense Robert Gates, EPIC, Privacy International, and Human Rights Watch warn that a new system of biometric identification contravenes international privacy standards and could lead to further reprisals and killings. The groups cite the particular risk of identification requirements in regions of the world torn by ethnic and religious division. The groups also note a 2007 report from the Pentagon's Defense Science Board that said military use of biometric data raise substantial privacy concerns. For a discussion of identity systems and threats to privacy, see "Privacy and Human Rights Report 2005." See also Privacy International resources. (Jul. 27)
  • Britain Increasing Use of Biometrics on Schoolchildren. The British Educational Communications and Technology Agency (BECTA) released guidelines for UK schools, "BECTA Guidance on the Use of Biometric Systems in Schools." BECTA explained that the collection of schoolchildren's fingerprints is covered under the Data Protection Act of 1998, care must be taken if such data is collected, and "schools have a duty to ensure that all the personal data they hold is kept secure." At the same time, the UK Information Commissioner's Office also issued guidance (pdf) on biometrics collection from schoolchildren, who can be as young as five years old. The Office agreed that such data collection was covered by the Data Protection Act of 1998 and told schools that they "should explain the reasons for introducing the system, how personal information is used and how it is kept safe." It is not known if parents fully understand that, when investigating a crime, the UK police are allowed to access schools' biometric databases without parental permission. (Jul. 23)
  • U.S. Military Builds Biometric Database on Iraqis. USA Today reports that U.S. troops are using mobile scanners to capture fingerprints, eye scans, and input other personal data from hundreds of thousands of Iraqis. Although General Patraeus has indicated that the purpose is to identity insurgents, U.S. troops are stopping Iraqis at homes, checkpoints, workplaces, and "In several neighborhoods in and around Baghdad, troops have gone door to door collecting data." A March report (pdf) from the Pentagon's Defense Science Board said military use of biometric data raise substantial privacy concerns. For a discussion of identity systems and threats to privacy, see "Privacy and Human Rights Report 2005." See also Privacy International resources. (Jul. 18)
  • Federal Air Marshals to Surreptitiously Photograph Travelers. The US Department of Homeland Security is investing in face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere to check whether they are in terrorist databases. The Los Angeles police department already is using handheld facial recognition devices. See EPIC's Video Surveillance page. (May 10)
  • EPIC Recommends Against Use of Universal Identifiers. In comments (pdf) to the Federal Trade Commission, EPIC warned against using universal identifiers, such as biometrics, in authentication systems. EPIC explained that a biometric identifier cannot be changed by a victim once his or her identity has been breached -- a fingerprint is unalterable. "Any move toward universal identifiers, while potentially deterring amateur thieves, increases the potential for misuse once determined criminals steal that data," EPIC said. For more information, see EPIC's National ID Cards and REAL ID Act page. (Mar. 23)
  • Joint Paper on Biometric Encryption Released. Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, released a joint research paper with Dr. Alex Stoianov, an internationally recognized biometrics scientist. The paper, entitled, "Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy," discussed how biometrics can be deployed in a privacy-enhanced way that minimizes the potential for surveillance and abuse, maximizes individual control, and ensures full functionality of the systems in which biometrics are used. The paper suggested that biometric encryption could address the privacy, security and trust problems of current biometric information systems. With biometric encryption, instead of storing a sample of one's fingerprint in a database, you can use the fingerprint to encrypt or code some other information, like a PIN or account number, or cryptographic key, and only store the biometrically encrypted code, removing the need to collect and store the biometric itself. (Mar. 14)
  • European Commission Plans Multinational 'Centralised Database of Fingerprints.' The European Commission has revealed (pdf) that one of its "key actions envisaged for 2008" is "implementing a centralised database of fingerprints." The proposal for a massive database of fingerprints from all 27 EU countries prompted accusations of "Big Brother Europe." The database would include fingerprints of suspects and people released without charge, as well as those convicted of crimes. The cost and scope of the massive EU-wide fingerprint database are being assessed, but the goal is to create the database by the end of 2008. Questions remain about whether the third-party countries, such as the United States, would have access to this centralized repository of EU citizens' fingerprints. (Feb. 21)
  • Prum Treaty Signatories Agree to Share Access to Fingerprint and Motor Vehicle Databases. Home Affairs ministers of signatories to the Prum Treaty agreed to share access to each nation's fingerprint and motor vehicle databases. Austria, Belgium, France, Germany, Luxembourg, Netherlands, and Spain signed the treaty in 2005. Italy, Finland, Portugal, Romania, Slovenia, and Sweden and Romania issued formal notification of their wish to sign, as well. This continues an expansion of international sharing of fingerprint data. The Philippines and the US are cooperating on a joint database. (Jan. 15, 2007)
  • UK to Gather Biometrics From Foreign Nationals. The UK Home Office today announced a plan to "record[] biometrics for everyone from the 169 nationalities outside the [European Economic Area] applying to work, study or stay in the UK for more than six months, and for people from 108 nationalities applying to visit the UK," to be implemented by 2008. The UK plans (pdf) to record fingerprints and facial images and also plans to begin issuing biometric ID documents to foreign nationals by 2008. (Dec. 19)
  • Police Increasingly Using Handheld Fingerprint Scanners. Traditionally, fingerprint biometrics have been used in law enforcement investigations of crimes; used in laboratories and courts to identify criminals. However, law enforcement has begun using fingerprint databases outside of these contexts. In Australia and the UK, police now carry handheld fingerprint scanners so that they can quickly identify people on the streets, such as drivers who are pulled over for a traffic violation or pedestrians "suspected" of criminal offenses. The police obtain "permission" from suspects, but the voluntariness of such permission is suspect, and then check for matches in a database containing 6.5 million fingerprints. The portable biometric devices used by Australian police are made by French electronics company Sagem and can hold up to 100,000 fingerprints. (Nov. 22)
  • European Data Protection Supervisor Says Biometrics Are Unreliable. European Data Protection Supervisor Peter Hustinx criticized (pdf) the increasing usage of biometric identifiers and databases by governments. He said that fingerprint and DNA identifiers are too inaccurate. He also called for stronger data protection legislation for these large databases. (Mar. 10)
  • Government to Test E-Passports in San Francisco. The Department of Homeland Security will begin testing e-Passports on Sunday at San Francisco International Airport. The e-Passports contain Radio Frequency Identification chips, which transmit information wirelessly. Testing conducted last year revealed that "contactless" passports impede the inspection process, according to documents (pdf) recently obtained by EPIC under the Freedom of Information Act. EPIC has urged (pdf) the agency to abandon the use of such technology in passports because of significant security and privacy issues. For more information, see EPIC's RFID page. (Jan. 13)
  • Minnesota Will Begin Using Face Recognition on Driver's Licenses. Minnesota Gov. Tim Pawlenty has announced plans to add facial recognition technology to driver's licenses as part of a plan protect consumers from identity theft. This plan includes stronger criminal penalties for hackers and others who abuse access to personal data on computers. The state will scan photos on current driver's licenses to create the new facial recognition files. (Jan. 9, 2006)
  • Australian Airport to Test Biometrics. The Australian Immigration minister announced a six-month biometrics trial at the Sydney airport. During the testing, fingerprints, iris scans, and facial data will be collected from selected travelers on a voluntary basis. About 9 million people per year enter and exit Australia. The trial is part of a four-year program of testing and implementing biometrics systems across different government departments. (Sept. 29)
  • Australian Police to Carry Portable Fingerprint Scanners. New South Wales Police will begin using portable, handheld fingerprint scanners by the end of 2006. These portable biometric devices, made by French electronics company Sagem, can be used during routine traffic stops for on-the-spot identity checks. They hold up to 100,000 fingerprints, according to Sagem. (Oct. 14)
  • More Biometric Information Gathered for US-VISIT. The Department of Homeland Security announced that it would expand the collection of biometric data from visitors entering the country through the US-VISIT program. From its inception in 2003, the US-VISIT program has used a two-fingerprint identification system, but Homeland Security now will begin collecting a full ten-fingerprint set from travelers. This expands the already vast amount of personal data accumulated by the program, including some data about U.S. citizens and legal permanent residents. This information includes complete name, date of birth, citizenship, country of residence, address while in the United States, and such other information. (July 13)
  • Germany Approves Plan to Add Biometric Data to Passports. The German Parliament has approved a proposal to introduce new electronic passports containing biometric data. A chip will contain a digital picture of the traveler's face, and store fingerprints starting in March 2007. These new "ePass" passports will be issued beginning in November. The ePass uses a Radio Frequency Identification chip to store and transmit information to specialized readers that will be installed in all border stations. Officials say the chip can only be read by calculating a special access code when the booklet is opened. The new passports will cost German citizens 59 Euros ($71) each, more than double their current cost of 23 Euros ($27). (July 8)
  • Lufthansa, Siemens Roll Out Biometric Ticketing System. Lufthansa, Germany's national airline and the third biggest in Europe, is testing biometric ticketing on 400 of its employees at Frankfurt Airport. The system, designed by Siemens, translates a thumbprint into a barcode at check-in. Then, before boarding, the barcode is scanned and matched with the passenger's thumbprint for verification. The pilot project is called "Trusted Traveler" and is expected to be widely implemented by 2006. Lufthansa says the program will be voluntary, but will encourage its frequent fliers to have the thumbprint barcode added to their frequent flier cards. (July 6)
  • Orlando Airport Debuts Biometric ID Traveler System. Orlando International Airport has begun test operations of a registered traveler program. In exchange for an exclusive security line and a guarantee against random secondary pat-down check, travelers offer their biometric information, fingerprints and iris scans, and undergo a background check by the Department of Homeland Security. Program participants, who must pay an $80 annual fee, still must have bags screened and go through a metal detector. (June 27)
  • US Backs Down on Biometric Passports for EU. Acknowledging international concerns, the United States will revamp its biometric passport requirements to make it easier for foreign travelers from friendly nations to enter the country without a visa. The new passport standards require digital photographs to match with a person's unique physical characteristics by October and an embedded identification chip later. However, the Department of Homeland Security still plans to require expanded biometric data in passports in the future. (June 14)
  • Congress Passes Controversial ID Bill Without Debate. The Senate yesterday approved the supplemental military spending bill to which the REAL ID Act had been attached. The legislation mandates federal identification standards and requires states DMVs, which have become the targets of identity thieves, to collect sensitive personal information. Legislators in both parties urged debate and more than 600 organizations opposed the legislation. The new licenses would have more personal information than current licenses, and may include biometric identifiers. (May 11)
  • EPIC Urges Privacy Review of Transportation Biometric ID. In comments filed today, EPIC urged the Transportation Security Administration to delay its test of biometric technology for transportation workers until it conducts a comprehensive Privacy Impact Assessment. The assessment should allow the agency "to ensure protection of the privacy rights of program members." EPIC said that the program must comply with the federal Privacy Act and noted that there are unique problems associated with biometric technologies, including the varying degrees of error, the risk of circumvention, and the likelihood of "mission creep." (Mar. 18, 2005)

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security