Biometric systems

A synopsis of the arguments presented in:Oliver Subotic, Biometric Systems of Identification: A Critical Study (Serbian language, PDF version)

1. Biometric identification systems should, primarily, be approached from the context of the implications they have for society, and not through questions about their practicality or applicability. This approach would, of course, have to be of an inter-disciplinary nature, encompassing the fields of ethics, information technology, law and sociology. Any attempt to reduce the question of biometric identification systems to just one of the aforementioned fields will lead astray the results of any study, leading to misplaced conclusions the consequences of which can be far-reaching.

2. The implementation of biometric identification systems on the basis of political volunteerism, and without critical appraisal and extra-academic debate, is unacceptable. Political institutions are frequently poorly informed about this field and mostly rely on information provided by corporations which produce biometric identification equipment, causing a conflict of interest. No free society can allow questions of identification management to be resolved by political/ interested parties, instead the initiative must come from expert panels and scientific institutions working in the relevant fields. As well as expert, scientific recommendations it is necessary to take into account the opinion of the public on these matters. For, should there be a lack of widespread public support for biometric identification systems, they should not be adopted.

3. The sensationalist and superficial approach of the press when dealing with this subject makes even more difficult the task of experts and scientists to provide sufficient information that could enable them to conduct adequate studies of public opinion. Therefore, public expert panels, round table discussions and debate on the topic, are vital for this issue. These must be conducted before any broad-spectrum implementation of biometric identification systems. In the event that a debate on the issue does not take place before the implementation of such systems, any further discussion loses its significance and becomes nothing more than a formal cover for uncritical, politically motivated solutions.

4. The automatic processing of biometric information is a key aspect of modern biometric identification systems. Rudimentary biometric identification is an historical predecessor of such systems but cannot truly be compared with them precisely because they lack the capability to automatically process data. No comparison can be made between electronic and non-electronic biometric information systems due to differences in function, processing speed, speed of access and the ability to directly amalgamate information. Though modern systems are widely believed to be infallible, both theory and practice show that they are still decidedly in the early stages of development.

5. The possibility of anonymity must not be revoked where it can be maintained. In cases where biometric information is surplus to requirements, for example the implementation of e-government, it should not be incorporated into the system, as this would be a disingenuous way to introduce the technologies into everyday use. The technology to implement biometric identification system must not be an end in itself; instead it must remain a tool, balanced by widely accepted ethical principles. In the event that the technological solutions and the legal norms do not correspond, the latter should always prevail. This principle ought to be applied to biometric identification systems.

6. A moratorium, suggested by experts, on the further application of biometric identification systems until the legal mechanisms for their use can be comprehensively examined is both realistic and practical. However, it would first be necessary to conduct a thorough study into whether biometric identification systems truly change the nature of political interaction in society; do they affect the relationship between the individual and the state, and would their ultimate implementation open the possibilities for a totalitarian future? Approaches which deal primarily with issues relating to the technical feasibility of such systems, without emphasising the basic ideals society is built around, can lead to a progressive erosion of legal norms and the principles they are founded on.

7. The problems that arise as a result of uncritical implementation of biometric identification systems cannot be solved by self-regulating measures. The ethical, legal and security issues that arise must be critically and thoroughly scrutinised and must be resolved prior to the definite implementation of such systems. The principle of convalidation must not be applied to cases of demonstrable illegality of the project.

8. Solutions that are based on voluntary use should always be given precedence as much as this is possible. In this case, the timely prevention of any potential discrimination is vital. It is clear that political actors generally favour the widespread use of biometric identification systems in an invasive manner. The justification for this approach is most usually the need to combat terrorism and organised crime, or simply the modernisation of government. These arguments, however frequently employed, are not supported by reality and cannot withstand thorough critical examination.

9. Any private sector implementation of biometric identification systems must be in compliance with legal norms regarding data protection and the protection of individual identity. In the event that such norms have not been established in a given society, the private sector should be prohibited from employing systems of this kind until their use can be precisely regulated by appropriate legislation. Likewise, data protection and identity protection laws must be correctly standardised, especially relating to sections intended to specify new categories of criminal activity and their prevention.

10. The concept of a central database for biometric, and associated, information has the potential to realise an information-controlled society. Even though the perception of ordinary members of the public is that the actual device storing an individual’s biometric information (for example, a smart I.D. card) is the problem, from an ethical, legal and information technology point of view the main bone of contime, if combined with other databases, a biometric database would have the potential to become an all-seeing substratum. The interlinking of compatible databases can be accom plished in a number of different ways, however, in practice it is reduced to the use of one universal alphanumeric identifier. The increase in the concentration of political power, the internal/external vulnerabilities of such databases and the potential for the creation of an information-controlled society are all factors that make the implementation of a central biometric database, which can interlink with other relevant databases, an affront to the idea of liberal society and should be prevented by law.

11. Future incarnations of uncritical implementation of biometric identification systems suggest the creation of total surveillance and control over all transactions. The current generation of technology, i.e. single-role smart cards, is not the problem. It is the rise of future, multi-role technologies possibly involving a biochip (electronic implant), which is completely unacceptable to the majority of people today. The idea of a biochip is particularly troublesome in societies with a Christian cultural background as it could evoke St. John’s prophesies and also due to the fact that disagreement over this issue could be manipulated by interest groups to create division and strife amongst dissidents.

12. The political pressures for an uncritical acceptance of biometric identification systems have, in liberal countries, traditionally been resisted by academic institutions, expert groupings, the thinking public and NGOs dealing with the protection of the right to privacy. In countries with a majority Orthodox Christian population, active resistance has come predominantly from the Church. The greatest resistance has been gauged in countries with a common law tradition, and the least in countries in the Middle and Far East. There are cases of countries overturning the uncritical implementation of such systems through judicial or parliamentary intervention, public pressure or even where such concepts were compromised through security lapses. There are also, economically well-developed, countries with a highly liberty-conscious public where such systems are in use on a voluntary basis.

13. In order to take a balanced view of the implementation of biometric identification systems it is necessary to understand their historical background and the sociological milieu they are introduced into so that conclusions can be drawn on a case-by-case basis. Also, it is necessary to be aware of the differences between various forms of implementation, the type of identification documentation, the existence (or not) of central databases, the inter-operability and extent of biometric information on file. It is absolutely unacceptable to draw generalised conclusions on the basis of different forms of implementation.

14. In 2003 the Serbian state unveiled its own biometric identification system project for the republic’s citizens. Legislation passed in 2006, which legalises the government’s efforts in this field, is a classic case of adopted volunteerism in identification management; an instance in which the equipment is purchased – in a manner that is in breach of certain laws but which will be legalised after the fact – and installed before any kind of public or parliamentary debate can take place. Serbia has, in this way, become the very epitome of an uncritical approach to the introduction of biometric identification systems and is enacting policies which clash with every single conclusion this study makes. On the other hand, the antinomy of Serbia’s case is reflected in the resistance offered by the public, with the assistance of reputable institutions, which managed to force a re-evaluation of the project and the implementation of biometric identification systems on a partly voluntary basis. This seems to place Serbia firmly in the very small group of liberal countries which have had similar experiences, however, there is one thing holding Serbia back; the authorities still intend to introduce a unified (now separated) identifier and a central biometric database.

15. In cases like that of Serbia and the rest of the free world, the principled defence of the freedoms contemporary society is founded on is of vital significance. This defence must include active involvement, in a constructive discourse, of the relevant technical and scientific institutions which will then be in a position to determine the guidelines necessary for critical implementation of a biometric identification system. Approaches based on political volunteerism and uncritical modernism inevitably lead to a less than bright statist future.



Biometrics, Security and Human Rights (public debate in Belgrade`s Media Center,  3rd of March 2008 )

Oliver Subotic`s statement

Even during the first panel it was obvious that this issue was controversial. We have, before us, diametrically opposed opinions. The natural question is: why is this so? Diametrically opposed opinions, on the issue of biometrics, is not a phenomenon unique to Serbia, the situation is the same around the world. How have we arrived at this situation?

Is there some abstract reason or can everything simply be reduced to such a formulation in order for it to be understood more easily?

I would like to briefly return to one very superficial argument of neo-Luddism, an argument I once answered when a political scientist claimed that a new kind of Luddism had emerged in the 21st century and that this is the explanation for everything. I asked him why hundreds of professors and expert associates of the London School of Economics were opposed to the project. Why were many, lets say prestigious computer scientists principally (note, not just practically but principally) opposed to biometric identification systems. I have frequently had the opportunity to mention Professor Roger Clarke from the Australian National University, also Bruce Schneier the world’s greatest cryptography expert, and many others; people who are without a doubt pre-eminent authorities in the field of information technology.

My personal opinion is that the deep divisions within this field are a result of the different methodological approaches used to study it. First of all, therefore, if we return to the differing methodological matrix, it seems to me the problem is the altogether too frequent reversion to reductionism. Namely, that the issue of introducing biometric identification systems and their study is most often reduced to the technical problems of their application, and also, perhaps, on their compliance with existing legal norms. The issue is not viewed as part of a wider context and there are too few inter-disciplinary studies that could examine the various aspects of this problem. Filip mentioned my study, which I endeavoured to conduct utilising this kind of methodological approach. I hope to have succeeded, at least in part. You will find this study before you today and it was unveiled to the public a year ago. It came out in the publication of the Belgrade Institute for Political Studies.

The second precondition that must be fulfilled, if this question is to be comprehensively covered, is a high level of detachment and objectivity. In other words, I do not believe that all opinions ought to be given the same weight. One cannot, after all, compare the opinions of leading biometrics corporations, which are trying to sell their equipment and which are ruled by profit alone, and the aforementioned London School of Economics study. Above all because reputable academic institutions are keen to maintain the highest levels of detachment and objectivity. In the same way we cannot be guided by attitudes that can be found in the tabloid press. They are likely to release sensational news stories about who knows what kind of systems simply to sell more papers. Therefore, in the study of this issue, and that is another aspect of the whole story, we must always, and without exception, start from academic circles. That is my personal opinion and I hope that you will allow me it.

And third aspect I would like to say a few words about is the fact that biometric identification systems should primarily be scrutinised in the context of their social implications. Though problems of a technical nature do exist, we heard about a few of these during the first panel, they are not the most significant. The problem of social implications should be divided into the immediate and current social implications and those that may arise in the near or distant future. Immediate social implications are already evident in the Anglo-Saxon world. I’d like to remind you that, until recently, in the English-speaking world, biometric information of the sort we are discussing here today could only be taken from criminals. You are aware, I’m sure, that the FBI has the world’s largest biometric database that is made up of, I believe, around 60 million fingerprints. I believe that is the largest biometric database in the world. Only recently has biometric information been taken from ordinary people. That is already sending a particular kind of message. First of all, it smacks of distrust between the state and its citizens. The state has little faith in its citizens and that de facto affects, at least indirectly, the principle of innocence until proven guilty; a fundamental right in any free society. The mistrust, therefore, becomes reciprocal. Because when the state does not have faith in its citizens it creates an uneasy feeling amongst the population, not so much mistrust, more a sense of unease. Because of the fact that the public is aware that the state is gathering enormous amounts of information about them, we enter into a kind of vicious cycle. This suspicion of the population is, to a certain degree, compounded by a form of insecurity. You have probably followed the cases of massive information theft, especially in the UK, over the last few years. This leads to a feeling of insecurity amongst the public, raising the question of what will happen to their information once the databases become centralised.

A minute ago I mentioned that biometric information is alarmingly sensitive information. Why? Well, if it is compromised or stolen, it cannot be replaced by different information. Simply put, biometrics remain the same throughout an individual’s entire life and so their theft is permanent. These are some of the imminent social implications. I personally belong to the camp that believes that this project is not problematical because it has social implications now, but because of the implications it might have in the future. This is what professor Clarke is talking about when he says that this is the thin end of the wedge that will open up space for totalitarian projects further down the line. In other words, the greater the volume of information, on members of the public, that is in the hands of any regime, the greater the risk. This is particularly the case as we move towards centralised databases and the use of unified identifiers for various transactions. For example, here in Serbia the unified identifier is, as you know, the JMBG (Unified Citizens’ Number). This JMBG should be the topic of another discussion considering the new Law on ID Cards suggests, as far as I know, that this number be combined with that of the user and one of his parents. A move that allows for direct cross-referencing of databases. But this is a separate issue, which I won’t delve into.

What is the basic problem with these systems? The fact that biometric identification systems uniquely designate the provider of the biometric information will, in the near future, be a viable form of identification for financial transactions. In the West, there are pilot projects, which are slowly becoming more widely accepted, for bio-pay systems with which a user can make payments, exclusively on the basis of his biometric characteristics with no need to carry even a credit card. The basis for these kinds of systems is a pre-existing, centralised, biometric database through which the user can be identified. What is also very interesting is that prices for these kinds of payments are significantly lower making this, in many ways, an unfair way to introduce biometric identification systems. If in the near, or not-so-near, future things move towards the integration of ID documents and if biometric identification systems or some similar concept is used to completely abolish any anonymous money transfer (perhaps in the event of another security scare) we would have an information controlled society. If all monetary transactions, of every individual, can be controlled, the individual will undoubtedly become an opportunist. Allow me to give you an example. Imagine, if you will, a man who for years purchases an opposition publication but does not want this to be publicly known, for whatever reason, perhaps he doesn’t have the strength of his convictions. At the moment, his purchase of this publication can go completely unnoticed; he’ll go to a newsstand, pay for the magazine with cash and go on voting for the party he supports. In the event that all payments are automatic, as they naturally would be if we are uncritical of this phenomenon, if we say, let it develop the way it wants to, self-regulating. Then tomorrow we will find ourselves in the situation that that individual will not only avoid buying his opposition publication, because he will assume that somebody somewhere is tracking his purchases and is worried that he might lose his right to a stipend or that he will not be respected in society. We will find ourselves in the situation that this individual will take every moment he can to behave like an opportunist. I am sorry that Ms Koljević could not make it here today, I expected her to talk a little more about so-called panoptic surveillance, as I am not as familiar with the philosophies of Michel Foucault. I assumed that she will talk in a little more detail about that because that is at the crux of the issue. All intellectuals concerned by this issue point to something called the information controlled society as the end product if we continue to think about this kind of panoptic system uncritically. Panopticum is what Foucault called it. Ejdus has also written on the subject, which is why the text is so important. This is especially problematic for the bio-chip solutions, which is why philosophers must actively engage in the debate. I’ll just say one more thing. You are all probably interested to know why it was the Church in Serbia that was amongst the first to react to what had happened. How come the Church suddenly has something to do with biometrics? The reason is very simple. In the beginning groups of church-goers took the initiative to ask their bishops whether these new biometric identification systems were some sort of technological gambit similar to the technological super-system described in the Book of Revelation. In the Book one, and I’ll only mention this without going into dogmatic details, one world power uses a specific system to mark people and control absolutely everything, all transactions, and those who refuse to accept such a system are marginalised. The bishops next move was, in my opinion, the best possible. They didn’t try to resolve the problems of biometric identification systems on their own, they aren’t engineers but theologians. Instead they called in the experts, computer scientists, lawyers, philosophers, sociologists, political scientists, and so on, and they organised several symposia. The Eparhija Žička took the lead on this and, in the end, the Synod asked the Church to produce a study for its own uses, so the Church could, as precisely as possible, determine its attitude towards this new technology. The Synod then ordered me, as the Officer of the ID Centre at the Belgrade Seminary, to compile an expert analysis, which then enabled me to conduct a study five times larger. On the basis of the conclusions drawn from symposia and conventions, the Church made its decision, that the project must be reviewed, that there should be a public debate, that the government should suggest a moratorium on the whole system until it has been re-examined and, finally, that the law be retracted as it is poorly written. This decision was supported by various non-governmental organisations. Mr Pavić is the president of one of these. A little while ago Mr Šabić was mentioned, he also supported this critical stance. Independent intellectuals also supported the cause and wrote papers on the topic. It all seemed to start rather spontaneously and in the end, thank God, it bore fruit. Some amendment was issued, which, in itself, is not a good solution but it is better than nothing. Even so, there is plenty of room for more changes. Now I will begin to conclude my talk. When biometric identification systems are in question, a critical approach and proactive examination of the whole issue are imperative. Every opportunistic or reactive stance, every attempt to hide behind a culture of security without any personal opinions whatsoever is, I believe, leading us towards a totalitarian society either in the near or distant future. I personally believe that the lion’s share of the responsibility for this issue rests on the shoulders of the academic institutions and the representatives of authentic public initiatives, such as the one made possible today by the Centre for Civil-Military Relations.