Privacy advocates across Canada have been struggling to prevent the Ontario provincial government from passing legislation that will see radio identifiers and biometric data inserted into future Ontarian drivers licenses. In spite of their efforts to raise the government’s awareness of the privacy dangers accompanying the proposed licenses, it appears as though their work may been in vain: Bill 85 is now in its final reading, and is widely expected to be passed on November 17th, or shortly thereafter, when the reading continues.
Ontario, and the rest of Canada, is being forced into including radio and biometric features in future drivers licenses by the United States government. As a consequence of the U.S. Western Hemisphere Travel Initiative (WHTI), all Canadians and Americans who cross into the U.S. at a land border with just a driver license will be required to present an Enhanced Drivers License (EDL) as of June 1, 2009. While the radio ‘feature’ is disturbing in its own right, insofar as it emits a unique identifier whenever brought into range of a reader, I want to focus on the biometric features of these cards, why they raise human rights and civil liberties concerns, and the risk of function creep associated with the biometric facets of EDLs.
WHTI-Mandated Biometrics
The EDLs that Canadians and Americans will need to enter the U.S. include a picture of a driver’s face that can be analyzed against an American-Canadian facial database. To enroll in the database, individuals must first have their images captured, after which the computer system converts the image to a biometric template that is stored in a shared American-Canadian database. Next, the biometric template is used to authenticate a person’s identity, ensuring that the biometric data that is provided recalls the precise template for the individual in question. Finally, and arguably the most concerning, the system performs an identification process, where the biometric data is compared to all of the records held in the database. This final stage allows for mass analysis of images in the database against incomplete facial templates, such as those derived from security cameras.
The WHTI-mandated biometrics are intended to guarantee the identity of individuals at the border while providing an extra level of difficulty in creating illegal identity documents. In theory, because these licenses crosscheck between the image provided, and the one entered into the government database, it is less likely that phony IDs can be used to cross the Canadian-American border. Beyond this security feature, the American and Canadian governments argue that placing these biometrics in identity documents will enable airports to process travelers more efficiently because of the redundancy in evaluating a person’s identity. The WHTI mandates are publicly stated as securing America while providing convenience to Americans and Canadians alike.
Current Issues with the Proposed Biometrics
Several issues arise when citizens provide their biometric information to central government agencies. To begin, there is the matter that biometric authentication relies on a statistical pattern recognition technology. We do not live in Jack Bauer’s nightmare world of 24, where computers accurately and easily identify faces against government databases; in the real world there is a likelihood that images will be misidentified. Such misidentifications can lead to an inability to move internationally, and given the ‘ease’ of removing oneself from the American and Canadian ‘no-fly’ lists it is likely that any immobility imposed by mistaken biometric associations will be long-term conditions. Inviting the possibility of such immobility is an affront to Canada’s commitment to the Universal Declaration of Human Rights, which mandates that “Everyone has the right to leave any country, including his own, and to return to his country” — the biometrics, as proposed, may deny Americans who have come to visit Canada from reentering their own nation, or prevent Canadians from enjoying their right of international movement. Regardless of America’s hesitance to sign the Declaration, Canada and her governments should attend to their obligations and resist the licensing changes on behalf of both Americans and Canadians.
In addition, there are concerns that the biometric proposals would fly in the face of privacy protections offered by Ontario’s Privacy and Information Commissioner, Dr. Ann Cavoukian. In her open letter to the Hon. D. Tsubouchi on April 5, 2001 she warned that, “…there must be no ability to compare biometric images from one data with biometric images from other databases or reproductions of the biometric not obtained from the individual.” Her caution was offered during a time that the Ontario government was considering issuing smart cards, and it still echoes today: people must be aware of all uses of their biometric data and consent to its use. In the case of Ontario, the government has been silent on the possibility of American authorities using the biometric information provided by the drivers license database for purposes beyond border screenings.
Finally, we live in a world where identity theft is becoming more sophisticated, more harmful, and more common. Were a person to successfully enroll in the biometric-program associated with the drivers license using another person’s identity, then the thief would have effectively stolen another person’s face for the purposes of computer-algorithm authentication. In a situation like this, how do we adjudicate when the correct person uses a license? The danger of ‘losing’ biometric information places innocent citizen at substantial risk of being accused of actions they are not responsible for. Research groups have demonstrated that there are substantial costs that follow from having one’s identity stolen, with costs reaching as high as thousands of dollars. How much will these costs skyrocket when biometric data is included in the information that thieves steal?
Function Creep
In the case of the American-mandated drivers licenses, there is a considerable worry of function creep that could ensue after they are distributed to the public. Interpol has recently announced that they want to begin using a facial recognition database to catch suspects by using a facial recognition system at borders, and various law enforcement agencies in Canada and the United States have similarly expressed an interest in this mode of discovering and identifying suspects. Imagine how much safer society might be; by using a massive government-sponsored facial database it would be far easier to identify dangerous elements in society!
While this might, initially, sound like a positive thing there are (at least) two associated dangers with this kind of function creep. First, any such use of the biometric data for these purposes would exceed the intent that the data was collected for — citizens should always be notified, and be required to give their consent, when their biometric data might be used for either private or public purposes. Second, and perhaps of even greater concern, biometric analyses are not wholly accurate. Accuracy rates plummet when less than ideal images are used in facial comparisons — the images taken from a security camera, for example, provide poor templates to search against the database. Searching the drivers license database with poor templates would risk implicating a great number of people as ‘suspects’ in a crime, based on poorly constructed computer-algorithms. The prospect of being a suspect on the basis of a computer foul-up is a less than heartening thought to the innocent.
Voltaire famously wrote, “It is better to risk saving a guilty man than condemn an innocent one.” We should heed his sound advice, and rethink the deployment of identity cards that will almost inevitably condemn the innocent to hardships in our governments’ incessant drives to ‘secure’ the societies that they govern from the guilty.