I have been engaging with folks who work developing biometric systems and folks who are concerned about biometric systems, in preparation for the Thoughtful Biometrics Workshop coming up March 16th.
Two weeks ago I attended the Biometrics Regulation: Global State-of-Play Symposium (one-to-many talking on Zoom with no chat function) put on by the Berkeley Center for Long-Term Cybersecurity.
"The aim of the virtual symposium is to discuss the global state-of-play for biometric data protection. We want to think more critically about biometric technologies as well as biometric regulation. As a result, we want to merge conversations on data protection compliance with broader technological, social and policy issues in different biometric technologies." – Workshop Description, Biometrics Regulation: Global State of Play Symposium
The presentations were interesting and it was great to have folks from all around the world present. India’s Aadhaar system was discussed and a newer system that has similar qualities was just rolled out in Brazil.
However, something was very concerning: throughout the discussion there was repeated conflation of biometrics with digital ID. This conflation is a problem. We need to have a real discussion about both, but without conflating them.
I’ve been working on “Digital Identity” since 2002-3, and the folks that inspired me to look at this issue were really considering how independent people expressed themselves in the digital world with their handles or avatars. This really began with the general public with the first internet services in the west like AOL, CompuServe and Prodigy. When you signed up to these services you picked a handle/user-name, or maybe a few, and that likely connected to an e-mail account. This user-name and the email associated with it are “digital identities”. Your Twitter handle is a digital identity. Your Gmail account or Yahoo account is a digital identity.
In the last 10 years you have these large-scale national ID (Aadhaar) systems being developed (MOSIP) and pushed out to whole populations. In order to get a “record in the digital database” as a citizen, you have to go through an enrollment and registration system that requires you to share your biometrics: often a photo, iris scans of your two eyes and a capture of all 10 fingerprints. Then this national system deduplicates you (makes sure you didn’t already enroll) and issues you an ID number that is in the digital database of the nation state.
These national ID systems then create ways to “authenticate” against the database, that is, to prove that the person is represented by a given number/record in a database.
This is a very different architecture/design of digital identity than people having accounts in digital services. These two very different paradigms of what “digital identity” is are part of the massive confusion around the language we are using.
There is a new paradigm of digital identity that involves collecting and sharing attributes from authoritative sources in the form of Verifiable Credentials. This is yet another type of decentralized digital identity that I spend a lot of time these days working on, and I convene people working on it at the Internet Identity Workshop.
Several years ago I co-wrote a paper about how biometrics could play nice with this new decentralized digital identity, called Six Principles for Self-Sovereign Biometrics. If you look at what US Citizenship and Immigration is doing with their rollout of digital green cards using verifiable credential technology, the credential on the digital green card holder’s wallet will have a photo encoded that, when presented, can be checked against the presenter’s face in real life. This aligns with what we outline. There is no “phone home” to the USCIS database to pull the photo and then compare: the needed biometric, a photo, is digitally signed and in a credential that can be compared with the presenter.
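
To make the "no phone home" design concrete, here is an added sketch (not code from this post, from USCIS, or from any verifiable credential library) of a checker validating a signed photo using only the issuer's public key. The credential layout, the names Issue and VerifyOffline, the Ed25519 signature and the sample values are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified, hypothetical stand-in for a verifiable
// credential (not the W3C data model): claims plus the holder's photo.
type Credential struct {
	Subject   string `json:"subject"`
	Photo     []byte `json:"photo"` // the biometric travels inside the credential
	Signature []byte `json:"-"`     // issuer signature over the fields above
}

// Issue is run once by the issuer: it signs subject and photo together.
func Issue(priv ed25519.PrivateKey, subject string, photo []byte) Credential {
	c := Credential{Subject: subject, Photo: photo}
	msg, _ := json.Marshal(c) // Signature is excluded from the signed bytes
	c.Signature = ed25519.Sign(priv, msg)
	return c
}

// VerifyOffline is run by the checker with only the issuer's public key.
// It makes no call to the issuer's database. On success it returns the signed
// photo, which is then compared locally with the presenter's face.
func VerifyOffline(pub ed25519.PublicKey, c Credential) ([]byte, bool) {
	msg, err := json.Marshal(c)
	if err != nil || !ed25519.Verify(pub, msg, c.Signature) {
		return nil, false // subject or photo changed after issuance
	}
	return c.Photo, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed issuer key pair
	cred := Issue(priv, "holder-123", []byte("constructed photo bytes"))

	_, ok := VerifyOffline(pub, cred)
	fmt.Println("genuine credential accepted:", ok)

	cred.Photo = []byte("a different photo") // photo replaced after issuance
	_, ok = VerifyOffline(pub, cred)
	fmt.Println("photo-swapped credential accepted:", ok)
}
```

The face comparison itself happens at the point of presentation and is outside this sketch; the point is that the issuer never learns when or where the credential was shown.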