eBook - ePub

Data Protection and Privacy, Volume 11

Name: Data Protection and Privacy, Volume 11
Author: Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert, Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert

The Internet of Bodies

Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert, Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert

344 pages
English
ePUB (mobile friendly)
Available on iOS & Android

eBook - ePub

Data Protection and Privacy, Volume 11

The Internet of Bodies

Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert, Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert

Book details

Book preview

Table of contents

Citations

About This Book

The subjects of Privacy and Data Protection are more relevant than ever, and especially since 25 May 2018, when the European General Data Protection Regulation became enforceable. This volume brings together papers that offer conceptual analyses, highlight issues, propose solutions, and discuss practices regarding privacy and data protection. It is one of the results of the eleventh annual International Conference on Computers, Privacy, and Data Protection, CPDP 2018, held in Brussels in January 2018. The book explores the following topics: biometrics and data protection in criminal justice processing, privacy, discrimination and platforms for men who have sex with men, mitigation through data protection instruments of unfair inequalities as a result of machine learning, privacy and human-robot interaction in robotized healthcare, privacy-by-design, personal data protection of deceased data subjects, large-scale face databases and the GDPR, the new Europol regulation, rethinking trust in the Internet of Things, fines under the GDPR, data analytics and the GDPR, and the essence of the right to the protection of personal data. This interdisciplinary book was written while the reality of the General Data Protection Regulation 2016/679 was becoming clear. It discusses open issues and daring and prospective approaches. It will serve as an insightful resource for readers with an interest in computers, privacy and data protection.

Frequently asked questions

How do I cancel my subscription?

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.

Can/how do I download books?

At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.

What is the difference between the pricing plans?

Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.

What is Perlego?

We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.

Do you support text-to-speech?

Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.

Is Data Protection and Privacy, Volume 11 an online PDF/ePUB?

Yes, you can access Data Protection and Privacy, Volume 11 by Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert, Ronald Leenes, Rosamunde van Brakel, Serge Gutwirth, Paul De Hert in PDF and/or ePUB format, as well as other popular books in Law & Science & Technology Law. We have over one million books available in our catalogue for you to explore.

Information

Publisher

Hart Publishing

Year

2018

ISBN

9781509926220

Edition

Topic

Law

Subtopic

Science & Technology Law

Index

Law

You’ve been Measured, You’ve been Weighed and You’ve been Found Suspicious

Biometrics and Data Protection in Criminal Justice Processing

ERIK ZOUAVE AND JESSICA SCHROERS

Abstract

Biometrics, the measurement of life or living beings, has been applied within criminal intelligence and investigations for over a century. Since early law enforcement biometrics, the techniques and sources for biometric processing have increased dramatically. More than ever, personal data is collected from public fora, in particular the Internet, to infer suspects’ physical, physiological and behavioural characteristics. This raises concerns of burgeoning databases with increasingly complex, heterogeneous biometric data impacting the rights of individuals. In this chapter, we assess the current state of the art of legal recommendations on how to demonstrate compliance with the regulation of biometric data under European data protection law. Our assessment focuses especially on the automation of second generation biometrics and technical by design measures to minimise data protection risks in police biometrics based on online identifiers. We find that most of the scholarship and interpretation has focused on providing general recommendations in the civilian context, and that these recommendations frequently reflect situations of one-to-one verification rather than one-to-many identification. Only some recommendations are suitable in the way ahead under Directive (EU) 2016/680. We therefore argue that the adoption of the Directive necessitates a reinvigorated focus on technical by design compliance.

Keywords

Biometrics, biometric data, data protection, law enforcement, Directive (EU) 2016/680

1.Introduction

Biometrics, the measurement of life or living beings has been applied within criminal intelligence and investigations for over a century for uses such as the unique identification of suspects of crimes or threats to public security. Dactyloscopy, or fingerprinting, used by the Bengali Inspector General already in the late 1800s¹ and the U.S. Federal Bureau of Investigation since 1924,² quickly became widespread biometric investigative methods together with DNA sampling.³ Biometrics is a powerful and fact-based⁴ means to authenticate identities and match them to events, locations, groups and concepts of interests.

However, since early police biometrics, the techniques and sources for biometric processing have increased dramatically. While first-generation biometrics were generally “strong” biometrics such as fingerprint, or iris, second-generation biometrics include technologies that measure “motor skills,” electromagnetic body signals and human-computer interaction patterns (eg walking patterns, dynamic facial features, voice recognition, online behaviour recognition etc.) and require less user cooperation.⁵ Increasingly, embedded systems, ambient intelligence and distant sensors aggregate the volumes of available data.⁶ More than ever, personal data is collected from public fora, particularly in the form of online identifiers from the Internet, to infer suspects’ physical, physiological and behavioural characteristics. Consider, for example, ubiquitous social media where image, audio and video data are shared and where biometrics are even incorporated into services such as “tagging” or “suggesting” people in photos.

This diversification and increase of biometric data poses discrete risks to the privacy and protection of personal data that must be balanced against security interests. Firstly, this trend raises concerns that the collection, generation and storage of biometric data will become increasingly associated to disproportionate Big Data practices.⁷ Secondly, the heterogeneity of data sources, formats and data quality may further impact the accuracy of biometric data underpinning criminal evidence, seriously affecting the rights of data subjects.⁸ Thirdly, the diversification and increasing use of biometrics also increases the sensitivity of the data and the risk and likelihoods of adverse impacts for affected individuals when the security and confidentiality of the processing proves insufficient. Finally, the scale and complexity of this processing necessarily leads to increased reliance on semi-automated and automated techniques, making the overall process more “opaque” and less foreseeable.⁹

In view of such concerns, the European Union data protection reforms have updated the laws applying to civilian research and development of police biometrics on the one hand – through Regulation (EU) 2016/679 – and to police and criminal justice authorities as end-users of such systems on the other hand – through Directive (EU) 2016/680. However, we argue that guidance on technical implementation has been and remains focused on civilian identity management to the detriment of data subjects processed by police biometric systems for the identification of suspects of crime.

In this chapter, we assess the state of the art of legal recommendations on how to demonstrate compliance with the regulation of biometric data under European data protection law, especially with respect to technical by design measures to minimise data protection risks in police biometrics based on online identifiers. We find that only some of the widely accepted recommendations are suitable in the way ahead under Directive (EU) 2016/680 when combined with novel implementation methods. Given the significant values and rights at stake, we argue for reinvigorated research into technical by design compliance measures for police biometrics.

Demonstrating compliance is a principle of data protection. It entails both organisational measures, such as the adoption of data protection policies and carrying out data protection impact assessments, as well as technical measures implemented in processing systems to comply with all data protection principles by design through the entirety of operations. We focus on the technical aspects of compliance as these are more contextual, frequently elude generalisation, yet are essential for data protection law in practice. Indeed, the European Data Protection Supervisor emphasises the need for specific by design safeguards or technical measures to resolve, for example, proportionality and accuracy problems in biometric data.¹⁰ We derive our insights from Directive 2016/680, its commonalities with the Regulation, and soft law guidance from the Article 29 Working Party and the (European) Data Protection Supervisor. Following Jasserand’s terminology clarification, we understand biometrics as the automatic recognition of individuals, while biometric data is considered as “a type of personal data relating to biometric characteristics and linked to the identification or identifiability of an individual.”¹¹ The term “biometric systems” is used synonymously with biometrics.

This chapter also draws on contextual learning from law enforcement to supplement established recommendations with novel means of mitigating complexity and heterogeneity. We draw on the conceptual research of Coudert et al regarding digital evidence in legal proceedings and the practical biometric case studies in the Horisons 2020 DANTE project, its system, and law enforcement practitioners. The DANTE project aims to deliver effective biometrics, notably physical facial, silhouette, and voice metrics as well as behavioural analysis of stylometrics, logos, objects and concepts, from online sources and identifiers, while applying legal best practices to avoid unwanted societal impacts.¹² However, in doing so, we observe and propose solutions to common problems in the automation of policing and biometrics.

2.A History of Police Biometrics

As mentioned previously, biometrics have featured as an investigatory tool since the nineteenth century. Cole observes that biometric procedures allowed police to “link bodies … across time and space” and “to track the body” of a criminal rather than just signs of criminality.¹³ Early police biometrics were particularly useful for establishing recidivism within precincts.¹⁴ Two types of early police biometrics became particularly prevalent; dactyloscopy, or fingerprinting, and anthropometry, or the measurement of body proportions.¹⁵

The fact that criminal justice biometrics can be physical, physiological as well as behavioural, and that their perceived reliability will vary according to context, is recorded in early European case law. As accounted by Cole, sixteenth-century French courts relied on the peculiarities of a cobbler’s measurement of feet, testimonial accounts of dialect and outward appearance, such as hair color and scars, in determining whether Martin Guerre was, in fact, Martin Guerre or an impostor.¹⁶ The French court relied less on the quantitative measurements of the cobbler and more on the (fleeting) qualitative memories of witnesses.

Nineteenth-century investigative biometrics sought to standardise the description of qualitative physical features such as whether fingerprints have arches or whirls and whether lips are pouty, by which reproducible methods the data should be collected, and in which order and format it should be presented. In other words, the idea of biometric templates were introduced to policing.¹⁷ However, these early biometrics were limited by the constraints of manual labor and, frequently, the need to physically take measurements from suspects.

Contemporary (and future) police biometrics are significantly impacted by modern technology, allowing for the pluralisation and automation of data collection and analysis.¹⁸ Urban spaces are surveilled with CCTV and thermal cameras¹⁹ and online spaces allow for massive sharing of data in text, audio, image and video formats. It is in this online context that the DANTE project, our primary source of contextual learning, appears. DANTE delivers automated data mining and analytics solutions to detect, retrieve, collect and analyze heterogeneous and complex multimedia and multi-language terrorist-related contents, from both the Surface and the Deep Web. It detects and monitors terrorist-related fundraising, propaganda, training and disinformation. It seeks to link online pseudonyms, identify publishers of terrorist content and suspects that are identifiable through textual, image, audio and video data.

3.The Legal Framework for Police Biometrics

The EU data protection reforms have attempted to resolve several problems with biometric data processing. Firstly, the Regulation and Directive encompass a common, binding definition to biometric data, clarifying its scope.²⁰ In this respect, biometric data encompasses personal data, i.e. data relating to an individual, subjected to specific technical processing to uniquely identify that individual. However, identification is not necessarily prec...