Body, Biometrics and Identity

Bioethics ISSN 0269-9702 (print); 1467-8519 (online) Volume 22 Number 9 2008 pp 488–498 doi:10.1111/j.1467-8519.2008.00700.x BODY, BIOMETRICS AND IDENTITY EMILIO MORDINI AND SONIA MASSARI Keywords biometrics, identity, ethics, privacy, digitalization, person, globalization ABSTRACT According to a popular aphorism, biometrics are turning the human body into a passport or a password. As usual, aphorisms say more than they intend. Taking the dictum seriously, we would be two: ourself and our body. Who are we, if we are not our body? And what is our body without us? The endless history of identification systems teaches that identification is not a trivial fact but always involves a web of economic interests, political relations, symbolic networks, narratives and meanings. Certainly there are reasons for the ethical and political concerns surrounding biometrics but these reasons are probably quite different from those usually alleged. INTRODUCTION In the course of modern history, individuals have been identified by legal names, locations, tokens, pseudonyms, and so on. More recently individuals have been also recognized through automatic identification technologies (Auto-ID). Pioneered by military logistics planners, Auto-ID encompasses a vast array of equipments that can be used to identify both people and items. They include Bar Codes,1 Optical Memory Cards,2 Contact Memory buttons,3 Radio Frequency Identification,4 Radio Frequency Data Capture,5 Micro Electro Mechanical Systems,6 and Smart Cards.7 Biometric identification technologies are a special case of Auto-ID because they associate identities to individuals by using measurable personal features instead of something owned or known by the individual. Biometrics can be used only to recognize living8 beings (animals9 and humans). Although biometrics have been 5 1 Bar Codes include: a) linear bar codes, which consist of vertical black lines and white spaces that carry data; b) 2 dimensional bar codes, which use similar technology as linear bar codes but carry about 100 times more data. 2 Optical Memory Cards (OMC) use technology similar to the familiar CD-ROM. 3 Contact Memory Buttons are similar to a floppy disc in that they have a read and write capability. 4 Radio Frequency Identification (RFID) is a small radio transceiver combined with a memory unit. Radio Frequency Data Capture uses a built-in radio, where a bar code scanner can talk directly to the host computer and pass messages back and forth, similar to real-time receipt processing. 6 Micro Electro Mechanical Systems (MEMS) combine several environmental sensors on a credit card-sized radio transceiver. 7 A smart card contains an integrated circuit chip, with a microprocessor that is able to read, write and calculate. 8 A few biometrics can also be used for identifying corpses but this is not standard. 9 Animal tracking and identification systems based on RFID and biometrics (chiefly retinal scan) have been adopted worldwide for livestock, after Mad Cow disease, and are used for monitoring wild animal populations. Address for correspondence: Emilio Mordini, Centre for Science, Society & Citizenship, Piazza Capo di Ferro 23, Rome 00186, Italy. T: +39 0645551042 F: +39 0645551044, Email: emilio.mordini@cssc.eu © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd., 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA. Body, Biometrics and Identity used to recognize individuals for ages,10 as a scientific discipline they date back only to the 19th century.11 Biometrics have been also used for looking for patterns in natural populations,12 for searching for change in bodily and psychological parameters over time and in different health conditions,13 and for grounding racial classifications.14 As far as biometrics for personal recognition is concerned, any biological or behavioral characteristic can be used as a biometric identifier providing it satisfies at least four basic requirements: 1) collectability (the element can be measured); 2) universality (the element exists in all persons); 3) unicity (the element must be distinctive to each person); 4) permanence (the property of the element remains permanent over time). Many body features have been investigated,15 yet for almost a century only fingerprints satisfied all these conditions. In recent decades, there has been a dramatic evolution of biometric technologies, chiefly due to digitalization. While non-automatic biometrics for recognition purposes – e.g. conventional fingerprinting – are based on analogical representations,16 automatic biometric technologies use digital representations.17 Digital biometrics differ from traditional biometrics both quantitatively (the digit format allows us to collect, store and process electronically a huge amount of data in a short period of time) and qualitatively (being numeric strings instead of icons, digital representations have different qualities from analogical representations). Unless otherwise 10 A number of archeological artifacts show that fingerprint impressions have been used as a signature since the Neolithic era (see A. Moenssens. 1971. Fingerprint Techniques. Clifton Park, NY: Chilton Book Company). 11 Many well written histories of biometrics are currently available, e.g. A.K. Jain, P. Flynn & A.A. Ross, eds. 2007. Handbook of Biometrics. New York: Springer. 12 See M. Bulmer. 2003. Francis Galton: Pioneer of Heredity and Biometry. Baltimore, MD: Johns Hopkins University Press. 13 See W. Bynum. 1994. Science and the Practice of Medicine in the Nineteenth Century. Cambridge: Cambridge University Press; also E.G.Boring. 1950. A History of Experimental Psychology. 2nd edn. New York: Appleton-Century-Crofts. 14 Bulmer, op. cit. note 12. 15 E.g., in 1882 Alphonse Bertillon, chief of criminal identification of the Paris police department developed a very detailed method of identification based on a number of bodily measurements, physical description, and photographs. 16 An analogical representation is characterized by a parallel (though not necessarily isomorphic) correspondence between the structure of the representation and the structure of the represented. The analogical representation can be said to model or depict the thing represented. 17 A digital representation converts the original structure into digits. Digital representations are only approximations of the represented structure, but they can be electronically processed much more easily than analogical representations. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. 489 stated, in this paper we shall use the term ‘biometrics’ only to refer to automatic biometric technologies for personal recognition. Current biometrics include fingerprints, ultrasound fingerprinting, iris scans, hand geometry, facial recognition, ear shape, signature dynamics, voice recognition, computer keystroke dynamics, skin patterns, foot dynamics. Future biometrics (second generation biometrics) include neural wave analysis, skin luminescence, remote iris scan, advanced facial recognition, body odour, and so on. Multimodal systems, which match different identification technologies, are rapidly progressing, as well as multiple biometrics, which consist of different types of biometrics used in combination. Also behavioral biometrics – which measure behavioral characteristics such as signature, voice, keystroke pattern and gait – is becoming increasingly important. Scientific literature on ethical and privacy implications of biometrics is also growing.18 A sharp debate is emerging about whether biometric technology offers society any significant advantages over other forms of personal identification,19 and whether it constitutes a threat to privacy and a potential weapon in the hands of authoritarian governments. The main issues at stakes concern large-scale applications; biometric databases; remote and covert biometrics; respect for fair information principles, in particular the principle of proportionality;20 medical applications; enrollment of vulnerable and disabled groups; information sharing and system interoperability; technology convergence; behavioral biometrics; and surveillance. It is however arguable whether it makes sense to discuss all these issues together, sometimes without differentiating between different biometrics and applications. As a matter of fact, biometrics encompass so many different technologies and applications that it is hardly possible to develop arguments which are valid in all circumstances. Yet there are two interconnected issues that are worth discussing in general terms. They are ‘function creep’ and the so called ‘informatization of the body’. This paper will discuss these two wider issues and will 18 See E. Mordini & C. Petrini (eds), Ethical and Social Implications of Biometric Identification Technology, Annali dell’ISS, 2007; 43: 1. 19 Unless otherwise stated, in this article we use the term ‘personal identification’ as a synonym for recognition. 20 The principle of proportionality states that identification systems should only be implemented if the benefits are worth the social costs, including the invasion of privacy, loss of autonomy, social discrimination, or imposition of conformity, see: Article 29 – Data Protection Working Party, 2003, Working document on biometrics, 12168/02/EN, Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/ 2003/wp80_en.pdf [Accessed 6 Mar 2008]. Emilio Mordini and Sonia Massari 490 conclude by addressing a rather unexplored question, the ‘liberating’ value of biometric technologies. FUNCTION CREEP Since 2001 with a seminal Rand’s report,21 function creep has been in the limelight of the ethical and privacy debate about biometrics. ‘Function creep’ is the term used to describe the expansion of a process or system, where data collected for one specific purpose is subsequently used for another unintended or unauthorized purpose.22 Function creep in the field of automated personal recognition may have various motivations (from State intelligence to commercial purposes) and is not limited to biometric identification. Although some examples of function creep are fairly innocuous,23 function creep has always the potential to erode public trust and destroy confidence in a given system. When function creep results from a deliberate intention, it represents a serious ethical breach. Function creep usually involves three elements: 1) 2) 3) a policy vacuum; an unsatisfied demand for a given function; a slippery slope effect, or a covert application. A policy vacuum is probably the most important element to determine the risk of function creep. When organizations (be they small companies, large industries, or governmental agencies) adopt new information technologies or new information schemes, while failing to create specific policies, these technologies end up being driven only by different interests of various stakeholders. As a result, the new scheme may develop in quite a different sense from – sometimes even opposite to – that primarily intended. An unsatisfied demand for a given function is the second important element that has the potential for creating function creep. Information collected for one 21 See J.D. Woodward et al. 2001. Army Biometric Applications, Identifying and Addressing Sociocultural Concerns. Document Number: MR-1237-A. Available at http://www.rand.org/pubs/monograph_ reports/MR1237/ [Accessed 5 Apr 2007]. 22 See OECD Directorate For Science, Technology And Industry Committee For Information, Computer And Communications Policy – Working Party on Information Security and Privacy. 2004. BiometricBased Technologies Available at www.oecd.org/sti/security-privacy [Accessed 23 Dec 2007]. 23 E.g. the ‘Social Security Number’ in the US, which is an often-cited example of function creep. Although the original social security cards bore the warning that the SSN could not be used for identification, in the 1960s the Internal Revenue Service started using the SSN for taxpayer identification and today the SSN is the main identity document used by most US citizens. purpose is used for another when there is a need that is not properly met. Finally, function creep must develop almost unnoticed. Usually it can happen for two reasons. Either the new function(s) develop little by little, quite innocently, because of the incremental effect of several minor changes of mission, or the new functions are the result of a hidden agenda or, at least, of some undisclosed goals. Warrantless cell-phone tracking by law enforcement officers is a good example of this latter kind of function creep, which is obviously the most ethically and politically worrying. Also, in the context of biometric applications, one should distinguish between two different situations: when biometrics are used beyond the limits for which the system was officially adopted24 and when biometrics are misused to generate extra, unauthorized, information. As regards the former, it is evident that any identification scheme can be carried out with a hidden agenda (e.g. sorting out some social groups, eliciting the feeling of being under observation, etc.) and biometrics are no exception. According to the ISO SC37 Harmonized Biometric Vocabulary (ISO SC37 Harmonized Biometric Vocabulary – Standing Document 2 Version 8 – dated 2007-08-22)25 in these cases one should refer to a ‘subversive use’ of biometrics – i.e., an attempt to subvert the correct and intended system policy – rather than to function creep. Biometric systems might also be misused to generate details that are not relevant to personal recognition, and which could be exploited for unintended or unauthorized purposes. To date there is no evidence that any relevant biometric application has ever been systematically misused with the goal of revealing the subject’s personal details beyond those necessary for personal recognition.26 Biometrics have the potential for being misused, but personal details that could be elicited by using biometric applications can be obtained in easier ways, and the cost/benefit ratio of intentional misuse is still discouraging. Yet this state of affairs is likely to change in the near future with second generation biometrics and large scale adoption of multimodal systems, 24 E.g. a security agency could decide to carry out a covert screening program parasitic to a standard verification program. People enrolled for identity verification are covertly screened against, say, a database of terrorists. In such a case biometrics would still be used for identification purposes but these purposes would be partly different from those claimed. 25 http://isotc.iso.org/livelink/livelink?func=ll&objId=2299739& objAction=browse [Accessed 10 Feb 2008]. 26 One could argue that some ID schemes adopted in countries such as Pakistan or Malaysia have been designed to produce extra information but this is a rather different issue because it involves the whole policy of a state rather than a specific misuse. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. Body, Biometrics and Identity which are expected to have the potential to reveal personal data that could be hardly collected by other means.27 Some biometric characteristics are more appropriate for individual recognition, other less so, but all may generate data that are not strictly relevant only to personal identification. Data surplus sooner or later become available for ‘unintended or unauthorized purposes’. One of the possible variants of the Murphy’s Law states that if any technology can be misused, it will be, and there is no reason to assume that biometrics might escape this rule. The principle of data minimization, or limitation, should then be the cornerstone of any biometric policy that is respectful of privacy and ethical tenets. Unfortunately this is not the case with most biometric systems, which are redundant and unavoidably end up generating more data than necessary. What is worst – and this is our argument – is that it is unlikely that biometric applications will ever succeed in minimizing data capture and processing. In the following paragraphs we shall try to explain why. BIOMETRIC SYSTEMS ARE REDUNDANT An ideal biometric system should collect and process only details relevant to personal recognition. Unfortunately this is an impossible mission, both because of the way in which a modern biometric system works, and because of the ‘communicational’ nature of the human body. Usually a modern biometric system consists of six modules:28 sensors, aliveness detection, quality checker, feature-generator, matcher, and decision modules. Sensors – which are the most important part of a ‘biometric capture device’ – target physical properties of body parts, or physiological and behavioral processes, which are called ‘biometric characteristics’.29 The output of the sensor(s) is an analogical, or digital, representation of the biometric characteristic, this representation is called a ‘biometric sample’. Sensors unavoidably generate 27 E.g., an Israeli company – WeCU (‘We see you’) – is developing software for screening terrorists in airports, metro stations, etc. by submitting the crowd to subliminal stimuli and covertly registering their reactions with hidden biometric sensors. 28 We use the terminology adopted by the ISO. SC37 Harmonized Biometric Vocabulary – Standing Document 2 Version 8 – 2007–08: 22. Available at http://isotc.iso.org/livelink/livelink?func=ll&objId= 2299739&objAction=browse [Accessed 21 June 2007]. 29 A biometric characteristic is a ‘biological and behavioral characteristic of an individual that can be detected and from which distinguishing, repeatable biometric features can be extracted for the purpose of automated recognition of individuals’ http://isotc.iso.org/livelink/ livelink?func=ll&objId=2299739&objAction=browse [Accessed 29 June 2007]. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. 491 data about time and location, say, when and where the sample was captured. They may also collect shadow information, for instance any system for facial recognition inescapably ends up collecting extra information on people’s age, gender and ethnicity,30 and – given that facial expressions are topological configurations that can be measured – they have also the potential to detect people’s emotional states, as reflected in their expressions. Sensors can also elicit details on the medical history of the identifying person. Medical details can be elicited in various ways.31 First, injuries or changes in health can prevent someone from being enrolled by the system and then be recorded.32 Although most current technologies have no capability for determining the causes of recognition failure, no one can exclude the possibility that future applications may be designed to identify these causes. Second, medical information can be deduced by comparing selected biometric characteristics captured during initial enrolment and subsequent entries.33 Indeed, using biometrics to search for consistency over time – as for recognition purposes – is not so different from using biometrics to look for patterns of change as medical doctors do. Third, biometric characteristics could directly disclose health information.34 Additionally, some sensors may detect surgical modifications to the body.35 Finally, by knowing that certain medical disorders are associated with specific biometric patterns, researchers might actively investigate such questions as whether biometric patterns can be linked to behavioural characteristics or predispositions to medical conditions.36 As a consequence, biometric characteristics could become a covert source for prospective medical information, allowing people to be profiled according to their current and 30 See K. Jain, S. C. Dass & K. Nandakumar. 2004. Soft Biometric Traits for Personal Recognition Systems. In Proceedings of International Conference on Biometric Authentication. Hong Kong, July 2004. Available at http://citeseer.ist.psu.edu/jain04soft.html [Accessed 18 Jan 2008]. 31 E. Mordini. 2008. Biometrics, Human Body and Medicine: A Controversial History. In Ethical, Legal and Social Issues in Medical Informatics. P. Duquenoy, C. George & K. Kimppa, eds. Hershey, PA: Idea Group Inc. 32 E.g. some eye diseases could prevent iris scanning, arthritis could prevent hand geometry, finger burns can prevent fingerprinting, etc. 33 E.g. facial geometry taken in different periods of time can reveal some endocrinopathies. 34 E.g. certain chromosomal disorders – such as Down’s syndrome, Turner’s syndrome, and Klinefelter’s syndrome – are known to be associated with characteristic fingerprint patterns. 35 Infrared cameras can easily, and covertly, detect dental reconstruction and plastic surgery (e.g. added or subtracted skin tissue, added internal materials, body implants, scar removal, skin resurfaced by laser, removed tattoos, etc.) because the temperature distribution across reconstructed and artificial tissues is different from normal. 36 D. Zhang, ed. 2008. Medical Biometrics. New York: Springer. 492 Emilio Mordini and Sonia Massari potential health status. Mitigating this state of affairs is not easy, because – as we shall discuss below – it is partly due to the very nature of the human body. However there are two critical measures that should be adopted. First, biometric characteristics should be always chosen with their potential for disclosing health details taken into consideration. Medical doctors should be involved in biometric capture device design and sensors with the effective capability to detect medical conditions should not be deployed. Second, people should be always aware of the presence of biometric sensors. This is a very difficult goal, not only because some applications are by definition covert (e.g. screening and surveillance), but also because biometric sensors are more and more embedded in ambient intelligence environments. According to the EU Data Protection Directive (art.7 par.1) no data collection can go unnoticed by the subject that is being monitored. The goal is that the individual is aware of all types of data about him/her that are collected. Yet this is exactly what embedded biometrics would prevent. The loophole to escape from this legal dilemma comes from art.7 par.2, which states that par.1 is not applied in case of ‘processing of data relating to offences, criminal convictions or security measures’. Yet is it legitimate to extend the concept of ‘security measures’ to any technology used in any context? The growing proliferation of embedded biometrics cannot be justified by a never-ending growing of an indistinct ‘security area’. Nor does warning people that they are entering into a biometric controlled area seem to be sufficient to ensure respect for privacy rights. Warning labels tend not to be perceived any longer as people become familiar with them. The aliveness detection module detects a person’s physiological signs of life in order to avoid being cheated by artificial (fake) attributes. The aliveness detection module is still more critical than sensors because it has the potential to generate a good deal of extra, unauthorized, data. The most obvious way to check aliveness is to elicit a physiological reflex, such as pupillary reflex, or to test some physiological responses such as blood pressure, pulse, respiration and skin conductivity. This however generates unintended information on subject’s physiology, on her medical conditions, and her emotional state.37 It is however possible with certain biometrics to detect aliveness by using features that can hardly disclose medical and physiological information; this is the case for instance with iris biometrics.38 However mitigated the 37 Basically polygraphs for lie detection are based on the same principles. 38 See V. Valencia. 2002. Biometric Liveness Testing. In Biometrics. J. D. Woodward et al., eds. New York: Osborne McGraw Hill. risk of generating unintended information can be, aliveness detection modules remain the main source of concerns about function creep.39 The quality checker module performs a quality check on biometric samples and indicates whether the characteristic should be sensed again. Also, the quality check module may become responsible for producing extra data if the system is set for accepting only high resolution samples. The most important element of a quality metric is its utility. Biometric samples with the highest resolution do not necessarily result in a better identification, while they always result in being redundant. Consequently, in order to mitigate risks of function creep, the sample resolution should not be higher than necessary. The feature-generator module extracts discriminatory features from biometric samples and generates a digital string called ‘biometric features’. A whole set of these features then constitute the‘biometric template’. This is an important passage, though less important than the public tends to believe. In principle, templates could include more details than necessary, but this almost never the case because this would defeat the chief purpose of the template, which is the efficient storage of identifying data. This is convincingly demonstrated by the impossibility of deducing original biological and behavioral characteristics of an individual from a template.40 Template reverse engineering is not possible because most of the data that would be necessary to recreate the original attribute, have been discarded and are not present any more in the set of digital strings that constitute a template. Templates could be used to recreate artifacts that might be exploited for spoofing the system; such a possibility should be prevented by using encrypted templates. Of course it is important that compressed biometric samples are not stored in the system or – which would be even worse – included in the template. Together with template encryption, this measure is vital to avoid the main risks of template misuse (e.g. identity theft, data mining, profiling). The matcher module compares the template with one or more templates previously stored.41 The decision module takes the final decision about personal identity according to the system’s threshold for acceptable matching. Extra data can hardly be generated by these two modules; their ethical and privacy relevance chiefly 39 E.g. biometrics can be used covertly to detect people emotions. P. Statham. 2006. Issues and Concerns in Biometrics IT Security. In Handbook of Information Security. H. Bigdoli, ed. New York, NY: John Wiley and Sons: 471–501. 41 The place where templates are stored – whether in a central database or in a portable medium owned by the subject – is a critical aspect of privacy policies. However its discussion is well out beyond the purposes of this paper. 40 © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. Body, Biometrics and Identity concerns the setting of the threshold for acceptable matching, which is not a trivial fact because it determines false rejections and false acceptance rates. In conclusion, in almost any working phase biometric systems might generate extra information, which has the potential to be further used for unintended, unauthorized, purposes. This state of affairs can certainly be mitigated but it is highly improbable that it can be totally prevented. Generating extra information is not due to imperfect technologies, or to procedures still to be refined, but depends on the very nature of the human body. WHY BIOMETRIC SYSTEMS CANNOT AVOID BEING REDUNDANT In real life, communication and recognition are but two sides of the same coin. When sender and receiver exchange messages they unavoidably produce details that can be used to identify both. A totally anonymous sender or receiver do not exist either in the real world or in cyberspace. Communication always introduce a distinction, which is already a form of identification.42 Similarly, processes of recognition channel messages that go well beyond mere personal identification, think for instance how, even moments after birth, the newborn seeks out the mother’s eyes and face in an intricate and insoluble mix between recognition, auto-identification, and non-verbal messages.43 People are used to thinking of recognition as a process in which an (active) subject (or devise) recognizes a (passive) individual by searching for some identifiers. This model is hardly tenable. In the real world, personal recognition is closer to a conversation than to a security check. Personal recognition involves conscious, explicit, messages, which are usually conveyed by verbal languages, and unconscious, implicit, messages that are mostly channeled by non-verbal (bodily) languages. Discrepancies between the two levels are actively searched for screening purposes, when one suspects an identity fraud. Indeed, body languages have the specific feature of ‘speaking’ quite independently of our conscious will; and this can be exploited to unravel fake identities, both because the person can reveal emotions related to the fraud, and because she can unwillingly provide clues about her true identity. The body provides information 493 about the ‘person who inhabits it’ through a wide array of messages channelled by physical appearances, gestures, postures, expressions, odors, sounds, and even tastes. These messages allow us to recognize different aspects of an individual: 1. 2. 3. 4. 5. Aliveness: the first piece of information that one gives to the other by nonverbal communication is that she is alive and existing here and now.44 Species: the second message is that she is human. This message is more obvious when one tries to communicate with other species and is sometimes obliged to mitigate signals about one’s membership of the human species (e.g., body odour, posture, etc).45 Gender and age: the third set of messages communicated by using nonverbal languages concern gender and age, which partly overlap, probably, because they are both relevant to mating. Group(s): nonverbal languages also convey information on culture, ethnicity, and age, social groups to which the individual belongs and in which she grew up. Individual: finally, nonverbal languages also give information about individual personal identity. Scars, wrinkles, body postures and gestures, voice prosody, idiosyncratic behaviors, memories, ‘speak’ about that particular person, her biography and her oneness and identity. Personal recognition among human beings is usually generated by the interplay between all these non-verbal messages and verbal, explicit, communication. Needless to say, no system for automatic recognition could adopt such a sophisticated and complex scheme. Most Auto-IDs simply rely on tokens, which are a technological version of old passes, electronic labels (e.g. smart tags, RFIDs, etc) that include only details necessary to associate individuals to identities. Yet these autoIDs are not true proof of identity, rather statements as to who a person claims to be. Automatic biometrics instead adopt a scheme that, although extremely simplified, is close to normal human interactions. Biometrics allow people to be recognized by using their physical appearances and behaviors and, in doing this, biometrics exploit the vast web of messages that the human body continuously produces. First generation biometrics focused on those elements that directly allow individualizing of the 42 Distinguishing and individualizing are two different things, although they are both forms of recognition. Communication always introduces distinctions, but does not necessarily individualize. 43 See L. Cohen & E.R. Gelber. 1975. Infant Visual Memory. In Infant perception: From sensation to cognition. L. Cohen & P. Salapatek, eds. New York: Academic Press; vol 1: 347–403. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. 44 This would not be true for cultures that believe in demonic possession. In these cultures, the body could be inhabited by an alien. 45 Incidentally one could note that in the science fiction movie Blade Runner, which first depicted a ‘biometric society’, biometrics were used to distinguish between humans and androids. 494 Emilio Mordini and Sonia Massari subject, for instance fingerprint, iris, DNA46 and so. Little by little, however, technologists’ strategy has been changing to improve accuracy, robustness, and security. Second generation biometrics is increasingly based on multimodality, multiple biometrics, soft biometrics, behavioral biometrics. This makes biometrics more scientifically challenging and effective, but also more troublesome. As biometric applications are similar to human recognition schemes, they are destined to become redundant and to convey a great deal of messages beyond those selected only for identification purposes. We have already illustrated how aliveness detection unavoidably produces extra, parasitic, details. The same holds true when, in order to make more accurate facial recognition, for example, one decides to use soft biometrics; say, ancillary data on gender, age and ethnicity. The list of examples could go on and on. The troubling consequence is that as biometrics become mature, as they are likely to become intrusive. There is another critical issue related to biometric identification schemes that deserves to be mentioned. By mimicking human modalities for personal recognition, biometrics become a building block of the digital persona.47 Digital subjects need digital identifiers. Biometrics also allow the use of physical identifiers in the digital world. In other words, biometrics permit the use of human modalities for personal recognition in relationships between digital subjects (e.g. between humans and devices, documents or services, and among digital representations of humans). This leads us to the second point of this paper: the so called ‘informatization of the body’. INFORMATIZATION OF THE BODY Together with function creep, informatization of the body is the other general issue that concerns biometric ethics. Scholars speak of ‘informatization of the body’ to point out the digitalization of physical and behavioral attributes of a person and their distribution across the global information network.48 According to a popular 46 Although DNA biometrics is still in progress, and consequently is usually considered as a second-generation biometrics, from a conceptual point of view it is a first-generation biometrics. 47 The concept of digital persona was first illustrated by R. Clarke in 1994. See http://www.anu.edu.au/people/Roger.Clarke/DV/ DigPersona.html ‘The digital persona is a model of the individual established through the collection, storage and analysis of data about that person.’ 48 I. van der Ploeg. 2005. The Machine-Readable Body. Essays on Biometrics and the Informatization of the Body. Herzogenrath, Germany: Shaker. aphorism, biometrics are turning the human body into a passport or a password. As usual, aphorisms say more than they intend. Taking the dictum seriously, we would be two: our self and our body. Who are we, if we are not our body? And what is our body without us? Briefly, at the core of the notion of ‘informatization of the body’ there is a concern for the ways in which digitalization of physical features49 may affect the representation of ourselves and may produce processes of ‘disembodiment’. While privacy advocates and civil liberty organizations are concerned with the risk of function creep, philosophers are often concerned with informatization of the body, because it would touch our inner nature, the ‘human essence’. Biometric systems digitalize physical appearances and behaviors in order to process them. The passage from analogical to digital representations is not a trivial one, because digital representations always imply a certain degree of simplification, which modifies the nature of the represented object. By digitalizing representations of body parts and behaviors, biometric technologies tends to remove from them all dimensions but those which are relevant to recognition. Ideally, biometrics aims to turn persons into mere living objects, which can be measured and matched with similar living objects. This leads to the dramatic contrast between zoe and bios, natural life and political life. Ancient Greeks had two words for life, zoe and bios. Zoe is the life common to animals, humans, and gods, just life. Bios is life that is particular to humans, particular because it is life in the human context, with meanings and purposes. The Italian philosopher Giorgio Agamben has argued that there are times when rulers create indistinct zones between human life (bios) and bare life (zoe). Agamben, following Carl Schmitt and Walter Benjamin, calls these times ‘states of exception’. In states of exception, humans are stripped of all meanings except the fact they have life, and that life, like the life of an animal, can be taken at any point without it being considered murder, as happened in the concentration camps. In January of 2004, Giorgio Agamben cancelled a trip to the United States, protesting the dictates of the US-Visit program – which requires persons entering the US to be photographed, fingerprinted and registered in the US biometric database. Then Agamben50 wrote a brief essay explaining why he would not enter what he describes as a state of exception and martial law. Agamben stated that biometrics was akin to the tattooing that the Nazis did 49 Not only through biometrics but also by medical imaging, genetics, and so on. 50 See: No to Bio-Political Tattooing. Le Monde 10 January 2004. Infoshop News. Available at: http://www.infoshop.org/inews/ stories.php?story=04/01/17/2017978> [Accessed 15 May 2008]. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. Body, Biometrics and Identity during World War II. The tattooing of concentration camp victims was rationalized as ‘the most normal and economic’ means of regulating large numbers of people. With this logic of utility applied during a similar state of exception in the United States today, the US-Visit’s biopolitical tattooing enters a territory which ‘could well be the precursor to what we will be asked to accept later as the normal identity registration of a good citizen in the state’s gears and mechanisms’.51 Agamben envisages the reduction to bare bodies for the whole humanity.52 For him, a new bio-political relationship between citizens and the state is turning citizens into pure biological life; and biometrics herald this new world. On the contrary, other scholars53 see biometrics’ capacity to abstract from any biographical detail and to focus only on ‘bare life’ as a promise of transmigration from our ‘ biological body’ to the ‘cyborg’, when individuals may become free to create, or simply to remake, themselves and to change their identities as though they were clothing. Other, more critical perspectives54 have questioned the ways in which information technologies and biometrics articulate themselves as technologies of immateriality. Baudrillard describes a process of dematerialization, which progresses from thing, to commodity, to sign, to mere information. Baudrillard’s analysis derives from Marx’s famous notion of ‘commodity fetishism’ and indeed the concept of informatization of the body owes much to early theorization on the fetish. The fetish is an object endowed with a special force, a magical power, inhabited by a spirit.55 The process of disembodiment – like those carried out by biometric technologies – would end up turning the body into a fetish inhabited by ‘us’. This has also led to (rather emphatic) questions about whether biometrics risks dehumanizing the body and offends human dignity.56 51 http://www.infoshop.org/inews/stories.php?story=04/01/17/ 2017978> [Accessed 21 May 2008]. 52 G. Agamben. 1998. Homo Sacer: Sovereign Power and Bare Life. Trans. Daniel Heller-Roazen. Stanford: Stanford UP. 53 E.g. D.J. Haraway, ed. 1991. Simians, Cyborgs and Women: The Reinvention of Nature. New York: Routledge. 54 E.g. J. Baudrillard. 1990. Fatal Strategies: Revenge of the Crystal. Sydney: Power Institute Pub. 55 See W. Pietz. 1985. The Problem of the Fetish. Res: Anthropology and Aesthetics. 9: 5–17. 56 E.g. the French National Consultative Ethics Committee for Health and Life Sciences, 2007, Biometrics, Identifying Data and Human Rights. OPINION N° 98. Available at; http://www.ccne-ethique.fr/ docs/en/avis098.pdf: [Accessed 23 Aug 2007] ‘Do the various biometric data that we have just considered constitute authentic human identification? Or do they contribute on the contrary to instrumentalizing the body and in a way dehumanizing it by reducing a person to an assortment of biometric measurements?’ © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. 495 Finally, a number of more pragmatic theories have addressed the ways in which information paradigms pervade biological descriptions. For instance Irma van der Ploeg57 argues that ‘the human body is co-defined by, and in co-evolution with, the technologies applied to it. [. . .] the dominant view of what the body is, what it is made of and how it functions, is determined and defined by the practices, technologies and knowledge production methods applied to it [. . .] Seen in this light, biometrics appear as a key technology in a contemporary redefinition of the body in terms of information’. COULD BIOMETRIC INCREASE HUMAN FREEDOM? The co-evolution between technologies and the body – of which van der Ploeg speaks – has various reasons; but one deserves to be emphasized. All technologies relate to the body because one of their ultimate aims is to enhance its ‘imperfect’ nature, to alleviate the tyranny of human material constitution, its physical limitations, its spacetemporal constraints, and its limited capacity to perform actions. ‘Technology – as Mesthene puts it – is nothing if not liberating’.58 This holds true also for biometrics and the last part of this paper will be devoted to this rather unexplored issue. Current ethical debate on biometrics focuses on concerns raised by this technology. Certainly, any process of personal identification implies that individuals are recognized possessors of rights and obligations, and this could be seen as a limitation of individual liberty. Moreover, biometric applications are far from being a ‘clean’ identification technology, because – as we have illustrated – they cannot avoid producing extra information, which is not relevant to recognition, that can be misused. Then there are several ethical and privacy issues raised by specific applications and systems, which have not been discussed in this paper.59 Finally, biometrics per se raise troubling issues about embodiment and body dignity. Yet biometrics are also an effective instrument for personal identification and there would be no right, no liberty, without certified personal identities. One can claim her rights, included the right to be left alone, and 57 See I. van der Ploeg. 2008. Machine-Readable Bodies, Biometrics, Informatization and, Surveillance. In Identity, Security and Democracy. E. Mordini, ed. Amsterdam: IOS Press, Nato Series, in press. 58 E.G. Mesthene. 1970. Technological Change: its Impact on Man and Society. Cambridge, Mass: Harvard Univ Press: 20. 59 See for instance E. Mordini & C. Petrini. 2007. Ethical and Social Implications of Biometric Identification Technology, Annali dell’ISS, 43(1): 5–11. 496 Emilio Mordini and Sonia Massari the right to refuse to be identified, only if she is an identifiable subject, if she has a public identity. We are all victims of the illusory belief that personal identification per se threatens basic liberties and infringes our private sphere, while – on the contrary – there would be no liberty and no private sphere if there were no public identity. The real issue is the way in which we ascertain public identities. The need for recognition schemes probably dates back to the beginning of human civilization, with the first urban societies in Middle East and China, when societies became complex enough to require frequent interactions between people who did not know each other.60 People who travelled outside the confines of their home town (e.g., military, sailors, traders) needed to recognize and be recognized. A recorded description of physical appearances was probably the first way to recognize someone else, and to be recognized. Description of physical appearances alone became inadequate as human interactions became more and more frequent and complex. The first recognition schemes61 were probably based on artificial body modifications (e.g., branding, tattooing, scarifications, etc) and tokens. The Roman Empire was the first cosmopolitan society in the west and was also the first example of a universal system for people recognition, which was mainly based on badges and written documents. In Mediaeval Europe – where the majority of the population never went outside the immediate area of their home or villages – individuals were identified through passes and safe-conducts issued by religious and civil authorities. The birth of large-scale societies and the increased mobility associated with urbanization imposed new recognition schemes. The first passports were issued in France by Luis XIV in 166962 and by the end of the 17th century, passports and ID documents became standard. Yet only by the end of the 19th century was a passport system for controlling people movement 60 Yet it is noteworthy that most primitive recognition schemes (e.g., tattoos, circumcisions, ritual scarifications) had a chiefly religious purpose , as the issue with recognition was first to be recognized by the God(s). Interestingly enough, in Genesis 3: 8–10, after eating from the tree of the knowledge, humans try to escape God’s gaze, to avoid being recognized by him, and the alliance between God and Abraham is sealed by a sign of recognition, the circumcision. Being recognized by God (and His legates) is indeed not a minor issue, as is also witnessed by the infamous dictum pronounced by the Papal Legate, abbot Arnaud, at the siege of Béziers in 1209, where more than 20,000 people were massacred in the space of two hours. When asked how to distinguish the good Catholics from the Jews and the Cathars, he said: ‘Tuez-les tous; Dieu reconnaîtra les siens’ (Kill them all; God will recognize his own). 61 J. Caplan & J. Torpy, eds. 2001. Documenting Individual Identity. Princeton: Princeton UP. 62 J. Torpey. 2000. The invention of the Passport- Surveillance, Citizenship and the State. Cambridge: Cambridge UP. between states universally established. In the 20th century, passports and ID cards – incorporating face photography, and in some cases fingerprinting too – became the primary tool for people recognition. Finally, in the late 1960s, Auto-IDs emerged. It took however some time because people understood that biometrics had a very special status among other Auto-IDs. With biometrics, for the first time in the history of human species, human beings have really enhanced their capacity for personal recognition by amplifying their natural, physiological, recognition scheme, based on the appreciation of physical and behavioral appearances. Complex personal recognition schemes, tattoos, seals, passports, badges, safe-conducts, passes, passwords, PINs: biometrics make obsolete all these traditional identification paraphernalia and – at least in the long run – promise to replace all of them. Biometric technologies also promise to liberate citizens from the ‘tyranny’ of nation states and create a new global, decentralized, rhyzomatic schemes for personal recognition. Today, states hold the power to establish national identities, to fix genders, names, surnames and parental relationships, and to assign rights and obligations to individual subjects according to the names written on their identity documents. In his fascinating book on the history of passports,63 John Torpey argues that ‘modern states, and the international state system of which they are a part, have expropriated from individuals and private entities the legitimate means of movement’ (p.4). Beginning with the French Revolution64 there has been an indivisible unity of national citizenship and individual recognition. The Declaration of Human Rights has created the modern concept of citizenship. Whereas, before, absolutist regimes were obliged to work through social intermediaries, the new democratic order is based on a direct, unmediated, relationship to the citizen. Universal rights and individual identity are the two sides of the same coin. This new citizen is an unmarked individual who is uniquely and reliably distinguishable as an inhabitant of a nation-state, and not as a member of a guild, village, manor or parish. Other identity elements, which have been important in the past (e.g., religion, ethnicity, race, cast, etc), become, at least theoretically, less and less important. One of the main task (and source of power) of modern states becomes to register birth certificates, to secure their authenticity, and fix citizenship accordingly. According to Torpey nation states have generated ‘the worldwide development of techniques for uniquely and 63 Ibid. On August 4, 1794, five years after the Revolution, France enacted the first law in the west that fixed identity and citizenship to the birth certificate. See J. Caplan & J. Torpy, op. cit. note 40. 64 © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. Body, Biometrics and Identity unambiguously identifying each and every person on the face of the globe, from birth to death; the construction of bureaucracies designed to implement this regime of identification and to scrutinize persons and documents in order to verify identities, and the creation of a body of legal norms designed to adjudicate claims by individuals to entry into particular spaces and territories’ (p. 7). This state of affairs could now be radically challenged. Globalization is characterized by the development of technologies (fiber-optic cables, jet planes, audiovisual transmissions, digital TV, computer networks, the internet, satellites, credit cards, faxes, electronic point-of-sale terminals, mobile phones, electronic stock exchanges, high speed trains and virtual reality) which dramatically transcend national control and regulation and thus, also, the traditional identification schemes. Moreover the globalized world is confronted with a huge mass of people with weak or absent identities. Most developing countries have weak and unreliable documents and the poorer people in these countries do not have even those unreliable documents. In 2000, UNICEF calculated that 50 million babies (41% of births worldwide) were not registered at birth and thus lacked any identity documents. Pakistan, Bangladesh, Nepal have not yet made child registration at birth mandatory.65 In this scenario, a personal identity scheme based on citizenship and birth certificates is less and less tenable. The tourist who wants to use the same credit card in any part of the globe, the asylum seeker who wants to access social benefits in the host country, the banker who in real time huge moves amount of money from one stock market to another, they all have the same need. They must prove their identities, they must be certain of others’ identities. But they can hardly rely on traditional means for proving identities, such as birth certificates, passports or ID cards, etc. because these schemes are not dependable enough in most parts of the world and hence unfit for global digital networks. Moreover, biometric systems are the only large-scale identification systems that could also be run by small private actors and independent agencies instead of heavy governmental structures. This makes possible, for the first time, a global system for personal recognition that would be closer to the Internet than to the Leviathan. The fear that biometrics might lead to a unique identifier – a digital cage from which no one could ever escape – is probably misplaced. On the contrary, biometrics permit us to create separate digital IDs for particular purposes, by applying different algorithms to the same biometric characteristic. As well as providing the appro65 UNICEF. Available at http://www.unicef.org/protection/files/Birth_ Registration.pdf [Accessed 5 Jan 2008]. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd. 497 priate level of security for each application, this makes it much easier to revoke a biometric template and issue the user a new one if their digital identity becomes corrupted or is stolen. Still more important, these processes do not need cumbersome, centralized, structures but can be easily implemented by a web of local authorities, as has been indirectly demonstrated by the astonishing penetration of biometric technology and applications in Asian and African markets.66 CONCLUSIONS In the long run, biometrics promise to provide the global citizen with a sound identity management system, which could develop quite independently of nation states. Of course one could argue that this would be a tragedy, and that an ID management solution controlled and operated by governments is absolutely essential in order for government agencies to provide the services citizens expect to receive and to guarantee the survival of the same notion of state. Discussing this question is well beyond the scope of this paper, but there is no doubt that this is one of the main ethical and political challenges raised by biometric technologies. The endless history of identification systems teaches us that identification has never been a trivial fact but has always involved a web of economic interests, political relations, symbolic networks, narratives and meanings. In ancient Greece, slaves were not considered real persons and were called ‘faceless’, aprosopon. The word that in Greek designates the face, prosopon, is also at the root of the Latin word persona, person. The person is thus an individual with a face; to use the metaphor, an individual becomes a person when she has a recognizable identity. Biometrics could contribute to give a face to the multitude of faceless people who live in developing countries, contributing to turn these anonymous, dispersed, powerless, crowds into the new global citizens. Certainly, then, there are reasons for the ethical and political concerns surrounding biometrics; but these reasons are fortunately balanced by some reasons for hope. Acknowledgement This work was supported in part by the European Commission under contract FP7-217762 HIDE. HOMELAND SECURITY, BIOMETRIC IDENTIFICATION & PERSONAL DETECTION ETHICS. Emilio Mordini trained as a medical doctor and a psychoanalyst before getting a degree in philosophy. He was formerly Director of the Psychoanalytic Institute for Social Research (1986–2001) and Professor of 66 See International Biometric Group. 2006. Report on world biometrics market and industry. http://www.biteproject.org/reports.asp [Accessed 15 Apr 2008]. 498 Emilio Mordini and Sonia Massari Bioethics at the University of Rome ‘La Sapienza’ (1994–2006). Since 1992, Emilio has participated as a main contractor and coordinator in several FP3, FP4, FP5, FP6 and FP7 projects. Focusing his efforts on creating an international research centre devoted to ethical, political and social implications of emerging technologies, he founded CSSC in 2002. He has published widely on the social and ethical implications of new technologies, on ethics and globalization, on bioethical research, and on changing rationalities and techniques of human identification. Sonia Massari graduated (BA + MA) in Communication Sciences at Siena University (Italy). She is a PhD student in ‘Telematics and Information Society’ at Florence University, specializing in Human-Machine Interaction. She joined the Centre for Science, Society and Citizenship in 2008, where she serves as Research Assistant. © 2008 The Authors. Journal compilation © 2008 Blackwell Publishing Ltd.