Electronic devices including phones and laptops, have various accessibility measures allowing a user to lock a device and restrict access to other individuals.  Many of these security measures include biometric identifiers that use the individuals’ physical features. The more common identifiers include fingerprints or facial recognition, but some other methods include eye scanners, voiceprints, and scanning’s of the hands or face. ¹ Biometric data can also be accessed through other smart devices like smart watches and fitness trackers that are often worn by those looking to maintain or track various health analytics. ² While the uses of biometric identifiers has became more mundane and integrated into everyday life, there should be more caution should be taken in regard to how data is stored and used. If biometric data is to be used to be stored for longer than a year, and used for reasons outside of its initial purpose, it should be required for individuals to remain informed on its status and provide consent for its collection and use. Any data collected should be used without the consent of the individual as this would be a major ethical concern that imposes on the privacy of individuals. Although the identifiers and data may not be used around the clock by consumers, some questions that might pop up are “what happens to my data when I’m not using it?”, “where does it go?”, “can anyone else see my information”?  Here is where there ethical concerns arise in the use of biometric data beyond an individuals consent.

For a biometric system to function, there are several steps and mechanisms that the trait of interest must go through before a match can be determined or identified. This would include the trait being applied and recognized to a sensor to which its features are recorded, and a virtual layout is pieced together. If it was the first time the trait was being applied to the system, then the curated layout is stored into a database for future application. Once in the system, upon future authentication, another layout of the trait is taken and compared with the initial one where if the match is close enough they will be taken to be from the same individual. ⁴ In general this iterative process is used for all types of biometric systems. As mentioned previously, biometric data can be taken from palm and/or fingerprint scanners, retinal scanners, voice prints, as well as facial recognition software. In the case of cell phones, biometric data can be collected and then using the internet, transmitted to a secondary remote location to be evaluated and subsequently stored. The second storage option for collection and storage would be on the phone itself as it “serves the purpose of preventing unauthorized access to cell phone’s functions and data.” ⁵ Due to the multiple mentioned avenues as well as more frequent use, it could be assumed that there would be widespread or federal laws to protect the data as it is acquired- this is not necessarily the case.

A February 2022 report analyzed how different states currently use or intend to implement the Biometric Information Privacy Act (BIPA) when it comes to how biometric data is handled. BIPA was originally enacted in Illinois of 2008 as a way to monitor and regulate the use of biometric data amongst various businesses and other avenues. ⁶ According to the report there are only 9 states with existing laws for biometrics and 22 states with proposed laws. For the states that have existing biometric laws, there are similarities between the retrieval, destruction and disclosure concerning the data, though there are some differences. For example, in Texas an individual whos traits are being recorded must be informed of what is being done and subsequently must consent to the process. Further, the data is to be destroyed within the first year of its extraction and if those that have the data were to sell or distribute it without the individuals consent, they would receive a civic penalty. Whereas in Oregon, facial recognition is not allowed to be collected in public areas that surround Portland. ⁷ These differences in legislation and how few states have any laws put into place, show that there is a lack in biometric law standards on both the state and federal level. As a result, attacks on biometric systems and data put individuals at a high risk of having information stolen, used, or distributed without consent.

There are several ways in which a biometric system could be attacked, this may include hacking, a direct attack on the system and/ or an indirect attack to the system. In a direct attack, the sensor of the system is affected in that rather than using the real biometric trait, a fake or replicate is used and placed in front of or on the systems sensor. The fake or replicate trait can be anything from a silicon finger(print) to holding up a photo in front of a face scanner. In either case, the sensor then goes through the process of trying to match the unauthentic trait with the ones that have been collected and stored in the system. This is in contrast to an indirect attack that manipulates the inside of the system rather than the sensor. By doing this, false positives are returned to the system and access is granted. ⁸ With any of these situations, if the system is breached, then the likelihood of an individuals biometric data and personal information being stolen and used for purposes outside their agreed purpose is increased. Such a situation can be seen in the court case of the State of Texas vs Meta Platforms, more specifically Facebook.

In the court case, Facebook was accused to taking biometric information from uploaded pictures and videos that were put up by its members to be shared with the people they knew- not to be used for any other purpose. The biometric data that was being retrieved from the photos and videos through a service they implemented known as tagging. Tagging would let the user identify individuals in the photo to let others know who they were, but once this act was done the information was then analyzed through Facebook and used as part of an algorithm for further individual identification.

This information became a part of the system’s facial recognition technology that would map out users and non-users facial geometry for better identification and tag suggestions. It is stated that Facebook did not receive or obtain consent from its users, let alone non-users consent to keep track of and record their facial makeups. Moreover, it is also mentioned that “Facebook intentionally avoided using the term “biometric” to describe Tag Suggestions, because it knew that doing so would “scare people off.” Facebook also was distributing members personal information to outside/ third party sources that then further distributed the data. Further infringement was done to those who were not a part of the community but that were seen in the photos and videos that were being uploaded to the site. Biometric data was failed to be destroyed within the one year since its procurement and as such was also a violation to individuals. The State of Texas has asked that Facebook make amends by no longer obtaining biometric data illegally, destructing the data that is past its destruction date and been collected under false pretense, do away with the system that collects such information, and get back any of the data that had been disrupted to outside sources. ⁹

Although the storage and use of biometric data/ systems can be subjected to data breaches and non-consented use as seen with the State of Texas vs Meta Platforms case, there are some positives to its applications and use. One example is how use of biometric systems add for an extra layer of security for everyday technology. Use of fingerprints and face features has become a common application for cell phones and laptops to remain locked until the individual, whose features have been added to device, is able to unlock it. By using biometrics, only those that have been added to the devices biometric list/ log are able to open it. In some cases, it may be hard for even the user to get access into their own device if something is obstructing the sensor/ camera. For example, if the finger used to get access into the device is wet, the phone or laptop will more than likely not open as a result of the water  obstructing the fingerprint. This comes to show the level of security that the use of biometrics offers. Along with its more mundane uses, biometric systems and data can also be used in law enforcement and with forensic science.

Biometrics have been able to be used as a tool for law enforcement and as forensic evidence through the use of fingerprints, face imaging, DNA, palm prints, the iris, and voice data. ¹⁰,¹¹ The use of palmprints for example can help in a forensic science scenario because similar to fingerprints, the palm contains patterns and minutia that are unique to everyone and when analyzed or compared to ones from known individuals, a match can be made from the unique traits. The palm prints may also be subjected to a palm print identification system where an image of the print is created and key features are recorded to match the obtained print. An example of a database that can be used to compare and identify prints is the Integrated Automated Fingerprint Identification System (IAFIS). This database is maintained and monitored by the FBI and is used to to compare obtained prints against “70 million subjects in the criminal master file, 31 million civil prints and fingerprints from 73,000 known and suspected terrorists process by the U.S. or by international law enforcement agencies.” ¹¹ As a result of the large number of prints IAFIS database and other biometric databases as well, there should be higher restrictions and standards put into place for federal and state agencies to be able to have access and use biometric data as it can further be used to aid in their investigations.

As seen previously, the use of biometric systems and data are ones that should not be taken lightly. Such systems are being more incorporated into daily lives and activities and therefore require higher standards and laws to ensure the safety and privacy of the data. The addition of such laws would also allow for companies like Facebook, as well as other individuals to be held accountable for the use of biometric data beyond a user’s consent.