Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us.
Biometric technologies in Canada: Finding a balance between security and privacy
What’s the current state of biometrics in Canada, and how is privacy taken into account when introducing new biometric technologies?
Dr. Colin Soutar is director of the identity and privacy assurance group with the leading global identity management company, CSC. Dr. Soutar has been instrumental in the establishment of several international standards and industry initiatives relating to biometrics, identity, security and privacy. He was an early proponent of security evaluations of biometric systems in the late 1990s.
Biometric technologies are a deeply personal subject — they relate to the automated measurement of human physiological traits (such as face, finger and iris) or behavioural traits (such as walking gait or typing style). By definition, we are all attached to our biometric attributes. But to get to the heart of a technology that has been around for a couple of decades (pre-dated by many non-automated systems), one has to poke around a bit under the surface.
What are biometric technologies used for?
Biometric technologies are used for two main purposes:
- identification of individuals from a database;
- to support identity assurance, meaning that a user of a system is who he or she claims to be.
In order to promote understanding and acceptance of biometric technologies, it’s crucial to differentiate between these two purposes. This is particularly important in Canada, as Canadians have a keen sense of privacy, which is reflected in our federal and provincial legislation.
Let’s consider a couple of examples: first, an individual who has committed a crime and left behind a fingerprint may be subject to a forensic search against a database of fingerprints — this is identification.
Second, a user interested in establishing that they are the valid holder of a document, such as a passport, may use biometric technologies to support identity assurance. Indeed, biometric technologies are increasingly being placed alongside other technologies, such as smart cards (or “chip cards”) and cryptography, to provide an overall assurance that the user is who they claim to be.
Along this line, the use of biometric technologies has migrated from its historical role in isolated applications such as forensic investigation to a broader role supporting applications such as crossing a border or authorizing a financial transaction.
The acceptable degree of identity assurance for any transaction depends on the particular risk assessed in that environment. For example, a higher degree of identity assurance would be required for crossing a border than for buying a bag of groceries. Thus, the desired degree of identity assurance varies for the following common transactions:
- general access to entitlements and services on the Internet;
- shift-logging for time and attendance applications;
- financial transaction approval; and
- border and immigration crossings.
Biometric technologies can enable such a high degree of identity assurance that they can largely mitigate any malfeasance by imposters. In other words, the stronger that an individual can assert a claim of identity assurance, the less chance there is for someone else to be able to access their data or services. For the examples listed above, this can provide security and prevent identity theft to mitigate terrorism, protect financial well-being, provide employee accountability and prevent loss of reputation.
How Canada uses biometric technologies
So what does this all mean for Canada? Well, as stated above, Canada’s keen sense of privacy and personal data control is embodied by its legislation. As biometric technologies are deployed in Canada, both in the private and public sectors, their effect on the existing infrastructure is typically evaluated through both a security evaluation and a privacy impact assessment. This is particularly true of large-scale government deployments such as the use of electronic passports.
Maintaining both security and privacy is integral to Canada’s well-being, and the use of biometric technologies is assessed with this in mind. Indeed, Canada’s privacy commissioners are internationally regarded as some of the top practitioners in their field and have, at the federal and provincial levels, helped to positively shape the emerging technology landscape of biometric and identity technologies.
In Canada, biometric technologies are currently being used in many commercial environments such as protection of physical and computer assets, and time and attendance applications. Often, a single biometric technology such as facial recognition will be used (for example, with the e-passports for some countries); in other cases, a combination of several technologies will be used to increase the degree of identity assurance (for example, fingerprint and facial recognition are typically combined for border and immigration applications).
Canada has been operating expedited traveller systems for the last decade, first with the CANPASS border clearance system, which expedites border clearance for low-risk, pre-approved travellers into Canada, and more recently with the NEXUS system for travellers into both Canada and the U.S. On a related note, Canada was one of the first nations in the world to strengthen its airport security using biometric technologies to access secure areas with the Restricted Area Identification Card deployed by the Canadian Air Transport Security Authority.
In 2012, Canada will join the 100 or so countries around the world that use e-passports, which allow automated facial recognition to positively authenticate that the holder is who they claim to be. The standards for e-passports were developed by the International Civil Aviation Organization, headquartered in Montréal.
Canada will also soon include biometric technologies in its visa application process — much like its fellow countries the U.K. and the U.S. The use of biometric technologies for visa application prevents known criminals from entering Canada and maintains integrity throughout the visit by ensuring that no one has stolen the correct holder’s visa entitlement.
What’s the future of biometrics in Canada?
Moving forward, there are four main trends that are driving biometric technologies to more commonplace applications:
- People are becoming increasingly aware of the well-being of their personal data and the need to protect it using strong authentication techniques such as biometric technologies.
- The use of remote cloud applications to store important corporate or personal data means that identity assurance needs to be increasingly strong.
- The use of mobile devices such as smart phones to remotely access data and services can be strengthened using on-board biometric capabilities.
- The continued security and performance characterization of biometric technologies will allow them to be further used alongside other authentication technologies.
Canada’s strong technology and privacy base will ensure that technologies are designed with the appropriate safeguards and principles in place, and that biometric technologies can continue to be used as a tool to maintain our personal information, assets and access to entitlements.
Some people say that the measure of maturity and success of a technology is the degree to which it is integrated with existing business processes; others say that it is the degree to which it conforms to jurisdictional and societal backdrops — on both fronts, we can say that biometric technologies in Canada have come of age.
ISSN 1927-0275 = Dimensions (Ottawa. Online)