Biometric identification is fast becoming a convenient way to ensure we are who we say we are. But at what price?
There are two ways of looking at how biometric data will influence our future working lives.
“It’s clear that the operating system of the future is not people using a computer and a mouse typing in commands. It’s us talking to the computer, with the computer biometrically working out who we are, which gives it permission to access our data, our calendar, our preferences, our bank account details, our credit cards. And then doing whatever we say. That will make life very convenient.”
And then, there’s this.
“As biometrics authentication becomes more prevalent and people become more aware of it, there’s going to be more concerns about privacy. It’s not a coincidence that we’re seeing some of this technology in China, which has different standards and cultural perceptions to how inquisitive and how intrusive authority can be.”
Both viewpoints come from Toby Walsh, who is professor of artificial intelligence at UNSW and a speaker at this year’s AHRI convention, where he will be talking about AI and ethics.
Clearly there’s a trade-off between greater convenience, reducing fraud and integrity risks, and threats to personal privacy – a trade-off which many people are not sure they’re ready to make.
But first, how is a biometric identifier distinguished from other bits of personal data?
“A biometric is essentially just a stable characteristic that can be used to identify an individual,” says Bruce Arnold, assistant professor at the University of Canberra’s School of Law and Justice.
“That characteristic might be a physical attribute, such as a fingerprint or ear shape, or an expression, such as gait, voice or keyboard style.”
That means companies (and the government) now have the ability to measure things such as how we type – the rhythm, pace and accuracy – to work out who is writing what in real time, as well as how hard we’re working. But only if they first have an accurate reference point.
“The identification might be very accurate or quite fuzzy, depending on the particular technology, how the attribute/expression was recorded and how it was matched to reference information,” says Arnold.
The (finger)tip of the iceberg
Most people are now familiar with using their fingerprint to open their Android or iPhone, but our biometric data will soon become our access code for much, much more. The ATO, for example, now allows you to record your voiceprint for easy authentication.
Of particular interest to governments is how you walk. Gait analysis is already being used at airports, says Dr Jake Goldenfein, a law lecturer at Swinburne University of Technology.
“National security agencies are very interested. They use it for identity verifications, but also as a profiling system,” he says.
That means, even if you cover your face, there’s the potential for you to be identified in public. On the plus side, when the technology is adopted by companies, you won’t need to fumble around for your swipe pass when walking into an office building.
Adoption in the workplace
There are key barriers to seeing more widespread adoption of biometric identifiers across organisations.
“One is that it is disruptive to try a new technology. Another is people’s concerns about being watched and listened to by computers. People start thinking of Big Brother,” says Walsh.
The government and large financial institutions are driving adoption, because – at its most basic level – biometric identifiers are and will be used for authorisation, which is a big requirement in how these organisations interact with the public.
The collection of biometric data falls under the category of sensitive information within our information privacy laws, says Goldenfein. “When it comes to private companies, they’re regulated by the federal Act, but it only really applies to companies that turn over three million dollars or more a year.”
However, automatically being allowed to access employee biometric data isn’t an open and shut case, according to lawyer Michael Byrnes, partner at Swaab Attorneys.
“Employers may find that they want to implement this technology because it makes life easier for them or it’s convenient to do so,” says Byrnes. “But that doesn’t necessarily compel the employee to provide it.”
The real question, adds Byrnes, is whether or not it’s a reasonable direction for the employer to require employees to provide the source material for the biometric data. “In order for it to be reasonable, an employer is probably going to have to demonstrate more than that it’s just convenient. The Fair Work Commission may well arbitrate.”
Once an employee leaves, the question remains as to whether an employer is obliged to remove all biometric data relating to them from its systems. “There is an expectation that employers will safely dispose of personal data,” says Arnold, “[but] there isn’t a statutory fixed period for retention, and an ‘obligation’… will depend on the circumstances.”
“Employers,” says Byrnes, “should consider whether or not retention of biometric data is necessary once an employee leaves employment. Presumably, it has no further efficacy and it should not be retained.”
Even if the collection of biometric data passes the legal test, there are a number of ethical questions employers must ask themselves. “We need to recognise that people can change their names, passwords, phone numbers, addresses and other identifiers, but have little scope to change attributes such as fingerprints or DNA,” says Arnold.
“HR managers and other executives also need to acknowledge that some people, correctly or otherwise, have sensitivities regarding particular biometrics.” For example, they associate fingerprint registration with crime or worry that retina scanning will damage their eyes.
That said, you could restrict access to an employee or contractor who refused to remove a full-face covering for a facial recognition scan, says Arnold. “Discrimination law accommodates the need in many circumstances to be able to determine that a person is who she/he claims to be.”
Open to error
What would happen if your gait was the authenticating biometric and one day you decided to wear high heels – or perhaps copped a leg cork from a footy match? Would you still be let in?
“We don’t know yet,” says Goldenfein. “While these technologies are pretty good, they’re certainly not perfect.”
Whatever the case, employers will need to ensure employees can be granted access if the system cannot include them.
Arnold says, for example, if your organisation relies on retina scanning for access to a building, there would need to be arrangements for a person with an ‘unreadable’ retina.
When it comes to voice recognition software, Walsh presents one of the more interesting cases, because he is a twin.
“Voice recognition software has been easily spoofed by twins. My twin will have access to all the buildings that I will have access to. Of course, I trust my twin brother with my life, so I’m not really concerned.”
But it does expose the fact that biometrics is open to security breaches of all kinds.
Human nature being what it is, and storage systems not being infallible, “there will almost certainly be data breaches,” says Byrnes.
“Employers not only need effective regimes for the storage and protection of that data, but also a plan in case there is a breach of security,” he says.
Goldenfein says the new mandatory data breach laws will hopefully give people a bit of a push to ensure they have adequate security measures in place “because now there are greater consequences for allowing those breaches to occur”.
Goldenfein says that, all in all, employers considering using biometric data should really think about what they want to use it for and whether this kind of identification process is necessary.
“It will impose additional obligations and costs. You have to make sure it’s worth paying for the additional level of security that gives you,” he says.
“Some biometric technologies are oversold,” says Arnold. “They don’t perform as well as claimed by vendors, and real-world costs are under-recognised.”
Nevertheless, indications are that acceptance of biometric authentication is growing. Public opinion surveys conducted over the past five years in the US illustrate that a large percentage of people are comfortable with the use of biometric data in places of high security, or for altruistic purposes. And the more people are exposed to biometric technology, the greater that acceptance is likely to become.
This article originally appeared in the June 2018 edition of HRM magazine.