The Internet Freedom Festival, 2018 was held in Valencia, Spain from 5 to 9 March.

Each year, the IFF brings together those who defend digital rights around the world – journalists, activists, technologists, policy advocates, digital safety trainers, and designers – in support of the following core goals:

 1. Create an inclusive space and cultivate an atmosphere of trust for the Internet Freedom Community to pool resources, share knowledge, and network.

2. Increase the diversity of the Internet Freedom community by engaging perspectives from a variety of backgrounds brought by under-represented groups.

3. Collectively improve the services, strategies, and tools offered to the most vulnerable individuals on the frontlines by mapping censorship, surveillance and access obstacles faced in different regions in the world .

SFLC.in organised a panel discussion at the annual forum on March 7, 2018. The session was titled “Privacy and Data Protection in the Age of Biometrics”. Panelists were: Cathleen Berger (Mozilla), Katitza Rodriguez (Electronic Frontier Foundation), Lucy Purdon (Privacy International), Gbenga Sesan (Paradigm Initiative), Prof. K.S Park (Open net Korea) and Priyanka Chaudhuri (SFLC.in). The discussion was held under Chatham House rules.

The discussion focussed on the challenges of using biometrics identifiers as it is rapidly becoming the most preferred kind of technology across Governments, industries and applications.

Some of the points that were covered were:

  • Purpose of biometrics enabled national identity systems: Panelists discussed biometrics identity systems in India, Nigeria, Kenya, Pakistan and Britain, particularly, Aadhaar, biometric voter registration in Nigeria, National Identity Register in UK, Pakistan’s Data Protection Bill, 2005. Panelists also touched upon the fact that digital identities don’t necessarily include biometrics, but are often conflated because of different narratives emphasizing increased security.

  • Privacy implications related to using biometrics technology and the various reasons behind using the technology, considering it is not foolproof and like any other database, is vulnerable to hacking: Panelists agreed that the starting point of any technological development should be ‘individual empowerment.’ The usual logic adopted for using biometrics technology is that an individual’s biometrics are unique, immutable and therefore the technology is foolproof and secure. Panelists expressed that that is not completely true. Infact, use of biomerics technology is a huge violation of privacy and can also be used as a tool for mass surveillance. Panelists also discussed the motivations for the recent wave of biometrics data capture by Governments and emboldened private businesses, including fear and control. It was also discussed how this is done without privacy or data protection laws or with deliberate attempts at creating laws around established intentions.

  • Use of specific biometrics technology like facial recognition: Panelists were of the view that accuracy of facial recognition decreases significantly due to variations in pose, expression, resolution and illumination. It was also raised that facial recognition leads to high rate of false positives (system identifies someone as a suspect even though they are innocent) and false negatives (system doesn’t recognize someone even though their picture is in the database). Criminal mugshot or facial recognition databases generally produce “ranked results” rather than IDs. Additional privacy challenges that came up were: facial recognition can be captured covertly, from a distance, in a public space and on a mass scale.

  • Function creep and solutions in law and policy before implementing a biometrics enabled system: Panelists highlighted that data protection laws should have an anti-function creep clause to prevent potential invasion of privacy. A panelist explained that like all identification schemes, biometric identification also suffers from a phenomenon what called “Paradox of Trust”: the more trustworthy an identification scheme you try to build, the less trustworthy it becomes.