By utilising unique physical attributes, such as fingerprints and facial and iris scans, biometric technology helps construct an unforgeable digital identity (ID) that enhances accuracy in identification. Governments worldwide have increasingly adopted biometric ID systems for this purpose; however, this has faced scrutiny, with many critics citing events unfolding in Afghanistan to underscore the technology’s most pressing threats.
While an unusual and unique circumstance, the collapse of the Islamic Republic of Afghanistan under President Ashraf Ghani and the reinstatement of the Islamic Emirate of Afghanistan under the Taliban allowed the Taliban to access American devices that store biometric information of Afghan citizens. This has since enabled the Taliban to crack down on political opponents and dissenters.
The severe adverse consequences of biometric technology, as seen in Afghanistan, necessitate a comprehensive framework that encapsulates risks and mitigation measures before the technology is deployed.
Artificial Intelligence (AI) Risk Management Framework
The National Institute of Standards and Technology’s (NIST’s) AI Risk Management Framework, which assesses the severity and probability of risks linked to technology deployment, can be adapted to evaluate biometric technology. Risks are evaluated based on severity, categorised as high, moderate, or low, and then assessed for the likelihood of the risk materialising on the same scale. Subsequently, depending on their placement on the risk spectrum, additional mitigation strategies may be necessary to minimise the risks of technology deployment.

[Figure omitted. Source: Bloomberg Law]
Severity of harm of biometric technology
Biometric technology’s greatest benefit—the creation of robust identity systems—is synonymous with its most significant risk. While unique physical attributes make forging identities difficult, biometric information is inherently identifiable. Even without accompanying details like names or locations, individuals photographed, fingerprinted, or iris scanned can be accurately identified. For instance, Taliban soldiers stopped a bus in Afghanistan’s Kunduz province and conducted biometric scans of the passengers. Those identified as part of the Afghan National Defence Force were targeted and killed. Because of the quality of information stored in biometric databases, a data breach of the system by ill-intentioned actors would threaten individual safety and security; thus, the severity of risk with the deployment of biometric technology is “high” according to the Risk Management Framework.
Probability of harm of biometric technology
The likelihood of this risk materialising, however, is more complex to gauge, as it is largely context-driven. It hinges on factors such as the probability of entities with access to the data misusing it or the likelihood of a system-wide data breach. In the context of Afghanistan, the likelihood of the Taliban assuming power once the U.S. withdrew its troops was fairly high, which heightened the risk of data misuse. In countries with stronger democratic institutions, which hold public officials accountable, the likelihood of data misuse is presumably lower. Thus, based on the Risk Management Framework, the likelihood of risks materialising due to the deployment of biometric technology cannot be generalised, but instead needs to be evaluated based on the specific country context.
Mitigation measures
In the deployment of biometric technology, the severity of harm in the event of a data breach or data misuse remains high. Mitigation strategies can be implemented to prevent these risks from materialising and to keep data misuse to a minimum.
Biometric-Privacy Enhancing Technologies (B-PETs)
Specific privacy enhancing technologies (PETs) can be used in biometric recognition systems to protect the stored biometric data. Implementing them could decrease the likelihood of individuals being recognised from biometric data while maintaining the utility of this data. The main privacy requirements for B-PETs are listed below:
- Irreversibility: A hashing algorithm, which is a mathematical function that garbles data and makes it unreadable, would ensure that an output cannot be traced back to its input. Consequently, irreversibility considerations would safeguard the biometric database, because even if breached, attackers would have trouble making sense of the data accessed. For instance, in a security question, if an individual was asked the name of their mother, the hashing algorithm could store the answer as, “82b000ghyda128,” stripping the answer of its meaning.
- Unlinkability: This consideration would necessitate separating different forms of biometric data, which would make it difficult to determine whether different representations of biometric data belong to the same individual or not. Such an approach would limit the amount of data attackers gain access to, even in the event of a data breach.
- Privacy of soft-biometrics: Extraction of soft biometric attributes, such as skin or hair colour and height or weight, from biometric data for purposes other than the reasons for collection of data should be prevented.
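The irreversibility and unlinkability requirements above, as an added example that is not part of the original article: because two captures of the same finger or face never yield identical features, a plain hash cannot be matched, so the sketch swaps in a keyed sign-of-random-projection transform, a technique the article does not name. The feature vectors, database keys, template length and match threshold are all constructed for illustration.

```python
import hashlib, hmac, random

BITS = 256  # length of the protected template (assumed value)

def plain_hash(features):
    """Naive approach: hash the quantised feature vector directly."""
    return hashlib.sha256(repr([round(f, 2) for f in features]).encode()).hexdigest()

def protect(features, db_key, bits=BITS):
    """Store only the sign of `bits` key-derived random projections.
    Magnitudes are discarded, so the mapping is many-to-one."""
    seed = hmac.new(db_key, b"projection-seed", hashlib.sha256).digest()
    rng = random.Random(seed)  # same key -> same projections
    template = []
    for _ in range(bits):
        dot = sum(rng.gauss(0, 1) * f for f in features)
        template.append(1 if dot > 0 else 0)
    return template

def distance(a, b):
    """Fraction of differing bits between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(a, b, threshold=0.25):
    return distance(a, b) < threshold

def capture(person_seed, noise_seed=None, dim=64):
    """Constructed stand-in for a feature extractor (not real biometric data)."""
    base = random.Random(person_seed)
    feats = [base.gauss(0, 1) for _ in range(dim)]
    if noise_seed is not None:  # a re-capture is never bit-identical
        noise = random.Random(noise_seed)
        feats = [f + noise.gauss(0, 0.1) for f in feats]
    return feats

def demo():
    enrol, probe, other = capture(1), capture(1, noise_seed=99), capture(2)
    key_a, key_b = b"constructed-key-database-A", b"constructed-key-database-B"
    return {
        # A plain hash fails on the noisy re-capture of the same person.
        "plain_hash_matches": plain_hash(enrol) == plain_hash(probe),
        # The protected template still matches the same person...
        "same_person": matches(protect(enrol, key_a), protect(probe, key_a)),
        # ...and rejects a different one.
        "other_person": matches(protect(other, key_a), protect(enrol, key_a)),
        # Unlinkability: the same person under two keys looks unrelated (~0.5).
        "cross_db_distance": distance(protect(enrol, key_a), protect(enrol, key_b)),
    }

if __name__ == "__main__":
    print(demo())
```

Issuing a new key for a database also revokes a leaked template, but the protection holds only while the per-database keys are stored separately from the templates.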
Recognising the risks associated with deploying technologies and ensuring their safe implementation through mitigation strategies are crucial steps to fully harnessing the benefits of the specific technology and safeguarding against misuse. If biometric technology is not deployed in a safe manner, its implementation could exacerbate the very issues it aims to address, as seen in the Afghanistan case.
Conclusion
The Risk Management Framework will help highlight the existence and extent of risks, encouraging policymakers to evaluate longer-term effects associated with the technology, while the mitigation strategies through specific privacy enhancing technologies will help decrease the likelihood of the risks materialising.
In practice, however, implementing biometric technologies also requires taking into consideration the benefits the deployment of the technology would bring. This tradeoff – the risks balanced against the potential benefits of deploying biometric technology – cannot be navigated with these frameworks. The decision to deploy is context-specific and should be resolved in a manner that is both transparent and appropriately justifiable.
