Digital Ethics for Biometric Applications in a Smart City

From border control using fingerprints to law enforcement with video surveillance to self-activating devices via voice identification, biometric data is used in many applications in the contemporary context of a Smart City. Biometric data consists of human characteristics that can identify one person from others. Given the advent of big data and the ability to collect large amounts of data about people, data sources ranging from fingerprints to typing patterns can build an identifying profile of a person. In this article, we examine different types of biometric data used in a smart city based on a framework that differentiates between profile initialization and identification processes. Then, we discuss digital ethics within the usage of biometric data along the lines of data permissibility and renewability. Finally, we provide suggestions for improving biometric data collection and processing in the modern smart city.


INTRODUCTION
A biometric trait is a measurable characteristic of a human person. This characteristic differs sufficiently from person to person that it can be harnessed toward the identification of an individual [1]. There are generally two broad categories of biometric traits: physiological and behavioural traits. Physiological characteristics of the human body, such as fingerprints and facial features, are universal human characteristics that are present and nonrenewable throughout a person's lifetime. Behavioural traits, such as voice and writing style, provide some information about individuals but are usually renewable and might not have a sufficiently high variance to differentiate two individuals [2, 3].
Smart cities have a network of interconnected devices that access, store, and transmit personal information [4]. Biometric traits provide a wealth of data to drive smart-city applications in the following areas: identification, authentication, surveillance, and personalization. Physiological characteristics such as fingerprints and palm prints are commonly used in forensics and crime-scene investigations to identify suspects [5]; and facial features are used in user authentication in smartphones [6]. Behavioural traits like gait patterns are used during surveillance by law enforcement agencies [7]; and voice patterns and modulation are used in personalization of smart-home voice-controlled devices like Siri [8].

BIOMETRIC DATA TRAITS FOR SMART CITY APPLICATIONS
With big data technology, almost any characteristic that can be harvested from a human can be used to form identification patterns to build a profile for a human [9]. A pattern-of-life formulation, essentially the formation of patterns from sufficient data points of a particular trait of a human, lets each type of collected data act as a biometric characteristic for the identification of a human. For example, a sole fingerprint can identify a person, and so can gait patterns made up of many data points of a person's walking speed, stride, and timing of walk. In fact, in this digital social media age, even the online posting time and the posting language used can aid in distinguishing a person; this idea is harnessed by classifying automated and human accounts on social media through their temporal and linguistic properties [10].
A biometric application operates in two key stages: initialization and identification. At initialization, the biometric trait is measured from the human and transformed into a machine-readable format (i.e., vector or image) for storage within a database. At the identification stage, the same biometric trait is measured from the target human, converted into a machine-readable format, then compared against the other stored templates within the database before reporting the person's identifier if found [11]. In the context of data required, we can then characterize biometric traits by the two key stages in a biometric application: in terms of the amount of data required for initialization and identification. The ideal biometric trait is one that requires a low amount of data for both stages. Such examples are fingerprints and iris, and therefore they are most commonly used for critical applications such as border access control identification.
Adapting the biometric trait classification put forth by Raju and Udayashankara [3], Table 1 profiles several human traits, segregating the human body into six different regions (hand, facial, ocular, medico-chemical, behavioural, soft), and profiles the amount of data required for initialization and identification (high/low) along with examples of biometric applications in a smart city. We note that soft biometrics like gender and hair colour are insufficient by themselves in distinguishing people due to their lack of uniqueness; more than one person can have the same trait. They are usually used to supplement traits obtained from other regions [11].

DIGITAL ETHICS IN BIOMETRIC DATA
We look at digital ethics in biometric data collection and usage through the frame of two attributes: the permissibility of data collection during the initialization stage and the renewability of the biometric trait at the identification stage.
Ethical biometric data collection for smart cities should ensure that the information gathered during the initialization stage of an application is permissible by having data subjects provide consent before their data is harvested. A permissible trait requires specialized equipment and the physical presence of the person to harvest the data; a non-permissible trait means the data can also be harvested via observations. Data collected from non-permissible traits through observations can infringe on a person's privacy as no explicit consent is given. The right to privacy is one of the fundamental rights of human beings set out in the Universal Declaration of Human Rights [19]. Data collection through observation, such as harvesting people's gait or typing patterns, can often be used to identify individuals. This is not only limited to the physical space. A person's digital presence and profile can also be tracked through posts, images, and friends' information from social media platforms. A person's personal profile and temporal and spatial movements should be kept private and surveyed with a proper warrant [20]. Biometric data that has been exposed to consumer technologies can be passed without the knowledge or consent of consumers to third parties. Several companies, such as Amazon Ring and Family Tree DNA, have passed on their consumer data to law enforcement agencies without prior consent from their customers [21, 22]. Ethical biometric data collection should involve an opt-in process for people to allow biometric applications to harvest and store a template of their traits, and explicit consent should be obtained from application users before information is passed on to other entities. Regulations such as the Biometric Information Privacy Act (BIPA) have been developed to aid in this aspect. The BIPA requires private entities to have a written policy on the purpose and the time period the data is kept and to obtain written consent from the application users [23]. The General Data Protection Regulation imposes tough obligations such as the mandatory performance of privacy impact assessments and the requirement for user consent for biometric applications [24].
[Table 1 entry, example applications: ancillary information for forensic evaluation [18], smart home personalization [4].]
At the identification stage of a biometric application, the application used to identify a person should not rely solely on non-renewable biometric traits, for if that trait is stolen, then a person's identity is stolen as well. A renewable trait means the trait can be changed across time; a non-renewable trait means that it does not change throughout a person's lifetime. Examples of non-renewable traits are fingerprints and palmprints; and that of renewable traits are gait and writing style. Should a person's fingerprint be lifted off a surface and a mould made of it, the person's identity can be impersonated to fool fingerprint-based authentication devices. Instead, the identification should rely on both renewable and non-renewable data sources to ensure accurate identification, since such a combination is less likely to be impersonated. The combination of a fingerprint and a behavioural trait like gait is less likely to be accurately impersonated and thus allows the person to preserve his identity. Renewable biometric data templates thus preserve a person's identity and make the system less prone to identity theft [25].
Table 2 profiles the biometric data traits analysed in the previous section and sets out their permissibility and renewability factors. Most physiological traits are generally permissible and require the presence of the data subject for data collection to happen. The person needs to be physically present for the biometric application to capture his fingerprints or iris information at the initialisation stage. Some, though, like facial features, can be non-permissible, because they can be extracted from observed images through computer vision algorithms. Behavioural traits generally require high amounts of data for initialisation and a long period of data capture and can be obtained through observation of images or video feeds. Thus, these traits are generally non-permissible. While consent can be explicitly given, biometric data such as gait patterns can be harvested from prolonged observation of an individual. Physiological traits that are derived from the hand, face, ocular and medico-chemical regions are non-renewable, as these traits are not consciously controlled by a person and will remain with the person for life. If these traits require low data for identification, once exposed, they can make a person prone to identity theft or misidentification. Behavioural traits are renewable as they can be consciously altered and do change over a person's lifetime or lifestyle. For example, while a person's writing style can remain relatively constant for a short period of time, it can change through external influences like attending writing classes.
However, requiring consent for permissible and renewable data traits results in security application tradeoffs. Requiring consent prior to data collection is a trade-off with security: those with bad intentions may not be captured within the databases as they opt out of the data collection; therefore, security systems will not have a record of their biometric traits and will be unable to identify them. A fine line must be drawn between regulating the permissibility of biometric data collection through consent, protecting citizens' privacy as data subjects and security through identification and surveillance using biometric traits. Using renewable behavioural traits means that one's behaviour can be obfuscated or mimicked through deliberate changes, which causes one profile to look similar to another, resulting in false positive hits from the application or inconclusive results. Therefore, multiple traits need to be used to increase identification accuracy. There are several multimodal biometric applications that have been developed that combine renewable and non-renewable data sources, e.g., face features and speech [3], fingerprint and voice [26], face features and gait [27].
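The two stages described earlier (initialization and identification) and the case for pairing a non-renewable trait with a renewable one can be sketched as follows. This is an added example, not code from the article: the cosine-similarity matcher, the 0.95 threshold, the rule that every required trait must match, and all feature vectors are constructed assumptions.

```python
import math

THRESHOLD = 0.95  # assumed match threshold, not taken from the article

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class BiometricStore:
    def __init__(self):
        self.templates = {}  # person_id -> {trait_name: feature vector}

    def enrol(self, person_id, trait, vector):
        """Initialization stage: store (or renew) the template for one trait."""
        self.templates.setdefault(person_id, {})[trait] = list(vector)

    def identify(self, probe, required_traits):
        """Identification stage: 1:N search; every required trait must match."""
        best_id, best_score = None, 0.0
        for person_id, stored in self.templates.items():
            if not all(t in stored and t in probe for t in required_traits):
                continue
            # The weakest trait decides, so one copied trait is not enough.
            score = min(cosine(stored[t], probe[t]) for t in required_traits)
            if score >= THRESHOLD and score > best_score:
                best_id, best_score = person_id, score
        return best_id

def demo():
    """Constructed vectors: a genuine sample, a copied fingerprint, a leaked gait."""
    store = BiometricStore()
    store.enrol("alice", "fingerprint", [0.9, 0.1, 0.4, 0.7])
    store.enrol("alice", "gait", [1.2, 0.8, 0.5])
    store.enrol("bob", "fingerprint", [0.2, 0.9, 0.6, 0.1])
    store.enrol("bob", "gait", [0.4, 0.5, 1.5])
    genuine = {"fingerprint": [0.88, 0.12, 0.41, 0.69], "gait": [1.18, 0.83, 0.52]}
    # Copied fingerprint presented together with someone else's gait.
    copied = {"fingerprint": [0.9, 0.1, 0.4, 0.7], "gait": [0.6, 1.4, 0.9]}
    leaked = {"fingerprint": [0.9, 0.1, 0.4, 0.7], "gait": [1.2, 0.8, 0.5]}
    both = ["fingerprint", "gait"]
    out = {"genuine_both": store.identify(genuine, both),
           "copied_fingerprint_only": store.identify(copied, ["fingerprint"]),
           "copied_both": store.identify(copied, both),
           "leaked_before_renewal": store.identify(leaked, both)}
    # Renewal: both templates leaked, but only the gait can be enrolled anew.
    store.enrol("alice", "gait", [0.5, 1.3, 1.1])
    out["leaked_after_renewal"] = store.identify(leaked, both)
    return out
```

Calling `demo()` shows that the fingerprint-only check accepts the copied template, the two-trait check rejects it, and re-enrolling the renewable trait invalidates a leaked pair of templates.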

Table 1. Characterization of the Types of Biometric Data Traits

Table 2. Permissibility and Renewability of Biometric Data