The cyber-panopticon? Regulating the circulation of biometric data in the information society

Ryan Yevcak
Faculty of Law, McGill University

May 15, 2020

As my colleague Simcha Walfish brought out in his Probe called “Sensing Migrants” (1 May 2020), digital surveillance is ubiquitous in today’s society. The panopticon of the nineteenth century, a physical structure, has morphed into a cyber-panopticon for the twenty-first century, with individuals ostensibly free to move about and go wherever they want while every bit of information about them (their movements, purchases, communications) is stored in the so-called cloud. It is useful to recall the lineaments of the original model. Bentham’s design for the panopticon consists of a central tower surrounded by cells in a circular design permitting the guard positioned in the tower to see into each individual cell; the cellmates, by contrast, are unable to see the guard and therefore come to assume that they are under observation at all times. Specifically, it is the individual’s perception of being subject to constant surveillance that acts as a self-control mechanism.

While primarily associated with the prison, Bentham envisioned his model to be applicable to all sorts of situations, such as workhouses and schools. It is doubtful whether he could have imagined how ubiquitous surveillance has become in the information society, which has replaced prison walls with networks of data. Complex issues having to do with the clash between privacy and security have arisen as a result of these developments, and there is an urgent need to sort out questions having to do with their regulation, as we shall see.

Today, state surveillance is undertaken by different levels of government or governmental agencies with the extent of legally permissible monitoring dependent upon the corresponding nation’s laws.^[1] Surveillance can be divided into mass and targeted surveillance. Mass surveillance is “not targeted on any particular individual but gathers images and information for possible future use” while targeted surveillance is “directed at particular individuals and can involve the use of specific powers by authorised agents.”^[2] Technology plays an important role in surveillance. Over the years, the use of closed-circuit television (CCTV) and data monitoring has become standard with both private and public agents employing these instruments. In addition to CCTV, other means of surveillance include communications monitoring, targeted equipment interference (e.g. hacking into devices) and bulk data retention, amongst other measures.^[3]

Amongst the forms of surveillance, I will focus on the use of biometrics, and specifically the use of biometrics for immigration purposes. Biometrics can be divided into the recognition of physiological and behaviourial traits. In relation to the senses, it is predominantly sight and touch that are used for identification purposes with hearing being indirectly used as a means of communication.^[4]

For sight, iris and facial recognition are done via computer technology which matches the source with a stored image in a database; facial recognition can also be done without technology by verifying a printed photo, such as in a passport, with the physical person. The physical photo falls under the 2D-method with the 3D-method, or full-face scan, slowly increasing in use. The 2D facial-recognition method has been the most frequently used as it is highly secure, inexpensive and non-invasive.

With regard to touch, the dactylographic, or fingerprint, method is considered useful due to the pattern to the ridges in the skin of each individual’s fingers being unique. Fingerprints are now commonly registered or “digitized” via a 3D scanner. A palmprint follows the same logic but using the palm region of a hand requires a larger reader to capture this area. Dactylographic scans are being increasingly used for immigration visas to verify the identity of the person upon arrival at first port-of-entry and subsequently.

Besides general communication, voice is another unique characteristic of humans and voices have more than 100 separate characteristics. However, this method requires a numerical model process to analyse, assess and finally identify the speaker. Different spoken records must be registered and the time-process for both registration and verification, in addition to cost, make it a less popular method.^[5]

DNA is another method; however, due to the time required, it is usually reserved for criminal or health/medical procedures. DNA can be captured through a variety of sources such as hair, fingernails, saliva, masticated food, sweat, or blood, and is the one biometrics capturing method that can cover all senses. On this note, it is probably the only method in current use which could involve the sense of taste. Again, for the purposes of immigration and highly-trafficked areas where biometrics are in use, DNA testing cannot be done in real time as the sample must be sent to a laboratory for analysis, and is much more invasive than the measures discussed above.^[6]

Another unique characteristic of humans is their individual odour/scent. There has been technology developed to create electronic or artificial noses which is a modelled on the olfactory recognition system of humans.^[7] The technology uses a sensing system as well as a pattern recognition system to evaluate the concentration of the odour sample. The collection of individuals’ odours is more strenuous and the system calculates only a percentage of the concentration, so it is not the most reliable or accurate method of ensuring a unique identification.

With the progressive strengthening of human rights regimes, a tension has emerged between the claims to rights of privacy and other civil and political rights and freedoms exercised by individuals and the arguments used by states to justify surveillance, such as crime prevention, national security and combatting terrorism.^[8] The global surveillance disclosures, led by Edward Snowden, in 2013 underscored the tension between an individual’s right to privacy and the extent of permissible action under the exemption of national security. For the scope of this probe, I wish to make the link between knowledge, biometric data and access to data.

The public’s increased awareness of global surveillance in addition to recent campaigns for transparency and accountability led to a revision of the original Data Protection Directive of 1995.^[9] Legislation has been introduced to allow members of the public access to data. One headline-grabbing development in the European Union has been the implementation of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.^[10] Its main purpose is to grant persons control over their personal data and to harmonise the data regulatory measures.

I raise the specific case of biometric data, a source of information increasingly used by states – specifically immigration authorities – to identify, record and track non-nationals entering the host nation. An increasing number of states require the submission of biometrics to obtain a visa (travel permission) to visit, reside or work within their borders. In regard to access to data, individuals who have submitted their biometrics have generally not had a choice in granting their personal data, relinquishing their right to privacy to national authorities.^[11] In terms of cybersecurity and technology, I argue that these regulatory measures directly gain access to certain aspects of our senses, in an intimate and potentially troubling fashion.

In respect to reconciling the human rights and fundamental freedoms against states’ concerns for national security, EU Justice and Rights Commissioner, Viviane Redding, around the time of the debates before the passing of the General Data Protection Regulation, stated: “the question has arisen whether the large-scale collection and processing of personal information under US surveillance programmes is necessary and proportionate to meet the interest of national security.”^[12] On this note, the European Court of Justice upheld and legitimated the fundamental rights of respect for private life and protection of personal information as more important than security concerns in relation to data retention.^[13] Specifically, the Court reasoned that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”^[14] There has been a growing asymmetry between the judiciary’s recognition of individuals’ fundamental rights to privacy and a right to private life against the government’s claims for increased surveillance on the grounds of national security.

The link between personal data and surveillance is ever-closer as advances in technology will continue to maximise the relations between traditional methods of surveillance and bulk data monitoring. For the purposes of the GDPR, article 4(14) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behaviour characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, digital signature or dactyloscopic data”.^[15]

In relation to the exemptions stated within the GDPR, the Regulation does not apply to the processing of personal data for national security activities, granting individual member states a large range of discretion in relation to what can be considered to fall within the ambit of “national security”.^[16] To directly transpose the regulation into domestic legislation, the UK passed the Data Protection Act 2018. Section 26 of this legislation grants a national security and defence exemption.^[17] Claude Moraes, Labour Member of the European Parliament, raises concern in his opinion piece about how the measure would “proportionately interfere with the fundamental rights of non-nationals resident in the UK.”^[18] He specifically warns about the clause which could potentially bar the rights of non-nationals subject to an immigration procedure to request or access personal information and data held by public authorities.^[19] Such withholding prevents an individual from being able to know the information held about them and this compromises their ability to respond to charges in the context of an administrative dispute. And it is not only the levels of data protection required on a domestic level that are at issue, since the provision could also extend to the government being legally able to disregard “the adequate levels of protection required for the exchange of personal data between the UK and other EU and third-country states.”^[20]

Finally, the asymmetrical power relationship between individuals who are non-nationals and the nation-state brings us back to the model of the panopticon. These individuals are subject to constant surveillance by governmental authorities as information about their natural person is permanently stored and inaccessible to them: the central tower has changed to the virtual cloud and high-security data centres. Philip Schofield, professor of the History of Legal and Political Thought and Director of the Bentham Project at University College London, underscores the action of central inspection and states, “monitoring electronic communications from a central location, that is panoptic”.^[21] He goes on to draw out the parallels between the physical structure of the panopticon and modern-day CCTV cameras which populate street corners, building entrances and other public spaces. State surveillance, however, goes beyond CCTV cameras as communications monitoring and biometrics exemplify the extent to which nearly all actions may be monitored from any location, thereby either increasing or decreasing, dependent upon the individual, the constant awareness of being directly watched. Cyber surveillance is an intangible presence that has insinuated itself into virtually every corner of life in the information society.

Further Reading:

The University College London “Panopticam” Project as part of UCL’s Bentham Project: http://blogs.ucl.ac.uk/panopticam/

Paul Sillers, “Airport Biometrics: How New Customs Technology is Going to Make Security Queues a Thing of the Past” in The Independent (30 June 2017): https://www.independent.co.uk/travel/news-and-advice/airport-biometrics-trial-face-recognition-klm-brisbane-sita-a7813271.html

Thomas McMullan, “The power of privacy: what does the panopticon mean in the age of digital surveillance?” in The Guardian 23 July 2015, accessed at: https://www.theguardian.com/technology/2015/jul/23/panopticon-digital-surveillance-jeremy-bentham 

Notes: 

1. It should be noted that private organisations and corporations also carry out a large amount of surveillance, in the form of data collection and monitoring. ↑
2. House of Lords Select Committee Report (UK Government), “Surveillance: Citizens and the State” (21 January 2009) at paras 24-25, accessible via:https://publications.parliament.uk/pa/ld200809/ldselect/ldconst/18/1802.htm ↑
3. The different mediums and the levels of surveillance will vary in each country. Surveillance and data collection are also used by government agencies such as Public Health England to monitor, surveil and develop strategies to contain infectious diseases. For more information on the health sector, consult Public Health England’s guidance document “Public Health England: approach to surveillance” published 13 December 2017, accessible at: https://www.gov.uk/government/publications/public-health-england-approach-to-surveillance/public-health-england-approach-to-surveillance#background-and-context. Similarly, the Public Health Agency of Canada enumerates the various surveillance programmes undertaken at https://www.canada.ca/en/public-health/services/surveillance.html ↑
4. For types of biometric identifiers see Aleksandra Babich, “Biometric Authentication: Types of biometric identifiers” (2012) University of Applied Sciences, Haaga-Helia (Finland), accessible at: https://www.theseus.fi/bitstream/handle/10024/44684/Babich_Aleksandra.pdf. ↑
5. Supra, note 6 at page 46. ↑
6. Supra, note 6 at page 27. ↑
7. Supra, note 6 at page 38. ↑
8. The Investigatory Powers Tribunal (UK) held that “British security agencies have secretly and unlawfully collected massive volumes of confidential personal data… without adequate safeguards or supervision. The tribunal said the regime governing the collection of bulk communications data failed to comply with article 8 protective the right to privacy of the European Convention of Human Rights,” note accessed at: https://web.archive.org/web/20161018003035/https://www.theguardian.com/world/2016/oct/17/uk-security-agencies-unlawfully-collected-data-for-decade. ↑
9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on protection of individuals with regard to the processing of personal data and on the free movement of such data, accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046. ↑
10. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 ↑
11. See specifically, Article 8 of the European Convention on Human Rights – Right to respect for private and family life: https://www.echr.coe.int/Documents/Convention_ENG.pdf ↑
12. Commissioner Viviane Reding quoted in Ian Traynor, “NSA surveillance: Europe threatens to freeze US data-sharing arrangements” published in The Guardian 26 November 2013, accessible at: https://www.theguardian.com/world/2013/nov/26/nsa-surveillance-europe-threatens-freeze-us-data-sharing ↑
13. The CJEU declared the Data Retention Directive to be invalid in their judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others. The court recognised the utility and purpose of data retention to safeguard public security, however they stated that overall, the Directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary”, accessed at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf ↑
14. Ibid. accessed at https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf ↑
15. Supra, note 13.: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 ↑
16. See specifically GDPR Chapter I, clause 16, supra note 13: “This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security.” ↑
17. Section 26(1) of the Data Protection Act 2018: “A provision of the applied GDPR or this Act mentioned in subsection (2) does not apply to personal data to which this Chapter applies if exemption from the provision is required for — (a) the purpose of safeguarding national security, or (b) defence purposes.” The Data Protection Act 2018 is accessible at: http://www.legislation.gov.uk/ukpga/2018/12/section/26/enacted ↑
18. Claude Moraes, “New UK data protection rules are a cynical attack on immigrants” in The Guardian 5 Feb 2018: https://www.theguardian.com/commentisfree/2018/feb/05/brexit-data-protection-rules-immigrants. ↑
19. Supra, note 20: Section 26(1) of the Data Protection Act 2018. ↑
20. Supra, note 21. ↑
21. Professor Philip Schofield quoted in Thomas McMullan, “The power of privacy: what does the panopticon mean in the age of digital surveillance?” in The Guardian 23 July 2015, accessed at: https://www.theguardian.com/technology/2015/jul/23/panopticon-digital-surveillance-jeremy-bentham ↑