
2023.10.16

Canada: Privacy Commissioner Seeks Comments on Draft Biometrics Guidance (2023.10.11)

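Hello, this is Mitsuhiko Maruyama.

The Privacy Commissioner of Canada has published draft biometrics guidance, one for private-sector organizations and one for federal government institutions, and is seeking comments...

These days airlines, immigration authorities and others use facial recognition at airports and elsewhere, so I suppose it is important to make this area clear...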

 

The Office of the Privacy Commissioner of Canada; OPC

・2023.10.11 Privacy Commissioner seeks input on draft biometrics guidance documents

 

Privacy Commissioner seeks input on draft biometrics guidance documents
The Office of the Privacy Commissioner of Canada (OPC) is seeking input to update guidance for organizations related to handling biometric information for both public and private sector organizations.
Since the OPC’s existing guidance on biometrics was published in 2011, technologies such as fingerprinting, voice identification, facial recognition and even new uses for genetic data have evolved significantly.
“From police use of facial recognition technology to a telecommunications company that did not obtain consent for its voiceprint authentication program, the use of biometrics is surfacing more frequently in our investigative work,” Commissioner Philippe Dufresne says.
“This field is growing at a rapid pace and we recognize the need for guidance to help organizations ensure that they use these technologies in a privacy protective way. This is why we are now reaching out to stakeholders, including the public, for input.”
To that end, the OPC is releasing two draft guidance documents – one of which addresses risks under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, while the other pertains to the Privacy Act, which governs how federal institutions handle personal information.
Stakeholders are invited to provide feedback by January 12, 2024.
Related content:
Draft Guidance for processing biometrics – for organizations
Draft Guidance for processing biometrics – for public institutions
Notice of consultation and call for comments

 

A rough comparison table...

民間組織 連邦政府機関
Draft Guidance for processing biometrics – for organizations Draft Guidance for processing biometrics – for public institutions
Published: 2023 Published: 2023
Target Audience: Private-Sector Organizations Target Audience: Federal Government Institutions
Authority: Personal Information Protection and Electronic Documents Act Authority: Privacy Act
Issued: Office of the Privacy Commissioner of Canada Issued: Office of the Privacy Commissioner of Canada
Status: Public consultation
Status: Public consultation
On this page On this page
Overview Overview
Biometric Technology Biometric Technology
Guidance Guidance
Identifying an Appropriate Purpose Assess the Appropriateness of an Initiative
Consent Consent
Limiting Collection Limiting Collection
Limiting Use, Disclosure, and Retention Limiting Use, Disclosure, and Retention
Safeguards Safeguards
Accuracy Accuracy
Accountability Accountability
Openness Openness
Overview Overview
In today’s digital environment, organizations are looking to facilitate more efficient access to goods and services while adapting to evolving security risks. Biometrics have emerged as one way to achieve this objective by using individuals’ unique traits to identify or authenticate them. They are often viewed as a solution in a world where individuals are increasingly asked to create and remember different passwords, and to prove their identity. There has been increasing interest in using biometrics to deliver faster services to individuals and to more efficiently fulfill mandates.
With the promise of biometrics, however, come serious concerns about privacy. Biometrics are intimately linked to an individual’s body and when used for recognition, are unique, unlikely to vary significantly over time, and difficult to change in their underlying features. These identifiers can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. Challenges with the accuracy of some biometric technologies have also been well-documented, which is of further concern when they are used to make automated decisions about individuals. With the promise of biometrics, however, come serious concerns about privacy. They are intimately linked to an individual’s body and when used for recognition, are unique, unlikely to vary significantly over time, and difficult to change in their underlying features. These identifiers can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. Challenges with the accuracy of some biometric technologies have also been well documented, which is of further concern when they are used to make automated decisions about individuals.
This document provides guidance on organizations’ privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, organizations remain responsible for understanding all of their obligations under applicable laws, regulations, and instruments. For example, the province of Quebec has imposed reporting requirements to the Commission d’accès à l’information du Quebec for processes involving biometric information. This document provides guidance on federal institutions’ privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, institutions remain responsible for understanding all of their obligations under applicable laws, regulations, and instruments.
  The privacy authorities in Canada have jointly issued separate guidance on the use of facial recognition by police agencies.
Biometric Technology Biometric Technology
“Biometrics” refers to the quantification of human characteristics into measurable terms. They are used for recognition and, less commonly, for categorization. “Biometrics” refers to the quantification of human characteristics into measurable terms. They are used for recognition and, less commonly, for categorization.
Biometric recognition: Biometric recognition:
There are three main categories used for recognition: There are three main categories used for recognition:
Morphological biometrics — such as fingerprints; Morphological biometrics — such as fingerprints;
Behavioural biometrics — such as keystroke patterns; and Behavioural biometrics — such as keystroke patterns; and
Biological biometrics — such as DNA. Biological biometrics — such as DNA.
There are three general stages that encompass how biometrics are used to recognize an individual: enrollment, storage, and matching. There are three general stages that encompass how biometrics are used to recognize an individual: enrollment, storage, and matching.
Enrollment: This is the first time an individual’s biometrics are collected. A scanner, sensor, microphone, camera, or other technology is used to capture the biometric. The biometric recording is usually algorithmically converted into a mathematical representation, known as a biometric template. Enrollment: This is the first time an individual’s biometrics are collected. A scanner, sensor, microphone, camera, or other technology is used to capture the biometric. The biometric recording is usually algorithmically converted into a mathematical representation, known as a biometric template.
Storage: The biometrics obtained during enrolment can be stored locally in the operations centre where the enrolment took place (e.g. in a reader) for later use, on a device carried by the individual (e.g. on a smart card), or in a centralised database accessible by one or more biometric systems. Storage: The biometrics obtained during enrolment can be stored locally in the operations centre where the enrolment took place (e.g. in a reader) for later use, on a device carried by the individual (e.g. on a smart card), or in a centralised database accessible by one or more biometric systems.
Matching: A “probe” biometric is collected from the individual, and is usually converted into a template to allow for an automated comparison against the previously enrolled biometric for the purposes of: Matching: A “probe” biometric is collected from the individual, and is usually converted into a template to allow for an automated comparison against the previously enrolled biometric for the purposes of:
Authentication: by matching an individual’s probe biometric to the previously stored sample only (one-to-one comparison) to confirm who they are. Authentication: by matching an individual’s probe biometric to the previously stored sample only (one-to-one comparison) to confirm who they are.
Identification: by cross-referencing an individual’s biometric against a database (one-to-many comparison) to search for who they are. Identification: by cross-referencing an individual’s biometric against a database (one-to-many comparison) to search for who they are.
Many biometric systems use algorithms to perform a number of functions, including to compare two templates together and provide a similarity score. If the similarity score passes the set threshold of the system, a positive match is provided. Such algorithms learn to perform these automated functions through the use of training data, the quality of which can affect the accuracy of the overall system. Many biometric systems use algorithms to perform a number of functions, including to compare two templates together and provide a similarity score. If the similarity score passes the set threshold of the system, a positive match is provided. Such algorithms learn to perform these automated functions through the use of training data, the quality of which can affect the accuracy of the overall system.
Biometric categorization: Biometric categorization:
Biometrics can be used to determine if an individual belongs to a group with a particular shared characteristic. Categorization could be based on the biometric data itself or by drawing inferences from this data. For example, the measurement of physiological responses to certain stimuli, such as pupillometry or micro-expression analysis, may be used to deduce interests or emotions, and assign an individual to a category. Biometrics can be used to determine if an individual belongs to a group with a particular shared characteristic. Categorization could be based on the biometric data itself or by drawing inferences from this data. For example, the measurement of physiological responses to certain stimuli, such as pupillometry or micro-expression analysis, may be used to deduce interests or emotions, and assign an individual to a category.
Guidance Guidance
Identifying an Appropriate Purpose Assess the Appropriateness of an Initiative
Among the first steps you must take when planning your biometric initiative is specifying the purpose you are trying to achieve. You must then evaluate whether the purpose is appropriate in the circumstances. Appropriateness requires a contextual assessment, and it cannot be replaced by obtaining the consent of individuals. Among the first steps you must take when planning your biometric initiative is specifying the purpose you are trying to achieve. You must then evaluate whether the purpose of the biometrics initiative is appropriate in the circumstances, which forms part of the Privacy Impact Assessment (PIA) process that is required for government institutions. Appropriateness requires a contextual assessment, and it cannot be replaced by obtaining the consent of individuals.
To guide this assessment, you should evaluate and adjust the proposed biometric program using the following criteria:Footnote1 To guide this assessment, you should evaluate and adjust the proposed biometric program using the following criteria:Footnote1
Do not use biometrics if you are uncertain that it would be appropriate in the circumstances. If your organization cannot explain how your collection, use, or disclosure of biometrics is rationally connected to a pressing and substantial business goal, the initiative should not go forward. Do not use biometrics if you are uncertain that it would be appropriate in the circumstances. If your institution cannot explain how your collection, use, or disclosure of biometrics is rationally connected to a pressing and substantial public interest goal, the initiative should not go forward.
Sensitivity Sensitivity
Biometrics are a category of sensitive information, but some biometrics may be highly sensitive based on their innately intimate nature and/or the types of harm that could result from their misuse. You should select a suitable biometric modality that presents the least risk to the individual concerned. Biometrics are a sensitive type of information, but some biometrics may be highly sensitive based on their innately intimate nature and/or the types of harm that could result from their misuse. You should select a suitable biometric modality that presents the least risk to the individual concerned.
For example, facial recognition will generally be considered more sensitive than palm-vein scanning, which cannot be passively collected or as easily used to link data about an individual’s activities. For example, facial recognition will generally be considered more sensitive than palm-vein scanning, which cannot be passively collected or as easily used to link data about an individual’s activities.
The sensitivity of personal information, on its own, is not determinative of whether an organization is justified in its collection, use, or disclosure; however, the more sensitive the information, the greater the justification may be required for its collection, use, or disclosure. The sensitivity of personal information, on its own, is not determinative of whether an institution is justified in its collection, use, or disclosure; however, the more sensitive the information, the greater the justification may be required for its collection, use, or disclosure.
Necessity Necessity
Demonstrate that your organization’s biometric program or initiative is necessary to meet a specific, legitimate, and defensible need. Are you using biometrics to resolve a substantial problem, such as to safeguard highly valuable assets or information? Is there evidence of considerable risk to the information? Demonstrate that your institution’s biometric program or initiative is necessary to meet a specific, legitimate, and defensible need. Are you using biometrics to resolve a substantial problem, such as to safeguard highly valuable assets or information? Is there empirical evidence of a problem that biometrics will solve?
Indicate why other non-biometric options, such as two-factor authentication, are not sufficient in your context. Biometrics may not be necessary if your purpose can be achieved without using this type of information. Indicate why other non-biometric options are not sufficient in your context. Biometrics may not be necessary if your purpose can be achieved without using this type of information.Footnote2
If the underlying business or institutional rationale is to increase convenience or enhance customer experience, your biometric initiative is likely inappropriate. For example, biometrics are not necessary to facilitate access to a fitness club for those with a membership. Consider whether your needs are rationally connected to a business goal that is pressing or substantial, and document this clearly.Footnote2 If the underlying institutional rationale is to increase convenience or enhance user experience, your biometric initiative is likely inappropriate. For example, biometrics are not necessary to assess a candidate for a job. Consider whether your needs are rationally connected to an institutional goal that is pressing or substantial, and document this clearly.
Personal information, including biometrics, must never be collected for a speculative or prospective purpose to be determined at a later date. Personal information, including biometrics, must never be collected for a speculative or prospective purpose to be determined at a later date.
Effectiveness Effectiveness
Ensure that the proposed biometric program or initiative will be effective in meeting the pressing and substantial goal identified. There should be a high degree of organizational confidence that the biometric program will be effective and reliable, as a whole. There should be a clear plan of how to measure the effectiveness of the program. Ensure that the proposed biometric program or initiative will be effective in meeting the pressing and substantial goal identified. There should be a high degree of organizational confidence that the biometric program will be effective and reliable, as a whole. There should be a clear plan of how to measure the effectiveness of the program.
The program must be designed to effectively address the issue for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be spoofed or circumvented. The program must be designed to effectively address the issue for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be spoofed or circumvented.
Using biometric technologies for purposes that lack overall scientific validity will not be considered effective and therefore, will be inappropriate. For example, biometric technologies that purport to evaluate the trustworthiness of an individual, identify their mental state, or infer their competencies do not have scientific backing at this time. Using biometric technologies for purposes that lack overall scientific validity will not be considered effective. For example, biometric technologies that purport to evaluate the trustworthiness of an individual, identify their mental state, or infer their competencies do not have scientific backing at this time.
The OPC has identified as a “no-go zone” profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law.  
Proportionality Proportionality
Assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Will the stated purpose be more effectively achieved through biometrics than using a less intrusive option? And is this gain in effectiveness proportional to the increased level of intrusion? For example, using facial recognition would be disproportionate for the general purposes of checking-in to a hotel or maintaining security by indiscriminately extracting biometrics from video surveillance footage of individuals in a retail store. Assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Will the stated purpose be more effectively achieved through biometrics than using a less intrusive option? And is this gain in effectiveness proportional to the increased level of intrusion? For example, it would be disproportionate to indiscriminately extract biometrics from video surveillance footage of individuals in a building lobby.
Behavioural biometrics that rely on the analysis of large amounts of behavioural data are more likely to be disproportionate than using morphological biometrics. Behavioural biometrics that rely on the analysis of large amounts of behavioural data are more likely to be disproportionate than using morphological biometrics.
While the loss of privacy that results from the handling of biometrics is generally high, some biometrics are particularly sensitive and may therefore result in even more significant impacts on privacy. For this loss of privacy to be proportional, the benefits of your biometric program must be commensurately high. While the loss of privacy that results from the handling of biometrics is generally high, some biometrics are particularly sensitive and may therefore result in even more significant impacts on privacy. For this loss of privacy to be proportional, the benefits of your biometric program must be commensurately high.
Ensure that the biometric program is also proportional in its design — meaning it is narrowly scoped with limited actors, as opposed to broad, general, and undefined. Ensure that the biometric program is also proportional in its design — meaning it is narrowly scoped with limited actors, as opposed to broad, general, and undefined.
The implementation of technical and other protective measures is an important factor in mitigating the privacy impacts of using biometrics, but adequate safeguards alone cannot render a collection, use, or disclosure of biometrics appropriate. The implementation of technical and other protective measures is an important factor in mitigating the privacy impacts of using biometrics, but adequate safeguards alone cannot render a collection, use, or disclosure of biometrics appropriate.
Minimal Intrusiveness Minimal Intrusiveness
Assess whether there are less intrusive means of achieving the purpose other than through the collection, use, or disclosure of biometrics. Is there evidence that other, less privacy intrusive means cannot achieve the same objective? A biometric initiative being deemed more convenient than alternatives is unlikely to satisfy this requirement. Assess whether there are less intrusive means of achieving the purpose other than through the collection, use, or disclosure of biometrics. Is there evidence that other, less privacy intrusive means cannot achieve the same objective? A biometric initiative being deemed more convenient than alternatives is unlikely to satisfy this requirement.
For example, biometric categorization can lead to “social sorting” (i.e., associating individual data with social groups and treating them differently), a key aspect of surveillance. Such a purpose is privacy invasive and may be ethically problematic, requiring a strong justification. Further, social sorting may engage legal issues under human rights law, based on discrimination on prohibited grounds. For example, biometric categorization can lead to “social sorting” (i.e., associating individual data with social groups and treating them differently), a key aspect of surveillance. Such a purpose is privacy invasive and may be ethically problematic, requiring a strong justification. Further, social sorting may engage legal issues under human rights law, based on discrimination on prohibited grounds.
What steps can be taken to reduce privacy intrusion as much as possible? Consider whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program. What steps can be taken to reduce privacy intrusion as much as possible? Consider whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program.
The OPC has applied these criteria to biometric initiatives in previous Report of Findings, which may be informative for completing your own assessment of appropriate purposes: The OPC has applied these criteria to biometric initiatives in previous Report of Findings, which may be informative for completing your own assessment of appropriate purposes:
PIPEDA Report of Findings #2022-003 RCMP’s use of Clearview AI
We found Rogers’ VoiceID program, which uses voice biometrics to authenticate account holders who phone Rogers’ customer support line, to be an effective solution to address Rogers’ legitimate need for account authentication and security in the context of the high-threat environment facing telecommunication service providers. The program presented limited identification risks when compared to other biometrics solutions, and was designed with a number of limitations, safeguards, and controls to mitigate privacy impacts. In our joint-investigation into Clearview AI (PIPEDA Findings #2021-001), we determined that the company’s online scraping of images and creation of biometric facial recognition arrays from them represented mass identification and surveillance of individuals. We therefore found Clearview’s purposes to be inappropriate, particularly where they: (i) are unrelated to the purposes for which those images were originally posted; (ii) will often be to the detriment of the individual whose images are captured; and (iii) create the risk of significant harm to those individuals, the vast majority of whom have never been and will never be implicated in a crime.
  Following our investigation, we also found that since Clearview’s personal information collection practices were not compliant with its legal obligations, the RCMP’s subsequent collection of that information fell outside its legitimate operating programs and activities, thus representing a contravention of Section 4 of the Privacy Act.
PIPEDA Report of Findings #2021-001  
In our joint investigation into Clearview AI, we determined that the company’s online scraping of images and creation of biometric facial recognition arrays from them represented mass identification and surveillance of individuals. We therefore found Clearview’s purposes to be inappropriate, particularly where they: (i) were unrelated to the purposes for which those images were originally posted; (ii) would often be to the detriment of the individual whose images are captured; and (iii) created the risk of significant harm to those individuals, the vast majority of whom have never been and will never be implicated in a crime.  
PIPEDA Report of Findings #2008-389  
This investigation examined the collection and use of fingerprint data from participants writing a standardized admission test for law schools, and the findings were centred around questions based in the above criteria. In this case, the use of fingerprint data was found not to be proportional to the benefit gained, and therefore not appropriate.  
Consent Consent
Once you have determined that the purpose of your biometrics initiative is appropriate in the circumstances, you need to assess how to obtain valid consent from individuals. Consent is a foundational element of PIPEDA, and is required for the collection, use, and disclosure of personal information, including biometric information, subject to limited exceptions. Under the Privacy Act government institutions can only collect personal information that relates directly to an operating program or activity of the institution. Obtaining an individual’s consent to collect personal information does not replace or establish authority for the collection of that information.Footnote3
A critical part of obtaining consent is to ensure that individuals have proper knowledge of how your organization will manage their personal information. For consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. Subject to certain exceptions, government institutions must collect personal information directly from individuals wherever possible and inform them of all the purposes for which their personal information is being collected. Therefore, absent the consent of the individual, a government institution should generally not collect biometrics intended to be used for an administrative purpose from other sources, including publicly available ones.Footnote4
  Consent is generally required for uses or disclosures of information if they are for purposes other than those for which the information was originally collected, with some exceptions.Footnote5 Where consent is required, a critical part is to ensure that individuals have proper knowledge of how you will manage their personal information.
You Must: You Must:
  If your biometrics initiative is voluntary to enrol in and you are seeking consent from individuals, you must:
Obtain express, informed, and specific consent: You will almost always need to seek express consent for the collection, use, or disclosure of biometrics, including biometric templates. Express consent involves active rather than passive affirmation on the part of the individual — meaning not taking biometrics from individuals without their explicit knowledge. Obtain express, informed, and specific consent: When relying on consent, you must almost always seek express consent for the use or disclosure of biometrics, including biometric templates. Express consent involves active rather than passive affirmation on the part of the individual, meaning that you should not take biometrics from individuals without their explicit knowledge.
The OPC has developed guidance on obtaining meaningful consent that provides assistance on ensuring that valid consent is obtained. Organizations must convey the consent processes and the related privacy information with user-experience in mind. Consider integrating consent into existing processes, such as enrolment or digital interfaces, as a means of providing specific information on your biometrics initiative in a user-friendly manner. While your biometrics initiative should also be described in your privacy policy, such a description, on its own, would be insufficient to generate meaningful consent.  
Consent processes must explain key elements with potential impact on an individual’s privacy, including: Consent processes must explain key elements with potential impact on an individual’s privacy, including:
  the purpose of the consent;
the type of biometric information collected; the type of biometric information involved;
the purpose for the collection, use, or disclosure of that information; reasons and sources for indirect collection (if any);
the parties to which the data is disclosed; uses or disclosures not consistent with the original purpose if extending scope;
any meaningful risks of significant harm that remain despite the organization’s efforts at risk mitigation. any consequences of withholding consent; and
For example, if an organization is collecting voiceprints from callers to its customer support line, a generic statement like “this call may be recorded for identification purposes” is not acceptable to obtain meaningful consent. any alternatives to providing consent.
Similarly, obtaining consent to collect photos or videos of an individual does not automatically allow you to extract biometrics from such media sources. You must specify the biometric collection, use, or disclosure separately. If you are considering contracting with a private-sector organization, also refer to the Treasury Board of Canada Secretariat’s guidance document “Taking Privacy into Account Before Making Contracting Decisions”. This includes information about the “invasion-of-privacy test”, where the biometrics initiative will be assessed based on the sensitivity of the information, the expectations of the individual, and the probability and potential gravity of injury.
PIPEDA Report of Findings #2022-003
In our investigation of Rogers’s use of VoiceID, we found that the company: (i) undertook the “tuning” process, which involved biometric collection, without first obtaining valid consent; and (ii) had not implemented adequate protocols and associated monitoring to ensure express consent was consistently obtained for enrolment. We further determined that Rogers did not provide a clearly explained and easily accessible option for individuals to opt out of the collection and use of their voiceprint.
PIPEDA Report of Findings #2020-004
In a joint-investigation, we found that Cadillac Fairview (CFCL) used cameras in its directory kiosks at its shopping malls to collect and use images of faces, numerical representations of each face, and an assessment of age-range and gender, without valid consent. Given the sensitive data in question, and that a visitor would not expect their image or biometric data to be collected by an inconspicuous camera while searching a mall directory, express consent was required. Simple reference to CFCL’s Privacy Policy did not support meaningful consent, and decals posted on mall entrances were insufficient, only mentioning video recordings for "safety and security" instead of the full scope of purposes for which the facial images were being used.
Ensure that consent is obtained in writing or properly documented, including information such as the date and time it was provided.
The OPC has developed guidance on obtaining meaningful consent for private-sector organizations, but it nonetheless provides assistance in ensuring that valid consent is obtained for federal institutions. Institutions should convey the consent processes and the related privacy information with user-experience in mind. Consider integrating consent into existing processes, such as enrolment or digital interfaces, as a means of providing specific information on your biometric initiative in a user-friendly manner. While your biometrics initiative should also be described in your privacy policy, such a description, on its own, would be insufficient to generate meaningful consent.
If an institution is collecting voiceprints from callers to a phone line, a generic statement, such as “this call may be recorded for identification purposes”, is not acceptable to obtain meaningful consent.
Similarly, obtaining consent to collect photos or videos of an individual does not automatically allow you to extract biometrics from such media sources. You must specify the biometric collection, use, or disclosure separately.
Not make biometrics a condition of service: Under PIPEDA, organizations can only require consent as a condition of service when the collection, use, or disclosure of personal information is integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Otherwise, for non-integral and non-essential collections, uses and disclosures, organizations must give individuals a choice — meaning making biometrics voluntary.  
Provide alternative options: Where biometric technology is used for non-integral or non-essential collections, uses, or disclosures, you must provide individuals with other means of access or participation. Communicate these options to individuals, and do not create obstacles that would hinder access to such alternatives. If you are using biometrics as a safeguard, it is likely that there are other methods of authentication you can offer to the individual, and that biometrics are not integral. Providing alternatives accommodates those who are reluctant to enroll in a biometric system as well as those who may not be able to enroll in such systems, for example because of a disability. Provide alternative options: If you are using biometrics as a safeguard, it is likely that there are other methods of authentication you can offer to the individual, and that biometrics are not integral. Providing alternatives accommodates those who are reluctant to enroll in a biometric system, as well as those who may not be able to enroll in such systems, for example because of a disability.
Ensure your collection from third parties is lawful: Where collecting biometrics from third parties is appropriate, organizations must ensure that they have legal authority to do so. Ensure proper grounding in law at every step of the data flow, from initial collection by the third party to disclosure and subsequent use by you. Where consent is required, your organization should work with the third party to design means to obtain valid consent from individuals covering both that third party’s disclosure and your collection and use. Communicate the source databases: If using a biometric technology for identification purposes rather than authentication, disclose to the individual what databases their biometrics are being stored in, compared with, or matched against.
Not assume that it is “publicly available”: An individual’s biometrics may be observable in public, but that does not mean that they are exempt from consent requirements. Photos or videos captured in public spaces, found on the internet, or on social media, may not be further processed without specific consent to extract biometric templates. Furthermore, obtaining consent to collect photographs or video is not the same as collecting consent for biometrics — consent must be specifically obtained for each purpose.  
PIPEDA Report of Findings #2018-002  
The OPC investigated Profile Technology Ltd., a company that reused millions of Canadians’ Facebook user profiles without their consent. A point of issue in the investigation was whether the use of personal information available on individuals’ Facebook profiles met the definition of a publication under the Regulations Specifying Publicly Available Information. In considering the scheme under PIPEDA, its objectives, and the legislature’s intent, the OPC did not accept the assertion that Facebook profile information is a publication under the Regulations.  
Communicate the source databases: If using a biometric technology for identification purposes rather than authentication, disclose to the individual what databases their biometrics are being compared with or matched against. You must also obtain consent for the purpose of storing an individual’s biometrics in a database for matching. This must be incorporated into consent processes to provide individuals with an adequate understanding of the program and to allow them to properly exercise their access and consent revocation rights.  
Renew consent when extending scope: Any extension of the use of biometrics must not be attempted without first obtaining the individual’s consent for the new use, unless a valid legal exception to consent applies. In this sense, organizations should not view consent as a one-time occurrence, never to be revisited. On the contrary, ensuring the validity of consent is an ongoing process and consent may require renewal as circumstances change and as organizations innovate, grow, and evolve.  
Limiting Collection Limiting Collection
Limit the collection of personal information to that which is necessary for achieving your stated purpose. Limit the collection of personal information to that which is necessary for achieving your stated purpose. This is required under the Directive on Privacy Practices.Footnote6
You Must: You Must:
Use authentication before identification: Authentication is based on a one-to-one match with the individual’s biometrics that they have previously enrolled, which can limit what you need to collect versus what is needed for identification to achieve accurate results. You will need specific justification if you choose to use an identification system where an authentication system is viable. Use authentication before identification: Authentication is based on a one-to-one match with the individual’s biometrics that they have previously enrolled, which can limit what you need to collect versus what is needed for identification to achieve accurate results. You will need specific justification if you choose to use an identification system where an authentication system is viable.
Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of them. If you can meet your purpose by using points from a single fingerprint, then you must not collect prints from the whole finger, more than one finger, or use prints in conjunction with other biological or behavioural biometrics. When using biometrics as a safeguard, the number of characteristics collected must be appropriate to the sensitivity of the personal information you are protecting. The use of multi-modal biometrics must be justified in that regard. Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of them. If you can meet your purpose by using points from a single fingerprint, then you must not collect prints from the whole finger, more than one finger, or use prints in conjunction with other biological or behavioural biometrics. When using biometrics as a safeguard, the number of characteristics collected must be appropriate to the sensitivity of the personal information you are protecting. The use of multi-modal biometrics must be justified in that regard.
Not copy identity documents: During the enrolment phase in a biometric system, you might choose to confirm the individual’s legal identity using documents like government-issued IDs. Identity documents used for this purpose must, in most instances, only be viewed, instead of copied and retained.  
Where identity documents are used to perform facial recognition against a live selfie to authenticate someone for online services, such as through a mobile app, immediately delete copies of such documents once authentication has been performed.  
PIPEDA Report of Findings #2010-007  
In an investigation regarding the Medical College Admission Test (MCAT), the OPC concluded that there were less privacy-invasive means to meet the Association of American Medical Colleges’ (AAMC) purpose of preventing exam fraud. The AAMC agreed to limit the personal information that it collects, and to only collect and retain fingerprint information in a digital format, which was to be converted into unique digital templates composed of a string of alpha/numeric characters and held securely. The OPC was satisfied that this outcome effectively addressed concerns with respect to both privacy and AAMC’s need to protect the integrity of the high-stakes MCAT exam.  
You Should: You Should:
Seek to keep the template in the individual’s control: There are different template formats that vary in how much control they provide to the individual. You should strive to keep the template in the individual’s control so long as that is the most secure option while allowing you to achieve your identified purpose. For example, you could store it on a device or token in their possession. You should avoid creating large centralized databases of biometric data, which in the event of a breach, can increase the likelihood of cross-system compromise, imposter access, and source system and physical security compromise. You could also adopt a model where you store the template and it is only activated under the control of the individual. If you decide to maintain sole control of a template, you should have a compelling reason for doing so, such as a determination that this is the best way to safeguard the data or the only way to achieve your purpose. Seek to keep the template in the individual’s control: There are different template formats that vary in how much control they provide to the individual. You should strive to keep the template in the individual’s control so long as that is the most secure option while allowing you to achieve your identified purpose. For example, you could store it on a device or token in their possession. You should avoid creating large centralized databases of biometric data, which in the event of a breach, can increase the likelihood of cross-system compromise, imposter access, and source system and physical security compromise. You could also adopt a model where you store the template and it is only activated under the control of the individual. If you decide to maintain sole control of a template, you should have a compelling reason for doing so, such as a determination that this is the best way to safeguard the data or the only way to achieve your purpose.
Limit its technical capability: As a design choice, you should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill your specific purposes. For example, in our joint-investigation of the Cadillac Fairview Corporation Limited, it was found that a software called FaceNet was enabled to collect unique numerical representations of individuals’ faces, but that information was not needed for CFCL’s purposes. Limit its technical capability: As a design choice, you should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill your specific purposes. For example, in our joint-investigation of the Cadillac Fairview Corporation Limited, it was found that a software called FaceNet was enabled to collect unique numerical representations of individuals’ faces, but that information was not needed for CFCL’s purposes.
Limiting Use, Disclosure, and Retention Limiting Use, Disclosure, and Retention
Under PIPEDA, biometrics must only be used for the purposes for which the information was collected or obtained, with few exceptions. This applies both to biometrics already contained in a ‘matching database’ as well as to the probe image collected from the individual in question. PIPEDA also identifies limited purposes for which personal information can be disclosed without consent.Footnote3 Under the Privacy Act, biometrics must only be used for the purposes for which the information was collected or obtained, with few exceptions. This applies both to biometrics in a ‘matching database’ as well as the probe image collected from the individual in question.
You Must: You Must:
Not analyze biometrics for secondary purposes: Some biometrics can reveal secondary information, such as that related to health, ethnicity, or biological relationships. You must not analyze biometric data to extract such additional information not originally consented to, and even then, only if appropriate. Not analyze biometrics for secondary purposes: Some biometrics can reveal secondary information, such as that related to health, ethnicity, or biological relationships. You must not analyze biometric data to extract such additional information without the individual’s consent if this was not the purpose for which the personal information was lawfully obtained.
Keep a tight circle: You must design a biometric system where disclosure to third parties is not needed. An extremely strong justification would be required to disclose biometrics. In systems where biometric information must be shared with others, the parties with whom it is disclosed should be very limited. Refer to the “Accountability” section to learn more about your responsibilities in ensuring third parties do not abuse information. Keep a tight circle: You must not design a biometric system that relies on disclosures to third parties, unless it is fundamental to the purpose. An extremely strong justification would be required to disclose biometrics to third parties. In systems where biometric information must be shared with others, the parties with whom it is disclosed should be very limited. Refer to the “Accountability” section to learn more about your responsibilities in ensuring third parties do not abuse information.
De-link across systems: The biometrics system provider must guarantee that the stored data cannot be linked across different implementations of the system, such as those offered by third party vendors. You must not link biometric databases used for one purpose, with other unnecessary personal information that is not needed for that purpose. De-link across systems: The biometrics system provider must guarantee that the stored data cannot be linked across different implementations of the system, such as those offered by third party vendors. You must not link biometric databases used for one purpose, with other unnecessary personal information that is not needed for that purpose.
Limit retention: Biometric information must only be kept for a period necessary to fulfill your stated purpose and any legal obligations, after which it must be permanently destroyed from all locations, including devices, cloud storage, and back-ups. In previous decisions involving biometric systems, the OPC found that the appropriate data retention period depends on the context. For fingerprint digital templates collected from test takers, for example, a period of 5 years was appropriate since this matched the validity of the test results.Footnote4 For voiceprints collected from employees, retaining the biometric data for one month after the employee left the organization was found to be appropriate.Footnote5 Limit retention: Biometric information must only be kept for a period necessary to fulfill your stated purpose and any legal obligations, after which it must be permanently destroyed from all locations, including devices, cloud storage, and back-ups. Institutions are required to retain personal information for at least two years after it has been used for an administrative purpose in order to allow the concerned individual a reasonable opportunity to access the information, unless the individual consents to its disposal earlier.
Distinguish retention of biometrics from other personal information: Biometrics serve a specific purpose and should not be lumped with a retention schedule of other non-biometric information, especially when that non-biometric information may be needed for a longer period of time but the biometrics information is not. Distinguish retention of biometrics from other personal information: Biometrics serve a specific purpose and should not be lumped with a retention schedule of other non-biometric information, especially when that non-biometric information may be needed for a longer period of time but the biometrics information is not.
Destroy raw biometric data used to create a template: Raw biometric data that is collected for the purpose of creating a biometric template must be destroyed as soon as the template has been created. Destroy raw biometric data used to create a template: Raw biometric data that is collected for the purpose of creating a biometric template must be destroyed as soon as the template has been created.
Delete biometric information upon request: If an individual withdraws consent for your use of biometric information, then delete all the biometric information you have collected about them, including any personal information you have created using analysis, unless otherwise required by law. You must also request the same from third parties with whom you may have shared the information. Delete biometric information upon request: If an individual withdraws consent for your use of biometric information, then delete all the biometric information that you have collected about them, including any personal information you have created using analysis, unless otherwise required by law. You must also request the same from third parties with whom you may have shared the information.
Safeguards Safeguards
Biometrics can help organizations secure personal information against impersonators and can thereby prevent social engineering attacks, fraud, and identity theft. However, this only remains an effective option if an individual’s biometric information itself can be protected from breaches and can be trusted to be accurate as to an individual’s identity. Otherwise, biometrics can contribute to the problem you sought to resolve. Security safeguards are therefore of utmost concern, given that individuals are left with few options to protect themselves if their biometric information is compromised. Biometrics can help organizations secure personal information against impersonators and can thereby prevent social engineering attacks, fraud, and identity theft. However, this only remains an effective option if an individual’s biometric information itself can be protected from breaches and can be trusted to be accurate as to an individual’s identity. Otherwise, biometrics can contribute to the problem you sought to resolve. Security safeguards are therefore of utmost concern, given that individuals are left with few options to protect themselves if their biometric information is compromised.
Safeguarding refers to measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. Under PIPEDA, organizations are responsible for protecting personal information with security safeguards appropriate to the sensitivity of the information and degree to which it may be at risk. As a result, biometric data must be stringently protected with a higher level of security safeguards. Safeguarding refers to measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. As reflected in the Directive on Privacy Practices, government institutions must have adequate safeguards to protect against unauthorized use or disclosure of personal information.Footnote7 As a result, biometric data must be stringently protected with a higher level of security safeguards.
Biometrics, like other types of personal information, are not immune to breaches. Biometrics, like other types of personal information, are not immune to breaches.
More specifically, they are vulnerable to spoofing attacks, where false biometrics are presented to fool biometric systems into providing a positive match. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometrics to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity. More specifically, they are vulnerable to spoofing attacks, where false biometrics are presented to fool biometric systems into providing a positive match. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometrics to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity.
You Must: You Must:
Use physical, organizational, and technical measures to safeguard against the different ways a breach could occur. Review and update security measures regularly to address evolving security threats and vulnerabilities. Use physical, administrative, and technical measures to safeguard against the different ways a breach could occur. Review and update security measures regularly to address evolving security threats and vulnerabilities.
Implement controls for personnel access: Only make biometric information accessible to those employees who truly need it in the context of their work. Consider having a permission system in place to review requests and grant access. Implement controls for personnel access: Only make biometric information accessible to those employees who truly need it in the context of their work. Consider having a permission system in place to review requests and grant access.
Keep track of access: Oversight is important to ensure that sensitive information is not mishandled. Maintain digital logs of each time designated personnel access the biometric information you retain. Review the retained logs routinely to ensure that employee searches are legitimate and related to a business need. You must investigate organizational privacy incidents, including employee snooping. Keep track of access: Oversight is important to ensure sensitive information is not mishandled. Maintain digital logs of each time designated personnel access the biometric information you retain. Review the retained logs routinely to ensure that employee searches are legitimate and related to a business need. You must investigate organizational privacy incidents, including employee snooping.
Encryption: Use end-to-end encryption technology to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission. Encryption: Use end-to-end encryption technology to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission.
PIPEDA Report of Findings #2022-003  
We noted in our Rogers’ VoiceID report of findings that voiceprints were well safeguarded. Voiceprints were stored in an encrypted and proprietary format on Canadian servers under Rogers’ control. Rogers confirmed that no third parties had access to the voiceprints for any purpose. Rogers further advised that access to the database was restricted to its Voice ID administration team, and that the voiceprints could not be used outside of their system. Our review of software documentation confirmed that the FreeSpeech solution was deployed by its customers and is not centrally managed, accessible to, or controlled by Nuance. Additionally, our review confirmed that voiceprints were signed using an encryption key unique to the specific instance of FreeSpeech, to protect from use in other programs or in other FreeSpeech implementations.  
Prevent spoofing and presentation attacks: Spoofing refers to the ability to fool a biometric system by applying fake or replicated biometrics — such as a photograph or mask of the target individual’s face to bypass facial authentication. When biometrics are used as a safeguard to protect other personal information, they must be effective at doing so and not be susceptible to spoofing. Liveness detection is one option to prevent many forms of spoofing, but not all liveness detection methods offer the same level of protection.Footnote6 Prevent spoofing and presentation attacks: Spoofing refers to the ability to fool a biometric system by applying fake or replicated biometrics — such as a photograph or mask of the target individual’s face to bypass facial authentication. When biometrics are used as a safeguard to protect other personal information, they must be effective at doing so and not be susceptible to spoofing. Liveness detection is one option to prevent many forms of spoofing, but not all liveness detection methods offer the same level of protection.Footnote8
Consider specific technical attack methods: You must anticipate and analyze the risks of unauthorized access and unwanted modification if you hold biometric data. There are different types of attacks that are specifically designed to circumvent biometric systems,Footnote7 including hill-climbing and wolf-attacks. Consider specific technical attack methods: You must anticipate and analyze the risks of unauthorized access and unwanted modification if you hold biometric data. There are different types of attacks that are specifically designed to circumvent biometric systemsFootnote9 including hill-climbing and wolf-attacks.
“Hill-climbing” refers to an algorithmic attack where a synthetic biometric template is matched continuously against a stored template and is iteratively modified until it positively matches with the stored template. This method relies on a matching score to be communicated so that the modifications to the synthetic template are based on an increasing similarity with the stored template. Therefore, you should not communicate a matching score publicly, and limit the number of biometric authentication attempts. “Hill-climbing” refers to an algorithmic attack where a synthetic biometric template is matched continuously against a stored template and is iteratively modified until it positively matches with the stored template. This method relies on a matching score to be communicated so that the modifications to the synthetic template are based on an increasing similarity with the stored template. Therefore, you should not communicate a matching score publicly, and limit the number of biometric authentication attempts.
“Wolf-attacks” refer to a biometric “wolf” sample that can function like a master key to successfully match to multiple samples.Footnote8 The use of wolf attack probability testing and detection can help you safeguard against such attacks. “Wolf-attacks” refer to a biometric “wolf” sample that can function like a master key to successfully match to multiple samples.Footnote10 The use of wolf attack probability testing and detection can help you safeguard against such attacks.
Conduct testing and vulnerability assessments: Regularly assess the vulnerability of your biometric system to ensure that your safeguards continue to be effective over time, and to identify vulnerabilities. The testing needs to include variables that depend both on the system’s design and installation, the biology of the tester, and the known vulnerabilities of the biometric modality or modalities chosen. Conduct testing and vulnerability assessments: Regularly assess the vulnerability of your biometric system to ensure your safeguards continue to be effective over time, and to identify vulnerabilities. The testing needs to include variables that depend both on the system’s design and installation, the biology of the tester, and the known vulnerabilities of the biometric modality or modalities chosen.
Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach creates a real risk of significant harm to affected individuals. Therefore, breaches involving biometric information will meet the private-sector threshold for mandatory reporting to the OPC and to affected individuals. Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach could reasonably be expected to cause serious injury to affected individuals. Therefore, breaches involving biometric information will meet the public-sector threshold for mandatory reporting to the OPC and Treasury Board of Canada Secretariat.
You Should: You Should:
Be proactive: It is more effective to build privacy safeguards into the fabric of a biometric initiative than to try to add them in later. This includes the entire lifecycle of an activity: design, implementation, evaluation, and dismantling. Be proactive: It is more effective to build privacy safeguards into the fabric of a biometric initiative than to try to add them in later. This includes the entire lifecycle of an activity: design, implementation, evaluation, and dismantling.
| Use cancellable biometrics: You should convert biometric data into templates that do not reveal permanent features of an individual’s biometric profile. You can do this by using “cancellable” templates that distort data to prevent it from being converted back into the original biometric information. This would allow multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template should also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. Consult technical experts and the latest research around these methods to learn how to implement them in your context. | Use cancellable biometrics: You should convert biometric data into templates that do not reveal permanent features of an individual’s biometric profile. You can do this by using “cancellable” templates that distort data to prevent it from being converted back into the original biometric information. This would allow multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template should also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. Consult technical experts and the latest research around these methods to learn how to implement them in your context. |
| Use Privacy Enhancing Technologies (PETs): Methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. For more information about PETs, read our report. | Use Privacy Enhancing Technologies (PETs): Methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. For more information on PETs, refer to our report. |
| Specialized security modules: You should consider using specialized security modules for the storage of biometrics. You should also consider making the extraction of biometric templates unique to your biometric system, such that it cannot be used by others. | Specialized security modules: You should consider using specialized security modules for the storage of biometrics. You should also consider making the extraction of biometric templates unique to your biometric system, such that it cannot be used by others. |
| Avoid transmitting biometrics over the internet, if possible, and instead transmit them through enrolment devices directly connected to or integrated with the IT systems. | Avoid transmitting biometrics over the internet, if possible, and instead transmit them through enrolment devices directly connected to or integrated with the IT systems. |
| Use multiple factors: Multifactor authentication is often described as combining something you know (such as a password), something you have (such as a card or token), and something you are (such as a fingerprint). Where the use of biometrics is appropriate, you should use it in combination with at least one other factor to improve accuracy and protect against attacks. | Use multiple factors: Multifactor authentication is often described as combining something you know (such as a password), something you have (such as a card or token), and something you are (such as a fingerprint). Where the use of biometrics is appropriate, you should use it in combination with at least one other factor to improve accuracy and protect against attacks. |
| Use active versus passive biometrics: For example, active voice biometrics refers to when the individual must create a passphrase, which the software analyzes to create a voiceprint, targeted to the phrase. This is a form of multi-factor authentication. This is in contrast to passive voice biometrics where recognition software runs in the background on all speech and does not require the individual to say a specific phrase. | Use active versus passive biometrics: For example, active voice biometrics refers to when the individual must create a passphrase, which the software analyzes to create a voiceprint, targeted to the phrase. This is a form of multi-factor authentication. This is in contrast to passive voice biometrics where recognition software runs in the background on all speech and doesn’t require the individual to say a specific phrase. |
| Choose the right modality: Be aware of your choice of biometric and the accompanying technology. For example, fingerprints can leave latent marks that can be lifted by malicious actors. Some modalities may also be easier to spoof than others. | Choose the right modality: Be aware of your choice of biometric and the accompanying technology. For example, fingerprints can leave latent marks that can be lifted by malicious actors. Some modalities may also be easier to spoof than others. |
| Separate biometrics from other personal information: You should store any biometric information about an individual separately from other identifying information about them, to avoid building an unnecessary profile about an individual. This reduces the risk of harm in the event of a breach. | Separate biometrics from other personal information: You should store any biometric information about an individual separately from other identifying information about them, to avoid building an unnecessary profile about an individual. This reduces the risk of harm in the event of a breach. |
| PIPEDA Report of Findings #2011-012 |  |
| In the case of the Graduate Management Admission Test palm-vein scanning technology, the OPC found that the palm-vein scans were immediately transformed into an encrypted binary template, which could not easily be applied to other purposes, and were stored separately from any other personal information about the test taker. This was found to be a suitable measure in managing information sensitivity in the circumstances. |  |
| Accuracy | Accuracy |
| Biometric systems used for authentication or identification are typically used to make an automated decision about an individual, such as to obtain access to certain locations, or receive a good or service to which they are entitled. As a result, false positives and negatives can significantly disrupt an individual’s life and potentially violate their human rights. You must take every reasonable effort to ensure accuracy in your biometric system. | Biometric systems used for authentication or identification are typically used to make an automated decision about an individual, such as to obtain access to certain locations, or receive a good or service to which they are entitled. As a result, false positives and negatives can significantly disrupt an individual’s life and potentially violate their human rights. You must take every reasonable effort to ensure accuracy in your biometric system. |
| Under principle 6 of PIPEDA, personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. This includes being sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate information may be used to make a decision about the individual. | Under the Privacy Act, government institutions are required to take all reasonable steps to ensure that any personal information they use for an administrative purpose is as accurate, up-to-date, and complete as possible. The Directive on Privacy Practices outlines measures for ensuring information is accurate and up to date, including verifying information against a reliable source, and using technological means to identify errors and discrepancies. |
| You Must: | You Must: |
| Consider if biometrics are fit for purpose: Organizations must consider whether the biometric system is an appropriate mechanism to achieve their purpose, taking into account the environment and context in which their proposed use of biometrics will take place. For example, systemic errors in a biometric system can result in the capture of inaccurate information, particularly when not adjusted to reflect the diversity of the population. | Consider if biometrics are fit for purpose: Organizations must consider whether the biometric system is an appropriate mechanism to achieve their purpose, taking into account the environment and context in which their proposed use of biometrics will take place. For example, systemic errors in a biometric system can result in the capture of inaccurate information, particularly when not adjusted to reflect the diversity of the population. |
| Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics. While many biometric systems have low failure rates, a small number of errors can become significant when the system is scaled up. The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is your responsibility to ensure conformity with relevant accuracy testing standards (Footnote 9), including conducting your own accuracy testing or obtaining an independent evaluation, and choose biometric systems with error rates that are appropriate and acceptable in the circumstances. You will need to demonstrate a higher level of accuracy when the consequences of errors for individuals are greater. | Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics. While many biometric systems have low failure rates, a small number of errors can become significant when the system is scaled up. They can also disproportionately affect certain populations. The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is your responsibility to ensure conformity with relevant accuracy testing standards (Footnote 11), including conducting your own accuracy testing or obtaining an independent evaluation, and choose biometric systems with error rates that are appropriate and acceptable in the circumstances. This includes consideration of more accurate alternatives and tradeoffs. You will need to demonstrate a higher level of accuracy when the consequences of errors for individuals are greater. |
| Ensure accuracy at enrollment: You must take reasonable steps to check and maintain the accuracy of the biometrics. Biometric recordings and templates must be accurate at the enrolment stage, including clear images, free from obstruction or other anomalies that would interfere with an individual’s authentication or identification later. You must ensure that the template is assigned to the correct individual, and account for the time elapsed since the biometric was enrolled to account for issues related to aging. | Ensure accuracy at enrollment: You must take reasonable steps to check and maintain the accuracy of the biometrics. Biometric recordings and templates must be accurate at the enrolment stage, including clear images free from obstruction or other anomalies that would interfere with an individual’s authentication or identification later. You must ensure that the template is assigned to the correct individual, and account for the time elapsed since the biometric was enrolled to account for issues related to aging. |
| You Should: | You Should: |
| Put quality over quantity: Poor quality of captured biometrics can lead to accuracy challenges. You should only use captured biometric information of high quality. This also allows you to better meet the limiting collection requirement, as poor-quality biometrics may lead you to over-collect them to create a functioning template. Improved equipment and standardized collection practices (that account for elements such as image resolution, lighting, and placement) can help reduce the number of mistakes. | Put quality over quantity: Poor quality of captured biometrics can lead to accuracy challenges. You should only use captured biometric information of high quality. This also allows you to better meet the limiting collection requirement, as poor-quality biometrics may lead you to over-collect them to create a functioning template. Improved equipment and standardized collection practices (that account for elements such as image resolution, lighting, and placement) can help reduce the number of mistakes. |
| Develop a procedure for dealing with false matches: Although biometric systems must be designed to ensure accuracy, you should be prepared for your system to provide false positives, false negatives, and non-matches. In such cases, you should offer an alternate identifier in a timely manner, resolve the issue so that it does not recur, and ensure that such errors do not result in systemic biases. There should be human intervention and review of significant decisions made based on biometrics as part of this process in order to offer redress. Biometric decision-making should be subject to a fair process to allow such decisions to be contested and reviewed. | Develop a procedure for dealing with false matches: Although biometric systems must be designed to ensure accuracy, you should be prepared for your system to provide false positives, false negatives, and non-matches. In such cases, you should offer an alternate identifier in a timely manner, resolve the issue so that it does not recur, and ensure that such errors do not result in systemic biases. There should be human intervention and review of significant decisions made based on biometrics as part of this process in order to offer redress. Biometric decision-making should be subject to a fair process to allow such decisions to be contested and reviewed. |
| Have an even higher accuracy threshold when using biometric categorization: Biometric systems that assign an individual to a category and sort them accordingly should be carefully assessed and scrutinized with regards to the categories that are used, whether they are able to accurately reflect the diversity of the individuals who will be captured by the biometric system, and the overall reliability of this feature. Consider that individuals also have rights to access and correction. | Have an even higher accuracy threshold when using biometric categorization: Biometric systems that assign an individual to a category and sort them accordingly should be carefully assessed and scrutinized with regards to the categories that are used, whether they are able to accurately reflect the diversity of the individuals who will be captured by the biometric system, and the overall reliability of this feature. Consider that individuals also have rights to access and correction. |
| Accountability | Accountability |
| You are responsible for the personal information under your control. | You are responsible for the personal information under your control. In the federal public sector, the Privacy Act sets out specific obligations for heads of government institutions or their delegates. Accountability is also delineated through the PIA process and supporting policy instruments, notably the Policy on Privacy Protection and Directive on Privacy Practices. Additional guidance on contracting under the Privacy Act is available in “Taking Privacy into Account Before Making Contracting Decisions”. |
| You Must: | You Must: |
| Comply with all ten principles listed in Schedule 1 of the Act. | Use credible contractors and assess legal authority: Before entering into a business relationship, you must do your due diligence to ensure accountability of third party service providers and that they are acting lawfully. If these parties are providing you access to a database of biometric information, you have a duty to ensure that both the original collection and your use of the information would be in accordance with privacy laws. This equally applies to partnerships you enter into with other government institutions. |
| Appoint someone to be responsible for the organization’s PIPEDA compliance and to whom individuals can ask questions. | If you are subcontracting parts of your biometric program, you must ensure that the subcontractor meets the Privacy Act obligations to which you are subject and does not use personal information handled on your behalf for its own purposes, without requisite consent. |
| Protect all personal information in the possession or custody of the organization, including any personal information transferred to a third party for processing. | Privacy Act Report of Findings: |
| Develop and implement policies and practices to give effect to PIPEDA’s principles. | In the OPC’s investigation into the RCMP’s use of Clearview AI’s services, we found that the RCMP failed to take any active steps to verify the legality of the collection of the information of Canadians from Clearview. Government institutions are obligated to ensure the lawfulness of the collection practices of partners from whom they collect personal information. |
| Ensure breach reporting for any breach that poses a real risk of significant harm to individuals. | Assess whether your biometric activity is subject to the Directive on Automated Decision-Making: If you are using biometrics to make automated decisions about an individual, you should refer to the Directive on Automated Decision-Making and check whether you need to complete an Algorithmic Impact Assessment. |
| You may decide to use the expertise of an external organization to set up and administer your biometric program and give them access to biometric information through that system. If you do so, you must use contractual or other means to ensure a comparably strong level of privacy protection while the information is being processed by that third party. That is, irrespective of where the third party is located, you must be satisfied that the third party has policies and processes in place to ensure that the information in its care is properly safeguarded at all times in accordance with the high standards required for biometrics. You must not transfer biometric data outside of Canada unless there is a contract providing comparable protection. |  |
| Integrate the ability to audit contractors: Where biometrics are concerned, organizations must almost invariably integrate the right to audit and inspect how the third party handles personal information into the contract and include measures to address non-compliance. |  |
| Provide employees with the proper knowledge and support: You must ensure that employees of your organization who are responsible for managing biometric data are provided with the proper training, guidance, and supervision to perform their duties. |  |
| You Should: | You Should: |
|  | Formalize your relationship with other partners: This includes contracting with private-sector parties that you use the biometric services of, and entering into Information Sharing Agreements with other institutions that you share or receive biometric information from. |
| Develop robust breach plans: In the event of a privacy breach of biometric information, you will likely be required to report it to a number of parties within short timelines. You will also be required to maintain records of all breaches. To be prepared for a breach scenario, you should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. The OPC has developed guidance for responding to a privacy breach for organizations. | Develop robust breach plans: In the event of a privacy breach of biometric information, you will likely be required to report it to a number of parties within short timelines. You will also be required to maintain records of all breaches. To be prepared for a breach scenario, you should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. The OPC has developed guidance for responding to a privacy breach for government institutions. |
| Demonstrate accountability: You should stand ready to demonstrate your compliance with applicable privacy law(s) to regulators. You should be ready to show records such as how the system was designed, and the steps you took to ensure it was protective of privacy. Developing a Privacy Management Program is an excellent way to prepare. | Demonstrate accountability: You should stand ready to demonstrate your compliance with applicable privacy law(s) to regulators. You should be ready to show records such as how the system was designed, and the steps you took to ensure it was protective of privacy. |
| Consider consulting the OPC: If you are still unsure about your biometric program, consider contacting the OPC’s Business Advisory Directorate for additional advice. | Consider consulting the OPC: If you are still unsure about your biometric program, consider contacting the OPC’s Government Advisory Directorate for additional advice. |
| Openness | Openness |
| Be open and transparent with individuals about how you manage personal information. | Be open and transparent with individuals about how you manage personal information. The Directive on Privacy Practices requires that individuals whose personal information is collected directly be notified of key information relating to the initiative. |
| You Must: | You Must: |
| Post the privacy policy: You must make your policies and practices governing biometric information readily available to individuals, and in an understandable form. This must include the types of biometric information you manage, the ways they are used, retention periods, any other jurisdictions where the information is stored, security safeguards used, and what third parties or subsidiaries the information is disclosed to, if any, and why. |  |
| Provide your policies and practices to individuals before you ask them to enroll their biometrics in your system. Give them sufficient time and opportunity to review the practices in full before seeking their consent and collecting their biometrics. | Provide a privacy notice: Directly notify the individual whose biometrics are collected of the purpose and authority of collection, any uses or disclosures consistent with the original purpose, any legal or administrative consequences for refusing to provide biometrics, the rights of access, correction and protection, and the Personal Information Bank (PIB) described in Info Source. |
| Inform individuals about transfers to service providers: You must make readily available to individuals information about service providers that you use to process biometric information on your behalf. When a service provider is located in a foreign country, you need to inform individuals of the risk that their personal information may be lawfully accessed by law enforcement and national security authorities under the laws of that country. This must be done in clear and understandable language, ideally at the time the information is collected. You should also provide clear information related to any risk of harm and other consequences resulting from a transfer to a service provider. | Inform individuals about their ability to complain to the OPC: Your privacy notice must include information about the right of individuals to submit a complaint to the OPC with their privacy concerns. |
| Be specific about the uses of biometrics: Your policies and practices must contain details; they cannot just state that you will use biometric information for “anti-fraud purposes” or “account management purposes”. You must outline how your specifically identified purpose is achieved using the biometric information, how it will be stored, and whether biometrics are compared against databases. | Conduct public reporting of biometrics: All biometric information holdings under your control must be accounted for in your public reporting of PIBs and classes of personal information. This includes on Info Source and in your PIB descriptions. The inventory descriptions must contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act. |
| Provide the contact information of the person accountable: You must provide the name or title and contact information of the person accountable for your organization’s policies and practices, to whom inquiries and complaints can be made. | Notify the OPC of all new consistent uses: If you use biometrics for consistent uses that are not reflected in a PIB, you must notify the OPC. |
| You Should: | You Should: |
| Be transparent about legal obligations: You should communicate to individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should also explain this in response to any deletion request, citing the relevant legal provision. | Be transparent about legal obligations: You should communicate to individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should also explain this in response to any deletion request, citing the relevant legal provision. |
| Be specific about service providers, wherever possible: In the spirit of being open with individuals, you should name the service provider(s) that you transfer biometric data to. While organizations remain accountable for their use of service providers, this information allows interested individuals to know where their sensitive information is going. | Explain automated decisions: Be prepared to provide individuals who may have been subject to an important automated decision using biometrics with information about the key details of the biometric system — such as the confidence interval used by the system, the probe biometric that was relied upon, and any other likely reasons for an outcome. |
| Explain automated decisions: Be prepared to provide individuals who may have been subject to an important automated decision using biometrics with information about the key details of the biometric system — such as the confidence interval used by the system, the probe biometric that was relied upon, and any other likely reasons for an outcome. |  |
| Footnotes | Footnotes |
| Footnote 1 | Footnote 1 |
| These criteria are derived from a set of factors considered by the Federal Court in Turner v Telus Communications Inc, 2005 FC 1601 (CanLII) (Turner v Telus) in evaluating an organization’s compliance with subsection 5(3) of PIPEDA (endorsed on appeal). While this case arises from the workplace context, the Court’s analysis is still applicable to organizations using biometrics when engaging in commercial activities. | These criteria form part of the required PIA process for high-risk programs. |
| Footnote 2 | Footnote 2 |
| The necessity of biometrics has been considered in the employment context under PIPEDA. In Turner v Telus, supra (and as affirmed in Wansink v Telus Communications Inc, 2007 FCA 21 (CanLII)), the Federal Court found that Telus’s use of employee voice prints for identity verification purposes to access and use an internal computer network was appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA. | The necessity of biometrics has been considered in the employment context under PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5). In Turner v Telus Communications Inc, 2005 FC 1601 (CanLII) (and as affirmed in Wansink v Telus Communications Inc, 2007 FCA 21 (CanLII)), the Federal Court found that Telus’s use of employee voice prints for identity verification purposes to access and use an internal computer network was appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA. While this case arises under PIPEDA, the Court’s analysis is still informative for institutions using biometrics in its management of the workforce. |
| Footnote 3 | Footnote 3 |
| Subsection 7(3) of PIPEDA. | Directive on Privacy Practices, 4.2.7. |
| Footnote 4 | Footnote 4 |
| PIPEDA case summary #2010-007. | When it comes to subsequent use and disclosure, however, publicly available personal information is excluded from sections 7 and 8 of the Privacy Act and related consent requirements. |
| Footnote 5 | Footnote 5 |
| PIPEDA case summary #2004-281. | See Sections 7 and 8 of the Privacy Act. |
|  | Footnote 6 |
|  | According to the Directive on Privacy Practices, institutions are responsible for limiting the collection of personal information to what is also demonstrably necessary for the program or activity. |
|  | Footnote 7 |
|  | Directive on Privacy Practices. |
| Footnote 6 | Footnote 8 |
| Liveness detection is used to distinguish a person presenting their biometrics in real-time from non-live recordings of them, such as a photo, to bypass the system. Different techniques and technologies are being developed to increase accuracy and anti-spoofing. You should consult with experts and select the method that offers the best protection. | Liveness detection is used to distinguish a person presenting their biometrics in real-time from non-live recordings of them, such as a photo, to bypass the system. Different techniques and technologies are being developed to increase accuracy and anti-spoofing. You should consult with experts and select the method that offers the best protection. |
| Footnote 7 | Footnote 9 |
| See for example, Ann Cavoukian, Alex Stoianov, and Fred Carter in IFIP International Federation for Information Processing, Volume 261; Policies and Research in Identity Management; Eds. E. de Leeuw, Fischer-Hübner, S., Tseng, J., Borking, J.; (Boston: Springer), pp. 57–77. | See for example, Ann Cavoukian, Alex Stoianov, and Fred Carter in IFIP International Federation for Information Processing, Volume 261; Policies and Research in Identity Management; Eds. E. de Leeuw, Fischer-Hübner, S., Tseng, J., Borking, J.; (Boston: Springer), pp. 57–77. |
| Footnote 8 | Footnote 10 |
| Huy H. Nguyen, Junichi Yamagishi, Isao Echizen, and Sébastien Marcel, “Generating Master Faces for Use in Performing Wolf Attacks on Face Recognition Systems” Proceedings of the 2020 International Joint Conference on Biometrics, Houston, USA. | Huy H. Nguyen, Junichi Yamagishi, Isao Echizen, and Sébastien Marcel, “Generating Master Faces for Use in Performing Wolf Attacks on Face Recognition Systems” Proceedings of the 2020 International Joint Conference on Biometrics, Houston, USA. |
| Footnote 9 | Footnote 11 |
| See, for example, ISO/IEC 19795, Information Technology – Biometric Performance Testing and Reporting; and NIST Special Publication 800-63B, Digital Identity Guidelines where biometric verification systems “shall operate with an FMR [“false match rate”; ISO/IEC 2382-37] of 1 in 1000 or better. This FMR shall be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in ISO/IEC 30107-1”. | See, for example, ISO/IEC 19795, Information Technology – Biometric Performance Testing and Reporting; and NIST Special Publication 800-63B, Digital Identity Guidelines where biometric verification systems “SHALL operate with an FMR [“false match rate”; ISO/IEC 2382-37] of 1 in 1000 or better. This FMR SHALL be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in ISO/IEC 30107-1”. |

 

 



 

まるちゃんの情報セキュリティ気まぐれ日記

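Related to the Privacy Commissioner of Canada...

・2023.06.01 Generative AI and privacy authorities (Canada, New Zealand)

・2022.05.15 Canada: Office of the Privacy Commissioner - strategic privacy priorities and the themes and observations that emerged from them

・2022.04.24 Canada: Office of the Privacy Commissioner - guidance for cases where a government institution discloses personal information at the discretion of the head of the institution

・2020.08.15 The Privacy Commissioner of Canada publishes a new privacy guide for businesses

Facial recognition, etc...

・2023.08.22 China: TC260 public draft of the national standard "Security requirements for processing sensitive personal information" (2023.08.09)

・2022.12.09 World Economic Forum (WEF): A Policy Framework for Responsible Limits on Facial Recognition, Use Case: Law Enforcement Investigations - nine principles (2022.11)

・2022.07.12 US: Department of Homeland Security Office of Inspector General - U.S. Customs and Border Protection complies with its facial recognition policies for identifying international travelers at airports (2022.07.07)

・2022.05.30 UK: Information Commissioner fines facial recognition database company Clearview AI Inc more than £7.5 million and orders deletion of British people's data

・2022.05.20 European Data Protection Board (EDPB): public consultation on "Guidelines on the use of facial recognition technology in the area of law enforcement"

・2022.05.15 Canada: Office of the Privacy Commissioner - strategic privacy priorities and the themes and observations that emerged from them

・2022.04.30 US: GAO blog - How artificial intelligence will change national security (2022.04.19)

・2022.01.21 ENISA: Beware of digital identity attacks: your face can be spoofed

・2021.12.25 Personal Information Protection Commission: establishment of an expert panel on the use of camera images for crime prevention and safety

・2021.10.17 INTERPOL, the United Nations Interregional Crime and Justice Research Institute, the Netherlands Police and the World Economic Forum: "A Policy Framework for Responsible Limits on Facial Recognition, Use Case: Law Enforcement Investigations" at 2021.10.05

・2021.09.29 World Economic Forum (WEF): Responsible use of technology: a case study of IBM

・2021.09.27 European Commission: Electronic Monitoring and Surveillance in the Workplace

・2021.09.10 European Parliament: recommendations - biometric recognition and behavioural detection

・2021.08.28 China: public consultation - Cyberspace Administration of China, "Provisions on the administration of algorithmic recommendations in internet information services"

・2021.08.27 US: GAO - Facial recognition technology: current and planned uses by federal agencies

・2021.08.20 UK: public consultation - draft revised Surveillance Camera Code of Practice by the Surveillance Camera Commissioner at 2021.08.13

・2021.08.11 European Parliament: STUDY - biometric recognition and behavioural detection

・2021.08.10 European Parliament: STUDY - tackling deepfakes in European policy at 2021.07.30

・2021.08.08 European Parliament: BRIEFING - artificial intelligence in smart cities and urban mobility at 2021.07.23

・2021.08.07 Ministry of Internal Affairs and Communications: Conference toward AI Network Society - publication of "Report 2021"

・2021.08.07 Atlantic Council: Moving from commitment to content in AI and data ethics: justice and explainability

・2021.08.04 China: China Academy of Information and Communications Technology white paper on trustworthy artificial intelligence at 2021.07.09

・2021.08.03 China: Supreme People's Court - "Judicial interpretation on the use of facial recognition technology in civil cases"

・2021.07.15 US GAO: Federal law enforcement agencies need to better assess privacy and other risks of facial recognition technology at 2021.06.03

・2021.07.12 New York City: the biometric information privacy ordinance took effect on 2021.07.09...

・2021.06.30 WHO: Ethics and governance of artificial intelligence for health

・2021.06.28 EU: Artificial intelligence governance as a foreign policy tool

・2021.06.23 Europe: EDPB and EDPS call for a ban on the use of AI for automated recognition of human features in public spaces, and on some other uses of AI that can lead to unfair discrimination

・2021.06.22 European Insurance and Occupational Pensions Authority (EIOPA) publishes a report on governance principles for ethical and trustworthy AI in the European insurance sector

・2021.06.20 UK: Information Commissioner - privacy concerns about the use of live facial recognition technology in public places

・2021.06.17 US Senate and House: the "Facial Recognition and Biometric Technology Moratorium Act", a bill that would prohibit government use of biometric surveillance, including facial recognition tools

・2021.06.17 UK government: Centre for Data Ethics and Innovation - interim report on active user choices about privacy (smartphones)

・2021.06.08 EPIC, a U.S. public interest group, is calling for a worldwide ban on the use of facial recognition and remote biometric recognition technology...

・2021.05.12 The Privacy Commissioner of Canada appears to have presented views on facial recognition technology to Parliament...

・2021.05.07 Germany's Federal Office for Information Security (BSI) has published "Towards Auditable AI Systems - Current Status and Future Directions"

・2021.05.03 China: public consultation - following facial recognition, draft national standards on data security requirements for gait recognition and voice recognition have been released for comment...

・2021.04.24 The European Commission proposes AI regulation → the European Data Protection Supervisor welcomes it, but asks that regulation of remote biometric identification in public spaces be included too

・2021.04.22 Germany's Federal Office for Information Security (BSI) has compiled measures for the secure adoption of AI...

・2021.04.21 U.S. FTC (Federal Trade Commission) blog: there is a post about aiming for truth, fairness, and equity when your company uses AI...

・2021.03.14 CNIL publishes its opinion on the decree on the use of intelligent video to measure the mask-wearing rate of passengers

・2021.02.05 The Privacy Commissioner of Canada has issued a statement on Clearview AI, a provider of facial recognition software...

・2021.01.30 Council of Europe: the Convention 108 Committee has adopted "Guidelines on facial recognition"...

・2021.01.12 European Commission registers the citizens' initiative "Ban on biometric mass surveillance practices"

・2021.01.04 New York State: governor signs a law suspending the use of facial recognition technology in schools and directing a study at 2020.12.22

・2020.11.04 Canadian privacy commissioner: report on Cadillac Fairview having collected the facial data of 5 million people (2020.10.28)

・2020.06.26 If humans make mistakes, AI that imitates humans probably makes mistakes too...

・2020.06.14 IBM, Amazon and Microsoft will not sell facial recognition systems to U.S. police

・2020.05.01 (Artificial intelligence, AI) Examining the Black Box: tools for assessing algorithmic systems - identifying a common language for algorithm audits and impact assessments

・2020.03.26 JVNVU#99619336: issue allowing creation of inputs that cause misclassification in machine learning models that use gradient descent

・2020.03.04 FIRST EVER DECISION OF A FRENCH COURT APPLYING GDPR TO FACIAL RECOGNITION

・2020.02.17 A facial recognition system that works even from a distance!

Going way back, to the 2000s

・2009.11.07 Global privacy declaration (Global Privacy Standards for a Global World)

・2005.08.11 Ministry of Foreign Affairs: IC passport research study report

・2005.02.04 Surveillance society and trust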

 

 
