A Reflection on Privacy, Security, and Anonymity in the Context of Biometrics

Secure Privacy-preserving Anonymous Matching

Figure 1: Illustration of an ideal biometric recognition-based solution satisfying the right to privacy, security, and anonymity.

Overview.   Digitalized biometric recognition is the reflection of the physical presence of individuals in the digital world. It makes it possible to digitally verify or search for the physical presence of individuals using different means, ranging from simple mobile devices and cheap fingerprint sensors to e-gate stations found in airports. Biometric recognition (a.k.a. biometrics [1]) touches nearly all sectors within the socio-economic environment of humans, making biometrics likely to raise risks related to fundamental human rights: the right to privacy, security, and anonymity. Among those sectors, the use of biometrics in the healthcare sector represents an illustrative example of the coexistence of the notions of privacy, security, and anonymity. Biometrics helps to precisely identify patients and monitor their engagement in medical treatments of viral diseases. Additionally, biometrics contributes to protecting sensitive health records from unauthorized access, bringing a layer of security to critical medical activities, such as electronic prescriptions for controlled substances [2]. Doctors can digitally bind such critical drug prescriptions to the physical presence of their patients, so that biometrics serves as proof that pharmacists verify before providing the patients with their drugs. Switching perspectives, participants in viral disease treatment programs (e.g., HIV treatment programs) require a certain obscurity of their identity, given the delicateness of the matter. In this case, the biometrics solution should satisfy the notion of anonymity on top of the notions of privacy and security. Differently rephrased, an ideal biometrics-based solution should prove the physical presence of participants without disclosing their identities, while preserving the privacy of their personal information, all in a secure manner.

In the context of biometric recognition, the privacy and security notions tend to be mentioned interchangeably despite their differences, while the term anonymity is rarely considered. In this blog post, we reflect on the meaning of these three notions in the specific context of biometrics. In the following, we begin by discussing privacy and security in the specific context of biometrics, where privacy deals with issues surrounding the processing of biometric data by authorized parties. In contrast, the security notion represents a measure to restrict access to biometric data to unauthorized parties, essential for maintaining privacy. Subsequently, we explore the paradox of anonymity in relation to biometrics, as biometrics represents a means of verifying identity, while the concept of anonymity seeks to avoid such identity verification.

Privacy vs. Security in the Context of Biometrics.   Privacy, in the context of biometrics, refers to the protection of individuals’ biometric data in the sense that it should be solely utilized by authorized parties on biometrics systems that perform the recognition task to which the biometric data owner has consented. Biometrics systems should not intentionally or unintentionally allow other classification tasks expressing different purposes that could be privacy-invasive or grant third parties access to biometric data. For instance, biometric recognition systems without a recognition task restriction policy on their biometric reference databases can use the biometric references to learn soft biometric information, such as ethnicity and gender expression, of their enrolled users, even though the initial purpose of providing the biometric data was for a specific recognition task that proves the physical presence only. Consequently, this could lead to the extraction of personal information beyond identity, which potentially causes privacy violations without the biometric data owner’s awareness.

Security, on the other hand, refers to safeguarding the architecture of biometric recognition systems from threats or vulnerabilities that attackers (unauthorized parties, regardless of their power) can exploit to achieve their attack goals. These goals comprise stealing biometric data from the system, tricking the system into altering its biometric decision, impersonating legitimate users, tracking specific users, and stealing their identities to gain unauthorized access. Hence, the security aspect covers the protection of the ecosystem within which biometric recognition systems are deployed, considering attackers' type, behavior, and power. For example, biometric recognition systems that place full trust in the involved entities and lack verification mechanisms to ensure the conformity of interactions within their ecosystem, or those that fail to incorporate preventive measures in their design, run the risk of opening the doors to serious security threats. Such vulnerabilities could allow attackers to intrude upon the system stealthily.

Unlike the above reflection on privacy, which centers around the proper processing of biometric data for a specific purpose, security in the biometrics context involves creating a safeguarded environment for such processing to take place in accordance with a particular security model. However, if a biometrics system, by design, outputs information from which a legitimate entity can indirectly learn personal information, then the system fails to satisfy the privacy requirement even though it satisfies the modeled security. A concrete example of this case is examined in [3], which proposes a template recovery attack. This attack exploits a vulnerability in the design of some homomorphic encryption-based biometric recognition protocols. Therefore, the concept of privacy in biometrics is linked to the manner in which biometric data is processed and the intended purpose of such processing. At the same time, security pertains to the measures taken to ensure the overall protection of biometrics systems and that only authorized entities can access their ecosystem, thereby safeguarding against unauthorized breaches.

Anonymity in the Context of Biometrics - A Contradiction?   In biometrics, privacy refers to how biometric data is handled and for what purpose, while security refers to the precautions taken to safeguard biometrics systems and prevent unauthorized intrusions. On the other side of the spectrum, anonymity in biometrics relates to the ability to perform the recognition task without tracing individuals or revealing their identities. Hence, anonymity and proving/checking the physical presence, which involves identity, seem paradoxical. However, it is important to distinguish between ‘physical presence proof’ and ‘identity disclosure’.

One of the privacy requirements for biometric template protection schemes is unlinkability, which ensures that there is no relationship between stored protected biometric templates, whether across applications or databases, even for the same subject. Hence, the unlinkability property responds to the untraceability of biometric templates, which indirectly implies the untraceability of individuals. While the untraceability of biometric templates is required for maintaining privacy, the absence of untraceability of individuals does not necessarily hurt the privacy of biometric data, because in some cases (such as biometrics-based trackers in the educational technology sector) individuals give their consent to be traceable but do not consent to the inference of their Personally Identifiable Information (PII) from their biometric data. Oppositely, the absence of untraceability of individuals breaks anonymity, and so does the absence of untraceability of biometric templates, which, in this case, refers to the unlinkability property.

Proving physical presence does not have to go together with disclosing identity: checking the legitimacy of the right to do something (such as purchasing products under specific terms or getting access to something) often does not necessitate any identity disclosure. Indeed, it is possible to prove physical presence while hiding the identity. In certain use cases, such as access control to secure buildings, biometrics systems may only need to check whether the presented biometric probe matches an enrolled template stored in the reference database, without learning the actual identity of the probe's owner. This can be achieved via a biometric search task in two steps. During enrollment, the system stores only the protected reference template, without linking it to any identifiable attribute; during the search, the system compares the protected probe with the references stored in the database and checks whether the best score satisfies the biometric threshold.
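The two-step anonymous search described above, as an added illustration that is not code from the original post: the reference database holds protected templates with no identifiable attribute, and the search returns only a presence decision, never which reference matched. The keyed permutation-and-sign-flip "protection", the 8-dimensional feature vectors and the 0.90 cosine threshold are constructed assumptions that stand in for a real template protection scheme and a real feature extractor.

```python
import hashlib
import math
import random

DIM = 8            # assumed feature-vector length (stand-in for a real embedding)
THRESHOLD = 0.90   # assumed decision threshold on cosine similarity


def _keyed_orthogonal(key: bytes, dim: int):
    """Derive a deterministic permutation and sign pattern from a secret key.
    Stand-in for a template protection scheme (NOT a real BTP scheme): it is
    orthogonal, so similarity between protected templates equals similarity
    between the unprotected features and a threshold can be applied directly."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    perm = list(range(dim))
    rng.shuffle(perm)
    signs = [rng.choice((-1.0, 1.0)) for _ in range(dim)]
    return perm, signs


def protect(features, key: bytes):
    """Normalise the feature vector and transform it under the key."""
    norm = math.sqrt(sum(x * x for x in features)) or 1.0
    unit = [x / norm for x in features]
    perm, signs = _keyed_orthogonal(key, len(features))
    return [signs[i] * unit[perm[i]] for i in range(len(features))]


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))   # both inputs are unit vectors


class AnonymousReferenceDB:
    """Holds protected references only: no name, account or index is stored
    alongside a template, and the search API never returns which one matched."""

    def __init__(self, key: bytes):
        self._key = key
        self._refs = []

    def enrol(self, features):
        # Step 1: store the protected template without any identifiable attribute.
        self._refs.append(protect(features, self._key))

    def presence_check(self, probe_features, threshold=THRESHOLD) -> bool:
        # Step 2: protect the probe, take the best score over all references,
        # and report only whether it reaches the threshold.
        probe = protect(probe_features, self._key)
        best = max((cosine(probe, r) for r in self._refs), default=-1.0)
        return best >= threshold
```

With two enrolled subjects, a noisy probe of the first is accepted while an unrelated probe, or one sitting between the two references, is rejected, and in both cases the caller learns nothing about which reference was closest.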

Depending on the systems’ context, privacy, security, and anonymity are three fundamental notions needed for building safe, trustworthy, and reliable biometric recognition systems to uphold the rights of individuals.

References

[1] Christoph Busch. The ISO/IEC JTC SC37 Harmonized Biometric Vocabulary. url: https://www.christoph-busch.de/standards.html#370103.

[2] U.S. Department of Justice - Drug Enforcement Administration. Electronic Prescriptions for Controlled Substances (EPCS) Q&A. url: https://www.deadiversion.usdoj.gov/faq/epcs_faq.htm.

[3] Amina Bassit, Florian Hahn, Zohra Rezgui, Una Kelly, Raymond Veldhuis, and Andreas Peter. “Template Recovery Attack on Homomorphically Encrypted Biometric Recognition Systems with Unprotected Threshold Comparison”. In: 2023 IEEE International Joint Conference on Biometrics (IJCB). IEEE. 2023.

This blog post was written by Amina Bassit. Since 2020, Amina has been pursuing her Ph.D. as part of the PriMa (Privacy Matters) project at the University of Twente, The Netherlands. Her research focuses on the integration of deep learning-based biometric recognition and homomorphic encryption to develop privacy-preserving biometric recognition solutions that enhance efficiency while maintaining recognition accuracy. Her research interests comprise privacy-preserving technologies applied to biometric recognition and the security of biometric-based protocols.