ISO/IEC TR 24714-1:2008

TECHNICAL ISO/IEC
REPORT TR
24714-1
First edition
2008-12-15
Information technology — Biometrics —
Jurisdictional and societal
considerations for commercial
applications —
Part 1:
General guidance
Technologies de l'information — Biométrie — Considérations
juridictionnelles et sociétales pour applications commerciales —
Partie 1: Guidage général
Reference number
©
ISO/IEC 2008
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved

Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Terms and definitions .2
3 Symbols and abbreviated terms .3
4 Societal and cross-jurisdictional considerations .3
4.1 Introduction.3
4.2 Jurisdictional issues .3
4.3 Accessibility.10
4.4 Health and safety.13
4.5 Usability.14
4.6 Societal, cultural and ethical aspects of biometrics.17
4.7 Acceptance .18
Bibliography.22

© ISO/IEC 2008 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
⎯ type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
⎯ type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
⎯ type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 24714-1, which is a Technical Report of type 3, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 37, Biometrics.
ISO/IEC TR 24714 consists of the following parts, under the general title Information technology —
Biometrics — Jurisdictional and societal considerations for commercial applications:
⎯ Part 1: General guidance
The following parts are under preparation:
⎯ Part 2: Specific technologies and practical applications
iv © ISO/IEC 2008 – All rights reserved

Introduction
This part of ISO/IEC TR 24714 provides support for the further development of ISO/IEC biometric International
Standards in the context of cross-jurisdictional and societal applications of biometrics, including
standardization of both existing and future technologies.
Specifically, this part of ISO/IEC TR 24714 offers guidance on the design of systems that use biometric
technologies to capture, process and record biometric information
⎯ with regard to societal norms and legal requirements of jurisdictional domains (within and among various
levels of jurisdictions),
⎯ pertaining to privacy/data protection of an identifiable individual,
⎯ with respect to an individual’s ability to access and use these systems and the information they contain,
⎯ with regard to health and safety issues pertaining to an individual when systems are utilized to capture
biometric data.
In this part of ISO/IEC TR 24714, biometric data are considered to be personal data.
The contents of this part of ISO/IEC TR 24714 are recommended practices and guidelines. They are not
mandatory. Legal requirements of the respective countries take precedence and biometric data should be
obtained in accordance with local norms of behaviour. This part of ISO/IEC TR 24714 does not reduce any
rights or obligations provided by applicable laws. Compliance with any recommendations in this part of
ISO/IEC TR 24714 does not of itself confer immunity from legal obligations.
Examples of the benefits to be gained by following the recommendations and guidelines in this part of
ISO/IEC TR 24714 are
⎯ enhanced acceptance of systems using biometrics by subjects,
⎯ improved public perception and understanding of well-designed systems,
⎯ smoother introduction and operation of these systems,
⎯ potential long-term cost reduction (whole life costs),
⎯ increased awareness of the range of accessibility-related issues,
⎯ adoption of commonly approved good privacy practice.
The primary stakeholders are identified as
⎯ users – those who use the results of the biometric data,
⎯ developers of technical standards,
⎯ subjects – those who provide a sample of their biometric data,
⎯ writers of system specifications, system architects and IT designers,
⎯ public policy makers.
© ISO/IEC 2008 – All rights reserved v

TECHNICAL REPORT ISO/IEC TR 24714-1:2008(E)

Information technology — Biometrics — Jurisdictional and
societal considerations for commercial applications —
Part 1:
General guidance
1 Scope
This part of ISO/IEC TR 24714 gives guidelines for the stages in the life cycle of a system’s biometric and
associated elements. This covers the following:
⎯ the capture and design of initial requirements, including legal frameworks;
⎯ development and deployment;
⎯ operations, including enrolment and subsequent usage;
⎯ interrelationships with other systems;
⎯ related data storage and security of data;
⎯ data updates and maintenance;
⎯ training and awareness;
⎯ system evaluation and audit;
⎯ controlled system expiration.
The areas addressed are limited to the design and implementation of biometric technologies with respect to
the following:
⎯ legal and societal constraints on the use of biometric data;
⎯ accessibility for the widest population;
⎯ health and safety, addressing the concerns of users regarding direct potential hazards as well as the
possibility of the misuse of inferred data from biometric information.
The intended audiences for this part of ISO/IEC TR 24714 are planners, implementers and system operators
of biometric systems.
Specification and assessment of government policy are not within the scope of this part of ISO/IEC TR 24714.
© ISO/IEC 2008 – All rights reserved 1

2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
accessibility
〈biometrics〉 possibility for everyone, regardless of physical capability or technological readiness, such as
people with disabilities, to access and use biometric technologies and services
NOTE 1 Access can be gained directly, using assistive technologies or by the use of alternative methods. One should
strive to enable direct access by as many subjects as possible (inclusive design).
NOTE 2 The ISO/IEC JTC 1 Special Working Group on Accessibility defines accessibility as “the usability of a product,
service, environment or facility by people with the widest range of capabilities”.
2.2
attendant
individual who is present to guide or assist a (data) subject in enrolling or verifying their biometric data
2.3
(data) subject
individual who provides biometric data for storage or comparison in a biometric system
2.4
function creep
mission creep
expansion of a project, mission, or system’s function beyond its original goals
NOTE Function creep is the result of the intended or unintended change or extension to the functions of a system,
which occur as small incremental stages, and can lead to significant changes to the function.
2.5
biometric data manager
person within the system operator’s organization accountable for compliance with the principles contained in
this part of ISO/IEC TR 24714
2.6
proportionality
balance between the interests of an individual and the interests of an organisation
2.7
spoofing
〈biometric system〉 presenting a recorded image or other biometric data sample, or an artificially derived
biometric characteristic, in order to impersonate an individual

2.8
usability
extent to which a product can be used by specified users (subjects) to achieve specified goals with
effectiveness, efficiency and satisfaction in a specified context of use
NOTE Adapted from ISO 9241-11:1998, 3.1.
2.9
personal data
information relating to an identified or identifiable individual that is recorded in any form, including
electronically or on paper
2 © ISO/IEC 2008 – All rights reserved

2.10
jurisdictional domain
jurisdiction, recognized in law as a distinct legal and/or regulatory framework, which is a source of external
constraints on people, their behaviour and the making of commitments between people including any aspect
of a business transaction
NOTE Adapted from ISO/IEC 15944-5:2008, 3.67.
2.11
biometric data sample
data captured from a biometric sensor that can be recorded as a biometric reference for a subject or used for
comparison with previously recorded biometric reference data to verify or identify a subject
3 Symbols and abbreviated terms
PET Privacy Enhancing Technology
ICT Information and Communication Technology
PDA Personal Digital Assistant
4 Societal and cross-jurisdictional considerations
4.1 Introduction
This part of ISO/IEC TR 24714 provides generic recommendations that are not specific to technologies or
applications and that can affect all biometrics.
This clause begins by providing principles, guidelines and considerations for the design and implementation of
biometric systems in three major areas: jurisdictional issues related to privacy and protection of personal
information (4.2); accessibility (4.3); and an examination of health and safety issues when using biometric
systems that may affect design and implementation considerations (4.4).
It continues with a discussion of usability addressing “real world” issues surrounding biometrics. It considers
usability and highlights conditions of the physical environment that may affect the operation and usability of a
biometric system (4.5).and continues with the societal, cultural and ethical aspects of biometrics (4.6); and
discusses acceptance of the use of biometric characteristics (4.7).
4.2 Jurisdictional issues
4.2.1 General
The developer of a biometric system needs to take account of a number of issues that relate to specific
jurisdictional requirements, which may differ between jurisdictions. Although some of these are considered in
this part of ISO/IEC TR 24714, a number of others will not be examined. The list of issues which have not
been examined in detail in this part of ISO/IEC TR 24714 includes
⎯ anti-discriminatory laws,
⎯ disclosure laws,
⎯ redress mechanisms,
⎯ contractual issues,
© ISO/IEC 2008 – All rights reserved 3

⎯ provision of biometric data to other companies or subsidiaries,
⎯ provisions for law enforcement agencies for access to biometric and associated information,
⎯ opt-in and opt-out rights and associated requirements for fall-back processes,
⎯ specific data retention conditions (including period of time and security standards),
⎯ evidentiary requirements for use of biometric data in a court of law,
⎯ specific instances where biometrics are required by organizations or governments (e.g. for secure access
to military facilities and critical national infrastructure),
⎯ applicability of legal domains in use of biometrics on the Internet,
⎯ border control laws.
4.2.2 Privacy
With proliferation of biometric systems worldwide, the aspect of privacy gains importance. As a result it is
necessary to understand what the objectives of data protection law and policy intend. It is necessary to protect
not only processed data but also to protect data subjects themselves and of their personal rights. Using a
biometric system means using personal data; thus existing privacy laws apply. Depending on how a system is
deployed, biometric technology can compromise or protect a data subject’s privacy. The possibility of
protection is especially valid in view of the special properties of biometrics, which are linked uniquely to the
subject for their lifetime, unlike PINs and passwords, which are only indirectly and weakly linked to a person.
By using a biometric key, other types of personal data can be better protected from theft and misuse than by
traditional means. Biometrics can therefore be both an object and a tool in the different aspects of this
discussion. In all applications, the principle of proportionality should be applied. That means that biometric
data used should be adequate, relevant and non excessive with regard to the purposes for which they are
collected and further processed.
Biometrics can be considered in the context of Privacy Enhancing Technologies (PETs). PETs are a coherent
system of Information and Communication Technologies (ICT) measures that protect privacy by eliminating or
1)
reducing personal data or by preventing unauthorised, unnecessary and/or undesired processing of personal
data; all without losing the functionality of the data system (see Borking/Raab 2001).
The principle of PET applies to biometrics seen from two standpoints:
⎯ as an object of the principle, the implementation and application of biometrics has to follow a
comprehensive and correct privacy regime in order to be privacy enhancing;
⎯ as a tool in the meaning of PET, biometrics itself can be a privacy enhancing method.
For instance, biometrics can improve the verification process compared with a traditional process where the
subject has to give full information of his/her person along with revealing all personal information on the
requested document. The use of biometrics can simply be putting a fingerprint on a sensor without revealing
any additional personal information (name, address, birth date etc.) to the person who is checking the
entitlement of the identified person (given that there has been a proper registration process beforehand).
Moreover, the use of biometrics enables the subject to bind a device (such as a PDA) to their identity. The
advantage is that the protected device cannot be used by other persons. Subjects can use pseudo-identities
by varying the biometrics provided.

1) Processing in this context includes any operation or set of operations which is performed upon personal data,
whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction.
4 © ISO/IEC 2008 – All rights reserved

The following are some general accepted rules of Privacy Enhancing Technologies.
⎯ Use no personal data or as little as necessary.
⎯ Use encryption if using personal data.
⎯ Destroy raw data as soon as possible.
⎯ Anonymize personal data wherever possible.
⎯ Do not use central databases where not required.
⎯ Give subjects control over their personal data.
⎯ Use a means of evaluation and certification to verify that an application delivers a guarantee of an
appropriate level of trust.
In relation to privacy, Article 17 of the International Covenant on Civil and Political Rights [36] states:
“No one shall be subjected to arbitrary or unlawful interference with his privacy, family,
home or correspondence, nor to unlawful attacks on his honour and reputation”.
Privacy is one of the most significant issues confronting not only the biometrics industry, but also any
organization which gathers personal information. The potential for shared access to information and multiple
uses of biometric databases raises specific concerns; however, many statements on privacy fail to capture the
nuances across various biometric deployments. Certain types of biometrics engender a greater perception of
privacy invasion while others may have little influence on privacy concerns. Personal information is the first
step to establishing personal identity and it is at this point where many crimes of identity occur. Although there
are many issues associated with submitting biometric data, it should be reinforced that identification will have
already been established through other identity documents such as birth certificates. Therefore, many people
might consider biometric techniques to be far less invasive than being asked, sometimes face to face, a
myriad of questions relating to their personal history, details of residence and information about other
members of their family, such as a mother’s maiden name. In this context biometric technology is simply
another means for identification.
The increasing number of implementations and discussions about the use of biometrics raises questions
about the technology’s impact on privacy in applications generally available and widely used by the public, in
the workplace and at home. Key aspects of privacy issues relate to either the data subject or the organization.
From the data subject’s perspective, issues relate to collection, choice, use and security of information and
anonymity of the individual. From an organizational perspective, issues include the manner and purpose of
collection, solicitation, storage and security of information, access to records, relevance and the limits on use
and disclosure of collected data.
Other privacy issues relate to concerns that include stigmatization and reputational or financial damage . An
example of stigmatization in some communities is the association of fingerprints with criminal activity; however,
fingerprinting is now also becoming associated with the more positive identification of the law-abiding citizen
as, a cardholder, club member and consumer. Any concerns can be exacerbated by the possibility that a
person’s biometric can be “spoofed”.
Further privacy issues relate to function creep, or the misuse of information, and tracking or aggregation of
data. In relation to function creep, using data for a secondary purpose may appear worthwhile; however,
socio-cultural and legal issues may arise when individuals are not informed of this secondary purpose for
which their information will be used, and have not given consent for this to take place. “Tracking” can refer to a
specific form of function creep where biometric data is used in combination with additional data such as
spending or travel details to track the actions of individuals. Covert use of biometrics without legal
authorization will impinge on individuals’ privacy.
© ISO/IEC 2008 – All rights reserved 5

In addition to the analysis of cross-jurisdictional issues relating to privacy listed in section 4.2.3, a number of
other considerations may need to be taken account of, including
⎯ issues relating to the linking of biometric data to other information;
⎯ transition states, e.g. the ability to give consent changes:
⎯ migration from a minority to a majority age,
⎯ change in mental capacity (e.g. Alzheimer’s disease),
⎯ death of a subject,
⎯ revocation procedures;
⎯ notification to anonymously enrolled data subjects of any changes in the uses of a biometric.
The data protection officer of the system operator, or equivalent, should take part in the planning and
implementation of all biometric technologies and applications and should also be included in the establishing
and compliance control of the biometric privacy policy. When there is no internal data protection officer there
should be a person in charge of implementing the system who is able to deal with IT security and privacy
issues when they occur.
When recognized national consumer associations have published recommendations on biometrics that seem
to be applicable to a specific biometric implementation, a system operator should consider them where
appropriate.
4.2.3 Privacy principles for biometric systems
In certain applications biometrics allow a measure of privacy to individuals through verifying their identity
rather than identifying them. They may also contribute to the enhancement of privacy in other systems by
controlling access to sensitive data.
In order to protect the privacy of individuals, certain measures should be considered by organizations
implementing a biometric solution.
This list builds upon the reference documents listed in Annex A, providing the user of this part of
ISO/IEC TR 24714 with a minimum of commonly agreed good practice. Nevertheless, appropriate legal
authorities should be consulted in order to ensure compliance with all local laws and regulations, since – in
some countries – some of these principles will be mandatory and have specific obligations attached to system
operators using biometric applications.
1. Transparency
There should be a general policy of openness about the use of biometric data, which should include the
purposes for which the data is to be used and the point of contact responsible for its use. Any subsequent
changes should be made known to data subjects.
2. Consent
Biometric data should be collected, used, disclosed and retained with the knowledge and consent of data
subject, except where local laws have exemptions to this principle.
3. Preference for opt-in
Where feasible and practical, opt-out or opt-in procedures should be made available to the subject. In
general, opt-in is the preferred option.
6 © ISO/IEC 2008 – All rights reserved

4. Limitation of purpose
The purpose(s) of the biometric applications should be specified before implementing the biometric
system, and documented and made available to affected individuals. The biometric data processing
2)
should be limited to the stated purpose .
5. Limitation of collection
The collection of biometric data should be limited to the minimum required to achieve the stated
purpose(s).
6. Limitation of period of retention
The biometric data should be kept only for the period of time necessary for the specified purposes.
Procedures should be specified for secure removal of data that is beyond its retention period.
7. Adherence to performance criteria
The system operator should ensure the correct function and stability of the system according to its
specification and that system malfunction does not cause unnecessary invasion of the subject’s privacy.
8. Access rights of the data subject
The data subject should be given reasonable access to verify the correctness of the biometric data and to
have incorrect data amended.
9. Protection of the data
Biometric data should be protected against unauthorized use or unlawful processing. Opportunities for
such misuse should be minimized at the design and development stage of a system. Back-up and archival
data should have the same level of protection as active data.
10. Secure audit
The biometric system should be designed to permit a secure audit of the use of biometric data including
its deletion or removal from the biometric system. See ISO/IEC 27002:2005.
11. Data transfer between jurisdictions
As a best practice, and unless the law of the receiving jurisdiction already provides adequate protection of
transfers of biometric data between jurisdictions, the system operator should take reasonable steps to
ensure that the data transferred continues to be adequately protected, such as by following model
contracts for the transfer of personal data such as those offered by the Article 26 (4) of directive 95/46/EC
3)
Data Protection Working Party of the European Commission , even though this may not be a legal
requirement in the jurisdictions in which the organization operates.
12. Significant automated decisions
Where biometric systems are used to make significant and fully automated decisions about individuals, a
mechanism to request the intervention of a person should be provided. Individuals should be notified of
such automated decisions.
13. Accountability
A person within the system operator’s organization should be accountable for compliance with these
principles.
14. Accuracy of biometric data
Biometric information should be as accurate, complete, and up-to-date as is necessary for the purposes
for which it is to be used.
2) In some countries the principle of necessity is used. This requires that for use of a particular methodology or
technology, especially emerging technology, it must be demonstrated that its use is required and that the purpose cannot
be achieved by any other methodology and/or technology that is accepted as providing adequate protection of individuals
privacy.
3) Available at
© ISO/IEC 2008 – All rights reserved 7

15. Anonymization of data
Release of biometric data for academic, statistical or testing purposes should be considered and
controlled carefully. Links to other personal information should be removed where they could lead to
identification of an individual.
4.2.4 Further legal aspects
4.2.4.1 Introduction
Although this part of ISO/IEC TR 24714 is not intended to deal in detail with legal issues such as contractual
or evidentiary aspects, some general statements on the legal value and potential consequences of using
biometric systems will be of benefit for its audience.
In some countries a number of regulations already exist either dealing directly with use of biometrics systems
or which may be applicable in this context. This section only gives a general overview of legal issues, other
than privacy aspects. The detailed regulations applicable in specific countries are reported in Annex A.
4.2.4.2 Biometrics in authentication infrastructures
There is a need to facilitate electronic communication of legal transactions between parties. To achieve this
many countries have introduced regulations for an electronic mechanism.
While hand-written signatures are widely accepted in the legal context, this normally relies on human
signature recognition. A sample of biometric data can represent this traditional authority of the hand-written
signature that complements or provides an alternative to a PIN and/or passwords.
Three factor security may involve something that a subject possesses, something they are or something they
know in any combination. Two factors are sufficient for most commercial applications. In this context,
biometrics characteristics in combination with digital security may be seen as the equivalence of a hand-
written signature. If the use of biometrics can realise the traditional functions of the hand-written signature, a
legal transaction and the binding to a person can be ensured and therefore a similar legal binding force can be
achieved.
Where both the captured and reference biometrics data samples are needed to realise equivalent legal validity
in transactions to that of traditional hand-written signature requires that, in all cases, both systems employed
are able to deliver strong security and a reliable audit trail (see ISO/IEC 27002:2005).
The use of biometric characteristics alone in electronic transactions will be deemed by some authorities not to
confer the same legal validity as a hand-written signature. In these cases biometric characteristics and digital
signatures should be in a complementary relationship. Therefore, in this context, the use of biometric
characteristics needs to be considered as one module in a public key infrastructure and subject to the legal
requirements of that infrastructure.
4.2.4.3 Biometric methods and legal proof
The evidential value of an electronic transaction might be maximised if one or more biometric credentials are
used to prevent unauthorised issue of a legal declaration.
An appropriate level of security can enhance the evidential integrity both of binding of the digital signature to
the individual and in non-repudiation of the document or transaction.
Any legal challenges will best be addressed by demonstrating the reliability of the system which was used.
Although the assessment of the court will differ between jurisdictions, the performance and the overall security
of the biometric system will be the most significant aspect in the case.
It should be considered that recognition of a biometric data sample rarely performs perfect matching of
characteristics in practical applications. It is therefore difficult to make reliable statements on the recognition
quality of a specific system at a defined point in time. This contrasts with a PIN or a password where the
8 © ISO/IEC 2008 – All rights reserved

match is one hundred percent true or false but presents the risk that it might have been used by one who is
not entitled to use it.
A system secured by biometric credentials is subject to similar security breaches as a system protected by
PINs or passwords. Naïve faith in technology could result in a higher degree of confidence in a biometric
system’s security than is justified. It is therefore essential to determine the degree of security in the total
system (see ISO/IEC 27002:2005).
4.2.4.4 Performance of biometric systems and liability
Biometric systems are subject not only to technical malfunction but also to reduced performance as a result of
user behaviour (including operators and subjects), deliberate or accidental, or as a result of aged biometric
data samples. The failure to protect and secure biometric data can incur legal liability. It is important to
consider the consequences and liability issues associated with such failures in the legal context.
4.2.4.5 Standard terms of business
Liability can be dealt with in statutory provisions and also in contracts. Businesses often use pre-worded
contract terms that, as a rule, add to the statutory provisions. In many countries, there are existing laws of
standard terms of business, containing rules for whether such terms have become part of a contract, whether
clauses are invalid, and entitle third parties (such as consumer associations) in certain circumstances to file a
court claim aimed at obtaining a judgement holding a clause invalid. Generally what is often needed, is a clear
and understandable wording; in other words the subject should be able to find, and familiarise himself, with
certain mandatory information, without difficulty.
It is desirable to establish consumer friendly terms in order to build trust in a biometric application. Subjects
are unlikely to use a biometric system for their convenience if they are disadvantaged by having the legal
burden of proving whether or how they used the system in the event of a disputed match.
For instance, if the risk of malfunction of the biometric system prevents the subject’s access to the protected
area, standard terms of business should not shift the responsibility to the subject.
An exclusion of liability for user’s system malfunctions is also usually not permitted, or at least not desirable, in
terms and conditions of business. Biometric systems are vulnerable to unauthorised use and malfunctions.
Besides intentional manipulations by attacks on the system and general technical problems, a certain number
of potential erroneous acceptances must always be expected to occur. The subject is neither able to affect nor
to control these technical aspects since these aspects are in the user’s sphere alone.
4.2.4.6 Non-discrimination
Since biometrics systems use physical or behavioural information, individuals can be deterred from using
them if they are unable to present the required characteristic or cannot do so in such a manner as to achieve
successful verification. Examples are represented by missing fingers, inability to speak, inability to control eye
movement. Considering the increasing use of biometrics this is likely to become a problem for affected
subjects especially when biometrics are required to access important services.
In many countries regulations exist to prevent discrimination and to protect disabled persons. To avoid
discrimination against individuals who are unable to use a particular biometric system, provisions should be
made for alternative methods of identity verification.
4.2.4.7 Biometrics in the work place
In several countries specific regulations need to be taken into account when biometric technology is used for
physical or logical access control in a working environment. The working place needs special consideration
since the employee’s ability to refuse consent is constrained by their dependence on employment. In order to
protect the rights of the employees, in particular with regard to their privacy, it will often make sense to involve
a workers’ association, a works council, or equivalent, in place to negotiate sensible use and management of
the biometric data. In Germany, for example, there are clear legal provisions which need to be considered and
require the participation of the works council.
© ISO/IEC 2008 – All rights reserved 9

4.2.4.8 Aspects of criminal law
4.2.4.8.1 Altering data and unauthorised computer access
Under many criminal laws there is a prohibition of altering electronic data without authorisation and it is also
not legal to access a computer of another person without appropriate entitlement. The specific cases under
which legal sanctions are applicable depend on the national regulations.
4.2.4.8.2 Forgery or theft of biometric data
A spoofing attack on a system by copying or theft of biometric characteristics could be subject to criminal law
in various jurisdictions. There could be a need to establish specific regulations in this regard in order to protect
the wellbeing and life of subjects. Technical measures are being developed to ensure the liveness of biometric
characteristics. Systems should therefore provide such a test, a verification that the biometric data sample is
provided by a natural person, and include measures against “replay” or re-presentation of a sample. These
features could mitigate subjects’ concerns over theft of physical biometric characteristics, and should be
implemented where possible.
4.3 Accessibility
4.3.1 Introduction
A biometric system should be easily accessible to all subjects and should not disadvantage any subject.
Accessibility of a biometric system is dependent on specifics of the subjects using the system and on its
usability, including the physical environment (see 4.5.2). For subjects that cannot use the biometric system
due to permanent or temporary conditions, alternative systems are necessary and should be provided. Any
additional costs to the subject that are associated with the use of biometric applications should be clearly
stated.
Accessible systems should be designed to be
⎯ equitable in use for data subjects who have physical or psychological inabilities,
⎯ flexible in use,
⎯ simple and intuitive to use,
⎯ easy-to-understand with appropriate additional prompts,
⎯ clearly indicated by signs,
⎯ tolerant of error,
⎯ usable with low physical effort,
⎯ of a size and in a space that allows easy approach and use,
⎯ use of a range of tactile, audio and visual prompts in the user interface.
Accessibility difficulties may be long term, temporary and/or may occur without warning, for example, as the
consequence of sudden onset of illness such as laryngitis or a sore throat, dental or eye surgery, or other
physical injuries.
Subject groups may be internal or external to the implementing organization or may be a combination of both.
It is imperative that any organization contemplating the introduction of biometrics identifies all stakeholders,
considers how the subject groups might respond to the technology and identifies potential issues and
solutions prior to programme implementation. Human factor issues are not confined to those who are the
subjects of the technology but may also include system implementers, designers, technicians and attendants,
who may all be subject to system limitations and errors.
10 © ISO/IEC 2008 – All rights reserved

Reasonable efforts will need to be made to support accessibility based on analysing costs and benefits such
that fewer exceptions need to be handled and less impact made on other users (operators and subjects).
Many countries have adopted inclusive policies and enforced them with legislation (e.g. the USA’s Americans
with Disabilities Act of 1990 [24]). Standards and Workshop Agreements on Design for All [25] are being
developed at European and international level. ISO/IEC Guide 71, Guidelines for standards developers to
address the needs of older persons and persons with disabilities [26] gives an overview on the possible
impairments of subjects and helps to address their problems when standardizing and/or implementing
systems. The United Nations Standard Rules on Equal Opportunity for Persons with Disabilities [27] provides
guidelines on the enhancement of participation opportunities for people with disabilities in education,
employment, social security, culture, recreation, transport and accessibility to the built environment and
information. In Japan, the domestic standard (JIS X8341) with regard to the accessibility, was established in
May 2004. Biometrics is described in the standard.
The system operator and/or designer should take into account the following disabilities and problems for
subjects using a system. Some of these conditions can be temporary. Note also that many people have a
combination of impairments, the cumulative effect of which will amplify the impact of individual impairments.
Examples of disabilities:
1. The absence of physical body parts required for the correct operation of a biometric or its specific
instantiation in the system.
Example: missing index finger(s) in an access control system using prescribed fingers
2. The absence of behavioural features required for the correct operation of a biometric or its specific
instantiation in the system.
Example: data subject with no power of speech required to use a voice-activated door entry
system
3. Unusable physical body parts required for the correct operation of a biometric or its specific
instantiation in the system.
Example: person with extreme arthritis asked to use a flat plane hand geometry biometric
4. Unusable behavioural features required for the correct operation of a biometric or its specific
instantiation in the system.
Example: data subject in a country with a writing system based on non-Latin alphabet required to
use a dynamic signature system designed for Latin alphabets
5. An inability to present the required biometric characteristic in a sufficiently consistent and predictable
manner under the particular conditions of operation.
Example: uncontrollable movement of the eyeball resulting in difficulty in operating an iris
recognition system
Example: person with a speech impediment (e.g. stuttering) asked to use a speaker verification
scheme
6. An accelerated drift, that is a change in a characteristic over a period of time in physical or behavioural
aspects resulting in increasing difficulty in meeting the m
...