Standards, Best Practices, and Recommendations

Best Practices for Privacy-Sympathetic Biometric Deployment – BioPrivacy Initiative, International Biometric Group, www.bioprivacy.org/best_practices_main.htm 

These guidelines for privacy-sympathetic and privacy-protective deployment provide institutions with an understanding of the types of protections and limitations commonly implemented.  The Best Practices are meant to address the full breadth of biometric applications and technologies, from small-scale physical access to nationwide identification programs.


Biometrics Institute – www.biometricsinstitute.org
 
The Biometrics Institute is an Australian independent not-for-profit user group with 115 organizations, including government departments, financial services institutions, health service providers, and also vendors of biometric products and services. It is a meeting place for organizations that have an interest in biometrics and would like to share experiences and receive information and training in an information environment. The Biometrics Institute has developed a Privacy Code for the biometrics industry in Australia and offers a privacy impact assessment (PIA) service.


 
The Biometrics.gov standards page includes several standards documents that contain privacy recommendations or discussions, such as the Supplemental Information in Support of the NSTC Policy for Enabling the Development, Adoption, and Use of Biometric Standards, August 10, 2009, which contains in Section A.22 a discussion on biometric information privacy, including an analysis of the issue and the need for a privacy impact assessment, and solutions


BioPrivacy Initiative – www.bioprivacy.org
 
Recognizing that biometric technologies are seeing increased usage in the public and private sectors, the International Biometric Group's (IBG) BioPrivacy Initiative defines best practices as well as deployment and technology guidelines for maintenance of personal and informational privacy in biometric deployments. The objectives of IBG's BioPrivacy Initiative are to raise awareness of privacy issues for end users and deployers of biometric technology and to increase the likelihood that biometric technologies, when deployed, will be as protective of personal and informational privacy as possible. The BioPrivacy Initiative is a resource for the following:
  • Public and private sector entities drafting privacy policies or statements
  • Institutions deploying biometrics to employees, customers, or citizens
  • Private citizens concerned with the use of biometric technology 
International Biometric Group's BioPrivacy Initiative uses three evaluative tools to ensure that new or existing biometric deployments are consistent with generally accepted privacy principles:  Application Impact Framework (www.bioprivacy.org/bioprivacy_main.htm), Technology Risk Ratings (www.bioprivacy.org/technology_assessment_main.htm), and Best Practices for Privacy-Sympathetic Biometric Deployment (www.bioprivacy.org/best_practices_main.htm). This site also contains a useful FAQs and Definitions section, www.bioprivacy.org/FAQ.htm.


FBI Biometric Center of Excellence (BCOE) http://www.biometriccoe.gov/
 
The Federal Bureau of Investigation’s (FBI’s) Biometric Center of Excellence Web site is dedicated to providing up-to-date information regarding FBI biometric standards initiatives from the Criminal Justice Information Services (CJIS) Division, Technology Evaluation Standards Test Unit. The FBI's Science and Technology Branch created the BCOE to strengthen our ability to combat crime and terrorism with state-of-the-art biometrics technology. CJIS actively participates in close partnership with other U.S. government agencies and U.S. industry to help establish formal national and international biometric standards development bodies as the best environments to support deployment of standards-based solutions and to accelerate the development of the consensus standards. This site contains background information and links on the Integrated Automated Fingerprint Identification System (IAFIS), the American National Standards Institute/National Institute of Standards and Technology (ANSI/NIST), and the Electronic Biometric Transmission Specification (EBTS). This site also includes the results of the State-of-the-Art Biometrics Excellence Roadmap (SABER) Technology Assessment, referenced in an earlier section.


Mobile ID Device Best Practice Recommendation, Version 1.0 – July, 2009, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 500-280, Shahram Orandi and R. Michael McCabe, Information Access Division, Information Technology Laboratory
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=903169
 
On August 25, 2009, the National Institute of Standards and Technology (NIST) published a report detailing the best practices for the interoperability of the next generation of mobile biometric acquisition devices.  The devices will allow for the remote collection of biometric information and the ability to wirelessly send collected information for database and watch list comparison in real time.  The NIST recommendations address future mobile applications of fingerprints, facial recognition, and iris scanning in law enforcement (e.g., by patrol officers and on-board patrol vehicles), criminal justice, and military environments.  The report also addresses XML issues.  There is much that is significant about this report. For example, it encourages the use of images rather than templates because of the higher accuracy attributed to this approach.  However, although not stated in the report, images are more likely to be usable in other applications (if stolen/replicated) and consequently are a greater threat to privacy than templates.  Also, the use of biometrics in mobile contexts may, over time, reshape fundamental criminal justice tasks.  For example booking facilities could be potentially eliminated.  Verification of who is giving a DNA sample could be made easier than what is sometimes done today with the concurrent capture of both DNA and fingerprints. Sex offender registrant and wanted persons identification at the scene of major disasters (e.g., weather-forced relocations) could be greatly facilitated.  Updating of criminal case disposition information could be done more easily and less expensively, etc.  


National Biometric Security Project (NBSP) Enterprise – www.nationalbiometric.org
 
The mission of the National Biometric Security Project (NBSP) is to help government and private sector organizations protect the civil infrastructure by deterring attacks through the timely deployment of biometric technologies for identity assurance. NBSP, a nonprofit organization, was established after the events of 9/11 with the support of the U.S. Congress. NBSP widely supports government and private sector efforts to standardize, test, acquire, and deploy biometric technology and to do so in an environment compatible with rational social objectives in preserving individual privacy and civil liberties. The NBSP Enterprise was created to increase national security and personal identity protection by enhancing identity assurance with biometrics. The enterprise components provide biometric acquisition support, testing, training, standards development, and authentication services to public and private sector clients. The NBSP organization is ISO 9001-certified [Quality Management Systems Requirements]. As a 501(c)(3) nonprofit corporation, NBSP is able to ensure a technology-neutral, vendor-independent posture and focus on user requirements.


National Institute of Justice (NIJ) Sensors, Surveillance, and Biometric Technologies Center of Excellence – www.biometricgroup.com/Center/
 
The National Institute of Justice (NIJ) established the Sensors, Surveillance, and Biometric Technologies Center of Excellence as part of the National Law Enforcement and Corrections Technology Center (NLECTC) system. DOJ contracted with the International Biometric Group to establish and operate the center to support NIJ’s law enforcement and corrections technology projects, including concealed weapons detection, through-the-wall surveillance, novel sensors, video surveillance, and biometric technologies. The center provides hands-on expert services and engineering assistance to 19,000+ U.S. state and local criminal justice agencies.


National Institute of Standards and Technology (NIST) Information Technology Laboratory’s Identity Management Systems Program – http://www.itl.nist.gov/ITLPrograms/IDMS/external/
 
In conjunction with other federal agencies, academia, and industry partners, the NIST Identity Management Systems Program is pursuing the development of common models and metrics for identity management, critical standards, and interoperability of electronic identities.  These efforts will improve the quality, usability, and consistency of identity management systems; protect privacy; and ensure that U.S. interests are represented in the international arena.


Privacy guidance for the electronic sharing of corrections photographs – October 9, 2008, Nlets—The International Justice and Public Safety Network
 
This study—led by Nlets, in cooperation with Automated Regional Justice Information System (ARJIS), U.S. Department of Homeland Security, and the National Institute of Justice—offers proposed privacy policy provisions for the State, Regional, and Federal Enterprise Retrieval System (SRFRS)/Nlets Interstate Sharing of Photos (NISP) Interstate Corrections Photo Sharing Demonstration. As part of this demonstration, Departments of Corrections (DOCs) will make corrections information (including but not limited to offender photographs; descriptions of offenders’ scars, marks, and tattoos; and supervision information) available to criminal justice practitioners over the Nlets network. North Carolina and Oregon DOCs have agreed to participate in this demonstration. This privacy guidance report addresses the electronic dissemination of corrections photographs and supervision information over the Nlets network. It does so by discussing the privacy issues raised by the electronic sharing of such information and proposing policies intended to ensure that corrections information is treated in accordance with applicable state law and is not mismanaged or improperly attached to individuals with negative, real-world consequences.