You remember Minority Report? I’m referring to the film Steven Spielbergdated 2002 and freely based on the science fiction story of the same name by Philip K. Dick, Minority report. The film reproduced the dystopian reality of a Washington projected in 2054, where a widespread network of cameras was used to constantly identify the population and, by cross-referencing that data with a predictive system, the subjects could be arrested before they committed criminal acts, based on the prognostic judgment of this system.
Disturbing and possible scenario, but which seemed far from being able to materialize in Western realities, while in China has been substantially close to full completion for some time now.
Actually, even in the West technological itches little by little they overcome every obstacle, first cultural and then regulatory, and if in the United States, for example, the FaceBoarding is already active in several airports, in Europe Italy was the first to want to cross the border facial biometric recognition to facilitate access requirements to boarding gates. In fact, on May 7th it was inaugurated atLinate airport a new system of this type which, as ensured by Sea SpA, the company that manages the Milanese airports, “guarantees the protection of passengers’ privacy and data” by means of “safe, simple and rapid technology”.
Technically, facial recognition is based on the collection and processing of biometric characteristics of the face, from which a certain number of biometric traits are extracted, such as the position, distance and size of the elements that characterize the face, in order to construct a biometric model, i.e. a set of biometric traits stored in digital form. From a legal point of view, each of these elements falls within the definition of biometric data, which the Regulation (EU) 679/2016 (General Data Protection Regulation – GDPR) includes within the special categories of personal data (so-called “sensitive data”), the processing of which is subject to more rigorous regulation, in consideration of the risks that may arise for the rights and freedoms of individuals.
What could these risks be? Some are easily imaginable, such as identity theft and the consequent use of biometric data to carry out fraudulent actions. For this reason, the processing of biometric data requires the adoption of security measures particularly high, about which interested parties have the right to be informed. And also the information on the processing of personal data through the FaceBoarding service, present on the Linate airport website, provides some indications in this sense, specifying that the biometric data are preservedin the form of a biometric model, in encrypted form.
A little sparse information, in fact. You might ask yourself, for example, what algorithm is used to encrypt biometric templates, what authorization levels are applied for access to the databases which hosts them, how the transmission of biometric data acquired through the kiosks at the airport to the airport IT systems is protected.
Furthermore, starting from June, the biometric data associated with the faces of passengers can be acquired via “selfie” in the case of registration via the App. Also in this case, no other details emerge from the information on the process of acquiring biometric data via the App, which could entail further, not insignificant, risks. It is known, in fact, that the biometric characteristics of the face can also be obtained from photographic images, which today, with the use of artificial intelligence systems now accessible and easily usable by anyone, can be reworked in order to obtain a reconstruction of the face that is very faithful to that of a real person (for example, through the creation of three-dimensional models) capable of deceiving acquisition systems via smartphones. Even more so, in the absence of any human control, since, as stated in the information, the “choice to carry out identification operations via biometrics means that the verification of his identity will take place in an entirely automated manner”.
Indeed, all risks that may arise from the use of this FaceBoarding system, including choices regarding established times for the retention of this data, should have been carefully verified and documented within an impact assessment on data protection, which the GDPR requires to be carried out in the case of particularly delicate processing which impacts the fundamental rights of the people involved in such processing. But this is not clear from reading the skimpy information provided.
In a nutshell, the problem is not the technology used, but attention to the protection of the data processed through certain systems and – for the more invasive ones – transparency should never be “skimpy”, but should always allow us to verify that the rights of the interested parties have been wisely combined – correctly informed (also for the purposes of acquiring valid consent) – with the needs to make gate entrances more efficient, combined with safety reasons. On the other hand, fundamental rights and the provision of adequate safety measures to avoid these very serious risks for passengers cannot be neglected, perhaps trusting in some sort of “privacy addiction” which dangerously characterizes the latest digital times we are experiencing.
In short, Europe (and probably the USA) are currently far from using techniques social scoring and predictive justice as feared by certain dystopian futures hypothesized in some science fiction films, but attention to the topic must always be maximum and information transparency, if developed effectively (perhaps supported by literacy policies on these issues) could favor widespread awareness of digital citizenship.
And let’s remember that it is precisely awareness the only weapon available that can distance certain dystopian scenarios from our horizons of truly digital life.
