7 August 2003

When someone steals your identity, it remains stolen

Fingerprints, DNA and behavioural characteristics are unique and difficult to forge, but using them to identify an individual in the modern world is legally problematic.

This is the argument of Cape Town lawyer Kevin van Tonder in an article in the August edition of the SA Law Society’s journal De Rebus.

Cabinet approved a programme for the establishment of a national biometric identification register, known as Hanis (the Home Affairs National Identification System), in January 1996.

Van Tonder argues that what could be a remarkable tool — useful both for the individual, to allow almost fireproof access to information, and for the state, for example in the tracing of criminals — also holds major privacy concerns.

“A key principle of privacy is that, generally speaking, people should have control over their personal information.”

Van Tonder argues that South African common law has been developed by the Constitutional Court, as regards the Constitutional right to privacy, but that more is needed.

“Based on the continuum of privacy, it is hard to imagine anything more intimate and personal than one’s biometric information. It is submitted therefore that in terms of South African law, as it now stands, biometric information will have to be afforded strict protection under the Bill of Rights …”.

Meanwhile, the SA Law Commission has begun investigating privacy and data protection and South Africans could, eventually, have a privacy act.

The commission’s Ananda Louw said an issue paper would be produced this year, then a discussion paper and draft legislation, and then, hopefully, promulgated law.

“We are at the start of our investigation. Yes, we do have concerns,” she said.

People are using some biometrics now, only regulated — on a voluntary basis — by the Electronic Communications and Transactions Act.

Louw said this was an interim measure which would fall away if a privacy act was promulgated.

Van Tonder’s article argues that, as always, the weak link is the human one.

An information officer might easily, without intending to, release information which at face value appeared innocuous, but which provided “the last piece of a puzzle” to the incorrect recipient. Van Tonder submitted that any release of biometric information without the individual’s consent should be regarded as “unreasonable”.

“However (the relevant sections of the Promotion of Access to Information Act) will fall short in protecting an individual’s biometric record as the information officer of the respective public or private body is, in fact, given a discretion whether to release such information or not.

“In applying the provisions of these two sections, information officers will have to formulate in their minds what they consider to be unreasonable.”

This could lead to a very serious problem — that of identity theft.

Recently identity theft of a different kind saw Absa internet banking clients lose money when a hacker accessed their personal bank accounts.

“Uniqueness and difficulty to forge make a biometrics system a potentially powerful authentication or identification tool. The downside, however, is that there is a risk that it will be impossible for a person to repudiate a transaction or repair the situation if something has gone wrong.

“Once someone steals your biometric information, it remains stolen for life. There is no going back to a secure transaction.”

Another concern was that individuals could unintentionally reveal more personal information than was necessary, or wanted.

“Iris recognition and retinal scans, for example, may reveal information about a person’s health.”

This could lead to discrimination, as could the data profiling biometrics might allow.

Perhaps of greater concern: the use of biometrics could increase personal risk from criminals, who might mutilate body parts in order to take advantage of the access these could give to personal information.

Van Tonder argued that current South African law was not robust enough to provide adequate protection. Neither the Promotion of Access to Information Act nor the Electronic Communications and Transactions Act is suitable to afford adequate protection to biometric information.

He submitted that biometric privacy be dealt with specifically in any new legislation.

But, how soon will the Department of Home Affairs have Hanis up and running? – Sapa