From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned?
Here at Comparitech, we’ve updated our biometric data study to find out where biometrics are being taken, what they’re being taken for, and how they’re being stored.
There is huge scope for biometric data collection, so we have identified nine key areas that apply to most countries. Our goal is to offer a fair country-by-country comparison and to ensure the data is available. In this update, we’ll also see which countries impose biometric checks when registering SIM cards. Each country has been scored out of 29, with low scores indicating extensive and invasive use of biometrics and/or surveillance and a high score demonstrating better restrictions and regulations regarding biometric use and surveillance.
While China, India, Iran, and Bangladesh topping the list perhaps doesn’t come as too much of a surprise, residents of (and travelers to) certain other countries may be surprised and concerned to find out just how much biometric data is collected on them and what happens to it afterward.
Key findings
- Many countries have or are trying to implement nationwide biometric databases. A number are establishing digital IDs that permit citizens access to various services, e.g. healthcare or banking. Without signing up and handing over their biometrics, citizens may be unable to access these fundamental services
- Many countries collect travelers’ biometric data, often through visas or biometric checks at airports
- The vast majority of countries we studied use biometrics for bank accounts, e.g. fingerprints to access online apps, but a growing number also use them to confirm identities and/or payments
- Despite many countries recognizing biometric data as sensitive, increased biometric use is widely accepted
- Facial recognition CCTV is being implemented in a large number of countries with its use growing at an increasing rate, despite there often been protests or concerns raised by data protection authorities
- EU countries scored better overall than non-EU countries due to GDPR regulations protecting the use of biometrics in the workplace (to some extent)
The worst countries for biometric data collection and use
These countries received the lowest scores overall, meaning they are showing a concerning lack of regard for the privacy of people’s biometric data. Through the collection, use, and storage of biometric data, these countries use biometrics to a severe and invasive extent.
China = 3/29
This year, China regained its title as the worst country for biometric data collection and protection. Its three points are earned from its data protection law, providing some (if minimal) safeguards in the workplace for biometrics, and its lack of a biometric voter system.
These scores are met with some irony, as the voting system is very heavily controlled, which perhaps rids the need for biometric voting. Companies have been permitted to monitor employees’ brain waves for productivity whilst they work, showing the lack of protection available. More recently, bus drivers in Beijing were told to wear wristbands that would monitor their emotions.
CCTV surveillance with facial recognition is extensive with a large number of China’s 626 million cameras (estimated) containing the technology. These cameras are often used to track minorities, such as Uyghurs and Tibetans. DNA databases for these two minorities are being built, as are various iris databases.
China collects biometrics for all visas and fingerprints are taken upon arrival into the country.
India, Iran, and Bangladesh = 4/29
Similar to China, India offers some protections within the workplace for biometrics, albeit inadequate ones. It gains two points in the visa section for ‘only’ requiring just over 160 countries to enter with an e-Visa. Police don’t have real-time access to the national Aadhaar database, which is one of the largest biometric databases in the world with around 1.4 billion people registered.
India is increasing its use of facial recognition. It recently held a $4 million bid for implementing the tech in prisons and is reportedly using facial recognition to persecute Muslims and other marginalized communities. The government permits banks to use facial recognition and iris scans for certain transactions. This process confirms the identity via the Aadhaar card but, according to a report, this isn’t supposed to be public knowledge.
Iran’s four points come from not having a biometric voter registration system, no SIM-card registration, and the other for allowing 11 countries visa-free access to the country.
Worrying developments in Iran for this update include facial recognition technology being used to identify Iranian women who defy the new hijab law. Iran’s extensive centralized biometric database, in which citizens’ IDs (featuring 10 fingerprints and a photograph) is interconnected with numerous agencies. This allows for widespread surveillance, especially as there is no data protection law and a lack of due process within the country.
Iran tracks everyone crossing the border with biometrics in visas and biometric collection when entering the country.
Unlike India and Iran, Bangladesh does have facial recognition technology in various places, but it doesn’t appear to be used for extreme surveillance tactics (e.g. targeting minorities). All countries require a visa to enter Bangladesh, but these visas don’t contain biometrics and there are no widespread biometric border controls.
Uganda = 5.5/29
Uganda’s half a point is for biometric data being included as “identity data” within the Data Protection Act. The other five points were for allowing around 30 countries visa-free entry into the country, for having some biometric checks upon arrival into the country but not explicitly for all arrivals, and for having some use of facial recognition CCTV but not extensive use. That said, police have recently suggested that they’re expanding their use of facial recognition and utilizing it alongside AI technology.
All Ugandans must present their biometric ID card to open a bank account, get a SIM card, get a passport, and even obtain a student loan. The country also uses a biometric voter registration system.
Iraq, Russia, and Saudi Arabia = 6/29
Saudi Arabia and Russia both have a data protection law, no biometric voter registration, and offer some safeguards (consent required) for biometrics in the workplace. Russia allows more people to enter the country visa-free (61 compared to 6) but Saudi Arabia’s use of facial recognition, while widespread, isn’t as extensive as Russia’s. Russia has reportedly used facial recognition in its fight against anti-war protests. Reports suggest a “wanted” list has been created so they can intercept people on their way to protests.
Iraq differs in that it doesn’t have a data protection law but doesn’t require biometrics when registering a SIM card. It doesn’t allow anyone to enter the country without a visa but these visas don’t contain biometrics. Unlike Russia and Saudi Arabia, which biometrically check everyone at the border, Iraq doesn’t have such widespread controls. Iraq has received technology from the US to help ‘fight terrorism.’
Algeria, Cameroon, Myanmar, and the United Arab Emirates = 7/29
Only the UAE has a data protection law, which gives it two points (one for having the law and one for some safeguards for employee monitoring). The UAE and Myanmar also require biometrics when registering a SIM card.
All four countries allow limited numbers of countries to enter visa-free (less than 20 each).
Algeria recently implemented finger verification systems at its border control points. Cameroon recently implemented biometrics within its visas. The UAE is also increasing its biometric border controls. Dubai Airport collaborates with Emirates to check travelers’ biometrics and Abu Dhabi airport uses facial scans to replace boarding cards.
Top countries for protecting biometric data (to some extent)
While no country provides unwavering protection for its citizens’ biometric data, there are some countries that either haven’t introduced invasive biometric collections or have some safeguards in place. These are:
Luxembourg = 18/29
Luxembourg tops other countries to become the ‘best’ at protecting biometric data because it explicitly states that it will not use facial recognition software. It shares all of the same scores across all of the other categories as the below but gains two points in the CCTV with facial recognition category.
Bulgaria, Lithuania, Norway, and Portugal = 16/29
All of these countries share the exact same score thanks to their data protection laws (from GDPR), no biometric voter registration, criminal-only biometric databases with restrictions around access, some minimal use of facial recognition cameras (often in airports), adequate data protection surrounding biometrics in the workplace, and no biometric registration for SIM cards.
Even though Bulgaria isn’t officially part of the Schengen area, it is currently in the process of joining. All of the above countries require a large number of people to get a biometric visa. As part of the Schengen Entry/Exit System being rolled out, biometric checks can also take place for visa applicants at the borders.
Belgium, Czech Republic, Denmark, Finland, Ireland, Poland, Romania, Spain, Sweden, Switzerland, and Turkmenistan = 15/29
All of these countries have a data protection law, none of them require biometrics for voter or SIM-card registration, and all bar Turkmenistan have cameras with facial recognition installed in multiple places.
Ireland scored worst for biometric databases due to its growing collection of biometric photos. The photos are used for cards issued by the Department of Social Protection. Since 2013, the department has collected face images and has amassed 3.2 million of these in total. A data protection impact assessment found that the software upgrade in 2021 failed to meet legal requirements under GDPR. Individuals weren’t given legal information about the processing of their data and there are concerns over the length of time for which the data is stored.
Ireland does scrape back a point by not requiring all visa applicants to submit their biometrics (only residents living in China, Hong Kong, India, Nigeria, or Pakistan). But Turkmenistan doesn’t require biometrics from any applicants.
Recent developments also include Finland’s Ministry of the Interior looking into whether it could use fingerprint data from ID cards and passports to investigate serious crimes. In Turkmenistan, it was reported that foreign students’ biometric passports and driver’s licenses are collected in the National Educational Institutions.
Are biometric databases and surveillance becoming the norm?
What all of the above demonstrates is that no country protects its citizens’ or visitors’ biometric data to an extent that privacy is maintained. Worse still, these databases are only growing and are being increasingly used alongside surveillance methods.
As more and more countries work toward digital IDs, handing over biometrics is becoming a requirement to do even some of the most basic tasks, such as seeking healthcare or opening a bank account. While many governments try to ‘sell’ the use of biometrics as a great way to combat fraud, NordVPN’s recent discovery of 81,000 fingerprints for sale on the dark web only highlights the threat posed to such sensitive data.
One can change a stolen password, but not their biometrics.
Methodology
Our research focused on the top 100 countries by GDP. In this update, Côte d’Ivoire, the Democratic Republic of Congo, Estonia, Latvia, Libya, Papua New Guinea, and Zimbabwe were introduced and Cuba, Lebanon, Pakistan, Sudan, Tunisia, Ukraine, and Yemen were removed.
To give countries a score out of 29, we created nine categories. Lower scores indicate more biometric intrusion than higher ones.
The first category was a simple set of five yes or no questions. “Yes” answers were allocated one point (or, in the case of banking, two) as they indicated the use of biometrics in a certain area (or lack of protection by law), and “no” answers were given a zero as no biometrics were being collected (or they were being protected by a specific law).
These questions were:
- Are biometrics used in passports? Yes (0) / No (1) – countries where biometric passports are in the process of being introduced also scored zero
- Does the national ID card contain biometrics? Yes (0) / No (1) – countries where biometric ID cards are in the process of being introduced also scored zero
- Has the country failed to introduce a law to protect biometric data? Yes (0) / No (1) – If biometric data is covered in personal data protection legislation, this is classed as “no.” But if a law partially covers biometric data (e.g. an industry-specific or digital-only law), this is classed as “yes.” Where the data protection law may offer some protection (e.g. for sensitive data, genetic data, or health data but doesn’t specifically mention biometrics), countries may receive a score of 0.5.
- Are biometrics being used in banks (inc. trials)? Yes – for payments, ATMs, to register for an account, and/or in branches (0), Yes – for online banking (1), No (2)
- Is biometric voter registration being used to a large extent? Yes (0) / No (1)
The next few categories were assigned various scores depending on the severity of biometric use/collection/access.
Storage
4 = No biometric database
3 = Very small biometric database (i.e. criminal database) or plans for national database but not yet implemented
2 = Medium-sized biometric database
1 = Large or growing biometric database (or widespread database but with no fingerprints/iris scans – just photos)
0 = Most of the nation on a biometric database (including fingerprints, irises)
Police Access
2 = No access (or no database to access)
1 = Some access but some restrictions (e.g. only a criminal database available)
0 = Real-time, unwarranted police access to the database
CCTV
4 = No mention of facial recognition technology
3 = Increasing CCTV use with facial recognition perhaps being mentioned
2 = Testing facial recognition CCTV or some minimal evidence of use
1 = Evidence of facial recognition CCTV in multiple places
0 = Nationwide with a number of extreme cases
Workplace
4 = The use of biometrics is banned
3 = Biometrics are protected by multiple safeguards and employee consent isn’t enough for employers to use them
2 = Fewer safeguards to protect biometrics (or safeguards that aren’t specific to the workplace) and consent is enough
1 = Very few safeguards/cases of excessive use
0 = No safeguards
SIM-Card Registration
2 = No biometrics required
1 = In progress/some operators using
0 = Biometrics required
Visa Entry to Country
4 = No visa required
3 = Few countries require a visa (less than 100)
2 = A large majority of countries require a visa (over 100)
1 = Most countries require a visa (only less than 20 don’t)
0 = All countries require a visa (two or three exceptions)
Biometrics in Visa
2 = No biometrics in visas
1 = Some visas require biometrics
0 = All visas require biometrics (or only 1 or 2 countries excluded)
Biometric Checks Upon Entry
2 = No biometrics are taken when people enter the country
1 = Some biometric checks when entering the country (e.g. visa applicants or citizens)
0 = Everyone is biometrically checked when entering the country
While we have tried to cover as many areas of biometrics as possible, there may be some limitations. To ensure a fairer country-by-country comparison we have focused on more common categories/areas where data is more readily available. For example, we haven’t included drones as, at present, many are only in military operations or are still being discussed as a potential test in a small number of countries.
If a law has been passed and is coming into place next year, we have scored the country based on this as it is going to happen and will be enforced. We have scored countries based on national laws so as to account for the majority of people (i.e. we haven’t taken state or city laws into account in the US as these relate to the minority).
For biometric voter registration, the focus is on whether biometrics are required to sign up to vote – not whether the voting machines require biometrics.
Facial recognition used in airports isn’t tallied if it’s just for check-ins and no biometric data is collected.
To find this data, we analyzed a variety of information, including government legislation, news articles, press releases, and government information.
For the full list of sources, please request access here.
Data researcher: Rebecca Moody