GMAC: Navigating EU approval for advanced biometrics
By Jay Cline, CIPP
If you walk into a test center in Europe to take the Graduate Management Admission Test (GMAT), chances are you'll need to scan one of your palms to get in. Used by the Graduate Management Admission Council (GMAC)--publisher of the GMAT--to combat various types of exam fraud, palm vein recognition has been proven to be one of the most accurate and least intrusive forms of biometric authentication. But without GMAC's pioneering efforts to work with EU regulators, palm-vein recognition would still be science fiction for most Europeans.
"It's just not part of European culture," Allen Brandt, CIPP, GMAC corporate counsel and chief privacy official and IAPP board member, told Inside 1to1: Privacy, "Even the bar exam in Italy doesn't collect fingerprints."
Who is GMAC? Based in Reston, Virginia, the 125 employees of this nonprofit serve 265,000 test-takers each year. These students seek admission to 1,900 graduate schools in 111 countries, including many of the leading universities in Europe and throughout the world. The GMAT's 50-year track record of predicting who will be most successful in graduate school has helped make it the most globally recognized entrance exam.
It was the global dataflows of the GMAT that put the nonprofit on a course leading to the European data protection authorities (DPAs). When Brandt joined GMAC in early 2006, the organization had just transitioned its test delivery to Minneapolis, Minnesota-based Pearson VUE, which operates more than 5,000 test centers in over 165 countries. During the transition, GMAC conducted a privacy impact assessment (PIA) on the GMAT.
According to Brandt, GMAC's PIA process is part of its "privacy by design" approach of incorporating privacy into every new GMAC initiative. "We've moved to an all-opt-in regime for all of our services," Brandt said.
The GMAT PIA told GMAC that it needed to register its exam data practices with 27 EU member state DPAs. Brandt soon found that this was a complex undertaking, varying from country to country. "The UK provided a simple online form," he explained, "but we had to wait for the CNIL (France's DPA) to vote on our in-depth submission."
GMAC obtained all of its necessary approvals for the GMAT exam 30 months after beginning. "We had no problems beginning to test anywhere," Brandt said. But that was the easy part.
At the same time GMAC began registering the GMAT with EU DPAs, it decided to pursue a separate approval path for its sponsorship of biometrics in Pearson VUE test centers. Brandt explained that GMAC calculated that its collection of photographs and fingerprints--Pearson VUE's biometric approach at the time--could require more explaining and follow a longer approval process.
A turning point took place at a January 2007 meeting in London with Phil Jones of the UK Information Commissioner's Office. Along with GMAC representatives were Mark Poole of Pearson VUE and Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. Jones recommended that in order to get broad approval for biometric use, GMAC should deploy a method that captures a biometric imprint that is unique to Pearson VUE and that properly accommodates European concerns about data protection. EU DPAs would resist methods, he warned, that would allow "function creep" over time. Indeed, a year later, the Belgian privacy commissioner released an opinion that established the high standards it would require in approving biometric authentication schemes.
After the meeting, GMAC and Pearson VUE took the advice to heart. Pearson's team conducted a review of available biometric technologies and zeroed in on palm-vein recognition. They found it more stable over time than fingerprinting, more accurate than facial recognition and less invasive than iris or retinal scanning. For its part, Pearson VUE worked with its vendor, Fujitsu, to incorporate European data-protection considerations into its implementation of palm-vein recognition.
"While we're a data processor from the EU perspective," said Michael Nealis, chief security and data privacy officer for Pearson VUE, "we leverage modern technology and position our operations to help clients meet their global regulatory obligations."
How does palm-vein recognition work? When exam candidates arrive at a test center to take a test, a test administrator requires them to present government-issued identification. Next, the candidates place both palms over a small, one-square-inch cube that records their unique vein patterns. This video shows the process. The palm-vein patterns are converted into a non-reversible, encrypted biometric template and then securely transmitted to Pearson VUE's hub.
With the palm-vein template created, candidates can later simply scan their palms to retake a test at any Pearson VUE test center around the world. The system ensures with a high degree of accuracy that only the legitimate candidate is allowed to take the test. Additionally, in the unlikely event that unauthorized parties were to gain access to the palm-vein templates, the templates would be unidentifiable and of no use outside the test centers.
Armed with this new approach to authentication, GMAC began anew its EU-registration efforts. GMAC detailed the critical role that biometrics play in reducing exam fraud, especially with regard to test-taker impersonation and similar schemes to commit fraud using false identities. Its efforts paid off. In June 2009, the CNIL issued a press release approving GMAC's palm-vein recognition scheme. The CNIL stated:
"[T]he palm vein of the hand, with the current state of technology, is a no-trace biometry. In view of this, it is not likely to be captured without the knowledge of the person concerned and, therefore, presents very little risk for the civil liberties and fundamental rights of the individual. It may, therefore, be used to combat identity fraud when recourse to a system of this type is justified by genuine reason and surrounded by the appropriate guarantees."
Hewlett-Packard and the IAPP cited this landmark approval in November 2009 when they awarded GMAC with the 2009 Privacy Innovation Award for Small Organizations.
What advice would Brandt give to other organizations needing to register their data practices with EU DPAs?
"Two things," he said. "Start planning early. It takes longer than you probably think."
"It would also be helpful," he added, "to find the right counsel in each country. It made a huge, huge difference for us."
Because of GMAC's efforts, other organizations have a template to follow in demonstrating how business objectives can be met with advanced biometrics without sacrificing privacy.
Jay Cline is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.
For more on the topic of biometrics and data privacy, read "Ubiquitous biometrics" from the June issue of the IAPP's Privacy Advisor member newsletter. (IAPP member login required.)