PABAU: Privacy Analysis of Biometric API Usage

TL;DR

This paper introduces PABAU, a method that analyzes biometric API usage to categorize privacy-related behaviors, aiding organizations in assessing biometric data privacy and supporting legal compliance.

Contribution

PABAU is a novel semantic analysis technique that automatically detects and categorizes biometric API usage based on privacy behavior, bridging technical and non-technical understanding.

Findings

Effective detection and categorization of biometric API usage.

Supports rapid privacy assessment for organizations.

Facilitates legal documentation and compliance processes.

Abstract

Biometric data privacy is becoming a major concern for many organizations in the age of big data, particularly in the ICT sector, because it may be easily exploited in apps. Most apps utilize biometrics by accessing common application programming interfaces (APIs); hence, we aim to categorize their usage. The categorization based on behavior may be closely correlated with the sensitive processing of a user's biometric data, hence highlighting crucial biometric data privacy assessment concerns. We propose PABAU, Privacy Analysis of Biometric API Usage. PABAU learns semantic features of methods in biometric APIs and uses them to detect and categorize the usage of biometric API implementation in the software according to their privacy-related behaviors. This technique bridges the communication and background knowledge gap between technical and non-technical individuals in organizations by providing an automated method for both parties to acquire a rapid understanding of the essential behaviors of biometric API in apps, as well as future support to data protection officers (DPO) with legal documentation, such as conducting a Data Protection Impact Assessment (DPIA).