GMAT Test-taker Objects to Palm-Vein Scanning

PIPEDA Case summary #2011-012

October 27, 2011

A woman objected to having her palm scanned before writing the Graduate Management Admission Test (GMAT) in 2009 and to this information being disclosed to an American organization.

The Graduate Management Admission Council (GMAC), the owner and administrator of the test, is a U.S.-based organization. Personal information is collected and used in Canada for the test by Canadian staff at Canadian test centres, where more than 8,000 tests were delivered in 2008.

GMAC authenticates test-takers with palm-vein scanning technology by identifying the vein patterns beneath the skin of the individual's hand and then retaining the pattern in an encrypted numerical (binary) template (a “numerical key”). The test administrator uses this technology to detect fraud and/or impersonation during tests.

The process cannot be reversed. No actual biometric data is retained in a record that could be deciphered. Forging a vein-pattern identity would be very difficult since veins are inside the body and have many detectable and differentiating features. The test administrator maintained that mere visual identification and verification against ID cards are not fully reliable since fraudsters will go to considerable lengths to physically resemble and impersonate others.

Every time test-takers leave or return to the examination room, only their palm-vein template is used to re-authenticate them. As well, the individual’s palm-vein template is matched against any others the test administrator has collected at past exams and locations, even if they had been collected under different names.

What We Found

Our Office determined that a reasonable person would consider appropriate GMAC’s use of palm-vein scanning for purposes of identifying individuals and ensuring the integrity of the test. We also found it acceptable that the test administrator collects and uses digital photos alongside the palm-vein scan template since, in a few past cases, the photo has protected certain candidates from the repercussions of a false-positive match of their palm-vein scan.

GMAC stated two main reasons for collecting personal information from test-takers, including biometric data: 1) to verify the identity of the candidate taking the GMAT and 2) to ensure that the test scores sent to schools accurately reflect the students’ abilities.

We arrived at our finding after studying three factors: risk of fraud, the degree of privacy sensitivity of GMAC’s current palm-vein scanning technology, and security standards for the storage and treatment of palm-vein templates.

Fraud

GMAC demonstrated that attempted illegal activity and fraud has occurred at test sessions.

GMAC provided evidence of professional test-takers and reported that, in 2003-2004, five individuals located in Montreal and New York were found to have taken the test on behalf of 185 individuals from the U.S. The fraudsters were eventually prosecuted, convicted and imprisoned in a U.S. federal penitentiary. One of the individuals convicted publically claimed to have written the GMAT more than 300 times. As a result, many of the schools which used the exam as part of their admission process asked the test administrator to take a far more rigorous approach to exam security.

GMAC asserted that biometric technology is effective as a deterrent. For example, after introducing its biometrics program, attempted test fraud decreased substantially. And, in two cases, individuals fled a test centre - before a palm-vein scan could be taken - after they were questioned about a mismatch between the photographs and signatures collected under the same names at a previous exam session.

As for preventing instances of impersonation, the test administrator reported that the company’s first forays into palm-vein scanning detected a person who had taken the test five times using five different identities. It also identified 23 people who had hired the same imposter to take the test on their behalf. In both cases, the imposters had used counterfeit government-issued ID.

A Canadian test-taker tried to register at a test centre in 2009 to write the GMAT for the fourth time but was refused because the individual’s palm template did not match that from the previous exam sitting. The individual has never contacted the test administrator since.

Privacy Sensitive

In light of the GMAC’s recent history with authentication methods and the various alternatives that it has adopted over the years, its current use of palm-vein scanning does not appear to be overly privacy invasive. The test administrator began looking for an alternative to its digital fingerprint identification system in 2006, after concerns were voiced about fingerprinting, by students, data-protection authorities and some test centre personnel.

Our Office views all biometrics as privacy invasive to a certain extent because they involve the collection of an individual’s physical characteristics. But not all biometrics are highly privacy invasive in and of themselves. In our view, the binary representation of a candidate’s palm-vein scan, given the test administrator’s current use of the technology, is not overly sensitive personal information.

For example, we note that the palm-vein scans are immediately transformed into an encrypted binary template, the binary code is non-reversible and no raw biometric image is retained. As well, the binary code information retained from the scan cannot easily be interpreted by other parties or applied to other purposes, and the binary template is stored separately from any other personal information about the test taker. Palm-vein scanning is also considered a “non-trace” biometric, since latent images cannot be left on objects, including the system used for the scan.

Data Storage Security Standards and Retention

With respect to personal information transmission, retention and storage, we did not find that GMAC was in contravention of its obligations under the Act.

After a site visit to a test centre, we were satisfied that biometric, identification and test information is encrypted for transmission and storage, and that data access is restricted. The encryption algorithm that the test administrator’s third-party contractor uses is a recognized encryption standard with good security levels for sensitive data. Further, the data is protected by numerous high-level safeguards at the data storage centre. Security policies were found to be documented and written agreements for data protection procedures exist between the test administrator and the third-party contractor. The accountability called for in PIPEDA Principle 4.1.3 was thus upheld.

The complainant also expressed concern about her personal information being transmitted to, as well as retained and stored in, the U.S. In this regard, we noted that in the test administrator’s Information Bulletin, the reader is clearly advised that their information will be transmitted to the United States. We thus deemed the test administrator’s actions to be concurrent with PIPEDA Principle 4.8 (“openness”).

In 2009, this Office issued its Guidelines for Transferring Personal Information Across Borders, which distilled key findings from investigations over the years. Consistent with past findings, the Office took the position that PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing, as long as a comparable level of protection is ensured through contractual or other means to ensure accountability.

We also deemed reasonable GMAC’s set retention period of five years for biometric data and test scores collected, and noted the existence of an automated, scheduled clean-up process of this data after the five years. Thus, the need to limit use, disclosure and retention described in PIPEDA Principle 4.5 was respected.

Consent

When we retraced the steps necessary to register for the test, we found that individuals were adequately informed that their personal information will be collected and that they were notified of the purposes for the collection.

Ninety-five percent of registrations for the test are online, which requires checking a box to agree to specific terms and conditions, as well as to the privacy policy (all web links provided). On the site, test-takers are specifically referred to GMAC’s Information Bulletin, a key online document (also available by mail) that explains the identification requirements to be met on the test day and the reasons for those requirements.

The Bulletin provides test policies and procedures, and also the privacy policy, where more information can be found. It informs individuals of the specific types of personal information to be collected, retained and transmitted to the U.S., data encryption, and the test administrator’s designated uses of this information. It also forewarns test-takers that, on the day of their exam and upon signing the rules and agreement document, they will be providing their consent to palm-vein scanning for fraud-detection purposes. Also on its website, GMAC posts other detailed information about its use of test-day biometrics and also links to FAQs specifically about the test administrator’s use of palm-vein recognition. The website clearly advises that providing a palm-vein scan to the test administrator is mandatory for all exam-takers.

Conclusion

Our Office concluded that the complaint was not well founded.

*Note: This case summary was previously published in an anonymized form in the OPC’s 2011 Annual Report on PIPEDA. With the completion of a related investigation of another college admissions test, the Privacy Commissioner has determined that it is in the public interest to make public the names of both organizations.

Language selection

Search and menus

Search