Innovya Traceless Biometrics Technology

  • 8/14/2019 Innovya Traceless Biometrics Technology

    Traceless Biometrics Technology

    Author: Michael Micha Shafir Inventor

    Innovya R&D

    A traceless biometric system (TBS) is a method for identifying an individual through one or more biometric identifiers that are designed to be non-unique. Instead of unique biometric information, an amorphous identifier agent is used in its place. The amorphous agent is an incomplete, non-unique identifier obtained from freshly scanned biometric information. (A further alterable limit indicator taken from a document can be added to turn non-unique combinations into unique ones.) By incomplete or 'alterable' we mean that neither the biometric information itself nor the document can be reconstructed from the identifier, even with the device that originally allocated the agent or the 'Biometric Identifier Token'. Using this method, the individual has to be present (with his documents) during the identification process, since the (secret) token identifier itself has no true value except in a particular biometric identification transaction. This is important in order to avoid an association with recorded values or any other unique characteristic.
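One way to picture the non-unique token described above, as an added example that is not Innovya's algorithm and not code from the paper. It assumes a scan is a noise-free feature vector, that the amorphous agent is an 8-bit coarse quantization of it, and that the document indicator acts as an HMAC key; every name and size here is hypothetical.

```python
import hashlib
import hmac
import random

AGENT_BITS = 8  # assumed size: 2**8 = 256 possible agents for the whole population


def amorphous_agent(scan, bits=AGENT_BITS):
    """Lossy, many-to-one reduction of a fresh scan: one coarse bit per feature,
    everything else is discarded, so the scan cannot be rebuilt from the agent."""
    value = 0
    for feature in scan[:bits]:
        value = (value << 1) | (1 if feature >= 0.5 else 0)
    return value


def bid_token(scan, doc_indicator):
    """Bind the non-unique agent to an alterable document indicator (HMAC key)."""
    agent = amorphous_agent(scan).to_bytes(2, "big")
    return hmac.new(doc_indicator, agent, hashlib.sha256).hexdigest()[:16]


def verify(fresh_scan, doc_indicator, token):
    """Recompute from the person and document present now; nothing is looked up."""
    return hmac.compare_digest(bid_token(fresh_scan, doc_indicator), token)


def anonymity_set(population, scan):
    """Count the people in the population whose scans map to the same agent."""
    target = amorphous_agent(scan)
    return sum(1 for other in population if amorphous_agent(other) == target)


def constructed_population(size=5000, features=32, seed=7):
    """Constructed sample data: random feature vectors standing in for scans."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(features)] for _ in range(size)]


if __name__ == "__main__":
    people = constructed_population()
    alice = people[0]
    doc_v1 = b"constructed-document-0001"  # constructed document indicator
    doc_v2 = b"constructed-document-0002"  # reissued document cancels the old token
    token = bid_token(alice, doc_v1)
    print("people sharing Alice's agent:", anonymity_set(people, alice))
    print("Alice with document v1:", verify(alice, doc_v1, token))
    print("Alice with document v2:", verify(alice, doc_v2, token))
```

Anyone who learns the document indicator can recover the 8-bit agent from the token, but the agent only narrows the holder down to the group counted by `anonymity_set`; reissuing the document indicator invalidates the old token without changing the biometric.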

    Although many inventors have offered myriad approaches attempting to provide inexpensive, minimally accumulated, and compact verification systems in which digitized characters of human users could be stored, retrieved and compared at some later time to verify that a human user is indeed a properly authorized user, none have succeeded in producing a system that is practical and desirable for providing non-unique biometric security appropriate for use with real-time reaction biometric measurements (without need to store unique information). Because of these and other significant limitations, no commercially viable biometric-based non-unique security system has been successfully invented. It was first proposed by Shafir[1] et al. Besides reliable accuracy performance and the replacement policy, Traceless Biometric has to be non-revisable in order to fulfill the aim.

    Traceless biometrics guidelines:

    • Able to authenticate innocent strangers, even if they're not known to the system.

    • Does not require infrastructure (can work offline).

    • No need for proprietary scanners/readers (any mix fits).

    • No need for central databases, no storage, no templates.

    • Privacy friendly: neither unique nor clonable, and must be traceless.

    • Cancelable Biometrics[2]: letting the subject cancel or change his own biometric or key by himself, anytime and anywhere.

    • Standard without secrets give-away: easy integration with foreign applications without changing their core procedures (transparent).

    • Can be spread anywhere (no single key) without risk of breach.

    • Fast, reliable, anonymous, mobile, non-unique, irreversible, accurate, unidirectional, high entropy.

    • Able to authenticate anywhere across the globe (even in the desert or on the high seas) without communication.

    Adopting the above traceless guidelines and applying a real-time reactive authentication processor method to current biometric authentication systems will yield an efficient and friendlier authentication solution. Privacy is obviously an issue, and one that is potentially solved: a biometric scan, as far as is necessary for a function or activity to authenticate the subject, should be sufficient. After the authentication process, the new traceless authentication systems should dismiss all biometric information or traces from the scanning devices, and must not use any storage systems or leave unique information behind.

    Traceless biometrics incentives

    Traceable or stored biometric information is a computerized invasive method that is able to simulate human attendance by mimicking the adaptability of living persons using their enduring physical or behavioral characteristics, as a result of the fact that biometrics offer irrefutable evidence of one's identity. Biometric properties from the perspective of traces or permanent storage can now lead to undesired identification via attendance simulation or tracing of the activities of an individual, because of the power of computers. The pseudo state of a person being present, produced by the biometric simulation system, is able to mimic the living person's attendance even if the legitimate owner of the enrolled biometric information is not aware of this process or not physically present in front of the biometric system.

    One of the main logical paradoxes that governments need to address with current biometrics is that traceable biometrics are clonable: all our data (fingerprints, body parts, personal characteristics and imaging) can be exploited by businesses or criminals [3]. How do you replace your finger if a hacker figures out how to duplicate it?[4] If your biometric is exposed, theoretically you will never be able to prove you are who you say you are or, in a more unfavorable situation, prove you are not who you say you are not. The subject always carries his biometrics with him; why, then, should unique biometric information be collected and stored in databases [5], smart cards, or other external devices in order to make it useful?

    [6] Many body parts, personal characteristics and imaging methods have been suggested and used for biometric systems: fingers, hands, feet, faces, eyes, ears, teeth, veins, voices, signatures, typing styles, gaits and odors. A fingerprint, for example, is a biometric which, if compromised (i.e. obtained in an unauthorized manner), cannot easily be controlled by the individual. An unretouched or altered photograph of a face and a physical signature are biometrics which can be checked using the eyes and experience of the verifier. These biometrics have been in use routinely and efficiently throughout human history. The use of automation to authenticate people is new and is being tested on consumers without precautions regarding their privacy.

    The privacy key element is governments' willingness

    A biometric solution should be completely noninvasive with regard to personal privacy. Further, we hold that if these traceless biometric systems (TBS) are used in conjunction with existing security mechanisms (such as public-key algorithms), they can provide almost foolproof protection for electronic transactions and other operations in smart environments. The key element, however, is that government intervention, in the form of a set of standards for how the new traceless biometric solution will be adopted, is an absolute necessity for complete privacy protection.

    Existing legal framework for privacy protection of personal information

    The U.S. Constitution does not explicitly guarantee a right to privacy. Privacy of personal data has traditionally been protected in two ways: through self-regulatory codes and through laws. If one biometrics system were widely adopted, say fingerprinting, the many databases containing the digitized versions of the prints could be combined. While such a system is most likely to be developed by the commercial sector for use in financial transactions, government and law enforcement authorities would likely want to take advantage of these massive databases for other purposes, especially if we were to enter a time of social unrest. Indeed, government agencies and law enforcement are the top subscribers to the many databases compiled by private sector information brokers.

    Privacy laws and policy in the United States were derived from a code of fair information practices[7] developed in 1973 by the U.S. Department of Health, Education and Welfare. This Code is an organized set of values and standards about personal information, defining the rights of record subjects and the responsibilities of record keepers. The Code highlights five principles of fair information practices:

    • There must be no secret personal data record-keeping system.[8]

    • There must be a way for individuals to discover what personal information is recorded about them and how it is used.[9]

    • There must be a way for individuals to prevent personal information obtained for one purpose from being used or made available for other purposes without their consent.[10]

    • There must be a way for individuals to correct or amend information about themselves.[11]

    Privacy Protection Through Law

    1. The Privacy Act of 1974[12]. The first response by the U.S. federal government to the many concerns about its power to use and misuse personal information was the Privacy Act of 1974. This Act covers federal databases and is based on the Code of Fair Information Practices defined above. In 1977, a Privacy Protection Study Commission[13] rejected the idea of having a similar privacy law for the private sector. This means that individuals' privacy with respect to databases of information stored and maintained by private organizations is not protected. In the private sector, total reliance is on the fair information practice codes. This is a serious problem.

    2. Constitutional Provisions. Though there is no clearly defined right to privacy in the U.S. Constitution, privacy rights are implied[14] in several of the amendments. The right to privacy is rooted in the 4th Amendment, which protects individuals from unreasonable search and seizure; the 5th Amendment, which protects individuals from self-incrimination [15]; and the 14th Amendment, which gives the individual control over his personal information.

    What remains to be determined is the following:

    1. Can the biometric information be collected, stored, or retrieved?

    2. Can the biometric information collected be used both for criminal and noncriminal searches and suspicionless searches?

    3. Can the system give the individual full control over his abandoned personal intrinsic information?

    The following fact remains: there are no legal restrictions on biometrically identifying information or on biometric authentication systems. However, there are severe restrictions on collecting, creating, maintaining, using, or disseminating records of identifiable personal data. One immediate conclusion that we should draw is that biometric authentication must be traceless.

    There is no standard for storing Biometric data

    Stored biometric information is useful only if a subject is already known to the system. From the security point of view, biometric authentication will not work if the subject is a stranger to the cloned biometric system. Biometrics is not universally used because there is no standard for storing the data. As long as biometric information is stored in databases, there is practically no cancelable biometric. You cannot grant the public access to control the entries they own, especially stored biometric information. A biometric is more private to you than a number that somebody assigned to you. Security requires secrets; if someone tries to create a standard to collect widespread known secrets, they cannot be called secrets any more, since the best secrets are never shared. There is a class of biometric information that can be perfect secrets and still be useful: traceless biometrics are the only secrets that we know of that we can (a) avoid sharing and (b) usefully deploy. The owner of the biometric can prove that he or she has it without sharing it. No other types of authentication knowledge are useful if they are not kept as perfect secrets.

    The power of computers and privacy

    Biometric properties from the perspective of traces or permanent storage can now lead to undesired identification and tracing of the activities of an individual, because of the power of computers. Even if the biometric data is stored in an altered form that requires a complex algorithm to decipher, the speed and computational power available today make any such protection scheme irrelevant. For example, today anyone with a computer and an electronic telephone book can trace a telephone number to a particular address. Before computers, only a governmental entity or authorized authorities such as the police had the access or permission to trace a telephone number back to a name or location.

    Individuals should be unique, biometrics not

    In order for a unique individual identifier to be effective for privacy, not every individual should have an identifier that applies only to that individual and that identifier must change over time, especially when the personal information has been exposed.

    If unique biometric properties are stored somewhere, for example on a smart card or on a computer system, then even if they are stored in an encoded, scrambled or ciphered form, they are still a unique biometric identifier[16]. Once a unique biometric identifier has been stored anywhere, at any time, on any external[17] media (including media that is associated with the boundaries of the individual, such as a smartcard held by the individual), the privacy of that biometric property owner is violated or can easily be violated. As noted previously, exposing or losing a biometric property is a permanent problem for the life of the individual[18], as there is no way to cancel the physiological or behavioral characteristics of the individual. Biometric technology is inherently individuating and interfaces easily to database technology, making privacy violations easier and more damaging.[19]

    Privacy fears are justified not only in the context of identifiable fingerprints of the kind commonly used by the police, where there is centralized retention. A fingerprint, and the broader family of biometrics, offer irrefutable evidence of one's identity, since they are unique biological characteristics that distinguish one person from another, and they can mistakenly be linked to an individual who is NOT necessarily the original biometric presenter or the rightful owner of the unique biological characteristics!

    References

    1. System and method for traceless biometric identification. A device, system and method for identifying an individual with a biometric identifier that at least one other individual in a given population has the identical biometric identifier. The biometric identifier according to the present invention, also referred to herein as a BIdToken, is implemented to be biometrically traceless, such that an exact image or copy of the biometric information is preferably not maintained by the present invention. Shafir (Micha) Michael et al., 2006.

    2. Cancelable Biometrics - Wikipedia (http://en.wikipedia.org/wiki/Biometrics#Cancelable_Biometrics)

    3. Proposed biometric ID cards won't prevent fraud or terrorism (IEEE Spectrum, Jan 2006)

    4. How to fake fingerprints? October 26, 2004 (starbug). Simple instructions how copy and fake fingerprints (http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en)

    5. ACLU - The government and corporations are aggressively collecting information about your personal life and your habits. (http://www.aclu.org/pizza)

    6. (WO/2008/001373) SYSTEM AND METHOD FOR TRACELESS BIOMETRIC IDENTIFICATION - BACKGROUND, Shafir et al, 2006 (http://www.wipo.int/pctdb/en/wo.jsp?IA=WO2008001373&WO=2008001373&DISPLAY=DESC)

    7. FAIR INFORMATION PRACTICES - Robert Gellman (http://bobgellman.com/rg-docs/rg-FIPshistory.pdf)

    8. Introduction to Fair Information Practices - Pam Dixon

    9. Ethical and Legal Requirements Associated with Data Dissemination

    10. Economic aspects of personal privacy

    11. Information Technologies and the Shifting Balance between Privacy and Social Control

    12. THE PRIVACY ACT OF 1974, "Records maintained on individuals" (http://www.usdoj.gov/oip/privstat.htm)

    13. Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission

    14. Privacy and Accuracy of Personal Information

    15. Technology and Privacy: The New Landscape, by Philip E. Agre, Marc Rotenberg

    16. Biometrics from a legal perspective (Dr. Ronald Leenes, TILT - Tilburg Institute for Law, Technology, and Society)

    17. U.K. researchers devise smart-card hack - Tom Espiner, ZDnet 2007 (http://news.zdnet.com/2100-1009_22-6156601.html)

    18. Bank loses tapes with data on 4.5M clients - Brian Fonseca, Computerworld (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091318&source=NLT_PM&nlid=8)

    19. Computers and new information technologies have greatly increased the power of surveillance by government and large corporate entities, Douglas Kellner - University of Texas at Austin