The Impact of Biometrics on the Justice System

Computers, Freedom and Privacy Conference, April 5, 2000

Unauthorized secondary uses apply to biometrics

Biometrics offer the strongest form of positive identification

– although viewed as the solution to reducing identity fraud, this feature also threatens personal privacy, specifically:

• Secondary uses can apply to

– collecting biometrics for one use, say welfare enrollment, and using them to identify individuals at a crime scene, for example

– using the biometric as a token to link transactions of individuals and using this information to construct profiles for intelligence purposes.

• Because of its security and economic value, both government and market forces will pursue these practices.

Privacy laws are not enough

Controls must be built into the code.

Laws or policies to restrict the use of biometrics are not sufficient.

Biometrics -- the measurement process

[Diagram. Top row: Finger, Iris, Voice, Hand; Scanner; Image; Conversion Software (analog to digital, quality enhancement, and feature extraction); Digital Number (biometric signature, e.g., minutia file for fingerprints). Bottom row: Finger; Keypad; PIN; Digital Number.]

With today’s technology, all biometrics transform to a number.

That number is part of me, I can’t forget nor lose it.

Biometrics -- the comparison process

[Diagram. ENROLMENT: X scans of the same biometric; Scanner-S/W; X Numbers (signatures); Template generation; Template (t), which incorporates salient and repeatable features of the biometric from a number of scans. Comparison: Biometric; Scanner-S/W; Number (n); Comparison Software with Template (t): is n the same as or close to t? Outcomes: yes, no, maybe.]

Authentication: Compare number (n) to a single template (t) to determine verification (yes or no).

Identification: Compare number (n) to many templates (t1…tk) to determine any matches within the allowed variability.
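
The comparison process above, as an added Python illustration that is not part of the original slides. It assumes a template is a 128-bit integer compared by Hamming distance; the thresholds, identifiers and database are constructed. It also covers the negative identification check (enrol only if nobody matches), which uses the same 1:N search.

```python
# Added illustration, not from the slides. Assumptions: a template is a 128-bit
# integer, scans are compared by Hamming distance, thresholds are made up.
import random

BITS = 128
ACCEPT, REJECT = 16, 40   # <=16 differing bits: "yes"; >=40: "no"; between: "maybe"

def distance(n: int, t: int) -> int:
    """Number of bits in which a fresh number n differs from a template t."""
    return bin(n ^ t).count("1")

def compare(n: int, t: int) -> str:
    """Is n the same as or close to t? Returns "yes", "no" or "maybe"."""
    d = distance(n, t)
    return "yes" if d <= ACCEPT else "no" if d >= REJECT else "maybe"

def authenticate(n: int, t: int) -> bool:
    """1:1 check against the single template of the claimed identity."""
    return compare(n, t) == "yes"

def identify(n: int, templates: dict) -> list:
    """1:N search: ids of all templates (t1..tk) within the accept band."""
    return sorted(i for i, t in templates.items() if compare(n, t) == "yes")

def may_enrol(n: int, templates: dict) -> bool:
    """Negative identification: enrol only if n matches nobody already stored."""
    return not identify(n, templates)

def rescan(t: int, flips: int, rng: random.Random) -> int:
    """Constructed noise model: a later scan differs from t in `flips` bits."""
    for pos in rng.sample(range(BITS), flips):
        t ^= 1 << pos
    return t

# Constructed data: 1000 random templates stand in for an enrolment database.
rng = random.Random(2000)
db = {f"id-{i}": rng.getrandbits(BITS) for i in range(1000)}
fresh = rescan(db["id-417"], 9, rng)     # same person, slightly different scan
poor = rescan(db["id-417"], 25, rng)     # same person, low-quality scan
stranger = rng.getrandbits(BITS)         # nobody in the database

if __name__ == "__main__":
    print(authenticate(fresh, db["id-417"]))   # accepted against own template
    print(compare(poor, db["id-417"]))         # falls in the "maybe" band
    print(identify(fresh, db))                 # found without claiming an identity
    print(may_enrol(stranger, db), may_enrol(fresh, db))
```

Note that `identify` takes only a number and a set of templates: nothing in the comparison itself records why the database was compiled or where the number came from.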

Applications for Authentication

• Logon to networks, servers, laptops, etc.,

• digital certificates,

• access to databases, firearms, premises, bank machines, credit and debit cards,

• access to benefits such as social security, medical, welfare

• access to personal information such as medical, financial

Biometrics viewed as the solution to identity fraud

Applications for Identification

• Positive identification, comparing a biometric to a database of known biometric templates to determine its presence -- IAFIS for law enforcement,

• Negative identification, comparing a biometric to a database of known biometric templates to confirm that it is absent -- applying for welfare benefits to prevent multiple enrollment or “double dipping.”

Biometric Application Program Interfaces (BioAPI)

Plug and Play Biometric Devices

[Diagram: APPLICATION; API; FRAMEWORK; SPI (Service Provider Interface); three BSPs (Biometric Service Provider), each with a BioDevice; Template(s).]

Goal: Standardize biometrics interface

Applications include: State welfare program, Bank machine access, logon to a network

Networking Application Databases

[Diagram: template databases for Health Care, Welfare, Law Enforcement and Bank Cards.]

Authentication does not require central storage of templates

Biometrics can be stored locally -- smart card, barcode, etc.

Comment

In practice, we have to resolve how lost, stolen or damaged cards will be handled without the individual physically going to an “enrolment” center to present his ID and have his biometric processed again.

Centralized storage of a biometric or its templates would allow a new card containing the biometric template to be put in the mail, or a virtual card downloaded over the Internet.

Fingerprint Pattern versus Digital Template

The actual fingerprint pattern is not stored, but only a digital template is stored which cannot be converted back to the original fingerprint pattern.

Comment

• The issue is not whether a fingerprint pattern can be reconstructed from its digital template.

• The issue is that both the fingerprint pattern and its corresponding digital template are unique identifiers and therefore surrogates of one’s identity.

A Scenario of Privacy Infringement (1)

A welfare recipient leaves his latent fingerprints at a nightclub that later becomes the scene of a crime. The latent prints are picked up and matched to the fingerprint database compiled for welfare recipients. He is identified and questioned.

Solution

The fingerprint database will be off limits to the police by virtue of legislation.

• How can we ensure it will be the case with the next government?

• What about the issue of unauthorized access to the database? The temptation for secondary or unauthorized uses of such a database beyond its primary purpose may be very great.

A Scenario of Privacy Infringement (2)

Solution

Never store the actual fingerprint pattern, only its digital template.

• Still a problem. If the police obtain access to a similar biometric device, and place some digitized latent fingerprints through the system, they will be able to compare against the templates. They have to, otherwise the system doesn’t work.

Mapping Templates

[Diagram: template T1 in one x, y, z space and template T*1 in another x, y, z space.]

Translation of templates from one format to another is a mapping process from one minutiae n-space to another

A Scenario of Privacy Infringement (3)

Solution

Have unique hardware or software algorithms that are encrypted for different organizations and government agencies. Privacy is based on ignorance of the potential attacker.

• To be comparable to cryptographic systems, biometric security cannot depend on the secrecy of the algorithm or unavailability of the hardware.

• The system should have an open design. The protection mechanism must not depend on the ignorance of potential attackers.

• The algorithms should be open to public scrutiny, just as cryptographic algorithms are.

A Scenario of Privacy Infringement (4)

Solution

Either the templates in a database or their links to personally identifiable information will be encrypted, therefore matching cannot occur without access to the encryption key.

• In this case, secure key management would be crucial.

• Who is going to have control over the encryption keys?

• How do we guard against putting the rabbits in charge of the lettuce?

• With key management, we are basing our privacy on the trust model versus the absolute security we have with cryptographic algorithms.

Current biometric systems place the “use limitation” provision in FIPs further in jeopardy

Third parties, such as the law enforcement community, will have access to personal profiles about you that are more complete, and potentially more damaging than the combined information that your best friends, spouse and parents have.

Privacy loves the company of numbers

3271 bank card PIN

5733 office security system PIN

2259 telephone PIN

Mapple Laptop password

8932 home security PIN

• The feature of PINs that makes for “bad security” makes for great privacy -- a lot of them!

• With current biometrics, you have one number or, at most, a few.

Safety in numbers -- hazards in one number

Security issues with Biometrics (I)

• Limited to a Yes/No response.

• For network security, still need to link to a PIN unless one uses the template as the password. If so, then templates have to be stored in databases.

• Solution: use the biometric to encrypt the PIN

Use the biometric to encrypt the PIN

[Diagram. Enrollment: the Fingerprint Pattern CODES the PIN (73981946) into the Coded PIN (%h*9%4Kd); the Coded PIN is stored. Authentication: the Fingerprint Pattern DECODES the Coded PIN (%h*9%4Kd) into the PIN (73981946); the PIN is used for access.]

Can literally have hundreds of PINs -- Safety in numbers!

Security issues with Biometrics (II)

• Current biometrics are not challenge-response systems. The password, which is the biometric, is always the same.

• Solution: use challenge-response systems

Challenge-Response Using Biometrics

[Diagram. Enrollment: the Fingerprint Pattern CODES the Response Function (2x + 7) into the Coded Res Fnc (H$g&rc#j); the Coded Res Fnc is stored. Challenge: the Host (x = 4, R = 15) sends X = 4; the Client decodes Res Fnc with fingerprint (2x + 7) and obtains the Calculated Response (15); R = 15 is sent back to Host.]
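
The two schemes above (the fingerprint coding a PIN, and the fingerprint coding a response function for challenge-response), as one added Python illustration that is not from the original slides. The slides do not say how the fingerprint codes the secret; this example assumes a fuzzy commitment with a 5x repetition code, and a constructed random bit-string stands in for the extracted fingerprint features.

```python
# Added illustration: fuzzy commitment with a 5x repetition code (an assumed
# construction; the slides do not say how the biometric "codes" the secret).
import random

R = 5  # each secret bit is repeated R times, so 2 flipped bits per group are tolerated

def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def code(biometric: list, secret: bytes) -> list:
    """Enrollment: XOR the repetition-coded secret with the biometric bits.
    Only this coded value is stored; the secret and the biometric are not."""
    codeword = [b for b in to_bits(secret) for _ in range(R)]
    if len(biometric) != len(codeword):
        raise ValueError("biometric must supply len(secret) * 8 * R bits")
    return [c ^ f for c, f in zip(codeword, biometric)]

def decode(biometric: list, coded: list) -> bytes:
    """Authentication: XOR with a fresh scan, then majority-vote each group."""
    noisy = [c ^ f for c, f in zip(coded, biometric)]
    return from_bits([int(sum(noisy[i:i + R]) > R // 2) for i in range(0, len(noisy), R)])

def respond(biometric: list, coded_fn: list, x: int) -> int:
    """Challenge-response: decode the stored response function (a, b) and
    return a*x + b for the host's challenge x."""
    a, b = decode(biometric, coded_fn)
    return a * x + b

# Constructed sample data: random bits stand in for extracted features.
PIN = b"73981946"
rng = random.Random(2000)
enrolled = [rng.getrandbits(1) for _ in range(len(PIN) * 8 * R)]
# A later scan of the same finger: every 7th bit flipped (at most one per group).
rescan = [bit ^ (i % 7 == 0) for i, bit in enumerate(enrolled)]
other_finger = [rng.getrandbits(1) for _ in range(len(enrolled))]

coded_pin = code(enrolled, PIN)
coded_fn = code(enrolled[:2 * 8 * R], bytes([2, 7]))   # response function 2x + 7

if __name__ == "__main__":
    print(decode(rescan, coded_pin))           # PIN recovered despite scan noise
    print(decode(other_finger, coded_pin))     # a different finger yields other bytes
    print(respond(rescan[:2 * 8 * R], coded_fn, 4))
```

In this plain form, two records coded with the same bit-string XOR to a valid codeword, so they can be recognised as coming from the same finger. The linear function 2x + 7 is the slide's illustration; two observed challenge-response pairs would reveal it, so a real host would use a keyed function such as an HMAC over the challenge.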

Security issues with Biometrics (III)

• If template resides in a client PC, open to future surveillance by intelligent agent software, i.e. trojan horses, worms.

• Solution: use embedded trusted biometric devices that are isolated from the client. Never store template in the client

Embedded Biometric Devices

[Diagram: Biometric input to a Trusted Device (Embedded Hardware Device) containing Scanner-S/W, Template generation, Template Storage, Template (t) and Comparison Software, with an output To Client PC.]

Security issues with Biometrics (IV)

• Biometric systems are still inaccurate and will generate false identifications.

The need for balance when using biometrics

[Diagram: balance between Benefit and Risk, labelled Confidentiality, Authentication and Surveillance & Linkage.]

Conclusion

• Current off-the-shelf biometrics will permit the secondary uses of personal information. They are not privacy protective.

• Technology that allows informational self-determination and makes good security a by-product of protecting one’s privacy is the goal.

• Using the biometric to encrypt a PIN or a standard encryption key will meet that goal.

The privacy problem with current biometrics

A biometric such as a fingerprint can be used as a unique identifier of a person which, as a unique identifier:

– can be used to trace the person’s transactions, and

– link massive amounts of personal data about them.

Because of its value, both economic and security, both market and government forces will promote this practice.

If biometrics are adopted as the standard method of authentication in our society, we will have central databases of people’s biometrics or digital templates residing in networked databases.

The Identity Spectrum

[Diagram: spectrum from Anonymity (Most Privacy Protective) to Absolute ID (Least Privacy Protective), with the labels, in order: Multiple Pseudonym; x.9.59; PINs and Passwords; Digital Certificate x.509; Biometric Digital Certificate x.509.]

Secure transactions do not require divulging of identity in all cases.

Networking Template Databases

Process to establish authentication credentials

1. Identification – a one time process to establish that I am a unique, named individual (e.g., George Tomko).

2. Confirmation of Eligibility – a one time process to confirm that the named individual is indeed eligible (i.e. meets certain stated criteria) for a given service.

3. Authentication Credentials – a token, furnished or chosen by the service provider, which allows the individual to access the service involved on a recurring basis. It presumes the existence of steps one and two, without which it could not operate.

Levels of Security for Identity Fraud

• No proof of identity required.

• PIN or password used as token of identity.

• Digital certificate used as token of identity.

• Biometric tied to digital certificate used as token of identity.

• Token changed frequently, e.g., changing a password or PIN on a weekly basis.

• Different token for each access attempt, e.g. challenge-response system, one time password.

Industry’s Response

This threat to privacy, highlighted by public exposure and heightened media attention, has become somewhat of an obstacle in some countries in the marketing of biometric technologies.

In response, biometrics are now being promoted as privacy-enhancing.

Is this Orwellian double-speak or is there some foundation to this claim?

BioAPI Implications

Integrating Justice Information: The privacy threat

• Secondary uses of personal information without consent -- beyond the intent of the primary purpose for collection.

• Impacts privacy rights of:

– accused but not yet convicted individuals,

– victims or witnesses at a crime scene,

– suspicious individuals -- intelligence gathering activities of a government agency.

Levels of Security for Access

• “Open door” policy, e.g., no PIN or password

• Same token used for each access attempt, e.g., PIN, password, biometric.

• Token changed frequently, e.g., changing a password or PIN on a weekly basis.

• Different token for each access attempt, e.g. challenge-response system, one time passwords.

“The fundamental problem is that biometrics are not what cryptographers refer to as a “challenge and response” system. That is, the response to the question, “What is your left index fingerprint?” is always the same. A challenge and response system would ask different questions each time and be able to measure the correct response.” (Peter Wayner - New York Times)

Levels of Privacy

• Systems designed to protect privacy must have the same level of security as cryptographic systems.

• That is, their security cannot depend on the secrecy of the algorithm or unavailability of the hardware. The system should have an open design and the protection mechanism must not depend on the ignorance of potential attackers.

The Solution to Identity Fraud

Biometrics are being viewed as a solution to identity fraud because they can be used to positively authenticate and in many cases positively identify individuals.

Furthermore, if one wants, biometrics can be used to track individuals and their transactions.

Privacy Issues

• Confidentiality of personal data (security)

• Surveillance of location (activities)

• Linkage of personal data (secondary use)

Your Identity Stored in Cyberspace

If biometrics are adopted as the standard method of authentication in our society, we will have databases of people’s biometrics or digital templates residing in a networked society.