Recommending a Strategy - Computers Freedom & Privacy


The Impact of Biometrics on the Justice System
Computers, Freedom and Privacy Conference,
April 5, 2000
Unauthorized secondary uses apply to biometrics
Biometrics offer the strongest form of positive identification
– although viewed as the solution to reducing identity fraud, this feature
also threatens personal privacy, specifically:
• Secondary uses can apply to
– collecting biometrics for one use, say welfare enrollment, and using
them to identify individuals at a crime scene, for example
– using the biometric as a token to link transactions of individuals and
using this information to construct profiles for intelligence purposes.
• Because of its security and economic value, both government and
market forces will pursue these practices.

Privacy laws are not enough
Controls must be built into the code. Laws or policies to restrict the use of
biometrics are not sufficient.

Biometrics -- the measurement process
[Diagram: the measurement pipeline]
Biometric (finger, iris, voice, hand) -> Scanner (analog-to-digital image
conversion) -> Software (quality enhancement and feature extraction) -> Digital
number (the biometric signature, e.g., a minutia file for fingerprints)
For comparison: PIN -> Finger -> Keypad -> Digital number
With today’s technology, all biometrics transform to a number. That number is
part of me, I can’t forget nor lose it.

Biometrics -- the comparison process
[Diagram: enrolment and comparison]
ENROLMENT: X scans of the same biometric -> Scanner-S/W -> X numbers
(signatures) -> Template generation -> Template (t). The template incorporates
the salient and repeatable features of the biometric from a number of scans.
COMPARISON: Biometric -> Scanner-S/W -> Number (n) -> Comparison software:
is n the same as or close to t? Outcome: yes, no, or maybe.
Authentication: Compare number (n) to a single template (t) to determine verification (yes or no).
Identification: Compare number (n) to many templates (t1…tk) to determine any matches within
the allowed variability.

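The comparison box above, as an added toy example that is not part of the original slides: signatures and templates are 32-bit integers, "close to" is measured as Hamming distance, and the yes/maybe/no thresholds and the three sample templates are constructed assumptions. It also shows the point the slides make later about false identifications: a per-comparison false accept rate compounds across the N templates searched in identification mode.

```python
# Added example, not from the slides. Signatures and templates are 32-bit
# integers; "close to" is measured as Hamming distance. The thresholds and the
# three sample templates are assumptions constructed for this toy.
YES_MAX, MAYBE_MAX = 3, 6          # d <= 3: yes; 3 < d <= 6: maybe; d > 6: no

TEMPLATES = {                      # constructed sample template database
    "alice": 0xA5C3F0E1,
    "bob":   0x3C3C9A5A,
    "carol": 0xA5C3F0FF,           # only 4 bits away from alice's template
}

def hamming(n, t):
    return bin(n ^ t).count("1")

def compare(n, t):
    """The comparison box: is number n the same as or close to template t?"""
    d = hamming(n, t)
    return "yes" if d <= YES_MAX else ("maybe" if d <= MAYBE_MAX else "no")

def authenticate(n, t):
    """1:1 verification against a single template; only 'yes' verifies."""
    return compare(n, t) == "yes"

def identify(n, templates):
    """1:N identification: every template within the allowed variability."""
    return [(name, compare(n, t)) for name, t in templates.items()
            if compare(n, t) != "no"]

def false_match_rate(far_one_to_one, n_templates):
    """A per-comparison false accept rate compounds across n templates."""
    return 1 - (1 - far_one_to_one) ** n_templates

if __name__ == "__main__":
    scan = TEMPLATES["alice"] ^ 0b101              # alice again, 2 bits of scan noise
    print(authenticate(scan, TEMPLATES["alice"]))  # True
    print(identify(scan, TEMPLATES))               # alice: yes, carol: maybe
    print(false_match_rate(0.001, 1000))           # about 0.63
```

The "maybe" against carol is why a 1:N search needs a tighter threshold, or a second factor, than a 1:1 check does.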
Applications for Authentication
• Logon to networks, servers, laptops, etc.,
• digital certificates,
• access to databases, firearms, premises, bank machines, credit and debit
cards,
• access to benefits such as social security, medical, welfare,
• access to personal information such as medical, financial.
Biometrics viewed as the solution to identity fraud

Applications for Identification
• Positive identification, comparing a biometric to a database of known
biometric templates to determine its presence -- IAFIS for law enforcement,
• Negative identification, comparing a biometric to a database of known
biometric templates to confirm that it is absent -- applying for welfare
benefits to prevent multiple enrollment or “double dipping.”

Biometric Application Program Interfaces (BioAPI)
Plug and Play Biometric Devices
[Diagram: BioAPI layers]
Application -> API -> Framework -> SPI (Service Provider Interface) -> BSP
(Biometric Service Provider) -> Bio Device. Several BSPs, each with its own bio
device, sit behind the framework; template(s) pass across the API.
Goal: Standardize the biometrics interface
Applications include: State welfare program, bank machine access, logon to a
network

Networking Application Databases
[Diagram: networked template databases]
• Health Care templates
• Law Enforcement templates
• Welfare templates
• Bank Cards templates

Authentication does not require central storage of templates
Biometrics can be stored locally -- smart card, barcode, etc.
Comment
In practice, we have to resolve how lost, stolen or damaged cards will be handled
without the individual physically going to an “enrolment” center to present his ID and
having his biometric processed again.
Centralized storage of a biometric or its templates would allow a new card
containing the biometric template to be put in the mail, or a virtual card downloaded
over the Internet.

Fingerprint Pattern versus Digital Template
The actual fingerprint pattern is not stored; only a digital template is stored,
which cannot be converted back to the original fingerprint pattern.
Comment
• The issue is not whether a fingerprint pattern can be reconstructed from its
digital template.
• The issue is that both the fingerprint pattern and its corresponding digital
template are unique identifiers and therefore surrogates of one’s identity.

A Scenario of Privacy Infringement (1)
A welfare recipient leaves his latent fingerprints at a nightclub that later
becomes the scene of a crime. The latent prints are picked up and matched
to the fingerprint database compiled for welfare recipients. He is identified
and questioned.
Solution
The fingerprint database will be off limits to the police by virtue of
legislation.
• How can we ensure it will be the case with the next government?
• What about the issue of unauthorized access to the database? The temptation for
secondary or unauthorized uses of such a database beyond its primary purpose
may be very great.

A Scenario of Privacy Infringement (2)
Solution
Never store the actual fingerprint pattern, only its digital template.
• Still a problem. If the police obtain access to a similar biometric device, and place
some digitized latent fingerprints through the system, they will be able to compare
against the templates. They have to, otherwise the system doesn’t work.

Mapping Templates
[Diagram: template T1 in one minutiae space (axes x, y) mapped to template T*1 in
another space (axis z)]
Translation of templates from one format to another is a mapping process
from one minutiae n-space to another.

A Scenario of Privacy Infringement (3)
Solution
Have unique hardware or software algorithms that are encrypted for
different organizations and government agencies. Privacy is based on
ignorance of the potential attacker.
• To be comparable to cryptographic systems, biometric security cannot depend on
the secrecy of the algorithm or unavailability of the hardware.
• The system should have an open design. The protection mechanism must not
depend on the ignorance of potential attackers.
• The algorithms should be open to public scrutiny, just as cryptographic algorithms
are.

A Scenario of Privacy Infringement (4)
Solution
Either the templates in a database or their links to personally identifiable
information will be encrypted, therefore matching cannot occur without
access to the encryption key.
• In this case, secure key management would be crucial.
• Who is going to have control over the encryption keys?
• How do we guard against putting the rabbits in charge of the lettuce?
• With key management, we are basing our privacy on the trust model versus the
absolute security we have with cryptographic algorithms.

Current biometric systems place the “use limitation” provision in FIPs
further in jeopardy
Third parties, such as the law enforcement community, will have
access to personal profiles about you that are more complete, and
potentially more damaging than the combined information that your
best friends, spouse and parents have.

Privacy loves the company of numbers
• The feature of PINs that makes for “bad security” makes for great
privacy -- a lot of them!
3271 bank card PIN
5733 office security system PIN
2259 telephone PIN
Mapple laptop password
8932 home security PIN
• With current biometrics, you have one number or, at most, a few.
Safety in numbers -- hazards in one number

Security issues with Biometrics (I)
• Limited to a Yes/No response.
• For network security, still need to link to a PIN unless one uses the template
as the password. If so, then templates have to be stored in databases.
• Solution: use the biometric to encrypt the PIN

Use the biometric to encrypt the PIN
[Diagram: enrollment and authentication]
Enrollment: PIN 73981946 + fingerprint pattern -> CODES -> coded PIN
%h*9%4Kd. The coded PIN is stored.
Authentication: coded PIN %h*9%4Kd + fingerprint pattern -> DECODES -> PIN
73981946, used for access.
Can literally have hundreds of PINs -- Safety in numbers!

Security issues with Biometrics (II)
• Current biometrics are not challenge-response systems. The password,
which is the biometric, is always the same.
• Solution: use challenge-response systems

Challenge-Response Using Biometrics
[Diagram: enrollment and challenge-response]
Enrollment: fingerprint pattern + host response function 2x + 7 -> CODES ->
coded response function H$g&rc#j. The coded response function is stored.
Authentication: Host sends challenge x = 4. Client decodes the response
function with the fingerprint (2x + 7) and calculates the response R = 15.
R = 15 is sent back to the Host.

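The two mechanisms above ("Use the biometric to encrypt the PIN" and "Challenge-Response Using Biometrics"), as one added example that is not part of the original slides. The slides do not say how the fingerprint "codes" the PIN, so this assumes a fuzzy commitment: the secret is bound to the 24-bit signature with a 3x repetition code, which is what lets a fresh scan that differs in a few bits still recover it, and which fails when the noise exceeds what the code corrects. The host is assumed to keep its own copy of the key so it can verify the response; the response function is a keyed MAC in place of 2x + 7.

```python
import hashlib
import hmac
import os

# Assumptions, not from the slides: the "digital number" is a 24-bit signature and the
# key that codes the PIN (and the response function) is bound to it with a fuzzy
# commitment (3x repetition code), so a scan differing in a few bits recovers the key.
REP = 3                                                       # toy size only
ENROLLED_SIG = [int(c) for c in "110100101110010011010011"]   # constructed sample
KEY = [1, 0, 1, 1, 0, 0, 1, 0]                                # constructed sample
PIN = b"73981946"                                             # the slide's PIN

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def bind_key(sig, key):
    """Enrollment: store codeword XOR signature; neither key nor template is stored."""
    return xor([b for b in key for _ in range(REP)], sig)

def recover_key(sketch, scan):
    """Authentication: unmask with a fresh scan, then majority-vote each group."""
    raw = xor(sketch, scan)
    return [int(sum(raw[i:i + REP]) > REP // 2) for i in range(0, len(raw), REP)]

def key_bytes(key):
    return hashlib.sha256(bytes(key)).digest()

def code_pin(pin, key):
    """Slide 20: mask the PIN with a key-derived pad; the same call decodes it."""
    mask = hashlib.sha256(key_bytes(key) + b"pin-mask").digest()
    return bytes(p ^ m for p, m in zip(pin, mask))

def respond(key, challenge):
    """Slide 22: keyed response to a host challenge (a MAC in place of 2x + 7)."""
    return hmac.new(key_bytes(key), challenge, "sha256").hexdigest()

def scan_with_flips(sig, flips):
    """Simulate a noisy re-scan by flipping the listed bit positions."""
    return [b ^ int(i in flips) for i, b in enumerate(sig)]

def demo():
    sketch = bind_key(ENROLLED_SIG, KEY)             # kept on the card/client
    coded_pin = code_pin(PIN, KEY)                   # stored instead of the PIN
    good = recover_key(sketch, scan_with_flips(ENROLLED_SIG, {2, 17}))  # 1 flip/group
    bad = recover_key(sketch, scan_with_flips(ENROLLED_SIG, {0, 1}))    # 2 in a group
    challenge = os.urandom(8)                        # the host's x
    return {"pin_ok": code_pin(coded_pin, good) == PIN,
            "pin_bad": code_pin(coded_pin, bad) == PIN,
            "response_ok": respond(good, challenge) == respond(KEY, challenge)}
```

With real minutiae data the code and parameters must be sized to the scanner's error rate, and the stored sketch still leaks some information about the signature, so it is not a substitute for keeping it off shared databases.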
Security issues with Biometrics (III)
• If the template resides in a client PC, it is open to future surveillance by intelligent
agent software, i.e., trojan horses, worms.
• Solution: use embedded trusted biometric devices that are isolated from
the client. Never store the template in the client.

Embedded Biometric Devices
[Diagram: trusted device]
Trusted embedded hardware device: Biometric -> Scanner-S/W -> Template
generation -> Template storage (Template (t)) -> Comparison software -> result
to client PC.

Security issues with Biometrics (IV)
• Biometric systems are still inaccurate and will generate false
identifications.

The need for balance when using biometrics
[Diagram: balance]
Benefit: Confidentiality, Authentication
Risk: Surveillance & Linkage

Conclusion
• Current off-the-shelf biometrics will permit the secondary uses of
personal information. They are not privacy protective.
• Technology that allows informational self-determination and makes
good security a by-product of protecting one’s privacy is the goal.
• Using the biometric to encrypt a PIN or a standard encryption key
will meet that goal.

The privacy problem with current biometrics
A biometric such as a fingerprint can be used as a unique identifier of a
person which, as a unique identifier:
– can be used to trace the person’s transactions, and
– link massive amounts of personal data about them.
Because of its value, both economic and security, both market and
government forces will promote this practice.
If biometrics are adopted as the standard method of
authentication in our society, we will have central databases
of peoples’ biometrics or digital templates residing in
networked databases.

The Identity Spectrum
[Diagram: spectrum from most to least privacy protective]
Anonymity (Most Privacy Protective) -> Multiple Pseudonym (x.9.59) -> PINs and
Passwords -> Digital Certificate (x.509) -> Biometric Digital Certificate
(x.509) -> Absolute ID (Least Privacy Protective)
Secure transactions do not require divulging of identity in all cases.

Networking Template Databases

Process to establish authentication credentials
1. Identification – a one time process to establish that I am a unique, named
individual (e.g., George Tomko).
2. Confirmation of Eligibility – a one time process to confirm that the named
individual is indeed eligible (i.e. meets certain stated criteria) for a given
service.
3. Authentication Credentials – a token, furnished or chosen by the service
provider, which allows the individual to access the service involved on a
recurring basis. It presumes the existence of steps one and two, without
which it could not operate.

Levels of Security for Identity Fraud
• No proof of identity required.
• PIN or password used as token of identity.
• Digital certificate used as token of identity.
• Biometric tied to digital certificate used as token of identity.
• Token changed frequently, e.g., changing a password or PIN on a weekly
basis.
• Different token for each access attempt, e.g., challenge-response system,
one time password.

Industry’s Response
This threat to privacy, highlighted by public exposure and
heightened media attention, has become somewhat of an
obstacle in some countries in the marketing of biometric
technologies.
In response, biometrics are now being promoted as privacy-enhancing.
Is this Orwellian double-speak or is there some foundation to this
claim?

BioAPI Implications

Integrating Justice Information: The privacy threat
• Secondary uses of personal information without consent -- beyond
the intent of the primary purpose for collection.
• Impacts privacy rights of:
– accused but not yet convicted individuals,
– victims or witnesses at a crime scene,
– suspicious individuals -- intelligence gathering activities of a
government agency.

Levels of Security for Access
• “Open door” policy, e.g., no PIN or password
• Same token used for each access attempt, e.g., PIN, password, biometric.
• Token changed frequently, e.g., changing a password or PIN on a weekly basis.
• Different token for each access attempt, e.g., challenge-response system, one
time passwords.
“The fundamental problem is that biometrics are not what cryptographers
refer to as a ‘challenge and response’ system. That is, the response to the
question, ‘What is your left index fingerprint?’ is always the same. A
challenge and response system would ask different questions each time
and be able to measure the correct response.” (Peter Wayner - New York
Times)

Levels of Privacy
• Systems designed to protect privacy must have the same level of
security as cryptographic systems.
• That is, their security cannot depend on the secrecy of the
algorithm or unavailability of the hardware. The system should
have an open design and the protection mechanism must not
depend on the ignorance of potential attackers.

The Solution to Identity Fraud
Biometrics are being viewed as a solution to identity fraud
because they can be used to positively authenticate and in
many cases positively identify individuals.
Furthermore, if one wants, biometrics can be used to track
individuals and their transactions.

Privacy Issues
[Diagram: three privacy issues]
Confidentiality of personal data (security)
Surveillance of location (activities)
Linkage of personal data (secondary use)

Your Identity Stored in Cyberspace
If biometrics are adopted as the standard method of authentication
in our society, we will have databases of peoples’ biometrics or
digital templates residing in a networked society.