D3.2: A study on PKI and biometrics

Title: CURRENT PRIVACY RESEARCH APPLIED TO BIOMETRICS

The International Biometric Group & BioPrivacy

The International Biometric Group (IBG) is an independent biometric research, consulting and technology solutions firm based in the United States. IBG advises government and corporate clients in the effective use of biometrics. IBG’s BioPrivacy Initiative defines best practices as well as deployment and technology guidelines for maintenance of personal and informational privacy in biometric deployments. IBG’s BioPrivacy Initiative uses three evaluative tools to ensure that new or existing biometric deployments are consistent with generally accepted privacy principles:

• BioPrivacy Application Impact Framework: it is a tool for evaluating the potential risks of a specific biometric deployment. It defines ten factors critical to identifying potential privacy risks within a biometric application, e.g., if the biometric data are stored in a database, there is a greater risk of privacy invasiveness.

• BioPrivacy Technology Risk Ratings: a technology-by-technology assessment of potential privacy risks. E.g., facial scan and finger scan rate as a significant privacy risk because these technologies are capable of operating without user knowledge or consent.

• BioPrivacy Best Practices: a list of 25 key precautions which institutions can take to ensure privacy-sympathetic biometric deployments. E.g., original biometric data should not be stored other than for the initial purposes of generating a template.

Although IBG takes into account many concerns which could be raised from a privacy point of view, following up all of the recommendations will not necessarily result in a fully privacy compliant biometric system in accordance with the Directive 95/EC/46. The data protection section of the best practices, e.g., does not make reference to the necessity of a legal basis for the processing of the data or the requirement of proportionality of the processed biometric data, a key element in the European data protection regime. 

BioSec is a two-year Integrated Project within the FP6 IST programme which researches towards answers for the (i) unsatisfactory performance of certain biometric methods, in particular the combining of several biometric characteristics for verification/identification purposes, (ii) incompatibility of components, subsystems, biometric data, usage procedures and performance metrics due to lacking standards, (iii) insufficient technological solutions for assuring privacy and ownership of user’s biometric data, and (iv) poor usability as well as problems with general acceptability. The research of BioSec should hence lead to improved performance (i) of novel 3D face and hand method, noise-cancellation based voice verification methods, with emphasis on multimodal biometrics, including face-voice and iris-finger, (ii) towards integration of the different components of a biometric system, including by developing a specific BioSecAPI, (iii) of fake-resistive methods for high security and token-based solutions for enhanced privacy in sensitive applications, and (iv) additional studies on usability and general acceptability. The BioSec consortium also endeavours to actively contribute to the development of biometric standards.

The PRIME project (standing for Privacy and Identity Management for Europe) focuses on solutions for trustworthy, user controlled identity management. As such, the use of biometric technologies is investigated in the context of PRIME.

PRIME is basing its research on a search for solutions to a set of well-defined application scenarios. Some scenarios are subject to the development of application prototypes, such as the Air Transport and Security Controls scenario. For simplifying air transport processes and enhancing the airport security, recent technologies such as biometrics are currently investigated. The Airport Transport and Security Controls scenario is related to ambient intelligence, where biometrics can be used to collect and store personal information about trusted or registered travellers.

This scenario foresees the extensive use of biometrics technologies for the purposes of secure identification of airline passengers: an application would be to identify those travellers which belong to the group of “trusted passengers”. Another application would be to support and enhance the current “customer card” or “credit card” function in the future “paperless” travel environment to make sure for instance that the physical person collecting a boarding card is the same as the card holder.  

In the traveller scheme called “trusted traveller”, along with customer data and possibly, but not necessarily passport data, the user agrees to give biometric information in order to gain quick access to the check-in and to boarding processes. The main idea of the scenario is to have a user permanently registered by an airline to allow him to be handled more efficiently during the processes involved in air transportation. The condition of being a “trusted person” is verified at enrolment by adequate checks. Here biometrics will be used in the departure process to verify whether the ticket holder is identical to the person for which the ticket has been issued, and to check whether the ticket holder may be accepted for transportation (in the case that he is identified as a “trusted traveller”) or whether he should be referred to a security authority for further verifications. One issue which is particularly important from the data protection point of view is the form of storage of users’ templates, which – depending on the application at issue – can be in the memory of a biometric device, in a central database or in plastic cards, optical cards or smart cards. The latter form enables users to carry their templates with them as identification devices and is currently privileged through Europe. 

Viewed from a certain angle, the use of biometric systems might be considered as a privacy-enhancing technology, in so far as it contributes to the reduction of the processing of other personal data like the name, address or a unique identifier of an individual. Biometrics could even serve as a solid basis for safe anonymous and pseudonymous transactions. To this end, the use of anonymous or pseudonymous data should be possible, at least in certain circumstances. Also, it is essential to set up mechanisms to deal with the problems resulting from lost, stolen or damaged tokens (cards). However, those solutions not resulting in centralised storage of biometric data should be promoted. 

As previously discussed, neither the measurement of biometric data nor the comparison with a stored reference template should be done outside a highly protected and user-controlled infrastructure. There is no good reason to measure, store or compare biometric data in a centralised architecture. It is sufficient that the biometric measurement is processed in a protected and certified way and that the result of the biometric identity verification is transmitted securely to the IMS. The storage of a biometric reference template, the measurement and the comparison process should be under the control of the user (but protected against manipulations of the user) and then be linked in a secure way to a digital credential that does not disclose any biometric information. 

First attempts in such a direction are achieved with biometric reference templates on smart cards carried by the user or even cards with match-on-card functions. But a real secure and privacy protecting implementation of a biometric authentication puts all biometric data handling, including the measurement process, into the user’s hands. Given below are two commercial examples of such a system. 

In the AXSionics AXS-Card system, the critical step of converting a users’ biometric information into digital credentials is done “close to the user”, and requires only 1-to-1 matching (i.e. does this finger match the authorised owner’s?). In addition, the measurement process can be adapted to the individual quality of the biometric features the person has. Once this is done, it is easy to process the digital credentials against a large central database with minimal computing power and data storage required. In addition, individualised biometric processing raises the usability and the user acceptance, and as the user becomes accustom to their biometric device the false rejection rate drops.

A similar device is offered by ProSection, a Swedish company which offers encryption services for fingerprints where user privacy of this biometric characteristic is preserved.  The company uses so-called correlation-preserving encryption tools such that the original fingerprint features are immediately encrypted during enrolment and not stored as raw data.  During use, the correlation is compared between the newly submitted and encrypted biometric data and the previously stored and encrypted data. The solution is privacy friendly as there is no need to store the original fingerprint, and the encrypted original fingerprint features cannot be decrypted or recreated again. The solution is different from other encryption services as the encryption preserves correlation since the encrypted templates can be compared and a 100 % match between encrypted templates can be realised.