
D3.10: Biometrics in identity management


Control schemes within biometric systems

Classification of biometric systems

To keep a discussion of the security and privacy aspects and the advantages of biometrics focused, it is first necessary to determine in which kind of application the biometrics are used. Blanket assertions about biometrics and their risks are easy to make but of little use: only once it is clear for which application(s) a given risk is valid can means and strategies to counter the threat be proposed. For this reason, this section of the report attempts to give an overview and a classification of applications which deploy biometric functionalities for identity management purposes.

In the past, there have been some attempts to describe and classify the ways in which biometric methods are applied. It is not the purpose of this report to analyse these classifications in depth or to criticise them, but as they are of interest they are briefly described below. One attempt, mentioned in the BioVision Roadmap, is the classification proposed by the Association Française de Normalisation (AFNOR), the French national standards body. According to AFNOR, four classes of service of biometric applications can be distinguished, based on the ‘performance requirement’ of the technology:

 

AFNOR Class 1    Verification of identity
AFNOR Class 2    Authorisation of a privilege
AFNOR Class 3    Proof of uniqueness
AFNOR Class 4    Identity search

Table : The four classes of services of biometric applications by AFNOR

 

With the term ‘performance requirement’, AFNOR in fact referred to the purpose and the underlying biometric functionality of the application: Class 1 is a 1:1 comparison (verification), Classes 3 and 4 are 1:N comparisons (identification), while Class 2 may be either a 1:1 or a 1:N comparison.

 

The BioVision consortium itself also proposed a classification from another angle, the benefit to the end user or operator:

 

BioVision: Authentication of identity    For access control / for authentication of a transaction
BioVision: Personalisation
BioVision: Authorisation
BioVision: Tracking/tracing

Table : Classification in BioVision

 

In this classification, reference is made to the ‘benefit’ of the application, which could equally be described as the purpose for which the biometric application will be used. A classification solely from the point of view of the benefit or purpose is, in our view, not sufficient. It is also important to know whether a public or a private entity is pursuing the purpose (see below, section 3.3.3, Type I and Type II applications), or the data subject itself (see below, section 3.3.3, Type IV a – Convenience model), and whether or not public and private entities share the biometric information (see below, section 3.3.3, Type III – Mixed model).

The International Biometric Group (IBG), an industry consulting and services firm, also attempted to classify biometric applications according to their privacy friendliness.

 

IBG: Privacy-Invasive       National ID, surveillance
IBG: Privacy-Neutral        Personal PDA, home PC, access control
IBG: Privacy-Sympathetic    Most applications can incorporate privacy-sympathetic elements
IBG: Privacy-Protective     Biometrics used to protect personal information

Table : Classification of biometric applications according to their privacy friendliness by IBG

The classification suggested by IBG is, however, not convincing for our purposes: as a rule, every application should be at least privacy-neutral and, better still, privacy-sympathetic or privacy-protective, so these categories describe a quality to be achieved rather than a kind of application.

Others have attempted to map different types of biometric databases depending on the kind of data held (raw data, templates, there called ‘signatures’, and other personal data). These models should enable a scenario-based discussion of privacy needs for the different types of (partial) biometric databases. We do not believe, however, that a classification should be made solely on the basis of the type of database and the kind of data it contains.

We nevertheless agree that it is important to attempt to classify applications. Such a classification, however, should take several factors into account in a consistent way. The way control over the biometric reference template is exercised is one of the key factors, but so is control over the capture and feature extraction components and over the comparison component. Other important distinguishing factors are the purpose of the biometric application and the biometric functionality used. It is also important whether a governmental entity or a private party controls the biometric application, because the threats and risks differ. The threat of function creep and the resulting privacy risks, for example, are especially relevant if the application is government controlled (Type I – government controlled ID model, see below). From a data protection point of view, the Data Protection Directive applies to the processing of biometric data by public and private entities alike. It is nevertheless relevant to ask to what extent private parties should be entitled to deploy the identification functionality of a biometric system and to identify persons.

A discussion about biometric systems will hence be easier to follow in the context of groups of relevant application models, each group showing characteristics common to the biometric applications that belong to it. The characteristics mentioned in Table 5 in section 3.3.3 below, which are used to group the application examples, are based on the way control is exercised and on two other major criteria used in data protection legislation, expressed by two questions: (1) who is the data controller? and (2) what is the purpose of the application? As mentioned before, grouping the applications around these three criteria should facilitate the discussion of the risks and advantages of biometrics. The criteria, with details for each of the groups identified, are further described in Table 5 in section 3.3.3 below.

 

The five main groups of biometric applications that can be distinguished according to these three criteria are listed in Table 4 below, in the column ‘FIDIS Deliverable 3.10’, and are compared with the categories of AFNOR and BioVision. Table 4 shows how the categories of AFNOR and BioVision fit into the types introduced in FIDIS D3.10.

 

FIDIS Deliverable 3.10                                               AFNOR                  BioVision
Identity applications (Type I)                                       Class 3 and Class 4    Authentication
Security and access control (authorisation) applications (Type II)   Class 1 and Class 2    Authentication / Authorisation / Tracing
Public/private partnership applications (Type III)                                          Authentication / Authorisation
Convenience and personalisation applications (Type IV)               Class 1                Personalisation
Tracking and tracing (surveillance) applications (Type V)            Class 1                Tracing

Table 4: The five types of biometric model applications introduced in FIDIS D3.10 compared with the categories of AFNOR and BioVision

As stated before, the relevant questions asked in this regard are: by which entity are the biometrics used, for which purposes and functionalities, and what type of control is exercised? By reviewing existing biometric applications and answering these questions, these five types of applications have been identified.

The fifth type, biometrics used for tracking and tracing, is referred to only in a limited number of cases in the further discussion of the privacy and security risks. This is not because that model is not deployed or because biometrics are unfit for it, but because Directive 95/46/EC often does not apply (for example to processing for purposes of state security), because that model is not a good example of an identity management application, and because details about the functioning of such systems are often not known.

Although a biometric application may at first sight belong to more than one group (e.g., in an access monitoring application, the persons subject to monitoring will in most cases be identified or identifiable), it is important to keep the groups distinct. For example, for access control applications there are good reasons to argue that the identification functionality of the biometric is not needed. A mere comparison against biometric characteristics stored locally (e.g., on the card) is in most cases sufficient for access control, because identity has already been checked when the card was issued; no central storage of the biometric characteristics for identification purposes is therefore required. For government controlled ID applications, by contrast, there may be a need to use the identification functionality.

Based on the models and types described, the risks and advantages of biometrics can be described more precisely, together with recommendations on how to improve the design of biometric identity applications.

Advantages and Disadvantages of the different control models

As stated in today’s information security management system standards such as ISO 27001, personal responsibility for, and control over, every ICT system that has to meet certain well-defined security levels are essential factors. Control typically has two aspects:

  1. a technical component, spanning environmental infrastructure (buildings), communication infrastructure (networks), systems (servers and other ICT components such as sensors, together with their operating systems), data storage, and applications (including the corresponding software releases and configurations) and related data; and

  2. an organisational component, spanning the behaviour of users and administrators of any of the mentioned technical components. 


In addition, control can be applied directly (e.g. by the management of an organisation within that organisation) or in a shared, trust-based way (also called indirectly). In the latter case trust is typically based on contracts that include security service level agreements (SSLAs), audit schemes and optionally fines for violation of the SSLAs. Four types of control scheme have proven relevant in the context of the security of biometric systems; they are briefly described in a table in Annex 2 to this deliverable.

In this context biometric systems can be understood as ICT systems, since they process digital data captured through a physical measurement process. Table 5 in the section below gives an overview of different implementations of ICT and biometric systems with respect to data storage, control and the related data protection and security aspects.

Another aspect of the different control models is the type of controlling entity: is it a public or a private authority that controls the data processing? For Type I – government controlled ID applications, a legislative basis for the establishment of the system will be needed. Most risks are found in the multilateral control model applications that occur in governmental controlled ID applications of Type Ic; such ICT systems may have many outstanding issues, such as access to the databases, the access procedure and transfers to third countries. At the same time, the best possibilities for effective protection against abuse may lie with a control scheme in which the data subject participates, as in the Type IIc access control model applications. The characteristics of the control models depend on the architectural realisation of the control scheme. Later in this document (see below, section 6.3) an architecture with control shared between the data subject and the identity management system operator/controller is presented under the heading ‘encapsulated biometrics’; it splits control of the biometric system between the biometric processing devices (under the secured control of the operator/controller) and the biometric data (under the sole control of the individual who is the data subject).
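The following Python model is an added example and is not code from the FIDIS deliverable or from any of the projects it cites. It illustrates two points made in this chapter: the difference between the 1:1 verification functionality (AFNOR Class 1, the access control case where the reference can stay with the card holder) and the 1:N identification functionality (AFNOR Classes 3 and 4, which needs an operator-held gallery), and the ‘encapsulated biometrics’ split of control, modelled here as a claimant-held card that performs the comparison itself and never releases its template. Templates are random 512-bit codes standing in for a real feature vector, the matcher is a fractional Hamming distance, and the threshold, the noise model and all names (Card, verify, identify, make_scenario, false_match_rate) are this example’s own assumptions. It goes one step beyond the text: false_match_rate measures how the chance of an accidental match in a 1:N search grows with the size of the gallery, which is one reason the two functionalities carry different performance requirements.

```python
"""Toy model of 1:1 verification (claimant-held reference) versus 1:N
identification (operator-held gallery). Added example, not FIDIS code.
Templates are random 512-bit codes, a constructed stand-in for a real
feature vector; threshold, noise model and names are assumptions."""
import random

TEMPLATE_BITS = 512
THRESHOLD = 0.42   # assumed decision threshold (fraction of differing bits)
NOISE_BITS = 60    # assumed: bits that differ between enrolment and a live capture


def random_template(rng):
    """Enrolment: produce an independent random template (constructed data)."""
    return rng.getrandbits(TEMPLATE_BITS)


def capture(template, rng, flips=NOISE_BITS):
    """Simulate a live sample of the same person: the enrolled template
    with `flips` randomly chosen bits inverted."""
    sample = template
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        sample ^= 1 << pos
    return sample


def distance(a, b):
    """Fractional Hamming distance: 0.0 for identical codes, about 0.5
    for two unrelated random codes."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(reference, sample, threshold=THRESHOLD):
    """1:1 comparison (AFNOR Class 1). The reference arrives with the
    claimant (e.g. read from a card); no central database is consulted."""
    return distance(reference, sample) <= threshold


def identify(gallery, sample, threshold=THRESHOLD):
    """1:N comparison (AFNOR Classes 3 and 4). The sample is compared with
    every template in the operator's gallery; returns the identifiers that
    match (possibly several, possibly none)."""
    return [ident for ident, ref in gallery.items()
            if distance(ref, sample) <= threshold]


class Card:
    """Claimant-held token in the 'encapsulated biometrics' sense: it stores
    the reference template and performs the comparison itself, so the
    operator controls the reader (the processing device) but never obtains
    the reference data."""

    def __init__(self, template):
        self._template = template   # never exported by the card

    def match(self, sample, threshold=THRESHOLD):
        return distance(self._template, sample) <= threshold


def make_scenario(seed=7, gallery_size=100):
    """Enrol `gallery_size` people in an operator-held gallery (1:N model)
    and give person 0 a card carrying the same template (1:1 model).
    Returns the card, the gallery, a live sample of person 0 and a live
    sample of a stranger who was never enrolled."""
    rng = random.Random(seed)
    gallery = {i: random_template(rng) for i in range(gallery_size)}
    card = Card(gallery[0])
    genuine = capture(gallery[0], rng)
    stranger = capture(random_template(rng), rng)
    return card, gallery, genuine, stranger


def false_match_rate(gallery_size, trials=200, seed=1):
    """Empirical rate at which a person NOT in the gallery is matched to
    someone in it by identify(). It grows with the gallery size, because
    every additional template is another chance of an accidental match;
    a 1:1 verification has no such dependence on N."""
    rng = random.Random(seed)
    gallery = {i: random_template(rng) for i in range(gallery_size)}
    hits = sum(1 for _ in range(trials)
               if identify(gallery, capture(random_template(rng), rng)))
    return hits / trials


if __name__ == "__main__":
    card, gallery, genuine, stranger = make_scenario()
    print("card match, genuine: ", card.match(genuine))
    print("card match, stranger:", card.match(stranger))
    print("identify, genuine:   ", identify(gallery, genuine))
    for n in (10, 100, 1000):
        print(f"false-match rate of 1:N search, N={n}: {false_match_rate(n):.3f}")
```

Running the module shows the card accepting its holder and rejecting the stranger without any gallery being involved, the gallery search returning person 0 for the genuine sample, and the false-match rate of the search rising as the gallery grows. The design point is in the Card class: the operator’s reader supplies the live sample and receives only a yes/no decision, which is the separation between processing device and biometric data that the encapsulated architecture relies on.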

Another aspect of the different control models is the procedure for enrolment and use of the system. Enrolment in and use of Type I – government controlled ID applications will in principle take place under prescribed conditions, upon submission of specific evidence and with specifically assigned personnel, and use in the verification/identification stage will take place in the presence of officials attending the system. This may not always be the case for Type II – access control models and Type III – mixed model applications, and will not apply to Type IV – convenience model applications. The risks during enrolment and during use therefore differ for each of these models.

Other advantages and disadvantages of biometric applications can be described according to the control models given in the overview below.

 

20071228_fidis_deliverable_wp3_10_V1.0.final.sxw