
D3.10: Biometrics in identity management


 

Biometrics as a privacy guard

Existing security vulnerabilities of biometric systems and the potential misuse of biometric data, combined with an intensified commercial and governmental interest in biometrics (stemming from their inherent identification capabilities, which promise to overcome the limitations of current identification and authorisation systems), have led to increased concern over the ways in which they can affect a person’s privacy. However, enhancing the security of existing systems across a large set of applications is one of the main promises of biometric technology. Biometrics therefore appear to be not only a threat to privacy but also an opportunity for it.

The accurate, and thus reliable, identification and verification of individuals is a major goal for both governments and private organisations. Identification or authentication processes are embedded in applications in many fields, from entertainment and education to law enforcement and access control. High false rejection and false acceptance rates in existing identification and verification systems result in unnecessary duplication, regular cases of identity fraud and the resulting customer disruption, and thus impose a heavy cost on organisations. Biometric technology offers the potential to overcome the security vulnerabilities and performance limitations of conventional identification and authentication systems, which mainly rely on identifiers such as PINs, passwords and smart cards that can be stolen or guessed. Both the personal data of individuals and the data resulting from the individual’s interaction with the system are thus less vulnerable to attack.

A technology can be characterised as privacy-enhancing when it protects informational privacy by preventing unnecessary or unauthorised disclosure and processing of personal data while still maintaining the functionality of the system. A biometric (sub-)system built with a privacy-enhancement orientation and delivering the promised increased security levels can therefore serve as a privacy guard. The most prominent use of biometrics as a privacy-protecting technology is as a means of controlling access to the individual’s personal data through a strict authentication system. Biometric authentication uses “what you are” information for access purposes, in contrast to conventional authentication / authorisation systems based on “what you have” (e.g., smart card) and “what you know” (e.g., passwords); the benefit is a set of features tightly linked to a person’s identity that cannot be shared or easily duplicated. Privacy issues are thus reduced, because it becomes harder to duplicate an individual’s identity and there is less need to maintain multiple forms of identification (e.g., credit cards, passwords, etc.). Protecting privacy also includes providing the ability to correct an error, or to prevent fraud, related to a suspected misuse or abuse of personal information by the authorities. According to Neuman, a biometric can enhance privacy, “such as when an authority looks something up in a system, and their authority to do so is also verified through the use of their own biometric identifier”. More generally, access to databases and other data stores containing sensitive personal information, including religious, financial, medical and criminal records, can be monitored and recorded through biometric authentication of the person accessing the data. Examples of such applications include:

 

  1. access to personal, including medical, information, which can be restricted to healthcare workers granted authorisation rights through biometrically protected smart cards and an underlying authorisation structure

  2. access to emergency contact information and special medical information of students, which requires the presence of the student

  3. access to specific facilities of a laboratory (e.g., printers, oscilloscopes, etc.), which is possible only for the permanent staff of the lab.

 

Moreover, biometrics serving as a profiling technique or as a link between personal data can be a considerable asset – provided that they are developed and implemented within the appropriate legal framework – when conducting background investigations to ensure that an individual does not have a negative history, particularly in the areas of child abuse and sex offences.

 

For this reason, apart from the formation of a suitable legal framework, many technological efforts have been made to eliminate the biometric system vulnerabilities that threaten the user’s privacy and overshadow the privacy-enhancing capabilities of biometrics. It should be noted that these efforts aim at offering a beneficial additional layer in the privacy aspect of biometric systems, not a complete solution. Centralised storage of the collected biometric data is strongly discouraged, whereas concepts such as cancellable or revocable biometrics – biometrics distorted in a non-invertible manner both during enrolment and verification – have been introduced to protect the biometric data. More specifically, instead of storing a digital representation of the biological feature itself, a distorted image of that feature is stored during enrolment. Every time the same individual tries to access the system, the scanner distorts the newly captured image in the same way, and matching compares the two distorted images. The non-invertible transformation ensures that even if both the transform function and the transformed biometric data are known, the original biometric data cannot be recovered. Used this way, biometrics can provide a mechanism to verify an individual’s identity without linking it to their private data, supporting the unlinkability aspect of privacy. However, cancellable biometrics cannot yet guarantee high levels of unlinkability: the transformed version of the biometric must not only fail to match the individual’s original biometric but must also not match the biometrics of any other individual, which is a serious restriction, and current techniques still lack high levels of accuracy.
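The enrol-in-distorted-form, match-in-distorted-form cycle described above, as an added example that is not part of the deliverable: a token-seeded permutation of a constructed 256-bit feature vector (iris-code style) followed by XOR-folding of its two halves. Folding is many-to-one, so a stored template cannot be inverted to the original bits even when the token and the transform are known; matching uses Hamming distance in the transformed domain, and revoking a template means issuing a new token. N_BITS, THRESHOLD, the token values and the sample_biometric generator are constructed assumptions for this example, not figures or code from the deliverable.

```python
import hashlib
import random

N_BITS = 256       # length of the constructed binary feature vector (iris-code style)
THRESHOLD = 0.30   # maximum normalised Hamming distance accepted in the transformed domain


def sample_biometric(user_seed: int, noise_bits: int = 0, noise_seed: int = 0) -> list[int]:
    """Constructed stand-in for a sensor capture: a fixed per-user bit pattern with
    `noise_bits` positions flipped to imitate capture-to-capture variability."""
    rng = random.Random(user_seed)
    bits = [rng.randint(0, 1) for _ in range(N_BITS)]
    noise = random.Random(noise_seed)
    for i in noise.sample(range(N_BITS), noise_bits):
        bits[i] ^= 1
    return bits


def transform(bits: list[int], token: bytes) -> list[int]:
    """Cancellable transform: token-seeded permutation, then XOR-fold the halves.
    Folding maps 2**(N_BITS//2) different inputs onto every output, so knowing the
    token and this function does not let anyone recover `bits` from the output."""
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    order = list(range(N_BITS))
    random.Random(seed).shuffle(order)
    permuted = [bits[i] for i in order]
    half = N_BITS // 2
    return [permuted[i] ^ permuted[i + half] for i in range(half)]


def hamming_distance(a: list[int], b: list[int]) -> float:
    """Fraction of differing positions between two equal-length bit vectors."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def enroll(bits: list[int], token: bytes) -> list[int]:
    """Only the distorted template is stored; the raw capture is discarded."""
    return transform(bits, token)


def verify(stored: list[int], probe_bits: list[int], token: bytes) -> bool:
    """Distort the fresh capture the same way and compare in the transformed domain."""
    return hamming_distance(stored, transform(probe_bits, token)) <= THRESHOLD


if __name__ == "__main__":
    alice = sample_biometric(1)
    token_v1 = b"alice-token-v1"        # user-specific token (constructed value)
    stored = enroll(alice, token_v1)

    print("genuine, noisy capture :", verify(stored, sample_biometric(1, 20, 3), token_v1))  # True
    print("impostor               :", verify(stored, sample_biometric(2), token_v1))          # False

    # Revocation: a leaked template is cancelled by issuing a new token and re-enrolling.
    token_v2 = b"alice-token-v2"
    print("old template, new token:", verify(stored, alice, token_v2))                        # False
    stored_v2 = enroll(alice, token_v2)
    print("re-enrolled            :", verify(stored_v2, sample_biometric(1, 20, 3), token_v2))  # True

    # Unlinkability between applications: different tokens yield unrelated templates.
    print("cross-app distance     :",
          hamming_distance(transform(alice, b"bank"), transform(alice, b"clinic")))
```

The fold halves the information available for matching, which is the accuracy trade-off the text refers to: 20 flipped bits in a 256-bit capture become at most 20 flipped bits in a 128-bit template (distance about 0.16), so THRESHOLD has to be set against that loss, and a looser threshold raises the chance that another person's transformed template matches.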

 

The combination of multiple biometrics (also called multimodal biometrics) has also been regarded as a technique that can enhance the privacy aspects of biometrics. In this case, more than one separate biometric feature is combined to obtain a non-unique identifier of the individual. Examples of multiple biometrics include imprints of more than one finger, iris scans of both eyes, or the combination of entirely different biometric data, such as a facial image with an iris scan. Although the key comparative advantage of multiple biometrics over single biometrics lies in their information richness, it is not limited to that: not only is performance expected to improve, but the risk of misuse and privacy invasion is also reduced, since an intentional false positive would require presenting more than one biometric to the system. Currently the main factor deterring the implementation and use of systems integrating multiple biometrics is cost, since they require a combination of expensive equipment (e.g., iris pattern and fingerprint scanners and the associated processing systems). However, cases where multiple biometrics are extracted from the same body part (e.g., several fingers) could be a first step in that direction.

Biometric encryption is another possible improvement of biometrics. Encryption is the process through which information that is transmitted or stored in a database is disguised. The basic idea behind key-based cryptography is that the data is scrambled so that only the sender and the intended recipient can actually read it. More specifically, in public-key cryptography the user has a pair of keys: a private key and a public key. The sender uses the public key as the basis for encrypting the data, whereas only the owner of the private key can decrypt it.

Biometric encryption is a process which results from merging biometrics with cryptography. To take advantage of the main features of biometrics, including uniqueness and variability, it uses one or more biometric features as a method for secure key management rather than for data encryption / decryption directly, the main reason being the great variability of biometric samples. In other words, biometric encryption aims at strengthening the cryptosystem so that the keys are less vulnerable to attack, by securely binding the key with the biometric such that neither the biometric nor the key can be retrieved from the stored template. The rapidly increasing exchange of information via the Internet has led to an intensified need to protect sensitive data connected to open networks, whether transmitted or stored in databases. Moreover, biometric encryption goes a step beyond traditional biometric systems and allows individuals to use a single biometric for multiple accounts and purposes without fear that these separate identifiers or uses will be linked together by a single biometric image or template. According to Cavoukian, another application of biometric encryption could be a privacy-protected one-to-many database for “double dipping” prevention. More specifically, this database is multimodal, containing both conventional (but anonymous) templates and private templates that control a link to the user’s encrypted records; decryption of the user’s records is possible only when a positive match is achieved on both types of templates. Biometric encryption aims at protecting this information and hence can act as a supporting technology for a privacy-enhancing system.
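Key binding, where "neither the biometric nor the key can be retrieved from the stored template", is the core of the biometric encryption idea above. The following is an added example, not the deliverable's or Cavoukian's scheme: it implements Juels and Wattenberg's fuzzy commitment (1999), one of the standard key-binding constructions, over a constructed 240-bit biometric string. A 16-bit key is expanded by a repetition code, XORed with the biometric, and stored together with a hash of the key; a fresh capture within the code's error-correcting capacity releases the key, anything else releases nothing. KEY_BITS, REPEAT, the demo_biometric generator and the key values are constructed assumptions. The last two checks also show why the "single biometric for multiple accounts" claim needs more than plain XOR binding: with a linear code, the XOR of two helper strings from the same biometric is itself a codeword, so two such enrolments are linkable unless a per-application transform is added.

```python
import hashlib
import secrets
from typing import Optional

KEY_BITS = 16               # size of the bound secret (kept small for the demo)
REPEAT = 15                 # repetition-code block length; majority vote corrects up to 7 flips per block
N = KEY_BITS * REPEAT       # 240-bit biometric string
BLOCK_MASK = (1 << REPEAT) - 1


def ecc_encode(key: int) -> int:
    """Repetition code: key bit i becomes REPEAT copies at bits REPEAT*i .. REPEAT*i+14."""
    codeword = 0
    for i in range(KEY_BITS):
        if (key >> i) & 1:
            codeword |= BLOCK_MASK << (i * REPEAT)
    return codeword


def ecc_decode(word: int) -> int:
    """Majority vote per block, tolerating up to (REPEAT - 1) // 2 flipped bits in each."""
    key = 0
    for i in range(KEY_BITS):
        block = (word >> (i * REPEAT)) & BLOCK_MASK
        if bin(block).count("1") * 2 > REPEAT:
            key |= 1 << i
    return key


def key_hash(key: int) -> bytes:
    return hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big")).digest()


def enroll(w: int, key: Optional[int] = None) -> tuple[int, bytes]:
    """Bind `key` to biometric string `w`. The stored record is (helper, H(key)):
    helper = codeword XOR w, which on its own reveals neither w nor the key."""
    if key is None:
        key = secrets.randbits(KEY_BITS)
    return ecc_encode(key) ^ w, key_hash(key)


def release(helper: int, stored_hash: bytes, w_probe: int) -> Optional[int]:
    """helper XOR w_probe = codeword XOR (w XOR w_probe); decoding succeeds exactly
    when the fresh capture differs from the enrolled one within the code's capacity."""
    candidate = ecc_decode(helper ^ w_probe)
    return candidate if key_hash(candidate) == stored_hash else None


def is_codeword(word: int) -> bool:
    """True when every block is all-zeros or all-ones, i.e. a repetition-code codeword."""
    return all(((word >> (i * REPEAT)) & BLOCK_MASK) in (0, BLOCK_MASK) for i in range(KEY_BITS))


def flip_bits(w: int, positions) -> int:
    """Imitate capture noise by flipping the given bit positions."""
    return w ^ sum(1 << p for p in positions)


def demo_biometric(label: str) -> int:
    """Constructed 240-bit stand-in for a binarised biometric feature string."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") & ((1 << N) - 1)


if __name__ == "__main__":
    w = demo_biometric("user-a")
    helper, h = enroll(w, key=0xBEEF)

    noisy = flip_bits(w, [0, 3, 17, 40, 100, 150, 200, 239])   # at most 2 flips per block
    print(hex(release(helper, h, noisy) or 0))                   # 0xbeef
    print(release(helper, h, flip_bits(w, range(8))))            # None: 8 flips in one block
    print(release(helper, h, demo_biometric("user-b")))          # None: impostor

    # Linkability caveat: same biometric, two independent keys, XOR of the helpers is a codeword.
    helper2, _ = enroll(w, key=0x1234)
    print(is_codeword(helper ^ helper2))                                            # True
    print(is_codeword(helper ^ enroll(demo_biometric("user-b"), key=0x1234)[0]))   # False
```

The helper data is the only biometric-derived value at rest, and the key is only ever reconstructed in memory from a live capture, which is the property the text describes. The repetition code is chosen for readability; deployed schemes use BCH or Reed-Solomon codes and far longer keys, and combine the commitment with a per-application cancellable transform so that helper strings from different accounts are not related by a codeword.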

 

 

20071228_fidis_deliverable_wp3_10_V1.0.final.sxw
26 / 40