D3.10: Biometrics in identity management
Annex 2: Characteristics of the different control schemes
| Control scheme | Characteristics | Security aspects | Privacy aspects |
|---|---|---|---|
| Central control | Biometric system controlled by a single organisation (data controller). Mostly a centrally hosted database of reference templates. Individual data subjects deliver their biometric sample to the system on request of the operator (controller). Treatment and interpretation of the data is controlled by the operator (controller) only. Applied in the verification and identification mode. | The operator has to supply and guarantee confidentiality, integrity and availability of the data processed using the biometric system over its full lifetime. Central storage of the reference templates and the central processing lead to a scaling problem and form a critical single point of failure or attack. | The data subject has no individual control over the use of his biometric data. |
| Divided control with trust | Biometric system is shared between organisations which all use the same central reference template repository, or is operated by an external service provider. Capture and processing are distributed over the operator federation. The processing follows common standards. There is a common security and privacy policy, which however is only marginally influenced by the data subject. | One or more data controllers are responsible for the central security concept of the biometric system, dealing with confidentiality, integrity and availability of the data. Security in the system is based on trust, which in turn is based on Security Service Level Agreements (SSLAs), (mutual) audit schemes and, where needed, fines. The distribution of the reference templates to the peripheral control instances is critical; leakage of biometric data needs to be prevented. | The data subject has no individual control over the use of his biometric data. The data subject may be traced across all involved organisations. In some cases, multiple enrolments and identity mismatches may lead to serious problems for the persons concerned. |
| Multilateral control | The multilateral control model allows easy sharing of the biometric application among different operators without allowing direct access to biometric data. It requires a relatively high level of standardisation of the biometric processing and the biometric data representation. | ISO 27001 covers control objectives and controls for a situation where a risk assessment covering all relevant assets is carried out centrally or jointly, leading to a standardised level of security requirements and measures spanning all participating organisations. A situation of multilateral security requirements is not covered by ISO 27001 or other security management standards. | The data subject has no individual control over the use of his biometric data. |
| Divided control with data subject | Control over the biometric system is divided among the data controller and data subjects, who may have different security requirements. The biometric system is defined and sealed within a physical device by the operator (e.g. encapsulated in a personal token or in match-on-card schemes). The operator provides at least parts of the biometric system to the data subject, who decides about the enrolment and the occasions on which to be recognised by the system. The biometric data never leave the device; only the result of the decision step is sent to the operator. The biometric data remain under the control of the data subject, who decides about the recall or destruction of this data. The system may operate in the identification mode without any loss of performance. | The compartmentalisation of the biometric data makes a general loss of such data practically impossible. The storage of a single or only very few templates in a device discourages an attacker from investing in breaking such a device, as the return on investment is too low. The system can be scaled to an arbitrary number of units and thus of individuals enrolled in the system; there is no scaling problem. The device carrying the biometric system has to be secured against attacks by non-cooperative users. | The biometric data always stay under the full control of the data subject. The operator has no direct access to the biometric data and therefore cannot cause any biometrics-related privacy violation. |
| Data subject control | The biometric system and the biometric processing are under the full and sole control of the data subject. There is no guarantee of the reliability of the biometric recognition process, and therefore it will not be trusted by an external operator of a value service. | The outcome of the biometric recognition process is under the control of the data subject only. An external organisation cannot trust this outcome more than any other uncertified identity statement of the data subject. | The privacy of the biometric data needs to be protected by the data subject. The data subject may lose control by inadvertence or under a malware attack. |
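The data flow of the "divided control with data subject" scheme (template sealed in a personal token, only the decision leaves the device, the subject controls enrolment and erasure) can be made concrete with a small simulation. This is an added illustration, not code from the FIDIS deliverable; the token, its tamper resistance, the 16-bit feature strings and the Hamming-distance matcher are all constructed assumptions standing in for a real biometric system.

```python
from dataclasses import dataclass, field

# Constructed toy data: biometric features modelled as 16-bit feature strings.
ENROL_SAMPLE = "1101001110100110"
LIVE_SAMPLE_OK = "1101001110110110"   # genuine presentation: 1 feature bit differs
LIVE_SAMPLE_BAD = "0010110001011001"  # impostor presentation: every bit differs

def hamming(a: str, b: str) -> int:
    """Number of differing feature bits; stands in for a real matcher score."""
    return sum(x != y for x, y in zip(a, b))

@dataclass
class PersonalToken:
    """Sealed device held by the data subject (assumed tamper-resistant)."""
    threshold: int = 3
    _template: str = field(default="", repr=False)

    def enrol(self, sample: str) -> None:
        # The data subject decides to enrol; the template never leaves the token.
        self._template = sample

    def verify(self, live_sample: str) -> bool:
        # Matching happens inside the token; only the yes/no decision is exposed.
        if not self._template:
            return False
        return hamming(self._template, live_sample) <= self.threshold

    def erase(self) -> None:
        # Recall or destruction of the biometric data is the data subject's decision.
        self._template = ""

@dataclass
class Operator:
    """Relying party: records decisions per token id, never templates or samples."""
    log: list = field(default_factory=list)

    def record(self, token_id: str, decision: bool) -> bool:
        self.log.append((token_id, decision))
        return decision

def demo() -> dict:
    token, operator = PersonalToken(), Operator()
    token.enrol(ENROL_SAMPLE)
    genuine = operator.record("token-01", token.verify(LIVE_SAMPLE_OK))
    impostor = operator.record("token-01", token.verify(LIVE_SAMPLE_BAD))
    token.erase()
    after_erase = operator.record("token-01", token.verify(LIVE_SAMPLE_OK))
    # A full dump of operator-side data contains no biometric material.
    leaked = ENROL_SAMPLE in repr(operator.log)
    return {"genuine": genuine, "impostor": impostor, "after_erase": after_erase, "leaked": leaked}
```

Contrast this with the central-control row: there the operator's store would hold every reference template, so the same dump of operator data would expose all enrolled subjects at once.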