4th Annual Privacy & Security Workshop
From Anonymisation to Identification: The Technologies of Today and Tomorrow
Peter Hope-Tindall, Chief Privacy Architect™, dataPrivacy Partners Ltd., pht@dataprivacy.com
November 7, 2003

Agenda
• Biometrics and Privacy
• Privacy Concerns
• Design & Implementation Issues
• Technology to protect Privacy
Biometrics Presentation
Privacy
• “the right to exercise control over your personal information.” – Ann Cavoukian
• “Privacy is at the heart of liberty in the modern state.” – Alan Westin
• “the right to be let alone” – Warren & Brandeis*
* Warren and Brandeis, "The Right to Privacy", 4 Harvard Law Review 193 (1890). The phrase "right to be let alone" had been coined by Judge Cooley several years earlier. See Thomas M. Cooley, Cooley on Torts 29 (2d ed. 1888).

Security and Privacy – a technical view
• data protection – FIPs (not FIPS)
• authentication
• data-integrity
• confidentiality
• access controls
• non-repudiation
(Diagram of the Privacy and Security domains, not reproduced.)
n.b. FIPs: Fair Information Practices; FIPS: Federal Information Processing Standards

Security vs. Privacy
Security:
• Accountable to the President/CEO and Board of Directors.
• Risk-based assessment (how likely is it?).
• Access and use controls defined by the system owner.
• Has been focused on protecting against outsiders.
Privacy:
• Accountable to the data subject.
• Capabilities-based assessment (is it possible?).
• Access and use controls defined by use limitation, the consent of the data subject and legislation.
• Protecting against outsiders, insiders and the system owner.

The complex nature of Privacy
• Identity – measures the degree to which information is personally identifiable.
• Linkability – measures the degree to which data tuples or transactions are linked to each other.
• Observability – measures the degree to which identity or linkability may be affected by the use of a system: which other data elements are visible, implicitly or explicitly.
With thanks and apologies to the Common Criteria
Biometrics
• Biometric is derived from the Greek words bio (life) and metric (the measure of).
• “The automated use of Physiological or Behavioral Characteristics to determine or verify identity” – International Biometric Group (IBG)
• “‘Biometrics’ are unique, measurable characteristics or traits of a human being for automatically recognizing or verifying identity.”

Biometrics Schmetrics?
• Biometric (noun) – one of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Finger-scanning is a commonly used biometric.” Plural form also acceptable: “Retina-scan and iris-scan are eye-based biometrics.”
• Biometrics (noun) – the field relating to biometric identification. “What is the future of biometrics?”
• Biometric (adjective) – of or pertaining to technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Do you plan to use biometric identification or older types of identification?”

Biometric Template
• A distinctive encoded file derived from the unique features of a biometric sample
• A basic element of biometric systems
• Templates, not samples, are used in biometric matching
• A much smaller amount of data than the sample (1/100th, 1/1000th)
• Vendor specific
• A different template is generated each time an individual provides a biometric sample, so matching is a thresholded similarity comparison, never an exact comparison.

Verification
• Also called 1:1 ‘Authentication’
• Performs a comparison against a single biometric record
• Answers the question: “Am I who I say I am?”

Identification
• Also called 1:N Search
• Performs a comparison against the entire biometric database
• Answers the question: “Who am I?”

Is DNA a biometric?
• DNA requires an actual physical sample
• DNA matching is not performed in real time
• DNA matching does not employ templates or feature extraction
• However, the policy issues and risks are identical

In a strict sense then, DNA matching is not a biometric, in the same way that traditional forensic fingerprint examination is not a biometric. Regardless of these distinctions, we believe that DNA-based technologies should be discussed alongside other biometric-based technologies inasmuch as they make use of a physiological characteristic to verify or determine identity. Beyond the definition, to most observers DNA looks, acts and may be used like other biometrics. The policy ramifications, while much more serious for DNA-based technologies, share some common attributes with other biometrics.
Taxonomy
Physiological Biometrics:
• Finger Scanning
• Hand Geometry
• Facial Recognition
• Iris Scanning
• Retinal Scanning
• Finger Geometry
Behavioral Biometrics:
• Voice Recognition
• Dynamic Signature Verification
• Keystroke Dynamics
(In reality all biometrics are both physiological and behavioral to some degree.)

Finger Scanning
• Minutiae based or pattern based

Hand Geometry
• Measures dimensions of the hand
• Easy to use / widely used in access control applications

Facial Recognition
• Based on distinctive facial features

Iris Scanning
• Takes a picture of the iris and analyses its ‘features’: ridges, furrows, striations
• Scan distance – up to 1 metre

Retinal Scanning
• Utilizes distinctive patterns visible on the retina at the back of the eye.

Finger Geometry
• Measures the shape and size of a single finger (or a pair of fingers).

Voice Recognition
• Performs an analysis of features from an audio waveform.

Dynamic Signature Verification
• Measures the pressure, vector and number of strokes of a signature.
• Can be used with existing signature applications.

Keystroke Dynamics
• Measures the rhythm and distinctive timing patterns of keyboarding.

Other
• Ear Geometry
• Body Odour
• Gait (walking pattern)
Biometrics Summary Chart by Peter Hope-Tindall – developed for the OECD (chart not reproduced in this transcript; only its notes survive)
[i] Note: Although the ‘potential’ exists for high accuracy, recent pilot projects have indicated great difficulty in obtaining accurate results with 1:N systems.
[ii] Ibid.

How does a biometric system work?
• Scanning / collection of a sample
• Feature extraction
• Biometric template creation
• Biometric template matching
• Many vendors have proprietary searching subsystems and optimized hardware

Types of Function
• Identification (1:N) – submission of a sample as a search candidate against the entire database
• Verification (1:1) – validation of a sample against a presumed identity

Standard Biometric System (diagram): Sensor → Logic → Reference Database → Application
Metrics
• Scientific Method / Biometric Testing
“The real purpose of the scientific method is to make sure Nature hasn't misled you into thinking you know something you don't actually know.” – Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance

Perceptions
• Public perceptions
• Looking for a magic solution
• Feel-safe technology
• Post-terrorism opportunism
• Limited information

Biometric Performance
• “False Reject Rate” a.k.a. False Non-Match Rate (FNMR)
• “False Acceptance Rate” a.k.a. False Match Rate (FMR)
• “Equal Error Rate”
• Biometric System Error Trade-off
(Strictly, FMR and FNMR are matcher-level rates for a single comparison, while FAR and FRR are system-level transaction rates that also absorb failures to acquire; vendor literature often uses the terms interchangeably.)

Equal error rate crossover (plot: error rate against sensitivity/threshold; the FA and FR curves cross at the equal error rate)

Other Metrics
• “Failure to Acquire” – e.g. missing fingers/eyes
• “Failure to Enroll” – insufficient features; may be as high as 2-4% in the general population (up to 20-30% in the elderly)
• Throughput
• System Cost
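The trade-off on the three slides above can be made concrete. The following Python is an added example and is not part of the presentation: it computes FMR and FNMR over a set of constructed genuine and impostor match scores, finds the equal error rate, folds a failure-to-acquire rate into system-level FAR/FRR using the convention later standardised in ISO/IEC 19795-1 (the deck predates it), and estimates the false-positive identification rate of an open-set 1:N search, which is why the summary chart's note about 1:N accuracy is what one should expect. The scores, the 3% FTA and the per-comparison FMR are constructed values.

```python
"""Biometric error trade-off: matcher-level FMR/FNMR across thresholds, the
equal error rate, and how failure-to-acquire turns them into system-level
FAR/FRR.  Added illustration with constructed scores, not from the deck."""

# Constructed similarity scores on a 0..100 scale (higher = more similar).
# Genuine = a person compared against their own template,
# impostor = a different person compared against that template.
GENUINE_SCORES = [62, 70, 74, 78, 81, 83, 85, 88, 90, 93]
IMPOSTOR_SCORES = [20, 28, 33, 40, 45, 52, 58, 64, 66, 72]


def fmr(impostor_scores, threshold):
    """False match rate: fraction of impostor comparisons at or above threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores, threshold):
    """False non-match rate: fraction of genuine comparisons below threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_tradeoff(genuine_scores, impostor_scores):
    """(threshold, FMR, FNMR) at every observed score.  Raising the threshold
    lowers FMR and raises FNMR: this is the trade-off curve on the slide."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, fmr(impostor_scores, t), fnmr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold where FMR and FNMR are closest, and the EER (their mean there)."""
    t, a, r = min(error_tradeoff(genuine_scores, impostor_scores),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def system_rates(genuine_scores, impostor_scores, threshold, failure_to_acquire):
    """System-level rates for 1:1 verification (ISO/IEC 19795-1 convention):
    a failed acquisition counts as a rejection, so it raises FRR and can
    never produce a false accept."""
    fta = failure_to_acquire
    far = (1 - fta) * fmr(impostor_scores, threshold)
    frr = fta + (1 - fta) * fnmr(genuine_scores, threshold)
    return far, frr


def false_positive_identification_rate(fmr_per_comparison, population):
    """Open-set 1:N search: probability that a probe from someone NOT enrolled
    falsely matches at least one of N templates, treating the N comparisons as
    independent: 1 - (1 - FMR)^N.  Shows why 1:N is so much harder than 1:1."""
    return 1 - (1 - fmr_per_comparison) ** population


if __name__ == "__main__":
    for t, a, r in error_tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}  FMR {a:.2f}  FNMR {r:.2f}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t}")
    print("system FAR/FRR with 3% FTA:",
          system_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t, 0.03))
    for n in (1_000, 100_000, 1_000_000):
        print(f"FPIR at FMR=0.001, N={n}: "
              f"{false_positive_identification_rate(0.001, n):.3f}")
```

With these constructed scores the EER is 10% at threshold 70; adding a 3% failure-to-acquire rate moves the system FRR to 12.7% while FAR falls slightly, which is the asymmetry a deployment has to budget for. The last loop shows that a per-comparison FMR of 0.001, respectable for 1:1, gives a false-positive identification rate above 60% once a database of only 1,000 people is searched, and essentially 100% at 100,000.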
Publicly Available Independent Evaluations
• CESG – http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=4&displayPage=4
• Face Recognition Vendor Test – http://www.frvt.org
• Fingerprint Verification Competition – http://bias.csr.unibo.it/fvc2002
• US National Biometric Test Center – http://www.engr.sjsu.edu/biometrics/nbtccw.pdf

Security Concerns related to Biometrics
• Spoofing, and its countermeasures
• Replay Attacks
• Cannot revoke a biometric: unlike a password or key, a compromised biometric cannot be reissued
• Improper Reliance
• Insufficient Enrolment Rigour
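A replay attack against the link between the sensor and the matching logic, and one countermeasure, as an added example (not from the presentation or from any product): the matching side issues a fresh nonce per transaction and the sensor authenticates its sample together with that nonce under a shared key, which is assumed to be provisioned into tamper-resistant sensor hardware. The class names, message layout and sample bytes are assumptions for the illustration.

```python
"""Replay protection on the sensor-to-matcher channel.  Added illustration,
not from the deck: the matcher issues a fresh nonce per transaction and the
sensor binds its sample to that nonce with an HMAC under a key that (by
assumption) lives in tamper-resistant sensor hardware.  A captured message
replayed later fails because its nonce has already been consumed."""
import hashlib
import hmac
import os


class Matcher:
    """Matching-logic side: issues challenges, accepts only fresh, authentic samples."""

    def __init__(self, sensor_key):
        self._key = sensor_key
        self._outstanding = set()   # nonces issued but not yet used

    def challenge(self):
        nonce = os.urandom(16)      # fixed length, so nonce + sample is unambiguous
        self._outstanding.add(nonce)
        return nonce

    def accept_sample(self, nonce, sample, tag):
        # Authenticity first, so unauthenticated messages learn nothing
        # about nonce state from the matcher's answers.
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if nonce not in self._outstanding:
            return "rejected: replay or unknown nonce"
        self._outstanding.discard(nonce)   # one-shot: a second use is a replay
        return "accepted"   # only now would the sample go to feature extraction


class Sensor:
    """Sensor side: captures a sample and binds it to the matcher's nonce."""

    def __init__(self, sensor_key):
        self._key = sensor_key

    def capture(self, nonce, raw_sample):
        tag = hmac.new(self._key, nonce + raw_sample, hashlib.sha256).digest()
        return nonce, raw_sample, tag


def demo():
    """A legitimate transaction, a replay of the same captured message, and a
    forged message carrying a fresh nonce but no valid tag."""
    key = os.urandom(32)   # assumption: provisioned into the sensor at manufacture
    matcher, sensor = Matcher(key), Sensor(key)

    message = sensor.capture(matcher.challenge(), b"constructed finger image bytes")
    first = matcher.accept_sample(*message)
    replayed = matcher.accept_sample(*message)
    forged = matcher.accept_sample(matcher.challenge(),
                                   b"constructed finger image bytes", bytes(32))
    return first, replayed, forged


if __name__ == "__main__":
    print(demo())  # ('accepted', 'rejected: replay or unknown nonce', 'rejected: bad tag')
```

Checking the tag before the nonce keeps the matcher from acting as an oracle on nonce state. This protects only the channel: a fake finger presented to a genuine sensor still passes, which is the spoofing problem that liveness detection has to address, and because the biometric itself cannot be revoked, an attacker who captures the raw sample keeps something that rotating the key cannot take back.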
Liveness
• Steve McCurry, photographer of the ‘Afghan Girl’ portrait for National Geographic – 1984.
• National Geographic: http://www.melia.com/ngm/0204/feature0/
• In 2002 her identity was confirmed by running iris recognition on the 1984 portrait and on new photographs: the iris pattern was stable across eighteen years and could be matched from a photograph. A pattern that can be matched from a picture can also be presented from one, which is why a sensor must establish that a living person is in front of it rather than trust any image that carries the right pattern.

Concerns about Biometric systems
• Rigour of the enrollment process
• Lack of independent performance metrics
• No very-large-population biometric system examples
• A failure-to-enroll and failure-to-acquire underclass (maybe as high as 2-4%, and up to 20-30% in some groups)
• Post-terrorism opportunism
• Technology panacea
• Large-scale biometric system failure

Privacy Concerns
• Function Creep
• Infrastructure of Surveillance / Unique Identifier
• Default method of identification
• Used inappropriately
• Consent / Transparency
• Information Leakage (a sample can reveal more than identity)
  • Glaucoma (e.g. from eye-based biometrics)
  • DNA Profiling
Function Creep / Finality
• ‘Function Creep’ (also known as ‘purpose creep’) is the term used to describe the expansion of a process or system, where data collected for one specific purpose is subsequently used for another, unintended or unauthorized, purpose.
• In fair information practice terms, we may think of function creep as the subsequent use, retention or disclosure of data without the consent of the individual, and as an unauthorized change in the purpose specification for a given data collection.

Function Creep / Finality Example
• As an example, we may think of a social service (welfare) system that requires a finger scan to enroll. Let us assume that undertakings were made at enrollment to the user that the finger scan is being collected solely for the purpose of guarding against ‘double dipping’ (ensuring that the user is not already registered for welfare). If the finger scan were subsequently used for another purpose (e.g. a law enforcement purpose, something not described in the initial purpose specification) then we have ‘function creep’.

Infrastructure of Surveillance / Unique Identifier
• An overarching concern for some people is that biometrics will become a technology of surveillance and social control. Perhaps as the ultimate personal identifier, they may be seen to facilitate all the ominous and dehumanizing aspects of an information society: a society in which unparalleled amounts of personal information may be collected and used on a systematic basis. See O’Connor, “Collected, Tagged, and Archived.”

Consent / Transparency
• Certain biometrics may be used without the consent or active participation (or indeed even the knowledge) of the individual.
• Iris scanning can already be performed at a substantial distance (a range of 18 to 24 inches)[i] from the subject. As the technology improves, it is quite likely that iris acquisition may take place from even greater distances and without any user involvement whatsoever.
• From a privacy perspective these situations can conflict with the collection limitation, openness and purpose specification principles.
[i] http://www.eweek.com/article2/0,3959,115743,00.asp
Implementation Modalities to Protect Privacy
• Statutory
• Policy
• Privacy Impact Assessment
• Threat Risk Assessment
• Common Criteria Scheme
• Standards
• Technology
• Tamper-proof hardware

Statutory
• In some jurisdictions, generalized or specific criminal sanctions may be used to provide security protection for biometric systems and to outlaw certain activities that bypass security controls.
• Ontario Works Act – http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/97o25a_e.htm
• Biometric Identifier Privacy Act – State of New Jersey – http://www.njleg.state.nj.us/2002/Bills/A2500/2448_I1.HTM

Statutory
• Statutory proscription and prohibition
• Problem: may always be modified or reinterpreted by the Government of the day.
• Example: Statistics Canada 1906-1911 Census

Policy
• The Privacy Impact Assessment (PIA) and privacy audits can ensure that privacy policies are followed and that the policies meet the needs of a given level of privacy protection or compliance. Although these techniques are commonplace within government, they are just starting to appear in the private sector.
• Their value depends on the rigour and independence of the PIA process.

Technology
• STEPS – Security Technology Enabling Privacy
• Build security systems that are privacy enabled
• Meet both Security and Privacy requirements
• Privacy Architecture
  • De-Identification
  • De-Linkability
  • De-Observability
  • Divide and conquer (similar to SIGINT)
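One way the de-identification and de-linkability properties of the privacy architecture, and the "divide and conquer" idea, can be realised in a biometric system, as an added example of the concepts rather than the presenter's STEPS design: the identity store and the template store are separate systems, the only join between them is a keyed pseudonym, and each deployment holds its own link key. The store names, the 16-bit templates, the Hamming-distance matcher and the link keys are constructed stand-ins for vendor-specific templates, matching and key management.

```python
"""De-identification and de-linkability by 'divide and conquer': the identity
store and the template store are separate systems joined only by a keyed
pseudonym.  Added illustration of the slide's concepts, not the presenter's
STEPS architecture; templates are constructed 16-bit strings and matching is
a Hamming-distance comparison, both stand-ins for vendor-specific ones."""
import hashlib
import hmac


def hamming_distance(a, b):
    """Toy matcher: number of differing bits between two equal-length bit strings."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b))


class IdentityStore:
    """Knows who people are.  Never holds a template.  Holds the link key that
    turns a person identifier into this deployment's pseudonym."""

    def __init__(self, link_key):
        self._key = link_key
        self._people = {}

    def register(self, person_id, name):
        self._people[person_id] = name

    def pseudonym(self, person_id):
        return hmac.new(self._key, person_id.encode(), hashlib.sha256).hexdigest()


class TemplateStore:
    """Holds templates under pseudonyms only.  On its own it reveals no identity,
    and without the link key it cannot be joined to another deployment."""

    def __init__(self):
        self._templates = {}

    def enrol(self, pseudonym, template):
        self._templates[pseudonym] = template

    def verify(self, pseudonym, probe, max_distance=2):
        ref = self._templates.get(pseudonym)
        return ref is not None and hamming_distance(ref, probe) <= max_distance

    def keys(self):
        return list(self._templates)


class BiometricSystem:
    """One deployment: its own link key, so its pseudonyms are unique to it."""

    def __init__(self, name, link_key):
        self.name = name
        self.identities = IdentityStore(link_key)
        self.templates = TemplateStore()

    def enrol(self, person_id, name, template):
        self.identities.register(person_id, name)
        self.templates.enrol(self.identities.pseudonym(person_id), template)

    def verify_claim(self, person_id, probe):
        """1:1 verification: claimed identity -> pseudonym -> stored template -> match."""
        return self.templates.verify(self.identities.pseudonym(person_id), probe)


def demo():
    # Constructed data and keys; real link keys are secrets held only by each identity store.
    welfare = BiometricSystem("welfare", b"welfare-link-key-constructed")
    library = BiometricSystem("library", b"library-link-key-constructed")
    alice_template = "1011001110001011"
    alice_probe = "1011001110001001"   # one bit differs: a fresh sample never reproduces the template exactly
    mallory_probe = "0100110001110100"
    for system in (welfare, library):
        system.enrol("alice", "Alice Example", alice_template)

    return {
        "genuine_accepted": welfare.verify_claim("alice", alice_probe),
        "impostor_rejected": not welfare.verify_claim("alice", mallory_probe),
        # Same person, same template, but the two template stores cannot be joined on their keys:
        "unlinkable_across_systems": welfare.templates.keys() != library.templates.keys(),
        # A stolen template store contains pseudonyms, not names:
        "names_in_template_store": [k for k in welfare.templates.keys() if "Alice" in k],
    }


if __name__ == "__main__":
    print(demo())
```

The separation holds only while the link keys are held by separate parties: whoever holds both keys can relink the stores, and an attacker holding two template stores from the same vendor could still cross-match the templates themselves, so de-linkability at the template level needs a per-system transformation of the template as well as of the identifier.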
Standard Biometric System (diagram): Sensor → Logic → Database → Application