400 likes | 770 Views
The Impact of Biometrics on the Justice System. Computers, Freedom and Privacy Conference, April 5, 2000. Unauthorized secondary uses apply to biometrics. Biometrics offer the strongest form of positive identification
E N D
The Impact of Biometrics on the Justice System Computers, Freedom and Privacy Conference, April 5, 2000
Unauthorized secondary uses apply to biometrics Biometrics offer the strongest form of positive identification • although viewed as the solution to reducing identity fraud, this feature also threatens personal privacy, specifically: • Secondary uses can apply to • collecting biometrics for one use, say welfare enrollment, and using them to identifying individuals at a crime scene, for example • using the biometric as a token to link transactions of individuals and using this information to construct profiles for intelligence purposes. • Because of its security and economic value, both government and market forces will pursue these practices.
Privacy laws are not enough Controls must be built into the code. laws or policies to restrict the use of biometrics are not sufficient.
Biometrics -- the measurement process Quality enhancement,and feature extraction Analog to digital Finger Iris Voice Hand Image Scanner Conversion Software Digital Number Biometric signature, e.g., minutia file for fingerprints PIN Finger Keypad Digital Number With today’s technology, all biometrics transform to a number. That number is part of me, I can’t forget nor lose it.
Biometrics -- the comparison process Incorporates salient and repeatable features of biometric from a number of scans ENROLMENT X scans of the same biometric X Numbers (signatures) Scanner-S/W Template generation n same as or close to t ? Template (t) Biometric Scanner-S/W Comparison Software Number (n) yes maybe no Authentication: Compare number (n) to a single template (t) to determine verification (yes or no). Identification: Compare number (n) to many templates (t1…tk) to determine any matches within the allowed variability
Applications for Authentication • Logon to networks, servers, laptops, etc., • digital certificates, • access to databases, firearms, premises, bank machines, credit and debit cards, • access to benefits such as social security, medical, welfare • access to personal information such as medical, financial Biometrics viewed as the solution to identity fraud
Applications for Identification • Positive identification, comparing a biometric to a database of known biometric templates to determine its presence -- IAFIS for law enforcement, • Negative identification, comparing a biometric to a database of known biometric templates to confirm that it is absent -- applying for welfare benefits to prevent multiple enrollment or “double dipping.”
Biometric Application Program Interfaces (BioAPI)Plug and Play Biometric Devices Service Provider Interface SPI Bio Device BSP APPLICATION A P I F R A M E W O R K Biometric Service Provider Goal: Standardize biometrics interface API SPI Bio Device BSP SPI Bio Device BSP Applications include: State welfare program, Bank machine access, logon to a network Template(s)
Law Enforcement Health Care Bank Cards Welfare Templates Templates Templates Templates Networking Application Databases
Authentication does not require central storage of templates Biometrics can be stored locally -- smart card, barcode, etc. Comment In practice, we have to resolve how lost, stolen or damaged cards will be handled without the individual physically going to an “enrolment” center to present his ID and have his biometric processed again? Centralized storage of a biometric or its templates would allow a new card containing the biometric template to be put in the mail, or a virtual card downloaded over the Internet.
Fingerprint Pattern versus Digital Template The actual fingerprint pattern is not stored, but only a digital template is stored which cannot be converted back to the original fingerprint pattern. Comment • The issue is not whether a fingerprint pattern can be reconstructed from its digital template. • The issue is that both the fingerprint pattern and its corresponding digital template are unique identifiers and therefore surrogates of one’s identity.
A Scenario of Privacy Infringement (1) A welfare recipient leaves his latent fingerprints at a nightclub that later becomes the scene of a crime. The latent prints are picked up and matched to the fingerprint database compiled for welfare recipients. He is identified and questioned. Solution The fingerprint database will be off limits to the police by virtue of legislation. • How can we ensure it will be the case with the next government? • What about the issue of unauthorized access to the database. The temptation for secondary or unauthorized uses of such a database beyond its primary purpose may be very great.
A Scenario of Privacy Infringement (2) Solution Never store the actual fingerprint pattern, only its digital template. • Still a problem. If the police obtain access to a similar biometric device, and place some digitized latent fingerprints through the system, they will be able to compare against the templates. They have to, otherwise the system doesn’t work.
y y z z X X Mapping Templates T*1 T1 Translation of templates from one format to another is a mapping process from one minutiae n-space to another
A Scenario of Privacy Infringement (3) Solution Have unique hardware or software algorithms that are encrypted for different organizations and government agencies. Privacy is based on ignorance of the potential attacker. • to be comparable to cryptographic systems, biometric security cannot depend on the secrecy of the algorithm or unavailability of the hardware. • The system should have an open design. The protection mechanism must not depend on the ignorance of potential attackers. • The algorithms should be open to public scrutiny, just as cryptographic algorithms are subjected to.
A Scenario of Privacy Infringement (4) Solution Either the templates in a database or their links to personally identifiable information will be encrypted, therefore matching cannot occur without access to the encryption key. • In this case, secure key management would be crucial. • Who is going to have control over the encryption keys? • How do we guard against putting the rabbits in charge of the lettuce? • With key management, we are basing our privacy on the trust model versus the absolute security we have with cryptographic algorithms.
Current biometric systems place the “use limitation”provision in FIPs further in jeopardy Third parties, such as the law enforcement community, will have access to personal profiles about you that are more complete, and potentially more damaging than the combined information that your best friends, spouse and parents have.
3271 bank card PIN 5733 office security system PIN 2259 telephone PIN Mapple Laptop password 8932 home security PIN The feature of PINS that makes for “bad security” makes for great privacy -- a lot of them ! With current biometrics, you have one number or, at most, a few. Privacy loves the company of numbers Safety in numbers -- hazards in one number
Security issues with Biometrics (I) • Limited to a Yes/No response. • For network security, still need to link to a PIN unless one uses the template as the password. If so, then templates have to be stored in databases. • Solution: use the biometric to encrypt the PIN
Use the biometric to encrypt the PIN Enrollment Coded PIN is stored PIN Fingerprint Pattern 73981946 %h*9%4Kd CODES Authentication PIN used for access Coded PIN Fingerprint Pattern %h*9%4Kd 73981946 DECODES Can literally have hundreds of PINs -- Safety in numbers!
Security issues with Biometrics (II) • Current biometrics are not challenge-response sytems. The password, which is the biometric, is always the same. • Solution: use challenge-response systems
Challenge-Response Using Biometrics Response Function Enrollment Coded Res Fnc is stored Fingerprint Pattern 2x + 7 H$g&rc#j CODES Client decodes Res Fnc with fingerprint Host Calculated Response Challengex = 4 R = 15 2x + 7 15 X = 4 R = 15 sent back to Host
Security issues with Biometrics (III) • If template resides in a client PC, open to future surveillance by intelligent agent software, i.e. trojan horses, worms. • Solution: use embedded trusted biometric devices that are isolated from the client. Never store template in the client
Embedded Biometric Devices Trusted Device Embedded Hardware Device Biometric Scanner-S/W Template generation To Client PC Template Storage Comparison Software Template (t)
Security issues with Biometrics (IV) • Biometric systems are still inaccurate and will generate false identifications.
The need for balance when using biometrics Confidentiality, Authentication Benefit Surveillance & Linkage Risk
Conclusion • Current off-the-shelf biometrics will permit the secondary uses of personal information. They are not privacy protective. • Technology that allows informational self-determination and makes good security a by-product of protecting one’s privacy is the goal. • Using the biometric to encrypt a PIN or a standard encryption key will meet that goal.
The privacy problem with current biometrics A biometric such as a fingerprint can be used as a unique identifier of a person which, as a unique identifier: • can be used to trace the person’s transactions, and • link massive amounts of personal data about them. Because of its value, both economic and security, both market and government forces will promote this practice. If biometrics are adopted as the standard method of authentication in our society, we will have central databases of peoples’ biometrics or digital templates residing in networked databases.
The Identity Spectrum Biometric Digital Certificate x.509 Digital Certificate x.509 PINs and Passwords Multiple Pseudonym x.9.59 Anonymity Most Privacy Protective Absolute ID Least Privacy Protective Secure transactions do not require divulging of identity in all cases.
Process to establish authentication credentials 1. Identification – a one time process to establish that I am a unique, named individual (e.g., George Tomko). 2. Confirmation of Eligibility – a one time process to confirm that the named individual is indeed eligible (i.e. meets certain stated criteria) for a given service. 3. Authentication Credentials – a token, furnished or chosen by the service provider, which allows the individual to access the service involved on a recurring basis. It presumes the existence of steps one and two, without which it could not operate.
Levels of Security for Identity Fraud • No proof of identity required. • PIN or password used as token of identity. • Digital certificate used as token of identity. • Biometric tied to digital certificate used as token of identity. • Token changed frequently, e.g, changing a password or PIN on a weekly basis. • Different token for each access attempt, e.g. challenge-response system, one time password.
Industry’s Response This threat to privacy, highlighted by public exposure and heightened media attention, has became somewhat of an obstacle in some countries in the marketing of biometric technologies. In response, biometrics are now being promoted as privacy-enhancing. Is this Orwellian double-speak or is there some foundation to this claim?
Integrating Justice Information: The privacy threat • Secondary uses of personal information without consent -- beyond the intent of the primary purpose for collection. • Impacts privacy rights of : • accused but not yet convicted individuals, • victims or witnesses at a crime scene, • suspicious individuals -- intelligence gathering activities of a government agency.
Levels of Security for Access • “Open door” policy, e.g., no PIN or password • Same token used for each access attempt, eg., PIN, password, biometric. • Token changed frequently, e.g, changing a password or PIN on a weekly basis. • Different token for each access attempt, e.g. challenge-response system, one time passwords. The fundamental problem is that biometrics are not what cryptographers refer to as a “challenge and response” system. That is, the response to the question, “What is your left index fingerprint?” is always the same. A challenge and response system would ask different questions each time and be able to measure the correct response.” (Peter Wayner - New York Times)
Levels of Privacy • Systems designed to protect privacy must have the same level of security as cryptographic systems. • That is, their security cannot depend on the secrecy of the algorithm or unavailability of the hardware. The system should have an open design and the protection mechanism must not depend on the ignorance of potential attackers.
The Solution to Identity Fraud Biometrics are being viewed as a solution to identity fraud because they can be used to positively authenticate and in many cases positively identify individuals. Furthermore, if one wants, biometrics can be used to track individuals and their transactions.
Privacy Issues Confidentiality of personal data (security) Surveillance of location (activities) Linkage of personal data (secondary use)
Your Identity Stored in Cyberspace If biometrics are adopted as the standard method of authentication in our society, we will have databases of peoples’ biometrics or digital templates residing in a networked society