420 likes | 461 Views
Biometric Encryption: Privacy-Enhancing Technology. Fred Carter Senior Policy & Technology Advisor Office of the Information & Privacy Commissioner / Ontario, Canada. European Biometrics Forum (EBF) Research Seminar Tuesday, 02 October 2007. Presentation Outline. IPC Work FIPs, PETs
E N D
Biometric Encryption:Privacy-Enhancing Technology Fred Carter Senior Policy & Technology Advisor Office of the Information & Privacy Commissioner / Ontario, Canada European Biometrics Forum (EBF) Research Seminar Tuesday, 02 October 2007 EBF Research Seminar - 02 Oct 2007
Presentation Outline • IPC Work • FIPs, PETs • Biometrics and Privacy • BE & Anonymous Biometrics • Reactions and Follow-up EBF Research Seminar - 02 Oct 2007
1. IPC work to date • Independent agency of gov’t; we oversee three laws • Longstanding interest & involvement in privacy, technology and law/compliance issues. • IPC approach: constructive engagement; ICT both a threat to and opportunity for privacy; seek pragmatic “win-win” scenarios • Some publications: Path to Anonymity; guidance on use of PKI, DRM, Privacy-embedded 7 Laws of Identity, Biometrics, Biometric Encryption; ID Theft; Intelligent Agents, P3P, RFID, Privacy and the Open Networked Enterprise, Privacy Diagnostic Tool; PIA for health, contactless smart cards; mobile device security; STEPs, etc. IPC website: www.ipc.on.ca EBF Research Seminar - 02 Oct 2007
1. IPC biometrics work • Biometrics Program, Toronto (1994) • Ontario Works Act (1997) • Discussion & guidance papers (1999) • Presentations, speeches, etc. (2000-) • Statement to House of Commons Standing Committee on Citizenship & Immigration (2003) • Resolution of Int’l DPAs (2005) • EBF IBAC (2005-) EBF Research Seminar - 02 Oct 2007
2. FIPs & PETs EBF Research Seminar - 02 Oct 2007
2. PETS and FIPsOur Mantra:“Build It In” • Build in privacy – early into the architecture, design specs, and technologies; design must start from maximum privacy • Assess all privacy risks: conduct privacy impact assessments; annual privacy audits • Minimize collection, use, data: minimize routine collection, use, and retention of all personally identifiable data • Be comprehensive and systematic: effective privacy requires an integrated approach; privacy must be applied to entire data systems and throughout the data life cycle • Privacy rules must be enforced; enforcement must be trustworthy for system to earn trust and use. • Use privacy enhancing technologies (PETs) EBF Research Seminar - 02 Oct 2007
2. FIPs & PETs Effective governance can come from: • Laws, legislation, regulation • Industry self-regulation, codes of conduct, best practices, guidelines, standards, policies, audit & certification practices… • PETs / Technology solutions • Public opinion / market acceptance • Founded on the Fair Information Practices (FIPs) • PETs just one element in the IPC privacy toolkit EBF Research Seminar - 02 Oct 2007
2. PETs & FIPs • Many FIPs in use around the world; they can be condensed into 3 primary and substantive impulses: • 1. Data Minimization • 2. User Participation and Control • 3. Information Security • Good success evangelizing to public policymakers, information security, auditors, developers, etc. • Expressed in myriad ways, depending on context. EBF Research Seminar - 02 Oct 2007
Privacy OR Security:A Zero-Sum Game EBF Research Seminar - 02 Oct 2007
Privacy AND Security EBF Research Seminar - 02 Oct 2007
3. Biometrics and Privacy EBF Research Seminar - 02 Oct 2007
3. Biometrics & Privacy Privacy, Security Issues: • Growing biometrics deployments and uses pose significant systemic risks to individual privacy and security • Biometrics a lifetime permanent identifier, worse than a password (access control) • Indiscriminate or excess collection of biometric data invites misuse • System performance: accuracy and reliability • Poor accountability will undermine trust, acceptance and use. EBF Research Seminar - 02 Oct 2007
3. Privacy & Biometrics:Concerns • Creation of large centralized databases • Far-reaching consequences of errors in large-scale networked systems; • Interoperability that invites unintended additional “secondary” uses EBF Research Seminar - 02 Oct 2007
3. Biometrics & SecurityThe Risks • Spoofing • Replay attacks • Substitution attack: • Tampering • Masquerade attack • Trojan horse attacks • Overriding Yes/No response • Insufficient accuracy EBF Research Seminar - 02 Oct 2007
Identification:The Myth of Accuracy • Problem with large centralized databases containing millions of biometric templates: • False positives • False negatives EBF Research Seminar - 02 Oct 2007
3. Biometrics & PrivacyAccuracy and Reliability • Accuracy and reliability are still viewed as major stumbling blocks for large-scale biometric applications (OECD Report on Biometric Technologies, June 2004); http://appli1.oecd.org/olis/2003doc.nsf/linkto/dsti-iccp-reg(2003)2-final • Serious consequences of false positives and negatives, errors, failure rates. EBF Research Seminar - 02 Oct 2007
Authentication:Biometric Strength and Privacy The strength of one-to-one matches: • Authentication/verification does not require the central storage of biometric templates; • Biometric may be stored locally, not centrally – on a smart card, token, travel document, etc. EBF Research Seminar - 02 Oct 2007
3. Biometrics & Privacy1:1 versus 1:Many • Privacy regulators favor 1:1 authentication (verification) over 1:many identification; • The EU Article 29 Working Party Resolution on the use of biometrics in passports, identity cards and travel documents was passed by Data Protection and Privacy Commissioners in Montreux, Switzerland, 2005: “…The Conference calls for the technical restriction of the use of biometrics in passports and identity cards to verification purposes comparing the data in the document with the data provided by the holder, when presenting the document.” — 27th International Conference of Data Protection and Privacy Commissioners, Montreux, 16 September 2005 www.privacyconference2005.org/fileadmin/PDF/biometrie_resolution_e.pdf EBF Research Seminar - 02 Oct 2007
3. Biometrics & PrivacyCentralized Databases • Risks associated with large centralized, networked biometric databases; • Article 29 Working Party, chaired by Peter Schaar, Germany’s federal Data Protection Commissioner, EU Opinion, August 2004 states, “The Working Party strictly opposes the storage of all EU passport holders’ biometric and other data in a centralized data base…” http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp112_en.pdf EBF Research Seminar - 02 Oct 2007
3. Biometrics & PrivacyInteroperability • Interoperable biometric databases invite additional purposes and secondary uses of the data; • E.U. Data Protection Supervisor, Peter Hustinx, in his March 2006 Opinion, stressed that: “Interoperability of systems must be implemented with due respect for data protection principles and in particular, the purpose limitation principle.” Comments on the Communication of the Commission on interoperability of European databases, www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf EBF Research Seminar - 02 Oct 2007
3. Biometrics & PrivacyRisks (Summary) • unauthorized secondary uses of biometric data • expanded surveillance tracking, profiling, and potential discrimination • data misuse (data breach, identity fraud and theft) • negative personal impacts of false matches, non-matches, system errors and failures • diminished oversight, accountability, and openness of biometric data systems • absence of individual knowledge and consent; loss of personal control • loss of user confidence, acceptance and trust; potential negative backlash EBF Research Seminar - 02 Oct 2007
4. Biometric Encryption EBF Research Seminar - 02 Oct 2007
4. Biometric Encryption (BE) What is Biometric Encryption? • Class of emerging “untraceable biometric” technologies that seek to irreversibly transform the biometric data provided by the user. • BE is a process that securely binds a PIN or a cryptographic key to a biometric, so that neither the key nor the biometric can be retrieved from the stored template. The key is re-created only if the correct live biometric sample is presented on verification. EBF Research Seminar - 02 Oct 2007
Enrollment Randomly generated key 01011001…01 Biometric Image Biometric Template 100110100010… ………………010 4. Biometric Encryption (BE)Use Biometric as the Encryption Key BE binding algorithm 110011001011… ……………..110 Biometrically-encrypted key is stored EBF Research Seminar - 02 Oct 2007
Fresh Biometric Image Fresh Biometric Template 101100101010… ………………000 4. Biometric Encryption (BE) Decrypt with Same Biometric Biometrically-encrypted key 110011001011… ……………..110 Verification BE retrieval algorithm 01011001…01 Key retrieved EBF Research Seminar - 02 Oct 2007
4. BE Advantages BE technologies can enhance privacy and security. Some key advantages offered: 1. NO Retention of biometric image or template 2. Multiple / cancellable / revocable identifiers 3. Improved authentication security: stronger binding of user biometric & system identifier 4. Improved security of personal data and communications 5. Greater public confidence, acceptance, use à compliance with privacy & data protection laws EBF Research Seminar - 02 Oct 2007
4. BE Advantages • NO Retention of biometric image or template • Best privacy practice is not to disclose / collect PII at all in the first place, if possible. • Most privacy and security concerns derive from storage and misuse of the biometric data. • Mitigates against risks of potential data matching, surveillance, profiling; interception, data security breaches, identity theft... • User retains (local) control and use of their own biometric EBF Research Seminar - 02 Oct 2007
4. BE Advantages 2. Multiple / cancellable / revocable identifiers • BE allows individuals to use one biometric for multiple accounts and identifiers without fear that identifiers will be linked together. • If an account identifier becomes compromised, there is less risk that all the other accounts will be compromised, i.e., no need to change one's fingers! • BE technologies make possible the ability to change or recompute account identifiers; identifiers can be revoked or cancelled, and substituted for newly generated ones calculated from the same biometric! EBF Research Seminar - 02 Oct 2007
4. BE Advantages 3. Improved authentication security: stronger binding of user biometric & system identifier • Account identifiers are re-computed directly from the biometric, not merely linked to it • Results are much stronger account identifiers: • longer, more complex identifiers • no need for user memorization • less susceptible to security attacks • Security of BE technology can be augmented by the use of tokens and additional PINs, if needed EBF Research Seminar - 02 Oct 2007
4. BE Advantages 4. Improved security of personal data and communications • Users can take advantage of the convenience and ease of BE technologies to encrypt their own personal or sensitive data. • Since the key is one's own biometric, used locally, this technology could place a powerful tool in the hands of individuals • This is encryption for the masses, made easy! EBF Research Seminar - 02 Oct 2007
4. BE Advantages 5. Greater public confidence, acceptance, use and compliance with privacy & data protection laws • Public confidence, trust are necessary ingredients for the success of any biometric system deployment. • Governance policies and procedures only go so far. Privacy, security and trust should be built directly into the biometric hardware and info system. • BE puts biometric data under control and use of the individual, promotes broader acceptance and use of biometrics. EBF Research Seminar - 02 Oct 2007
4. Biometric Encryption BE Embodies core privacy practices: • Data minimization: no retention of biometric image or template, minimizing potential for secondary uses, loss, misuse • Maximal individual control: Individuals keep their biometric data private, and can use it to generate or change unique (“anonymous”) account identifiers, and encrypt own data. • Improved security: authentication, communication and data security are enhanced. EBF Research Seminar - 02 Oct 2007
Possible Applications and Uses of Biometric Encryption • Biometric ticketing for events; • Biometric boarding cards for air travel; • Identification, credit and loyalty card systems; • “Anonymous” (untraceable) labeling of sensitive records (medical, financial); • Consumer biometric payment systems; • Access control to personal computing devices; • Personal encryption products; • Local or remote authentication to access files held by government and other various organizations. EBF Research Seminar - 02 Oct 2007
4. Biometric Encryption (BE)BE Case Scenarios(from paper) • Small-scale use(personal authentication) • Anonymous (untraceable) database(access to hospital records) • Travel documents(3-way checks) EBF Research Seminar - 02 Oct 2007
Biometric DB ID Bio-encrypted key Hashed key 2. Claim ID 6. Hashed key1, key2 Three-way-Check in the ePassport Scenario (Philips) 1. Measure biometric 3. Bio-encrypted key 4. Retrieve key1 from live biometric and bio-encrypted key 7. Match: Hashed key == Hashed key1== Hashed key2 5. Retrieve key2 from smartcard biometric and bio-encrypted key Kiosk Border control EBF Research Seminar - 02 Oct 2007 — Van der Veen et al, 2006
4. Biometric Encryption IPC Objectives: • Stimulate demand for PETs: Bring this biometric technology to attention of public, privacy advocates, policymakers: it is possible and should be considered, even demanded. • Stimulate supply of PETs: Encourage research, development and marketization of privacy-enhancing technologies as viable solutions for real-world problems. EBF Research Seminar - 02 Oct 2007
5. Reactions & Follow-Up EBF Research Seminar - 02 Oct 2007
5. Reactions & Follow-Up BE Publication & Distribution Process • Pre-publication release, vetting… • Press release, website publication, etc. • Announced on key listservs (DPAs, biometrics, NPC-l, PETs) • Individualized mailouts (physical and electronic) to broad spectrum of public and private stakeholders(government, industry, research, academia, pivacy advocates, consumer groups, etc) • Submitted to various fora for review and posting EBF Research Seminar - 02 Oct 2007
5. Reactions & Follow-Up Significant Response and Feedback: • Industry: (Philips, IBM, Microsoft, Genkey, Sagem, Bell, VeriTouch,and others) • Research/Academic: (U of T, Colorado, Carleton U., Fraunhofer Institute, Bruce Schneier, Kim Cameron, others in Europe, Canada, U.S.) • Policymakers: (Government departments and agencies in Ontario, Canada, U.S., EU…) EBF Research Seminar - 02 Oct 2007
5. Reactions & Follow-Up Future work: • Stimulate attention and interest in untraceable biometrics, research and development • Trumpet BE pilots, success stories • Technology-agnostic w.r.t. technique/details • Encourage consideration, adoption by policymakers in both public and private sectors • Stimulate demand and supply of biometrics PETs • Improve BE accuracy, resilience against attacks EBF Research Seminar - 02 Oct 2007
More Information Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy:www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4 and: www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf News Release: www.ipc.on.ca/images/Resources/up-2007_03_14_bio_encryp.pdf Executive Summary: www.ipc.on.ca/images/Resources/up-bio_encryp_execsum.pdf FAQ: www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4 EBF Research Seminar - 02 Oct 2007
Questions? Comments? Fred Carter Senior Policy & Technology Advisor Office of Information & Privacy Commissioner / Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario, Canada M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: info@ipc.on.ca EBF Research Seminar - 02 Oct 2007