1. The Challenge of Biometrics
Laurence Edge

2. Proposition 1 – challenge the belief that all biometrics are accurate
2 – rush to deploy regardless of the privacy considerations
3 – within a legal framework which is still actively evolving

3. Agenda Biometrics – some definitions Technical background
What are the issues?
Solutions?

4. Definition - 1
“a general term for technologies that permit matches between a ‘live’ digital image of a part of the body and a previously recorded image of the same part usually indexed to personal or financial information”
(Alterman )

5. Definition - 2
“measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics”
(Mordini )

6. Definition – 3 (mine!)
unique physical characteristic capable of being matched automatically
possible to match at acceptably low rates of error
possible to perform automatic one-to-many identification matching, with a high accuracy (near 100%) against a reference database consisting of tens or hundreds of millions of records;
accepted in a court of law as a legal proof of identity

7. Authentication
Identification – selection of one from many e.g. fingerprints from a crime scene
Verification – “I am who I claim to be” e.g. passports or ID cards
for identification, the system must ensure the uniqueness of each member of the target population and as the size of the population grows, so does the probability that more than one user will fall within the match criteria,
whereas when used for verification, a token is provided to allow the system to determine which identity is being claimed, and therefore which specific template to check against

8. The Technologies - Types
Fingerprints
Hand/Finger geometry
Voice print
Signatures
Facial Recognition
Vein Patterns
Iris Recognition
Retina Scans
DNA
Others
Others includes
Gait
BO !
Ear prints

9. The Technologies - Concepts
Generic method
Accuracy
General concerns

10. Generic Method - Enrolment
Measure
Generate template
Record

11. Generic Method - Operation
Biometrics at the Frontiers: Assessing the Impact on Society (2005)

12. Accuracy?
Key concept is to understand that the matching process is probabilistic and is subject to statistical error
Ideal is to reduce FRR without raising FAR -
FTE – Failure to Enrol
FTA – Failure to Acquire
FMR/FNMR – False Match Rate / False Non-Match Rate
FAR – False Acceptance Rate
FRR – False Reject Rate
FAR & FRR are the key ones operationally
Graph - Top left good, bottom right is bad
Standard way of quoting is FRR at a standard FAR (typically 0.001)
FAR represents a direct security threat while FRR is more of a usability issue
What do these error rates mean in real terms? If we consider the prospect of using a biometric identifier to control access to air travel, an FAR of 1% could allow at least one “bad guy” to board virtually any full commercial jet flight, and four or more on a jumbo jet, while conversely, an FRR of 1% could result in at least one innocent person on every flight being falsely matched to someone in a database of suspicious people.
FAR Strength (CESG/BWG suggestions)
1 in 100 Basic
1 in Medium
1 in High
Biometric Product Testing: Final report, Issue 1.0 (2001): CESG/BWG

13. Performance Improvements - Facial Recognition
Facial Recognition rate of improvement
Phillips et al. “FRVT 2006 and ICE 2006 Large-Scale Results”. (2007)

14. 7 Pillars of (biometric) Wisdom
Universality
Uniqueness
Permanence
Collectability
Performance
Acceptability
Circumvention
EC report: Biometrics at the Frontiers: Assessing the Impact on Society (2005)
Universality All human beings are endowed with the same physical characteristics - such as fingers, iris, face, DNA – which can be used for identification
Uniqueness For each person these characteristics are unique, and thus constitute a distinguishing feature
Permanence These characteristics remain largely unchanged throughout a person's life
Collectability A person's unique physical characteristics need to be collected in a reasonably easy fashion for quick identification
Performance The degree of accuracy of identification must be quite high before the system can be operational
Acceptability Applications will not be successful if the public offers strong and continuous resistance to biometrics
Circumvention In order to provide added security, a system needs to be harder to circumvent than existing identity management systems

15. 7 Pillars of (biometric) Wisdom

16. The Technologies - Challenges
Spoofing / Mimicry / Residual Images
Usability
Accessibility
Hygiene
Safety
Secondary use
Public Perception
Spoofing etc – incorporation of “liveness” tests, multi-mode biometrics, biometrics+passwords/PINs
UKPS figures:
Average time for all enrolments (pass or fail) was 8 minutes 15 seconds (10 minutes 20 seconds for disabled participants);
Verification times for non-disabled participants were 39 seconds for facial recognition, 58 seconds for iris scanning and 1 minute 13 seconds for fingerprint scanning. Hygiene concerns about contact sensors (fingerprints and some handprint devices)
Think what this would mean for 400 passengers on a jumbo
Safety doubts related to illuminating the eye for iris or retina scanning
Fears about secondary medical use of genetic information derivable from DNA samples or iris scans

17. DNA Physical sample required Slow to process Lowest FAR & FRR
FTE & FTA of 0%
A small portion of the extracted DNA is used to obtain a DNA profile. A standard laboratory technique (the polymerase chain reaction, or PCR) is used to make millions of copies of specific parts of the original DNA, the ‘markers’. These markers consist of repeated short sequences of DNA that vary in length between different people. The current standard profiling technique in the United Kingdom, SGM+, uses ten markers of a type called short tandem repeats (STRs)
DNA differs from standard biometrics in several ways.
1)     DNA requires a tangible physical sample as opposed to an impression, image, or recording.
2)     DNA matching is not done in real-time, nor are all stages of comparison always automated (though this is not likely to be the case fairly soon).
3)     DNA matching does not employ templates or feature extraction, but rather represents the comparison of actual samples.
Regardless of these basic differences, DNA is a type of biometric inasmuch as it is the use of a physiological characteristic to verify or determine identity. Furthermore, it is one biometric which may become usable as a unique identifier, as consistent "templates" may eventually be generated from DNA. For this reason, as well as the theoretical ability to determine information about a user from DNA, render its usage highly problematic from a privacy perspective. 
Whether DNA will find use beyond its current use in forensic applications is uncertain. Intelligent discussion on how, when, and where it should and should not be used, and who will control the data, and how it should be stored, is necessary before its use begins to expand into potentially troubling areas. These definitions will vary by application: it illogical to suggest that the usage of DNA in public benefits programs, which nearly all would view as highly problematic, should be viewed as an equivalent to the use of DNA in a criminal investigation. Thinking about the dangers of DNA as a biometric is helpful as it underscores the tremendous variety of biometric technologies available, and makes clear that blanket statements about biometrics are generally misleading.

18. DNA – Uniqueness?

19. DNA – Acceptability? 97% were happy to include a photograph
79% fingerprints
62% eye recognition (no distinction was made between iris and retina scans)
41% approved of the inclusion of DNA details
Hiltz, Han, Briller. “Public Attitudes towards a National Identity "Smart Card:" Privacy and Security Concerns” (2003)

20. DNA – Foolproof?
Scene of crime samples in particular may be contaminated, degraded, and misinterpreted (especially if mixed). Human errors (e.g. sample mix-ups) will occur.
Need for corroborating evidence.
Expanding databases could lead to an over-reliance on ‘cold hits’.
Increased potential for ‘framing’ of suspects?
“The forensic use of Bioinformation: ethical issues” Nuffield Council on Bioethics (2007)
Familial Searching
Ethnic Inferences
DNA Photofit (hair colour + eye colour + skin colour)
Surname!! Y-chromosome and surname both come down the male line therefore possible correlation

21. Privacy Assessment - 1 Overt
1. Are users aware of the system's operation?
Covert
Optional 
2. Is the system optional or mandatory?
Mandatory
Verification
3. Is the system used for identification or verification?
Identification
Fixed Period
4. Is the system deployed for a fixed period of time?
Indefinite
Private Sector
5. Is the deployment public or private sector?
Public Sector
International Biometric Group have proposed “BioPrivacy Application Impact Framework” (see
Low risk on left (green)
High Risk on right (Red)

22. Privacy Assessment - 2 Individual, Customer
6. In what capacity is the user interacting with the system?
Employee, Citizen
Enrollee
7. Who owns the biometric information?
Institution
Personal Storage
8. Where is the biometric data stored?
Database Storage
Behavioral
9. What type of biometric technology is being deployed?
Physiological
Templates
10. Does the system utilize biometric templates, biometric images, or both?
Images
International Biometric Group –

23. Risk Assessment - DNA Positive Privacy Aspects
Negative Privacy Aspects
Bioprivacy Technology Risk Rating
Currently slow and complex to process
Analysis device non portable
Unchanging over subject’s whole lifetime
Use in forensic applications
Strong identification capabilities
Not unique for identical twins
Samples can be collected without consent/knowledge
Possible to extract additional genetic information
Identification: H Covert: H Physiological: H
Image: H
Databases: H  Risk Rating: H

24. Legal Background Enabling Legislation Constraints Uses and Abuses
Challenges

25. Enabling Legislation NDNAD's
UK – 3.8 million samples by Jan 2007 (6%)
Canada
Australia NZ
USA
Prum: “Member States shall open and keep national DNA analysis files for the investigation of criminal offences”
- UK- PACE 1984, amended by CJPOA 1994 & CE(A) 1997, CJPA (2001), CJA (2003), SOCPA (2005)
now only “suspicion of a recordable offence” , indefinite retention of samples, no right to destruction
- Canada only convicted offenders
- Australia is on a state by state basis and inter-state matching only started in 2005
NZ is Criminal Investigations (Bodily Samples) Act 1995, amended in from convicted offenders or volunteers, destruction within 12 months if not charged or acquitted
Prum convention between 15 states in 2005, to be incorporated by June 2007.
“Where, in ongoing investigations or criminal proceedings, there is no DNA profile available for a particular individual present within a requested Member State's territory, the requested Member State shall provide legal assistance by collecting and examining cellular material from that individual and by supplying the DNA profile obtained”
Implications of Prum

26. Constraints Privacy Data Protection Law Human Rights US Constitution
Common Law
Privacy Acts
Data Protection Law

27. Challenges UK – via HRA 1998 Articles 8 and/or 14
R v Marper – now at ECHR
US – via 4th Amendment
US v Kincade
Johson v Quander
Canada – via s.8 of CCRF
R v Rodgers
US: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

28. Uses and Abuses Collection and Retention Data Sharing
Forensic DNAD's
Other DNAD's
Data Sharing
Privacy Challenges
Evidence
Scope Creep
Ethics - What is identity?
Other DNADs NZ - H v G (2000) - a very specific case of forensic use of a non-forensic database
Alterman[1] listed three privacy concerns that he associated with biometrics
Threats to one’s person;
The use of biometric id’s to collect and collate data for purposes not intended or desired by the individual;
Unauthorised access to personal information through abuse or theft of data.
It is through the defence of the right to privacy that the existence and growth of DNA databases have faced their strongest challenges to date, but the majority of cases have occurred in jurisdictions without specific privacy laws and defences have instead adopted the vehicles of Human Rights and Constitutional protections. [1] Anton Alterman, “A piece of yourself”: Ethical issues in biometric identification, Ethics and Information Technology 5: p141, 2003
Potential for “Familial Matching” once NDNAD is large enough!!
Evidence: DNA carries sufficient power to sway judges to attach uneven weight to its value
“privacy is control over how and where we are presented to others. The proliferation of representations that identify us uniquely thus represents a loss of privacy and a threat to the self-respect which privacy rights preserve”.

29. Conclusion
ID fraud becomes worse if there is a single strong identifier
Biometrics do not offer non-repudiation
Biometrics should be confined to smart cards or encrypted if on databases
Biometrics are useless once compromised
Non-repudiation of authentication typically rests on 2 considerations:
· Strength of binding of the authenticator to the individual in question
· Informed consent of the individual at the time the authentication was given

30. Questions