Proposition
1 – challenge the belief that all biometrics are accurate
2 – rush to deploy regardless of the privacy considerations
3 – within a legal framework which is still actively evolving
Agenda
- Biometrics – some definitions
- Technical background
- What are the issues?
- Solutions?
Definition - 1
“a general term for technologies that permit matches between a ‘live’ digital image of a part of the body and a previously recorded image of the same part usually indexed to personal or financial information” (Alterman)
Definition - 2
“measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics” (Mordini)
Definition – 3 (mine!)
- unique physical characteristic capable of being matched automatically
- possible to match at acceptably low rates of error
- possible to perform automatic one-to-many identification matching, with a high accuracy (near 100%) against a reference database consisting of tens or hundreds of millions of records
- accepted in a court of law as a legal proof of identity
Authentication
- Identification – selection of one from many, e.g. fingerprints from a crime scene
- Verification – “I am who I claim to be”, e.g. passports or ID cards

For identification, the system must ensure the uniqueness of each member of the target population, and as the size of the population grows, so does the probability that more than one user will fall within the match criteria; whereas when used for verification, a token is provided to allow the system to determine which identity is being claimed, and therefore which specific template to check against.
Generic Method - Operation
Biometrics at the Frontiers: Assessing the Impact on Society (2005)
Accuracy?
- Key concept is to understand that the matching process is probabilistic and is subject to statistical error
- Ideal is to reduce FRR without raising FAR
- FTE – Failure to Enrol
- FTA – Failure to Acquire
- FMR/FNMR – False Match Rate / False Non-Match Rate
- FAR – False Acceptance Rate
- FRR – False Reject Rate
- FAR & FRR are the key ones operationally
- Graph – top left good, bottom right is bad
- Standard way of quoting is FRR at a standard FAR (typically 0.001)
- FAR represents a direct security threat while FRR is more of a usability issue

What do these error rates mean in real terms? If we consider the prospect of using a biometric identifier to control access to air travel, an FAR of 1% could allow at least one “bad guy” to board virtually any full commercial jet flight, and four or more on a jumbo jet, while conversely, an FRR of 1% could result in at least one innocent person on every flight being falsely matched to someone in a database of suspicious people.

FAR Strength (CESG/BWG suggestions):
- 1 in 100 – Basic
- 1 in – Medium
- 1 in – High
Biometric Product Testing: Final report, Issue 1.0 (2001): CESG/BWG
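The FAR/FRR trade-off on this slide, and the one-to-many scaling point made on the Authentication slide, worked in code. This is an added example, not from the original slides or from any of the reports they cite: the Gaussian genuine and impostor score distributions, their parameters, and the ScoreModel class are assumptions chosen for illustration, not measurements of any real matcher.

```python
import math

# Added example (not part of the original slides). A Gaussian model of the
# comparison scores a matcher produces for genuine and impostor attempts;
# the parameters are constructed, not measured from any real system.

SQRT2 = math.sqrt(2.0)


def normal_cdf(x, mu, sigma):
    """P(X <= x) for X ~ N(mu, sigma^2)."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * SQRT2)))


class ScoreModel:
    """Genuine and impostor score distributions of a hypothetical verifier.

    Higher score means more similar; a comparison is accepted when
    score >= threshold.
    """

    def __init__(self, genuine=(0.70, 0.10), impostor=(0.30, 0.10)):
        self.genuine = genuine    # (mean, std dev) of genuine-attempt scores
        self.impostor = impostor  # (mean, std dev) of impostor-attempt scores

    def far(self, threshold):
        """False Acceptance Rate: impostor scores at or above the threshold."""
        mu, sigma = self.impostor
        return 1.0 - normal_cdf(threshold, mu, sigma)

    def frr(self, threshold):
        """False Reject Rate: genuine scores below the threshold."""
        mu, sigma = self.genuine
        return normal_cdf(threshold, mu, sigma)

    def threshold_for_far(self, target_far, lo=-1.0, hi=2.0, iters=100):
        """Bisection for the threshold at which FAR == target_far.

        far() falls monotonically as the threshold rises, so the root is
        bracketed by [lo, hi] for any target in (0, 1).
        """
        for _ in range(iters):
            mid = (lo + hi) / 2.0
            if self.far(mid) > target_far:
                lo = mid  # still accepting too many impostors: raise threshold
            else:
                hi = mid
        return (lo + hi) / 2.0

    def frr_at_far(self, target_far=0.001):
        """The figure vendors quote: FRR at a standard FAR (default 0.001)."""
        return self.frr(self.threshold_for_far(target_far))

    def det_points(self, thresholds):
        """(threshold, FAR, FRR) triples: the trade-off curve from the slide."""
        return [(t, self.far(t), self.frr(t)) for t in thresholds]


def expected_false_accepts(far, impostor_attempts):
    """Expected number of impostors accepted over a run of attempts."""
    return far * impostor_attempts


def prob_any_false_match(far, database_size):
    """One-to-many identification: P(at least one record falsely matches).

    Each of the database_size comparisons false-matches independently with
    probability far, so the chance of a false identification grows with the
    database; this is why identification is harder than verification.
    """
    return 1.0 - (1.0 - far) ** database_size


if __name__ == "__main__":
    m = ScoreModel()
    for t, far, frr in m.det_points([0.40, 0.50, 0.55, 0.60, 0.65]):
        print(f"threshold {t:.2f}: FAR {far:.4f}  FRR {frr:.4f}")
    print(f"FRR at FAR=0.001: {m.frr_at_far(0.001):.3f}")
    print(f"FAR 1% over 400 boardings: {expected_false_accepts(0.01, 400):.0f} "
          "false accepts expected")
    print("FAR 1e-6 against 1,000,000 records: P(any false match) = "
          f"{prob_any_false_match(1e-6, 1_000_000):.3f}")
```

With these constructed distributions, forcing FAR down to 0.001 pushes FRR to roughly 18%, which is why an FRR figure is meaningless unless the FAR it was measured at is quoted alongside it. prob_any_false_match shows the slide's second point: a per-comparison FAR of one in a million still gives a better than even chance of at least one false match somewhere in a million-record database.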
Performance Improvements - Facial Recognition
Facial Recognition rate of improvement
Phillips et al. “FRVT 2006 and ICE 2006 Large-Scale Results” (2007)
7 Pillars of (biometric) Wisdom
- Universality
- Uniqueness
- Permanence
- Collectability
- Performance
- Acceptability
- Circumvention
EC report: Biometrics at the Frontiers: Assessing the Impact on Society (2005)

Universality – All human beings are endowed with the same physical characteristics, such as fingers, iris, face, DNA, which can be used for identification
Uniqueness – For each person these characteristics are unique, and thus constitute a distinguishing feature
Permanence – These characteristics remain largely unchanged throughout a person's life
Collectability – A person's unique physical characteristics need to be collected in a reasonably easy fashion for quick identification
Performance – The degree of accuracy of identification must be quite high before the system can be operational
Acceptability – Applications will not be successful if the public offers strong and continuous resistance to biometrics
Circumvention – In order to provide added security, a system needs to be harder to circumvent than existing identity management systems
The Technologies - Challenges
- Spoofing / Mimicry / Residual Images
- Usability
- Accessibility
- Hygiene
- Safety
- Secondary use
- Public Perception

Spoofing etc – incorporation of “liveness” tests, multi-mode biometrics, biometrics + passwords/PINs

UKPS figures:
- Average time for all enrolments (pass or fail) was 8 minutes 15 seconds (10 minutes 20 seconds for disabled participants);
- Verification times for non-disabled participants were 39 seconds for facial recognition, 58 seconds for iris scanning and 1 minute 13 seconds for fingerprint scanning.

Hygiene concerns about contact sensors (fingerprints and some handprint devices) – think what this would mean for 400 passengers on a jumbo.
Safety doubts related to illuminating the eye for iris or retina scanning.
Fears about secondary medical use of genetic information derivable from DNA samples or iris scans.
DNA
- Physical sample required
- Slow to process
- Lowest FAR & FRR
- FTE & FTA of 0%

A small portion of the extracted DNA is used to obtain a DNA profile. A standard laboratory technique (the polymerase chain reaction, or PCR) is used to make millions of copies of specific parts of the original DNA, the ‘markers’. These markers consist of repeated short sequences of DNA that vary in length between different people. The current standard profiling technique in the United Kingdom, SGM+, uses ten markers of a type called short tandem repeats (STRs).

DNA differs from standard biometrics in several ways:
1) DNA requires a tangible physical sample as opposed to an impression, image, or recording.
2) DNA matching is not done in real-time, nor are all stages of comparison always automated (though this is likely to change fairly soon).
3) DNA matching does not employ templates or feature extraction, but rather represents the comparison of actual samples.

Regardless of these basic differences, DNA is a type of biometric inasmuch as it is the use of a physiological characteristic to verify or determine identity. Furthermore, it is one biometric which may become usable as a unique identifier, as consistent "templates" may eventually be generated from DNA. This, together with the theoretical ability to determine information about a user from DNA, renders its usage highly problematic from a privacy perspective. Whether DNA will find use beyond its current use in forensic applications is uncertain. Intelligent discussion on how, when, and where it should and should not be used, who will control the data, and how it should be stored, is necessary before its use begins to expand into potentially troubling areas. These definitions will vary by application: it is illogical to suggest that the usage of DNA in public benefits programs, which nearly all would view as highly problematic, should be viewed as equivalent to the use of DNA in a criminal investigation.

Thinking about the dangers of DNA as a biometric is helpful as it underscores the tremendous variety of biometric technologies available, and makes clear that blanket statements about biometrics are generally misleading.
DNA – Acceptability?
- 97% were happy to include a photograph
- 79% fingerprints
- 62% eye recognition (no distinction was made between iris and retina scans)
- 41% approved of the inclusion of DNA details
Hiltz, Han, Briller. “Public Attitudes towards a National Identity "Smart Card:" Privacy and Security Concerns” (2003)
DNA – Foolproof?
- Scene of crime samples in particular may be contaminated, degraded, and misinterpreted (especially if mixed).
- Human errors (e.g. sample mix-ups) will occur.
- Need for corroborating evidence.
- Expanding databases could lead to an over-reliance on ‘cold hits’.
- Increased potential for ‘framing’ of suspects?
“The forensic use of Bioinformation: ethical issues”, Nuffield Council on Bioethics (2007)

- Familial Searching
- Ethnic Inferences
- DNA Photofit (hair colour + eye colour + skin colour)
- Surname!! Y-chromosome and surname both come down the male line, therefore possible correlation
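A worked illustration of two points from the DNA slides: that DNA matching is a comparison of actual STR profiles rather than of extracted templates, and that familial searching relies on partial allele sharing where a direct match requires agreement at every locus. This is an added example, not part of the original slides or of any cited report; the locus names L1 to L10, the four profiles and the kinship scoring rule are constructed for illustration and are not real SGM+ loci or real data. Identical twins share a profile, so a full match cannot separate them, which the code notes but cannot fix.

```python
from collections import Counter

# Added example (not from the original slides). An STR profile is modelled as
# a dict mapping a locus name to the pair of allele repeat counts seen there.
# Locus names L1..L10 and every allele value below are constructed for
# illustration; they are not real SGM+ loci or real profiles.

LOCI = [f"L{i}" for i in range(1, 11)]  # ten autosomal STR loci, as in SGM+


def shared_alleles(profile_a, profile_b, locus):
    """Number of alleles (0, 1 or 2) the two profiles share at one locus.

    A multiset intersection is used so that a homozygous (x, x) profile
    compared with (x, y) counts one shared allele, not two.
    """
    return sum((Counter(profile_a[locus]) & Counter(profile_b[locus])).values())


def is_full_match(profile_a, profile_b):
    """Both alleles agree at every locus: a direct (cold-hit style) match.

    Identical twins carry the same profile, so a full match does not
    distinguish one twin from the other.
    """
    return all(sorted(profile_a[l]) == sorted(profile_b[l]) for l in LOCI)


def consistent_with_parent_child(profile_a, profile_b):
    """A child inherits one allele per locus from each parent, so parent and
    child share at least one allele at every locus (mutation ignored)."""
    return all(shared_alleles(profile_a, profile_b, l) >= 1 for l in LOCI)


def kinship_score(profile_a, profile_b):
    """Total shared alleles over all loci: 20 = full match, ~10 = parent/child,
    a handful = unrelated people who happen to share common alleles."""
    return sum(shared_alleles(profile_a, profile_b, l) for l in LOCI)


def rank_candidates(query, database):
    """Familial-search style ranking of database entries by kinship score,
    highest first (ties broken by name so the result is deterministic)."""
    scored = [(name, kinship_score(query, prof)) for name, prof in database.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed profiles. CHILD_AB takes one allele per locus from PERSON_A and
# one from PERSON_B; UNRELATED_D shares only two alleles with PERSON_A by chance.
PERSON_A = dict(zip(LOCI, [(15, 17), (16, 18), (11, 12), (20, 23), (13, 14),
                           (29, 31), (14, 16), (13, 15), (6, 9), (21, 24)]))
PERSON_B = dict(zip(LOCI, [(14, 16), (17, 19), (9, 13), (19, 25), (10, 12),
                           (28, 30), (12, 18), (12, 17), (7, 8), (20, 22)]))
CHILD_AB = dict(zip(LOCI, [(15, 14), (18, 17), (12, 9), (20, 25), (13, 10),
                           (31, 28), (16, 12), (13, 17), (6, 8), (24, 20)]))
UNRELATED_D = dict(zip(LOCI, [(12, 13), (15, 20), (10, 12), (21, 22), (11, 15),
                              (27, 32), (14, 17), (11, 14), (5, 10), (19, 23)]))

DATABASE = {"A": PERSON_A, "B": PERSON_B, "D": UNRELATED_D}


if __name__ == "__main__":
    print("A vs A full match:", is_full_match(PERSON_A, PERSON_A))
    print("A vs child full match:", is_full_match(PERSON_A, CHILD_AB))
    print("A vs child parent/child consistent:",
          consistent_with_parent_child(PERSON_A, CHILD_AB))
    print("Familial search for the child's profile:", rank_candidates(CHILD_AB, DATABASE))
```

The direct-match path is what a cold hit against a database looks like; the ranking path is the familial search the slide flags as a privacy concern, because a profile that is not in the database at all still pulls up its relatives as leads.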
Privacy Assessment - 1
International Biometric Group have proposed the “BioPrivacy Application Impact Framework”: low risk on the left (green), high risk on the right (red).
1. Are users aware of the system's operation? Overt / Covert
2. Is the system optional or mandatory? Optional / Mandatory
3. Is the system used for identification or verification? Verification / Identification
4. Is the system deployed for a fixed period of time? Fixed Period / Indefinite
5. Is the deployment public or private sector? Private Sector / Public Sector
Privacy Assessment - 2
6. In what capacity is the user interacting with the system? Individual, Customer / Employee, Citizen
7. Who owns the biometric information? Enrollee / Institution
8. Where is the biometric data stored? Personal Storage / Database Storage
9. What type of biometric technology is being deployed? Behavioral / Physiological
10. Does the system utilize biometric templates, biometric images, or both? Templates / Images
International Biometric Group
Risk Assessment - DNA
Positive Privacy Aspects / Negative Privacy Aspects / Bioprivacy Technology Risk Rating
- Currently slow and complex to process
- Analysis device non portable
- Unchanging over subject’s whole lifetime
- Use in forensic applications
- Strong identification capabilities
- Not unique for identical twins
- Samples can be collected without consent/knowledge
- Possible to extract additional genetic information
Identification: H; Covert: H; Physiological: H; Image: H; Databases: H; Risk Rating: H
Legal Background
- Enabling Legislation
- Constraints
- Uses and Abuses
- Challenges
Enabling Legislation
NDNAD's:
- UK – 3.8 million samples by Jan 2007 (6%)
- Canada
- Australia
- NZ
- USA
Prum: “Member States shall open and keep national DNA analysis files for the investigation of criminal offences”

- UK – PACE 1984, amended by CJPOA 1994 & CE(A) 1997, CJPA (2001), CJA (2003), SOCPA (2005); now only “suspicion of a recordable offence”, indefinite retention of samples, no right to destruction
- Canada – only convicted offenders
- Australia – on a state by state basis, and inter-state matching only started in 2005
- NZ – Criminal Investigations (Bodily Samples) Act 1995 (amended in ); samples from convicted offenders or volunteers, destruction within 12 months if not charged or acquitted
- Prum convention between 15 states in 2005, to be incorporated by June 2007.

“Where, in ongoing investigations or criminal proceedings, there is no DNA profile available for a particular individual present within a requested Member State's territory, the requested Member State shall provide legal assistance by collecting and examining cellular material from that individual and by supplying the DNA profile obtained”

Implications of Prum
Constraints
- Privacy
- Data Protection Law
- Human Rights
- US Constitution
- Common Law

Privacy Acts; Data Protection Law
Challenges
- UK – via HRA 1998 Articles 8 and/or 14: R v Marper – now at ECHR
- US – via 4th Amendment: US v Kincade; Johnson v Quander
- Canada – via s.8 of CCRF: R v Rodgers

US: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Uses and Abuses
- Collection and Retention
- Data Sharing
- Forensic DNAD's
- Other DNAD's
- Privacy Challenges
- Evidence
- Scope Creep
- Ethics - What is identity?

Other DNADs: NZ – H v G (2000) – a very specific case of forensic use of a non-forensic database

Alterman listed three privacy concerns that he associated with biometrics:
- Threats to one’s person;
- The use of biometric id’s to collect and collate data for purposes not intended or desired by the individual;
- Unauthorised access to personal information through abuse or theft of data.

It is through the defence of the right to privacy that the existence and growth of DNA databases have faced their strongest challenges to date, but the majority of cases have occurred in jurisdictions without specific privacy laws and defences have instead adopted the vehicles of Human Rights and Constitutional protections. (Anton Alterman, “A piece of yourself”: Ethical issues in biometric identification, Ethics and Information Technology 5: p141, 2003)

Potential for “Familial Matching” once NDNAD is large enough!!

Evidence: DNA carries sufficient power to sway judges to attach uneven weight to its value

“privacy is control over how and where we are presented to others. The proliferation of representations that identify us uniquely thus represents a loss of privacy and a threat to the self-respect which privacy rights preserve”.
Conclusion
- ID fraud becomes worse if there is a single strong identifier
- Biometrics do not offer non-repudiation
- Biometrics should be confined to smart cards or encrypted if on databases
- Biometrics are useless once compromised

Non-repudiation of authentication typically rests on 2 considerations:
- Strength of binding of the authenticator to the individual in question
- Informed consent of the individual at the time the authentication was given