
Lessons for Biometrics from SSNs & Identity Fraud Peter P. Swire Ohio State University National Academy of Sciences March 15, 2005.


1 Lessons for Biometrics from SSNs & Identity Fraud
Peter P. Swire, Ohio State University
National Academy of Sciences, March 15, 2005

2 Overview
- Theme for today:
- Learn from SSNs & identity theft problems
- Don't release the keys, in cryptographic systems or in biometrics
- Proposal: law to prohibit the selling or sharing of individuals' biometrics
- Prevent loss of the keys that breed fraud

3 Swire Background
- Now law professor at Ohio State
- Teach computer security, privacy, cyber
- Consultant, Morrison & Foerster
- Was Chief Counselor for Privacy, OMB, 1999-early 2001
- Worked to fund CSTB study on authentication and privacy; discussed biometric study

4 Problems with SSNs
- Technically weak identifier
- No check sum
- Easy to fake or to steal
- Uses have spread dramatically over time
- Despite earlier promises to use only for federal programs
- Nonetheless, SSN is now the key information that gives access to credit system and authoritative credentials
- ChoicePoint incident & data compromised for at least 145,000 persons

5 Algorithms and Keys
- Modern crypto
- Kerckhoffs's law: assume the algorithm should be public
- Keep the key/password secret
- If the key is copied/compromised, the system is wide open
- Especially for online/remote applications
- Also for fake driver's license
- "A Model for When Disclosure Helps Security: What Is Different About Computer and Network Security?", at www.ssrn.com

6 How to Prevent Loss of Keys
- For SSNs, perhaps law this year prohibiting sale or display of SSNs
- Goal of enhancing the security of the keys
- For biometrics, why not have a law prohibiting the sale or display of plaintext of biometrics?
- Goal of enhancing the security of the keys

7 Benefits of the No Display Law
- Prophylactic rule, before we have commercial enterprises that depend on the sale or display
- Keep the keys more secure from the start
- Bad enough to get a new SSN
- Much harder to get a new finger, iris, etc.
- Encourage encryption in storage and use of images of fingerprints, etc.
- [Interlude – best practice should be to encrypt biometrics in storage]

8 Exceptions to the Law
- Photos
- Many non-security uses of photos
- Faces are seen in public
- DNA samples
- When is transfer appropriate for medical treatment or research?
- Burden on others to explain why the biometric keys should be made public

9 Conclusion
- One-time opportunity for society to protect biometric keys before they are compromised
- Let those who think display or sale is good explain precisely why, and craft exceptions
- Without clear law, we will see proliferation of disclosures, in insecure applications
- Without encryption, will have data leaks
- If so, biometrics could become a failed approach, like SSNs today

