Title: The Impact of Biometrics on the Justice System
1. The Impact of Biometrics on the Justice System
Computers, Freedom and Privacy Conference, April 5, 2000
2. Unauthorized secondary uses apply to biometrics
- Biometrics offer the strongest form of positive identification
- although viewed as the solution to reducing identity fraud, this feature also threatens personal privacy, specifically
- Secondary uses can apply to
- collecting biometrics for one use, say welfare enrollment, and using them to identify individuals at a crime scene, for example
- using the biometric as a token to link transactions of individuals and using this information to construct profiles for intelligence purposes.
- Because of its security and economic value, both government and market forces will pursue these practices.
3. Privacy laws are not enough
- Controls must be built into the code.
- Laws or policies to restrict the use of biometrics are not sufficient.
4. Biometrics -- the measurement process
[Diagram. Biometric path: finger, iris, voice or hand; scanner (analog to digital); image; conversion software (quality enhancement and feature extraction); digital number (biometric signature, e.g., minutia file for fingerprints). PIN path: PIN; finger; keypad; digital number.]
With today's technology, all biometrics transform to a number. That number is part of me, I can't forget nor lose it.
5. Biometrics -- the comparison process
[Diagram. Enrolment: X scans of the same biometric; scanner-S/W; X numbers (signatures); template generation (incorporates salient and repeatable features of biometric from a number of scans); template (t). Comparison: biometric; scanner-S/W; number (n); comparison software asks "n same as or close to t?" with outcomes yes, maybe, no.]
Authentication: Compare number (n) to a single template (t) to determine verification (yes or no).
Identification: Compare number (n) to many templates (t1...tk) to determine any matches within the allowed variability
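
The enrolment and comparison steps of slide 5, as an added Python example that is not part of the original presentation. It assumes a signature is a fixed-length bit tuple compared by fraction of differing bits; the thresholds, names and sample signatures are constructed for illustration.

```python
# Added illustration: signatures are modelled as bit tuples; thresholds are assumed.
from collections import Counter

ACCEPT, REJECT = 0.10, 0.25   # assumed: distance <= ACCEPT yes, >= REJECT no, else maybe

def enrol(scans):
    """Template generation: keep, per position, the bit most of the X scans agree on."""
    return tuple(Counter(bits).most_common(1)[0][0] for bits in zip(*scans))

def distance(n, t):
    """Fraction of positions where number n differs from template t."""
    return sum(a != b for a, b in zip(n, t)) / len(t)

def authenticate(n, t):
    """1:1 comparison of number n against a single template t."""
    d = distance(n, t)
    return "yes" if d <= ACCEPT else "no" if d >= REJECT else "maybe"

def identify(n, templates):
    """1:N comparison: every enrolled name whose template is within the allowed variability."""
    return sorted(name for name, t in templates.items() if distance(n, t) <= ACCEPT)

def flip(bits, *positions):
    """Simulate scan-to-scan variation by inverting the given bit positions."""
    return tuple(b ^ 1 if i in positions else b for i, b in enumerate(bits))

# Constructed 20-bit signatures for two enrolled people.
ALICE = tuple(int(c) for c in "10110010110100110101")
BOB = tuple(int(c) for c in "01101101001011100110")
DB = {
    "alice": enrol([flip(ALICE, 2), flip(ALICE, 9), flip(ALICE, 17)]),
    "bob": enrol([flip(BOB, 0), flip(BOB, 5), flip(BOB, 11)]),
}

if __name__ == "__main__":
    fresh = flip(ALICE, 4)                      # new scan, one bit off
    print(authenticate(fresh, DB["alice"]))     # claimed identity: alice
    print(authenticate(flip(ALICE, 1, 6, 12, 19), DB["alice"]))  # poor-quality scan
    print(authenticate(fresh, DB["bob"]))       # wrong claimed identity
    print(identify(fresh, DB))                  # no claim: search all templates
```

Authentication and identification share the same comparison; the only difference is whether the number is checked against one template or against every template in the database.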
6. Applications for Authentication
- Logon to networks, servers, laptops, etc.,
- digital certificates,
- access to databases, firearms, premises, bank machines, credit and debit cards,
- access to benefits such as social security, medical, welfare
- access to personal information such as medical, financial
- Biometrics viewed as the solution to identity fraud
7. Applications for Identification
- Positive identification, comparing a biometric to a database of known biometric templates to determine its presence -- IAFIS for law enforcement,
- Negative identification, comparing a biometric to a database of known biometric templates to confirm that it is absent -- applying for welfare benefits to prevent multiple enrollment or double dipping.
8. Biometric Application Program Interfaces (BioAPI): Plug and Play Biometric Devices
Goal: Standardize biometrics interface
[Diagram: APPLICATION; API; FRAMEWORK; SPI (Service Provider Interface); three BSPs (Biometric Service Provider), each with its Bio Device; Template(s).]
Applications include State welfare program, Bank machine access, logon to a network
9. Networking Application Databases
10. Authentication does not require central storage of templates
- Biometrics can be stored locally -- smart card, barcode, etc.
- Comment
- In practice, we have to resolve how lost, stolen or damaged cards will be handled without the individual physically going to an enrolment center to present his ID and have his biometric processed again?
- Centralized storage of a biometric or its templates would allow a new card containing the biometric template to be put in the mail, or a virtual card downloaded over the Internet.
11. Fingerprint Pattern versus Digital Template
- The actual fingerprint pattern is not stored, but only a digital template is stored which cannot be converted back to the original fingerprint pattern.
- Comment
- The issue is not whether a fingerprint pattern can be reconstructed from its digital template.
- The issue is that both the fingerprint pattern and its corresponding digital template are unique identifiers and therefore surrogates of one's identity.
12. A Scenario of Privacy Infringement (1)
- A welfare recipient leaves his latent fingerprints at a nightclub that later becomes the scene of a crime. The latent prints are picked up and matched to the fingerprint database compiled for welfare recipients. He is identified and questioned.
- Solution
- The fingerprint database will be off limits to the police by virtue of legislation.
- How can we ensure it will be the case with the next government?
- What about the issue of unauthorized access to the database? The temptation for secondary or unauthorized uses of such a database beyond its primary purpose may be very great.
13. A Scenario of Privacy Infringement (2)
- Solution
- Never store the actual fingerprint pattern, only its digital template.
- Still a problem. If the police obtain access to a similar biometric device, and place some digitized latent fingerprints through the system, they will be able to compare against the templates. They have to, otherwise the system doesn't work.
14. Mapping Templates
[Diagram labels: T1, T1.]
Translation of templates from one format to another is a mapping process from one minutiae n-space to another
15. A Scenario of Privacy Infringement (3)
- Solution
- Have unique hardware or software algorithms that are encrypted for different organizations and government agencies. Privacy is based on ignorance of the potential attacker.
- To be comparable to cryptographic systems, biometric security cannot depend on the secrecy of the algorithm or unavailability of the hardware.
- The system should have an open design. The protection mechanism must not depend on the ignorance of potential attackers.
- The algorithms should be open to public scrutiny, just as cryptographic algorithms are.
16. A Scenario of Privacy Infringement (4)
- Solution
- Either the templates in a database or their links to personally identifiable information will be encrypted, therefore matching cannot occur without access to the encryption key.
- In this case, secure key management would be crucial.
- Who is going to have control over the encryption keys?
- How do we guard against putting the rabbits in charge of the lettuce?
- With key management, we are basing our privacy on the trust model versus the absolute security we have with cryptographic algorithms.
17. Current biometric systems place the use limitation provision in FIPs further in jeopardy
- Third parties, such as the law enforcement community, will have access to personal profiles about you that are more complete, and potentially more damaging than the combined information that your best friends, spouse and parents have.
18. Privacy loves the company of numbers
- 3271 bank card PIN
- 5733 office security system PIN
- 2259 telephone PIN
- Mapple Laptop password
- 8932 home security PIN
- The feature of PINs that makes for bad security makes for great privacy -- a lot of them!
- With current biometrics, you have one number or, at most, a few.
Safety in numbers -- hazards in one number
19. Security issues with Biometrics (I)
- Limited to a Yes/No response.
- For network security, still need to link to a PIN unless one uses the template as the password. If so, then templates have to be stored in databases.
- Solution: use the biometric to encrypt the PIN
20. Use the biometric to encrypt the PIN
[Diagram. Enrollment: the fingerprint pattern CODES the PIN (73981946) into a coded PIN (h94Kd); the coded PIN is stored. Authentication: the fingerprint pattern DECODES the coded PIN (h94Kd) into the PIN (73981946); the PIN is used for access.]
Can literally have hundreds of PINs -- Safety in numbers!
21. Security issues with Biometrics (II)
- Current biometrics are not challenge-response systems. The password, which is the biometric, is always the same.
- Solution: use challenge-response systems
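22. Challenge-Response Using Biometrics
[Diagram. Enrollment: the fingerprint pattern CODES the response function (2x + 7) into a coded Res Fnc (Hgrcj); the coded Res Fnc is stored. Authentication: the host sends the challenge x = 4; the client decodes Res Fnc with the fingerprint and calculates the response from 2x + 7 with x = 4, giving R = 15; R = 15 is sent back to the host.]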
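
The coding of PINs (slide 20) and the challenge-response exchange (slide 22), as an added Python example that is not part of the original presentation. The slides do not specify the coding step, so XOR with an HMAC-SHA-256 stream keyed from the signature stands in for it; the function names, labels and sample signatures are hypothetical, and the signature is assumed to be bit-for-bit repeatable.

```python
# Added illustration, not the deck's algorithm. Assumes the scanner yields a
# bit-for-bit repeatable signature; real scans vary and need error-tolerant binding.
import hashlib, hmac

def _keystream(signature: bytes, label: bytes, n: int) -> bytes:
    key = hashlib.sha256(signature).digest()            # key derived from the biometric
    assert n <= 32, "this example handles secrets up to 32 bytes"
    return hmac.new(key, label, hashlib.sha256).digest()[:n]  # one stream per label

def code(secret: bytes, signature: bytes, label: bytes) -> bytes:
    """CODES / DECODES box from the slides: XOR with the biometric-derived stream."""
    return bytes(s ^ k for s, k in zip(secret, _keystream(signature, label, len(secret))))

decode = code  # XOR is its own inverse

def respond(coded_fn: bytes, signature: bytes, x: int):
    """Client side: decode the response function 'a,b' and answer R = a*x + b."""
    try:
        a, b = (int(v) for v in decode(coded_fn, signature, b"res-fnc").split(b","))
    except ValueError:          # wrong finger: decoded bytes are not a valid function
        return None
    return a * x + b

def host_check(x: int, r) -> bool:
    """Host side: it knows the enrolled function 2x + 7 and checks the reply."""
    return r == 2 * x + 7

# Constructed sample signatures (stand-ins for minutia files).
FINGER = b"constructed-minutiae-A"
OTHER = b"constructed-minutiae-B"

# Enrollment: one finger codes several PINs and the response function;
# only the coded values are stored on the client.
CODED_BANK = code(b"73981946", FINGER, b"bank")
CODED_DOOR = code(b"5733", FINGER, b"office")
CODED_FN = code(b"2,7", FINGER, b"res-fnc")

if __name__ == "__main__":
    print(decode(CODED_BANK, FINGER, b"bank"))      # PIN recovered for access
    for x in (4, 9):                                # a different challenge each time
        r = respond(CODED_FN, FINGER, x)
        print(x, r, host_check(x, r))
    print(host_check(4, respond(CODED_FN, OTHER, 4)))
```

What crosses the network is the response R, which changes with each challenge; neither the signature nor the stored coded values are sent to the host.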
23. Security issues with Biometrics (III)
- If template resides in a client PC, open to future surveillance by intelligent agent software, i.e. trojan horses, worms.
- Solution: use embedded trusted biometric devices that are isolated from the client. Never store template in the client
24. Embedded Biometric Devices
[Diagram. Trusted device (embedded hardware device) containing: biometric; scanner-S/W; template generation; template (t); template storage; comparison software. Output: to client PC.]
25. Security issues with Biometrics (IV)
- Biometric systems are still inaccurate and will generate false identifications.
26. The need for balance when using biometrics
[Diagram: balance between Benefit (confidentiality, authentication) and Risk (surveillance, linkage).]
27. Conclusion
- Current off-the-shelf biometrics will permit the secondary uses of personal information. They are not privacy protective.
- Technology that allows informational self-determination and makes good security a by-product of protecting one's privacy is the goal.
- Using the biometric to encrypt a PIN or a standard encryption key will meet that goal.
28. The privacy problem with current biometrics
- A biometric such as a fingerprint can be used as a unique identifier of a person which, as a unique identifier
- can be used to trace the person's transactions, and
- link massive amounts of personal data about them.
- Because of its value, both economic and security, both market and government forces will promote this practice.
- If biometrics are adopted as the standard method of authentication in our society, we will have central databases of people's biometrics or digital templates residing in networked databases.
29. The Identity Spectrum
[Diagram: spectrum from Absolute ID (Least Privacy Protective) to Anonymity (Most Privacy Protective), with Biometric Digital Certificate x.509, Digital Certificate x.509, PINs and Passwords, and Multiple Pseudonym x.9.59 in between.]
Secure transactions do not require divulging of identity in all cases.
30. Networking Template Databases
31. Process to establish authentication credentials
- 1. Identification: a one time process to establish that I am a unique, named individual (e.g., George Tomko).
- 2. Confirmation of Eligibility: a one time process to confirm that the named individual is indeed eligible (i.e. meets certain stated criteria) for a given service.
- 3. Authentication Credentials: a token, furnished or chosen by the service provider, which allows the individual to access the service involved on a recurring basis. It presumes the existence of steps one and two, without which it could not operate.
32. Levels of Security for Identity Fraud
- No proof of identity required.
- PIN or password used as token of identity.
- Digital certificate used as token of identity.
- Biometric tied to digital certificate used as token of identity.
- Token changed frequently, e.g., changing a password or PIN on a weekly basis.
- Different token for each access attempt, e.g. challenge-response system, one time password.
33. Industry's Response
- This threat to privacy, highlighted by public exposure and heightened media attention, has become somewhat of an obstacle in some countries in the marketing of biometric technologies.
- In response, biometrics are now being promoted as privacy-enhancing.
- Is this Orwellian double-speak or is there some foundation to this claim?
34. BioAPI Implications
35. Integrating Justice Information: The privacy threat
- Secondary uses of personal information without consent -- beyond the intent of the primary purpose for collection.
- Impacts privacy rights of
- accused but not yet convicted individuals,
- victims or witnesses at a crime scene,
- suspicious individuals -- intelligence gathering activities of a government agency.
36. Levels of Security for Access
- Open door policy, e.g., no PIN or password
- Same token used for each access attempt, e.g., PIN, password, biometric.
- Token changed frequently, e.g., changing a password or PIN on a weekly basis.
- Different token for each access attempt, e.g. challenge-response system, one time passwords.
- The fundamental problem is that biometrics are not what cryptographers refer to as a challenge and response system. That is, the response to the question, "What is your left index fingerprint?" is always the same. A challenge and response system would ask different questions each time and be able to measure the correct response. (Peter Wayner - New York Times)
37. Levels of Privacy
- Systems designed to protect privacy must have the same level of security as cryptographic systems.
- That is, their security cannot depend on the secrecy of the algorithm or unavailability of the hardware. The system should have an open design and the protection mechanism must not depend on the ignorance of potential attackers.
38. The Solution to Identity Fraud
- Biometrics are being viewed as a solution to identity fraud because they can be used to positively authenticate and in many cases positively identify individuals.
- Furthermore, if one wants, biometrics can be used to track individuals and their transactions.
39. Privacy Issues
Confidentiality of personal data (security)
Surveillance of location (activities)
Linkage of personal data (secondary use)
40. Your Identity Stored in Cyberspace
- If biometrics are adopted as the standard method of authentication in our society, we will have databases of people's biometrics or digital templates residing in a networked society