Biometrics and The Privacy Paradox

1
Biometrics and The Privacy Paradox

• Ann Cavoukian, Ph.D.
• Information Privacy Commissioner/Ontario
• Privacy Identity
• The Promise Perils of the Technological Age
• DePaul University, Chicago
• October 14, 2004

2
Privacy What are the Issues?

• Expanded surveillance
• Diminished oversight
• Absence of knowledge/consent
• Loss of control

3
Privacy Defined

• Informational Privacy Data Protection
• Personal control over the collection, use and
  disclosure of any recorded information about an
  identifiable individual
• An organisations responsibility for data
  protection and safeguarding personal information
  in its custody or control

4
OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data

1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

5
Growth of Biometrics

• U.S. Border Security Enhancement Act
• International Civil Aviation Organization
  approved facial recognition for travel documents
• EU to implement biometrics in passports and visas
• CANPASS and INSPASS programs
• AAMVA Unique Identifier Working Group

6
The Myth of Accuracy

• The problem with large databases containing
  thousands (or millions) of biometric templates
• False positives
• False negatives

7
Biometric Applications

• Identification
• one-to-many comparison
• Authentication
• one-to-one comparison

8
Biometric Identification False Positive
Challenge

• Even if you have a 1 in 10,000 error rate per
  fingerprint, then a person being scanned against
  a million-record data set will be flagged as
  positive 100 times. And thats every person. A
  system like that would be useless because
  everyone would be a false positive.
• Bruce Schneier, quoted in Ann Cavoukians
  Submission to the Standing
• Committee on Citizenship and Immigration,
  November 4, 2003
• http//www.ipc.on.ca/docs/110403ac-e.pdf

9
Biometric Identification

• False Negative Challenge
• Attackers could fool the system
• Pay-offs high for compromising the system
• Increased vulnerability to a target once a
  terrorist succeeds in obtaining a false negative
  threat escalates considerably

10
Biometric Strength Authentication

• The strength of one-to-one matches
• Authentication/verification does not require the
  central storage of templates
• Biometrics can be stored locally, not centrally
  on a smart card, passport, travel document, etc.

11
Designing Privacy Into Biometrics

• The Privacy Challenges
• Central template databases
• Unacceptable error rates
• Unrelated secondary uses

12
Facial Recognition the Dream

• Khalid Al-Midhar came to the attention of
  federal law enforcement about a year ago. As the
  Saudi Arabian strolled into a meeting with some
  of Osama bin Ladens lieutenants at a hotel in
  Kuala Lumpur in December 1999, he was videotaped
  by a Malaysian surveillance team. The tape was
  turned over to U.S. intelligence officials and,
  after several months, Al-Midhars name was put on
  the Immigration and Naturalization Services
  watch list of potential terrorists. The
  videotape of Al-Midhar also could have been
  helpful. Using biometric profiling, it would have
  been possible to make a precise digital map of
  his face. This data could have been hooked up to
  airport surveillance cameras. When the cameras
  captured Al-Midhar, an alarm would have sounded,
  allowing cops to take him into custody.
• - Business Week, Sept. 13, 2001, p. 39

13
Facial Recognition the Reality

• Test results in place show less than stellar
  results
• - Logan Airport pilot had a 50 error rate in
  real world conditions
• - U.S. State Department has stated that facial
  recognition has unacceptably high error rates
• - U of Ottawa tests this summer resulted in
  accuracy rates between 75 to more than 90
• - National Institute for Standards and
  Technology, under ideal lighting and controlled
  environment conditions reported 90 accuracy
• - Superbowl facial recognition no longer
  considered useful by subsequent Superbowl
  organizers
• Biometrics Benched for Super Bowl 
• By Randy Dotinga, Wired Magazine

14
Comparison of Accuracy Rates

• NIST Studies show for single biometrics
• Facial recognition
• - 71.5 true accept _at_ 0.01 false accept rate
• - 90.3 true accept _at_ 1.0 false accept rate
• Fingerprint
• - 99.4 true accept _at_ 0.01 false accept rate
• - 99.9 true accept _at_ 1.0 false accept rate

15
Facial Recognition and Privacy Research

• Confounding Facial Recognition systems
• Creating visual noise through
• - Disguises, obstructions, light sources, face
  paint
• Objective
• - Creating a framework for facial recognition
  countermeasures
• Results
• - Research by James Alexander, U. Pennsylvania

16
Biometrics Can BePrivacy-Enhancing, if they

1. Have privacy hard-wired into the deployed
   technology
2. Authenticate personal credentials without
   necessarily revealing identity
3. Do not facilitate surveillance or tracking of an
   individuals activities avoid the use of
   template-based central databases
4. Put control of the biometric in the hands of the
   individual
5. Provide excellent security without compromising
   privacy

17
Final Thoughts on Biometrics

• Current off-the-shelf biometrics permit the
  secondary uses of personal information
• The Goal Technology that allows for
  informational self-determination and makes good
  security a by-product of protecting ones
  privacy
• Using the biometric to encrypt a PIN or a
  standard encryption key will meet that goal
  Biometric Encryption
• Dr. George Tomko

18
I am not a number, I am a free man
I am not a number, I am a human being. I will
not be filed, stamped, indexed or numbered. My
life is my own. The Prisoner TV series, 1968
19
How to Contact Us
Ann Cavoukian, Ph.D. Information Privacy
Commissioner of Ontario 80 Bloor Street West,
Suite 1700 Toronto, Ontario, Canada M5S
2V1 Phone (416) 326-3333 Web
www.ipc.on.ca E-mail commissioner_at_ipc.on.ca