© 2003 dataPrivacy Partners Ltd.

dataPrivacy Partners Ltd.

Privacy by Design ®

4th Annual Privacy & Security Workshop

From Anonymisation to Identification: The Technologies of Today and Tomorrow Peter Hope-TindallChief Privacy Architect™dataPrivacy Partners Ltd.

pht@dataprivacy.com November 7, 2003

dataPrivacy Partners Ltd.

2 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Agenda

• Biometrics and Privacy• Privacy Concerns

• Design & Implementation Issues

• Technology to protect Privacy

dataPrivacy Partners Ltd.

3 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Privacy

“Privacy is at the heart of liberty in the modern state.” Alan Westin

“the right to be let alone”* Warren & Brandeis

““the right to exercise the right to exercise control over your personal control over your personal

information.” information.” Ann Ann CavoukianCavoukian

* Warren and Brandeis, "The Right to Privacy" 4 Harvard Law Review 193 (1890). The phrase "right to be let alone" had been coined by Judge Cooley several years earlier. See THOMAS M. COOLEY, COOLEY ON TORTS 29

(2d ed. 1888).

dataPrivacy Partners Ltd.

4 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Security and Privacy – a technical view

• authentication

• data-integrity

• confidentiality

• access controls

• non-repudiation

Security

Privacy

• data protection - FIPs (not FIPS)

n.b.n.b. FIPs: Fair Information PracticesFIPs: Fair Information Practices

FIPS: Federal Information Processing StandardsFIPS: Federal Information Processing Standards

dataPrivacy Partners Ltd.

5 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Security vs. Privacy

• Accountable to President/CEO Board of Directors.

• Risk based assessment. (how likely is it?)

• Access and use controls defined by the system owner.

• Has been focused on protecting against outsiders.

• Accountable to the data subject.

• Capabilities based assessment.(is it possible?)

• Access and use controls defined by use limitation and consent of data subject and legislation.

• Protecting against outsiders, insiders and system owner.

dataPrivacy Partners Ltd.

6 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

The Complex nature of Privacy

• Identity• Measures the degree to which information is

personally identifiable.

• Linkability• Measures the degree to which data tuples or

transactions are linked to each other.

• Observability• Measures the degree to which identity or linkability

may be impacted from the use of a system. Which other data elements are visible; implicitly or explicitly.

With thanks and apologies to the Common CriteriaWith thanks and apologies to the Common Criteria

dataPrivacy Partners Ltd.

7 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometrics

• Biometric is derived from the Greek words bio (life) and metric (the measure of).

• “The automated use of Physiological or Behavioral Characteristics to determine or verify identity”

International Biometric Group (IBG)

• “‘Biometrics’ are unique, measurable characteristics or traits of a human being for automatically recognizing or verifying identity. ”

dataPrivacy Partners Ltd.

8 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometrics Schmetrics?

• Biometric: (noun) - one of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Finger-scanning is a commonly used biometric.” Plural form also acceptable: “Retina-scan and iris-scan are eye-based biometrics."

• Biometrics: (noun) - Field relating to biometric identification. “What is the future of biometrics?”

• Biometric: (adjective) - Of or pertaining to technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Do you plan to use biometric identification or older types of identification?”

dataPrivacy Partners Ltd.

9 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometric Template

• Distinctive encoded files derived and encoded from the unique features of a biometric sample

• A basic element of biometric systems• Templates, not samples, are used in

biometric matching

• Much smaller amount of data than sample (1/100th, 1/1000th)

• Vendor specific

• Different templates are generated each time an individual provides a biometric sample.

dataPrivacy Partners Ltd.

10 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Verification

• Also called 1:1 ‘Authentication’• Performs comparison against a single

biometric record

• Answers question: “Am I who I say I am?”

dataPrivacy Partners Ltd.

11 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Identification

• Also called 1:N Search• Performs comparison against entire

biometric database

• Answers question: “Who am I?”

dataPrivacy Partners Ltd.

12 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Is DNA a biometric?

• DNA requires actual physical sample• DNA matching is not performed in real

time• DNA matching does not employ

templates or feature extraction

• however – Policy issues and risks are identical

dataPrivacy Partners Ltd.

13 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

In a strict sense then, DNA matching is not a biometric in the same way that traditional forensic fingerprint examination is not a biometric.

Regardless of these distinctions, we believe that DNA-based technologies should be discussed alongside other biometric-based technologies inasmuch as they make use of a physiological characteristic to verify or determine identity. Beyond the definition, to most observers DNA looks, acts and may be used like other biometrics. The policy ramifications, while much more serious for DNA-based technologies share some common attributes with other biometrics.

dataPrivacy Partners Ltd.

14 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Taxonomy

Physiological Biometrics

• Finger Scanning• Hand Geometry• Facial Recognition• Iris Scanning• Retinal Scanning• Finger Geometry

Behavioral Biometrics

• Voice Recognition• Dynamic Signature

Verification• Keystroke Dynamics

(In reality all biometrics are both physiological and behavioral to some degree.)

dataPrivacy Partners Ltd.

15 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Finger Scanning

Minutiae based or pattern based

dataPrivacy Partners Ltd.

16 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Hand Geometry

Measures dimensions of hands

Easy to use / Widely used in access control applications

dataPrivacy Partners Ltd.

17 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Facial Recognition

Based on distinctive facial features

dataPrivacy Partners Ltd.

18 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Iris Scanning Takes a picture of the iris.

Performs an analysis of the ‘features’ of the iris.

Ridges

Furrows

Striations

Scan distance - up to 1 Meter

dataPrivacy Partners Ltd.

19 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Retinal Scanning

Utilizes distinctive patterns visible on retina at back of eye.

dataPrivacy Partners Ltd.

20 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Finger Geometry

• Measures the shape and size of a single (or pair) of fingers.

dataPrivacy Partners Ltd.

21 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Voice Recognition

Performs an analysis of features from an audio waveform.

dataPrivacy Partners Ltd.

22 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Dynamic Signature Verification

• Measures the pressure, vector and number of strokes of signature.

• Can be used with existing signature applications.

dataPrivacy Partners Ltd.

23 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Keystroke Dynamics

Measures the rhythm and distinctive timing patterns for keyboarding.

dataPrivacy Partners Ltd.

24 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Other

• Ear Geometry

• Body Odour

• Gait (walking pattern)

dataPrivacy Partners Ltd.

25 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometrics SummaryBiometric Accuracy Ease of

UseUser

AcceptanceStability Cost Typical Applications Suitability for

1:1 1:N

Finger-Scanning High High Medium Low

High *** Traveler Clearance, Drivers License, Welfare

Yes Yes

Hand Geometry High High Medium High

Medium High

*** Access Control, Traveler Clearance, Day Care

Yes No

Facial Recognition

High[i] Medium High

High Medium Low

*** Casino, Traveler Clearance Yes Yes[ii]

Iris Scanning Very High Medium Low

Medium High

High ***** Prisons, Access Control, Traveler Clearance

Yes Yes

Retinal Scanning

Very High Low Low High **** Access Control, Traveler Clearance,

Yes Yes

Finger Geometry

Medium High Medium High

Medium High

*** Access Control, Amusement Park Ticket holder

Yes No

Voice Recognition

Medium High High Medium Low

* Low security applications, telephone authentication

Yes No

Signature Verification

Medium High Medium High

Medium Low

** Low security applications, applications with existing

‘signature’

Yes No

[i] Note: Although the ‘potential’ exists for high accuracy, recent pilot projects have indicated great difficulty in obtaining accurate results with 1:N systems.[ii] Ibid.

Chart by Peter Hope-Tindall – developed for the OECD

dataPrivacy Partners Ltd.

26 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

How does a biometric system work?

• Scanning / Collection of Sample• Feature Extraction• Biometric template creation• Biometric template matching

• Many vendors have proprietary searching subsystems and optimized hardware

dataPrivacy Partners Ltd.

27 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Types of Function

• Identification (1:N)• Submission of sample as a search

candidate against entire database

• Verification (1:1)• Validation of sample against a

presumed identity

dataPrivacy Partners Ltd.

28 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Standard Biometric System

SensorSensor

LogicLogic ReferenceReference

DatabaseDatabaseApplicationApplication

dataPrivacy Partners Ltd.

29 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

BiometricDevice

BiometricDevice

Capture andFeature Extraction

Capture andFeature Extraction

Create ReferenceTemplate or dataset

Create CandidateMatch Template or

dataset

Store Templatein Database

BiometricVerification

2

6

3

7

8

4

BusinessApplication

Data Subject

1

5

9

dataPrivacy Partners Ltd.

30 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Metrics

• Scientific Method / Biometric Testing

“The real purpose of the scientific method is to make sure Nature hasn't misled you into thinking you know something you don't actually know.”

  Robert M. Pirsig, Zen and the Art of

Motorcycle Maintenance

dataPrivacy Partners Ltd.

31 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Perceptions

• Public perceptions• Looking for a magic solution

• Feel safe technology

• Post terrorism opportunism• Limited information

dataPrivacy Partners Ltd.

32 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometric Performance

• “False Reject Rate” a.k.a. False Non-Match Rate (FNMR)

• “False Acceptance Rate” a.k.a. False Match Rate (FMR)

• “Equal Error Rate” • Biometric System Error Trade-off

dataPrivacy Partners Ltd.

33 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Equal error rate crossover

Error Rate

Sensitivity

FRFA

dataPrivacy Partners Ltd.

34 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

dataPrivacy Partners Ltd.

35 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Other Metrics

• “Failure to Acquire” • Missing fingers/eyes

• “Failure to Enroll” • Insufficient features

• Throughput • System Cost

May be as high as 2-4 % in the general population. (up to 20-30 % in elderly).

dataPrivacy Partners Ltd.

36 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Publicly Available Independent Evaluations

• CESG • http://www.cesg.gov.uk/site/ast/index.cfm?

menuSelected=4&displayPage=4

• Face Recognition Vendor Test• http://www.frvt.org

• Fingerprint Verification Competition• http://bias.csr.unibo.it/fvc2002

• US National Biometric Test Center• http://www.engr.sjsu.edu/biometrics/nbtccw.pdf

dataPrivacy Partners Ltd.

37 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Security Concerns related to Biometrics

• Spoofing

• Countermeasures

• Replay Attacks

• Cannot revoke a biometric

• Improper Reliance

• Insufficient Enrolment Rigour

dataPrivacy Partners Ltd.

38 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Liveness

Steve McCurry, photographer of ‘Afghan Girl’ portrait for National Geographic - 1984.

National Geographic

http://www.melia.com/ngm/0204/feature0/

dataPrivacy Partners Ltd.

39 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Concerns about Biometric systems

• Rigour of enrollment process• Lack of independent performance

metrics • No very-large population biometric

system examples• Failure-to-enroll and Failure-to-acquire

underclass (maybe as high as 2-4% to even 20-30%)

• Post terrorism opportunism• Technology panacea• Large scale biometric system failure

dataPrivacy Partners Ltd.

40 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Privacy Concerns

1.Function Creep

2.Infrastructure of Surveillance/Unique Identifier• Default method of identification

• Used inappropriately

3.Consent/Transparency

• Information Leakage• Glaucoma

• DNA Profiling

dataPrivacy Partners Ltd.

41 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Function Creep/Finality

• ‘Function Creep’ (also known as ‘purpose creep’) is the term used to describe the expansion of a process or system, where data collected for one specific purpose is subsequently used for another unintended or unauthorized purpose.

• In fair information practice terms, we may think of function creep as the subsequent use, retention or disclosure or data without the consent of the individual and of unauthorized changes in the purpose specification for a given data collection.

dataPrivacy Partners Ltd.

42 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Function Creep/Finality Example

• As an example, we may think of a social service (welfare) system that requires a finger scan to enroll. Let us assume that undertakings were made at enrollment to the user that the finger scan is being collected solely for the purposes of guarding against ‘double dipping’ (ensuring that the user is not already registered for welfare). If the finger scan were subsequently used for another purpose (e.g. a law enforcement purpose, something not described in the initial purpose specification) then we have ‘function creep’.

dataPrivacy Partners Ltd.

43 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Infrastructure of Surveillance/Unique identifier

• An overarching concern for some people is that biometrics will become a technology of surveillance and social control. Perhaps as the ultimate personal identifier, they may be seen to facilitate all the ominous and dehumanizing aspects of an information society -- a society in which unparalleled amounts of personal information may be collected and used on a systematic basis.

see O’Connor, “Collected, Tagged, and Archived.”

dataPrivacy Partners Ltd.

44 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Consent/Transparency

• Certain biometrics may be used without the consent or active participation (or indeed even the knowledge) of the individual.

• Iris scanning can already be performed at a substantial distance (a range of 18 to 24 inches)[i] from the subject. As the technology improves, it is quite likely that iris acquisition may take place from even greater distances and without any user involvement whatsoever.

• From a privacy perspective these situations can conflict with the collection limitation, openness and purpose specification principles.

[i] http://www.eweek.com/article2/0,3959,115743,00.asp

dataPrivacy Partners Ltd.

45 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Implementation Modalities to Protect Privacy

• Statutory • Policy

• Privacy Impact Assessment

• Threat Risk Assessment

• Common Criteria Scheme

• Standards

• Technology• Tamper proof hardware

dataPrivacy Partners Ltd.

46 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Statutory

• In some jurisdictions, generalized or specific criminal sanction may be used to provide security protection for biometric systems and to outlaw certain activities to bypass security controls.

• Ontario Works Acthttp://www.e-laws.gov.on.ca/DBLaws/Statutes/English/97o25a_e.htm

• Biometric Identifier Privacy Act – State of New Jersey

http://www.njleg.state.nj.us/2002/Bills/A2500/2448_I1.HTM

dataPrivacy Partners Ltd.

47 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Statutory

• Statutory proscription and prohibition• Problem; may always be modified or interpreted

by the Government of the day.• Example: Statistics Canada 1906-1911 Census

dataPrivacy Partners Ltd.

48 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Policy

• The Privacy Impact Assessment (PIA) and privacy audits can ensure that privacy policies are followed and to ensure that the policies meet the needs of a given level of privacy protection or compliance. Although these techniques are commonplace within government, they are just starting to appear in the private sector.

• Depends of rigour and independence of PIA process.

dataPrivacy Partners Ltd.

49 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Technology

•STEPS - Security Technology Enabling Privacy • Build security systems that are privacy

enabled

• Meet both Security and Privacy requirements

• Privacy Architecture• De-Identification

• De-Linkability

• De-Observability

• Divide and conquer (similar to SIGINT)

dataPrivacy Partners Ltd.

50 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Standard Biometric System

SensorSensor

LogicLogic

DatabaseDatabaseApplicationApplication

dataPrivacy Partners Ltd.

51 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Standard Biometric System

• 1:1 and 1:N Functionality• Maximizes Control for System Owner• No Cards to lose• Back End Database Model• Potential for Surveillance• Greatest Potential for abuse

dataPrivacy Partners Ltd.

52 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Smart Card Biometric System

SensorSensor

LogicLogic

DatabaseDatabaseApplicationApplication

dataPrivacy Partners Ltd.

53 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Smart Card Biometric System

• 1:1 Functionality• Balance of Control between System

Owner and Data Subject• Lost Card Issues• Card Failure Issues• Smart Card Infrastructure has

Surveillance Potential

dataPrivacy Partners Ltd.

54 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Privacy Hardened Biometric System

• Designed for Toronto CIBS Project - 1997• Tamperproof tokens in scanner to prevent device

substitution/direct image injection• FPGA logic to restrict use of system within

preprogrammed guidelines• Must be a live finger on the authorized scanner

• Discourage systematic ‘dumping’ of identity database

• Keys required for identity resolution

dataPrivacy Partners Ltd.

55 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Privacy Hardened 1:N System

SensorSensor

LogicLogic

DatabaseDatabase Identity Identity ResolverResolver

dataPrivacy Partners Ltd.

56 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Privacy Hardened

Identity Identity

ResolverResolver

PseudoPseudo

IdentityIdentity

Real Real

IdentityIdentity

17943568957845

73458734857384

53798475839753

Mr John Smith

637-759-986

August 31st, 1953

dataPrivacy Partners Ltd.

57 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Wildcard Option - Biometric Encryption

• Biometric Encryption• Feature Extraction provides an

encryption/decryption key• Promising techniques

• Optical Feature Extraction

• Fourier Transform of ‘visual’ plaintext using Biometric Feature data resulting in ‘visual’ ciphertext

• One Installed site in Canada• Needs further research to bring to

market

dataPrivacy Partners Ltd.

58 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Biometric Encryption

Fingerprint Pattern 73981946 %h*9%4Kd

Enrollment PIN Encrypted PIN is stored

encrypts

Fingerprint Pattern %h*9%4Kd 73981946

Authentication Encrypted PIN PIN used for access

decrypts

dataPrivacy Partners Ltd.

59 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

from: http://www.darpa.mil/iao/HID.htm

dataPrivacy Partners Ltd.

60 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Recommendations

• Communicate openly and honestly about any planned system.

• Smaller inward looking systems.

• Focus on 1:1 authentication systems instead of 1:N identification systems

• Whenever possible, develop opt-in voluntary enrollment systems.

dataPrivacy Partners Ltd.

61 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Recommendations

• Collect biometric samples openly and with the consent of the user.

• If possible, allow the user to retain custody of the biometric template (perhaps on a smart card or token) and do not store the biometric template in a central system.

• Where 1:N systems are required craft protections in legislation/policy and technology.

• Oversight – restrictions on systems usage/identity resolution

dataPrivacy Partners Ltd.

62 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Hope for the future

• Biometric Encryption

• Biometric sensor on a card

• Credential vs. Certificate (Brands)

• Trusted Extension of Self

dataPrivacy Partners Ltd.

63 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Conclusions

• We need to incorporate statutory, policy and technological controls.

• Engage the issues honestly and openly.

• Don’t use a hammer to kill a fly.

dataPrivacy Partners Ltd.

64 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Our Challenge

• Open discussion• The technology is not evil• Develop the best Technology• Develop the best Policy• Develop the best Statutory Protections• Raise the bar• Search for improvement

dataPrivacy Partners Ltd.

65 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Epilogue

• Objectivity of privacy• Question the appropriateness of ‘Public

Acceptance’ as a measurement of anything.

• Useful at telling us what is wrong.

• Not so useful at telling us what is right.

• Storing Template/Minutiae/Image• Privacy Concerns are identical

dataPrivacy Partners Ltd.

66 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Resources

• OECD• http://www.oecd.org

• Information and Privacy Commission/Ontario• http://www.ipc.on.ca

• dataPrivacy Partners Ltd.• http://www.dataprivacy.com

• Roger Clarke• http://www.anu.edu.au/people/Roger.Clarke/

• Biometric Consortium - US• http://www.biometrics.org

• CATA Biometrics Group - Canada• http://www.cata.ca/biometrics/

dataPrivacy Partners Ltd.

67 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

Contact Information

Peter Hope-TindalldataPrivacy Partners

Ltd.5744 Prairie Circle.Mississauga, ON L5N

6B5

+1 (416) 410-0240

pht@dataprivacy.com

dataPrivacy Partners Ltd.

68 Biometrics Presentation © 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.© 2003 dataPrivacy Partners Ltd.

pht@dataprivacy.com

http://www.dataprivacy.com