biometrics and the threat to civil liberties -...


Post on 20-Aug-2020


Page 1: Biometrics and the threat to civil liberties - Computervisgraph.cse.ust.hk/biometrics/Papers/General/civil_liberties.pdf · Civil Liberties Margaret L. Johnson, Stanford University

92 Computer

In the post-9/11 world, various government agencies have proposed or built several data systems that significantly affect civil liberties. As system designers and developers, we might not be aware of how the decisions we make when implementing such systems could threaten civil liberties. Thus, we need mechanisms or procedures to help us make technical decisions that respect human rights. Biometrics is an area in which this need is especially important.

WHAT IS BIOMETRICS?

Biometrics refers to the automatic identification or verification of living persons using their enduring physical or behavioral characteristics. Many body parts, personal characteristics, and imaging methods have been suggested and used for biometric systems: fingers, hands, faces, eyes, voices, signatures, typing styles, DNA, and so on. The body parts most often used in current applications are fingerprints and facial characteristics.

Biometric systems process raw data to extract a biometric template—a small set of data that can be uniquely derived given a biometric feature. Various algorithms process biometric data to produce a template. For example, in a face-recognition system, facial-geometry algorithms work by defining a reference line—for example, the line joining the pupils of the eyes—and using it to measure the distance and angle of various facial features relative to this reference. Templates are easier to process and store than the original raw data.

Biometric systems fall into two categories: authentication and identification, with authentication systems being far more common. To be authenticated by a system, a subject presents a password or a token such as an ID card, along with a live biometric sample such as a fingerprint. The system accesses a record based on the token, then compares the sample’s biometric data with the record’s sample to authenticate the subject’s identity.

Authentication systems are reliable and efficient if the subject base is small and the biometric readers are accurate and durable. Airports, prisons, and companies that need secure access use systems such as these.

Implementing identification systems is more difficult. To be identified by a system, a subject provides biometric data, and the system must find a record based on that data only—which can require a search of the entire database. Performing this search takes a long time and even then will only rarely result in a single-record match. This means that the system must perform additional filtering.

Keep in mind that these searches are not text-based. Because biometric data is pattern-based, finding a hit requires specialized algorithms that focus on finding specific patterns in certain aspects of the data.

FACE-RECOGNITION SYSTEM

Applying this background to some biometric systems examples makes it easier to understand how implementation decisions can pose a threat to civil liberties. Consider the timely example of an airport passenger identification system containing a database that stores the facial data of known criminals and terrorists in a watch list. This system uses special cameras to scan the faces of passengers as it looks for individuals whose facial data match records in its database. If the system finds a match, it dispatches a security guard to bring the person to a security checkpoint for further investigation.

Is such a system feasible? Experimental systems have been implemented, most notably in Boston’s Logan International Airport, but such systems do not yet meet expectations. At Logan, where 10 of the September 11th terrorists boarded flights that were subsequently hijacked, face-recognition systems exhibited a failure rate of 38.6 percent during testing. According to press reports, the systems failed to detect volunteers playing potential terrorists.

Biometrics and the Threat to Civil Liberties Margaret L. Johnson, Stanford University

THE PROFESSION


Biometrics is an area in which having mechanisms for making decisions that respect human rights is especially important.


Face-recognition technology is not yet robust enough to be used this way, but given the development rate in this area, identification systems using it will likely be implemented soon. Three primary impediments must, however, be overcome first:

• Excessive false positive rate. A false positive occurs when a subject’s biometric data incorrectly matches that of a watch list member.

• Uncontrolled environmental and subject conditions. Samples taken in an airport are noisy in that the light is uneven, shadows can partially cover the face, the image may not be frontal, the subject may be wearing a disguise, and so on. These variations make matching more difficult.

• Watch list size. This factor poses an important limiting factor because every time database size doubles, accuracy decreases by two to three percentage points overall (P.J. Phillips et al., Face Recognition Vendor Test 2002, National Institute of Standards and Technology, 2003).

IMPACT ON CIVIL LIBERTIES

An identification system based on face-recognition technology poses several threats to civil liberties. First, false positives must be investigated, which impinges on the privacy of innocent people.

In biometric systems, the degree of similarity between templates required for a positive match depends on a decision threshold, a user-defined system parameter. The user can specify high security, in which case innocent subjects might be caught when the system casts a broader net. Alternatively, the user might specify low security, in which case terrorists could escape. Setting this parameter thus directly affects the false positive rate, which in turn directly affects subjects’ privacy.

Another important civil liberty issue involves the potential for biometric systems to locate and physically track airline passengers. People being scanned and possibly tracked may not be aware of the system and thus cannot control it. The US Constitution’s Fourth Amendment guards against illegal searches and seizures by the government. Article 12 of the United Nations’ Universal Declaration of Human Rights, adopted in 1948, guards against interference with privacy, family, or home. Thus, a case could be made that if a government agency installs and maintains a face-recognition system at an airport, data collected and used without a subject’s consent could represent a civil liberties violation.

WHO ARE THE DECISION MAKERS?

Obviously, system designers and developers must be aware of their work’s civil liberty implications. In the example I’ve described, many technical decisions could, if made in ignorance of these issues, threaten civil liberties. For example, the security-level parameter that lets a user define the false-positive rate can be implemented in several ways. Internally, the parameter controls how closely biometric data must match to represent a hit. A system designer or developer will decide which aspects of the biometric data to use and establish the ranges of acceptability. Because each of these decisions affects the false-positive rate in ways the user cannot control, they affect the civil liberties of the subjects the system processes.

The camera technology chosen provides another potential threat. Suppose a designer decides which camera the system should use based solely on the project’s requirements, without considering whether the camera is small and unobtrusive or large and obvious. This decision can affect the likelihood that subjects will be aware that the system is collecting their biometric data. Lack of consent implies lack of control in how a private company or a government agency might use a person’s biometric data.

Finally, the question of how to store the collected biometric data arises. It’s common practice to store this data for an extended time after collection. If a disaster occurs, the data would be helpful in any ensuing investigation. A designer creating a database to store the biometric data makes decisions about accessibility, security, and data organization, all of which define who can access the data and how it can be used. The stored data provides a record of the subject’s location at a particular time and can be used for tracking.

CRITICAL ISSUES

More serious issues arise in the implementation of certain authentication systems. Consider another system that might be used in airports: To get past the security checkpoint, all passengers must provide a fingerprint. Each passenger also presents an ID such as a driver’s license. This data is entered into a system, which then searches a database of US citizens and their fingerprints against the passenger’s ID. If the data matches, the passenger is allowed to pass; if the data does not match, or if the person does not have a record in the database, officials detain the passenger for further investigation.

This type of authentication system presumes a communication mechanism to a host computer and a central repository of biometric data. The implementation of such a system represents both the most serious technical challenges in biometrics and the most serious threats to civil liberties.

A database with biometric data presents a natural target for theft and malicious and fraudulent use. If criminals intercept someone’s biometric data—either by breaking into a transmission or by stealing it from the database—they can either replicate the sample itself or the template produced from a successfully matched sample. If the thieves can ascertain whose data is associated with the ciphertext, they can even steal encrypted data. Armed with these capabilities, criminals can steal identities. Identity theft is much harder to correct than theft in current token-based systems. Given the difficulty in identifying compromised records, a successfully attacked system is not only useless, it’s dangerous.

Further, although anyone who loses a driver’s license can replace it easily, someone whose fingerprints have been stolen cannot obtain new ones. This adds a new dimension to identity theft, which represents one of the most serious civil liberty violations.

Implementing a large-scale authentication system requires making a multitude of technical decisions concerning security and database safeguards. Many of these decisions affect civil liberties in that they define the system’s level of security and safety. It often comes down to a tradeoff between system performance and system security. Who will decide on that tradeoff, and what criteria will they use?

Many computing professionals agree that technological limitations make implementing large-scale biometric systems too risky at this time. This consensus is not stopping private companies and the US government from moving forward with such implementations, however.

Under the new US-VISIT program started in January 2004, all foreigners who enter the US on visas must have their hands and faces scanned digitally. In addition, starting later this year, new passports will be issued that bear a chip containing biometric data. By October 2004, all countries whose nationals can enter the United States without a visa—including western European countries, Japan, and Australia—must begin issuing passports that contain biometric data.

What can we do to raise the sensitivity of future system designers and developers to the social impact of the systems they create? Stanford University offers an Ethics and Social Responsibility course that addresses these issues in a scenario-based format. Students participate in role-playing in real-world situations to help them understand the effects of their decisions. Also, the ACM-IEEE Computing Curricula 2001 discusses the need for a required course on social and professional responsibility, along with short, relevant modules presented in other courses. Such courses are becoming increasingly critical as the systems we build become more intrusive and dangerous.

What can we do to raise the awareness of practicing designers and developers? Perhaps currently used software design and development methodologies can be enhanced to include checkpoints that allow consideration of social and legal issues.

How developers design, build, protect, and maintain a biometric system will determine its effectiveness and the degree to which it poses a threat to civil liberties. As application designers and developers, we must understand the tremendous effect our decisions and actions can have on society as a whole.

Margaret L. Johnson is a senior lecturer in computer science at Stanford University. Contact her at [email protected].

Editor: Neville Holmes, School of Computing, University of Tasmania, Locked Bag 1-359, Launceston 7250; [email protected]

April 2004 91
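The article's points about the decision threshold and watch list size can be made concrete with a small calculation. The following is an added example, not code from the article or from any deployed system: the similarity scores are constructed sample data, the terms false match rate (FMR) and false non-match rate (FNMR) and all function names are this example's own, and comparisons are assumed to be independent. A lower threshold corresponds to the "high security" setting the article describes.

```python
# Added example: decision threshold vs. false positives in a 1:N watch-list
# search. Scores are constructed sample data, not measurements.

# Similarity scores in [0, 1]; higher means the two templates look more alike.
# IMPOSTOR: an innocent passenger compared with one watch-list template.
# GENUINE: a watch-list member compared with their own stored template.
IMPOSTOR = [0.12, 0.18, 0.21, 0.25, 0.29, 0.31, 0.34, 0.36, 0.40, 0.42,
            0.45, 0.47, 0.50, 0.52, 0.55, 0.58, 0.61, 0.66, 0.71, 0.78]
GENUINE = [0.48, 0.57, 0.63, 0.68, 0.72, 0.75, 0.80, 0.84, 0.88, 0.93]


def false_match_rate(threshold, impostor=IMPOSTOR):
    """Share of innocent comparisons that score at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_non_match_rate(threshold, genuine=GENUINE):
    """Share of true watch-list comparisons that fall below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def p_false_alarm(fmr, watch_list_size):
    """Chance that one innocent passenger hits at least one watch-list entry.

    Assumes every comparison is independent, which is a simplification.
    """
    return 1.0 - (1.0 - fmr) ** watch_list_size


def pick_threshold(max_alarm_prob, watch_list_size, candidates):
    """Lowest (most sensitive) threshold that keeps the per-passenger
    false-alarm probability within budget, plus the miss rate it costs.
    Returns None if no candidate fits the budget."""
    for t in sorted(candidates):
        if p_false_alarm(false_match_rate(t), watch_list_size) <= max_alarm_prob:
            return t, false_non_match_rate(t)
    return None


if __name__ == "__main__":
    candidates = (0.5, 0.6, 0.7, 0.8)
    for t in candidates:
        print(f"t={t:.1f}  FMR={false_match_rate(t):.2f}  "
              f"FNMR={false_non_match_rate(t):.2f}")
    # The same 50% false-alarm budget forces a stricter threshold, and a
    # higher miss rate, as the watch list grows.
    for n in (1, 5, 100):
        print(f"watch list of {n}: {pick_threshold(0.5, n, candidates)}")
    # A per-comparison false match rate of 0.1% against 1,000 entries.
    print(f"{p_false_alarm(0.001, 1000):.3f}")
```

With these constructed scores, holding the false-alarm budget fixed while the watch list grows from 1 to 100 entries pushes the miss rate from 10 percent to 60 percent, which is the tradeoff the article asks designers to recognize they are deciding.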
