October 2002 Mfg.Trust

Mfg.Trust is a monthly feature of the NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.


This month – Biometrics and Your Privacy

What's all the Fuss About?

Accompanying Resource Page for this Story 


Editor's Preface:

This month Mfg.Trust will address the controversial issue of biometrics and your privacy. As you’ll see below, the issue is controversial because biometric techniques like facial recognition can be conducted without the subject’s knowledge or consent, the technology is far from perfect, the consequences could be very serious, and the U.S. government is poised to deploy biometrics on an unprecedented scale for improving security in the military, transportation industry and in border-crossing control.

Many public interest groups are focused on privacy. So the resources accompanying this and last month’s article are especially rich. Last month Mfg.Trust examined the business use of biometrics and biometric technologies. You can review both articles and the Resource Pages by visiting http://trust.ncms.org and selecting the “Publications Index” tab.

For those who seek a quick education in Biometrics, Prof. Anil Jain of Michigan State University has produced a fact-filled and expert online course entitled “Introduction to Biometric Authentication”, available at http://products.ncms.org/classes.htm. Biometrics using fingerprints, face, hand, iris, and voice recognition are discussed in that course.

John Sheridan (johns@ncms.org)


BIOMETRICS AND YOUR PRIVACY

What’s All the Fuss About?

The Electronic Privacy Information Center’s Biometric Privacy page (see Links) points out six major areas of concern regarding the use of automated biometric devices:

“Biometric identifiers are of course widely used by people to identify each other – one might recognize a friend by the sound of her voice, the color of her eyes, or the shape of her face. Devices using biometric identifiers attempt to automate this process by comparing the information scanned in real time against an "authentic" sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape. There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment. Briefly there are six major areas of concern:

  1. Storage. How is the data stored, centrally or dispersed? How should scanned data be retained?
  2. Vulnerability. How vulnerable is the data to theft or abuse?
  3. Confidence. How much of an error factor in the technology's authentication process is acceptable? What are the implications of false positives and false negatives created by a machine?
  4. Authenticity. What constitutes authentic information? Can that information be tampered with?
  5. Linking. Will the data gained from scanning be linked with other information about spending habits, etc.? What limits should be placed on the private use (as contrasted to government use) of such technology?
  6. Ubiquity. What are the implications of having an electronic trail of our every movement if cameras and other devices become commonplace, used on every street corner and on every means of transportation?”

Other experts’ concerns and the BioPrivacy Initiative’s Impact Framework (see Resources page) align very closely with the above. There are also some promising proposed solutions that we will examine. These solutions seem to be receiving much less press than the “Big Brother” problems. Let’s examine these concerns and how they may affect you personally.

Identification, Verification and Databases

Identification matches a physiological or behavioral characteristic of a person against pre-confirmed records of that characteristic. For example, matching the image of my face against the photographs in a large database, or comparing a "new or candidate" fingerprint to the many sets of fingerprints in an existing database. These "one-to-many" (1:N) search techniques compare a sample with every record in a database and are at the core of the identification process.

In contrast, a "one-to-one" (1:1) search is used when we access something like our bank machine. Verification is done through the presentation of a "token" such as a PIN, a card, or a biometric, whose validity is confirmed, thereby verifying one's eligibility to access a particular service. There is no searching and matching against a database; only the validity of the token is established, through a single one-to-one match.

Databases are at the root of EPIC’s privacy concerns #1, #2, and #4 above. Concerns about storage, vulnerability, and authenticity are very real. The biometric database is the ultimate target for all sorts of mischief from within and without the organization that owns it. Database-oriented solutions also impose a very practical operational limit, because you need access to the (highly protected) database every time you wish to identify someone or verify a token. This all leads towards expensive solutions.

There are promising alternatives that move the database. One solution (see Resources page) uses a “smart” card with your biometric data encrypted on the card. You then must read the smart card and have a secure system for creating the cards; in this case, key management would be the weak link. In an excellent address to a Privacy and Law Symposium (worth reading, see Resources page), Canadian scientist Dr. George Tomko argues that your biometric itself should be the means of encryption. To our knowledge this approach has not yet been implemented.

Confidence and Consequences

When the implications of false results are very serious, then the 1:N identification systems are at their worst. Dr. Philip Agre of UCLA points out (see Arguments against Automatic Face Recognition in Public Places on the Resources page) that face recognition is nearly useless for the application that has been most widely discussed since the September 11th attacks on New York and Washington: identifying terrorists in a crowd. The reasons why are statistical – a 99.99 percent accurate system that scans 10 million faces will produce 999 errors for each correct match of a real terrorist. The enormous percentage of false matches will condition security workers to assume that all positive matches are mistaken.

Also, 99.99% accuracy is overly optimistic. According to experts, facial recognition has only about an 85% success rate for matching, while fingerprints range close to 99% accuracy. Spotting terrorists in a crowd is a needle-in-a-haystack problem, and most biometric techniques are not a needle-in-a-haystack-quality technology.
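The base-rate arithmetic behind the 1:N versus 1:1 discussion above, as an added worked example (not from the newsletter or from Agre's article). It takes the article's own figures, a 99.99% accurate system scanning 10 million faces, and shows why roughly a thousand alerts are raised for one real match, and how the picture changes at the 85% success rate quoted for face recognition. The "accuracy" convention (one figure for both the true-match rate and the non-false-match rate) is an assumption made here to mirror the article's framing.

```python
# Added example: expected alerts from 1:N identification versus a 1:1 check.
# Assumption: `accuracy` is used for both rates, as the article does. Each
# real target is matched with probability `accuracy`; each non-target is
# falsely matched with probability (1 - accuracy).

def screening_outcome(population, targets, accuracy):
    """Expected outcome of a one-to-many (1:N) watch-list screen."""
    innocent = population - targets
    true_matches = targets * accuracy
    false_matches = innocent * (1.0 - accuracy)
    alerts = true_matches + false_matches
    return {
        "true_matches": true_matches,
        "false_matches": false_matches,
        # How many wrong alerts a guard sees for every right one.
        "false_per_true": false_matches / true_matches if true_matches else float("inf"),
        # Precision: the share of all alerts that are actually correct.
        "precision": true_matches / alerts if alerts else 0.0,
    }


def verification_outcome(accuracy):
    """A one-to-one (1:1) check compares one presented sample with one stored
    template, so each transaction carries a single chance of a false match
    rather than one chance per record in a database."""
    return {"false_match_probability": 1.0 - accuracy}


if __name__ == "__main__":
    # The article's scenario: one real target hidden among 10 million faces.
    crowd = screening_outcome(population=10_000_000, targets=1, accuracy=0.9999)
    print(f"99.99% system, 10M faces: ~{crowd['false_matches']:.0f} false alerts "
          f"for {crowd['true_matches']:.4f} true ones; precision {crowd['precision']:.3%}")
    # The 85% figure the article quotes for face recognition.
    face = screening_outcome(population=10_000_000, targets=1, accuracy=0.85)
    print(f"85% system, 10M faces: ~{face['false_matches']:,.0f} false alerts")
    # Same 99.99% sensor used for 1:1 verification at a bank machine.
    print(f"1:1 verification: {verification_outcome(0.9999)}")
```

At 99.99% the screen raises about 1,000 alerts of which one is right, matching the article's "999 errors for each correct match"; at 85% the false alerts run into the millions.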

Linking and Ubiquity

In the article cited above, Philip Agre accurately points out: “Many social institutions depend on the difficulty of putting names to faces without human intervention. If people could be identified just from looking in a shop window or eating in a restaurant, it would be a tremendous change in our society's conception of the human person. People would find strangers addressing them by name. Prospective customers walking into a shop could find that their credit reports and other relevant information had already been pulled up and displayed for the sales staff before they even inquire about the goods. Even aside from the privacy invasion that this represents, premature disclosure of this sort of information could affect the customer's bargaining position.”

This is a polite example about the dangers of linking information. Other linkages, by both public and private parties, could be far more invasive and destructive.

Good Metrics of Good Biometrics

The International Biometrics Group “BioPrivacy Impact Framework” provides a means of assessing the privacy risks involved in a real or proposed biometric deployment. A private-sector biometric application in which the user retains ownership of his or her biometric information is much less likely to negatively impact user privacy than a covert public identification system; the precautions taken in each system will be proportional to the potential risks related to the use of that system. Though there are many additional factors to assess, such as the political climate and legal backdrop for biometric usage, the existing Impact Framework provides a starting point for intelligent assessment and categorization of biometric systems.

The Impact Framework considers these factors:

1. Overt vs. Covert. Deployments in which users are aware that biometric data is being collected and used, and acquisition devices are in plain view, are less privacy-invasive than surreptitious deployments.

2. Opt-in vs. mandatory. A biometric system in which enrollment is mandated, such as a public sector program or one designed to encompass a company’s employees, bears a more direct relationship to privacy risks than an opt-in system.

3. Verification vs. identification. (see above) A system capable of performing 1:N searches can be considered more susceptible to privacy-related abuse than a 1:1 system.

4. Fixed duration vs. indefinite duration. In deployments where such an option exists, the use of biometrics for a fixed duration is less likely to have a negative impact on privacy than one deployed indefinitely.

5. Public vs. private sector. Suitable protections should be developed for each type of environment.

6. Individual, customer, student, traveler, employee, citizen. An individual’s roles vary according to the people and institutions with whom they interact. Although privacy rights are fundamental regardless of the institution with whom the person is interacting, they are not identical in all environments. Reasonable expectations of privacy are dependent on the capacity in which a person is interacting with another person or institution: anonymous individual, customer, student, traveler, citizen, employee, prisoner.

7. User ownership of biometric data vs. institutional ownership. Deployments in which the user maintains ownership over his or her biometric information are more likely to be privacy-sympathetic than those in which the public or private institution owns the data.

8. Personal storage vs. template database. A biometric system which stores information centrally is clearly more capable of being abused than one in which biometric information is stored on a user’s PC or even on a smart card.

9. Behavioral vs. physiological biometric. Behavioral biometrics are much less likely to be deployed in a privacy-invasive fashion, as technologies such as voice-scan and signature-scan can be easily changed by altering a signature or using a new pass phrase. Physiological biometrics are much harder to mask or alter, and can be collected without user compliance.

10. Give vs. grab biometric information. Biometric systems in which data capture is initiated by the user are less likely to be deployed in a privacy-invasive fashion than those which automatically capture data. The "give" systems require explicit user consent to capture data, while the "grab" systems can capture data without the user's explicit approval.

Good News Too - A Banking Example

Regulators require that bank employees be fingerprinted. The traditional fingerprint-processing procedure takes twelve weeks to determine whether an employee is fit to work in the bank. Bankers have estimated that the processing delay alone costs $3-8 million per year for each large commercial bank in the U.S. A newer technology (see Validex Corp. on the Resources page) scans fingerprints on-site, produces results in 24 hours, and cuts those losses.

Conclusion

Because they are so important for business and government, you should expect increasing use of biometric techniques in the coming decade. Both the technologies and the policies governing them will be refined. You’ll want to remain aware of the issues and knowledgeable enough to make informed choices.

Despite the initial unfavorable publicity surrounding biometric techniques, their use can bring both good and evil. Biometrics could be a simple security improvement over those dozen or two passwords/PINs in your life that are not unique, that you don’t really have memorized, and that are possibly written down somewhere.

We will need to learn to deal with this new challenge / opportunity in our public and private lives.


LINKS:

Electronic Privacy Information Center, Biometrics Privacy Page http://www.epic.org/privacy/biometrics/ 

Your Face Is Not a Bar Code: Arguments against Automatic Face Recognition in Public Places Philip E. Agre, Department of Information Studies, UCLA http://dlis.gseis.ucla.edu/people/pagre/bar-code.html 

International Biometric Group, LLC BioPrivacy Initiative
http://www.bioprivacy.org/ 

Biometrics as a Privacy-Enhancing Technology: Friend or Foe of Privacy? Dr. George Tomko, Chairman, Photonics Research Ontario http://www.dss.state.ct.us/digital/tomko.htm


If you liked Mfg.Trust, please forward it to a colleague in your company!

For questions, comments, or for NCMS Alliance Partners to request their own FREE subscription to Mfg.Trust, send e-mail to johns@ncms.org 

To unsubscribe please send a blank e-mail message to listmanager@ncms.org with the subject line "unsubscribe mfgtrust".


Copyright 2004
National Center for Manufacturing Sciences