Presentation Transcript


  1. 4th Annual Privacy & Security Workshop: From Anonymisation to Identification: The Technologies of Today and Tomorrow. Peter Hope-Tindall, Chief Privacy Architect™, dataPrivacy Partners Ltd., pht@dataprivacy.com. November 7, 2003

  2. Agenda • Biometrics and Privacy • Privacy Concerns • Design & Implementation Issues • Technology to protect Privacy Biometrics Presentation

  3. Privacy • “the right to exercise control over your personal information.” (Ann Cavoukian) • “Privacy is at the heart of liberty in the modern state.” (Alan Westin) • “the right to be let alone”* (Warren & Brandeis) * Warren and Brandeis, "The Right to Privacy", 4 Harvard Law Review 193 (1890). The phrase "right to be let alone" had been coined by Judge Cooley several years earlier. See THOMAS M. COOLEY, COOLEY ON TORTS 29 (2d ed. 1888).

  4. Security and Privacy – a technical view • data protection - FIPs (not FIPS) • authentication • data-integrity • confidentiality • access controls • non-repudiation [diagram labels: Privacy, Security] n.b. FIPs: Fair Information Practices; FIPS: Federal Information Processing Standards

  5. Security vs. Privacy. Security: • Accountable to President/CEO/Board of Directors. • Risk based assessment (how likely is it?). • Access and use controls defined by the system owner. • Has been focused on protecting against outsiders. Privacy: • Accountable to the data subject. • Capabilities based assessment (is it possible?). • Access and use controls defined by use limitation, consent of the data subject and legislation. • Protecting against outsiders, insiders and system owner.

  6. The Complex nature of Privacy • Identity: measures the degree to which information is personally identifiable. • Linkability: measures the degree to which data tuples or transactions are linked to each other. • Observability: measures the degree to which identity or linkability may be impacted by the use of a system; which other data elements are visible, implicitly or explicitly. With thanks and apologies to the Common Criteria

  7. Biometrics • Biometric is derived from the Greek words bio (life) and metric (the measure of). • “The automated use of Physiological or Behavioral Characteristics to determine or verify identity” (International Biometric Group (IBG)) • “‘Biometrics’ are unique, measurable characteristics or traits of a human being for automatically recognizing or verifying identity.”

  8. Biometrics Schmetrics? • Biometric: (noun) - one of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Finger-scanning is a commonly used biometric.” Plural form also acceptable: “Retina-scan and iris-scan are eye-based biometrics.” • Biometrics: (noun) - Field relating to biometric identification. “What is the future of biometrics?” • Biometric: (adjective) - Of or pertaining to technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Do you plan to use biometric identification or older types of identification?”

  9. Biometric Template • Distinctive encoded files derived from the unique features of a biometric sample • A basic element of biometric systems • Templates, not samples, are used in biometric matching • Much smaller amount of data than the sample (1/100th, 1/1000th) • Vendor specific • Different templates are generated each time an individual provides a biometric sample.

  10. Verification • Also called 1:1 ‘Authentication’ • Performs comparison against a single biometric record • Answers the question: “Am I who I say I am?”

  11. Identification • Also called 1:N Search • Performs comparison against the entire biometric database • Answers the question: “Who am I?”

  12. Is DNA a biometric? • DNA requires an actual physical sample • DNA matching is not performed in real time • DNA matching does not employ templates or feature extraction • however – policy issues and risks are identical

  13. In a strict sense then, DNA matching is not a biometric, in the same way that traditional forensic fingerprint examination is not a biometric. Regardless of these distinctions, we believe that DNA-based technologies should be discussed alongside other biometric-based technologies inasmuch as they make use of a physiological characteristic to verify or determine identity. Beyond the definition, to most observers DNA looks, acts and may be used like other biometrics. The policy ramifications, while much more serious for DNA-based technologies, share some common attributes with other biometrics.

  14. Taxonomy. Physiological Biometrics: • Finger Scanning • Hand Geometry • Facial Recognition • Iris Scanning • Retinal Scanning • Finger Geometry. Behavioral Biometrics: • Voice Recognition • Dynamic Signature Verification • Keystroke Dynamics (In reality all biometrics are both physiological and behavioral to some degree.)

  15. Finger Scanning • Minutiae based or pattern based

  16. Hand Geometry • Measures dimensions of hands • Easy to use / Widely used in access control applications

  17. Facial Recognition • Based on distinctive facial features

  18. Iris Scanning • Takes a picture of the iris. • Performs an analysis of the ‘features’ of the iris: • Ridges • Furrows • Striations • Scan distance - up to 1 Meter

  19. Retinal Scanning • Utilizes distinctive patterns visible on the retina at the back of the eye.

  20. Finger Geometry • Measures the shape and size of a single finger (or a pair of fingers).

  21. Voice Recognition • Performs an analysis of features from an audio waveform.

  22. Dynamic Signature Verification • Measures the pressure, vector and number of strokes of a signature. • Can be used with existing signature applications.

  23. Keystroke Dynamics • Measures the rhythm and distinctive timing patterns of keyboarding.

  24. Other • Ear Geometry • Body Odour • Gait (walking pattern)

  25. Biometrics Summary Chart by Peter Hope-Tindall, developed for the OECD [i]. [chart not reproduced in the transcript] Note: Although the ‘potential’ exists for high accuracy, recent pilot projects have indicated great difficulty in obtaining accurate results with 1:N systems. [ii] Ibid.

  26. How does a biometric system work? • Scanning / Collection of Sample • Feature Extraction • Biometric template creation • Biometric template matching • Many vendors have proprietary searching subsystems and optimized hardware

  27. Types of Function • Identification (1:N): submission of a sample as a search candidate against the entire database • Verification (1:1): validation of a sample against a presumed identity

  28. Standard Biometric System [diagram: Sensor, Logic, Reference Database, Application]

  29. [image-only slide]

  30. Metrics • Scientific Method / Biometric Testing “The real purpose of the scientific method is to make sure Nature hasn't misled you into thinking you know something you don't actually know.” (Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance)

  31. Perceptions • Public perceptions • Looking for a magic solution • Feel safe technology • Post terrorism opportunism • Limited information

  32. Biometric Performance • “False Reject Rate” a.k.a. False Non-Match Rate (FNMR) • “False Acceptance Rate” a.k.a. False Match Rate (FMR) • “Equal Error Rate” • Biometric System Error Trade-off

  33. Equal error rate crossover [chart: Error Rate vs. Sensitivity, with the FA (false accept) and FR (false reject) curves crossing at the equal error rate]
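The trade-off on slides 32 and 33, worked through in code. This is an added illustration, not part of the presentation: the genuine and impostor match scores are constructed, and the decision threshold plays the role of the "Sensitivity" axis on the chart.

```python
"""Biometric error trade-off: FMR/FNMR sweep and equal error rate (EER).

Added illustration, not from the presentation. Match scores are constructed:
higher score = closer match, genuine attempts should score high and impostor
attempts low, with some overlap so the two error curves actually cross.
"""
from typing import Iterable, List, Tuple

# Constructed match scores on a 0-100 scale (not real sensor output).
GENUINE_SCORES = [88, 92, 75, 81, 95, 69, 84, 90, 77, 62]   # same person vs. own template
IMPOSTOR_SCORES = [21, 35, 48, 12, 57, 30, 66, 25, 41, 19]  # other person vs. template


def false_match_rate(impostor: List[int], threshold: int) -> float:
    """FMR (a.k.a. False Acceptance Rate): fraction of impostor attempts accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_non_match_rate(genuine: List[int], threshold: int) -> float:
    """FNMR (a.k.a. False Reject Rate): fraction of genuine attempts rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_tradeoff(genuine: List[int], impostor: List[int],
                   thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """Sweep the decision threshold and return (threshold, FMR, FNMR) triples.

    Raising the threshold can only lower FMR and raise FNMR: you buy security
    (fewer impostors accepted) with usability (more genuine users rejected).
    """
    return [(t, false_match_rate(impostor, t), false_non_match_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine: List[int], impostor: List[int],
                     thresholds: Iterable[int]) -> Tuple[int, float]:
    """Return (threshold, EER) at the crossover where |FMR - FNMR| is smallest.

    With discrete scores the curves may touch over a range of thresholds; the
    first such threshold is reported, and EER is the mean of the two rates there.
    """
    t, fmr, fnmr = min(error_tradeoff(genuine, impostor, thresholds),
                       key=lambda r: abs(r[1] - r[2]))
    return t, (fmr + fnmr) / 2


if __name__ == "__main__":
    for t, fmr, fnmr in error_tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 10)):
        print(f"threshold {t:3d}: FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101)))
```

Note that the EER is a single operating point for comparing systems; a deployment picks its own threshold depending on whether a false accept or a false reject is the costlier error.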

  34. [image-only slide]

  35. Other Metrics • “Failure to Acquire” (e.g. missing fingers/eyes) • “Failure to Enroll” (e.g. insufficient features) • Throughput • System Cost. Note: may be as high as 2-4 % in the general population (up to 20-30 % in the elderly).

  36. Publicly Available Independent Evaluations • CESG: http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=4&displayPage=4 • Face Recognition Vendor Test: http://www.frvt.org • Fingerprint Verification Competition: http://bias.csr.unibo.it/fvc2002 • US National Biometric Test Center: http://www.engr.sjsu.edu/biometrics/nbtccw.pdf

  37. Security Concerns related to Biometrics • Spoofing • Countermeasures • Replay Attacks • Cannot revoke a biometric • Improper Reliance • Insufficient Enrolment Rigour

  38. Liveness • Steve McCurry, photographer of the ‘Afghan Girl’ portrait for National Geographic - 1984. • National Geographic: http://www.melia.com/ngm/0204/feature0/

  39. Concerns about Biometric systems • Rigour of enrollment process • Lack of independent performance metrics • No very-large population biometric system examples • Failure-to-enroll and Failure-to-acquire underclass (maybe as high as 2-4% to even 20-30%) • Post terrorism opportunism • Technology panacea • Large scale biometric system failure

  40. Privacy Concerns • Function Creep • Infrastructure of Surveillance/Unique Identifier • Default method of identification • Used inappropriately • Consent/Transparency • Information Leakage (e.g. glaucoma, DNA profiling)

  41. Function Creep/Finality • ‘Function Creep’ (also known as ‘purpose creep’) is the term used to describe the expansion of a process or system, where data collected for one specific purpose is subsequently used for another unintended or unauthorized purpose. • In fair information practice terms, we may think of function creep as the subsequent use, retention or disclosure of data without the consent of the individual, and as unauthorized changes in the purpose specification for a given data collection.

  42. Function Creep/Finality Example • As an example, we may think of a social service (welfare) system that requires a finger scan to enroll. Let us assume that undertakings were made at enrollment to the user that the finger scan is being collected solely for the purposes of guarding against ‘double dipping’ (ensuring that the user is not already registered for welfare). If the finger scan were subsequently used for another purpose (e.g. a law enforcement purpose, something not described in the initial purpose specification) then we have ‘function creep’.

  43. Infrastructure of Surveillance/Unique identifier • An overarching concern for some people is that biometrics will become a technology of surveillance and social control. Perhaps as the ultimate personal identifier, they may be seen to facilitate all the ominous and dehumanizing aspects of an information society: a society in which unparalleled amounts of personal information may be collected and used on a systematic basis. See O’Connor, “Collected, Tagged, and Archived.”

  44. Consent/Transparency • Certain biometrics may be used without the consent or active participation (or indeed even the knowledge) of the individual. • Iris scanning can already be performed at a substantial distance (a range of 18 to 24 inches)[i] from the subject. As the technology improves, it is quite likely that iris acquisition may take place from even greater distances and without any user involvement whatsoever. • From a privacy perspective these situations can conflict with the collection limitation, openness and purpose specification principles. [i] http://www.eweek.com/article2/0,3959,115743,00.asp

  45. Implementation Modalities to Protect Privacy • Statutory • Policy • Privacy Impact Assessment • Threat Risk Assessment • Common Criteria Scheme • Standards • Technology • Tamper proof hardware

  46. Statutory • In some jurisdictions, generalized or specific criminal sanction may be used to provide security protection for biometric systems and to outlaw certain activities to bypass security controls. • Ontario Works Act: http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/97o25a_e.htm • Biometric Identifier Privacy Act – State of New Jersey: http://www.njleg.state.nj.us/2002/Bills/A2500/2448_I1.HTM

  47. Statutory • Statutory proscription and prohibition • Problem: may always be modified or interpreted by the Government of the day. • Example: Statistics Canada 1906-1911 Census

  48. Policy • The Privacy Impact Assessment (PIA) and privacy audits can ensure that privacy policies are followed and that the policies meet the needs of a given level of privacy protection or compliance. Although these techniques are commonplace within government, they are just starting to appear in the private sector. • Depends on the rigour and independence of the PIA process.

  49. Technology • STEPS - Security Technology Enabling Privacy • Build security systems that are privacy enabled • Meet both Security and Privacy requirements • Privacy Architecture: • De-Identification • De-Linkability • De-Observability • Divide and conquer (similar to SIGINT)

  50. Standard Biometric System [diagram: Sensor, Logic, Database, Application]
