Biometrics, trends and perspectives

1
Biometrics,trends and perspectives
Prof. dr mr Jan Grijpink Utrecht University /
Ministry of Justice Chairman Netherlands
Biometrics Forum
Schiphol, 24 June 2008
2
Outline

• The Netherlands Biometrics Forum
• Trends and perspectives
• Major concerns
• Identity fraud
• Better protection of biometric details
• Introducing the chain perspective on biometrics
• Building blocks for a general biometrics strategy

3
The Netherlands Biometrics Forum

• 2002-2007
• Curiosity commitment participation
• Focus on technical aspects
• Meeting point
• Vision and strategy development

• 2007-2012
• Knowledge and influence interests concerns
• Focus on (large scale) applications
• Opinion centre
• Communication en initiatives

4
Trends and perspectives

• Identity management and fighting identity fraud
  are getting more important
• Large-scale applications come across many
  technical and organisational problems (criminal
  law enforcement)
• Small-scale applications are often successful
  (Europe car, Rotterdam Cargo)
• Technology aims at enhanced protection of the
  biometric detail itself, in some unexpected ways

5
Major concerns

• Secure large-scale applications
• Large-scale biometrics may give rise to adverse
  results (so-called fallacy of the wrong level)
• Identity fraud
• Biometrics can easily provoke more identity fraud
  instead of preventing it
• Safe enrolment and card issue are not enough,
  monitoring biometric verification and detection
  of misuse are needed

6
Identity fraud
7
Identity fraud/theft

• Deliberately dishonestly passing oneself off
  under an identity that does not belong to you
• using somebody elses identity (real or faked)
• by using his personal number, biometric template,
  password or pin-code, with or without an official
  ID
• anywhere, anyhow
• Thus, ID fraud/theft is more than fraud with
  legal proof of identity still, we remain focused
  on official id-documents!

8
What is new about it?

• 1. Successful ID fraud often goes unnoticed,
  spreading surreptitiously to other sectors
• If there are traces, they lead to victims in
  stead of culprits
• Resulting in mistaken suspicions and unsolvable
  ID fraud cases
• Digital ID-checking can be inconspicuously
  disabled by the person to be checked (many
  fall back procedures are sloppy!)

9
Three basic problems to overcome
We spontaneously trust administrative identities,
even if they are based on unverified or
unverifiable personal data. Our favourite
name-number verification based on a ID-document
always succeeds regardless of who is making use
of it. If you succeed in manipulating biometric
data or biometric measurement, your free ride on
the holders identity cannot be detected.
A person is innocent until proved guilty. This
principle might be in danger, because identity
fraud leaves many traces, but they all point to
the victim. The victim has to prove his
innocence.
We prefer general and compulsory use of uniform
standard documents, personal numbers, biometrics
and procedures. Thus creating high value!
10
Identity fraud understandings

• Taking a free ride on someone elses identity is
  not difficult, produces great benefits to the
  impostor at virtually no cost to him
• Predictable procedures of identity checking with
  only one compulsory, general tool provoke
  identity fraud
• General compulsory tools like a biometric
  passport and policy objectives like service or
  transparency make procedures and products
  vulnerable to identity fraud

11
Does biometrics contribute to combating identity
fraud?

• Better focus on the person?
• More variation in the process of identity
  checking, the identity fraudster must get
  seriously uncertain about the outcome of the
  identity check?
• Contributing with independent checking details
  no unnecessary details on ID documents (e.g.
  social security number, biometrics!)?
• The value of ID documents, personal numbers or
  biometric details should be diminished the
  higher the value the heavier the attaque. Has it?

12
Technology better protecting the biometric
detail, for more privacy and security
13
Shielding and scrambling, to be profitably
combined?

• The Austrian model for personal numbers the
  original detail is not used every government
  domain derives its own separate independent
  number that can only be traced back to the right
  person if he collaborates this solution is
  proved to be interoperable, e.g. within the EU
• IBM/Philips the original biometric detail is
  transformed or scrambled (e.g. the Philips bar
  code), the biometric checking is done with the
  stored and the live bar code the original detail
  stays out of the picture. Second advantage
  missing ID document new bar code is derived no
  loss of privacy nor security.
• Utrecht University/Informatics fingerprint can
  be scrambled with details taken from another
  fingerprint can only be retieved with the right
  person present. Disadvantage the comparison is
  done using the original fingerprint!

14
Four-level security paradigm

• Organisational level e.g. separation of duties
• Procedural level e.g. authorisation
• Applicational level e.g. multiple biometrics
• The level of the biometric detail shielding and
  transformation (e.g. mosaic fingerprint, bar code)

15
Introducing the chain concept and
applying it to biometrics
16
What is a (value) chain?

• temporary co-operation between independent
  organizations
• to solve a dominant chain problem
• a chain-wide problem that puts the whole
  value chain at risk, no chain partner being able
  to solve it on his own
• no co-ordinating, commanding nor enforcing
  authority
• the dominant chain problem is the boss

17
Chain perspective on biometrics

• Biometrics is having its best effects if it is
  indispensable in fighting the chains dominant
  problem
• 2.Biometrics can only be reliably managed within
  the boundaries of this specific chain.

18
Building blocks for a general biometrics strategy
19
Realizing the benefits of biometrics an overall
biometrics strategy

• Basically, biometric systems should be chain-tied
  and chain-specific supra-chain biometrics can
  only be effective and stable if differently
  embedded in chain-specific control systems, thus
  reducing the details value for an impostor
• Biometrics is to focus on the person, not to
  enhance the ID-document
• Biometrics is to be used to make the checking
  procedure less predictable and in control of the
  checker
• Biometric details that are in an accessible form
  on the ID- document are controlled by the holder
  and cannot accurately detect a false acceptance.

20
Thank you