Biometric Encryption BE - PowerPoint PPT Presentation

1
Biometric Encryption: Privacy-Enhancing Technology
Fred Carter, Senior Policy & Technology Advisor
Office of the Information & Privacy Commissioner / Ontario, Canada
European Biometrics Forum (EBF) Research Seminar, Tuesday, 02 October 2007
2
Presentation Outline
  • IPC Work
  • FIPs & PETs
  • Biometrics and Privacy
  • BE: Anonymous Biometrics
  • Reactions and Follow-up

3
1. IPC work to date
  • Independent agency of government; we oversee three
    laws
  • Longstanding interest & involvement in privacy,
    technology and law/compliance issues.
  • IPC approach: constructive engagement; ICT is both a
    threat to and an opportunity for privacy; seek
    pragmatic win-win scenarios
  • Some publications: Path to Anonymity; guidance on
    use of PKI, DRM; Privacy-embedded 7 Laws of
    Identity; Biometrics; Biometric Encryption; ID
    Theft; Intelligent Agents; P3P; RFID; Privacy and
    the Open Networked Enterprise; Privacy Diagnostic
    Tool; PIA for health; contactless smart cards;
    mobile device security; STEPs; etc.
  • IPC website: www.ipc.on.ca

4
1. IPC biometrics work
  • Biometrics Program, Toronto (1994)
  • Ontario Works Act (1997)
  • Discussion guidance papers (1999)
  • Presentations, speeches, etc. (2000-)
  • Statement to House of Commons Standing Committee
    on Citizenship & Immigration (2003)
  • Resolution of Int'l DPAs (2005)
  • EBF & IBAC (2005-)

5
2. FIPs & PETs
6
2. PETs and FIPs: Our Mantra: Build It In
  • Build in privacy early: into the architecture,
    design specs, and technologies; design must start
    from maximum privacy
  • Assess all privacy risks: conduct privacy impact
    assessments and annual privacy audits
  • Minimize collection, use, data: minimize routine
    collection, use, and retention of all personally
    identifiable data
  • Be comprehensive and systematic: effective
    privacy requires an integrated approach; privacy
    must be applied to entire data systems and
    throughout the data life cycle
  • Privacy rules must be enforced: enforcement must
    be trustworthy for the system to earn trust and use.
  • Use privacy enhancing technologies (PETs)

7
2. FIPs & PETs
  • Effective governance can come from:
  • Laws, legislation, regulation
  • Industry self-regulation, codes of conduct, best
    practices, guidelines, standards, policies, audit
    certification practices
  • PETs / Technology solutions
  • Public opinion / market acceptance
  • Founded on the Fair Information Practices (FIPs)
  • PETs just one element in the IPC privacy toolkit

8
2. PETs & FIPs
  • Many FIPs in use around the world; they can be
    condensed into 3 primary and substantive
    impulses:
  • 1. Data Minimization
  • 2. User Participation and Control
  • 3. Information Security
  • Good success evangelizing to public policymakers,
    information security, auditors, developers, etc.
  • Expressed in myriad ways, depending on context.

9
Privacy OR Security: A Zero-Sum Game
10
Privacy AND Security
11
3. Biometrics and Privacy
12
3. Biometrics & Privacy
  • Privacy & Security Issues
  • Growing biometrics deployments and uses pose
    significant systemic risks to individual privacy
    and security
  • Biometrics: a lifetime, permanent identifier;
    worse than a password (access control), since it
    cannot be changed once compromised
  • Indiscriminate or excess collection of biometric
    data invites misuse
  • System performance: accuracy and reliability
  • Poor accountability will undermine trust,
    acceptance and use.

13
3. Privacy & Biometrics: Concerns
  • Creation of large centralized databases
  • Far-reaching consequences of errors in
    large-scale networked systems
  • Interoperability that invites unintended
    additional secondary uses

14
3. Biometrics & Security: The Risks
  • Spoofing
  • Replay attacks
  • Substitution attack
  • Tampering
  • Masquerade attack
  • Trojan horse attacks
  • Overriding Yes/No response
  • Insufficient accuracy

15
Identification: The Myth of Accuracy
  • Problem with large centralized databases
    containing millions of biometric templates
  • False positives
  • False negatives

16
3. Biometrics & Privacy: Accuracy and Reliability
  • Accuracy and reliability are still viewed as
    major stumbling blocks for large-scale biometric
    applications (OECD Report on Biometric
    Technologies, June 2004)
  • http://appli1.oecd.org/olis/2003doc.nsf/linkto/dsti-iccp-reg(2003)2-final
  • Serious consequences of false positives and
    negatives, errors, failure rates.
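Why a 1:many search over a database of millions is so much harder to get right than the 1:1 check of the next slide, as an added worked derivation that is not part of the slides. Assumed notation (ours, not the page's): $\mathrm{FMR}$ is the false match rate of a single comparison at the chosen threshold, $N$ is the number of enrolled templates, and the $N$ comparisons are treated as independent.

$$P(\text{at least one false match in a 1:}N\text{ search}) = 1 - (1 - \mathrm{FMR})^{N} \approx N \cdot \mathrm{FMR} \qquad (N \cdot \mathrm{FMR} \ll 1).$$

With $\mathrm{FMR} = 10^{-6}$, a 1:1 verification false-matches about once per million attempts, while a 1:$N$ search over $N = 10^{6}$ templates gives $1 - (1 - 10^{-6})^{10^{6}} \approx 1 - e^{-1} \approx 0.63$: roughly two searches in three return at least one wrong candidate. The false non-match rate does not grow with $N$, since the one genuine template is compared once, so raising the threshold to suppress false positives in a large system trades them for false negatives.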

17
Authentication: Biometric Strength and Privacy
  • The strength of one-to-one matches
  • Authentication/verification does not require
    the central storage of biometric templates
  • Biometric may be stored locally, not centrally
    on a smart card, token, travel document,
    etc.

18
3. Biometrics & Privacy: 1:1 versus 1:many
  • Privacy regulators favor 1:1 authentication
    (verification) over 1:many identification
  • The EU Article 29 Working Party Resolution on the
    use of biometrics in passports, identity cards
    and travel documents was passed by Data
    Protection and Privacy Commissioners in Montreux,
    Switzerland, 2005
  • The Conference calls for the technical
    restriction of the use of biometrics in passports
    and identity cards to verification purposes
    comparing the data in the document with the data
    provided by the holder, when presenting the
    document.
  • 27th International Conference of Data
    Protection and Privacy Commissioners, Montreux,
    16 September 2005
  • www.privacyconference2005.org/fileadmin/PDF/biometrie_resolution_e.pdf

19
3. Biometrics & Privacy: Centralized Databases
  • Risks associated with large centralized,
    networked biometric databases
  • Article 29 Working Party, chaired by Peter
    Schaar, Germany's federal Data Protection
    Commissioner, EU Opinion, August 2004, states:
    "The Working Party strictly opposes the storage
    of all EU passport holders' biometric and other
    data in a centralized data base"
  • http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp112_en.pdf

20
3. Biometrics & Privacy: Interoperability
  • Interoperable biometric databases invite
    additional purposes and secondary uses of the
    data
  • E.U. Data Protection Supervisor, Peter Hustinx,
    in his March 2006 Opinion, stressed that:
  • "Interoperability of systems must be implemented
    with due respect for data protection principles
    and in particular, the purpose limitation
    principle."
  • Comments on the Communication of the Commission
    on interoperability of European databases,
    www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf

21
3. Biometrics & Privacy: Risks (Summary)
  • unauthorized secondary uses of biometric data
  • expanded surveillance tracking, profiling, and
    potential discrimination
  • data misuse (data breach, identity fraud and
    theft)
  • negative personal impacts of false matches,
    non-matches, system errors and failures
  • diminished oversight, accountability, and
    openness of biometric data systems
  • absence of individual knowledge and consent;
    loss of personal control
  • loss of user confidence, acceptance and trust;
    potential negative backlash

22
4. Biometric Encryption
23
4. Biometric Encryption (BE)
  • What is Biometric Encryption?
  • Class of emerging untraceable biometric
    technologies that seek to irreversibly transform
    the biometric data provided by the user.
  • BE is a process that securely binds a PIN or a
    cryptographic key to a biometric, so that neither
    the key nor the biometric can be retrieved from
    the stored template. The key is re-created only
    if the correct live biometric sample is presented
    on verification.

24
4. Biometric Encryption (BE): Use Biometric as the Encryption Key
[Diagram: the user's biometric and a key enter the BE binding algorithm; the output, the biometrically-encrypted key (110011001011 ..110), is what gets stored.]
25
4. Biometric Encryption (BE): Decrypt with Same Biometric
[Diagram: the stored biometrically-encrypted key (110011001011 ..110) and a live biometric sample (verification) enter the BE retrieval algorithm; the key (0101100101) is retrieved.]
26
4. BE Advantages
  • BE technologies can enhance privacy and security.
  • Some key advantages offered:
  • 1. NO Retention of biometric image or template
  • 2. Multiple / cancellable / revocable identifiers
  • 3. Improved authentication security: stronger
    binding of user biometric & system identifier
  • 4. Improved security of personal data and
    communications
  • 5. Greater public confidence, acceptance, use and
    compliance with privacy & data protection laws

27
4. BE Advantages
  • NO Retention of biometric image or template
  • Best privacy practice is not to disclose /
    collect PII at all in the first place, if
    possible.
  • Most privacy and security concerns derive from
    storage and misuse of the biometric data.
  • Mitigates the risks of data matching,
    surveillance, profiling, interception, data
    security breaches, identity theft...
  • User retains (local) control and use of their own
    biometric

28
4. BE Advantages
  • 2. Multiple / cancellable / revocable identifiers
  • BE allows individuals to use one biometric for
    multiple accounts and identifiers without fear
    that identifiers will be linked together.
  • If an account identifier becomes compromised,
    there is less risk that all the other accounts
    will be compromised, i.e., no need to change
    one's fingers!
  • BE technologies make it possible to change or
    recompute account identifiers: identifiers can be
    revoked or cancelled, and replaced by newly
    generated ones calculated from the same biometric!

29
4. BE Advantages
  • 3. Improved authentication security: stronger
    binding of user biometric & system identifier
  • Account identifiers are re-computed directly from
    the biometric, not merely linked to it
  • Results are much stronger account identifiers:
  • longer, more complex identifiers
  • no need for user memorization
  • less susceptible to security attacks
  • Security of BE technology can be augmented by the
    use of tokens and additional PINs, if needed

30
4. BE Advantages
  • 4. Improved security of personal data and
    communications
  • Users can take advantage of the convenience and
    ease of BE technologies to encrypt their own
    personal or sensitive data.
  • Since the key is one's own biometric, used
    locally, this technology could place a powerful
    tool in the hands of individuals
  • This is encryption for the masses, made easy!

31
4. BE Advantages
  • 5. Greater public confidence, acceptance, use and
    compliance with privacy & data protection laws
  • Public confidence, trust are necessary
    ingredients for the success of any biometric
    system deployment.
  • Governance policies and procedures only go so
    far. Privacy, security and trust should be built
    directly into the biometric hardware and info
    system.
  • BE puts biometric data under control and use of
    the individual, promotes broader acceptance and
    use of biometrics.

32
4. Biometric Encryption
  • BE embodies core privacy practices:
  • Data minimization: no retention of biometric
    image or template, minimizing potential for
    secondary uses, loss, misuse
  • Maximal individual control: individuals keep
    their biometric data private, and can use it to
    generate or change unique (anonymous) account
    identifiers, and encrypt own data.
  • Improved security: authentication, communication
    and data security are enhanced.

33
Possible Applications and Uses of Biometric
Encryption
  • Biometric ticketing for events
  • Biometric boarding cards for air travel
  • Identification, credit and loyalty card systems
  • Anonymous (untraceable) labeling of sensitive
    records (medical, financial)
  • Consumer biometric payment systems
  • Access control to personal computing devices
  • Personal encryption products
  • Local or remote authentication to access files
    held by government and other various
    organizations.

34
4. Biometric Encryption (BE): BE Case Scenarios
(from paper)
  • Small-scale use (personal authentication)
  • Anonymous (untraceable) database (access to
    hospital records)
  • Travel documents (3-way checks)

35
Three-way Check in the ePassport Scenario (Philips)
[Diagram; steps as labelled on the slide, steps 2 and 6 not legible in the transcript:
1. Measure biometric
3. Bio-encrypted key
4. Retrieve key1 from live biometric and bio-encrypted key
5. Retrieve key2 from smartcard biometric and bio-encrypted key
7. Match hashed key, hashed key1, hashed key2
Actors shown: Kiosk, Border control]
Van der Veen et al., 2006
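The bind and retrieve steps of slides 23 to 25, the revocable per-account identifiers of slide 28 and the three-way check of slide 35 all rest on one mechanism, so one added example covers all three. It is not code from the IPC paper, from Philips or from van der Veen et al.; it realises the key binding the slides describe as a fuzzy commitment (Juels and Wattenberg, 1999), one well-known way to do so. Everything beyond the slides' own words is assumed: the biometric is taken as a fixed-length bit string (feature extraction is out of scope), sensor noise is modelled as random bit flips, the error-correcting code is a repetition code chosen for readability, the sample bit strings are constructed from a seeded generator, and the names bind, retrieve, three_way_check, key1 and key2 follow the slides' wording rather than any product's API.

```python
"""Key binding in the style of a fuzzy commitment (Juels & Wattenberg, 1999).

Added example; not code from the IPC paper, from Philips or from van der
Veen et al. Assumptions of ours, not the slides': the biometric is already a
fixed-length bit string (feature extraction is out of scope), sensor noise is
modelled as bit flips, and the error-correcting code is a repetition code
chosen for readability (deployed schemes use BCH/Reed-Solomon codes).
"""
import hashlib
import random
import secrets

KEY_BITS = 32                    # bits in the bound key (toy size)
REP = 5                          # copies of each key bit in the codeword
TEMPLATE_BITS = KEY_BITS * REP   # length of the biometric bit string

def encode(key_bits):
    """Repetition code: expand each key bit into REP copies."""
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    """Majority vote per REP-bit block; corrects up to (REP - 1) // 2 flips per block."""
    return [int(2 * sum(code_bits[i:i + REP]) > REP)
            for i in range(0, len(code_bits), REP)]

def key_hash(key_bits):
    """H(key): stored and compared in place of the key itself."""
    as_int = int("".join(map(str, key_bits)), 2)
    return hashlib.sha256(as_int.to_bytes((len(key_bits) + 7) // 8, "big")).hexdigest()

def bind(biometric):
    """Slide 24: bind a fresh random key to the biometric.

    The stored template is (codeword XOR biometric, H(key)); neither the key
    nor the biometric is stored in the clear. In this example H(key) also
    serves as the account identifier of slide 28."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    delta = [c ^ b for c, b in zip(encode(key), biometric)]
    return {"delta": delta, "check": key_hash(key)}

def retrieve(template, live_biometric):
    """Slide 25: recover the key from a live sample, or None if it is too far.

    delta XOR live = codeword XOR (enrolled XOR live): the code absorbs the
    difference only while each block carries fewer than REP / 2 flips."""
    candidate = decode([d ^ b for d, b in zip(template["delta"], live_biometric)])
    return candidate if key_hash(candidate) == template["check"] else None

def three_way_check(chip, live_biometric):
    """Slide 35 as we read the diagram: the chip holds a stored biometric, the
    bio-encrypted key and H(key). key1 comes from the live sample, key2 from
    the chip's own biometric; accept only if H(key) == H(key1) == H(key2)."""
    tmpl = chip["template"]
    key1 = retrieve(tmpl, live_biometric)     # live person vs template
    key2 = retrieve(tmpl, chip["biometric"])  # chip image vs template: spots a swapped image
    return (key1 is not None and key2 is not None
            and tmpl["check"] == key_hash(key1) == key_hash(key2))

def flip(bits, positions):
    """Constructed noise model: flip the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample data, seeded so the demo repeats.
_rng = random.Random(2007)
ENROLLED = [_rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
IMPOSTOR = [_rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
LIVE_OK = flip(ENROLLED, set(range(0, TEMPLATE_BITS, REP)))  # one flip per block: tolerated
LIVE_BAD = flip(ENROLLED, {0, 1, 2})                         # three flips in one block: too many

def demo_bind_retrieve():
    """Slides 24-25: noisy genuine sample succeeds; too-noisy and impostor samples fail."""
    tmpl = bind(ENROLLED)
    return (retrieve(tmpl, LIVE_OK) is not None,
            retrieve(tmpl, LIVE_BAD) is None,
            retrieve(tmpl, IMPOSTOR) is None)

def demo_cancellable_ids():
    """Slide 28: two accounts from one finger, then revoke one of them."""
    bank, clinic = bind(ENROLLED), bind(ENROLLED)
    bank_new = bind(ENROLLED)  # revocation: re-bind a fresh key, discard the old template
    ids_differ = bank["check"] != clinic["check"]
    keys_differ = retrieve(bank, LIVE_OK) != retrieve(clinic, LIVE_OK)
    revoked = bank_new["check"] != bank["check"] and retrieve(bank_new, LIVE_OK) is not None
    return ids_differ, keys_differ, revoked

def demo_three_way():
    """Slide 35: a genuine passport passes; one whose stored image was swapped fails."""
    chip = {"biometric": ENROLLED, "template": bind(ENROLLED)}
    tampered = {"biometric": IMPOSTOR, "template": chip["template"]}  # substitution attack
    return three_way_check(chip, LIVE_OK), three_way_check(tampered, LIVE_OK)

if __name__ == "__main__":
    print(demo_bind_retrieve(), demo_cancellable_ids(), demo_three_way())
```

Three caveats a practitioner should carry away from this toy. First, the slide title "use biometric as the encryption key" is loose: the biometric is never the key; a random key is bound to it, and the security of the stored template rests on the entropy of the biometric bit string (with KEY_BITS = 32, H(key) alone would fall to 2^32 guesses, so the sizes here are for reading, not for use). Second, a repetition code leaks far more than a BCH or Reed-Solomon code would, and two of this block's templates made from the same finger are linkable to anyone holding both, since their delta fields XOR to a valid codeword; slide 28's unlinkability claim needs more than plain fuzzy commitment provides. Third, the three-way check catches a swapped chip image only while the attacker cannot also swap the template and its hash; the slide does not say how those are protected, and in a deployment one would expect them to be covered by the issuer's signature (our assumption).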
36
4. Biometric Encryption
  • IPC Objectives
  • Stimulate demand for PETs Bring this biometric
    technology to attention of public, privacy
    advocates, policymakers it is possible and
    should be considered, even demanded.
  • Stimulate supply of PETs Encourage research,
    development and marketization of
    privacy-enhancing technologies as viable
    solutions for real-world problems.

37
5. Reactions & Follow-Up
38
5. Reactions & Follow-Up
  • BE Publication Distribution Process
  • Pre-publication release, vetting
  • Press release, website publication, etc.
  • Announced on key listservs (DPAs, biometrics,
    NPC-l, PETs)
  • Individualized mailouts (physical and electronic)
    to broad spectrum of public and private
    stakeholders (government, industry, research,
    academia, privacy advocates, consumer groups, etc.)
  • Submitted to various fora for review and posting

39
5. Reactions & Follow-Up
  • Significant Response and Feedback
  • Industry (Philips, IBM, Microsoft, Genkey,
    Sagem, Bell, VeriTouch,and others)
  • Research/Academic (U of T, Colorado, Carleton
    U., Fraunhofer Institute, Bruce Schneier, Kim
    Cameron, others in Europe, Canada, U.S.)
  • Policymakers (Government departments and
    agencies in Ontario, Canada, U.S., EU)

40
5. Reactions & Follow-Up
  • Future work
  • Stimulate attention and interest in untraceable
    biometrics, research and development
  • Trumpet BE pilots, success stories
  • Technology-agnostic w.r.t. technique/details
  • Encourage consideration, adoption by policymakers
    in both public and private sectors
  • Stimulate demand and supply of biometrics PETs
  • Improve BE accuracy, resilience against attacks

41
More Information
  • Biometric Encryption: A Positive-Sum Technology
    that Achieves Strong Authentication, Security AND
    Privacy: www.ipc.on.ca/index.asp?navid46fid1608fid24
  • and www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf
  • News Release: www.ipc.on.ca/images/Resources/up-2007_03_14_bio_encryp.pdf
  • Executive Summary:
    www.ipc.on.ca/images/Resources/up-bio_encryp_execsum.pdf
  • FAQ: www.ipc.on.ca/index.asp?navid46fid1608fid24

42
Questions? Comments?
  • Fred Carter
  • Senior Policy & Technology Advisor
  • Office of the Information & Privacy Commissioner /
    Ontario
  • 2 Bloor Street East, Suite 1400
  • Toronto, Ontario, Canada
  • M4W 1A8
  • Phone: (416) 326-3333
  • Web: www.ipc.on.ca
  • E-mail: info@ipc.on.ca