
Privacy Laws and Business International Report


Safeguards for biometric identification [1998] PLBIRp 37; (1998) 46 Privacy Laws and Business International Report 11

Encryption safeguards biometric identification

SAFEGUARDS FOR BIOMETRIC DATA could be provided by encryption methods – but the technologies are not ready yet. The Privacy Laws & Business Workshop on Biometric Identification gathered experts, Privacy Commissioners and their staff to discuss the current trends, opportunities and threats of biometric identification.

Biometric identification means using unique biological characteristics, such as retina scans, to distinguish one person from another. As the method is more reliable than, say, identification cards, which can easily be tampered with, biometric identification is relatively safe and is already in use as a means of establishing identity. It is used in Ontario, for example, to avoid identity theft in relation to claiming social security benefits.

However, having the data in an electronic form allows the possibility of tracking people. Also, by collecting separate pieces of information on an individual, it is possible to build profiles of people without their knowledge or acceptance.

Examples of fields where biometric identification is already being used include the social security schemes in Ontario, Los Angeles and Spain, immigration control at five US airports and monitoring of employees’ attendance at Woolworth stores across Australia. Many more projects are at the planning stage, especially in the financial sector.

BIOMETRICS AS A STANDARDISED METHOD OF IDENTIFICATION?

The first speaker at the Privacy Laws & Business Workshop, held in Spain on 15th September, was Dr George Tomko, Chairman of Photonics Research, Ontario, Canada. He addressed both the security and the privacy aspects of biometric identification. He predicted that when biometrics become commonly used, we will soon have central fingerprint databases. This raises the question of unauthorised access, and the problem of secondary uses. For example, fingerprints left in a place that later becomes the scene of a crime could be compared by the police with those given for social security purposes. This would be an infringement of privacy, and regarded as illegal by the present government. However, there are no guarantees that the next government would see the issue in the same light.

So, what can be done to improve privacy protection? Even if the finger scans are not stored on the database, but their digital templates (a compressed version of the actual fingerprint) are stored instead, the police would be able to reconstruct the fingerprint from its digital template. Some vendors of biometric technology have suggested that different government agencies and organisations ought to have unique hardware and software algorithms so that the police cannot generate the same template. However, Dr Tomko believes that the system’s security should not be based on the possible attackers’ ignorance, or the security of an algorithm.

BIOMETRIC ENCRYPTION ENSURES PRIVACY

Dr Tomko has been involved in developing a new privacy-enhancing technology, biometric encryption, which can offer both privacy protection and good security. Biometric encryption uses a unique pattern, for example a fingerprint, as one’s personal privacy encryption key. The fingerprint would be used, for example, to code a personal identification number (PIN) for accessing a cash point. Only the coded PIN would be stored in the database. The actual fingerprint would not be stored. As a result, the person would not have given any clues as to his identity. The fingerprint decodes the PIN and the person is able to access his account. Biometric encryption can also be used to de-identify information contained in a database. This can be done by anonymising the information; the identity of an individual is separated from his sensitive information.

CHANGES HAVE TO BE MADE NOW

Dr Tomko emphasised that he does not regard the current “off-the-shelf” biometric systems as privacy friendly. New solutions need to be developed now before it is too late. However, a change is needed in the way we think. At the moment the emphasis is on security. Hopefully, through biometric encryption, security will become a by-product of protecting individuals’ privacy.

DATA PROTECTION LAW MAY NOT APPLY

The second speaker, Assistant Professor Robert van Kralingen from the Center for Law, Public Administration and Informatization at Tilburg University, the Netherlands, addressed the workshop by discussing whether data protection legislation applies in the field of biometrics. In his opinion, personal data is not being used when the data is decentralised, for example on a smart card. As the data could not be identified, it would not be personal data.

He also emphasised the difference between public and private sector uses. In the public sector, applications will probably have a legal basis. Legislation is needed when applications are introduced in fields where consumers will have no choice if they need to use the service. Examples of this type of service are the social security schemes. However, when we move to the private sector, consumers have a choice of whether or not to use a technology which is based on biometric identification.

Finally, he mentioned some international projects in biometric identification. In the Netherlands, a discussion is ensuing on whether biometrics could be used in passports. Other potential uses around the world include drivers’ licences, identification cards and various planned uses in the financial sector.

CANADA REGULATES BIOMETRICS

Dr Ann Cavoukian, the Ontario Information and Privacy Commissioner, explained how Canada had used law and technology to safeguard privacy when using biometric identification technology. The Municipality of Metropolitan Toronto had, as early as 1996, decided to use biometric identification to detect fraudulent claims for government benefits (PL&B Sept ‘96 pp. 29-30). While over 80% of the public supported the plan, the Privacy Commissioner’s office argued that the technology had to be as privacy-protective as possible, and based on legislative safeguards. The office worked very closely with the Ministry of Community and Social Services to influence the legislation that was to be introduced (the Social Assistance Reform Act). The law now includes most of the protections that were proposed by the Commissioner’s office. As a result, the following issues have to be taken into account:

a) Any biometric information that is collected under the Act must be encrypted.

b) The encrypted biometric information cannot be used to facilitate linkages to other biometric information or other databases.

c) It can only be stored or transmitted in encrypted form.

d) No programme information is to be retained with the encrypted biometric information.

MOVING TO HARDWARE-BASED ENCRYPTION

At the moment, the technology to meet the demands of the Act is not yet commercially available. Encrypted biometrics could be used as an effective method of authenticating one’s eligibility for government benefits without infringing individuals’ privacy. While technologies to enable biometric encryption are being tested, Dr Cavoukian has suggested that the city of Toronto should add hardware-based encryption to the existing software-based protections. Dr Cavoukian explained that the significance of the move to hardware-based protection cannot be underestimated. The hardware will know when to allow the linkage of a biometric to an identity, and when to disallow it.

INTERNATIONAL BIOMETRICS COUNCIL PROPOSED

Dr Cavoukian emphasised that privacy will need to be built into biometric systems right from the start. In addition to technological safeguards, legal and procedural steps are needed. She encouraged other Privacy Commissioners to have early consultations with those developing applications, rather than relying on a critical review once decisions have been made. She also proposed the formation of an International Biometrics Council to establish standards and definitions, and offer guidance to other jurisdictions which may not have yet considered biometrics.

ADDITIONAL SECURITY CHALLENGE

Marek Rejman-Greene, Security Consultant of British Telecommunications Laboratories, UK, looked at the main security considerations in the use of biometric identification. In his view, there has been relatively little analysis of security issues. Security systems are needed for authentication purposes, for example, checking that the person has not been registered before. There is a range of methods used, varying from fingerprints and hand shapes to face recognition and typing rhythmically on keyboards.

When securing systems, designers first have to look at the initial design; for example, do businesses trust their software? Secondly, how easy is it to defeat the system technically, and thirdly, how easy is it to make the system fail intentionally? At the moment, reliable recognition methods are still quite expensive. However, there are already some cheaper devices available, for example facial recognition on computer.

GENETIC DATA ALSO AT RISK

Associate Professor Mette Hartlev from the Institute of Legal Science at Copenhagen University addressed an issue related to biometrics: the protection of genetic data with regard to human tissue samples. These include an enormous information potential, but are currently not covered by the Danish data protection law. The question of whether human tissue samples should be covered is urgent in Denmark, where there are plans to set up a nation-wide DNA database for police use.

SHOULD RISKS BE ASSESSED BEFORE USE?

Charles Raab and Blair Stewart took slightly different viewpoints on the issue. Charles Raab, Reader at the Department of Politics, University of Edinburgh, discussed privacy risks in general, and took as an example the risks posed to individuals’ privacy by the use of biometric technologies. He asked whether we should see technologies as safe until proven dangerous, or dangerous until proven safe. Should the introduction of new information technologies be allowed without regulation concerning their possible effect on privacy? Raab emphasised that risk analysis should be brought into the process of policy-making and governmental decision-making more effectively.

Blair Stewart, New Zealand’s newly appointed Assistant Commissioner, spoke about privacy impact assessments, which may be used to evaluate risks arising from a new technology such as biometric identification. They are normally linked to concrete proposals, and they aim to find out the privacy risks of the proposal, the significance of those risks, and the availability of alternatives. He did not think that Privacy Commissioners could carry out privacy impact assessments; first of all, because of too few staff and small budgets, and secondly, because assessments are used in real projects and are not merely academic exercises. However, the Commissioners might use privacy impact reports in subsequent audits.

A set of papers from the Privacy Laws & Business 9th Privacy Commissioners’ Workshop on Biometric Identification is available from our office for £50.

Tel: +44 (0) 181 423 1300

