Opinion and recommendations on challenges raised by biometric developments

Transcription

1 Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future uses of biometric data and technologies initiated by the Science and Technology Committee: What are the key challenges facing both Government and industry in developing, implementing and regulating new technologies that rely on biometric data? How might these be addressed?

2 Content Risks arising from the implementation of biometric systems Emergence of new usages Issues raised at the development and implementation stages... 4 Recommendations for designing a privacy-compliant environment... 7 Natural Security Alliance: A case-study and Best practices... 8 Conclusion... 9 Appendix The products used for the biometrics authentication must have been approved by Natural Security Alliance according to the Type Approval Process

3 Biometrics has changed considerably in recent years as technology has continued to evolve. The most recent development was announced a few weeks ago, with the launch of a new smartphone embedding biometric technology. New technologies have created new usages, raising issues and challenges that both industry and government must handle either immediately or in the near future, especially with regard to privacy and data protection. In order to support and not restrict technological development while avoiding unwanted creep of any kind, solutions need to be defined quickly. This position paper addresses questions around the challenges faced by industry and government in developing, implementing and regulating biometric technologies. It describes the changes in technology and the emerging usages, and explains the challenges they pose. It offers recommendations for overcoming these challenges, which are illustrated using a case study on and best practices of Natural Security Alliance.

4 Risks arising from the implementation of biometric systems Technological developments and the deployment of biometric technologies have made it possible to precisely determine risks to privacy and data protection Emergence of new usages Biometric authentication: one-to-many Biometric authentication based on identification requires checking an identity against a database in order to identify an individual. Traditionally, this method has been used to restrict and control access to sensitive information, goods and places. As advances in technology have enabled actors to easily create databases and made biometric readers affordable, biometric authentication has crossed over into daily life. Biometric identification is now implemented to control logical and physical access even to buildings or services that only require a lower level of security. Biometric authentication: one-to-one The verification-based method requires checking one identity against another. The aim is not to identify an individual but to confirm or refute that he/she is who he/she claims to be. Biometric verification is starting to be mass deployed, especially through the use of biometric readers embedded in new smartphones and other personal devices. Such devices are carried by the owner and store his/her biometric data. When the owner needs to be authenticated, the biometric data obtained by the reader are compared to those stored on the personal device. The verification method and widespread deployment of devices, especially smartphones, have extended the scope of application for biometric authentication. This technology can be used to lock and unlock a smartphone, for authentication to online and app-based services, for face-to-face payment, and so on. With the release of new smartphones, banks are starting to provide app-based solutions so users can consult their accounts online and pay in stores using just their fingerprint. It is easy to predict that within a few years biometrics will be used to access every kind of physical and virtual system. This will raise very specific issues Issues raised at the development and implementation stages Privacy and data protection Privacy and data protection are at stake in the area of biometrics. The data processed are of a special nature because they relate to the behavioural and physiological characteristics of an individual, which are typically unique and unchangeable and so allow for unique identification. Biometric authentication therefore raises many concerns. Depending on the biometric authentication method used, different threats may endanger a user s privacy because his/her biometric data may be unlawfully handled, for example collected, processed, retained or used in a way incompatible with the purposes for which they have been collected. There are two main risks. First, there is a risk that the user s biometric data may be stolen and re-used by the thief, which would compromise authentication of the legitimate user. Second, there is a risk that the biometric data may be used by the controller for incompatible purposes, taking away the user s control over his/her data. These risks are of particular concern when the biometric authentication is based on identification. The use of databases represents an exposure for the data subject for many reasons. First, authentication based on identification endangers privacy because biometric data are compared to a whole database until a match occurs. This means that personal data are always processed. Second, the data subject has no control over his/her own data, so data may be kept without his/her consent and re-used or shared with other controllers. Moreover, use of a database enables linkability between information and thus profiling.

5 Privacy and data protection can only be guaranteed through respect of Fair Information Principles. Security Security is inherent to privacy. Personal biometric data, though relatively easily accessible depending on the modality, must be stored in a confidential manner. This means that only the legitimate controller may access and process data. Three main risks are involved in security. First, there is a risk of spoofing, which occurs when fake biometric data are presented and accepted by an authentication system. The drastic shift from using biometric technologies solely in closed government applications to integration in mass-produced devices is creating larger windows of opportunity for understanding both the technology underlying the sensor and, as a result, the most suitable spoofing materials. Second, there is a significant risk of theft (leading to misuse or alteration, for example) when biometric data are transmitted from one device to another. Such transmission occurs for both identification (to the database) and verification (to the personal device). If communication is not secure along the channel from the biometric sensor though extraction and matching blocks to the database, there is the potential for an attack. Finally, there is a risk of theft from storage (leading to misuse or alteration, for example), which is particularly high when biometric data are stored in a database. Databases present a considerable risk for two reasons: First, large volumes of data are stored, often centrally, meaning huge banks of biometric data can be stolen in the event of a security breach. Second, databases can be accessed by a variety of actors who are not always legitimately authorized to access personal data. Even in the case of well secured access, administrative weaknesses may open the door to insider attacks whereby unscrupulous legitimate actors may tamper with the biometric data. The question of security in systems that rely on databases is more than debatable because of the underlying human factor. To make things worse, bearing reverse social engineering, stolen biometric data due to their unicity can unlock the Pandora s Box via function creep, making injecting a huge weakness in other biometric systems. Non-secure infrastructures may be vulnerable to Trojan horse attacks. Because systems based on biometric databases are often a cluster of different blocks with a link between the biometric reference data and the sensor, they are only as strong as their weakest link. The security framework should provide a broad bespoke testing panel to assess potential weaknesses in the biometric system, brought to a level of appreciation to the concerned implementation. The system should be corrected to obtain a more secure environment. User experience During authentication the user may not be aware that his/her biometric data are being processed. This is the case when authentication systems make use of second-generation biometric technologies. These technologies can authenticate individuals remotely without their knowledge. For instance, secret capture is possible when authentication is based on facial or iris recognition. This raises privacy concerns related to the legality and legitimacy of the data handling because the data subject is not required to play an active role. This makes it more difficult to establish whether the user has been informed or gave consent. User experience should be based on a voluntary action. Business transparency Depending on the openness to third parties, biometric systems can be more or less reliable and trustworthy. Reliability and trust come from the capacity of users to obtain information on and verify the hardware and software used. When

6 hardware and software can only be accessed by manufacturers, systems do not provide transparency and are therefore barely trustworthy or reliable. Biometric technologies should be open in order to facilitate evaluation and certification. Implementation The focus should be on both the technology and the implementation. Even though a technology may provide technical measures to mitigate risks, an implementer can intentionally use them for other purposes. In light of the multiplication of actors, this risk has to be taken into consideration, especially since the manufacturer is unlikely to be the final implementer. Along the chain, providers may change the essential purpose of a technology. There is a particularly high risk of such behaviour when smartphones embed biometric systems and third-party applications are allowed to use those systems. For instance, despite the privacy-friendly feature of a given biometric technology, such as storage on a personal device, an implementer could decide to store data elsewhere at the enrolment stage or to generate extra information from biometric data in order to establish profiles. Biometric data can also be used to track users by generating unique identifiers. Faced with these challenges, both industry and government must find appropriate solutions. The next section makes some recommendations, which are supported with a study case. Implementation choices should comply with relevant and local data protection laws, and help data controllers satisfy these requirements. Rules and recommendations should be defined to deal with implementation issues that go beyond purely technical questions. Risks to privacy when using biometrics Recommendations Risk of intrusion into private life and misuse by controllers, loss of control by data subject Systems designed according to Privacy-by-Design based on governmental recommendations Risk of theft, function creep, loss, alteration of the biometric data by a third party Security framework of the systems assess weaknesses in the light of the implementation Risk of surveillance and secret capture Implementation limited by Privacy Rules based on governmental recommendations Risk of opacity of the biometric system Systems based on an open standard, a certification scheme which reliability is reckoned by government Risk of hijacking Privacy compliant technology at the implementation Implementation limited by Privacy Rules based on governmental recommendations

7 Recommendations for designing a privacy-compliant environment Open standard Biometric authentication systems should be based on an open standard that can evolve as required. Standardisation ensures that all systems meet the same requirements. Because standards are based on and address multiple business needs, it also reduces the necessity to create as many products as there are needs. In addition, standards are tested during implementation and pilot programmes to guarantee the end result is technically reliable. Moreover, openness is crucial because it allows anyone to access the specifications and verify the requirements. This condition is fundamental for privacy because trust and reliability are based on the ability to check and control. Finally, an evolving standard can be used for existing as well as emerging technologies. This reinforces the universal characteristic of the standard, which can be adapted to various needs and requirements. Privacy by Design Compliance with privacy law can be achieved through technical measures. Privacy concerns should therefore be taken into consideration at the design stage to provide a Privacy By Design standard, which integrates technical measures to mitigate privacy risks. Any products implementing the standard would then have to implement the technical measures as well, making them privacy-compliant. Industry requires recommendations to determine which technical measures to implement and, before developing privacy-enhancing technologies, the legal certainty and legal security that those technical measures will resolve government concerns about privacy and data protection. Privacy by Design, especially with regard to biometrics, therefore requires government recommendations and guidelines. Certification scheme Certification aims to guarantee that the standard is correctly integrated in a product. Certification also provides secondary advantages such as transparency, openness and reliability for implementers, consumers, controllers and data subjects. In this regard, government should support certification schemes by recognising specific certifications, certification procedures and certification bodies. Government can play a key role by issuing labels certifying compliance with privacy and data protection laws. Such labels provide transparency and reliability for users, and encourage industry to adopt the standard and undergo certification. Privacy rules Privacy rules constitute an additional layer of directives that imposes contractual obligations on the implementers, who agree to provide biometric authentication in conformity with privacy and data protection requirements. Such obligations may be similar to or more stringent than those imposed by current data protection laws. Government should provide clear recommendations on biometric implementations so industry can develop an efficient code of conduct. In this regard, recommendations are preferable to hard law because biometric technologies will continue to evolve and raise new issues; soft law provides more flexibility and adaptability to respond to future challenges.

8 Implementation of privacy principles at each step of development Design PbD Open Standard - Inputs from stakeholders - Recommendations from regulator Certified integration of the standard into a product - Reliability established by the regulator Certification Privacy Rules regulating implementer control over data processing based on recommendations Implementation Natural Security Alliance: A case-study and Best practices An open standard developed by an Alliance Established in 2008 by a group of banks, retailers and manufacturers, the Natural Security standard defines an authentication method that can be used wherever a transaction takes place. The standard is backed by an alliance of actors working towards common goals: promote the use and adoption of the standard, and pioneer an ecosystem of solutions based on this standard. The Alliance brings together banks, retailers, solution manufacturers, solution providers, test laboratories and certification bodies. Within five months of inception, it already had 40 members.

9 Natural Security Alliance s unique approach to payment transaction and user authentication standardises the user experience and provides high levels of security, privacy and efficiency. It offers a single, user-centric authentication method designed especially for payment operations and access to services, and is both fast and simple to use. A privacy-enhancing technology By combing something the user has (a personal device storing the biometric data) and something the user is (the biometric feature), the Alliance makes it possible to reliably authenticate users without sacrificing security or privacy. The Alliance has incorporated a number of key privacy-enhancing features into the fundamental design of its authentication approach to address important data protection and privacy concerns. Technology must comply with the current security standard and rely on a voluntary action. Therefore, the Alliance encourages implementers to use data from fingers or hands, since such authentication requires the user to put his/her hand or finger on the reader. Biometric data must be stored in a secure environment, and it should be impossible to extract these data from the personal device or use them without the user s knowledge or consent. The Alliance acquires biometric data using a biometric reader, which securely transfers data directly to the secure element in the personal device. It does not store any biometric data itself, meaning no biometric data are stored in the enrolment station, any component of the enrolment station reader, or a database. A certification procedure A certification process has been devised by the Alliance to verify products using the standard to ensure the standard is implemented correctly. This represents the key step for marketing and selling such products. Privacy rules for implementers Natural Security Alliance provides implementers with privacy rules they can accept to follow. These rules impose stringent obligations concerning the implementation of products based on the standard. Under these privacy rules, implementers agree to not use a database and not store biometric data outside the personal device. They are obligated to provide a secure environment for collecting and processing biometric data by encrypting the data and securing the communication channel. They agree that authentication is to rely on a voluntary action made by the user instead of a remote system that operates without the user s knowledge or consent. Conclusion The use of biometrics is becoming widespread, and the scope of application is expanding. What was once a technology used solely in the public sector, especially by law enforcement agencies, has became a mass-deployed tool for daily use. The special nature of biometric data raises questions and poses risks around privacy and data protection. Users, like implementers and regulators, are facing new challenges. Biometric applications provide some real advantages and so should not be restricted or prohibited. But solutions must be found to prevent any sort of creep and protect both privacy and security. This paper has made recommendations along these lines for both industry and government actors. It has demonstrated that privacy concerns should be taken into account right from the design stage, and again during implementation. To encourage industry, and to provide a safe biometric environment, the government should provide support through recommendations and guidelines. Natural Security Alliance s model offers a good example of the values that should be encouraged (i.e. biometric authentication that does not compromise privacy or security) and the means to do so.

10 Appendix Privacy Rules by Natural Security Alliance Definition The terms below shall have the following definitions: Authentication: process of determining if the User is who he/she declares to be. Biometric reader: device that reads the User s biometric data and communicates with the User s Personal Device to authenticate the User. Data controller: legal person who controls and is responsible for the storage and use of personal information on a computer. Personal Device: personal device hold by the User in order to be authenticated. Enrolment Station: station used to register the User s biometric data on his/her Personal Device. User: individual who has registered his/her biometric data on his/her Personal Device and who can be authenticated with his/her consent by placing his/her finger or hand on the Biometric reader. Technology: a User-Authentication technology combining a mid-range contactless Personal Device and biometrics. Preamble Natural Security has developed a Technology combining a mid-range contactless Personal Device and biometrics. The Technology is universal and can be used for payment transactions and access to services. The Technology brings convenience, speed and security for Users and Data Controllers and at the same time ensures an efficient privacy protection of the User s personal data. One of the core values of Natural Security Alliance is privacy and convenience for Users. Privacy is inherent to the Technology as it prevents the tracking of Users and there is no data base storage. Biometric data are securely stored on the User s Personal Device itself and are therefore under the User s control at all time. The present privacy rules list the good practices in order to respect Natural Security Alliance values of the implementation of the Technology. They express the commitment of Data Controllers to share Natural Security Alliance values to guarantee privacy and security to Users. Article 1: The Objectives Data Controllers agree, when implementing the Technology, to observe the following rules: Protecting personal data of Users by forbidding biometric data-base; Protecting User s privacy by forbidding any network tracking;

11 Guaranteeing security to Users when using a product implemented with the Technology by adopting procedures and practices in compliance with the above goals; Data Controllers agree to respect any applicable legislation regarding data protection. Article 2: The Commitments Data Controllers shall comply with the following commitments when implementing the Technology in order to be in line with the values shared by Natural Security Alliance. 2.1 Approved products The products used for the biometrics authentication must have been approved by Natural Security Alliance according to the Type Approval Process. 2.2 Secure personal data storage 1. Biometric data shall be stored in a secure element. 2. Biometric data shall not be extracted from the Personal Device. 3. Personal data shall not be used without the consent of the User. The present rules only apply to data used for Authentication. Data used for authentication Data used for services Type of data Biometric templates Applications : payment, electronic signature, online and face to face authentication Access to data No-one shall have access to the biometric data stored. Access to these data are : - Limited to (and only to) a Data Controller and the User; - And only after the authentication by the User. Data Storage Storage on a secure element; No database storage. Personal data may be stored on a database for matching the authentication method in order to deliver the service Traceability No traceability of the biometric data. Traceability of the transaction (for example for security and accountability reasons)