Security & Privacy in Biometric Systems Two Hindering Requirements?




Security & Privacy in Biometric Systems: Two Hindering Requirements?
Dip. Elettronica Applicata, Università degli Studi Roma TRE, Roma, Italy
www.comlab.uniroma3.it/campisi.htm, campisi@uniroma3.it

Road map
- Biometric systems security at a glance
- Biometric systems privacy: privacy connotations; privacy and biometrics; privacy-invasive biometric misuses; Fair Information Practices
- Security & Privacy
- How to protect privacy: procedural approach (best practices); Privacy Enhancing Technologies at a glance

The five pillars of security
- Data confidentiality: the protection of data from unauthorized disclosure.
- Authentication: the assurance that the communicating entity is the one it claims to be.
- Data integrity: the assurance that data received are exactly as sent by the authorized entity (no modification, insertion, deletion or replay).
- Non-repudiation: protection against denial, by one of the entities involved in a communication, of having participated in all or part of that communication.
- Access control: the prevention of unauthorized use of a resource: who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do.

Biometric system security
Security issues specific to biometrics:
- If a biometric is compromised once, it is compromised forever.
- A biometric cannot be replaced (whereas a new credit card can be issued).
- The number of biometric features is limited (one face, ten fingers, etc.).
- Biometric data do not allow revocation.

Security issues: points of attack (figure after Jain et al., IEEE Trans. IFS, June 2006)

What is privacy?
Privacy is the ability to keep other people out of your life, to be self-determined, and to have full control of your personal information. Four connotations are distinguished: decisional privacy, spatial privacy, intentional privacy and informational privacy.

Personal information
Personal information is any information that could be used in any way to identify an individual. This definition is deliberately general, so that it covers all the information that relates to an individual. Innocent data, that is data that may not appear to be personal information, can become personal information depending on how they are used. Example: if data that do not identify an individual are combined with other data that do not identify the individual either, the combined data may nevertheless identify that individual. All the data used in the combination therefore become personal information.

Privacy conceptualizations
- Decisional privacy: freedom of the individual to make private choices without undue interference.
- Spatial privacy: freedom from contact with other people or monitoring agents.
- Intentional privacy: right of the individual to forbid or prevent further communication of observable events (e.g. conversations, etc.) or features (e.g. publishing photos, etc.).
- Informational privacy: freedom of the individual to limit access to certain personal information about him/her.

Privacy and biometrics
User acceptance is crucial for the successful deployment of a biometric system, and privacy is a critical issue for acceptance. Biometric systems rely on the use of personal information, so a privacy compliance lifecycle is necessary to integrate privacy protection into a biometric system. Both the perceived threats to privacy and the real risks to privacy have to be taken into account when designing a biometric system.

Privacy-invasive biometric misuses (1/5)
- Unnecessary/unauthorized collection: without the user's permission or knowledge, or without a specific purpose.
- Unauthorized use of biometric data for purposes other than the intended one.
- Unauthorized disclosure: sharing or transmitting biometric information without the user's permission.
- Unique identifier: biometrics should not be used as a universal identifier, since they could be used to pinpoint and track a user across different databases for covert surveillance, profiling and social control.

Privacy-invasive biometric misuses (2/5)
- Violation of the principle of proportionality: biometric data may only be used if adequate, relevant and not excessive with respect to the system's goal. If this principle is violated, the users may feel that the benefit coming from donating their biometrics is much less than what they get in exchange.
- Identity theft: most biometric characteristics are observable in public (face, voice, fingerprint, gait, etc.), therefore they cannot be considered secrets.

Privacy-invasive biometric misuses (3/5)
- Improper storage/transmission: there are significant risks associated with the storage or transmission of templates or biometric images over non-secure networks. Raw biometrics cannot be revoked, cancelled or reissued if compromised: all the applications using that biometric are compromised.
- Administrator or operator misuse: potential misuse of privileges for accessing the biometric database.

Privacy-invasive biometric misuses (4/5)
- Function creep: gradually using biometrics for unauthorized or unintended purposes other than the original intention. Function creep can erode public trust and confidence in a system. Function creep occurs when:
  - companies adopt new technologies and do not define specific policies (policy vacuum); as a result the new technologies are used for very different purposes than the intended ones;
  - there is a need that is not satisfied;
  - there is a slippery-slope effect towards a new function.
- Large centralized databases are more prone to function creep.

Privacy-invasive biometric misuses (5/5)
- Revealing side personal information: gender, ethnicity, medical disposition, medical conditions or medications. Examples:
  - fingerprint pattern anomalies can be linked to some chromosomal disorders such as Down syndrome, Turner's syndrome, etc.;
  - iris or retina analysis can allow determining diseases like diabetes and hypertension;
  - vein patterns can reveal high blood pressure;
  - face traits can allow determining gender, ethnicity, Down syndrome, Marfan syndrome, etc.;
  - hand geometry can reveal Marfan syndrome, arthritis, gout, etc.

How to protect privacy
The protection of privacy is built on legislation, policy and technology:
- Legislation gives the basic principles, based on the Fair Information Practices, which have to be addressed by both policy makers and technicians (e.g. European Directive 95/46/EC).
- Procedural approaches: a privacy compliance lifecycle, aimed at integrating privacy protection into systems which collect, process or produce personal information; best practices.
- Technological approaches: Privacy Enhancing Technologies (PET).

OECD Privacy Guidelines
In 1980, the Organization for Economic Co-operation and Development (OECD) published a series of privacy guidelines for handling personal information, whose goals were to harmonise national privacy legislation and to prevent interruptions in international data flows. The OECD privacy guidelines formulate a set of eight principles, often referred to as Fair Information Practices: purpose specification, openness, collection limitation, data quality, accountability, use limitation, individual participation, and security safeguards.

Fair Information Practices (1/3)
- Purpose specification principle: the purpose for which the data are collected should be specified when the data are collected. Moreover, data usage should be limited to the fulfilment of the specified purposes and should not be changed.
- Openness principle: the objectives of research, the main purposes of the use of personal data, the policies and practices related to their protection, and the identity of the data controller should be open to the public.
- Collection limitation principle: personal data should be obtained by lawful and fair means and, whenever applicable, with the knowledge and consent of the individual.

Fair Information Practices (2/3)
- Data quality principle: personal data should be relevant, accurate, complete and up to date for the intended purposes.
- Accountability principle: a data controller should be accountable for complying with measures which give effect to the stated principles.
- Use limitation principle: personal data should not be made available for purposes other than the ones agreed with the individual under the purpose specification principle, except with the consent of the data subject or by the authority of the law.

Fair Information Practices (3/3)
- Individual participation principle: the individual should have the right to know from the data controller whether data regarding him are stored; to have such data communicated to him within a reasonable time, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is intelligible to him; to be given reasons if a request made under this principle is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
- Security safeguards principle: personal data should be protected against security risks like unauthorized disclosure, use, modification, destruction and loss.

Security & Privacy
Some clues can be obtained from the Fair Information Practices. Security safeguards principle: personal data should be protected against security risks like unauthorized disclosure, use, modification, destruction and loss. In practice you need security to have privacy. Is security enough to guarantee privacy?

Security & Privacy
Security: the information has to be made available to authorized users and protected from non-authorized users. The ultimate control over the data lies with the system owner/administrator.
Privacy: the set of authorized users has to be limited only to those users who need to know the data, and they must use the data for the reasons for which the data were collected in the first place (purpose specification, use limitation and collection limitation principles). The ultimate control over the data lies with the individual (individual participation principle).

How can we protect privacy?

Best Practices: scope and capabilities
- Scope limitation: expansion of scope should be limited.
- Universal unique identifier: to be avoided.
- Limited storage of biometric information: biometric data should be stored only for the necessary time.
- Collection or storage of extraneous information: should be limited to the minimum necessary for the intended scope.
- Storage of original biometric data: identifiable data (facial image, fingerprint image, etc.) should be destroyed, deleted or made useless after the templates are extracted.
(Source: International Biometric Group, www.bioprivacy.org)

Best Practices: user control of personal data
- Ability to un-enrol: users have the right to control usage of their biometric information and to have it deleted upon request (possible in non-mandatory systems).
- Correction mechanism: the individual must be able to correct and update any biometric identification information in the database, re-enrolling if needed.
- Anonymous enrolment: the user should be able, in some specific contexts, to enrol with some degree of anonymity.
(Source: International Biometric Group, www.bioprivacy.org)

Best Practices: disclosure, auditing
- Disclosure of system purposes and objectives: the purpose of the biometric system should be fully disclosed; disclose whether enrolment is optional or mandatory; disclose the protection measures for biometric data and systems; disclose the people responsible for system operation.
- Third-party auditing: since internal or external misuse can occur, independent system auditing should be implemented.
(Source: International Biometric Group, www.bioprivacy.org)

Best Practices: data protection
- Protection of biometric information during storage, transmission and matching: encryption, private networks, secure facilities. Protection of the post-match decision.
- Limited system access: access to biometric system functions and data should be limited to certain personnel under certain conditions.
- Segregation of biometric information: biometric data should be stored separately from personal information (name, address, medical data, etc.).
(Source: International Biometric Group, www.bioprivacy.org)

Template protection
Template protection is a key issue in the design of privacy-sympathetic systems. A template protection scheme should possess:
- Diversity: the protected template should not allow cross-matching across different databases (application-specific).
- Revocability: it should be possible to revoke a compromised template.
- Renewability: it should be possible to obtain a new template from the same biometric (user-specific).
- Security: it should be hard to obtain the original biometric from the secure template.
- Performance: the implemented protection scheme should not degrade the recognition performance of the biometric system.

Template distortions at a glance
Template distortions allow obtaining both cancelability and renewability by applying intentional distortions to the original biometrics. The distortions are either invertible (security relies on the chosen key) or non-invertible (security does not rely on the chosen key). Example (figure).
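As an added example that is not part of the slides, the Python sketch below implements one invertible, key-dependent distortion (a key-seeded bit permutation followed by an XOR mask) on a constructed 64-bit template, and checks the properties listed under template protection: matching still works in the protected domain, templates enrolled under different keys do not cross-match, a compromised template is renewed by re-enrolling with a fresh key, and the key holder can invert the distortion, which is why security rests on the key. The template size, matching threshold and per-application key values are assumptions made for the example.

```python
import hashlib
from random import Random

def _transform_params(key: bytes, n: int):
    # Derive a bit permutation and an XOR mask deterministically from the key,
    # so that the same key always produces the same distortion.
    rng = Random(int.from_bytes(hashlib.sha256(key).digest(), "big"))
    order = list(range(n))
    rng.shuffle(order)
    mask = [rng.getrandbits(1) for _ in range(n)]
    return order, mask

def distort(template, key):
    # Protected template = permute(template) XOR mask. Both steps preserve
    # Hamming distance, so matching works in the protected domain (performance).
    order, mask = _transform_params(key, len(template))
    return [template[i] ^ m for i, m in zip(order, mask)]

def invert(protected, key):
    # Whoever holds the key undoes the distortion exactly: the security of an
    # invertible distortion rests entirely on the key, as the slide states.
    order, mask = _transform_params(key, len(protected))
    original = [0] * len(protected)
    for pos, (i, m) in enumerate(zip(order, mask)):
        original[i] = protected[pos] ^ m
    return original

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def verify(stored, probe, key, threshold):
    # Match a fresh acquisition (probe) against the stored protected template.
    return hamming(stored, distort(probe, key)) <= threshold

def toy_template(seed, n=64):
    # Constructed 64-bit stand-in for a binary biometric template.
    rng = Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def noisy_copy(template, flips, seed):
    # Constructed re-acquisition: the same template with `flips` bits changed.
    rng = Random(seed)
    out = list(template)
    for i in rng.sample(range(len(template)), flips):
        out[i] ^= 1
    return out

def demo(threshold=8):
    user = toy_template(1)
    probe = noisy_copy(user, flips=5, seed=2)
    key_a, key_b = b"app-A-key", b"app-B-key"   # assumed per-application keys
    stored_a = distort(user, key_a)
    return {
        "genuine_accepted": verify(stored_a, probe, key_a, threshold),
        # Diversity: the same user enrolled under another application's key
        # looks unrelated (about half of the 64 bits differ).
        "cross_app_distance": hamming(stored_a, distort(user, key_b)),
        # Revocability/renewability: a fresh key yields a fresh template.
        "reissued_differs": stored_a != distort(user, b"app-A-key-v2"),
        "key_holder_recovers_raw": invert(stored_a, key_a) == user,
    }
```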

Biometric cryptosystems at a glance
- Key release: the cryptographic key is stored together with the biometric template; after successful matching the key is released; requires template storage.
- Key binding: the key is bound to the biometric template in such a way that both of them are inaccessible to an attacker; after successful matching the key is released; does not require template storage.
- Key generation: the key is obtained directly from the biometric data.
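As an added example that is not part of the slides, the Python sketch below contrasts the key release and key binding approaches on a constructed bit-string biometric, using the fuzzy commitment construction (Juels and Wattenberg, 1999) as the key-binding scheme, which the slides do not name, and a 5-fold repetition code as a stand-in for a real error-correcting code. The 16-bit key, 80-bit template, error positions and acceptance threshold are constructed for the example.

```python
import hashlib
from random import Random

REPEAT = 5  # repetition-code rate: each key bit is spread over 5 template bits

def encode(key_bits):
    # Repetition code stands in for a real error-correcting code.
    return [b for b in key_bits for _ in range(REPEAT)]

def decode(code_bits):
    # Majority vote per block corrects up to 2 flipped bits in any block of 5.
    blocks = [code_bits[i:i + REPEAT] for i in range(0, len(code_bits), REPEAT)]
    return [int(2 * sum(blk) > REPEAT) for blk in blocks]

def bits_hash(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

# Key release: the template and the key both sit in the database record, so a
# database compromise exposes the raw template.
def key_release_enrol(template, key_bits):
    return {"template": template, "key": key_bits}

def key_release(record, probe, threshold):
    return record["key"] if hamming(record["template"], probe) <= threshold else None

# Key binding (fuzzy commitment): the record holds codeword XOR template and a
# hash of the key. Neither the template nor the key is stored in the clear, and
# the key is only recovered from a probe within the code's error tolerance.
def key_binding_enrol(template, key_bits):
    codeword = encode(key_bits)
    assert len(codeword) == len(template), "template length must match the code"
    return {"helper": [c ^ t for c, t in zip(codeword, template)],
            "key_hash": bits_hash(key_bits)}

def key_binding_release(record, probe):
    # helper XOR probe = codeword XOR (template XOR probe): the acquisition
    # noise becomes channel noise that the decoder removes.
    noisy_codeword = [h ^ p for h, p in zip(record["helper"], probe)]
    candidate = decode(noisy_codeword)
    return candidate if bits_hash(candidate) == record["key_hash"] else None

def demo():
    rng = Random(7)                                      # constructed data
    key = [rng.getrandbits(1) for _ in range(16)]
    template = [rng.getrandbits(1) for _ in range(16 * REPEAT)]
    probe = list(template)
    for i in (0, 7, 19, 33, 61):     # 5 acquisition errors, in 5 distinct blocks
        probe[i] ^= 1
    impostor = [rng.getrandbits(1) for _ in range(16 * REPEAT)]
    rel, bind = key_release_enrol(template, key), key_binding_enrol(template, key)
    return {
        "key": key,
        "key_release_genuine": key_release(rel, probe, threshold=8),
        "key_binding_genuine": key_binding_release(bind, probe),
        "key_binding_impostor": key_binding_release(bind, impostor),
        "raw_template_in_record": ("template" in rel, "template" in bind),
    }
```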

Conclusions
- Security is a key issue in the design of a biometric system; public concern about security is very high.
- Privacy is also a key issue in the design of a biometric system; public concern about privacy is increasing.
- Joint optimization of security and privacy is possible, to enhance system security and minimize privacy-invasive characteristics.
- It is possible to have both security and privacy, but government and industry need to care about it.

Thanks for your attention!
campisi@uniroma3.it, www.comlab.uniroma3.it/campisi.htm