EBF Research Seminar - 02 Oct 2007
© Information and Privacy Commissioner of Ontario, 2006
Biometric Encryption: Privacy-Enhancing Technology
European Biometrics Forum (EBF)
Research Seminar, Tuesday, 02 October 2007
Fred Carter, Senior Policy & Technology Advisor
Office of the Information & Privacy Commissioner / Ontario, Canada
Presentation Outline
1. IPC Work
2. FIPs, PETs
3. Biometrics and Privacy
4. BE & Anonymous Biometrics
5. Reactions and Follow-up
1. IPC work to date
• Independent agency of gov’t; we oversee three laws
• Longstanding interest & involvement in privacy, technology and law/compliance issues.
• IPC approach: constructive engagement; ICT both a threat to and opportunity for privacy; seek pragmatic “win-win” scenarios
• Some publications: Path to Anonymity; guidance on use of PKI, DRM, Privacy-embedded 7 Laws of Identity, Biometrics, Biometric Encryption; ID Theft; Intelligent Agents, P3P, RFID, Privacy and the Open Networked Enterprise, Privacy Diagnostic Tool; PIA for health, contactless smart cards; mobile device security; STEPs, etc.
IPC website: www.ipc.on.ca
1. IPC biometrics work
• Biometrics Program, Toronto (1994)
• Ontario Works Act (1997)
• Discussion & guidance papers (1999)
• Presentations, speeches, etc. (2000-)
• Statement to House of Commons Standing Committee on Citizenship & Immigration (2003)
• Resolution of Int’l DPAs (2005)
• EBF IBAC (2005-)
2. FIPs & PETs
2. PETs and FIPs
Our Mantra: “Build It In”
• Build in privacy – early into the architecture, design specs, and technologies; design must start from maximum privacy
• Assess all privacy risks: conduct privacy impact assessments; annual privacy audits
• Minimize collection, use, data: minimize routine collection, use, and retention of all personally identifiable data
• Be comprehensive and systematic: effective privacy requires an integrated approach; privacy must be applied to entire data systems and throughout the data life cycle
• Privacy rules must be enforced; enforcement must be trustworthy for system to earn trust and use.
• Use privacy enhancing technologies (PETs)
2. FIPs & PETs
Effective governance can come from:
1. Laws, legislation, regulation
2. Industry self-regulation, codes of conduct, best practices, guidelines, standards, policies, audit & certification practices…
3. PETs / Technology solutions
4. Public opinion / market acceptance
• Founded on the Fair Information Practices (FIPs)
• PETs just one element in the IPC privacy toolkit
2. PETs & FIPs
• Many FIPs in use around the world; they can be condensed into 3 primary and substantive impulses:
– 1. Data Minimization
– 2. User Participation and Control
– 3. Information Security
• Good success evangelizing to public policymakers, information security, auditors, developers, etc.
• Expressed in myriad ways, depending on context.
Privacy vs. Security (false dichotomy)
[Diagram: “Privacy” and “Security” shown as opposing halves]
Privacy OR Security: A Zero-Sum Game
Privacy AND Security
3. Biometrics and Privacy
3. Biometrics & Privacy
Privacy, Security Issues:
• Growing biometrics deployments and uses pose significant systemic risks to individual privacy and security
• Biometrics a lifetime permanent identifier, worse than a password (access control)
• Indiscriminate or excess collection of biometric data invites misuse
• System performance: accuracy and reliability
• Poor accountability will undermine trust, acceptance and use.
3. Privacy & Biometrics: Concerns
• Creation of large centralized databases
• Far-reaching consequences of errors in large-scale networked systems;
• Interoperability that invites unintended additional “secondary” uses
3. Biometrics & Security: The Risks
• Spoofing
• Replay attacks
• Substitution attack
• Tampering
• Masquerade attack
• Trojan horse attacks
• Overriding Yes/No response
• Insufficient accuracy
Identification: The Myth of Accuracy
• Problem with large centralized databases containing millions of biometric templates:
– False positives
– False negatives
3. Biometrics & Privacy: Accuracy and Reliability
• Accuracy and reliability are still viewed as major stumbling blocks for large-scale biometric applications (OECD Report on Biometric Technologies, June 2004);
http://appli1.oecd.org/olis/2003doc.nsf/linkto/dsti-iccp-reg(2003)2-final
• Serious consequences of false positives and negatives, errors, failure rates.
Authentication: Biometric Strength and Privacy
The strength of one-to-one matches:
• Authentication/verification does not require the central storage of biometric templates;
• Biometric may be stored locally, not centrally – on a smart card, token, travel document, etc.
3. Biometrics & Privacy: 1:1 versus 1:Many
• Privacy regulators favor 1:1 authentication (verification) over 1:many identification;
• The EU Article 29 Working Party Resolution on the use of biometrics in passports, identity cards and travel documents was passed by Data Protection and Privacy Commissioners in Montreux, Switzerland, 2005:
“…The Conference calls for the technical restriction of the use of biometrics in passports and identity cards to verification purposes comparing the data in the document with the data provided by the holder, when presenting the document.”
— 27th International Conference of Data Protection and Privacy Commissioners, Montreux, 16 September 2005
www.privacyconference2005.org/fileadmin/PDF/biometrie_resolution_e.pdf
3. Biometrics & Privacy: Centralized Databases
• Risks associated with large centralized, networked biometric databases;
• Article 29 Working Party, chaired by Peter Schaar, Germany’s federal Data Protection Commissioner, EU Opinion, August 2004 states, “The Working Party strictly opposes the storage of all EU passport holders’ biometric and other data in a centralized data base…”
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp112_en.pdf
3. Biometrics & Privacy: Interoperability
• Interoperable biometric databases invite additional purposes and secondary uses of the data;
• E.U. Data Protection Supervisor, Peter Hustinx, in his March 2006 Opinion, stressed that:
“Interoperability of systems must be implemented with due respect for data protection principles and in particular, the purpose limitation principle.”
Comments on the Communication of the Commission on interoperability of European databases, www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf
3. Biometrics & Privacy: Risks (Summary)
• unauthorized secondary uses of biometric data
• expanded surveillance tracking, profiling, and potential discrimination
• data misuse (data breach, identity fraud and theft)
• negative personal impacts of false matches, non-matches, system errors and failures
• diminished oversight, accountability, and openness of biometric data systems
• absence of individual knowledge and consent; loss of personal control
• loss of user confidence, acceptance and trust; potential negative backlash
4. Biometric Encryption
4. Biometric Encryption (BE): What is Biometric Encryption?
• Class of emerging “untraceable biometric” technologies that seek to irreversibly transform the biometric data provided by the user.
• BE is a process that securely binds a PIN or a cryptographic key to a biometric, so that neither the key nor the biometric can be retrieved from the stored template. The key is re-created only if the correct live biometric sample is presented on verification.
4. Biometric Encryption (BE): Use Biometric as the Encryption Key
[Diagram: Enrollment]
Biometric Image → Biometric Template (100110100010…010)
Randomly generated key (01011001…01)
BE binding algorithm combines the template and the key
Biometrically-encrypted key (110011001011…110) is stored
4. Biometric Encryption (BE): Decrypt with Same Biometric
[Diagram: Verification]
Fresh Biometric Image → Fresh Biometric Template (101100101010…000)
Biometrically-encrypted key (110011001011…110)
BE retrieval algorithm combines the fresh template and the stored bio-encrypted key
Key retrieved (01011001…01)
4. BE Advantages
BE technologies can enhance privacy and security. Some key advantages offered:
1. NO Retention of biometric image or template
2. Multiple / cancellable / revocable identifiers
3. Improved authentication security: stronger binding of user biometric & system identifier
4. Improved security of personal data and communications
5. Greater public confidence, acceptance, use → compliance with privacy & data protection laws
4. BE Advantages
1. NO Retention of biometric image or template
• Best privacy practice is not to disclose / collect PII at all in the first place, if possible.
• Most privacy and security concerns derive from storage and misuse of the biometric data.
• Mitigates against risks of potential data matching, surveillance, profiling; interception, data security breaches, identity theft...
• User retains (local) control and use of their own biometric
4. BE Advantages
2. Multiple / cancellable / revocable identifiers
• BE allows individuals to use one biometric for multiple accounts and identifiers without fear that identifiers will be linked together.
• If an account identifier becomes compromised, there is less risk that all the other accounts will be compromised, i.e., no need to change one's fingers!
• BE technologies make possible the ability to change or recompute account identifiers; identifiers can be revoked or cancelled, and substituted for newly generated ones calculated from the same biometric!
4. BE Advantages
3. Improved authentication security: stronger binding of user biometric & system identifier
• Account identifiers are re-computed directly from the biometric, not merely linked to it
• Results are much stronger account identifiers:
– longer, more complex identifiers
– no need for user memorization
– less susceptible to security attacks
• Security of BE technology can be augmented by the use of tokens and additional PINs, if needed
4. BE Advantages
4. Improved security of personal data and communications
• Users can take advantage of the convenience and ease of BE technologies to encrypt their own personal or sensitive data.
• Since the key is one's own biometric, used locally, this technology could place a powerful tool in the hands of individuals
• This is encryption for the masses, made easy!
4. BE Advantages
5. Greater public confidence, acceptance, use and compliance with privacy & data protection laws
• Public confidence, trust are necessary ingredients for the success of any biometric system deployment.
• Governance policies and procedures only go so far. Privacy, security and trust should be built directly into the biometric hardware and info system.
• BE puts biometric data under control and use of the individual, promotes broader acceptance and use of biometrics.
4. Biometric Encryption
BE Embodies core privacy practices:
1. Data minimization: no retention of biometric image or template, minimizing potential for secondary uses, loss, misuse
2. Maximal individual control: Individuals keep their biometric data private, and can use it to generate or change unique (“anonymous”) account identifiers, and encrypt own data.
3. Improved security: authentication, communication and data security are enhanced.
Possible Applications and Uses of Biometric Encryption
• Biometric ticketing for events;
• Biometric boarding cards for air travel;
• Identification, credit and loyalty card systems;
• “Anonymous” (untraceable) labeling of sensitive records (medical, financial);
• Consumer biometric payment systems;
• Access control to personal computing devices;
• Personal encryption products;
• Local or remote authentication to access files held by government and other various organizations.
4. Biometric Encryption (BE): BE Case Scenarios (from paper)
1. Small-scale use (personal authentication)
2. Anonymous (untraceable) database (access to hospital records)
3. Travel documents (3-way checks)
Three-way Check in the ePassport Scenario (Philips)
— Van der Veen et al, 2006
[Diagram: Biometric DB holds ID, Bio-encrypted key and Hashed key; Kiosk; Border control]
1. Measure biometric
2. Claim ID
3. Bio-encrypted key
4. Retrieve key1 from live biometric and bio-encrypted key
5. Retrieve key2 from smartcard biometric and bio-encrypted key
6. Hashed key1, key2
7. Match: Hashed key == Hashed key1 == Hashed key2
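The binding/retrieval steps from the enrollment and verification slides and the three-way hash match above, as an added example that is not the presentation's, Philips' or any vendor's code. It assumes a fuzzy-commitment style construction (key expanded by a repetition error-correcting code and XORed with the template), fixed-length bit-string templates, and constructed sample values.

```python
import hashlib
import secrets

# Toy fuzzy-commitment BE scheme (assumed construction, not the talk's own).
# Only the XOR-masked codeword ("bio-encrypted key") and a hash of the key
# are stored; neither the key nor the template is retained.
REP = 5        # each key bit repeated 5 times: corrects up to 2 flips per group
KEY_BITS = 8   # toy key length; real schemes bind 128-bit keys


def ecc_encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]


def ecc_decode(code_bits):
    """Majority vote inside each group of REP bits."""
    return [int(sum(code_bits[i:i + REP]) * 2 > REP)
            for i in range(0, len(code_bits), REP)]


def key_hash(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def be_bind(template):
    """Enrollment: random key bound to the template; returns what is stored."""
    assert len(template) == KEY_BITS * REP
    key = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    helper = [c ^ t for c, t in zip(ecc_encode(key), template)]
    return helper, key_hash(key)      # key and template are discarded here


def be_retrieve(helper, fresh_template):
    """Verification: unmask with the fresh sample and correct residual bit errors."""
    assert len(fresh_template) == len(helper)
    return ecc_decode([h ^ t for h, t in zip(helper, fresh_template)])


def three_way_check(stored_hash, helper, live_template, card_template):
    """ePassport scenario: key1 from the live sample, key2 from the card's
    template; the DB hash and both retrieved-key hashes must all agree."""
    h1 = key_hash(be_retrieve(helper, live_template))
    h2 = key_hash(be_retrieve(helper, card_template))
    return stored_hash == h1 == h2


def flip_bits(bits, positions):
    """Simulate sensor noise on a constructed template."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out
```

With at most two flipped bits per 5-bit group the original key (and hence its hash) is recovered; three flips in one group change a key bit and the match fails, which is the behaviour the slides describe as "only if the correct live biometric sample is presented".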
4. Biometric Encryption
IPC Objectives:
• Stimulate demand for PETs: Bring this biometric technology to attention of public, privacy advocates, policymakers: it is possible and should be considered, even demanded.
• Stimulate supply of PETs: Encourage research, development and marketization of privacy-enhancing technologies as viable solutions for real-world problems.
5. Reactions & Follow-Up
5. Reactions & Follow-Up
BE Publication & Distribution Process
• Pre-publication release, vetting…
• Press release, website publication, etc.
• Announced on key listservs (DPAs, biometrics, NPC-l, PETs)
• Individualized mailouts (physical and electronic) to broad spectrum of public and private stakeholders (government, industry, research, academia, privacy advocates, consumer groups, etc)
• Submitted to various fora for review and posting
5. Reactions & Follow-Up
Significant Response and Feedback:
• Industry: (Philips, IBM, Microsoft, Genkey, Sagem, Bell, VeriTouch,and others)
• Research/Academic: (U of T, Colorado, Carleton U., Fraunhofer Institute, Bruce Schneier, Kim Cameron, others in Europe, Canada, U.S.)
• Policymakers: (Government departments and agencies in Ontario, Canada, U.S., EU…)
5. Reactions & Follow-Up
Future work:
• Stimulate attention and interest in untraceable biometrics, research and development
• Trumpet BE pilots, success stories
• Technology-agnostic w.r.t. technique/details
• Encourage consideration, adoption by policymakers in both public and private sectors
• Stimulate demand and supply of biometrics PETs
• Improve BE accuracy, resilience against attacks
More Information
Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy: www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4
and: www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf
News Release: www.ipc.on.ca/images/Resources/up-2007_03_14_bio_encryp.pdf
Executive Summary: www.ipc.on.ca/images/Resources/up-bio_encryp_execsum.pdf
FAQ: www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4
Questions? Comments?
Fred Carter, Senior Policy & Technology Advisor
Office of Information & Privacy Commissioner / Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]