© Information and Privacy Commissioner of Ontario, 2006 EBF Research Seminar - 02 Oct 2007 Biometric Encryption: Privacy-Enhancing Technology European

EBF Research Seminar - 02 Oct 2007

© Information and Privacy Commissioner of Ontario, 2006

Biometric Encryption:Privacy-Enhancing Technology

European Biometrics Forum (EBF)

Research SeminarTuesday, 02 October 2007

Fred CarterFred CarterSenior Policy & Technology Advisor

Office of the Information & Privacy Commissioner / Ontario, Canada



Presentation Outline

1. IPC Work

2. FIPs, PETs

3. Biometrics and Privacy

4. BE & Anonymous Biometrics

5. Reactions and Follow-up



1. IPC work to date

• Independent agency of gov’t; we oversee three laws• Longstanding interest & involvement in privacy,

technology and law/compliance issues.• IPC approach: constructive engagement; ICT both a

threat to and opportunity for privacy; seek pragmatic “win-win” scenarios

• Some publications: Path to Anonymity; guidance on use of PKI, DRM, Privacy-embedded 7 Laws of Identity, Biometrics, Biometric Encryption; ID Theft; Intelligent Agents, P3P, RFID, Privacy and the Open Networked Enterprise, Privacy Diagnostic Tool; PIA for health, contactless smart cards; mobile device security; STEPs, etc.IPC website: www.ipc.on.ca



1. IPC biometrics work

• Biometrics Program, Toronto (1994)• Ontario Works Act (1997)• Discussion & guidance papers (1999)• Presentations, speeches, etc. (2000-)• Statement to House of Commons Standing

Committee on Citizenship & Immigration (2003)• Resolution of Int’l DPAs (2005)• EBF IBAC (2005-)



2. FIPs & PETs



2. PETS and FIPsOur Mantra: “Build It In”

• Build in privacy – early into the architecture, design specs, and technologies; design must start from maximum privacy

• Assess all privacy risks: conduct privacy impact assessments; annual privacy audits

• Minimize collection, use, data: minimize routine collection, use, and retention of all personally identifiable data

• Be comprehensive and systematic: effective privacy requires an integrated approach; privacy must be applied to entire data systems and throughout the data life cycle

• Privacy rules must be enforced; enforcement must be trustworthy for system to earn trust and use.

• Use privacy enhancing technologies (PETs)



2. FIPs & PETs

Effective governance can come from:

1. Laws, legislation, regulation

2. Industry self-regulation, codes of conduct, best practices, guidelines, standards, policies, audit & certification practices…

3. PETs / Technology solutions

4. Public opinion / market acceptance

• Founded on the Fair Information Practices (FIPs)• PETs just one element in the IPC privacy toolkit



2. PETs & FIPs

• Many FIPs in use around the world; they can be condensed into 3 primary and substantive impulses:– 1. Data Minimization– 2. User Participation and Control– 3. Information Security

• Good success evangelizing to public policymakers, information security, auditors, developers, etc.

• Expressed in myriad ways, depending on context.



Privacy vs. Security(false dichotomy)

Privacy

Secu

rity

Privacy OR Security:A Zero-Sum Game



Privacy AND Security



3. Biometrics and Privacy



3. Biometrics & Privacy

Privacy, Security Issues:

• Growing biometrics deployments and uses pose significant systemic risks to individual privacy and security

• Biometrics a lifetime permanent identifier, worse than a password (access control)

• Indiscriminate or excess collection of biometric data invites misuse

• System performance: accuracy and reliability• Poor accountability will undermine trust,

acceptance and use.



• Creation of large centralized databases

• Far-reaching consequences of errors in large-scale networked systems;

• Interoperability that invites unintended additional “secondary” uses

3. Privacy & Biometrics:Concerns



3. Biometrics & SecurityThe Risks

• Spoofing• Replay attacks• Substitution attack: • Tampering• Masquerade attack• Trojan horse attacks• Overriding Yes/No response• Insufficient accuracy



Identification:The Myth of Accuracy

• Problem with large centralized databases containing millions of biometric templates:

– False positives

– False negatives



3. Biometrics & PrivacyAccuracy and Reliability

• Accuracy and reliability are still viewed as major stumbling blocks for large-scale biometric applications (OECD Report on Biometric Technologies, June 2004);

http://appli1.oecd.org/olis/2003doc.nsf/linkto/dsti-iccp-reg(2003)2-final

• Serious consequences of false positives and negatives, errors, failure rates.



Authentication:Biometric Strength and Privacy

The strength of one-to-one matches:

• Authentication/verification does not require the central storage of biometric templates;

• Biometric may be stored locally, not centrally – on a smart card, token, travel document, etc.



3. Biometrics & Privacy1:1 versus 1:Many

• Privacy regulators favor 1:1 authentication (verification) over 1:many identification;

• The EU Article 29 Working Party Resolution on the use of biometrics in passports, identity cards and travel documents was passed by Data Protection and Privacy Commissioners in Montreux, Switzerland, 2005:

“…The Conference calls for the technical restriction of the use of biometrics in passports and identity cards to verification purposes comparing the data in the document with the data provided by the holder, when presenting the document.”

— 27th International Conference of Data Protection and Privacy Commissioners, Montreux, 16 September 2005

www.privacyconference2005.org/fileadmin/PDF/biometrie_resolution_e.pdf



3. Biometrics & PrivacyCentralized Databases

• Risks associated with large centralized, networked biometric databases;

• Article 29 Working Party, chaired by Peter Schaar, Germany’s federal Data Protection Commissioner, EU Opinion, August 2004 states, “The Working Party strictly opposes the storage of all EU passport holders’ biometric and other data in a centralized data base…”

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp112_en.pdf



3. Biometrics & PrivacyInteroperability

• Interoperable biometric databases invite additional purposes and secondary uses of the data;

• E.U. Data Protection Supervisor, Peter Hustinx, in his March 2006 Opinion, stressed that:

“Interoperability of systems must be implemented with due respect for data protection principles and in particular, the purpose limitation principle.”

Comments on the Communication of the Commission on interoperability of European databases, www.edps.eu.int/legislation/Comments/06-03-10_Comments_interoperability_EN.pdf



3. Biometrics & PrivacyRisks (Summary)

• unauthorized secondary uses of biometric data• expanded surveillance tracking, profiling, and

potential discrimination• data misuse (data breach, identity fraud and theft)• negative personal impacts of false matches,

non-matches, system errors and failures• diminished oversight, accountability, and openness

of biometric data systems• absence of individual knowledge and consent;

loss of personal control• loss of user confidence, acceptance and trust;

potential negative backlash



4. Biometric Encryption



4. Biometric Encryption (BE)What is Biometric Encryption?

• Class of emerging “untraceable biometric” technologies that seek to irreversibly transform the biometric data provided by the user.

• BE is a process that securely binds a PIN or a cryptographic key to a biometric, so that neither the key nor the biometric can be retrieved from the stored template. The key is re-created only if the correct live biometric sample is presented on verification.



4. Biometric Encryption (BE) Use Biometric as the Encryption Key

110011001011………………..110

01011001…01

Randomly generated key

Biometrically-encrypted key is stored

Enrollment

Biometric Image

100110100010…………………010

Biometric Template

BE binding algorithm



4. Biometric Encryption (BE) Decrypt with Same Biometric

Verification

101100101010…………………000

Fresh Biometric Template

110011001011………………..110

Biometrically-encrypted key

BE retrieval algorithm

01011001…01

Key retrieved

Fresh Biometric Image



4. BE AdvantagesBE technologies can enhance privacy and security. Some key advantages offered:1. NO Retention of biometric image or template2. Multiple / cancellable / revocable identifiers3. Improved authentication security: stronger binding of user biometric & system identifier4. Improved security of personal data and communications5. Greater public confidence, acceptance, use à compliance with privacy & data protection laws



4. BE Advantages

1. NO Retention of biometric image or template• Best privacy practice is not to disclose / collect PII

at all in the first place, if possible.• Most privacy and security concerns derive from

storage and misuse of the biometric data.• Mitigates against risks of potential data matching,

surveillance, profiling; interception, data security breaches, identity theft...

• User retains (local) control and use of their own biometric



4. BE Advantages

2. Multiple / cancellable / revocable identifiers• BE allows individuals to use one biometric for

multiple accounts and identifiers without fear that identifiers will be linked together.

• If an account identifier becomes compromised, there is less risk that all the other accounts will be compromised, i.e., no need to change one's fingers!

• BE technologies make possible the ability to change or recompute account identifiers; identifiers can be revoked or cancelled, and substituted for newly generated ones calculated from the same biometric!



4. BE Advantages

3. Improved authentication security: stronger binding of user biometric & system identifier

• Account identifiers are re-computed directly from the biometric, not merely linked to it

• Results are much stronger account identifiers: – longer, more complex identifiers– no need for user memorization– less susceptible to security attacks

• Security of BE technology can be augmented by the use of tokens and additional PINs, if needed



4. BE Advantages

4. Improved security of personal data and communications

• Users can take advantage of the convenience and ease of BE technologies to encrypt their own personal or sensitive data.

• Since the key is one's own biometric, used locally, this technology could place a powerful tool in the hands of individuals

• This is encryption for the masses, made easy!



4. BE Advantages

5. Greater public confidence, acceptance, use and compliance with privacy & data protection laws

• Public confidence, trust are necessary ingredients for the success of any biometric system deployment.

• Governance policies and procedures only go so far. Privacy, security and trust should be built directly into the biometric hardware and info system.

• BE puts biometric data under control and use of the individual, promotes broader acceptance and use of biometrics.




BE Embodies core privacy practices:

1. Data minimization: no retention of biometric image or template, minimizing potential for secondary uses, loss, misuse

2. Maximal individual control: Individuals keep their biometric data private, and can use it to generate or change unique (“anonymous”) account identifiers, and encrypt own data.

3. Improved security: authentication, communication and data security are enhanced.



• Biometric ticketing for events;• Biometric boarding cards for air travel;• Identification, credit and loyalty card systems;• “Anonymous” (untraceable) labeling of sensitive

records (medical, financial);• Consumer biometric payment systems;• Access control to personal computing devices;• Personal encryption products;• Local or remote authentication to access files held

by government and other various organizations.

Possible Applications and Uses of Biometric Encryption



1. Small-scale use(personal authentication)

2. Anonymous (untraceable) database(access to hospital records)

3. Travel documents(3-way checks)

4. Biometric Encryption (BE) BE Case Scenarios (from paper)



Three-way-Check in the ePassport Scenario (Philips)

— Van der Veen et al, 2006

IDBio-encrypted

keyHashed key

Biometric DB

Kiosk Border control

1. Measure biometric

2. Claim ID

3. Bio-encrypted key

4. Retrieve key1 from live biometric and bio-encrypted key

5. Retrieve key2 from smartcard biometric and bio-encrypted key

6. Hashed key1, key2

7. Match:Hashed key == Hashed key1== Hashed key2




IPC Objectives: • Stimulate demand for PETs: Bring this biometric

technology to attention of public, privacy advocates, policymakers: it is possible and should be considered, even demanded.

• Stimulate supply of PETs: Encourage research, development and marketization of privacy-enhancing technologies as viable solutions for real-world problems.



5. Reactions & Follow-Up




BE Publication & Distribution Process• Pre-publication release, vetting…• Press release, website publication, etc.• Announced on key listservs

(DPAs, biometrics, NPC-l, PETs)• Individualized mailouts (physical and electronic) to

broad spectrum of public and private stakeholders(government, industry, research, academia, pivacy advocates, consumer groups, etc)

• Submitted to various fora for review and posting




Significant Response and Feedback:

• Industry: (Philips, IBM, Microsoft, Genkey, Sagem, Bell, VeriTouch,and others)

• Research/Academic: (U of T, Colorado, Carleton U., Fraunhofer Institute, Bruce Schneier, Kim Cameron, others in Europe, Canada, U.S.)

• Policymakers: (Government departments and agencies in Ontario, Canada, U.S., EU…)




Future work:

• Stimulate attention and interest in untraceable biometrics, research and development

• Trumpet BE pilots, success stories• Technology-agnostic w.r.t. technique/details• Encourage consideration, adoption by policymakers

in both public and private sectors• Stimulate demand and supply of biometrics PETs• Improve BE accuracy, resilience against attacks



More Information

Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy: www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4

and: www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf

News Release: www.ipc.on.ca/images/Resources/up-2007_03_14_bio_encryp.pdf

Executive Summary:www.ipc.on.ca/images/Resources/up-bio_encryp_execsum.pdf

FAQ: www.ipc.on.ca/index.asp?navid=46&fid1=608&fid2=4



Questions? Comments?

Fred CarterFred CarterSenior Policy & Technology Advisor

Office of Information & Privacy Commissioner / Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario, Canada

M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]

Documents

© Information and Privacy Commissioner of Ontario, 2006 EBF Research Seminar - 02 Oct 2007 Biometric Encryption: Privacy-Enhancing Technology European