Biometrics and The Privacy Paradox

                      Ann Cavoukian, Ph.D.
                Information & Privacy Commissioner/Ontario

                            Privacy & Identity:
                The Promise & Perils of the Technological Age
www.ipc.on.ca

                        DePaul University, Chicago
                             October 14, 2004
  Privacy – What are the Issues?

• Expanded surveillance
• Diminished oversight
• Absence of knowledge/consent
• Loss of control



                Privacy Defined

• Informational Privacy: Data Protection

  - Personal control over the collection, use and
    disclosure of any recorded information about
    an identifiable individual

  - An organisation’s responsibility for data
    protection and safeguarding personal
    information in its custody or control

     OECD Guidelines on the Protection of Privacy
       and Transborder Flows of Personal Data

1.   Collection Limitation Principle
2.   Data Quality Principle
3.   Purpose Specification Principle
4.   Use Limitation Principle
5.   Security Safeguards Principle
6.   Openness Principle
7.   Individual Participation Principle
8.   Accountability Principle
            Growth of Biometrics

• U.S. Border Security Enhancement Act
• International Civil Aviation Organization approved
  facial recognition for travel documents
• EU to implement biometrics in passports and visas
• CANPASS and INSPASS programs
• AAMVA Unique Identifier Working Group

       The Myth of Accuracy

• The problem with large databases
  containing thousands (or millions)
  of biometric templates:
  - False positives
  - False negatives



      Biometric Applications

• Identification:
  one-to-many comparison
• Authentication:
  one-to-one comparison



        Biometric Identification:
        False Positive Challenge
Even if you have a 1 in 10,000 error rate per
fingerprint, then a person being scanned
against a million-record data set will be
flagged as positive 100 times. And that’s
every person. A system like that would be
useless because everyone would be a false
positive.
       Bruce Schneier, quoted in Ann Cavoukian’s Submission to the Standing
               Committee on Citizenship and Immigration, November 4, 2003
                                    http://www.ipc.on.ca/docs/110403ac-e.pdf
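
The arithmetic behind the quoted figure, as an added example that is not part of the original slides: it contrasts one-to-one authentication (N = 1) with one-to-many identification against a growing database. It assumes a fixed per-comparison false accept rate and independent comparisons; the function names are illustrative.

```python
import math


def expected_false_matches(far: float, gallery_size: int) -> float:
    """Expected number of enrolled templates that wrongly match one probe."""
    return far * gallery_size


def prob_any_false_match(far: float, gallery_size: int) -> float:
    """P(at least one false match) when one probe is compared to every template.

    Assumes independent comparisons: 1 - (1 - far)**N, evaluated with
    log1p/expm1 so tiny rates do not lose precision.
    """
    return -math.expm1(gallery_size * math.log1p(-far))


def max_gallery_size(far: float, max_false_alarm: float) -> int:
    """Largest gallery for which P(any false match) stays <= max_false_alarm."""
    return math.floor(math.log1p(-max_false_alarm) / math.log1p(-far))


if __name__ == "__main__":
    far = 1 / 10_000  # per-comparison error rate from the quote
    for n in (1, 100, 10_000, 1_000_000):  # N = 1 is one-to-one authentication
        print(f"N={n:>9,}"
              f"  expected false matches={expected_false_matches(far, n):8.2f}"
              f"  P(any false match)={prob_any_false_match(far, n):.4f}")
    print("gallery size keeping false alarms <= 1%:", max_gallery_size(far, 0.01))
```

At the quoted error rate, a one-to-many search stays under a 1% false alarm rate per person only while the database holds about 100 templates; a one-to-one check keeps the original 1-in-10,000 rate regardless of how many people are enrolled.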

        Biometric Identification

• False Negative Challenge:
  - Attackers could fool the system
  - Pay-offs high for compromising the
    system
  - Increased vulnerability to a target once
    a terrorist succeeds in obtaining a false
    negative: threat escalates considerably

             Biometric Strength:
               Authentication

• The strength of one-to-one matches
  - Authentication/verification does not require
    the central storage of templates
  - Biometrics can be stored locally, not
    centrally – on a smart card, passport, travel
    document, etc.


Designing Privacy Into Biometrics

• The Privacy Challenges:
  - Central template databases
  - Unacceptable error rates
  - Unrelated secondary uses



   Facial Recognition: the Dream

“Khalid Al-Midhar came to the attention of federal law enforcement
  about a year ago. As the Saudi Arabian strolled into a meeting with
  some of Osama bin Laden’s lieutenants at a hotel in Kuala Lumpur
  in December 1999, he was videotaped by a Malaysian surveillance
  team. The tape was turned over to U.S. intelligence officials and,
  after several months, Al-Midhar’s name was put on the
  Immigration and Naturalization Service’s “watch list” of potential
  terrorists. … The videotape of Al-Midhar also could have been
  helpful. Using biometric profiling, it would have been possible to
  make a precise digital map of his face. This data could have been
  hooked up to airport surveillance cameras. When the cameras
  captured Al-Midhar, an alarm would have sounded, allowing cops
  to take him into custody.”
                           - Business Week, Sept. 13, 2001, p. 39



       Facial Recognition: the Reality

• Tests in place show less than stellar results
   - Logan Airport pilot had a 50% error rate in real-world conditions
   - U.S. State Department has stated that facial recognition has
      “unacceptably high error rates”
   - U of Ottawa tests this summer resulted in accuracy rates between
      75% and more than 90%
   - National Institute for Standards and Technology, under ‘ideal
      lighting and controlled environment conditions’, reported 90%
      accuracy
   - Super Bowl facial recognition no longer considered ‘useful’ by
      subsequent Super Bowl organizers

                                    “Biometrics Benched for Super Bowl”
                                        By Randy Dotinga, Wired Magazine

     Comparison of Accuracy Rates

NIST Studies show for single biometrics:
• Facial recognition:
  - 71.5% true accept @ 0.01 false accept rate
  - 90.3% true accept @ 1.0% false accept rate
• Fingerprint:
  - 99.4% true accept @ 0.01% false accept rate
  - 99.9% true accept @ 1.0% false accept rate


         Facial Recognition and Privacy
                   Research

• Confounding Facial Recognition systems:
  • Creating visual noise through:
      - Disguises, obstructions, light sources, face paint
  • Objective:
      - Creating a framework for facial recognition countermeasures
  • Results:
      - Research by James Alexander, U. Pennsylvania




               Biometrics Can Be
           Privacy-Enhancing, if they:
1. Have privacy hard-wired into the deployed technology
2. Authenticate personal credentials without necessarily
   revealing identity
3. Do not facilitate surveillance or tracking of an
   individual’s activities – avoid the use of
   template-based central databases
4. Put control of the biometric in the hands of the individual
5. Provide excellent security without compromising privacy

        Final Thoughts on Biometrics

• Current off-the-shelf biometrics permit the
  secondary uses of personal information
• The Goal: “Technology that allows for
  informational self-determination and makes good
  security a by-product of protecting one’s
  privacy”
• Using the biometric to encrypt a PIN or a standard
  encryption key will meet that goal: Biometric
  Encryption
                               – Dr. George Tomko
             “I am not a number,
               I am a free man”


    “I am not a number, I am a human being.
I will not be filed, stamped, indexed or numbered.
               My life is my own.”


               The Prisoner TV series, 1968



           How to Contact Us

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner of Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario, Canada M5S 2V1

Phone:   (416) 326-3333
Web:    www.ipc.on.ca
E-mail: commissioner@ipc.on.ca
