

Fingerprint Verification and User Identity – Maintaining Privacy
Biometrics is the science of measuring and statistically analyzing biological data. By using biometric technology, the body itself becomes a password. Computerized scanners confirm the identity of a person by collecting information on a distinctive biometric attribute, converting it into a digital representation by means of complex algorithms, then comparing the data with a digital file in order to determine if there is a match. As biometric systems are deployed as part of identification programs, implementation issues relating to user privacy are paramount. The tie between the actual identity of an individual and the daily use of the biometric is delicate and provokes much debate, particularly relating to privacy and societal issues. This paper seeks to clarify some of these issues by providing a framework, and by distinguishing between the technology and societal issues.


An individual’s identity is represented by a series of identifiers: for example, societal identifiers such as passport number and social security number, and commercial identifiers such as credit card numbers, network accounts, and telephone numbers. Typically, these identifiers are “spawned” from so-called breeder data or documents, such as a birth certificate or passport, that are used to establish the uniqueness of an individual. The role of a biometric system is to recognize (or not) an individual through specific physiological or behavioral traits. The word “recognize” is generally defined as “identify as already known”. In other words, a biometric system does not establish the identity of an individual in any way; it merely recognizes that they are who they say they are (in a verification system), or that they were not previously known to the system (in a “negative identification” system, for example, to avoid double registration in a program).

Biometric systems can be implemented in three modes:

1) A biometric can be used in a “negative identification” mode to establish that an individual is unique with respect to the range of previously acquired biometrics captured in this manner. This can be used as a component of the “background search” to establish the unique identity of the individual.

2) A biometric can be used in a “positive identification” mode to establish that a user is a member of an approved list of users.

3) A biometric can be used in a “verification” mode to establish that the individual is the valid holder (either physically or logically) of the identifier by which they are known to the application or system.

The fact that identification can be used to achieve two modes of operation, positive and negative, means that the holder of a biometric template that is used for one purpose can use it for the other. Biometric data are typically analyzed in a particular way (known as the algorithm). For example, a fingerprint can be analyzed on a feature (minutiae) basis or on a pattern basis. This “function creep” is the biggest fear of privacy advocates. For example, the use of a finger minutiae record to establish that a user is eligible for enrollment in a passport system could potentially be used to link to another database for other purposes. Templates that are created purely for the purposes of verification, such as the Bioscrypt template, are not designed for use with biometric identification. This explicitly limits the potential misuse of such templates and helps to maintain user privacy, as described below. Verification may be a simple one-to-one matching, or it may support a few users, or a few fingers, enrolled in a system.

2 User Registration/Enrollment

Consider the various steps comprising the registration of a new user within an identification system (for example, a passport issuance process).


(Figure: registration flow: User requests registration; System runs background search; User Enrolled; Bioscrypt Template)

• An administrator of the system establishes the unique identity of the individual within that system. As described above, this is typically achieved through the use of so-called “breeder documents” such as a birth certificate, etc., but may also include a search over a biometric database to establish the uniqueness of the individual’s claim according to the range of that database.

• If the individual is identified as unique, the security system will establish the individual as a new user of the system, and assign a unique identifier by which they are known to the system. An example of an identifier would be a passport number.

• The individual will be instructed to enroll their biometric, and the biometric system will create a biometric template that is associated with the user.

• The template will be bound to the identifier, by binding them together using encryption or a digital signature mechanism, to create a user record.

Subsequently, when the user requests to use a service or initiate a transaction, the following steps are undertaken:

• An individual establishes a claim to the system that they are a valid user of the system. This is usually achieved by presenting a card or other credential to the system to make the claim.

• The security system ensures that the user record of the claimed user is available to the biometric system (either by transmitting it to the biometric system, or by selecting it within the biometric system), where it will be unbound to produce the template and identifier. As part of the unbinding process, either the security system or the biometric system (or both) may verify the authenticity of the user record, by, for example, checking a digital signature.

• The individual is requested to verify that they are the valid owner of the user record, by comparing a live biometric sample with that represented by the template in the user record.

• If a successful match occurs, the identifier that was stored in the user record is relayed to the security system, where the user is authorized, according to their security system rights and privileges, to complete the service or transaction.

3 User Privacy
This separation between the verification of the individual and the authorization of the user is critical.

1) It provides an explicit segregation between the verification process in the biometric system and the rights and privileges that the user is assigned by the application. This is especially important when considering issues such as the revocation of a user’s rights and privileges (for example, a passport number may need to be revoked).

2) This process also prevents identity theft, as an attacker cannot simply overwrite a legitimate user record with his own (if he has access to both on a portable medium such as a smart card), as he would also need to have a valid identifier on the system.

3) From a privacy perspective, it is important that the user is known to the system only by their identifier. This point is crucial for maintaining user privacy, as the system only ever needs to know the identifier that was established for the user at the time of registration/enrollment. The daily use of verification declares nothing about the actual identity of the individual.

4) A biometric can be used not only to link to a particular identifier (for example, bank account details), but also to link together several identifiers (thus removing anonymity). The ability of a biometric to do this depends on the role of the biometric template, as discussed below. A minutiae-based template that is designed to link databases will allow function creep, whereas a pattern-based template designed purely for verification will not, as described below.
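The enrollment binding, the unbinding and verification steps of a transaction, and privacy points 2 and 3 above, as an added example (not code from this paper or from Bioscrypt). It assumes a keyed MAC (HMAC-SHA256) in place of the paper’s encryption or digital signature, a hypothetical Hamming-distance matcher in place of the pattern correlation, and constructed 16-byte templates; only the identifier, never the biometric, is what the security system authorizes against.

```python
import hmac
import hashlib

# Assumption: a keyed MAC stands in for the paper's digital signature; a real
# deployment would use a signature so the verifier need not hold the secret.
SECURITY_SYSTEM_KEY = b"constructed-demo-key"  # constructed, not a real key

# Constructed 16-byte templates (not real Bioscrypt or minutiae data).
ALICE_TEMPLATE = bytes.fromhex("a5c3e17f0b2d4e6691a3b5c7d9e0f123")
ALICE_LIVE_SAMPLE = bytes.fromhex("a5c3e17f0b2d4e6691a3b5c7d9e0f120")  # 2 bits of noise
ATTACKER_TEMPLATE = bytes.fromhex("5a3c1e80f4d2b19969a3b5c7d9e0f123")


def bind_user_record(identifier: str, template: bytes) -> dict:
    """Enrollment: bind the identifier (e.g. a passport number) to the template."""
    payload = identifier.encode() + b"|" + template
    tag = hmac.new(SECURITY_SYSTEM_KEY, payload, hashlib.sha256).hexdigest()
    return {"identifier": identifier, "template": template.hex(), "tag": tag}


def unbind_user_record(record: dict):
    """Unbinding: refuse the record unless the template/identifier binding is intact.
    An attacker who swaps in his own template keeps a valid identifier but breaks the tag."""
    template = bytes.fromhex(record["template"])
    payload = record["identifier"].encode() + b"|" + template
    expected = hmac.new(SECURITY_SYSTEM_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return record["identifier"], template


def templates_match(live: bytes, enrolled: bytes, max_mismatch: int = 8) -> bool:
    """Hypothetical matcher: Hamming distance over equal-length bit strings.
    This is NOT Bioscrypt's correlation; it only models a thresholded decision."""
    if len(live) != len(enrolled):
        return False
    diff = int.from_bytes(live, "big") ^ int.from_bytes(enrolled, "big")
    return bin(diff).count("1") <= max_mismatch


def verify_transaction(record: dict, live_sample: bytes):
    """Transaction: return the identifier only if the record is authentic AND the
    live sample matches; the caller authorizes on the identifier, not the biometric."""
    unbound = unbind_user_record(record)
    if unbound is None:
        return None
    identifier, template = unbound
    return identifier if templates_match(live_sample, template) else None


if __name__ == "__main__":
    rec = bind_user_record("P1234567", ALICE_TEMPLATE)
    print(verify_transaction(rec, ALICE_LIVE_SAMPLE))        # P1234567
    forged = dict(rec, template=ATTACKER_TEMPLATE.hex())
    print(verify_transaction(forged, ATTACKER_TEMPLATE))      # None
```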

Pattern Based Templates:

Bioscrypt’s fingerprint templates have been carefully designed to produce the most robust verification algorithm in the world. This is achieved by using a pattern-based approach that initially enhances the fingerprint via a sophisticated image enhancement routine. During this process, the image is filtered, smoothed, and conditioned to produce a high quality representation of the ridge pattern. Features such as creases, cuts, abrasions, and pores that appear inconsistently or move from place to place within the image are removed. In this way, the data that Bioscrypt uses for comparison are the entire ridge pattern, which remains unchanged throughout a person’s lifetime. The end points of the ridges, or minutiae, will typically be removed from the image during this process. Secondly, the Bioscrypt technique estimates and removes the relative distortion between the candidate fingerprint and the (previously enrolled) template fingerprint. Using a unique and patented approach, every ridge of the candidate is aligned with every ridge of the template image, providing maximum use of the entire fingerprint image. Subsequent to the removal of the distortion, the ridge patterns are correlated, emphasizing areas in which the images are clean and highly complex and down-weighting areas where the images are noisy or bland. This combination of pattern-based processes is used to produce excellent performance. In contrast, with a minutiae approach, the fingerprint is reduced to a list of points (ridge endings, bifurcations, bridges, etc.). Generally, all other information from the fingerprint is

Subsequently, the minutiae list from the candidate is compared to the list from the template and a decision is made based on the fraction of overlapping points. Minutiae-based templates are designed to be compatible with identification databases. Bioscrypt’s pattern-based template is not compatible with these minutiae-based templates. Therefore, Bioscrypt’s pattern-based templates cannot be used to link together multiple databases in an invasive manner.


In the biometry context, the threat to individual rights and privacy does not come from the positive identification of the person, but from the capacity of third-party entities to access the personal data in an identifiable form and link it with other information, which leads to a secondary usage of the data without the consent of the targeted person. This means that the individual no longer has control over information concerning him. Respect for privacy is defined by the capacity to dictate the use and diffusion of the personal data concerning the individual; it is linked to freedom of choice. Without the possibility of exercising a certain control over the use of one’s personal data, respect for privacy becomes an empty notion. The efficacy and usefulness of biometric identification techniques, depending on the objective, is such that we cannot hope to abolish or eliminate not only their usage, but also their evolution and expansion. However, we will have to ensure that the use of such techniques is made in a just balance between society’s needs and the protection of individual rights and freedoms.
