
CHAPTER 16

Designing Privacy-Sympathetic Biometric Systems
Why do we need such systems?

- Recall from the previous chapter:
  - Biometrics raise serious privacy concerns.
  - Certain technologies are most often associated with privacy-invasive biometric usage.
- We can now investigate how to provide informational and personal privacy in biometric deployments.
International Biometric Group (IBG)

- IBG's BioPrivacy Best Practices define what steps institutions can take when deploying biometrics to ensure that biometric deployments do not intrude on individual privacy and are instead either privacy neutral or privacy sympathetic.

- IBG provides some of the best practices that deployers need to follow, but in real deployments the practices are not applied as a foolproof regime, and so loopholes remain.
Challenges for privacy-sympathetic system design

Limit System Scope

Biometric deployments must not be expanded to perform broader verification- or identification-related functions than originally intended.

Any expansion or retraction in scope should be accompanied by full public disclosure, under the oversight of an
independent body, allowing individuals to opt out of system usage if possible. A fundamental risk with any system of
identification is that the system can be employed for purposes beyond those that were originally
intended.

From a privacy perspective, function creep must be disallowed, even if the purposes of the system expansion are seen as
innocuous.

The scope of a biometric system can be limited by legislation, by internal or third-party oversight, and by the type of
data collected.

Systems can also be designed that preclude the artificial introduction of images or biometric data, requiring that a live
fingerprint or facial image be presented in order for a decision to be rendered. However, because it is difficult to design
a system that categorically cannot be used for purposes beyond its original intent, auditing, oversight, and transparency
are essential.
If a system is being misused, drawing attention to this misuse and enabling policies whereby system usage can
be suspended are required.

Scope limitation may be more difficult in countries with authoritarian governments, where frameworks to ensure public-
and private-sector accountability may be lacking.
Do Not Use Biometrics as a Unique Identifier

The use of biometric information as a unique identifier should be extremely limited.

Unique identifiers facilitate the gathering and collection of personal information from various databases and can represent
a significant threat to privacy.

Though biometric templates are not ideal unique identifiers—a user’s biometric verification differs every time he or she is
authenticated—the enrollment template is normally a fixed value, used in all subsequent verifications. If a user’s static
enrollment template were shared between various agencies or companies to enable verification to a range of systems, it
could be used as a highly effective unique identifier.

The unique identifier issue will become more problematic if a biometric technology is developed that generates the same
template every time a user interacts with a system. This type of template could be used as an identifier across multiple
databases and applications, and any single verification template could be linked with all of a user’s verification templates.
Limit Retention of Biometric Information
Biometric information must only be stored for the specific purpose of usage in a biometric system and should not be stored
any longer than necessary.

Biometric information and associated account data should be destroyed, deleted, or otherwise rendered useless when the
system is no longer operational. However, data such as transactional logs can be kept for auditing purposes.

Different storage limitations apply to enrollment and verification data. While enrollment data, by definition, must be retained in order for the system to be operational, verification data need only be retained for as long as necessary to perform a match. Once a decision is rendered, there is no need to store the biometric verification attempt, and well-designed systems will dispose of verification data once a decision is rendered.

A hash of the verification template may be stored to prevent compromised templates from being used in replay attacks.

Delete a person’s biometric data once he or she is no longer a transacting entity.

System design can accomplish some of this task by deleting biometric information when an associated account is deleted
or updated.
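The retention rules above (keep enrollment templates only while the account is live, discard each verification sample once a decision exists, keep a hash of the sample for replay detection, and log decisions rather than biometric data) can be expressed as a small verification service. The following is an added example, not code from the chapter or from IBG; the fixed-length byte-string templates and the bit-agreement matcher are constructed stand-ins for a real vendor template and matcher.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy templates: fixed-length byte strings (16 bytes = 128 bits).
# Real templates are vendor-specific feature vectors; bit_similarity is an
# assumed stand-in for a real matcher, chosen only so the example runs offline.


def bit_similarity(a: bytes, b: bytes) -> float:
    """Fraction of bit positions on which two equal-length templates agree."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


@dataclass(frozen=True)
class Decision:
    account_id: str
    accepted: bool
    reason: str


class VerificationService:
    """Retains only what the system needs: enrollment templates while the
    account is live, a hash of each verification sample for replay detection,
    and a transactional log that carries decisions but no biometric data."""

    def __init__(self, threshold: float = 0.9):
        self.threshold = threshold
        self._enrollment = {}      # account_id -> enrollment template
        self._seen_hashes = set()  # SHA-256 of every verification sample processed
        self.audit_log = []        # list of Decision objects, kept for auditing

    def enroll(self, account_id: str, template: bytes) -> None:
        self._enrollment[account_id] = bytes(template)

    def verify(self, account_id: str, sample: bytes) -> Decision:
        digest = hashlib.sha256(sample).hexdigest()
        if account_id not in self._enrollment:
            decision = Decision(account_id, False, "not enrolled")
        elif digest in self._seen_hashes:
            # A genuine live capture differs at least slightly every time, so a
            # byte-identical sample is treated as a replayed template.
            decision = Decision(account_id, False, "replayed sample")
        else:
            score = bit_similarity(self._enrollment[account_id], sample)
            accepted = score >= self.threshold
            decision = Decision(account_id, accepted,
                                "matched" if accepted else "below threshold")
        # Only the digest is kept; the sample itself is dropped once a decision exists.
        self._seen_hashes.add(digest)
        self.audit_log.append(decision)
        return decision

    def close_account(self, account_id: str) -> bool:
        """Delete the enrollment template once the person is no longer a transacting entity."""
        return self._enrollment.pop(account_id, None) is not None

    def holds_template_for(self, account_id: str) -> bool:
        return account_id in self._enrollment


if __name__ == "__main__":
    svc = VerificationService()
    enrolled = b"\xff" * 16            # constructed enrollment template
    live = b"\xfe" + b"\xff" * 15      # constructed live sample, one bit off
    svc.enroll("acct-1", enrolled)
    print(svc.verify("acct-1", live))  # accepted
    print(svc.verify("acct-1", live))  # rejected as a replay
    svc.close_account("acct-1")
    print(svc.verify("acct-1", live))  # not enrolled
```

The exact-hash check only catches byte-identical resubmissions, which is precisely the signature of a stored template being injected rather than a fresh capture; it does not replace liveness detection at the sensor.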
Evaluate a System’s Potential Capabilities
When determining the risks a specific system might pose to privacy, the system’s potential capabilities must be assessed
in addition to the risks involved in its intended usage.

Best Practices require that the impact of the deliberate misuse of a biometric system be considered when assessing
whether a deployment is privacy invasive, neutral, or sympathetic.

Although systems with the potential to be used in a privacy-invasive fashion can still be deployed if accompanied by
proper precautions, their operations must be monitored and protections must be in place to prevent misuse by internal
or external parties.
Limit Storage of Identifiable Biometric Data
Whenever possible, biometric data in an identifiable state, such as a facial image, fingerprint, or vocal recording, should be
stored or used in a biometric system only for the initial purposes of generating a template.

After template generation, the identifiable data should be destroyed, deleted, or otherwise rendered useless. This is to prevent
the storage of fingerprints and facial images, as opposed to finger-scan and facial-scan templates.

Templates are resistant to misuse because they cannot be identified as biometric information and cannot be used to re-create
original biometric information.

Forensic systems and some public-sector programs store identifiable data in order to resolve borderline matches; in addition,
employee background screens, which involve the acquisition of multiple fingerprint images, store identifiable data for future
processing or auditing purposes.

In this type of system, physical access and operational controls are necessary to ensure that identifiable data cannot be
compromised.
Limit Collection and Storage of Extraneous Information
The non-biometric information collected for use in a biometric verification or identification system should be
limited to the minimum necessary to make identification or verification possible. Biometric databases generally
comprise an index and a biometric template, with direct or indirect links to other databases as necessary.

Storing names or account information is not only bad database design—this data will normally exist elsewhere
and does not need to be collected and stored again—but also significantly increases the likelihood that biometric
data may be associated with other personal information.
Make Provisions for System Termination
A method must be established by which a system used to commit or facilitate privacy-invasive biometric matching,
searches, or linking can be depopulated and dismantled.

The responsibility for making such a determination would rest with an independent auditing group and would be subject to
appropriate appeals and oversight.

This protection would apply primarily to public-sector systems, as they are most likely to be used in a privacy-invasive
fashion and are more in need of independent oversight and monitoring.

By contrast, private sector deployments found to be privacy invasive will likely be modified or terminated as the result of
pressure from investors, consumers, and the general public.
IBG BioPrivacy Best Practices: Data Protection

- Use Security Tools and Access Policies to Protect Biometric Information
- Protect Postmatch Decisions
- Limit System Access
- Implement Logical and Physical Separations between Biometric and Nonbiometric Data

Use Security Tools and Access Policies to Protect Biometric Information
Biometric information should be protected at all stages of its life cycle, including storage, transmission, and
matching. The protections enacted may include encryption, private networks, secure facilities, administrative
controls, and data segregation. The protections necessary within a given deployment are
determined by a variety of factors, including the location of storage, the location of matching, the type of biometric
used, the capabilities of the biometric system, whether processes take place in a trusted environment, and the risks
associated with data compromise.
Protect Postmatch Decisions

Data transmissions resulting from biometric comparisons should be protected to prevent replay attacks or compromise of personal information. When a successful biometric match takes place, this match is normally transmitted to the application or resource that requires authentication. This match decision must be protected, most likely through encryption, to avoid compromise of account information and to prevent man-in-the-middle attacks. Although these post-comparison decisions do not normally contain any biometric data, transmissions resulting from biometric matches are also sensitive. This protection is especially important in untrusted environments such as the Internet.
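A match decision is a short message, so the properties that matter in transit are integrity (a "reject" must not be flipped to "accept"), freshness and replay resistance. The following added example, which is not from the chapter or from IBG, shows an assumed design: the matcher and the relying application share a secret key, each decision carries a fresh nonce and an issue time, and the envelope is tagged with HMAC-SHA256 over a canonical JSON encoding. The example covers authentication and replay detection only; confidentiality of the channel (the encryption the text calls for) would come from TLS or similar in a real deployment.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed protocol (not from the chapter): shared key, per-decision nonce,
# issue time, HMAC-SHA256 tag over a canonical JSON encoding of the decision.


def canonical(message: dict) -> bytes:
    """Stable byte encoding so both sides tag exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign_decision(key: bytes, account_id: str, accepted: bool,
                  nonce: Optional[str] = None,
                  issued_at: Optional[int] = None) -> dict:
    """Matcher side: wrap a post-match decision in an authenticated envelope."""
    message = {
        "account_id": account_id,
        "accepted": accepted,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "issued_at": issued_at if issued_at is not None else int(time.time()),
    }
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}


class RelyingApplication:
    """Consumer of match decisions: checks tag, freshness and nonce before
    acting on the decision, in that order."""

    def __init__(self, key: bytes, max_age_seconds: int = 30):
        self._key = key
        self._max_age = max_age_seconds
        self._seen_nonces = set()

    def accept(self, envelope: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        message = envelope["message"]
        expected = hmac.new(self._key, canonical(message), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "bad tag"      # tampered in transit or wrong key
        if abs(now - message["issued_at"]) > self._max_age:
            return False, "stale"        # outside the freshness window
        if message["nonce"] in self._seen_nonces:
            return False, "replay"       # same decision presented twice
        self._seen_nonces.add(message["nonce"])
        return bool(message["accepted"]), "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"     # constructed; provision a real key out of band
    app = RelyingApplication(key)
    env = sign_decision(key, "acct-1", True)
    print(app.accept(env))               # (True, 'ok')
    print(app.accept(env))               # (False, 'replay')
```

The tag is checked first and with a constant-time comparison so that an attacker who cannot forge tags also cannot learn anything from the freshness or nonce checks. The seen-nonce set only needs to cover the freshness window, so it can be pruned by issue time.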
Limit System Access

Compromise and unauthorized use of personal information is more likely to come from within an institution or organization than from outside. While numerous protections can be built to ensure that hackers cannot penetrate a biometric database from the Internet, it is a greater challenge to ensure that internal access to biometric systems is limited and controlled. In a worst-case scenario, an individual familiar with an institution's data reserves and system architecture could compromise a great deal of personal information without being detected.
Implement Logical and Physical Separations between Biometric and Nonbiometric Data
Biometric data must be stored separately from personal information
such as name, address, and medical or financial data. If biometric
information is somehow compromised—if a template is intercepted or
stolen from a hard drive, for example—protections must be in place to
ensure that this cannot lead to compromise of other sensitive data.
In order for biometric data to be useful, it must be directly or indirectly
associated with an identity, rights and privileges, account information,
or some other piece of meaningful data. These associations, while a
sine qua non of authentication systems, do result in increased risk that
information can be linked to individuals.
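The separation principle above, together with the earlier point that a biometric database should hold only an index and a template, can be made concrete as two independent stores linked by an opaque reference. This is an added example and not the chapter's or IBG's design: the biometric store (its own database) contains nothing but a random reference and the template, the account store holds the personal data and that reference, and a compromise of the template store alone yields neither names nor account identifiers.

```python
import secrets
import sqlite3

# Assumed two-database layout (not from the chapter). In production the two
# connections would point at separately hosted and separately administered
# databases; in-memory SQLite is used here so the example runs offline.


class BiometricStore:
    """Holds only (opaque reference, template); no name, email or account id."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS templates "
            "(bio_ref TEXT PRIMARY KEY, template BLOB NOT NULL)")

    def put(self, template: bytes) -> str:
        bio_ref = secrets.token_hex(16)  # random; carries no identity information
        self.db.execute("INSERT INTO templates VALUES (?, ?)", (bio_ref, template))
        self.db.commit()
        return bio_ref

    def get(self, bio_ref: str):
        row = self.db.execute(
            "SELECT template FROM templates WHERE bio_ref = ?", (bio_ref,)).fetchone()
        return None if row is None else bytes(row[0])

    def delete(self, bio_ref: str) -> None:
        self.db.execute("DELETE FROM templates WHERE bio_ref = ?", (bio_ref,))
        self.db.commit()

    def columns(self):
        return [row[1] for row in self.db.execute("PRAGMA table_info(templates)")]


class AccountStore:
    """Holds the personal data plus the opaque reference into the biometric store."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS accounts "
            "(account_id TEXT PRIMARY KEY, name TEXT, email TEXT, bio_ref TEXT)")

    def create(self, account_id: str, name: str, email: str, bio_ref: str) -> None:
        self.db.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                        (account_id, name, email, bio_ref))
        self.db.commit()

    def bio_ref_for(self, account_id: str):
        row = self.db.execute(
            "SELECT bio_ref FROM accounts WHERE account_id = ?", (account_id,)).fetchone()
        return None if row is None else row[0]

    def clear_bio_ref(self, account_id: str) -> None:
        self.db.execute("UPDATE accounts SET bio_ref = NULL WHERE account_id = ?",
                        (account_id,))
        self.db.commit()


class EnrollmentService:
    """The only component that touches both stores."""

    def __init__(self, bio: BiometricStore, accounts: AccountStore):
        self.bio = bio
        self.accounts = accounts

    def enroll(self, account_id: str, name: str, email: str, template: bytes) -> str:
        bio_ref = self.bio.put(template)
        self.accounts.create(account_id, name, email, bio_ref)
        return bio_ref

    def template_for(self, account_id: str):
        bio_ref = self.accounts.bio_ref_for(account_id)
        return None if bio_ref is None else self.bio.get(bio_ref)

    def unenroll(self, account_id: str) -> None:
        """Remove the template and the link; the account itself may live on."""
        bio_ref = self.accounts.bio_ref_for(account_id)
        if bio_ref is not None:
            self.bio.delete(bio_ref)
            self.accounts.clear_bio_ref(account_id)


if __name__ == "__main__":
    svc = EnrollmentService(BiometricStore(), AccountStore())
    ref = svc.enroll("acct-1", "Ada Example", "ada@example.test", b"\x01\x02\x03")
    print(svc.bio.columns())            # ['bio_ref', 'template']
    print(svc.template_for("acct-1"))   # b'\x01\x02\x03'
    svc.unenroll("acct-1")
    print(svc.template_for("acct-1"))   # None
```

Because the reference is random rather than derived from the account identifier, someone holding only the template database cannot reverse it to an account, and rotating or deleting a template never requires touching the personal-data store beyond clearing one column.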
BioPrivacy Best Practices: User Control of Personal Data

- Make System Usage Voluntary and Allow for Unenrollment
- Enable Anonymous Enrollment and Verification
- Provide Means of Correcting and Accessing Biometric-Related Information

Make System Usage Voluntary and Allow for Unenrollment
A basic privacy principle is that individuals have the right to control usage of their
biometric information and can have it deleted, destroyed, or otherwise rendered
unusable upon request. This extends to allowing individuals to decide whether to
enroll in a biometric system and whether to continue in a system in which they
have enrolled.
In customer-facing systems, the ability to opt out should not be problematic, as
these systems will almost always be voluntary. Policies can be enabled that allow
for users to employ standard authentication methods if desired. However, in
certain public-sector and employment-related applications there is a compelling
interest for the biometric system to be made mandatory and for biometric data to
be retained for verification or identification purposes.
Enable Anonymous Enrollment and Verification
Depending on operational feasibility, biometric systems can be designed such that
individuals can enroll and verify with varying degrees of anonymity. In Web
environments, where individuals assume identities through email addresses or
usernames, there may be no need for a biometric system to know with whom it is
interacting, so long as the user can verify his or her original claimed identity. This
identity may be associated with a number of purchases, the results of an
anonymous medical test, or simply a series of communications. The key is that
anonymous enrollment allows users to establish a claimed identity with a
significantly reduced risk of profiling.
Provide Means of Correcting and Accessing Biometric-Related Information
System operators should provide a method for individuals to correct, update, and
view stored information that is associated with biometrically enabled accounts.
Just as consumers have access to their credit data and employees have a right to
review files for accuracy, individuals interacting in any capacity with a biometric
system have a right to review and contest information associated with their
account. This is especially important because false matching may result in
unauthorized access to a biometrically protected account, unbeknownst to the
account holder.
IBG BioPrivacy Best Practices: Disclosure, Auditing, and Accountability

- Make Provisions for Third-Party Auditing and Oversight
- Hold Operators Accountable for System Use and Misuse
- Fully Disclose Audit Findings
- Disclose the System Purpose and Objectives
- Disclose When Individuals May Be Enrolled in a Biometric System
- Disclose When Individuals May Be Verified in a Biometric System
- Disclose Whether Enrollment Is Optional or Mandatory
- Disclose Enrollment, Verification, and Identification Processes
- Disclose Policies and Protections in Place to Ensure Privacy of Biometric Information


An IBG BioPrivacy Assessment: Biometrics at the Super Bowl
