We all know that we should use unique passwords for each service (Facebook, Netflix etc) we use. This is to prevent a credential stuffing attack, when a leaked/stolen password from one service is used to access another. If you don’t know about the importance of this, read about the importance of unique strong passwords here.
As I outlined when I covered the BBC voiceprint hack, I’m concerned about a scenario where stolen biometric markers are leaked, just like a password leak, where criminals now have access to credentials to use for account access or identity theft. Password leaks can be very damaging, but for those of us who manage our passwords, the harm is minimal. Worst case they can be reset and the damage dealt with. But what if your biometric credential was stolen? Your biometrics are a part of you and for most of us, can’t be changed. For my major project for my Privacy and Data Security course I’ve chosen to investigate biometrics, what they are, how they are used, can they be reset and the role the government has to play in ensuring their use is secure.
Overview of biometric landscape
Security Challenges to Biometric systems
Can biometric data be protected?
Abstract
The use of biometric systems is growing rapidly, set to more than double by 2027. They are well suited for use in authentication and identification, however the properties that make them ideal for these purposes also make them attractive to criminals. Unlike passwords which can be reset, biometrics lack revocability making any loss permanent. This can have major impacts on privacy, with biometric data classified in law as identification information and sensitive information, making them suitable for identity theft or fraud. Identity theft and fraud exposes an individual’s information and data to unauthorised parties. Depending on the attacker’s motives it could result in a breach of privacy and/or data privacy. Fortunately, privacy preserving biometrics offer a method that not only preserves the security benefits but increases the privacy of biometrics by making them revocable. In the event of a biometric credential being stolen, it can be revoked and a new one issued, which is a benefit to the individuals enrolling in the biometric scheme as well as the operators of the scheme. We have previously seen the government legislate to improve protection of privacy and given the permanent risk to individuals, the government has a responsibility to legislate on the use of privacy preserving biometrics.
Intro
Humans have used biometrics for thousands of years to recognise friends, family and enemies (Jain et al. 2004), in its more modern guise – biometric technology as the cutting edge of authentication and identification – their use began close to two hundred years ago. A significant security challenge for biometrics is the non-revocability of biometric credentials, once one (e.g. a fingerprint) is stolen it is gone forever, reducing the utility of biometric systems and leaving individuals vulnerable to loss of privacy and identity theft. Cancellable or privacy preserving biometrics are promising areas of research which could improve the utility of biometric systems, by allowing a compromised biometric credential to be revoked, and a new one issued – similar to resetting a password. This essay will review the history and application of biometrics systems; their security challenges; impacts of data loss; and how they can be protected. Finally it will present a case that the government has a critical role to play in creating an environment where privacy preserving biometric credentials are not only encouraged, but mandated.
Overview of biometric landscape
Biometrics are measurable human characteristics which can be used for authentication and identification, Jain et al. (2004) states that biometrics refers to the recognition of individuals based on their physiological and/or behavioral characteristics. According to Jain et al. (2004), a biometric factor must be:
- Universal: in theory every person has.
- Distinctive: unique to each individual.
- Permanent: should not change, or change very slowly.
- Collectability: should be measurable.
These properties make them ideal for authentication and identification.
Early applications for biometrics were identification, with Alphonse Bertillon developing the idea of using a variety of body measurements to identify criminals (Jain et al., 2004). In the late 19th century his work was supplanted with fingerprinting. Fingerprints were used to add irripudiality to signatures on contracts in India from 1858 and first used for identification from a crime scene in Japan in 1880, in 1883 Mark Twain wrote of a criminal identified by his thumb print and in 1891, the first nationwide fingerprint identification system was implemented in Argentina (Hawthorne et al., 2021). We even read that radio operators were identified by their ‘fist’ – the way they tapped out morse code – as a biometric in Dr No (Fleming, 1958).
Biometrics are used for authentication and identification. Authentication attempts to match a sample (e.g. a person presenting their fingerprint) with a database record held for the individual, this is known as one-to-one (1:1) matching. Identification searches a database of records to find a match for a sample (e.g. a photo of a suspect’s face), this is known as one-to-many (1:N) matching (Biometrics and Privacy – Issues and Challenges, 2021).
As far back as 2004 1:1 systems were used for authentication for secure access to buildings, computers, phones, and ATMs (Jain et al., 2004). Since then their use has expanded to consumer devices such as smartphones, computers and cars. We’ve also seen an increase in the use of one-to-any systems for identification for uses such as: border control, attendance verification at educational institutions (Types of Biometrics, 2018), voice identification; law enforcement, criminal identification; military, enemy and ally identification; healthcare; civil identity and voter registration (Types of Biometrics, 2018), (Thales Group, 2021). In Australia we currently have the Identity Matching Services Bill before the Australian Parliament which would allow the government to collect, store and use citizens’ photos for a nation-wide one-to-many system (Identity-Matching Services Bill 2019, 2019). We are also seeing increased commercial use of one-to-many systems for commercial applications such as Know Your Customer (KYC) and customer (or shoplifter) recognition (Thales Group, 2021).
Security Challenges to Biometric systems
If we look at the properties that make biometrics suitable for authentication – as outlined by Jain et al. (2004) – through an attackers lens, we can see their risk to privacy and use as a vector for identity theft:
- Universal: everyone on earth is a potential target
- Distinctive: It is an indisputable, unique identifier of the target.
- Permanent: it can’t be changed or revoked.
- Collectability: an attacker can obtain them, often passively.
Taking these properties into account we can see that the theft of a biometric would result in its permanent loss for an individual. Identity theft is a breach of privacy by definition “Identity fraud (also known as identity theft or crime) involves someone using another individual’s personal information without consent” (OAIC, n.d.). Depending on the attacker’s motives it could result in a privacy breach such as gaining access to personal thoughts, photos or events and/or a data privacy breach such as collecting a victims data after gaining access to a system with their credentials.
Credential theft is always a concern, which is why we practice good password management (Hally, 2021). In the case of a password leak, we can reset our password, but biometrics cannot be reset (Adler, 2009), their theft results in a stolen or partially stolen identity (Ignatenko & Willems, 2012, p. 2) which can result in financial loss, reputational, emotional and psychological damage (Attorney-General’s Department, 2014).
This is not a theoretical scenario, we’ve seen examples around the globe. In the UK over a million fingerprints along with facial recognition data were publicly available from the Biostar 2 authentication platform, used across 1.5m locations globally (Taylor, 2019), (Symanovich, n.d.). In the USA a chain store, Nevada Restaurant Services (NRS), suffered a breach which included biometric data for an unspecified number of individuals (Greig, 2021). In Pakistan, the National Database & Registration Authority’s (NADRA) biometric system was breached in November 2021 (Tribune, 2021).
These examples demonstrate a widespread lack of care and treatment of biometric credentials. This raises the question of whether or not we can have a cancellable biometric? Fortunately during research I have discovered a number of promising areas of research to achieve this.
Impact of Biometric Data Loss
It is important to have cancelability in biometric systems, because of the impact of their loss on individuals:
- People have a limited number of biometrics to use.
- Biometrics are classified identification information (Criminal Code Act (Cth), 1995) and can be used for identity theft.
- Potential breach of personal privacy with access to the victims files.
- Potential breach of data privacy with access to systems the victim is enrolled in.
- If a user has made multiple enrollments with the same biometric, this is equivalent to reusing a password, the individual is now open to bio-credential stuffing attacks.
- Emotional/psychological impacts of identity theft (Attorney-General’s Department, 2014)
It can also limit the utility of the system – as more and more biometrics are compromised, less and less individuals can make use of the system. This is compounded by the fact that most systems only accept limited biometric factors. At some point, there will be no viable biometrics for a system to sample.
Privacy preserving biometrics can play a role in increasing privacy while preserving security (Q. N. Tran et al., 2021), this is a benefit for individual’s privacy and ID retention as well as for the system utilising the biometric, as it will help preserve the pool of viable biometrics and allow people to re-enroll in the event of a compromised credential.
Can biometric data be protected?
Our news cycles are regularly peppered with details of data breaches (Contributors to Wikimedia projects, 2021b), given that this seems to be an inevitable part of a digitally connected life (Hewage, 2019) as well as the biometric leaks outlined previously, it seems we can expect more in the future. According to Tran et al., 2021, privacy preserving biometrics may provide a solution to secure authentication which preserves privacy. In their paper, they suggest a novel approach to the taxonomy of cancelable biometrics, this essay will be focusing on the Non-Invertible Transformations and Direct Biometrics Key Generation. Tran et al. (2021) state that a cancellable biometric should have these properties:
- Irreversible: intractable to revert to or retrieve the original biometric data, even if the attacker has obtained the parameter keys.
- Revocable: If a cancellable biometric template is compromised, it can be revoked. Since the original biometric data is never exposed, it is safe and a new template can be generated from it.
- Diversity: There should be no correlation between biometric templates generated from different parameters, this prevents a cross-template attack.
- Accuracy: The matching process should not be affected by the transformation of the biometric data. This is achieved by making the comparison in the transformed domain (Q. Tran, personal communication, December 1, 2021)
Non-invertible transformations
Cancelable biometrics is an approach to non-invertible transformations that produces multiple varied outputs for the same biometric input, the output of which is used for authentication – not the individual’s actual biometric or direct representation on it. There are two approaches to cancellable biometrics: signal, which is the distortion of the raw data before being transformed into a template; and feature, which is the distortion of the template. If the cancelable biometric is being used between systems, then it means there is a need for a shared secret between the systems – how the biometric was distorted.
Direct Biometrics Key Generation
Biometric Cryptography is the binding of a digital key to a biometric or the practise of generating a digital key from the biometric, so that no biometric image or template is stored. Cavoukian & Stoianov (2009) claim that it can increase privacy without decreasing security, a claim supported by Tran et al (2021).
There are two types of Biometric Cryptography: key binding, where a key is used to encrypt the biometric; and key generation, where a key is generated from the biometric – note that a different key is generated each time that the individual enrolls in a system.
There are a number of approached to biometric cryptography, including: Mytec1, Mytec2, ECC Check Bits, Biometrically Hardened Passwords, Fuzzy Commitment, ECC Syndrome, Quantization using Correction Vector, Fuzzy Vault, Biohashing (with key binding) and Graph-based Coding (Cavoukian & Stoianov, 2009)
Government Responsibility
The protection of biometric data is a privacy issue and the government needs to be taking a more proactive position on it. Australians want their privacy protected especially when it comes to biometric data, with 66% being reluctant to share their biometric data and for 24%, it is the thing they are most reluctant to share with anyone (OIAC, 2020, p. 81). This is reflected in the Criminal Code Act (Cth), (1995) and the Privacy Act 1988 (2021) with biometric data classified respectively as identification information and sensitive information. Contrastingly, the biometric industry is set to more than double by 2027 (Wadhwani & Gankar, 2021), and governments around the world are adopting systems that rely on it (Welcome to ID Match, n.d.) (Identity-Matching Services Bill 2019, 2019), (Tribune, 2021). This demonstrates a tension between the privacy concerns of individuals and the security and convenience desires of governments and industry. Increased use naturally leads to more data breaches that have led to the loss of government issued photographic identification (Nguyen & Bavas, 2020) and leaks of personal information on government websites (Abbott et al., 2020). These leaks demonstrate that the government has the desire to collect biometric data, but not the capability to keep it safe.
Legislation of data breach reporting led to a significant improvement in security in Australia and other countries (Buckland, 2020), so it is not unreasonable to assume a qualitatively similar effect can be achieved by legislating the use of privacy preserving biometric systems. Given this, the Australian government has a duty to lead by example in only accepting privacy preserving biometrics and legislating that all biometric systems must use them. This wouldn’t be unprecedented as the government has previously legislated on privacy matters with the Notifiable Data Breach Scheme (About the Notifiable Data Breaches Scheme, n.d.) and acted to protect the privacy of users on social media and other tech platforms (Karp, 2021), (Knaus, 2020), (Kwan, 2021).
Conclusion
While the properties of biometrics make them well suited for authentication and identification, the same properties also make them targets for criminals, we have reviewed the security challenges of biometric systems and the impacts a breach can have on the owners of the systems as well as individual enrollees. These impacts include impacts on privacy, data privacy and identity theft. Privacy preserving biometrics provide a number of methods for adding revokability to biometric credentials which could mitigate the risks of these security challenges and make a lost or stolen biometric no more troublesome than a stolen password.
The importance of biometric data in relation to privacy has been enshrined in law and we’ve seen that it has previously legislated on privacy matters, combining this with permanence or biometric loss and the desire of Australians to have their biometric data protected, there seems a clear mandate for the government to act to enforce the use of privacy preserving biometrics for all biometric systems.
In a globally connected environment, acting alone would achieve little and this raises the challenge of interoperability of diverse biometric systems, an area of further research is Public Biometric Infrastructure (Hui, 2012) which could help establish standards and protocols for distributed biometric systems and contribute to a global solution for biometric privacy and security.
This mandate, combined with Australia’s history of action and legislation to improve privacy, places the government in an ideal position to lead the world on creating a more secure and private digital environment.
References
Abbott, C., Andersen, Warwick , & Evans, M. (2020, November 11). Leaky port: City of port phillip inadvertently discloses personal information on federal government website. Cyber Law Watch. https://www.cyberlawwatch.com/2020/11/leaky-port-city-of-port-phillip-inadvertently-discloses-personal-information-on-federal-government-website/
About the Notifiable Data Breaches scheme. (n.d.). Home. Retrieved December 3, 2021, from https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme
Adler, A. (2009). Cancelable biometrics. In Encyclopedia of Biometrics (pp. 175–178). Springer US. http://dx.doi.org/10.1007/978-0-387-73003-5_66
Adler, A., & Schuckers, S. (2009). Biometric vulnerabilities, overview. In Encyclopedia of Biometrics (pp. 160–168). Springer US. http://dx.doi.org/10.1007/978-0-387-73003-5_65
Al Rousan, M., & Intrigila, B. (2020). A Comparative Analysis of Biometrics Types: Literature Review. Journal of Computer Science, 16(12), 1778–1788. https://doi.org/10.3844/jcssp.2020.1778.1788
Attorney-General’s Department. (2014). Identity crime and misuse in Australia. Australian Government. https://www.homeaffairs.gov.au/criminal-justice/files/national-identity-crime-and-misuse-pilot.PDF
Criminal Code Act (Cth), (1995). https://www.legislation.gov.au/Details/C2019C00043/Html/Volume_2
Privacy Act 1988, (2021). https://www.legislation.gov.au/Details/C2021C00452
Biometrics – australian privacy foundation. (2011, October 15). https://privacy.org.au/policies/biometrics/
Biometrics and privacy – Issues and challenges. (2021, April 17). Office of the Victorian Information Commissioner. https://ovic.vic.gov.au/privacy/biometrics-and-privacy-issues-and-challenges/
Buckland, R. (2020, November 25). Ep 5.1 Foundations Week5 – Data breaches. Apple Podcasts. https://podcasts.apple.com/au/podcast/foundations-of-cybersecurity-zzen9201/id1539051905?i=1000500262180
Cavoukian, A., & Stoianov, A. (2009). Encryption, biometric. In Encyclopedia of Biometrics (pp. 260–269). Springer US. https://doi-org.wwwproxy1.library.unsw.edu.au/10.1007/978-1-4899-7488-4
Contributors to Wikimedia projects. (2021a, November 11). Alphonse Bertillon. Wikipedia. https://en.wikipedia.org/wiki/Alphonse_Bertillon
Contributors to Wikimedia projects. (2021b, November 21). List of data breaches. Wikipedia. https://en.wikipedia.org/wiki/List_of_data_breaches
Department of Home Affairs. (n.d.-a). Identity security. Retrieved December 4, 2021, from https://www.homeaffairs.gov.au/about-us/our-portfolios/criminal-justice/cybercrime-identity-security/identity-security
Department of Home Affairs. (n.d.-b). Statement of biometric interoperability capability requirements. Retrieved December 4, 2021, from https://www.homeaffairs.gov.au/criminal-justice/files/statement-of-biometric-interoperability-capability-requirements.pdf
Fleming, I. (1958). Doctor no. Vintage.
Greig, J. (2021, September 16). Popular slot machine chain Dotty’s reveals data breach exposing SSNs, financial account numbers, biometric… ZDNet. https://www.zdnet.com/article/popular-slot-machine-chain-dottys-reveals-data-breach-exposing-ssns-financial-account-numbers-biometric-data-medical-records-and-more/
Hally, L. (2021a, July 25). Password management. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/cyber-tips/password-management/
Hally, L. (2021b, December 2). The war on encryption. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/government/the-war-on-encryption/
Hawthorne, M. R., Plotkin, S. L., & Douglas, B.-A. (2021). Fingerprints: Analysis and understanding the science. CRC Press.
Hewage, C. (2019, August 20). Stolen fingerprints could spell the end of biometric security – here’s how to save it. The Conversation. https://theconversation.com/stolen-fingerprints-could-spell-the-end-of-biometric-security-heres-how-to-save-it-122001
Hui, Z. (2012). Research and application on building of campus information resource platform based on PKI. IERI Procedia, 3, 192–197. https://doi.org/10.1016/j.ieri.2012.09.032
Ignatenko, T., & Willems, F. M. J. (2012). Biometric security from an information-theoretical perspective.
Jain, A. K., Ross, A., & Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology, 14(1), 4–20. https://doi.org/10.1109/tcsvt.2003.818349
Karp, P. (2021, October 25). Social media giants face $10m fines for privacy breaches under proposed government reform. The Guardian. https://www.theguardian.com/australia-news/2021/oct/25/social-media-giants-face-10m-fines-for-privacy-breaches-under-proposed-government-reform
Kaspersky. (2021, January 13). What is Biometrics Security. Www.Kaspersky.Com. https://www.kaspersky.com/resource-center/definitions/biometrics
Knaus, C. (2020, September 14). Facebook suffers blow in Australia legal fight over Cambridge Analytica. The Guardian. https://www.theguardian.com/technology/2020/sep/14/facebook-suffers-blow-in-australia-legal-fight-over-cambridge-analytica
Kong, A., Cheung, K.-H., Zhang, D., Kamel, M., & You, J. (2006). An analysis of BioHashing and its variants. Pattern Recognition, 39(7), 1359–1368. https://doi.org/10.1016/j.patcog.2005.10.025
Kwan, C. (2021, October 25). Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom,… ZDNet. https://www.zdnet.com/article/australian-online-privacy-bill-to-make-social-media-age-verification-mandatory-for-tech-giants-reddit-zoom-gaming-platforms/
Li, S. Z., & Jain, A. (2021). Encyclopedia of biometrics. Springer.
Marcel, S., Nixon, M. S., & Li, S. Z. (2014). Handbook of biometric anti-spoofing: Trusted biometrics under spoofing attacks. Springer.
McKee, G. (2000). Biometric identity theft [Letters]. Computer, 33(5), 5–10. https://doi.org/10.1109/mc.2000.841773
Multi biometric passport – NADRA pakistan. (n.d.). Retrieved December 1, 2021, from https://www.nadra.gov.pk/solutions/secure-document-solutions/multi-biometric-passports/
Nguyen, K., & Bavas, J. (2020, August 31). Data breach exposes tens of thousands of NSW driver’s licences online. ABC News. https://www.abc.net.au/news/2020-09-01/nsw-drivers-licence-data-breach-under-investigation/12611918
OIAC. (2020). Australian community attitudes to privacy survey 2020.
Identity-matching services bill 2019, House of Representatives (2019) (testimony of Parliament of Australia & Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6387
Part 4: Notifiable data breach (NDB) scheme. (2019, July 13). Home. https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme
Payment Times Reporting Scheme Eligibility criteria. (n.d.). Payment Times Reporting Scheme. Retrieved December 3, 2021, from https://paymenttimes.gov.au/who-must-report/eligibility-criteria
Richards, N. (2013). THE DANGERS OF SURVEILLANCE. Harvard Law Review, Vol.126(7), 134–1925.
Symanovich, S. (n.d.). Biometric data breach: Database exposes fingerprints and facial recognition data of 1 million people. Norton. Retrieved December 1, 2021, from https://us.norton.com/internetsecurity-emerging-threats-biometric-data-breach-database-exposes-fingerprints-and-facial-recognition-data.html
Taylor, J. (2019, August 14). Major breach found in biometrics system used by banks, UK police and defence firms. The Guardian. https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms
Thales Group. (2021, June 2). Biometrics: Definition, use cases, latest news. Thales Group. https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/inspired/biometrics
Tomko, G., Soutar, C., & Schmidt, G. (1994). Fingerprint controlled public key cryptographic system. https://patents.google.com/patent/US5541994A/en
Tourist visa. (2017, July 18). Pakistan Online Visa System. https://visa.nadra.gov.pk/tourist-visa/
Tran, Q. (2021, December 1). Cancellable Biometric session with Luke (L. Hally, Interviewer) [Personal communication].
Tran, Q. N., Turnbull, B. P., & Hu, J. (2021). Biometrics and privacy-preservation: How do they evolve? IEEE Open Journal of the Computer Society, 2, 179–191. https://doi.org/10.1109/ojcs.2021.3068385
Tribune. (2021, November 26). NADRA data leak. Tribune. https://tribune.com.pk/story/2331199/nadra-data-leak
Types of biometrics. (2018, July 9). Biometrics Institute. https://www.biometricsinstitute.org/what-is-biometrics/types-of-biometrics/
Wadhwani, P., & Gankar, S. (2021, August). How big is the biometrics market? Global Market Insights, Inc. https://www.gminsights.com/industry-analysis/biometrics-market
Welcome to ID Match. (n.d.). Retrieved December 2, 2021, from https://www.idmatch.gov.au
What is the Rule of Law? – Rule of Law Education Centre. (2015, August 21). The Rule of Law Institute. https://www.ruleoflaw.org.au/what-is-the-rule-of-law/
Yang, B., Busch, C., Derawi, M., Bours, P., & Gafurov, D. (2009). Geometric-Aligned cancelable fingerprint templates. In Image Analysis and Processing – ICIAP 2009 (pp. 490–499). Springer Berlin Heidelberg. http://dx.doi.org/10.1007/978-3-642-04146-4_53
