Ann Cavoukian has really thought about biometrics – and fingerprinting. As the Privacy Commissioner of Ontario, she hasn't hesitated to join the conversation we have been having as technologists – and has contributed to it in concrete ways. For example, beyond bringing the Laws of Identity to the attention of policy makers, she extended them to make all the privacy implications explicit.
Now she and Alex Stoianov, a biometrics scientist, have published a joint paper called Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy. It is too early to know to what extent Biometric Encryption (BE) will achieve its promise and become a mainstream technology. But everyone who reads the paper will understand why it is absolutely premature to begin using “conventional biometrics” in schools – or pubs. The following table, taken from the paper, summarizes the benefits BE could hold out for us:
| # | Privacy OR Security – A Zero-Sum Game | Privacy AND Security – A Positive-Sum Game |
|---|---|---|
| 1 | The biometric template stored is an identifier unique to the individual. | There is no conventional biometric template, therefore no unique biometric identifier may be tied to the individual. (pp. 16, 17) |
| 2 | Secondary uses of the template (unique identifier) can be used to log transactions if biometrics become widespread. | Without a unique identifier, transactions cannot be collected or tied to an individual. (pp. 17, 25) |
| 3 | A compromised database of individual biometrics or their templates affects the privacy of all individuals. | No large databases of biometrics are created, only biometrically encrypted keys. Any compromise would have to take place one key at a time. (pp. 23) |
| 4 | Privacy and security not possible. | Privacy and security easily achieved. (pp. 17-20, 26-28) |
| 5 | Biometric cannot achieve a high level of challenge-response security. | Challenge-response security is an easily available option. (pp. 26-28) |
| 6 | Biometrics can only indirectly protect privacy of personal information in large private or public databases. | BE can enable the creation of a private and highly secure anonymous database structure for personal information in large private or public databases. (pp. 19, 20, 27) |
| 7 | 1:many identification systems suffer from serious privacy concerns if the database is compromised. | 1:many identification systems are both private and secure. (pp. 17, 20) |
| 8 | Users' biometric images or templates cannot easily be replaced in the event of a breach, theft or account compromise. | Biometrically encrypted account identifiers can be revoked and a new identifier generated in the event of breach or database compromise. (pp. 17) |
| 9 | Biometric system is vulnerable to potential attacks. | BE is resilient to many known attacks. (pp. 18) |
| 10 | Data aggregation | Data minimization (pp. 17) |
I'll be writing about the basic idea involved in BE. But I advise downloading the paper since, beyond BE, it provides an excellent and well-structured discussion of the issues with biometrics in general.