Category: Laws of Identity

My lawyer friends all know I am “legally challenged” – so don't take anything I say about legal issues as representing any particular expertise. 

But on the news today I saw a story about a drug manufacturer showing the consequences of making false technical claims like those I objected to here in other walks of life: 

NEW YORK (CNNMoney.com) — The maker of OxyContin, Purdue Pharma LP, agreed Thursday to a $600 million penalty as part of a plea deal with the Justice Department on a felony charge of misleading and defrauding physicians and consumers, the government said.

Three of the company's executives, including its CEO, general counsel and former chief medical officer, have separately agreed to pay $34.5 million in penalties. The company and the three men appeared in federal court Thursday to plead guilty.

The company also agreed to subject itself to independent monitoring and a remedial action program.

“Purdue … acknolwedged that it illegally marketed and promoted OxyContin by falsely claiming that OxyContin was less addictive, less subject to abuse and diversion, and less likely to cause withdrawal symptoms than other pain medications – all in an effort to maximize its profits,” said U.S. Attorney John Brownlee.

There should be accountability and penalties for those who consciously mislead people like the Marlin County school board, convincing them there is no risk to privacy by preying on their inability to understand technical issues.  It should be mandatory, when selling technology with potential privacy implications, to explain the threats and mitigations in an objective and public way.

Joris Evers at CNet has done a nice wrap-up on the latest identity catastrophy.  (Plumes of smoke were seen coming from the reactor, but so far, there has been no proof of radioactive particles leaking into the environment): 

A CD containing personal information on Georgia residents has gone missing, according to the Georgia Department of Community The CD was lost by Affiliated Computer Services, a Dallas company handling claims for the health care programs, the statement said. The disc holds information on 2.9 million Georgia residents, said Lisa Marie Shekell, a Department of Community Health representative.

It is unclear if the data on the disc, which was lost in transit some time after March 22, was protected. However, it doesn't appear the data has been used fraudulently. “At this time, we do not have any indication that the information on the disk has been misused,” Shekell said.

In response to the loss, the Georgia Department of Community Health has asked ACS to notify all affected members in writing and supply them with information on credit watch monitoring as well as tips on how to obtain a free credit report, it said.  [Funny – I get junk mail with this offer every few days – Kim] 

There has been a string of data breaches in recent years, many of which were reported publicly because of new disclosure laws. About 40,000 Chicago Public Schools employees are at risk of identity fraud after two laptops containing their personal information were stolen Friday.

Last week, the University of California at San Francisco said a possible computer security breach may have exposed records of 46,000 campus and medical center faculty, staff and students.

Since early 2005, more than 150 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

Identity fraud continues to top the complaints reported to the Federal Trade Commission. Such complaints, which include credit card fraud, bank fraud, as well as phone and utilities fraud, accounted for 36 percent of the total 674,354 complaints submitted to the FTC and its external data contributors in 2006.

This diagram from Cavoukian and Stoianov's recent paper on biometric encryption (introduced here) provides an overiew of the possible attacks on conventional biometric systems (Click to enlarge; consult the original paper, which discusses each of the attacks).

Click to enlarge

Having looked at how template-based biometric systems work, we're ready to consider biometric encyption.  The basic idea is that a function of the biometric is used to encrypt (bind to) an arbitrary key.  The key is stored in the database, rather than either the biometric or a template.  The authors explain,

Because of its variability, the biometric image or template itself cannot serve as a cryptographic key. However, the amount of information contained in a biometric image is quite large: for example, a typical image of 300×400 pixel size, encoded with eight bits per pixel has 300x400x8 = 960,000 bits of information. Of course, this information is highly redundant. One can ask a question: Is it possible to consistently extract a relatively small number of bits, say 128, out of these 960,000 bits? Or, is it possible to bind a 128 bit key to the biometric information, so that the key could be consistently regenerated? While the answer to the first question is problematic, the second question has given rise to the new area of research, called Biometric Encryption

Biometric Encryption is a process that securely binds a PIN or a cryptographic key to a biometric,so that neither the key nor the biometric can be retrieved from the stored template. The key is re-created only if the correct live biometric sample is presented on verification.

The process is represented visually as follows (click to enlarge):

Click to enlarge

Perhaps the most interesting aspect of this technology is that the identifier associated with an individual includes the entropy of an arbitrary key.  This is very different from using a template that will be more or less identical as long as the template algorithm remains constant.  With BE, I can delete an identifier from the database, and generate a new one by feeding a new random key into the biometric “binding” process.  The authors thus say the identifiers are “revokable”.

This is a step forward in terms of normal usage, but the technology still suffers from the “glass slipper” effect.  A given individual's biometric will be capable of revealing a given key forever, while other people's biometrics won't.  So I don't see that it offers any advantage in preventing future mining of databases for biometric matches.  Perhaps someone will explain what I'm missing.

The authors describe some of the practical difficulties in building real-world systems (although it appears that already Phillips has a commercial system).  It is argued that for technical reasons, fingerprints lend themselves less to this technology than iris and facial scans. 

Several case studies are included in the paper that demonstrate potential benefits of the system.  Reading them makes the ideas more comprehensible.

The authors conclude:

Biometric Encryption technology is a fruitful area for research and has become sufficiently mature for broader public policy consideration, prototype development, and consideration of applications.

Andy Adler at the University of Ottawa has a paper looking at some of the vulnerabilities of BE.

Certainly, Cavoukian and Stoianov's fine discussion of the problems with conventional biometrics leaves one more skeptical than ever about their use today in schools and pubs.

Ann Cavoukian has really thought about biometrics – and fingerprinting. As the Privacy Commissioner of Ontario, she hasn't hesitated to join the conversation we have been having as technologists – and has contributed to it in concrete ways. For example, beyond bringing the Laws of Identity to the attention of policy makers, she extended them to make all the privacy implications explicit.

Now she and Alex Stoianov, a biometrics scientist, have published a joint paper called Biometric Encrypton: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy. It is too early to know to what extent Biometric Encryption (BE) will achieve its promise and become a mainstream technology. But everyone who reads the paper will understand why it is absolutely premature to begin using “conventional biometrics” in schools – or pubs. The following table, taken from the paper, summarizes the benefits BE could hold out for us:

	Traditional Biometrics: Privacy OR Security A Zero-Sum Game	Biometric Encryption: Privacy AND Security – A Positive-Sum Game
1	The biometric template stored is an identifier unique to the individual.	There is no conventional biometric template, therefore no unique biometric identifier may be tied to the individual. (pp. 16, 17)
2	Secondary uses of the template (unique identifier) can be used to log transactions if biometrics become widespread.	Without a unique identifier, transactions cannot be collected or tied to an individual. (pp. 17, 25)
3	A compromised database of individual biometrics or their templates affects the privacy of all individuals.	No large databases of biometrics are created, only biometrically encrypted keys. Any compromise would have to take place one key at a time. (pp. 23)
4	Privacy and security not possible.	Privacy and security easily achieved. (pp. 17-20, 26-28)
5	Biometric cannot achieve a high level of challenge-response security.	Challenge-response security is an easily available option. (pp. 26-28)
6	Biometrics can only indirectly protect privacy of personal information in large private or public databases.	BE can enable the creation of a private and highly secure anonymous database structure for personal information in large private or public databases. (pp. 19, 20, 27)
7	1:many identification systems suffer from serious privacy concerns if the database is compromised.	1:many identification systems are both private and secure. (pp. 17, 20)
8	Users’ biometric images or templates cannot easily be replaced in the event of a breach, theft or account compromise.	Biometrically encrypted account identifiers can be revoked and a new identifier generated in the event of breach or database compromise. (pp. 17)
9	Biometric system is vulnerable to potential attacks.	BE is resilient to many known attacks. (pp. 18)
10	Data aggregation	Data minimization (pp. 17)

I'll be writing about the basic idea involved in BE. But I advise downloading the paper since beyond BE, it provides an excellent and well structured discussion of the issues with biometrics in general.

More good news from The Sunday Times in Britain: 

CHILDREN aged 11 to 16 are to have their fingerprints taken and stored on a secret database, internal Whitehall documents reveal.

The leaked Home Office plans show that the mass fingerprinting will start in 2010, with a batch of 295,000 youngsters who apply for passports.

The Home Office expects 545,000 children aged 11 and over to have their prints taken in 2011, with the figure settling at an annual 495,000 from 2014. Their fingerprints will be held on a database also used by the Immigration and Nationality Directorate to store the fingerprints of hundreds of thousands of asylum seekers.

The plans are outlined in a series of “restricted” documents circulating among officials in the Identity and Passport Service. They form part of the programme for the introduction of new biometric passports and ID cards.

David Davis, the shadow home secretary, said: “This borders on the sinister and it shows the government is trying to end the presumption of innocence. With the fingerprinting of all our children, this government is clearly determined to enforce major changes in the relationship between the citizen and the state in a way never seen before.”

…Children under 16 will not be part of the ID card scheme. But the documents show that from 2010 they will still have to be fingerprinted for a new passport.

The prints will initially be stored on the directorate’s database. Once children reach 16 their fingerprints and other personal information will be passed for storage on the register, along with those of nearly 50m adults.