My fingers are all mine: Five reasons why using biometrics may not be a good idea Siraj A. Shaikh 1, Christos K. Dimitriadis 2 1 Department of Information Systems, Cranfield University, Defence Academy, Shrivenham, SN6 8LA, UK 2 University of Piraeus, 80 Karaoli & Dimitriou, GR-185 34 Piraeus, Greece E-mail: s.shaikh@cranfield.ac.uk, cricodc@gmail.com Abstract Biometric technology has undoubtedly become the bedrock of national and commercial identity management infrastructures, and will become more so in the future. While the technology promises great benefits, its use raises a variety of serious ethical, social and technical concerns. The processing and storage of human biological data for this purpose is not entirely foolproof. Moreover, when it comes to deployment in large-scale infrastructures, the accuracy and reliability issues become more serious. Characteristic human data such as facial images and fingerprints is very personal and permanent to humans, the misuse or abuse of which could be disastrous for the privacy of individuals. The purpose of this paper is to delve deeper into these issues, and highlight some of these concerns. Index Terms biometrics, security, facial recognition, privacy, fingerprint matching. I. INTRODUCTION The term Biometrics is a combination of the Greek words Bio (to mean life) and Metric (to mean measure) to mean the measurement and statistical analysis of biological data. The term has become synonymous with IT technologies for measuring and analysing human body characteristics for authentication purposes and automatically recognising a person using distinguishing traits. One of the first known cases of humans using biometrics to identify one another was by early Chinese merchants. Joao de Barros, Portuguese explorer and historian, wrote that the Chinese merchants used a form of biometrics by stamping children s palm prints and footprints on paper with ink to distinguish them from one another. This is one of the earliest known cases of biometrics in use and is still being used today. The role of biometrics has changed considerably in the modern society we live in today however. Primarily used for human identification and authentication (also known as verification) [1], biometrics is used to authenticate the citizenship of travellers through biometric passports and iris recognition procedures, aspects of citizens identity using biometric identity cards, formal entry of travellers to a foreign country through the issuance of biometric visas, and bank customers accessing their account through biometric-enabled automated teller machines, amongst other authentication and access control applications used in the university sector, gaming industry, healthcare, time and attendance, transportation and voter registration sectors as listed by the International Biometric Industry Association (IBIA) [2]. While biometric technology have undoubtedly become the bedrock of national and commercial identity management infrastructures, and will become more so in the future, its use raises a variety of serious ethical, social and technical issues. For one, the processing and storage of human biological data for this purpose is not entirely foolproof. The accuracy and reliability of the biometric technology also falls short at times, making the deployment infeasible for large-scale infrastructures. Moreover, characteristic data such as facial images and fingerprints is very personal and permanent to humans, the misuse or abuse of which could be disastrous for the privacy of individuals. Finally some recent research has emphasised the need to consider cognitive and psychological dimensions of such systems. The purpose of this paper is to delve deeper into these issues. We categorise the issues mentioned above in five different areas, and organise the rest of this paper as follows. Section II discusses the security implications of the use of biometrics. Section III discusses the performance of biometric-based systems, with regards to accuracy and scalability. Section IV is concerned with the privacy issues of such systems. Section V looks at the psychological factors that influence the design and accuracy of biometric and related systems. Section VI then considers the physical aspects of the interaction between humans and this technology, with particular regards to the physical safety of individuals. II. SECURITY ISSUES One of the advantages of the use of biometrics often trumpeted is the availability and readiness of human biological data, whereas one may forget their password or forget to bring their authentication token (such as a smart card). It is both the readiness and availability of human biological data and, the ease and speed with which it can be used (to perform fingerprint or retinal scans for example) for 1-4244-2427-6/08/$20.00 2008 IEEE
authentication purposes that is often trumpeted as one of the advantages of biometric technology. It is this very availability, however, that raises security concerns. Human biological data of the kind most common for these systems, such as fingerprints, facial images or retina patterns, is highly visible and accessible, thus increasing the risk of biometric spoofing. Fingerprints represent one of the most accessible human characteristics that could easily be both obtained and spoofed. Matsumoto et al [3] have shown how fake gelatine fingers can be used to deceive biometric fingerprint devices. Shuckers [4] has shown some results to a similar effect. With an increasing reliance on surveillance cameras and latest developments in video technology, facial images will undoubtedly become common biometric features used for identification, authentication and surveillance. Adler s [5,6] work, however presents a challenge to the use of such biometric (and others in general) as it shows how to generate good quality facial images from a face recognition template. This in turn has serious implications if the database storing the templates is compromised. III. PERFORMANCE ISSUES One of the most important issues for the successful deployment of biometric systems is performance. It clearly depends on the application under consideration and the biometric modality that is deployed. So, iris matching or retinal scanning offer quite high assurances that the person who is successfully passing the verification test is the legitimate user. Performance is perhaps the barrier that biometrics industry has to overcome, if biometric devices are to enjoy widespread acceptance. Paramount to surpassing this obstacle is the establishment of independent testing procedures on predefined datasets. The reason is that the industry is touting their products using their own testing procedures, which obviously have as major purpose to produce sales. Since each application of biometric technology has different requirements and needs different guarantees from the technology, it is sensible to devise application-specific testing suites and evaluation procedures that measure performance within certain scenarios. Moreover, the testing has to be done by an independent group who will be unbiased and judge objectively as to the rating of the quality in a particular setting. In some sections of the industry this is realized already and independent testing groups are set up to perform objective evaluation. In the fingerprint recognition arena, several algorithms were compared head-to-head using different state-of-the-art sensor technologies: optical, capacitive, high-end optical, while the fourth section was produced by synthetically combining images of other fingerprints. Having an independent testing group is crucial in order to see head to head comparisons between different biometric systems, measured on the same data. There is a huge difference from performance measurements taken on one s private set of data, on which the algorithm may have been fine-tuned. We see that the performance issue is really a problem and situation has to be improved significantly, if biometrics is to be used in wide-scale projects, protecting sensitive data. And all that when performance rates as measured by the industry are reaching up to 99 % level. After these considerations, the importance of having an independent group to run the tests and compare algorithms on common test suites and use data unseen before by the algorithms cannot be overstressed. It is the only plausible way that one can get meaningful and comparable numbers that can measure the state of the art and decide whether the current performance levels are suitable for a certain application. More specifically, commercial products have to do a better job in thwarting the simplest attempts to trick the system. It seems that the low-end products targeting the PC market are seen more like toys rather than security tools that one can rely on for protection of their personal data. There is a long way to go before biometric systems can be relied upon for protection of really sensitive data. A. Scalability Scalability is a major issue regarding the wide spread of biometrics systems. In order to deploy a security solution including biometric technologies, it is an important prerequisite for the system to have the ability to extend in levels corresponding to larger population without requiring major changes in its infrastructure. Smart cards for example (as deployed in the market today) have inherent scalability, ensuring organizations like banks or telecommunication providers that the system is extendable, possibly requiring changes only in its database capacity and central system management. A Public Key Infrastructure provides scalability due to the use of certificates and key pairs. Its architecture reduces the number of required keys in conjunction with symmetric cryptography and de-centralized authentication using digital signatures. The only central point is the CA (usually a branch like an RA which maintains an LDAP server) for the validation of a certificate and the provision of the CRLs. This architecture s scalability again depends on the database management scheme for a large population. Scalability for biometric systems depends on two technological factors. The first one regards the performance of the biometric component and the second the database management, which is a common issue for PKI and smart cards as well. Database management regards the administration of the biometric templates in a centralized architecture. There are several data base architectures addressing this problem, including distributed schemas for increasing the performance of the system. Regarding security, it would be effec-
tive to use relational databases with the template storage area separated from the rest of the data and pointers connecting the user to his/her template. In this schema, compromising the templates database will only gain access to a number of templates that will have no owners. Encryption should be an extra security feature. Special care should be given to the authentication controls of the database, which should be strong (two factor authentication) and supported by audit trail controls as detective measures. The most important issue regarding scalability and biometrics is the performance of the system. Identification using biometrics should not be permitted especially when the system serves great populations. The biometric systems are much likely not to be effective if used as identification mediums. While population grows, the task for identifying an individual becomes harder and harder, since the possibility for the existence of similar templates increases. Verification however is not affected, while the system has to compare the measurement to one template, which is indicated by the user by entering his/her username or inserting his/her smart card. However, when population increases, problems, like people being unable to enrol or be verified due to altered characteristics (e.g. damaged fingers) or religious reasons are magnified. The above situation manifests itself due to the increased possibility of including minorities in the application, when addressing large populations. This can be addressed with more sophisticated algorithms and the provision of alternative methods of authentication to the user. Generally, scalability issues relating to performance can be addressed using multi modal biometrics, supported by sophisticated decision mechanisms. The use of combined biometrics, for example face and hand recognition reduces the possibility of fraud in large populations, since the impostor and the legitimate user must have both templates similar. The system, when supported by an effective policy, can disable one of the two authentication methods if the user refused to use it e.g. for religious reasons and replace it with an extra password. IV. PRIVACY ISSUES Privacy is the interest that individuals have in sustaining a personal space, free from interference by other people and organisations. Information privacy refers to the privacy of an individual s personal data and personal communication. With respect to the protection of personal data, Article 8 of the Charter of the Fundamental Rights of the European Union [7] states that (1) everyone has the right to the protection of personal data concerning him or her, and (2) such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Biometric data due to its unique characteristic nature is as personal, if not more, to an individual. It is not just personal property as it affects the rights of individuals on how they choose to use their body, make a financial transaction or authenticate themselves to a system. Such personal data if lost or stolen can never be recovered. Once compromised, it is lost for life as the permanency of such data is never in doubt. Our identification documents (such as a passport) or a driving license can be uniquely reissued if need be but we cannot buy or replace our fingers! Alterman [8] builds on this argument further to point out that biometric data, unlike ordinary photographs for example, is both an irreversible and reliable identifier of an individual. Moreover the efficient nature of mechanical biometric comparisons makes it ever so more important to keep this data from being lost or stolen. The speed and efficacy at which such data can be stored, replicated and abused is far greater. Let us consider other privacy issues in biometric data. There are over four million CCTV camera deployed in Britain, and the...eventual aim is to turn the gathering of video evidence into a third forensic specialism alongside DNA analysis and fingerprinting. [9]. This would mean facial images are automatically scanned, compared to an existing database (of wanted and/or criminals) and detected (if a match is found) [10]. According to Camerawatch [11], a non-profit CCTV watchdog in Britain, somewhere in the region of 90% of all cameras and camera systems operating out there are simply not compliant (with the UK Data Protection Act). This form of digital video surveillance and detection ultimately raises a number of privacy concerns, similar to those raised in the protection of personal data. So, for example, are ordinary citizens provided with a choice? Are they explicitly asked about whether they want to be pictured by a camera, and are they always given a choice to avoid one? Is every individual made conscious of the presence of a camera? Is every camera always explicitly and visibly marked? With CCTV camera becoming so pervasive in our modern infrastructures, it is highly unlikely that this is case. Are people legally asked for their consent whether a sample reading of their face be taken? Are ordinary citizens comprehended about what will the facial image captured be used for? Where and how long will it be stored for? Who will it be communicated to? Is the facial image data confined for the purposes of this immediate surveillance? Is every individual allowed to set a limit on the access to his/her facial image data? Finally, is the facial image data only used within the said context, or could it be used for some other purpose? While this does not apply to facial recognition,
retinal scans could be used to reveal whether an individual is HIV-positive, or is at risk of a stroke [12]. V. PSYCHOLOGICAL FACTORS Recent research suggests that human expertise (which is often needed when comparing fingerprints due to distorted samples for example) is influenced by intuition, and is also psychologically and cognitively vulnerable, and, may therefore be, biased and/or inaccurate. Fingerprint examiners and experts often work under pressure and are also not immune to such cognitive factors. According to a recent survey by Dror et al [13], where the contextual top-down processing of information when matching fingerprints is examined, it is concluded that...contextual information actively biases the ways gaps (in comparing ambiguous fingerprints) are filled (when it comes to matching fingerprints).... This perhaps also questions the use of biometrics in systems where forensic investigation may be called to prosecute individuals. The issue here is not that fingerprint matching is not efficient or accurate, but the use of fingerprints in situations where fingerprint examiners may be called in for the purposes of investigation. VI. PHYSICAL SAFETY Physical safety issues raised by biometrics are often ignored and have been paid little attention thus far. The use of biometric data to verify an individual for the purposes of access control (for a vehicle) or to authenticate a financial transaction (on a biometric ATM) puts him/her at the risk of physical danger. The actual act of providing a biometric sample provide an incentive to a hostile party to force the individual to commit to the act, such a forced retinal scan, or possibly an impetus to amputate the desired body part, such as a finger, for this purpose. A recent event [14] highlights the reality of such risks involving a high-tech luxury car, a Mercedes S-class, which uses an access control system based on a fingerprint matching system. The system allows only a recognized owner of a car to get in and activate the engine. The owner was held by a gang of car stealers, who upon realising that they need the owner's fingerprint to mobilise the engine, cut off the owner's index finger with a machete. VII. DISCUSSION For a technology as new as biometrics, it has certainly found acceptance in leaps and bounds. In a recent speech [15] on liberty by the British Prime Minister Gordon Brown, emphasised on the technology as new means in a new information age to identity people, identity false passports and protect individuals and society against crime, fraud, illegal immigration and terrorism - and protect for each and every individual our own identity. While this is no doubt reflected in the policies of governments worldwide, given the weaknesses of the technology highlighted in this paper, we must proceed with caution. The privacy and ethical issues are largely ignored, and the collection of biometric data at the current mass scale carries a significant should this data is compromised and falls into the wrong hands. Not to mention the possible abuse of such data even in the rightful hands; history is abound with such examples. There is also some indication of refutation of the technology at a political level. A case in point is the first ever deployment of a biometric system at the border crossing between Pakistan and Afghanistan in Chaman [16], and is to start functioning in November 2007. The purpose of the system is to monitor and control the cross-border movement of Pakistani and Afghan nationals. With the intent of antiterrorist surveillance in the area, the system is designed to use a combination of fingerprint, facial and retinal scans. The residents of the border town and districts of Chaman are issued with passes that allow them to easily move across the border. While the system is applauded by the Government of Pakistan, authorities in Afghanistan have expressed serious reservations over it [17]. On a technological front, the increasing possible ways of manipulating and deceiving the technology, as discussed in Section II, is a cause for concern. The critical nature of the technology s use does not allow any leeway for such gaps. Would we ever be satisfied with a password-based authentication system, where the system can potentially reject even the right password even once in a million times? Admittedly, biometrics is often used with a number of other factors to identify or authenticate subjects. And then there are the increased risks to our physical security. Are we willing to compromise a part of our body? Is it perhaps not safer to simple give away your credit card and PIN should such a situation arise? This paper has looked at various issues briefly and highlighted some of the current research that poses serious questions to biometrics. We propose further investigation to have a better understanding of such issues, and how much impact will it have on both the (deployment of) technology and its users. REFERENCES [1] A.K. Jain, A. Ross and A. Pankanti, Biometrics: A Tool for Information Security IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125-143, June 2006. [2] International Biometric Industry Association (IBIA) [Online]. Available: http://www.ibia.org, 23 November [3] T. Matsumoto, H. Matsumoto, K. Yamada and S. Hoshino, Impact of Artificial Gummy Fingers on Fingerprint Systems, in Proceedings of SPIE Vol. #4677,
Optical Security and Counterfeit Deterrence Techniques IV, 2002. [4] S. A. C. Shuckers, Spoofing and Anti-Spoofing Measures, Information Security Technical Report, vol. 7, no. 4, pp. 56-62, December 2002 [5] A. Adler, Can images be regenerated from biometric templates? Biometrics Consortium Conference 2003. Washington, D.C., USA, Sept. 22-24, 2003 [6] A. Adler, Sample images can be independently restored from face recognition templates, Canadian Conference on Electrical Computer Engineering (CCECE). Montréal, Canada, May 2003. pp. 1163-1166 [7] The Charter of Fundamental Rights of the European Union (2000) [Online] Available: http://www.europarl.europa.eu/charter/pdf/text_en.pdf, 23 November [8] A. Alterman. A piece of yourself : Ethical issues in biometric identification, Ethics and Information Technology, vol. 5, pp. 139-150, September 2003 [9] C. Vallance New CCTV unit tackles UK crime, BBC News [Online] Available: http://news.bbc.co.uk/1/hi/uk/6241051.stm, 9th January [10] IBM Global Services, Digital video surveillance: leading a revolution in physical security. April 2004. IBM. [11] CameraWatch [Online] Available: http://www.camerawatch.org.uk, 23 November 2007 [date accessed] [12] Parliamentary Office of Science and Technology (POST). Biometrics & Security. Postnote, Number 165. [Online] Available: http://www.parliament.uk/post/pn165.pdf, 23 November 2001 [date accessed] [13] I. E. Dror, A. E. Peroni, S-L. Hind and D. Charlton. When Emotions Get the Better of Us: The Effect of Contextual Top-down Processing on Matching Fingerprints, Applied Cognitive Psychology, vol. 19, pp. 799-809, May, 2005. Wiley InterScience. [14] J. Kent Malaysia car thieves steal finger, BBC News. [Online] Available: http://news.bbc.co.uk/1/hi/world/asia-pacific/439683 1.stm, 31st March 2005 [date accessed] [15] British Prime Minister s Speech on Liberty. [Online] Available: http://www.number-10.gov.uk/output/page13630.asp, 25th October [16] Associated Press Pakistan installs first biometrics system at border crossing with Afghanistan, Herald Tribune. [Online] Available: http://www.iht.com/articles/ap/2007/01/10/asia/as- GEN-Pakistan-Afghanistan-Biometrics.php, 10th January [17] S. Shahid Afghan govt objects biometric system, DAWN. [Online] Available: http://www.dawn.com/2007/10/30/top8.htm, 30th October