The Practical Applications of Biometrics: It is not just about Tom Cruise’s Eyes

On July 21st, CompTIA partnered with the International Biometrics+Identity Association (IBIA) to host a webinar entitled “The Practical Applications of Biometrics: It is not just about Tom Cruise’s Eyes.” A recording of the webinar is available on demand, as are the presentation slides. The webinar covered four important topics:

  1. Overview of key biometric modalities and uses
  2. Security of biometric data
  3. Implementing a large-scale biometrics system
  4. Overview of policy developments at the State and Federal level.

Biometric Modalities and Uses
John Mears, Senior Fellow at Lockheed Martin, offered a comprehensive discussion of biometric modalities and uses. While many are familiar with fingerprint, facial recognition, iris scans and voice recognition, John shared other modalities – even referencing the flora one might find in the gut as a biometric. He noted that what makes a biometric a useful tool for automated recognition is that the trait is unique to the individual, generally quite secure and cost effective to capture.

Data captured from a biometric trait is translated into an electronic template. A subsequent capture is compared against this template either to authenticate that a person is who they say they are (a 1:1 comparison) or to identify someone whose identity is in question (a comparison against many stored templates). The former, authentication, is found, for example, in gaining access to a mobile phone or in facial recognition at a bank ATM. The latter, identification, is most typically found in law enforcement or national security use – matching fingerprints lifted from a crime scene, for example.

Security of Biometric Data
“Spoofing” refers to the use of an artificial or altered sample to defeat the security of a biometric system, either to falsely match someone else’s identity or to conceal one’s own true identity. Rob Rowe, Vice President at HID Global, ran through some examples – such as facial masks, false contact lenses, or latex finger pads bearing a print. Rob also shared good security practices to defeat such spoofing efforts. Multi-modal biometric systems (fingerprint plus voice recognition, for instance) are recommended. Spoof detection includes, among other techniques, testing the temporal characteristics of the sample (e.g. pupil dilation), requiring a randomly changing spoken phrase, or checking the physical properties of the sample.

Rob also noted that the same good security practices used for non-biometric data, such as encryption and proper key management, should always be applied to protect stored biometric templates. Decryption of biometric templates should only ever take place in a protected environment.

Security and convenience are inversely related: tightening the match threshold reduces false acceptances but increases false rejections. Depending on the purpose of the biometric system – authentication versus identification – the acceptable balance changes accordingly. In either situation, however, the vendor specifications should explicitly lay out the system’s spoof detection capabilities.

Implementing a Large-Scale Biometrics System
Benji Hutchinson, Senior Director at NEC, shared with the audience an example of a large-scale integration of a biometric system. India has embarked on a national identification program to deliver social services to its citizens in a more efficient and secure manner. The goal of this endeavor is to enroll 1.2 billion people (one-sixth of the world’s population), capturing finger, face and iris biometric data. The challenges of such a large-scale deployment are numerous.

Accuracy of collection is a consideration, as employment history (a laborer with worn, degraded fingerprints) or facial hair can reduce the quality of the data captured. Consequently, accuracy calculations – false acceptance and false rejection rates – are recommended for such large-scale deployments.

One must also take into consideration factors such as aging or other prevailing conditions that could lead to imprecise matches and duplicate enrollments. A successful system must perform duplication checks at enrollment and, to keep matching efficient, should use the minimum number of parallel match combinations.
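The inverse relationship between security and convenience described above, the false acceptance and false rejection rates recommended for large deployments, and the enrollment-time duplication check can all be shown with one small matcher. The following is an added example, not code from the webinar, NEC or HID Global. It assumes a hypothetical matcher that returns a similarity score in [0, 1] (here a bit-string similarity of the kind iris-code matchers use, standing in for any modality), and the genuine and impostor scores are constructed sample data, not measurements.

```python
"""Error-rate sweep and 1:N duplicate check for a biometric matcher.

Added example code with constructed data; it does not reproduce any vendor's
algorithm. A "genuine" score comes from comparing two captures of the same
person; an "impostor" score comes from comparing captures of different people.
"""

# Constructed sample scores from a hypothetical matcher (not real measurements).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.60]
IMPOSTOR_SCORES = [0.12, 0.35, 0.28, 0.55, 0.41, 0.19, 0.63, 0.22, 0.47, 0.30]


def false_accept_rate(impostor_scores, threshold):
    """FAR: fraction of impostor comparisons the system wrongly accepts."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """FRR: fraction of genuine comparisons the system wrongly rejects."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FAR, FRR) for each threshold: as the threshold rises,
    FAR can only fall and FRR can only rise, which is the security/convenience
    trade-off in numbers."""
    return [
        (t, false_accept_rate(impostor_scores, t), false_reject_rate(genuine_scores, t))
        for t in thresholds
    ]


def hamming_similarity(a: str, b: str) -> float:
    """Fraction of matching bits in two equal-length bit strings.

    Iris-code matchers compare templates by Hamming distance in this way; here
    it is a stand-in for whatever the deployed matcher computes.
    """
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def find_duplicates(candidate, gallery, threshold):
    """1:N check at enrollment: ids of already-enrolled templates that match the
    candidate at or above threshold. A non-empty result means the person is
    probably already enrolled and the record must be reviewed, not duplicated."""
    return [
        gid for gid, template in gallery.items()
        if hamming_similarity(candidate, template) >= threshold
    ]


# Constructed gallery of 16-bit templates (hypothetical identifiers).
GALLERY = {
    "person-001": "1100101011010011",
    "person-002": "0011010100101100",
    "person-003": "1110001101011010",
}


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.65, 0.7, 0.8]):
        print(f"{t:9.2f}  {far:.2f}  {frr:.2f}")
    # A new capture differing from person-001 in a single bit (constructed).
    new_capture = "1100101011010111"
    print("duplicates of new capture:", find_duplicates(new_capture, GALLERY, 0.8))
```

With these constructed scores the sweep shows the trade-off directly: at a threshold of 0.5 no genuine user is rejected but two impostor comparisons in ten are accepted, while at 0.7 no impostor is accepted but two genuine users in ten are turned away. A national identification system, where a false acceptance issues benefits to the wrong person, would choose its operating point differently from a phone unlock, where a false rejection merely costs a retry. The duplicate check flags person-001 for the new capture, which is what an enrollment pipeline must do before creating a second record.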

Scalability of such a system (the number of people enrolled, the data categories relating to those people, the number of access points to the data) determines the number of servers employed and the control logic required to coordinate the matching servers.

Lastly, Hutchinson spoke about building a “high-availability environment.” In essence this means having appropriate redundancy of servers to ensure that no biometric data is lost and no service is interrupted due to a fault.

Such an enormous undertaking must also be built with flexibility in mind to adapt to burgeoning areas of data collection.  Such architecture must also keep in mind database ownership, international data exchange demands, and regulatory and legal regimes that impact data exchange.

Policy Developments Concerning Biometrics
The last portion of the webinar was devoted to an overview of policy developments in the United States. Kara Bush, Director of State Government Affairs at CompTIA, shared that there are two categories of laws which affect the use of biometric information by private and government actors: 1) laws specifically addressing the use of biometric identifiers; and 2) broad privacy laws that include biometric information in their definition of personal information.

A number of existing privacy regimes for specific sectors (health, finance, education) already contain significant data security and breach notification provisions covering personally identifiable information (PII). But there is a growing number of efforts at the state level to address biometric data specifically as it relates to government, student or commercial use.

The most significant example of this latter category is the Illinois Biometric Information Privacy Act (BIPA). Its major requirements are:

  1. Requires informed consent prior to collection
  2. Prohibits profiting from biometric data
  3. Permits only a limited right to disclose
  4. Mandates protection obligations and retention guidelines
  5. Creates a private right of action for individuals harmed by violators of BIPA

The law is problematic in several ways – notably vagueness with regard to a number of definitions (consent, what constitutes data used for profit, facial recognition, etc.). The private right of action is also concerning and invites an avalanche of litigation; a right of action by the State Attorney General to bring suit would be more appropriate. Thus far only a few states have taken on specific biometric legislation, and there is always a concern that a state-by-state approach will create an unworkable patchwork of requirements. But equally of concern is that the Illinois precedent is gaining greater traction across the states, and thus there is a stronger impetus to clarify the law sooner rather than later.

At the Federal level, there has been no broad-based effort to regulate biometrics. The Federal Trade Commission (FTC) and the National Telecommunications and Information Administration (NTIA) have both sought to set out “best practice” guidelines around facial recognition, and the Government Accountability Office (GAO) has issued a report suggesting that it is premature to develop specific legislation for facial recognition and that existing privacy regimes addressing PII are the preferred avenue for overseeing the privacy considerations of biometric technology.

Conclusion
These expert presenters offered a glimpse of the promise of the responsible use of biometrics. The global market for biometrics is expected to grow from $15 billion in 2015 to over $35 billion in 2020. The key to that growth will be to allow the technology to develop through increased innovation and adoption without being unduly stifled by laws and regulations that are overly vague or broad.

Please Note: The on-demand webinar now qualifies for CE credit toward renewal of the CompTIA A+, Network+, Security+ or CASP certification.