[ieee 2008 international symposium on biometrics and security technologies (isbast) - isalambad,...


Page 1: [IEEE 2008 International Symposium on Biometrics and Security Technologies (ISBAST) - Isalambad, Pakistan (2008.04.23-2008.04.24)] 2008 International Symposium on Biometrics and Security

My fingers are all mine: Five reasons why using biometrics may not be a good idea

Siraj A. Shaikh¹, Christos K. Dimitriadis²

¹Department of Information Systems, Cranfield University, Defence Academy, Shrivenham, SN6 8LA, UK

²University of Piraeus, 80 Karaoli & Dimitriou, GR-185 34 Piraeus, Greece

E-mail: [email protected], [email protected]

Abstract – Biometric technology has undoubtedly become the bedrock of national and commercial identity management infrastructures, and will become more so in the future. While the technology promises great benefits, its use raises a variety of serious ethical, social and technical concerns. The processing and storage of human biological data for this purpose is not entirely foolproof. Moreover, when it comes to deployment in large-scale infrastructures, the accuracy and reliability issues become more serious. Characteristic human data such as facial images and fingerprints is very personal and permanent to humans, the misuse or abuse of which could be disastrous for the privacy of individuals. The purpose of this paper is to delve deeper into these issues, and highlight some of these concerns.

Index Terms – biometrics, security, facial recognition, privacy, fingerprint matching.

I. INTRODUCTION

The term Biometrics is a combination of the Greek words Bio (to mean life) and Metric (to mean measure) to mean the measurement and statistical analysis of biological data. The term has become synonymous with IT technologies for measuring and analysing human body characteristics for authentication purposes and automatically recognising a person using distinguishing traits. One of the first known cases of humans using biometrics to identify one another was by early Chinese merchants. Joao de Barros, Portuguese explorer and historian, wrote that the Chinese merchants used a form of biometrics by stamping children’s palm prints and footprints on paper with ink to distinguish them from one another. This is one of the earliest known cases of biometrics in use and is still being used today.

The role of biometrics has, however, changed considerably in the modern society we live in today. Primarily used for human identification and authentication (also known as verification) [1], biometrics is used to authenticate

• the citizenship of travellers through biometric passports and iris recognition procedures,

• aspects of citizens’ identity using biometric identity cards,

• formal entry of travellers to a foreign country through the issuance of biometric visas, and

• bank customers accessing their account through biometric-enabled automated teller machines,

amongst other authentication and access control applications used in the university sector, gaming industry, healthcare, time and attendance, transportation and voter registration sectors as listed by the International Biometric Industry Association (IBIA) [2]. While biometric technology has undoubtedly become the bedrock of national and commercial identity management infrastructures, and will become more so in the future, its use raises a variety of serious ethical, social and technical issues. For one, the processing and storage of human biological data for this purpose is not entirely foolproof. The accuracy and reliability of the biometric technology also falls short at times, making the deployment infeasible for large-scale infrastructures. Moreover, characteristic data such as facial images and fingerprints is very personal and permanent to humans, the misuse or abuse of which could be disastrous for the privacy of individuals. Finally, some recent research has emphasised the need to consider cognitive and psychological dimensions of such systems.

The purpose of this paper is to delve deeper into these issues. We categorise the issues mentioned above in five different areas, and organise the rest of this paper as follows. Section II discusses the security implications of the use of biometrics. Section III discusses the performance of biometric-based systems, with regards to accuracy and scalability. Section IV is concerned with the privacy issues of such systems. Section V looks at the psychological factors that influence the design and accuracy of biometric and related systems. Section VI then considers the physical aspects of the interaction between humans and this technology, with particular regards to the physical safety of individuals.

II. SECURITY ISSUES

One of the advantages of the use of biometrics often trumpeted is the availability and readiness of human biological data, whereas one may forget their password or forget to bring their authentication token (such as a smart card).

It is both the readiness and availability of human biological data and the ease and speed with which it can be used (to perform fingerprint or retinal scans for example) for authentication purposes that is often trumpeted as one of the advantages of biometric technology.

1-4244-2427-6/08/$20.00 ©2008 IEEE

It is this very availability, however, that raises security concerns. Human biological data of the kind most common for these systems, such as fingerprints, facial images or retina patterns, is highly visible and accessible, thus increasing the risk of biometric spoofing. Fingerprints represent one of the most accessible human characteristics that could easily be both obtained and spoofed. Matsumoto et al. [3] have shown how fake gelatine fingers can be used to deceive biometric fingerprint devices. Shuckers [4] has shown some results to a similar effect.

With an increasing reliance on surveillance cameras and the latest developments in video technology, facial images will undoubtedly become common biometric features used for identification, authentication and surveillance. Adler’s work [5,6], however, presents a challenge to the use of such biometrics (and others in general), as it shows how to generate good quality facial images from a face recognition template. This in turn has serious implications if the database storing the templates is compromised.

III. PERFORMANCE ISSUES

One of the most important issues for the successful deployment of biometric systems is performance. It clearly depends on the application under consideration and the biometric modality that is deployed. For instance, iris matching or retinal scanning offer quite high assurances that the person who successfully passes the verification test is the legitimate user.

Performance is perhaps the barrier that the biometrics industry has to overcome if biometric devices are to enjoy widespread acceptance. Paramount to surpassing this obstacle is the establishment of independent testing procedures on predefined datasets. The reason is that the industry is touting its products using its own testing procedures, whose major purpose is obviously to produce sales. Since each application of biometric technology has different requirements and needs different guarantees from the technology, it is sensible to devise application-specific testing suites and evaluation procedures that measure performance within certain scenarios. Moreover, the testing has to be done by an independent group who will be unbiased and judge objectively as to the rating of the quality in a particular setting.

In some sections of the industry this is realized already and independent testing groups are set up to perform objective evaluation. In the fingerprint recognition arena, several algorithms were compared head-to-head using different state-of-the-art sensor technologies: optical, capacitive, high-end optical, while the fourth section was produced by synthetically combining images of other fingerprints. Having an independent testing group is crucial in order to see head-to-head comparisons between different biometric systems, measured on the same data. Such results differ hugely from performance measurements taken on one’s private set of data, on which the algorithm may have been fine-tuned.

We see that the performance issue is really a problem and the situation has to be improved significantly if biometrics is to be used in wide-scale projects protecting sensitive data. And all that when performance rates as measured by the industry are reaching up to the 99 % level. After these considerations, the importance of having an independent group to run the tests, compare algorithms on common test suites and use data unseen before by the algorithms cannot be overstressed. It is the only plausible way that one can get meaningful and comparable numbers that can measure the state of the art and decide whether the current performance levels are suitable for a certain application.

More specifically, commercial products have to do a better job in thwarting the simplest attempts to trick the system. It seems that the low-end products targeting the PC market are seen more like toys rather than security tools that one can rely on for protection of their personal data. There is a long way to go before biometric systems can be relied upon for protection of really sensitive data.

A. Scalability

Scalability is a major issue regarding the wide spread of biometrics systems. In order to deploy a security solution including biometric technologies, it is an important prerequisite for the system to have the ability to extend in levels corresponding to larger population without requiring major changes in its infrastructure. Smart cards for example (as deployed in the market today) have inherent scalability, ensuring organizations like banks or telecommunication providers that the system is extendable, possibly requiring changes only in its database capacity and central system management.

A Public Key Infrastructure provides scalability due to the use of certificates and key pairs. Its architecture reduces the number of required keys in conjunction with symmetric cryptography and de-centralized authentication using digital signatures. The only central point is the CA (usually a branch like an RA which maintains an LDAP server) for the validation of a certificate and the provision of the CRLs. This architecture’s scalability again depends on the database management scheme for a large population.

Scalability for biometric systems depends on two technological factors. The first one regards the performance of the biometric component and the second the database management, which is a common issue for PKI and smart cards as well.

Database management regards the administration of the biometric templates in a centralized architecture. There are several database architectures addressing this problem, including distributed schemas for increasing the performance of the system. Regarding security, it would be effective to use relational databases with the template storage area separated from the rest of the data and pointers connecting the user to his/her template. In this schema, compromising the templates database will only give access to a number of templates that will have no owners. Encryption should be an extra security feature. Special care should be given to the authentication controls of the database, which should be strong (two factor authentication) and supported by audit trail controls as detective measures.
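The separated storage described above can be sketched as follows. This is an added example, not code from the paper: the table layout, the function names and the use of two SQLite databases are assumptions made for illustration, and encryption of the template column is left out because the Python standard library offers no authenticated cipher.

```python
import secrets
import sqlite3


def build_stores():
    """Create two separate databases: one for identity data, one for templates."""
    identity_db = sqlite3.connect(":memory:")
    template_db = sqlite3.connect(":memory:")
    identity_db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, full_name TEXT NOT NULL,"
        " template_ref TEXT UNIQUE NOT NULL)"
    )
    # Audit trail as a detective control: every template lookup is recorded.
    identity_db.execute(
        "CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT,"
        " username TEXT, outcome TEXT)"
    )
    # The template store holds no username, name or other owner attribute.
    template_db.execute(
        "CREATE TABLE templates (ref TEXT PRIMARY KEY, template BLOB NOT NULL)"
    )
    return identity_db, template_db


def enrol(identity_db, template_db, username, full_name, template):
    """Store the template under a random pointer and record only the pointer."""
    ref = secrets.token_hex(16)  # random, so it reveals nothing about the owner
    template_db.execute("INSERT INTO templates VALUES (?, ?)", (ref, template))
    identity_db.execute(
        "INSERT INTO users VALUES (?, ?, ?)", (username, full_name, ref)
    )
    return ref


def fetch_template(identity_db, template_db, username, actor):
    """Resolve user -> pointer -> template, writing an audit record either way."""
    row = identity_db.execute(
        "SELECT template_ref FROM users WHERE username = ?", (username,)
    ).fetchone()
    outcome = "found" if row else "unknown-user"
    identity_db.execute(
        "INSERT INTO audit (actor, username, outcome) VALUES (?, ?, ?)",
        (actor, username, outcome),
    )
    if row is None:
        return None
    hit = template_db.execute(
        "SELECT template FROM templates WHERE ref = ?", (row[0],)
    ).fetchone()
    return hit[0] if hit else None


def template_store_dump(template_db):
    """Everything a compromise of the template store alone would expose."""
    cur = template_db.execute("SELECT * FROM templates")
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


if __name__ == "__main__":
    idb, tdb = build_stores()
    # Constructed sample data; real templates are feature vectors, not 3 bytes.
    enrol(idb, tdb, "alice", "Alice Example", b"\x01\x02\x03")
    print(template_store_dump(tdb))
```

Separation only removes the link to the owner. The templates themselves remain sensitive, since Section II notes that facial images can be regenerated from face recognition templates, which is why the paragraph asks for encryption in addition.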

The most important issue regarding scalability and biometrics is the performance of the system. Identification using biometrics should not be permitted, especially when the system serves large populations. Biometric systems are likely to be ineffective if used as a means of identification. As the population grows, the task of identifying an individual becomes harder and harder, since the possibility of similar templates existing increases. Verification, however, is not affected, since the system only has to compare the measurement to one template, which is indicated by the user by entering his/her username or inserting his/her smart card. However, when the population increases, problems such as people being unable to enrol or be verified due to altered characteristics (e.g. damaged fingers) or religious reasons are magnified. This situation arises from the increased possibility of including minorities in the application when addressing large populations. It can be addressed with more sophisticated algorithms and the provision of alternative methods of authentication to the user.

Generally, scalability issues relating to performance can be addressed using multi modal biometrics, supported by sophisticated decision mechanisms. The use of combined biometrics, for example face and hand recognition, reduces the possibility of fraud in large populations, since the impostor and the legitimate user must have both templates similar. The system, when supported by an effective policy, can disable one of the two authentication methods if the user refuses to use it, e.g. for religious reasons, and replace it with an extra password.
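The scaling argument of the two paragraphs above (identification degrades as the population grows while verification does not, and requiring two modalities to match reduces false matches) can be checked numerically. This is an added example that is not from the paper; the toy matcher, which compares random 64-bit templates by Hamming distance, and all names and parameters are assumptions made for illustration.

```python
import math
import random

BITS = 64        # toy template length (assumption)
THRESHOLD = 20   # templates "match" if they differ in at most this many bits


def per_comparison_fmr(bits=BITS, threshold=THRESHOLD):
    """Exact chance that two unrelated random templates match by accident."""
    return sum(math.comb(bits, k) for k in range(threshold + 1)) / 2 ** bits


def predicted_false_match(fmr, population):
    """Chance of at least one accidental match in a 1:N search."""
    return 1.0 - (1.0 - fmr) ** population


def matches(a, b, threshold=THRESHOLD):
    return bin(a ^ b).count("1") <= threshold


def person_matches(probe, enrolled):
    """AND rule: every modality of the probe must match the same person."""
    return all(matches(p, e) for p, e in zip(probe, enrolled))


def simulate(population, trials=400, modalities=1, seed=1):
    """Return (verification_rate, identification_rate) for impostor probes.

    Each enrolled person has `modalities` independent random templates.
    Verification compares the probe with the one claimed identity only;
    identification searches the whole enrolled population.
    """
    rng = random.Random(seed)
    gallery = [
        tuple(rng.getrandbits(BITS) for _ in range(modalities))
        for _ in range(population)
    ]
    ver_hits = ident_hits = 0
    for _ in range(trials):
        probe = tuple(rng.getrandbits(BITS) for _ in range(modalities))
        claimed = gallery[rng.randrange(population)]
        if person_matches(probe, claimed):
            ver_hits += 1
        if any(person_matches(probe, person) for person in gallery):
            ident_hits += 1
    return ver_hits / trials, ident_hits / trials


def scaling_table(populations=(10, 100, 1000)):
    """Rows of (N, verification, identification, predicted, two-modality)."""
    fmr = per_comparison_fmr()
    rows = []
    for n in populations:
        ver, ident = simulate(n)
        _, fused = simulate(n, modalities=2)
        rows.append((n, ver, ident, predicted_false_match(fmr, n), fused))
    return rows


if __name__ == "__main__":
    print("N      verify  identify  predicted  two-modality identify")
    for n, ver, ident, pred, fused in scaling_table():
        print(f"{n:<6} {ver:<7.3f} {ident:<9.3f} {pred:<10.3f} {fused:.3f}")
```

The AND rule shown here also raises the chance of rejecting a legitimate user, which the simulation does not measure.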

IV. PRIVACY ISSUES

Privacy is the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organisations. Information privacy refers to the privacy of an individual’s personal data and personal communication. With respect to the protection of personal data, Article 8 of the Charter of the Fundamental Rights of the European Union [7] states that (1) everyone has the right to the protection of personal data concerning him or her, and (2) such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.

Biometric data, due to its unique characteristic nature, is as personal to an individual, if not more so. It is not just personal property, as it affects the rights of individuals on how they choose to use their body, make a financial transaction or authenticate themselves to a system. Such personal data, if lost or stolen, can never be recovered. Once compromised, it is lost for life, as the permanency of such data is never in doubt. Our identification documents (such as a passport or a driving license) can be uniquely reissued if need be, but we cannot buy or replace our fingers! Alterman [8] builds on this argument further to point out that biometric data, unlike ordinary photographs for example, is both an irreversible and reliable identifier of an individual. Moreover, the efficient nature of mechanical biometric comparisons makes it all the more important to keep this data from being lost or stolen. The speed and efficacy at which such data can be stored, replicated and abused is far greater.

Let us consider other privacy issues in biometric data. There are over four million CCTV cameras deployed in Britain, and the “...eventual aim is to turn the gathering of video evidence into a third forensic specialism alongside DNA analysis and fingerprinting.” [9]. This would mean facial images are automatically scanned, compared to an existing database (of wanted and/or criminals) and detected (if a match is found) [10]. According to Camerawatch [11], a non-profit CCTV watchdog in Britain, “somewhere in the region of 90% of all cameras and camera systems operating out there are simply not compliant (with the UK Data Protection Act)”. This form of digital video surveillance and detection ultimately raises a number of privacy concerns, similar to those raised in the protection of personal data. So, for example,

• Are ordinary citizens provided with a choice? Are they explicitly asked about whether they want to be pictured by a camera, and are they always given a choice to avoid one?

• Is every individual made conscious of the presence of a camera? Is every camera always explicitly and visibly marked? With CCTV cameras becoming so pervasive in our modern infrastructures, it is highly unlikely that this is the case.

• Are people legally asked for their consent to a sample reading of their face being taken?

• Are ordinary citizens informed about what the captured facial image will be used for? Where and for how long will it be stored? Who will it be communicated to?

• Is the facial image data confined to the purposes of this immediate surveillance? Is every individual allowed to set a limit on the access to his/her facial image data?

• Finally, is the facial image data only used within the said context, or could it be used for some other purpose? While this does not apply to facial recognition, retinal scans could be used to reveal whether an individual is HIV-positive, or is at risk of a stroke [12].

V. PSYCHOLOGICAL FACTORS

Recent research suggests that human expertise (which is often needed when comparing fingerprints, due to distorted samples for example) is influenced by intuition, is also psychologically and cognitively vulnerable, and may therefore be biased and/or inaccurate. Fingerprint examiners and experts often work under pressure and are also not immune to such cognitive factors.

According to a recent survey by Dror et al. [13], where the “contextual top-down processing” of information when matching fingerprints is examined, it is concluded that “...contextual information actively biases the ways gaps (in comparing ambiguous fingerprints) are filled (when it comes to matching fingerprints)...”. This perhaps also questions the use of biometrics in systems where forensic investigation may be called to prosecute individuals. The issue here is not that fingerprint matching is not efficient or accurate, but the use of fingerprints in situations where fingerprint examiners may be called in for the purposes of investigation.

VI. PHYSICAL SAFETY

Physical safety issues raised by biometrics are often ignored and have been paid little attention thus far. The use of biometric data to verify an individual for the purposes of access control (for a vehicle) or to authenticate a financial transaction (on a biometric ATM) puts him/her at the risk of physical danger. The actual act of providing a biometric sample provides an

• incentive to a hostile party to force the individual to commit to the act, such as a forced retinal scan, or

• possibly an impetus to amputate the desired body part, such as a finger, for this purpose.

A recent event [14] highlights the reality of such risks. It involved a high-tech luxury car, a Mercedes S-class, which uses an access control system based on a fingerprint matching system. The system allows only a recognized owner of a car to get in and activate the engine. The owner was held by a gang of car thieves, who, upon realising that they needed the owner's fingerprint to mobilise the engine, cut off the owner's index finger with a machete.

VII. DISCUSSION

For a technology as new as biometrics, it has certainly found acceptance in leaps and bounds. In a recent speech on liberty [15], the British Prime Minister Gordon Brown emphasised the technology as a new means in a new information age to “identify people”, “identify false passports” and “protect individuals and society against crime, fraud, illegal immigration and terrorism - and protect for each and every individual our own identity”. While this is no doubt reflected in the policies of governments worldwide, given the weaknesses of the technology highlighted in this paper, we must proceed with caution. The privacy and ethical issues are largely ignored, and the collection of biometric data at the current mass scale carries a significant risk should this data be compromised and fall into the wrong hands. Not to mention the possible abuse of such data even in the rightful hands; history abounds with such examples.

There is also some indication of refutation of the technology at a political level. A case in point is the first ever deployment of a biometric system at the border crossing between Pakistan and Afghanistan in Chaman [16], which is to start functioning in November 2007. The purpose of the system is to monitor and control the cross-border movement of Pakistani and Afghan nationals. With the intent of anti-terrorist surveillance in the area, the system is designed to use a combination of fingerprint, facial and retinal scans. The residents of the border town and districts of Chaman are issued with passes that allow them to easily move across the border. While the system is applauded by the Government of Pakistan, authorities in Afghanistan have expressed serious reservations over it [17].

On a technological front, the increasing number of possible ways of manipulating and deceiving the technology, as discussed in Section II, is a cause for concern. The critical nature of the technology’s use does not allow any leeway for such gaps. Would we ever be satisfied with a password-based authentication system, where the system can potentially reject the right password even once in a million times? Admittedly, biometrics is often used with a number of other factors to identify or authenticate subjects.

And then there are the increased risks to our physical security. Are we willing to compromise a part of our body? Is it perhaps not safer to simply give away your credit card and PIN should such a situation arise?

This paper has looked at various issues briefly and highlighted some of the current research that poses serious questions to biometrics. We propose further investigation to have a better understanding of such issues, and how much impact they will have on both the (deployment of) technology and its users.

REFERENCES

[1] A.K. Jain, A. Ross and A. Pankanti, “Biometrics: A Tool for Information Security” IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125-143, June 2006.

[2] International Biometric Industry Association (IBIA) [Online]. Available: http://www.ibia.org, 23 November 2007 [date accessed]

[3] T. Matsumoto, H. Matsumoto, K. Yamada and S. Hoshino, “Impact of Artificial Gummy Fingers on Fingerprint Systems,” in Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002.

[4] S. A. C. Shuckers, “Spoofing and Anti-Spoofing Measures,” Information Security Technical Report, vol. 7, no. 4, pp. 56-62, December 2002

[5] A. Adler, “Can images be regenerated from biometric templates?” Biometrics Consortium Conference 2003. Washington, D.C., USA, Sept. 22-24, 2003

[6] A. Adler, “Sample images can be independently restored from face recognition templates,” Canadian Conference on Electrical Computer Engineering (CCECE). Montréal, Canada, May 2003. pp. 1163-1166

[7] The Charter of Fundamental Rights of the European Union (2000) [Online] Available: http://www.europarl.europa.eu/charter/pdf/text_en.pdf, 23 November 2007 [date accessed]

[8] A. Alterman. “A piece of yourself : Ethical issues in biometric identification,” Ethics and Information Technology, vol. 5, pp. 139-150, September 2003

[9] C. Vallance “New CCTV unit tackles UK crime,” BBC News [Online] Available: http://news.bbc.co.uk/1/hi/uk/6241051.stm, 9th January 2007 [date accessed]

[10] IBM Global Services, Digital video surveillance: leading a revolution in physical security. April 2004. IBM.

[11] CameraWatch [Online] Available: http://www.camerawatch.org.uk, 23 November 2007 [date accessed]

[12] Parliamentary Office of Science and Technology (POST). Biometrics & Security. Postnote, Number 165. [Online] Available: http://www.parliament.uk/post/pn165.pdf, 23 November 2001 [date accessed]

[13] I. E. Dror, A. E. Peroni, S-L. Hind and D. Charlton. “When Emotions Get the Better of Us: The Effect of Contextual Top-down Processing on Matching Fingerprints,” Applied Cognitive Psychology, vol. 19, pp. 799-809, May, 2005. Wiley InterScience.

[14] J. Kent “Malaysia car thieves steal finger,” BBC News. [Online] Available: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm, 31st March 2005 [date accessed]

[15] British Prime Minister’s Speech on Liberty. [Online] Available: http://www.number-10.gov.uk/output/Page13630.asp, 25th October 2007 [date accessed]

[16] Associated Press “Pakistan installs first biometrics system at border crossing with Afghanistan,” Herald Tribune. [Online] Available: http://www.iht.com/articles/ap/2007/01/10/asia/AS-GEN-Pakistan-Afghanistan-Biometrics.php, 10th January 2007 [date accessed]

[17] S. Shahid “Afghan govt objects biometric system,” DAWN. [Online] Available: http://www.dawn.com/2007/10/30/top8.htm, 30th October 2007 [date accessed]