Posts Tagged ‘ News ’

The Privacy Paradox

Nov 3rd, 2009 | By Innovya follow-up | Category: Articles


By Jennifer Carlisle

A national biometric database in place of our current flawed identification systems could prevent the loss of liberty and autonomy.

Defending the privacy of our personal data has become more challenging since September 11. Our lives are already tracked and measured in so many ways and our identities can be stolen and abused so easily that the addition of biometric identifiers, as being implemented this year in Hong Kong, seems like the proverbial “last straw.” Paradoxically, a true national biometric identification system may hold the key to guaranteeing and protecting our rights to privacy. A single national biometric database, replacing the currently flawed systems used for drivers’ licenses, Social Security and passports, may be the best way to protect our privacy and enable us to regain control over who tracks us and who gets access to what data about us.

While writing an honors thesis at USC, I conducted a year-long research study on personal data privacy. Neither legislation nor technology seemed to offer a solution that was both feasible and acceptable to all parties. Most special interests in this country favor weak legislation, and new “security technology” tends to facilitate invasion of privacy rather than its protection. I first examined in detail the EU Privacy Directive and various US responses and then focused on the privacy aspects of the 2001 HIPAA legislation. No major breakthroughs or improvements seemed likely.

As my research progressed, I realized that one of the greatest threats to privacy is flawed security of information, which is compounded by our inability to reliably identify individuals. The fundamental flaws in our identification system allow personal data to be incorrectly correlated, accessed by individuals without the proper clearance and, worse, for others to pretend to be someone they are not. I realized that a significant improvement in personal privacy could be achieved by fundamentally improving the way we identify ourselves. Instead of relying on passwords, tokens, smart cards and other identifiers, which can easily be stolen or forged, we need to be able to identify ourselves based on biometrics (i.e., the use of physical or behavioral characteristics such as fingerprints, iris scans, voice signatures, face scans, etc).

Since the terrorist attacks on the World Trade Center and the Pentagon, there have been numerous proponents of biometric identifiers. But if we have many systems (e.g., DMV, INS, criminal system, airports, sports arenas, schools and Social Security — all of whom now propose to begin using such identifiers in parallel) then who is to say which is the correct identifier and who is to validate the accuracy of the ID databases? I am loath to trust the DMV and airport security to verify identities.

I came to realize that the greatest risk to society is not the creation of databases — many of which are essential to our modern lifestyles; rather it is the inadequate protection of data. This led me to a paradox: that our privacy can be better protected through the creation of a universal biometric identification database and that our privacy is far more likely to be compromised by the current plethora of poorly managed, decentralized identity databases. Most Americans have already contributed data to dozens of databases and we are enticed daily to sign away our rights to protect those data. Concealing our identity is not really an option. Rather, the first step in privacy protection is to provide a means of absolute identification, thereby preventing others from impersonation and identity theft. The second step is to overhaul the laws protecting the data collected about us and the third step is to improve cyber security.

There is a great fear of databases by privacy experts due to the increasing access of corporations, the government, hackers and criminals to our personal data. While some of this access is legitimate, in many cases, data can be misused for unauthorized secondary purposes. Corporate and government abuse can be prevented by stronger laws limiting the use of personal data and by better enforcement of these laws. The European Union has passed a comprehensive Privacy Directive, with which US firms must comply when doing business there. The US has adopted a similar model in recent HIPAA legislation, defining the methods for protecting and sharing health data. US laws protecting privacy of financial data leave a great deal to be desired. Our greatest protection from government abuse seems to be the unwillingness of agencies to share data and the primitive nature of the systems they use. Laws and government regulations will not stop hackers and criminals, who gain illegal access to personal data in many ways. Sometimes individuals are careless (e.g., we sell a computer without erasing the disk, send email to the wrong address, leave a list of passwords on our desk or throw it away.) Devious people can access our personal data by gaining access to an administrator account, by hacking into a system or by identity theft. Carelessness can be discouraged through education and penalties, but theft and misuse of the data can only be reduced by means of a better system of identification and access authorization.

In America today, it is far too easy to conceal our own identity or assume the identity of another for the purpose of doing wrong. An individual can steal an identity by obtaining some easily discovered pieces of information about a person or by stealing a card or token that is used to identify the individual. To protect our identity, which is crucial in protecting our privacy, there must be a form of identification that cannot be learned, stolen or forged. The only effective means of accomplishing this is the use of biometrics.

Biometrics uses a digital measurement of a physical characteristic or personal behavioral trait to recognize the identity, or verify the claimed identity, of an individual. Some characteristics that lend themselves well to biometrics are iris scans, fingerprints, voice signatures, retinal scans and face prints. Unless a thief is willing to undergo reconstructive surgery or has extremely sophisticated electronic equipment, it is extremely difficult to fake biometrics, especially if biometric identification is combined with human monitoring. By this I mean that a security team is checking to ensure that individuals are actually presenting themselves for identification, and not, say, hooking up a small computer loaded with other people’s biometrics to try to fool the scanner. Even if biometrics are less than 100 percent perfect, they offer far better identity verification than the easily-counterfeited driver’s licenses, Social Security numbers and passports.

There is a great distrust of biometrics by privacy advocates. There is a strong fear of Orwell’s Big Brother. However, these concerns can largely be alleviated with the creation of laws, enforcement agencies and monitoring to ensure that the government and corporations do not misuse the data. We do not live in an authoritarian country, but rather a democracy with numerous checks and balances. The key to preventing the loss of our liberty and autonomy is not to prevent the spread of technology, but rather to ensure that it is used properly and in a transparent nature. The development of biometrics should be treated similarly to the development of genetics. It is for the good of society that we learn how to use these technologies, but it needs to be done with observation from government and private watchdog groups to ensure that the technology is not abused. Biometrics is one of the areas that should not be left to market forces and self-regulation as it has been so far.

Once we have reached agreement on the need for biometrics to be used for identification, we still need to prevent a thief from attaching his biometrics to your identity in the many databases that currently exist and are under development. The only viable solution is to have a single, universal biometric identity database, which in turn provides verification to multiple, diverse and distributed databases. Establishing biometric identities with dozens of organizations is inefficient, wasteful, and fails to solve the main problem of preventing identity theft.

The DMV, the Social Security office, the passport office, our local airport and our various dentists and doctors are ill suited to establishing a person’s identity. They would benefit from having that identity pre-established and using it to issue their own cards and administer their systems. They could each use a different numbering system, confident that each person is uniquely and accurately identified biometrically. Repeating our information to every group opens the door to forgeries and allows aliases in different systems. How would we settle identity disputes? Are we to carry as many biometric smart cards as we currently carry credit and ID cards?

The logical solution to these problems is the creation of a single system devoted to identification. This National Biometric Identification System should be managed and certified by a government agency, to ensure accuracy and so that identifiers of known criminals, terrorists and holders of passports, travel visas, etc. can be integrated. This system must be managed at a national level, but would be linked into other national and international systems by common standards. To get it approved by Congress, new legislation would be required to define access, security and strong redress for abuses. Rather than threatening our liberty, this may actually be a catalyst for increasing our protection rights regarding our personal data, most of which we have little control over today. I had to get special permission to focus on and advocate such a system for my honors thesis, but I believed it was more important to follow my instincts and passion and propose something constructive and innovative, than to do a traditional policy analysis. It amazed me that in this age of databases, public debate is still focused on the idea of a national ID card rather than an ID database.

Unlike an identity card, which can be stolen or forged, a national database would provide the necessary structure to certify the identity of all Americans and legal visitors. The government should create and maintain a database of biometric identifiers along with each person’s name, unique identification number and several other identifying characteristics, such as eye color and birth date. But that is all. This national database could be carefully guarded and offered via a distributed system for remote verification and for generation of identity cards. This would replace the use of the SSN in many databases.

A national biometric identification system (BIS) should not be used to store behavioral or judgmental data. The BIS should not be used to record and store health, criminal, motor vehicle registration, social security, financial or travel data. Separate systems should continue to manage such databases — each of which should be regulated and secured appropriately. Assembly of behavioral data into one large database should be prohibited. Sharing and aggregating data should be done under strict regulations.

The new universal identity database must be kept simple and secure so it can support many different applications efficiently. For example, the airline industry could access this system to verify the identity of individuals checking in. First, the airline would access the BIS to confirm each passenger’s identity by running a one-to-one match against the biometric database. Then they could check him in for his flight. A third step would be to use the identity number to search a travel alert database to see if each individual is on a risk list of criminals or terrorists. This would allow rapid, yet comprehensive, security checks. The use of biometrics, checked against a secure national database, makes it almost impossible for individuals to use forged identification papers. Of course the database must be developed under strict federal guidelines and maintained in utmost security.

Efficient use requires technology similar to that used for site name recognition on the Internet. A distributed, redundant, secure, high-speed access network can serve many database applications simultaneously. Security is accomplished in two parts, physical and technical. Physical security protects the actual building from intrusion, which is critical in preventing the theft of passwords and access codes. Technical security protects the system from electronic invasion, usually through a network or over the Internet.

It has long been argued that technology is leading to the end of privacy. Rather it is our desire for convenience and our dependence on medical, financial, travel and government systems that has led to the creation of databases that, if poorly managed and protected, threaten our privacy and the loss of our very identity. The best solution to ensure that we can protect our personal data in the future would be national legislation to establish a universal biometric identification system — concurrent with strict restrictions on use of data in all systems that access it.


Jennifer Carlisle – University of Southern California.



Electronic Spying Operation (How Biometric is going to be leaked)

Oct 18th, 2009 | By Innovya follow-up | Category: Evidence
By Brian Padden, Washington

Computer keyboard

Canadian researchers say they have uncovered a China-based electronic spying operation that infiltrated computers in 103 countries.  While they say they have no conclusive evidence of Chinese government involvement, the targets of the computer espionage were political.  The cyber spying operation is one of the biggest and most sophisticated ever discovered.

Researchers at the University of Toronto call it Ghostnet – an electronic spying operation that infiltrated more than 1,000 computers around the world.  They say it targeted NATO, the Indian Embassy here in Washington and Tibetan exile centers in India, Brussels and London.  Researchers say that in addition to stealing computer files, the cyber spies could turn on the internal camera on a remote computer to eavesdrop on live conversations.

Nart Villeneuve is with the University of Toronto’s Munk Center for International Studies.  He says that while the operation was sophisticated in its organization and scope, it used readily available Internet viruses called Trojans, attached to email messages to infiltrate computers.

“From a purely technical point of view, no, it was not that sophisticated,” said Nart Villeneuve. “The Trojan, the attacker favors, the ‘ghost rat;’ it’s open sourced.  You can go and download it.  It’s not like it is some clever special new way of doing it.  But the way in which the attacker was able to leverage these tools was sophisticated.”

The Toronto researchers uncovered the cyber spying operation when they were asked by the exiled Tibetan leader, the Dalai Lama, to examine his organization’s computers for malware – malicious software that can infiltrate or damage a computer system.

Although the group cannot say whether the Chinese government was involved, they add that Ghostnet’s computers were almost exclusively located in China and that the targets were political.  They found infected computers in the Dalai Lama’s organization and were able to trace stolen correspondence back to the spy network’s computer servers in China.

The Chinese government has denied any involvement in the operation.

But James Lewis, a technology expert with the Center for Strategic and International Studies in Washington says cyber spying is nothing new for the Chinese government.

“We know that they are interested as a government,” said Lewis. “We know that they’ve done it in the past as a government.  And the things that are being collected are of interest to the Chinese government.”

Lewis notes that many countries, including the United States and Russia, use computer technology to gather intelligence.

The University of Toronto researchers say an international agreement is needed to protect privacy rights and prohibit cyber spy operations like Ghostnet in the future.



'There is no dispute that we are going into uncharted territories …but the benefits make it worth it'

Sep 15th, 2009 | By Innovya | Category: News
Q&A: NANDAN NILEKANI
Business Standard / New Delhi September 14, 2009, 0:55 IST


There are concerns on technology, cost and privacy in the decision to allot a unique identification number to every Indian. In a talk with Karan Thapar on the CNN-IBN television channel’s Devil’s Advocate programme, NANDAN NILEKANI, who has agreed to head the newly-created Authority to plan and implement this project, concedes these are legitimate concerns. And, that these can be addressed and the project is worthwhile. Edited excerpts:

Eighty per cent of Indians have Election Commission identity cards, others have ration cards, some people have BPL cards, others have driving licences and passports, there are even PAN cards. Why on top of this do we need a unique identification number?

We need one single, non-duplicate way of identifying a person and we need a mechanism by which we can authenticate that online anywhere, because that can have huge benefits and impact on public services and also on making the poor more inclusive in what is happening in India today.

In addition to name, age, sex, date of birth and address, you actually have the biometrics which are unique to that individual?


Absolutely. It is a combination of, most probably, fingerprints and picture and a biometrics committee will finalise that, but finally that makes it unique. And we will make sure there are no duplicates.

The London School of Economics (LSE) did an analysis of a similar project being considered by the British government and this is their conclusion: “The technology envisioned for this scheme is, to a large extent, untested and unreliable. No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious systems have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system.” If that is true of Britain, it has to be true of India in spades.
There is no question that we are going into uncharted territories, the technological challenges are immense and one of the risks is the technology.

Not just uncharted territory, this could end up being a case of India’s ambition outstripping its ability. Even today, we can’t issue identity cards with a guarantee that the name is correct or the address isn’t misspelt. We could end by making a complete hash of biometric details.
There are risks but, given the enormous opportunity and developmental benefits it can give, it’s worth taking on so that we get the outcomes we want.

You accept the technology is not just uncharted but not actually fully known?
There is no other country where a billion people’s biometrics have been captured and stored in an online database. We don’t have to invent the technology; we have to scale up the existing technology to work at this scale.

The second problem inherent is cost. Once again, the LSE did an analysis of a similar project the British government was thinking of and that is a country one-twentieth the size of India. The LSE concluded the probable cost for Britain would be between 10 and 20 billion pounds. Frontline magazine believes the government in India has a guesstimate of somewhere around Rs 1.5 lakh crore. Is it worth it at that cost?
I don’t know what the exact figure is, but it is much less than that by a factor of 10.

If you don’t know the exact figure, how can you say it is lesser by a factor of 10?
The bulk part is certainly going to be lesser than that.

But it’s a guess?
An informed and educated guess.

So, we don’t know what the exact cost will be?
We don’t know, but I am very confident that whatever the cost, the social, economic and efficiency benefits would make it well worth it.

India is a poor country. This order of money could be better spent if you expand education, health and sanitation, or if you use it to feed the 40 per cent of Indian children who are chronically malnourished.
We don’t want to take away money from important social programmes. But, as we expand our social programmes, their efficiency depends on their reaching the right people and that there are no duplicates taking away the benefits. You need the infrastructure at the bottom to make that happen.

You can only target better those actually availing the benefits but not receiving these fully. Take BPL. The real problem is not leakage, but that there is a vast number who qualify and are not included in the BPL threshold at all. How will you be addressing the second problem?
Today, in a particular state, there may be more BPL cards than the population of the state, because there are multiple cards issued to an individual. With the UID, you will be able to actually trim that down to one card per individual and therefore we will actually know who is not getting this now.

But you can’t identify those who should have BPL cards and do not because they are outside the system, they have been ignored. Technology won’t improve that.
This (UID) is not a panacea for all the problems. This is an enabler which will allow more effective public delivery.

Which is why the order of money involved could be better spent in targeting education, sanitation and health, not to mention child malnutrition, because you would actually then get real benefits rather than what I am describing as notional benefits.
In a country where we are spending Rs 1,00,000-2,00,000 crore a year on different kinds of subsidies and social benefits, to make investment which is a part of that, one-time, to make those investments more efficient, is definitely well worth it.

Is it a one-time investment? Frontline magazine says the government’s estimate of Rs 1.5 lakh crore does not include recurring cost. And we don’t know by how much.
On the scale of money that we spend on public programmes and the ability of the project to deliver better public programmes, it will be well worth it.

I put it to you again, there are so many imponderables about technology, size and cost, that is it wise for a poor country like ours, where there are huge levels of poverty (the Arjun Sen Gupta Committee report says 80 per cent of India live under Rs 20 a day), to be spending this sort of money on this project?
The government has come to the conclusion that this project is strategic and worth it. I have been invited to lead this project. I believe it is viable and I will do my best to make it viable.

How can you ensure the database you are creating will be secure, that it won’t be misused and won’t result in an invasion of privacy?
A very legitimate concern. We are looking at how to make it secure. We are saying nobody can read this database. All they can do is verify the authenticity of an identity. You can ask a question like, is X, X? and the only answer we will give is yes or no. But there is no question that once the UID is implemented and becomes ubiquitous in many applications, then there are challenges of privacy. And, with this project, we have to put in other checks and balances, including laws.

Professor Ian Angell of the LSE, a world renowned authority on precisely the creation of such a database, says with relevance to England, and it will apply even more to India, that what you are going to end up with is the “Olympic games of hacking”. You are going to provide people the biggest challenge to hack through. No one believes in the perfectibility of computers, so hackers will hack and succeed.
A legitimate concern and we will have to design it as good as possible. The important thing is — is the risk of hacking and privacy large enough not to do this project? And the view is that the project has so many significant benefits for the poor, in making it inclusive and in giving them a chance to participate in the country’s progress, that it is worth it and we have to mitigate those risks.

You are creating a system which, in the wrong hands, would be a powerful tool for either religious or caste profiling. How can you ensure unscrupulous politicians won’t misuse it?
We are not keeping any profiling attributes in our database.

No details of people’s caste?
No.

In which case, how can you say to me that you will better target benefits at BPL and other categories? If you don’t know someone is SC or ST, if you don’t know they are OBC, how can you ensure better targeting?
That is the responsibility of the applicant that provides those services.

So, then they will add in that feature into your detail?
That is outside our system. Our system has only basic attributes like the name, address, date of birth.

You are creating a weapon which you may not misuse but others could?
Today, we have electronic databases in the country which potentially can be used the way you are suggesting. We are not doing something different from what already exists.

In the UK, the US and in Australia, because the authorities couldn’t respond to public concerns about misuse, they have effectively put on the backburner consideration of similar schemes. If developed countries cannot tackle misuse, how can India, where 35 per cent of the people are illiterate and 22 per cent live below the poverty line?
What these developed countries have put on hold is giving national ID cards to people. But both the US and UK, have a number. In the US, you have the social security number; in the UK, there is the national insurance number. They already have a numbering system, which is what we are going to propose.

Except that it is nowhere near as extensive or as complete in terms of the biometric details as what you are proposing in India. The national insurance in Britain has been around and developing slowly but it doesn’t have any details that could lead to an invasion of privacy. It doesn’t have any details that can be misused for profiling. Yours could have both.
These are legitimate concerns and we have to address them. But the social benefit, the inclusivity, this project will provide for the 700 million people in this country who are outside the system is immense enough to justify doing this project.

How will you handle the inevitable problems of internal migration or illegal immigration? How will you ensure the wrong people aren’t captured in your system and given an identity and made Indian?
Having this number does not confer any rights, benefits or any entitlements. All it does is confirm that X is X.

There are 100 ways of doing that. Why are we spending close to Rs 1.5 lakh crore just to be able to claim X is X?
To have a system which uses a unique identifier like biometrics, having a system which ensures there are no duplicates and having a system that provides online authentication is, we believe, something that can have a lot of social benefits for the poor.

The LSE conclusion, when they reviewed a potential British concept along the lines of what you are doing in India, was: “The success of a national identity system depends on a sensitive cautious and cooperative approach involving all key stakeholders, including an independent and rolling assessment and regular review of management practices”, and the LSE concluded that did not exist in the UK. If it does not exist there, that environment certainly doesn’t exist in India.
We are trying to make sure all the checks and balances are there. We will have a very wide consultative process. We will involve everybody. We will make it public. All these are legitimate concerns and we have an obligation to meet these concerns.



Governor Kaine's Reception at USA Ambassador Residence In Israel

Sep 12th, 2009 | By Innovya | Category: News

Governor Kaine and CTO Innovya Michael [Micha] Shafir


Michael (Micha) Shafir, the Founder & Inventor of Innovya Traceless Biometric technology, is demonstrating to Governor Kaine how easily stored information can be leaked out without connection to any public network, and why it is so dangerous to collect sensitive biometric information about innocent citizens, proving that there is no better security for sensitive data than not collecting it in the first place.



SmartCards 2009 Expo debates on UID project

Sep 12th, 2009 | By Innovya | Category: News

12 Sep 2009, 1824 hrs IST, ET Bureau

NEW DELHI: In view of the National Unique ID project initiated by the government, and its bearing on the smartcards, RFID, biometrics, e-Security sectors in India, SmartCards Expo 2009 has been organised in the capital from September 11-12.

The government may use biometric features like iris scan and hand geometry for recording secondary details for the National UID project, said officials at the SmartCard Expo 2009. Face readers which can scan even the face of a hijab clad woman, or a man wearing a beard from his or her original face, new smart cards, iris scanners and printing technology, were showcased at the event in this regard.

Technology majors like NXP, ST Microelectronics, Texas Instruments, Sagem, Base Systems, Bartronics, Lipi Data Systems Ltd, HiTi Digital, Infineon participated in the event. However, the absence of any representative of the UIDAI (Unique ID Authority of India) was severely felt at the event, in spite of the importance of this Conference, which was fully devoted to the subject of UID.

Greg Pote, Chairman, Asia Pacific Smart Cards Association, mentioned that in his view, various governments are still searching for what they can do with the national ID cards beyond ID. But most governments have privacy commissioners and monitors, and they limit what the government can do with the details. He said that the registration number is the key driver for the card. That creates problems, with resistance from privacy bodies. His estimate is that smart cards in India are 5 years behind Europe.

Dr B K Gairola, Director General, National Informatics Centre, touched upon the role of the government and the importance of the UID Project to India as a whole. He mentioned that it is like a 16 lane highway on which all applications could ride. He talked about the earlier experience of the MNIC – Multi Application National ID Project and also the importance of the creation, operation and maintenance of a Unique ID Database and the challenges associated with it.

Accenture’s Ravinder Pal Singh mentioned that Bluecasting might be a better alternative to start with because people have mobile phones, especially in villages in north India. Mobile phone is much more authentic and secure, according to him.

Biometrics involving fingerprints and other biometric features such as face recognition, DNA shape identification, etc. were also extensively discussed.

Gemini Ramamurthy, Chairman of Cyber Society of India, said that a set of 12 parameters has been issued by the UID, but the only parameter that cannot be duplicated is the biometric one. While it is important to achieve uniqueness in identification of persons, it is equally or more important to be able to establish secure identification. This means the identification of a person has to be protected against misuse.
The challenges to the ID project are many. Mere possession of a unique identification number belongs to that person. It has to be established beyond doubt that the particular unique identification number belongs to the particular person and no one else. In other words, there should be a secure way to ensure that no other person can carry that identification number.

And then, if these security features have to be matched with the database contents of a particular individual, it requires a very efficient and robust facility of data base storage and retrieval with a highly reliable remote connectivity.

A more plausible approach is to provide a smart card, which will carry the unique identification number and the various additional security features that can be checked to further establish the uniqueness of identification of the individual. Many countries have already implemented smart card based identification programmes emphasizing the unparalleled security provided by smart cards.

The government is thus considering splitting the UID database into two sets of parameters – the primary database will be accessible on the Internet and used for access purposes and verification, while the secondary database is likely to be kept offline, and in multiple formats, and be used only if the primary data is in dispute. Secondary data could have multiple biometric features including iris scan, hand geometry, and additional data including names of grandparents and great grandparents, because the hacker may not be aware of these things, Mr Ramamurthy added. Since the UID data is in digital form, it may be useful to include an email ID as an additional data parameter.

“The appropriate audit trail, and what was the value of the data before and after the access needs to be stored, as well as the mode of access to that data. These should be available for judicial scrutiny, and certified for integrity. Companies from countries suspected of cyberwarfare against India should be avoided in case of this project,” Mr Ramamurthy said, adding that a pilot project for the UID is being planned in Bangalore.
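One way to meet the audit requirements described above (before and after values, mode of access, verifiable integrity) is a hash-chained, keyed audit log. The sketch below is an added example, not part of the original report or of any UID system; the key, field names, record IDs and sample entries are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a demo key. A real deployment would keep the key in an HSM
# or use asymmetric signatures so that verifiers cannot forge entries.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _mac(body):
    """HMAC-SHA256 over a canonical JSON encoding of the entry body."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, encoded, hashlib.sha256).hexdigest()


def append_entry(log, actor, mode, record_id, field, before, after):
    """Append one access record, chained to the previous entry's MAC."""
    body = {
        "seq": len(log),
        "actor": actor,
        "mode": mode,            # how the data was accessed
        "record_id": record_id,
        "field": field,
        "before": before,        # value before the access
        "after": after,          # value after the access
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry = dict(body, mac=_mac(body))
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first invalid entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # entry removed, reordered or re-linked
        if not hmac.compare_digest(_mac(body), entry.get("mac", "")):
            return i  # entry content altered after it was written
        prev = entry["mac"]
    return -1


def build_sample_log():
    """Constructed sample entries, not real data."""
    log = []
    append_entry(log, "operator-17", "web-portal", "UID-0001",
                 "address", "12 Old Road", "48 New Street")
    append_entry(log, "verifier-03", "api-read", "UID-0001",
                 "address", "48 New Street", "48 New Street")
    append_entry(log, "operator-22", "batch-import", "UID-0002",
                 "email", None, "resident@example.org")
    return log


if __name__ == "__main__":
    print("first invalid entry:", verify_log(build_sample_log()))
```

Removing entries from the end of the log is not detected by the chain alone; the most recent MAC has to be anchored somewhere the log writer cannot modify.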

An eminent panel of experts debated with a sizable audience about the UID and technologies of relevance to India. The Panel was chaired by Pradeep Kumar, Vice President, Asia Pacific, STMicroelectronics. Panelists were from Sagem Securite, WYSE Biometrics, UNISYS, Bartronics, NXP Semiconductors, Barnes International, and ASK France.



“Break the Passport chip with a hammer”

Jul 23rd, 2009 | By Innovya | Category: Featured Posts, News

What a shock: Your e-passport isn’t secure after all

By Bryce Longton – BlackBook Magazine

The US State Department is backpedaling like crazy from their earlier statement that the RFID-enabled passports are safe and secure. In fact, now they’re urging travelers to keep these passports in “radio-opaque sleeves” to protect owners from having their information skimmed by unauthorized readers within a 30-foot range. The State Department’s warning comes with the caveat that “hackers won’t find any practical use for data,” because personal information is encrypted. But that encryption has already been cracked.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, notes, “By obliging Americans to use these sleeves [...] the government has, in effect, shifted the burden of privacy protection to the citizen.” Who wanted an RFID-chipped passport anyway? No one knows. But if you do happen to have one, do what Mark Ashley of Upgrade: Travel Better suggests: “Break the chip. Pound it with a hammer.” I’ll add in there, as a message to the government: if it ain’t broke, don’t fix it.



BT chief security-technology officer Bruce Schneier slams US border biometrics

Jul 23rd, 2009 | By Innovya | Category: Evidence, News, Opinions

By Tom Espiner ZDNet.co.uk

Posted on ZDNet News

Security expert and BT chief security-technology officer Bruce Schneier has attacked the US-Visit border-biometrics program, saying it has had “zero benefit” in terms of security.

Speaking to ZDNet UK last week, Schneier said that there was little evidence that the US-Visit program, which takes fingerprints and retinal scans from all visitors to the United States, had made any impact on reducing the threat from criminals and terrorists.

“If the Department of Homeland Security had apprehended any terrorists [through US-Visit], they would have kicked up a huge press stink,” said Schneier. “There has been zero benefit from the program.”

A long-time critic of the US-Visit program, Schneier first questioned the cost-effectiveness of the scheme in 2006. At the time, just under 1,000 people had been apprehended for criminal or immigration violations, yet the program had cost $15 billion (£9.4bn) up to that point.

“Take that $15 billion number,” wrote Schneier in a 2006 blog post. “One thousand bad guys, most of them not very bad, caught through US-Visit. That’s $15 million per bad guy caught. Surely there’s a more cost-effective way to catch bad guys?”

However, Robert Jamison, undersecretary at the US Department of Homeland Security’s National Protection and Programs Directorate, which oversees US-Visit, told ZDNet UK at the RSA Conference Europe 2008 on Wednesday that the border-biometrics program had been effective.

“There have been several instances of someone applying for entry under one name, being denied, applying under another name, and again being denied [due to biometrics records],” said Jamison. “In a few cases, criminal activity and, in some cases, terrorist activity have been prevented.”

Jamison declined to say exactly how many terrorists had been caught as a direct result of the program, saying the information was “classified”. However, Department of Homeland Security figures show that more than 2,400 immigration “violators” and criminals have been identified since the inception of the program in January 2004.

In February, US-Visit was claimed to have helped identify two terrorist suspects, now being held in Iraq, from fingerprints lifted from an improvised explosive device.



The Myth of Biometrics Enhanced Security

Jul 23rd, 2009 | By Innovya | Category: Articles, Featured Posts, News, Opinions, michas-thoughts

By: Michael (Micha) Shafir – Security Park

Current biometric documents are useless. ePassports don’t make much sense without a one-only or unequalled biometric passport reader. Let’s face it once and for all: any electronic data storage method by which content can be read (e.g. RFID, smart/storage cards, etc.) gives it the obvious potential to be hacked, copied and cloned. There’s a reason why “Random Access”, “Write Only Memory” (“WOM”) devices have never sounded logical. What purpose would there be to store data that cannot be read? Let’s take this one step further. If stored information is designed to be read, then a device must exist with the ability to read the stored information for it to be of any value.

Now, let us apply that simple logic to stored information that’s meant to be read in a widespread application. In this type of application, multiple standardized reading devices must exist in order to always yield the same result from that stored information. As an example, standardization gives us the ability to use our credit cards regularly because each and every point of sale reader is reading the information contained within the card’s magnetic strip in the exact same way.

We must therefore recognize that these same benefits of standardization create reciprocal risks of fraud. Once the ability to read stored information exists, the ability to either reverse engineer the reading process or clone the coded stored information exists as well. What purpose does a means of identification serve if we cannot be near certain that it has not been compromised? Further, once that ID has been compromised, how can it be prevented from yielding positive identification where not intended? To illustrate the point, let us use your everyday ATM cash withdrawal as an example. After inserting the card into the ATM, one is prompted to enter the PIN associated with that card.

If the correct PIN is entered, even by someone other than the authorized user, the ATM will approve the transaction because its predetermined means of authentication is a combination of a card and its associated PIN. As we are well aware, magnetic strip cards and the like can be easily read, thus creating the opportunity for thieves to create a copy of that card. All that’s left is the PIN. For professional thieves, that’s less of a challenge than we’d like to believe.

For years, as technology developers would have it, much effort has been focused on providing more and more secure methods of storing sensitive information, without addressing the root of the problem. Regardless of how securely information is stored, because it is designed to be read, illicit methods by which to read the information will be found. Once that has been accomplished, the ability to create both fake and cloned IDs exists. ePassport readers are addressing the standards and recommendations of predefined requirements like the Machine Readable Travel Documents (MRTD). In order to make them usable, they must be consistent.

If you have a set of identical targets (e.g. ePassports, National IDs, Driving Licenses, Employee cards, etc.), breaching one of them is a breach of all of them. An identical electronic device is a single point of failure. It is unfathomable for governments to change their entire population’s IDs and documents every time someone, somewhere across the globe hacks and clones a single chip.

It would seem as if the only real way to prove you are who you claim you are to an automated system is through the use of biometrics as a means of authentication. Identity theft is exceedingly common these days. The use of biometrics, however, creates a whole new area of concern. When non-biometric security authentication elements are breached, security can be reestablished by selecting new authentication elements. The same cannot be done in an instance where stored biometric information is breached. Biometric information cannot be changed. Our fingerprints, face, retina and all, are what they are. The question we are faced with is how we can truly secure our biometric information. We can change our name or address, but we cannot change our body parts.

Turning the human body into the ultimate identification card is extremely dangerous. The possibility of fraud with electronic chips and biometric data should not be underestimated. Exposing or losing biometric property is a permanent problem for the life of the individual, since, as we’ve mentioned, there is no practical way of changing one’s physiological or behavioral characteristics. How do you replace your finger if a hacker figures out how to duplicate it? If your biometric information is exposed, in theory, you may never be able to prove who you say you are, who you actually are or, worse yet, prove you are not who you say you aren’t.

The best secrets are secrets that are never shared. Storing those secrets on a readable electronic card from which any simple RF dump reader can extract that information, in the same way as international border readers do, or storing your personal information together with your biometric characteristics on a readable electronic device is like sticking a label with your PIN on the back of your ATM card!

Biometric authentication is a powerful tool, able to bridge the gap between human and machine interaction in everyday instances such as ATM withdrawals, on-line banking and credit card transactions and all sorts of general user authentication. The use of biometric authentication enables a high threshold of security by reducing identity fraud incidences of unauthorized user access. It is also an easy method of authentication from the user’s point of view because a user’s biometric information is always with them. The most critical flaw in the use of biometrics as a means of authentication, however, is that the authentication process cannot work if the subject is a stranger to the system.

We’ve already concluded that storing the biometric information on an external device carried by the user, such as a smart card, is far too risky in that it risks losing one’s biometric information forever. Alternatively, databases are breach-prone, and inefficient, especially when used in large scale applications. Databases also require real-time access to be of any value, communication with which may not always be available. Where then can such sensitive information be stored? Furthermore, why risk storing that unique biometric information in a database, smart card, or other external devices to make it useful?

Another problem with common biometric systems is that the most effective way to achieve maximum system matching is to compare biometric images to a template by using raw data. Biometric Encryption is the process of using a characteristic of the body as a method to code or scramble/descramble data. Since these characteristics are unique to each individual, the biometric information readers, cameras and sensors must all yield identical results.

Most biometric authentication systems use a similarity score as an internal variable, whereby if a sufficient number of starting points is given, it is possible to find the highest point without being trapped by local minima. However, different readers, cameras and sensors, manufactured by different manufacturers, generate ever so slightly different biometric results. Varying starting results, when encrypted alike, will not yield the exact same decrypted result.
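The point above, that slightly different readings of the same person no longer compare equal once they pass through a cryptographic transform, can be shown with a short simulation. This is an added example, not code from the article or from any vendor; SHA-256 stands in for the encryption step, and the 256-bit template, the 8-bit reader noise and the 0.90 threshold are constructed values.

```python
import hashlib
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.90  # assumption: illustrative value, not from any standard


def make_template(seed):
    """Constructed stand-in for an enrolled biometric feature vector."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def rescan(template, flipped_bits, seed):
    """Simulate a different reader: same person, a few bits come out differently."""
    rng = random.Random(seed)
    reading = list(template)
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        reading[pos] ^= 1
    return reading


def digest(bits):
    """Cryptographic transform of a reading (SHA-256 used as the stand-in)."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def similarity(a, b):
    """Fraction of positions on which two readings agree."""
    return sum(1 for x, y in zip(a, b) if x == y) / len(a)


def exact_match(a, b):
    """Comparison after the transform: any single differing bit breaks it."""
    return digest(a) == digest(b)


def threshold_match(a, b):
    """Similarity-score comparison: needs the template in comparable form."""
    return similarity(a, b) >= MATCH_THRESHOLD


def evaluate():
    enrolled = make_template(seed=1)
    same_person = rescan(enrolled, flipped_bits=8, seed=2)
    stranger = make_template(seed=3)
    return {
        "same_person_similarity": similarity(enrolled, same_person),
        "same_person_exact": exact_match(enrolled, same_person),
        "same_person_threshold": threshold_match(enrolled, same_person),
        "stranger_threshold": threshold_match(enrolled, stranger),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The genuine rescan agrees on 248 of 256 bits and passes the threshold comparison, yet its digest differs from the enrolled one, which is why similarity-based matchers need the template in a comparable, and therefore exposed, form at match time.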

Biometric standards can be obtained only if the common information is unconcealed. That, in and of itself, creates system wide vulnerability, and thereby renders the system unsecure. At present, each biometric scanner’s vendor generates their own encryption method. Raw biometric data is critical data. It should not be exposed or stored in public space. As difficult as it might be to create a secure standard for identical encryption paths, it is seemingly not possible to create standards for non-identical encryption paths. Overcoming the encryption matching hurdle is the see-saw that creates the security blind spots because the template can be tapped during the authentication process.

Traceable biometric authentication systems extract features from scanned biometric elements and pattern-match them with an enrolled template. Theoretically, a system cannot authenticate strangers to its data store. The other side of that theory is exactly where the hackers look. The inability to “recognize” strangers is an opportunity to breach the authentication barrier. If a biometric authentication system has a blind spot, it can then be taken advantage of and used to clone or rob ID. It also means that when the real ID owner tries to use their legitimate ID, they might find that they have been revoked from the system without understanding why. An electronic chip that contains identity elements is only one of the many threats facing traceable biometric authentication systems.

Template leakage is an even bigger problem because once that information is obtained, the ability to prevent illegitimate copies and “fake originals” of legitimate IDs is gone unless the template is changed. Any change to the template requires changing ALL associated IDs, just as is the case when a “master key” is lost. The only solution is to change the key and distribute new keys to all who use it. Can one possibly imagine if such an instance were to occur with Driver’s Licenses? Now try to imagine if it were to happen with Passports. Unfathomable! At least with keys, the ability to change the template or lock is not ideal, but possible. That is not the case with biometrics as biometric elements are with the individual for life. Dear security decision maker, how can you sleep at night?

People want to be able to draw a circle around their personal information, and do not want parts of their body electronically stored in databases. Our system of government tells us that we are entitled to control all that falls inside this circle; we ought to be able to regulate how, to whom, and for what reasons the information within this circle is disseminated. Some people object to biometrics for cultural or religious reasons. Others imagine a world in which cameras identify and track them as they walk down the street, following their activities and buying patterns without their consent. They wonder whether companies will sell biometric data of their body parts the way they sell email addresses and phone numbers. People may also wonder whether a huge database will exist somewhere that contains vital information about everyone in the world, and whether that information would be safe there.

Cloneable, traceable or collectable biometric systems could be designed to have the capability to store and catalog information about everyone in the world. The violation of privacy created by the collection of biometric data creates a prophylactic paradox; the bigger the privacy violation, the farther it moves away from its intended goal.

How then can the power of biometric authentication be made useful without bumping up against these numerous serious challenges?

Innovya’s Traceless Biometrics approach, using non-unique remedies and a Real Time Reactive Authentication process, solves all such cloneable, deflectable and privacy challenges. The Traceless Biometric workflow uses the time-tested photo ID concept, wherein you match a picture to a person, no different than in any typical biometric authentication process. In a very simplistic way, just as in a mirror reflection, anyone can “authenticate” a stranger’s reflection without the need to compare the reflection against any other source of stored information. It does so, however, in a manner that is, as its name suggests, traceless, without storing any biometric data anywhere.

Innovya’s Traceless Biometric Authentication process consists of a comparison of only a portion of predetermined biometric elements against the users’ associated access device, wherein the “instructions” for which such portions and their mathematical modifiers are stored on the access device, somewhat similar, in an oversimplified sense, to the PIN on an ATM card. Unlike the ATM card, however, the system will not authenticate unless that specific user is the one seeking authentication because positive identification is derived from biometric elements on the user’s person, and therefore becomes useless without the user. Should the access device be hacked exposing the numerical string derived in the Traceless Biometric Authentication process, an alternative Traceless Biometric Authentication element can easily be programmed and reissued to the user.

Therein lies the essence of Innovya’s novel approach. Innovya has overcome the major challenge of creating a secure and efficient authentication solution that is stronger and less disturbing than electronically cloning human intrinsic characteristics on databases or electronic chips by eliminating them from the equation altogether. Additionally, because only a portion of the total biometric data is used in the process, should that data be compromised, the ability to recreate the biometric element from which it was derived is simply impossible.

Today, most systems are designed to work specifically in the place where they are located, like office buildings or hospitals. The information in one system isn’t necessarily compatible with the other’s, although several organizations are trying to standardize biometric data. Once identical information is stored outside of governmental boundaries, the potential of using it commercially is huge, especially by hostile governments that might be willing to pay a lot for these otherwise indiscoverable information elements. Above all the advantages and disadvantages of this technology, we will unintentionally be creating ripples in the field of security and privacy.

Adopting traceless guidelines by using real-time reactive authentication process methods for current biometric authentication systems will result in an efficient and unobtrusive authentication solution, while treating personal privacy as the critical issue that it is. Biometric scanning, not storage, as is necessary for the limited purpose of authenticating a user should suffice. Authentication systems should dismiss all biometric information or traces thereof from the scanning devices immediately after the authentication process, and mustn’t use any external storage systems. Innovya has developed the solution to all of these challenges.

Although there are severe restrictions on collecting, creating, lodging, maintaining, using, or disseminating records of identifiable personal data, there are no legal restrictions on the processing of biometric authentication systems. Biometric authentication processes must be recognized for the risk that they pose, and must therefore be carried out only in ways that are Traceless and Anonymous.