Technology
A traceless biometric system (TBS) is a method for identifying an individual through one or more biometric identifiers that are designed to be non-unique. Instead of unique biometric information, an amorphous identifier agent takes its place. The amorphous agent is an incomplete identifier, obtained from freshly scanned biometric information, which is non-unique. (A further alterable limit indicator taken from a document can be added to turn non-unique combinations into unique ones.) By ‘incomplete’ or ‘alterable’ we mean that neither the biometric information itself nor the document can be reconstructed from the identifier, even with the device that originally allocated the agent, or ‘Biometric Identifier Token’. With this method the individual has to be present (with his documents) during the identification process, since the (secret) token identifier itself has no true value except in a particular biometric identification transaction. This is important in order to avoid an association with recorded values or any other unique characteristic.
Although many inventors have offered myriad approaches attempting to provide inexpensive, minimally accumulated, and compact verification systems in which digitized characteristics of human users could be stored, retrieved and compared at some later time to verify that a human user is indeed a properly authorized user, none has succeeded in producing a system that is practical and desirable for providing non-unique biometric security appropriate for use with real-time reaction biometric measurements (without the need to store unique information). Because of these and other significant limitations, no commercially viable biometric-based non-unique security system has been successfully invented. Traceless biometrics was first proposed by Shafir[1] et al. Besides reliable accuracy performance and the replacement policy, a traceless biometric has to be non-revisable in order to fulfill the aim.
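An added illustration (not from the original article or from the Shafir et al. system) of the non-uniqueness property described above: a deliberately short token derived from a scan is shared by many people in a population, and that same shortness sets the rate at which a stranger holding someone else's document would still match. The feature vectors, the sign-bit `coarse_token` scheme, the 8-bit length and the per-document indicator are all assumptions made for the example, and scans are treated as noise-free.

```python
import random
from collections import Counter

def make_population(n, dims=16, seed=1):
    """Constructed stand-in for biometric feature vectors (not real scan data)."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dims)] for _ in range(n)]

def coarse_token(features, bits=8):
    """Hypothetical lossy token: one sign bit from each of the first `bits` features.

    Everything else in the scan is discarded, so the scan cannot be rebuilt
    from the token and many different people map to the same value.
    """
    token = 0
    for value in features[:bits]:
        token = (token << 1) | (1 if value >= 0.0 else 0)
    return token

def anonymity_sets(population, bits=8):
    """Count how many people share each token value."""
    return Counter(coarse_token(person, bits) for person in population)

def verify(fresh_scan, presented_indicator, expected_token, expected_indicator, bits=8):
    """Accept only if the fresh scan's token and the document indicator both match."""
    return (coarse_token(fresh_scan, bits) == expected_token
            and presented_indicator == expected_indicator)

def impostor_accept_rate(population, victim, bits=8):
    """Fraction of other people who pass `verify` while holding the victim's document."""
    token = coarse_token(population[victim], bits)
    indicator = victim  # assumption: the document indicator is a per-document number
    others = [p for i, p in enumerate(population) if i != victim]
    hits = sum(verify(p, indicator, token, indicator, bits) for p in others)
    return hits / len(others)

if __name__ == "__main__":
    people = make_population(10_000)
    sets = anonymity_sets(people)
    print("distinct tokens:", len(sets), "smallest set:", min(sets.values()))
    print("impostor accept rate:", round(impostor_accept_rate(people, 0), 4))
```

With a token of b bits the anonymity set grows and the impostor accept rate approaches 2^-b, so token length trades privacy directly against verification strength.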

Traceless biometrics guidelines:
- Able to authenticate innocent strangers, even if they’re not known to the system.
- Does not require infrastructure (can work offline)
- No need for proprietary scanners/readers (any mix fits)
- No need for central databases, no storage, no templates
- Privacy friendly – neither unique nor clonable, and must be traceless.
- Cancelable Biometrics[2] – Letting the subject cancel/change his own biometric or key by himself anytime anywhere.
- Standard without giving away secrets – Easy integration with foreign applications without changing their core procedures (transparent)
- Can be spread anywhere (no single key) without risk of breach
- Fast, reliable, anonymous, mobile, non-unique, irreversible, accurate, unidirectional, high entropy.
- Able to authenticate anywhere across the globe! (Even in the desert or high seas) without communication.
Adopting the above traceless guidelines and using a real-time reactive authentication process or method in current biometric authentication systems will provide a more efficient and friendlier authentication solution. Privacy is obviously an issue, and one that is potentially solved: a biometric scan, to the extent necessary for a function or activity to authenticate the subject, should be sufficient. After the authentication process, the new traceless authentication systems should dismiss all biometric information or traces from the scanning devices, and must not use any storage systems or leave unique information behind.
Traceless biometrics incentives
Traceable or stored biometric information is a computerized invasive method that is able to simulate human attendance by mimicking the adaptability of living persons using their enduring physical or behavioral characteristics, as a result of the fact that biometrics offer irrefutable evidence of one’s identity. Biometric properties from the perspective of traces or permanent storage can now lead to undesired identification via attendance simulation or tracing of the activities of an individual, because of the power of computers. The “pseudo state of a person being present” made by the biometric simulation system is able to mimic the living person’s attendance even if the legitimate owner of the enrolled biometric information is not aware of this process or is not physically present in front of the biometric system…
One of the main logical paradoxes that governments need to address with current biometrics is that traceable biometrics are clonable… all our data – fingerprints, body parts, personal characteristics and imaging – can be exploited by businesses or criminals[3]. How do you replace your finger if a hacker figures out how to duplicate it?[4] If your biometric is exposed, theoretically you will never be able to prove you are who you say you are or, in a more unfavorable situation, prove you are not who you say you are not. The subject always carries his biometrics with him; why, then, should unique biometric information be collected and stored in databases[5], smart cards, or other external devices in order to make it useful?
[6] Many body parts, personal characteristics and imaging methods have been suggested and used for biometric systems: fingers, hands, feet, faces, eyes, ears, teeth, veins, voices, signatures, typing styles, gaits and odors. A fingerprint, for example, is a biometric which, if compromised (i.e. obtained in an unauthorized manner), cannot easily be controlled by the individual. An unretouched or altered photograph of a face and a physical signature are biometrics which can be checked using the eyes and experience of the verifier. These biometrics have been in use routinely and efficiently throughout human history. The use of automation to authenticate people is new and is being tested on consumers without precautions regarding their privacy.
The privacy key element is governments’ willingness
A biometric solution should be completely noninvasive with regard to personal privacy. Further, we hold that if these traceless biometric systems (TBS) are used in conjunction with existing security mechanisms (such as public-key algorithms), they can provide almost foolproof protection for electronic transactions and other operations in smart environments. The key element, however, is that government intervention, in the form of a set of standards for how the new traceless biometric solution will be adopted, is an absolute necessity for complete privacy protection.
Existing legal framework for privacy protection of personal information
The U.S. Constitution does not explicitly guarantee a right to privacy. Privacy of personal data has traditionally been protected in two ways: through self-regulatory codes and through laws. If one biometrics system were widely adopted, say fingerprinting, the many databases containing the digitized versions of the prints could be combined. While such a system is most likely to be developed by the commercial sector for use in financial transactions, government and law enforcement authorities would likely want to take advantage of these massive databases for other purposes, especially if we were to enter a time of social unrest. Indeed, government agencies and law enforcement are the top subscribers to the many databases compiled by private sector ‘information brokers’. Privacy laws and policy in the United States were derived from a code of fair information practices[7] developed in 1973 by the U.S. Department of Health, Education, and Welfare. This Code is ‘an organized set of values and standards about personal information defining the rights of record subjects and the responsibilities of record keepers.’ The Code highlights five principles of fair information practices:
- There must be no secret personal data record-keeping system.[8]
- There must be a way for individuals to discover what personal information is recorded about them and how it is used.[9]
- There must be a way for individuals to prevent personal information obtained for one purpose from being used or made available for other purposes without their consent.[10]
- There must be a way for individuals to correct or amend information about themselves.[11]

Privacy Protection Through Law
1. The Privacy Act of 1974[12]. The first response by the U.S. federal government to the many concerns about its power to use and misuse personal information was the Privacy Act of 1974. This Act covers federal databases and is based on the Code of Fair Information Practices defined above. In 1977, a Privacy Protection Study[13] Commission rejected the idea of having a similar privacy law for the private sector. This means that individuals’ privacy with respect to databases of information stored and maintained by private organizations is not protected. In the private sector, total reliance is on the fair information practice codes. This is a serious problem.
2. Constitutional Provisions. Though there is no clearly defined right to privacy in the U.S. Constitution, privacy rights are implied[14] in several of the amendments. The right to privacy is rooted in the 4th Amendment, which protects individuals from unreasonable search and seizure; the 5th Amendment, which protects individuals from self-incrimination[15]; and the 14th Amendment, which gives the individual control over his personal information.
What remains to be determined is the following:
- Can the biometric information be collected, stored, or retrieved?
- Can the biometric information collected be used both for criminal and noncriminal searches and suspicionless searches?
- Can the system give the individual full control over his abandoned personal intrinsic information?
The following fact remains: there are no legal restrictions on biometrically identifying information or on biometric authentication systems. However, there are severe restrictions on collecting, creating, maintaining, using, or disseminating records of identifiable personal data. One immediate conclusion that we should draw is that biometric authentication must be traceless.
There is no standard for storing biometric data
Stored biometric information is useful only if a subject is already known to the system… From the security point of view, biometric authentication will not work if the subject is a stranger to the cloned biometric system. Biometrics is not universally used because there is no standard for storing the data. As long as biometric information is stored in databases, there is practically no cancelable biometric. You cannot grant the public access to control the entries they own, especially stored biometric information. A biometric is more private to you than a number that somebody assigned to you. Security requires secrets; if someone tries to create a standard to collect “widespread known secrets”, they cannot be called “secrets” any more, since the best secrets are never shared. There is a class of biometric information that can be a perfect secret and still be useful – traceless biometrics are the only secrets we know of that we can (a) avoid sharing and (b) usefully deploy. The owner of the biometric can prove that he or she has it without sharing it. No other types of authentication knowledge are useful if they are not kept as perfect secrets.
The power of computers and privacy
Biometric properties from the perspective of traces or permanent storage can now lead to undesired identification and tracing of the activities of an individual, because of the power of computers. Even if the biometric data is stored in an altered form that requires a complex algorithm to decipher, the speed and computational power available today make any such protection scheme irrelevant. For example, today anyone with a computer and an electronic telephone book can trace a telephone number to a particular address. Previously, before computers, only a governmental entity or authorized authorities such as the police had the right of access or permission to trace a telephone number back to a name or location.
Individuals should be unique, biometrics not
In order for a unique individual identifier to be effective for privacy, not every individual should have an identifier that applies only to that individual, and that identifier must change over time, especially when the personal information has been exposed.
If unique biometric properties are stored somewhere, for example on a smart card or on a computer system, then even if they are stored in an encoded, scrambled or ciphered form, they are still a unique biometric identifier[16]. Once a unique biometric identifier has been stored anywhere, at any time, on any external[17] media (including media that is associated with the boundaries of the individual, such as a smartcard held by the individual), the privacy of that biometric property owner is violated or can easily be violated. As noted previously, exposing or losing a biometric property is a permanent problem for the life of the individual[18], as there is no way to cancel the physiological or behavioral characteristics of the individual. Biometric technology is inherently individuating and interfaces easily to database technology, making privacy violations easier and more damaging.[19]
Privacy fears are justified not only in the context of identifiable fingerprints of the kind commonly used by the police, where there is centralized retention. A fingerprint, like the broader family of biometrics, offers irrefutable evidence of one’s identity, since these are unique biological characteristics that distinguish one person from another, and yet they can mistakenly be linked to an individual who is NOT necessarily the original biometric presenter or the rightful owner of the unique biological characteristics!
References
- “System and method for traceless biometric identification”, A device, system and method for identifying an individual with a biometric identifier that at least one other individual in a given population has the identical biometric identifier. The biometric identifier according to the present invention, also referred to herein as a “BIdToken”, is implemented to be biometrically traceless, such that an exact image or copy of the biometric information is preferably not maintained by the present invention. Shafir (Micha) Michael et al., 2006.
- Cancelable Biometrics – Wikipedia (http://en.wikipedia.org/wiki/Biometrics#Cancelable_Biometrics)
- Proposed biometric ID cards won’t prevent fraud or terrorism (IEEE Spectrum, Jan 2006)
- How to fake fingerprints? October 26, 2004 (starbug) Simple instructions on how to copy and fake fingerprints (http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en)
- ACLU – The government and corporations are aggressively collecting information about your personal life and your habits. (http://www.aclu.org/pizza)
- (WO/2008/001373) SYSTEM AND METHOD FOR TRACELESS BIOMETRIC IDENTIFICATION – BACKGROUND, Shafir et al, 2006 (http://www.wipo.int/pctdb/en/wo.jsp?IA=WO2008001373&WO=2008001373&DISPLAY=DESC)
- FAIR INFORMATION PRACTICES – Robert Gellman (http://bobgellman.com/rg-docs/rg-FIPshistory.pdf)
- Introduction to Fair Information Practices – Pam Dixon
- Ethical and Legal Requirements Associated with Data Dissemination
- Economic aspects of personal privacy
- Information Technologies and the Shifting Balance between Privacy and Social Control
- THE PRIVACY ACT OF 1974, “Records maintained on individuals” (http://www.usdoj.gov/oip/privstat.htm)
- Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission
- Privacy and Accuracy of Personal Information
- Technology and Privacy: The New Landscape By Philip E. Agre, Marc Rotenberg
- Biometrics from a legal perspective (Dr. Ronald Leenes TILT – Tilburg Institute for Law, Technology, and Society)
- U.K. researchers devise smart-card hack – Tom Espiner ZDnet 2007 (http://news.zdnet.com/2100-1009_22-6156601.html)
- Bank loses tapes with data on 4.5M clients – Brian Fonseca, Computerworld (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091318&source=NLT_PM&nlid=8)
- Computers and new information technologies have greatly increased the power of surveillance by government and large corporate entities, Douglas Kellner – University of Texas at Austin