Biometrics and The Privacy Paradox Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Privacy & Identity: The Promise & Perils of the Technological Age DePaul University, Chicago October 14, 2004

Privacy – What are the Issues?  Expanded surveillance  Diminished oversight  Absence of knowledge/consent  Loss of control

Privacy Defined  Informational Privacy: Data Protection  Personal control over the collection, use and disclosure of any recorded information about an identifiable individual  An organisation’s responsibility for data protection and safeguarding personal information in its custody or control

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1.Collection Limitation Principle 2.Data Quality Principle 3.Purpose Specification Principle 4.Use Limitation Principle 5.Security Safeguards Principle 6.Openness Principle 7.Individual Participation Principle 8.Accountability Principle

Growth of Biometrics  U.S. Border Security Enhancement Act  International Civil Aviation Organization approved facial recognition for travel documents  EU to implement biometrics in passports and visas  CANPASS and INSPASS programs  AAMVA Unique Identifier Working Group

The Myth of Accuracy  The problem with large databases containing thousands (or millions) of biometric templates:  False positives  False negatives

Biometric Applications Identification:  one-to-many comparison Authentication:  one-to-one comparison

Biometric Identification: False Positive Challenge Even if you have a 1 in 10,000 error rate per fingerprint, then a person being scanned against a million-record data set will be flagged as positive 100 times. And that’s every person. A system like that would be useless because everyone would be a false positive. Bruce Schneier, quoted in Ann Cavoukian’s Submission to the Standing Committee on Citizenship and Immigration, November 4,

Biometric Identification  False Negative Challenge:  Attackers could fool the system  Pay-offs high for compromising the system  Increased vulnerability to a target once a terrorist succeeds in obtaining a false negative: threat escalates considerably

Biometric Strength: Authentication The strength of one-to-one matches  Authentication/verification does not require the central storage of templates  Biometrics can be stored locally, not centrally – on a smart card, passport, travel document, etc.

Designing Privacy Into Biometrics The Privacy Challenges:  Central template databases  Unacceptable error rates  Unrelated secondary uses

Facial Recognition: the Dream “ Khalid Al-Midhar came to the attention of federal law enforcement about a year ago. As the Saudi Arabian strolled into a meeting with some of Osama bin Laden’s lieutenants at a hotel in Kuala Lumpur in December 1999, he was videotaped by a Malaysian surveillance team. The tape was turned over to U.S. intelligence officials and, after several months, Al-Midhar’s name was put on the Immigration and Naturalization Service’s “watch list” of potential terrorists. … The videotape of Al-Midhar also could have been helpful. Using biometric profiling, it would have been possible to make a precise digital map of his face. This data could have been hooked up to airport surveillance cameras. When the cameras captured Al-Midhar, an alarm would have sounded, allowing cops to take him into custody.” - Business Week, Sept. 13, 2001, p. 39

Facial Recognition: the Reality  Test results in place show less than stellar results - Logan Airport pilot had a 50% error rate in real world conditions - U.S. State Department has stated that facial recognition has “unacceptably high error rates” - U of Ottawa tests this summer resulted in accuracy rates between 75% to more than 90% - National Institute for Standards and Technology, under ‘ideal lighting and controlled environment conditions’ reported 90% accuracy - Superbowl facial recognition no longer considered ‘useful’ by subsequent Superbowl organizers “Biometrics Benched for Super Bowl” By Randy Dotinga, Wired MagazineRandy Dotinga

Comparison of Accuracy Rates  NIST Studies show for single biometrics: Facial recognition: % true 0.01 false accept rate % true 1.0% false accept rate Fingerprint: % true 0.01% false accept rate % true 1.0% false accept rate

Facial Recognition and Privacy Research  Confounding Facial Recognition systems:  Creating visual noise through: - Disguises, obstructions, light sources, face paint  Objective: - Creating a framework for facial recognition countermeasures  Results: - Research by James Alexander, U. Pennsylvania

Biometrics Can Be Privacy-Enhancing, if they: 1.Have privacy hard-wired into the deployed technology 2.Authenticate personal credentials without necessarily revealing identity 3.Do not facilitate surveillance or tracking of an individual’s activities – avoid the use of template-based central databases 4.Put control of the biometric in the hands of the individual 5.Provide excellent security without compromising privacy

Final Thoughts on Biometrics  Current off-the-shelf biometrics permit the secondary uses of personal information  The Goal: “Technology that allows for informational self-determination and makes good security a by-product of protecting one’s privacy”  Using the biometric to encrypt a PIN or a standard encryption key will meet that goal: Biometric Encryption – Dr. George Tomko

“I am not a number, I am a human being. I will not be filed, stamped, indexed or numbered. My life is my own.” The Prisoner TV series, 1968 “I am not a number, I am a free man”

How to Contact Us Ann Cavoukian, Ph.D. Information & Privacy Commissioner of Ontario 80 Bloor Street West, Suite 1700 Toronto, Ontario, Canada M5S 2V1 Phone: (416) Web: