Lessons for Biometrics from SSNs & Identity Fraud Peter P. Swire Ohio State University National Academy of Sciences March 15, 2005.


Overview
- Theme for today: learn from SSNs & identity theft problems
- Don't release the keys, in cryptographic systems or in biometrics
- Proposal: law to prohibit the selling or sharing of individuals' biometrics
- Prevent loss of the keys that breed fraud

Swire Background
- Now law professor at Ohio State
  - Teach computer security, privacy, cyber
- Consultant, Morrison & Foerster
- Was Chief Counselor for Privacy, OMB, 1999 to early 2001
- Worked to fund CSTB study on authentication and privacy; discussed biometric study

Problems with SSNs
- Technically weak identifier
  - No check sum
  - Easy to fake or to steal
- Uses have spread dramatically over time
  - Despite earlier promises to use only for federal programs
- Nonetheless, SSN is now the key information that gives access to the credit system and authoritative credentials
- ChoicePoint incident: data compromised for at least 145,000 persons
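The slide's "no check sum" point is worth seeing concretely. The Go program below is an added example, not part of the talk: it accepts any string in SSN format (there is nothing to verify), then contrasts that with a Luhn check digit of the kind payment cards carry. The check digit catches a single mistyped digit, but because it is public arithmetic it does nothing against a number that is stolen or fabricated, which is the talk's real complaint. The sample numbers are constructed.

```go
package main

import "fmt"

// looksLikeSSN accepts any string of the form DDD-DD-DDDD. With no check
// digit there is nothing to verify, so every such string passes, including
// one with a transcription error.
func looksLikeSSN(s string) bool {
	if len(s) != 11 {
		return false
	}
	for i, c := range s {
		if i == 3 || i == 6 {
			if c != '-' {
				return false
			}
			continue
		}
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// luhnValid reports whether an all-digit string passes the Luhn checksum:
// doubling every second digit from the right and requiring the sum to be 0 mod 10.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// luhnAppend computes the check digit for an all-digit payload and returns
// payload followed by that digit. Anyone can run this, so it is not a secret.
func luhnAppend(payload string) string {
	for d := 0; d <= 9; d++ {
		candidate := payload + string(rune('0'+d))
		if luhnValid(candidate) {
			return candidate
		}
	}
	return "" // unreachable for all-digit payloads
}

// mutateDigit returns a copy of s with the digit at pos bumped by one,
// simulating a transcription error. pos must index a digit.
func mutateDigit(s string, pos int) string {
	b := []byte(s)
	b[pos] = '0' + (b[pos]-'0'+1)%10
	return string(b)
}

func main() {
	ssn := "123-45-6789" // constructed sample, not a real SSN
	typo := mutateDigit(ssn, 8)
	fmt.Println(ssn, looksLikeSSN(ssn), typo, looksLikeSSN(typo)) // both true

	card := luhnAppend("411111111111111") // constructed 15-digit payload
	typoCard := mutateDigit(card, 5)
	fmt.Println(card, luhnValid(card), typoCard, luhnValid(typoCard)) // true, false
}
```

The takeaway for a defender: a check digit is an integrity aid against accidental errors, not an authentication secret. A system that treats possession of the number as proof of identity is wide open whether or not the number has a checksum.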

Algorithms and Keys
- Modern crypto
  - Kerckhoffs's law: assume the algorithm should be public
  - Keep the key/password secret
- If the key is copied/compromised, the system is wide open
  - Especially for online/remote applications
  - Also for fake driver's license
- A Model for When Disclosure Helps Security: What Is Different About Computer and Network Security?, at

How to Prevent Loss of Keys
- For SSNs, perhaps law this year prohibiting sale or display of SSNs
  - Goal of enhancing the security of the keys
- For biometrics, why not have a law prohibiting the sale or display of plaintext of biometrics?
  - Goal of enhancing the security of the keys

Benefits of the No Display Law
- Prophylactic rule, before there are commercial enterprises that depend on the sale or display
- Keep the keys more secure from the start
  - Bad enough to get a new SSN
  - Much harder to get a new finger, iris, etc.
- Encourage encryption in storage and use of images of fingerprints, etc.
- [Interlude – best practice should be to encrypt biometrics in storage]
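The interlude's "encrypt biometrics in storage" is the one engineering recommendation in the talk, and the Go program below is an added example of what it means in practice; it is not code from the talk or from any product. The template store holds only AES-256-GCM ciphertext, the storage key lives with the matching service and never sits beside the data, and the record ID is bound in as associated data so a row cannot be silently moved to another user. The template bytes, record IDs and key are constructed; a real matcher compares fuzzy templates against a threshold rather than byte-for-byte.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TemplateStore is the at-rest representation: record ID -> nonce||ciphertext.
// This is what a thief who copies the database obtains.
type TemplateStore map[string][]byte

// Matcher holds the storage key in memory only; it is never written to the store.
type Matcher struct {
	aead cipher.AEAD
}

// NewMatcher wraps a 16/24/32-byte AES key in GCM (constructed key in main/test).
func NewMatcher(key []byte) (*Matcher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Matcher{aead: aead}, nil
}

// Enroll encrypts the template under a fresh random nonce and stores
// nonce||ciphertext. The record ID is authenticated as associated data.
func (m *Matcher) Enroll(store TemplateStore, id string, template []byte) error {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := m.aead.Seal(nil, nonce, template, []byte(id))
	store[id] = append(nonce, ct...)
	return nil
}

// open decrypts the record for id; it fails if the row was tampered with
// or copied under a different id.
func (m *Matcher) open(store TemplateStore, id string) ([]byte, error) {
	rec, ok := store[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := m.aead.NonceSize()
	if len(rec) < ns {
		return nil, errors.New("record too short")
	}
	return m.aead.Open(nil, rec[:ns], rec[ns:], []byte(id))
}

// Verify decrypts the enrolled template and compares it with a fresh sample.
// Exact comparison stands in for a real fuzzy matcher.
func (m *Matcher) Verify(store TemplateStore, id string, sample []byte) (bool, error) {
	tmpl, err := m.open(store, id)
	if err != nil {
		return false, err
	}
	return bytes.Equal(tmpl, sample), nil
}

// Leaked reports whether the plaintext template appears anywhere in the
// stored bytes, i.e. whether a database copy alone reveals the "key".
func Leaked(store TemplateStore, template []byte) bool {
	for _, rec := range store {
		if bytes.Contains(rec, template) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed key; in practice from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	m, _ := NewMatcher(key)
	store := TemplateStore{}
	tmpl := []byte("constructed-minutiae-template-0001")
	_ = m.Enroll(store, "user-42", tmpl)
	ok, _ := m.Verify(store, "user-42", tmpl)
	fmt.Println("match:", ok, "plaintext in store:", Leaked(store, tmpl))
	store["user-99"] = store["user-42"] // row copied to another user
	_, err := m.Verify(store, "user-99", tmpl)
	fmt.Println("swapped row rejected:", err != nil)
}
```

Two design points follow from the talk. Authenticated, randomized encryption means two users with identical templates produce different rows and any edit is detected, and keeping the key with the matcher rather than the database turns "data compromised for 145,000 persons" into a leak of unusable ciphertext. It does not make a finger revocable; it only prevents the at-rest copy from becoming the key the talk warns about.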

Exceptions to the Law
- Photos
  - Many non-security uses of photos
  - Faces are seen in public
- DNA samples
  - When is transfer appropriate for medical treatment or research?
- Burden on others to explain why the biometric keys should be made public

Conclusion
- One-time opportunity for society to protect biometric keys before they are compromised
- Let those who think display or sale is good explain precisely why, and craft exceptions
- Without clear law, we will see proliferation of disclosures, in insecure applications
- Without encryption, will have data leaks
- If so, biometrics could become a failed approach, like SSNs today