Research Result :: Putting privacy at the heart of biometric systems
(18/08/2011) Without surgery, you can’t change your biometric data: your fingerprints, your eyes and your face are yours for life. Biometric security systems use this extremely accurate – and extremely personal – identity information to verify who you are. But should the data be misused or stolen the consequences can be disastrous. A groundbreaking ‘privacy by design’ technique developed by EU-funded researchers promises biometric security without the risks.
Most biometric security systems store templates of a particular biometric feature of a person, such as a fingerprint, hand print or iris scan, in a database or on a chip in a smart card or electronic token. The templates are then matched with the image generated when a person uses a scanner to enter a building, access a bank account or boot up their laptop computer. It is a highly accurate way of authenticating someone's identity, whether used on its own or in combination with other information, such as their name, ID number, date of birth or a password or pin code.
But what happens if that biometric image and associated data falls into the wrong hands or is used for purposes other than originally intended?
A fingerprint scan, after all, can be directly traced back to the person who generated it, and scans stored in different databases could be cross-referenced to build up a complete profile of a person, matching their healthcare records, for example, to their employment information. Because biometric information is so intrinsically personal and can't be easily changed, a stolen biometric identity could have life-long consequences that would be almost impossible to put right. In effect, once biometric information is compromised it is compromised forever.
The privacy implications are enormous, but they could soon be largely solved.
A new technique developed by a team of European researchers working in the EU-funded 'Trusted revocable biometric identities' (Turbine) project offers all the benefits of biometric security while mitigating or eliminating the associated risks.
In one of the world's first practical applications of so-called crypto-biometrics, the team demonstrated a solution based on the concept of 'privacy by design' that enables people to use their fingerprints to prove who they are while keeping their identity information safe.
'Instead of storing scans of fingerprints, we are using scans to generate a mathematical code that represents an identity. The code cannot be used to restore the original fingerprint sample, it can be revoked at any time and the same fingerprint can be used to generate multiple codes so people can have different identities or pseudo-identities for different purposes,' explains Nicolas Delvaux, a programme manager at biometric security company Morpho, part of the Safran group, in France and the coordinator of Turbine.
Irreversible and revocable
The code – a cryptographic bit-string key – is generated by a mathematical formula based on stable characteristics of the person's fingerprint and instructions on how a fingerprint reader should find those characteristics. Each time a person uses a biometric system based on the Turbine technology, the bit-string key their fingerprint generates – not the image of their fingerprint – is matched against the previously saved key. It simply authenticates that the person using the system is authorised, without identifying who they are. In this way, their real identity and their real biometric information remain secure.
'I am a banker, for example, and someone comes along wanting to access an account. In this context, it doesn't matter to me who they are, just that they are the only person who, with part of their body, can generate the code that gives access to that account,' Mr Delvaux says.
A single person could have different bit-string keys for different systems – one, for example, to identify them in the government social security system, another to access their bank account – all generated using the same fingerprint. Or, in a different set-up and using a different mathematical formula to generate the code, users could all share the same key to prove they are a member of a certain group or hold a certain level of security clearance.
Most significantly, the bit-string keys can be revoked by the user at any time. If one is stolen or misused, it can be cancelled and a new one generated.
'You can never revoke your biometry – I mean, you could change your fingerprint but it's extremely difficult to do and not something most people would do... People have 10 fingers so with current systems there are just 10 times a person can generate a new identity. But you can easily generate a new key from a fingerprint as many times as you like,' Mr Delvaux notes.
And because the keys for different applications are all unique there is simply no way to identify users across different systems and databases.
'Let's say you have an account at two different banks. If the banks merge, there is no way the new bank would be able to identify you as having two accounts without your consent,' Mr Delvaux explains.
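The three properties described in this section (the stored code cannot be turned back into the fingerprint, it can be revoked, and keys for different applications cannot be linked) can be shown with a small protected-template scheme. This is an added illustration, not Turbine's or Morpho's own algorithm: it assumes a fuzzy commitment (Juels-Wattenberg) over a repetition code, with a constructed 32-bit "stable characteristics" string standing in for real fingerprint features and the helper data playing the role of the "instructions on how a reader should find those characteristics".

```python
import hashlib
import secrets

# Toy parameters for this added example (not Turbine's real design): the
# fingerprint's "stable characteristics" are a 32-bit feature string and the
# protected template is a fuzzy commitment over a 4x repetition code, which
# tolerates one flipped bit per group of four. A repetition code leaks the
# parities inside each group of features; deployed schemes use stronger codes.
FEATURE_BITS, REP = 32, 4
KEY_BITS = FEATURE_BITS // REP

def _encode(key_bits):
    """Repetition-code encoder: every key bit is written REP times."""
    return [b for b in key_bits for _ in range(REP)]

def _decode(codeword):
    """Majority-vote decoder for the repetition code."""
    return [int(2 * sum(codeword[i:i + REP]) > REP)
            for i in range(0, len(codeword), REP)]

def _pseudo_identity(key_bits, salt, app_id):
    """Irreversible, application-bound bit-string key: salted hash of the secret."""
    return hashlib.sha256(salt + app_id.encode() + bytes(key_bits)).hexdigest()

def enroll(features, app_id):
    """Build the stored record: helper data (how to recover the secret from a
    later scan) and the hashed pseudo-identity. Raw features are never stored,
    and the secret is fresh per enrolment, so re-enrolling revokes the old key."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    salt = secrets.token_bytes(16)
    helper = [c ^ f for c, f in zip(_encode(key), features)]
    return {"app": app_id, "salt": salt, "helper": helper,
            "pid": _pseudo_identity(key, salt, app_id)}

def verify(features, record):
    """Recover the secret from a fresh (possibly noisy) scan and compare hashes."""
    key = _decode([h ^ f for h, f in zip(record["helper"], features)])
    return _pseudo_identity(key, record["salt"], record["app"]) == record["pid"]

def noisy(features, flip_positions):
    """Simulate a fresh scan by flipping the given feature bits."""
    out = list(features)
    for p in flip_positions:
        out[p] ^= 1
    return out

# Constructed fingerprint feature string for the demo.
FINGERPRINT = [int(b) for b in format(0x9E3779B1, "032b")]

if __name__ == "__main__":
    bank = enroll(FINGERPRINT, "bank")
    print(verify(noisy(FINGERPRINT, [0, 5, 9, 30]), bank))  # True: one flip per group
    print(verify(noisy(FINGERPRINT, [0, 1, 2]), bank))      # False: too many flips
```

Enrolling the same feature string for "bank" and "socsec" yields records whose hashed pseudo-identities differ, so a merger of the two databases cannot match them; re-enrolling for the same application yields a fresh key and hash, which is the revocation step.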
The technology was demonstrated in a real-world trial and a proof-of-concept application.
The trial focused on physical access control using a biometric security system installed at Thessaloniki International Airport in Greece. Airport staff were given contact-less smart cards to store their pseudo-identities generated by the Turbine system. By using these together with a fingerprint reader on doors and gates they were able to access restricted areas of the airport building.
The proof-of-concept is a web application for health professionals, with pharmacists in Germany using pseudo-identities stored on a smart card and fingerprint readers to verify their identity when they sign electronic prescriptions. One of the project partners is planning to develop a commercial version.
'The trials were very successful and show the wide range of applications for this technology; however, there are still some hurdles to overcome,' the project coordinator notes.
Though several of the partners, including Morpho, are planning to develop commercial products based on work done in Turbine, there is still the issue, as with other biometric systems, of gaining approval from national data protection agencies.
'It is still very fragmented in Europe with regard to data protection... though we are planning to approach some with our technology and we are active in standardisation efforts,' Mr Delvaux explains.
Nonetheless, the European Data Protection Supervisor (EDPS) issued a broadly positive opinion on Turbine's work, the first time it has done so for a European research project.
'By making the biometric representations irreversible, the system shall prevent the use of biometric data for any other purpose than the one originally intended. It also ensures that the biometric data themselves are not kept for longer than necessary, as they are replaced by the bit-string key… This security aspect is further strengthened by the aspect of revocability of the key,' the EDPS stated.
'It shows that our approach, in many respects, is in line with the EDPS's data protection principles,' Mr Delvaux says. 'That's very encouraging.'
Turbine received EUR 6.35 million in EU support under the Seventh Framework Programme for research, sub-programme 'Secure, dependable and trusted infrastructures'.