FAQs - Definitions

Are biometrics inherently privacy-invasive or privacy-protective?

Biometrics, like any technology, are defined by their usage. The broad range of biometric technologies, infrastructures, and deployment environments render any all-encompassing statements on biometrics pointless. Biometrics can be deployed in a privacy-invasive fashion, in a privacy-neutral fashion, and in a privacy-protective fashion.

An analogy to databases is instructive. Databases can be used to link personal information from disparate sources without user consent and are the source of much of the privacy world’s concern about information aggregation and misuse. Are databases inherently privacy-invasive? No. It is the specific use to which they are put, and the systemic and operational controls (or lack thereof) which define whether databases are privacy-invasive. The same can be said for biometric technologies.      

Is biometric data personal information?

Biometric data is personal information: it is derived from an individual, is used to verify or determine a person's identity, and depending on the technology, may be a highly distinctive representation of a physiological or behavioral characteristic. The proposition that biometric data is not personal information is based on a semantic distinction between data and its usage, and does not take into account the purposes for which biometric data is used. 

Although biometric data is personal information, there are various situations in which its collection, storage, and usage by individuals, employers or government agencies is beneficial. Biometric data is a type of personal information which, if used properly, can protect other, more sensitive personal information. This capability of biometrics to protect sensitive personal information, such as records pertaining to health, employment, or finances, is the primary basis of biometrics being positioned as a privacy-enhancing technology. 

Because biometric data is sensitive, and there are situations in which biometric systems could be misused, protections commensurate with the deployment-specific risks are necessary at all possible stages of the data's lifecycle.

Are biometrics unique identifiers?

A unique identifier is a fixed number or value associated with a specific person. The most common example of a unique identifier would be the Social Security number, which is issued at a young age and used for the purposes of employment and taxation throughout one's life. Unique identifiers are problematic from a privacy perspective, as they make possible the linking of information in separate databases. Social security numbers have come to be used as semi-unique identifiers (some numbers are mistakenly issued more than once, and users can assume false social security numbers). 

Biometrics are seen as especially "unique" identifiers, as they are viewed as incapable of being lost, changed, or forgotten. However, biometric technologies in use today are not unique identifiers. How is this possible?

Let us assume that physiological characteristics such as fingerprints, iris patterns, and retinal patterns are unique over the course of a person's life – in theory, no two people share identical fingerprints, irises, or retinal patterns. Even with this assumption, the templates generated from these physiological characteristics vary from day to day, minute to minute, and second to second.

As opposed to being a consistently replicable string of data, such as a social security number, biometric templates vary with each biometric placement or recording: the same finger, placed over and over again, generates a different template each time. Every variation in presentation - attributable to pressure, distance, angle, pitch, skin condition, time of day - leads to a different string of numbers (i.e. a template). Without a matching algorithm to make sense of a user's enrollment and verification templates, they appear unrelated. The idea that the same number (i.e. template) will exist in every biometric system in which a user enrolls is inconsistent with the technology’s basic operations. A large percentage of the data changes with each placement.

If biometrics were unique identifiers, there would never be false matches; however, every technology suffers false matches at some point. Because of the variance in template quality, there is always the possibility that a comparison of two templates will result in a false non-match. Oddly, the fact that biometric template generation is not perfect helps ensure that biometrics do not facilitate multi-database tracking.

Biometric templates, then, are highly reliable identifiers, but they are not unique identifiers. The more relevant question is whether biometrics can be used as semi-unique identifiers. At this point, such usage would be exceptionally difficult, but cannot be ruled out. In order for biometric data to be tracked across multiple databases (i.e., to function as a unique identifier), a single biometric vendor would have to supply all of the core technology. Recall that different finger-scan vendors’ templates are not interchangeable or comparable. Assuming that only one biometric company provided the core matching technology for all systems, the companies managing the databases – employers, retailers, trusted third party providers - would need to access vendor source code in order to match templates. Even with the complicity of the biometric vendor and of the companies responsible for storing and managing personal data, the ability to compare against large databases is limited by the enrollment quality and by the actual finger enrolled. A user who uses the left index at home and the right index at work renders even this theoretical risk moot.

All of this assumes that the biometric templates are stored centrally. There are many situations in which a central template database is desirable or necessary, and others where it is best to decentralize stored biometric data. Many deployments will give the users themselves control over data in the form of tokens or smart cards.

Do biometric comparisons result in exact, 100% matches?  

One of the most interesting facts about most biometric technologies is that unique biometric templates are generated every time a user interacts with a biometric system.  As an example, two immediately successive placements of a finger on a biometric device generate entirely different templates. These templates, when processed by a vendor’s algorithm, are recognizable as being from the same person, but are not identical. In theory, a user could place the same finger on a biometric device for years and never generate an identical template.

Therefore, for most technologies, there is simply no such thing as a 100% match. This is not to imply that the systems are not secure – biometric systems may be able to verify identity with error rates of less than 1/100,000 or 1/1,000,000. However, claims of 100% accuracy are misleading and are not reflective of the technology’s basic operation.
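The behaviour described in the two sections above (templates that differ on every capture, a matching algorithm that still recognizes them as the same person, and the resulting possibility of a false non-match) can be simulated in a few lines. The following is an added illustration, not code from the original FAQ or from International Biometric Group: templates are modelled as constructed 512-bit strings, each capture flips a random 10% of the bits to stand in for variation in pressure, angle and skin condition, and a plain bit-agreement score stands in for a vendor's proprietary matching algorithm. All of those choices are assumptions made for the example.

```python
import random

TEMPLATE_BITS = 512   # length of the constructed bit-string template (assumption)
NOISE_RATE = 0.10     # fraction of bits perturbed on each capture (assumption)


def capture_template(true_pattern, rng, noise_rate=NOISE_RATE):
    """Simulate one placement. The underlying characteristic (true_pattern) is
    fixed, but pressure, angle and skin condition perturb a fraction of the
    encoded bits, so each capture returns a different template."""
    return [bit ^ 1 if rng.random() < noise_rate else bit for bit in true_pattern]


def similarity(template_a, template_b):
    """Matching score in [0, 1]: the fraction of bit positions that agree.
    A Hamming-style comparison stands in for a vendor's matching algorithm."""
    agree = sum(1 for a, b in zip(template_a, template_b) if a == b)
    return agree / len(template_a)


def compare_captures(seed=1):
    """Enroll one constructed finger, then verify with the same finger and
    with a different finger. Returns the two scores and whether the two
    same-finger templates were bit-for-bit identical."""
    rng = random.Random(seed)
    finger_a = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]  # constructed "true" pattern
    finger_b = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]  # another person's finger
    enrollment = capture_template(finger_a, rng)
    verify_same = capture_template(finger_a, rng)
    verify_other = capture_template(finger_b, rng)
    return {
        "identical": enrollment == verify_same,
        "same_finger_score": similarity(enrollment, verify_same),
        "other_finger_score": similarity(enrollment, verify_other),
    }


def false_non_match_rate(threshold, trials=500, seed=2):
    """Fraction of genuine (same-finger) verification attempts whose score
    falls below the threshold: the false non-match the text mentions."""
    rng = random.Random(seed)
    finger = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    enrollment = capture_template(finger, rng)
    rejected = sum(
        1 for _ in range(trials)
        if similarity(enrollment, capture_template(finger, rng)) < threshold
    )
    return rejected / trials


if __name__ == "__main__":
    result = compare_captures()
    print("same-finger templates identical:", result["identical"])
    print("same-finger score: %.3f" % result["same_finger_score"])
    print("other-finger score: %.3f" % result["other_finger_score"])
    print("false non-match rate at threshold 0.80: %.3f" % false_non_match_rate(0.80))
    print("false non-match rate at threshold 0.70: %.3f" % false_non_match_rate(0.70))
```

Two captures of the same constructed finger agree on roughly 82% of bits (each bit differs when exactly one of the two captures flipped it), two different fingers on roughly 50%, and no two captures are ever identical. Raising the threshold from 0.70 to 0.80 pushes the false non-match rate from near zero to a noticeable fraction of genuine attempts, which is the trade-off an administrator makes when setting a threshold.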

What are commonly expressed fears regarding biometrics and privacy?

The basic classifications of privacy are personal and informational. It is rare that objections to biometrics are expressed systematically: it is much more likely that objections to biometrics are called “slippery slope” or “Big Brother” without further elaboration.

Personal Privacy. For some people, the use of biometrics is seen as inherently offensive. Being required to verify one’s identity through a finger-scan or voice-scan can be seen as intrusive, impersonal, or mistrustful. These objections to biometrics are based on personal privacy.

Informational Privacy. A more common objection to biometrics is based on informational privacy; how biometric data might be misused, tracked, linked, and otherwise abused. Potential privacy-invasive misuses of biometrics are as follows:

Unnecessary or unauthorized collection – gathering biometric information without the user’s permission or knowledge, or gathering biometric data without explicitly defined purposes

Unauthorized use – using biometric information for purposes other than those for which it was originally acquired

Unauthorized disclosure – sharing or transmitting biometric information without the user’s explicit permission

Unique identifier – using biometric information to track a user across various databases, to link different identities, and to amalgamate personal data for the purposes of surveillance or social control

Improper storage – storing biometric information in logical proximity to personal data such as name, address, social security number

Improper transmission – transmitting biometric information in logical proximity to personal data such as name, address, social security number

Forensic usage – using biometric information to facilitate investigative searches, which may be categorized as unreasonable search and seizure

Function creep – gradually using biometric data for a variety of purposes beyond its original intention and scope

Are biometric templates secrets? If my template is compromised, does that mean that I can never use that biometric again?

Not in a well-designed system. If a criminal steals or guesses your password, it is very easy to have it changed. There is a fear, however, that if a criminal gets hold of a biometric template, the damage is irreparable - there is no way to change that part of your body. Although templates are often encrypted in transit and in storage in order to protect against such an occurrence, what happens if a template is compromised?

The answer depends on how well a biometric system is designed. If a system allows a template to be inserted into the verification process without ensuring that this template came from an actual placement, a compromised template can pose a problem. However, a well-designed system will ensure that the information it is analyzing is not a recording but is in fact a new sample.

One way to assure that a new template is being submitted is to seed the request for a sample. This involves the biometric system sending an encrypted random number (known as a seed) to the biometric sensor. This number can be encrypted such that only the sensor itself can decrypt the message. When returning the biometric template, the sensor also sends the seed number back (encrypted). This ensures that the template being sent was created immediately after the request for the template (as opposed to an old template that has been recorded and played back).

The following chart illustrates a request for a biometric sample with a seed value of 3434.

(Chart not reproduced in this text.)
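The seeded request described above can be modelled end to end: the system issues a seed, the sensor returns the template together with that seed, and the system accepts only a response that echoes an outstanding seed. The following is an added example and not code from the original FAQ or from International Biometric Group. It departs from the text in one labelled respect: the FAQ describes encrypting the seed so that only the sensor can read it, whereas this example binds the template to the seed with a shared-key HMAC, which is simpler to show with the standard library; the key, the template bytes, the 16-byte random seed (the chart uses 3434) and the ten-second seed lifetime are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Shared sensor key (constructed). The text describes encrypting the seed so
# that only the sensor can read it; this example uses a shared-key HMAC over
# (seed, template) as a stand-in that binds the returned template to the seed.
SENSOR_KEY = b"constructed-demo-key-do-not-reuse"
SEED_TIMEOUT = 10.0   # seconds a seed stays redeemable (assumption)


class Sensor:
    """The biometric sensor: captures a sample and returns the template
    together with the seed it was asked to echo, authenticated with its key."""

    def __init__(self, key):
        self.key = key

    def respond(self, seed, template):
        tag = hmac.new(self.key, seed + template, hashlib.sha256).digest()
        return {"seed": seed, "template": template, "tag": tag}


class Verifier:
    """The biometric system: issues a fresh seed per request and accepts only
    a response that echoes an outstanding, unexpired seed under a valid tag."""

    def __init__(self, key, timeout=SEED_TIMEOUT):
        self.key = key
        self.timeout = timeout
        self.pending = {}   # seed -> time issued

    def request_sample(self, now=None):
        seed = secrets.token_bytes(16)   # unpredictable, so it cannot be guessed ahead of time
        self.pending[seed] = time.monotonic() if now is None else now
        return seed

    def accept(self, response, now=None):
        now = time.monotonic() if now is None else now
        issued = self.pending.pop(response["seed"], None)   # each seed is redeemable once
        if issued is None:
            return False, "unknown or already-used seed (possible replay)"
        if now - issued > self.timeout:
            return False, "seed expired"
        expected = hmac.new(self.key, response["seed"] + response["template"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["tag"]):
            return False, "template not bound to this seed"
        return True, "fresh sample accepted"


def run_exchange():
    """Genuine exchange, then a played-back response, a response whose seed
    was swapped for a current one, and a reply that arrives too late."""
    sensor, verifier = Sensor(SENSOR_KEY), Verifier(SENSOR_KEY)
    template = b"constructed-template-bytes-001"   # stands in for real template data

    seed = verifier.request_sample(now=0.0)
    response = sensor.respond(seed, template)
    genuine = verifier.accept(response, now=1.0)
    replay = verifier.accept(response, now=2.0)           # same message played back

    seed2 = verifier.request_sample(now=5.0)
    reseeded = verifier.accept(dict(response, seed=seed2), now=6.0)   # old tag, new seed

    seed3 = verifier.request_sample(now=10.0)
    stale = verifier.accept(sensor.respond(seed3, template), now=30.0)   # past the timeout

    return {"genuine": genuine, "replay": replay, "reseeded": reseeded, "stale": stale}


if __name__ == "__main__":
    for name, (ok, reason) in run_exchange().items():
        print("%-9s %s: %s" % (name, "accepted" if ok else "rejected", reason))
```

Only the first response is accepted. The replay fails because its seed has already been redeemed, the re-seeded copy fails because the tag was computed over the old seed, and the late reply fails the timeout; none of these checks require the verifier to inspect the template itself, which is the point of seeding the request.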

Note that biometric templates cannot be used to regenerate original biometric data.

What is the difference between forensic fingerprinting technology and biometric finger-scan technology?

Many people think of forensic fingerprinting as an ink and paper process. While this may still be done in some locations, most jurisdictions utilize optical scanners known as livescan systems. There are some fundamental differences between these forensic fingerprinting systems (used in AFIS systems) and the biometric finger-scan systems used to log on to a PC:

Response time - AFIS systems may take hours to match a candidate, while finger-scan systems respond within seconds or fractions of a second.

Cost - an AFIS capture device can range from several hundred to tens of thousands of dollars, depending on whether it is designed to capture one or multiple fingerprints. A PC peripheral finger-scan device generally costs less than $200.

Accuracy - an AFIS system might return the top 5 candidates in a biometric comparison with the intent of locating or questioning the top suspects. Finger-scan systems are designed to return a single yes/no answer based on a single comparison.

Scale – AFIS systems are designed to be scalable to thousands or millions of users, conducting constant 1:N searches. Finger-scan systems are almost invariably 1:1, and do not require significant processing power.

Capture – AFIS systems are designed to use the entire fingerprint, rolled from nail to nail, and often capture all ten fingerprints. Finger-scan systems use only the center of the fingerprint, capturing only a small fraction of the overall fingerprint data.

Storage – AFIS systems generally store fingerprint images for expert comparison once a possible match has been located. Finger-scan systems, by and large, do not store images, as they are not used for comparison.

Infrastructure – AFIS systems normally require a backend infrastructure for storage, matching, and duplicate resolution. These systems can cost hundreds of thousands of dollars. Finger-scan systems rely on a PC or a peripheral device for processing and storage.

Can you recreate an image of the sample from a template?

Most vendors indicate that this is not possible. The template represents various measurements of the sample and is usually not a ‘description’ of the sample. However, it cannot be stated with absolute certainty that images cannot be rebuilt in some fashion – the rebuilt image may be a poor likeness, but it is possible that some features can be reverse-engineered with access to vendor source code.

Is DNA a biometric?

DNA differs from standard biometrics in several ways:

1) DNA requires a tangible physical sample as opposed to an impression, image, or recording.

2) DNA matching is not done in real-time, nor are all stages of comparison always automated (though this is likely to change fairly soon).

3) DNA matching does not employ templates or feature extraction, but rather represents the comparison of actual samples.

Regardless of these basic differences, DNA is a type of biometric inasmuch as it is the use of a physiological characteristic to verify or determine identity. Furthermore, it is one biometric which may become usable as a unique identifier, as consistent "templates" may eventually be generated from DNA. This, together with the theoretical ability to determine information about a user from DNA, renders its usage highly problematic from a privacy perspective.

Whether DNA will find use beyond its current use in forensic applications is uncertain. Intelligent discussion on how, when, and where it should and should not be used, who will control the data, and how it should be stored, is necessary before its use begins to expand into potentially troubling areas. These definitions will vary by application: it is illogical to suggest that the usage of DNA in public benefits programs, which nearly all would view as highly problematic, should be viewed as equivalent to the use of DNA in a criminal investigation. Thinking about the dangers of DNA as a biometric is helpful as it underscores the tremendous variety of biometric technologies available, and makes clear that blanket statements about biometrics are generally misleading.

What sort of system attacks could result in compromise of sensitive information?

There are three basic ways to defeat a biometric system: System Circumvention, Verification Fraud, and Enrollment Fraud.

System Circumvention - avoiding a biometric comparison altogether. The simplest way to defeat a biometric system is to find a way to bypass the system altogether. Although this may seem obvious, system managers often set up alternatives to the biometric to make the system easier to administer in case of problems. Types of system circumvention include the following:

  • Backdoor Entrance – in a logical security system, hackers may be able to expose software loopholes which allow for system access without having to submit a biometric sample. In physical security, an alternate entrance devoid of a biometric reader can allow for system circumvention. For example, in Mission Impossible, a character was able to circumvent a Multiple Biometric Access™ (MBA) application by entering through an air duct in the roof.

  • Forced Exception Processing - creating circumstances that will force an alternate identification method to be employed. Many biometric systems have backup procedures to handle people who cannot or do not verify with the biometric. For example, one could bypass a voice verification biometric by feigning laryngitis. The system's exception processing most likely does not involve submission of a biometric.

  • Settings Tampering - an alternate method to circumvent a biometric comparison is to access the system software and alter the system settings. For example, the thresholds needed for a successful verification could be set to zero. Some biometric systems have very poor protection against such system manipulation.

  • Forcible Entrance - one can forcibly remove a physical barrier without being verified by the biometric system.  The effort involved to forcibly enter is governed by the effectiveness of the barrier itself.

Verification Fraud – System attacks attempted during the verification process.

  • Brute Force Submissions - many samples can be submitted to a system in hopes that one will be falsely verified and access granted.

  • Forced Submission - involves a submission of a sample from the correct user under duress, e.g., at gun point.

  • Removed Sample - occurs when the actual biometric sample is used to gain fraudulent access, e.g., cutting off a finger or hand. 

  • Fake Submission - submitting a synthetic sample intended to look like the real thing, e.g., a fake finger or a mask. Other examples include a recording of the pass phrase, using a photograph, or submitting a latent fingerprint.

  • Data Playback Submission (replay attack) - recording the digital data stream representing a sample and playing the information back into the biometric system input stream to imitate a submission.

  • Impostor Submission – Submission of one’s own sample in an attempt to verify as someone else. 

Enrollment Fraud – System attacks initiated during the enrollment process.

  • Key Creation - by submitting a fake sample during the enrollment process, one can create a physical “key” to the system. For example, enrolling a silicone finger instead of an actual finger into a finger-scan system creates a key which can be used by anyone to gain access, thus rendering the system ineffective.

  • False Identity Enrollment - if a person is enrolled under someone else’s name, the person actually enrolled will be able to gain access under the false name. This is a result of a poor identification process during enrollment.

  • Poor Quality Enrollment – a user determined to circumvent the system at a later date can purposefully enroll with a “bad” sample, such as a masked voice or scarred fingerprint, in order to avoid later 1:1 verification or 1:N identification.

Definitions

Acquisition device – the hardware used to acquire biometric samples. The following acquisition devices are associated with each biometric technology: 

Finger-scan – desktop peripheral, PCMCIA card, mouse, keyboard-embedded chip
Voice-scan – microphone, telephone
Facial-scan – video camera, PC camera, single-image camera
Iris-scan – infrared-enabled video camera, PC camera
Retina-scan – proprietary desktop or wall-mountable unit
Hand-scan – proprietary wall-mounted unit
Signature-scan – signature tablet, motion-sensitive stylus
Keystroke-scan – keyboard or keypad

Behavioral biometrics - technologies based on measurements and data derived from an action, which indirectly measure characteristics of the human body. Voice-scan, keystroke-scan, and signature-scan are leading behavioral biometric technologies. One of the defining characteristics of a behavioral biometric is the incorporation of time as a metric – the measured behavior has a beginning, middle, and end. See physiological biometrics.

Biometric sample - the identifiable, unprocessed image or recording of a physiological or behavioral characteristic, acquired during submission, used to generate biometric templates. Also referred to as biometric data. The following sample types are associated with each biometric technology:

Finger-scan – fingerprint image
Voice-scan – voice recording
Facial-scan – facial image
Iris-scan – iris image
Retina-scan – retina image
Hand-scan – 3-D image of top and sides of hand
Signature-scan – image of signature and record of related dynamics measurements
Keystroke-scan – recording of characters typed and record of related dynamics measurements

Biometric system - the integrated biometric hardware and software used to conduct biometric identification or verification.  

Biometrics - the automated use of physiological or behavioral characteristics to determine or verify identity. 

Additional definitions:

Biometric (noun)  - one of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Finger-scan is a commonly used biometric.” Plural form also acceptable: “Retina-scan and iris-scan are eye-based biometrics.”

Biometrics (noun) – Field relating to biometric identification. “What is the future of biometrics?”

Biometric (adjective) – of or pertaining to technologies that utilize behavioral or physiological characteristics to determine or verify identity. “Do you plan to use biometric identification or older types of identification?”  

Decision – the result of the comparison between the score and the threshold. The decisions a biometric system can make include match, non-match, and inconclusive, although varying degrees of strong matches and non-matches are possible. 

Dynamic thresholding - an automated process by which verification thresholds are adjusted based on the specific conditions of a transaction. For instance, a score of 75 or higher might be sufficient to withdraw under $200 from an ATM, whereas a score of 90 or better may be required to withdraw $200 or more.    

Enrollment - the process whereby a user’s initial biometric sample or samples are collected, assessed, processed, and stored for ongoing use in a biometric system. Enrollment takes place in both 1:1 and 1:N systems. If users are experiencing problems with a biometric system, they may need to re-enroll to gather higher quality data.   

Feature extraction - the automated process of locating and encoding distinctive characteristics from a biometric sample in order to generate a template. The feature extraction process may include various degrees of image or sample processing in order to locate a sufficient amount of accurate data. For example, voice-scan technologies can filter out certain frequencies and patterns, and finger-scan technologies can thin out the ridges present in a fingerprint image to the width of a single pixel. Common physiological and behavioral characteristics used in feature extraction include the following:

Finger-scan – location and direction of ridge endings and bifurcations on fingerprint
Voice-scan – frequency, cadence, and duration of vocal pattern
Facial-scan – relative position and shape of nose, position of cheekbones
Iris-scan – furrows and striations in iris
Retina-scan – blood vessel patterns on retina
Hand-scan – height and width of bones and joints in hands and fingers
Signature-scan – speed, stroke order, pressure, and appearance of signature
Keystroke-scan – keyed sequence, duration between characters

Identification (1:N, one-to-many, recognition) – the process of determining a person’s identity by performing matches against multiple biometric templates. Identification systems are designed to determine identity based solely on biometric information. There are two types of identification systems: positive identification and negative identification. See verification.

Two types of identification:

Positive identification - systems are designed to find a match for a user’s biometric information in a database of biometric information. Positive identification answers the question “Who am I?”, although the response is not necessarily a name – it could be an employee ID or another unique identifier. A typical positive identification system would be a prison release program where users do not enter an ID number or use a card, but simply look at an iris capture device and are identified from an inmate database.

Negative identification - systems search databases in the same fashion, comparing one template against many, but are designed to ensure that a person is not present in a database. This prevents people from enrolling twice in a system, and is often used in large-scale public benefits programs in which users enroll multiple times to gain benefits under different names. 

Matching - the comparison of biometric templates to determine their degree of similarity or correlation. A match attempt results in a score which, in most systems, is compared against a threshold. If the score exceeds the threshold, the result is a match; if the score falls below the threshold, the result is a non-match.

One-to-few - a biometric matching process which locates a user from a very small database of enrollees. While there is no exact number that differentiates a one-to-many from a one-to-few system, any system involving a search of more than 500 records is likely to be classified as one-to-many.

Physiological biometrics - technologies based on measurements and data derived from direct measurement of a part of the human body. Finger-scan, iris-scan, retina-scan, hand-scan, and facial-scan are leading physiological biometrics. See behavioral biometrics.

Score – a number indicating the degree of similarity or correlation of a biometric match. Nearly all biometric systems are based on comparison algorithms which generate a score subsequent to a match attempt. This score represents the degree of correlation between the verification template and the enrollment template.

Submission - the process whereby a user provides behavioral or physiological data in the form of biometric samples to a biometric system. A submission may require looking in the direction of a camera or placing a finger on a platen. Depending on the biometric system, a user may have to remove eyeglasses, remain still for a number of seconds, or recite a pass phrase in order to provide a biometric sample.

Template – a comparatively small but highly distinctive file derived from the features of a user’s biometric sample or samples, used to perform biometric matches. A template is created after a biometric algorithm locates features in a biometric sample. The concept of the template is one of biometric technology’s defining elements, although not all biometric systems use templates to perform biometric matching: some voice-scan systems utilize the original sample to perform a comparison.

Enrollment template - a template created upon the user’s initial interaction with a biometric system, stored for usage in future biometric comparisons. 

Verification template - a template generated during verification attempts, compared to the stored template, and generally discarded after the comparison.

Threshold - a predefined value, often controlled by a biometric system administrator, which establishes the degree of correlation necessary for a comparison of biometric templates to be deemed a match. If the score resulting from template comparison exceeds the threshold, the templates are a “match” (though the templates themselves are not identical).  
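The definitions of Decision, Dynamic thresholding, Matching, Score and Threshold above describe one small piece of logic: compare a score to a threshold, where the threshold may depend on the transaction. The following is an added example, not code from the original FAQ or from International Biometric Group, that implements that logic with the ATM figures the Dynamic thresholding entry gives (75 for under $200, 90 for $200 or more). Three details are assumptions rather than statements from the page: scores are taken to lie on a 0 to 100 scale, a score exactly equal to the threshold is treated as a match (the page only says "exceeds"), and the "inconclusive" decision the page mentions is modelled as a narrow band just below the threshold. The threshold validation also rejects a threshold of zero, which is the tampered setting the Settings Tampering entry in the attacks section describes.

```python
from enum import Enum


class Decision(Enum):
    MATCH = "match"
    NON_MATCH = "non-match"
    INCONCLUSIVE = "inconclusive"


SCORE_MIN, SCORE_MAX = 0, 100   # score scale (assumption)
THRESHOLD_FLOOR = 50            # lowest threshold an administrator may set (assumption)


def validate_threshold(threshold):
    """Refuse thresholds outside the score scale or below the floor, so a
    tampered setting (e.g. a threshold of zero) cannot turn every comparison
    into a match."""
    if not SCORE_MIN <= threshold <= SCORE_MAX:
        raise ValueError("threshold %r is outside the score scale" % (threshold,))
    if threshold < THRESHOLD_FLOOR:
        raise ValueError("threshold %r is below the permitted floor %r"
                         % (threshold, THRESHOLD_FLOOR))
    return threshold


def decide(score, threshold, inconclusive_band=0):
    """Compare a match score against a threshold. A score at or above the
    threshold is a match (the equal case is an assumption); a score within
    inconclusive_band below the threshold is inconclusive; anything lower is
    a non-match."""
    threshold = validate_threshold(threshold)
    if score >= threshold:
        return Decision.MATCH
    if score >= threshold - inconclusive_band:
        return Decision.INCONCLUSIVE
    return Decision.NON_MATCH


def atm_threshold(amount):
    """Dynamic thresholding with the figures from the definition: 75 for
    withdrawals under $200, 90 for $200 or more."""
    return 75 if amount < 200 else 90


def authorize_withdrawal(score, amount):
    """Decision for an ATM withdrawal: the same score can pass a small
    withdrawal and fail a large one."""
    return decide(score, atm_threshold(amount))


if __name__ == "__main__":
    print("score 80, $150 withdrawal:", authorize_withdrawal(80, 150).value)   # match
    print("score 80, $250 withdrawal:", authorize_withdrawal(80, 250).value)   # non-match
    print("score 88, threshold 90, band 5:", decide(88, 90, inconclusive_band=5).value)
```

A score of 80 is a match for a $150 withdrawal and a non-match for a $250 one, which is exactly the behaviour the Dynamic thresholding entry describes; the same score is never "100% right", only above or below the bar set for that transaction.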

Verification (1:1, matching, authentication) – The process of establishing the validity of a claimed identity by comparing a verification template to an enrollment template. Verification requires that an identity be claimed, after which the individual’s enrollment template is located and compared with the verification template. Verification answers the question, “Am I who I claim to be?” See identification.


Copyright © 2000-2005 by International Biometric Group, LLC