

Biometrics and digital identity
How is technology being used to define identity online and off?
By Peter Ferne, Technical Consultant, Futurelab
Biometrics is currently being promoted as a technological panacea for all kinds of security problems, from identity theft to terrorism. But what exactly is it, what is it good for and, just as importantly, what problems doesn't it solve?
Biometrics refers to a class of techniques which use measurements of one or more physical characteristics of the human body to generate a unique identifier which can then be used (in theory at least) to positively identify an individual.
The UK government is currently running a series of roadshows in shopping centres around the country to inform people about planned changes to passports. The new passports, to be introduced in 2006, will include an RFID chip which will store biometric information. Initially this will be a 'facial biometric' - essentially a digital summary of how close together your eyes are and how long your nose is - although later versions may also include fingerprints.
Fingerprints are a very widespread biometric identifier with a long history of successful use in certain applications, such as catching criminals. Electronic fingerprint readers are now being proposed and deployed in a range of new applications from access control, such as opening the door to your office building or letting you into the country, to taking the register and paying for your lunch, at Loughborough Grammar School.
Despite the claims of equipment manufacturers these devices are not always as reliable as you might think. Tsutomu Matsumoto, a Japanese cryptographer, wrote a paper with some of his students at Yokohama National University entitled 'Impact of Artificial Gummy Fingers on Fingerprint Systems'. They were able to use gelatin to create fake fingerprints from photographs of latent fingerprints left on glass. With these 'gummy fingers' they were able to reliably fool all 11 commercial fingerprint readers tested, about 80% of the time.
Another survey by German computer trade magazine c't produced similarly worrying results. They were able to fool fingerprint readers by a variety of methods including breathing on them, reusing a fingerprint lifted with sticky tape and pressing a plastic bag full of water on the sensor - none of them particularly high-tech methods.
There are other problems with biometric keys. The trouble is, as security expert Bruce Schneier says, "Biometrics are unique identifiers, but they are not secrets." If you lose your house key you can change the locks, if somebody finds out your password or your bank PIN you can change it. But if you're using a fingerprint as a biometric identifier and somebody manages to get hold of a copy, you're going to find it a lot more inconvenient to get it changed! Once it's been stolen it's stolen for good - there's no simple way to get back to a secure situation.
And if this biometric identifier is being used in conjunction with a centralised database, like the proposed National Identity Register, there is the added danger that it will unlock everything from your medical records to your bank accounts. Good security practice mandates different passwords or keys for different systems. A universal key means that security breaches, when they do happen, will be catastrophic.
OK, so fingerprints aren't all they're cracked up to be, but isn't there some other more reliable biometric? Yes there is: iris scanning - which uses low-level infrared light to photograph your iris - is by far the most accurate biometric system widely available and yet even these systems often have difficulty correctly identifying those with very dark eyes. And, as the c't survey showed, even iris scanners with so-called 'liveness detection' can be fooled by a high-quality photograph with a small hole cut for the pupil, or printed contact lenses.
Besides, as Emily Finch, a Reader in Law at the University of East Anglia, points out, "The more people rely on the production of a particular piece of identification to verify identity, the less vigilance people will exercise themselves - that's the problem." As an example of this in action she relates how when she and a male colleague swapped chip and PIN cards and went shopping nobody picked up on the obvious difference between the sex of the name on the card and the person using it.
In June the London School of Economics published a report called 'The Identity Project: an assessment of the UK Identity Cards Bill and its implications', which concluded that "the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence." It goes on to say "Many of the public interest objectives of the Bill would be more effectively achieved by other means. For example, preventing identity theft may be better addressed by giving individuals greater control over the disclosure of their own personal information, while prevention of terrorism may be more effectively managed through strengthened border patrols and increased presence at borders, or allocating adequate resources for conventional police intelligence work."
Ross Anderson is Professor of Security Engineering at the Cambridge University Computer Laboratory; his research interests include the economics of information security and the reliability of security systems. A recent paper which he co-authored, 'Combining cryptography with biometrics effectively', concluded that "high-quality identification of persons is possible using biometric means but without a central database of templates."
————————
To effect change in the sphere of public policy you might try writing to your MP or joining the NO2ID campaign, but when it comes to safeguarding your digital identity online there are positive steps which you can take yourself, and encourage others to take too.
As anyone who has received a 'phishing' mail inviting you to 'update' your bank details knows, forging e-mail is widespread and relatively easy. However you can protect your own correspondence by digitally signing it, so that the recipient knows it is really from you, and, if it's sensitive or private, even encrypting it so that only they can read it.
A well-established and widely trusted method for doing this is encapsulated in a program called PGP (for Pretty Good Privacy - a reminder that no security system is perfect). PGP itself is commercial software but there is also a widely supported free open source version available, called GnuPG or Gnu Privacy Guard, which uses the same protocol and is interoperable.
PGP and related software make use of the notion of a 'Web of Trust'. This attempts to answer the question: 'How can you trust somebody you have never met?' Well you could go and meet them and decide for yourself, or you could take the word of somebody you already know who trusts them, or somebody who they trust in turn. The point is that you decide who to trust and how much.
In this way a flexible and robust web of trust is built which accurately mirrors human relations in the real world and isn't tied to some huge centralised database under the control of governmental or commercial interests. After all you probably don't want your bank manager seeing your medical records or your doctor seeing your bank account, or your local supermarket seeing either of them.
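The "you decide who to trust and how much" rule can be made concrete. The following is an added example, not part of the original article and not GnuPG's own code: a simplified model of key validity that assumes the thresholds of GnuPG's classic trust model (one fully trusted or three marginally trusted introducers, chains of at most five steps). All names and signatures are constructed sample data.

```python
# Simplified web-of-trust validity check (illustrative model, constructed data).
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5  # assumed GnuPG defaults

# SIGNATURES[key] = set of key owners who have signed (vouched for) that key.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                   # one fully trusted introducer
    "frank": {"bob", "carol"},           # only two marginal introducers
    "grace": {"bob", "carol", "dave"},   # three marginal introducers
    "heidi": {"frank"},                  # signed by a key that is not valid
    "mallory": {"mallory"},              # self-signed only
}
# How much *you* trust each owner to check identities before signing.
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "frank": FULL}


def valid_keys(signatures, owner_trust, root="me"):
    """Return {key: depth} for every key considered valid, starting at root."""
    valid = {root: 0}
    trust = dict(owner_trust)
    trust[root] = FULL  # you fully trust your own key
    for depth in range(1, MAX_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signer's own key is already valid;
            # owner trust on an unvalidated key (frank) is worth nothing.
            usable = [s for s in signers if s in valid]
            full = sum(trust.get(s) == FULL for s in usable)
            marginal = sum(trust.get(s) == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


if __name__ == "__main__":
    result = valid_keys(SIGNATURES, OWNER_TRUST)
    for key in sorted(SIGNATURES):
        status = f"valid at depth {result[key]}" if key in result else "not valid"
        print(f"{key:8} {status}")
```

Changing one entry in OWNER_TRUST changes which keys become valid, without any central authority being involved.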
An unrelated but complementary project which adopts a similar decentralised approach to identity management is OpenID. The seemingly endless proliferation of usernames and passwords which we accumulate to access various online services is a familiar source of frustration to most people who spend a lot of time online. There have been various attempts to impose a 'standard' identity management solution, notably Microsoft's Passport Network and the competing Liberty Alliance Project run by a consortium of big businesses including Vodafone, Nokia and American Express. However such monopolistic approaches are never comprehensive and involve surrendering an uncomfortable degree of control over our personal data.
OpenID, on the other hand, aims to give us complete control of our digital identities. An OpenID identity is just a URL. You can have multiple identities in the same way you can have multiple URLs. All OpenID does is provide a way to prove that you own a URL (identity). And it does this without passing around your password, your e-mail address, or anything you don't want it to.
Decentralisation is an ethos which permeates the internet and underlies many of the tools we use to cooperate with one another. If we don't want our digital and social identities to be hijacked by powers outside of our effective individual control then we need to use technology to take ownership of them ourselves and build our own webs of trust.
By Peter Ferne (www.petef.com)
Links
Biometrics - Wikipedia definition: en.wikipedia.org/wiki/Biometrics
Home Office Identity Cards site - Frequently Asked Questions: www.identitycards.gov.uk/faq.html
Passports are Changing: Biometric Information Campaign Launched in Manchester: www.passport.gov.uk/press_120905.asp
Thumbs do the Talking (at Loughborough Grammar): technology.guardian.co.uk/online/story/0,,1358563,00.html
Fun with Fingerprint Readers: www.schneier.com/crypto-gram-0205.html#5
Body Check: Biometric Access Protection Devices and their Programs Put to the Test: www.heise.de/ct/english/02/11/114/
Biometrics: Truths and Fictions: www.schneier.com/crypto-gram-9808.html#biometrics
Criminals to 'adapt to ID cards': news.bbc.co.uk/2/hi/science/nature/4213848.stm
The LSE Identity Project Report: is.lse.ac.uk/idcard/
Prof Ross Anderson's home page: www.cl.cam.ac.uk/users/rja14/
PGP - Pretty Good Privacy: www.pgp.com
GnuPG - Gnu Privacy Guard: www.gnupg.org
Web of Trust - Wikipedia definition: en.wikipedia.org/wiki/Web_of_trust
Tesco stocks up on inside knowledge of shoppers' lives: www.guardian.co.uk/business/story/0,3604,1573821,00.html
OpenID: openid.net
Microsoft Passport Network: www.passport.net
Liberty Alliance Project: www.projectliberty.org
Decentralisation - Wikipedia definition: en.wikipedia.org/wiki/Decentralisation
October 2005