Speeches

18th International Privacy and Data Protection Conference

Biometric Encryption - New Developments in Biometrics

September 19, 1996

Dr. George J. Tomko


Protection of an individual's privacy is one of the major issues in the coming decade. I don't think this is news to any one of you in the audience. Our increasing reliance on informational databases that are networked, on electronic forms of commerce and more effective surveillance techniques to guard our security, are but a few examples of why privacy protection is one of society's pivotal issues. There are a lot of pressures potentially infringing on privacy.

For example, for the first time in history, lack of security will directly inhibit growth in commerce, that is, the areas of electronic commerce, finance and administration. The reality though is that electronic commerce is happening, security methods will be adopted, but the fear is that it will happen at the expense of privacy. And this would be a regression in our evolution as a civilized society.

So the challenge is twofold:

  • How do we maximize privacy without compromising security because the two don't necessarily go hand in hand;
  • And how do we maximize security without infringing on personal privacy?

I am going to discuss how a new development in biometrics, a measure of a body characteristic such as fingerprints, hand shape or iris patterns, can be used to both enhance privacy and improve security.

First, some applications of traditional biometrics that are currently being considered:

Mastercard is about to conduct a trial wherein a fingerprint is placed on a Mastercard and then used to compare against the fingerprint of a person trying to access services or money. Mastercard also plans to test whether customers will send a copy of their fingerprint in the mail imprinted on special paper along with their name for batch processing. Banks in Denver may begin fingerprinting non-customers who want to cash cheques at their banks.

Both hand geometry and fingerprints are being tested in Canada, the U.S. and Europe for efficient passage of frequent business travelers across borders.

Hand geometry was used at the Atlanta Olympics to allow secure entry for approximately 150,000 athletes, coaches and staff. The U.S. government has endorsed using fingerprints to process electronic benefits transfers such as welfare and food stamps. They would also like to store the fingerprint on file to be used as evidence to prosecute attempted double-dippers, a person trying to obtain benefits under different names, for example. Governments everywhere are talking about positive identification systems, that is biometrics, that will reduce fraud, cut costs and enable them to offer faster, more convenient services.

Similarly, banks are looking for secure ways to conduct electronic business and credit card companies need secure methods to reduce fraud.

World wide, markets are demanding security. And world wide, they are looking at biometrics as the answer to solving the security problem and the reason for this is quite simple - it's the missing link. That is because biometrics completes the triad of secure access methods - what you know, such as a PIN; what you have, for example, access cards; and what you are, which is the biometric.

The push to make electronic commerce viable in all its various forms is one of the major reasons biometrics will become prevalent in our society. And the biometric that is the strongest contender to become the de facto standard is the fingerprint.

For centuries we have known that the human finger pattern - a wonderfully intricate and totally unique structure - was the ultimate personal signature. In fact, it has been used for tying documents to their authors long before it was used to identify criminals which only started in 1902 at Leavenworth Prison.

But there is a rub. The electronic networking of our society, privacy and security, as we mentioned, don't necessarily go hand in hand. We can place the fingerprints of people receiving government benefits in a central database to compare against new applicants. That will eliminate fraud in the way of double dipping - it's secure. But does this protect the privacy of the individual?

There are a number of ways an individual's privacy could be infringed upon if their fingerprints were in a central file. Let's explore this a little more to see why. The issue here is not just fingerprints. The issue is whether it is right for society to subordinate the privacy of people in order to reduce fraud perpetrated by the few.

I will outline some scenarios where biometrics as conventionally understood are used to eliminate fraud. I'll then speak about how these methods can infringe on an individual's privacy. Next, I will talk about some recent developments in biometrics, more specifically called Biometric Encryption, which enhances privacy for the individual but at the same time prevents fraud. It also uses a biometric, such as a finger pattern to add value in a variety of electronic commerce applications.

With the following scenarios, we assume the citizens of any jurisdiction have been required to leave their fingerprints in a central database in order to access a government service such as health care or welfare benefits.

Scenario One

I go to a night club and leave my latent fingerprints there. Later that night, a crime is committed at the night club. My latent fingerprints are picked up and matched to the health care database which identifies me. A little later, I get a knock at my door by a policeman wanting to ask questions about my stay at that particular night club.

A clear infringement of my privacy. Now, one can say that the health care database will be off limits to the police by virtue of legislation. This may be the case with the current government, wherever it may be. But how can we ensure it will be the case with the next government and that does not address the issue of unauthorized access to the health care database. The temptation for secondary uses of such a database beyond its original intent will be very great, especially if crime and terrorism increases in the society.

Scenario Two

New digital biometric technologies do not require that the actual fingerprint is stored. They convert the fingerprint or finger scan to a unique number and, in most cases, that number cannot be converted back to the original fingerprint. So what is stored in the central database is a set of numbers which, in a one-to-one fashion, represent the fingerprint of the individual. These numbers can also be encrypted by a key to further make them more secure. This is referred to as an encrypted biometric in the literature.

But, again, if in our example above, the police obtain access to a similar finger scanner and place my latent fingerprints through the system, they will generate my same unique number. You are really no further ahead because you have just replaced the unique identifier of a fingerprint pattern with that of a number.

These are real concerns with traditional biometrics and in my view a serious flaw that must be acknowledged.

Let me now describe a new development in biometrics called Biometric Encryption which does not stigmatize individuals and which uses the finger pattern to actually enhance individual privacy and at the same time allow governments to be more efficient and stop fraud.

Biometric Encryption uses the information in a finger pattern to scramble an alphanumeric string. The alphanumeric string can be a PIN, an encryption key, a pointer in a computer database, or a word like "eligible".

Biometric Encryption uses the power of optical computing to take the two-dimensional information in a finger pattern and use it to scramble the information you wish to code into a unique pattern called a Bioscrypt (a compound of the words Biometric Encryption).

The optical computer is superior because it processes entire images such as finger patterns in parallel and at the speed of light. It is approximately one billion times faster than a Pentium computer doing an equivalent task.

The finger pattern acts as the scrambling key of the alphanumeric and is not stored anywhere during the process. It stays on your finger. A latent print lifted off an object won't do. Only the Bioscrypt is stored and it's irreversible without your live finger pattern. Since the Bioscrypt is a string encoded by a finger pattern, it does not have to be encrypted or kept secret in order to be kept secure.

The Bioscrypt can only be descrambled by positioning the correct live finger pattern at the input of the optical computer. The operation of successfully descrambling the Bioscrypt releases the string of alphanumerics which can therefore be used for a variety of applications as discussed below. In other words, the system provides a private transaction associated with extremely high security.

Going back to our health care database scenario, individuals would no longer have to leave their fingerprint in a database or present their fingerprints to a finger scanning reader to generate a unique number. With Biometric Encryption the individual's finger pattern can be used to scramble a random string of characters which has no connection to their identity.

Accordingly, my latent finger pattern picked up at a night club would be useless to the police since the latent fingerprint itself could not generate the random string of characters in the health care database.

However, should I attempt to apply for government benefits under a pseudonym, my live finger pattern would be matched to the set of stored Bioscrypts in the database and, if I previously scrambled a random string of characters, that string would be descrambled. This descrambled string can now serve as a database pointer to access directly or indirectly my identity to confirm that I actually tried to defraud the system. The system preserves the privacy of the individual through tight and specific controls and stops fraud.

Other applications for Biometric Encryption include the following:

Portable Databases

With portable databases such as smart cards or optical cards, the concern is if they are lost or stolen - someone could access the information. With Biometric Encryption, the finger pattern serves as the encryption to ensure only the proper individual can access the data on the card.

Internet Application

With Biometric Encryption, one can use finger patterns to scramble messages transmitted over the Internet. Furthermore, in the "sliding of the finger" one can achieve confidentiality by virtue of encryption, authentication in that only the "sender's finger pattern" could have sent the information, and, in certain cases, non-repudiation since only the "receiver's finger" could have read it. Biometric Encryption technology can also be applied to Internet banking or shopping, for financial transactions and inter-office private communications.

Telephones

Biometric Encryption technology will add a whole new dimension to telephones in their use as ATMs and generally intelligent terminals. It can be used to download cash to smart cards or disbursement of government benefits and voting.

Anonymous Database

Biometric Encryption can also be used to de-identify information contained in a database. That is, to anonymize the information by separating the identity of an individual from their sensitive information. The link between a person's identity and their information is the finger pattern which scrambles a computer pointer linking the two. This now places the individual in complete control of the information in his database. When applied to healthcare databases, this will allow sharing of health-related information without concern for privacy. So now we can do epidemiological, post-clinical and outcomes management studies which will benefit society as a whole but which to date have never been possible because of the concern for the privacy of the individual.

I realize that some of you are saying that this might look like great technology but why use fingerprints, given their historical association with criminality? Why not use a face or iris pattern, anything but a fingerprint? And yes, we could use anything. Optical technology processes patterns. It does not care what kind of pattern, so we could do the same thing with any biometric such as a face, hand, eye, etc.

The fact is that nothing is as reliable and as easy to use as finger patterns. You just have to slide them. They are non-intrusive. They can also discriminate millions of people. They are reasonably consistent over time since they change very little over the adult life of an individual. And they cannot be cosmetically altered without it being obvious.

Second, whether we like it or not, other jurisdictions are already using fingerprints. They are becoming the de facto standard. So it may be important to use fingerprints with a technology which does not infringe on privacy, and which can achieve society's dual objectives of security and privacy enhancement. To date, the trade-off has been privacy or security. As a result, the issue has been relegated to the level of a policy decision. Biometric Encryption technology precludes the necessity to infringe on privacy in order to enhance security in our networked society. With such technology, we will remove part of the issue from the policy to the technological level, and we as a society do not have to sacrifice one freedom to gain another.

What is required is a paradigm shift. We all have up to ten encryption keys residing at the ends of our fingers to protect our privacy. This technology allows you to authenticate eligibility for goods or services without divulging identity. The point in any transaction is not to identify the user, but to authenticate eligibility for services.
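
An added illustration, not part of Dr. Tomko's speech and not the optical Bioscrypt method it describes: a software fuzzy-commitment sketch of the same key-binding idea, in which only a record derived from the pattern is stored and a close-enough live sample releases the bound string. It assumes the finger pattern has already been reduced to a fixed-length bit string; every name and all sample data here are constructed.

```python
import hashlib
import hmac
import random

REP = 15  # each key bit is repeated REP times: a simple error-correcting code

def _digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(template, key_bits):
    """Bind key_bits to a biometric bit string; the template itself is not stored."""
    code = [b for b in key_bits for _ in range(REP)]
    if len(code) != len(template):
        raise ValueError("template must have len(key_bits) * REP bits")
    helper = [c ^ t for c, t in zip(code, template)]
    return {"helper": helper, "check": _digest(key_bits)}

def release(record, sample):
    """Return the bound key if sample is close to the enrolled template, else None."""
    if len(sample) != len(record["helper"]):
        return None
    noisy_code = [h ^ s for h, s in zip(record["helper"], sample)]
    # Majority vote per block corrects up to REP // 2 bit errors in that block.
    key = [int(sum(noisy_code[i:i + REP]) > REP // 2)
           for i in range(0, len(noisy_code), REP)]
    return key if hmac.compare_digest(_digest(key), record["check"]) else None

def demo():
    rng = random.Random(1996)  # constructed sample data; real keys need a CSPRNG
    key = [rng.randrange(2) for _ in range(16)]
    template = [rng.randrange(2) for _ in range(16 * REP)]
    record = enroll(template, key)
    # Same finger, new reading: one bit in every 20 differs (12 errors in 240 bits).
    live = [b ^ 1 if i % 20 == 0 else b for i, b in enumerate(template)]
    # Non-matching sample: disagrees with the enrolled template on half of its bits.
    other = [b ^ 1 for b in template[:120]] + template[120:]
    return release(record, live) == key, release(record, other)

if __name__ == "__main__":
    print(demo())
```

The stored record holds the helper bits and a hash of the key, never the template; how much the helper bits reveal depends on how unpredictable the template is.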