One research area that the OPC tracks is biometrics – using physical features and behaviours to automatically identify people. Although biometric technologies can be very useful for establishing identities, they can also raise important privacy concerns. Biometric technology is constantly changing and the ability of systems to accurately recognize people is increasing. OPC staff recently attended the International Conference on Biometrics: Theory, Applications and Systems (BTAS) held in Washington D.C. where they heard about the latest research results.
An area of particular interest to the OPC is private biometrics. This refers to methods that transform or protect the biometric information so that it is replaceable, useless when stolen, and not linkable across applications. One well-known method for accomplishing this is biometric encryption, where biometric information is combined with cryptographic keys, but other methods involve geometric and mathematical transformations of the biometric data.
A research group from France presented a paper that described a method for combining biometric information with cryptographic systems. They used a shuffling scheme to transform the biometric information, where the shuffle was different for each user and application. They also developed a protocol to share crypto-biometric keys between clients and servers and a method to establish session keys. They found that the system was quite successful when applied to face recognition, but since biometric samples are naturally variable, error correction codes had to be applied at authentication time. The conclusion was that information protection methods can be combined with key management protocols to build effective user verification with privacy protection.
One of the limitations of some private biometric methods is that, at a point during the processing, the original biometric information may have to be recovered in order to perform matching, compromising the privacy protections. An interesting topic at this conference was homomorphic encryption, a method that allows biometric matching to be done while the data is encrypted. For example, if a is a set of fingerprint features (minutiae) that describe a fingerprint offered at authentication time and b is a set of features for a fingerprint stored in a database, the difference between the two feature sets can be calculated on the encrypted sets, without ever revealing the original information. A group of researchers from Italy and France presented a paper that evaluated homomorphic encryption in a fingerprint recognition system. Their proof-of-concept system combined fingerprints and homomorphic encryption and produced a fair level of matching performance. Although more work is needed, homomorphic encryption methods are worthy of further consideration for protecting the privacy of biometric information.
In addition to privacy protection research, the OPC is also tracking systems that can be very privacy invasive. At this conference there was a strong emphasis on face recognition for surveillance systems. For example, General Electric and Lockheed Martin demonstrated a face-at-a-distance system that showed impressive performance. The system uses both a wide field of view camera and a pan-tilt-zoom camera to locate people in a scene, find a face, zoom in, and then perform recognition. The system is able to detect faces at 25-50 meters from the cameras, and perform successful face recognition at 15-20 meters. It is also able to track multiple people simultaneously and record 10 facial images per second. This performance, combined with the recognition accuracy that is now possible, means that covert face recognition at a distance is feasible on a large scale.
The privacy implications of biometric systems can vary a great deal depending on the biological characteristics that are used and the way the systems are designed. Biometrics can greatly improve identification services without unduly affecting privacy, or they can be privacy invasive. The OPC will continue to track research in this area and work with organizations to explore all the technical options.