US Policy and Standards on Biometrics
There are two principal documents issued by the US Government pertaining to Biometric standards.
1. NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards
The goal of this Policy is to establish a framework to reach interagency consensus on biometric standards adoption for the Federal government. Federal agency adoption of these recommended standards, and associated conformity assessment programs, will enable necessary next generation Federal biometric systems, facilitate biometric system interoperability, and enhance the effectiveness of biometrics products and processes.
2. Registry of USG Recommended Biometric Standards Version 2.0 August 10, 2009 issued by the Subcommittee on Biometrics and Identity Management
This document supplements the NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards, This Registry is based upon interagency consensus on biometric standards required to enable the interoperability of various Federal biometric applications, and to guide Federal agencies as they develop and implement related biometric programs. The Registry will be constantly reviewed and updated. The latest version of this document is available on the Federal government's web site for biometric activities at www.biometrics.gov/standard
Standardization Efforts by European Commission
With cooperation from UK, Germany, France, Netherlands, Italy, Austria and Belgium, this research project entitled “"Biometrics Deployment Study: Identifying challenges and threats facing large-scale biometrics deployment in Europe” was undertaken by the Institute for Prospective Technological Studies (IPTS) at the Joint Research Centre under the aegis of the European Commission. The results of the research and surveys, presented and discussed in the 3rd European Biometrics Forum’s Research Conference held in October 2007, have been included in the Final Report published in October 2008.
Some of the most relevant points identified by the experts and presentations in the conference were:
• Biometrics may not prevent frauds entirely. Threats to security in terms of false fingerprints, multiple names in biometric databases and biometrics skimming cannot be totally eliminated.
• In terms of acceptance by the public it is important to maintain proportionality of data collection with respect to ‘clearly-defined’ purpose.
• The security problems should be approached with a total perspective of technological and organizational issues – e.g. preventing unauthorized reading from RFID chips could be one of them.
• Rationalization of standards is essential in order to bring inter-operability. For example, 2 different test suites for ISO/IEC 19794-2 (Information technology – Biometric data interchange formats - Part 2: Finger minutiae data), one provided by ILO and one by Fraunhofer that yield different results for the same set of data. Therefore, a common standard framework must be created.
• Testing and Certification standards and capabilities must be built. The BioTesting Europe project is a first step in the right direction.
• Error Rates – Firstly there should be agreed norms for error rates for specific applications. Secondly, Testing, Certification and Training Standards must be evolved so as to minimize the impact of environmental issues on performance.
• The EU Joint Research Centre will take a lead role in providing inputs for achieving a pan-European Biometric system.
Future Areas of application
Banking and e-commerce: Biometrics would replace or complement authentication now based on PIN or password. This would be a verification process which could improve secure authentication provided that the link of personal data with biometrics is secure. However, currently reported error rates would be not acceptable at automatic teller machines.
Recommendations
Following recommendations made in respect of biometrics applied to law enforcement and border control apply largely to mobile phone biometrics with banking and e-commerce applications as well. The situations described in the context of individual EU countries vis–a-vis a centralized authority in Europe / centralized data base can also be applied to other private applications such as banking or e-commerce with oversight by the national government in question.
Recommendation I
The enrolment process must be standardized and certified on a European level.
This must include data quality control (biometric and non-biometric), usability for the enrolment application and user training for operating personnel. An unenrollment process must also be implemented to account for wrong or expired data
A review of the findings concerning central and decentralized databases, and tokens resulted in the pros and cons given below:
Central databases:
• Difficult (in terms of decision making) to have wrong or poor data corrected.
• Technical issues with very-large scale statistical searches (performance and error rates can increase exponentially).
• Possibility that data already stored would be used for other purposes than originally intended, even against the will of a particular EU Member State.
• Many users are authorized to have access most likely under different legal frameworks.
• Lack of experience, unresolved issues with backup and outsourcing procedures.
Decentralized databases (central databases linked together):
• Increases the risk potentials for wrong decisions by having the same person’s data in different qualities giving unpredictable matching results.
• Risk exists of having the same data being kept safely in one country, but undisclosed in another.
• On the other hand, correcting or deleting incorrect data is easier in decentralized environments. However this implies a decision whose data is the correct one and procedures to correct it in the other databases.
Tokens:
• Since tokens can be lost or stolen, they must provide high data security to prevent misuse.
• If data on the token is wrong, it usually cannot be corrected on the token.
• User responsibility for the token may cause problems in case of children, handicapped, etc.
Recommendation II
Based on the advantages and disadvantages of the storage options, central databases should be avoided where possible. In the case that it is decided to use central databases, high data quality must be guaranteed.
There should be a legal obligation and practical procedures in place for enrolled persons to have their stored data revoked or corrected when there is a possibility that they are not correct or of poor quality.
Biometric data should also not be stored raw, but rather in encrypted templates which achieves the same matching result but reduces the risk of ID theft and some function creep.
The biometrics identifier should not automatically lead to the connected personal data as this should only happen in correspondence to a clearly explained purpose by as few authorized users as possible.
Recommendation III
Multi-modal biometrics is recommended as the most secure option to prevent spoofing. Future deployments of large-scale biometrics systems should opt for multimodality and all stakeholders in secure identification scenarios should give the complete security cycle its proper attention: enrolment, storage, acquisition, matching and the entire back-end system.
Enrolment and matching should be performed using ‘Live and wellness’ detection especially in unattended environments and/or the process should be supervised wherever possible.
Encrypted templates should be applied rather than original samples for storing and matching.
It is concluded that matching against tokens yields the highest security level and therefore is preferable. Regarding specific applications, the new ePassports should contain personal data that is protected by Extended Access Control (EAC) which implies implementing an effective key management.
Few results are available on test data and common European standards are still lacking and need to be formulated
Recommendation IV
An accreditation and certification structure must be established on a European level as there is currently an urgent need for a common framework
As the BioTesting Europe project is aiming to improve the current situation of test data, there must be a provision of much more data to appropriately cope with the large system dimensions. Therefore, the results of that project could be the step in the right direction for improving future large scale deployment.
Recommendation V
More detailed guidelines on system and process design are needed to perform targeted threat analysis and quality assessments. This includes the human factor in the interaction with / operating of biometric devices.
In order to assess the risks involved in implementing large scale biometric systems it is needed to define in more detail what these system are in terms of functionality. Once that has been made clear, targeted assessments can be carried out on security, privacy, proportionality and overall quality of the system.
Recommendation VI
A European approach is needed to overcome differences between member states in the handling of privacy and data protection issues.
Recommendation VII
Public awareness should be created amongst all the EU citizens about the purpose and use of biometric technologies in large schemes such as passports and public administrations.
Recommendation VIII
European testing and certification capabilities based on European requirements in the area of biometric enabled id-systems are urgently needed in order to improve interoperability, conformance, security and overall trust.
Recommendations VI, VII and VIII may particularly apply to inter-governmental applications such as border control, visa issuance etc. However, any biometric application on a large scale in the private sector pre-supposes such a wide-area infrastructure, standardized, tested, audited and controlled. For countries like the USA with federal government and state government structures, these principles can be suitably extended so as to achieve uniformity throughout the country surpassing the borders of the federal states. This will ensure least confusion and inconvenience to the users and will help in earning the user’s trust and confidence in the biometric system thus resulting in voluntary compliance.
A few initiatives have been undertaken to develop capabilities in testing and certification e.g. by Bio Testing Europe and Minutiae Template Interoperability Testing Project (MTIT). Much remains to be done in coordination and endorsement of these activities.
Recommendation IX
Biometrics is not yet wide spread as a technology and is still an area for specialists; it is therefore necessary to bring independent expert opinions together on a European level.
Political Dimensions:
Questions such as proportionality of data collection and privacy cannot be left to experts alone but involves political judgment as well. Political acumen and threat perceptions should guide in drawing up the dividing line between personal freedom and achieving the targeted security protection. Furthermore, while formulating rules and regulations, it would be well to remember no implementation can guarantee 100% security. Difficult as all political decisions are, unless a consensus is reached on these crucial issues, widespread application of biometrics, especially in the private sector, cannot make headway.
India working on Standards for Biometrics
As noted earlier, India has made small beginnings in use of smart cards using biometrics. The government and the industry and the academia realize the need to develop standards for biometrics to provide “level playing field”. There is a consensus on some of the major aspects that the standards should imbibe:
1. Standards should be open avoiding dependence on any one vendor technology.
2. Security of data, purpose- related data collection and use, due consideration of privacy issues.
3. Separation of biometric data from personal data
4. Taking the national ID card as an example, standards should take cognizance of different stakeholders deployed in enrolment, creation of database, generating algorithms, verifying and distributing the cards.
5. Data to be highly protected with several cyber-controls and encryptions in place, in both online and offline mode."
Some of the key national level organizations to be associated in evolving these standards are:
• Data Security Council of India, a self-regulatory organization led by Nasscom. This organization handles Data Security issues.
• The National Association of Software and Services Companies (NASSCOM) is the premier trade body and the chamber of commerce of the IT-BPO industries in India.
• Centre for Development of Advanced Computing (C-DAC) develops applications for e-government projects.
Reference:
http://www.biometrics.gov/Standards/default.aspx
http://www.biometrics.gov/Standards/Biometric_Standards_Registry_v2.pdf
http://www.a-sit.at/pdfs/biometrics_report.pdf
http://www.zdnetasia.com/india-working-on-standard-for-biometrics-62058101.htm
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment