Wednesday, October 19, 2005

What are the Legal & Policy Challenges in the use of Biometrics?

CNET's report that the UK's National Identity Card system, which incorporates biometric technology, will in fact turn out to be a probable security risk did not come as a surprise to many in the tech security industry. The UK system works on a centralised database, and the dangers are well spelt out in the CNET report found here: Microsoft exec: ID cards pose security risk | CNET News.com

However, it is worthwhile considering the question posed in the header here. The answer, in my opinion, is in two basic parts. The first relates to the regulation of the collection and protection of biometric data. The second is the interaction of evidence law and biometrics.

Securing Biometric Data:
Biometric data is usually stored either on a token such as a smart card or in a centralized database. Unfortunately, a critical risk of a centralized biometric database is the opportunity it provides to hackers and errant employees to exploit it.

Further, there is a real risk that once the biometric data of a subject is compromised (whether stored in a distributed or centralized manner), he or she will be permanently excluded from using the system unless new biometric data is scanned and stored, presuming that data has not already been compromised as well. It is critical to remember that each individual has a limited amount of biometric information. Hence, once the security of the biometric database has been breached, the breach cannot be cured by changing the authentication parameters (i.e. it is not possible to change the 'password'), because biometric identifiers are by their nature unique to the individual.

Further, it is also important to realize that the compromise of one biometric database will impact other third-party biometric systems, because all biometrics-based systems essentially share the same underlying biometric data (i.e. the same fingerprint or iris scan).

Accordingly, there is a need for some form of regulation to protect the manner of collection, storage and use of biometric data, possibly similar to the European Union Data Protection Directive, if biometrics is to take root in Singapore as a commonly utilized form of authentication. What exactly, then, is envisioned by such regulation? Hopefully it would mirror the provisions of the European directive and have the force of law, together with forceful sanctions for breach, to prevent private organizations and private individuals from misusing biometric data.

Biometrics use under the Law
As for the second issue, a central concern of biometrics is that of reliability. It must be understood that biometrics is not a panacea for problems of identification and verification, as its reliability varies depending on the technologies used and the chosen calibration of the false rejection rate. That calibration sets the statistical rate at which scans are accepted or rejected: lowering the matching threshold to reject fewer genuine users necessarily accepts more impostors, and vice versa. Hence the process is clearly one determined by probability and not certainty.
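The trade-off described above can be made concrete by sweeping the acceptance threshold of a matcher over a set of match scores and observing how the false acceptance rate (FAR) and false rejection rate (FRR) move against each other. The following is an added example and is not code from the original post; the matcher and its similarity scores are hypothetical and constructed for illustration, and the threshold-based decision rule is an assumption about how such a system works rather than a description of any particular product.

```python
"""Added example: how the acceptance threshold on a biometric match score
trades the false acceptance rate (FAR) against the false rejection rate (FRR).
The score lists below are constructed for illustration, not real sensor data."""

from typing import Iterable, List, Tuple

# Constructed similarity scores (0-100) from a hypothetical matcher.
# Genuine attempts compare a live scan with the enrolled template of the
# same person; impostor attempts compare it with someone else's template.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 78, 74, 69, 63, 57, 50]
IMPOSTOR_SCORES: List[int] = [61, 55, 52, 48, 45, 41, 38, 33, 27, 20]


def accept(score: float, threshold: float) -> bool:
    """Assumed decision rule: accept when the score reaches the threshold."""
    return score >= threshold


def error_rates(genuine: Iterable[float], impostor: Iterable[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a given threshold.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    genuine, impostor = list(genuine), list(impostor)
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: Iterable[float], impostor: Iterable[float],
          thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """List (threshold, FAR, FRR) for every threshold in the sweep."""
    genuine, impostor = list(genuine), list(impostor)
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Iterable[float], impostor: Iterable[float],
                          thresholds: Iterable[float]) -> Tuple[float, float, float]:
    """Lowest threshold at which FAR and FRR are closest (the equal error rate point)."""
    rows = sweep(genuine, impostor, thresholds)
    return min(rows, key=lambda row: (abs(row[1] - row[2]), row[0]))


def perfect_thresholds(genuine: Iterable[float], impostor: Iterable[float],
                       thresholds: Iterable[float]) -> List[float]:
    """Thresholds with zero FAR and zero FRR; empty when the score
    distributions overlap, which is the usual case and the reason the
    decision is probabilistic rather than certain."""
    return [t for t, far, frr in sweep(genuine, impostor, thresholds)
            if far == 0.0 and frr == 0.0]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 75, 5)):
        print(f"{t:>9}  {far:.2f}  {frr:.2f}")
    t, far, frr = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101))
    print(f"equal error rate at threshold {t}: FAR={far:.2f}, FRR={frr:.2f}")
    print("thresholds with no errors:", perfect_thresholds(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101)))
```

Running the block prints the sweep table: at a strict threshold of 70 no impostor is accepted but 40% of genuine users are turned away, while at a lax threshold of 50 every genuine user passes but 30% of impostors do too. Because the two score distributions overlap, no threshold yields zero error in both columns, which is exactly why the calibration choice is a policy decision about which kind of mistake the deployment tolerates.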

It must also be noted that biometric information carries with it the risk of being tampered with or falsified. As such, everyone in the legal profession as well as in law enforcement must understand that biometrics does not create a fail-safe environment vis-à-vis proof and that, like all authentication systems, its security and accuracy is only as good as its weakest link (whether systemic or user).

In conclusion, contrary to popular belief, biometrics should not be used as a replacement for passwords; it is ideally used as an enhancement only (i.e. as the second factor of a two-factor authentication process) or in the role of the username.
