In this article, which is a continuation of the one that appeared in KJD issue 32, the chairman of The Netherlands Biometrics Forum (NBF) formulates and explains ten principles concerning the meaningful, safe and reliable use of biometrics on the basis of the recent NBF position paper. Biometrics is becoming an indispensable element of our information society, but initially new technology might sometimes be used incorrectly. In practice, large-scale systems turn out to be only barely manageable, which implies that the first major biometrics applications can present worrying social risks for which effective solutions have yet to be found. All the more so when we take into consideration that those applications are predominantly based on biometric data that cannot be altered.
The term ‘biometrics’ is taken to mean the recognition of individuals based on biological or behavioural characteristics using information technology. Visually verifying a person from a passport photo or a description does not involve biometrics, but biometrics does come into play if the check is carried out using computer technology. These days, information technology enables us to quickly digitize biological or behavioural characteristics in order for us to either depict them or subject them to calculations. This can be done with the outline of a hand or a finger, a fingerprint or the pattern of an iris. Even variable characteristics such as their voice, the way they move their hand when signing a document, or their typing rhythm can be used for the biometric recognition of an individual.
Biometric verification involves comparing a previously measured characteristic against the result of a new measurement at the time and place of the check. The result of the previous measurement can be registered in the verifying authority’s information system, on a chip card or in another electronic document held by the person being checked.
Many people find it difficult to fathom the technology needed for biometric person recognition because it is based on the laws of probability and will thus necessarily lead to a number of erroneous acceptances and rejections (the extent of which depends on the tolerances set by the operator). For that reason biometrics never offers 100% certainty that someone is the right person. As a result, biometrics also makes erroneous connections between people and their documents or data. The fact that biometrics cannot make any statements about the integrity of these documents and data or about the accuracy of the link itself implies that biometrics is unable to conclusively establish who somebody is. Contrary to what many people think, biometrics can only calculate the probability that somebody is the right person.
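The trade-off between erroneous acceptances and rejections can be made concrete with a small calculation. The following is an added example, not part of the original article: the similarity scores, the thresholds and the check volumes are all constructed for illustration. It shows how the operator's tolerance (the acceptance threshold) shifts errors from one kind to the other, and how modest error rates turn into large absolute numbers at scale.

```python
from fractions import Fraction

# Constructed similarity scores (0-100) for illustration; not data from any real system.
GENUINE = [62, 71, 74, 78, 80, 83, 85, 88, 91, 95]   # rightful holder, new measurement
IMPOSTOR = [12, 18, 25, 31, 36, 42, 47, 55, 64, 73]  # someone else presenting

def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate); a score >= threshold is accepted."""
    far = Fraction(sum(s >= threshold for s in impostor), len(impostor))
    frr = Fraction(sum(s < threshold for s in genuine), len(genuine))
    return far, frr

def expected_errors(threshold, genuine_checks, impostor_attempts):
    """Scale the sample error rates to a volume of checks (hypothetical volumes)."""
    far, frr = error_rates(threshold)
    return {"false_accepts": far * impostor_attempts,
            "false_rejects": frr * genuine_checks}

def lowest_threshold_for(max_far, candidates=range(0, 101)):
    """Most lenient tolerance whose false accept rate stays within max_far."""
    for t in candidates:
        if error_rates(t)[0] <= max_far:
            return t
    return None

if __name__ == "__main__":
    # A lenient tolerance lets impostors through; a strict one turns away rightful holders.
    for t in (60, 70, 75):
        far, frr = error_rates(t)
        print(f"threshold {t}: FAR {float(far):.0%}, FRR {float(frr):.0%}")

    # The same rates applied to a large-scale system (volumes are assumptions).
    scaled = expected_errors(70, genuine_checks=1_000_000, impostor_attempts=1_000)
    print("at threshold 70:", {k: int(v) for k, v in scaled.items()})

    # Even "no false accepts on this sample" costs rejected rightful holders,
    # and says nothing about impostors not represented in the sample.
    t0 = lowest_threshold_for(Fraction(0))
    print(f"FAR 0% needs threshold {t0}, FRR {float(error_rates(t0)[1]):.0%}")
```
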
The future of biometrics
Computerised person recognition is becoming increasingly important in an anonymous information society characterised by increasing global mobility. As compared to administrative verification methods such as a PIN code, password or key, only biometrics is based on a person-related physical characteristic as the point of recognition. Biometrics will ultimately become indispensable, certainly for sensitive work processes in the public and private sectors. Biometrics is especially useful when we need to know for sure that the person we are dealing with is the right person, or when someone wants to prevent their identity from being stolen and misused by somebody else. That constantly sets different requirements for computerised person recognition, depending on the risks in a given context. To illustrate this, two examples are given.
A swimming pool organization wanted to use fingerprint verification to exclude a certain group of boys that was repeatedly harassing girls. A worthy aim, but the devil is in the detail. All visitors, both male and female, were asked to register their fingerprints in the swimming pool’s computer system. This application threatens the bright future of biometrics. First, if you have the fingerprints of the boys you want to exclude from swimming, it is sufficient to check the fingerprints of male visitors belonging to the relevant age group. Second, if someone’s fingerprint is included in the blacklist, he can be sent on his way. Therefore, there is no need to store fingerprints at all. Thirdly, there is no point whatsoever in checking and storing the fingerprints of girls. And the story gets even worse. A woman of 82 refused to co-operate with having her fingerprints checked and was therefore banned from the swimming pool.
The NBF’s position is that biometrics must be necessary and the purpose should be the deciding factor regarding the rights and wrongs of how biometrics is to be implemented and used.
A car rental company was having a lot of problems with the return of their rented cars. Many of them were not returned or were taken to the wrong place. Biometrics looked promising, but had to be relatively cheap. A creative employee came up with a solution that didn’t need expensive electronics: the fingerprint was placed on the paper rental contract with gel, with the assurance that the paper containing the fingerprint would be returned when the car was brought back. This experiment proved to be a resounding success: during the experiment no vehicles were stolen or incorrectly returned. This is all well and good, but be wary of potential pitfalls. This simple biometrics system was introduced elsewhere, too. A few months later this site’s administration was full of copies of rental contracts with fingerprints without there being any need for the fingerprints to be copied!
For that reason the NBF calls for attention to be paid to a biometrics application as a whole, the development of an application in the course of time being just as important as practical details such as the contracts’ administration.
These examples illustrate just how easy it is to use biometrics incorrectly. It creates unnecessary resistance among the public and undermines social acceptance. Because biometrics will ultimately become indispensable to our information society, the NBF considers this to be a problem. Both examples also highlight the importance of providing information to the public and organizations wishing to use biometrics. We must guard our biometric details closely, certainly those derived from unalterable biometric characteristics such as our fingerprints. Once such a characteristic is compromised, the problem will persist for a long period of time, because we cannot defend ourselves by changing that biometric characteristic.
Fallacies of the wrong level
In information and computer science, in common with other social sciences, insights are often gained from small-scale applications, for example at the level of an individual or an organization. Those insights are then applied – usually without a second thought – to large-scale applications, for example at chain or social sector level. In doing so we are likely – often completely unaware – to make what is known as a ‘fallacy of the wrong level’. After all, insights are related to the level at which they are gained and are generally invalid at other levels (either higher or lower). This results in all kinds of assumptions and principles in large-scale systems being incorrect, so that these systems contain more shortcomings and risks than we think or expect them to have. Two examples regarding the biometric passport and the biometric visa illustrate this.
Biometric passport
Our first example concerns the new biometric passport, which is based on the notion that somebody can be accurately verified by their fingerprint. This essentially small-scale notion should not automatically be applied to the national or international scale of border control, as it is uncertain whether the biometric passport can live up to its expectations. Large-scale systems function differently from small-scale ones because they lack a co-ordinating or enforcing authority. Moreover, large-scale systems involve huge numbers of stakeholders (members of the public, travellers, patients), co-operating autonomous organizations and professionals, causing large-scale processes to be barely manageable. Despite all good intentions, a great many things go wrong.
Biometrics, too, works differently at large-scale level (chain, sector, country) from what one might expect, and can sometimes be counterproductive. Imitating or counterfeiting the fingerprint on a passport can enable someone to get through border control without anyone being able to find out afterwards who it was, since any traces left inherently point to the official holder, not to the person committing the identity fraud. Upscaling without taking a closer look at the risks of the large-scale situation is therefore a precarious undertaking. And even then it is advisable to upscale gradually, for instance, by having a fingerprint check carried out when a passport is applied for and delivered, without the prints being stored in the passport. During a later stage, the fingerprints could be stored in the passport on a voluntary basis, starting with for example those wishing to travel to the US, and so on.
Biometric visa
The biometric visa, the second example, has been introduced to keep out unwanted foreigners even before they come to The Netherlands. For that reason fingerprints of the visa applicant are taken at the Dutch embassy in the country of origin and sent to The Netherlands. If those fingerprints show up in the fingerprint database of unwanted foreigners, the visa is refused. It should be noted that for technical reasons it is not possible to place fingerprints on the visa as is now the case with the passport. Visa applicants are therefore checked using only the fingerprints in the database.
Biometrics can in some cases be counterproductive at that large-scale level. Take a situation where a criminal network wants to send someone to The Netherlands to commit a crime. If the visa is refused, the network knows that it will either have to send someone else or choose a route where the checks are less well-organised. That means that rather than tightening the grip on incoming passenger traffic (as anticipated), the target group of unwanted foreigners can imperceptibly become invisible.
With these two variants of biometrics, we can try out which of the two biometrics systems is the most flexible, if unforeseen problems arise in the future. It would of course have been preferable to have carried out such an experiment beforehand, since once introduced it is barely possible to alter a large-scale system such as this.
Identity fraud as the touchstone for a biometrics application
When using the term identity fraud we mean that a person with malicious intent is deliberately contriving the appearance of an identity that does not belong to him, using the identity either of someone else or of a non-existent person. An identity fraudster has no need for a document or identity card; he can also use a personal number, a photo, an occurrence or a biometric detail because they all contain a suggestion on which people base their conclusion as to who they are dealing with. Identity fraud proves to be easy and does not involve too great a risk. When carrying out identity checks we barely use any verification details other than those held by the person being checked. That reduces the chance of getting caught. And if someone gets caught, he still hasn’t done anything wrong (yet). If the identity fraud succeeds nobody is the wiser, while the benefits can be substantial and of long duration.
Official means of identification, such as an identity card, citizen service number or a biometric detail on the passport are even more useful to identity fraudsters because they can and must be used everywhere. Added to that is the fact that official verification procedures are known, uniform and predictable and can be inconspicuously observed in search of weak spots. Fallback procedures for situations in which the normal procedure cannot be followed, such as when you have forgotten your passport, or in the case of equipment failure, are usually sloppy and improvised and can be triggered by the identity fraudster himself without the identity checking officer knowing, for instance by deliberately using a wrong or invalid token or ID document.
On the other hand, there is the weak position of the victim to consider. As the world becomes more digital, identity fraud leaves more and more (technical) traces. Those traces, however, lead not to the perpetrator, but – inherent to the precise nature of identity fraud – to the victim, who is then faced with proving that he or she has not done something wrong. For that reason the safe use of biometrics makes it necessary to substantially reduce the predictability of identity checks and sharply increase the quality of exception and emergency procedures. Indeed, biometrics should help to achieve that, too. We therefore need to examine whether identity fraud is prevented by biometric verification rather than being made easier.
This specific safety aspect of a biometrics application could be scrutinised with questions such as:
– Can someone successfully pass the identity check by imitating the biometric characteristic of the rightful holder?
– Can someone influence the check and get wrongly recognised as the rightful holder?
– Is it possible to obtain certain information from the check results that can be used with malicious intent (see the example of the biometric visa)?
This is how the phenomenon of identity fraud functions as the touchstone for safe biometrics. This safety assessment always relates to the biometrics application as a whole, including the technology, organization, procedures and last but not least the extent to which people co-operate or, conversely, have a vested interest in errors or misuse.
The NBF regards fighting identity fraud as the touchstone for a safe biometrics application. Every biometric technology is in itself easy to mislead or to misuse. The NBF’s position is therefore that it is necessary to simultaneously use several biometric details or technologies in combination with other data or resources, since an identity fraudster will not be able to successfully make use of them all at the same time.
Privacy and safety
As mentioned before, the traces left by identity fraud lead not to the perpetrator but to the victim, and thus this fraud seriously violates the victim’s privacy. That is especially true of identity fraud using an unalterable biometric characteristic, since this form of identity fraud can continue to follow someone for a lengthy period without there being much they can do about it. Official bodies initially regard the victim as the perpetrator because all the clues point in his or her direction. That often leaves someone having to prove that they are not the perpetrator, which is often hard to do and wrongly leaves the victim under a cloud of suspicion. In the case of biometrics, privacy is thus closely related to safety and reputation, depending on how it has been misused. The discussion about privacy in the context of biometrics is therefore unlikely to abate any time soon; however, it will remain an abstract discussion for as long as the relationship with someone’s safety is not expressly made. The point frequently made in discussions about privacy along the lines of ‘I don’t mind what they know about me, I’ve got nothing to hide’ is put forward by people who have not yet faced a wrongful accusation. If that accusation is based on a misused unalterable biometric detail, the chances of putting up a good defence are not good. This is not a hypothetical risk; at present virtually all biometrics applications are unsafe, certainly in cases where an unalterable biometric characteristic is used on a large scale.
The NBF’s position is that those concerned about privacy should at this stage focus more sharply on the safety of the large-scale use of biometric personal details, taking into account the application as a whole and also target groups with other interests. This concept of safety goes far beyond the standard privacy discussions concerning the protection of these sensitive personal details. With a view to large-scale safety, the NBF’s position paper contains various requirements that will need to be met and can help us to assess the social acceptability of a specific biometrics application.
Example
The biometric passport provides us with an interesting example. In Germany, the discussion on privacy has led to two fingerprints being placed on the German passport without the government keeping a copy of any kind. As a consequence, the fingerprints of the person being checked can only be compared to the fingerprints on the passport. That seems fair enough at a small-scale level, but it is completely inadequate for large-scale applications. The German government now faces a situation where, after issuing a passport, it can no longer independently verify whether the fingerprints on that passport are still the original ones and whether the person present really is the same as the passport’s official holder. For the first purpose exact copies are needed of the two fingerprints that have been put on the passport. For the second purpose one or two additional fingerprints of the official holder are needed that have not been put on the passport, because the ones on the passport can be imitated or counterfeited. For that reason the Dutch government has opted to store the fingerprints of four different fingers in a municipal database: two fingerprints on the passport and two others: the first two to verify the integrity of the passport and the second pair to directly – i.e. independently of the passport – establish whether the person present is the same person as the legitimate passport holder. If used correctly, these databases facilitate the detection and prevention of identity fraud.
In The Netherlands the privacy discussion is also criticizing the biometric passport system’s underlying municipal databases and is endangering the safety of our large-scale biometric passport system by encumbering these integrity and authenticity checks. Thus, concerns about privacy could inadvertently hugely increase the social risks of large-scale biometrics applications. It must be made clear to those with serious concerns about privacy that the assessment criterion ‘safety’ implies the protection of privacy, but that this is not necessarily the case the other way round.
In this introductory stage of biometrics applications our focus must be on avoiding teething troubles and on gaining experience with the use of biometric details at a smaller scale. Moreover, when biometrics applications are upscaled, more attention must be paid to assumptions and expectations that might not be valid at that level. Risk assessments must uncover the inherent security and safety problems. Risk management must form an essential aspect of an adequate administration of biometric data, always relating to the application as a whole, including technology, organization, procedures and, last but not least, the extent to which people can be expected to co-operate or, conversely, have a vested interest in errors or misuse.
Jan Grijpink (1946) is an economist and lawyer by education. He is currently employed as Principal Advisor at the Strategy Development Department of The Netherlands Ministry of Justice. In 1997 he obtained his Ph.D. at the Technical University of Eindhoven. In March 2004 he was appointed part-time professor at the Center for Content and Knowledge Engineering at the Institute of Information and Computing Sciences of Utrecht University. He is Chairman of The Netherlands Biometrics Forum (NBF).