Roger Clarke's Web-Site © Xamax Consultancy Pty Ltd,  1995-2024
HOME	eBusiness	Information Infrastructure	Dataveillance & Privacy	Identity Matters	Other Topics
What's New		Waltzing Matilda	Advanced Site-Search

The Scope for Privacy-Sensitive Biometric Architecture

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 23 February 2003

© Xamax Consultancy Pty Ltd, 2002-03

This document is at http://www.rogerclarke.com/DV/BioArch.html

Introduction

This document is one of a series of papers relating to biometrics. It is an amplification of slides 33-35 in the PowerPoint slide-set presented at the University of Hong Kong on 13 May 2002.

Biometric technologies, devices and applications have to date been extremely poorly conceived, have performed excruciatingly badly, and (whether or not they work) are extraordinarily privacy-invasive.

The purpose of this brief note is to provide an outline of my argument that it is entirely feasible to devise an architecture for biometric applications that is sensitive to privacy needs.

If and when engineers stop excusing themselves, and discover that they have a professional responsibility to consider the social implications of their work, the biometrics industry could apply such architectures, and thereby stop producing dangerous lemons and bankruptcies.

Conventional Architectures

The following diagram depicts the typical architecture that has been used for biometrics products to date.

A sensor measures a physical feature of a person. The measure is compared against a database of reference measures. The results are then transmitted to an application of some kind, commonly including the identifier(s) acquired from the person and/or from the database.

This is seriously privacy-invasive in a whole host of ways, which are discussed elsewhere in my papers.

Note that the depiction in this section is presented in a sufficiently abstract manner that it encompasses a wide range of potential applications, both:

• identification applications, through one-against-many matching; and
• authentication applications, through one-to-one matching.

Alternative Architectures

This section describes an architecture for one particular kind of biometric application. It is contended that architectures can be developed for other kinds of application, which are similarly protective of the privacy of that vast majority of people who are not found to be in breach of the organisation's rules.

The category addressed here is authentication against a block-list. An example of such an application would be at a border-checkpoint, where the intention is to screen travellers against a database that contains biometric reference-measures for persons who are not to be permitted to cross the border. This could include such categories as convicted drug-runners, people who have previously over-stayed or otherwise breached their visas, and terrorists.

The architecture is as follows:

A process to apply that architecture could proceed as follows:

• a sensor gathers a test-measure;
• the sensor provides the test-measure to a Secure Processing Module (SPM);
• the SPM enters into a two-way authentication process with a token carried by the individual (e.g. in a chip-card performing the function of a passport);
• the SPM requests from the token the biometric reference-measure, which has been previously stored in it;
• the token provides the biometric reference-measure;
• the SPM computes the result. If the test-measure and reference-measure are not sufficiently similar, then exception-handling procedures need to be called into play. The remainder of this outline process description deals with the mainstream case of an affirmation that the person presenting themselves is the person to whom the token was issued;
• the SPM requests from the token relevant data about the individual, which has been previously stored in it (e.g. passport-number, date of issue, and name);
• the token provides the relevant data;
• the SPM checks the relevant data against the block-list;
• the SPM provides to the application only the authentication results:
  • 'The person does/does not match the token'; and
  • 'The person's identifier is /is not blocked'.

In a number of presentations, I have made the assertion that border-guards generally do not need to know who the person is who they permit to go past them. They need only know that the test-measure matches the reference-measure on the person's token, and that the identity on that token is permitted to enter the country.

This assertion is true, but of course involves the normal sleight-of-hand needed to wake an audience up. The simple trick is that the story is incomplete. In order to support the management of aliens present in the country, the SPM needs to also send details of the border-crossing transaction to the Immigration system. But this is a quite separate function from the display on the border-guard's console: the assertion I make is true - the border-guard does not need to know the person's identity.

Personalia

Photographs Presentations Videos

Access Statistics

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer

Xamax Consultancy Pty Ltd ACN: 002 360 456 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916

Created: 13 May 2002 - Last Amended: 23 February 2003 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/BioArch.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy