UTD CS 6V81 - Lecture 20- Biometrics and Privacy - II

This preview shows page 1-2-23-24 out of 24 pages.


Slide titles: Introduction to Biometrics; Outline; Assessing Privacy in Biometric Systems; Assessing Privacy in Biometrics Systems; Some Privacy concerns; Data Mining as a Threat to Privacy; Best Practices: Scope and capabilities; Best Practices: Data Protection; Best Practices: User Control of Personal Data; Best Practices: Disclosure, Audit, Accountability and Oversight; Paper for Further Reading; Privacy Preserving Biometrics?

Introduction to Biometrics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #20
Biometrics and Privacy - II
November 2, 2005

Outline

- Assessing Privacy in Biometrics Systems
- Best Practices in Designing Privacy Sympathetic Biometric Systems
- Australia's Federal Privacy Commissioner's Report on Biometrics and Privacy
- Privacy Preserving Biometrics

Reference

- Chapter 16
- http://www.bioprivacy.org/continuum.htm
- http://www.privacy.gov.au/news/speeches/sp80notes.pdf

Assessing Privacy in Biometric Systems

- One of the complexities of discussing biometrics and privacy is that biometric deployments, even those based on the same core technology, can be privacy-invasive, privacy-neutral, privacy-sympathetic, or privacy-protective.
- Although some biometric technologies can be more directly associated with privacy concerns than others (finger and facial scan, primarily), it is the use of the technology which determines the levels of privacy risks involved.
- Finger scan technology, for example, can be incorporated into a smart card solution such that the bearer of the card has possession of his or her biometric information.

Assessing Privacy in Biometrics Systems

- Deployments can be either privacy-invasive, privacy-neutral, privacy-sympathetic, or privacy-protective.
- The BioPrivacy Impact Framework can be used to make top-level assessments of a project's potential privacy-enhancement or privacy-invasiveness. (Lecture 18)
- When assessing specific technologies, the BioPrivacy Technology Risk Ratings are a valuable tool. (Lecture 18)
- BioPrivacy Best Practices can be implemented to determine what types of protections are necessary for a given deployment.

Some Privacy concerns

- Ideally, a deployment will address all BioPrivacy Best Practices, but some deployments by their nature must incorporate some elements which slightly heighten the privacy risk.
- At some point, the privacy impact of a specific deployment is balanced with other interests such as fraud reduction, cost savings or public safety.
- Once one has determined the risks involved in a particular usage of biometric technology, protections can be developed sufficient to fully address these risks.
- Protections and controls on the use of biometric technology must be consistent with both the nature of the biometric deployment and the privacy risks involved.

Data Mining as a Threat to Privacy

- Best Practices are guidelines for privacy-sympathetic and privacy-protective deployment, providing institutions with an understanding of the types of protections and limitations commonly implemented.
- These Best Practices are meant to address the full breadth of biometric applications and technologies, from small-scale physical access to nationwide identification programs.
- It is not expected that any deployment will be compliant with all Best Practices, and non-compliance with one or more Best Practices does not necessarily make a deployment privacy-invasive.
- The categories of Best Practices are:
  - (1) Scope and Capabilities,
  - (2) Data Protection,
  - (3) User Control of Personal Data, and
  - (4) Disclosure, Auditing, Accountability, Oversight.

Best Practices: Scope and capabilities

Scope Limitation
- Biometric deployments should not be expanded to perform broader verification or identification-related functions than originally intended.
- Any expansion or retraction of scope should be accompanied by full and public disclosure, under the oversight of an independent auditing body, allowing individuals to opt-out of system usage if possible.

Establishment of a Universal Unique Identifier
- Biometric information should not be used as a universal unique identifier. Sufficient protections should be in place to prevent, to the degree possible, biometric information from being used as a universal unique identifier.
- Universal unique identifiers facilitate the gathering and collection of personal information from various databases, and can represent a significant threat to privacy if misused.

Best Practices: Scope and capabilities

Limited Storage of Biometric Information
- Biometric information should only be stored for the specific purpose of usage in a biometric system, and should not be stored any longer than necessary.
- Biometric information should be destroyed, deleted, or otherwise rendered useless when the system is no longer operational.
- Specific user information should be destroyed, deleted, or otherwise rendered useless when the user is no longer expected to interact with the system.
- This also applies to templates generated during comparison attempts, such as a template generated in the verification stage of a 1:1 application.

Best Practices: Scope and capabilities

Evaluation of Potential System Capabilities
- When determining the risks a specific system might pose to privacy, the system's potential capabilities should be assessed in addition to risks involved in its intended usage.
- Few systems are deployed whose initial operations are privacy-invasive.
- Instead, systems may have capabilities, such as the ability to perform 1:N searches or the ability to be used with existing databases of biometric information, which could have an impact on privacy.
- Although systems with the potential to be used in a privacy-invasive fashion can still be deployed if accompanied by proper precautions, their operations should be monitored: the maximum protections possible should be taken to prevent internal or external misuse.

Best Practices: Scope and capabilities

Collection or Storage of Extraneous Information
- The non-biometric information collected for use in a biometric verification or identification system should be limited to the minimum necessary to make identification or verification possible.

Storage of Original Biometric Data
- If consistent with basic system operations, biometric data in an identifiable state, such as a facial image, fingerprint, or vocal recording, should not be stored or used in a biometric system other than for

