The Sunday Times Sri Lanka

Cyber surveillance using Biometric ID

People are recognised by their faces, sometimes by their voices or handwriting, or by the way they move.
Human scrutiny was the only way of checking the identity of international travellers, visitors seeking to enter business or government offices, or individuals withdrawing cash from banks. Nowadays, there is a new way of checking identity: using automated methods and information and communication technologies (ICT) to recognise individuals based on physical or behavioural traits, a field known as biometrics.

From the recent introduction of fingerprints to Sri Lankan passports, to gait analysis in the new Mission Impossible movie, biometrics is all around us. The Business Times’ IT security columnist Sujit Christy takes a closer look.

The aim of biometric identification technologies like optical fingerprinting, iris scanning, and voice recognition is to bind identity to the body using digital representations of unique body parts, or, in the case of voice printing, by capturing, digitising, and analysing the sounds that the body produces.

There are now three main categories of biometric applications:

  • Forensic: Extensively used to meet the need for accurate identification in the fields of criminology and forensics
  • Governmental: Machine-readable passports, identity cards, voter registration, and so on
  • Commercial: Network login systems, finger vein recognition at automatic teller machines (ATM) in banks, credit card processing and face recognition in photographic software

Facial image
In each case, some combination of inherent characteristics is measured and automatically compared with templates stored on a token or in a database to find a match. The measured characteristics are often physical but may also be behavioural, such as a pattern of keystrokes in entering a word or phrase. A facial image, and a digital representation of fingerprints or the iris, is stored on a tiny radio-frequency identification (RFID) chip and this can be compared with information in a biometric database.

All biometric systems have a storage component containing biometric data samples of individuals linked to information on their identity. There is also a sensor to capture the person’s biometric data. The captured data sample is compared with a reference template, and a decision is taken on whether it matches. In tele-biometrics, the communication channels between these components of a biometric system may be wired or wireless telecommunications, or private or public networks, including the Internet. Whether the biometric trait is physical or behavioural, each individual should have that trait uniquely.

Also, the biometric trait should be invariant over a certain period of time, and should be measurable. With the wide acceptance of biometrics for identity verification, especially in an open network environment, the challenges of privacy, reliability and security of biometric data become more complicated and demanding.

It is generally considered that biometric traits have the advantage of being virtually impossible to steal or forget, and difficult to guess. Yet biometric systems are vulnerable to attack. Any element of the biometric system could be the target: the sensor, the feature extractor, the matcher, the stored biometric templates or the decision endpoint. An attack could also take place by bypassing the biometric sensor, or by tampering with the feature extractor or template.

Biometrics is increasingly used to complement or replace personal identification numbers (PIN) or passwords. But biometric data cannot be kept secret. Photographs of faces, recordings of voices and copies of signatures are all easily made. Biometrics relies on highly sensitive personal information, but the security of an authentication system cannot rely on the secrecy of biometric data. A system must ensure the integrity and authenticity of biometric data in order to be operationally effective, and additional protective measures are needed to safeguard privacy.
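The template comparison and integrity requirement described above, as an added example that is not part of the original column: a matcher that checks an HMAC tag binding the stored reference template to an identity before it compares the captured sample. The bit-string template format, the Hamming-distance threshold, the key, the identifier and all sample values are constructed assumptions.

```python
import hashlib
import hmac

THRESHOLD = 0.25  # assumed: max fraction of differing bits for a match

def seal_template(key: bytes, subject_id: str, template: bytes) -> bytes:
    """HMAC-SHA256 tag binding a reference template to one identity."""
    sid = subject_id.encode()
    msg = len(sid).to_bytes(2, "big") + sid + template  # length prefix: unambiguous
    return hmac.new(key, msg, hashlib.sha256).digest()

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("template and sample lengths differ")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def verify(key, subject_id, template, tag, sample) -> str:
    """Check the stored template's tag first, then run the matcher."""
    if not hmac.compare_digest(seal_template(key, subject_id, template), tag):
        return "reject: template integrity failure"
    if hamming_fraction(template, sample) <= THRESHOLD:
        return "accept"
    return "reject: no match"

# Constructed demo values (not real biometric data).
KEY = b"constructed-demo-key"  # assumed to be held by the matcher, not the store
ENROLLED = bytes.fromhex("a3f19c0455e27b6810cd93fe4417a9d2")
TAG = seal_template(KEY, "traveller-001", ENROLLED)
_noisy = bytearray(ENROLLED)
_noisy[0] ^= 0x03   # sensor noise: 3 of 128 bits flipped
_noisy[4] ^= 0x10
GENUINE = bytes(_noisy)
IMPOSTOR = bytes(b ^ 0x5A for b in ENROLLED)  # differs in half of the bits

if __name__ == "__main__":
    print(verify(KEY, "traveller-001", ENROLLED, TAG, GENUINE))
    print(verify(KEY, "traveller-001", ENROLLED, TAG, IMPOSTOR))
    # Stored template swapped for the impostor's own, old tag left in place:
    print(verify(KEY, "traveller-001", IMPOSTOR, TAG, IMPOSTOR))
```

In the third call the sample matches the substituted template exactly, so only the tag check stops it: the decision rests on the integrity of the stored template, not on the biometric being secret.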

Encrypting
Procedures to protect multimodal biometric data against attempts to intercept, modify or replace the data must be established and allow secure authentication. The procedures include encrypting, watermarking and transforming data.
Standards allow for the effective development of biometric systems by establishing common criteria and setting guidelines for the protection of privacy. Agreements on data formats and application software interfaces will help to reduce the cost of developing systems. Furthermore, the development of standards for applying biometrics and for testing accuracy contributes to clarifying vulnerabilities and guides the search for countermeasures to attacks.

Perhaps the most crucial aspect of a biometric system is its acceptance by the general public. For obvious reasons, non-intrusive methods are more acceptable than intrusive techniques. Although DNA is considered the ultimate biometric for identifying a person (other than an identical twin), DNA matching is too intrusive for extensive use in authenticating identity. Facial thermography, which detects the heat patterns created by blood vessels and emitted from the skin, is non-intrusive but too costly. Among the biometrics currently being considered for future deployment are blood pulse, body odour, skin composition, nail-bed pattern, gait and ear shape.

Cardless
Thus, technological advances have enabled the incorporation of biometrics into typical driver’s licenses, passports, and National Identity Cards, which will transform bureaucratised surveillance by adding a “cyber surveillance” component and a data surveillance (dataveillance) component. Digitalised ID cards and “cardless” ID systems such as biometric ID databases or smartphones will facilitate a convergence of cyber surveillance (body tracking) and dataveillance (biographical tracking) in the future.

Whatever system is used, it must be secure, ensure privacy and produce accurate results. A system that is insecure, unreliable or invasive will undermine public trust and may lead to a general lack of acceptance of biometric recognition techniques. The need to protect privacy and safeguard sensitive biometric data remains fundamental.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com)
