Ontario’s privacy commissioner orchestrates voice biometrics integration

Ontario’s privacy commissioner has played a role in match-making two emerging technologies.

Combining encryption with voice biometrics shows promise for protecting privacy while also improving consumer services, said Ann Cavoukian, Information and Privacy Commissioner (IPC) of Ontario, in an announcement.

The announcement noted that Bell Canada contacted Cavoukian shortly after the release of an IPC research paper to share information about work done in this area by PerSay, a voice biometrics provider based in Israel.

The carrier enrolled 600,000 customers last year using PerSay’s systems, which allow Bell’s customers to access call centre agents using their voices as passwords.

Cavoukian was also aware of research done in biometric encryption (BE) by Philips Priv-ID, a Netherlands-based security provider, and she urged the two companies to work together to integrate their technologies and create a superior product.

The results of the first phase of this project are very encouraging, she stated in the announcement. “What is newsworthy and particularly gratifying is that the performance results are exceedingly positive. When Philips Priv-ID applied their BE technology to PerSay’s voice biometrics, the performance of the combined technologies remained at a world-class level with respect to accuracy, plus invaluable privacy and security benefits.”

A new approach to biometrics

In the next phase of the project, PerSay plans to incorporate Philips’ BE engine into their voice biometrics systems and test it in live environments, says Almog Aley-Raz, CEO of PerSay. “This type of project has not been done before.”

What is unique about the project is the creation of a key that represents voiceprints, he says. Many biometric systems work by storing a template that represents a person’s voiceprint or fingerprint on an employee badge or card, he explains. To access a system, the template on the employee’s card is matched to the master template stored on a central server.

But there’s a risk this highly-sensitive biometric information may be intercepted by hackers if it’s sent via the Web to authenticate remote users, which can cause serious issues. Unlike passwords and PINs, a person’s voiceprint, fingerprint or other biometrics can’t be changed or cancelled if an identity thief steals the template.

In PerSay’s new integrated BE approach, an algorithm takes the voiceprint and creates a mathematical representation, says Aley-Raz. “When you speak, your biological system generates a signal and that gets recorded. What we do is model the way your system works but it’s not a physical model, it’s a mathematical representation of the bio-mechanics, for example, of air flow into the lungs.”

The approach also reverses the usual authentication process, so the server sends the BE key to the user’s device for authentication, instead of the user sending biometric information to the server. “There’s no risk at all, as the key doesn’t have any personal information, it can be revoked, and you can’t reverse engineer it to get back the audio voiceprint,” says Aley-Raz.

While these security measures can fortify biometrics, these technologies have been plagued by more practical issues about their accuracy, he says. “But the voice world has made some big improvements in the past couple of years.”

PerSay’s systems, which have been benchmarked by the National Institute of Standards and Technology (NIST), have a 1 per cent failure rate, compared with 2 per cent for fingerprints. And one major advantage of voice-printing over fingerprinting is the huge number of microphones that’s already installed in laptops, cell phones and other devices, which means no special reading device is needed.

PerSay is working on several government applications, including a project for the Department of Homeland Security in the U.S., he says “Immigrants with temporary visas used to have to report physically to the DHS’ agents periodically, but now they’ve replaced that with a remote phone-based attendant system.”

The voice of government

While voice biometrics offer some interesting features, there are already many more established security technologies such as tokens, digital certificates and smart cards, says James Quin, senior analyst at the London-based Info-Tech Research Group. “Biometrics tend to have high error rates unless big investments are made in the platform, but there are many inexpensive token-based solutions on the market that are pretty much infallible.”

Quin is unimpressed with arguments that token-generating devices are hard on forgetful users. “They remember to bring their cell phones and car keys to work, so why can’t they remember to bring their tokens?” But he concedes voice biometrics are more user-friendly, and the error-rates are declining.

On a different note, he says the Ontario privacy commissioner’s announcement about the companies involved in this emerging area surprised him. “By comparison, if you look at the more recent PIPEDA