Biometrics and encryption aren’t exactly new. For most of us, neither is wildly exciting either. But the prospect of combining these two security pieces has sparked a call to action by Ontario’s privacy commissioner.
Ann Cavoukian has released the findings of a study on biometric encryption in a white paper she co-authored with Toronto-based biometrics scientist Alex Stoianov, entitled “Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security and Privacy.”
Cavoukian believes the full potential of biometric encryption – meaning both the encryption of biometric data and using biometric keys to decrypt data – can significantly reduce the risk of a breach of privacy, offering greater protection and control of sensitive data.
Biometric data typically contain sensitive personal information that must adhere to strict protection policies and security measures, asserts Cavoukian.
If a government collects biometric information on an individual, it will retain that sample data in a database, she explains.
Governments usually collect this kind of information for a good purpose (national security, for example), and the individual subsequently has no control over it. The possibility then arises for government to use this data in other areas, such as surveillance or profiling, says Cavoukian.
“This is the ‘Big Brother’ picture that privacy advocates fear when you talk about biometrics,” she says. “The reason the fear is so strong is because it (biometrics) is the ultimate unique identifier.”
As for using encryption alone, the same privacy concerns remain from within the government, law enforcement and intelligence communities, says Cavoukian, because “they are the ones encrypting the data, they possess the keys to decrypt the data.”
She adds: “Simply applying encryption to biometrics is not the ultimate solution in terms of a privacy-enhancing solution.”
What’s unique about biometric encryption is that the keys to that information are under the control of the individual, notes the commissioner.
A fingerprint is coded using an individual’s actual finger, and that biometrically encrypted template is then stored in a database. If it needs to be decrypted, the only one who can do this is the individual whose finger will be run across the fingerprint scanner, she explains.
“We’re not saying no to using biometrics, but realistically that’s not going to fly anymore,” says Cavoukian. “Since 9-11 there has been such widespread growth and adoption in the areas of biometrics that we know it’s futile to say don’t do it – it’s happening.”
She notes that in Deloitte and Touche’s technology predictions for 2007, biometrics was identified as one of the largest growth areas.
“A lot of the biometric technologies have been around for quite a while, the most common being the fingerprint technology and the iris scan,” says John Ruffolo of Deloite and Touche Canada.
“The difference now is that the biometric technologies have gotten a lot more reliable, in particular for the iris scan where they can now actually detect differences between identical twins,” adds Ruffolo. “And the cost of the technologies has really dropped over the past number of years.”
He notes that the biggest buyers of biometrics have been within government (airports) and what Ruffolo deems the more “security sensitive” industries.
But there hasn’t been a lot of political uptake to adapting biometric encryption technology, says Cavoukian. “Governments and law enforcement communities don’t want privacy-protected solutions to biometrics or anything else. It’s in their interests to have identifiable versions of biometrics.”
Cavoukian says privacy officials want uses and applications of biometrics that enhance privacy. “Biometric encryption gives you both the privacy and security benefits. It advances the view of privacy that you build privacy into the technology to really have true privacy protection.”
She says that with the release of the whitepaper, her office is hoping to attract technology companies and businesses to look at biometric encryption, and develop market applications. “You need the technological savvy and the political will to make this happen.”