Biometric Security - Expert Article

Successful biometric implementation programs have a controlled enrollment process where identity validation of individuals is initiated and biometric devices are located in a monitored and secured environment. The emerging industry standard for biometric programs requires user opt-in and protections for individuals’ biometric data.

In this article, biometric security expert Mark Songer provides an introduction to biometric data applications and the technical issues most frequently disputed in biometric litigation.

Biometric Security - Expert Article

WHAT IS BIOMETRICS?

Biometrics describes the process of using physiological traits or behavioral characteristics to identify human beings. The long term potential applications of Biometrics are extremely broad, but biometric identification is commonly used in building security systems, payroll and employee timekeeping systems, laptop PCs and smartphones. There are generally two categories of biometric data:

  • Physiological characteristics – acquired through heredity, include finger & palm prints, face and DNA recognition and retina recognition
  • Behavioral characteristics acquired naturally over time, include signature, voice, keystroke dynamics, and gait recognition.

WHY BIOMETRICS?

Because biometric data is unique to each individual, it is one of the most secure methods of individual identification. Physiological and behavioral characteristics are virtually impossible to replicate, and best in class systems currently available will convert individual values into algorithms or unique derivatives of the original value that cannot be reverse engineered.

Biometric Templates – In some biometric implementation programs, the image itself is discarded and a mathematical representation of it is used in the individual verification process. This mathematical file is called a biometric template. These templates should be encrypted to prevent reverse engineering the data into the original biometric image.

Cancellable Biometrics Mathematical algorithms can also be used to transform the original biometric characteristic into a distorted value that is unique to each individual, but not true to their physiology. This process is non-reversible, and cannot be used to obtain the original value.

Not all biometric systems on the market utilize best in class technologies, and there are still biometric systems in use that store unencrypted or weakly encrypted depictions of users’ biometric data. Strong security measures should be prioritized in the selection and implementation of any new biometrics systems, and older systems should be updated or replaced to comply with current best in class security standards.

BIOMETRIC STANDARDS

The following organizations are involved in developing standards relevant to biometric systems and data:

  • The International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) subcommittee 37 is responsible for creating biometric standards at the international level.
  • The International Committee for Information Technology Standards (INCITS) coordinates the development of biometric standards based on consensus development with the industrial, academic, and government communities. INCITS operates under the American National Standards Institute (ANSI).
  • The National Institute of Standards and Technology (NIST), has been developing biometric standards for law enforcement and government agencies since the 1980’s.

FORENSIC INVESTIGATIONS

Privacy is at the center of most biometrics disputes. In 2008, the State of Illinois became one of the first to enact a Biometric Information Privacy Act, which provides specific protections for a person’s biometric identifiers or biometric information. Since that time, other states have passed similar laws.

Forensic investigations involving biometrics data vary in scope, but typically include an assessment of specific elements of policies and procedures. Three main procedural categories are:

  • Data Collection: Consent to collect biometric data should be acquired through Controlled Enrollment, where notice is provided to the individual, and consent is granted via written release.
  • Data Storage: How the collected biometric data is safeguarded through the hardware and software used, and the procedural protections in place. Data may be stored on the device itself, on a cloud server, USB, or through a 3rd party vendor. Vendors should also have compliant security procedures in place per the standards as outlined by INCITS and ANSI.
  • Data Disposal: Policies should be in place for how long an individual’s biometric data is retained and how/when it is destroyed.

BIOMETRIC SECURITY INVESTIGATIONS

If the biometric security practices of a business or employer are in question, a Certified Biometric Security Professional may be called upon to review the policies and procedures in place, analyze the device(s) to confirm how data was collected, stored, and disposed of, and whether it is in compliance with the applicable laws and industry standards.

For more information, contact the author of this article or submit an inquiry.