My goal with this article is to point out the fact, given the state of current cybersecurity systems and their many faults combined with the fact that biometric data for the most part is immutable, that it would be ill advised for us in Australia to use biometrics as any measure of security or identification measure.
A Brief Introduction to Biometrics
Before we start talking about biometrics being used as a means of identification by governments and private companies, we first need to define what biometrics is and how has it been used in the past.
So, we can define biometrics as a technical term for body measurements and calculations. It refers to standardised measurements related to human characteristics.
Biometric authentication is used in computer science for means of identification and control of access, as well as a tool to identify individuals and or groups that are under surveillance (Marciano, 2019) (“Biometrics: Overview”, 2019) (“Biometrics Research Group”, 2019).
Now, when we say biometrics, we usually think of high-tech tools such as retina scanners, voice recognition software, facial recognition and more of the modern tools that are being used today. But it is important to note that biometrics have in one form or another been used to identify people based on their inherent physical traits for millennia.
There evidence of hand prints being used as form of identification in burglaries in Qin Dynasty (221-206 BC) China. A Persian book from the 14th century AD talks about using a person fingerprints as a means of identification (Ed German, 2019).
Some Modern Uses
The first modern and standardised system that used fingerprints as a means of identification was proposed by Sir E.R. Henry the then head of the Metropolitan Police of London in his book “The Classification and Use of Fingerprints”. (“The Henry Classification System”, 2019)
The idea of using an iris as a means of identification first came about in the 1930’s but the first successful algorithmic implementation happened in 1993 (Daugman, 1993).
And now bringing us back to the present the in 2001 at the Super Bowl in Tampa, Florida, USA facial recognition was used to capture an image of tens of thousands of the fans attending the event and had those images crossed checked against arrest shots of the Tampa police (McCullagh et al., 2019).
Some argumets as to why we should use biometrics
Now let us look at some benefits that come from using biometrics in a large scale both in the private and the public sector.
It could make lead to a more efficient governmental system, where identifying those in need of social welfare would be rendered much easier (“India’s Biometric ID System”, 2019). It could make rendering a wide range of public services easier (“Biometric Authentication to Access Public Service in Scotland”, 2019).
Another example of its use in the real world would be the 2014 Yemeni elections where over 14 million voters used TrueVoter™ biometric voter registration services to register to vote (“Biometric Voter Registration Software Deployed in Yemen – FindBiometrics”, 2019).
Another import benefit of using biometrics as a means of identification is that is very accurate (“5 Advantages of Biometric Security Systems, 2019), as it relies on unique physical traits such as fingerprints, retinal patterns, facial characteristics, voice recognition as so on. These factors allow system employing biometric identification technology to reach much higher accuracy levels than other security system currently on the market.
Some other benefits are:
- Less time consuming
- Very hard to falsify
- User friendly
- More durable
- Good solution for mobile transactions
- Requires minimal training
It would also do it justice to mention that biometric identification methods are already being used by many countries around the world for various purposes.
An example of Australia’s usage could be its introduction of passports with biometric chips. The embedded chip stores the owners digitised photograph, name, sex, date of birth, nationality, passport number and the passport expiry date (“Biometrics”, 2019). This chip allows you to use the “Smartgate” technology that can be found in major airports in Australia (“Smartgates”, 2019), which makes going through passport control a breeze.
Some other benefits of using biometric passports are:
- They provide highest level of security and traveller privacy protection
- First and accurate identification of travellers and effective border crossing
- Automated check in to any airport/ border without physical contact
(“Biometric Passports/ePassports and their Benefits”, 2019)
Downsides of using biometrics
Now that we have listed some of the benefits of using biometrics as means of identification of people in groups, I think it is vitally important to point out some of the many drawbacks of using these system at large and especially by the various governments of the world.
A good point to start of is to point out that while yes, biometrics are more secure than traditional methods like passwords, they are not unbreakable. Meaning they are vulnerable to attack and there have been demonstrations of these flaws.
One such exploit has been demonstrated at the 25th USENIX Security Symposium. Where a group of security researchers for the University of North Carolina presented a system that uses publicly available photos of people from the internet and used them to build 3-D facial models. They did this using a mobile virtual reality technology, that rendered a VR style face that has 3 dimensions. It also gave of visual, motion and depth ques that a biometric security system would be looking for (Xu, Price, Frahm & Monrose, 2016).
This exploit that managed to fool four out of the five systems it was used against, shows an intrinsic fault with using biometric data as a security tool, it generally doesn’t change. Meaning if your biometric data is publicly available or worse yet leaked or maliciously obtained it could easily be exploited.
This leads me to my next point, setting aside the overabundance of , freely available and easily accessible, personal data that can be found on social media platforms like Facebook, Instagram, Twitter and others the there is another source of data that is not freely available and is more concerning, Data Breaches.
Data breaches and cyber-attacks are far more often than most people are aware of and they happen to government and private institutions alike (Armerding, 2019) (“15 Biggest Data Breaches in The Last 15 Years (Infographic)”, 2019).
On this wiki page you can find very concerning and very long list of data breaches that have happened in recent times.
I am talking about all this, because I want you to understand how vulnerable our private data is to malicious individuals, groups and even foreign governments.
And in knowing that how inadvisable the idea to put our immutable biometric data online is, as once it gets stolen which is not as unlikely as you might think(Milkovich, 2019)(“Cyber Security Chicago 2019 – Dynamic pages template”, 2019). It could and most likely will be used against us.
The Equifax incident
Just to hammer down the point of how much our data is vulnerable, I will briefly mention the Equifax (link to Equifax here) data breach that occurred in July 2017. What happened was one of the largest cyber security incidents in history, where personal data from about 145 million people was stolen.
This information contained:
- Social Security Numbers
- Birth Dates
- Drivers License Numbers
In short, all the information needed to take out a bank loan, make a car purchase, file for insurance or any other form of identity theft (“One Year Later: The Impact of Equifax’s Data Breach | Transforming Data with Intelligence”, 2019). Now just imagine if they also gained access to peoples biometric data as well.
India’s Aadhaar System, biometrics gone wrong
What is the Aadhaar system?
It is a program launched by the Indian government back in 2009, by which India aimed to give every citizen a unique, biometrically verifiable identification number. The number would be linked to people’s biometric information, namely iris scans and fingerprints, which would be used in all interaction with the Indian state (“https://time.com”, 2019).
The idea behind the system was to rule out the corruption, fraud and to increase tax revenue. India is a country in which only about 2 percent of people pay income tax, only four in then births are officially recorded and many people who may be eligible for welfare are not receiving it. Either because of over complicated bureaucracy or nefarious middlemen who steal people’s identity (Arun, 2017).
The issue with the system arose with the fact that private companies, were forcing people to give their Aadhaar numbers to be able to get bank accounts, phone numbers and loans among other things. While almost certainly immoral this was not prohibited by law, until India’s supreme court ruling on the issue.
Where the court ruled that while the act of asking for peoples Aadhaar number for services of private companies was illegal and unconstitutional it stated that the Aadhaar system itself can continue to be used by the government (Arun, 2017). This has raised some concerns from opponents of the system and the government about its future implementation and privacy issues concerning it (“India expands its controversial biometrics database Aadhaar – netzpolitik.org”, 2019).
With all the above being said, the question that is presented before us is should we in Australia use biometric technology and data as a means of identification for both governmental service such as Centrelink, RTA etc. and private services such as banks, hospitals or schools?
Given with what I tried to show in the article above it is my belief that the answers is a stern NO.
At least not in the near future, maybe with some improvement in field of cyber security by which there could be some sort of guarantee of data security.
Until then just the probability of peoples biometric data, data that is unalterable, being stolen or leaked and possibly freely available to all sort of malicious influences is too big of a risk.
A risk shared by the Australian government, Australian companies and most importantly the citizens of Australia to whom it all belongs and who would be hit hardest by a very probable mishap regarding their data.
15 Biggest Data Breaches in The Last 15 Years (Infographic). (2019). Retrieved 11 October 2019, from https://hostingtribunal.com/blog/biggest-data-breach-statistics/
5 Advantages of Biometric Security Systems | Veridin Systems Canada Inc. (2019). Retrieved 11 October 2019, from https://www.veridin.com/blog/5-advantages-of-biometric-security-systems/
Armerding, T. (2019). The 18 biggest data breaches of the 21st century. Retrieved 11 October 2019, from https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Arun, P. (2017). Uncertainty and Insecurity in Privacyless India: A Despotic Push towards Digitalisation. Surveillance & Society, 15(3/4), 456-464. doi: 10.24908/ss.v15i3/4.6618
Biometric Authentication to Access Public Service in Scotland. (2019). Retrieved 11 October 2019, from http://www.m2sys.com/blog/news/biometric-authentication-to-access-public-service-in-scotland/
Biometrics Research Group. (2019). Retrieved 3 October 2019, from http://biometrics.cse.msu.edu/info/index.html
Biometrics. (2019). Retrieved 11 October 2019, from https://immi.homeaffairs.gov.au/help-support/meeting-our-requirements/biometrics
Biometrics: Overview. (2019). Retrieved 3 October 2019, from https://web.archive.org/web/20120107071003/http://biometrics.cse.msu.edu/info.html
Biometric Passports/ePassports and their Benefits. (2019). Retrieved 11 October 2019, from https://www.linkedin.com/pulse/biometric-passportsepassports-benefits-patrick-mutabazi
Biometric Voter Registration Software Deployed in Yemen – FindBiometrics. (2019). Retrieved 11 October 2019, from https://findbiometrics.com/biometric-voter-registration-software-deployed-in-yemen/
Cyber Security Chicago 2019 – Dynamic pages template. (2019). Retrieved 11 October 2019, from https://cybersecurity-chicago.com/chicago/en/node/newsitem-odds-of-a-cyber-attack-compared
Daugman, J. (1993). High confidence visual recognition of persons by a test of statistical independence. IEEE Transactions On Pattern Analysis And Machine Intelligence, 15(11), 1148-1161. doi: 10.1109/34.244676
Ed German, F. (2019). The History of Fingerprints. Retrieved 3 October 2019, from http://onin.com/fp/fphistory.html
Marciano, A. (2019). Reframing biometric surveillance: from a means of inspection to a form of control. Ethics And Information Technology, 21(2), 127-136. doi: 10.1007/s10676-018-9493-1
McCullagh, D., McCullagh, D., Knight, W., Martineau, P., Finley, K., & Staff, W. et al. (2019). Call It Super Bowl Face Scan I. Retrieved 3 October 2019, from https://www.wired.com/2001/02/call-it-super-bowl-face-scan-i/
Milkovich, D. (2019). Know the Odds: The Cost of a Data Breach in 2017 | Cybint. Retrieved 11 October 2019, from https://www.cybintsolutions.com/know-the-odds-the-cost-of-a-data-breach-in-2017/
https://time.com. (2019). Retrieved 11 October 2019, from https://time.com/5409604/india-aadhaar-supreme-court/
India expands its controversial biometrics database Aadhaar – netzpolitik.org. (2019). Retrieved 11 October 2019, from https://netzpolitik.org/2019/india-expands-its-controversial-biometrics-database-aadhaar/
India’s Biometric ID System. (2019). Retrieved 11 October 2019, from https://www.npr.org/2018/10/01/652513097/indias-biometric-id-system-has-led-to-starvation-for-some-poor-advocates-say
One Year Later: The Impact of Equifax’s Data Breach | Transforming Data with Intelligence. (2019). Retrieved 11 October 2019, from https://tdwi.org/articles/2018/10/29/biz-all-impact-of-equifax-data-breach.aspx
Smartgates. (2019). Retrieved 11 October 2019, from https://www.abf.gov.au/entering-and-leaving-australia/smartgates/arrivals
The Henry Classification System. (2019). Retrieved 3 October 2019, from https://web.archive.org/web/20110713000747/http://static.ibgweb.com/Henry%20Fingerprint%20Classification.pdf
Xu, Y., Price, T., Frahm, J., & Monrose, F. (2016). Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos. Austin, TX: The University of North Carolina at Chapel Hill. Retrieved from https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/xu