Wednesday, 22 January 2014

GreenInk 10: Private Eye Crook of the Year 2014 awards

(Hat tip: No2ID)

Sadly, there seems to have been no space in the latest edition of Private Eye for the following letter:
From: David Moss
Sent: 10 January 2014 14:05
To: Letters to the editor
Subject: The Gnome Business Awards for 2013, p.32, Eye #1357


Gnome awards Crook of the Year 2013 to James McCormick. He bought novelty golf ball-finders and sold them as explosives detectors to governments whose gullibility or corruption must also be award-winning.

When it comes to the 2014 awards, perhaps Gnome's panel would like to consider the McCormicks selling mass consumer biometrics technology which is meant to identify us uniquely and verify our identity.

Three world-class experts reviewed the literature and determined that biometrics is "out of statistical control". I.e. it's not a science [1]. By way of a practical example, they cite the charade at the US National Institute of Standards and Technology (NIST).

Under the terms of the USA PATRIOT Act 2001 section 403(c)(1), NIST have to certify all biometrics systems before they are deployed to federal law-enforcement agencies. What the scientists at NIST say in their certificates is: "This evaluation does not certify that any of the systems tested meet the requirements of any specific government application". By issuing certificates, NIST abide by the Act even if the certificates say that they haven't got a clue whether the biometrics systems work.

It's not just the USA. The panel will be spoilt for choice [2]. Governments all over the world are handing over public money to McCormicks talking biometricsballs.


David Moss

If only they had seen ENISA's latest report.

ENISA is the European Union Agency for Network and Information Security and in eID Authentication methods in e-Finance and e-Payment services they say:
6.1 Biometrics adoption related risks
The results of the survey show that very few professionals incorporate biometrics as an eIDA method solution for e-banking. The rationale behind this phenomenon is that institutions must be able to comply with the GDPR. There exist legal issues when dealing with personal information (different legislation for every country). In Europe, a specific authorization from customers is required, which is a difficult task, since the majority of people do not feel comfortable with granting permission on the storage of their biometric information (i.e. personal body patterns). This, in general, is only manageable if a strong juridical base exists and the use is adequate, relevant and not abusive in correspondence with the goals and reasons for biometric data to be collected, used or saved, resulting in an important challenge to be addressed.

Moreover, there exist high associated risks, mainly due to the potential attacks to a centralised data base storage of biometrics parameters. The risk of compromise of the biometric information DB (even if it’s encrypted, hashed, etc.) is real and non-acceptable for CISOs and directors of the e-banking sector. The sensitive nature of biometric information: data is compromised forever (i.e. it’s not possible to change the hand print, Iris, fingerprints, etc.), resulting in both high risk, and great responsibility to be accepted, especially if other eIDA methods are suitable.

Another important factor is the usability, since current technologies do not provide 100% of accuracy at the first try. There are still open issues related to the False Rejection Rate (FRR) and the False Acceptance Rate (FAR), which remain open even in scientific experiments or proof of concepts.

In summary, because of the associated risks, the financial sector is still not prepared to use biometry neither as a unique authentication factor nor a second authentication factor.

Biometry is used in emerging countries, where there are no other means of unique identification of the persons, due to lack of governmentally supported credentials, and also in countries where Personal Data protection is not a priority, like it is in EU.

Specialists are working in finding a solution to the high risk associated to using the biometry, and one solution that is being analysed and starting to be implemented is the local storage of biometric identification profiles. This has three advantages: 1) the responsibility of the storage is transferred to the end user, 2) the chances of a successful threat to steal large amount of biometric information is low, because the threat should be successful on many devices and stores, 3) the biometric identification vector doesn’t have to travel over the network.
If the banks don't think that today's mass consumer biometrics are up to the job, why do governments waste our money on this magical non-technology?

No comments:

Post a Comment