Biometric Recognition Security and Privacy Concerns

Biometrics

PUBLISHED BY THE IEEE COMPUTER SOCIETY � 1540-7993/03/$17.00 © 2003 IEEE � IEEE SECURITY & PRIVACY 33

I s Alice authorized to enter this facility? Is Bob enti-tled to access this Web site or privileged informa-tion? Are we administering our service exclusivelyto the enrolled users? Does Charlie have a criminal

record? Every day, a variety of organizations pose ques-tions such as these about personal recognition.

One emerging technology that is becoming morewidespread in such organizations is biometrics—automaticpersonal recognition based on physiological or behavioralcharacteristics.1 The term comes from the Greek wordsbios (life) and metrikos (measure). To make a personalrecognition, biometrics relies on who you are or whatyou do—as opposed to what you know (such as a pass-word) or what you have (such as an ID card).

Biometrics has several advantages compared withtraditional recognition. In some applications, it can ei-ther replace or supplement existing technologies; inothers, it is the only viable approach to personal recog-nition. With the increasing infrastructure for reliableautomatic personal recognition and for associating anidentity with other personal behavior, concern is nat-urally growing over whether this information mightbe abused to violate individuals’ rights to anonymity.We argue here, however, that the accountable, respon-sible use of biometric systems can in fact protect indi-vidual privacy.

Measurement requirementsWhat biological measurements qualify as biometrics?Any human physiological or behavioral trait can serveas a biometric characteristic as long as it satisfies the follow-ing requirements:

• Universality. Each person shouldhave the characteristic.

• Distinctiveness. Any two persons should be different interms of the characteristic.

• Permanence. The characteristic should be sufficiently in-variant (with respect to the matching criterion) over aperiod of time.

• Collectibility. The characteristic should be quantitativelymeasurable.

However, for a practical biometric system, we must alsoconsider issues of performance, acceptability, and cir-cumvention. In other words, a practical system mustmeet accuracy, speed, and resource requirements, and itmust be harmless to the users, accepted by the intendedpopulation, and sufficiently robust to various fraudulentmethods and attacks.

Biometric systemsA biometric system is essentially a pattern-recognition sys-tem that recognizes a person based on a feature vector de-rived from a specific physiological or behavioral charac-teristic that the person possesses. Depending on theapplication context, a biometric system typically operatesin one of two modes: verification or identification.(Throughout this article, we use the generic term“recognition” where we do not wish to distinguish be-tween verification and identification.)

In verification mode, the system validates a person’sidentity by comparing the captured biometric character-istic with the individual’s biometric template, which isprestored in the system database. In such a system, an in-dividual who desires to be recognized (for example, Bob)

SALIL

PRABHAKAR

DigitalPersona

SHARATH

PANKANTI

IBM T.J.WatsonResearchCenter

ANIL K. JAIN

MichiganStateUniversity

Biometric Recognition: Security and Privacy Concerns

Biometrics offers greater security and convenience than

traditional methods of personal recognition. In some

applications, biometrics can replace or supplement the existing

technology. In others, it is the only viable approach. But how

secure is biometrics? And what are the privacy implications?

Biometrics

claims an identity—usually via a personal identificationnumber (PIN), login name, smart card, or the like—andthe system conducts a one-to-one comparison to deter-mine whether the claim is true. The question being an-swered is, “Is this person Bob?” Identity verification istypically used for positive recognition, where the aim is toprevent multiple people from using the same identity.

In identification mode, the system recognizes an in-dividual by searching the entire template database for amatch. The system conducts a one-to-many compari-son to establish an individual’s identity (or fails if thesubject is not enrolled in the system database). Thequestion being answered is, “Who is this person?” Iden-tification is a critical component of negative recognitionapplications, in which the system establishes whetherthe person is who she (implicitly or explicitly) deniesbeing. The purpose of negative recognition is to preventa single person from using multiple identities. Identifi-

cation can also be used in positive recognition for con-venience (because the user is not required to claim anidentity). While the traditional methods of personalrecognition such as passwords, PINs, keys, and tokenswork for positive recognition, only biometrics can beused for negative recognition.

Figure 1 contains block diagrams of a verificationsystem and an identification system, both performingthe task of user enrollment. The enrollment moduleregisters individuals into the biometric system data-base. During the enrollment phase, a biometric reader(such as a fingerprint sensor or CCD camera) firstscans the individual’s biometric characteristic to pro-duce its digital representation. The system generallyperforms a quality check to ensure that successivestages can reliably process the acquired sample. To fa-cilitate matching, a feature extractor processes theinput sample to generate a compact but expressive rep-resentation, called a template. Depending on the ap-plication, the biometric system might store the tem-plate in its central database or record it on a smart cardissued to the individual.

Biometric system errorsTwo samples of the same biometric characteristic fromthe same person—for example, two impressions of yourright index finger—are not exactly the same because ofimperfect imaging conditions (such as sensor noise anddry fingers), changes in the user’s physiological or behav-ioral characteristics (such as cuts and bruises on the fin-ger), ambient conditions (such as temperature and hu-midity), and the user’s interaction with the sensor (such asfinger placement). Therefore, a biometric matching sys-tem’s response is typically a matching score s (usually asingle number) that quantifies the similarity between theinput and the database template representations. (Forsimplicity, we assume that the system actually communi-cates the matching score to the user. Some systems mightcommunicate only the final decision based on a predeter-mined matching criterion or a threshold.) The higher thescore, the more certain the system is that the two biomet-ric measurements come from the same person.

A threshold t regulates the system decision. The sys-tem infers that pairs of biometric samples generatingscores higher than or equal to t are mate pairs (that is,they belong to the same person). Consequently, pairs ofbiometric samples generating scores lower than t arenonmate pairs (that is, they belong to different persons).The distribution of scores generated from pairs of sam-ples from different persons is called an impostor distribu-tion; the score distribution generated from pairs of sam-ples from the same person is called a genuine distribution(see Figure 2).

A biometric verification system can make two typesof errors:

34 IEEE SECURITY & PRIVACY � MARCH/APRIL 2003

User interface

Featureextractor

Matcher(N matches)

Ntemplates

System databaseUser's identity or

"user unidentified"Identification

Name (PIN)

User interface System database

Claimed identity

Featureextractor

Matcher(one match)

Onetemplate

True/false

Verification

TemplateName (PIN)

User interface

Enrollment

Qualitychecker

Featureextractor

System database

Figure 1. Block diagrams of enrollment, verification, and identifi-cation tasks. Enrollment creates an association between an identityand its biometric characteristics. In a verification task, an enrolleduser claims an identity and the system verifies the authenticity ofthe claim based on her biometric feature. An identification systemidentifies an enrolled user based on her biometric characteristicswithout the user having to claim an identity.

Biometrics

• Mistaking biometric measurements from two differentpersons to be from the same person (called false match orfalse accept)

• Mistaking two biometric measurements from the sameperson to be from two different persons (called false non-match or false reject)

An operational biometric system makes a trade-offbetween false match rate (FMR) and false nonmatch rate(FNMR). In fact, both FMR and FNMR are functionsof the system threshold t: If the system’s designers de-crease t to make the system more tolerant to input varia-tions and noise, FMR increases. On the other hand, ifthey raise t to make the system more secure, then FNMRincreases accordingly. We can depict system performanceat all operating points (thresholds t) in the form of a receiveroperating characteristic (ROC) curve. An ROC curve plotsFMR against (1 – FNMR) or FNMR for various valuesof threshold t (see Figure 3).

Besides these two recognition error rates, we can alsouse the rates of failure to capture (FTC) and failure to enroll(FTE) to summarize a biometric system’s accuracy. TheFTC rate, which only applies when the biometric deviceimplements automatic-capture functionality, denotes thepercentage of times the biometric device fails to automat-ically capture a sample when presented with a biometriccharacteristic. This type of error typically occurs whenthe device cannot locate a biometric signal of sufficientquality—for example, if it receives an extremely faint fin-gerprint or an occluded face.

The FTE rate, on the other hand, denotes the per-centage of times users cannot enroll in the recognitionsystem. There is a trade-off between the FTE rate and theperceived system accuracy (FMR and FNMR). FTE er-rors typically occur when the system rejects poor-qualitytemplates during enrollment. Consequently, the databasecontains only high-quality templates, and the perceivedsystem accuracy improves. Because of the interdepen-dence among the failure rates and error rates, all theserates—FTE, FTC, FNMR, and FMR—constitute im-portant performance metrics of a biometric system.

Given a biometric system’s accuracy in verificationmode, we can approximately infer its accuracy in identifi-cation mode under simplifying assumptions. Let us de-note the identification false nonmatch and false matchrates as FNMRN and FMRN, where N represents thenumber of identities in the system database. (For simplic-ity, we assume a single identification attempt per subjectand a single biometric template per enrolled user.) Then,it can be shown that FNMRN ≅ FNMR, and FMRN = 1– (1 – FMR)N ≅ N × FMR. (This approximation holdsonly when N × FMR < 0.1.) A report by the UnitedKingdom Biometric Working Group includes a detaileddiscussion of accuracy issues.2

A biometric system’s accuracy requirements depend

greatly on the application. For example, in some forensicapplications, such as criminal identification, FNMR rate(and not FMR) is the critical design issue: that is, we donot want to miss a criminal even at the risk of manuallyexamining a large number of potentially incorrectmatches that the biometric system identifies. On theother extreme, FMR might be one of the most importantfactors in a highly secure access-control application,where the primary objective is deterring impostors.

http://computer.org/security/ � IEEE SECURITY & PRIVACY 35

Prob

abili

ty (

p)

Imposterdistribution

Decisionthreshold (t) Genuine

distribution

Matching score (s)

Falsenonmatch

Falsematch

Figure 2. Biometric system error rates: The curves show false matchrate (FMR) and false nonmatch (FNMR) rate for a given threshold tover the genuine and impostor score distributions. FMR is the per-centage of nonmate pairs whose matching scores are greater than orequal to t, and FNMR is the percentage of mate pairs whosematching scores are less than t.

Forensic applications

Fals

e m

atch

rat

e (F

MR)

Civilianapplication

False nonmatch rate (FNMR)

High-securityapplications

Figure 3. Receiver operating characteristic curve: Different biometricapplication types make different trade-offs between the false matchrate and false nonmatch rate (FMR and FNMR). Lack of under-standing of the error rates is a primary source of confusion inassessing system accuracy in vendor and user communities alike.

Biometrics

In several civilian applications, performance require-ments lie between these two extremes, and we need toconsider both FMR and FNMR values. In applicationssuch as bank ATM card verification, for example, a falsematch would mean the loss of several hundred dollars,while a high FNMR might lead to the loss of a valuedcustomer. Figure 3 depicts the FMR and FNMR trade-offs in different biometric application types.

Comparison of biometricsSeveral biometric characteristics are in use in various ap-plications. Each biometric has its strengths and weak-nesses, and the choice typically depends on the applica-tion. No single biometric can effectively meet therequirements of all applications—none is “optimal.” Wematch a specific biometric to an application depending

on the application’s operational mode and the biometriccharacteristic’s properties. For example, both the finger-print- and iris-based techniques are more accurate thanthe voice-based technique. However, in a telebankingapplication, the voice-based technique might be prefer-able because the bank could integrate it seamlessly intothe existing telephone system. Table 1 briefly comparesfive biometric techniques along seven factors. (TheHandbook of Fingerprint Recognition includes a more de-tailed list.3)

Applications of biometric systemsBiometric applications fall into three main groups:

• commercial applications, such as computer network lo-gins, electronic data security, e-commerce, Internet ac-cess, ATMs, credit cards, physical access control, cellu-lar phones, PDAs, medical records management, anddistance learning;

• government applications such as national ID cards, correc-tional facilities, driver’s licenses, social security, bordercontrol, passport control, and welfare-disbursement; and

• forensic applications such as corpse identification, crim-inal investigation, terrorist identification, parenthooddetermination, and missing children.

Figure 4 shows some examples of biometric applicationsin use. Traditionally, commercial applications have usedknowledge-based systems employing PINs and pass-words, government applications have utilized systemsbased on tokens such as ID cards and badges, and forensicapplications have relied on human experts to match bio-metric features.

Now let us examine the advantages and disadvantagesof biometrics in various applications. In the commercial


BIOMETRIC FINGERPRINT FACE HAND GEOMETRY IRIS VOICE

Barriers to Worn ridges; hand None Hand Visual Speechuniversality or finger impairment impairment impairment impairment

Distinctiveness High Low Medium High Low

Permanence High Medium Medium High Low

Collectibility Medium High High Medium Medium

Performance High Low Medium High Low

Acceptability Medium High Medium Low High

Potential for Low High Medium Low Highcircumvention

Table 1. Comparison of several biometric technologies (assessments based on authors’ perceptions).

Figure 4. Biometrics application examples. (a) Digital Persona’s fingerprint verification system provides personal recognition forcomputer and network login. (b) Indivos manufactures a fingerprint-based point-of-sale (POS) terminal that verifies customers beforecharging their credit cards. (c) BioThentica’s fingerprint-baseddoor lock restricts access to premises. (d) The Inspass immigrationsystem, developed by Recognition Systems and installed at majorairports in the US, uses hand geometry verification technology.

Biometrics

category, applications require positive recognition andmay use the biometric system either in verification oridentification mode. The government and forensic cate-gories consist of mainly negative-recognition applica-tions that require identification.

Positive recognition:Commercial applicationsAs mentioned, traditional technologies available forachieving a positive recognition include knowledge-based methods (using, for example, PINs and passwords)and token-based methods (using possessions such as keysand cards).

Most people set their passwords to words or digits theycan easily remember—for example, names and birthdaysof family members, favorite movie or music stars, and dic-tionary words. (In 2001, a survey of 1,200 British officeworkers found that almost half chose their own name, apet’s name, or a family member’s name as a password. Oth-ers based their passwords on celebrity or movie characternames, such as Darth Vader and Homer Simpson.4)

Such passwords are easy to crack by guessing or bysimple brute-force dictionary attacks. Although it is pos-sible, and even advisable, to keep different passwords fordifferent applications and to change them frequently,most people use the same password across different appli-cations and never change it. Compromising a single pass-word can thus cause a break in security in many applica-tions. For example, a hacker might create a bogus Website enticing users with free air miles or pornography ifthey register with a login name and password. The hackercould then have fair success in using the same login nameand password to attack users’ corporate accounts.

Longer passwords are more secure but harder to re-member, which prompts some users to write them downin accessible locations (such as Post-it notes hidden underthe keyboard). Strong passwords are difficult to remem-ber and result in more help desk calls for forgotten or ex-pired passwords. Cryptographic techniques can providevery long passwords (encryption keys) that the user neednot remember; however, these are in turn protected bysimple passwords, which defeats their purpose.

Given that a hacker needs to break only one passwordamong those of all the employees to gain access to a com-pany’s intranet, a single weak password compromises theoverall security of every system that user has access to.Thus, the entire system’s security is only as good as theweakest password.

Finally, when a user shares a password with a col-league, there is no way for the system to know who theactual user is.

Similarly, possession-based personal recognition suf-fers from many problems as well. For example, keys andtokens can be shared, duplicated, lost, or stolen, or an at-tacker could make a master key that opens many locks.

It is significantly more difficult to copy, share, or dis-tribute biometrics. Biometrics cannot be lost or forgot-ten, and online biometrics-based recognition systems re-quire the person being recognized to be present at thepoint of recognition. Biometrics are difficult for attack-ers to forge and for users to repudiate. Furthermore, thesecurity level is relatively equal for all users in a system,which means that one account is no easier to break thanany other (for example, through social engineering).The main advantage of a biometric system is that it givesusers greater convenience (they no longer have to re-member multiple, long and complex, frequently chang-ing passwords) while maintaining sufficiently high accu-racy and ensuring that the user is present at the point andtime of recognition.

Trojan horse attacks against a biometric system’s mod-ules and replay attacks against its communication chan-nels (see Figure 1) are similar to those against password-based personal recognition systems. We can securebiometric systems against these attacks using the buildingblocks of standard cryptographic techniques.

Withstanding brute-force attacksNow let us consider a brute-force attack on a commercialbiometric system operating in verification mode. Abrute-force attack’s chances of success depend on the bio-metric verification’s matching accuracy. Let us assumethat a certain commercial biometric verification systemoperates at 0.001 percent FMR. At this setting, severalbiometric systems (such as state-of-the-art fingerprint-and iris-recognition systems) easily deliver less than 1 per-cent FNMR.5 An FMR of 0.001 percent indicates that ifa hacker launches a brute-force attack with a large num-ber of different fingerprints, on the average, one out of100,000 attempts will succeed. We can consider this

equivalent to the security offered by a randomly chosenfive-digit PIN (although a brute-force attack against afive-digit PIN is guaranteed to succeed in 100,000 at-tempts and requires only 50,000 attempts on the average).To attack a biometric-based system, however, the hackermust generate (or acquire) a large number of samples ofthe biometric (for example, fingerprints); this is more dif-


Biometrics cannot be lost or

forgotten.... They are difficult

for attackers to forge and for

users to repudiate.

Biometrics

ficult than generating a large number of PINs or pass-words. Finally, system administrators can arbitrarily re-duce a biometric system’s FMR for higher security—atthe cost of the increased inconvenience to users resultingfrom a higher FNMR. (Similarly, longer PINs or pass-words also increase security while inconveniencing theusers who must remember and type them correctly.)

Certain commercial applications would prefer tooperate biometric systems in identification mode be-cause of the added convenience of not requiring eachuser to claim an identity. Usually, we see speed as thebiggest problem in scaling up an identification applica-tion, but identification accuracy actually scales evenworse than speed. Consider an identification applica-tion with 10,000 users. We can certainly find a combi-nation of a fast fingerprint-matching algorithm andspecial-purpose hardware capable of making an identi-fication in a few seconds. On the other hand, a match-ing algorithm with a verification FMR of 0.001 percentwill have an identification FMRN of 10,000 × 0.001percent, or 10 percent. In other words, an impostor hasa good chance of gaining access to the system simply byusing all 10 fingers on her two hands! Therefore, al-though small- to medium-scale commercial applica-tions (for example, those with a few hundred users)might still use single-biometric identification, the onlyobvious solution for building accurate identificationsystems for large-scale applications appears to be multi-modal-biometric systems (for example, requiring multiplefingerprints, a face and fingerprint, or some other com-bination, from each user).3

Risks of stolen biometricsInstead of launching a brute-force attack, a hacker mightuse a very specific target and present the system with acopy of a known person’s biometric sample. InterGov(www.intergov.org) reports that insiders commit about

80 percent of all cybercrimes (an assessment based onlyon reported security breaches). In such cases, the individ-ual breaching the system’s security very likely knows anauthorized user personally, can acquire a sample biomet-ric (for example, a latent fingerprint), can make a dupli-cate (such as a three-dimensional mold of the fingerprint)and present it to the biometric system.

Let us analyze this threat. To lift a latent fingerprint,the hacker must know the legitimate user’s whereaboutsand the surfaces she has touched. Next, the hacker mustlift a latent fingerprint of good quality. This is not easy inpractice because most latent fingerprints we leave are in-complete, wrapped around irregular surfaces, or partiallycanceled by fingers slipping. Then, the hacker has tomake an accurate three-dimensional model of the fingeras shown in Figure 5 (a simple two-dimensional finger-print image cannot deceive a typical live-scan finger-print sensor);3 this requires both expertise and laboratoryequipment such as a high-resolution scanner, a three-dimensional printing device (such as a stereo-lithogra-phy printer), and so on. Recently, Tsutomu Matsumotoand colleagues documented several detailed methods ofcreating a fake finger from silicone and gelatin to foolmany commercially available fingerprint sensors.6 Al-though producing a gummy clone of an available realfinger (from a consenting user) is relatively simple, re-constructing a fake finger from a latent fingerprint re-mains quite complicated. Additionally, a single fake fin-ger cannot serve in attacks against multiple users. Finally,creating a fake finger is as difficult the second or thirdtime as it was the first time, and thus there are noeconomies of scale in repeating the attack. In fact, a fake-biometric attack on a biometric-based network accessapplication presents a much smaller risk than an attackon a password-based system. This is because a hackercould launch an attack against a password-based networkaccess application remotely, without knowing any of theusers. Also, the hacker could use the same password (forexample, a dictionary word) to launch an attack againstall the enrolled users at no extra cost.

Vitality detection and multimodal-biometrics for increased securityMany commercial applications could improve their per-sonal recognition systems’ security by adding requiredcredentials or building blocks—for example, using atoken or password together with biometric recognition.However, in high-security applications (such as accesscontrol to nuclear energy facilities), it is important thateach component of the recognition system is secure in it-self and that the many components provide additionallayers of security. In many commercial applications,adding more credentials (such as passwords and tokens)can be undesirable because doing so reintroduces theproblems associated with knowledge- and possession-


Figure 5. Fake fingers made from consenting users. (a) Rubber stampmade from a live-scan fingerprint image. (b) Wafer-thin plastic sheethousing a three-dimensional replication of a fingerprint.

CO

PYRI

GH

T SP

RIN

GER

, USE

D B

Y PE

RMIS

SIO

N.

Biometrics

based systems (passwords can be forgotten or guessed, andtokens can be lost or stolen). In these applications, fakebiometric attacks remain a serious concern. However, wecan address this threat in two ways: first, by building vital-ity detection mechanisms in the biometric recognitionsystem hardware and software; second, by designing mul-timodal-biometric systems that incorporate several dif-ferent biometric characteristics (for example, face, finger-print, and hand geometry).

Fingerprint devices can incorporate vitality detectionby measuring optical, electric, or thermal properties ofthe human skin or other biomedical characteristics suchas pulse. Iris-recognition devices can measure the invol-untary pupillary hippus (constant small constrictions anddilations of the pupil caused by spontaneous movementsof the iris rather than external stimulation) to ensure thatthe eye is alive. The resources required to defeat biomet-ric sensors increase as they incorporate more methods ofvitality detection. If the hacker knows the vitality detec-tion method being used, however, she can probablythwart it. For example, if the fingerprint sensor also usesfinger pulse detection, the hacker can build a pulse gener-ator into the fake finger.

Therefore, in our opinion, the best method for vitalitydetection is to use a characteristic distinctive to each indi-vidual, and not easily available to an adversary for copy-ing—that is, another biometric. For example, we couldbuild a multimodal-biometric system that combines astrong biometric, such as a fingerprint, with another bio-metric (possibly a weaker one) that is difficult to acquirecovertly, such as a face thermogram. Another approachmight use a fingerprint system requiring each user to pre-sent several fingers in a specific order; a hacker would haveto find latent fingerprints from multiple fingers from bothhands and also know the order of presentation. Such a so-lution comes at a relatively low cost: It requires no othersensor, and an existing fingerprint-verification systemcould be easily adapted to handle impressions from multi-ple fingers. Interestingly, such multimodal-biometric

solutions could also significantly improve recognition ac-curacy—at the cost of longer acquisition and processingtimes (and possibly extra hardware).

Replacing compromised biometricsOne disadvantage of biometrics is that they cannot beeasily revoked.7 If a biometric is ever compromised, it iscompromised forever. With a credit card, the bank canissue the user a new card with a new number. But a userhas only a limited number of biometrics—one face, 10fingers, and so on—and they are not easy to replace. Also,because different applications might use the same bio-metric, a thief who acquires a person’s biometric in oneapplication could also use it in others.

However, integrating cryptographic techniques alongwith biometric matchers can help address this problem.8

For example, instead of storing the original biometricsignal in the system database during enrollment, the sys-tem could store only its noninvertible transformed ver-sion (for example, a hash). During recognition, the bio-metric sensor would transform the signal using the samenoninvertible transform and perform matching in thetransformed space. Different applications can use differ-ent noninvertible transforms (or different parameters ofthe same transform), so a template would be usable onlyby the application that created it. In fact, the user herselfcould provide the transform’s parameters in terms of apassword or PIN. If a hacker ever compromises such abiometric template, the system can issue a new one usinga different transform or different parameters. The disad-vantage of this technique is that invertible and simplenoninvertible transforms are not very strong (in the infor-mation-theoretic sense), and using strong noninvertibletransforms lowers system accuracy because the matchercannot effectively deal with all the biometric signal varia-tions (of the same person) in the transformed space.8 Asimple and effective method of creating an easily revoca-ble biometric template is to encrypt the biometric tem-plate with the user’s password.


For thousands of years, humans have used body characteristics

such as face, voice, gait, and so on to recognize each other. In

the mid 19th century, Alphonse Bertillon, chief of the criminal

identification division of the police department in Paris,

developed and then practiced the idea of using various body

measurements (for example, height, length of arms, feet, and

fingers) to identify criminals. In the late 19th century, just as his

idea was gaining popularity, it was eclipsed by a far more sig-

nificant and practical discovery: the distinctiveness of human fin-

gerprints. Soon after this discovery, many major law-enforcement

departments embraced the idea of “booking” criminals’ finger-

prints and storing them in databases (initially, card files). Later,

police gained the ability to “lift” leftover, typically fragmentary,

fingerprints from crime scenes (commonly called latents) and

match them with fingerprints in the database to determine

criminals’ identities.

Biometrics first came into extensive use for law-enforcement and

legal purposes—identification of criminals and illegal aliens, security

clearances for employees in sensitive jobs, paternity determinations,

forensics, positive identifications of convicts and prisoners, and so

on. Today, however, many civilian and private-sector applications

are increasingly using biometrics to establish personal recognition.

History of biometrics

Biometrics

Ultimately, in commercial applications, the decisionto add or replace existing personal recognition methodswith biometrics-based solutions should be based on acost-benefit analysis. For example, is the installation andmaintenance cost of a biometric-based computer loginsystem less than the currently used password system?According to the Gartner Group, between 20 percentand 50 percent of all help desk calls are for password re-sets. Forrester Research states that the average help desklabor cost for a single password reset is about US$38.

Negative recognition:Government and forensic applicationsNegative recognition applications, such as background-checking of employees and preventing terrorists fromboarding airplanes, must perform personal recognition inidentification mode. As we noted earlier, at a given levelof accuracy, identification is a much harder problem thanverification because an identification system must per-form a large number of comparisons.

To illustrate the difference, let us suppose airport au-thorities are looking for the FBI’s 100 most-wanted crim-inals (yielding a database size of 100), and that the state-of-the-art fingerprint verification system operates at 1percent FNMR and 0.001 percent FMR. If we deployedthis system in verification mode, it would fail to matchthe correct users 1 percent of the time and erroneouslyverify wrong users 0.001 percent of the time. Now con-sider what these numbers mean for the system deployedin identification mode. While the identificationFNMRN is about 1 percent, the identification FMRN isabout 100 × 0.001 percent, or 0.1 percent. This meansthat although the system has a 99 percent chance of catch-ing a criminal, it produces a large number of false alarms.For example, if 200,000 people use a major US airport inone day, the system produces 200 false alarms!

If the system used faces instead of fingerprints for theidentification—which might be preferable in the airportapplication, because cameras could acquire the facescovertly—the number of misses and false alarms would

be considerably higher: face identification systems haverather poor accuracy, especially in environments withcluttered backgrounds and varied lighting conditions.Thus, relying exclusively on automatic biometric systemsfor negative identification might be infeasible.

Adding traditional personal recognition tools such aspasswords and PINs would not be at all useful for negativerecognition. So, although biometric systems might notyet be extremely accurate in supporting large-scale iden-tification applications, they are the only choice for nega-tive recognition applications. Furthermore, a biometricsystem operating in semiautomatic mode, with a humanexpert examining all the alarms and making the final de-cision, can be quite effective. For example, if we need 100airport security agents to manually match every person atan airport against the FBI’s 100 most-wanted database,we might need only five agents to take a closer look at the200 daily alarms the biometric system generates. In suchsemiautomatic applications, the biometric system onlygenerates an alarm that calls for a closer, manual examina-tion of the individual; an alarm does not directly translateinto an arrest. In fact, the trade-off between FMR andFNMR rates in a biometric system is no different fromthat in any detection system—including the extant metaldetectors already in use at all airports.

Other negative recognition applications, such as back-ground checks and forensic criminal identification, canalso operate in semiautomatic mode, and their use followsa similar cost-benefit analysis. For example, in attemptingto match latent fingerprints, law enforcement agenciestypically use an automatic fingerprint identification sys-tem (AFIS) only to narrow down the number of finger-print matches from a few million to a few hundred for ahuman expert to perform. A forensic expert alwaysmakes the final decision.

In our opinion, using biometrics in negative recogni-tion applications does not infringe on civil liberties be-cause unless you are already in the “criminal database,”the recognition system has no record of you. However,we do need appropriate legislation to protect the abuse ofsuch systems.

Privacy and biometricsPrivacy is the ability to lead your life free of intrusions, to re-main autonomous, and to control access to your personalinformation. As the incidence and magnitude of identityfraud increase, strong biometrics such as fingerprints will in-creasingly come into play for positively recognizing people;the conventional technologies—knowledge- or token-based, for example—cannot deliver this functionality.

For instance, US legislation requires strong recogni-tion schemes such as biometrics to limit access to sensi-tive medical records. In some applications, developershave envisaged using biometrics for anonymous access.These applications could index sensitive individual in-


Identification is a much harder

problem than verification

because an identification

system must perform a large

number of comparisons.

Biometrics

formation without explicitly specifying the user’s name,and the access mechanisms would entail specific bio-metric-based recognition—for example, allowing ac-cess to the records if the person’s left index fingerprintmatches the fingerprint associated with the record. Fur-thermore, by requiring automated access mechanismsto go through a secure biometric system, system admin-istrators could track all accesses to the privileged infor-mation, improving accountability for transactionswithin the information systems. In other words, bio-metrics-based accesses are less repudiable than othertypes of access control mechanisms. Thus, biometricidentifiers—especially strong identifiers such as finger-prints—can clearly enhance the integrity of systemsholding personal information.

On the other hand, several privacy concerns sur-round the use of biometrics for personal recognition.We have traditionally conceived of human recognitionas a mutually reciprocated action between two individ-uals. Automatic methods of individual recognition, es-pecially those based on biometrics, might culturally beperceived as undignified to humans. In addition, somebiometrics (fingerprints, faces, and DNA) carry nega-tive connotations because of their prevalent use in crim-inal investigation.

On other fronts, some object to biometrics on reli-gious grounds, citing biblical references such as Revela-tion 13:16–17: “He also forced everyone, small andgreat, rich and poor, free and slave, to receive a mark onhis right hand or on his forehead, so that no one couldbuy or sell unless he had the mark, which is the name ofthe beast or the number of his name.” Still others haveraised concerns about the hygiene of biometric sensorsthat require contact. Given that we routinely touchmany objects touched by strangers—money, for exam-ple—this objection seems frivolous.

However, biometrics does raise three systematic pri-vacy concerns:9

• Unintended functional scope. Because biometric identi-fiers are biological in origin, collectors might glean ad-ditional (possibly statistical) personal information fromscanned biometric measurements. For instance, certainmalformed fingers might be statistically correlated withcertain genetic disorders. With the rapid advances inhuman genome research, fear of inferring further in-formation from biological measurements might also beon the rise. Such derived medical information couldbecome a basis for systematic discrimination againstsegments of the population perceived as “risky.”

• Unintended application scope. Strong biometric identi-fiers such as fingerprints allow the possibility of un-wanted identifications. For instance, persons legallymaintaining aliases (say, for safety reasons) could beidentified based on their fingerprints. In addition, bio-

metric identifiers could link bits and pieces of behav-ioral information about individuals enrolled in widelydifferent applications; detractors often construe thispotential as a means for organizations—governmentalor corporate—to accumulate power over individualsand their autonomy.

• Covert recognition. Biometric characteristics are not se-crets. It is often possible to obtain a biometric sample,such as a person’s face, without that person’s knowl-edge. This permits covert recognition of previously en-rolled people. Consequently, those who desire to re-main anonymous in any particular situation could bedenied their privacy by biometric recognition.

We can address the possible abuse of biometric informa-tion (or its derivatives) and related accountability proce-dures in several ways:

• legislation by governments and the public—for exam-ple, European Union legislation against sharing bio-metric identifiers and personal information;10

• assurance of self-regulation—for example, a consor-tium of biometric vendors could choose to adhere to aset of ethical guidelines in their product design; and

• autonomous enforcement by independent regulatory or-ganizations—for example, a central biometrics authority.

Until we reach consensus on the proper limits to bio-metrics use, many people will surely hesitate to provideeither raw or processed biometric measurements to cen-tralized applications and to untrustworthy applicationsthat might share the data with other applications. As a re-sult, applications delivering highly decentralized recog-nition capabilities will be the most acceptable for thetime being.

One way to decentralize a biometric system is to storethe biometric information not in a centralized server butin decentralized, encrypted databases, over which the in-dividual has complete control. For instance, a systemcould issue the user a smart card with her fingerprinttemplate stored on it. In addition, if the smart card wereto integrate onboard a small fingerprint sensor and pro-


Those who desire to remain

anonymous in any particular

situation could be denied their

privacy by biometric recognition.

Biometrics

cessing power to perform feature extraction and match-ing, it could compare the input fingerprint retrieved fromthe sensor directly with the resident template and deliverthe decision, possibly encrypted, to the outside world.Such a decentralized system would permit all the advan-tages of biometric-based recognition without many of itsstipulated privacy problems.

R eliable personal recognition is critical to many busi-ness processes. Because conventional knowledge-

and token-based methods rely on surrogate representationsof a person’s identity to establish personal recognition, anysystem assuring reliable positive personal recognition mustnecessarily involve a biometric component. In fact, asound personal recognition system design must incorpo-rate many biometric and nonbiometric components.

Biometric-based systems also have limitations withadverse implications for a system’s security. For example,the accuracy of current biometric systems is not perfect,and elaborate spoofing attacks can defeat a practical bio-metric system. Although the evolution of biometrictechnology will surely overcome some of these limita-tions, it is important to understand that foolproof per-sonal recognition systems simply do not exist—and per-haps never will. Security is a risk-management strategythat identifies, controls, eliminates, or minimizes uncer-tain events that can adversely affect system resources andinformation assets. A system’s security requirements de-pend on the application’s requirements (the threat model)and the cost-benefit analysis. In our opinion, properlyimplemented biometric systems are effective deterrentsto perpetrators.

Finally, the use of biometrics indeed raises several pri-vacy concerns. A sound trade-off between security andprivacy might be necessary; but we can only enforce col-lective accountability and acceptability standards throughcommon legislation. On the positive side of the privacyissue, biometrics provides tools to enforce accountablelogs of system transactions and to protect individuals’right to privacy.

As biometric technology matures, interaction will in-crease among applications, the market, and the technol-ogy. The technology’s value, user acceptance, and the ser-vice provider’s credibility will influence this interaction.It is too early to predict where and how biometric tech-nology will evolve and which applications will ultimatelyembed it. But it is certain that biometric-based recogni-tion will profoundly influence the way we conduct ourdaily business.

References 1. A.K. Jain, R. Bolle, and S. Pankanti, eds., Biometrics: Per-

sonal Identification in a Networked Society, Kluwer Acade-mic Publishers, 1999.

2. Best Practices in Testing and Reporting Biometric Device Per-formance, version 2.0, tech. report, United Kingdom Bio-metric Working Group, 2002; www.cesg.gov.uk/technology/biometrics.

3. D. Maltoni et al., Handbook of Fingerprint Recognition,Springer, 2003.

4. Password Clues, The CentralNic Password Survey Report,CentralNic, 13 July 2001; www.centralnic.com/page.php?pid=73.

5. D. Maio et al., “FVC2002: Second Fingerprint Verifica-tion Competition,” Proc. Int’l Conf. Pattern Recognition,vol. 3, IEEE CS Press, 2002, pp. 811–814.

6. T. Matsumoto et al., “Impact of Artificial Gummy Fin-gers on Fingerprint Systems,” Proc. SPIE, Optical Securityand Counterfeit Deterrence Techniques IV, vol. 4677, Int’lSoc. for Optical Engineering, 2002, pp. 275–289.

7. B. Schneier, “Inside Risks: The Uses and Abuses ofBiometrics,” Comm. ACM, vol. 42, no. 8, Aug. 1999,p. 136.

8. A. Jules and M. Sudan, “A Fuzzy Vault Scheme,” Proc.IEEE Int’l Symp. Information Theory, IEEE Press, 2002,p. 408.

9. J.D. Woodward, “Biometrics: Privacy’s Foe or Privacy’sFriend?” Proc. IEEE, vol. 85, no. 9, Sept. 1997, pp.1480–1492.

10. European Data Directive 95/46/EC, Feb. 1995; www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html.

Salil Prabhakar leads the Algorithms Research Group at Digi-tal Persona. His research interests include pattern recognition,image processing, computer vision, machine learning, data min-ing, document analysis, biometrics, and multimedia applica-tions. He holds a BTech from the Institute of Technology,Banaras Hindu University, Varanasi, India, and a PhD fromMichigan State University, both in computer science and engi-neering. Contact him at [email protected].

Sharath Pankanti is with the Exploratory Computer Vision andIntelligent Robotics Group at the IBM T.J. Watson ResearchCenter. For the past few years he has been working on analy-sis and interpretation of video depicting human activities. Pre-viously, he worked on the Advanced Identification SolutionsProject, dealing with reliable and scalable fingerprint recog-nition systems. His research interests include biometrics, pat-tern recognition, computer vision, and human perception. Heholds a PhD from Michigan State University in computer sci-ence and engineering. Contact him at [email protected].

Anil K. Jain is a University Distinguished Professor in theDepartment of Computer Science and Engineering at Michi-gan State University. He works in the areas of statistical pat-tern recognition, exploratory pattern analysis, Markov randomfields, texture analysis, 3D object recognition, documentimage analysis, and biometric authentication. Jain is a fellowof both the IEEE and International Association of PatternRecognition (IAPR). He has received the Fulbright researchaward, a Guggenheim fellowship, and the Alexander vonHumboldt research award, and he delivered the 2002 PierreDevijver lecture sponsored by the IAPR. Contact him [email protected].


Documents

Biometric Recognition Security and Privacy Concerns