Biometrics should only be stored on smart-cards
This is a sometimes-heard expression of concern about the potential misuse of
biometric data held in central databases. It refers to the threat to privacy that such
centralised collections of personal data would pose if compromised.
Biometric data are personal data and hence subject to the controls appropriate to
personal data. There is a fear that biometric data may be shared between applications,
perhaps without the knowledge or consent of the subjects. This concern is amplified if
biometric images are stored, rather than the coded template data only, particularly in
large-scale public applications where there may be perceived Orwellian overtones. In
the UK this area is addressed by the Data Protection Act 1998 (DPA), which applies to
biometric data just as much as to other personal data. Codes of conduct may be
needed to provide a specific interpretation of the DPA for biometric applications.
Biometric data are not usually held in isolation. They are typically associated with other
personal data that may form part of the identification and authentication process itself,
or be used subsequently for access control permissions. Such associated data are not
unique to biometric authentication systems, and are commonly stored centrally by
non-biometric applications without apparently eliciting equivalent concern.
Biometric Security Concerns, produced for the UK Biometric Working Group. Last updated September
2003
Solutions
A potential solution is seen in storing personal data on secure tokens or smart cards
that are held by the users themselves. The assumption is that this obviates the need for
a central database of biometric data and therefore negates any privacy concerns. This is
attractive because it promotes the idea of anonymous authentication.
However, anonymous authentication has its limits and may not be tenable in many
circumstances. In government applications, for example, it will typically not be
sufficient to know that the person applying for a benefit payment, passport or driving
licence is who they claim to be. It will also be necessary to check that they are entitled
to the service or payment requested and are not enrolled multiple times under different
identities. For this, a central database of claimants will almost certainly be needed,
even if a token or smart card is used as part of the authentication process. In these
cases the privacy protection advantage ascribed to user-held tokens or smart cards
will be largely illusory.
To mitigate the risk of function creep, biometric data held on a token can be
cryptographically bound to the application for which they were issued, for example by
having the issuer sign the template together with an application identifier, so that a
template lifted from one application's card fails verification in any other application.
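The binding described above, as an added illustration that is not part of the Working Group's paper: the issuer signs a hash of the coded template together with the identifier of the application it was issued for, and each relying application verifies the signature against its own identifier rather than the one carried on the card. The Ed25519 signature scheme, the message layout, the field and application names and the sample template bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// BoundTemplate is a coded biometric template bound to one application by an
// issuer signature over (application ID, hash of template). The field names and
// layout are assumptions for this example, not a standard card format.
type BoundTemplate struct {
	ApplicationID string
	Template      []byte // coded template only, never the raw image
	Signature     []byte
}

// bindingMessage builds the bytes that are signed. A fixed domain tag and a
// length prefix on the application ID make the encoding unambiguous, so
// ("ab", template) and ("a", "b"+template) cannot collide.
func bindingMessage(appID string, template []byte) []byte {
	h := sha256.Sum256(template)
	msg := []byte("biometric-template-binding-v1\x00")
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(appID)))
	msg = append(msg, n[:]...)
	msg = append(msg, appID...)
	msg = append(msg, h[:]...)
	return msg
}

// Bind is run by the issuer at enrolment: it signs the template for exactly
// one application before the token is written to the user's card.
func Bind(issuer ed25519.PrivateKey, appID string, template []byte) BoundTemplate {
	return BoundTemplate{
		ApplicationID: appID,
		Template:      template,
		Signature:     ed25519.Sign(issuer, bindingMessage(appID, template)),
	}
}

// Verify is run by a relying application before it uses a presented template.
// It checks the signature against ITS OWN application ID, not the ID carried in
// the token, so a genuine token issued for another application is rejected.
func Verify(issuerPub ed25519.PublicKey, myAppID string, t BoundTemplate) bool {
	return ed25519.Verify(issuerPub, bindingMessage(myAppID, t.Template), t.Signature)
}

// Demo exercises the three cases a practitioner cares about and returns the
// verification results as (intended application, cross-application, tampered).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-in for a coded fingerprint template (not real data).
	template := []byte{0x3a, 0x91, 0x07, 0xde, 0x55, 0x20, 0xc4, 0x11}
	tok := Bind(priv, "passport-office", template)

	valid := Verify(pub, "passport-office", tok)    // the application it was issued for
	crossApp := Verify(pub, "benefits-agency", tok) // same card presented elsewhere

	forged := tok // template swapped on the card, signature left in place
	forged.Template = append([]byte(nil), tok.Template...)
	forged.Template[0] ^= 0xff
	tampered := Verify(pub, "passport-office", forged)

	return valid, crossApp, tampered, nil
}

func main() {
	valid, crossApp, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intended application: %v\ncross-application: %v\ntampered template: %v\n",
		valid, crossApp, tampered)
}
```

Verify deliberately ignores the ApplicationID stored on the card and substitutes its own, so a card issued for the passport office fails at the benefits agency even though the issuer's signature is genuine. This binds the template to one application and defeats transplanting it elsewhere; as the text notes, it does not by itself remove the need for a central register where multiple-enrolment checks are required.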