What is privacy really all about?

| March 4, 2009

You can expect national security advisers to have some disdain for privacy, but they cannot simply re-define it.

Here's one of the most bizarre lines I've ever seen in biometrics and national security.  It provides a good spur to revisit what privacy is really all about.  

Fingerprints 'not particularly private,' security czar says
Edmonton
Sun, Thu 10 April 2008
 

The U.S. homeland security czar says Canadians shouldn't fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person's fingerprints are like footprints."They're not particularly private," Chertoff said yesterday during a visit to Ottawa."Your fingerprint's hardly personal data, because you leave it on glasses and silverware and articles all over the world."

Actually there is a technical legal principle here that Chertoff is ignoring (or maybe trying to subvert).  In most privacy law, if information is personally identifiable, then it is treated as "private", insofar as there are legislated limitations on what anyone can do with that information, how they may collect it, store it and share it.  In general, if you collect personally identifiable information — in any way about any individual — then you owe certain duties of disclosure to that individual.  That's what privacy is all about!  It's not about security per se, and it isn't nullified just because fingerprints are readily available for collection.  It's about a duty of care.  

From a common sense perspective, even if people do leave fingerprints lying around, they surely have a presumption of privacy? If you try to have a quiet conversation in a park then you expect some privacy, even if your voice might be picked up by a sensitive microphone at a distance.

I also leave DNA all over the place. How soon before national security people say that's "public" too? Remember the legal principle: any personally identifiable information, collected by any means, comes under privacy law.  Certainly there are national security provisions that trump privacy, but they're not automatic, and they do not change the legal status of any personally identifiable data like fingerprints, on the basis that fingerprints are easily collected and "not particularly private".  

Even granting that fingerprints are left lying around in public, if someone else goes to the trouble of picking them up, scanning them, digitising them, linking them to my identity, and running checks to track my whereabouts then they commit a host of privacy invasions relating to the Collection and Secondary Use principles.

Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an argument that they're really not much good for security!

Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity
management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.

www.lockstep.com.au/technologies  

SHARE WITH:

0 Comments

  1. sally.rose

    March 9, 2009 at 4:59 am

    It’s important that laws

    It's important that laws keep up to date with biometrics and take into account the degree to whcih their privacy is open to abuse. As you point out – the fact that they are private and identifying does not mean that they are secure. As valuable as DNA eveidence is, the seemingly irrefutable proof it offers can be manipulated to frame innocent people. Do you think this will eventually lead to restrictions on the circumstances in which DNA evidence is admissable in Australian courts?

  2. StephenWilson

    March 10, 2009 at 6:39 am

    DNA evidence probably should remain admissable

    IANAL* and for that matter IANAMB** but I don't see that we should forbid DNA evidence across the board.  But I certainly believe that DNA evidence (like biometric authentication) has an aura about it that leads the public to have an inflated view of its powers.  

    Most everyone has heard of the human genome project, which mapped the values of the base pairs (i.e. the letters of the genetic "code": A or C or G or T) at every point in every gene.  Forensic DNA testing on the other hand looks at particular stretches of DNA known to have high variability between individuals, and maps only one of those stretches.  The upshot is that these DNA results are not unique.  Instead, there is a small probability that two different people will have the same base pair sequence in that stretch. 

    I recommend this story which features the thoughts of the acknowledged founder of DNA testing, Dr Alec Jeffreys: DNA fingerprinting sparks fresh worries; discoverer says genetic databases could be misused, Associated Press, 8 Sept 2004; http://www.cbsnews.com/stories/2004/09/08/tech/main641998.shtml.  Extract:

    DNA testing is not an infallible proof of identity. While Jeffreys’ original technique compared scores of markers to create an individual “fingerprint,” modern commercial DNA profiling compares a number of genetic markers — often 5 or 10 — to calculate a likelihood that the sample belongs to a given individual.  Jeffreys estimates the probability of two individuals’ DNA profiles matching in the most commonly used tests at between one in a billion or one in a trillion, “which sounds very good indeed until you start thinking about large DNA databases.” In a database of 2.5 million people, a one-in-a-billion probability becomes a one-in-400 chance of at least one match. 

    [The point about databases at the end of the passage is about the wild idea that once we have big DNA databases, it would be good to start trawling through them to look for matches.  In what's called the "Birthday Paradox" you can have a tiny probability of two particular people matching, but a very high probability that somewhere in the database, there will be a pair of people that match.  We're getting off topic, but it's a rich vein eh?!]

    For juries to understand these subtleties is surely a challenge, but I guess this is why we have rules of evidence.  

    But if I was President, I'd ban TV shows depicting forensic DNA and biometrics as perfect, instantaneous, and sexy!

    Cheers,

    Stephen.

    *   I am not a lawyer.
    ** I am not a microbiologist, to coin a phrase. 

     

    Stephen Wilson is Managing Director of the Lockstep Group.

    Lockstep Consulting provides independent advice and analysis on identity
    management, PKI and smartcards. Lockstep Technologies develops unique
    new smart technologies to address transaction privacy and web fraud.

  3. MikeM

    March 10, 2009 at 10:40 am

    Many candidates: how to choose?

    The point about databases at the end of the passage is about the wild idea that once we have big DNA databases, it would be good to start trawling through them to look for matches. In what's called the "Birthday Paradox" you can have a tiny probability of two particular people matching, but a very high probability that somewhere in the database, there will be a pair of people that match. We're getting off topic, but it's a rich vein eh?!

    At risk of derailing the thread, this is akin to what mathematicians describe as the Secretary Problem.

    Suppose you are reviewing a database of 100 people's DNA. You might elect to check all of them. What about 1,000? Or 1,000,000?

    If the conditions are these:

    1. There is a single position to fill.

    2. There are n applicants for the position, and the value of n is known.

    3. The applicants can be ranked from best to worst with no ties.

    4. The applicants are interviewed sequentially in a random order, with each order being equally likely.

    5. After each interview, the applicant is accepted or rejected.

    6. The decision to accept or reject an applicant can be based only on the relative ranks of the applicants interviewed so far.

    7. Rejected applicants cannot be recalled.

    8. The object is to select the best applicant. The payoff is 1 for the best applicant and zero otherwise.

    Then the optimal strategy is to interview the first n/e candidates and reject them all, where e is the base of the natural logarithms (approximately 2.71828183), then choose the next candidate who ranks above the previous best. If n is large, the probability of selecting the overall best is 1/e, or approximately 36.8% and, unless you are very unlucky, the choice will be close to best. If that doesn't sound great, choosing at random out of 100 candidates gives you a probability of 1% and the chance that who you select may be a real dud.

    Returning to the main topic of the thread, yes, DNA evidence should be admissable unless there are good reasons to not do so. But it can be misleading. It might be easy to leave a used tissue, a coffee cup or cigarette butt belonging to an innocent party at the scene of a crime. There may even be cases where forensic testing finds that two DNA samples match, when a more exhaustive test would find that they did not.

    Furthermore, biometric evidence may be subject to forgery techniques that are yet to be discovered:

    Companies using fingerprint readers to increase security now have to worry about a new threat: the gummy finger.

    A Japanese researcher presented a study on Tuesday at the International Telecommunications Union's Workshop on Security in Seoul, Korea, showing that fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin sporting prints lifted from a glass, for example.

    The results should be enough to send fingerprint sensor makers back to the drawing board, said Bruce Schneier, chief technology officer with Counterpane Internet Security.

    "He didn't use expensive equipment or a specialized laboratory," he wrote in his monthly newsletter Cryptogram, which first reported the study. "He used $10 of ingredients you could buy and whipped up his gummy fingers in the equivalent of a home kitchen."

    Despite its rudimentary nature, the technique defeated 11 different commercial fingerprint readers. Biometric security makers, though, are not quite ready to eat their technology.

    "None of this came as a great surprise, except of his positioning about how easy this is," said Vance Bjorn, chief technology officer for fingerprint-security product maker Digital Persona. "He has put together and documented a fairly elaborate process which worked in a lab environment."

    MikeM's fingers are gum-free and he warns that there are dangers in using the secretary principle to choose a wife.

  4. StephenWilson

    March 12, 2009 at 7:15 pm

    Now everybody, repeat after me: “Biometrics are not perfect”

    So a fingerprint scanner vendor tried to play down the practicality of the Gummy Bear attack: "None of this came as a great surprise, except of his positioning about how easy this is … He has put together and documented a fairly elaborate process which worked in a lab environment."

    This bit of spin side-steps some really important lessons. 

    Firstly, it is supposed by many lay people that biometrics are perfect, that they cannot be stolen, that each biometric scan is unique.  So it bears repeating and repeating again, "Biometrics are not perfect".  To steal and replay a biometric  at all is a very significant achievement, it undermines the very premise of trying to "uniquely" identify anyone.  See the silicone fingerprint spoof on Mythbusters (http://www.youtube.com/watch?v=LA4Xx5Noxyo); the reader in question was said by its manufacturer to have never been subverted.  So even an "elaborate" attack is significant when it succeeds.

    Secondly, in the event of compromise, you cannot revoke the fingerprint and re-issue it. So in principle any possibility of attack, even if it needs to be "elaborate", should be taken extremely seriously.  It's not good enough to build in "liveness" detection, because all that does is assume the system can be made perfect, and defers the creation of a contingency plan to cope with biometric ID theft.  But there is no fallback plan for any biometric that I know of, despite the truism that there is no such thing as perfect security.  In any event, liveness detection is easily fooled; again, see Mythbusters. 

    Finally, the attack really isn't all that elaborate — it's a few hours work.  So what if it "worked in a lab environment"?  Organised criminals have labs! 

    Stephen Wilson is Managing Director of the Lockstep Group.
    Lockstep Consulting provides independent advice and analysis on identity
    management, PKI and smartcards. Lockstep Technologies develops unique
    new smart technologies to address transaction privacy and web fraud.