Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
My biggest concern with Biometric encryption, is what happens when the source is gone?
In other words, what if my finger gets cut off? What if my face is maimed? What if I lose an eye? If there's no template, then that data is lost forever, right?
The other issue is that data stolen might be harder without a template, but biometric systems can be fooled - like facial recognition can be thwarted with a simple picture. So, it may help stop mass data theft without storing a template, but biometrics are easier to crack - on an individual basis - than a password stored in your head.
The concern I've developed about biometric validation - and I've mentioned it before - is that if the database is breached its much harder to ask users to change their faces or fingerprints than their passwords.
The problem is that if biometric encryption were devised, it would be trusted as failsafe. The problem is nothing is. Biometric Encryptions sounds wonderful, until you take into account the mess of Key exchange. The premise behind Bio-Enc is that only you can decrypt the data because only you are you. But the computer doesnt know this. All it sees is a string of binary data. A simple side channel attack with the 'correct' binary string will make the computer think that you are someone you are not. This brings up the problem of burden of proof in legal cases. Attorney's will argue, 'He/She MUST have been there, because the file was encrypted/decrypted.' When in fact thats not the case. Anyone with the appropiate hash data could do whatever the supposed 'owner' was able to do. Not to metion other possible legal issues. The Federal Courts have recently ruled that law enforcement cannot force you to give up your encryption passwords, because its in your head... and thus testimonial and protected under the 5th ammendment. But if your password is your face or some other biometric data, all they have to do is get you to sit down in a chair and the system will decrypt your data and possibly then give them evidence they otherwise wouldnt have had. 5th ammendment doesnt protect you from your body identifiers... Thats a bed rock of criminal law... from finger prints to DNA analysis.
Then you have the problem of what happens if you're in an accident and loose a finger/hand or are horribly injured and you're face is damaged. Are you then out of luck? Facial Recog isnt that good, there have been locks for homes built around the concept of Facial Recog allowing entry, and anyone holding up a picture of the person was interupted as the real person.
While the whole idea of Bio-E SOUNDS great. Security wise its not.
Bruce Schneier has mentioned this several times in his blog, if you're interested in his thoughts you should go check them out.
Bio-E brings up more issues than it solves. And saldy it brings up issues that arent an issue with other forms of encryptions. Sure its got the Buzzword factor, and it sounds hi-tech. But most security people would never want to use it because of all the potential issues that arise out of it.
having no knowledge of the inner workings of biometric facial recognition I'm not prepared to comment on that aspect of it. However recently I ran across an issue with facial recognition that completely invalidated its use for any purpose, much less legal prosecution of a person.
I recently uploaded some photographs I had taken during my Navy career to my Facebook page one particular photograph, Michelangelo's Pieta - Mary and Jesus Statue, when I loaded it Facebook's highly reputed facial recognition software tried to tag the face of Mary (mother of Jesus) as one of my personal friends who lives in rural Virginia. So for me facial recognition in the legal realm belongs in the same arena as a polygraph. Not admissible as evidence, and certainly not grounds for obtaining an arrest warrant.
Same here, Mary. Ann Cavoukian will be our guest on IE Radio in December so we'll have the opportunity to ask her about these technologies and how she sees them being implemented going forward.
Absolutely. And the wider the exposure to these kinds of safeguards, the likelier it will be that companies not taking action start looking like laggards.
I'm happy to see government taking a real lead in security -- at least one key aspect of it.
I like that the Commissioner (between this blog and the one on Privacy by Design) poses technology solutions to technology problems. With these possibilities available, it's going to be harder for businesses and technologists to resist the idea of having privacy built right into systems.
Great suggestions and innovation here. Biometric facial recognition isn't going away, so we may as well get used to adopting specialized security measures. Biometric encryption is a terrific example.
Ann, if I understand correctly if the algorithm that creates the key is complex enough this mitigates against reverse engineering but theoretically reverse engineering is possible?
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
ITRC found that more than 600 security breaches took place in 2012. Flaws were found in some of the nation's most respected companies: Apple, Citibank, and Wells Fargo. So, it seems the bad guys are doing better than the men in the white hats.
The FBI recently issued a warning to smartphone users, highlighting two mobile malware applications: Loozfan, which steals personal information, and FinFisher, which is spyware that takes over a smartphone's functions.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
Companies are still getting their feet wet with social networking and what employees should and shouldn't broadcast. But they don't always involve HR and PR. Here's why they should, and what they risk when they don't.
Ushering in a new era of cognitive computing systems, IBM announced today the IBM Watson Engagement Advisor, a technology breakthrough that allows brands to crunch big data in record time to transform the way they engage clients in key functions such as customer service, marketing, and sales.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
