Privacy Enhancing Biometric Authentication (PEBA)
User controlled biometric authentication that limits unnecessary audit trails and undesirable surveillance whilst providing appropriate assurance for transactions
Many digital identity systems utilise biometrics such as fingerprints. These are used both to uniquely identify an individual (i.e. via some form of deduplication) and to authenticate their transactions with a relying party. In practice, however, many current implementations either under- or over-use biometric authentication. Under-utilisation arises when the recorded biometric is not checked at the time of authentication, for example by relying on physical inspection of an associated identity credential. Over-utilisation, in contrast, arises when the biometric has to be checked against the central identity database for every type of transaction. Over-use of biometric authentication through centralised checking creates a detailed audit trail of the individual's identification actions and associated locations, which can lead to unnecessary surveillance.
Whilst deduplication can remove ghost accounts from a welfare system, under-utilisation of biometric authentication can result in ongoing leakages where a valid identifier continues to be used, for example, even after the owner has died. The privacy risks of biometric over-utilisation are readily apparent but also suggest that the role of identity in the underlying transaction has not been thought through properly. That is, the level of assurance provided by an "against the central identity database" biometric authentication is much higher than is typically required for many welfare scenarios, resulting in unnecessary cost, complexity and associated privacy risks.
Modern smartphones (and increasingly featurephones) include biometric scanners (e.g. fingerprint readers) and this provides an opportunity for low cost biometric authentication that is privacy enhancing and puts the use of the biometrics more directly under user control.
The technical challenge that needs to be addressed is to link the fingerprint presented to the device with the fingerprint on the central identity database.
PEBA proposes a secure, one-time binding of the fingerprint on the phone with the associated fingerprint held on the central identity database. Once this binding has been undertaken, for regular transactions there is no longer any need to compare the fingerprint biometric with the record on the central identity database. Instead, the biometric check is undertaken on (and limited to) the phone. Assuming a match, the phone can share (suitably encrypted) the authorised identification number (or an appropriate tokenised version of the identification number) with the relying party. For lower assurance transactions in a well designed environment, this "phone based" proof will be all that is necessary to authorise the transaction. Modern smartphones do not (need to) share the fingerprint biometric beyond the device and hence cannot create a privacy destroying audit trail of these low level transactions.
In order to succeed, the solution requires a combination of technological innovations (linking fingerprints to specific individuals rather than just anyone who is authorised to unlock the phone), administrative practices (particularly around the secure one time binding of the fingerprint on the central identity database with the fingerprint on the device) and process redesign (recognising that device guaranteed biometric authentication is sufficient for the required assurance of many transactions).
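The binding and transaction flow described above, as an added example that is not part of the original submission. It assumes a device key pair held in the phone's secure element, an authority signing key for the one-time binding, and constructed byte strings standing in for fingerprint templates (a real matcher is fuzzy; equality of a hash is used here only to keep the flow visible). Only the bound finger, not every finger enrolled to unlock the phone, releases the device key, and the relying party verifies the proof without any call to the central database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// A fingerprint template is a stand-in here: a "match" is simply equality of
// SHA-256 over a constructed byte sample, which a real matcher would replace.
type Device struct {
	priv    ed25519.PrivateKey // lives in the secure element, never exported
	Pub     ed25519.PublicKey
	bound   [32]byte // the one finger tied to the identity number, not every enrolled finger
	TokenID string   // tokenised identification number shared with relying parties
	Cred    []byte   // authority signature over Pub||TokenID, issued once at binding
}

func hashFP(sample []byte) [32]byte { return sha256.Sum256(sample) }

func NewDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // simulated secure-element key
	return &Device{priv: priv, Pub: pub}
}

// Bind is the one-time step at enrolment. The authority has already matched
// sample against the central database (out of scope here), so it signs the
// device key together with the tokenised ID; the device remembers which finger.
func Bind(authPriv ed25519.PrivateKey, d *Device, sample []byte, tokenID string) {
	d.bound = hashFP(sample)
	d.TokenID = tokenID
	d.Cred = ed25519.Sign(authPriv, append(append([]byte{}, d.Pub...), tokenID...))
}

// Authorise is the local check for a transaction: only the bound finger
// releases the key, so a relative who can unlock the phone gets nil.
func (d *Device) Authorise(sample, nonce []byte) []byte {
	if hashFP(sample) != d.bound {
		return nil
	}
	return ed25519.Sign(d.priv, append(append([]byte{}, nonce...), d.TokenID...))
}

// Verify is the relying party's side: it needs only the authority's public
// key and a fresh nonce, and never contacts the central identity database.
func Verify(authPub, devPub ed25519.PublicKey, tokenID string, cred, nonce, sig []byte) bool {
	credOK := ed25519.Verify(authPub, append(append([]byte{}, devPub...), tokenID...), cred)
	sigOK := ed25519.Verify(devPub, append(append([]byte{}, nonce...), tokenID...), sig)
	return credOK && sigOK
}
```

The nonce is what stops a captured proof being replayed; the relying party must generate a fresh one per transaction.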
- Idea
The solution combines the application of existing technologies (e.g. biometric sensors on phones) with an appreciation of the risks of unnecessary audit trails and sharing of biometrics beyond what is required for the transaction's level of assurance.
Cavoukian proposes seven principles for Privacy by Design (PbyD); PEBA satisfies them all:
It is proactive and preventative (don't share biometrics unnecessarily)
It has privacy as the default setting (don't share biometrics unnecessarily)
It embeds the privacy in the design (by redesigning existing processes)
It supports full functionality (transactions that require an official identification number are fully supported)
It supports end to end security with only the minimal sharing of data (e.g. at binding) and does so with complete transparency and hence respects user privacy and control
The solution is digital by default; indeed, it explicitly avoids the understandable but unfortunate (cost and privacy wise) fall back to visual inspection of physical credentials.
Unlocking a phone using biometrics is increasingly the norm in advanced economies and makes security a natural activity for phone users. Unlocking access to welfare services in the same way is an obvious next step.
The key challenge is the secure binding of the identity number to the local biometric. This is both a process issue and a technology issue - and could easily be part of an open standard.
Once the binding has been made to the device, there is no need to connect to the central identity database, hence low connectivity is not an issue. Similarly, presenting the fingerprint does not require literacy / numeracy.
There are two forms of benefit. First, PEBA will mean that under-utilisation of authentication is removed as it becomes the de facto norm for accessing services. Second, over-utilisation of biometrics will be addressed as organisations come to accept the assurance of device-based authentication as sufficient for their transactions.
- United Kingdom
- Academia/Research
- Academic/Researcher
- 1-5
- 10+ years
These ideas have been developed as a result of ongoing work in the UK, reports for Omidyar and a book chapter about Aadhaar. I have fed into the World Bank work on privacy principles for identification systems.
I have strong interactional expertise for engaging with technology suppliers, biometrics specialists and public service delivery staff.
Once the technology has been developed, there will be an ongoing cost for binding the identity number to the device. This could be provided for free at time of enrolment / renewal or charged for as a value added service (e.g. for additional devices).
This is an idea I have been thinking about for many years. The challenge has required me to articulate and develop my thoughts more clearly.
Technically - making a direct link between a fingerprint and the unique ID (most current phones allow multiple biometrics to unlock the device - e.g. other family members can add their fingerprints)
Organisationally - having relying parties trust a device based authentication as equivalent to data from the central identity database