|
|||||||||
|
|||||||||
|
| You are here: CESG > Policy and Technologies > BWG > Management Summaries > | ||||||||||||
|
Frequently Asked Questions about Biometrics - MS02
This summary lists some general questions often asked about Biometrics. 1. What do we mean by biometric verification? “Biometric verification” (often referred to simply as “biometrics”) is the automatic identification or identity verification of living human individuals based on behavioural and physiological characteristics. Examples include iris recognition, hand geometry, fingerprinting, and speaker recognition. 2. Is this a new technology? These technologies have been deployed for access control for over 30 years. As long ago as 1961, advanced thinkers were predicting that biometrics would be used for credit systems, for access control to military bases, and for financial transfers. 3. What are the primary biometric verification techniques being used today? The main types are:
4. Where have biometric technologies been used in the public and private sector? Biometric technologies have been used for access control to schools, gymnasiums, and government buildings. Trials involving access to banking services have used hand, speaker and iris recognition. Trials and applications also exist in areas of immigration and border control in various countries. 5. Will I be required in the future to use biometrics to access government and commercial services? In Great Britain, asylum seekers are required to give fingerprints as a condition for receiving financial aid and maintaining their status. There have been no decisions made as to whether such programs will be expanded in the future. There are active programmes in many countries aimed at including biometrics in passports to meet future US requirements for entry to the USA under the Visa Waiver programme (N.B. this includes the UK and most EC countries). Governments everywhere are taking a cautious approach to biometrics, making sure that the technological and privacy complexities are understood before widely deploying these devices. 6. What is the difference between “verification” and “identification”? In an identity “verification” application, a user claims to be associated with a specific enrolled identity. The user’s biometric measures are compared only to those enrolled with the claimed identity to determine if the claim is correct. In “identification” applications, the user’s make no claim of identity, allowing the system to attempt to find them among all enrolled records. Actual systems, however, may use much more complicated approaches, comparing a user with many enrolled identities even in verification applications or with only a few in identification applications. 7. Can biometrics invade my privacy? This is a complex question and depends on what is meant by an invasion of privacy and depends upon national law. The use of a biometric device for identity verification does not, in itself, affect your privacy. In some circumstances the storage of biometric information together with other information about you could be considered to be personal data. In this case the information held about you should be treated with the same controls as for any other personal information, and would be subject to the same legal restraints (such as the European Privacy Protection Act and the 1998 Data Protection Act in the UK). Biometric technology can offer strong direct identification and authentication of individuals. As such, it provides opportunities for both privacy enhancement and privacy invasion depending on how the technology is used in applications. For example, biometrics could protect medical records from access by anyone other than the individual concerned; equally it could be used for criminal surveillance operations that would also capture the biometric features of innocent members of the public, which some people might regard as an invasion of privacy. 8. What is the best biometric technology? Fingerprinting, faces, voice, hand geometry, iris patterns are just a few of the measures used for biometric authentication. Each has advantages and disadvantages according to the application and the population using the devices. The use of biometrics is tailor-made. No single technique is “best” for all applications. [See Management Summary MS03] 9. Are biometric measures unique? Biometric characteristics are said to be “distinctive”, but not “unique”. The distinctiveness of a biometric characteristic varies by technique and, because no biometric characteristic is exactly repeatable, the effective distinctiveness depends also upon the degree of similarity chosen to declare a “match”. While a biometric characteristic may be highly distinctive, an image or measurement of that characteristic may not. 10. Can governments use biometric measures to track my movements? Biometric measures are hard to acquire remotely and, because of their variability, are hard to match to existing records. It would be possible in theory to track individual movements depending upon the precise application of the technology. A specific application would need to be carefully analysed in order to ascertain whether this was possible Other information, such as credit card and phone usage, are much better for tracking personal movement. 11. Why are biometrics necessary? Biometrics represent the only practical method of establishing that an individual has only one record in a system and does not have multiple records under different names or identities. Therefore, biometric identity verification is desirable in many types of social service and benefit systems. For other types of applications, such as access control, other technologies may be suitable. 12. Can biometrics be used to prevent identity theft? Biometrics can be a useful tool in making identity theft more difficult. While a card can be stolen, and a PIN number may be fraudulently obtained, biometrics cannot be easily copied and used. A biometric used with a token (such as a card) and/or a password (or PIN) can be even more secure. Biometrics are certainly likely to reduce the scale of identity theft. They can never be a guarantee to prevent it completely. Because biometrics offers a strong binding between the individual and the proxy identifier used by a system, the “ownership” of the biometric feature or the template confers a strong claim to identity. If the integrity of the binding process is high, this offers a high degree of protection against identity theft. If there are weaknesses in the binding integrity, they may be exploited by an impostor and lead to identity theft. 13. What if I don’t wish, or am not easily able to give my biometric?” Any biometric system is likely to be used with a backup system - for those occasions when a biometric does not work. For example, a fingerprint system will not work for users without the appropriate fingers, and iris recognition may not work for blind users. Users who insist on not using biometrics may be allowed to use an alternative method but there is no guarantee of this. It is possible that some systems will not allow for an alternative method. For example, an automated ATM system using iris recognition may not be able to provide a practicable alternative. (The alternative may be to use another ATM or go to a local bank!) In any case, the alternative method is likely to be slower and less convenient than the standard use of a biometric. There are various reasons why a person may be unable or unwilling to use a specific biometric, or biometrics generally, either temporarily or permanently. For these reasons, implementers of biometric systems will need to include alternative forms of identification and authentication (ID&A). However, there may be a penalty to users in that the alternative may be slower or less convenient than the mainstream biometric authentication. 14. How accurate are these techniques? The UK National Physical Laboratory has completed a test of the accuracy of 7 biometric techniques in a computer access control scenario. [See Management Summary MS 11] [Biometric Test Report] 15. Can biometrics reveal health information? There is currently no evidence that any biometric authentication device can significantly reveal any health information. It is true that injuries or changes in health can prevent recognition, but the technologies have no capability of determining the causes of the recognition failure. The biometric images (e.g. face, fingerprint, eye images etc, or voice signals) acquired by the system may show features that can reveal health information. In some cases, some of this information may remain in the template (e.g. if a template stores a compressed version of the image). [See Management Summary MS 07] There can be medical systems that capture similar images to biometric systems, but use the information for diagnosis of disease and not identification. Back to Management Summary Index The UK Biometric Working Group, managed by CESG, supports the UK government and provides advice and information about the implementation and use of biometric authentication systems. For further details telephone +44 (0) 1242 221491 extension 34124 |
|||||||||||
 |
|||
|