This document notes the potential use of biometrics in e-health and
telemedicine applications, but it is mainly concerned with an examination
of the possible health and safety issues, from the user standpoint,
involved in the use of biometric systems. The subject may have some
significance in the context of arguments about the safe use of biometrics
involving the various players (e.g. trade unions and consumers’
associations). Independent safety testing with published results will
do much to allay user concerns in this area and to promote user acceptance.
General interactions between medical issues and biometrics
Before approaching the area of the safety issues of biometrics, defined
in this report as the potential medical threats caused by a biometric
process, we note in passing that biometrics interact with medical
issues in the area of e-health and telemedicine programmes.
Several research or pilot programs, many of them developed in the
framework of the European Community, have suggested the creation
of centralized or distributed archives of patients’ medical
data. The idea is not particularly innovative but (i) the recent
availability and massive adoption of a standard for the exchange
of diagnostic images (Dicom), (ii) the significant decrease of data
storage costs and (iii) the increase of data transfer rates have
given a stimulus to the development of such “telemedicine”
programs.
The secure access to medical information, considered to be very
sensitive data, has always represented a significant obstacle to
the development of centralized archives of patients’ data.
As a security enhancement over traditional strong authentication
methodologies, several new projects now consider the use of biometrics
which, besides offering the known advantages, undoubtedly has
a strong appeal among many users as an innovative and next-generation
technology.
There are a number of potential problems which are not yet resolved.
For example, problems may arise from patients who cannot provide,
permanently or temporarily, the requisite biometric characteristic
and from the concept of “voluntarism” in providing the
biometric characteristics of patients who suffer from mental disabilities.
Other difficulties arise from the inclusion of so called “emergency
modes” that will allow the availability of medical data to
non-enrolled medical personnel in case of emergency (with associated
legal issues).
It is therefore clear that, in e-health applications, we should
recognise that the proper use of biometrics in this area involves
a trade-off between technical and legal issues and that a series
of agreements or codes of conduct must be created to account for
the lack of explicit rules for data protection.
Biometrics and medical concerns
Safety issues in biometrics, in general terms, refer to the
potential medical risk associated with the use of biometrics.
Two aspects should be highlighted:
- the potential risk for the body arising from the use of biometrics
- the potential ethical risk arising from the violation of user’s
privacy caused by the revelation of medical data.
The first aspect could be defined as the Direct Medical Implication
(DMI) and the second as the Indirect Medical Implication (IMI).
The direct medical risk associated with the use of biometrics
Biometric techniques rely on the measurement of physical/behavioural characteristics
of an individual. In most cases, the measurement is performed by means
of a physical interaction between the subject and the machine:
- The subject performs an action on the machine (e.g. touches
a sensor or “presents” to the sensor the biometric
characteristic),
- The machine responds with an action on the subject (e.g. sends
some radiant energy toward the subject).
Both actions may imply a certain degree of invasiveness for the
subject due to the:
- Contact with an object potentially contaminated by germs
- Absorption of a certain amount of radiant energy.
Realistic significance of the Direct Medical Implication
While it is reasonably possible to measure the radiant energy with good
accuracy, and therefore to assess accurately the (potential)
risk associated with the biometric process, the risk analysis for
contamination by contact is much more complex because the risk is similar
to other threats posed by very common objects such
as doorknobs or telephone keyboards.
Contamination by contact
A risk of contamination may occur when the body touches a surface
handled previously by other users. Examples include: hand geometry,
two-finger geometry, vein pattern, retinal scanning and, at the
extreme, even fingerprint. Among all these biometric techniques, hand
geometry should be considered the most significant from the potential
contamination point of view, due to the larger surface of contact.
However, it is certainly true that subjects every day touch several
objects or surfaces which potentially may provide the same risks of
contamination (e.g. doorknobs).
In general, it is evident that it is not possible to refute such an
observation. On the other hand, it should be understood that, where
hand geometry is involved, perceptions may differ from those in
the case of touching doorknobs:
- Familiarity: Hand geometry units are not as common
as doorknobs and it is commonly observed that there is often a
general suspicion of new (and for many users, mysterious) objects.
- (potential) Hostility: hand geometry units are often
used in time and attendance applications. In this (“unfriendly”)
role of control of the users, hand geometry units, as well as
other biometric sensors, may have negative connotations which
can affect users’ psychological attitude to the technology.
In short, hand geometry users might show a conscious or unconscious
antipathy towards this technology and may use hygiene concerns as
a starting point for a dispute.
The key factor for a successful implementation of a biometric process
based on “contact” with the sensor is clear information
about the rational potential risk associated with
their use. Users should be informed that any risks that exist are
directly comparable to other contamination risks in everyday life.
In respect of the contamination risk, for example, users may be provided
with plastic gloves, or the biometric unit may be cleaned and disinfected
more than a doorknob would be, or interaction with an operator could be
made available so that users can discuss any concerns and keep the
problem in a “rational domain”. These measures will help
to increase users’ confidence in the system.
IR illumination
A potential cause of concern in biometrics arises from the use of
radiant energy in the IR spectrum. For correct imaging of the biometric
characteristic, ambient infrared levels are often insufficient and
supplemental illumination is usually needed. Data available (from
vendors) indicates that the IR energy emitted is not harmful under
any conceivable conditions of normal use or even misuse.
A reasonable further step would be to provide verification and validation
of this technical data by accredited laboratories. This would prevent
possible criticism which could arise from the observation that vendors
are not independent, and technical data provided by vendors is therefore
suspect.
The indirect medical risk associated with the use of biometrics
Biometric techniques may potentially reveal medical information. This
concern is often linked to biometric techniques involving the eye.
As previously mentioned, this kind of (potential) threat may be defined
as an Indirect Medical Implication (IMI).
Realistic significance of the Indirect Medical Implication
It is generally a hard task to define realistic scenarios for the
invasion of privacy arising from biometric technologies. Retinal scanning
has frequently been targeted as a technology able to reveal a number
of medical conditions, since it is true that an examination of the
retina may disclose information about the vascular state of the patient
and therefore indicate the state of advancement of diabetes and
of hypertension (both very sensitive information). What should be
clearly assessed is if and how this medical information could be accessible
and usable by a fraudulent operator or by others involved in the biometric
process. Retinal scanning, for example, at least in any previously
known form, does not involve capturing the image of the retina. The
information used by the biometric system is limited to a pattern which
is not in any way related to a medical condition.
An effective way to overcome concerns is therefore to ensure that
any data that is displayed or used by the biometric system is not
medically sensitive. This process, often known as “denaturalisation”,
means that any image displayed to the operator of the biometric
system, for example in the enrolment phase, is degraded or modified
to remove any medical information.
Conclusions: potential threats for biometrics and real risk for vendors
Non-cleaned surfaces or IR illumination may potentially represent
a threat but cleaning procedures, laboratory tests and accreditation
processes can provide user assurance.
What may represent a real risk to the vendors and to the biometric
community is casual or intentionally distorted information on medical
risks from biometrics spread indiscriminately by the media. Incorrect
information may have serious effects both on the specific biometric
technique that is the object of the criticism and on biometrics in
general. Users, already reluctant in some cases to use biometric technologies,
may become more hostile if rumours abound that a biometric technology
or application may affect their health or infringe their privacy.
Independent safety testing of biometric technologies and publishing
of results is a useful pre-emptive approach to help user confidence
and nip unsubstantiated “scare stories” in the bud.
An informed, aware user is probably one of the key factors contributing
to a successful real-world deployment of biometrics.
The UK Biometric Working Group, managed by CESG, supports the UK government
and provides advice and information about the implementation and use
of biometric authentication systems.
For further details telephone +44 (0) 1242 221491 extension 34124