May 9, 2014 -
Stephen Wilson is an outspoken advocate for privacy and identification rights online and has been working on security systems as a software engineer and a private consultant for nearly 20 years.
Known on Twitter as @Steve_Lockstep, Wilson is an active contributor to discussions on online privacy and has commented on several BiometricUpdate.com articles in the past few years.
Wilson has held a number of principal consulting and R&D roles – for groups like Price Waterhouse Cooper, KPMG and Securenet. 10 years ago, he formed The Lockstep Group to be an independent consultant.
“I wanted to move away from vendors and have a bit of intellectual freedom to analyze these issues,” Wilson said.
BiometricUpdate.com had the chance to chat with Wilson about biometrics, federated identity, security, privacy and his own personal professional background. What follows is a snapshot of that conversation.
“I started a privacy practice at the same time [as I formed Lockstep] and my view is that identity management is ‘what do I need to know about you to do business with you’ and I reckon that privacy is exactly the opposite ‘what do I not need to know about you and still be able to do business with you,’” Wilson said. “Privacy is about restraint – what you don’t do, rather than what you do do.”
Roughly six months ago, Wilson joined Constellation Research and heads up its work surrounding identity and privacy from his home base of Sydney.
“The first thing I always say is that there’s no such thing as perfect privacy. Privacy involves a lot of paradoxes that need to be resolved and balanced.”
As we’ve reported extensively in the past on BiometricUpdate.com, privacy is a prevalent theme in discussing the deployments of biometric technologies. According to Wilson, an aspect of this conversation that is often missed or overlooked is the concept of exceptions and collection limitations.
“There are some unintended consequences of biometrics that arise from exceptions, and I don’t think this gets nearly enough coverage,” Wilson said. “When you’re selling a biometric system and when you’re talking about the business case, naturally everybody focuses on the 95% of cases and the best-case performance. But when you look at real world exception handling in biometrics, it creates a new privacy problem that I don’t think gets much coverage.”
Wilson points to false negatives and false positives, as well as the inability to enroll, and what the ramifications of this can be on users, particularly in a school or airport setting, where stigmatization for people whose faces aren’t captured properly or whose fingerprints aren’t captured by a scanner is something to be considered.
“If you take any biometric system, 2 or 3 percent of people are going to fail to enroll, and in a school situation, you might have two or three percent of students that cannot have their fingerprint captured,” Wilson said. “What that means then, is that you have to handle the exception. We need to factor it into our expectations.”
“The way that you handle false-positives or false matches really requires a deft touch and a lot of policy work and I think there’s a hidden cost in biometrics in having to do all of the heavy lifting in policy and exception handling.”
“I’ve been involved with federated identity projects for 19 years. Back in 1995 we thought that there’d be the universal PKI, where you’d have a digital passport – people called it a gold certificate,” Wilson said. “We thought that you’d be able to do internet shopping and do company email and pay your taxes with a single digital certificate. It turns out that wasn’t the case, and I actually think that we still have a fantasy in federated identity land that this will still happen. I don’t think it every will because every silo has its own risk profiles and business conditions. So, when I take that thinking and I apply it back to biometrics, I think that people need to know that national security biometrics is different from consumer biometrics, is different from data center biometrics and so on.”
“I think [biometrics] works very well in high-security facilities. I’ve used it many times myself,” Wilson said.
“If a data center security operator has to spend 15 seconds staring into a camera to get a really high quality scan, or even if they have to do it again, they’ll know what’s going on and it won’t bother them in the slightest if it takes them 20 seconds to get through the door. Play that into consumer biometrics and you’ve got a totally different set of user expectations.”
For the record, Wilson uses an iPhone 5S and is mostly happy with the performance of the device.
In terms of the recent spoof attacks on both the iPhone 5S and the Samsung S5 smartphones that have recently hit the market, Wilson says, “I’m not particularly worried that people are going to run around stealing phones, cloning fingerprints and stealing data from phones. I don’t think that’s the point of the exercise. The point to me is two-fold: It just shows that these things are more complicated than you think and it also exposed some mythology around liveness detection.”
“I’ve looked long and hard to find where Apple said there was liveness detection and they actually never did. Lots of people described the AuthenTec technology as having liveness detection and [with this] you allow this impression to be given that the protection is easy and that it’s universal and it’s just not,” Wilson said. “So I think the purpose of that so-called hack was to reset people’s expectations that these things don’t work like science fiction – the real word is not at all like Minority Report. We just need to be a bit more sober in the way that we set up consumer expectations.”
In case you missed either of these reports, here is BiometricUpdate’s coverage of the iPhone 5S hack, and of the more recent spoofing attack on Samsung’s Galaxy S5 smartphone.
“There are some good features to the iPhone and there are some good features to the Samsung FIDO implementation that I really salute,” Wilson said. “Obviously, template matching on the device is something that’s really important.”
“FIDO is all about being able to do a local template match on the device but then send a small parcel of authentication status information out to a server, so that’s the key I think to federating biometric access control.”
“I think that’s really important architecture.”