FB pixel

Afghanistan biometrics risks: Better consultation could maintain confidence

Afghanistan biometrics risks: Better consultation could maintain confidence
 

The possibility of biometric databases covering millions of Afghans falling into the hands of the Taliban has led to renewed calls for a better approach to establishing such databases in the first place.

The initial shock of the Taliban takeover of Afghanistan and capture of devices used by the U.S. military for capturing biometrics triggered calls for the erasure of such systems. Further reports consider the sheer amount of data held in the system and the possibility that the Taliban has had certain access for several years.

Now researchers at the ICRC and World Economic Forum are urging a different approach to digital identity systems in terms of consultation on the setup, data minimization as well as technical ways to make the data held less powerful if intercepted. Confidence in the entire biometric sector could be damaged if reassurances are not provided, warns one.

The hashing and dicing of biometrics

The nature of biometrics and mission creep from biometric projects mean that data captured for one purpose and stored in its full extent can be extrapolated for other purposes even without a data breach. It simply should not be kept in this form, according to some.

And so biometric data and databases need to take an approach more like that of passwords transmitted via authentication systems where hashes are created, write ICRC strategic technology advisers Vincent Graf Narbel and Justinas Sukaitis in a blog post (which also provides a thoughtfully digestible overview of the principles behind biometric systems).

“The ideal scenario would be to identify people with systems that do not expose the biometrics data, so that if data is lost or leaked it is not even recognizable as biometrics but instead look more like ‘junk data,’” write the advisors.

When a password is entered, a hash of it is created – a unique code. The side receiving the password has also created a hash and these hashes have to match – not the original letters or numbers entered as a password. But the exact password has to be entered to generate the correct hash.

“And therein lies the challenge: because biometrics are never exactly the same when collected (due to lighting, position, angle, dust and other factors), using hashes is prohibited. The match is decided via a probability threshold: for instance, if the two compared biometrics are 95 percent the same, then it is considered a match,” write Narbel and Sukaitis.

This is the challenge the biometrics sector needs to overcome, and research is underway, but lacks resources according to the pair. Efforts to standardize biometric data are also very much a work in progress. In the meantime, the ICRC restricts the biometric data held on tokens by individuals, such as smartcards in refugee settings.

The issue of the uniqueness of biometrics could be sidestepped. While a person can change their password after a breach, they cannot change their iris, but the use of other data with biometric data could also help create a template which could be changed if there were any issues with the original database.

Another way would be to reduce the uniqueness of the biometrics captured by dicing them up. “These methods remove parts of the biometric sample (e.g. cutting an image into blocks and discarding most of the blocks) or obfuscate the biometric data by distorting it or adding noise to it. These transformations make it so that the stored and processed data cannot be linked to the original one entirely.”

Narbel and Sukaitis conclude that “there is therefore a certain urgency to invest more in the technical research to protect people from function creep. With this in mind, we are calling for partnerships on the issue, and in this case at least, a public-private collaboration is necessary as biometrics-based identification systems are being rolled out at increasing speed.”

Consultation to maintain confidence in biometrics

Algirde Pipikaite, lead of Strategic Initiatives at the World Economic Forum also calls for more discussion on how biometric systems are established and plans devised from the outset for dealing with emergencies.

“If security challenges are not adequately addressed and emergency plans are not put in place when developing digital identity systems, confidence in the digital identity ecosystem could be dented, which could prevent its full potential value being unlocked,” writes Pipikaite in an article for the Forum.

In the same way that entities devise plans to both prevent and deal with cyber-attacks on public and private sectors, consideration is needed for systems for identity. Pipikaite argues that more collaboration can lead to better security: “To avoid situations where biometric data could be exposed or compromised, a close cooperation between government, the private sector and civil society needs to be established.”

Article Topics

 |   |   |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

G7 digital identity lingo aligned, technical standards not so much

An attempt to match the digital identity systems of some of the world’s richest countries against each other shows a…

 

Report: Synthetic identity fraud is growing

A new U.S. Government Accountability Office (GAO) report on its recent audit of the US Social Security Administration’s (SSA) Electronic…

 

Biometric sensors for road safety launched by Infineon, Rheinmetall Dermalog

Infineon Technologies and Rheinmetall Dermalog Sensortec have each introduced biometric identification and authentication tools, one based on fingerprints and other…

 

New tools, Authenticate presentations coax hesitant businesses to adopt passkeys

The FIDO Alliance has launched a pair of tools at its Authenticate 2024 event online and in Carlsbad, California, Passkey…

 

How to get passkeys working for a billion Microsoft users and beyond

The FIDO Alliance has kicked off the Authenticate 2024 conference with a campaign urging people to “free yourself with passkeys,”…

 

French regulator releases technical reference on age verification for porn

France’s Regulatory Authority for Audiovisual and Digital Communication, Arcom, has published its Technical Reference on Age Verification for the Protection…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events