Afghanistan biometrics risks: Better consultation could maintain confidence
The possibility of biometric databases covering millions of Afghans falling into the hands of the Taliban has led to renewed calls for a better approach to establishing such databases in the first place.
The initial shock of the Taliban takeover of Afghanistan and the seizure of devices used by the U.S. military to capture biometrics triggered calls for the erasure of such systems. Further reports consider the sheer amount of data held in the system and the possibility that the Taliban has had certain access for several years.
Now researchers at the ICRC and World Economic Forum are urging a different approach to digital identity systems: consultation on how they are set up, data minimization, and technical ways to make the data held less powerful if intercepted. Confidence in the entire biometric sector could be damaged if reassurances are not provided, warns one.
The hashing and dicing of biometrics
The nature of biometrics and mission creep from biometric projects mean that data captured for one purpose and stored in its full extent can be extrapolated for other purposes even without a data breach. It simply should not be kept in this form, according to some.
Biometric data and databases therefore need an approach more like that used for passwords in authentication systems, where hashes are created, write ICRC strategic technology advisers Vincent Graf Narbel and Justinas Sukaitis in a blog post (which also provides a thoughtfully digestible overview of the principles behind biometric systems).
“The ideal scenario would be to identify people with systems that do not expose the biometrics data, so that if data is lost or leaked it is not even recognizable as biometrics but instead look more like ‘junk data,’” write the advisers.
When a password is entered, a hash of it is created: a unique code. The side receiving the password has also created a hash, and it is these hashes that have to match, not the original letters or numbers entered as a password. But the exact password has to be entered to generate the correct hash.
“And therein lies the challenge: because biometrics are never exactly the same when collected (due to lighting, position, angle, dust and other factors), using hashes is prohibited. The match is decided via a probability threshold: for instance, if the two compared biometrics are 95 percent the same, then it is considered a match,” write Narbel and Sukaitis.
This is the challenge the biometrics sector needs to overcome. Research is underway but lacks resources, according to the pair. Efforts to standardize biometric data are also very much a work in progress. In the meantime, the ICRC restricts the biometric data held on tokens by individuals, such as smartcards in refugee settings.
The issue of the uniqueness of biometrics could be sidestepped. A person can change their password after a breach, but they cannot change their iris. Using other data together with biometric data, however, could help create a template which could be changed if there were any issues with the original database.
Another way would be to reduce the uniqueness of the biometrics captured by dicing them up. “These methods remove parts of the biometric sample (e.g. cutting an image into blocks and discarding most of the blocks) or obfuscate the biometric data by distorting it or adding noise to it. These transformations make it so that the stored and processed data cannot be linked to the original one entirely.”
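The contrast described above, as an added example that is not from the ICRC blog post or this article: an exact hash fails on a slightly noisy capture, a similarity threshold accepts it, and a "diced" template (most positions discarded, the rest distorted using extra data) still matches yet can be reissued. The 512-bit sample, the seeds, the kept-block count and the use of Python's non-cryptographic random module are all assumptions for illustration.

```python
import hashlib
import random

N_BITS, KEEP, THRESHOLD = 512, 128, 0.95  # constructed sizes; 95% is the article's example

def digest(bits):
    """Password-style exact matching: SHA-256 over the raw sample."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def similarity(a, b):
    """Fraction of positions at which two equal-length bit lists agree."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

def diced_template(bits, seed):
    """Keep KEEP seed-chosen positions, discard the rest, XOR the kept bits
    with a seed-derived mask. random.Random is illustrative only; a real
    deployment would need a keyed cryptographic generator."""
    rng = random.Random(seed)
    positions = rng.sample(range(len(bits)), KEEP)
    return [bits[p] ^ rng.getrandbits(1) for p in positions]

def matches(a, b):
    return similarity(a, b) >= THRESHOLD

def demo():
    src = random.Random(2021)
    enrolled = [src.getrandbits(1) for _ in range(N_BITS)]  # constructed sample
    other = [src.getrandbits(1) for _ in range(N_BITS)]     # a different person
    probe = list(enrolled)
    for p in (3, 100, 257, 480):                            # capture noise: 4 flipped bits
        probe[p] ^= 1
    old, new = "enrolment-seed-1", "enrolment-seed-2"       # hypothetical extra data
    leaked = diced_template(enrolled, old)
    return {
        "hash_match": digest(enrolled) == digest(probe),
        "raw_similarity": similarity(enrolled, probe),
        "diced_same_person": matches(leaked, diced_template(probe, old)),
        "diced_other_person": matches(leaked, diced_template(other, old)),
        "reissued_vs_leaked": matches(leaked, diced_template(probe, new)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Reissuing with a new seed is what makes the template changeable after a breach: the leaked template no longer matches the person's fresh captures.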
Narbel and Sukaitis conclude that “there is therefore a certain urgency to invest more in the technical research to protect people from function creep. With this in mind, we are calling for partnerships on the issue, and in this case at least, a public-private collaboration is necessary as biometrics-based identification systems are being rolled out at increasing speed.”
Consultation to maintain confidence in biometrics
Algirde Pipikaite, lead of Strategic Initiatives at the World Economic Forum, also calls for more discussion on how biometric systems are established and for plans to be devised from the outset for dealing with emergencies.
“If security challenges are not adequately addressed and emergency plans are not put in place when developing digital identity systems, confidence in the digital identity ecosystem could be dented, which could prevent its full potential value being unlocked,” writes Pipikaite in an article for the Forum.
In the same way that entities devise plans to both prevent and deal with cyber-attacks on the public and private sectors, the same consideration is needed for identity systems. Pipikaite argues that more collaboration can lead to better security: “To avoid situations where biometric data could be exposed or compromised, a close cooperation between government, the private sector and civil society needs to be established.”