EAB explores how to comply with GDPR mandate for biometric template protection
The European Union’s General Data Protection Regulation imposes new requirements for protecting biometric data, but debates and uncertainty about how best to do so continue to dog the industry, motivating the latest workshop from The European Association for Biometrics.
The EAB’s ‘Workshop on Protection of Biometric Data Under GDPR’ was held online this week, bringing together leading researchers from different continents and fields.
Moderator Udo Mahlmeister pointed out at the start of the workshop that the topic touches on legislation, technology and standards, and introduced how they intersect in biometric protection under GDPR. One-way encryption is an area of particular focus.
IEEE 2410-2021 presents a different approach from the ISO standards, by making reference to laws in different jurisdictions. Compliance with the standard, according to its documentation, implies compliance with laws like GDPR and the U.S. State of Illinois’ BIPA, but does not ensure it.
The standard calls for homomorphic encryption to protect templates, and asserts that this takes the data out of scope of GDPR because the data is anonymized.
Mahlmeister also offered a critique of the lack of specificity and other shortcomings of ISO/IEC 24745:2011, which preceded the development of the IEEE standard.
Recital 26, the passage in GDPR that sets out when information counts as anonymous and therefore falls outside the regulation, was Mahlmeister’s starting point, and he provides a breakdown of data protection classes under the regulation, from personal through pseudonymized to anonymized. Whether biometrics can ever really be fully anonymized under the GDPR definition, and if so how, is the key, as-yet unanswered question.
European law preceding GDPR defines anonymization as requiring irreversibility. The downsides of one-way encryption, however, include larger templates and, with some methods, reduced biometric performance.
How ISO standards align
U.S. National Institute of Standards and Technology’s Patrick Grother reviewed the ISO standards.
ISO/IEC 24745 sets a standard for biometric information protection, and ISO/IEC 30136 sets a standard specifically for the protection of templates, without specifying a particular biometric modality.
There are “at least a dozen” schemes and families of schemes for template protection, Grother says. The various schemes all conceive of template protection in roughly the same terms: a pseudonymous identifier (PI) encoder that produces the protected reference together with auxiliary data (AD), and a recoder on the verification side that combines the AD with a fresh probe. Raw feature data is discarded.
The 24745 standard addresses irreversibility and unlinkability, with their validation based on the 30136 standard. Under 24745, irreversibility can be achieved in three ways: data reduction during feature extraction, which Grother characterizes as the typical template generation method in the biometrics industry; encryption with a key held only by the system operator (irreversible only for parties who do not hold that key); or renewable biometric references protected with irreversible transforms.
Four methods of unlinkability are also identified.
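The PI/AD model described above, as an added worked example that is not code from the workshop or from the standards themselves: a fuzzy commitment scheme built on a toy repetition code, written here in Python. Parameter sizes, the sample feature vector and the helper names are constructed for illustration. The linkability check at the end is the kind of test a 30136-style evaluation would run, and this particular scheme fails it.

```python
"""Fuzzy commitment as a toy instance of the ISO/IEC 24745 PI/AD model.

Enrollment keeps only a pseudonymous identifier (PI) and auxiliary data (AD);
the raw feature vector and the random codeword are discarded. Verification
recodes AD with a fresh probe and checks the result against PI.
"""
import hashlib
import secrets

N_BITS = 56          # toy feature-vector length (real templates are far longer)
REP = 7              # repetition-code block length; majority vote corrects 3 errors/block
K = N_BITS // REP    # 8 message bits per codeword (toy entropy, not a real key size)

# Constructed sample feature vector: 56 bits taken from a fixed byte string.
FEATURE = [(b >> (7 - i)) & 1 for b in b"biometr" for i in range(8)]


def encode(msg_bits):
    """Repetition encoder: each message bit is repeated REP times."""
    return [b for b in msg_bits for _ in range(REP)]


def decode(codeword_bits):
    """Majority-vote decoder; REP is odd, so there are no ties."""
    return [1 if sum(codeword_bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(codeword_bits), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def digest(bits):
    """SHA-256 of the bit string: the one-way step that makes PI irreversible."""
    raw = int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def enroll(feature):
    """PI encoder: returns (PI, AD); nothing else is stored."""
    msg = [secrets.randbits(1) for _ in range(K)]  # fresh randomness -> renewable
    codeword = encode(msg)
    ad = xor(feature, codeword)      # feature hidden under a one-time codeword
    pi = digest(codeword)            # hash of the codeword, not of the feature
    return pi, ad


def verify(pi, ad, probe):
    """Recoder: strip the probe from AD, error-correct, re-hash and compare."""
    noisy_codeword = xor(ad, probe)  # = codeword XOR (feature XOR probe)
    corrected = encode(decode(noisy_codeword))
    return digest(corrected) == pi


def flip(bits, positions):
    """Simulate biometric noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def linkable(ad1, ad2):
    """Linkability test: two AD values from the same feature XOR to a codeword
    of the (linear) repetition code, which re-encodes to itself."""
    diff = xor(ad1, ad2)
    return encode(decode(diff)) == diff


if __name__ == "__main__":
    pi, ad = enroll(FEATURE)
    print("genuine, 4 scattered errors:", verify(pi, ad, flip(FEATURE, [0, 10, 20, 40])))
    print("genuine, 4 errors in one block:", verify(pi, ad, flip(FEATURE, [0, 1, 2, 3])))
    pi2, ad2 = enroll(FEATURE)       # renewal: new PI/AD for the same feature
    print("two enrollments linkable:", linkable(ad, ad2))
```

Running it shows a genuine probe with scattered errors verifying, a probe with clustered errors failing, and two independent enrollments of the same feature being linkable through their auxiliary data alone: the XOR of the two AD values is always a codeword. That weakness of fuzzy commitments built on linear codes is exactly why scheme-specific evaluation, and not just a claim of standards compliance, is needed.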
ISO/IEC 30136 calls for analysis of the accuracy yielded by a template protection scheme, the probability that an attack will succeed, and what information leaks if the protection scheme is compromised. It also specifies how to report on the diversity and unlinkability of templates.
The standard also reviews threat models and provides guidance on performance metrics.
Methods of demonstrating irreversibility and unlinkability can be theoretical or empirical, but the evaluations must be published in peer-reviewed forums, Grother says.
Despite the standards being good and aligned with each other, according to Grother, requiring compliance to them would not be enough to ensure biometric templates are effectively protected. The specific application or use case, threat models and mechanisms used must also be required, along with the details of data separation (such as auxiliary data from templates).
Further, large scale performance and cryptography tests on template protection schemes are a necessary next step.
The FRVT program run by Grother at NIST may explore template protection in the future, he says.
A cryptographer’s view
Florian Hahn of the University of Twente explained symmetric and asymmetric encryption; the latter uses a key pair, a public key for encryption and a private key for decryption, and without the private key recovering the plaintext is supposed to be infeasible.
Homomorphic encryption is based on computation with encrypted data, and preserves encryption in the result. Different versions have been developed, but Hahn says that “fully homomorphic encryption” represents “the Holy Grail” in the field.
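As an added example of computation on encrypted data (not code from the workshop), the Python below uses the Paillier cryptosystem, which is additively homomorphic rather than fully homomorphic, to let a server compute the Hamming distance between an encrypted probe and a plaintext reference template without ever decrypting the probe. The primes, the sample templates and the function names are constructed for illustration.

```python
"""Additively homomorphic (Paillier) Hamming distance between an encrypted
probe and a plaintext reference template.

The server computes on ciphertexts only and never sees the probe bits; the
client decrypts a single ciphertext that contains just the distance.
Toy 31-bit primes keep the example fast; real deployments need primes of at
least 1024 bits.
"""
import math
import secrets

P = 2147483647   # 2^31 - 1, prime (toy size)
Q = 1000000007   # prime (toy size)


def keygen(p=P, q=Q):
    n = p * q
    n2 = n * n
    g = n + 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)         # L(g^lam mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """Randomised encryption: a fresh r makes equal plaintexts encrypt differently."""
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def add(pk, c1, c2):
    """E(a) * E(b) = E(a + b)."""
    return c1 * c2 % (pk[0] ** 2)


def mul_const(pk, c, k):
    """E(a)^k = E(k * a); a negative k is taken mod n."""
    return pow(c, k % pk[0], pk[0] ** 2)


def encrypt_probe(pk, probe_bits):
    """Client side: encrypt each bit of the binary probe template."""
    return [encrypt(pk, b) for b in probe_bits]


def encrypted_hamming(pk, enc_probe, reference_bits):
    """Server side: HD = sum(y_i) + sum(x_i * (1 - 2*y_i)), evaluated under encryption."""
    acc = encrypt(pk, sum(reference_bits))
    for c, y in zip(enc_probe, reference_bits):
        acc = add(pk, acc, mul_const(pk, c, 1 - 2 * y))
    return acc


def match(pk, sk, enc_distance, threshold):
    """Client side: decrypt the distance and apply the decision threshold."""
    return decrypt(pk, sk, enc_distance) <= threshold


# Constructed sample templates (8-bit toy vectors); their Hamming distance is 3.
PROBE = [1, 0, 1, 1, 0, 0, 1, 0]
REFERENCE = [1, 1, 1, 0, 0, 0, 1, 1]

if __name__ == "__main__":
    pk, sk = keygen()
    enc = encrypted_hamming(pk, encrypt_probe(pk, PROBE), REFERENCE)
    print("Hamming distance:", decrypt(pk, sk, enc))
```

Paillier encryption is randomised, which is what gives it semantic security: encrypting the same bit twice yields different ciphertexts, so the server cannot tell which probe positions are 1 by comparing ciphertexts. What an additive scheme cannot do is apply the decision threshold under encryption; the client still decrypts the distance, and a fully homomorphic scheme would be needed to return only the accept/reject bit.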
He refers to Kerckhoffs’s principle: the security of the system must rest on the secrecy of the key, not on the secrecy of the algorithm that combines it with the biometric data.
Secret sharing can also help to reduce the risk of encrypted data being reversed or otherwise undermined. Distributed data can be further protected with secure multiparty computation.
Another, newer method that could protect templates is “functional encryption,” in which the holder of the master secret key derives a further key, the function key, whose holder can learn only the result of one specific function evaluated on the encrypted data (here, a comparison result) and nothing else about the plaintext. Semantic security is needed, however, to ensure that no plaintext information can be extracted from the ciphertext itself.
Deterministic one-way functions such as hash functions or keyed hash functions were presented as another cryptographic building block. A practitioner should note that a deterministic function maps equal inputs to equal outputs, so on its own it cannot be semantically secure: anyone who can hash candidate inputs can test them against the stored value, and a keyed hash only prevents this for attackers who lack the key.
Hahn explained the security properties of hash functions and the use of Bloom filters to compare hashed templates for matches. Bloom filters can, however, introduce false positive matches.
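The hash-and-Bloom-filter comparison described above, as an added Python example that is not code from the workshop: positional feature words are hashed with an HMAC under an application key into a Bloom filter, two filters are compared bit-wise, and a search shows a membership query returning a false positive for a word that was never inserted. The filter size, key, word layout and sample templates are constructed for illustration.

```python
"""Keyed hashing plus Bloom filters for comparing protected templates.

Each positional feature word is hashed with an HMAC (the secret key, not the
algorithm, is what an attacker must not know) into a Bloom filter. Two filters
are compared bit-wise; a filter can also answer membership queries, and that
is where false positives appear.
"""
import hashlib
import hmac

M_BITS = 256                              # filter size (toy)
K_HASH = 2                                # hash functions per word
WORD_BYTES = 2
KEY = b"constructed application secret"   # assumed per-application key


def positions(word, key=KEY, m=M_BITS, k=K_HASH):
    """Derive K_HASH bit positions from one keyed SHA-256 digest."""
    d = hmac.new(key, word, hashlib.sha256).digest()
    return [int.from_bytes(d[4 * i:4 * i + 4], "big") % m for i in range(k)]


def template_words(feature):
    """Split a feature byte string into index-prefixed words so that the
    same value at different positions hashes differently."""
    return [bytes([i // WORD_BYTES]) + feature[i:i + WORD_BYTES]
            for i in range(0, len(feature), WORD_BYTES)]


def build_filter(feature, key=KEY):
    """Protected template: an integer whose set bits form the Bloom filter."""
    bits = 0
    for w in template_words(feature):
        for p in positions(w, key):
            bits |= 1 << p
    return bits


def contains(bloom, word, key=KEY):
    """Membership query: True if every position of the word is set."""
    return all((bloom >> p) & 1 for p in positions(word, key))


def dissimilarity(f1, f2):
    """Fraction of set bits that differ between two filters (0 = identical)."""
    union = bin(f1 | f2).count("1")
    return bin(f1 ^ f2).count("1") / union if union else 0.0


def find_false_positive(bloom, inserted, limit=1 << 24):
    """Search for a word never inserted that the filter nevertheless reports."""
    for i in range(limit):
        candidate = i.to_bytes(3, "big")
        if candidate not in inserted and contains(bloom, candidate):
            return candidate
    return None


# Constructed sample templates: enrolled feature, a noisy genuine probe
# (one word changed) and an unrelated impostor feature.
ENROLLED = bytes.fromhex("0badf00dcafebabe1337c0de8badf00d")
GENUINE = bytes.fromhex("0badf00dcafebabe1337c0de8badf0ff")
IMPOSTOR = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    ref = build_filter(ENROLLED)
    print("genuine :", round(dissimilarity(ref, build_filter(GENUINE)), 2))
    print("impostor:", round(dissimilarity(ref, build_filter(IMPOSTOR)), 2))
    fp = find_false_positive(ref, set(template_words(ENROLLED)))
    print("false positive word:", fp.hex() if fp else None)
```

Keying the hash means a new key yields a different filter for the same feature, which is what makes the template renewable. The same determinism, though, lets anyone holding the key test candidate words against a stored filter, and the false-positive search shows the filter also accepts words it never saw; both are effects that a 30136-style evaluation would have to quantify and report.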
The workshop continued with an explanation of how biometric data relates to GDPR, and a round-table discussion, which will be covered in a follow-up article on Biometric Update.