The World Bank Group’s Identification for Development (ID4D) Initiative prepared a Primer on Biometrics for ID Systems (Primer) as a reference document for practitioners, civil society organizations, development partners and other stakeholders on the responsible use of biometric recognition in official or government-recognized identification (ID) systems, such as
national IDs, civil registration, population registers, and others. Over the past 30 years, countries have increasingly incorporated digital biometric recognition into these ID systems, either as part of identity proofing (de-duplication) and/or to provide verification and authentication to service providers. However, given the specialized and often proprietary nature of most biometric technology, the stakeholders mentioned above have not always had access to information they need to effectively
consider the appropriate and responsible use of this technology. The Primer reflects experiences in a range of countries from different regions, with different legal systems, and at different stages of economic development. It also takes into account existing literature, international conventions, and norms and principles. It is based on evolving international good practice, as understood by ID4D. This Primer aims to help fill this
knowledge gap, serving as an introduction to key biometrics-related terms and concepts. It also provides good practices and approaches for determining whether or not biometric recognition is necessary for an ID system and—if so—how to use it responsibly, considering several domains (e.g. technical, deployment, operational, and legal). The Primer includes: Despite the potential benefits of biometric recognition in detecting duplicate registrations and enabling authentication, including security and inclusion advantages over other authentication methods in some cases, deploying these technologies in ID systems presents various challenges. These challenges range from operational,
technical, and legal to ethical considerations and include, for example, data protection, security, performance, inclusion, biometric recognition for children and elderly persons, implementation in harsh environments, technology and vendor selection, literacy, cost, and more. We hope this Primer will help countries more carefully weigh these potential benefits, challenges, and risks, and where biometric recognition is used, adopt good practices for minimizing risk and safeguarding
inclusion and data protection. The Primer does not advocate for the use of biometric recognition, or any particular biometric technology. Rather, it provides analysis and approaches for evaluating the use of the technology and design options for various contexts and applications. The use of biometrics for purposes beyond official ID systems—e.g., for the purpose of surveillance, law enforcement, public security—is outside the scope
of this Primer. In addition, the Primer does not address the broader security and technological issues involved with ID systems, which are addressed in other materials, including through international standards. As with any system that processes personal data, ID systems are vulnerable to attack or misuse given enough time, resources, and determination. The Primer is not intended to be a guide for planning World Bank operations. There is no guarantee that addressing all the issues raised in
this Primer will result in successful use of biometrics in an ID system in a country—that will depend on many factors that must be considered, and which may be different from country to country. While every attempt has been made to be complete, there may be issues affecting the design, establishment or operation of the use of biometrics in an ID system that are not addressed in this Primer, or that are addressed in the context of certain assumptions, facts and circumstances that do not apply
equally to every situation. Nothing in this Primer constitutes legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of any of the analyses or recommendations as applied to any particular situation. This Primer is a reference tool only. As a result, when contemplating the use of biometric recognition for an ID system, policymakers, practitioners and other stakeholders must carefully balance these risks, as well as potential benefits and
alternatives.

Biometrics in ID Systems Frequently Asked Questions (FAQs)

The primary purpose of a biometric system is to use automated recognition technology to accurately

And requires the following activities:

For more information on the workings of biometric systems, please see Section 1.

Unlike password-based systems, where a perfect match between two “passwords” is necessary to validate

For more information on biometric performance metrics, please see Section 6.5.

Establishing a business or operational need involves investigating and documenting the costs, benefits, risks, and alternatives to biometric use. The primary role of biometrics as part of an ID system is increased trust and
confidence in a person’s uniqueness and identity and as a potential authentication mechanism. This can be achieved by using biometrics to check for duplicate identities (identification) or using biometrics to validate a person against a previously stored biometric for that individual (e.g., for authentication during transactions). The requirements for each of these functions will be unique to the local environment, and benefits must be balanced against the costs and risks (both security and
privacy)—such as those related to data protection and privacy, inclusivity and non-discrimination—both of the biometric systems and potential alternatives (e.g., relying on existing forms of identification and demographic deduplication for identity proofing). Such an evaluation should be done during the project planning phase, and involve technical and legal experts, as well as consultations with the public and other potential stakeholders (e.g., the relying parties who will use the system
for identity services).

Biometric recognition involves several distinct processes:

The verification process is where a captured biometric is compared against a single individual’s existing biometric data within a database or stored on a credential. This is known as a one-to-one match (1:1). This comparison produces a match score that is indicative of the likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system-defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.

Enrollment in an ID system occurs through users providing their biographic data for registration. That captured data can then be compared against the enrollment database to ensure that the person is not already enrolled. Deduplication can be performed by comparing biometric data, biographic data, or a combination of both. The deduplication process lowers the risk of identity fraud by helping prevent people from obtaining multiple identities within an ID system that seeks to establish the uniqueness of enrollees, such as most foundational ID systems. Biometric deduplication is used globally in over 130 developed and developing countries as part of the issuance process for national IDs, population and civil registers, or similar foundational ID systems. For more information on biometric applications, please see Section 1.3.

The verification process is where captured data is compared against a single individual’s existing data within a database. This is known as a one-to-one match (1:1). Verification can be performed by comparing biometric data, biographic data or a combination of both. Where biometrics are used, this comparison produces a match score that is indicative of the likelihood of the match being from the same individual. The individual is then considered verified if their match score exceeds a system-defined threshold. Where the match verification fails, a manual verification check may be undertaken by a human operator.
Nonbiometric authentication uses either something you know (e.g., passwords or personal identification numbers [PINs]) or something you have (e.g., a smart card or passport). For more information on biometric applications, please see Section 1.3.

A variety of different biometrics can be used in ID systems; however, the most commonly used traits are fingerprint and iris for identity deduplication, as well as face for identity verification.

Fingerprints are currently the most commonly used modality for biometric recognition in systems such as foundational IDs. This technology relies on the unique minutiae of a fingerprint and requires specific technology (fingerprint readers) for use. A fingerprint pattern under normal circumstances is permanent and unchanging; however, there are factors that can influence the quality of a person’s fingerprints such as employment types, age, and some medical conditions.

Iris recognition is a highly accurate and automated method of biometric identification of someone’s unique and stable eye patterns using pattern-recognition techniques on video. In comparison to other biometric modalities, iris recognition may also provide better protection against spoofing and other attacks. The distinct iris pattern is made up of a number of features within the eye muscle, such as collagenous fibres, crypts, colour, rifts, and coronas. The high stability of the modality is based on the iris pattern’s minimal change from formation prior to birth through the first two years of life.

Facial recognition technology (FRT) has undergone a technology revolution over the last five years. The greatly increased accuracy of FRT has led to the widespread adoption of FRT solutions for both foundational and functional types of ID systems, particularly for 1:1 verification against a mobile device. This biometric technology is well-developed, and commonly engaged for many different use cases.
For example, FRT is a fundamental component of international passport usage through International Civil Aviation Organization (ICAO) standards for e-passports and is commonly used as part of the passport issuance process. Smartphone devices and applications are increasingly using FRT to verify owners or users, which is leading to growing acceptance. However, there are some specific data protection and discrimination risks related to FRT, particularly when used for 1:N matching, due to the widespread availability of photos online, the ability to capture facial images at a distance, the increasing use of FRT for law enforcement, and bias in facial matching algorithms. For more information on different biometric modalities, please see Sections 2, 3 and 4.

The process of fusing (i.e., combining) different sources of information is called multibiometric or multimodal biometrics. It is particularly relevant for large-scale biometric identification and de-duplication systems with millions of enrollment records (for example the foundational ID systems used in India, the Philippines, and Indonesia). There are two major benefits to multibiometric recognition:
Improvements of multibiometric systems also come at a cost, in terms of added complexity, lower acquisition throughput, or increased price. For example, capturing multiple samples of the same finger will add complexity and increase the effort of the acquisition process. In addition, capturing fingerprints from different fingers may require more expensive fingerprint scanners or the use of multiple biometric traits may require additional capture devices increasing the overall cost of the system. Also, multibiometric systems will require additional storage capacity and increased bandwidth and computation resources.

Given the unique sensitivity of biometric data used for identification purposes, such data should only be collected where necessary for a narrowly defined and lawful purpose. Collecting more biometric data than necessary to establish uniqueness or for a specific use case would, therefore, not be justifiable and goes against general data minimization principles. The potential for re-identification through linked data is also increased as there is more personal data being stored. For more information on multimodal systems, please see Section 4 of the Primer.

Fingerprints: Infants and small children that have not fully developed cannot yet have their fingerprint taken, and aging results in the loss of collagen, making the skin loose and dry, negatively affecting the quality of fingerprints acquired by sensors. Manual laborers and persons with disabilities may also have difficulty with fingerprints.
Furthermore, risks and challenges in the use of fingerprint recognition include a wide array of spoofing possibilities, universal master print attacks, replay attacks (where stolen fingerprint data is sent to the host remotely) or other kinds of attacks.

Face: Unlike other biometric modalities such as fingerprint or iris, facial images are easily available in high volume online through social media channels and can be silently acquired at a distance by cheap equipment (CCTV, smartphones). Facial characteristics can also be used to identify race, gender, ethnicity, and other characteristics that could potentially be used to discriminate or otherwise cause harm. Facial images can be easily captured and matched with the subject from which the biometric was taken without any action or knowledge required directly by the subject. Face recognition algorithms can show varying degrees of bias against certain demographics of a population if they have not been trained on a sufficiently diverse gallery of face images.

Iris: Iris systems can be expensive to implement, requiring relatively niche capture devices. Capture for iris systems is more controlled than some other modalities. Potential issues include eye rotation, pupil dilation, occlusion, movement, environment, eyelash obscuration, glare and height. Iris may also exclude subsets of the population, including those with common medical conditions such as cataracts and glaucoma and those that commonly use glasses or contact lenses as well as people with albinism. Additionally, there is the potential for a higher failure to acquire for younger subjects and some racial sub-groups have little visible iris structure which may make capture difficult.

Voice: An individual’s unique voice print can be used for verification, validation, and authentication purposes but is generally not reliable for 1:N identification or deduplication.
Because an individual’s voice print can change over time and due to several factors, such as sickness and environmental conditions, regular updates of individuals’ voice samples are generally necessary for voice recognition systems. For more information on modality specific risks, please see Sections 2, 3 and 4.

Like other sensitive personal data, biometrics must be adequately protected from theft and misuse through a combination of legal, technical, and operational measures. Technical mitigation methods include:
Operational mitigation methods include:
A comprehensive legal and regulatory framework will include data protection measures including:
For more information on mitigation methods, please see Sections 5, 6 and 7. Some of the key questions when deciding whether or not to use biometrics for either 1:N identification (e.g., to establish uniqueness) or 1:1 verification (e.g., to authenticate for transactions) include:
Both ABIS (automated biometric identification system) and AFIS (automated fingerprint identification systems) are software applications designed to undertake the enrollment, matching, and management of biometric information focused on the permanent storage of biometric templates and matching. AFIS are focused on fingerprints only while more modern systems (ABIS) support multiple different types of biometrics. Common examples of ABIS system modalities include fingerprint, face, and iris. For more information on ABIS and AFIS, please see Section 6.1.2.

There are several international not-for-profit membership-based organizations working on biometrics, including:
There are various procedures that may be followed to ensure good quality biometrics.
Support for those unable to use a biometric system is critical to ensure inclusion. Large scale systems have addressed this issue in a variety of ways:
For more information on acquisition issues, please see Section 1.1.1. Biometric data is considered to be sensitive personal data and so needs to be protected with greater rigor than less sensitive types of data. This is particularly the case for government ID systems since they are an active target for sophisticated internal and external attacks. Many of the controls listed are the same as those needed for any large-scale identity system such as ISO/IEC 27001 and ISO/IEC 29100 from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These standards support defining system security and the data protection safe-guarding requirements. Biometric data generally refers to either the raw biometric capture or the biometric template. Depending on the use this data can be stored and used either on a credential or device, inside a central system, with a node of a distributed application, or in a cloud storage bucket. The appropriate location for this data depends on the security requirements, data protection requirements, speed and network connectivity, the computing infrastructure available, and the type of application. For more information on data storage, see Section 6.1. Biometric data is considered sensitive personal information. Some countries treat this as sovereign data that must be stored onshore within a country. Options exist (and are utilized by some major biometric implementations) to host externally to a government agency but within private clouds established onshore with the appropriate level of security and control. The choice to host the biometrics solution externally must be informed by strict data access controls, high levels of independently assessed security, both physical and logical, the ability to ensure all data is stored in the country of origin, and that no third parties can access or transmit this data apart from the managing agency. 
For more information on cloud storage, please see Section 6.1.3. For more information on third party management, please see Section 7.14.1.

The raw biometric data (known as the biometric sample) is data gathered directly from the sensor before any processing has been carried out. A template is the refined, processed, and stored representation of the distinguishing characteristics of a particular individual. The template is the data that gets stored during an enrollment and which later will be used for matching. Because of variations in the way a biometric sample is captured, two templates from the same biometric will never be identical. This is the origin of the probabilistic nature of biometrics, as the matching process can only give a decision confidence, not an absolute assurance. There are two primary reasons to store raw biometric data in addition to templates:
Both requirements mean that it is usually too impractical and expensive to remove the original raw data— as this would have to be re-collected from the population to re-template. However, the original biometric data is also sensitive and should be separated from the template and personal data. For more information on biometric templating, please see Section 6.1.1. Biometric data can be captured offline by mobile or fixed devices. Where data is captured in an offline environment the challenges are ensuring that data is accurately synchronized, that any stored data is protected in case of theft or loss, and that the data is protected against alteration. For more information on offline environments, please see Section 7.10. For face recognition—e.g., for 1:1 authentication against a mobile device—there are several challenges caused by uncontrolled capture devices such as mobiles including:
For instances where the person enrolling is responsible for the acquisition process, there is limited opportunity to provide instruction or correction for presentation of the biometric. Any instructions should, therefore, focus on key aspects, pose, and lighting that can have more significant impacts on the acquisition of a high-quality face image. In some unsupervised use cases, the acquisition process may also include liveness detection features for the purposes of presentation attack detection. Inclusion of this technology in the acquisition can have an impact on the ability to capture a high-quality biometric as it could require the user to alter behavior. The user instructions, including the use of presentation attack detection technology, should also consider accessibility issues where it may prove more challenging for specific users to provide a high-quality biometric. These user instructions could be, for example, supported by both visual and audio cues. For more information on face biometrics, please see Section 3.2.

UNICEF’s 2019 guidance on the impact of biometrics on children [49] identifies that exclusion due to system design or technological constraints and faults, as well as unintentional usage of linked data, are all concerns for children. In addition to the basic hazards associated with any identity management system, the possible influence on minors should be considered for some key reasons, including:
Other populations that can have issues with biometric systems include:
In all cases such individuals need to be provided alternate mechanisms for proof of identity. Multimodal biometric systems can also support individuals that cannot use one modality. Good governance ensures that reporting is made available on the reasons for failures to enroll in operation.

A biometric system is composed of several different subsystems. Each subsystem may have several different points of attack, and for each point of attack there may be one or more potential exploits. Although such attack points exist in all matching systems, not all are equally vulnerable. Enrollment fraud can occur when an individual is able to procure fake foundational documents, take over another person’s identity, subvert the enrollment by using a fake biometric, or corrupt the enrollment process (perhaps through a bribe). For more information on risks during the enrollment process, please see Section 1.5.

Technical risk mitigation measures include presentation attack detection, tamper mitigation, and biometric template protection.

Biometric spoofs or fakes could be used to attack a system. Such spoofs can be produced from biometric data obtained directly or covertly from a person online or through hacked systems. This attack could involve a printed photo, an image or video of a person on a tablet, or the presentation of a 3D mask or a fake silicone fingerprint. Presentation attack detection (PAD) refers to detecting a biometric spoof when it is presented to a biometric sensor.

Tamper mitigation involves the integrity of the sensor being both electronically tested and physically secured to ensure that no modifications or substitution have been undertaken. Tamper-proofing might include physically sealing all the internal hardware in resin and using electronic sensors to detect if seals have been broken.

Biometric template protection, or biometric encryption, is a method that increases the difficulty of accessing biometric information from stored data.
This involves mechanisms to restrict the use of the biometric through active changes to the information stored. For more information on technical risk mitigation methods, please see Section 6.6. There are a wide range of biometric fingerprint acquisition devices, and new devices are constantly being developed. When comparing different scanner technologies, the following are the high-level considerations:
For more information on fingerprint modality, please see Section 2.2.

Standards aim to establish generic sets of rules for different products and to facilitate interoperability, data exchange, consistency of use, and other desirable features. International biometric standards on interoperability allow stability and consistency of biometric technologies and products. Some well-known biometric standards for ensuring interoperability are referenced in Section 6.5.1. Biometric system performance heavily relies on the quality of the acquired input samples. Compliance to the corresponding international biometric standards advising on data quality ascertains a better quality assurance management process. Hence, with the use of standards, great flexibility and modularity can be achieved. Biometric standards for quality assurance are referenced in Section 6.6.2. For more information on standards for ID Systems, please see the Catalog of Technical Standards for Digital Identification Systems [50].

While it is technically possible to generate an image from a biometric template, it is not a practical attack vector in most cases. The process is called "hill-climbing." It relies on having access to the original algorithm that was used to generate the template, and then successively updating an initially random image until the new image is closer and closer to generating the same template. Once the original template is close enough, the new image would pass a biometric match, even when the image itself might look substantially different from the original image. The computing power and setup required to do this is usually more complex than other forms of attack.

A token is a representation of the captured biometric data that has had some minimal amount of processing applied. For passports, the ICAO definition of the facial token to be stored on the passport chip is a cropped and scaled representation of the actual image. This is processed by the chosen matching algorithm.
The reason for storing the image, rather than extracted features, is that any recognition algorithm can be used to process the "raw" data and advances in matching are not precluded. This is known as template interoperability. Another good reason for using a token is that advances in algorithms may discover new ways of extracting distinctive features from the original biometric sample. Using a token can allow seamless upgrading of algorithms. For more information on biometric data protection methods, please see Section 7.0. With the digital identity space advancing at an accelerating pace, there has been an increase in biometric standards that are critical for identification systems to be robust, interoperable, and sustainable. Some international standards that apply to the use of biometrics in an ID system are referenced in Section 6.5.3. For more information on standards, please see Section 6.5. The establishment of a robust governance structure is necessary to ensure that biometric systems stay in compliance with operational goals. Governance structures should be designed to effectively implement and monitor the risk mitigation strategies outlined by threat modeling and data protection and other impact assessments. A robust governance framework will ensure that all governance roles are given specific, detailed, and transparent responsibilities. Several questions should be asked when designing a governance structure, including:
In addition, robust auditing processes will facilitate accountability and enable remediation where required. The processing of sensitive and personal data should be monitored by an appropriate, independent oversight authority and, to the extent possible, by data subjects themselves. Audit logs must be made easily accessible to the relevant authority while maintaining user privacy. A transparent audit system can also reinforce public support and uptake of the system. For more information on governance best practice, please see Section 7.8.

Communications and public engagement are vital for the rollout of biometric systems. This includes internal communications to staff around the use and benefits of the technology and a communications and marketing strategy to the wider population of users to ensure that they understand how and why biometrics are being used and where they can seek more information. Good communications strategies are needed to address common concerns around the use of biometric technology without oversimplifying or downplaying risks. Beyond one-way communications, effective engagement strategies are also essential for soliciting public feedback on concerns and solutions, and improving overall trust in the system. For more guidance, see forthcoming ID4D guides on engaging with civil society organizations (CSOs) and communications strategies.

The migration of biometric and identity data to a new or upgraded biometric system can be complex and error prone. This is because of one or more of the following factors:
To reduce the chance of errors, it is recommended to ensure a comprehensive planning phase for migration is undertaken, including an analysis of the existing data as well as third-party audit mechanisms to provide assurance that there is no data loss or corruption.

There are several possible risks that have caused a global concern over the use of biometric systems:
For more information on biometric risk factors, please see Section 1.5.

In general, the use of biometrics must satisfy the principles of necessity and proportionality, meaning the measure is necessary to meet a specific and legitimate need (and would be effective in doing so) and there is no less intrusive way of achieving that end. A balancing test must be undertaken to strike a fair balance between the risks to and impact on the individual and the apparent benefit to society or the public interest. This test can take the form of a data protection impact assessment and accompanying policy document. Appropriate safeguards must also be implemented to ensure data minimization, purpose limitation, robust data security, the prevention of unauthorized access or use, and strict retention and disposal requirements. Data must not be repurposed or shared with third parties without their knowledge, and, in every case, there must be a lawful basis for the data processing. Finally, there should be a mechanism for human intervention and oversight, including an easy way to exercise individual rights, lodge complaints, and seek redress. For more information on data protection, please see Section 5.2.

Each country’s legal system is unique and therefore, different measures may be required in different countries. In turn, there must be a clear lawful basis under the data protection legal and regulatory framework for processing biometric data in an ID system. Most ID systems mandate participation and enrollment; therefore, consent is unlikely to be a suitable lawful basis for the associated processing of biometric data. The imbalance of power between individuals and public authorities also means that the former may feel pressured to give their consent even if not mandatory (especially if failure to give consent means they may not access a particular government service or benefit).
Rather than relying on consent, a public authority should, therefore, be able to demonstrate that the collection of biometric data is necessary for a reason of substantial public interest relating to the ID system, on the basis of a law that contains adequate safeguards (e.g., in respect of transparency, data security, data minimization, purpose limitation, and accuracy). For more information on laws and regulations, please see Section 5.

The US Department of Labor defines PII as "Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means." [51] Biometrics are almost always deemed to be PII due to their ability to uniquely identify an individual. Moreover, they are typically classified as “sensitive” PII, which entails greater risk to the individual if compromised or disclosed without authorization and therefore requires higher levels of protection.

The following terminology is used:
Note that in the literature, FAR versus FMR and FRR versus FNMR are often used interchangeably. There is, however, a subtle difference in that FAR and FRR are system-level errors, taking into account, for example, samples that failed to be acquired. Other terminology that is used in the literature is the true acceptance rate (TAR), which is defined as 1 – FRR and measures the degree to which a biometric system correctly matches the biometric from the same person. For more information on biometric performance metrics, please see Section 6.4.
Biometric data should be securely stored and protected to prevent processing by unauthorized parties, loss, theft, unwanted destruction, and damage. Given the increasing occurrence of large-scale cyber-attacks on IT systems (including well-documented cases of breached systems holding biometrics), it is vital to ensure that data is adequately secured. The biometric data must be protected throughout all system components and during all phases of the system lifecycle. Technical mitigations that assist with data protection include:
For more information on technical mitigation measures, please see Section 6.
All physical and electronic security systems have vulnerabilities that require a variety of different levels of expertise to exploit. Any security system can be circumvented with enough access, time, and resources. No single security technique can remove all possible points of vulnerability in a system. As such, it is important to consider security infrastructure as a series of complementary interconnecting factors that are enforced by appropriate levels of governance. In addition, new methods of attack are being constantly invented due to the evolving global technological landscape. For example, attack artifacts such as realistic latex masks and 3D printed fingerprints are now increasingly available. This trend will mean that sophisticated attack scenarios that were once restricted by availability, resources, and skill will become increasingly frequent. It is important to note that concerns about risks vary by stakeholder. For example, citizens may be concerned about their privacy, discrimination, and function creep, whereas governments may be more concerned about public trust and reputational damage. For more information on technical mitigation measures, please see Section 6.
Most foundational ID systems, particularly those based on face and fingerprint recognition, require the use of human operators to assist the automated system in resolving matches with match scores that fall between the automatic rejection and acceptance thresholds. If the algorithm assessing the similarity of two images fails to verify the match because the match score falls below a predefined threshold, the transaction can be referred to the manual resolution team (sometimes called manual adjudication) for processing.
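The difference between algorithm-level rates (FMR, FNMR) and system-level rates (FAR, FRR, TAR), and the referral of in-between scores to manual resolution, can be worked through on numbers. The following Python code is an added example, not part of the Primer: the scores, thresholds, and failure-to-acquire rate are constructed, and the FAR/FRR relations are the usual single-attempt ones from ISO/IEC 19795-1.

```python
"""Added illustration: algorithm-level vs system-level error rates and
two-threshold triage. All scores, counts and thresholds are constructed."""

# Constructed similarity scores in [0, 1]; higher means more similar.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.79, 0.97, 0.55, 0.84, 0.90, 0.73]   # same person
IMPOSTOR = [0.12, 0.30, 0.08, 0.41, 0.66, 0.22, 0.17, 0.35, 0.05, 0.28]  # different people
FTA = 0.05  # assumed failure-to-acquire rate: 5% of attempts yield no usable sample


def fmr(impostor, threshold):
    """False match rate: share of impostor comparisons scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def fnmr(genuine, threshold):
    """False non-match rate: share of genuine comparisons scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def system_rates(genuine, impostor, threshold, fta):
    """System-level FAR/FRR/TAR for one verification attempt. An attempt that
    fails acquisition can never be accepted, so it lowers FAR and adds to FRR."""
    far = (1 - fta) * fmr(impostor, threshold)
    frr = fta + (1 - fta) * fnmr(genuine, threshold)
    return {"FAR": far, "FRR": frr, "TAR": 1 - frr}


def triage(score, reject_below, accept_at):
    """Two-threshold decision: scores between the thresholds go to a human."""
    if reject_below > accept_at:
        raise ValueError("reject threshold must not exceed accept threshold")
    if score >= accept_at:
        return "accept"
    if score < reject_below:
        return "reject"
    return "manual"


def workload(scores, reject_below, accept_at):
    """Count how many transactions land in each outcome."""
    counts = {"accept": 0, "reject": 0, "manual": 0}
    for s in scores:
        counts[triage(s, reject_below, accept_at)] += 1
    return counts


if __name__ == "__main__":
    # A low threshold admits impostors; a high one rejects genuine users.
    for t in (0.40, 0.70, 0.90):
        print(t, system_rates(GENUINE, IMPOSTOR, t, FTA))
    print(workload(GENUINE + IMPOSTOR, reject_below=0.50, accept_at=0.80))
```

At a threshold of 0.70 the algorithm-level FNMR is 0.20 while the system-level FRR is 0.24, because the failed acquisitions count as rejections; widening the band between the two thresholds trades automatic errors for manual adjudication workload.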
As the capability and performance of current biometric solutions improve, the cases that absolutely require humans to perform the identification process will become increasingly difficult, in the sense that the amount and type of such cases requiring manual processing will necessitate humans having improved training and tools. Section 7 contains more information on the operation of biometric systems.
System operators should receive comprehensive system training, both on how to use the system and on how to avoid misusing it. Operators should also be audited on a regular basis by a transparent and independent authority to ensure that individuals only have access to the functions needed for their specific job function or role. Furthermore, the system design should restrict any individual's ability to alter or delete data or make changes to the system's operation (such as changing the matching threshold). Strong auditing processes will facilitate accountability and allow for remediation where necessary. The processing of sensitive and personal data should be overseen by an appropriate, independent oversight authority, as well as, where possible, by the data subjects themselves. Audit logs must be easily accessible to the appropriate authority while protecting user privacy. A transparent audit system can also boost public support and adoption of the system. Section 7.1 contains more information on operational security.
The integrity of a biometric system is obviously an important attribute in maintaining public trust and ensuring that sensitive and personal data is not compromised. New methods of attack are being constantly invented due to the evolving global technological landscape. For example, attack artifacts such as realistic latex masks and 3D printed fingerprints are now increasingly available. This trend will mean that sophisticated attack scenarios that were once restricted by availability, resources, and skill will become increasingly frequent.
For more information on system compromise, please see Sections 7.4 and 7.5.
It is recommended that biometric systems undergo regular audit at least yearly. This audit should look at various measures of system performance including failure rates, transaction performance, and acquisition quality. Another useful activity is to have a biometric penetration attack undertaken. This can help ensure the system is operating as expected. A periodic and systematic (weekly and after each patch or change brought to automated biometric identification system [ABIS] configuration) accuracy testing of the ABIS by an independent third party can ensure the ABIS is not “silently broken.” In addition, it is recommended to regularly collect data not only on system performance, but also to assess the efficacy of enrollment procedures, operator performance and adherence to procedures, and people’s experiences enrolling and using biometrics. This will help identify potential issues that could lead to exclusion, poor quality data, and/or reputational damage. This can be done via the ID and biometric systems and through periodic surveys, audits and mystery shoppers, and process observation.
To ensure that the legal, operational, and technical data protection practices of any third parties with access to biometric systems match or exceed those employed by the implementing agency. Additional measures that should be considered include:
For more information on third-party system access, please see Section 7.14.1.
A primary principle to help reduce the impact of data breaches is the logical separation of biometric data into different data stores. The data includes both the original raw image and the template. The link between an individual’s biometrics and other sensitive personal data in these data stores should be a unique string that is not used for any other purpose. Should the biometric database be compromised, the attacker should not be able to link any data back to specific individuals. To be effective, separation must be managed with other technical and organizational controls, including encryption and access controls, to prevent an attacker from easily taking all the data in a single breach. For more information on data separation, please see Section 6.2.1.
Biometric data is especially sensitive and so needs to be protected with greater rigor than less sensitive data. This is particularly the case for ID systems since they are an active target for sophisticated internal and external attacks. Biometric template protection, or biometric encryption, is a method that increases the difficulty of accessing biometric information from stored data. This involves mechanisms to restrict the use of the biometric through active changes to the information stored. These mechanisms can introduce restrictions for the use of the biometric system for the purposes of
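The logical separation of biometric data described above, with a link value that is used for nothing else, can be compared with a layout that keys the biometric store by an existing identifier. The following Python code is an added example, not part of the Primer: the store layout, field names, and sample records are constructed, and the in-memory dictionaries stand in for data stores that would each carry their own access controls and encryption.

```python
"""Added illustration of logical separation of biometric data.
Store layout, field names and sample records are constructed."""
import secrets

# Constructed enrollment input: demographic data plus a placeholder template.
APPLICANTS = [
    {"national_id": "ID-000123", "name": "A. Example", "template": b"\x01\x02\x03"},
    {"national_id": "ID-000124", "name": "B. Example", "template": b"\x04\x05\x06"},
]


def enroll_weak(applicants):
    """Weak layout: the biometric store is keyed by the national ID number,
    an identifier that is also used everywhere else."""
    demographic = {a["national_id"]: {"name": a["name"]} for a in applicants}
    biometric = {a["national_id"]: a["template"] for a in applicants}
    return demographic, biometric


def enroll_separated(applicants):
    """Separated layout: the biometric store is keyed by a random link value
    used for nothing else; the link-to-identity mapping sits in its own store."""
    demographic, biometric, link_map = {}, {}, {}
    for a in applicants:
        link = secrets.token_hex(16)      # 128 random bits, derived from no attribute
        while link in biometric:          # enforce uniqueness
            link = secrets.token_hex(16)
        demographic[a["national_id"]] = {"name": a["name"]}
        biometric[link] = a["template"]
        link_map[a["national_id"]] = link
    return demographic, biometric, link_map


def linkable_keys(biometric, demographic):
    """Audit check: biometric-store keys that also identify a demographic
    record. A non-empty result means the stores can be joined without the link map."""
    known = set(demographic)
    for record in demographic.values():
        known.update(str(v) for v in record.values())
    return sorted(k for k in biometric if k in known)


def lookup_template(national_id, biometric, link_map):
    """Authorized path: resolving a template needs the link map and the biometric store."""
    return biometric[link_map[national_id]]


if __name__ == "__main__":
    d, b = enroll_weak(APPLICANTS)
    print("weak layout, linkable keys:", linkable_keys(b, d))
    d, b, m = enroll_separated(APPLICANTS)
    print("separated layout, linkable keys:", linkable_keys(b, d))
```

The audit check only catches keys that repeat a known identifier; a link value derived from an identifier, such as a plain hash of the ID number, would pass it while still being recomputable, which is why the link here is random.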
For more information on biometric encryption, please see Section 6.1.4.
Biometric systems have several parameters that control accuracy, such as the threshold and quality settings. An incorrectly tuned biometric system may perform very poorly, either by being easily fooled or by rejecting too many of the correct individuals. For any large system it is important to recognize the importance of tuning the various parameters after operation has commenced to ensure optimal performance. For more information on biometric configuration, please see Section 6.4.1.
All matching algorithms need to be trained on data, both to create and tune the algorithm. This is done using large sets of labeled data that vendors have compiled. The output of this process is a model that can be used to predict similarity, but its robustness depends upon the data that was available for training. Face recognition tends to be the main biometric modality that is subject to further training. This is because it is often more sensitive to demographics, capture technology, and environment than other modalities. Many modern biometric systems use machine learning to teach the algorithm which faces are from the same person as compared to different people. When this is undertaken on enormous numbers of individuals, the algorithm learns to become better and better at recognition. Recently some implementations have allowed customers to train on their own local data, resulting in more precise algorithms for local conditions. This can be beneficial but must be approached with caution as it is easy to “overfit” the training data so that performance is better on the set of faces in the training but much worse for unseen faces. While it is technically possible for systems to include "online" learning to adjust their accuracy during operation, most implementations where learning is available do this as a batch process. This is because of risks associated with poor or misleading training data arising from mislabeled data (ground truth).
For more information on matching algorithms, please see Section 1.2.
While algorithmic bias—i.e., variation in the accuracy of biometric systems based on demographics such as ethnicity or race—may be technically present in all biometric systems, it is mainly systems that use facial recognition technologies (FRT) where most concern about the adverse consequences of system bias is found. As most FRT algorithms are generated by training the system to detect several faces from a database, bias is highly likely in systems where the database is not sufficiently diverse. Early FRT algorithms often had high bias and poor accuracy; however, newer algorithms have corrected for much of this by ensuring they employ a larger and more diverse database for training algorithms. Current FRT systems are not bias free, however, and the risk of engineering systems that contain bias is still present. It may be possible that bias cannot be eliminated for FRT, even where the training data has the perfect demographic distribution; therefore, the goal is to minimize bias as much as possible. For more information on matching algorithms, please see Section 1.2.
Assessing biometric performance claims can be complex for those without a statistical background. When assessing performance claims it is important to consider several factors:
For more information on biometric accuracy, please see Section 6.4.2.
The compromise of any system holding personal data is extremely serious. This is particularly the case for ID systems that hold biometric data, as a person’s biometrics cannot be practically changed. For the individual, that can cause concern about identity theft and loss of control of personal information. Each country will have different laws about what is required in terms of notification after a data breach. Best practice, however, involves outreach to all those affected, an attempt to track down those responsible for the breach, and the removal of any copies found online. Additional watch mechanisms may be placed on the accounts of those affected to compensate for an elevated risk of attack. The use of biometrics is just one part of the overall identity confirmation process and helps to control risk, not eliminate risk. Modern biometric systems should have presentation attack detection to reduce the chance of a stolen biometric being used. To prevent data being stolen it is important to have state-of-the-art encryption for data, both at rest and in transit, and not link biometric data to demographic data (including “public” personal identifiers). For more information on securing biometric information, please see Section 6.1.
Biometric operations are by their very nature probabilistic. Therefore, it is not possible to say with 100% certainty in most cases that an identity match has positively identified an individual. Sources of misidentification are modality dependent but can include twins, a poor-quality sample, or a poorly tuned algorithm. Handwritten signatures are currently used to “attest” a transaction for many legal purposes, and the traditional signature is just a type of biometric. Other biometrics can have a significantly higher accuracy than signatures but they are not foolproof.
Ultimately, proof of a transaction rests with the legal framework in a jurisdiction and the risk tolerance of the organization using the biometrics. For more information on legal considerations, please see Section 5.
A functioning biometric system requires all the standard personnel needed to ensure a functioning IT solution including but not limited to security, operations, governance, database, and performance. Biometric systems, however, do have some specific types of personnel that are different from a standard IT system. These individuals include identity resolution specialists (these need training for each different modality that is used), acquisition staff (the people that are capturing the biometrics), and performance and accuracy experts (experts in how to ensure the biometric system is running accurately).
There are three methods to evaluate vendors’ past performance and quality that can be used in combination:
Biometric specific factors for a good tender include the following:
For more information, please see the ID4D Procurement Guide and Checklist for Digital Identification Systems.52
Vendor lock-in occurs because of technology choices that are not sufficiently flexible and do not anticipate system changes. In a biometric system this may, for instance, relate to the templates that have been generated from a particular algorithm and cannot be used with another vendor. In most cases templates are proprietary and, therefore, not easily transferred between technologies (or even versions). Consequently, it's extremely important for ID systems to store and back up the original biometric images outside of the ABIS. Planning for how this data will be protected and used for re-enrollment is a critical part of the system lifecycle. Systems that have highly modular architectures should also allow for the replacement of algorithms and the addition of new modalities. For more information, please see the ID4D Procurement Guide and Checklist for Digital Identification Systems.53
Open-source solutions are solutions where the code is available for use without commercial restrictions and where the technology has been placed in the public domain. This can allow for significant advantages in terms of customization and integration. Its disadvantage is that it may not be as accurate or perform as well as commercial offerings that have had significant additional investment. Open source can be involved with many different components of a system from the algorithm through to the integration framework. Some solutions will mix both open and closed source solutions.