Monday, November 26, 2007

Biometrics are not a panacea for data loss

Along with several colleagues I have been worried by the government's emphasis over the last week on biometrics as a "solution" to data breaches such as those from HM Revenue & Customs. We wrote this morning to Parliament's Joint Committee on Human Rights to point out these problems as follows (now picked up by the Daily Mail, Computing, the Register, New Statesman and the IEEE):

Mr Andrew Dismore MP
Chair, Joint Committee on Human Rights
Committee Office
House of Commons
7 Millbank
London SW1P 3JA

cc: Committee members; David Smith, Deputy Information Commissioner

26 November 2007

Dear Mr Dismore,

The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured':

"The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be." - The Chancellor, Hansard Column 1106, 20/11/07

"What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected." - The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ministers assert that people's information will be 'protected' because it will be much harder for someone to pass themselves off as another individual if a biometric check is made. This presupposes that:

(a) the entire population can be successfully biometrically enrolled onto the National Identity Register, and successfully matched on every occasion thereafter - which is highly unlikely, given the performance of biometrics across mass populations generally and especially their poor performance in the only, relatively small-scale, trial to date (UKPS enrolment trial, 2004). Groups found to have particular problems with biometric checks include the elderly, the disabled and some ethnic groups such as Asian women;

(b) biometrics are 'unforgeable' - which is demonstrably untrue. Biometric systems have been compromised by 'spoofing' and other means on numerous occasions and, as the technology develops, techniques for subverting the systems evolve too;

(c) every ID check will be authenticated by a live biometric check against the biometric stored on the NIR or at the very least against the biometric stored on the chip on the ID card which is itself verified against the NIR. [N.B. This would represent a huge leap in the cost of the scheme which at present proposes only to check biometrics for 'high value' transactions. The network of secure biometric readers alone (each far more complex and expensive than, e.g. a Chip & PIN card reader) would add billions to the cost of rollout and maintenance.]

Even if, in this fairy-tale land, it came to pass that (a) (b) and (c) were true after all (which we consider most unlikely), the proposed roll-out of the National Identity Scheme would mean that this level of 'protection' would not - on the Home Office's own highly optimistic projections - be extended to the entire population before the end of the next decade (i.e. 2020) at the earliest.

Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designers and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

However, this concentration on citizens 'verifying' their identity when making transactions is only one issue amongst many when considering the leakage of personal data. Large-scale losses of personal data can have consequences well beyond an increase in identity fraud. For example, they could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers.

It is therefore our strongest recommendation that further development of a National Identity Register or National Identity Scheme (including biometric visas and ePassports) should be suspended until such time that research and development work has established beyond reasonable doubt that these are capable of operating securely, effectively and economically on the scale envisaged.

Government systems have so far paid little attention to privacy. Last week's events have very significant implications indeed for future government information systems development.

We would be pleased to clarify any of these points or provide further information if useful to the Committee.

Yours sincerely,

Professor Ross Anderson
Dr Richard Clayton
University of Cambridge Computer Laboratory

Dr Ian Brown
Oxford Internet Institute, University of Oxford

Dr Brian Gladman
Ministry of Defence and NATO (retired)

Professor Angela Sasse
University College London Department of Computer Science

Martyn Thomas CBE FREng


David Moss said...

My congratulations to the six of you. Biometrics is the final defence of the National Identity Scheme and that has now been undermined. The blue touchpaper has been lit. We had all better stand back. When this one goes off, it won't be just the UK that sees fireworks, so will every other member of the EU, the US, China and several other countries.

sjmurdoch said...

Also featured on The Register.

David Moss said...

There was an article about your letter in yesterday's London Evening Standard, ID cards scheme 'based on fairy tale technology', by Martin Bentham, Home Affairs Editor. Not on the Standard's website yet.

sy said...

Outdated information on biometrics. I see none of the Drs have a background in working with biometrics or the technology, so how can they comment on it?

People should not assume anything about biometrics; it has moved on a lot from spoofing and being compromised.

Anonymous said...

To Sy -
I suspect the reason they quote that trial is because they are referring to the data that the govt themselves use.

Also, the principal point that this letter makes is that information security is about an awful lot more than biometrics (process and systems integration spring to mind) and this is an area that all of the signatories are more than qualified in.

slimpickins said...

I'm a bit confused by point C.

I thought the Government were expecting to make huge sums from businesses checking ID cards against the NIR and therefore there would be very large network of readers, surely that means that it will be more than just "high value" transactions?

Anonymous said...

We need many more people who actually know something about the technology to speak up and hope our esteemed politicians will prove themselves educable. Thank you.

I like this letter a lot because it addresses problems inherent in biometrics that are not part of the common knowledge that governments base on. For the same reason RFID got pushed through without so much as a peep by the bodies doing it regarding the possibilities for abuse.

This brings up three points I want to mention. The obvious one is observing this is security engineering and the people designing the systems, as well as those overseeing the whole, are clearly not up to the task.

The second one is a bit of a hobby horse of mine: Trust goes both ways, and if we deign to make use of electronics, internets, and advanced cryptography to make stuff hard to forge, we might as well build a real trust infrastructure. I'm not talking about PKI, but I am talking about those doing the identity checking proving they have the right to ask you for your ID information. This also means governed ID issued to government or other organisations (corporations, etc.) and authority delegations to individual employees. Often those employees will not want to give their entire identity with the proof (e.g. police officers), but they have to be identifiable in some way (e.g. police office numbers).

So, why not devise ways for both sides to fess up no more information than strictly needed? Zero knowledge proofs are well known inside the community, but not inside politics. This should change.

The third is that, perhaps paradoxically, this biometric argument shows that a too strict identity binding is undesirable, both for the identifyee and for the issuing governing body. Next question: how much is desired exactly, and what parameters does it depend on? I think this is an excellent subject to invent a math for.

Mary Hawking said...

Aren't there always going to be sizable groups without UK ID cards?
I'm thinking, in particular, of Irish citizens - entitled to work and live in the UK without border or immigration controls. I suppose the same applies to citizens of the EU.
It looks as though these groups would either have to function without an ID card - or be issued with one.
How robust could the system be at detecting efforts to obtain two identities for the same biometric?

Anonymous said...

Surely we need look no further than the "uncrackable" CSS encryption used for DVDs. They sold millions of DVDs and DVD machines, and when the encryption was broken it was a financial and logistical impossibility to change it. Result - the free ripping and swapping of films.
The breaking of the identity card is of course much more serious than the supposed loss of a few billions of revenue from DVD sales. Once my fingerprint, iris, and every other detail about me is cracked, everybody and his brother will have access to all that which is currently mine alone...

Robin Wilton said...

A week ago, I blogged another example of the kind of logic-defying leap policy-makers seem happy to make when talking about biometrics. It was the Chancellor again... saying how important it was to have biometrics as a defence against the kind of data breach recently experienced at the HMRC.

Here's the URL, if you're interested.

Best wishes,

Robin Wilton

Robin Wilton said...

Further to my previous comment... here's the URL of my follow-up blog post today.

Best wishes,

Robin Wilton

anarchic_teapot said...

I got this assurance from the FCO when trying to find out what the situation for expats will be (their emphasis):

"As an additional improvement to the passport issuing process, to safeguard the identity of the individual and to prevent passport fraud, IPS have introduced interviews for all first time adult passport applicants in the United Kingdom."

Soooo that's all right then. Can't fool an interviewer, can you? Fairytale technology and human infallibility.

DCorney said...

Excellent letter - I hope it has some useful impact. I especially like the line that data loss "could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers."
Plenty of ordinary people have very good reasons to keep their identity & location secret.

David Moss said...

Your letter has been picked up by Computing magazine.

David Moss said...

... and in the Gulf Times

David Moss said...

... and SpyBlog

David Moss said...

DCorney: "... I hope [your letter] has some useful impact". Marvellous understatement. Some useful impact, indeed. It's explosive.

The Atos Origin report on the UKPS biometrics enrolment trial came out in May 2005. Under Key Findings, in the Management Summary of the report, there for all to see, even government ministers, it listed the abysmal failure of the biometrics chosen.

In the same month, I posted a paper on the European biometrics portal, Is the biometrics emperor wearing any clothes? That'll set the cat among the pigeons, I thought.

Wrong. There has been no response for two years. And no response to successive letters to government ministers ever since then.

The wrong person writing to the wrong people, no doubt. This letter, on the other hand, written to the JCHR, written by the right people to the right person is a bombshell and may be expected to have some not inconsiderably useful impact.

Ian said...

Would it be OK for me to post this letter on my blog (with appropriate attribution)? I think it speaks for itself.

Ian Brown said...

Please do! Thanks everyone for the positive comments.

Watching Them, Watching Us said...

@ sy - are you sure ?

"Outdated information on biometrics. I see none of the Drs have a background in working with biometrics or the technology, so how can they comment on it?"

How about

"M. Angela Sasse is the Professor of Human-Centred Technology in the Department of Computer Science at University College London. With a background in Human-Computer Interaction, she has been carrying out research since 1996 to develop a user-centred perspective on security, privacy and trust. She has investigated usability and effectiveness of a number of security mechanisms, including passwords and biometrics.
She contributed to BIOVISION, the EU Roadmap project on biometrics, and conducted a usability and user acceptance study as part of a biometrics field trial with 2000 volunteers commissioned by the German Federal Office for information security. In 2004, she was appointed a Specialist Advisor to the Home Affairs Committee for its enquiry into the proposed introduction of ID cards in 2004, and currently serves on the Biometrics Advisory Group, an independent expert panel that advises the Home Office."

"People should not assume anything about biometrics; it has moved on a lot from spoofing and being compromised."

However, the man-in-the-middle attacks on physically insecure reader equipment have got even more sophisticated.

@ dcorney - how much worse will it be for, say, our frontline military personnel, if they get captured by the enemy in Iraq or Afghanistan or held by unfriendly Governments like Iran, if the details of the names of their children, spouses and home addresses etc. are even partially available to their captors ?

David Moss said...

Article on your letter in yesterday's New Statesman.

David Moss said...

I wouldn't normally record a reference to your letter on a mere blog, but the IEEE is different.

Dave Birch said...

" Aren't there always going to be sizable groups without UK ID cards?
I'm thinking, in particular, of Irish citizens "

But Irish citizens are getting their own Public Service Entitlement Card, so in a rational world they should be able to use that to access services that they are entitled to in the U.K. No ID card is an island?

David Moss said...

Dave Birch: "... in a rational world they should be able to use that to access services that they are entitled to in the U.K. No ID card is an island?"

-- What do you think about rationality in UK government?
-- I think it would be a very good thing.

Anonymous said...

Mr David Moss

Excellent work. However there is one extra point of stupidity which you missed.

Passports are traditionally expected to last for ten years. ePassports are sold by the government on the basis that they will work for that long.

Compare the ten year expected lifespan of the epassport with the maximum lifespan the manufacturer guarantees for the embedded RFID chip.

I think when I was interested about such matters I heard it was 3 years. Not only do you have to pay more for your passport, but also renew it three times as often if we keep on pretending this idea works.

David Moss said...

One of the chaps on No2ID spotted this.

DHS Begins Collecting 10 Fingerprints From International Visitors At Washington Dulles International Airport:

The U.S. Department of Homeland Security (DHS) is now collecting additional fingerprints from international visitors arriving at Washington Dulles International Airport (Dulles). The change is part of the department's upgrade from two- to 10-fingerprint collection in order to enhance security and fingerprint matching accuracy.

"Anyone who's watched the news or seen crimes solved on television shows can appreciate the power of biometrics," said Homeland Security Secretary Michael Chertoff. "They help the legitimate traveler proceed more quickly while protecting their identity and enable our frontline personnel to focus even greater attention on potential security risks. Biometrics tell the story that the unknown terrorist tries to conceal, and it causes them to question whether they've ever left a print behind."


This Chertoff quotation should be treasured, neatly demonstrating as it does how some advocates of ID cards confuse fact and fiction, reality and the TV, wishful thinking and scientific fact.

This 10-finger business is the result of a long fight between the US Department of Justice and the NIST on one hand, and the US State Department and the Department of Homeland Security (DHS) on the other, who wanted to stick to two fingers.

Will identification be any better with 10 fingers? Don't know. One thing I do know is that you can't just raise the one-finger probability to the power of 10 to estimate the probability of being able to individuate people. The National Physical Laboratory told me that fingers are not independent events, there are correlations.

So the DHS may register all 10 prints and yet still not be able to individuate people in the world population of 6 billion+ (which, I think, is the test).

Meantime, watch out for any more DHS activity based on TV programmes, fairy tales, native American folklore, etc ... And not just the DHS either -- IPS and IDABC, too.

David Moss said...

It's been two months+ since your letter to Mr Dismore. Has there been any useful response you can tell us about?

Ian Brown said...

Sadly not!

David Moss said...

As far as I know, IPS still haven't issued the invitation to tender for biometrics requirements for the NIS. It was due by June 2007 according to their own strategic action plan. There is still no sign of it.

Which implies that they can't award NIS contracts yet, to the dwindling band of suppliers still in the running.

But their timetable says that contracts should start to be awarded in Spring 2008, i.e. now.

Bit of a dilemma. Will they press ahead and just award the contracts anyway, never mind any acceptance criteria for biometrics? That's a possibility.

In order to try to head it off, it might be useful to alert people to anything known about the biometrics companies in the running. I have started with L1 Identity Solutions, Inc. Anyone know anything about the others?