PhotocopyingSingle photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit edu-cational classroom use.
NewsKaspersky reports surge in cyber-attacks on
selfies and other biometry 1
Seattle airport halts its facial ID rollout 2
New UK Government backs biometric border control 3
US and China among most invasive users of biometrics 3
NatWest unveils biometric fob for contactless payments 11
Amsterdam airport’s facial ID fooled by simple photo 11
NIST launches datasets to help cut error rates 12
FeaturesThe future of biometrics in policing
worldwide 5
The use of biometrics by police forces worldwide has hit significant hurdles, including bans in several US cities and a halt of police biometric trials across the UK over mass surveillance concerns. But equally police forces are under pressure to use this cost-effective technology to fight crime. Jason Tooley of Veridium examines how the police can best address the public’s fears of facial ID and data privacy, to reap the benefits of this maturing technology.
Ready for take-off: how biometrics and blockchain can beat aviation’s quality issues 8Biometric systems have been widely embraced
by the aviation industry, but significant barriers still prevent their universal adoption, says Zamna’s Irra Ariella Khi. She suggests that a combination of biometrics and blockchain technology could ensure airlines and airports trust biometrics to accurately verify their passenger data and provide the secure data sharing and standardisation they need.
RegularsEvents Calendar 3
News in Brief 4
Product News 4
Company News 4
Comment 12
Contents
biometric TECHNOLOGY
ISSN 0969-4765 January 2020 www.biometricstoday.com
TO
DA
Y
A major rise in cyber-fraudsters stealing people’s selfie photos and
other biometric data has been discov-ered by security giant Kaspersky.
The company released a report last month that found over one-in-three computers pro-cessing biometry – such as fingerprint, face, voice and iris templates – were targeted by malware in Q3 2019. Overall, 37% of servers and workstations running Kaspersky software were attacked by cyber-criminals in what it calls “a surge in fraud related to the stealing of personal and confidential documents through photos and selfies, often required for registra-tion or identification purposes”.
Kaspersky’s ‘Threats for biometric data pro-cessing and storage systems’ report also strongly criticised the security efforts made by biometric systems suppliers, saying: “It is remarkable how careless biometric authentication system devel-opers and users are about protecting these sys-tems and the biometric data collected by them against computer attacks.”
Kaspersky cited last year’s BioStar 2 breach when up to 1 million fingerprint records and facial images were exposed on an open database by South Korean security platform supplier Suprema (see BTT, September 2019).
Kaspersky said the threats posing the big-gest danger to biometric data processing and storage systems include spyware, phishing attacks – mostly spyware downloaders and droppers – ransomware and banking Trojans. And the company warned: “It can be expected that mass-distributed malware designed to steal biometric data from banks and financial sys-tems will appear in the near future.”
Kaspersky’s analysis shows that the internet is the main source of threats to biometric systems, including malicious and phishing websites, and web-based email services.
Kaspersky senior security expert, Kirill
Kruglov, commented: “The existing situation with biometric data security is critical and needs to be brought to the attention of industry and government regulators, the community of information security experts, and the general public. Though we believe our customers are cautious, we need to emphasise that the infec-tion caused by the malware we detected could have negatively affected the integrity and con-fidentiality of biometric processing systems. This is particularly the case for databases where biometric data is stored, if those systems were not protected.”
To protect against cyber-attacks, Kaspersky experts advise:
• Minimise how exposed biometric systems are to the internet and internet-related threats. It is better if they are a part of air-gapped infra-structure.
• Ensure the highest level of cyber-security is applied to the infrastructure that contains biometric systems, including extensively train-ing operating staff to resist possible attacks.
• Regularly conduct security audits to iden-tify and eliminate possible vulnerabilities.
Kruglov added: “We believe that exposing biometric systems to random cyber-threats is a huge risk for both the service provider and the people who have entrusted their biometric data to it.”
Kaspersky’s report also highlighted the danger of over-confidence in biometric secu-rity, saying: The concept of biometric data as a unique personal identifier that cannot be forged is fundamentally wrong and can foster a false sense of security. Biometric data, once compromised, is compromised for good: users cannot change their stolen fingerprints the way they do stolen passwords. An individual will therefore potentially be affected for the rest of his or her life.”
Continued on page 2... www.biometricstoday.com
www.membrane-technology.com
www.networksecuritynewsletter.com
www.sealingtechnology.info
www.filtrationindustryanalyst.com
www.computerfraudandsecurity.com
Visit us
www.pumpindustryanalyst.com
@
Visit us @
Visit us @Visit us @@
Visit us @
Visit us @
Visit us @
Visit us @
Visit us @
Visit us @
Visit us @
security
Kaspersky reports surge in cyber-attacks on selfies and other biometry
Subscription InformationAn annual subscription to Biometric Technology Today includes 10 issues and online access for up to 5 users.Subscriptions run for 12 months, from the date payment is received.
More information: www.elsevier.com/journals/insti-tutional/biometric-technology-today/0969-4765
This newsletter and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.
Derivative WorksSubscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.
Electronic Storage or Usage Permission of the Publisher is required to store or use elec-tronically any material contained in this publication, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.
NoticeNo responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advan ces in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
12985 Digitally Produced by
Mayfield Press (Oxford) Ltd
2
NEWS
...Continued from front pageKaspersky’s study follows a ‘Voice
Intelligence Report’, published last November by voice identity solutions provider Pindrop, which found that an average of 90 voice fraud attacks occur every minute in the US. Pindrop described “skyrocketing fraud rates”, with voice fraud attacks climbing more than 350% between 2014 and 2018.
For the report, Pindrop analysed over 1 bil-lion phone calls at large call centres in the US, including eight of the top 10 banks, five of the seven leading insurers, and three of the top five financial services companies.
The report identifies the latest security threats, including deepfakes and synthetic voice attacks. It said: “In the near future, we will see fraudsters call into contact centres utilising synthetic voices to test whether companies have the technology in place to detect them, particu-larly targeting the banking sector.”
Pindrop said these attacks are dependent on deep learning and generative adversarial networks (GANs), a deep neural net architec-ture comprised of two neural nets, pitting one against the other. GANs can learn to mimic any distribution of data – augmenting images with animation, or video with sound. These technologies use machine learning to generate audio from scratch, analysing waveforms from a database of human speech and re-creating them at a rate of 24,000 samples per second. The end result includes voices with subtleties such as lip smacks and accents, making it easier for fraudsters to commit breaches.
Seattle airport halts its facial ID rollout
Seattle-Tacoma International Airport (Sea-Tac) has become the first
airport in America to resist the US Government’s drive to expand the use of facial recognition technology.
Sea-Tac is Seattle’s main city airport and part of the Port of Seattle transport hub, which last month decided to halt its biometrics rollout until it developed best-practice principles that “ensure that the imple-mentation of public-facing facial recognition technology (FRT) is clearly justified, equitable and transparent”.
A management working group has been set up to turn a series of ethical principles for passenger processing into policies – and no biometric technology will be introduced at Sea-Tac or other Port facilities until after 30 June, when the new policies are due to go live.
Seattle has secured support for this delay from the US Customs and Border Protection (CBP) agency, which is in charge of the US national rollout of facial ID. Some 20 US air-ports have already introduced NEC NeoFace-based systems.
Seattle devised its new strategy after seeking the views of airlines, cruise lines, federal agen-cies, and civil liberty and migrant rights groups in public meetings late last year. The civil soci-ety groups raised concerns about FRT’s threat to privacy and inherent bias.
Port of Seattle Commission president, Stephanie Bowman, said: “We feel that our community expects more than to have this kind of technology rolled out without any public discussion or input. We know of more than 20 other airports that have implemented facial recognition technology, but no other Port has undergone a public process to ensure that implementation would protect passenger rights, and be limited, transparent and ethical. When this Commission adopts policies, we will have the opportunity to create the nation’s best prac-tices for public-facing biometrics.”
Seattle Port said it will only use facial ID to confirm passengers’ identity, replacing its cur-rent manual passport control and boarding pass processes for international flights. The Port added that it will not support biometrics for “mass surveillance”.
CBP has so far introduced FRT to process international arrivals at 11 US airports and six cruise terminals, while FRT for international departures has been implemented at 20 airports. These include Atlanta, Dulles, Fort Lauderdale, Houston, JFK, Las Vegas, LAX, Miami, Orlando, San Diego, San Jose and Portland, Oregon.
According to the principles championed by Seattle Port, the use of public-facing FRT at its facilities must be:
• Justified – done for a clear and intended purpose and not mass surveillance.
• Voluntary – reasonable alternatives should be provided for US citizens who do not wish to participate through an opt-in or opt-out process.
• Private – data should be stored for a lim-ited time and secure.
• Equitable – the technology should be rea-sonably accurate in identifying people of all backgrounds.
• Transparent – the use of biometrics should be communicated to visitors and travellers.
• Lawful and ethical – complying with all laws, including privacy and anti-discrimination laws.
The Port said that once its new policies are in place after June, it will consider airline and cruise line applications to use facial recognition on a case-by-case basis.
According to The Seattle Times, the Port’s moratorium delayed a plan by Delta Air Lines to
roll out facial recognition cameras at its Sea-Tac boarding gates by the end of December. But it’s reported that biometric technologies already in use at the airport –including the CLEAR service aimed at frequent travellers – will con-tinue operating. And a CBP plan to install facial recognition at a new facility to process arriving international travellers, opening in July, will proceed as planned as the area where the cameras will be located is controlled by the US federal government.
Airlines like Delta will need to show how they plan to comply before the Port permits them to install facial recognition cameras. In a statement, Delta said it believed its facial recognition systems “meet or exceed the guid-ing principles in the motion that the Port of Seattle adopted”. The airline said its tech- nology “adheres to high standards for data security and customer privacy – a responsibil-ity Delta takes extremely seriously”.
New UK Government backs biometric border control
The UK’s newly elected Conservative Government has put biometrics at
the heart of its planned border control policy.
This follows Prime Minister Boris Johnson’s promise to deliver ‘Brexit’, which means the UK will officially leave the European Union this month and move away from the EU’s migration policy. In the lead-up to its election victory last month, the Government said this ‘free movement’ policy had “made it easier for illicit goods such as drugs, guns and explosive precursors, as well as illegal immigrants and terrorists to enter the UK, as well as costing an estimated £5 billion each year due to excise, customs and tariff evasion.”
To counter this, the UK plans to intro-duce an American and Canadian-style visa waiver scheme, based on Electronic Travel
Authorisations (ETAs) which travellers would have to obtain before entering the UK. The aim is to store biometric data such as finger-prints or retina scans on all ETAs, to provide an extra security layer.
The Government said this new biometric-based system would enable border officers to better screen arrivals against watchlists and block those judged to be a threat from enter-ing the country. Automated exit and entrance checks would also make it harder for people with serious criminal convictions to enter the UK from EU countries.
The Government added that this combina-tion of automated entry and exit checks and requirement for biometric passports will enable it to “know who and how many people are in the country, and to identify individuals who have breached the terms of their visa and restrict illegal immigration”.
Announcing the proposals, UK Home Secretary Priti Patel said: ”The consequence of EU law limiting our border capability is brought home to me every day. It is a sad fact that drugs and guns reach our streets from Europe, fuelling violence and addiction. People traffickers don’t think twice about risk-ing people’s lives for profit. Most shockingly of all, we know that terrorists have been able to enter the country by exploiting free move-ment. I am committed to doing everything we can to secure the border and protect the UK.”
US and China among most invasive users of biometrics
A new study has ranked 50 countries on how extensively and invasively
they use biometric surveillance, and in contrast who best regulates the tech-nology. China is named the poorest per-former of all, but perhaps surprisingly it is joined by the US in the five worst countries – while the UK is ranked among the top five best-regulated.
The survey, by consumer information website Comparitech, analysed the countries according to how much biometric information they collect from their citizens, what it’s used for and how it’s stored.
China topped the list for its extensive and invasive use of biometrics and/or surveillance. The next-worst performers were Malaysia, Pakistan and the USA, with India, Indonesia, The Philippines and Taiwan all tying in fifth
Continued on page 11...
border control
UK PM Boris Johnson plans to roll out biometric passports as part of ‘Brexit’.
11–12 March 2020Connect: IDWashington DC, USAThis international conference and exhibition focuses on the management of identity technologies, highlighting how disruptive technology and policy decisions are driving change. The conference pro-gramme offers one-day summits focused on subjects including combatting document fraud, privacy and consent, securing citizens, trusted authentication, mobile ID, digital identity fraud, blockchain in action and traveller identity. More information: https://www.terrapinn.com/exhibition/connect-id/index.stm
31 March–3 April 2020World Border Security CongressAthens, GreeceThe World Border Security Congress offers a forum where border management and security industry professionals can discuss the challenges faced in protecting borders, and the new technologies that contribute to this. Provisional topics for this year’s event include: the latest threats and challenges at the border; capacity building and training in border and migration management; understanding threats and challenges for maritime borders; pre-travel risk assessment and trusted travellers; and the develop-ing role of biometrics in identity management and document fraud prevention. This will include exam-ining the role of biometrics in managing identity and borders.More information: http://world-border-congress.com/
5–8 April 2020KNOW IdentityLas Vegas, USAThis is a leading industry event focused on digital identity and trust in the data economy. The organis-ers are expecting over 2,000 attendees, 200-plus speakers and around 100 exhibitors. Key topics will include biometrics & multi-factor authentication; privileged access management; customer identity & access management (CIAM); identity resolution; data privacy & GDPR; and identity verification, KYC and customer on-boarding. Speakers will include Roger Dingledine, co-founder of the Tor Project; researcher Ashkan Soltani, who is former chief technologist for the Federal Trade Commission; and Frank Lawrence, chief compliance officer at Facebook Payments.More information: https://www.knowidentity.com/
19–21 May 2020Counter Terror ExpoLondon ExCeL, UKNow in its 12th year, the Counter Terror Expo (CTX) is a networking event for security professionals from industry, infrastructure, government and policing. It showcases technology to improve security and com-bat terrorism, in partnership with its sister events the World Counter Terror Congress, Forensics Europe Expo and Ambition. CTX’s key themes are protect-ing people, protecting infrastructure, and policing and specialist operations. Conference topics include smart surveillance, human-led behavioural detec-tion, and border and transport security.More information: https://www.ctexpo.co.uk/
Leading cyber-security firm Trustwave has predicted that fake attacks on facial recogni-tion systems will be one of the biggest hacking threats in 2020. Karl Sigler, threat intelligence manager with Trustwave SpiderLabs, said: “The widespread prevalence of facial recog-nition used by apps and devices could draw deepfake attacks. We expect to see deepfake videos increasingly used to tarnish the careers or reputations of individuals, particularly poli-ticians as we near the 2020 US presidential election.” Sigler added: “Deepfakes are in their infancy and it remains to be seen how far cyber-criminals will go. High-profile people are perhaps most at risk, as deepfakes require abundant source material already available to pull audio and video required to create realistic simulations.” Next month’s issue of BTT will feature a full analysis of the deepfake threat to facial ID systems.
BIO-key’s biometric software systems have been selected by Orange County, Florida to secure access to all its public records and voter data. BIO-key’s ID Director biometric software platform will be used to secure the county’s voter data and files. During elections, Orange County hires new employees and vol-unteers, often working in shared workstation environments. To control this, staff members will be enrolled and identified using BIO-key’s PIV-Pro and EcoID fingerprint scan-ners. EcoID has been certified by Microsoft to support the biometric authentication in its Windows Hello for Business app. Orange is the fifth county in Florida to sign up for BIO-key’s systems. “We are gratified by the growing adoption of our biometric solutions among various County Supervisors of Elections, as they take steps to secure their election systems for the coming presidential election,” said BIO-key CEO Mike DePasquale. “Our soft-ware is sold on a monthly subscription basis and therefore provides needed flexibility to adapt to a changing workforce.”
P R O D U C T S
Precise Biometrics and Innovatrics have joined forces to launch Precise YOUNiQ, which combines Innovatrics’ face recogni-tion technology with Precise’s identification software for access control. Precise YOUNiQ enables companies to securely grant employees and visitors access to offices and restricted premises, by validating them using Innovatrics’ facial recognition and liveness detection. The companies claim that Innovatrics’ combina-tion of passive facial recognition and live-ness detection sets the system apart from other access control identification systems.
Precise Biometrics CEO Stefan Persson said: “Innovatrics is truly a front runner in face recognition modality and their proprietary technology will be one of the cornerstones in Precise YOUNiQ.”
Fingerprint Cards (FPC) is providing a fingerprint sensor to secure the latest ‘smart’ suitcase launched by French luggage supplier, Kabuto. The FPC sensor negates the need for a key or passcode to open the suitcase. Meanwhile, FPC has also teamed up with leading global smartphone provider Xiaomi to include its FPC1540 side-mounted fin-gerprint sensor in Xiaomi’s recently launched Redmi K30 phone. This is the first device to include the sensor, which is positioned on the side of the phone inside the power but-ton. FPC senior vice president Ted Hansson said: “As an early pioneer of side-mounted fingerprint sensors, we’re excited to see our technology featured in this launch and to enable innovation and differentiation.” The FPC1540 can fit in a range of smartphone designs, including borderless and foldable phones. It is described as ultra-slim and can be customised to match the colour of the device. Finally, FPC has collaborated with global payment technology provider Valid to launch a contactless biometric payment card featuring FPC’s T-Shape fingerprint sensor module. FPC said T-Shape has now been adopted by all the top five payment smartcard suppliers globally.
US-based AboutTime Technologies has added facial recognition to its WorkMax pIME system, which is used by companies to track their mobile workforce. The company claims its new facial ID system “takes stand-ard employee face capture to a new level”. It automates the photo comparison process with intelligent computing so businesses increase the probability that their employees clocking in and out are performing the work they’re being paid for. The new feature also aims to eliminate ‘Buddy Punching’ – where an employee gets a co-worker to clock them in before they arrive at work or clock them out after they’ve left. WorkMax’s facial recognition measures the similarity of the employee’s pro-file photo against the daily selfies the employee takes when clocking in and out. “WorkMax face recognition helps reduce time theft and automates the process for our customers. This results in paying the right employees for their work accurately,” said AboutTime CEO Ryan Remkes.
India’s Mantra Softech has launched its MFS500 fingerprint scanner, which features a
‘scratch-free’ optical sensor and a glass rather than plastic prism for better print identifica-tion. Mantra claims the MFS500 has one of the lowest FRR (false recognition rates) amongst biometric print scanners on the mar-ket. It has also been certified by the FBI to the FAP10 standard. The scanner can run on Android, Windows and Linux-based devices. Mantra offers a range of fingerprint and iris recognition sensors and devices, to customers including the Indian Government’s Aadhaar scheme.
C O M P A N Y
Austrian biometric sensor provider AMS has succeeded in a takeover bid for the well-known German-based lighting group Osram. AMS says it has secured agreement to acquire over 59% of Osram’s shares in a bid worth an estimated E4.6 billion. AMS employs about 9,000 people globally and provides facial recognition and other sensors to customers including Apple for the iPhone. AMS CEO Alexander Everke said: “We have been successful in achiev-ing the minimum acceptance threshold in our offer for Osram. We look forward to creating a European-based global leader in sensor solutions and photonics.” Olaf Berlien, CEO of Osram, echoed this saying: “Following AMS’ successful takeover bid, we can now jointly establish a world-class photonics and sensor champion.” AMS plans to finalise the takeover during the first half of this year.
Paris-based secure identity specialist IN Groupe (formerly Imprimerie Nationale) has acquired fellow French biometric sys-tems supplier SURYS for an undisclosed sum. SURYS specialises in providing docu-ment security and image analysis systems, and its security features are present in an estimated 50% of the world’s passports. IN Groupe’s aim is to build a centre developing electronic and optical components to secure identities and banking transactions. This business will combine SURYS’ operations with the IN subsidiary SPS, which pro-vides electronic components for chip cards. SURYS has manufacturing plants in France and the US, and R&D units in France, Germany and the US. It also has access to the world’s largest database of identity docu-ments, through its subsidiary Keesing based in the Netherlands. Its solutions have been adopted by over 130 countries (passports in France, Brazil and China, bank notes in the Philippines) and by large brands to combat counterfeit goods.
N E W S I N B R I E F
5January 2020 Biometric Technology Today
FEATURE
Jason Tooley
The future of biometrics in policing worldwide
Likewise in the US, Amazon was hit by a share-holder revolt last year for selling its facial rec-ognition technology to US police forces, while San Francisco became the world’s first city to outlaw facial recognition. The city set a trend by completely banning the emerging technolo-gy from being used in law enforcement, as well as by local government agencies and transport authorities.
Yet alongside all this, police forces – like many public services around the world – are under increasing cost pressures. In the UK for example, direct government funding has fallen 30% in the last eight years. And as a result biometric systems are finding their way into government usage as a way to enhance the quality and efficiency of policing whilst also cutting costs1. So despite the controversy, the UK Home Office is planning to invest a huge £97 million into a wider biometric technology approach to safeguard the country’s streets2. Similarly, the Australian Government is plan-ning a colossal nationwide facial recognition database3.
Nevertheless, the debate surrounding facial ID has highlighted the fact that the public’s perception and acceptance of biometrics is just as important as the maturity and the cost-effectiveness of the technology, for the police to really reap the benefits.
“San Francisco set a trend by becoming the world’s first city to outlaw facial recognition. It banned the technology from being used in law enforcement, as well as by local government agencies and transport authorities”
Data privacySo what are the public’s concerns? The key issue is data privacy, particularly with regards to the use of automated facial recognition for sur-veillance. Of course police officers worldwide
regularly carry body-worn cameras or record images in cars without asking for consent – and while none of this data is encrypted, the general public accept its usage. Video has a certain implicit public tolerance, exemplified by the widespread use of CCTV cameras: the average Londoner is caught on camera over 300 times per day. Yet the public generally accept CCTV as they are familiar with the technology and recognise the security benefits4. So what must police forces do for their use of biometric tech-nology to reach this level of approval?
It is vital to show the public that biometrics has the potential to greatly improve services. However, it’s also important to ensure secu-rity and privacy in the way the data is stored, as having this type of information stolen can have serious consequences. In June last year, Eurofins Scientific, the British police’s main forensic outsource supplier, suffered a huge ransomware attack and data breach. This not only disrupted the police’s forensics analysis, but impacted public confidence in its ability to store sensitive data such as biometrics.
If police forces adopt a clearly transparent pol-icy on how biometric data is interpreted, stored and used, then public privacy worries are sig-nificantly diminished, which in turn will trigger consent and acceptance. It is also key to manage expectations around biometrics and how the technology will be used, especially in surveillance use cases. As the technology matures, there is a need to understand how biometrics as a whole can aid identity verification at scale and how to achieve extensive public acceptance as part of a wider digital policing initiative.
Public perceptionAnother core issue facing biometrics, and particularly facial recognition, is the public’s perception that this technology is not yet fully accurate. Digital fingerprint-based authenti-cation, which is broadly viewed as being the most mature biometric technology, has an implicit acceptance linked to an individual’s identity and the fact that it delivers a lower false positive result.
Jason Tooley, Veridium
The use of biometrics by police forces has rarely been out of the headlines over the past year. As with many emerging technologies, it has hit signifi-cant hurdles. Recently in an unprecedented move, the UK’s Information Commissioner’s Office (ICO) – the government body responsible for GDPR and data privacy enforcement – launched an independent investigation into the use of facial recognition at London’s King’s Cross train station, after it was revealed that the general public were having their faces scanned without con-sent. This scandal triggered the halt of police biometric trials across the coun-try, while the South Wales Police force was taken to court over a similar issue.
Police officers worldwide regu-larly carry body-worn cameras, and even though none of this data is encrypted, the general public accept its usage.
6Biometric Technology Today January 2020
FEATURE
The public’s understanding of the varying maturity levels of biometrics – for example fingerprinting compared to automated facial recognition (AFR), and their effective use – has strong links back to existing physical processes and widespread consumer adoption. So, finger-print technology has a high level of consumer adoption because of its use on mobile devices, and in applications such as airports using flat-bed scanners – which are widely understood and help immensely with acceptance.
Citizens who are accustomed to using finger-print biometrics on their personal devices will have the same expectation of facial recognition. However, when used as a stand-alone biometric, AFR suffers from its perceived inaccuracy – eight trials between 2016 and 2018 in London result-
ed in a 96% rate of false positives5. In addition, racial and gender bias as well as problems work-ing in conditions such as poor lighting or when the person is wearing accessories, impacts on reliability. Indeed, even the UK Home Office has acknowledged that passport facial recogni-tion checks are less effective on people with dark skin6. All this leads to a reluctance or refusal to accept AFR technology among the public.
Identity versus surveillanceWhen biometrics are used in identity verification use cases, as opposed to surveillance, it is much easier to gain public acceptance. Individuals are
more likely to consent to technology that they engage with on their digital devices – leveraging widely used consumer technology such as smart-phones in one-to-one scenarios.
So police forces that integrate a multimodal, open approach to biometrics, selecting the right biometric mode for the right use case, will derive the most value from the technology. For example, one European police force is using mobile biometrics in order to quickly scan a suspect’s fingerprints in the field, verify them against their national database, and confirm identity within seconds. The best approach for police is to look to use strategies that the public have the highest degree of confidence in, and manage public expectations around success and how the technology is to be used.
“Police forces that integrate a multimodal open approach to biometrics, selecting the right biometric mode for the right use case, will derive the most value from the technology”
Currently, there are obstacles in the way of biometrics which will be overcome as trust in the technology becomes the norm. As men-tioned, fingerprinting is the most mature and widely used biometric system, with high levels
Fingerprint tech- nology has a high level of consumer adoption because of its use on mobile devices, and in airports. Citizens will have the same expectation of facial recognition – but it suffers from its per-ceived inaccuracy.
The Peruvian National Police needed a way to quickly verify the identity of people who were selected for random security screenings at the 2019 Pan American Games, which brought 420,000 spectators, athletes and coaches from 41 countries to the country’s capital city, Lima.
To identify people while out in the field, Peru’s National Police were using a smartphone mobile app that scanned the individual’s national ID card. For the Pan American Games, the police wanted their smartphones to have the additional ability to capture fingerprints.
The police needed a product that could quickly take people’s fingerprints, that was easy to use in the field, and could capture high-quality images that could be matched against those stored in Peru’s national biometric database. Ideally, the product would be software-based and integrate with the app the police force was already using. This integration was the only way to make the project financially and operationally
viable. The National Police wanted to avoid purchasing separate mobile fingerprint scanners, as, in addition to the expense, they didn’t want to force their officers to carry supplementary hardware.
In order to meet these security requirements, the police used Veridium biometric software to verify the identity of people selected for random security screenings. This contactless biometric authentication system uses a smartphone’s rear-facing camera to capture an individual’s four fingerprints simultaneously, with no supplementary hardware required. The technology is similar to that used in traditional flatbed scanners, and was integrated into the police force’s existing application, allowing officers to turn their mobile devices into fingerprint readers.
OutcomeBy integrating the biometric software, the police were able to conduct random security checks efficiently and effectively – they could
scan people’s fingerprints quickly and the images were of high enough quality to match against the national database. Having all this information in their smartphones made the officers’ jobs easier, both in terms of ease of use and public acceptance, and an interest in the technology made screenings easier to carry out.
Providing officers with people’s fingerprints in addition to the information contained in their national identity cards also allowed the police to more accurately identify individuals. It also proved straightforward to teach officers how to use the fingerprinting technology. The Peruvian National Police force has now decided to continue using this method after seeing how it improved the officers’ ability to confirm people’s identities – offering a fast, reliable and economic solution that was easy to integrate and use.
This case study underlines how effective biometric technology can be when it is used by police forces in a strategic way to offset violent crime, leveraging widely used consumer technology to gain acceptance.
Case study: Peruvian National Police
7January 2020 Biometric Technology Today
FEATURE
of acceptance today. It is easily adopted by police, although it doesn’t work for surveillance purposes. Police forces across the world are see-ing the value in moving to a digital fingerprint capture mechanism, rather than physical.
In terms of surveillance at scale, automated facial recognition is the appropriate solution. But in the face of the substantial challenges relating to its relative lack of maturity, the best way to gain public acceptance is by taking advantage of more mature biometric technologies like finger-printing. This can be used to build acceptance, and importantly public confidence, in the use of the technology.
InnovationInnovation in the field of biometric technol-ogy offers a significant way to quickly gain public approval and consent, and build citizen confidence in different police use cases. High levels of false positive rates and performance concerns are typical of all nascent technolo-gies, not just biometrics. Think of the prob-lems around video quality or internet speeds during their infancy.
Innovations like behavioural biometrics now offer the ability to verify an individual from their unique mannerisms such as the way they walk. Advanced finger vein recognition has also been developed – and both these modalities are nearly impossible to replicate or hack, therefore providing the most secure identity verification. It’s crucial that regulation doesn’t stifle this type of innovation; the right balance must be achieved in order for police forces globally to benefit from biometric technology in order to
efficiently verify citizens and combat violent crime.
Strategy is keySumming up, police forces around the world are looking to integrate the latest advances in technology to enhance public security and cut costs – and biometric solutions are fundamental to this. With the maturing of biometric tech-niques and many different use cases to address, it’s imperative to utilise the right biometric for the right police requirement, and to create a transparent strategy that incorporates the use of multiple biometrics.
“As both the technology and public acceptance matures, biometrics will become essential to the success of any digital policing strategy”
Police forces must look to adopt a strategic approach as they trial different biometric tech-nologies, and not focus on one single biometric approach. With the rapid rate of innovation in the field, an open biometrics strategy will give police the ability to use the right biometric techniques for the right requirements, acceler-ate the benefits associated with digital policing and thereby achieve public acceptance.
Acceptance and consent are key to the suc-cessful use of biometrics in the many digital police use cases. By digitalising current physical processes, police forces can create both effi-
ciency and improved accuracy. Then, as both the technology and public acceptance matures, biometrics will become essential to the success of any digital policing strategy.
About the authorJason Tooley is chief revenue officer at Veridium and has over 25 years’ business leadership experi-ence in the technology sector. He is a board member of techUK, where he uses his expertise to support the challenges and opportunities presented to the tech industry in Britain. Veridium’s authentica-tion platform enables companies to secure identity and privacy in a digital world by proving people are who they say they are, via biometrics and their smartphone. Veridium reduces the need for pass-words, and integrates multi-factor solutions with utilising technology such as its 4 Fingers Touchless ID. This ensures compliance whilst also providing a more convenient, secure experience. See www.veridiumid.com for more details.
References1. ‘Police funding in England and Wales’.
Full Fact, 28 September 2018. Accessed December 2019. https://fullfact.org/crime/police-funding-england-and-wales/.
2. ‘Biometrics technologies: a key enabler for future digital services’. European Commission, January 2018. Accessed December 2019. https://ec.europa.eu/growth/tools-databases/dem/monitor/sites/default/files/Biometrics%20technolo-gies_v2.pdf.
3. Josh Taylor. ‘Plan for massive facial recog-nition database sparks privacy concerns’. The Guardian, 28 September 2019. Accessed December 2019. https://www.theguardian.com/technology/2019/sep/29/plan-for-massive-facial-recognition-data-base-sparks-privacy-concerns.
4. Jordan G Teicher. ‘Gazing Back at the Surveillance Cameras That Watch Us’. New York Times, 13 August 2018. Accessed December 2019. https://www.nytimes.com/2018/08/13/lens/surveillance-camera-photography.html.
5. Lizzie Dearden. ‘Facial recognition wrongly identifies public as potential criminals 96% of time, figures reveal’. The Independent, 7 May 2019. Accessed December 2019. https://www.independ-ent.co.uk/news/uk/home-news/facial-recognition-london-inaccurate-met-police-trials-a8898946.html.
6. ‘Passport facial recognition checks fail to work with dark skin’. BBC, 9 October 2019. Accessed December 2019. https://www.bbc.co.uk/news/technol-ogy-49993647.
With the many different use cases to address, it’s imperative to utilise the right biometric for the right police requirement.
Iris scans, facial recognition and fingerprint readers have become much more commonplace in modern airports, and some of the more for-ward-looking pilot schemes have begun to com-pletely replace the use of passports for passenger identification with biometric data. For example, Dubai Airport’s ‘Smart Tunnel’ project has demonstrated that facial recognition technology can replace the manual passport control process entirely, shortening it to 15 seconds and remov-ing the need for human intervention1.
Yet despite the increased use of biometric sys-tems in airports, these solutions are still far from being widely trusted to accurately verify pas-senger data – in or before the airport. And while
biometrics often play a complementary role in authenticating the physical aspects of passenger identity, manual biographic passport checks are still exclusively used as the primary method of passenger verification, with the exception of the Smart Tunnel system. We’ve still got some work to do before a seamless, biometric-based passenger experience – where travellers can move through the airport without any physical docu-ment checks – becomes a reality for us all.
Still, there is no lack of enthusiasm for new technology within the aviation industry. In fact, the use of biometrics underpins the main cross-industry transformation project that the airline trade association, the International Air Transport Association (IATA), created in 2016: ‘One ID’. The aim of One ID is to create an “end-to-end passenger experience that is secure, seamless and efficient”, and it has the potential to address the key management challenges facing the airline industry: namely, passenger facilitation and secu-rity, plus government data regulations:
• Passenger facilitation and security. Firstly, new biometric technology could help to meet rising passenger expectations for more efficient journeys. IATA research shows that the majority of passengers now find a queuing time of more than 10 minutes unacceptable, and increasingly prefer ‘ready-to-fly’ options such as validating travel documents and checking in bags from home before they head to the airport2. These rising expectations come as the number of air-line passengers continues to grow year-on-year, putting further strain on aviation infrastructure. IATA’s ‘20-Year Air Passenger Forecast’ found that the number of travellers is set to double by 2037, reaching 8.2 billion people a year3.
There is therefore a critical need to use biometric solutions to manage this growing throughput of passengers while maintaining and improving both security and the passen-ger experience throughout all airport touch-points. In the words of IATA director general Alexandre de Juniac: “Biometric recognition using the One ID concept modernises the airport experience for passengers and improves the efficiency and security of identification pro-cesses. Every traveller will appreciate the con-venience of getting from the kerb to the gate without ever having to show a paper passport or boarding pass.”
“We’ve still got some work to do before a seamless, biometric-based passenger experience – where travellers can move through the airport without any physical document checks – becomes a reality for us all”
• Government data regulations. One ID also responds to the increased pressure from interna-tional governments for airlines to provide more accurate information on passengers – namely APIS (Advance Passenger Information System) data – for the purposes of immigration, border control and national security decision-making. Airlines are also under increasing commercial pressure to comply with regulations in order to reduce the potential burden of hefty government fines each year. A build-up of these fines has a detrimental impact on an airline’s government relations, and can also impact their landing rights in a particular country. On top of that, One ID could reduce the onerous operational
New biometric technology could help to meet rising passenger expectations, just as airline passenger numbers continue to grow year-on-year, putting further strain on aviation infra-structure.
Irra Ariella Khi
Ready for take-off: how biometrics and blockchain can beat aviation’s quality issuesIrra Ariella Khi, Zamna
Biometric technologies have been embraced and adopted in aviation and international border control more than in any other industry. This is due to the emphasis on airline and border security and increasing pressure from governments to control and monitor immigration and the movement of people. However, biometrics are still not at the stage of universal adoption and face several significant barriers that need to be overcome.
9January 2020 Biometric Technology Today
FEATURE
costs of airport real-estate and airline staff, both of which are needed for manually checking each passenger’s documents.
Three key challengesOf course, the vision of One ID cannot be real-ised until the need for manual identity checks is vastly reduced – which is why data quality will play a critical role in both passport and biometric checking processes4. Let’s consider the three data management challenges to the widespread adoption of biometric technology and how they might be overcome:
1. Data standardisation and verification. If biometrics are to be widely adopted, both airlines and government authorities must be able to trust that the biometric data provided on passengers is both accurate and high-quality. There are two root causes of the current scepti-cism here: a lack of standardisation of passenger biometric data; and the lack of a reliable source against which that biometric data can be vali-dated for accuracy and integrity. In addition, there is the challenge of connecting biometric data with the passenger’s biographic/passport data (known as API or advance passenger information). Combine this with the increased public scrutiny on personal data security, and the scale of the problem becomes clear.
A number of biometric pilot schemes are underway in airports around the world, but they are all independent – using different technolo-gies, biometric markers, data standards and pro-cessing techniques. And while the International Civil Aviation Organisation (ICAO) has estab-lished a standard for biometric data, alongside biographic/passport data, not every country adheres to these rules and principles.
Until a comprehensive standard is adopted and consistently deployed, any biometric veri-fication process will always be limited, since the biometric data produced or verified by any single airline, airport or government can never be wholly trusted by another. This has forced the industry to default to traditional manual passport data as a source of both trust and verifi-cation for passenger IDs. And currently there is no standardised way to either verify or connect passport and biometric data in order to identify a passenger: an ePassport along with a biometric- comparing capability could solve that, but there is still a need for passengers to enrol each time, and still no aggregation of verifications that can be shared within the industry.
A consistent standard for biometric data will undoubtedly come to the fore as biometric hard-ware systems mature, and as governments and airlines further progress their pilot programmes into full adoption. These efforts can, of course, be speeded up, so long as close collaboration can
be established between airlines, biometric tech-nology providers and passenger data regulators. However, the key problem the industry faces with standardisation is not around data struc-tures, but the absence of cross-industry sharing protocols and schemes that would allow that data to be shared in the first place.
“Until a comprehensive standard is deployed, any biometric verification process will always be limited, since the biometric data produced or verified by any single airline, airport or government can never be wholly trusted by another”
2. Secure data sharing. No data can currently be securely shared between different airlines and government agencies, and therefore it cannot be validated for accuracy and integrity by either party. This is the case for both biometric and biographic/passport data. Without a trusted sys-tem for sharing any type of information, airlines and governments maintain it siloed across their own systems. This means the same passenger’s data must be checked and re-checked manually.
These repeated checks result in delays at airports, with passengers queuing at various checkpoints, waiting for their documents to be scanned several times over. This is regardless of how many times the passenger has travelled before, even if that individual is connecting onto another flight on the very same day, or even if that second flight is with the same airline.
This inability to securely share data is one of the main barriers to One ID and means that, even if biometric data is of high quality and in a standard-ised form, it still has to be re-validated as a one-off occurrence by each airline and government agency every time that person travels. In other words, there is currently no way to put the hard work of one data check in the service of the next check.
The difficulty of sharing biometric data between multiple parties is worsened by the fact that the information is – rightly – protected under data privacy laws, such as the General
Data Protection Regulation (GDPR) in Europe. So while more sophisticated data sharing will aid verification and improve the passenger experi-ence, the protection and control of the person-ally identifiable information (PII) involved is paramount, and the highest standards of data security have to be upheld in any system that is sharing biometric data for passenger validation.
Regulators’ increasing focus on the security of personal and public data is reflected in public opinion. Recent high-profile consumer data breaches have propelled this issue into mainstream public awareness, raising legitimate concerns as to what personal biographic and biometric data is being collected and shared – and how it can be used and mis-used, whether by international gov-ernments or private companies.
Furthermore, due to the highly valuable personal data they hold, government agencies, travel companies and airlines are particular targets for data breaches. In recent years, we’ve seen a number of such cases: the US Government’s database of its security-cleared employees was successfully hacked by a hostile foreign government; Marriott Hotels exposed 383 million sensitive data records in one of the largest data breaches in history; and an attack on airline Cathay Pacific left 9.1 million cus-tomers exposed in what was the airline indus-try’s biggest security incident to date.
Linking biometric data to an individual’s existing personally identifiable biographic data, such as their passport, will create an even more sensitive data set, and therefore an even more appealing target for attackers. So before any standardised system of sharing biometrics can be rolled out, the industry has to agree on a solution that addresses the data security con-cerns of regulators and passengers.
3. Biometrics meets the blockchain. This challenge of how to successfully and securely share biometric data for validation can be resolved by applying blockchain technology. The blockchain principles of decentralisation and immutability, coupled with its ‘privacy-by-design’ approach, make it the ideal solution to data standardisation, verification and security challenges. By utilising blockchain, a record can be made each time any biometric data is validated or queried. When it is successfully validated, reputational value builds and can also be recorded. Conversely, when biometric data presents repeated errors, its repu-tational value can be lowered. When combined with blockchain’s inherent immutability, this means that airlines, airports and international governments can be confident in the accuracy and validity of any data, using blockchain to corrobo-rate its reputational value.
What’s more, blockchain’s system of decentral-ised storage and management means data verifica-tion can be secured and re-secured at each stage
Due to the highly valuable personal data they hold, airlines are particular targets for data breaches. In the industry’s biggest security incident to date, an attack on Cathay Pacific left 9.1 million customers exposed.
10Biometric Technology Today January 2020
FEATURE
of the process, assuring data provenance with no single point of compromise and no central store. Essentially, the blockchain process involves mak-ing records of data verification that would make no sense to anyone unless they were in possession of the original data.
According to independent security testers, using blockchain enables tech companies to cre-ate systems that would take millions of years to breach. Its privacy-by-design approach, as advo-cated in the GDPR, means systems can be built around an un-compromisable concept of data security, rather than having security elements added in retrospect. Innovative technologies, that combine blockchain and privacy-by-design to ensure improved biometric data accuracy without exposing underlying personal data, are already readily available on the market.
One ID’s missionIATA’s One ID relies on coupling accurate pas-senger biographic data (known as APIS) with the early authentication of each passenger’s biometric identity, followed by instant biometric recognition at every touchpoint thereafter. With every successful verification, the data’s authentic-ity grows, and the need for extra and repeated manual checks is eliminated. In practice, this combination of biometrics and blockchain negates the need for passengers to present multi-ple documents at multiple touchpoints through-out their airport experience.
Using blockchain, tech companies can create innovative decentralised solutions that can secure passenger data. Then, assuming international standardisation and regulation, the reputational score of the data could become the basis of shared insights between airlines and governments, who would in turn be able to trust that the validation and re-validation is accurate. As a result, wherever in-person checks still have to be performed, the data verification process will allow airlines and government agencies to focus on screening pas-senger behaviour rather than verifying biographic/passport data, making the checking process at airports and borders much more efficient.
IATA also suggests One ID can meet passen-gers’ desire for ‘ready-to-fly’ options – in other words, presenting and validating their biographic and biometric details from home. Passengers could use a mobile device to submit their person-ally identifiable information directly to the neces-sary parties (such as airlines, immigration, border control) ahead of their journey, further shortening the validation process at the airport.
This ability could bring major benefits to air-lines, which are increasingly required to provide accurate passenger information to government agencies ahead of the flight. This currently poses a major challenge for airlines as they are wholly
reliant on correct data being provided by pas-sengers, 50% of whom make mistakes when submitting their API data. For example, consider the role that passenger data plays in helping airlines and governments establish whether that traveller’s data matches a valid visa or ETA (electronic transit authorisation). Today, bio-graphic data alone is used to establish whether the passenger has the right status to travel to a particular country or destination. Increasingly, this could be established using both biographic and biometric data as part of One ID.
In the context of passenger ETAs and visas, ensuring data accuracy and validity will become increasingly important across Europe as the EU prepares to introduce its ETIAS (European Travel Information and Authorisation System). This will require passengers from visa-free countries – such as the US, Canada, Australia, New Zealand, and possibly soon the UK – travelling into the Schengen area to hold a valid ETA authorisation. Airlines will also be required to establish that the passenger has the correct status prior to boarding.
ETIAS is intended to speed up and modernise border procedures in the EU. However, without better systems for validating passenger data ahead of the flight, staff will be forced to manually check passports in order to cross-reference ETIAS details once the passenger arrives at the airport. This will potentially create queues and slow down the sys-tem; in some cases it means that passengers may be informed too late that they do not have a valid ETIAS and won’t be able to fly on the day.
Without accurate passenger data, there is no reliable way to establish their status or check whether they have a valid ETA. Combining biographic data alongside biometrics would drive the industry towards better passenger identifica-tion, and towards realising the aim of One ID. Airlines will know that the data they are pro-vided with ahead of the flight is accurate, and no passenger will need to be off-loaded or manually re-processed due to a data error.
Airport of the futureIn summary, IATA’s One ID is an ambi-tious vision for the airport of the future, based on combining accurate biographic data and biometric technology for passenger verification.
Standardisation and international regulation are the next steps towards the widespread adoption of biometrics in the airline industry. However, biometrics alone cannot provide the seamless passenger experience envisioned by One ID. It’s important that first, the biographic API data is accurate, of the highest quality, and can be shared and validated by airlines and governments.
This is where blockchain can play a crucial role in both securing and sharing these sensitive data sets. Blockchain alone is not the answer, and neither is accurate biographic data – but together, they are the first step towards One ID. Only when blockchain and biometrics are jointly deployed can there be assurance of accuracy and trust in identifying each physical passenger.
Without this level of data quality, the adop-tion of biometrics as part of One ID will not be possible. Yet without innovative solutions, the dual problem of data protection limitations and the technical inability to share data between biometric providers will continue to limit any data quality. Accurate, trusted and re-trusted data alone can meet the demands for compre-hensive biographic and biometric processes, both in the aviation industry and beyond.
About the authorIrra Ariella Khi is the CEO and co-founder of Zamna (formerly VChain Technology), which provides the first venture-backed blockchain secu-rity solution for the aviation industry. Zamna’s patented, GDPR-compliant Identity-as-a-Service (IDAAS) solution connects the data sets of airlines, governments and security agencies, reducing the need to check physical passenger IDs in airports. Irra has co-authored Zamna’s first three patents, and leads the deployment of its software to major international airlines and governments.
References1. ‘Dubai airport trials “Smart Tunnel”
that allows passengers to clear passport control in 15 seconds’. Arabian Business, 11 October 2018. Accessed December 2019. https://www.arabianbusiness.com/transport/406044-dubai-airport-trials-smart-tunnel-that-allows-passengers-clear-passport-control-in-15-seconds.
2. IATA. ‘2016 Global Passenger Survey’. https://www.iata.org/publications/store/Documents/GPS-2016-Highlights-Final.pdf.
3. ‘SAP and VChain execs discuss how technol-ogy is changing the travel experience’. Aviation Business, 12 May 2019. Accessed December 2019. https://www.aviationbusinessme.com/airports/technology/18757-sap-and-vchain-execs-discuss-how-technology-is-transforming-the-passenger-travel-experience.
IATA’s One ID is an ambitious vision for the airport of the future, based on combining accurate biographic data and biometric technology for passenger verification.
...News continued from page 3worst place. Comparitech said: “These coun-tries show a concerning lack of regard for the privacy of people’s biometric data. They use biometrics to a severe and invasive extent.”
The five best countries, in terms of how well they restrict and regulate biometric use and sur-veillance, were Ireland, Portugal, Cyprus, the UK and Romania.
Commenting on the results, Comparitech analyst Paul Bischoff said: “While China top-ping the list perhaps doesn’t come as too much of a surprise, residents of (and travellers to) other countries may be concerned at the extent of biometric information that is being collected on them and what is happening to it afterward.
“Despite many countries recognising biometric data as sensitive, increased biometric use is widely accepted. Facial recognition CCTV is being implemented in a large number of countries, or at least being tested. EU countries scored better overall than non-EU countries due to General Data Protection Regulation (GDPR) regulations protecting the use of biometrics in the workplace to an extent.”
Among China’s faults, Comparitech cites that it has no specific law to protect citizens’ biometrics, but keeps an extensive national biometric database that is currently being expanded to include DNA. China also makes widespread and invasive use of facial recognition technology, tracking its Uighur Muslim minor-ity population, among others. Beijing is also trialling facial recognition at security checkpoints on the subway so it can divide travellers into groups, a system it’s hoping to expand to include buses, taxis and other travel services.
Comparitech also cites China’s lack of safeguards for employees in the workplace. “Companies have even been permitted to monitor employees’ brain waves for productiv-ity while they’re at work,” it said.
The US ranks low because it collects biometrics widely in passports, ID cards and bank accounts, and has a biometric voting sys-tem yet lacks a specific law to protect citizens’ biometric data – with only a handful of states protecting people’s privacy. Comparitech com-mented: “Many US citizens’ biometrics are exposed as there is no federal law in place,” adding: “The FBI and ICE have recently been criticised due to their use of facial recognition technology to scan driver’s licence photos, with-out gaining the citizens’ consent beforehand.”
Conversely, Ireland is ranked the best-performing country because, Comparitech said: “Ireland succeeds in protecting biometric data by only having a small database that includes criminal profiles, having extra safeguards for employee biometric data which go beyond GDPR requirements, and it isn’t part of the
Schengen Agreement so doesn’t take biometrics upon entry.” But the company added: “There are some doubts over Ireland’s use of facial rec-ognition CCTV cameras.”
Likewise, the UK scores well because it only has small biometric databases – one for criminals and one for non-UK citizens who enter the country, and it is governed by GDPR rules. Comparitech added: “Facial recognition CCTV in the UK also seems to be governed well. For example, facial recognition technology was being used at King’s Cross Station but without prior notification and thus consent. It has now been switched off and plans to develop it further have been placed on hold. It is also being tested in other areas but con-tinues to meet ongoing protests.”
The company highlighted the fact that European Union countries overall score well in its survey, due to the GDPR’s control of biometrics, especially in the workplace. However, Comparitech adds that most EU countries fall down over their use of biometric data in visas, due to the entry/exit system being introduced this year in the EU as part of the Schengen Agreement.
The company explained: “This creates a vast biometric database spanning 28 countries, and each member country’s law enforcement will have access to it. This is alongside various other databases shared across Schengen member coun-tries including the Visa Information System, which already contains over 60 million visa applications and 40 million sets of fingerprints.” The UK’s role in this may change post-Brexit.
NatWest unveils biometric fob for contactless payments
The UK’s NatWest Bank is trialling a new, compact biometric key fob
that can be used by customers to make contactless payments worth up to £100, without the need for a mobile phone or bank card.
The new device is currently being tested for three months, starting last December, among a mix of 250 NatWest customers in England and Wales and Royal Bank of Scotland (RBS) customers in Scotland. Both NatWest and RBS are part of the RBS banking group.
Shoppers can make a purchase by simply holding the key fob against a store’s card reader, while identifying themselves by pressing their thumb against the fob fingerprint reader. Once a light indicates their print has been matched suc-cessfully, the transaction goes through.
NatWest has previously tested fingerprint-based bank cards and David Crawford, head of
NatWest effortless payments, commented: “After the successful pilot of our biometric debit card we are looking at how we can further develop the technology and push the boundaries to inte-grate it into our customers’ everyday lives.”
The fobs are the same size as a standard key ring. They can also be used for buying goods online, and work at existing contactless and chip-and-pin terminals. Users initially activate the fob by uploading their fingerprint and reg-istering their account via their mobile phone.
NatWest is working with both Visa and German-owned Giesecke and Devrient (G+D) Mobile Security to develop the fob technol-ogy. Jeni Mundy, Visa’s UK managing direc-tor, commented: “We are constantly looking for ways to innovate with our partners to give consumers greater choices in how they pay. Following the launch of the UK’s first biometric debit card earlier this year, we are again pleased to collaborate with RBS on this pilot. Our research tells us that people have a strong interest in biometric technologies which can make their lives easier as well as increasing the security of their payments.”
G+D UK managing director, Axel Lange, said: “With the changing requirements in pay-ment authentication, G+D Mobile Security wel-comes the opportunity to pilot different ways to pay and we see biometrics as a key enabler to do secure and yet convenient payments.”
Amsterdam airport’s facial ID fooled by simple photo
Facial recognition terminals in sites ranging from Amsterdam’s Schiphol
airport to retail stores in Asia were easily spoofed by face masks and sim-ple photos, in tests run by AI solutions provider Kneron.
Kneron’s researchers used high-quality 3D masks to hack into facial ID-based AliPay and WeChat payment systems and make illicit pur-chases in a number of stores in Asia, according to Fortune.com. And at the self-boarding termi-nal at Schiphol, Holland’s largest airport, they tricked the sensor using a photo on a phone
Continued on page 12...
banking
NatWest key fob: enables shoppers to make higher-value payments without need-ing a phone or bank card.
hacking
12
NEWS/COMMENT
Biometric Technology Today January 2020
...Continued from page 11
screen. Kneron’s team also gained access to rail stations in China where commuters use facial recognition to pay their fares and board trains.
The tests highlight weaknesses that could lead to identity theft and terrorist access to key transport sites, undermining the security claims of biometric systems.
In statements to Fortune and the Daily Mail, Kneron CEO Albert Liu said: “Technology providers should be held accountable if they do not safeguard users to the highest standards. There are so many companies involved that it highlights an industry-wide issue with sub-standard facial recognition tech. The technol-ogy is available to fix these issues but firms have not upgraded it. They are taking shortcuts at the expense of security.”
But Kneron acknowledged that the masks it used could not be mass-deployed as they had to be sourced from specialist mask makers in Japan. It also confirmed that its tests failed to fool some facial recognition apps, including Apple’s iPhone X.
Schiphol, WeChat and AliPay did not respond to requests for comment from Fortune.
NIST launches datasets to help cut error rates
US NIST (the National Institute of Standards and Technology) has
released three new biometric data-bases – featuring fingerprints, facial photographs and iris scans – designed to help researchers reduce the error rates of biometric systems.
The data, which is stripped of identifying infor-mation and created expressly for research purpos-es, can be downloaded from NIST’s website.
“Few available resources exist to help devel-opers evaluate the performance of the software algorithms that form the heart of biometric systems, and the data will help fill that gap,”
NIST said. Its computer scientist Greg Fiumara added: “The data will help anyone who is interested in testing the error rates of biometric identification systems.”
The files are the first in what’s planned to be a growing collection of biometric resources, and are organised into three special databases (SDs) named SD 300, SD 301 and SD 302.
SD 301 is the first ever multimodal dataset NIST has released. It contains linked face, fingerprints and iris scan markers, so it can be used to test systems that apply a combination of these identification approaches. “This opens up possibilities for types of multimodal research that haven’t been done before,” Fiumara said. “We want to get more secure and more accu-rate identification, as multimodal systems are harder to spoof.”
SD 302 contains fingerprint data from a few hundred people gathered by a mixture of eight commercially available and prototype devices. It includes data gathered during the Nail to Nail Fingerprint Challenge, an IARPA-funded competition that NIST helped to design and
carry out. This features prints taken with con-tactless fingerprint devices, a technology that could simplify and speed up print gathering as it improves. “It also includes latent fingerprint data, in which prints are left while handling everyday objects,” Fiumara said. “Realistically and expertly collected latent data is difficult to come by.”
All the individuals represented in SD 301 and 302 have consented to the inclusion of their data and its distribution for research use, he said. The data has also been scrubbed of identifying information such as their names and places of residence.
SD 300 houses a collection of fingerprints taken from 900 old ink cards. All the record cards have been stripped of identifying data and are from individuals who are now deceased. According to Fiumara, this dataset can help manufacturers evaluate how well their modern systems can interoperate with hard-copy ink records, which will remain a requirement of the criminal justice system for some time.
research
COMMENT
One of the more intriguing recent news stories about biometric tech appeared just before Christmas: a
survey found that the majority of Chinese citizens are worried about their country’s use of facial recognition.
The research, by the Beijing-based Nandu Personal Information Protection Research Centre, is one of the first major studies of pub-lic attitudes to biometrics in a country that is notorious for its widespread and unconstrained use of mass surveillance technology.
The Centre found that 57% of the 6,100 respondents were concerned about their move-ments being tracked by facial recognition cameras. And a significant 84% wanted to be able to check and potentially delete the data that facial recognition systems had collected on them, according to reports by the BBC, Financial Times, ZDNet and other media. In addition, 80% of those surveyed were worried that facial recognition system operators had lax security measures, and 74% wanted to be able to use traditional ID methods like identity cards, driver’s licences or passports rather than facial ID to verify their identity.
Fears about the biometric data being hacked or leaked was the main concern cited
by the respondents, though the survey also reported that up to 70% of Chinese citizens believed facial recognition made public places safer.
The findings challenge any assumptions that people living in China are more accept-ing of mass biometric surveillance than those in the West. The survey also followed shortly after the widely reported case of Chinese university professor, Guo Bing, who announced he was suing his local zoo for enforcing facial recognition. Guo, a season ticket holder at Hangzhou Safari Park, had used his fingerprint to check-in for years, but was no longer able to do so.
And as the BBC reported, this case was covered in China’s state-owned media, indicating that the country’s government is willing to see the use of facial ID debated in public.
Yet China evidently still has some way to go. As our page 3 report shows, it was ranked the worst in a Comparitech study of 50 countries that examined how extensively and invasively biometric ID and surveillance systems were being deployed.
Even so, the good news is that increasingly China’s citizens are biting back against Big Brother.
Tim Ring
Kneron used specially made masks to spoof biometric payment systems.Photo copyright Kneron.
![Biometric Standards documents/Standards... · Biometric Profiles Biometric [Application] Profile – a conforming subset or combination of base standards used to effect specific biometric](https://static.documents.pub/doc/80x56/5f711372ce578d4ee02aea91/biometric-standards-documentsstandards-biometric-profiles-biometric-application.jpg)
