Mobile, Biometrics, and Consumer Privacy: Shutting Pandora's Box
Stewart Room, PwC Legal
Todd Thiemann, Nok Nok Labs
AGENDA
• Biometric Authentication
• Privacy Issues Surrounding Biometrics
• FIDO Alliance & Emerging Standards
THE PRESENTERS
Stewart Room
• Partner, Global Head of Cyber Security and Data Protection & PwC Co-Global Data Privacy Lead
• PwC Legal
Todd Thiemann
• VP Marketing & Co-chair CSA Solution Provider Advisory Council
• Nok Nok Labs
THE REALITY
Sources:
https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/
http://gizmodo.com/the-personal-information-of-55-million-filipino-voters-1770064712
WHAT IS BIOMETRIC AUTHENTICATION?
• Authentication
– The process of determining whether someone or
something is who or what it is declared to be.
• Biometric Authentication
– The process of validating the identity of a user
by measuring some intrinsic characteristic of
that user.
Sources:
https://kb.iu.edu/d/alqk
https://hitachi-id.com/concepts/biometric_authentication.html
BIOMETRIC INFORMATION & TEMPLATES
Source: Nature - http://www.nature.com/nature/journal/v449/n7158/box/449038a_BX1.html
CLIENT-SIDE BIOMETRIC MATCHING
• Biometric match on device: the template is enrolled, stored and compared on the user's own device
• No central repository of biometric information
– Biometric data never leaves device; only the match result (or something derived from it, such as a signature) is sent to the server
SERVER-SIDE BIOMETRIC MATCHING
• Biometric match on server: the captured sample or template is sent to the server for comparison
• Central repository of biometric information held on server (on premise or in the cloud)
BIOMETRIC DATA & PRIVACY
• Purposes for biometric systems:
– Identification
– Access (moving from token- and knowledge-based systems)
– Surveillance
• Generally, all biometric systems operate on the basis of either:
– Automatic identification of a person
– Authentication / verification of a person
• What differs between biometric systems is:
– Nature of biometric information/templates (physiological / behavioural; uni- & multi-modal)
– Type of matching (1:1 verification; 1:N identification; 1:few segmented verification)
– Type of storage (server, client/device)
BIOMETRIC DATA = PERSONAL DATA
• Is biometric data considered personal data?
– Yes - where:
• processed for identification, authentication or verification of an individual
• it can be used to confirm the unique identity of an individual
• EU General Data Protection Regulation ("GDPR"):
– applies from 25 May 2018
– introduces a definition of 'biometric data'
– introduces restrictions on the processing of biometric data
GDPR: NEW DEFINITION
• Article 4(14) – introduces new definition of "biometric data" –
"means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data"
• Article 9(1) – prohibits processing of biometric data for the purpose of uniquely identifying a natural person unless one of the grounds in Article 9(2) applies…
– Biometrics are sensitive ("special category") personal data!
GDPR: PROCESSING GROUNDS
Article 9(2) – grounds for processing biometric data:
– explicit consent of the data subject
– necessary for the purposes of carrying out specific obligations / rights
– necessary to protect vital interests
– carried out in the course of some legitimate activities with appropriate safeguards
– relates to personal data made public by the data subject
– necessary for the establishment, exercise or defence of legal claims
– necessary for reasons of substantial public interest
– necessary for the purposes of preventative or occupational medicine
– necessary for reasons of public interest in public health
– necessary for archiving purposes
KEY PRIVACY PRINCIPLES
Organisations should consider the following key privacy principles when processing biometric data:
– Transparency –
• users must be notified of the collection of their data (whatever the modality, e.g. iris scans, retina images)
• users must be provided with information about what the organisation is doing with their data (e.g. through a privacy policy)
– Individual choice and control –
• freely given, informed consent is required before processing biometric data (if the consent ground is relied upon)
• individuals must be able to access their data and correct it where necessary
– Security and confidentiality –
• biometric data is regarded as sensitive so requires enhanced levels of security
• organisations must establish technical and organisational measures to protect biometric data
• staff must be appropriately trained on how to handle and protect biometric data
– Cross-border transfers of data –
• transfers of biometric data outside the EU/EEA are restricted, as for any personal data, unless a recognised transfer mechanism applies
• need to be mindful of transfer restrictions when storing on a central server / in the cloud
PROS OF BIOMETRIC DATA
• Authentication and verification can be one of the most secure ways to control access to restricted systems / information
• High level of accuracy
• Accountability – a person can be directly connected to a device
• Easy and safe to use
• Saves time vs traditional security methods
• No need to remember passwords!
CONS OF BIOMETRIC DATA
• Unique to an individual = particularly sensitive (and, unlike a password, cannot be re-issued once compromised)
• Requires additional effort to keep data secure and confidential
• Lack of standardisation across biometric devices
• Reliability and accuracy still an area for improvement
• Biometric data mechanisms overload!
Hotel check-in process
…
EXPRESSIONS OF PRIVACY WORRY
• EU Article 29 Working Party - Opinion 3/2012 on developments in biometric
technologies:
– “genetic discrimination has become a real problem”
– “identity theft is no longer a theoretical threat”
– “while other new technologies that target large populations and have recently raised data protection concerns do
not necessarily focus on establishing a direct link to a specific individual…biometric data, by their very nature, are
directly linked to an individual. That is not always an asset but implies several drawbacks”
– “regarding biometric data, security should be a primary concern because biometric data are irrevocable:
therefore, a breach concerning biometric data threatens the further safe use of biometrics as identifier and the
right to data protection of the concerned persons for which there is no possibility to mitigate the effects of the
breach”
– “biometric technologies are closely linked to certain characteristics of an individual and some of them
can be used to reveal sensitive data…many of them allow for automated tracking, tracing or
profiling of persons and as such their potential impact on the privacy and the right to data protection of
individuals is high”
– “function creep has been a serious concern since the biometric technologies and systems were first
used…it is undoubtedly clear that the higher technical potential of new computer systems raises the risk
of data being used against their original purpose”
– “covert techniques allow for the identification of individuals without their knowledge, resulting in a
serious threat for privacy and a leak of control over personal data”
• Office of Privacy Commissioner of Canada Guidance “Data at your fingertips –
Biometrics and the challenges to privacy” (2011):
– “one concern is the covert collection and use of biometric data”
– “another privacy concern arises when a biometric trait collected for one purpose is used without a
person’s knowledge and consent for a different purpose”
– “many forms of biometric information, such as fingerprints and facial images, can also be collected
without a person’s knowledge, let alone consent. They can, therefore, be used to surreptitiously
monitor and track people’s movements and behavior”
– “it is imperative that government institutions and other organisations think carefully before proposing
initiatives that call for the collection, use or disclosure of biometric information”
• Privacy International point of view:
Biometric technologies capture and store the physiological and behavioral characteristics of individuals. Characteristics may include
voice and facial identifiers, iris patterns, DNA profiles and fingerprints. When stored in a database these characteristics can be
paired to individuals for later identification and verification. When adopted in the absence of strong legal frameworks and strict
safeguards, biometric technologies pose grave threats to privacy and personal security, as their application can be broadened to
facilitate discrimination, social sorting and mass surveillance, and the varying accuracy of the technology can lead to
misidentification, fraud and civic exclusion. As such, it is crucial that the export of biometric technologies is regulated and their
use is scrutinised.
Biometric databases compile and link multiple biometric identifiers. Although some databases can be used for legitimate purposes,
there are many risks associated with storing the very information that an individual’s identity is in part composed of. The
misappropriation of this information can deny individuals their identity and lead to limits on personal freedom. In many countries
strong data protection infrastructure does not exist and as a result deeply personal information has been repeatedly leaked.
Additionally, biometric data retention laws often do not specify the maximum storage length, further increasing the risk of
database leaks and introducing new dangers. The greatest of which is perhaps scope creep: seemingly benign biometric data stored
in databases can later pose significant threats to civil liberties. Images stored by facial recognition technologies can identify
different races. These applications raise concerns about discrimination, particularly in environments prone to social sorting.
https://www.privacyinternational.org/node/70
• Some other key reading:
https://www.privacyinternational.org/sites/default/files/Biometrics_Friend_or_foe.pdf
http://www.scientificamerican.com/article/biometric-security-poses-huge-privacy-risks/
https://www.sans.org/reading-room/whitepapers/authentication/biometrics-double-edged-sword-security-privacy-137
http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/734/73402.htm
https://www.dhs.gov/sites/default/files/publications/PIA%20DHS-ALL-I2B%2020151229.pdf
https://www.border.gov.au/Factsheets/Documents/PIA-31-08-15.pdf
DEVICE V SERVER
On device | On server
• Individual has more control over the data | • Individual has less control over the data
• Risk is lower, assuming the individual keeps possession of the device | • Risk is higher, assuming a 1:N system and a single database
• Data remains on-device = no transfers of biometric data | • Global network of biometric authentication users = international transfers of biometric data
• Individuals can withdraw permission at any point for the use of their data | • Policies required to ensure that once permission is revoked, the data is adequately destroyed
• Potential for loss of data limited to own user's biometric data | • Potential for large-scale loss of data is increased dramatically
Benefits of ‘on device’ biometrics:
– EU Article 29 Working Party Opinion (2012) –
• “warns of the risks involved in the use of biometric data for identification in large
centralised databases, given the potentially harmful consequences for the person
connected”
• “whenever it is permitted to process biometric data, it is preferable to avoid the
centralised storage of the personal biometric information”
• “especially for verification, the Working Party considers advisable that biometric systems
are based on the reading of biometric data stored as encrypted templates on media that
are held exclusively by the relevant data subjects”
– Office of Privacy Commissioner of Canada Guidance (2011) –
• “centralized storage [of biometric data] heightens the risk of data loss or the
inappropriate cross-linking of data across systems”
• “whenever possible, biometric information should be stored locally rather than in
central databases”
• "the challenge is to design, implement and operate a system that actually improves identification services, without unduly compromising privacy"
HOW TO MINIMIZE RISK - PIA
• CURRENT POSITION:
– In Europe & Canada it is currently best practice to carry out a privacy impact assessment (PIA) before processing biometric data
– PIAs enable organisations to consider the impact new or materially different data processing has on affected individuals' privacy and on the organisation's compliance
• FUTURE POSITION:
– GDPR expressly identifies biometric data (processed to uniquely identify a person) as a special category of data
– GDPR calls the assessment a data protection impact assessment (DPIA): Article 35(3)(b) requires one for large-scale processing of special categories of data, and Recital 91 names biometric data among the cases in point
FIDO ALLIANCE
• Biometric data is personal data
• 'On device' storage and matching of biometric data for authentication purposes is gaining momentum and is an easier approach to satisfy:
– global privacy requirements on cross-border personal data transfers
– individuals' choice and control over their personal data
• Evidenced by growing support for solutions incorporating FIDO authentication protocols
FIDO SCOPE
(diagram) Modern authentication stack: physical-to-digital identity; user management; authentication (passwords, risk-based, strong); federation; single sign-on. FIDO's scope within it is the authentication layer.
HOW OLD AUTHN WORKS
ONLINE: the user authenticates themselves online by presenting a human-readable secret
HOW FIDO AUTHN WORKS
LOCAL: the user authenticates "locally" to their device (the authenticator) by various means
ONLINE: the device authenticates the user online using public key cryptography
Passwordless Experience (UAF standards): 1. Authentication challenge → 2. Biometric verification* → 3. Authenticated online
Second Factor Experience (U2F standards): 1. Second factor challenge → 2. Insert dongle* / press button → 3. Authenticated online
*There are other types of authenticators
• No 3rd party in the protocol
• No secrets on the server side
• Biometric data (if used) never leaves device
• No link-ability between services
• No link-ability between accounts
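The challenge/response exchange above, and the "client-side biometric matching" slide earlier, as an added example written for this page: it is not FIDO Alliance or Nok Nok Labs code and does not use the UAF or U2F wire formats. What it shows is the shape of the protocol: the device mints a separate ECDSA P-256 key pair per service (no link-ability), the server stores public keys only (no secrets to steal), the biometric match is a local gate in front of the private key (the template never leaves the device), and each signature is bound to one relying-party identifier and one single-use challenge (no cross-service or replay use). The rpID strings, the random 16-byte credential handle, the `verify` callback that stands in for the on-device biometric match, and the `rpID|challenge` hash as the signed message are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Authenticator models the user's device. Private keys never leave it; verify
// stands in for the on-device biometric match (assumption: a callback, not a matcher).
type Authenticator struct {
	keys   map[string]*ecdsa.PrivateKey // credential ID -> private key
	verify func() bool
}

func NewAuthenticator(verify func() bool) *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, verify: verify}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to continue rather than sign with a weak nonce
	}
	return b
}

// signedData binds a signature to one relying party and one challenge, so a
// signature for bank.example is useless at shop.example and for a later login.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Register mints a fresh key pair for this relying party and returns the opaque
// credential ID plus the public key: the only things the server ever receives.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	if !a.verify() {
		return "", nil, errors.New("local user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(randomBytes(16)) // assumption: random handle, says nothing about the user
	a.keys[id] = priv
	return id, &priv.PublicKey, nil
}

// Sign answers a challenge; local user verification is required on every use.
func (a *Authenticator) Sign(credID, rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok || !a.verify() {
		return nil, errors.New("unknown credential or local user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty models the server: it stores public keys only, so a breach of its
// credential database hands an attacker nothing that logs anyone in.
type RelyingParty struct {
	ID      string
	creds   map[string]*ecdsa.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) Enroll(credID string, pub *ecdsa.PublicKey) { rp.creds[credID] = pub }

// NewChallenge issues a fresh nonce and remembers it until it is consumed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := randomBytes(32)
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify accepts a signature only over a challenge this server issued, and only once.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	pub, ok := rp.creds[credID]
	if !ok || !rp.pending[key] {
		return false
	}
	delete(rp.pending, key) // consume: replaying the same signature fails here
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// Login is one complete exchange: server challenge, local verification plus
// signature on the device, server check against the stored public key.
func Login(auth *Authenticator, rp *RelyingParty, credID string) bool {
	challenge := rp.NewChallenge()
	sig, err := auth.Sign(credID, rp.ID, challenge)
	return err == nil && rp.Verify(credID, challenge, sig)
}
```

Drive it with `Register` then `Enroll` once per service and `Login` per sign-in (from a `main` or a test). Two things to notice when reading it against the slide: a dump of `RelyingParty.creds` contains nothing an attacker can present to any server, which is the "no secrets on the server side" property; and because `Register` is called once per `rpID`, the bank and the shop hold unrelated public keys for the same person, which is what "no link-ability between services" means in practice. A real authenticator would keep `keys` in a secure element and run the biometric comparison there instead of the `verify` callback.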
SUMMARY
• Consider privacy implications of processing biometric data
• Carry out a privacy impact assessment before processing biometric
data to assess impact on organization’s privacy compliance
• Consider using ‘on device’ as opposed to ‘on server’ biometrics to
mitigate privacy risks
• Consider a standards-based approach to mobile app authentication
ADDITIONAL RESOURCES & BACKGROUND
• The FIDO Alliance Whitepaper on Privacy Principles
FIDO PRIVACY PRINCIPLES
1. Require explicit, informed user consent for any operation using personal data
2. Provide clear context to the user for any FIDO operations
3. Limit collection of personal data to FIDO-related purposes
4. Use personal data only for FIDO operations
5. Prevent identification of a user outside of FIDO operations
6. Biometric data must never leave the user's personal computing environment