Accenture: Moratorium on biometrics – What to do?

Over the past twenty years we’ve seen rapid growth in the biometrics market – personal, commercial, and governmental use cases all on the rise.  The greatest spike in the usage of biometrics was seen with the release of the iPhone 5 which added millions of biometric sensors and an awareness of the benefits of usability and security that automated recognition has to offer. In the same period, we have seen a rapid increase in biometrics used to automate border clearance, increase inclusion for the undocumented, and add security to financial transactions.  There are scores more examples where automated recognition systems facilitate and secure our public and private interactions.

As these systems have become more part of our daily lives we have also heard of, and perhaps experienced, some of the downsides of automated recognition systems.  Perhaps because of the success of biometric systems they are receiving more scrutiny – are they accurate enough? Do they discriminate?  In response to this some jurisdictions have banned the use of biometric systems outright and some have put moratoria in effect.

The relative performance of biometric recognition systems is extremely use case dependant, so it is difficult to understand outright bans that don’t delineate factors such as:

• Is the system overt or covert?
• Is the system performing authentication or identification?
• Does the system require informed consent of the data subject?
• Under which privacy regulations does the system operate?
• Under which performance requirements does the system operate?
• To which security requirements does the system conform?

We know that all biometric systems have Type I and Type II errors (False Rejects and False Accepts) and we know that these error rates can be influenced by factors such as quality and age of the biometric data and the sex, age, and ethnicity of the data subjects.

Given the rapid adoption and utility of biometric systems in the public, private, and humanitarian sectors, one would think that effective regulation would follow suit – it has not – and outright bans and moratoria with no corresponding action plan does not resolve this issue.

If the perceived, or actual, problem with a biometric system for the intended use case is that it is not accurate enough or that its performance is impacted by demographic differentials then bans should be replaced with performance requirements and moratoria with regulations that require certification to specified conformance criteria for the intended use case.  The sharing, retaining, and protecting of personal data, including biometric information are all fundamental data privacy provisions as are portability, accuracy, redress, and breach alerts that must have corresponding regulation and enforcement– and liability.

There is an understanding gap that should be reconciled with education – regulators need to understand how biometric systems work in their many and varied applications and legislate accordingly as they did with Health Information, Vehicle Emissions, Food Safety, etc. With proper education, legislation, and certification biometric systems can continue to facilitate and secure our lives – while preserving our privacy and human dignity – for the next twenty years and beyond.

Accenture                           
Daniel Bachenheimer
Daniel.bachenheimer@accenture.com
Director, Biometrics Institute

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Accenture appeared first on Biometrics Institute.

The Department of Foreign Affairs and Trade Australia

Department of Foreign Affairs and Trade Australia: The Australian Passport Office: Helping shape the future of biometrics

What’s in a name?  Nothing, compared to the value of a face, or other biometric indicator, when it comes to securing your identity.

More than a century ago, the Australian Government recognised the value of biometric information well before ‘biometrics’ was even a term.

The first photos appeared in an Australian passport in 1915, when passports became compulsory as a temporary measure during World War I for all departing males of military age.

Back then, a passport included some personal details and a simple black and white photo.  This image served as an important security feature, allowing authorities to confirm a person’s identity.

As technology evolved, so did the Australian passport.  Since then, there have been a further 20 iterations of Australia’s passport over the years, but the inclusion of an image to recognise someone’s facial biometrics has always been there.

In 2005, the Australian Passport Office (APO), which is part of Australia’s Department of Foreign Affairs and Trade (DFAT), launched its first biometric passport—one of the first countries to do so—by embedding an electronic chip containing biometric information.  This small silicon chip helps authenticate the identity of the passport holder in over 140 countries.

Few Australians appreciate how advanced and secure their passports really are.

The APO’s pioneering work on face biometrics is a big part of that story.  Since the introduction of the biometric passport, facial recognition checks have been a standard part of the APO’s processing.

Every time a customer applies for a passport, be it first time applicant or a renewal, APO staff check the photo against the entire database of facial images to ensure the person does not exist in any other identity.  Currently holding over 29 million passport photos, this database is one of Australia’s largest facial biometric banks.

These checks are still amongst the world’s most thorough.  APO staff are highly trained to pick up discrepancies as part of the facial recognition check.  In fact, DFAT was one of the first organisations anywhere to test the aptitude of staff performing facial comparison tasks.

Of course, it’s not possible for APO staff alone to compare an image against a database of that magnitude.  So that’s where the use of cutting-edge algorithms comes in.

Face comparison algorithms can spot anomalies humans would miss.  The programs the APO uses to run these algorithms are industry-leading and are upgraded regularly to introduce further performance improvements to our systems.

Investing in facial recognition systems also delivers wider benefits for passport customers—using their face to confirm their identity through the Government’s face-matching service.  For example, the APO facilitated access to its passport face-matching service so Services Australia could fast-track financial assistance to those affected by last year’s bushfires.

The APO’s facial recognition system is also central to the Government’s digital transformation agenda by supporting customers to create secure, trusted digital identity credentials.

Digital identities for the digital world are the future.

Customers no longer want paper-based products.  The service environment is electronic, self-serve and almost instantaneous (think online shopping).  Environmental events like COVID-19, where people are unable to meet in person, also push us closer to a digital future.

So how does a passport – a physical document with important biometric data and over 100 security features woven into the seams – meet these digital expectations?  It evolves.

What this will look like will be interesting to watch, but two things are certain:

• Biometrics will be essential to both securing your identity and the integrity of any future Australian passport, and
• Any future success will require the continued work and collaboration of the APO and the Biometrics Institute.

APO is proud to be a founding member of the Biometrics Institute.  We have benefitted immensely from the Institute’s insights, and the close working relationships it has helped us forge with key agencies in the biometrics field.

We want to acknowledge the Biometrics Institute’s tremendous contributions over the past 20 years and congratulate it on reaching this important anniversary.  The APO looks forward to working closely with you for the next 20 years!

Australian Department of Foreign Affairs and Trade (DFAT)
Shashi Samprathi
Head of the Borders User Group, Biometrics Institute                                    
DFAT were a Founding Member in Australia

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Department of Foreign Affairs and Trade Australia appeared first on Biometrics Institute.

Department of Home Affairs Australia

Department of Home Affairs Australia: Biometrics: Use of the Face Verification Service to assist Australians in need

The Face Verification Service (FVS) is a secure online service that helps people to verify their identity in a way that is fast, secure and private, without having to present documents in person, making it easier to access government services.

The FVS enables Australian government agencies to check a person’s photo against a government-issued photo identity document record. This is called a ‘one-to-one’ check and helps to confirm the identity of a known person. A small number of Australian government agencies have commenced trialling use of the Face Verification Service, with consent from the individuals involved and in circumstances where this is permitted by current laws.

The FVS helps to protect people from identity crime, which is a key concern for many Australians.

• 1 in 10 Australians are impacted by identity crime each year.
• The total economic impact of identity crime in Australia is approximately $3.1 billion per year. This includes $2.1 billion in direct costs and a further $1 billion in costs associated with lost outputs, prevention and response costs incurred by government, business and individuals.

(Australian Institute of Criminology Report “Counting the costs of identity crime and misuse in Australia, 2018-19”).

The FVS also helps victims of identity crime reclaim their identity faster, and helps in other cases where people can’t access their identity documents, such as natural disaster victims.

The FVS builds on the success of the Document Verification Service (DVS), which has been available to Australian government agencies for more than 10 years, and to the private sector since 2014.

The DVS is a national online system that enables organisations to compare a customer’s identity information, such as name and date of birth, with government records and is currently used by more than 160 Australian Commonwealth, state and territory agencies and almost 2000 private sector organisations.

During the 2019-20 summer, Australia was experiencing catastrophic bushfires. Services Australia responded to the emergency with an FVS pilot to reduce the burden on people seeking disaster relief payments. The pilot was focused on helping people to prove who they are in the absence of physical documents.

Twelve Service Centres across New South Wales and Victoria trialled the use of the FVS for the emergency payments for bushfires. During this period, more than 700 customers confirmed their identity using the FVS, including people unable to retrieve identity documents due to the continued fire threat.

In accordance with FVS requirements, individuals were asked if they consented to their identity being biometrically verified. Images of their faces were captured via a camera attachment (similar to a webcam) that was positioned on service officers’ computer monitors, and compared online to government identity records to confirm a match.

Using the FVS supported individuals and families by saving them from sourcing additional identity documents, such as an Australian Birth Certificate or Australian Citizenship Certificate, avoiding the need for customers to return to a Service Centre with their identity documents and reducing administrative burdens at a distressing time in their lives, thus reducing the emotional toll.

Here are just two of the success stories from this pilot:

• A 91 year old customer attended a Service Centre to provide identity documents for an Australian Government Disaster Recovery Payment claim. The customer’s husband, also claiming, was in the car. He was unable to walk into the office as he did not have his walker with him. The couple had been evacuated from their home due to the bushfires and were staying in a motel. Both customers had a current passport but did not have the passports with them. With customer consent, the Services Australia team used the FVS Portal for customer number one. The team then walked out to the car and spoke with customer number two. With his consent, they captured his image while he sat in the car and successfully matched it through the FVS Portal.

Without the FVS, the customer would have been required to come back at a later date with physical identity documents. This was a great outcome for them and for Services Australia.

• A customer in his 90’s attended a Service Centre in early January. He had been evacuated from his home, leaving all his belongings (including all identity documents) thinking he would return when it was safe. Unfortunately, his home and property were destroyed by bushfire. The Services Australia team was able to grant an emergency payment for the customer on the spot and without identity documents by using an image of his face in the FVS portal to verify his identity with the government’s records.

The majority of customers responded positively to the technology and its use, saying they felt their identity was being protected by the Agency. Many customers reflected on how easy the service was to use and the amount of time it saved them from trying to locate a physical document and come back to a Service Centre with that document. Less than 5% of participants asked did not consent to use the technology.

The FVS offers immediate, contactless identity verification to assist with disaster recovery activities, such as the timely provision of relief payments, or re-issuance of lost or stolen identity credentials.

Outcomes from the pilot demonstrated that the use of the FVS can more confidently provide vulnerable customers with the payments and services they need, when they need them, as seamlessly as possible.

Australian Department of Home Affairs
Matt Huntington
+ 61 (02) 5127 7301
Matt.Huntington@homeaffairs.gov.au
Department of Home Affairs were a Founding Member in Australia

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Department of Home Affairs Australia appeared first on Biometrics Institute.

The pre-digital age:  A personal reflection

Biometric data such as fingerprints and photographs have been used in policing and criminal justice in Scotland as a means of verification, identification, and exclusion for more than 100 years.

In April 2021, I was appointed by Her Majesty the Queen on the nomination of the Scottish Parliament as the first Scottish Biometrics Commissioner. My own career as a police officer in Scotland, and my personal biometric journey had commenced 43 years earlier in Edinburgh, Scotland. Back in 1978, the police had only the most basic of technologies and it would be another 5 years before the launch of Microsoft Word. Fingerprints of persons arrested were taken manually with ink, and photographs were taken on the ‘latest’ Kodak camera complete with spool and reel. DNA profiling had not yet been established for criminal investigations, and there were no automated biometric databases.

Police forensics were similarly constrained requiring a blood stain the size of large coin to simply identify a blood type.^[1] With limited science and technology, the pre-digital age of policing was beset with unsolved high-profile crimes. In 1978 Edinburgh, this included the ‘World’s End Murders’ a colloquial name given to the murder of two girls Christine Eadie and Helen Scott, both aged 17 years, who were last seen alive after leaving The World’s End pub in Edinburgh’s Old Town in October 1977.

The digital era

Since the late 1980s, the advent of the forensic technique of DNA profiling has transformed the investigation of crime. It is used daily in the investigation of a wide range of offences to identify offenders from minuscule amounts of body fluids and tissues. In sexual offences, DNA profiling can untangle complex mixtures of body fluids, typically found in such cases, to provide evidence that was previously unavailable. Through the introduction of DNA24, Scottish Police Authority Forensic Services now provides Police Scotland with one of the most advanced DNA interpretation capabilities in world policing. The digital era also witnesses the introduction of automated fingerprint capture and recognition systems, automated facial search capability, and the introduction of ISO standards for forensic laboratory work and the independent accreditation and validation of the underpinning scientific techniques.

DNA time capsules

In 2014, one year after the creation of a single national police service for Scotland (Police Scotland) and a single forensic services provider (Scottish Police Authority Forensic Services) advances in DNA technology contributed directly to the conviction of Angus Sinclair for the 1977 ‘World’s End Murders’ concluding a 37-year long police investigation. Sinclair (now deceased) was given the longest sentence ever handed down by a Scottish Court.

Similarly, in May 2021 the mystery of the 1984 murder of Mary McLaughlin in Glasgow was solved after forensic experts extracted 35-year-old biological material from inside the knot of a ligature used on the victim.^[2] Using Scotland’s world leading DNA24, forensic scientists profiled 24 genomic sequence markers (the UK and Interpol policing standard is 17 DNA markers) establishing a DNA profile match against convicted sex offender Graham McGill. These cases, demonstrate just how far forensics and biometrics have advanced in the last two decades and how forensic techniques and biometric technologies have contributed positively to society. Such technologies do not of course establish innocence or guilt, but they do assist human investigators in ways which are often unquantifiable. Biometrics help fix identity, and will continue to enhance incriminatory, exculpatory, and deterrence value in the future. By illuminating ‘DNA Time Capsules’ in cold case reviews, they also provide redress to the families of victims from earlier decades who had long given up any hope of justice.

Our biometric future

More recently there has been an exponential growth in a range of new biometrics in law enforcement, perhaps most controversially the use of public space facial recognition surveillance by the police in other jurisdictions. There has also been a proliferation of databases operating and exchanging biometric data over different legal and functional jurisdictions, including the application of artificial intelligence to those databases to develop algorithms for biometric matching.

Such issues raise important questions for society, including how best to balance our need for public safety and security, with broader privacy, ethical, human-rights, and equalities considerations.

In 2020, The Biometrics Institute devised the ‘Three Laws of Biometrics’ to prompt its members to remember the fundamentals of using biometric technology responsibly and ethically:

1. Policy – comes first: Any use of biometrics is proportionate, with basic human rights, ethics, and privacy at its heart.
2. Process – follows policy: Safeguards are in place to ensure decisions are rigorously reviewed, operations are fair, and operators are accountable.
3. Technology – guided by policy and process: Know your algorithm, biometric system, data quality and operating environment and mitigate vulnerabilities, limitations, and risks.

In Scotland, the policy first approach has witnessed the creation of a single national police service, a single national forensic services provider, significant investment in advanced biometric technology, and the appointment of an independent Scottish Biometrics Commissioner answerable to the Scottish Parliament. Reflecting on the title of this article ‘From Worlds End – to World Leading’ I would posit that the approach to biometrics delivery and oversight for policing and criminal justice purposes in Scotland safeguards our biometric future by following the ‘Three Laws of Biometrics’ advocated by the Biometrics Institute. In jurisdictions where the use of biometric technologies has proved more controversial, these rules have sometimes been overlooked, and technology has not been adequately guided by policy and process.^[3]

                ‘New technology is not good or evil in and of itself. It’s all about how people choose to use it’

(David Wong, podcast geeks guide to the galaxy, science-fiction podcast, episode 171. October 2015).

[1] Forensics stop people getting away with murder, BBC, 13 August 2021: https://www.bbc.com/news/uk-scotland-58188079

[2] Mary McLaughlin Murder: Killer jailed after DNA solves 35-year mystery, BBC, 18 May 2021: https://www.bbc.com/news/uk-scotland-glasgow-west-56505250

[3] UK Court of Appeal, Case No C1/2019/2670, 11 August 2020 in review of case of Bridges vs Chief Constable of South Wales Police: https://www.judiciary.uk/wp-content/uploads/2020/08/R-Bridges-v-CC-South-Wales-ors-Judgment.pdf

Scottish Biometrics Commissioner
Brian Plastow
Brian.Plastow@biometricscommissioner.scot

Joined in 2021

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Scottish Biometrics Commissioner appeared first on Biometrics Institute.

Department of Homeland Security, U.S. Customs and Border Protection

Department of Homeland Security, U.S. Customs and Border Protection: The Development of the Biometric Entry/Exit Program as a Key Recommendation in the 911 Commission Report

As we mark a key milestone – the 20^th anniversary of the tragic events of September 11, 2001 – we remember where we were on that devastating day, think of the victims and their families, and remember the lasting impacts on our country. Following the terrorist attacks, the Department of Homeland Security (DHS) was created in 2003, through the integration of all or part of 22 different federal departments and agencies into a unified Department. The Entry/Exit mission, which included the development of an automated entry-exit system that would collect records on foreign travelers who arrived to and departed from the United States, was transferred to the newly created US-VISIT Program office at DHS.

Through several pieces of legislation that followed and as a key recommendation of the 911 Commission Report, the development of an Entry/Exit system would now include the collection of biometrics – two fingerprints and a photograph — for foreign travelers on arrival and departure.  US-VISIT successfully launched biometric entry in phases starting in 2004 – collecting two fingerprints and a photograph – of foreign travelers at airports and seaports and implemented a biometric entry process at all U.S. land borders at the end of 2005.

However, the implementation of a biometric exit process posed several challenges given the co-mingling of domestic and international travelers and the lack of infrastructure for exit processing at U.S. airports and land borders. Over the years, US-VISIT implemented a variety of biometric exit pilots, including testing some concepts in partnership with U.S. Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) to evaluate the optimal process to collect biometrics for departing travelers. Given the cost and amount of resources needed to build and staff a new biometric exit process, it became clear that DHS would need to come up with an innovative solution to successfully meet this security mandate.

When the Entry/Exit mission was transferred to CBP in 2013, we took the challenge head on by deploying new pilots and working closely with stakeholders in the air travel industry and biometrics industry to plan a path forward. The collaboration and partnership, combined with CBP’s creative approach to the way we use our own data, resulted in real momentum, and led us to where we are today: the expansion of biometric exit fully, or partially, to 32 airports.

To advance the biometric exit mandate, we have partnered with the air travel industry to implement a secure, stand-alone system that can be seamlessly integrated into the boarding process. While the airlines and airports have purchased the facial biometric technology (camera) for biometric exit, we have built a facial biometric matching service that the airlines, airports, and TSA can access wherever traveler identity verification is required throughout the air travel journey such as check in, bag drop, security checkpoint, and boarding.

A camera can be installed at an airline departure gate without any necessary changes to existing airport infrastructure and is minimally disruptive to the flow of travel. We chose facial biometrics because of the photographs that are already in government holdings that CBP can compare against (e.g. passport, visa, and previous entries); it is an intuitive process as just about everyone knows how to take a photo; and it integrates seamlessly into the airport boarding process. When departing from select airports during international travel, passengers pause for a photo at the departure gate and in a matter of seconds, our biometric facial comparison service will compare that photo to images the traveler has already provided.

Currently, we have commitments from several airlines and airports to implement secure, touchless biometric boarding and enhance the departure process. To date, we have processed almost 20 million travelers using facial biometrics upon departure from the United States with a match rate above 98 percent.

To complement biometric boarding, we have implemented a similar process at entry at select airports known as Simplified Arrival, an enhanced international arrival process that uses facial biometrics to automate the manual document checks that are already required for admission into the United States. As the severity of the COVID-19 pandemic was becoming clear in the first half of 2020, we recognized the health and safety benefits of a touchless biometric identification service and accelerated the deployment schedule to ensure maximum utilization of Simplified Arrival. As a result, CBP is part of the travel recovery efforts to build passenger confidence in safer travel.

Currently, we have implemented biometric facial comparison technology partially or fully at entry into the United States at 198 airports, including Preclearance locations. As part of our land border innovation efforts and building upon the successful implementation of Simplified Arrival at the airports, we expanded the use of facial biometrics to the pedestrian lanes at U.S. land borders. Currently, Simplified Arrival has been deployed in varying degrees to 78 locations representing 46 Ports of Entry (21 on the Northern Border and 25 on the Southern Border). Each of these locations has a 1:1 biometric facial matching process, in which the traveler’s live photo is compared to the document the traveler presents. 

This month, we also began a Simplified Arrival pilot in select vehicle lanes at the Anzalduas International Bridge Port of Entry (POE) in Texas for travelers arriving in the United States. As part of this 120-day pilot, we will evaluate the system’s ability to capture a quality facial image for each occupant in the vehicle, as well as the accuracy of the biometric matching to inform future biometric enhancements for vehicle entry processing. 

In the sea environment, we have deployed biometric facial comparison technology into the debarkation process at eight seaports in the U.S., in partnership with nine cruise lines. In addition, we are expanding our data sharing agreements with cruise partners to enhance security. This effort will provide a more complete analysis of passengers in advance of travel and streamline inspections.

In collaboration with the Transportation Security Administration (TSA), we continue to explore how CBP and TSA can expand the use of facial biometrics in the curb to gate travel experience, leveraging CBP’s facial biometric matching service. We have partnered with TSA on several multi-phased operational tests to assess the use of facial biometrics to further secure and enhance travel at the TSA checkpoint.

To date, CBP has processed over 100 million travelers using facial biometrics. Whether air, land, or sea innovation, the use of facial biometrics is secure, efficient, and touchless and enhances the customer experience. Biometric facial comparison technology has been proven to decrease aircraft boarding times. For example, airlines have reported that they have boarded travelers on A380 planes in 20 minutes through the biometric boarding process. Additionally, post-cruise satisfaction surveys by travelers have been exceedingly positive and highlight the ease and efficiency of facial biometrics in the debarkation process.

In addition to streamlining travel, the use of facial biometrics protects the identity of travelers and adds another layer of security. Since September 2018, we have used biometric facial comparison technology to identify over 950 impostors. Recently, CBP officers prevented an impostor from entry at the Laredo, Texas land border port of entry:

https://www.cbp.gov/newsroom/local-media-release/laredo-cbp-officers-detect-impostor-through-facial-biometrics

As with the use of any new emerging technology, it’s critical that accuracy and privacy concerns are appropriately addressed at the forefront to ensure the public’s acceptance and use. At CBP, we use a high-quality facial comparison algorithm, which shows virtually no measurable differential performance in results based on demographic factors. We continually evaluate the performance of this algorithm and have partnered with the National Institute of Standards and Technology (NIST) to further enhance the biometric facial comparison process.

At CBP, we also take our privacy obligations very seriously and are dedicated to protecting the privacy of all travelers. We have published multiple Privacy Impact Assessments (PIA) that explain all aspects of CBP’s biometric Entry/Exit program, to include policies and procedures for the collection, storage, analysis, use, dissemination, retention, and/or deletion of data. In addition, the Entry/Exit program includes four primary safeguards to secure passenger data, including encryption during data storage and transfer, irreversible biometric templates, brief retention periods, and secure storage.

Photos of U.S. citizens and select foreign travelers who are not statutorily required to provide biometrics are securely held in CBP systems and deleted within 12 hours. Photos of all other foreign travelers are stored in a secure DHS database. U.S. citizens are welcome to participate in the biometric facial comparison process; however, if they do not wish to do so, they can simply notify a CBP officer who will perform a manual document check. In addition, foreign travelers who prefer not to participate in the biometric boarding process upon departure from the U.S. can also request a manual document check.

In November 2020, we published a Notice of Proposed Rulemaking (NPRM), which proposes to amend  CBP’s Entry/Exit regulations by eliminating references to pilot programs and the port limitation to permit the collection of photographs or other biometrics from non-U.S. travelers departing from airports, land ports, seaports, or any other authorized point of departure. We have been analyzing all comments received and will respond in the Final Rule, including making any adjustments as necessary.

The September 11th anniversary continues to reinforce the critical importance of the biometric Entry/Exit mission each year, and we are proud of the progress we have made on this security mandate. Although the COVID-19 pandemic has severely impacted international travel in the air, land, and sea environments, there is also a significant opportunity to transform and enhance the future of touchless travel by expanding public-private partnerships and leveraging technology.

Department of Homeland Security, U.S. Customs and Border Protection
Kimberly Weissman
Kimberly.Weissman@cbp.dhs.gov

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Department of Homeland Security, U.S. Customs and Border Protection appeared first on Biometrics Institute.

Digital Transformation Agency Australia

Digital Transformation Agency Australia: Australia and Digital Identity

The world is changing quickly, it’s becoming smaller and bigger at the same time, with the importance of safe, simple and secure digital services never more important.

Using biometrics as a default means to access services would have been unthinkable only a few years ago but with technological advances and social adoption, it is now second nature to verify a transaction with a tap of a finger.

People are engaging online at unprecedented rates, accelerated by the COVID-19 pandemic—even for activities like telehealth and remote employee onboarding. At the heart of these traditional in-person services is identity, needing a way to securely prove who you are online.

The shift to online has brought communities closer together while opening up a whole new world of risk and reward for us to navigate. Including privacy concerns, the need for businesses to keep up, as well as new opportunities engage, transact, and grow our economy.

Governments and the private sector need to focus on how identity is perceived, it’s critical to build trust in the technology, ensure consumers are protected, and have strong policies that set the foundation for change.

Digital Identity underpins the Australian government’s Digital Economy Strategy that will allow Australian businesses, and in particular small business, to capitalise on the opportunities that digital technologies are creating, enabling them to grow and create jobs as part of Australia’s economic recovery following the COVID-19 Pandemic.

Following an inquiry into the financial sector in 2014, the Australian Government took the first steps towards a national approach to digital identity to support our country’s economic growth.

The objective was to develop a national federated Digital Identity Framework, which would guide the development of a world class solution that could improve digital transactions across Government and the broader economy. To achieve this, we looked at international best practise and consulted extensively on the policy underpinning the Australian Government’s Digital Identity System (the System). 

Our guiding principles are privacy by design, putting the user first and taking an iterative approach in everything we do to make sure Digital Identity not only meets but exceeds community expectations.

Putting people first, we also need to consider and ensure that in-person services remain for those in our community who can’t or don’t have access to engage online. Inclusive system design is crucial to support as many people as possible to access online services with a digital identity.

Central to our System is the Trusted Digital Identity Framework or TDIF. It sets the standards, rules and guidelines for usability, accessibility, privacy protection, security, risk management, fraud control for Digital Identity providers. Anyone who participates in the System must meet these strict requirements.

The high standards set out in the TDIF allow for a true whole-of-economy digital identity system where people can have complete trust that their security and privacy is protected when using the System to access services.

This is especially crucial when they’re asked for their biometric information. 

When we talk about biometrics in the context of our System, we refer to the method of access and face verification for remote onboarding. “Biometrics” refers to a full breadth of measures to verify someone’s identity and it can be a confronting concept. It’s important to understand that with Digital Identity we’re simply verifying that the photo taken by a person on the end of the phone (or device) matches their photo ID. In the future, this may extend to other biometrics to suit the appropriate use case. 

Face verification is only required for people to access higher risk or higher value transactions—like those that currently require you to prove your identity in person at a government shopfront or service centre.

The key privacy features we’ve implemented for Digital Identity face verification and use of biometrics are express consent, one-to-one matching only, no central data base for storing images, and images are not shared across the System.

This means that any data that is required to prove your identity will need your express consent before it’s shared. This is a principle that applies to the whole System.

Face verification is only used for ‘one-to-one’ matching. This means the System matches a photo you take of yourself with a photo you have provided as part of your identity verification. This very important security and privacy principle ensures the System only collects the information needed to establish and maintain a digital identity.

This is an important distinction from ‘one-to-many’ matching which matches a person’s face against many images stored in an identity database and then adds that photo to the database.

And there is no central database where data will be stored for the System. Once a person’s photo has been used for its consented purposes—including where you’ve consented to it being used for quality assurance testing and fraud detection—it will be deleted.

It’s important that we ensure this system is secure and as robust as possible. We’re working to enshrine these principles, the TDIF requirements, and strict security and privacy standards including protections around the use of biometrics in legislation, giving the Australians trust and confidence in Digital Identity.

Privacy is important to Australians, and to us, and we need a digital identity system that Australians can trust. A consent-based, regulated system will support people to do their business, big and small, online without compromising their security or their privacy.

Australia already performs well in government service delivery relative to other countries—ranking second for E-Government in the IMD’s 2019 Digital Competitiveness and fifth in the UN’s 2020 E-Government Survey. But there is more to do. Our goal is to provide safe, secure and convenient government services online. The Australian Government Digital Identity System will change the way that Australians and Australian businesses engage with the government services they need, and with each other, online.

Australian Digital Transformation Agency                                                        
Jonathon Thorpe
Jonathon.thorpe@dta.gov.au
Director, Biometrics Institute

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Digital Transformation Agency Australia appeared first on Biometrics Institute.

ID Transnational Consulting & INTERPOL

ID Transnational Consulting & INTERPOL: 2004 Southeast Asian Tsunami – Victim Identification in Thailand

Introduction

On the 26th December 2004 a massive 9.1 magnitude earthquake struck off the north coast of the Indonesian island of Sumatra. This resulted in one of the largest tsunamis ever recorded spreading across the Indian Ocean and striking the coasts of many Southeast Asian and East African countries. More than 230,000 people were subsequently killed. The operation to identify the deceased in Thailand was centred in Phuket. It was jointly led by the Royal Thai Police and the Australian Federal Police with Interpol supplying and operating the AFIS and DNA biometric search systems. Other countries, whose nationals were missing in the disaster, supplied Disaster Victim Identification (DVI) teams of police and forensic science personnel to aid in the identification of the deceased, regardless of their respective nationalities.

Disaster Victim Identification (DVI) is a protocol employed by law enforcement agencies around the world to identify the deceased in mass casualty events such as natural disasters, aviation incidents and terrorist attacks. The three primary identifiers used in DVI are:

• Fingerprints: In cases where a putative identity has been established, post-mortem fingerprint  impressions are taken from the victim and compared 1:1 with ante-mortem finger marks that may have been developed, for example, on personal items such as household contents, diaries etc. or official fingerprints (if held). In cases where there is no indication as to the identity of the deceased then an Automatic Fingerprint Identification System (AFIS) is usually employed to conduct a biometric search of the post-mortem fingerprints against a database containing the ante-mortem finger marks.
• DNA:  Similarly, DNA profiles generated from samples obtained from the deceased can be compared 1:1 with ante-mortem DNA profiles taken from personal items such as tooth or hair brushes or DNA profiles of surviving close family members (familial/kinship matching). DNA Databases can be used in the same way as an AFIS to search the victim’s DNA profile against the profiles produced from all the victims’ personal items. Additionally, links may be established between the DNA profiles of victims from the same family. This only applies to biological relatives.
• Forensic Odontology: A comparison of the victim’s teeth with ante-mortem dental records, X-rays and charts. A search capability of dental records is usually not possible because of the decentralised record systems used in most countries.

Challenges and critical success factors

Fingerprints

The immersion of the deceased in salt water for long periods resulted, in many cases, in the detachment of the epidermal layer of skin from the hands in the form of a ‘glove.’ It is this layer that contains the papillary ridges of the fingers and palms that make up a person’s ‘fingerprints.’ The dermal skin layer beneath contains the ‘anchoring’ ridges that hold the epidermal ridges in place. There are two dermal ridges for each epidermal ridge and therefore this made impressions obtained from the dermal layer of skin largely incompatible with AFIS search systems i.e. attempting to match double ridge formations with single ridge formations of the same person. Any epidermal ‘gloves’ recovered with a body was examined by experts to determine whether or not the ‘glove’ had turned inside out when detaching from the hand. If the skin had turned inside out then the fingerprint impression taken from the glove would be in reverse direction, when recorded, and therefore would not be found during an AFIS search.

Of special note was the action taken in respect of the Myanmar workers who had lived in huts on the beaches of Phuket. It was originally assumed that because they had no possessions or property left after the destruction of the beaches that they would remain unidentified. However, it transpired that all Myanmar immigrants had been fingerprinted (two fingers recorded on cards) on entry to Thailand. These fingerprints were loaded into the Interpol AFIS and searches of the victims’ post-mortem fingerprints revealed a significant number of matches.

DNA

The prolonged exposure of the victims to the intense heat and humidity of the Thai climate meant that many of the ‘normal’ post-mortem samples obtained from the deceased were ‘denatured’ and no usable DNA profiles could be generated. DNA from bone marrow was found to be suitable but the extraction of DNA from bones was a highly specialised process in 2004/5 and very few laboratories could undertake the process, especially in bulk. However, eventually the samples were sent to the International Commission on Missing Persons (ICMP) facility in Sarajevo. Their considerable expertise in identifying numerous skeletal remains from the 1990s conflict in the former Yugoslavia proved invaluable. The DNA profiles were sent to the Interpol DNA Database in Phuket for search and many victims were successfully identified and, where appropriate, repatriated, including family groups linked by their DNA.

Forensic odontology

In most countries, dental records had to be collected from the individual dental surgeries of the missing persons. In Scandinavia, however, the dental records of several countries are collated in a centralised database. This allowed all the required records, charts and x-ray sheets to be accessed, collated and dispatched to Phuket within a very short time after the tsunami. Consequently, many Scandinavian victims were identified and repatriated in the first few months of 2005. Other countries took much longer to obtain dental records, on an individual basis, and use them in the Thai reconciliation process to establish identity.

Outcome & developments

More than 5000 people died and nearly 3000 were missing after the tsunami hit the coast of Thailand. In the two years after the event over 3600 of the deceased had been positively identified by the DVI process using one or more of the primary biometric identifiers.

In the 17 years since this disaster there have been significant developments not only in terms of scientific advancements e.g. DNA extraction and profiling technologies but also in the processing power and accuracy of the biometric search algorithms that are available to DVI specialists today.

ID Transnational Consulting
Roger Baldwin
Member of the Advisory Council, Biometrics Institute
idtransnational@gmail.com

INTERPOL
Mark Branchflower
m.branchflower@interpol.int

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: ID Transnational Consulting & INTERPOL appeared first on Biometrics Institute.

Paul Cross

Paul Cross: Thoughts as the former Head of the Border User Group, on the 20-year anniversary of the Institute

Congratulations to the Biometrics Institute for 20 years of providing leadership and advice to all stakeholders associated with biometric technology.

For 20 years the Institute has provided access to global expertise on biometrics from the technical, academic, privacy and user perspectives, as well as unparalleled networking opportunities for professionals who are involved with this technology.

For me this is an opportunity to reflect on what I have gained from my association with the Institute over 10 years. In my time with the Institute, I have been a member of the Border User Group and of the Future Directions Group, I have acted as a Director from 2011-2015 and from September 2020, have presented at 25 events, and attended some 95 different Institute events!

Imagine what you learn from attending 95 industry events on biometrics, and from all the many papers, presentations and discussions the Institute has organised, that have involved the very best experts and authorities on biometric technology from around the world.

It’s important to also acknowledge the value we all get from the Expert and Sector Groups that the Institute maintains. Much of that value is hard to quantify. These groups produce papers and products for members that explain important concepts and that help us to maximise the benefits and manage the risks that accompany the use of this technology. They are also invaluable information sharing opportunities, where members with similar interests get to talk about their challenges and their successes, and inevitably, members continue to interact offline to focus further on areas of common interest.

I remember when we started the Border User Group (or BUG), in July 2015. It was at a time when many countries were planning or developing major biometric capabilities and programs to better manage their borders, and all were facing similar challenges. From 13 members in June 2016, the BUG grew to 27 members in June 2017 representing different agencies from a range of countries, and it formed a professional biometrics international network that still thrives today.

The Future Directions Group (FDG) was formed in June 2019, as a group of dedicated industry-watchers with different backgrounds and a shared interest in monitoring developments that will shape our future. This group works hard to produce various thought leadership products, including the annual State of Biometrics Report covering the important events and developments each year, explaining their impacts and predicting where we are headed next. My favourite part of FDG meetings is a roundtable discussion on ‘what’s new, what’s different?’ where we each share insights into the latest developments, explore what is behind them and what implications they have for all of us.

The Biometrics Institute has certainly been a huge success and I wish the Institute the very best for the next 20 years as well.                         

Paul Cross
Director, Biometrics Institute and former Head of the Borders User Group
+61 (2) 9911 7551
paul.cross@sita.aero
SITA were a Founding Member in Europe

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Paul Cross appeared first on Biometrics Institute.

Brett Feldon

Reason360: Among us

In September 2001 I would reach into my pocket to take out a small folding leather case; another pocket contained a portable telephone for telephone calls, short messages, and Snake. In the leather case were about ten plastic cards – perhaps a little smaller than my palm – most containing magnetic coding. Having selected the appropriate card, I would insert it into a machine, enter a short numeric code known only to me and wait a few pregnant seconds for the machine to confirm its satisfaction with both card and code. Finally, I would remove the card and replace it in the case, and then the case in my pocket. All up this took perhaps 30 seconds, although sometimes – say when two different cards were needed to track my activity and pay for it – it might have taken as long as a minute.

In September 2021 my watch observed my pulse to determine whether it had stayed on my wrist since receiving input that morning of a numeric code known only to me. If it had, I could indicate approval for it to communicate with the next compatible reader it encountered by double-tapping a button, then presenting the wrist and watch to such a reader to complete a transaction. This took perhaps 10 seconds in all, including both removing and replacing hand in pocket if so desired.

For information requiring a greater area for presentation such as providing evidence of my licence to drive, the portable telephone had been replaced with a portable computer that recognised me by face and allowed me to present this information securely on screen upon demand. The leather case was consigned to the drawer for things never to be needed again.

Just like the rest of humanity’s technological output, consumer adoption of biometrics has been led by convenience. And just like other recent technological advances that have out-convenienced the alternatives, vague notions of information trust have underpinned acceptance of biometrics in consumer devices. Simultaneously a different need for trust at a much larger scale – that between organisations, governments, and individuals – has combined with the inconvenience of the alternatives to drive usage of biometrics with explicitly centralised control over biometric information.

Many other examples of biometric-driven transition over the last 20 years can be cited. In some, like in my own field of customer service delivery at scale, biometric service delivery experiences are engineered with the utmost in simplicity and customer self-reliance in mind; in other fields such as border control, the continuous presence of real people in a physical area where movements are being controlled allows a high level of confidence from the combined biometric-human operation; in yet others, biometrics have been used to simplify everyday activities such as photography.

This two-decade rise in biometric usage has happened at the same time as another civilisation-wide transformation: the slow increase in artificial intelligence. While the intellect demonstrated artificially today is deficient in many ways, it is nearly certain that this will improve, and that we will end up with a new set of actors influencing the world around us. It is entirely possible (albeit by no means certain) that these artificial actors – ‘the machines’ if you like – will appear among us within the next 20 years.

Fundamentally this leaves us with a question: do we want these machines to be able to recognise us?

It also leaves us with the inverse question: what if the machines could *not* recognise us? Is it conceivable that they could even exist, absent the capacity for recognising us?

These big picture questions translate into hundreds of smaller points about individual biometric implementations, selections of use cases, data exchanges, security requirements, relationships between physical and digital identities, vulnerabilities to confusion, privacy, and many other subjects.

The first 20 years of the Biometrics Institute’s existence have largely been spent helping the many types of engaged stakeholders to think carefully about these points, by connecting people and providing guidance. In that time the bigger picture questions have loomed over us, casting an indistinct image across our work. But that image is slowly coming into focus, and will I expect demand greater attention from both the Institute and society at large over the next 20 years as we shape this most important part of our future world.

In September 2041 I take the goods and commission the services I want when I want them; and any identity information or transactions required are automatically performed according to my chosen preferences – unless I instruct an ever-present artificial assistant otherwise. I spend time on exception cases when needed, not on typical daily occurrences; and the watch is worn for decoration, not function.

Hundreds of years of technological advancement have slowly brought benefits and convenience once only available to the wealthy down to the average citizen. And here we are contemplating no longer having to carry means of payment or information, a little like the Queen.

It could be argued that the price of great wealth is fame – that is, a lack of anonymity.

Hopefully that is not the price of convenience for all of us.

Reason360
Brett Feldon
Head of the Digital Identity Group, Biometrics Institute
+61 457 817 326
brett@reason360.com.au

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: Reason360 appeared first on Biometrics Institute.

WorldReach, an Entrust company: Biometrics for the people: In defence of the responsible use of emerging identity technologies

On the 20-year birthday of the Biometrics Institute, we at Entrust are proud to be active members, joining with industry partners to promote the responsible use of biometrics for the public good. We believe that, with proper legal safeguards, whether we’re accessing services at home or crossing international borders, biometrics will continue to improve all our lives as citizens.

A new paradigm

We are in the early stages of a new paradigm in the way citizen-consumers communicate with government and commercial service providers. Public expectations are shifting towards digital services and away from waiting rooms, paper forms, and valuable documents sent through the mail.

These changes are in part the result of rapid improvements in biometric technologies. For example, according to the Centre for Strategic and International Studies, “Facial recognition has improved dramatically in only a few years. As of April 2020, the best face identification algorithm has an error rate of just 0.08% compared to 4.1% for the leading algorithm in 2014, according to tests by the National Institute of Standards and Technology (NIST)^[1].”

Public understanding of biometrics

The view taken by many across the industry is that facial recognition technology (FRT) has recently reached or surpassed the accuracy of other biometric modes such as fingerprints and iris, and that all these options are significantly better at identifying individuals than is the naked eye^[2].

Despite this, biometrics generally – and FRT, in particular – have often taken a beating from the press, politicians and some academics. A notable example is the 2020 New York Times piece on the social media scraping activities of Clearview AI^[3], now facing several lawsuits, and the anti-biometric campaign waged by the Toronto Globe and Mail^[4]. Moreover, some municipalities, including San Francisco, have banned the use of FRT for some purposes^[5].

Much of this critique is legitimate and well intentioned. It is arguable that technology is moving faster than legislation, leading to concerns about overreach, particularly in law enforcement use cases. But the critique is often guilty of conflating separate issues and oversimplifying issues on which the public would benefit from a more nuanced understanding. Here are two examples.

Much of the animus directed at FRT is focused on just one use case: police surveillance. Press articles often use ‘facial recognition’ and ‘surveillance’ interchangeably, never taking the trouble to distinguish between one-to-one, one-to-few and one-to-many use cases, or to explain the differences between face detection, face recognition and face verification. The evidence given by Chuck Romine of NIST to the US House Committee on Oversight and Reform in January 2020 is an object lesson in how to do so in a way that’s easily understood.^[6]

Secondly, concerns about the sometimes-differing performance of FRT across demographic groups have led to misleading headlines about ‘bias’, giving the impression that the makers or users of such technologies have racist or sexist intentions, without giving the whole story about the issues and how the industry is tackling them. That story is told in its most complete form in the 2019 NIST report on demographic effects.^[7]

One of NIST’s key conclusions was that the most accurate facial algorithms in fact show very little by way of differing accuracy across demographic groups. Another notable conclusion is that algorithms are only as good as the data sets on which they have been trained. Given the huge diversity of the real world, the most accurate algorithms are those which have been developed on the most diverse data sets.^[8]

A good news story

Those of us in the identity industry are not naïve about the challenges ahead on the public acceptance of biometrics, but we often wish the good news about improvements to the lives of ordinary people was as prominent as the controversies about surveillance.

Here’s one example that’s close to the hearts of those of us in the Identity Verification team at Entrust. Following the UK’s 2016 decision to the leave the EU, the Home Office was faced with a significant challenge: how to identify and register several million EU nationals living and working in the UK under freedom of movement provisions, in order to grant them a new settled status in UK law.

Since 2018, we have worked with the Home Office on the innovative EU Settlement Scheme, which allowed applicants for the new status to apply entirely remotely (if they chose to do so), augmenting the online application with an identity verification process performed on a smartphone in just a few minutes. This process uses market-leading facial matching and liveness capabilities (as well as an NFC document check) to confirm that the applicant is a real person and the owner of a genuine passport. This powerful data packet allows the Home Office to grant permanent settlement in the UK, without seeing applicants in person or receiving their passports in the mail, in most cases.

By the time the scheme came to an end in June 2021, more than 6 million people had applied, the overwhelming majority choosing to identify themselves through the digital route. According to Home Office figures, at the time of writing almost 5.5 million of those applicants have been granted settled status in the UK.^[9]        

Here is just one example of biometric technologies making life better. There is no surveillance in play here, and no agency overreach. Facial matching was used only on a one-to-one basis (to link the person securely to their own passport), the digital route was entirely voluntary, and the scheme adhered to both GDPR and UK government requirements for the handling of personal data, none of which is retained by Entrust.

The scheme was so successful that this approach to remote applicant identification is now being rolled out across several other UK immigration programs.

A way forward

Concerns about the responsible use of biometrics are well-founded. This is precisely why Biometrics Institute membership includes lawyers, privacy advocates and academics as well as technology providers.

But we need to elevate the public debate by accurately capturing different use cases and appropriate legal responses.

We at Entrust firmly believe that, when used responsibly, in ways that enhance individual privacy – whether we’re traveling seamlessly across borders or securely accessing digital services – biometric technologies will continue to improve lives.

[1] https://www.csis.org/blogs/technology-policy-blog/how-accurate-are-facial-recognition-systems-%E2%80%93-and-why-does-it-matter

[2] https://www.cbsnews.com/news/facial-recognition-60-minutes-2021-05-16/

[3] https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

[4] https://www.theglobeandmail.com/opinion/article-what-happens-when-our-faces-become-data/

[5] https://www.nytimes.com/2019/05/14/us/facial-recognition-ban-san-francisco.html

[6] https://www.nist.gov/speech-testimony/facial-recognition-technology-frt-0

[7] https://www.nist.gov/publications/face-recognition-vendor-test-part-3-demographic-effects

[8] https://itif.org/publications/2020/01/27/critics-were-wrong-nist-data-shows-best-facial-recognition-algorithms

[9] https://www.gov.uk/government/collections/eu-settlement-scheme-statistics

Entrust
Jon Payne, Director Strategic Alliances, Identity Verification
+1 703 883 7022
Jon.payne@entrust.com

Applications and use cases | Privacy and policy | Research and development | Technology innovation

The post 20-year Anniversary Report: WorldReach appeared first on Biometrics Institute.