Assurance Archives - Biometrics Institute
https://www.biometricsinstitute.org/resource_category/assurance/
Fri, 26 Jul 2024 10:50:27 +0000

State of Biometrics Report 2021: Governance
https://www.biometricsinstitute.org/state-of-biometrics-report-governance/
Wed, 06 Oct 2021 08:42:01 +0000

As biometric modalities continue to evolve and be explored, the need for robust governance, guidance and legislation is as important as ever to safeguard the rights and freedoms of individuals.

Legislation is naturally subject to change as governments come and go. It can also vary widely between jurisdictions and cultures, as can methods and capabilities related to enforcing legislation.

However, the general public’s expectations of governments or organisations which process its biometric data remain the same – respect for the personal privacy and general security of individuals. And while recognising the centrality of individual impacts, these governance frameworks should not inhibit innovation, but should provide appropriate support for the necessary and proportionate use of biometric technologies and the subsequent processing of biometric data.

This chapter of the State of Biometrics Report covers legislation, public perception and ethics, accessibility and inclusion, and standards and testing. 

To read the full report, become a member. Details on membership benefits and how to apply can be found here.


The post State of Biometrics Report 2021: Governance appeared first on Biometrics Institute.

Biometrics Vulnerability Assessment Checklist
https://www.biometricsinstitute.org/biometrics-vulnerability-assessment-checklist/
Fri, 13 Aug 2021 00:29:00 +0000

What is it?

This list complements the Top 10 Vulnerability Questions and has been prepared to help guide members in addressing vulnerability assessments in biometrics. Questions include: What are the common vulnerabilities for your technology? Do you have a risk management plan, and does it include the potential for biometric vulnerability?

How do members benefit?

The list has been prepared to help guide members in addressing vulnerability assessments in biometrics. It suggests questions that may be useful to consider when planning or implementing a biometric system from the perspective of vulnerability.

Who updates it?

The Institute’s Technology and Innovation Group (TIG) update the checklist every 3-4 years.

How to access the document

Members: Click here.
Non-members: Find out about becoming a member here.

The post Biometrics Vulnerability Assessment Checklist appeared first on Biometrics Institute.

Top 10 Vulnerability Questions
https://www.biometricsinstitute.org/top-10-vulnerability-questions-2/
Fri, 13 Aug 2021 00:26:06 +0000

What is it?

A guiding document that provides clarification around some of the frequently asked questions about the spoofing of biometrics including:

  • Can my biometric be stolen or compromised?
  • How hard is it to steal a biometric?
  • What if my biometric gets stolen or compromised?
  • Are biometrics a good alternative to passwords?

How do members benefit?

This document supports our members by suggesting some general considerations and questions users may want to ask when choosing a biometric product.

Who updates it?

The Institute’s Technology and Innovation Group (TIG) update the questions every 3-4 years.

How to access the document

Members: Click here.
Non-members: Find out about becoming a member here.

The post Top 10 Vulnerability Questions appeared first on Biometrics Institute.

NIST top 10 takeaways – demographic differences (members only)
https://www.biometricsinstitute.org/nist-top-10-takeaways-demographic-differences/
Wed, 02 Sep 2020 08:39:25 +0000

In December 2019 the Biometrics Institute welcomed the Face Recognition Vendor Test (FRVT) report from the National Institute of Standards and Technology (NIST). This report offers the biometric community further insights into bias – otherwise known as demographic differentials.

As a follow-up, with the help of our Future Direction Group, we’ve put together our top 10 takeaways from this detailed report. We hope this will help policy makers, face recognition system developers and users better understand the algorithm they are working with so they can make informed decisions and improve future performance.

Please note: This document is strictly for Biometrics Institute member use only. Reproduction is limited to a single hard copy for internal use. Electronic access is restricted to one system at a time, and the document must not be transferred, shared, or uploaded to any network, either internally or externally.

The post NIST top 10 takeaways – demographic differences (members only) appeared first on Biometrics Institute.

Biometrics Vulnerability Assessment Checklist
https://www.biometricsinstitute.org/biometrics-vulnerability-checklist/
Sun, 19 Jan 2020 08:39:31 +0000

A vulnerability is the susceptibility of any system to internal or external attack. It deals with how difficult it is for a determined attacker to trick the system into misclassifying their identity. It is different from accuracy, which is focused on the chance of misclassifying a random person rather than someone attempting to fool the system.

Whilst a security vulnerability can include any aspect of the overall system, biometric vulnerabilities focus on those aspects relevant just to biometric applications. This includes, for instance, the use of fake biometric artefacts (for example masks), weaknesses in biometric template storage, or vulnerabilities in matching algorithms.

The Biometrics Vulnerability Assessment Checklist has been prepared by the Biometrics Institute Security and Integrity Expert Group to help guide members in addressing vulnerability assessments in biometrics. It suggests a few questions you may want to consider when planning or implementing a biometric system, from the perspective of vulnerability.

Please note: This document is strictly for Biometrics Institute member use only. Reproduction is limited to a single hard copy for internal use. Electronic access is restricted to one system at a time, and the document must not be transferred, shared, or uploaded to any network, either internally or externally.

The post Biometrics Vulnerability Assessment Checklist appeared first on Biometrics Institute.

Watch: Fireside chat on liveness detection at the Biometrics Congress 2017
https://www.biometricsinstitute.org/fireside-chat-on-liveness-detection-at-the-biometrics-congress-2017/
Thu, 14 Feb 2019 14:40:59 +0000

Biometrics Congress 2017: Fireside chat on liveness detection. Terry Hartmann, Vice President, Asia Pacific, Cognitec in conversation with Ted Dunstone, Head of BSIEG, Biometrics Institute

The post Watch: Fireside chat on liveness detection at the Biometrics Congress 2017 appeared first on Biometrics Institute.

WATCH: GOOD PRACTICES FOR IMPLEMENTING BIOMETRICS
https://www.biometricsinstitute.org/watch-good-practices-for-implementing-biometrics/
Thu, 06 Sep 2018 23:12:34 +0000

Heads of our Technology Innovation, Privacy and Biometrics Security & Integrity Expert Groups brief members and key stakeholders on good practices for the implementation of biometrics (May 2018).

 

The post WATCH: GOOD PRACTICES FOR IMPLEMENTING BIOMETRICS appeared first on Biometrics Institute.

Who Doesn’t Have My Data?
https://www.biometricsinstitute.org/who-doesnt-have-my-data/
Sat, 26 May 2018 12:59:59 +0000

Who doesn’t have my data?

How much data do we need to collect? Who is watching us? And who is watching the police?

May 2018 – Some thought-provoking questions have crossed my desk in the last few weeks which have no doubt been stimulated by recent news headlines on the failure rates of facial recognition technology (FRT) used by police and the data breach by Cambridge Analytica. The Australian Capital Territory says proposed FRT legislation exceeds agreements. I’ve also just discovered that Amazon are selling real-time facial recognition services to the police. It feels like our data is everywhere and our faces have become a sort of hot commodity and anyone’s property but our own. Where does it all stop?

I recently had a discussion with a colleague regarding privacy and the law, which posed a very important question: are authorities striking the right balance between using biometrics to counter terrorism and increase security, whilst maintaining a citizen’s right to privacy? Is it even possible to achieve both simultaneously? Generally speaking, law enforcement agencies are not as restricted by the same privacy legislation as other organisations who acquire our personal data; but if this is the case, who is regulating them?

The UK actually has two important regulators in place to address this challenge, the Information Commissioner, Elizabeth Denham, and the Biometrics Commissioner, Paul Wiles. Elizabeth Denham posted an interesting blog on ‘Facial Recognition Technology and Law Enforcement’, indicating that she is making FRT used by law enforcement a priority area for her office. I recently met with Paul Wiles and we had a fascinating conversation about the challenges biometrics pose for collection, storage, retention and data sharing. It is interesting to note however, that FRT is outside of his remit as his focus is on fingerprints and DNA.

Scotland is also addressing potential areas of concern: a report published earlier this year by an independent advisory group called for the establishment of a code of practice to cover the acquisition, retention and disposal of biometrics such as fingerprints, DNA and photographs, as well as the creation of a new biometrics commissioner.

This discussion around the strengths and weaknesses of using biometric technology and the importance of privacy and human rights forms a critical part of the Compendium (the ‘United Nations Compendium of Recommended Practices for the Responsible Use and Sharing of Biometrics in Counter-Terrorism’) that the Biometrics Institute is working on with the United Nations Counter-Terrorism Executive Directorate (UN CTED). If we are using biometrics to counter terrorism, then we need to acknowledge that biometric technologies are not perfect; there is always a risk that an innocent person may be matched with someone on a watchlist. And removing yourself from a watchlist you don’t belong on is not always an easy or quick task.

There is clearly also a need for a discussion around ‘oversight’ when it comes to using biometrics, not only in the private sector, but also in the public sector. Just consider that within the UN and INTERPOL, there are more than 190 countries who vary enormously in the privacy legislation they currently have in place alongside their use of biometric technologies.

I’ve also been thinking about whether or not there is a risk that without a proportionality scheme, FRT could become a ‘mass screening tool’ which poses its own set of questions around ethics and intended purpose. I’ve had several conversations with members and industry experts recently who were all asking whether someone in the industry needs to draw a line in terms of where, when and how much we use biometric technology. Currently there appears to be no limit. FRT was recently used to identify celebrities at Prince Harry’s wedding. Sounds harmless, but is some of this technology (which is not even being used to prevent crime) an unnecessary invasion of privacy?

And could the challenges around False Acceptance Rates (FAR) result in many innocent people being stopped (which could be quite intimidating or embarrassing if you are just having a nice day out with family or friends)? Grounds for suspicion based on dodgy algorithms rather than reasonable human intelligence sounds like it could be a recipe for disaster.

Arun Ross, a member of our Academic Research and Innovation Expert Group, kindly shared some of his comments on FRT and privacy which can be viewed in a brief video. He talks about the risks of Presentation Attacks and the potential for data abuse in FRT. Arun’s work on enhancing the privacy of facial templates received the Best Paper Award (Silver) at the 2018 International Conference on Biometrics in the Gold Coast, Australia. The paper can be accessed here and will be added to the Biometrics Institute Academic Papers Reading list.

On the positive side, biometric identifiers can help to uniquely identify humans and they can contribute towards identity assurance and identifying known terrorists and criminals. They are automated processes and therefore offer a convenient solution. However, as with most security technologies, they do have vulnerabilities and the results of comparisons are probabilistic in nature, not determinative. Technology Risk (the risk that the technology will not perform as expected or fulfill the tasks desired of it) and Human Associated Risk (the risk that the users will not be able to adapt sufficiently to the new technology because of poor training or lack of support, or who don’t understand/have not experienced the benefits) can also contribute to poor results. There are mitigations available for some of the problems that will invariably occur; for example, there are a number of presentation attack detection systems available. However, it is important to remember, there simply are no silver bullets. Biometric solutions are complex; they demand capacity and technical capability from those implementing them.

The Biometrics Institute will continue to stress the importance of the responsible use of biometrics and bring together the thought-leaders in this space to debate these questions.

Our Biometrics Congress week in London (15-19 October 2018) will provide an important platform for many thought-provoking discussions and we will continue to drive the questions around privacy with a virtual meeting on ‘Biometrics and GDPR’.

Biometrics Institute

May 2018

www.biometricsinstitute.org

The post Who Doesn’t Have My Data? appeared first on Biometrics Institute.

UNDERSTANDING BIOMETRICS – CONSIDERATIONS FOR IMPLEMENTING A BIOMETRIC SYSTEM
https://www.biometricsinstitute.org/understanding-biometrics-considerations-for-implementing-a-biometric-system/
Thu, 10 May 2018 11:24:47 +0000

The Biometrics Institute has produced a resource for members who are new to biometrics and those upgrading their current system.

Following on from the success of our Biometrics Privacy Guidelines, the Biometrics Institute – with the help of the members of the Technology Innovation Expert Group (TIEG) – has produced a guide to Understanding Biometrics – Considerations for Implementing a Biometric System (previously referred to as the Good-Practice Implementation Guide).

This guide is intended to be a simple, accessible and usable resource for members to refer to when considering the use and appropriateness of a biometric system, particularly for first time users. It is also relevant and useful for those contemplating upgrading their current system.

Once organisations have decided that adopting a biometric system is relevant and appropriate, the guide will lead them through various factors to consider when deciding which system to select. It highlights some sample biometric modalities and gives practical working examples to assist readers’ understanding of the factors to consider. The rationale is that with proper processes, checks and testing, a desired outcome can be achieved with fewer problems or unforeseen complications. 

Biometrics is a complex subject involving many overlapping domains of interest. The aim of this guide is particularly to help someone wanting to gain a better holistic understanding of the subject—to see the bigger picture, and how it fits together.

Using biometrics does not automatically guarantee success. It needs to be done well, and the result has to be fit for purpose. Are they being used in the right way? Are they reliable? Cost effective? Do they safeguard privacy? 

Understanding Biometrics includes thinking from several experts in the field, brought together by the Biometrics Institute. The guide, which will be a living document and will be updated as technologies progress, has been developed over the last 2 years. It is available for free to all Biometrics Institute Members.

The Institute also ran a virtual member meeting: Good Practices for Implementing Biometrics on Thursday 10 May 2018. This webinar provided insights into important considerations when implementing biometrics. Members from the Biometrics Institute’s various expert groups discussed privacy considerations including questions around informed-consent and accountability, as well as the importance of testing and managing risks. A recording of the webinar can be found below.


The post UNDERSTANDING BIOMETRICS – CONSIDERATIONS FOR IMPLEMENTING A BIOMETRIC SYSTEM appeared first on Biometrics Institute.

5 WAYS TO REDUCE THE RISK OF CYBER FRAUD AND PREVENT SOCIAL ENGINEERING
https://www.biometricsinstitute.org/5-ways-to-reduce-the-risk-of-cyber-fraud-and-prevent-social-engineering/
Wed, 21 Feb 2018 16:07:40 +0000

Author: Khalil Dimachkie, Smile Pass

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information: a type of confidence trick for the purpose of information gathering, fraud, or system access. According to figures from UK Finance, in the first six months of 2017 over 19,000 people were a target of push payment scams, involving a total amount of over £100 million. Let’s explore how you can reduce this risk.

1 Passwords – Use a mix of uppercase, lowercase, numbers and symbols

Password security is imperative in protecting against social engineering and any cyber security attack in general. Bloomberg ran a study that found 6 letter passwords with only lower case letters could be cracked by hackers within 10 minutes.

Don’t use the same password for everything. This makes damage control from a social engineering attack a very difficult task. If you have an easily crackable password and someone manages to get access to the sensitive information you hold, a fraudster will exploit it. Set mandatory password standards for your business.

Are you concerned about not being able to remember all your different passwords for different websites? Well, tools such as Lastpass.com allow you to keep all your passwords in one place which is completely secure and hidden, even from them. If you don’t feel comfortable about storing your password in the cloud, then 1password.com lets you keep all your passwords hidden with, you guessed it, one password. Utilising tools like this is super useful for avoiding cyber fraud and hacking, and for being more secure.

2 Social Media – avoid putting all your life details on open social media pages

We live in a society where people are comfortable putting everything they do on social media profiles which are open for the whole world to see. You should however choose wisely what you share and to whom. Keep personal information to yourself as fraudsters have an innovative way of being able to paint a clear picture of your life.

Imagine this: you’re posting about how excited you are for your holiday on Facebook while LinkedIn states your job title, location and company. That gives easy access for anyone to engineer an attack on a colleague. ‘Hey I’m still busy packing and haven’t had the chance to get this transfer authorised before I go away on holiday, could you just send it straight through as I’m on a time limit’.

That message has been sent from you, to a colleague who trusts you. They know you’re tight on time and so they authorise a payment to an unknown source without going through the proper channels. But you didn’t send it. A hacker did. They had access to all your information. How was your colleague meant to know? This is unfortunately a very common form of cyber fraud. Keeping sensitive and personal information off social media is a way to reduce the risk.

3 Information requests – do not give requestors the benefit of the doubt

People asking for your personal details even from a seemingly legitimate source should not be trusted. Fraudsters have the ability to create emails which perfectly mirror emails sent by the companies that they are trying to emulate.

It may seem that you are getting a genuine request from your supplier to confirm your bank details in order to take a payment. The branding is the same. The email is the same style as ones you’ve been sent before. You have a payment due. But it is highly unlikely any legitimate company will ask for your personal details over email.

Always be sure to scrutinise any request for your personal information, no matter who it is from and how trusted a source you think they may be. Call the source of the email on what you know is their genuine number. Find out if this is standard protocol and don’t be afraid to stand your ground when it comes to your or your business’s information. Often, the email address of the sender will have been changed subtly from the original.

4 Educate yourself

It is important to understand the potential approaches and risks of social engineering attacks. Websites such as social-engineering.org give you examples of common ways fraudsters try to get your information.

Did you know there are lots of different types of social engineering to watch out for? These include, but aren’t limited to:

  • Phishing – Attackers will try to gain personal information from you, direct you to suspicious websites and use fear or threats to create a sense of urgency for you to act fast. This is the most common type of social engineering.
  • Pretexting – Scammers create fabricated scenarios to gain trust from victims, using stories such as needing certain information to confirm identity. These scams tend to be more sophisticated than phishing scams and require more thought.
  • Baiting – Using some kind of incentive to entice victims, baiting is similar to phishing in its aim to gain personal information. It will use offers of free music or free movie downloads in order to get hold of your details.
  • Quid pro quo – IT personnel from companies are impersonated. Fraudsters offer a service posing as IT from your company and install malware on staff computers under the guise that they are receiving a software update.

Keep up to date with the most common forms of social engineering and different types of attacks. This will mean you are able to identify fraudster attempts and can be better prepared for them.

5 Utilise biotech available to dramatically reduce the risk of cyber attacks

If you’re in a company affected by fraud, SmilePass reduces the impact of social engineering fraud and therefore risk by providing a simple and cost-effective solution. We verify transactions and requests against a unique biometric ID.

At the beginning of a relationship with a customer or employee you create a unique identifier for that person by having them simply take a selfie. The vectors in an individual’s face provide significantly more identifiers than other forms of biometric security such as fingerprints or voice. Our innovative technology cannot be spoofed like most other biotech methods.

The post 5 WAYS TO REDUCE THE RISK OF CYBER FRAUD AND PREVENT SOCIAL ENGINEERING appeared first on Biometrics Institute.
