When considering a fingerprint biometric solution, most companies take the advice of their installer or integrator as to which product to use; others simply look for the cheapest readers available in the belief that one biometric reader is as good as another. The reality is significantly different: not all biometric readers are created equal.
Hi-Tech Security Solutions spoke to Ideco’s CEO, Marius Coetzee, to find out how end users should be choosing biometric readers. In this article we focus on two aspects of selecting biometric devices: standards, and the admissibility of biometric evidence in court.
Biometric standards
Focusing on fingerprint biometrics, since fingerprints account for by far the largest share of biometrics in use, Coetzee’s first comment on standards is that the device must be AFIS (Automated Fingerprint Identification System) compliant. AFIS is the digital fingerprint system used by law enforcement and governments the world over, including SAPS and Home Affairs. An AFIS-compliant reader produces fingerprint data these authorities can process directly, without resorting to manual procedures or manipulating the images.
Furthermore, although PIV (Personal Identity Verification) standards are US-based, Coetzee says some tenders are calling for compliance in order to ensure their biometric systems are compatible with the highest security standards. More information is available in the Personal Identity Verification of Federal Employees and Contractors document at http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.
To round it off, Coetzee also recommends that all biometric devices comply with the image quality standards set by the FBI. These standards have been incorporated into the related ISO and SABS (South African Bureau of Standards) standards. The relevant ISO standards include ISO 19794 (Biometric data interchange formats) and ISO 18013 (Personal identification), as well as ISO 19092 and ISO 19785. Further standards covering other biometric types and templates are also available. For a full listing of ISO standards see http://en.wikipedia.org/wiki/List_of_International_Organization_for_Standardization_standards#ISO_15000.E2.80.93ISO_19999, or refer to http://www.iso.org.
The SABS incorporates these standards into its own and has specific committees dealing with various aspects of electronic information and biometrics. SC71F deals with information security, for example, while SC71J deals with cards and personal information, and SC71Q deals specifically with biometric standards.
All these standards deal with the appropriate and compliant handling of personal information and images, and an individual’s biometric data is personal information of exactly this kind. It is therefore important that the biometric device one selects complies with specific standards, both to ensure interoperability and to ensure that the service one obtains matches internationally accepted practice.
Interoperability
ISO 19794 is important in that it deals specifically with interoperability along with standards from the USA’s NIST (National Institute of Standards and Technology). Coetzee says interoperability standards are critical as they allow fingerprint templates saved from one compliant reader to be exported and read by another compliant reader from a different manufacturer.
Coetzee notes that certain biometric technologies, such as multispectral imaging, do not comply with all the standards, which could result in incompatibility with AFIS systems as well as a high percentage of false minutiae (the features of a fingerprint that are used to identify it and make comparisons). If the algorithm used to extract the minutiae is not accurate, templates can fail to identify people or assign the wrong identity to them.
In response to the standards question, Lumidigm, a company using multispectral imaging in its biometric readers, noted, “Lumidigm meets the ISO, ANSI and MINEX standards for template interoperability”. More specifically, the company’s devices meet the following standards: “Interoperability: ANSI 378, ISO 19794-2:2005, ANSI 381, ISO 19794-4:2005, NFIQ compliant; MINEX-certified algorithm; Device certifications: CE, FCC Part 15 Class B, EN 60950, IEC 62471, RoHS”.
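Template interoperability in practice means that a compliant reader exports minutiae in the ISO/IEC 19794-2:2005 record layout and a different vendor’s system can read them back. The following is an added example, not code from Ideco, Lumidigm or any vendor: it builds a one-view finger minutiae record and parses it again, checking the record length field and that every minutia lies inside the declared image size. The field layout (24-byte general header, 4-byte finger view header, 6-byte minutiae, 2-byte extended-data length) is the author’s reading of the 2005 edition of the standard, and the device ID, image size and minutiae values are constructed.

```python
"""Build and parse an ISO/IEC 19794-2:2005 finger minutiae record (FMR).

Added example for this article; not Ideco's, Lumidigm's or any vendor's code.
Field layout follows the author's reading of ISO/IEC 19794-2:2005. Sample
values are constructed and are not real biometric data.
"""
import struct
from dataclasses import dataclass, field

MINUTIA_TYPES = {0: "other", 1: "ridge ending", 2: "bifurcation"}


@dataclass
class Minutia:
    mtype: int    # 0 other, 1 ridge ending, 2 bifurcation (2-bit field)
    x: int        # 14-bit pixel coordinate
    y: int        # 14-bit pixel coordinate
    angle: int    # 0..255, in units of 360/256 degrees
    quality: int  # 0..100


@dataclass
class FingerView:
    position: int         # finger position code (e.g. 1 = right thumb)
    impression_type: int  # 4-bit code (0 = live-scan plain)
    quality: int          # 0..100
    minutiae: list = field(default_factory=list)
    view_number: int = 0


def build_record(views, width, height, res_x=197, res_y=197, device_id=0x0001):
    """Serialise finger views into one FMR. device_id fills the 16-bit
    certification/capture-device field (constructed value)."""
    body = bytearray()
    for v in views:
        body += struct.pack(">BBBB", v.position,
                            (v.view_number << 4) | (v.impression_type & 0x0F),
                            v.quality, len(v.minutiae))
        for m in v.minutiae:
            body += struct.pack(">HHBB", (m.mtype << 14) | (m.x & 0x3FFF),
                                m.y & 0x3FFF, m.angle, m.quality)
        body += struct.pack(">H", 0)  # extended data block length: none
    length = 24 + len(body)
    header = b"FMR\x00" + b" 20\x00" + struct.pack(
        ">IHHHHHBB", length, device_id, width, height, res_x, res_y, len(views), 0)
    return bytes(header + body)


def parse_record(data):
    """Parse and sanity-check an FMR; raises ValueError on malformed input."""
    if len(data) < 24 or data[:4] != b"FMR\x00" or data[4:8] != b" 20\x00":
        raise ValueError("not an ISO/IEC 19794-2:2005 finger minutiae record")
    length, dev, width, height, rx, ry, nviews, _ = struct.unpack(">IHHHHHBB", data[8:24])
    if length != len(data):
        raise ValueError(f"record length field {length} != actual {len(data)}")
    off, views = 24, []
    for _ in range(nviews):
        if off + 4 > len(data):
            raise ValueError("truncated finger view header")
        pos, vn_it, q, n = struct.unpack(">BBBB", data[off:off + 4])
        off += 4
        if off + 6 * n + 2 > len(data):
            raise ValueError("truncated minutiae block")
        mins = []
        for _ in range(n):
            tx, ty, ang, mq = struct.unpack(">HHBB", data[off:off + 6])
            off += 6
            m = Minutia(tx >> 14, tx & 0x3FFF, ty & 0x3FFF, ang, mq)
            if m.x >= width or m.y >= height:  # minutia outside the captured image
                raise ValueError(f"minutia ({m.x},{m.y}) outside {width}x{height} image")
            mins.append(m)
        (ext_len,) = struct.unpack(">H", data[off:off + 2])
        off += 2 + ext_len  # skip vendor-specific extended data
        views.append(FingerView(pos, vn_it & 0x0F, q, mins, vn_it >> 4))
    if off != len(data):
        raise ValueError("trailing bytes after last finger view")
    return {"device_id": dev, "width": width, "height": height,
            "res_x": rx, "res_y": ry, "views": views}


def is_valid(data):
    """True if parse_record accepts the bytes, False otherwise."""
    try:
        parse_record(data)
        return True
    except ValueError:
        return False


def sample_record():
    """Constructed one-view template with three minutiae (not real biometric data)."""
    view = FingerView(position=1, impression_type=0, quality=85, minutiae=[
        Minutia(1, 120, 200, 64, 90),
        Minutia(2, 250, 330, 192, 75),
        Minutia(1, 300, 410, 10, 60),
    ])
    return build_record([view], width=400, height=500)


if __name__ == "__main__":
    for m in parse_record(sample_record())["views"][0].minutiae:
        print(MINUTIA_TYPES[m.mtype], m.x, m.y, m.angle, m.quality)
```

Note what the format does not carry: there is no integrity field in the record itself, so a parser can only check that the bytes are well formed, not that they are the bytes the reader originally produced. That gap is what the evidence-handling discussion below is about.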
Securing biometrics as evidence
Another aspect to consider when looking at using biometrics is the various regulations in South African law contending with the protection of personal information, as well as the ability of companies to use digital biometrics in court.
Coetzee explains that evidence presented in court must not only be unaltered in any way between the time it was captured and the time it is presented; the chain of custody showing that it has been stored securely and has not been manipulated at any time is also crucial.
From a biometric perspective, this means that the prosecution or complainant needs to be able to show that the finger placed on the reader was read and the template stored accurately, according to accepted standards. It must also show that the template was stored on a system in a way that did not alter it and was protected from manipulation by any party while stored and while being brought into court as evidence. If this is not done, or cannot be shown to have been done, the court may reject the biometric evidence.
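Showing that a stored template “was protected from manipulation by any party” is a systems problem, not just a reader-compliance one. The following is an added example, not Ideco’s or any vendor’s code, of one way to make the storage side demonstrable: every capture event is logged with the SHA-256 of the template bytes, and each log entry is HMAC-chained to the previous one, so editing an entry, swapping a stored template or reordering events is detectable on verification. The key, device IDs, timestamps and template bytes are constructed stand-ins.

```python
"""Tamper-evident custody log for biometric templates (hash chain + HMAC).

Added example for this article, not Ideco's or any vendor's code. The key,
device IDs, timestamps and template bytes are constructed stand-ins.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_mac value of the first entry


class CustodyLog:
    def __init__(self, key: bytes):
        self._key = key  # assumption: held by the evidence custodian, ideally in an HSM
        self.entries = []

    def _mac(self, entry):
        # Canonical JSON of every field except the MAC itself
        canon = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                           sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def append(self, event, template, device_id, captured_at):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "event": event,               # e.g. "enrol", "verify"
            "device_id": device_id,       # which reader produced the template
            "captured_at": captured_at,   # ISO 8601 string from a trusted clock
            "template_sha256": hashlib.sha256(template).hexdigest(),
            "prev_mac": prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self, store):
        """store maps seq -> template bytes as currently held.
        Returns (ok, first_bad_seq, reason)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i:
                return False, i, "sequence gap or reordering"
            if e.get("prev_mac") != prev:
                return False, i, "chain link broken"
            if not hmac.compare_digest(self._mac(e), e.get("mac", "")):
                return False, i, "entry MAC mismatch (entry edited)"
            t = store.get(i)
            if t is None:
                return False, i, "template missing from storage"
            if hashlib.sha256(t).hexdigest() != e["template_sha256"]:
                return False, i, "stored template differs from captured"
            prev = e["mac"]
        return True, None, "ok"


def demo():
    """Constructed scenario: two captures, then a one-bit change to a stored template."""
    log = CustodyLog(b"custodian-key-constructed-for-demo")
    store = {}
    events = [
        ("enrol", b"FMR\x00 20\x00" + bytes(range(40)), "reader-01", "2013-05-02T09:12:00Z"),
        ("verify", b"FMR\x00 20\x00" + bytes(range(5, 45)), "reader-01", "2013-05-03T16:40:12Z"),
    ]
    for seq, (ev, tmpl, dev, ts) in enumerate(events):
        log.append(ev, tmpl, dev, ts)
        store[seq] = tmpl
    clean = log.verify(store)
    tampered = bytearray(store[1])
    tampered[20] ^= 0x01  # flip one bit of the second stored template
    store[1] = bytes(tampered)
    return clean, log.verify(store)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would raise: the chain proves nothing about entries that are silently dropped from the end, so the latest MAC has to be anchored somewhere the operator cannot rewrite (a WORM store or an externally timestamped record); and an HMAC key held by the same party that operates the system lets that party recompute the whole chain, so for evidentiary use the entries should be signed with a key the operator cannot use, or countersigned by an independent party.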
For example, a recent episode saw a CEO accused of stealing a few million from his company. His password was used to log into the system and transfer the money. The CEO simply said he did not do it and someone must have used his password. There was no way to prove otherwise, so the case remains unsolved.
Had biometrics been used to log into the system, the perpetrator would have been caught, as his (or her) fingerprint would have been the proof that he actually committed the fraud. In court, however, if the biometric device had not been compliant with the relevant standards, the defendant could claim the fingerprint template had been manipulated and was not admissible.
We have not seen such a case in court yet, but Coetzee warns that it only has to happen once to create serious problems for the biometrics industry. Any manipulation, no matter how small, could result in the biometric evidence being ruled inadmissible, causing headaches even for companies using compliant biometric systems. In other words, the CEO’s fingerprint may have been captured when he stole his loot, but if the reader used does not comply with the standards mentioned above, he could claim it was manipulated when read or stored, and the court could refuse to accept the biometric evidence on that ground alone.
Protecting personal information
Various laws in effect govern the use of personal information. The Electronic Communications Security Act, for example, in part deals with the protection and security of electronic communications between systems and people and the prevention of unauthorised access. The new Protection of Personal Information Act focuses on how and when personal information may be stored (and what constitutes personal information), including the prevention of tampering with or manipulation of this data. In addition, the Electronic Communications and Transactions Act encourages and governs electronic communications, dealing with issues such as tampering and securing the information in transactions.
These laws do not deal directly with biometrics, but they do govern authentication to systems and the security of information that citizens, customers or suppliers provide, as well as the secure transmission of that data. The company holding the information (and this includes biometric data if it is used to authenticate and to allow or deny access) must ensure it is securely stored and free from tampering or manipulation from the moment it is entered. Failing to do so not only falls foul of the law but, again, could compromise the admissibility of the information in court.
A simple example Coetzee provides concerns AFIS. If your biometric device does not comply with the AFIS standard when reading fingerprints, the image will have to be altered to make it compatible. What are the legal implications of that alteration? How can the company be sure the alterations are done consistently and uniformly, so that legitimate users’ prints are not rejected and illegitimate prints are not accepted under the wrong identity?
In concluding, Coetzee notes that it is a case of Buyer Beware. The responsibility for the quality and interoperability of your devices ultimately lies with the individual or company purchasing the solution. If you are simply looking for access to your premises and will not be using biometrics for employee verification or sensitive transactions, perhaps compliance is not critical.
However, given the growth of biometrics and their increasing use in financial transactions and identity verification processes, it may be the wiser choice to opt for a solution that complies with international standards, to ensure your own peace of mind as well as the ability to safely and reliably transact with external systems using biometric data. And let us be honest: if your biometric reader complies with FBI standards, the evidence is far less likely to be rejected in court on the grounds of how the print was captured; how it was stored and handled afterwards still has to be shown separately.
As a starting point, to ascertain if your biometrics reader does comply with FIPS (Federal Information Processing Standard) and FBI standards, you can search for the manufacturer and device via these two links:
1.) http://fips201ep.cio.gov/apl.php
2.) https://www.fbibiospecs.org/IAFIS/Default.aspx
© Technews Publishing (Pty) Ltd. | All Rights Reserved.