TECHNOLOGY TODAY ISSN 0969-4765 January 2020 Security Contents

biometric

TECHNOLOGY TODAY ISSN 0969-4765 January 2020 www.biometricstoday.com security Contents

Kaspersky reports surge in cyber-attacks News Kaspersky reports surge in cyber-attacks on on selfies and other biometry selfies and other biometry 1 Seattle airport halts its facial ID rollout 2 major rise in cyber-fraudsters Kruglov, commented: “The existing situation New UK Government backs biometric Astealing people’s selfie photos and with biometric data security is critical and border control 3 other biometric data has been discov- needs to be brought to the attention of industry US and China among most invasive users of biometrics 3 ered by security giant Kaspersky. and government regulators, the community of The company released a report last month information security experts, and the general NatWest unveils biometric fob for contactless payments 11 that found over one-in-three computers pro- public. Though we believe our customers are Amsterdam airport’s facial ID fooled by cessing biometry – such as fingerprint, face, cautious, we need to emphasise that the infec- simple photo 11 voice and iris templates – were targeted by tion caused by the malware we detected could NIST launches datasets to help cut error rates 12 malware in Q3 2019. Overall, 37% of servers have negatively affected the integrity and con- and workstations running Kaspersky software fidentiality of biometric processing systems. Features were attacked by cyber-criminals in what it This is particularly the case for databases where The future of biometrics in policing calls “a surge in fraud related to the stealing of biometric data is stored, if those systems were worldwide 5 personal and confidential documents through not protected.” The use of biometrics by police forces worldwide photos and selfies, often required for registra- To protect against cyber-attacks, Kaspersky has hit significant hurdles, including bans in several US cities and a halt of police biometric tion or identification purposes”. experts advise: trials across the UK over mass surveillance Kaspersky’s ‘Threats for biometric data pro- • Minimise how exposed biometric systems concerns. But equally police forces are under cessing and storage systems’ report also strongly are to the internet and internet-related threats. pressure to use this cost-effective technology to fight crime. Jason Tooley of Veridium examines criticised the security efforts made by biometric It is better if they are a part of air-gapped infra- how the police can best address the public’s systems suppliers, saying: “It is remarkable how structure. fears of facial ID and data privacy, to reap the careless biometric authentication system devel- • Ensure the highest level of cyber-security benefits of this maturing technology. opers and users are about protecting these sys- is applied to the infrastructure that contains Ready for take-off: how biometrics tems and the biometric data collected by them biometric systems, including extensively train- and blockchain can beat aviation’s against computer attacks.” ing operating staff to resist possible attacks. quality issues 8 Kaspersky cited last year’s BioStar 2 breach • Regularly conduct security audits to iden- Biometric systems have been widely embraced by the aviation industry, but significant barriers when up to 1 million fingerprint records and tify and eliminate possible vulnerabilities. still prevent their universal adoption, says facial images were exposed on an open database Kruglov added: “We believe that exposing Zamna’s Irra Ariella Khi. She suggests that a by South Korean security platform supplier biometric systems to random cyber-threats is combination of biometrics and blockchain technology could ensure airlines and airports Suprema (see BTT, September 2019). a huge risk for both the service provider and trust biometrics to accurately verify their Kaspersky said the threats posing the big- the people who have entrusted their biometric passenger data and provide the secure data gest danger to biometric data processing and data to it.” sharing and standardisation they need. storage systems include spyware, phishing Kaspersky’s report also highlighted the Regulars attacks – mostly spyware downloaders and danger of over-confidence in biometric secu- Events Calendar 3 droppers – ransomware and banking Trojans. rity, saying: The concept of biometric data News in Brief 4 And the company warned: “It can be expected as a unique personal identifier that cannot be Product News 4 that mass-distributed malware designed to steal forged is fundamentally wrong and can foster biometric data from banks and financial sys- a false sense of security. Biometric data, once Company News 4 tems will appear in the near future.” compromised, is compromised for good: users Comment 12 Kaspersky’s analysis shows that the internet is cannot change their stolen fingerprints the the main source of threats to biometric systems, way they do stolen passwords. An individual including malicious and phishing websites, and will therefore potentially be affected for the web-based email services. rest of his or her life.” Visit us @ Kaspersky senior security expert, Kirill Continued on page 2... www.biometricstoday.com

ISSN 0969-4765/20 © 2020 Elsevier Ltd. All rights reserved. This publication and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is requiredVisit for all other photocopying, us including@ multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. www.membrane-technology.com

Visit us @

Visit us @ www.networksecuritynewsletter.com

Visit us @ www.sealingtechnology.info

Visit us @ www.filtrationindustryanalyst.com

Visit us @ www.computerfraudandsecurity.com

Visit us @ www.pumpindustryanalyst.com NEWS

...Continued from front page Seattle has secured support for this delay Kaspersky’s study follows a ‘Voice from the US Customs and Border Protection Editorial Office: Intelligence Report’, published last November (CBP) agency, which is in charge of the US Elsevier Ltd by voice identity solutions provider Pindrop, national rollout of facial ID. Some 20 US air- The Boulevard Langford Lane which found that an average of 90 voice fraud ports have already introduced NEC NeoFace- Kidlington attacks occur every minute in the US. Pindrop based systems. Oxford OX5 1GB, UK described “skyrocketing fraud rates”, with Seattle devised its new strategy after seeking Tel: +44 1865 843239 Email: [email protected] voice fraud attacks climbing more than 350% the views of airlines, cruise lines, federal agen- Website: www.biometricstoday.com between 2014 and 2018. cies, and civil liberty and migrant rights groups For the report, Pindrop analysed over 1 bil- in public meetings late last year. The civil soci- Publishing Director: Sarah Jenkins lion phone calls at large call centres in the US, ety groups raised concerns about FRT’s threat

Editor: Tim Ring including eight of the top 10 banks, five of the to privacy and inherent bias. Email: [email protected] seven leading insurers, and three of the top five Port of Seattle Commission president, financial services companies. Stephanie Bowman, said: “We feel that our Production Support Manager: Lin Lucas Email: [email protected] The report identifies the latest security community expects more than to have this threats, including deepfakes and synthetic voice kind of technology rolled out without any Subscription Information attacks. It said: “In the near future, we will public discussion or input. We know of more An annual subscription to Biometric Technology Today see fraudsters call into contact centres utilising than 20 other airports that have implemented includes 10 issues and online access for up to 5 users. synthetic voices to test whether companies have facial recognition technology, but no other Port Subscriptions run for 12 months, from the date payment is received. the technology in place to detect them, particu- has undergone a public process to ensure that larly targeting the banking sector.” implementation would protect passenger rights, More information: www.elsevier.com/journals/insti- Pindrop said these attacks are dependent and be limited, transparent and ethical. When tutional/biometric-technology-today/0969-4765 on deep learning and generative adversarial this Commission adopts policies, we will have This newsletter and the individual contributions contained in it are networks (GANs), a deep neural net architec- the opportunity to create the nation’s best prac- protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: ture comprised of two neural nets, pitting one tices for public-facing biometrics.”

Permissions may be sought directly from Elsevier Global Rights against the other. GANs can learn to mimic Seattle Port said it will only use facial ID to Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 any distribution of data – augmenting images confirm passengers’ identity, replacing its cur- 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page with animation, or video with sound. These rent manual passport control and boarding pass (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright technologies use machine learning to generate processes for international flights. The Port & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 audio from scratch, analysing waveforms from a added that it will not support biometrics for Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 database of human speech and re-creating them “mass surveillance”. 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham at a rate of 24,000 samples per second. The CBP has so far introduced FRT to process Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; end result includes voices with subtleties such international arrivals at 11 US airports and six fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. as lip smacks and accents, making it easier for cruise terminals, while FRT for international fraudsters to commit breaches. departures has been implemented at 20 airports. Derivative Works These include Atlanta, Dulles, Fort Lauderdale, Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their aviation Houston, JFK, Las Vegas, LAX, Miami, Orlando, institutions. Permission of the Publisher is required for resale or San Diego, San Jose and Portland, Oregon. distribution outside the institution. Permission of the Publisher According to the principles championed by is required for all other derivative works, including compilations Seattle airport halts and translations. Seattle Port, the use of public-facing FRT at its facilities must be: Electronic Storage or Usage its facial ID rollout Permission of the Publisher is required to store or use elec- • Justified – done for a clear and intended tronically any material contained in this publication, including eattle-Tacoma International Airport purpose and not mass surveillance. any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval S(Sea-Tac) has become the first • Voluntary – reasonable alternatives should system or transmitted in any form or by any means, electronic, airport in America to resist the US be provided for US citizens who do not wish to mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests Government’s drive to expand the use participate through an opt-in or opt-out process. to: Elsevier Science Global Rights Department, at the mail, fax and of facial recognition technology. • Private – data should be stored for a lim- email addresses noted above. Sea-Tac is Seattle’s main city airport ited time and secure. Notice and part of the Port of Seattle transport • Equitable – the technology should be rea- No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products hub, which last month decided to halt its sonably accurate in identifying people of all liability, negligence or otherwise, or from any use or operation biometrics rollout until it developed best- backgrounds. of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical practice principles that “ensure that the imple- • Transparent – the use of biometrics should sciences, in particular, independent verification of diagnoses and mentation of public-facing facial recognition be communicated to visitors and travellers. drug dosages should be made.Although all advertising material is expected to conform to ethical (medical) standards, inclusion in technology (FRT) is clearly justified, equitable • Lawful and ethical – complying with all laws, this publication does not constitute a guarantee or endorsement and transparent”. including privacy and anti-discrimination laws. of the quality or value of such product or of the claims made of it by its manufacturer. A management working group has been The Port said that once its new policies are set up to turn a series of ethical principles for in place after June, it will consider airline and 12985 passenger processing into policies – and no cruise line applications to use facial recognition Digitally Produced by Mayfield Press (Oxford) Ltd biometric technology will be introduced at Sea- on a case-by-case basis. Tac or other Port facilities until after 30 June, According to The Seattle Times, the Port’s when the new policies are due to go live. moratorium delayed a plan by Delta Air Lines to

2 Biometric Technology Today January 2020 NEWS roll out facial recognition cameras at its Sea-Tac Authorisations (ETAs) which travellers would boarding gates by the end of December. But have to obtain before entering the UK. The it’s reported that biometric technologies already aim is to store biometric data such as finger- EVENTS in use at the airport –including the CLEAR prints or retina scans on all ETAs, to provide service aimed at frequent travellers – will con- an extra security layer. CALENDAR tinue operating. And a CBP plan to install The Government said this new biometric- 11–12 March 2020 based system would enable border officers to facial recognition at a new facility to process Connect: ID arriving international travellers, opening in July, better screen arrivals against watchlists and Washington DC, USA will proceed as planned as the area where the block those judged to be a threat from enter- This international conference and exhibition focuses cameras will be located is controlled by the US ing the country. Automated exit and entrance on the management of identity technologies, highlighting how disruptive technology and policy federal government. checks would also make it harder for people decisions are driving change. The conference pro- Airlines like Delta will need to show how with serious criminal convictions to enter the gramme offers one-day summits focused on subjects they plan to comply before the Port permits UK from EU countries. including combatting document fraud, privacy and consent, securing citizens, trusted authentication, them to install facial recognition cameras. In The Government added that this combina- mobile ID, digital identity fraud, blockchain in action a statement, Delta said it believed its facial tion of automated entry and exit checks and and traveller identity. recognition systems “meet or exceed the guid- requirement for biometric passports will enable More information: https://www.terrapinn.com/exhibition/connect-id/ ing principles in the motion that the Port of it to “know who and how many people are index.stm Seattle adopted”. The airline said its tech- in the country, and to identify individuals nology “adheres to high standards for data who have breached the terms of their visa and 31 March–3 April 2020 security and customer privacy – a responsibil- restrict illegal immigration”. World Border Security Congress Athens, Greece ity Delta takes extremely seriously”. Announcing the proposals, UK Home The World Border Security Congress offers a forum Secretary Priti Patel said: ”The consequence where border management and security industry of EU law limiting our border capability is professionals can discuss the challenges faced in border control protecting borders, and the new technologies that brought home to me every day. It is a sad contribute to this. Provisional topics for this year’s New UK Government fact that drugs and guns reach our streets event include: the latest threats and challenges at from Europe, fuelling violence and addiction. the border; capacity building and training in border and migration management; understanding threats backs biometric People traffickers don’t think twice about risk- and challenges for maritime borders; pre-travel risk ing people’s lives for profit. Most shockingly assessment and trusted travellers; and the develop- border control of all, we know that terrorists have been able ing role of biometrics in identity management and document fraud prevention. This will include exam- to enter the country by exploiting free move- he UK’s newly elected Conservative ining the role of biometrics in managing identity ment. I am committed to doing everything we and borders. Government has put biometrics at T can to secure the border and protect the UK.” More information: the heart of its planned border control http://world-border-congress.com/ policy. regulation 5–8 April 2020 This follows Prime Minister Boris Johnson’s KNOW Identity promise to deliver ‘Brexit’, which means the Las Vegas, USA UK will officially leave the European Union US and China among This is a leading industry event focused on digital this month and move away from the EU’s identity and trust in the data economy. The organis- ers are expecting over 2,000 attendees, 200-plus migration policy. In the lead-up to its election most invasive users speakers and around 100 exhibitors. Key topics will victory last month, the Government said this of biometrics include biometrics & multi-factor authentication; ‘free movement’ policy had “made it easier for privileged access management; customer identity & access management (CIAM); identity resolution; illicit goods such as drugs, guns and explosive new study has ranked 50 countries data privacy & GDPR; and identity verification, KYC precursors, as well as illegal immigrants and and customer on-boarding. Speakers will include Aon how extensively and invasively Roger Dingledine, co-founder of the Tor Project; terrorists to enter the UK, as well as costing an they use biometric surveillance, and in researcher Ashkan Soltani, who is former chief estimated £5 billion each year due to excise, contrast who best regulates the tech- technologist for the Federal Trade Commission; customs and tariff evasion.” and Frank Lawrence, chief compliance officer at nology. China is named the poorest per- To counter this, the UK plans to intro- Facebook Payments. former of all, but perhaps surprisingly More information: duce an American and Canadian-style visa it is joined by the US in the five worst https://www.knowidentity.com/ waiver scheme, based on Electronic Travel countries – while the UK is ranked 19–21 May 2020 among the top five best-regulated. Counter Terror Expo The survey, by consumer information London ExCeL, UK Now in its 12th year, the Counter Terror Expo (CTX) website Comparitech, analysed the countries is a networking event for security professionals from according to how much biometric information industry, infrastructure, government and policing. It they collect from their citizens, what it’s used showcases technology to improve security and combat terrorism, in partnership with its sister events for and how it’s stored. the World Counter Terror Congress, Forensics Europe China topped the list for its extensive and Expo and Ambition. CTX’s key themes are protect- invasive use of biometrics and/or surveillance. ing people, protecting infrastructure, and policing and specialist operations. Conference topics include The next-worst performers were Malaysia, smart surveillance, human-led behavioural detec- Pakistan and the USA, with India, Indonesia, tion, and border and transport security. UK PM Boris Johnson plans to roll out biometric The Philippines and Taiwan all tying in fifth More information: https://www.ctexpo.co.uk/ passports as part of ‘Brexit’. Continued on page 11...

3 January 2020 Biometric Technology Today NEWS

NEWS IN BRIEF

Leading cyber-security firm Trustwave has Precise Biometrics CEO Stefan Persson said: ‘scratch-free’ optical sensor and a glass rather predicted that fake attacks on facial recogni- “Innovatrics is truly a front runner in face than plastic prism for better print identification systems will be one of the biggest hacking recognition modality and their proprietary tion. Mantra claims the MFS500 has one threats in 2020. Karl Sigler, threat intelligence technology will be one of the cornerstones in of the lowest FRR (false recognition rates) manager with Trustwave SpiderLabs, said: Precise YOUNiQ.” amongst biometric print scanners on the mar- “The widespread prevalence of facial recog- ket. It has also been certified by the FBI to nition used by apps and devices could draw Fingerprint Cards (FPC) is providing a the FAP10 standard. The scanner can run on deepfake attacks. We expect to see deepfake fingerprint sensor to secure the latest ‘smart’ Android, Windows and Linux-based devices. videos increasingly used to tarnish the careers suitcase launched by French luggage supplier, Mantra offers a range of fingerprint and iris or reputations of individuals, particularly poli- Kabuto. The FPC sensor negates the need recognition sensors and devices, to customers ticians as we near the 2020 US presidential for a key or passcode to open the suitcase. including the Indian Government’s Aadhaar election.” Sigler added: “Deepfakes are in Meanwhile, FPC has also teamed up with scheme. their infancy and it remains to be seen how far leading global smartphone provider Xiaomi cyber-criminals will go. High-profile people to include its FPC1540 side-mounted fin- COMPANY are perhaps most at risk, as deepfakes require gerprint sensor in Xiaomi’s recently launched abundant source material already available to Redmi K30 phone. This is the first device to Austrian biometric sensor provider AMS pull audio and video required to create realistic include the sensor, which is positioned on has succeeded in a takeover bid for the simulations.” Next month’s issue of BTT will the side of the phone inside the power but- well-known German-based lighting group feature a full analysis of the deepfake threat to ton. FPC senior vice president Ted Hansson Osram. AMS says it has secured agreement facial ID systems. said: “As an early pioneer of side-mounted to acquire over 59% of Osram’s shares in fingerprint sensors, we’re excited to see our a bid worth an estimated E4.6 billion. BIO-key’s biometric software systems have technology featured in this launch and to AMS employs about 9,000 people globally been selected by Orange County, Florida enable innovation and differentiation.” The and provides facial recognition and other to secure access to all its public records and FPC1540 can fit in a range of smartphone sensors to customers including Apple for voter data. BIO-key’s ID Director biometric designs, including borderless and foldable the iPhone. AMS CEO Alexander Everke software platform will be used to secure the phones. It is described as ultra-slim and can said: “We have been successful in achiev- county’s voter data and files. During elections, be customised to match the colour of the ing the minimum acceptance threshold in Orange County hires new employees and vol- device. Finally, FPC has collaborated with our offer for Osram. We look forward to unteers, often working in shared workstation global payment technology provider Valid to creating a European-based global leader environments. To control this, staff members launch a contactless biometric payment card in sensor solutions and photonics.” Olaf will be enrolled and identified using BIO- featuring FPC’s T-Shape fingerprint sensor Berlien, CEO of Osram, echoed this saying: key’s PIV-Pro and EcoID fingerprint scan- module. FPC said T-Shape has now been “Following AMS’ successful takeover bid, ners. EcoID has been certified by Microsoft adopted by all the top five payment smartcard we can now jointly establish a world-class to support the biometric authentication in its suppliers globally. photonics and sensor champion.” AMS Windows Hello for Business app. Orange is plans to finalise the takeover during the the fifth county in Florida to sign up for BIO- US-based AboutTime Technologies has first half of this year. key’s systems. “We are gratified by the growing added facial recognition to its WorkMax adoption of our biometric solutions among pIME system, which is used by companies to Paris-based secure identity specialist IN various County Supervisors of Elections, as track their mobile workforce. The company Groupe (formerly Imprimerie Nationale) they take steps to secure their election systems claims its new facial ID system “takes stand- has acquired fellow French biometric sys- for the coming presidential election,” said ard employee face capture to a new level”. It tems supplier SURYS for an undisclosed BIO-key CEO Mike DePasquale. “Our soft- automates the photo comparison process with sum. SURYS specialises in providing docu- ware is sold on a monthly subscription basis intelligent computing so businesses increase ment security and image analysis systems, and therefore provides needed flexibility to the probability that their employees clocking and its security features are present in an adapt to a changing workforce.” in and out are performing the work they’re estimated 50% of the world’s passports. IN being paid for. The new feature also aims Groupe’s aim is to build a centre developing PRODUCTS to eliminate ‘Buddy Punching’ – where an electronic and optical components to secure employee gets a co-worker to clock them in identities and banking transactions. This Precise Biometrics and Innovatrics have before they arrive at work or clock them out business will combine SURYS’ operations joined forces to launch Precise YOUNiQ, after they’ve left. WorkMax’s facial recognition with the IN subsidiary SPS, which pro- which combines Innovatrics’ face recogni- measures the similarity of the employee’s provides electronic components for chip cards. tion technology with Precise’s identification file photo against the daily selfies the employee SURYS has manufacturing plants in France software for access control. Precise YOUNiQ takes when clocking in and out. “WorkMax and the US, and R&D units in France, enables companies to securely grant employees face recognition helps reduce time theft and Germany and the US. It also has access to and visitors access to offices and restricted automates the process for our customers. This the world’s largest database of identity docu- premises, by validating them using Innovatrics’ results in paying the right employees for their ments, through its subsidiary Keesing based facial recognition and liveness detection. The work accurately,” said AboutTime CEO Ryan in the Netherlands. Its solutions have been companies claim that Innovatrics’ combina- Remkes. adopted by over 130 countries (passports in tion of passive facial recognition and live- France, Brazil and China, bank notes in the ness detection sets the system apart from India’s Mantra Softech has launched its Philippines) and by large brands to combat other access control identification systems. MFS500 fingerprint scanner, which features a counterfeit goods.

4 Biometric Technology Today January 2020 FEATURE The future of biometrics in policing worldwide

Jason Tooley, Veridium Jason Tooley

The use of biometrics by police forces has rarely been out of the headlines over the past year. As with many emerging technologies, it has hit significant hurdles. Recently in an unprecedented move, the UK’s Information regularly carry body-worn cameras or record Commissioner’s Office (ICO) – the government body responsible for GDPR images in cars without asking for consent – and and data privacy enforcement – launched an independent investigation into while none of this data is encrypted, the general the use of facial recognition at London’s King’s Cross train station, after it was public accept its usage. Video has a certain revealed that the general public were having their faces scanned without con- implicit public tolerance, exemplified by the sent. This scandal triggered the halt of police biometric trials across the coun- widespread use of CCTV cameras: the average try, while the South Wales Police force was taken to court over a similar issue. Londoner is caught on camera over 300 times per day. Yet the public generally accept CCTV Likewise in the US, Amazon was hit by a share- Nevertheless, the debate surrounding facial as they are familiar with the technology and holder revolt last year for selling its facial rec- ID has highlighted the fact that the public’s recognise the security benefits4. So what must ognition technology to US police forces, while perception and acceptance of biometrics is police forces do for their use of biometric tech- San Francisco became the world’s first city to just as important as the maturity and the cost- nology to reach this level of approval? outlaw facial recognition. The city set a trend effectiveness of the technology, for the police to It is vital to show the public that biometrics by completely banning the emerging technolo- really reap the benefits. has the potential to greatly improve services. gy from being used in law enforcement, as well However, it’s also important to ensure secu- as by local government agencies and transport “San Francisco set a trend by rity and privacy in the way the data is stored, authorities. becoming the world’s first city as having this type of information stolen can Yet alongside all this, police forces – like to outlaw facial recognition. have serious consequences. In June last year, many public services around the world – are Eurofins Scientific, the British police’s main under increasing cost pressures. In the UK for It banned the technology forensic outsource supplier, suffered a huge example, direct government funding has fallen from being used in law ransomware attack and data breach. This not 30% in the last eight years. And as a result enforcement, as well as by only disrupted the police’s forensics analysis, biometric systems are finding their way into local government agencies but impacted public confidence in its ability to government usage as a way to enhance the and transport authorities” store sensitive data such as biometrics. quality and efficiency of policing whilst also If police forces adopt a clearly transparent pol- cutting costs1. So despite the controversy, the icy on how biometric data is interpreted, stored UK Home Office is planning to invest a huge Data privacy and used, then public privacy worries are sig- £97 million into a wider biometric technology nificantly diminished, which in turn will trigger approach to safeguard the country’s streets2. So what are the public’s concerns? The key consent and acceptance. It is also key to manage Similarly, the Australian Government is plan- issue is data privacy, particularly with regards to expectations around biometrics and how the ning a colossal nationwide facial recognition the use of automated facial recognition for sur- technology will be used, especially in surveillance database3. veillance. Of course police officers worldwide use cases. As the technology matures, there is a need to understand how biometrics as a whole can aid identity verification at scale and how to achieve extensive public acceptance as part of a wider digital policing initiative. Police officers worldwide regularly carry body- Public perception worn cameras, Another core issue facing biometrics, and and even though none of this data particularly facial recognition, is the public’s is encrypted, the perception that this technology is not yet fully general public accurate. Digital fingerprint-based authenti- accept its usage. cation, which is broadly viewed as being the most mature biometric technology, has an implicit acceptance linked to an individual’s identity and the fact that it delivers a lower false positive result.

5 January 2020 Biometric Technology Today FEATURE

more likely to consent to technology that they engage with on their digital devices – leveraging widely used consumer technology such as smart- Fingerprint tech- phones in one-to-one scenarios. nology has a high So police forces that integrate a multimodal, level of consumer adoption because open approach to biometrics, selecting the of its use on mobile right biometric mode for the right use case, will devices, and in derive the most value from the technology. For airports. Citizens example, one European police force is using will have the same expectation of facial mobile biometrics in order to quickly scan a recognition – but it suspect’s fingerprints in the field, verify them suffers from its per- against their national database, and confirm ceived inaccuracy. identity within seconds. The best approach for police is to look to use strategies that the public have the highest degree of confidence in, and manage public expectations around success and The public’s understanding of the varying ed in a 96% rate of false positives5. In addition, how the technology is to be used. maturity levels of biometrics – for example racial and gender bias as well as problems work- fingerprinting compared to automated facial ing in conditions such as poor lighting or when “Police forces that integrate recognition (AFR), and their effective use – has the person is wearing accessories, impacts on a multimodal open approach strong links back to existing physical processes reliability. Indeed, even the UK Home Office to biometrics, selecting the and widespread consumer adoption. So, finger- has acknowledged that passport facial recogni- print technology has a high level of consumer tion checks are less effective on people with dark right biometric mode for the adoption because of its use on mobile devices, skin6. All this leads to a reluctance or refusal to right use case, will derive and in applications such as airports using flat- accept AFR technology among the public. the most value from the bed scanners – which are widely understood technology” and help immensely with acceptance. Citizens who are accustomed to using finger- Identity versus print biometrics on their personal devices will surveillance Currently, there are obstacles in the way of have the same expectation of facial recognition. biometrics which will be overcome as trust in However, when used as a stand-alone biometric, When biometrics are used in identity verification the technology becomes the norm. As men- AFR suffers from its perceived inaccuracy – eight use cases, as opposed to surveillance, it is much tioned, fingerprinting is the most mature and trials between 2016 and 2018 in London result- easier to gain public acceptance. Individuals are widely used biometric system, with high levels

Case study: Peruvian National Police The Peruvian National Police needed a way viable. The National Police wanted to avoid scan people’s fingerprints quickly and the to quickly verify the identity of people who purchasing separate mobile fingerprint images were of high enough quality to match were selected for random security screenings scanners, as, in addition to the expense, they against the national database. Having all this at the 2019 Pan American Games, which didn’t want to force their officers to carry information in their smartphones made the brought 420,000 spectators, athletes and supplementary hardware. officers’ jobs easier, both in terms of ease of use coaches from 41 countries to the country’s In order to meet these security requirements, and public acceptance, and an interest in the capital city, Lima. the police used Veridium biometric software technology made screenings easier to carry out. To identify people while out in the to verify the identity of people selected for Providing officers with people’s fingerprints field, Peru’s National Police were using a random security screenings. This contactless in addition to the information contained in smartphone mobile app that scanned the biometric authentication system uses a their national identity cards also allowed the individual’s national ID card. For the Pan smartphone’s rear-facing camera to capture an police to more accurately identify individuals. American Games, the police wanted their individual’s four fingerprints simultaneously, It also proved straightforward to teach officers smartphones to have the additional ability to with no supplementary hardware required. The how to use the fingerprinting technology. The capture fingerprints. technology is similar to that used in traditional Peruvian National Police force has now decided The police needed a product that could flatbed scanners, and was integrated into the to continue using this method after seeing quickly take people’s fingerprints, that was police force’s existing application, allowing how it improved the officers’ ability to confirm easy to use in the field, and could capture officers to turn their mobile devices into people’s identities – offering a fast, reliable and high-quality images that could be matched fingerprint readers. economic solution that was easy to integrate against those stored in Peru’s national and use. biometric database. Ideally, the product This case study underlines how effective would be software-based and integrate with Outcome biometric technology can be when it is the app the police force was already using. By integrating the biometric software, the used by police forces in a strategic way to This integration was the only way to make police were able to conduct random security offset violent crime, leveraging widely used the project financially and operationally checks efficiently and effectively – they could consumer technology to gain acceptance.

6 Biometric Technology Today January 2020 FEATURE

ciency and improved accuracy. Then, as both the technology and public acceptance matures, biometrics will become essential to the success of any digital policing strategy. About the author Jason Tooley is chief revenue officer at Veridium and has over 25 years’ business leadership experience in the technology sector. He is a board member of techUK, where he uses his expertise to support the challenges and opportunities presented to the tech industry in Britain. Veridium’s authentication platform enables companies to secure identity and privacy in a digital world by proving people are who they say they are, via biometrics and their smartphone. Veridium reduces the need for passwords, and integrates multi-factor solutions with utilising technology such as its 4 Fingers Touchless ID. This ensures compliance whilst also providing a more convenient, secure experience. See www. veridiumid.com for more details. With the many different use cases to address, it’s imperative to utilise the right biometric for the right police requirement. References 1. ‘Police funding in England and Wales’. of acceptance today. It is easily adopted by efficiently verify citizens and combat violent Full Fact, 28 September 2018. Accessed police, although it doesn’t work for surveillance crime. December 2019. https://fullfact.org/ purposes. Police forces across the world are see- crime/police-funding-england-and- ing the value in moving to a digital fingerprint wales/. capture mechanism, rather than physical. Strategy is key 2. ‘Biometrics technologies: a key enabler In terms of surveillance at scale, automated Summing up, police forces around the world for future digital services’. European facial recognition is the appropriate solution. But are looking to integrate the latest advances in Commission, January 2018. Accessed in the face of the substantial challenges relating technology to enhance public security and cut December 2019. https://ec.europa.eu/ to its relative lack of maturity, the best way to costs – and biometric solutions are fundamental growth/tools-databases/dem/monitor/ gain public acceptance is by taking advantage of to this. With the maturing of biometric tech- sites/default/files/Biometrics%20technolo- more mature biometric technologies like finger- niques and many different use cases to address, gies_v2.pdf. printing. This can be used to build acceptance, it’s imperative to utilise the right biometric for 3. Josh Taylor. ‘Plan for massive facial recog- and importantly public confidence, in the use of the right police requirement, and to create a nition database sparks privacy concerns’. the technology. transparent strategy that incorporates the use of The Guardian, 28 September 2019. multiple biometrics. Accessed December 2019. https://www. Innovation theguardian.com/technology/2019/sep/29/ “As both the technology and plan-for-massive-facial-recognition-data- Innovation in the field of biometric technol- public acceptance matures, base-sparks-privacy-concerns. ogy offers a significant way to quickly gain 4. Jordan G Teicher. ‘Gazing Back at the public approval and consent, and build citizen biometrics will become Surveillance Cameras That Watch Us’. New confidence in different police use cases. High essential to the success of York Times, 13 August 2018. Accessed levels of false positive rates and performance any digital policing strategy” December 2019. https://www.nytimes. concerns are typical of all nascent technolo- com/2018/08/13/lens/surveillance-camera- gies, not just biometrics. Think of the prob- photography.html. lems around video quality or internet speeds Police forces must look to adopt a strategic 5. Lizzie Dearden. ‘Facial recognition during their infancy. approach as they trial different biometric tech- wrongly identifies public as potential Innovations like behavioural biometrics now nologies, and not focus on one single biometric criminals 96% of time, figures reveal’. offer the ability to verify an individual from approach. With the rapid rate of innovation The Independent, 7 May 2019. Accessed their unique mannerisms such as the way they in the field, an open biometrics strategy will December 2019. https://www.independ- walk. Advanced finger vein recognition has also give police the ability to use the right biometric ent.co.uk/news/uk/home-news/facial- been developed – and both these modalities are techniques for the right requirements, acceler- recognition-london-inaccurate-met-police- nearly impossible to replicate or hack, therefore ate the benefits associated with digital policing trials-a8898946.html. providing the most secure identity verification. and thereby achieve public acceptance. 6. ‘Passport facial recognition checks It’s crucial that regulation doesn’t stifle this Acceptance and consent are key to the suc- fail to work with dark skin’. BBC, 9 type of innovation; the right balance must be cessful use of biometrics in the many digital October 2019. Accessed December 2019. achieved in order for police forces globally to police use cases. By digitalising current physical https://www.bbc.co.uk/news/technol- benefit from biometric technology in order to processes, police forces can create both effi- ogy-49993647.

7 January 2020 Biometric Technology Today FEATURE Ready for take-off: how biometrics and blockchain can beat Irra Ariella Khi aviation’s quality issues Irra Ariella Khi, Zamna

Biometric technologies have been embraced and adopted in aviation and international border control more than in any other industry. This is due to the emphasis on airline and border security and increasing pressure from governments to control and monitor immigration and the movement of There is therefore a critical need to use people. However, biometrics are still not at the stage of universal adoption biometric solutions to manage this growing and face several significant barriers that need to be overcome. throughput of passengers while maintaining and improving both security and the passen- Iris scans, facial recognition and fingerprint biometrics often play a complementary role in ger experience throughout all airport touch- readers have become much more commonplace authenticating the physical aspects of passenger points. In the words of IATA director general in modern airports, and some of the more for- identity, manual biographic passport checks Alexandre de Juniac: “Biometric recognition ward-looking pilot schemes have begun to com- are still exclusively used as the primary method using the One ID concept modernises the pletely replace the use of passports for passenger of passenger verification, with the exception of airport experience for passengers and improves identification with biometric data. For example, the Smart Tunnel system. We’ve still got some the efficiency and security of identification pro- Dubai Airport’s ‘Smart Tunnel’ project has work to do before a seamless, biometric-based cesses. Every traveller will appreciate the con- demonstrated that facial recognition technology passenger experience – where travellers can move venience of getting from the kerb to the gate can replace the manual passport control process through the airport without any physical docu- without ever having to show a paper passport entirely, shortening it to 15 seconds and remov- ment checks – becomes a reality for us all. or boarding pass.” ing the need for human intervention1. Still, there is no lack of enthusiasm for new Yet despite the increased use of biometric sys- technology within the aviation industry. In fact, “We’ve still got some work tems in airports, these solutions are still far from the use of biometrics underpins the main cross- to do before a seamless, being widely trusted to accurately verify pas- industry transformation project that the airline biometric-based passenger senger data – in or before the airport. And while trade association, the International Air Transport Association (IATA), created in 2016: ‘One ID’. experience – where travellers The aim of One ID is to create an “end-to-end can move through the passenger experience that is secure, seamless and airport without any physical efficient”, and it has the potential to address the document checks – becomes a key management challenges facing the airline reality for us all” industry: namely, passenger facilitation and security, plus government data regulations: • Passenger facilitation and security. Firstly, • Government data regulations. One ID also new biometric technology could help to meet responds to the increased pressure from interna- rising passenger expectations for more efficient tional governments for airlines to provide more journeys. IATA research shows that the majority accurate information on passengers – namely of passengers now find a queuing time of more APIS (Advance Passenger Information System) than 10 minutes unacceptable, and increasingly data – for the purposes of immigration, border prefer ‘ready-to-fly’ options such as validating control and national security decision-making. travel documents and checking in bags from Airlines are also under increasing commercial home before they head to the airport2. These pressure to comply with regulations in order to rising expectations come as the number of air- reduce the potential burden of hefty government line passengers continues to grow year-on-year, fines each year. A build-up of these fines has a New biometric technology could help to meet rising passenger expectations, just as airline putting further strain on aviation infrastructure. detrimental impact on an airline’s government passenger numbers continue to grow year-on- IATA’s ‘20-Year Air Passenger Forecast’ found relations, and can also impact their landing year, putting further strain on aviation infra- that the number of travellers is set to double by rights in a particular country. On top of that, structure. 2037, reaching 8.2 billion people a year3. One ID could reduce the onerous operational

8 Biometric Technology Today January 2020 FEATURE costs of airport real-estate and airline staff, both Data Protection Regulation (GDPR) in Europe. of which are needed for manually checking each So while more sophisticated data sharing will aid passenger’s documents. verification and improve the passenger experience, the protection and control of the personally identifiable information (PII) involved is Three key challenges paramount, and the highest standards of data Of course, the vision of One ID cannot be real- Due to the highly valuable personal data they security have to be upheld in any system that is ised until the need for manual identity checks hold, airlines are particular targets for data sharing biometric data for passenger validation. is vastly reduced – which is why data quality breaches. In the industry’s biggest security Regulators’ increasing focus on the security will play a critical role in both passport and incident to date, an attack on Cathay Pacific of personal and public data is reflected in public left 9.1 million customers exposed. biometric checking processes4. Let’s consider opinion. Recent high-profile consumer data the three data management challenges to the be established between airlines, biometric tech- breaches have propelled this issue into mainstream widespread adoption of biometric technology nology providers and passenger data regulators. public awareness, raising legitimate concerns as and how they might be overcome: However, the key problem the industry faces to what personal biographic and biometric data 1. Data standardisation and verification. with standardisation is not around data struc- is being collected and shared – and how it can be If biometrics are to be widely adopted, both tures, but the absence of cross-industry sharing used and mis-used, whether by international gov- airlines and government authorities must be protocols and schemes that would allow that ernments or private companies. able to trust that the biometric data provided data to be shared in the first place. Furthermore, due to the highly valuable on passengers is both accurate and high-quality. personal data they hold, government agencies, There are two root causes of the current scepti- “Until a comprehensive travel companies and airlines are particular cism here: a lack of standardisation of passenger standard is deployed, any targets for data breaches. In recent years, biometric data; and the lack of a reliable source biometric verification process we’ve seen a number of such cases: the US against which that biometric data can be vali- Government’s database of its security-cleared dated for accuracy and integrity. In addition, will always be limited, employees was successfully hacked by a hostile there is the challenge of connecting biometric since the biometric data foreign government; Marriott Hotels exposed data with the passenger’s biographic/passport produced or verified by any 383 million sensitive data records in one of the data (known as API or advance passenger single airline, airport or largest data breaches in history; and an attack information). Combine this with the increased government can never be on airline Cathay Pacific left 9.1 million cus- public scrutiny on personal data security, and tomers exposed in what was the airline indus- the scale of the problem becomes clear. wholly trusted by another” try’s biggest security incident to date. A number of biometric pilot schemes are Linking biometric data to an individual’s underway in airports around the world, but they 2. Secure data sharing. No data can currently existing personally identifiable biographic data, are all independent – using different technolo- be securely shared between different airlines and such as their passport, will create an even more gies, biometric markers, data standards and pro- government agencies, and therefore it cannot sensitive data set, and therefore an even more cessing techniques. And while the International be validated for accuracy and integrity by either appealing target for attackers. So before any Civil Aviation Organisation (ICAO) has estab- party. This is the case for both biometric and standardised system of sharing biometrics can lished a standard for biometric data, alongside biographic/passport data. Without a trusted sys- be rolled out, the industry has to agree on a biographic/passport data, not every country tem for sharing any type of information, airlines solution that addresses the data security con- adheres to these rules and principles. and governments maintain it siloed across their cerns of regulators and passengers. Until a comprehensive standard is adopted own systems. This means the same passenger’s 3. Biometrics meets the blockchain. This and consistently deployed, any biometric veri- data must be checked and re-checked manually. challenge of how to successfully and securely share fication process will always be limited, since These repeated checks result in delays at biometric data for validation can be resolved by the biometric data produced or verified by any airports, with passengers queuing at various applying blockchain technology. The blockchain single airline, airport or government can never checkpoints, waiting for their documents to be principles of decentralisation and immutability, be wholly trusted by another. This has forced scanned several times over. This is regardless coupled with its ‘privacy-by-design’ approach, the industry to default to traditional manual of how many times the passenger has travelled make it the ideal solution to data standardisation, passport data as a source of both trust and verifi- before, even if that individual is connecting onto verification and security challenges. By utilising cation for passenger IDs. And currently there is another flight on the very same day, or even if blockchain, a record can be made each time any no standardised way to either verify or connect that second flight is with the same airline. biometric data is validated or queried. When it passport and biometric data in order to identify This inability to securely share data is one of the is successfully validated, reputational value builds a passenger: an ePassport along with a biometric- main barriers to One ID and means that, even if and can also be recorded. Conversely, when comparing capability could solve that, but there biometric data is of high quality and in a standard- biometric data presents repeated errors, its repu- is still a need for passengers to enrol each time, ised form, it still has to be re-validated as a one-off tational value can be lowered. When combined and still no aggregation of verifications that can occurrence by each airline and government agency with blockchain’s inherent immutability, this be shared within the industry. every time that person travels. In other words, there means that airlines, airports and international A consistent standard for biometric data will is currently no way to put the hard work of one governments can be confident in the accuracy and undoubtedly come to the fore as biometric hard- data check in the service of the next check. validity of any data, using blockchain to corrobo- ware systems mature, and as governments and The difficulty of sharing biometric data rate its reputational value. airlines further progress their pilot programmes between multiple parties is worsened by the fact What’s more, blockchain’s system of decentral- into full adoption. These efforts can, of course, that the information is – rightly – protected ised storage and management means data verifica- be speeded up, so long as close collaboration can under data privacy laws, such as the General tion can be secured and re-secured at each stage

9 January 2020 Biometric Technology Today FEATURE of the process, assuring data provenance with no Standardisation and international regulation are single point of compromise and no central store. the next steps towards the widespread adoption Essentially, the blockchain process involves mak- of biometrics in the airline industry. However, ing records of data verification that would make biometrics alone cannot provide the seamless no sense to anyone unless they were in possession passenger experience envisioned by One ID. It’s of the original data. important that first, the biographic API data is According to independent security testers, accurate, of the highest quality, and can be shared using blockchain enables tech companies to cre- IATA’s One ID is an ambitious vision for the and validated by airlines and governments. ate systems that would take millions of years to airport of the future, based on combining This is where blockchain can play a crucial breach. Its privacy-by-design approach, as advo- accurate biographic data and biometric role in both securing and sharing these sensitive technology for passenger verification. cated in the GDPR, means systems can be built data sets. Blockchain alone is not the answer, around an un-compromisable concept of data reliant on correct data being provided by pas- and neither is accurate biographic data – but security, rather than having security elements sengers, 50% of whom make mistakes when together, they are the first step towards One ID. added in retrospect. Innovative technologies, submitting their API data. For example, consider Only when blockchain and biometrics are jointly that combine blockchain and privacy-by-design the role that passenger data plays in helping deployed can there be assurance of accuracy and to ensure improved biometric data accuracy airlines and governments establish whether that trust in identifying each physical passenger. without exposing underlying personal data, are traveller’s data matches a valid visa or ETA Without this level of data quality, the adop- already readily available on the market. (electronic transit authorisation). Today, bio- tion of biometrics as part of One ID will not be graphic data alone is used to establish whether possible. Yet without innovative solutions, the the passenger has the right status to travel to a dual problem of data protection limitations and One ID’s mission particular country or destination. Increasingly, the technical inability to share data between IATA’s One ID relies on coupling accurate pas- this could be established using both biographic biometric providers will continue to limit any senger biographic data (known as APIS) with and biometric data as part of One ID. data quality. Accurate, trusted and re-trusted the early authentication of each passenger’s In the context of passenger ETAs and visas, data alone can meet the demands for compre- biometric identity, followed by instant biometric ensuring data accuracy and validity will become hensive biographic and biometric processes, recognition at every touchpoint thereafter. With increasingly important across Europe as the EU both in the aviation industry and beyond. every successful verification, the data’s authentic- prepares to introduce its ETIAS (European Travel ity grows, and the need for extra and repeated Information and Authorisation System). This will About the author manual checks is eliminated. In practice, this require passengers from visa-free countries – such Irra Ariella Khi is the CEO and co-founder of combination of biometrics and blockchain as the US, Canada, Australia, New Zealand, Zamna (formerly VChain Technology), which negates the need for passengers to present multi- and possibly soon the UK – travelling into the provides the first venture-backed blockchain secu- ple documents at multiple touchpoints through- Schengen area to hold a valid ETA authorisation. rity solution for the aviation industry. Zamna’s out their airport experience. Airlines will also be required to establish that the patented, GDPR-compliant Identity-as-a-Service Using blockchain, tech companies can create passenger has the correct status prior to boarding. (IDAAS) solution connects the data sets of airlines, innovative decentralised solutions that can secure ETIAS is intended to speed up and modernise governments and security agencies, reducing the passenger data. Then, assuming international border procedures in the EU. However, without need to check physical passenger IDs in airports. standardisation and regulation, the reputational better systems for validating passenger data ahead Irra has co-authored Zamna’s first three patents, score of the data could become the basis of shared of the flight, staff will be forced to manually check and leads the deployment of its software to major insights between airlines and governments, who passports in order to cross-reference ETIAS details international airlines and governments. would in turn be able to trust that the validation once the passenger arrives at the airport. This will and re-validation is accurate. As a result, wherever potentially create queues and slow down the sys- References in-person checks still have to be performed, the tem; in some cases it means that passengers may 1. ‘Dubai airport trials “Smart Tunnel” data verification process will allow airlines and be informed too late that they do not have a valid that allows passengers to clear passport government agencies to focus on screening pas- ETIAS and won’t be able to fly on the day. control in 15 seconds’. Arabian Business, senger behaviour rather than verifying biographic/ Without accurate passenger data, there is no 11 October 2018. Accessed December passport data, making the checking process at reliable way to establish their status or check 2019. https://www.arabianbusiness.com/ airports and borders much more efficient. whether they have a valid ETA. Combining transport/406044-dubai-airport-trials-smart- IATA also suggests One ID can meet passen- biographic data alongside biometrics would drive tunnel-that-allows-passengers-clear-passport- gers’ desire for ‘ready-to-fly’ options – in other the industry towards better passenger identifica- control-in-15-seconds. words, presenting and validating their biographic tion, and towards realising the aim of One ID. 2. IATA. ‘2016 Global Passenger Survey’. and biometric details from home. Passengers Airlines will know that the data they are pro- https://www.iata.org/publications/store/ could use a mobile device to submit their person- vided with ahead of the flight is accurate, and no Documents/GPS-2016-Highlights-Final.pdf. ally identifiable information directly to the neces- passenger will need to be off-loaded or manually 3. ‘SAP and VChain execs discuss how technol- sary parties (such as airlines, immigration, border re-processed due to a data error. ogy is changing the travel experience’. Aviation control) ahead of their journey, further shortening Business, 12 May 2019. Accessed December the validation process at the airport. 2019. https://www.aviationbusinessme.com/ This ability could bring major benefits to air- Airport of the future airports/technology/18757-sap-and-vchain- lines, which are increasingly required to provide In summary, IATA’s One ID is an ambi- execs-discuss-how-technology-is-transforming- accurate passenger information to government tious vision for the airport of the future, based the-passenger-travel-experience. agencies ahead of the flight. This currently poses on combining accurate biographic data and 4. IATA. ‘One ID’. https://www.iata.org/ a major challenge for airlines as they are wholly biometric technology for passenger verification. whatwedo/passenger/Pages/one-id.aspx.

10 Biometric Technology Today January 2020 NEWS

Schengen Agreement so doesn’t take biometrics ...News continued from page 3 NatWest key worst place. Comparitech said: “These coun- upon entry.” But the company added: “There fob: enables tries show a concerning lack of regard for the are some doubts over Ireland’s use of facial rec- shoppers to privacy of people’s biometric data. They use ognition CCTV cameras.” make higher- Likewise, the UK scores well because it only has value payments biometrics to a severe and invasive extent.” without need- The five best countries, in terms of how well small biometric databases – one for criminals and ing a phone or they restrict and regulate biometric use and sur- one for non-UK citizens who enter the country, bank card. veillance, were Ireland, Portugal, Cyprus, the and it is governed by GDPR rules. Comparitech NatWest effortless payments, commented: “After UK and Romania. added: “Facial recognition CCTV in the UK also the successful pilot of our biometric debit card Commenting on the results, Comparitech seems to be governed well. For example, facial we are looking at how we can further develop analyst Paul Bischoff said: “While China top- recognition technology was being used at King’s the technology and push the boundaries to inte- ping the list perhaps doesn’t come as too much Cross Station but without prior notification and grate it into our customers’ everyday lives.” of a surprise, residents of (and travellers to) thus consent. It has now been switched off and The fobs are the same size as a standard key other countries may be concerned at the extent plans to develop it further have been placed on ring. They can also be used for buying goods of biometric information that is being collected hold. It is also being tested in other areas but con- online, and work at existing contactless and on them and what is happening to it afterward. tinues to meet ongoing protests.” chip-and-pin terminals. Users initially activate “Despite many countries recognising The company highlighted the fact that the fob by uploading their fingerprint and reg- biometric data as sensitive, increased biometric European Union countries overall score well istering their account via their mobile phone. use is widely accepted. Facial recognition CCTV in its survey, due to the GDPR’s control of NatWest is working with both Visa and is being implemented in a large number of biometrics, especially in the workplace. However, German-owned Giesecke and Devrient (G+D) countries, or at least being tested. EU countries Comparitech adds that most EU countries fall Mobile Security to develop the fob technol- scored better overall than non-EU countries due down over their use of biometric data in visas, due ogy. Jeni Mundy, Visa’s UK managing direc- to General Data Protection Regulation (GDPR) to the entry/exit system being introduced this year tor, commented: “We are constantly looking regulations protecting the use of biometrics in in the EU as part of the Schengen Agreement. for ways to innovate with our partners to the workplace to an extent.” The company explained: “This creates a vast give consumers greater choices in how they Among China’s faults, Comparitech cites biometric database spanning 28 countries, and pay. Following the launch of the UK’s first that it has no specific law to protect citizens’ each member country’s law enforcement will biometric debit card earlier this year, we are biometrics, but keeps an extensive national have access to it. This is alongside various other again pleased to collaborate with RBS on this biometric database that is currently being databases shared across Schengen member coun- pilot. Our research tells us that people have a expanded to include DNA. China also makes tries including the Visa Information System, strong interest in biometric technologies which widespread and invasive use of facial recognition which already contains over 60 million visa can make their lives easier as well as increasing technology, tracking its Uighur Muslim minor- applications and 40 million sets of fingerprints.” the security of their payments.” ity population, among others. Beijing is also The UK’s role in this may change post-Brexit. G+D UK managing director, Axel Lange, trialling facial recognition at security checkpoints said: “With the changing requirements in pay- on the subway so it can divide travellers into banking ment authentication, G+D Mobile Security wel- groups, a system it’s hoping to expand to include comes the opportunity to pilot different ways to buses, taxis and other travel services. NatWest unveils pay and we see biometrics as a key enabler to do Comparitech also cites China’s lack of secure and yet convenient payments.” safeguards for employees in the workplace. biometric fob for “Companies have even been permitted to contactless payments hacking monitor employees’ brain waves for productiv- ity while they’re at work,” it said. he UK’s NatWest Bank is trialling Amsterdam airport’s The US ranks low because it collects Ta new, compact biometric key fob biometrics widely in passports, ID cards and that can be used by customers to make facial ID fooled by bank accounts, and has a biometric voting sys- contactless payments worth up to tem yet lacks a specific law to protect citizens’ £100, without the need for a mobile simple photo biometric data – with only a handful of states phone or bank card. protecting people’s privacy. Comparitech com- The new device is currently being tested for acial recognition terminals in sites mented: “Many US citizens’ biometrics are three months, starting last December, among Franging from Amsterdam’s Schiphol exposed as there is no federal law in place,” a mix of 250 NatWest customers in England airport to retail stores in Asia were adding: “The FBI and ICE have recently been and Wales and Royal Bank of Scotland (RBS) easily spoofed by face masks and sim- criticised due to their use of facial recognition customers in Scotland. Both NatWest and RBS ple photos, in tests run by AI solutions technology to scan driver’s licence photos, with- are part of the RBS banking group. provider Kneron. out gaining the citizens’ consent beforehand.” Shoppers can make a purchase by simply Kneron’s researchers used high-quality 3D Conversely, Ireland is ranked the best- holding the key fob against a store’s card reader, masks to hack into facial ID-based AliPay and performing country because, Comparitech said: while identifying themselves by pressing their WeChat payment systems and make illicit pur- “Ireland succeeds in protecting biometric data thumb against the fob fingerprint reader. Once a chases in a number of stores in Asia, according by only having a small database that includes light indicates their print has been matched suc- to Fortune.com. And at the self-boarding termi- criminal profiles, having extra safeguards for cessfully, the transaction goes through. nal at Schiphol, Holland’s largest airport, they employee biometric data which go beyond NatWest has previously tested fingerprint- tricked the sensor using a photo on a phone GDPR requirements, and it isn’t part of the based bank cards and David Crawford, head of Continued on page 12...

11 January 2020 Biometric Technology Today NEWS/COMMENT

...Continued from page 11 NIST said. Its computer scientist Greg Fiumara carry out. This features prints taken with con- added: “The data will help anyone who is tactless fingerprint devices, a technology that interested in testing the error rates of biometric could simplify and speed up print gathering as identification systems.” it improves. “It also includes latent fingerprint The files are the first in what’s planned to be data, in which prints are left while handling a growing collection of biometric resources, and everyday objects,” Fiumara said. “Realistically are organised into three special databases (SDs) and expertly collected latent data is difficult to named SD 300, SD 301 and SD 302. come by.” SD 301 is the first ever multimodal dataset All the individuals represented in SD 301 NIST has released. It contains linked face, and 302 have consented to the inclusion of fingerprints and iris scan markers, so it can be their data and its distribution for research use, used to test systems that apply a combination he said. The data has also been scrubbed of Kneron used specially made masks to spoof biometric payment systems. of these identification approaches. “This opens identifying information such as their names Photo copyright Kneron. up possibilities for types of multimodal research and places of residence. that haven’t been done before,” Fiumara said. SD 300 houses a collection of fingerprints screen. Kneron’s team also gained access to rail “We want to get more secure and more accu- taken from 900 old ink cards. All the record stations in China where commuters use facial rate identification, as multimodal systems are cards have been stripped of identifying recognition to pay their fares and board trains. harder to spoof.” data and are from individuals who are now The tests highlight weaknesses that could SD 302 contains fingerprint data from a few deceased. According to Fiumara, this dataset lead to identity theft and terrorist access to key hundred people gathered by a mixture of eight can help manufacturers evaluate how well transport sites, undermining the security claims commercially available and prototype devices. their modern systems can interoperate with of biometric systems. It includes data gathered during the Nail to hard-copy ink records, which will remain a In statements to Fortune and the Daily Mail, Nail Fingerprint Challenge, an IARPA-funded requirement of the criminal justice system Kneron CEO Albert Liu said: “Technology competition that NIST helped to design and for some time. providers should be held accountable if they do not safeguard users to the highest standards. There are so many companies involved that it highlights an industry-wide issue with sub- COMMENT standard facial recognition tech. The technology is available to fix these issues but firms have not upgraded it. They are taking shortcuts at One of the more by the respondents, though the survey also the expense of security.” intriguing recent news reported that up to 70% of Chinese citizens But Kneron acknowledged that the masks it stories about biometric believed facial recognition made public used could not be mass-deployed as they had tech appeared just places safer. to be sourced from specialist mask makers in before Christmas: a The findings challenge any assumptions Japan. It also confirmed that its tests failed to survey found that the majority of Chinese that people living in China are more accept- fool some facial recognition apps, including citizens are worried about their country’s ing of mass biometric surveillance than Apple’s iPhone X. use of facial recognition. those in the West. The survey also followed Schiphol, WeChat and AliPay did not The research, by the Beijing-based Nandu shortly after the widely reported case of respond to requests for comment from Fortune. Personal Information Protection Research Chinese university professor, Guo Bing, who Centre, is one of the first major studies of pub- announced he was suing his local zoo for research lic attitudes to biometrics in a country that is enforcing facial recognition. Guo, a season notorious for its widespread and unconstrained ticket holder at Hangzhou Safari Park, had NIST launches datasets use of mass surveillance technology. used his fingerprint to check-in for years, but The Centre found that 57% of the 6,100 was no longer able to do so. to help cut error rates respondents were concerned about their move- And as the BBC reported, this case was ments being tracked by facial recognition covered in China’s state-owned media, S NIST (the National Institute of cameras. And a significant 84% wanted to be indicating that the country’s government is UStandards and Technology) has able to check and potentially delete the data willing to see the use of facial ID debated in released three new biometric data- that facial recognition systems had collected public. bases – featuring fingerprints, facial on them, according to reports by the BBC, Yet China evidently still has some way photographs and iris scans – designed Financial Times, ZDNet and other media. In to go. As our page 3 report shows, it was to help researchers reduce the error addition, 80% of those surveyed were worried ranked the worst in a Comparitech study of rates of biometric systems. that facial recognition system operators had 50 countries that examined how extensively The data, which is stripped of identifying infor- lax security measures, and 74% wanted to be and invasively biometric ID and surveillance mation and created expressly for research purpos- able to use traditional ID methods like identity systems were being deployed. es, can be downloaded from NIST’s website. cards, driver’s licences or passports rather than Even so, the good news is that increasingly “Few available resources exist to help devel- facial ID to verify their identity. China’s citizens are biting back against Big opers evaluate the performance of the software Fears about the biometric data being Brother. algorithms that form the heart of biometric hacked or leaked was the main concern cited Tim Ring systems, and the data will help fill that gap,”

12 Biometric Technology Today January 2020