Future of Identity in the Information Society Summary

FIDIS
Future of Identity in the Information Society

Title: “D3.16: Biometrics: PET or PIT?”
Author: WP3
Editors: Annemarie Sprokkereef (TILT), Bert-Jaap Koops (TILT)
Reviewers: Mireille Hildebrandt (VUB), Eleni Kosta (KU Leuven, ICRI)
Identifier: D3.16
Type: [Report]
Version: 1.0
Date: 20 August 2009
Status: [Final]
Class: [Public]
File: fidis-WP3-del3.16-biometrics-PET-or-PIT.pdf

Summary

Biometrics plays a vital role in identity management. Biometric data are, however, sensitive and vulnerable, and there is a need to develop biometric applications as a privacy-enhancing technology (PET) rather than a privacy-invasive technology (PIT). Building on earlier FIDIS research, this report studies technical, organizational, and policy decisions in the development of biometrics applications that influence their becoming PETs or PITs. These decisions balance the interests of individuals to have control over their personal data against commercial, societal, and political interests, security, convenience, and efficiency. This report identifies criteria for determining the ‘PET’ content of technologies and looks at several case studies of decision-making processes in biometrics: biometric pseudonyms and iris recognition, Privacy Impact Assessments, voice recognition, the German ePass, and the Dutch central database of passport biometrics. These case studies suggest a possible gap between expectations and assessments based on technical knowledge and between economic and political expectations of and requirements for biometric applications. Based on this finding, recommendations are given to enhance awareness of privacy-enhancing technologies and to apply value-sensitive design in the development of biometric applications.

Copyright © 2004-08 by the FIDIS consortium - EC Contract No. 507512
The FIDIS NoE receives research funding from the Community’s Sixth Framework Program

FIDIS D3.16 Future of Identity in the Information Society (No. 507512)

Copyright Notice

This document may not be copied, reproduced, or modified in whole or in part for any purpose without written permission from the FIDIS Consortium. In addition to such written permission to copy, reproduce, or modify this document in whole or part, an acknowledgement of the authors of the document and all applicable portions of the copyright notice must be clearly referenced.

All rights reserved.

PLEASE NOTE: This document may change without notice – Updated versions of this document can be found at the FIDIS NoE website at www.fidis.net.

Members of the FIDIS consortium

  • Goethe University Frankfurt, Germany
  • Joint Research Centre (JRC), Spain
  • Vrije Universiteit Brussel, Belgium
  • Unabhängiges Landeszentrum für Datenschutz, Germany
  • Institut Europeen D'Administration Des Affaires (INSEAD), France
  • University of Reading, United Kingdom
  • Katholieke Universiteit Leuven, Belgium
  • Tilburg University, Netherlands
  • Karlstads University, Sweden
  • Technische Universität Berlin, Germany
  • Technische Universität Dresden, Germany
  • Albert-Ludwig-University Freiburg, Germany
  • Masarykova universita v Brne, Czech Republic
  • VaF Bratislava, Slovakia
  • London School of Economics and Political Science, United Kingdom
  • Budapest University of Technology and Economics (ISTRI), Hungary
  • IBM Research GmbH, Switzerland
  • Institut de recherche criminelle de la Gendarmerie Nationale, France
  • Netherlands Forensic Institute, Netherlands
  • Virtual Identity and Privacy Research Center, Switzerland
  • Europäisches Microsoft Innovations Center GmbH, Germany
  • Institute of Communication and Computer Systems (ICCS), Greece
  • AXSionics AG, Switzerland
  • SIRRIX AG Security Technologies, Germany

Versions

Version   Date         Description (Editor)
0.1       09.03.2009   template circulated (BJK, AS)
0.2       30.03.2009   first contributions of all chapters (all)
0.3       09.04.2009   edited version (AS)
0.4       15.06.2009   revised chapters (all)
0.5       13.08.2009   final draft version for internal review (AS, BJK)
1.0       20.08.2009   final version (BJK, AS)

Foreword

FIDIS partners from various disciplines have contributed as authors to this document. The following list names the main contributors for the chapters of this document.

  • Executive Summary: Bert-Jaap Koops, Annemarie Sprokkereef (TILT)
  • 1 Introduction: Annemarie Sprokkereef (TILT)
  • 2 Summary of earlier research findings: all authors
  • 3 Concepts and Definitions: Annemarie Sprokkereef (TILT)
  • 4 Technical decisions Introduction: Annemarie Sprokkereef (TILT)
  • 4.1 Biometric pseudonyms and iris recognition: B. Anrig, E. Benoist, D.-O. Jaquet-Chiffelle, F. Wenger (VIP)
  • 4.2 Privacy Impact Assessment: Martin Meints (ICPP)
  • 5 Testing-stage decisions
  • 5.1-5.2 Centre Link and ABN AMRO voice recognition: Vassiliki Andronikou (ICCS), Annemarie Sprokkereef (TILT)
  • 5.3 ePass: Stefan Berthold (TUD)
  • 6 Political decisions: Annemarie Sprokkereef, Bert-Jaap Koops (TILT)
  • 7 Conclusion: Bert-Jaap Koops, Annemarie Sprokkereef (TILT)

Table of Contents

Executive Summary
Abbreviations
1 Introduction
2 Summary of earlier FIDIS research findings
3 Analysis of concepts and definitions
  3.1 Introduction
  3.2 A set of criteria to assess privacy-enhancing features
    3.2.1 Obligatory or voluntary nature
    3.2.2 Choice of biometric to be presented
    3.2.3 Authentication or verification
    3.2.4 Personal Control
    3.2.5 Multi factor system
    3.2.6 Access to biometric data stored on RFID chip
    3.2.7 Room for function creep
    3.2.8 Data quality
    3.2.9 Right to object
    3.2.10 Direct identification ability, interoperability, linkability and profiling
  3.3 Conclusion
4 Early-stage decisions
  4.1 Technical decisions: biometric pseudonyms and iris recognition
    4.1.1 Biometrics and pseudonyms
      4.1.1.1 Advantages and disadvantages of biometrics
      4.1.1.2 Unlinkability of personal information
      4.1.1.3 Data protection and revocability
      4.1.1.4 Biometric pseudonyms
    4.1.2 BioCrypt – Biometric Pseudonyms in the Example of Iris Data
      4.1.2.1 Image Acquisition
      4.1.2.2 Template Production and Analysis
      4.1.2.3 Template matching (verification vs. identification)
      4.1.2.4 Iris biometric pseudonyms
    4.1.3 Conclusion
  4.2 Organizational and technical decisions: Privacy Impact Assessment
    4.2.1 Introduction
    4.2.2 Privacy vs. data protection
    4.2.3 PIA – Background and Methodology
      4.2.3.1 PIA – Description of the methodology
