Biometrics by the book

October 2012 Access Control & Identity Management

When considering implementing a fingerprint biometric solution, most companies take the advice of their installer or integrator as to which product to use; others simply look for the cheapest readers available in the belief that a biometric reader is a biometric reader. The reality, however, is significantly different: not all biometric readers are created equal.

Hi-Tech Security Solutions spoke to Ideco’s CEO, Marius Coetzee, to find out more about how end users should be choosing biometric readers. In this article we focus on two aspects of selecting biometric devices: standards and the admissibility of biometric evidence in court.

Biometric standards

Focusing on fingerprint biometrics, as fingerprints represent the majority of all biometrics in use by far, Coetzee’s first comment on standards is that the device must be AFIS (Automated Fingerprint Identification System) compliant. AFIS is a digital fingerprint system used by law enforcement and governments the world over, including by SAPS and Home Affairs. Being AFIS compliant will allow these authorities to process the fingerprint effectively without having to resort to manual procedures or to manipulate the images.

Furthermore, although PIV (Personal Identity Verification) standards are US-based, Coetzee says some tenders are calling for compliance in order to ensure their biometric systems are compatible with the highest security standards. More information is available in the Personal Identity Verification of Federal Employees and Contractors document at http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.

To round it off, Coetzee also recommends all biometric devices should be compliant with the image quality standards set by the FBI. These standards have been incorporated into the related ISO and SABS (South African Bureau of Standards) standards. The relevant ISO standards include ISO 19794 (Biometric data interchange formats) and ISO 18013 (Personal identification), as well as ISO 19092 and ISO 19785. Further standards relating to other biometric types and templates are also available. For a full listing of ISO standards see http://en.wikipedia.org/wiki/List_of_International_Organization_for_Standardization_standards#ISO_15000.E2.80.93ISO_19999, or refer to http://www.iso.org.

The SABS incorporates these standards into its own and they have specific committees dealing with various aspects of electronic information and biometrics. SC71F deals with information security, for example, while SC71J deals with cards and personal information, and SC71Q deals specifically with biometric standards.

All these standards deal with the appropriate and compliant use of personal information and images, of which an individual’s biometric data is one. It is therefore important for the biometric device one selects to comply with specific standards to ensure interoperability, but also to ensure that the service one obtains matches internationally accepted standards.

Interoperability

ISO 19794 is important in that it deals specifically with interoperability along with standards from the USA’s NIST (National Institute of Standards and Technology). Coetzee says interoperability standards are critical as they allow fingerprint templates saved from one compliant reader to be exported and read by another compliant reader from a different manufacturer.

Coetzee notes that certain biometric technologies, such as multispectral imaging, do not comply with all the standards, which could result in incompatibility with AFIS systems as well as a high percentage of false minutiae (minutiae being the features of a fingerprint that are used to identify it and make comparisons). If the algorithm used to identify the minutiae is not accurate, templates can fail to identify people accurately or assign the wrong identity to people.

In response to the standards question, Lumidigm, a company using multispectral imaging in its biometric readers, noted, “Lumidigm meets the ISO, ANSI and MINEX standards for template interoperability”. More specifically, the company’s devices meet the following standards: “Interoperability: ANSI 378, ISO 19794-2:2005, ANSI 381, ISO 19794-4:2005, NFIQ compliant; MINEX-certified algorithm; Device certifications: CE, FCC Part 15 Class B, EN 60950, IEC 62471, RoHS”.
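What template interoperability means in practice is that a receiving system can decode and sanity-check a record without knowing which reader produced it. The following is an added example, not code from the article or from any vendor named in it: a strict parser for the ISO/IEC 19794-2:2005 minutiae record layout (24-byte header, finger view header, 6-byte minutiae). The sample record and the `build_sample` helper are constructed for illustration.

```python
import struct

HEADER = struct.Struct(">4s4sIHHHHHBB")   # 24-byte ISO/IEC 19794-2:2005 record header
VIEW = struct.Struct(">BBBB")             # finger position, view/impression, quality, count
MINUTIA = struct.Struct(">HHBB")          # type+x, reserved+y, angle, quality

def parse_fmr(record: bytes) -> dict:
    """Validate and decode a minutiae record; raise ValueError on any inconsistency."""
    if len(record) < HEADER.size:
        raise ValueError("record shorter than the 24-byte header")
    magic, version, length, _dev, width, height, _xres, _yres, views, _rsv = \
        HEADER.unpack_from(record)
    if magic != b"FMR\x00" or version != b" 20\x00":
        raise ValueError("not an ISO/IEC 19794-2:2005 record")
    if length != len(record):
        raise ValueError("declared length does not match the data received")
    out, pos = {"width": width, "height": height, "views": []}, HEADER.size
    for _ in range(views):
        if pos + VIEW.size > len(record):
            raise ValueError("truncated finger view header")
        finger, _vi, quality, count = VIEW.unpack_from(record, pos)
        pos += VIEW.size
        if pos + count * MINUTIA.size + 2 > len(record):
            raise ValueError("minutiae count exceeds record size")
        minutiae = []
        for _ in range(count):
            tx, ry, angle, _q = MINUTIA.unpack_from(record, pos)
            pos += MINUTIA.size
            x, y = tx & 0x3FFF, ry & 0x3FFF          # low 14 bits hold the coordinate
            if x >= width or y >= height:
                raise ValueError("minutia lies outside the declared image")
            minutiae.append({"type": tx >> 14, "x": x, "y": y,
                             "angle_deg": angle * 360 / 256})
        (ext_len,) = struct.unpack_from(">H", record, pos)
        pos += 2 + ext_len                            # skip extended data block
        out["views"].append({"finger": finger, "quality": quality, "minutiae": minutiae})
    if pos != len(record):
        raise ValueError("trailing or missing bytes after the last finger view")
    return out

def build_sample() -> bytes:
    """Constructed sample: one view, two minutiae, 300x400 image at 197 px/cm."""
    body = VIEW.pack(2, 0, 80, 2)
    body += MINUTIA.pack((1 << 14) | 100, 120, 64, 90)   # ridge ending at (100, 120)
    body += MINUTIA.pack((2 << 14) | 250, 310, 128, 70)  # bifurcation at (250, 310)
    body += struct.pack(">H", 0)                         # no extended data
    return HEADER.pack(b"FMR\x00", b" 20\x00", HEADER.size + len(body),
                       0, 300, 400, 197, 197, 1, 0) + body
```

A record that parses cleanly is only structurally valid; it says nothing about whether the minutiae were extracted accurately, which is the concern Coetzee raises above.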

Securing biometrics as evidence

Another aspect to consider when looking at using biometrics is the various regulations in South African law contending with the protection of personal information, as well as the ability of companies to use digital biometrics in court.

Coetzee explains that evidence presented in court must not only be unaltered in any way from when it was presented; the chain of evidence showing it has been stored securely and has not been manipulated at any time is also crucial.

From a biometric perspective, this means that the prosecution or complainant needs to be able to show that the finger put on the reader was read and the template stored accurately, according to accepted standards. It must also show that it was stored on a system in a way that did not alter it and was protected from manipulation by any party while stored and being brought into court as evidence. If this is not done and cannot be shown to have been done, the court may reject the biometric evidence.
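One way to make that chain of evidence demonstrable, shown here as an added example rather than anything the article or Coetzee prescribes: each custody event (capture, storage, export) records the SHA-256 of the template and is bound to the previous event with an HMAC, so any later edit to the template or to the log is detectable. The key, event names, reader ID and timestamp format are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value for the first entry in a log

def _mac(key: bytes, prev: str, payload: dict) -> str:
    # Bind this entry's content to the MAC of the entry before it.
    msg = prev.encode() + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, event: str, reader_id: str,
                 template: bytes, ts: str) -> dict:
    """Record one custody event for a stored fingerprint template."""
    payload = {"event": event, "reader_id": reader_id, "ts": ts,
               "template_sha256": hashlib.sha256(template).hexdigest()}
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"payload": payload, "prev": prev, "mac": _mac(key, prev, payload)}
    log.append(entry)
    return entry

def verify_log(log: list, key: bytes, template: bytes) -> list:
    """Return a list of problems; an empty list means chain and template are intact."""
    problems, prev = [], GENESIS
    digest = hashlib.sha256(template).hexdigest()
    for i, e in enumerate(log):
        if e["prev"] != prev:
            problems.append(f"entry {i}: chain broken")
        if not hmac.compare_digest(e["mac"], _mac(key, e["prev"], e["payload"])):
            problems.append(f"entry {i}: MAC mismatch")
        if e["payload"]["template_sha256"] != digest:
            problems.append(f"entry {i}: template differs from what was logged")
        prev = e["mac"]
    return problems

def sample_log(key: bytes, template: bytes) -> list:
    """Constructed custody history: capture, storage, export for court."""
    log = []
    append_entry(log, key, "captured", "reader-01", template, "2012-10-01T08:00:00Z")
    append_entry(log, key, "stored", "reader-01", template, "2012-10-01T08:00:02Z")
    append_entry(log, key, "exported", "reader-01", template, "2012-10-20T09:30:00Z")
    return log
```

Entries removed from the end of the log are not detected by the chain alone, so the most recent MAC should also be kept somewhere the log's custodian cannot rewrite. The HMAC key must likewise be held apart from the system that stores the templates.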

For example, a recent episode saw a CEO accused of stealing a few million from his company. This individual’s password was used to log into the system and transfer the money. However, the CEO simply said he did not do it and someone must have used his password. There was no way to prove anything different so the case remains unsolved.

If biometrics had been used to log into the system, the perpetrator would have been caught, as his (or her) fingerprint would have been the proof that he actually committed the fraud. In court, however, if the biometric device had not been compliant with the relevant standards the defendant could claim the fingerprint template had been manipulated and was not admissible.

We have not seen such a case in court yet, but Coetzee warns that it only has to happen once to create serious problems for the biometrics industry. Any manipulation, no matter how small, could result in the biometric evidence being ruled inadmissible, causing headaches for those companies using compliant biometric systems. In other words, the CEO’s fingerprint may have been captured when he stole his loot, but because the reader used does not comply with the standards mentioned above, he could claim it was manipulated when read or stored and the court could refuse to accept the biometric evidence on that ground alone.

Protecting personal information

There are various laws in effect which govern the use of personal information. The Electronic Communications Security Act, for example, in part deals with the protection and security of electronic communications between systems and people and the prevention of unauthorised access. The new Protection of Personal Information Act focuses on how and when to store personal information (and what constitutes personal information), including the prevention of tampering or manipulation of this data. In addition, the Electronic Communications and Transactions Act encourages and governs electronic communications, dealing with issues such as tampering and securing the information in transactions.

These laws do not directly deal with biometrics, but do govern authentication to systems and the security of information citizens, customers or suppliers provide, as well as the secure transmission of the data. The company holding the information (and this includes biometric data if it is used to authenticate and allow or disallow access) must ensure it is securely stored and is free from tampering or manipulation from the moment it is entered. Not only will failing to do so fall foul of the law, but, again, it could compromise the admissibility of the information in court.

A simple example Coetzee provides concerns AFIS. If your biometric device does not comply with the AFIS standard when reading fingerprints, it will have to alter the image to make it compatible. What then are the legal implications of that alteration? How can the company be sure the alterations are done consistently and uniformly so that it will not cause legitimate users’ prints to be rejected or illegitimate prints to be accepted under the incorrect identity?

In concluding, Coetzee notes that it is a case of Buyer Beware. The responsibility for the quality and interoperability of your devices ultimately lies with the individual or company purchasing the solution. If you are simply looking for access to your premises and will not be using biometrics for employee verification or sensitive transactions, perhaps compliance is not critical.

However, when looking at the growth of biometrics and its increased use in financial transactions and identity verification processes, it may be the wiser choice to opt for a solution that complies with international standards to ensure your own peace of mind as well as the ability to safely and reliably transact with external systems using biometric data. And let us be honest, if your biometric reader complies with FBI standards, it is unlikely to be rejected as evidence in court.

As a starting point, to ascertain if your biometrics reader does comply with FIPS (Federal Information Processing Standard) and FBI standards, you can search for the manufacturer and device via these two links:

1.) http://fips201ep.cio.gov/apl.php

2.) https://www.fbibiospecs.org/IAFIS/Default.aspx

