Biometrics by the book

Access & Identity Management Handbook 2013 Access Control & Identity Management

When considering implementing a fingerprint biometric solution, most companies take the advice of their installer or integrator as to which product to use; others simply look for the cheapest readers available in the belief that a biometric reader is a biometric reader. The reality, however, is significantly different: all biometric readers are not created equal.

Hi-Tech Security Solutions spoke to Ideco’s CEO, Marius Coetzee to find out more about how end users should be choosing biometric readers. In this article we focus on two aspects of selecting biometric devices: standards and the admissibility of biometric evidence in court.

Biometric standards

Focusing on fingerprint biometrics, as fingerprints represent the majority of all biometrics in use by far, Coetzee’s first comment on standards is that the device must be AFIS (Automated Fingerprint Identification System) compliant. AFIS is a digital fingerprint system used by law enforcement and governments the world over, including by SAPS and Home Affairs. Being AFIS compliant will allow these authorities to process the fingerprint effectively without having to resort to manual procedures or to manipulate the images.

Furthermore, although PIV (Personal Identity Verification) standards are US-based, Coetzee says some tenders are calling for compliance in order to ensure their biometric systems are compatible with the highest security standards. More information is available in the Personal Identity Verification of Federal Employees and Contractors document at http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.

To round it off, Coetzee also recommends all biometric devices should be compliant with the image quality standards set by the FBI. These standards have been incorporated into the related ISO and SABS (South African Bureau of Standards) standards. The ISO relevant standards include ISO 19794 (Biometric data interchange formats) and ISO 18013 (Personal identification), as well as ISO 19092 and ISO 19785. Further standards relating to other biometric types and templates are also available. For a full listing of ISO standards see http://en.wikipedia.org/wiki/List_of_International_Organization_for_Standardization_standards#ISO_15000.E2.80.93ISO_19999, or refer to http://www.iso.org.

The SABS incorporates these standards into its own and they have specific committees dealing with various aspects of electronic information and biometrics. SC71F deals with information security, for example, while SC71J deals with cards and personal information, and SC71Q deals specifically with biometric standards.

All these standards deal with the appropriate and compliant use of personal information and images, of which an individual’s biometric data is one. It is therefore important for the biometric device one selects to comply to specific standards to ensure interoperability, but also to ensure that the service one obtains matches internationally accepted standards.

Interoperability

ISO 19794 is important in that it deals specifically with interoperability along with standards from the USA’s NIST (National Institute of Standards and Technology). Coetzee says interoperability standards are critical as they allow fingerprint templates saved from one compliant reader to be exported and read by another compliant reader from a different manufacturer.

Coetzee notes that certain biometric technologies, such as Multispectral imaging, do not comply with all the standards, which could result in incompatibility with AFIS systems as well as a high percentage of false minutiae (the features of a fingerprint that are used to identify them and make comparisons). If the algorithm used to identify the minutiae is not accurate, templates can fail to identify people accurately or assign the wrong identity to people.

In response to the standards question, Lumidigm, a company using Multispectral imaging in its biometric readers noted, “Lumidigm meets the ISO, ANSI and MINIX standards for template interoperability”. More specifically, the company’s devices meet the following standards: “Interoperability: ANSI 378, ISO 19794-2:2005, ANSI 381, ISO 19794-4:2005, NFIQ compliant; MINEX-certified algorithm; Device certifications: CE, FCC Part 15 Class B, EN 60950, IEC 62471, RoHS”.

Securing biometrics as evidence

Another aspect to consider when looking at using biometrics is the various regulations in South African law contending with the protection of personal information, as well as the ability of companies to use digital biometrics in court.

Coetzee explains that evidence presented in court must not only be unaltered in any way from when it was presented, but the chain of evidence showing it has been stored securely and has not been manipulated at anytime is crucial.

From a biometric perspective, this means that the prosecution or complainant needs to be able to show that the finger put on the reader was read and the template stored accurately, according to accepted standards. It must also show that it was stored on a system in a way that did not alter it and was protected from manipulation by any party while stored and being brought into court as evidence. If this is not done and cannot be shown to have been done, the court may reject the biometric evidence.

For example, a recent episode saw a CEO accused of stealing a few million from his company. This individual’s password was used to log into the system and transfer the money. However, the CEO simply said he did not do it and someone must have used his password. There was no way to prove anything different so the case remains unsolved.

If biometrics had been used to log into the system, the perpetrator would have been caught, as his (or her) fingerprint would have been the proof that he actually committed the fraud. In court, however, if the biometric device had not been compliant with the relevant standards the defendant could claim the fingerprint template had been manipulated and was not admissible.

We have not seen such a case in court yet, but Coetzee warns that it only has to happen once to create serious problems for the biometrics industry. Any manipulation, no matter how small could result in the biometric evidence being ruled inadmissible, causing headaches for those companies using compliant biometric systems. In other words, the CEO’s fingerprint may have been captured when he stole his loot, but because the reader used does not comply with the standards mentioned above, he could claim it was manipulated when read or stored and the court could refuse to accept the biometric evidence on that ground alone.

Protecting personal information

There are various laws in effect which govern the use of personal information. The Electronic Communications Security Act, for example, in part deals with the protection and security of electronic communications between systems and people and the prevention of unauthorised access. The new Protection of Personal Information Act focuses on how and when to store personal information (and what constitutes personal information), including the prevention of tampering or manipulation of this data. In addition, the Electronic Communications and Transactions Act encourages and governs electronic communications, dealing with issues such as tampering and securing the information in transactions.

These laws do not directly deal with biometrics, but do govern authentication to systems and the security of information citizens, customers or suppliers provide, as well as the secure transmission of the data. The company holding the information (and this includes biometric data if it is used to authenticate and allow or disallow access) must ensure it is securely stored and is free from tampering or manipulation from the moment is it entered. Not only will failing to do so fall foul of the law, but, again, it could compromise the admissibility of the information in court.

A simple example Coetzee provides concerns AFIS. If your biometric device does not comply with the AFIS standard when reading fingerprints, it will have to alter the image to make it compatible. What then are the legal implication of that alteration? How can the company be sure the alterations are done consistently and uniformly so that it will not cause legitimate users’ prints to be rejected or illegitimate prints to be accepted under the incorrect identity?

In concluding, Coetzee notes that it is a case of Buyer Beware. The responsibility for the quality and interoperability of your devices ultimately lies with the individual or company purchasing the solution. If you are simply looking for access to your premises and will not be using biometrics for employee verification or sensitive transactions, perhaps compliance is not critical.

However, when looking at the growth of biometrics and its increased use in financial transactions and identity verification processes, it may be the wiser choice to opt for a solution that complies with international standards to ensure your own peace of mind as well as the ability to safely and reliably transact with external systems using biometric data. And let us be honest, if your biometric reader complies with FBI standards, it is unlikely to be rejected as evidence in court.

As a starting point, to ascertain if your biometrics reader does comply with FIPS (Federal Information Processing Standard) and FBI standards, you can search for the manufacturer and device via these two links:

1.) http://fips201ep.cio.gov/apl.php

2.) https://www.fbibiospecs.org/IAFIS/Default.aspx



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Facial access control for ministry
Issue 1 2020, ZKTeco , Access Control & Identity Management
The Ministry of Culture in Saudi Arabia has adopted ZKTeco’s facial recognition technology and fingerprint biometrics to manage access control into its building.

Read more...
New Door Pilot app from dormakaba
Issue 1 2020, dormakaba South Africa , Access Control & Identity Management
With new dormakaba Door Pilot, automated doors can also now be operated on the basis of remote control technologies. The system, comprising the Door Pilot app for smartphones and a Wi-Fi interface for ...

Read more...
The instruments for investigation
Issue 1 2020, Technews Publishing , Security Services & Risk Management
Regardless of the reason for investigation, the investigation is only as good as the investigators.

Read more...
Do we really want simplicity?
Issue 1 2020, Technews Publishing , News
Everything today has to be simple, easy and fast. Even access to your bank account has to fit these adjectives and banks spend significant time and money trying to ensure their web and mobile interfaces ...

Read more...
Security events you can’t miss in 2020
Issue 1 2020, Technews Publishing , News
Hi-Tech Security Solutions will host a number of focused events in 2020 to highlight the latest in security technology and the operational benefits they deliver.

Read more...
Identity lifestyle
Issue 1 2020, Suprema , Access Control & Identity Management
Once the technology of the future, biometrics has quietly snuck into our daily lives through smartphones and access controls into our places of work.

Read more...
Leaders in risk and security: You have to know it to manage it
Issue 1 2020, Technews Publishing , Security Services & Risk Management
Hi-Tech Security Solutions profiles Nash Lutchman, Senior Vice President and Head of Protection Services at Sibanye-Stillwater.

Read more...
Trends 2020
Issue 1 2020, Technews Publishing , Editor's Choice
Hi-Tech Security Solutions asked a few people from diverse companies to join us in a round-table discussion about what they expect to see happening in their environments in the coming year.

Read more...
The move to services and RMR
Issue 1 2020, Merchant West, G4S South Africa, Technews Publishing , Integrated Solutions
Project work used to be the staple diet for system integrators, but that was before the services model changed the way businesses buy and use their security systems.

Read more...
Securing BP’s new head office
Issue 1 2020, ISF SFP , Access Control & Identity Management
ISF SFP was awarded the contract to secure the first development phase for Oxford Parks, the new head office for BP South Africa.

Read more...