A Privacy Protection Architecture in Sharing Biometric Information for NATO Applications

Qinghan Xiao

Senior Member, IEEE

Defence R&D Canada - Ottawa
3701 Carling Avenue
Ottawa, ON K1A 0Z4
Canada

Abstract
In recent years, biometric technologies have played an increasingly important role in the Global War on Terror. As a NATO program, the International Security Assistance Force (ISAF) implemented the US biometric systems as part of ISAF force protection and overall security efforts in Afghanistan in February 2007. Sharing biometric data in combat applications to identify Red Force allows the alliance members to eliminate the terrorists’ advantage of anonymity. However, under the current system architecture it raises privacy and legal concerns when the system is used both to identify terrorist suspects and to verify NATO citizens. To address this challenge, a privacy protection architecture is presented that can reduce privacy violations and legal risks in sharing biometric data. The objective is to provide a privacy protection solution for the future development of a NATO biometric system.

Index Terms— Biometrics, data sharing, privacy, NATO counter-terrorism operations

I. INTRODUCTION

Since the September 11th terrorist attacks, biometrics has gained increasing attention and become an important consideration for security-related applications ranging from physical and logical access control to terrorist attack prevention. In fighting the long war on terrorism, it is necessary to link an enemy combatant or similar national-security threat to his or her previously used identities and past activities. Biometric technology is a powerful weapon because it provides a reliable and convenient mechanism for establishing and verifying identities using characteristics that are uniquely part of a person.

In February 2007, a biometric system was put into operation by NATO’s International Security Assistance Force (ISAF) in Afghanistan as part of ISAF force protection and overall security efforts [1]. The system consists of a NATO/ISAF server and the US biometric devices called Biometric Automated Toolset (BAT) and Handheld Interagency Identification Detection Equipment (HIIDE). It gives the military and intelligence communities the capability to recognize accurately whether an individual encountered is friend or foe, especially when enemies hide among the civilian population, as in Afghanistan. The objective of the ISAF biometric program is to collect, reference, and analyze biometric data along with associated information to support timely individual verification/identification in support of Afghanistan mission elements. The key capabilities include controlling physical access, identifying an individual encountered during tactical operations, locating and tracking a person of interest, distinguishing allies from enemy-force individuals among those detained by coalition forces, and collecting forensic evidence and sharing the information.

Sharing biometric data in combat applications to identify Red Force allows the alliance members to eliminate the terrorists’ advantage of anonymity. It was reported that “Information coming in from fingerprinting around the globe is proving to be extremely beneficial to efforts in the War on Terror” [2]. However, under the current system architecture it raises privacy and legal concerns when biometric data are collected and shared on citizens of allied countries. The Canadian Press reported on 5 May 2009: “Journalists covering the war in Afghanistan are now required to submit to a biometrics scan before being accredited to travel with NATO units or visit military bases. The data, including fingerprints and a retina scan, are used to verify identity and apparently checked against an archive of known terrorists. ... A legal expert described the new security crackdown as ‘strange and offensive’ and said the Conservative government needs to be asking tough questions of its allies before any Canadian citizen submits to such a procedure” [3]. The concern is raised not only because the BAT “was first introduced to track prisoners being funneled into U.S. military-run prisons in occupied Iraq”, but also because “it would seem that it's actually still being operated by American personnel (which means the Americans presumably also keep the database for their own uses)” [4], while “ISAF doesn’t provide a privacy guarantee” [5]. To address these issues, this paper presents a privacy protection architecture for the development of a future NATO biometric system. The rest of the paper is organized as follows. Section II discusses the privacy challenges in the current ISAF biometrics application. Section III analyzes the privacy issues of a biometric system stage by stage. Section IV presents a system architecture to deal with the privacy and legal challenges of biometric data sharing in NATO applications. Finally, Section V provides the conclusions.

II. BACKGROUND AND PRIVACY CHALLENGES

At the end of February 2007, ISAF fielded both BAT and HIIDE, developed by the US, as part of ISAF force protection and overall security efforts in Afghanistan. BAT is a multimodal biometric collection, data management and exploitation system that provides biometric and associated information for operational and intelligence decision making. HIIDE is a portable multimodal biometric enrollment and recognition device that can match fingerprints, iris and facial images, and the biographical and contextual data of persons of interest.

Fig. 1. Biometrics process [6].

Biometric technologies have been used in applications such as force protection, to control military base access; combat identification, to classify an individual as “friend”, “foe” or “neutral”; civil-military operations, to locate and track members of the population; and forensics, to connect geographically separate attacks, such as improvised explosive device (IED) attacks, to individual people. Application of the technology has been extended from the defensive, restricting access to secure facilities by vetting unknown people, to the offensive, actively looking for known threats (Figure 1).

According to Cross Match Technologies, prisoners at remote locations in Afghanistan are fingerprinted, and the electronic fingerprints and demographic information are transmitted over both analog phone lines and satellite communications. The information is also copied to disk during the process and written to CD-ROM at the end of the day. The CDs and the electronic transfers are sent to the FBI Criminal Justice Information Services (CJIS) Division, which has assisted the U.S. military in consolidating, formatting and exchanging identification information. The information saved in the FBI database is accessible to law enforcement personnel to determine whether detainees have criminal histories in the United States [7]. The use of biometric technology is considered a critical step in eliminating the terrorist’s advantage of anonymity. It is reported that [1]:

NATO and its partners are involved in ongoing operations on three continents and the Mediterranean Sea, near the nexus of known criminal and terrorist activities (i.e., Afghanistan, Sudan, and the Balkans). They probably interact routinely with many people who are associated with terrorist threats or criminal activity and have already been identified by allies. Biometric applications will help identify links across those regions.

The reason that biometrics plays a key role in the War on Terror lies in its ability to establish the true identity of an anonymous individual. Biometric records can also be linked to locations and travel sequences by attaching GPS position information. ISAF has used the combination of biometrics with location tracking to help improve security [1]:

As more people, threat or not, are identified traveling among the operating locations, different travel routes and mechanisms will also be illuminated. This information will facilitate more effective security and stability operations overall.

To take full advantage of biometrics, biometric data sharing and cooperation among the NATO nations must be facilitated. Sharing biometric data makes possible applications such as

  • quickly searching and exchanging biometric data on persons that were detained by NATO members to assist in the prevention of terrorism and international crime
  • showing the movement of a person that was biometrically identified by different nations within their controlled locations

However, a new policy, “Media interested in visiting any ISAF locations in Afghanistan are required to be accredited, receive a media registration card and be entered in the Biometric Automated Toolset (BAT) through ISAF HQ” [8], raised a privacy issue. The major concerns are [3]:

  • When NATO first used the biometric system in Afghanistan, its purpose was to screen local Afghans working at military bases
  • Next, the system was used to maintain a database of terrorists, insurgents, local workers and detainees
  • Then an expanded screening program that included journalists was ordered

One of the key recommendations in the biometrics policy of the Canadian Department of National Defence states that “information on Canadian citizens or permanent residents of Canada must not be held in the ISAF database” [9]. Research has been conducted to address the privacy concerns raised by the ISAF biometric system, and this paper presents a privacy protection architecture for the development of a future NATO biometric system.

III. PRIVACY ISSUES IN BIOMETRIC SYSTEM

Biometrics is the science and technology of recognizing a person from unique physiological or behavioral characteristics. A biometric system is essentially a pattern recognition system consisting of the following processing stages: data capture, signal processing, template generation, feature comparison, and decision making (Figure 2).

In the beginning, a combination of hardware and software is used to capture the biometric data. The data is then processed to enhance the biometric trait. Next, biometric features are extracted to generate a template, which is stored in a database for later comparison. In general, converting biometric data to a template is intended to be a one-way function, so that the original data cannot be recovered from the template. This should be treated as a design goal rather than a guarantee: published attacks have reconstructed usable fingerprint and face images from stored templates [10], so a leaked template database is not harmless. The comparison stage measures the similarity between newly captured biometric data and the stored template and sends the result to the decision stage. Since a biometric system can operate in verification mode or identification mode, the decision is represented either as “accept or reject” for verification or as a candidate list for identification. In the following, privacy issues are analyzed in each processing stage and under different application scenarios.

Fig. 2. A Biometric Data Capture

A. Data Capture

In many non-criminal applications, users participate in a biometric program voluntarily. To gain user consent, the authority needs to explain the benefits and risks before capturing biometric data, so privacy issues in data collection are critical in such applications. In contrast, biometric data collection can be mandated in a criminal or anti-terrorism application: an arresting officer collects the event, the charge and the biometric data, and this activity does not violate privacy rights.

The captured biometric data can be used either to enroll a person into the system or to compare against a biometric database. The purpose of enrollment is to register an individual in a biometric database so that the data can be used for subsequent comparison. Enrollment can be categorized as either positive or negative:

  • Positive enrollment results in a biometric database of trusted subjects with the purpose of positive verification and/or identification. In general, positive biometric databases are built from voluntary enrollees.
  • Negative enrollment creates a biometric database of questionable subjects with the purpose of identifying unauthorized individuals. Negative biometric databases are often collected without the subject’s cooperation or even knowledge.

The ISAF biometric program captures biometric data from both local people and NATO citizens, performs both positive and negative enrollment, and mixes criminal and non-criminal applications. The following issues need to be addressed to reduce privacy violations and legal risks:

  • What biometric traits will be enrolled
  • How the data is captured
  • Where the data will be used and for what purpose
  • Who has the authority to access, administer and maintain the databases

B. Signal Processing and Template Generation

After the data is captured, a digital representation is generated and sent to the signal processing stage, which enhances the original biometric trait and extracts biometric features. From the enhanced representation, a set of distinguishing characteristics, called a template, is created to represent the biometric measurement. Templates are not standardized and vary across biometric technologies. In general, they must contain enough information for comparison against subsequently submitted biometric traits but should not allow the original biometric image to be restored; the template-generating algorithm is therefore viewed as a one-way function [10]. Since the privacy risk of storing templates is lower than that of keeping the original biometric images, vendors typically claim that their products store only templates. However, in a criminal or anti-terrorism application the database most likely keeps both the original images and the templates. Keeping the original biometric data is considered more privacy-intrusive than storing only the template: the easier the misuse, the higher the privacy risk.

C. Data Storage

There are three possible storage configurations in a biometric system: a centralized database, a localized database, and personalized (user-held) storage. In a verification system that performs one-to-one matching, biometric data can be stored on a token or smart card, so that users carry their own templates and the risk of misuse is reduced [11]. In an identification system that performs one-to-many searching, the templates must be stored in a local or central database, depending on the environment and goal of the application. Localized biometric databases are very often used by service providers, such as banks, retail stores and hospitals, to verify customer identities, but they can be used in military applications too.

In general, governments, law enforcement and intelligence agencies prefer to store biometric data in a central database, such as the FBI’s fingerprint database and the DoD’s Red Force biometric database. From a technical standpoint, a central database offers the following advantages over local databases:

  • Provides a common point of entry for all agencies that use the biometric data
  • Assures consistent control over standards and data quality
  • Easy to update algorithms and format as technology and methodology improve
  • Easy to enforce the security standards for data access

In summary, biometric templates can be stored in a central database, in a local database, or on a user-held medium, and depending on the application a system may store the template, the original data, or both. Table 1 lists the storage and data-management combinations with their corresponding privacy risks.

[Table 1: storage and data-management combinations with privacy risks; table image not reproduced in this copy]

D. Comparison

In the comparison stage, similarity is measured between the currently presented biometric sample and the stored template. Unlike passwords and tokens, two biometric samples never match exactly, because “every time a biometric is captured, the template is likely to be unique” [12]. In addition, there is a template aging problem: “the longer the period of time since the individual enrolled in the system, the less accurate the system may be” [13]. The comparison result is sent to the decision stage as a quantitative measure called a matching score, which quantifies the similarity between the current input and the stored template. A false acceptance at this point could allow unauthorized access to a user’s personal data and account information.

E. Decision

The final stage processes the matching score to determine whether the two biometric samples, the current input and the stored data, come from the same individual. In most applications, the higher the matching score, the closer the similarity between the samples. The score is usually compared with a predefined threshold determined by examining the receiver operating characteristic (ROC) curve. Scores above the threshold are declared “matches” even though the templates themselves are not identical [14], while scores below it are designated “non-matches”. The outcome of the decision stage is either a yes/no answer or a candidate list, for verification or identification respectively.

The terms “verification” and “identification” are commonly used in biometric applications. Although they are sometimes treated as synonyms, they have two distinct meanings [15]:

  1. Verification is a process that associates a particular individual with a claimed identity (one-to-one matching). First, the user claims an identity by presenting a PIN or token. Then a biometric sample is collected and compared to the previously stored template associated with the claimed identity. If the sample matches the stored template, the system confirms the claimed identity; otherwise it denies the claim. Verification is commonly used to raise the level of security for physical and logical access control and transaction authentication.
  2. Identification is a process that compares a person’s unclaimed identity against all previously collected biometric data (one-to-many searching). A biometric sample is collected and compared to every template in the database to find out whom the sample belongs to. There are two kinds of outcome: either the individual’s identity is established, or it is confirmed that the individual is not enrolled under another identity. Identification is typically used by law enforcement and intelligence-gathering agencies that maintain large databases of multiple biometric templates as well as original images.

In summary, a key distinction between biometric verification and identification lies in that verification is a one-to-one comparison, while identification is a one-to-many search in a database. They perform different functions since verification is used to confirm one’s identity and identification is used to find one’s identity. Therefore, identification has the potential to be more privacy invasive than verification.
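The comparison and decision stages, and the difference between verification and identification, can be made concrete with a small worked example. The following Python code is added here for illustration; it is not code from the paper or from the ISAF system. It assumes that templates are short feature vectors, that the matching score is cosine similarity, and that the threshold is chosen from the genuine and impostor score distributions at a target false-accept rate (one point on the ROC curve). The enrolled templates and the captures are constructed, not real biometric data.

```python
"""
Added example, not from the paper: a toy matcher that walks through the
comparison and decision stages described above. Templates are assumed to be
short feature vectors, the score is cosine similarity, and the enrolled
templates and captures are constructed, not real biometric data.
"""
import math

# Constructed database of enrolled templates (identity -> feature vector).
DB = {
    "A": [1, 0, 0, 0],
    "B": [0, 1, 0, 0],
    "C": [0, 0, 1, 0],
}

# Constructed fresh captures with their true identity; each is a noisy
# re-measurement, so none equals its template exactly.
CAPTURES = [
    ("A", [24, 7, 0, 0]),   # clean capture
    ("A", [12, 0, 5, 0]),
    ("A", [3, 4, 0, 0]),    # poor capture: closer to B's template than to A's
    ("B", [7, 24, 0, 0]),
    ("B", [0, 4, 3, 0]),
    ("C", [0, 3, 4, 0]),
    ("C", [0, 0, 15, 8]),
]


def normalize(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def match_score(sample, template):
    """Matching score in [-1, 1]: cosine similarity of the two feature vectors.
    Two captures of one trait never agree exactly, so the result is a
    continuous score, never a plain equal/not-equal as with a password."""
    return sum(a * b for a, b in zip(normalize(sample), normalize(template)))


def score_sets(db, captures):
    """Genuine scores (capture vs. its own template) and impostor scores
    (capture vs. every other template): the raw material of an ROC curve."""
    genuine, impostor = [], []
    for true_id, sample in captures:
        for ident, template in db.items():
            s = match_score(sample, template)
            (genuine if ident == true_id else impostor).append(s)
    return genuine, impostor


def threshold_for_far(genuine, impostor, target_far):
    """Choose the operating point: the lowest threshold whose false-accept
    rate on the impostor scores is at most target_far. Returns (threshold,
    FAR, FRR); lowering target_far raises the threshold and therefore FRR."""
    for t in sorted(set(genuine) | set(impostor)):
        far = sum(s >= t for s in impostor) / len(impostor)
        if far <= target_far:
            frr = sum(s < t for s in genuine) / len(genuine)
            return t, far, frr
    return 1.0, 0.0, 1.0   # no threshold meets the target: reject everything


def verify(db, claimed_id, sample, threshold):
    """Verification (one-to-one): compare only against the claimed identity."""
    template = db.get(claimed_id)
    return template is not None and match_score(sample, template) >= threshold


def identify(db, sample, threshold, max_candidates=3):
    """Identification (one-to-many): search every template and return the
    candidate list, best score first; an empty list means 'not enrolled'."""
    scored = sorted(((match_score(sample, t), i) for i, t in db.items()), reverse=True)
    return [i for s, i in scored if s >= threshold][:max_candidates]


if __name__ == "__main__":
    genuine, impostor = score_sets(DB, CAPTURES)
    t, far, frr = threshold_for_far(genuine, impostor, target_far=0.1)
    print(f"threshold={t:.3f} FAR={far:.3f} FRR={frr:.3f}")
    poor = CAPTURES[2][1]
    print("verify A with poor capture:", verify(DB, "A", poor, t))   # false reject
    print("verify B with poor capture:", verify(DB, "B", poor, t))   # false accept
    print("identify poor capture:", identify(DB, poor, t))            # wrong candidate
```

With the constructed data, a target FAR of 0.1 yields a threshold of 0.8, at which one impostor comparison is accepted and one genuine comparison is rejected. The poor capture of A shows the security consequence of the threshold: verification against the claimed identity A fails, verification against the wrong claim B succeeds, and identification returns B as the only candidate. A practitioner reading an ROC curve is choosing exactly this trade-off between FAR and FRR for the whole population.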

Fig. 3. The architecture of the decentralized data access schema.

IV. PRIVACY PROTECTION ARCHITECTURE

As analyzed above, privacy issues exist in each processing stage of a biometric system, and all of them relate to the biometric data: the purpose of capture, the representation format, storage and sharing. Privacy policies on the use of biometrics differ from country to country. For example, privacy legislation governing civilian use of biometric technologies may exempt law enforcement and national security applications in one country but not in another. It is difficult, if not impossible, to draft a common biometrics policy that satisfies all participating nations. A privacy protection architecture is therefore presented to address this challenge.

A. Central Data Archive with Decentralized Data Access

Currently, the ISAF biometric system uses a centralized approach to manage biometric data and facilitate sharing. Biometric data collected by different nations are sent through an ISAF biometrics server to a centralized database. Anyone with authority to access the ISAF biometrics server can launch a search over the whole database, that is, directly search the biometric data collected by other nations without needing those nations’ permission. This simplifies data management, reduces total cost, and makes the system easy to implement.

However, it may increase privacy and legal risks because each nation has its own privacy concerns and legal restrictions. As noted in [1], “Although the (biometrics) technology has great promise, significant steps must be taken to achieve full implementation, including the formulation of policy and procedures for information collection and sharing that will be acceptable across the alliance”. An approach of central data archive with decentralized data access is proposed (Figure 3). The authentication process involves four parties: the user, the local server, the destination nation and the application. The data is logically partitioned into private and shared segments. Each nation decides for itself how to build its own private data set and which permissions to delegate so that other nations may access it. The responsibility for protecting NATO citizens’ biometric data is thus distributed to each nation, which develops its own privacy constraint model.

B. Privacy Constraint Model

As discussed above, a biometric database can store biometric templates, original biometric images, and personal information. A partial biometric database is a subset of the complete database and can appear in three forms:

  • Biometric templates and original images
  • Biometric templates and personal data

  • Original images and personal data

In most biometric systems, the original image is discarded after template generation. This is not the case for the ISAF biometric system: it is possible that the full data set, biometric template, original biometric image and personal information, is stored together in the central database. One method of reducing the privacy risk is to add a privacy constraint module that limits how much biometric information is shared. There are three things that could be shared: the original image, the biometric template, or only the biometric matching result. Among them, returning only the matching result (yes/no) to the querying nation has the lowest privacy and legal impact. In this way certain information is made known to others while the details are retained for the host nation’s use only. Laws and policies alone are not enough to restrict the use of biometric data; controls must be built into the hardware and software that handle biometric sharing with different nations and government agencies. A security and privacy constraint model is therefore proposed to control the biometric database. Figure 4 shows a possible architecture in which the security constraints make the biometric database hard to copy and prevent it from being transmitted to a third party, and the privacy constraints determine whether what is shared is the matching result, the biometric image, or the template, and with what personal information. Users from different nations and agencies will have different authority and capabilities to retrieve biometric data, according to agreed guiding principles.
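The decentralized access scheme of Section IV.A and the privacy constraint model above can be sketched in code. The following Python model is added for illustration and is not the paper’s design or any ISAF software: each nation runs a server over its own partition of the archive, marks which records sit in the shared segment, and states per requesting nation and agency how much a match may disclose (nothing, the yes/no result, the template, or the image) and which personal fields may accompany it. A probe is matched on the host side, so a requester never receives a template or image unless the host’s constraint allows it. The nations, agencies, record layout, and the toy match rule (Hamming distance on a short bit string) are all assumptions.

```python
"""
Added example, not the paper's own code: a toy model of the privacy constraint
module described above. Each nation runs its own server over its own records,
decides which records sit in the shared segment, and states per requester how
much a match may disclose. The match rule (Hamming distance on a short bit
string), the record layout and the nations/agencies are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Disclosure(IntEnum):
    NONE = 0       # query refused outright
    RESULT = 1     # yes/no only: lowest privacy and legal impact
    TEMPLATE = 2   # result plus the stored template
    IMAGE = 3      # result plus template and original image


@dataclass(frozen=True)
class Record:
    subject_id: str
    template: str      # toy template: a bit string (real systems use vendor formats)
    image: str         # stands in for the original biometric image
    personal: dict     # biographical and contextual data
    shared: bool       # True: visible to delegated nations; False: host only


@dataclass(frozen=True)
class Constraint:
    level: Disclosure
    personal_fields: frozenset = frozenset()   # personal data that may be released


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


class NationServer:
    """Holds one nation's partition of the archive and enforces its constraints."""

    def __init__(self, nation, records, constraints, max_distance=2):
        self.nation = nation
        self.records = list(records)
        self.constraints = dict(constraints)   # (nation, agency) -> Constraint
        self.max_distance = max_distance
        self.audit = []                        # who asked and what they got

    def constraint_for(self, requester):
        nation, agency = requester
        if nation == self.nation:              # home nation keeps full access
            return Constraint(Disclosure.IMAGE, frozenset({"*"}))
        return (self.constraints.get((nation, agency))
                or self.constraints.get((nation, "*"))
                or Constraint(Disclosure.NONE))

    def query(self, requester, probe):
        c = self.constraint_for(requester)
        if c.level == Disclosure.NONE:
            self.audit.append((requester, "denied"))
            return {"host": self.nation, "status": "denied"}
        # Private-segment records are searched only for the host nation itself.
        visible = [r for r in self.records if r.shared or requester[0] == self.nation]
        hits = [r for r in visible if hamming(probe, r.template) <= self.max_distance]
        response = {"host": self.nation, "status": "ok", "match": bool(hits)}
        if hits:
            best = min(hits, key=lambda r: hamming(probe, r.template))
            if c.level >= Disclosure.TEMPLATE:
                response["template"] = best.template
            if c.level >= Disclosure.IMAGE:
                response["image"] = best.image
            if "*" in c.personal_fields:
                response["personal"] = dict(best.personal)
            else:
                response["personal"] = {k: v for k, v in best.personal.items()
                                        if k in c.personal_fields}
        self.audit.append((requester, response["match"], c.level.name))
        return response


def fan_out(servers, requester, probe):
    """Decentralized access: the probe goes to every nation's server and each
    nation answers under its own constraint; the requester never searches
    another nation's data directly."""
    return {s.nation: s.query(requester, probe) for s in servers}


# Constructed partitions and constraints (assumed nations, agencies and data).
CAN = NationServer(
    "CAN",
    records=[
        Record("can-001", "1011001110", "img-can-001.wsq",
               {"name": "Subject One", "dob": "1980-01-01"}, shared=True),
        Record("can-002", "0000111100", "img-can-002.wsq",
               {"name": "Subject Two", "dob": "1975-06-30"}, shared=False),
    ],
    constraints={
        ("USA", "*"): Constraint(Disclosure.RESULT),
        ("USA", "FBI"): Constraint(Disclosure.TEMPLATE, frozenset({"name"})),
    },
)
USA = NationServer(
    "USA",
    records=[Record("usa-001", "1111000011", "img-usa-001.wsq",
                    {"name": "Subject Three"}, shared=True)],
    constraints={("CAN", "*"): Constraint(Disclosure.IMAGE, frozenset({"name"}))},
)
SERVERS = [CAN, USA]
```

In this model a US Army query that hits a shared Canadian record learns only that there was a match; the FBI, under a more specific delegation, also receives the template and the subject’s name but never the image; a nation with no delegation is refused; and a record in the private segment is invisible to every foreign requester regardless of level. The per-host audit list is the minimum a practitioner would want so that each nation can later show who queried its partition and at what disclosure level.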

V. CONCLUSIONS

In this paper, we analyzed the privacy and legal challenges in the current ISAF biometric program. Since it is almost impossible to draft a common biometrics policy that satisfies all participating nations, only some NATO members have joined the ISAF biometric program so far. To address the issue, a privacy protection architecture is presented that aims to reduce privacy violations and legal risks in biometric data sharing by allowing each nation to build its own private biometric data set, control access to it, and develop its own privacy constraint model. The contribution of this paper lies not only in presenting a potential solution to the privacy and legal challenges of a future NATO biometric system, but also in identifying the privacy issues of enterprise biometric deployments, because governments seeking to share biometric data across applications will face the same challenges addressed here: how to share biometric data with others, how to delegate permissions to access the records, and how to protect privacy. Future work will be to establish a NATO project to develop a biometric system acceptable across the alliance, and thereby achieve full implementation for the wider international fight against terrorism.


Fig. 4. Privacy constraint model.


VI. REFERENCES

[1] T. Chappell, “ISAF biometrics”, The Guardian, Winter 2007, vol. 9, no. 3, pp. 9-15, 2007.

[2] “Foreign fighter fingerprint database turns up U.S. arrest records”, Fox News, July 6, 2008. Available: http://www.foxnews.com/printer_friendly_story/0,3566,376859,00.html

[3] M. Brewster, “Journalists required to have biometric scan in Afghanistan”, The Canadian Press, May 5, 2009. Available: http://cnews.canoe.ca/CNEWS/MediaNews/2009/05/05/9361726-cp.html

[4] R. Dave, “NATO now using prison ID system to track journalists in Afghanistan”, May 6, 2009. Available: http://terribledepths.blogspot.com/2009/05/nato-now-using-prison-id-system-to.html

[5] T. Beard, “Afghanistan: Pictures not taken”, Nieman Reports, Spring 2009. Available: http://www.nieman.harvard.edu/reportsitem.aspx?id=100983

[6] T. Dee, “Stand-off biometric identification”, NDIA Disruptive Technologies Conference, September 4-5, 2007, Washington, DC. Available: http://www.dtic.mil/ndia/2007disrupt/Dee.pdf

[7] Case Study, “Global security at your fingertips”, Cross Match Technologies, Sept. 9, 2002. Available: http://www.crossmatchtech.com/pdf/sep_09_02.pdf

[8] “Media registration card”, NATO. Available: http://www.nato.int/isaf/services/media_card.html

[9] S. Gregson, “Biometrics policy issues”, The 1st Canadian Forces Biometrics Community of Interest Conference, June 1-4, 2009, Ottawa.

[10] A. K. Jain, A. Ross, and U. Uludag, “Biometric template security: Challenges and solutions”, in Proceedings of the European Signal Processing Conference.

[11] B. Nordin, “Match-on-Card Technology”, Precise Biometrics, April 2004. Available: http://www.ibia.org/membersadmin/whitepapers/pdf/17/Precise%20Match-on-Card%20technology.pdf

[12] J. R. Vacca, Biometric Technologies and Verification Systems, Butterworth-Heinemann, Amsterdam, 2007.

[13] “Hearing on the use of biometrics to improve aviation security”, Committee on Transportation and Infrastructure, May 19, 2004. Available: http://www.iwar.org.uk/comsec/resources/biometrics-aviation-security/05-19-2004-hearing.htm

[14] L. Acharya, “Biometrics and government”, Library of Parliament, 11 September 2006. Available: http://www.parl.gc.ca/information/library/PRBpubs/prb0630-e.pdf

[15] “Biometrics: The unique identification of human characteristics”. Available: http://et.wcu.edu/aidc/BioWebPages/Biometrics_Technology.html

VII. VITA

Qinghan Xiao graduated from the University of Regina in 1994 with a Ph.D. degree in Computer Science. He has been a scientist with the Defence R&D Canada, Ottawa, ON, Canada since 2002. He is a Canadian delegate of the ISO/IEC JTC1 SC37 standards committee on biometrics. He currently chairs the Task Force on Biometrics of the IEEE/CIS Technical Committee on Intelligent