BEING A VICTIM of identity theft is no fun, but while it is still possible to change your account numbers, it is a whole lot more difficult to change your eye color or height! Because of this, protecting biometric data is a particularly serious issue. Biometrics (physical measurements, voice or image and more) are used by many entities to improve authentication of the identity of passport and other ID holders.
As far back as 2004, the U.K. has been mucking about with various biometric ID schemes, including the National Biometric Identity Service (NBIS) database. NBIS is supposed to hold identifying information such as addresses and birth date in one set of records, and facial images, fingerprints and other biometric data in a separate database.
Recently, the UK Home Office announced that IBM had been asked to facilitate the sensitive and high profile project. Under the deal, IBM will function as the primary contractor and system integrator (SI). Of course, you can count on them recommending a bit of IBM hardware and software.
More vendors have signed on, and they seem like capable choices. On April 10th, Computerworld UK’s Leo King reported that IBM had selected Atos Origin and Sagem Sécurité as major subcontractors to the project. Atos Origin is a European system integrator and was responsible for running the project’s proof of concept. Cameras, iris recorders, hardware portals and other core functionality will be obtained via biometric sensors and software from Sagem Sécurité (part of the SAFRAN Group).
Barring public outcry or (gasp!) a sudden change of ruling party, the SI feeding frenzy is slated to go on for seven years.
So, what are the benefits of biometric passports? Most nations include some amount of “biometric” data: hair and eye color, height, weight and so forth. All passports now issued in the UK contain biometric data. Hopefully, biometric details are somewhat unique to your body; common examples are fingerprints, the pattern of the iris of your eye, and the size and shape of your facial features. The biometric system analyzes a picture for certain data points, such as a mole location or eye size. The system identifies as many of these points as possible, assigning coordinates to each detail.
Once a set of coordinates has been established for the picture, the pattern recognition part of the software compares the coordinates to details already stored in its database. If two records are identical, then it’s probably the same person.
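The comparison step described above, sketched as an added example (not code from NBIS or any vendor named here); the landmark names, coordinates, record IDs and the 0.05 threshold are all constructed for illustration. It scores similarity against a tolerance instead of requiring identical records, because two captures of the same face rarely produce exactly the same coordinates.

```python
import math

# Constructed enrolment database: landmark name -> (x, y) pixel coordinates.
DATABASE = {
    "record-A": {"left_eye": (120, 140), "right_eye": (200, 142),
                 "nose": (160, 190), "mouth": (161, 235), "mole": (215, 210)},
    "record-B": {"left_eye": (118, 150), "right_eye": (210, 149),
                 "nose": (165, 205), "mouth": (163, 240), "mole": (130, 220)},
}
# Constructed probes: PROBE_A is record-A re-photographed larger, shifted and
# with about a pixel of noise; PROBE_X is a face that was never enrolled.
PROBE_A = {"left_eye": (211, 230), "right_eye": (330, 232),
           "nose": (269, 306), "mouth": (272, 372), "mole": (353, 336)}
PROBE_X = {"left_eye": (100, 100), "right_eye": (220, 100),
           "nose": (160, 130), "mouth": (160, 150), "mole": (160, 260)}

def normalise(points):
    """Centre landmarks on their centroid and scale to unit size so that
    framing and camera distance do not affect the comparison."""
    n = len(points)
    cx = sum(x for x, _ in points.values()) / n
    cy = sum(y for _, y in points.values()) / n
    centred = {k: (x - cx, y - cy) for k, (x, y) in points.items()}
    scale = math.sqrt(sum(x * x + y * y for x, y in centred.values()) / n)
    return {k: (x / scale, y / scale) for k, (x, y) in centred.items()}

def distance(probe, enrolled):
    """Mean distance between same-named landmarks after normalisation."""
    shared = sorted(set(probe) & set(enrolled))
    if len(shared) < 3:
        raise ValueError("too few shared landmarks to compare")
    a = normalise({k: probe[k] for k in shared})
    b = normalise({k: enrolled[k] for k in shared})
    return sum(math.dist(a[k], b[k]) for k in shared) / len(shared)

def identify(probe, database, threshold=0.05):
    """Return (record_id, score) for the closest record, or (None, score)
    when even the closest one is outside the tolerance. A looser threshold
    accepts more impostors; a tighter one rejects more genuine holders."""
    best_id, best = None, math.inf
    for record_id, template in database.items():
        score = distance(probe, template)
        if score < best:
            best_id, best = record_id, score
    return (best_id, best) if best <= threshold else (None, best)

if __name__ == "__main__":
    print(identify(PROBE_A, DATABASE), identify(PROBE_X, DATABASE))
```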
This sounds pretty straightforward, but these systems are notoriously difficult to design. You have to administer a reasonable system of cryptographic controls to protect passports from cloning (duplicating) and provide assurance that the data has not been altered. Plus, there are all the usual data security headaches encountered when maintaining information used by untrusted users on distributed systems.
Data security isn’t nearly as sexy as biometrics, but it will be a huge concern to any identity and access management project. Without a savvy data security and governance program, the National Biometric Identity Service may well find itself increasing risk to the citizens of the UK. IBM will need to develop a well thought out governance, risk and compliance program, and then communicate that to lawmakers. The SI can then work with administration and security experts to ensure that proper controls are in place and that they are being regularly monitored and updated. This foundation will allow the benefits of biometric data systems while providing some security to the credentials that we can’t replace: our biometric data. S|A