The Biometric Society
- Risks and Opportunities

Dr. Manfred Bromba – Biometrics Consultant - Germany
Permanent address for citation: urn:nbn:de:0125-2008050805
2006-09-10
NATO Advanced Research Workshop
- Identity, security, and democracy -
Jerusalem 2006-09-02/04

The Biometric Society is a fictive future trend of the Information Society in which our daily life is dominated by biometric identification using a central data base. This has a lot of benefits for the users but at the same time enables nearly total surveillance. Already today one can observe steadily advancing surveillance using data which are a by-product of state-of-the-art technologies and services. This kind of surveillance can effectively be used as a measure against terrorism, although it is also suspected to favor democide. Possibly because there is no rigorous proof that total surveillance is incompatible with democracy, there is little resistance against it.

Foreword of the author. This presentation was held on September 3rd, 2006, at a NATO sponsored Advanced Research Workshop in Jerusalem. It is based on an investigation which was dedicated to the question "How dangerous is biometrics really?". Like every new technology that touches privacy, biometrics is suspected to be a considerable danger to our freedom and thus is opposed as a matter of principle by many groups which defend human rights. Here I was in a predicament: On the one hand I actively support biometrics research and dissemination of this technology, and on the other hand I feel devoted to said groups which fight against the corruption of liberal values. How does this match? To approach the problem, I created a model called the Biometric Society to try to simulate the worst case situation and to get a deeper understanding of what the real risks of biometrics could be. In particular, I wanted to avoid an argumentation that remains based on general principles without trying to get to the bottom of the matter. Each new technology needs a thorough investigation and discussion of all its pitfalls before the first damage has to be lamented. Only this enables precautionary measures at an early time. The question of whether the Biometric Society, as it will be defined, will ever become reality, or even when this will happen, was not in the scope of the present investigation.

The Information Society

Never before was it so easy to gather, to distribute, to collect, and to process information of all kinds. This became possible as a result of the advances in sensor technology, copy technology, storage technology, communication technology, computer technology, and applied mathematics.

Since all these advances will drastically change our life, the term "Information Society" has been created [1]. The impact of the Information Society on the legal framework and on privacy will be enormous. But many of us do not really perceive this because the change is a creeping process which often uses outstanding occurrences as justification. We are in the midst of this process, which yields a degeneration of liberal values, manifesting itself as information surveillance, data retention, and censorship, while banking secrecy and other rights are taken back. The question "Is this really a degeneration or is it a necessity for our survival?" divides many people - and will not be answered in this presentation.

Since I am working in the field of biometrics, it was exciting for me to draw a vision called "The Biometric Society" [2] which I presented at the 5th meeting of the Biometric Identification Technology Ethics group which was dedicated to the topic "Future Technologies". The present presentation is an extract with special extensions on security.

Biometrics as a unique identifier

Biometric identification has become popular because it offers the chance to deliver a unique identifier for each person. While certain identity numbers are supposed to fulfill the requirement of uniqueness perfectly, biometric features are far from being perfect in this respect. The reasons are, e.g., non-perfect technology and fundamental natural limitations which greatly depend on the type of feature. 

Today, it is possible for one fingerprint to separate more than 1 million people while facial geometry as a feature has its limit at less than 1000 people. As a consequence, and in contrast to the fears of many data protection commissioners, surveillance systems with face recognition are (and possibly will always remain) poor candidates for Big Brother scenarios! On the other hand, using more than one finger possibly makes it possible to separate all of mankind.

Unfortunately, it is just the property of uniqueness of an identifier which is also susceptible to misuse. For that reason, the Federal Constitutional Court of Germany forbade the use of personal identifiers for the registration of all German citizens in 1983.

Security model

Since security often is not really understood by those who like to use this term, let me define security in a technical way. The use in more general contexts such as politics is straightforward.

Security generally is loosely defined as absence of risk or danger to a value. To understand what security really is, I prefer a simple three-part model, comprising 

  • a value to be protected against a danger, 
  • a protection to avoid damage to the value, 
  • and the danger

Security Model

For example, the value may be jewels, the protection a safe, and the danger a thief who tries to steal the jewels. The same model works when human life is threatened by an attacker. In this scenario we have a lot of appropriate protection means: police, surveillance, flight passenger checks, etc. The type of protection varies with changing values. For example, if not a single person is threatened but a whole nation, the police is to be replaced by a defense army.

Security definition

I understand security as the probability for a value not to suffer a damage or loss. Security is not a digital entity. In fact, it is quite reasonable to define security as a number which may vary between 0 and 100 %. This is achieved when defining security as the "inverse" of risk according to the formula:

Security = 1 - Risk

Risk is technically defined as the product of two probabilities: the incidence rate for a damage and the extent of loss. As a result, security may be regarded as a probability, too. A probability cannot be quantified in practice on the basis of a single event. Rather, a large quantity of incidents is needed!

How much security do we require?

For 100% security, it is sufficient that there is either no danger or a perfect protection. No danger means "not from this world" and a perfect protection can only be realized with an unlimited amount of money. So the question arises how much security would be sufficient and how it can be quantified, at least theoretically.

My proposal is that a value needs enough security that its mean natural lifetime is not significantly reduced by artificial damages.

For a human being the lifetime is about 100 years. Then the mean natural risk to die (which is a kind of inevitable damage) is 1 % per year. I think it makes sense to protect our life against artificial damages in such a way that the natural rate does not increase by more than, say, 1 %. That is, the artificial part of the yearly death rate should be smaller than 1% of 1%, i.e., 1:10000, increasing the natural death rate from 1% to 1.01%! 

Examples for required security

Is this a reasonable figure? Indeed, in Germany, the artificial yearly death rate without disease is about 4:10000, where the probabilities for a deadly traffic accident, a suicide, or a deadly fall are about 1:10000 each. This is accepted reality!

If we change from an individual to a nation as value to be protected, mainly the natural lifetime is different. If I suppose 10000 years as lifetime of a nation, in contrast to 100 years for an individual, and again assume that the artificial risks should at least be a factor of 100 below the natural one, the required security rises from 0.9999 to 0.999999 per year! Maybe this is an explanation - not a justification - for the fact that individuals seem to be the big losers in a war between nations!

Security and colloquial language

Now, how should we interpret a politician who says that security must be increased by introducing more surveillance because the danger from terrorism increases? It is not the security that has to be increased, it is the protection which must be improved!

But the politician should not forget that improving protection is not the only thing he has in his hands. This can be very expensive. He may also see to it that the probability of attacks is not increased by pursuing dangerous policies which create additional enemies and in this way increase the threat potential.

If you are looking for examples, you may be tempted to consider the latest shocking terrorist attacks in Spain and UK. But do not forget that security is a statistical phenomenon which never should be assessed on the basis of only a few events!

The Biometric Society and its benefits

The Biometric Society – how does it work?

In the Biometric Society, all actions and transactions are authorized by using biometric identification. As a result,
  • no token nor any other credential is necessary,
  • you cannot forget anything, and
  • your identity can neither be stolen nor lost.
As a special requirement, all services shall be available worldwide.

The Biometric Society is not the only solution which fits this description. Alternative systems using implanted ID chips will mainly do the same and deliver almost the same benefits.

In the following, the beneficial impacts on our life will be shown, regarding payment transactions, traveling by car, health care, communication, computing, entertainment, and law enforcement as important examples.

Payment transactions

Cards such as credit cards, payment cards, and rebate cards as well as cash are completely replaced by biometric identification which is performed online and in real-time. 

Obtaining services by fraud is made impossible because a unique biometric recognition together with a creditworthiness inquiry is always performed before granting the service.

As a result, no tickets for bus, train, or flights, nor tickets for football games, concerts, and gyms are needed any more.

Traveling

Before a driver starts the car, a biometric check proves the permission to drive under consideration of the car ID number. This can be achieved using wireless communication.

This way, driving without permission, with stolen cars, or without sufficient creditworthiness is prevented from the very beginning. Only those types of cars can be driven for which the driver has been trained.

The personal assignment of the universal street toll is managed automatically on the basis of the driver and car data.

Health care

Medical services are billed biometrically without expensive and losable health cards.

After biometric identification, the patient may inspect his health records everywhere and anytime.

In the case of accidents, the rescue workers are able to obtain information on health data, blood type, immunizations, and allergies immediately. This is achieved with the aid of a mobile biometric identification on location and guarantees an optimum medical treatment.

In the case of fatality, the large expense of a manual identification is replaced by checking the biometric features.

Communication

Communication has grown into a basic requirement of our life. Especially internet and mobile communication have become indispensable.

In the Biometric Society, emails and phone calls are exclusively processed using biometric identification. This makes the user independent of any hardware. Nevertheless, stolen hardware can be identified by a unique device ID!

For addressing, only the data set of the biometric feature of the receiver is to be used. Names are not really necessary - they are merely needed for certain kinds of direct inter-human communication.

Certainly, every sender also has to be identified biometrically. This way, spamming and phishing are effectively prevented.

Computing

Secure computing will become self-evident to avoid the infection of computers with viruses, Trojan horses, and other malicious software and to solve the problems of the entertainment industry with respect to unwanted use of their products.

Biometrics ensures that only authorized persons are able to operate a computer and that all software can only be used with personal authorization. 

Biometrics even allows for new license models. For example, if a certain person has licensed a software, this person is allowed to use this software anywhere on any running system. Since only authorized persons are allowed to use it, a software may be copied and installed arbitrarily often without any loss to the software developer.

Secure data access can be achieved in a similar way as all data is personalized using biometric identification. Personal Information Rights Management (PIRM) is used to prevent content piracy and to retain authors' rights.

Entertainment

Any kind of entertainment is authorized by biometrics. This has a lot of advantages. For example, since birth date is stored centrally, age verification is easily achieved.

Services like pay per view are managed by ordering a film using biometric identification. Like in computing, each data access is personalized while the data are free, may be copied as often as one wants, but remain inaccessible for the unauthorized. As a result, audio and video downloads need not necessarily be authorized by biometrics. Peer to peer (P2P) file sharing services are no problem for the content owners any more. 

But how can I prevent unauthorized viewing and listening? Today, any transmission channel is secured using encryption techniques. Even the cable between receiver and monitor will be protected using HDMI (High Definition Multimedia Interface) [3]. However, this method does not prevent copying from the screen using an ordinary camera. So several companies even think about disturbing the display output in such a way that the camera record becomes unusable.

Maybe the problem will solve itself quite naturally if 3D TV becomes more popular and uses goggles. This way viewing video will be personalized. If the method becomes common enough, it will be combined with biometric identification to prevent unauthorized use of the 3D video (and audio) data. Here, iris recognition is the preferred biometric feature which naturally integrates into the goggles.

Law enforcement

Cosmopolitans who move outside the established standards of society can effectively be sanctioned with restrictions of certain rights.

Examples are prohibitions for shoplifters to enter a certain store, for hooligans to enter a football stadium, or refusal of border crossing for undesired aliens.

Since the network of biometric registration is densely woven, wanted criminals and terrorists may be located immediately. This is accomplished by using the position data accumulated from shopping, traffic toll, mobile communication systems, and public transportation.

Obviously, this cannot be a solution against terrorism since only known terrorists are detected. Therefore, prevention will be used to solve the problem. Prevention can be realized using profiler agents which permanently investigate all data collected with respect to certain crime patterns or unknown anomalies. This is assumed to significantly reduce the crime rate.

The Biometric Society and its risks 

I distinguish two kinds of risk, i.e., security related risks and privacy related risks. It seems that security related risks are solvable by technical means while privacy related risks need political and legal measures! While security shortcomings mainly affect property, privacy more directly targets a person.

Security related risks

Since big values are moved, this may tempt criminals to steal an identity in order to take over another person's rights. There are many methods to fool a system with stolen identities – most of them can be met with known protection methods such as cryptography.

Mechanical copies of biometric features are the most critical challenges in our case. As countermeasure, a nearly perfect copy detection is essential.

Interestingly, with a perfect copy detection, publicity of a biometric feature is no problem any more – especially, there is no necessity to keep biometric templates secret!

Privacy related risks

With a perfect copy detection and a tamperproof system, the knowledge of biometric template data hardly affects privacy if we suppose that the template data exclusively carries identity information but no other information such as health data. The realization eventually has to guarantee that the biometric data stem from the original feature owner.

The role of biometrics is only that of a unique identifier which enables easy database linking. This is a process which is mainly controlled by the operators of the identification application.

The real danger is the misuse of the identification application which collects and stores a lot of private information! For example, if the identification application is used to search for terrorist profiles, false assignments to innocents may be produced. And this issue may even question the whole application, respectively, the Biometric Society. This kind of risk cannot be solved technically.

The privacy matter is treated now, while focusing on giving up privacy with respect to the biometric identification system, its operators, and possible governmental users.

The Biometric Society and privacy

The central biometric identification system which is the heart of the Biometric Society enables nearly total surveillance by linking all transaction data!

This poses the following questions: 

  • Will total surveillance come along with the Biometric Society?
  • If total surveillance becomes reality, will it really be dangerous?
All these questions cannot be answered today! But we should discuss the possibilities!

Will total surveillance come?

Due to digitization of communication, it becomes extremely easy to create traffic data in the form of log files. Due to advances in mass storage and computer technology, these log files can easily be stored and examined for all kinds of information. It is very easy to use this traffic data for purposes which were not intended by the feature owner. It's simply a software change.

As soon as something is technically realizable, there is a lot of demand to use these private data, especially for law enforcement, advertising, and criminal prevention.

Furthermore, it becomes extremely easy today to get the agreement for legal misappropriation of traffic data. There is little resistance from those who are affected. Commissioners for data protection have a hard time standing up to government because their support from the public and media is surprisingly small.

Today, it cannot be predicted where the extension of surveillance stops. I guess this will be a one-way process which never ends and which will never reach total surveillance. The process can be compared with a mathematical series like 1, 2, 3, 4, ... which tends to infinity, but will never reach infinity.

Alternatively, an inversion of this trend seems to be possible only after a restart following a political disaster like the one in Germany 70 years ago.

Is total surveillance dangerous?

From a security and safety point of view, surveillance of objects is an effective method to prevent accidents or crime. 

Slightly different is the situation where people are monitored preemptively against crime and terrorism. In this case, surveillance and tracing directly affects privacy and is naturally rejected by many citizens. The reason for a bad reputation is that surveillance is regarded as a means to keep totalitarianism alive by keeping down opposition. Is surveillance also a means to establish totalitarianism?

Totalitarianism has been shown to correlate strongly with "democide". H. J. Rummel, a professor emeritus of political science at the University of Hawaii, has shown that totalitarianism, in contrast to liberal democracy, is positively correlated with democide in a statistical sense [4]. He created the term "democide" to express "murder by government", as has been experienced, for example, under the dictatorship of Adolf Hitler. This enables two conclusions:

  1. totalitarianism is the cause for most democide, or 
  2. democracy has no chance to establish itself in environments which favor democide.

Observations

Most people agree that the most feared occurrence in life is an unwanted death. So I have collected some data which shall compare several reasons for unwanted deaths. All data refer to worldwide deaths per year. The figures are either recent data or have been averaged over a long time period [5, 4, 6, 4, 7]. A long-time averaging is reasonable in those cases where the data show strong yearly variations. 

For comparison, the estimated total number of deaths per year will be about 57 million people in 2006 [11], which is about ten times as much as the smoking bar in the diagram.


Worldwide deaths per year (recent or mean value)

For many people it may be surprising that neither terrorism nor natural disasters are the reason for the most artificial deaths. Even wars are small in effect compared to traffic, democide, or smoking victims. Although the data may not be very reliable, changes by even a factor of 10 will not fundamentally change this picture. Since there is no commonly agreed definition of terrorism, I made the worst case assumption of 10 000 deaths per year. But even this pessimistic number is not able to show a visible bar in the diagram!

Note the border line between the red and green background which is defined by 1% of the natural death rate I have used to define the required security. This required security separates between "secure" and "insecure". 

I must confess, it was a surprise for me that for the chosen definition even the combined effect of wars, natural disasters, and terrorism does not qualify our world as an insecure world! And I have ceased to understand why terrorism shall really be a problem for this world while getting more and more concerned about certain reactions of democratic states.

Comments

Although the cause-of-death diagram only presents a worldwide average view and thus would actually need a more local consideration for an individual, this diagram provokes some critical comments. First, there seems to be a dramatic mismatch between real danger and felt danger. Second, there seems to be a dramatic mismatch between real problems and resulting activities.

For example, all German governments mainly acted for the German tobacco industry [10] when suing against the European tobacco product directive 2001/37/EC. In the meantime, other European countries like Ireland, Norway, Italy, Poland, and Spain felt responsible for their citizens and prohibited, for example, smoking in restaurants. 

On the other hand, Germany was among the first to introduce the biometric passport with the justification to fight against terrorism, although most experts are convinced of its ineffectiveness in this regard.

And just the activities against terrorism often are suspected to help totalitarianism. Totalitarianism, however, is the medium for state terrorism and democide which is one of the real threats to humanity as shown in the diagram.

Conclusions on the risks of the Biometric Society

From all the statements above, I draw the following conclusions:
  • With respect to surveillance, biometrics is not the delinquent, it's only the accessory. 
  • Biometrics is not necessary to enable nearly total surveillance – but it can be very helpful.
  • (Nearly) total surveillance in a democracy need not be a danger - but a successful coexistence has not yet been shown in practice.

The Biometric Society and its Realizability

Realization proposal and requirements

The realizability of the Biometric Society has been described in some detail in my BITE presentation [2]. Here are the most important results, when assuming a central data base under international control as part of the biometric identification system: 
  • Storage requirements: 1 PB = 1000 TB (achievable today) 
  • Communication traffic requirements: 10^17 B (achievable ~2010)
  • Processing power requirements
    • using special hardware: 10^17 OPS (operations/s, achievable ~2016)
    • using special hardware and intelligent strategies: 10^12 OPS (achievable today)
  • Biometric requirements: FAR ~ 10^-22 (False Acceptance Rate, achievable today with at least 3 fingerprints or 2 irides)
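
The 1:N arithmetic behind the FAR requirement above, and behind the earlier remark that several fingers can separate far more people than one, is sketched here as an added example (not part of the original presentation, and not the author's calculation). It assumes independent comparisons and independent features, and it reads the requirement as FAR ~ 1e-22; the per-finger FAR of 1e-8 and the world population of 6.5 billion are constructed sample values.

```python
import math

WORLD_POPULATION = 6_500_000_000  # assumption: rough 2006 figure, not from the page
FAR_ONE_FINGER = 1e-8             # constructed sample value, not a measured rate


def _check_rate(p: float) -> None:
    if not 0.0 < p < 1.0:
        raise ValueError("rate must lie strictly between 0 and 1")


def naive_false_match(far: float, gallery_size: int) -> float:
    """Textbook form 1 - (1 - FAR)^N; loses all precision for tiny FAR."""
    return 1.0 - (1.0 - far) ** gallery_size


def false_match_probability(far: float, gallery_size: int) -> float:
    """P(at least one false match) when one probe is compared against
    gallery_size enrolled persons, assuming independent comparisons."""
    _check_rate(far)
    # log1p/expm1 keep precision where (1 - far) would round to exactly 1.0.
    return -math.expm1(gallery_size * math.log1p(-far))


def max_gallery_size(far: float, max_error: float) -> int:
    """Largest database for which one search stays at or below max_error."""
    _check_rate(far)
    _check_rate(max_error)
    return math.floor(math.log1p(-max_error) / math.log1p(-far))


def fused_far(far_per_feature: float, features: int) -> float:
    """FAR when all `features` independent features must match (AND rule)."""
    _check_rate(far_per_feature)
    return far_per_feature ** features


def features_for_far(far_per_feature: float, target_far: float) -> int:
    """Smallest number of fused features whose FAR is at or below target_far."""
    _check_rate(target_far)
    k = 1
    while fused_far(far_per_feature, k) > target_far:
        k += 1
    return k


def features_for_gallery(far_per_feature: float, gallery_size: int,
                         max_error: float) -> int:
    """Smallest number of fused features that keeps a 1:N search reliable."""
    _check_rate(max_error)
    k = 1
    while false_match_probability(fused_far(far_per_feature, k),
                                  gallery_size) > max_error:
        k += 1
    return k


if __name__ == "__main__":
    print("naive  P(false match), FAR 1e-22:",
          naive_false_match(1e-22, WORLD_POPULATION))
    print("stable P(false match), FAR 1e-22:",
          false_match_probability(1e-22, WORLD_POPULATION))
    print("one finger, 1% error, max database:",
          max_gallery_size(FAR_ONE_FINGER, 0.01))
    print("fingers for the world at 1e-6 error:",
          features_for_gallery(FAR_ONE_FINGER, WORLD_POPULATION, 1e-6))
    print("fingers for FAR <= 1e-22:",
          features_for_far(FAR_ONE_FINGER, 1e-22))
```

The naive form returns exactly 0 at this FAR because 1 - 1e-22 rounds to 1.0 in double precision, which is why any capacity estimate at these rates has to be computed in the log domain.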

Problems to be solved

While there seems to be no major hurdle for a technical implementation of the Biometric Society within 10 years, two points are difficult to answer today:

1. Without a nearly perfect fake detection, the normal operation of identification may suffer from fraud. Today, we are far away from a nearly perfect fake detection.

2. Not all people have measurable biometric features available at all times. This failure, which is described by the Failure to Enroll Rate (FER), can never be zero. As a result, certain persons may be excluded from biometric identification and a fallback solution must be offered. This fallback solution may be utilized purposefully to escape the biometric identification.

Introduction scenario

For that reason, the question of whether or not the Biometric Society needs a perfect system is fundamental. The answer is possibly no, the system need not be perfect, because it should be manageable
  • to start with smaller units, e.g., country-wide instead of worldwide. This reduces all technical and biometric requirements.
  • to allow alternative methods for identification to reduce enrollment requirements
  • to allow for voluntary participation to eliminate acceptance problems
  • to restrict the system to transactions of low value to reduce the demand for perfect liveness and copy detection.

Summary

To summarize, there is a good chance for the Biometric Society to be technically achievable. The advantages are unquestioned. The risks are imaginable but unpredictable. And that will be the real challenge!

Sources

Last visited 2006-08-13

[1] http://europa.eu.int/information_society/index_en.htm
[2] http://www.bromba.com/knowhow/BITE.htm
[3] http://www.hdmi.org/
[4] http://www.hawaii.edu/powerkills/
[5] http://www.euro.who.int/mediacentre/FactSheets/20031212_1
[6] http://de.wikipedia.org/wiki/Verkehrstote
[7] http://de.wikipedia.org/wiki/Naturkatastrophen#Katastrophenstatistiken
[8] http://www.bespacific.com/mt/archives/001999.html
[9] http://www.top500.org/lists/2005/11/
[10] http://www.zdf.de/ZDFde/inhalt/29/0,1872,3904477,00.html
[11] https://www.cia.gov/cia/publications/factbook/geos/xx.html