NSW's Roads and Traffic Authority at the Biometrics Institute conference in Sydney in May ruled out an Enemy of the State approach to database sharing that would see images captured for one purpose used surreptitiously for another, a process known as "function creep".
"Access to the RTA's photo images is very restricted," the authority's general manager of strategy and systems in driver and vehicle services, David Putt, told delegates.
"Law enforcement can only access those images under certain prescriptive criteria. And in terms of facial recognition, they won't have access. So there'll be no linking CCTV (security cameras) to RTA facial recognition to determine people's identity."
The most common form of biometric data shared today is the fingerprint. Interpol maintains a global database and encourages member nations to share their images through the promotion of a common protocol and technology provided by Sagem.
Biometrics work best when combined with other forms or "factors" of identification to authenticate people, says Arcot Systems chief technology officer, Jim Reno.
At last month's CA World in Sydney and Melbourne he explained how factors such as one-use tokens, passwords, digital certificates, smart cards and multiple biometrics such as iris and fingerprints combine with software authentication in ArcotID, a small file that sits on the client computer to aid secure login to e-commerce sites, for example.
Arcot has a solution that monitors how a transaction is exercised and whether it varies from the norm. For instance, if a user typically accesses a bank website from a Windows Vista machine but the latest access is from a Linux box, the credibility of that transaction would be scored lower and possibly flagged for investigation or denied access, he says.
The issue with all biometrics, says RSA principal IT security consultant Greg Singh, is that accuracy is a trade-off with accessibility: there needs to be some wiggle room in biometric data, or else even small changes to the finger or to how it was applied to the scanner, for example, would lead to too many false negative readings and access denials, making the system too difficult to use in the real world.
Nationally, there is no unified database and each government and law enforcement agency has its own systems and access to different types of data from photos to fingerprints and DNA.
CrimTrac, a federal agency established in 2000 with a grant of $50 million to consolidate data-sharing efforts, is embarking on an ambitious biometrics project that includes DNA to match families, trace missing persons, track criminals and apply national face recognition processes.
In April, NSW was the final state to enter into the CrimTrac-managed National Crime Investigation Database that holds more than 400,000 DNA samples collected from felons and evidence found at crime scenes. DNA is the next great biometrics pioneer, says NEC's Heather.
He says a scenario such as that painted in Gattaca, where people are traced and identified based on blood samples, is just around the corner.
"DNA is going to be the real breakthrough in quick identification especially in disaster and law enforcement," Heather says. The Victorian bushfires were a recent example in which people could have had their identities reconstructed from their DNA data.
NEC is developing portable DNA units that can be despatched worldwide to verify identity, he says. And within two years, such DNA data will be common on passports, he says.
Privacy remains one barrier to sharing biometric information. Privacy was a challenge for Centrelink when it installed a voice-recognition system for its 6.5 million customers, says project manager Ross Summerfield.
Its solution, based on Intervoice proprietary interactive voice response and Nuance text-to-speech systems, outdid Hollywood in many ways.
"Who thinks security is a consideration with a speaker verification or identification system?" he asked the biometrics conference. "What about privacy, is that a consideration?
"Let me tell you, the voice experts are mostly not security experts. The vendors there had absolutely no concept of security."
Centrelink, the Commonwealth agency that handles transfer payments, eventually came to an accommodation that it "could live with", says Summerfield, to secure its 32 million phone calls and 18 million online transactions a year.
Testing the claims of biometrics technology makers is high on the Biometrics Institute's agenda, says founder and technical committee chair Ted Dunstone. It is working on a vulnerability assessment program to systematically test members' technology, he says.
"You could shoot yourself in the foot by putting systems out there that aren't as secure as they should be," Dunstone says, citing the ease with which fingerprint readers are hacked. "Nobody tests these systems."
The institute's efforts, backed by the Department of Prime Minister and Cabinet, resulted in its 2004 privacy code for the use of biometrics that echoes national privacy legislation.