Biometrics Put to the Test
Travelers to some European airports will now encounter devices at entry gates that scan passengers’ faces and compare those images with the digital photo stored on a chip in the traveler’s passport. As of June 2009, the European Commission began requiring that most European passports also contain fingerprints, supplementing the digital photographs required since 2006. European travelers are fingerprinted at border crossings in Europe, and immigration officers check that the live fingerprints match those stored on the electronic passport. The technology is also being used to help secure 2012 Olympic Park construction in London.
These are just a few examples of the biometric technologies that are being employed in Europe. As fears about terrorism, identity theft, and bank-card fraud have risen, consumers worldwide have become increasingly accepting of various biometric technologies, ranging from fingerprint recognition to retinal scans, according to the annual Unisys Security Index, which was based on surveys of consumers in nine countries, including Germany, the United Kingdom, Belgium, Spain, and the Netherlands.
Most biometrics installations—approximately 80 percent—are still in government applications, says Matia Grossi, a London-based analyst for Frost & Sullivan. But companies are becoming more sophisticated about biometrics, says Neil Norman, CEO of Human Recognition Systems, the United Kingdom’s largest independent biometric integrator. “We spent many years in the beginning showing people what an iris camera was and how it worked,” he says. “We no longer do that. Now we show companies how they can solve particular [problems] or how they can navigate around particular legislative issues that come about and how they can ensure that they are meeting their mandate as per the industry standards and per what their board and investors require.”
For example, U.K. law provides that if a construction company’s failure to have appropriate health and safety measures on site is later found to have been the underlying cause of an accident that results in death, the directors of that company can be held liable for manslaughter. That legislation has led to a demand for a stronger form of authentication on site, says Norman, whose company is helping to secure 140 construction sites in Europe. Many companies are using biometrics to help ensure that only authorized personnel have access to construction sites.
Any company implementing a biometric system in an EU member state must make sure that it does not run afoul of that country’s laws related to the EU’s Data Protection Directive, which regulates the processing of personal data. The depth and strength of the implementation of data protection laws varies by country.
Data protection and privacy laws are strictest in France and Germany, where regulators only allow technologies that are deemed proportionate to the risk. The distinction that matters is between biometrics that can “identify” (a one-to-many search that picks a person out of a database) and those that merely “verify” (a one-to-one check against a claimed identity). Where the laws are strict, technologies with identification potential, such as iris or fingerprint recognition, would probably not be proportionate to the risk for time and attendance, but they might be considered proportionate for securing a bank or data center.
Privacy laws have effectively ruled out fingerprint recognition for commercial applications in France, says Norman. However, because vein recognition is not considered as strong an identification biometric, it is allowed.
In the United Kingdom, however, companies are increasingly using fingerprint recognition for time and attendance applications, because these systems are becoming more affordable, says Remco Veeneman, head of Ingersoll Rand’s strategic business unit Interflex.
To address data protection and privacy concerns in the U.K. applications, these systems mostly use a “template on card” approach with fingerprint verification: the enrolled template is stored only on a card the employee carries, and the reader compares the live fingerprint with that template at the point of use, so no central database of fingerprints is ever built.
A Test Case
One company that has turned to biometrics for security and succeeded in addressing the EU’s privacy concerns is the McLean, Virginia-based Graduate Management Admission Council (GMAC). This organization owns and administers the Graduate Management Admission Test (GMAT), a standardized test required for admission to many graduate business and management programs worldwide. In 2008, approximately 260,000 people took the GMAT in one of 450 testing centers located in 110 countries.
The organization remains vigilant against different types of cheating, whether perpetrated by the individual test taker or professional test takers, known as proxies, who take the test on behalf of someone else for payment. In 2003, the company busted half a dozen proxies, which resulted in the cancellation of more than 100 scores.
GMAC employs a variety of security measures to protect the exam from fraud, including photographing test takers during the registration process, collecting digital signatures, and monitoring the test rooms using surveillance cameras.
Since 1996 and until recently, the organization also collected fingerprints from test takers in many testing facilities. GMAC used the fingerprints after each of the two test breaks to ensure that the same test taker fingerprinted during registration reentered after the breaks. The organization also stored the digital template created from the fingerprint and used it to validate test takers who later retested, about 15 to 20 percent of test takers worldwide, according to Allen Brandt, GMAC’s corporate counsel for data protection and privacy.
Fingerprinting test takers in some parts of Europe, however, presented challenges. “Test takers and some of the staff at the test locations were not comfortable [giving or] collecting a fingerprint, because, culturally, only criminals get fingerprinted, or only the government fingerprints,” Brandt says.
Many were concerned about a private company collecting fingerprints, particularly because test takers also left their fingerprints behind on computer keyboards during the exam. Some worried about fingerprints being collected from the keyboards without the subject’s knowledge or consent.
A few governments objected to the use of fingerprint recognition by a private company. In some countries, Brandt says, data privacy regulators denied GMAC’s application.
In France, where the regulatory authority known as the CNIL states in guidance that “it is important to know whether the proposed system is the most suitable for the previously defined purpose with regards to any risks it may involve for personal data protection and as compared with other potentially usable systems,” GMAC withdrew its application to collect fingerprints.
“Local counsel said, ‘It’s not going to happen,’” Brandt says. Within 18 months of rolling out the use of fingerprints to secure the test, GMAC knew it would have to make a change.
Solution in hand. GMAC then started looking for an alternative biometric technology that would comply with international data privacy laws. It wanted a technology that it could use worldwide.
One of the factors important to the testing company was that the biometric be “traceless technology,” meaning that it cannot be captured without the subject’s knowledge and, unlike a fingerprint, leaves no residue behind that could be lifted later. The organization also needed a biometric that could be easily captured without specially trained staff. Finally, GMAC wanted a technology that a wide variety of test takers around the world would feel comfortable using.
GMAC considered iris recognition, a traceless technology, but potential test takers in the United States reacted negatively to the idea of having their irises scanned, Brandt says. Another downside was that the biometric is more difficult to capture than others. “You’re constantly: Come closer, come out, up, down, in, and out,” Brandt says. “There was no way in 100 plus countries that was going to be an easy thing to do.”
Pearson VUE, the company that is responsible for administering the test for GMAC, enlisted the help of the International Biometrics Group (IBG), the biometric industry’s leading independent integration and consulting firm. IBG evaluated several technologies to replace fingerprint recognition in GMAC’s security measures and recommended palm vein pattern recognition.
The palm vein pattern biometric is considered one of the most accurate. While a fingerprint can degrade with manual work, making it difficult for a reader to recognize, the vein pattern inside a person’s hand is easy to capture, is unique to the individual, and is reported to remain stable over time.
GMAC selected Fujitsu’s PalmSecure system, which uses a near infrared light to capture the vein pattern in the palm of a subject’s hand. GMAC and Pearson VUE piloted the palm system in a 90-day trial at test centers in Korea and India. After the pilot, the companies conducted surveys, which showed that most test takers accepted the technology and liked that the technology was touchless and, therefore, more hygienic.
In September 2008, GMAC submitted another application with the CNIL. In June 2009, the CNIL approved GMAC’s use of palm vein pattern recognition to secure the GMAT in France. In its approval, the CNIL noted that the palm vein pattern “is not likely to be captured without the knowledge of the person concerned and, therefore, presents very little risk for the civil liberties and fundamental rights of the individuals.”
One caveat to the CNIL’s approval and its agreement to allow Pearson VUE and GMAC to transfer data to the United States for storage was permission to audit, at will, the testing centers in France as well as the system and process for transferring and storing data in the United States. The CNIL has not yet performed such an audit.
The PalmSecure system being used by GMAC and Pearson VUE at testing centers is only active when an operator activates it. Moreover, it requires that a hand be placed within about five centimeters of the device for the palm vein pattern to be read, Brandt notes, which further ensures that the vein pattern cannot be captured without the subject’s knowledge.
Another advantage of the system is that it does not require the staff at testing centers to be specially trained. The organization was able to roll out the technology in some test centers using video training for staff, Brandt says.
GMAT test takers must still bring a valid photo ID on the day of the exam, and they must have a photograph taken. The photograph is sent to schools that request it along with the test score. Test takers must also sign a digital signature pad.
Those taking the test for the first time are required to have both palms scanned, which takes less than a second for each hand, Brandt says. The reader scans each palm and stores the vein pattern data as a digital template, which is encrypted immediately.
A registrant who is retaking the test and has a fingerprint on file, but not a vein print, must provide another fingerprint to ensure that there is a match, verifying that the same person is retaking the test. The test taker must then have both palms scanned as well. If test takers leave the test room for breaks, they must place their hands in front of the sensor again and have their vein pattern scanned before they are permitted to reenter the room. The technology helps GMAC identify professional imposters or anyone else attempting to sit in for the person purportedly taking the test.
At the end of the day, each test taker’s template, test results, and personal information are packaged together and then encrypted again. The package is sent to the United States, where test takers’ names and test results are stored separately from their templates.
The organization worked with the vendor to ensure that the encryption algorithm was unique to Pearson VUE testing centers. “The idea behind it is that even if someone else were using the exact same system, the same hardware, similar software, that the template would not be compatible,” Brandt says. “So if somehow somebody grabbed the template and tried to use it in the same exact system, it would not read.”
Fears that someone might hack into the system were secondary to preventing function creep, which was a concern of the CNIL, Brandt says. Using an encryption algorithm unique to Pearson VUE adds another wall to isolate the template so that the information cannot be used for any other purpose.
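The passage above describes three controls: the template is encrypted at capture, it is stored apart from the test taker’s name and score, and it is encrypted in a way that makes it unreadable to anyone running the same hardware and software elsewhere. The following is an added example, written for this article and not code from GMAC, Pearson VUE or Fujitsu, showing how a practitioner would build those controls. What makes a template incompatible across deployments in practice is deployment-specific key material and domain-separated key derivation, not a bespoke algorithm, so the example binds each record to a deployment identifier and a stated purpose during key derivation and authenticates that label with every record; this is the mechanism that also blocks function creep, since a template sealed for the re-entry check cannot be opened by code configured for any other purpose. The master secret, deployment labels, token scheme, sample template and exact-match “matcher” are all assumptions constructed for the example; a real system would use an AEAD such as AES-GCM from a vetted library and a proper vein-pattern matcher.

```python
"""Deployment- and purpose-bound sealing of biometric templates (added example).

Standard library only: the cipher is HMAC-SHA256 in counter mode with a
separate HMAC tag (encrypt-then-MAC). In production use an AEAD such as
AES-GCM or ChaCha20-Poly1305. Every key, label and template below is
constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class TemplateSealer:
    """Encrypts templates under keys derived for ONE deployment and ONE purpose."""

    def __init__(self, master_secret: bytes, deployment_id: str, purpose: str):
        # Domain separation: deployment id and purpose are mixed into the key
        # derivation, so identical software with a different id or purpose
        # derives unrelated keys even from the same master secret. The same
        # label is also authenticated with every record.
        self._label = b"template-sealing/v1|%s|%s" % (deployment_id.encode(), purpose.encode())
        keys = hkdf_sha256(master_secret, b"biometric-template-kdf", self._label, 64)
        self._enc_key, self._mac_key = keys[:32], keys[32:]

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = (length + 31) // 32
        return b"".join(
            hmac.new(self._enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
            for i in range(blocks)
        )[:length]

    def _tag(self, nonce: bytes, ct: bytes) -> bytes:
        msg = struct.pack(">I", len(self._label)) + self._label + nonce + ct
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def seal(self, template: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(template, self._keystream(nonce, len(template))))
        return nonce + ct + self._tag(nonce, ct)

    def unseal(self, blob: bytes) -> bytes:
        if len(blob) < 48:
            raise ValueError("truncated record")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        # Verify before decrypting: a record sealed by another deployment or
        # for another purpose fails here even though the format is identical.
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("template was not sealed for this deployment and purpose")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class SeparatedStore:
    """Templates and identity data in separate tables, joined only by an opaque token."""

    def __init__(self, sealer: TemplateSealer):
        self._sealer = sealer
        self.templates = {}    # token -> sealed template (no name, no score)
        self.identities = {}   # token -> {"name": ..., "score": ...}

    def enrol(self, name: str, score: int, template: bytes) -> str:
        token = secrets.token_hex(16)  # random, so it reveals nothing about the person
        self.templates[token] = self._sealer.seal(template)
        self.identities[token] = {"name": name, "score": score}
        return token

    def verify_reentry(self, token: str, live_template: bytes) -> bool:
        stored = self._sealer.unseal(self.templates[token])
        # Exact comparison stands in for a real vein-pattern matcher, which
        # scores similarity rather than testing byte equality.
        return hmac.compare_digest(stored, live_template)


def demo() -> bool:
    master = b"vendor-provisioned-master-secret-example"  # constructed
    pearson = TemplateSealer(master, "pearsonvue-gmat", "test-taker-reentry-check")
    template = bytes(range(64))  # constructed stand-in for a palm vein template
    store = SeparatedStore(pearson)
    token = store.enrol("A. Candidate", 700, template)
    ok = store.verify_reentry(token, template)
    # Same master secret and same code, but a different deployment id or a
    # different purpose cannot open the record: no function creep by reuse.
    other_site = TemplateSealer(master, "other-customer", "test-taker-reentry-check")
    other_use = TemplateSealer(master, "pearsonvue-gmat", "marketing-lookup")
    for sealer in (other_site, other_use):
        try:
            sealer.unseal(store.templates[token])
            return False
        except ValueError:
            pass
    return ok


if __name__ == "__main__":
    print("deployment binding holds:", demo())
```

Running the module prints `deployment binding holds: True`. The end-of-day step the article describes, where templates and results are packaged and encrypted again for transfer, would be a second `TemplateSealer` configured with a transport purpose and a different master secret, applied to the whole batch; the templates stay sealed under the capture key inside that envelope, so the receiving side can still file names and scores without ever decrypting a template.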
GMAC is currently using the palm vein system in more than 90 percent of test centers worldwide. The organization is still waiting for a decision from regulators in a few countries.
Brandt’s advice for other companies that want to adopt biometrics and comply with privacy issues is to take it slow and consider the cultural implications of the decision. “Think it through and involve people in different countries around the world to understand the culture,” Brandt says. “We would not have done fingerprint had we done that,” he adds.
GMAC’s effort illustrates both the potential benefits of using biometrics and the inherent challenges associated with individual and governmental concerns over protection and privacy. Companies interested in employing biometrics in Europe must adjust their strategies to meet changes in the threatscape, the technology, and the legal environment.
Stephanie Berrong is an assistant editor at Security Management.