
ICT Assignment

This research paper discusses protection of biometrics and analyzes the security and privacy issues associated with biometric technologies. It provides an overview of electronic biometrics, how biometric systems work to identify individuals based on behavioral and biological characteristics. The paper also examines security threats to biometric systems and the need to develop threat models to assess vulnerabilities. Additionally, it discusses legal responsibilities and privacy concerns regarding the collection and storage of sensitive biometric data.

Uploaded by

Tanu Rathi

Bhartiya Vidyapeeth Deemed University

New Law College, Pune

Research paper
On
Protection Of Biometrics

Guided by:
Dr. Rajlakshmi Wagh

Submitted by:
Tanu Rathi, C-42

Nishtha Tiwari, C-43

Abstract

With the rise of data and identity theft, it has become more difficult to prevent
unauthorized access to information resources and installations. Biometric
technologies, which are used to verify a person’s identity and existence, are
highly vulnerable because they hold sensitive personal data. Until now biometric
technology products were not used very often, but with advances in computer
science and technology such products have become less expensive and are now
affordable for any newly established enterprise. With biometric technology a
living person’s identity can be positively authenticated and verified, making it
difficult for imposters to access resources by stealing someone else’s identity.
This paper discusses how secure biometric technology is, what privacy issues are
associated with its deployment, what the responsibilities and liabilities are in
case of data theft, what vulnerabilities are associated with it, and the
appropriate mechanisms for disposing of such data.

Keywords

Biometric technology, Characteristics, Authentication, System, Identification,
Security Analysis, Attack, Aadhaar, Databases, Deployment, Information
Technology, Password, PINs, SPDI, Body Corporate, Lawful Purpose, Information
Provider, Agencies.

Index

1. What is an electronic biometric technology and its working?

   • What is electronic biometrics?
   • Working of the electronic biometrics?
   • Human identity and biometrics

2. Security and Threat modeling

3. Concerns for using biometrics

4. Recent deployments in biometrics and misuse of biometrics

5. IT Act vis-à-vis disposing of data, privacy issues

   • What is SPDI?
   • What are the Reasonable Security Practices and Procedures to be followed?
   • How to collect SPDI?
   • Is transfer of SPDI possible?
   • Is disclosure to third party permitted?
   • Need for Privacy policy
   • Appoint grievance officer

6. Conclusion

7. Bibliography

1. What is an electronic biometric technology and its working?

What is electronic biometrics?

Biometrics is [Automated] recognition of [living] persons based on observation of
behavioral and biological (anatomical and physiological) characteristics, as defined
by the e-governance standards of India.[1] The word biometric can be divided into
two parts, wherein bio means life and metric means to measure. With advances in
technology, biometrics are given more importance than traditional identification
methods such as PINs and passwords because they are more accurate and more
reliable. Considering the security standards, biometrics can be considered a
trustworthy store for information.

[1] http://egovstandards.gov.in/biometrics

Based on the working standards and the methods employed, biometrics can be
divided into two major categories, namely physical and behavioral biometric
characteristics. Physical biometric characteristics include retina scanning, iris
scanning, fingerprint recognition or identification, palm or hand geometry and
facial characteristics, while behavioral biometric characteristics include voice
or speaker authentication, signature, typing or keystroke patterns and gait.

Working of the electronic biometrics

For security purposes there are three different types of authentication systems used:

• What we know – a password, a PIN or a piece of personal information.
• What we have – a card key, a token or a smart card.
• What we are – a biometric.

Biometric systems differ and can be complex, but they all follow the same three
basic steps:

• Enrollment – every biometric authentication system first takes some data as
  input, such as the name, age, sex or an identification number, and only then
  starts recording your specific trait to create an identity.
• Storage – these traits are mostly not stored in the exact form in which they
  are recorded; usually the system converts the data into a code or a graph,
  sometimes even onto a smart card like Aadhaar which can be carried by the
  individual.
• Comparison – later on, when you use the system, it compares the trait you
  present with the trait that was recorded, and based on that the system either
  grants access or denies it.

The basic components of all electronic biometric systems are also the same:

• Sensor – to examine the trait we present to it.
• Computer – which is used to read and record the traits and the data.
• Software – to analyze the characteristics, then to change them into a storable
  format of a code or a graph, and finally to perform the actual comparisons.

Human identity and biometrics

Essential to the above definition of biometrics is that, unlike the definition
sometimes used in the biometrics technical community, it does not necessarily link
biometrics to human identity, human identification, or human identity verification.
Rather, it measures similarity, not identity. Specifically, a biometric system
compares encountered biological/behavioral characteristics to one or more
previously recorded references. Measures found to be suitably similar are
considered to have come from the same individual, allowing the individual to be
recognized as someone previously known to the system. A biometric system
establishes a probabilistic assessment of a match indicating that a subject at hand is
the same subject from whom the reference was stored. If an individual is
recognized, then previously granted authorizations can once again be granted. If
we consider this record of attributes to constitute a personal “identity,” as defined
in the NRC report on authentication,[2] then biometric characteristics can be said to
point to this identity record. However, the mere fact that attributes are associated
with a biometric reference provides no guarantee that the attributes are correct and
apply to the individual who provided the biometric reference. Further, as there is
no requirement that the identity record contain a name or other social identifier,
biometric approaches can be used in anonymous applications. More concisely,
such approaches can allow for anonymous identification or for verification of an
anonymous identity. This has important positive implications for the use of
biometrics in privacy-sensitive applications. However, if the same biometric
measure is used as a pointer to multiple identity records for the same individual
across different systems, the possibility of linking these records (and hence the
various social identities of the same person) raises privacy concerns.

[2] National Research Council, Who Goes There? Authentication Through the Lens of
Privacy, Washington, D.C.: The National Academies Press (2003)

2. Security and Threat modeling

Security considerations are critical to the design of any recognition system, and
biometric systems are no exception. When biometric systems are used as part of
authentication applications, a security failure can lead to granting inappropriate
access or to denying access to a legitimate user. When biometric systems are used
in conjunction with a watch list application, a security failure can allow a target of
investigation to pass unnoticed or cause an innocent bystander to be subjected to
inconvenience, expense, damaged reputation, or the like. In seeking to understand
the security of biometric systems, two security-relevant processes are of interest:
(1) the determination that an observed trait belongs to a living human who is
present and acting intentionally and (2) the proper matching (or nonmatching) of
the observed trait to the reference data maintained in the system. Conventional
security analysis of component design and system integration involves developing
a threat model and analyzing potential vulnerabilities—that is, where one might
attack the system.[3]

[3] Biometric Recognition: Challenges and Opportunities

As described above, any assessment of the effectiveness of a biometric system
(including security) requires some sense of the impostor base rate. To estimate the
impostor base rate, one should develop a threat model appropriate to the setting.
Biometric systems are often deployed in contexts meant to provide some form of
security, and any system aimed at security requires a well-considered threat
model. Before deploying any such system, especially on a large scale, it is
important to have a realistic threat model that articulates expected attacks on the
system along with what sorts of resources attackers are likely to be able to apply.
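To illustrate why the impostor base rate matters, the following added example (not part of the original paper) computes the false reject and false accept rates of a similarity threshold and then the share of accepted attempts that are impostors. The similarity scores, candidate thresholds, base rates and function names are constructed for illustration.

```python
"""Added example: how the impostor base rate taken from a threat model
changes what a biometric matcher's error rates mean in practice."""

# Constructed similarity scores in [0, 1]; not output of any real matcher.
# GENUINE: the enrolled person presenting again. IMPOSTOR: someone else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.93]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.28, 0.76, 0.19, 0.55, 0.08, 0.47, 0.81]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for the rule 'accept if similarity >= threshold'."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    return frr, far


def impostor_share_of_accepts(threshold, base_rate):
    """P(impostor | accepted) by Bayes' rule.

    base_rate is the assumed fraction of all attempts made by impostors,
    which is exactly the number a threat model has to supply.
    """
    frr, far = error_rates(threshold)
    accepted_impostors = far * base_rate
    accepted_genuine = (1.0 - frr) * (1.0 - base_rate)
    total = accepted_impostors + accepted_genuine
    return accepted_impostors / total if total else 0.0


def lowest_safe_threshold(base_rate, max_share, candidates=(0.75, 0.80, 0.85)):
    """Lowest candidate threshold with P(impostor | accepted) <= max_share.

    Lower thresholds reject fewer legitimate users, so the lowest one that
    meets the target is preferred. Returns None if no candidate qualifies.
    """
    for t in sorted(candidates):
        if impostor_share_of_accepts(t, base_rate) <= max_share:
            return t
    return None


if __name__ == "__main__":
    # Two assumed settings: impostors are rare (1%) or common (50%).
    for base_rate in (0.01, 0.50):
        for t in (0.75, 0.80, 0.85):
            frr, far = error_rates(t)
            share = impostor_share_of_accepts(t, base_rate)
            print(f"base_rate={base_rate:.2f} threshold={t:.2f} "
                  f"FRR={frr:.2f} FAR={far:.2f} "
                  f"P(impostor|accept)={share:.4f}")
        print("lowest threshold keeping impostors under 5% of accepts:",
              lowest_safe_threshold(base_rate, 0.05))
```

The same matcher with the same error rates meets the 5% target at the most permissive threshold when impostors are rare, but only at the strictest one, with a 30% false reject rate, when half of the attempts are hostile.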

A thorough security analysis, however, is not a guarantee that a system
is safe from attack or misuse. Threat modeling is difficult. Results often depend on
the security expertise of the individuals doing the modeling, but the absence of
such analysis often leads to weak systems. As in all systems, it is important to
consider the potential for a malicious actor to subvert proper operation of the
system. Examples of such subversion include modifications to sensors, causing
fraudulent data to be introduced; attacks on the computing systems at the client or
matching engine, causing improper operation; attacks on communication paths
between clients and the matching engine; or attacks on the database that alter the
biometric or nonbiometric data associated with a sample.

3. Concerns for using biometrics

Over the last seven years India has been building up the world’s largest biometric
database. 1.17 billion people, nearly 90% of India’s population, have been
registered in the Aadhaar database. By linking individuals to their biometric
details, India has provided a form of identification for rural Indians, making it
easier for them to register for bank accounts, get a driver’s license, or receive
government subsidies. Registered users need only scan a fingerprint or retina to
confirm their identity and access government or even private services. But is this
system hack-proof and safe? Is the data that we provide secured so that it cannot
be misused?

There are various security issues relating to Aadhaar and they are serious. The
most important ones are discussed below:

1. Flawed Design
Aadhaar’s design is based on a centralised database called the Central
Identities Data Repository that stores every individual’s demographic and
biometric information. The aggregation of personal information in one
centralised database makes it vulnerable to exploitation, making it a valuable
target for hackers, states and identity thieves. Research also suggests
that, in addition to external threats, centralised databases are vulnerable
to errors and misuse by the custodians of the database themselves.

2. Problematic Application
The dual use of Aadhaar as an identifier as well as an authenticator increases
the probability of identity theft. An authenticator works well if it is
confidential. Conversely, an identifier’s efficacy depends on it being
openly available and widely used. It is well established that biometrics, too,
are fallible. From creating gummy fingers – artificial fingers made of gelatin
– to capturing fingerprints from photographs, biometric technology has been
compromised even without sophisticated tools or methods. Moreover,
the use of biometrics raises the additional concern that in the event they are
compromised, they cannot be re-issued like ordinary passwords or PINs.
When biometrics are combined with a universal identifier like Aadhaar and
subsequently compromised, an identity thief can instantly gain access to
multiple services, while simultaneously preventing the individual from
obtaining legitimate benefits she might be entitled to.

3. Inadequate legal framework
The Aadhaar Act and its corresponding regulations reveal several
weaknesses at multiple stages – at the time of enrolment itself, in detecting
identity theft, and with respect to legal remedies after the crime has been
detected. The law allows an individual to enrol for Aadhaar without any
document as proof of identity, through an introducer. An introducer can be
any individual who vouches for the identity of the person in question, so
long as she has an Aadhaar number herself. This makes it easy for
individuals to enrol with a false or fraudulent identity. While identity theft is
a punishable offence under the Aadhaar Act, an individual has no power to
initiate proceedings even if the crime has been detected. The Act only allows
the Authority to initiate criminal proceedings. The poor drafting of the
legislation only exacerbates the architectural vulnerabilities of Aadhaar. The
law lacks effective checks to prevent identity theft and to provide adequate
redress to victims of the crime.

4. Recent deployments in biometrics and misuse of biometrics

Biometric devices are not hack-proof; how secure they are depends on the ease
with which they can be defeated. In Malaysia, thieves who stole a car with a
fingerprint-based ignition system simply chopped off the owner's finger. When a
biometric attendance system was introduced at the Institute of Chemical
Technology (ICT) in Mumbai, students continued giving proxies by using moulds
made from Fevicol.[4]

[4] As explained by Pranesh Prakash, policy director, The Centre for Internet & Society

Earlier this year, researchers at NYU and Michigan State University revealed that
they were able to generate a "MasterPrint", which is a "partial fingerprint that can
be used to impersonate a large number of users". While there are potential
safeguards, they require re-capturing everyone's biometrics.

Biometric devices can be hacked. They have fingerprint sensors, which only
check the pattern. It is possible to recreate these patterns through various
techniques. Technically, it is difficult to recreate biometrics from a high-resolution
picture. However, by using other image rendering tools we can recreate the
patterns. Security experts and hackers have already proved that they can bypass
mobile fingerprint scanners using a collection of high-resolution photographs taken
from different angles using standard photo cameras to make a latex replica print.

Most biometric scanners hold a data set of all fingerprints and other
identities inside the device database. Not every manufacturer in India undergoes
enough security auditing. Most companies manufacture low-cost biometric
devices which are highly vulnerable. These devices are imported from China and
other countries, but they do not go through any security audits in our
country. They may have kernel-level backdoors, which make them highly vulnerable
and can lead to the launch of any kind of attack, including compromising an
organization’s network. Only a handful of companies conduct audits of their
products as part of security practice.

5. IT Act vis-à-vis disposing of data, privacy issues

The right to privacy has long been read into Article 21 (right to life and personal
liberty) of the Constitution of India. However, with the proliferating use of the
internet and the exorbitant rise in transfer of data through multiple technologies,
the concepts of ‘data privacy’ and ‘data protection’ have started demanding greater
attention than ever before. Therefore, such concepts were introduced in the
Information Technology Act, 2000 (Act) through Section 43-A (Compensation for
failure to protect data) and Section 72-A (Punishment for disclosure of information
in breach of lawful contract).

Section 43-A primarily deals with compensation for negligence in implementing
and maintaining reasonable security practices and procedures in relation
to sensitive personal data or information (SPDI). Section 72-A deals with
personal information and provides punishment for disclosure of information in
breach of lawful contract or without the information provider’s consent.

On 13 April 2011, the Ministry of Communications and Information Technology
(MCIT), Government of India, notified the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011 (Rules). Further, on 24 August 2011, the MCIT released a press note
(Press Note) which clarified a number of provisions of the Rules. Amongst others,
the Press Note clarified that the Rules relate to SPDI and are applicable to body
corporate (i.e. organisation) or any person located in India. The Press Note
exempts outsourcing companies in India from the provisions of collection and
disclosure, as set out under the Rules.

What is SPDI?

Essentially, SPDI consists of the following:

• Passwords;
• Financial information such as bank account or credit card or debit card or
  other payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information.

What are the Reasonable Security Practices and Procedures to be followed?

Section 43-A of the Act defines ‘reasonable security practices and procedures’ to
mean security practices and procedures designed to protect such information from
unauthorised access, damage, use, modification, disclosure or impairment, as may
be specified in an agreement between the parties or as may be specified in any law
for the time being in force…

In light of the above, the Rules now stipulate that the requirement of ‘Reasonable
Security Practices and Procedures’ will be satisfied if a body corporate has
implemented such security practices and standards and has comprehensive
documented information security programmes and policies that are commensurate
with the information assets being protected.

The Rules also set out that International Standards (IS / ISO / IEC 27001) is one
such standard (Standards) which could be implemented by a body corporate. If any
industry associations, etc. are following standards other than IS / ISO / IEC 27001
for data protection, they need to get their codes (Codes) approved and notified by
the Central Government.

The Rules state that the bodies corporate who have implemented the Standards or
Codes need to get the same certified or audited by independent auditors approved
by the Central Government. The audit is required to be carried out by the auditor at
least once a year or as and when there is a significant upgradation of processes and
computer resources.

How to Collect SPDI?

The Rules provide that a body corporate should obtain prior consent from the
information provider regarding purpose of usage of the SPDI. The information
should be collected only if required for a lawful purpose connected with
functioning of the body corporate and if collection of such information is
necessary.

The body corporate is required to take reasonable steps to ensure that the
information provider knows that the information is being collected, the purpose of
collecting such information, the intended recipients and the name and address of
the agency collecting and retaining the information. The information should be
used only for the purpose for which it is collected and should not be retained for a
longer period than is required.

The Rules further provide that a body corporate is required to permit the
information provider to review / amend the SPDI and give an option to withdraw
consent at any time, in relation to the information so provided. In case of
withdrawal of consent, the body corporate has the option not to provide the goods
or services for which the concerned information was sought.
