More importantly, its semantics is built on internal, observer centered, ideas: In this case 1: The routine nature of work at registration centres caused a shortage of workers with the necessary skills to cope with the rapid growth and expansion of centres. Direct download 2 more. Under the guise of health and the well-being of the population, people are vaccinated against a pseudo-epidemic with products that one wants to study.
Check Your Investment Professional. Check out updates on the SEC open data program, including best practices that make it more efficient to download data.
Securities and Exchange Commission. Be Aware Before You Share. We Inform and Protect Investors. The Ombudsman will listen to your inquiries, complaints, and issues, review the information you provide, and help identify procedures, options, and resources. The Ombudsman is also available to clarify certain SEC decisions, policies, and practices, and serve as an alternate channel of communication between retail investors and the SEC.
We Facilitate Capital Formation. Check out our new Small Biz site, with info to help companies that want to raise capital. Chairman Jay Clayton's remarks include discussion of initiatives of interest to small business. Capital Raising in the U. We Enforce Federal Securities Laws. Although these measures do not always point towards a practical attack, they are useful in assessing the required effort for certain attacks. Two definitions of entropy have been considered for measuring the information leakage of a KBTP system.
Due to its rich mathematical theory, this measure allows a very comprehensive analysis of information leakage in a KBTP system [Ig09]. This defines an upper bound for the success probability of an attacker who tries to guess X from AD. For some special choices of the entropy function e. Moreover, it is expected that similar bounds will hold for any KBTP system.
The details of using entropy measures to estimate the required effort of a practical attack are a point of further research. Based on this uniform format, after defining the adversary capabilities, attacks can be defined that affect the privacy goals as defined in [ISO10]. High level attacks are independent of the algorithmic details of the underlying KBPT method while low level attacks must be targeted at a specific KBTP method.
The presented reference framework can be used as a first step to set up practical methods assess and compare the privacy properties of commercial KBTP systems. Robust distance measures for face recognition supporting revocable biometric tokens, Proc. Biometric template protection, the need for open standards. Datenschutz und Datensicherheit - DuD, Vol. New directions in cryptography. Theory, IT, 6, , pp How to generate strong keys from biometrics and other noisy data, Proc.
A Tool for Information Security. Information Forensics And Security, v. ACM Press, N, A fuzzy vault scheme. A cryptographic biometric authentication system based on genetic fingerprints, Proc. New shielding functions to enhance privacy and prevent misuse of biometric templates.
Siguenza, Hill-climbing and brute-force attacks on biometric systems: A case study in Match-on-Card fingerprint verification", Proc. Biometrics and cryptography - On biometric keys, their information content and proper use, Conference on Biometric Feature Identification and Analysis, Göttingen,7 September Enhancing security and privacy in biometrics- based authentication systems.
IBM Systems Journal, 40 3: Vijaya Kumar and P. Biometric Encryption using image processing, in Proc. Fuzzy vault for fingerprints, in Lecture Notes in Computer Science. The fuzzy vault is an error tolerant authentication method that ensures the privacy of the stored reference data. The results allow an assessment of the capacity of the scheme and an appropriate selection of parameters. However, the storage of biometric reference data poses considerable information security risks to the biometric application and concerns regarding data protection.
As a potential solution to this dilemma, biometric template protection systems [BBGK08] use reference data which reveal only very limited information on the biometric trait. Another term frequently used for these schemes is biometric en- cryption. Additional investigations, pseude codes and more detailed results are presented in the full paper [MIK" 10b]. However, a subsequent anal- ysis in [MMT09] has revealed that the parameters suggested do not provide security beyond 50 bit cryptographic keys.
This article is structured as follows: Finally, in Section 5, we draw conclusions and identify open issues for future investigations. For authentication and recovery of the secret polynomial, another set of attributes the query set has to be presented. The selected points are then used to try to recover the secret polynomial using Reed-Solomon decoding. Details are given in Section 2. A pseudo code description and more details are given in the full paper [MIK' 10b]. The impact of these optimizations are evaluated in Section 4.
For this reason, we use multiple measure- ments during enrollment and consider only those minutiae in the feature vector that have been detected in all measurements. However, an increase of false matches requires stronger error correction by lowering the degree k of the secret polynomial, which decreases the security of the scheme. This task is performed by the minutiae matching algorithm described in Section 2. Since this constraint reduces the number of possible reference tem- plates its impact on security must be analyzed.
Minutiae outside the considered set M, i. This set T of t reliable minutiae can be considered the biometric template to be protected by the fuzzy vault scheme.
A pseudo code description of the enrollment is given in the full paper [MIK' 10b]. However, if the match rate disperses considerably, it may by necessary to slightly deviate from this value, in order to reduce the False Rejection Rate. As we will see in Section 4. It is understood that there are other types of attacks against biometric template protection schemes to which the fuzzy vault is susceptible [SB07].
In particular, the cross matching of the vaults from several independent enrollments of a user represents a serious threat to the fuzzy vault. However, a comprehensive analysis of all potential attacks against the fuzzy vault would go beyond the scope of this paper. With this adaptation the attack systematically searches through all subsets i1 ,. Accord- ing to [MMT09], the number of trials needed is 1.
However, in the latter estimation an explicit constant of 18 for multiplication of the polynomials see Corollary 8. Assuming a density 0. Since this number varies considerably among individuals and measurements, acceptable Failure To Enroll FTE rates can only be achieved, if the required number of reliable minutiae is considerably lower than its average value.
The results of this evaluation are listed in Table 1. The average match rate, i. This aspect is further discussed in Section 4. Therefore, we will subsequently focus on these cases. Minimum quality Q Av. The results are listed in Table 3. An example plot is presented in Figure 1. Nevertheless, for various parameters we consistently found a value Q between 0.
As explained in Section 2. The results of this evaluation are displayed in Figure 2 by the curves of the match rate and the rate of successful enrollment. The decrease of the successful enrollment rate is similar to the case of Figure 2. The results of Section 4.
The deviation is presumably due to those outliers resulting from an incorrect determination of the isometry: Parameters for a security level of 2Sec. Both optimizations are very sensitive to the respective thresholds, which must be carefully set on the basis of empirical data. Finally, we would like to stress that our security analysis only covered template recovery attacks.
Other types of attacks have been published [SB07] and need to be addressed before the scheme can be considered ready for use. Cambridge University Press, 2nd edition edition, A Fuzzy Vault Scheme. Theory, page , Provable Security for the Fuzzy Fingerprint Vault. Forensics Security, 2 4: Suitable Uses and Achievable Information Content. Scheirer and Terrance E. Fuzzy Vault with Helper Data.
Fuzzy Vault for Fingerprints. National Institute of Standards and Technology, Biometric gait recognition is a well suited method for authentication on mobile devices as it is unobtrusive and concurrent. Hence, in contrast to PIN authen- tication it is no extra-effort for the user.
The characteristic gait of a subject can be recorded using accelerometers which are nowadays already contained in many mobile devices. From this data biometric feature vectors can be extracted and stored as ref- erence data on the device. Only if the user is not recognized by his walk an active authentication via PIN is necessary. As the number of attacks on mobile devices increases it cannot be assumed that the data stored on the device is under constant control of the subject.
Therefore, template protection techniques should be applied to secure biometric data. The method is tested with gait data of 48 subjects recorded using a mobile phone and the results are compared to the ones obtained without template protection. This implies that in most cases everybody who has physical access to the device can directly access all stored information.
As the proportion of sensitive information contacts, emails,. But most mobile devices do not offer a suitable alternative. Accelerometer-based gait recognition is such an alternative. In contrast to PIN authentication no active input of the user is necessary.
Most smartphones do contain accelerometers for games or changing the orientation of the display. When a subject is walking with his phone he is di- rectly authenticated based on his gait. Recently, Gafurov et al. Using data collected with dedicated accelerometers i. These include identity theft, cross-matching, and the exposure, often irrevocable, of sensitive private information, as well as traceability of individuals. This has stimulated research on the protection of stored biometric data in recent years, primarily focusing on preventing information leakage.
Template protection techniques, also referred to as biometric encryption, untraceable biometrics, cancelable or revoca- ble biometrics, have been developed. These convert biometric data elements into mul- tiple ideally uncorrelated references, from which it is infeasible to retrieve the orig- inal information and in some cases have already been integrated into existing systems [gen, pri].
They exhibit the following key properties: The derivative references can be com- pared to a biometric datum under similarity metrics for the underlying biometric template. This allows the successful comparison of measurements exhibiting small variations or measurement errors to a derivative reference.
Diversity and Randomness Template protection can create numerous secure references from one biometric feature with the references independent on each other, i. This eliminates the problem of cross-matching and tracebility. Although the research on accelerometer based biometric gait recognition shows that it of- fers a promising way to provide a more convenient method for authentication on mobile devices, no research has been done so far in the area of template protection for biometric gait data collected using accelerometers.
One reason for this might be, that biometric data stored on the mobile device seems to be under control of the subject similar to systems using on-card biometric comparison, see [iso]. Nevertheless several attacks on mobile devices have been reported [HJO08, Win] which make clear that data stored on the mobile devices should be protected.
The paper is structured as follows. The next section gives an overview over the collected gait data and the extracted feature vectors. Section 3 describes the developed template pro- tection method and section 4 explains the test and states the obtained results.
This resulted in protected templates of length In our basic case the distance between bins at the same position will be zero, neighboured bins have distance one and so on. The result is compared with the one obtained without template Figure 6: DET-curves obtained with and without template protection.
The distance used for comparison in that case is dynamic time warping DTW [M07]. By using the proposed template protection method this increases to The reason for this will be the loss of information introduced by the histogram calculation, due to which no temporal information remains. Accelerometer based gait recognition is such a method as it is able to authenticate a subject unobtrusively whithout his intervention. Up to now, no publications about template protection for accelerometer based gait recognition exist.
The feature vectors are converted into protected templates via histogram generation. Di- versibility is obtained by applying different permutations to the template for different ap- plications. Future work will focus on developing template protection methods which keep this information to guarantee a lower EER. Identifying people from gait pattern with accelerometers. VTT Electronics, Fin- land. A channel coding approach for human authentication from gait sequences.
Transactions on Information Forensics and Security, 4 3: A reference archi- tecture for biometric template protection based on pseudo identities. Biometrics and Electronic Signatures, Authentication of users on mobile telephones - A survey of attitudes and practices. Journal of Computers, 1 7 , Gait recognition using wearable motion recording sensors.
A practical analysis of the robustness and sta- bility of the network stack in smartphones. In Computer and Information Technology, Springer-Verlag New York, Inc. Ratha, Sharat Chikkerur, Jonathan H. Connell, and Ruud M. Generat- ing Cancelable Fingerprint Templates. A metric for distributions with applications to image databases. In Computer Vision, Sixth International Conference on, pages 59 —66, Challenges Arising from Theory to Practice, August Akkermans, Fei Zuo, and Prof Holstlaan.
Face Biometrics with Renewable Templates. Windows Mobile trojan sends unauthorized infor- mation and leaves device vulnerable. Projektgruppe verfassungsverträgliche Technikgestaltung provet Universität Kassel Wilhelmshöher Allee Kassel gerrit. The privacy and data protection challenges posed by biometric systems have been discussed in detail in the last years.
Both security opportunities and privacy risks however may develop and change with the technical enhancement of the respective systems, which also induces the emergence of new application scenarios. One group of such new scenarios appears to be the prevention of criminal or in other ways dangerous behaviour. From a legal point of view, this brings about new challenges which go well beyond the problems of authentication as such.
While some of the features of the scenarios discussed below may not be feasible in the short term, it is apparent that the associated fundamental rights and data protection law problems will have to be addressed in the future. This applies to the international plane as well as to national legal orders, for which Germany will serve as an example in the following.
This is however in no way a sole characteristic. Rather, it appears that virtually 1 Acknowledgement: It has been argued that the two concepts differ to a considerable extend. According to [HeGu06] [GuHe08], privacy should be understood as an opacity tool, guaranteeing non-interference in individual matters by the state and private actors. However, this useful distinction may be misleading as regards specific legal provisions, which may serve both or other purposes.
Given this fact however, there are some privacy and data protection risks particularly associated with biometric data, which are due to their inherent characteristics.
In short, the most relevant of these risks appear to be the following [Al03, ff. Biometric systems get better as such i. Not all of these developments pose new legal questions. However, even the plain enhancement of the comparison algorithm of a given system or the improvement of its spoof prevention mechanisms may require a new legal assessment, because this leads to an ever stronger link between the data subject and the respective biometric samples.
Interestingly, while this significantly reduces some of the aforementioned privacy and data protection risks, other risks may increase at the same time.
A strong link may most notably lower the risk of identity theft, but add to the possibilities of tracking and surveillance. In the future, these new technological developments could enable police authorities to introduce biometric systems for the prevention of crime. Subsequently, two examples of possible scenarios will be given. On the other hand, there are digital biometric authentication systems, where the biometric data of a present person is collected and compared with the reference data on a one-to-one or one-to-many basis.
Technological development appears to allow for a combination of the two in order to digitally collect fingerprint data at everyday objects, i. At the same time, biometric fingerprint systems may even play a role in new preventive scenarios. The systems could, among other things, even be able to find and scan fingerprints on baggage and freight in the airport in order to singling out dangerous materials in the baggage and freight.
To this end, it could automatically detect and collect fingerprints and even further proceed by comparing them with a list of dangerous persons. This procedure is only viable because in respect of fingerprints, one could make use of the already existing automation of fingerprint comparison conducted by national police offices such as the German Federal Criminal Police Office Bundeskriminalamt.
Clearly, these systems have ever improved, allowing for higher image quality and the analogous or now digital storage of the data for later analysis. The next technological step however could bring about major changes as regards both the security opportunities and the privacy risks of CCTV. Smart cameras renounce image transmission in favour of essential abstracted environmental information. These smart cameras shall be able to identify moving objects, track them and simultaneously compare their motion to common patterns.
If it differs from these common patterns and is subsequently identified as a security threat, private or state security services could be alarmed automatically. Likewise, smart cameras can be interconnected. Long track logs can be created by linking shorter track logs of several camera places. These long tracks can be interpreted to detect conspicuous movement patterns. In future, smart camera surveillance systems could easily be combined with biometric techniques of facial recognition or other biometric or non-biometric means of personal identification.
Meanwhile technical problems have to be solved. Recognition and tracing of temporary or partly hidden persons and high dynamic scenarios such as different perspectives and lightings are issues that must be resolved.
This brings about problems with the data protection principle of transparency. In particular, this principle protects the individual by requiring the controller to inform the data subject about the collection of personal data. For Germany in particular, police legislation of the German Länder likewise provides for a precedence of direct over indirect collection of personal data [Pi07, f. As regards biometric systems, this precedence is particularly important since data subjects unintentionally leave their fingerprints on objects and facial data may be captured by cameras in the public domain.
Further, indirect and covert collection of biometric data also disables the individual to seek legal remedy against unjustified processing of personal data. Additionally, large-scale applications may significantly influence the legal assessment as regards the principle of proportionality. While this is already a problem in 1: In respect of prevention, police authorities may exploit their investigative powers in dangerous and endangered places [Pi07, ff.
In relation to fingerprints, national AFIS throughout the world allow for automated recognition of fingerprints of criminals and immigrants. As to both fingerprints and the human face, most states built up databases for passport and ID card registers, or plan to do so in the future. For the time being, the automatic transfer of this data to German police authorities is restricted to single cases of urgency in which the passport or ID card authorities are not reachable [Ho07, ].
It remains to be seen whether this will change in the future. Associated with the new type of preventive large-scale applications, there may also be a tendency towards 1: Biometric systems for preventive law enforcement necessitate this identification functionality in order to determine the suspect, that is, they need to include a significant group of the population in order to have successful searches. In general however, identification leads to greater privacy problems than 1: Biometric encryption, a means of biometric template protection, is suitable to reduce privacy threats.
This approach avoids the storage of biometric data and template data by encrypting a random number on the basis of the collected biometric data since [TSS96]; lately [Br09]. It is however crucial that the random numbers are not stored in the same database, in order to avoid 1: Otherwise any biometric characteristic could be combined with every random number and the result of that combination could be compared with reference data. This comparison establishes the association of a biometric characteristic with a data set which may identify a person.
Further, the principle of purpose specification is at stake. Biometric data do not as such tie the processing to a certain purpose. For instance, ID card registries process facial data for the purpose of issuing ID cards and certain CCTV surveillance cameras process data for crime prevention purposes.
If biometric data can be extrapolated from the video images, ID card images could be used to identify persons located by means of the camera system. If a fingerprint scanning system would be introduced in airports, the data contained in the national AFIS for the purpose of preventing crimes and illegal claims of asylum and residence could be utilised to identify persons of this group that are located by the fingerprint scanner.
In both cases, interoperability appears to lead to additional privacy and data protection concerns. Data subjects may also become subject to further security measures. As regards the identification after an incident, the severity of this risk depends on the reliability of the biometric system.
Smart cameras may be able to observe people and their motion and to compare this motion to common patterns in order to alarm private or state security services in the event that the motion differs and is identified as a security threat.
In result, concrete measures against persons may take place just because of an automatic process. The reason is that data subjects who feel like being watched, may abstain from deviant behaviour patterns and accommodate themselves to behavioural adaptations. The new intelligent and self-organising smart cameras could become able to track human routes, so that complete targeted monitoring and tracing in public places becomes feasible.
Clearly, this brings about major legal and ethical problems regarding the general possibilities to describe deviant behaviour, the reliability of the system, its decision structure, and the possibilities of ultimate human decision-making. Legal Requirements and Challenges The risks of the use of biometric systems in future preventive scenarios may lead to violations of several human rights protected by the EU Charter of Fundamental Rights, the European Convention of Human Rights and national constitutions such as the German Grundgesetz.
These laws do not only include the rights to privacy and data protection, as well as national particularities such as the German right to informational self-determination.
Finally, the right to travel and the freedom of movement could be at risk in case that data subjects are tracked and continuously monitored in different places. In addition, property as a fundamental right in case of confiscation , the right to innocence until proven guilty if the system or its design suffer from errors , the right to judicial review in non-transparent systems , and the prohibition of arbitration in case of unspecified purpose of use may be violated.
This plurality of possible infringements on basic rights causes difficulties to discuss the use in conformity with privacy and data protection requirements. On the other hand, the general legal data protection requirements have been well discussed and may be applied to new biometric systems as well.
As those systems in principle process personal data within the meaning of Article 2 a DPD, they are subject to the respective national Data Protection Acts which implement this Directive.
Albeit differing in detail, the national acts follow common principles due to the harmonising effects of the European legislation. These principles are frequently but not in all countries fostered by fundamental rights of national constitutions such as the German right to informational self-determination, recognised by the Bundesverfassungsgericht since [BV83] on the concept see e.
Thus the following principles are in general also vested with the power of constitutional rights in Germany and other national legal orders. In short, the processing needs to be based on legislation or effective consent by the data subject, personal data may only be collected and used for specified purposes, the data must be anonymised or deleted once this purpose is accomplished, data must not be processed beyond the absolute minimum required data minimisation , the interference with personal privacy must be proportional to the purpose, the data processing must be transparent for the data subject, proper organisational and technical security measures must be in place to protect the data, and the data subject enjoys certain rights, e.
As regards the new scenarios above, there are some common legal challenges which apply to all EU Member States. First of all, these security applications cannot be based on the consent of the data subjects because they are used to take preventive police measures against the will, and possibly even without notice, of the data subject.
Thus there is the need of legislation specifying in detail the circumstances and requirements of the processing of biometric data.
In Germany in particular, it is in both cases very doubtful whether the existing police and data protection laws allow for the use of biometrics in the described manner. In contrast, this may be possible in the case of criminal investigation using digital capturing of fingerprints, as this appears to merely replace the analogue measures used hitherto. Police intervention in endangered places requires the establishment of such a suspicion beforehand [Pi07, However, since it cannot automatically be determined whether or not a person is dangerous without collecting personal data, a decision of the Bundesverfassungsgericht could solve this conflict.
In the case of number plate recognition [BV08], the Court ruled that collecting data from car number plates does not interfere with the right to informational self-determination if the data stay anonymous and are instantly and untraceably deleted in case that the comparison with the police search database is negative [BV08, para. For fingerprint recognition, this could mean that the German legislator is allowed to provide for the scanning of baggage and freight in airports for preventive purposes.
It remains to be seen whether other national courts and data protection authorities of other countries will take up this approach. There has so far been no occasion for the Bundesverfassungsgericht to deliberate on the preventive use of a biometric system, and the same appears for other national constitutional courts.
Nonetheless, existing data protection legislation might be applicable to preventive biometric scenarios. Additionally, there must be no indications of overriding legitimate interests of the data subject. Furthermore, suitable measures shall be taken to indicate that the area is being monitored and to identify the data controller.
Section 6b 3 BDSG governs the processing and use of the collected data. Whether the authorisation of this section provides for biometric comparison of the collected data or not has not been investigated so far.
The new technology aims at detecting behavioural patterns, but may also detect sensitive data such as disabilities or ethnic groups on the basis of behavioural patterns or appearance. As Section 6b BDSG was not drafted for these cases, the question will have to be answered whether the law provides for this new level of data processing.
Another common feature of public, large-scale scenarios is the unclear situation as regards the competence for the collection of biometric data, its processing and the possible subsequent danger prevention measures. From a legal point of view, this raises severe questions of competence and accountability [Gu01] [St97].
It could also come into conflict with the concept of informational separation of powers recognised by the Bundesverfassungsgericht in the population census decision Volkszählungsurteil [BV83, 69]. As regards CCTV systems and fingerprint recognition systems, there need to be clear legal provisions about the data controller, the data collection and transmission between public authorities and possible private actors.
For instance, several bodies may be in charge to control baggage and freight in airports. Further, private security firms may be obliged to carry out these control measures see Sections 8 and 9 of the German Aviation Security Act, Luftsicherheitsgesetz.
One example for this could be the conviction of a subject on the basis of the outcome of a biometric comparison: On which threshold of a biometric system could this be based in different settings?
For prevention scenarios in particular, the requirement for subsequent measures is usually a threat to public safety. So far, it remains completely unclear under which circumstances the existence of such a threat may be solely based on the outcome of a biometric process or technical behavioural analysis. In the end, the new systems must comply with legal requirements concerning the privacy-friendly technical design.
According to the principle of data minimisation see Article 6 1 c DPD and Section 3a BDSG respectively , the processing of data must not be excessive in relation to the purposes for which they are collected. Thus anonymous or at least pseudonymous data must be used wherever possible. Conclusion It has become clear that new technical possibilities of biometric systems lead to new challenges for personal privacy and data protection.
At least in Germany, data protection laws do not specifically cover biometric data, which for example represent fingerprints or behavioural patterns of data subjects. In addition, data subjects are so far often not aware of the information quality that is revealed from latent fingerprints and bodily movements. The amount of the new challenges depends on the respective technical design. Automated collection of biometric data enables law enforcement authorities not only to prosecute the accused but also proactively collect information about an unspecified group of persons.
Hence, entire societies may be posed under suspicion if there are no technical and legal safeguards in place. In consequence, citizens may feel of being watched and adapt their behaviour so that they hide individual characteristics. Technology may on the other hand, depending on the design, also preserve personal privacy and data protection.
However, this may be limited in certain scenarios if the sole aim of a biometric system is the identification of an unknown person in a large group of other persons or the mapping of a large amount of newly captured biometric data on a biometric database.
For certain purposes such as prevention of serious crime, a biometric system might be a pressing need for the society.
Further, secret collection of data may be necessary for police work. Prevention however, by the very nature of the concept, cannot be restricted to a group that only consists of dangerous persons. The specific aspects of biometric characteristics necessitate a very cautious approach because of the unique and durable relation to the data subject. Hence, biometric template protection regimes that utilise renewable and irreversible representations of biometric data may be an option to ensure that data can only be used by a certain authority for a certain purpose in a certain biometric system.
This sort of purpose limitation by design could also prevent or reduce the risk of identity theft. Moreover, long-term storage of biometric data may require regular data security measures, for example, fresh re- encryption since state-of-the-art cryptosystems may become ineffective after a certain period of time. Finally, users of biometric systems for law enforcement purposes need to take error rates into account.
Beerman succeeds Robert Collins who has been Controller since and will be taking a role outside of the Company. We thank him for his years of dedication and hard work and wish him well in his next endeavor. Since November , Ms. Prior to that, she served in a consulting role to the Alcoa Inc.
From to , she held numerous leadership positions with Alcoa Inc. In this role, Ms. Beerman designed operational efficiency in requisition-to-payment and supplier management. She was also Manager of North America Financial Accounting Services, where she led the team that provided accounting services to numerous locations.