Almost everyone in the European Union, and the world for that matter, has shared their biometric information. Perhaps the most prominent example is governments collecting biometric data for passports and driver's licenses, yet this sharing extends beyond one’s own country’s government (for example, airport immigration). Given the sheer volume and importance of citizens’ biometric data that is stored in government systems, these systems require a tremendous amount of security. To achieve this security, given the prevalence of cybercrime in our world, the EU must increase its support of pre-existing private-public partnerships, in addition to collaborating with more technology-oriented research institutes.
The possible assumption that sensitive data is safe in governments’ large, powerful hands is incorrect. The latest ransomware epidemic, Bad Rabbit, is on the rise. Unwitting victims of this software download a false Adobe Flash Installer from a host of unverified websites. Running the infected Installer on their devices exposes them, and any sensitive information they may have stored, to malware. These attacks started in Russia, targeting Ukraine’s Ministry of Infrastructure and Kiev’s public transportation system, and are now spreading across Germany and Turkey. Such widespread attacks on government databases are especially worrisome because they bear testimony to the power of ransomware in penetrating even the most securely guarded security systems.
In an effort to safeguard against large-scale, organized cybercrime, the EU has developed a defense mechanism by the name of Tabula Rasa. It aims to address the issue of direct attacks on biometric systems, technically known as spoofing. These direct attacks are executed by tricking the security system through the use of false or replicated fingerprints and other scans. The project’s guiding framework includes creating a draft set of standards to examine the hacking problem and to propose countermeasures to it.
One of the most noteworthy features of the project is the meticulous experimentation and testing to which potential security systems are exposed. As part of the project, Sébastien Marcel, the head of the biometrics group at the IDIAP Research Institute, is building security systems that are increasingly difficult to hack into, through trial and error experimentation. Through this experimentation, Marcel is attempting to incorporate unique biometric data using electrophysiological signals that are difficult to replicate, such as gait and heartbeat, in addition to the fingerprint and face-scanners that we’ve seen with companies such as Apple.
This project could lead to many potential benefits. It could prove successful in creating a more comprehensive assessment mechanism requiring the integration of multiple inputs such as a fingerprint scan, iris scan, and palm scan. A multiple-input security system is particularly safe because breaking into a database necessitates hacking through multiple levels, with different biometric inputs serving as different levels of security; the system thus becomes resistant to hacking efforts directed at the recreation of just one specific biometric feature. One such example is that master prints, fingerprints that can work for 35–40 percent of the target population, are no longer useful.
However, with more biometric data stored in each system comes increased vulnerability. If hackers still somehow manage to outsmart the system, they would then have access to a much larger pool of biometric information for an individual, making identity theft easier. Unfortunately, the strength of the system also weakens it. The sheer amount of biometric data that the system collects increases the probability of data leaks, as the storing and handling of this large volume of data is more difficult, giving hackers multiple entry points.
To mitigate these risks, the European Commission must increase collaboration with technological research institutes, such as Marcel’s IDIAP biometrics group, and private firms to keep up with evolving technologies and increasingly sophisticated hacking techniques, which can be used to safeguard citizens’ biometric data. To ensure that these ventures reach their full potential, they should be, at least partially, government-funded, with government-instituted guidelines for each company’s objectives. Developing these public-private partnerships will speed up the process of developing the standardized biometric systems. Although existing systems are presented as relatively foolproof, the systems should not be left stagnant. Further, in terms of handling the data once the system is developed, data compression techniques could be used to store it, which would lead to an effective handling of data, subsequently increasing security.
With the massive investments from the European Union into cybersecurity research, the future of the use of biometric data for security looks bright. The challenges that the new systems will pose to hackers make us optimistic about the prospect of such technology dramatically decreasing the number of cybersecurity attacks and allowing governments to better protect sensitive citizen data. Thus, if concerns regarding the immunity of biometric data from hacking attacks are addressed, citizens across the world will be able to breathe easy in an increasingly securitized world.
Nitya Somani is a member of EUChicago, the University of Chicago’s chapter of the transatlantic think tank, European Horizons. The image featured in this article is licensed under the Creative Commons and can be found here.