Biometrics: how is it with us, and with "them"
Photo source: Avangard Media Group
Not long ago we talked about the biometric data of Russians in "Biometric personal data of Russians" and "How to create samples for the Unified biometric system and why this could be dangerous".
Russian banks have already started reporting that they are collecting biometric data (so far in test mode). And at the latest SOC-Forum, held on November 27-28, 2018, the Central Bank pointed out to the FSB that it is impossible to fully comply with its requirements for protecting the biometric personal data that banks collect from citizens.
The issue, of course, is cryptography. The first deputy head of the Information Security Department of the Central Bank, Artem Sychev, noted that there is no domestic cryptographic equipment that can protect the biometric data collected from citizens at the KV class. Yet it is precisely this protection class (at the level of state secrets) that is specified in Federal Security Service order No. 378.
At the same time, the deputy head of the 8th Center of the FSB of Russia, Igor Kachalin, expressed the hope that the Central Bank "will take a tough stance" on all means of protection when working with citizens' biometric data. It should be noted here that KV class products do exist on the Russian market, but they cannot be used: all of them require appropriate coordination.
Here are the explanations of some SOC-Forum participants (from a publication in the newspaper Kommersant):
“In order to encrypt the collected images sent to a single biometric system, it is necessary to integrate special equipment (HSM module) into the systems, and then receive KV class electronic signature certificate keys,” said a Kommersant source at a large bank.
According to some reports, HSM deployment is under way at 26 banks, but nowhere is it finished. However, banks declare their readiness to fulfill the FSB's requirements once at least one complete solution appears. In the meantime, participants continue to work and hope that the Central Bank and the FSB will resolve the issue of protecting the transmitted biometrics; otherwise the collection of biometric data will simply have to be stopped.
KV class keys are issued only by FSUE Scientific Research Institute Voskhod, and the procedure for issuing keys was approved only in the middle of October 2018. As Kommersant was told at Rostelecom, Voskhod has the necessary number of keys. “However, there is no method of correctly embedding HSM; after integrating the module, you need to get the FSB opinion,” a source at a large bank said. “But without a methodology, getting an FSB report is unrealistic.”
While this is the situation with biometric personal data in our country, it is interesting to see how things stand with “them”. Let us consider just a few countries with the most interesting results. This is all the more interesting because the Russian EBS system is copied from a similar system in India, which representatives of Russia visited to gain experience.
After a series of terrorist attacks in Mumbai in 2008, the Aadhaar biometric identification system (translated from Sanskrit as “basis”) was adopted in India. Citizens were promised deliverance from three main problems (terrorism, corruption and unfair elections), as well as food and fuel for the poor. Registration in the system was declared voluntary, but without it access to public services and subsidies is impossible. To build the system, a government agency, UIDAI, was created with a budget of more than $1.5 billion.
The Indian authorities collected the digital identification data of almost all citizens of the country, more than 1.4 billion people, in the Aadhaar database. When registering in Aadhaar, each resident was assigned a unique number with which their fingerprints, face photos and iris scans were associated. Also tied to this number are a passport, bank accounts, SIM cards, a cloud service for storing documents, medical cards, inventories, as well as documents for holding elections. All of this is supposed to simplify the use of electronic signatures and government documents for business purposes, financial transactions and obtaining public services.
However, the Aadhaar data very quickly went beyond the limits of state projects.
The government of India has allowed large companies and start-ups in medicine, IT, finance and other fields to use the biometric data of its citizens, and they began to use the information for commercial purposes. For example, the Edugild Business Incubator (Pune, India) supports three small IT firms that use iris scans of citizens to monitor school attendance and prevent fraud during exams (exams taken by others on behalf of the students).
In India, there are no laws and government agencies protecting information; however, many Indians support the initiative to create a national database of identity cards, hoping that it will eliminate petty corruption and reduce dissatisfaction when interacting with government agencies and companies.
Alixor Venture, another Indian business incubator, collaborates with a number of application developers who also use the Aadhaar database. These applications allow people to provide their own medical data to any medical institution, obtain insurance policies and open mutual funds using smartphones. The TrustID program, launched by a former Goldman Sachs banker, helps employers check job applicants for a criminal record, view information about the schools they graduated from, etc.
However, not everything went smoothly: in 2016, 210 Indian government websites leaked the personal data of millions of Indians to the network, and it is still freely returned by search engines. Furthermore, in May 2017 the unique numbers of 135 million citizens of India were additionally shared.
In January 2018, journalist Rachna Khaira showed how, in 10 minutes and for $8, one can get keys to Aadhaar with citizens' data from an anonymous dealer, and for $5 get software for producing biometric ID cards; for $95 she was promised access to UIDAI administrator accounts. The government of India denies everything, but it immediately blocked access to the database for 5,000 UIDAI employees and filed a police complaint against Rachna about the theft of classified information.
Recently, the UK Home Office published a plan to create a centralized biometric database. Information from such a database will help the police solve crimes faster, as well as check all visa applications and screen out unwanted migrants right at the border.
The 27-page “Biometric Strategy” report was ordered four years ago, but it was published only in July 2018. It contains a number of recommendations on how the UK government should collect, analyze and store biometric data. To date, the country's police, immigration and passport services have already collected DNA, fingerprints and face images of 12.5 million people. The authors of the report suggest combining all these data into a single database. This will avoid duplication of data and time wasted on delivering it from one office to another.
Immediately after its publication, this plan was sharply criticized by human rights defenders. For example, it is unclear what the Home Office is referring to when it claims “legal data collection” while the laws remain uncertain. Many human rights defenders also consider face recognition dangerous and unethical. With access to CCTV cameras and UAVs, the police can "cancel" anonymity at any time.
The authors of the report did, of course, mention the need to strengthen control over the security of storing and transmitting biometric data. However, experts consider this a half-measure which, in fact, boils down to creating an advisory council that gives recommendations to the government. There is no clear strategy for the use of biometrics.
This is not the first time the British system for collecting and storing biometric data has "failed." In the spring of 2018, a Home Office official declared that innocent people would not be removed from criminal databases because it was “too expensive.” And in May, it turned out that the face recognition system used in Wales at the Champions League final is wrong 90% of the time. Based on these data, the organization Big Brother Watch intends to achieve a complete ban on face recognition in the country.
In March 2018, Estonia offered its citizens free DNA tests as part of a national medical initiative. In return, the government promises Estonian citizens free decoding of their DNA. The proposal states that those who take the test can find out whether they are prone to type 2 diabetes and whether cardiovascular diseases, breast cancer or other health problems await them in the future. By May 2018, 38,000 Estonians had already signed up for testing, and that is the result of just 3 months. To date, DNA samples have already been taken from more than 100 thousand citizens.
Estonia began studying the DNA of its citizens even earlier, wanting to learn how to predict the onset of disease. A senior researcher at the Estonian Genetic Center at the University of Tartu says that even before this initiative was launched, the center’s biobank held 50,000 Estonian genome samples, and a specific person’s medical record was associated with each DNA sample.
The stated aim of this project sounds reasonable: to make the entire medical field more personalized, to study the Estonian genome, and to learn how to solve the specific health problems of the country's citizens. The government believes that this approach will help improve the quality of medicine while reducing costs. It is assumed that, thanks to the research, it will become widely known which diseases Estonians are most susceptible to, and medicine will start to fight not the symptoms but the causes of the problems.
By examining these samples, researchers have already managed to find many diseases that are characteristic of and common to different people. Moreover, Estonian scientists showed that their disease prognoses for many citizens came true within 3-5 years. After this, it was decided to expand the initiative. It has gained great popularity, judging by the fact that tens of thousands of people responded within a few months.
Sources: Kommersant Newspaper, thenextweb.com, www.stoletie.ru, hightech.plus