Biometric Honey. No More.
New technology means that there are intelligent ways to store biometric data
Dateline: Threadbo, 16th August 2024.
I am sure that responsible commentators on the world of digital finance are not supposed to have a favourite data breach, but I cannot help it. I have a new favourite data breach pretty much every week. One of my current favourites comes from El Salvador, where more than five million personal records, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free.
(The number and nature of the records prompted speculation on social media that the breach is from the Chivo Bitcoin wallet.)
Honey
Now you may be wondering, as I was, why a responsible digital wallet operator would create a centralised database of personal information, particularly when that information may be of considerable assistance to criminals of many varieties. And, in particular, you may be wondering why the digital wallet operator would store the facial photos at all, never mind in an unencrypted format. If the selfies were required for onboarding (to match an individual face against a photo on a driving licence or some other ID card) then they should have been deleted immediately after the match was made. If they are retained for future “step up” authentication, then the operator should have stored the biometric templates, not the biometrics.
These biometric templates are typically much smaller in size compared to raw biometric data, such as a facial picture, which makes storage and transmission efficient, and they are much more secure because they do not store the biometric itself but an abstraction of it. The abstraction is a mathematical representation of the distinct biological traits that are extracted from their raw biometric data through a process known as "feature extraction”.
This is how FaceID works, for example. When you unlock your iPhone, the sensors scan your face and extract the features, then match these features against the template that was stored when you set up your phone. If someone was to break into the secure element in your iPhone they wouldn’t find a picture of your face but a data representation of the key features of your facial biometric. This reduces the risk of misuse if the data is compromised because it is very difficult to reverse-engineer a stolen template into the original biometric data.
It reduces but it does not eliminate the risk, it is important to note, because if an attacker steals the your face template, for example, they may not be able to use it to reconstruct your face, but they may well be able to use it to construct a face that the identification algorithm will match to your template, if you see what I mean. In the face of such “inversion attacks”, where the bad guys can use knowledge of the feature extractor to generate synthetic biometric samples that matches the stored biometric template, the biometric templates themselves must in practice be protected with the same degree of security as the biometrics themselves.
with kind permission of Helen Holmes (CC-BY-ND 4.0)
What all of this means is that if you are not going to store the biometric (or the biometric template) in the phone but in a central server, then it would be a good idea not to store it in a form in which it can be stolen!
Sam Altman’s Worldcoin has switched to just such an implementation. Instead of storing the biometric, or the biometric template, they break up the template into encrypted pieces stored in different places. Working within a field of cryptography known as secure multi-party computation (SMPC), they have applied new techniques to the biometric templates of people’s irises (known as "iris codes”) that enable Worldcoin to determine an individual’s uniqueness. The techniques (open source and available in a Github repository) allow iris codes to be individually encrypted into multiple different secret shares held by multiple parties. These parties can then work together to compute results over the secret information without learning anything about the secret itself.
With this, World ID can bring a new level of privacy to the verification of uniqueness of biometric templates. I spoke to their head of blockchain Remco Bloeman about the need for the new technology, and he told me that it brings a step change to the handling of population-scale biometrics and demonstrates their continued commitment to both privacy and security.
(Following migration of their stored iris codes to the new SMPC system, the old iris codes were securely deleted.)
A Big Step
This is an important step, because SMPC protocols have historically been very resource intensive which is why, despite their privacy protective qualities, they have not seen extensive use for safeguarding these kinds of biometric templates. However, recent work on powerful optimisations in SMPC protocols that make them efficient for machine learning problems has advanced the state of the art. In joint work between the Worldcoin Foundation and TACEO, these optimisations have been adapted to create an SMPC protocol for comparing iris codes. This optimisation makes it possible to apply SMPC to the problem of iris code uniqueness and achieves a speedup of more than 10,000 times, greatly extending the use cases.
Zero Knowledge
Now, like zero-knowledge proofs and homomorphic encryption, this kind of cryptography may seem like magic — comparing a biometric template of your iris to a stored biometric template of your iris without ever bringing together the broken-up stored pieces of the biometric and decrypting them — but it is a tried, tested and well-understood cryptographic method, one of a class of techniques that have long fascinated me because they give us the potential to “square the circle” by providing both privacy and security.
New York-based Anonybit, as one example, has deployed similar technology to provide privacy and security to organisations across a variety of sectors. Their CEO Frances Zelazny told me that these cryptographic techniques "represent the future of how biometrics will be stored and managed". I have said that I wholly agree with her view that there is really no reason to store biometric templates in a form that renders them vulnerable to theft or ransomware.
The era of biometric honeypots is over. Or, at least, it should be over.
Are you looking for:
A speaker/moderator for your online or in person event?
Written content or contribution for your publication?
A trusted advisor for your company’s board?
Some comment on the latest digital financial services news/media?
Great blog Dave, really helpful for non-quants like me to functionally understand how the good guys are busy working on securing security.!