Biometrics and surveillance: Identification, de-identification, and strategies for protection of personal data

Posted on: 2010-09-26
Degree: Ph.D
Type: Thesis
University: Carnegie Mellon University
Candidate: Newton, Elaine Marie
Full Text: PDF
GTID: 2448390002983824
Subject: Engineering
Abstract/Summary:
In this thesis, I explore the current needs for and the state of conventionally deployed biometric systems as they relate to the following categories of societal concerns: (1) collection of personal information across domains linked by biometric identifiers, (2) errors that lead to a false accusation, (3) errors that lead to inconvenience, (4) collection/use without consent, and (5) use of biometrics data when not needed for a function or not proportional to potential for loss or risk.

A technique (k-Same) to minimize use of biometric data for secondary purposes is proposed and demonstrated in Chapter 2, which is a technical method proposed to begin to address the fourth category of concerns for data with facial images. In the context of sharing video surveillance data, a significant threat to privacy is face recognition software, which can automatically identify known people, such as from a database of drivers' license photos, and thereby track people regardless of suspicion. Chapter 2 introduces an algorithm to protect the privacy of individuals in video surveillance data by de-identifying faces such that many facial characteristics remain but the face cannot be reliably recognized. A trivial solution to de-identifying faces involves blacking out each face. This thwarts any possible face recognition, but because all facial details are obscured, the result is of limited use. Many ad hoc attempts, such as covering eyes, fail to thwart face recognition because of the robustness of face recognition methods. This paper presents a new privacy-enabling algorithm, named k-Same, that guarantees face recognition software cannot reliably recognize de-identified faces even though many facial details are preserved. The algorithm determines similarity between faces based on a distance metric and creates new faces by averaging image components, which may be the original image pixels (k-Same-Pixel) or eigenvectors (k-Same-Eigen). Results are presented on a standard collection of real face images with varying k.

The fourth and fifth categories are addressed in Chapter 3, where I discuss the concept of anonymity in public places, which is being rapidly eroded by new technology, security concerns raised by the threat of global terrorism, commercial interests and a variety of other forces. With proper foresight, and careful system design, most of the desirable social functions of advanced information systems, including improved security, could be achieved with little erosion of anonymity or individual privacy. To support this assertion, I discuss strategies for influencing design choices and offer specific examples involving systems for video surveillance, anonymous air travel, and biometric systems. I conclude that a set of best professional design practices, together with programs of certification, design and performance specifications for system acquisition, and similar strategies should be developed and widely adopted. There is also a need for a Presidential or other high-level Commission to review and evaluate current law; systematically examine the implications of current and likely future information technology for anonymity and privacy; articulate a vision of how best to balance conflicting legitimate social objectives that impact anonymity and privacy; and develop guidelines which can form the basis of a new set of legislative initiatives by the U.S. Congress. (Abstract shortened by UMI.)

In Chapter 1, I examine the errors and use of biometrics as an identifier by reviewing the state of independent testing of common biometric modalities and performing a gap analysis. This gap analysis is then discussed with regard to the requirements of typical applications (personal security, forensic/surveillance applications, watchlists, and large-scale ID systems).
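The k-Same-Pixel idea described in the abstract (group faces by a distance metric, then replace each group with its pixel-wise average) can be sketched as follows. This is an added example, not code from the thesis: the Euclidean metric, the rule for handling the last few faces, the function names and the tiny pixel vectors are all assumptions made for illustration.

```python
# Added illustration of k-Same-Pixel; metric and grouping order are assumptions.
from math import dist


def k_same_pixel(faces, k):
    """Return de-identified faces, index-aligned with `faces`.

    faces: equal-length pixel vectors (aligned, flattened face images).
    Every output vector is the pixel-wise mean of a group of >= k inputs,
    so each released face is shared by at least k people.
    """
    if k < 1 or len(faces) < k:
        raise ValueError("need k >= 1 and at least k faces")
    remaining = list(range(len(faces)))
    out = [None] * len(faces)
    while remaining:
        # Assumption: when fewer than 2k faces remain, group all of them,
        # otherwise the final group would be smaller than k.
        size = k if len(remaining) >= 2 * k else len(remaining)
        seed = remaining[0]
        # Similarity = Euclidean distance in pixel space (seed sorts first).
        group = sorted(remaining, key=lambda i: dist(faces[seed], faces[i]))[:size]
        avg = [sum(col) / size for col in zip(*(faces[i] for i in group))]
        for i in group:
            out[i] = avg
        remaining = [i for i in remaining if i not in group]
    return out


def smallest_group(deidentified):
    """Size of the smallest set of people sharing one released face."""
    counts = {}
    for face in deidentified:
        counts[tuple(face)] = counts.get(tuple(face), 0) + 1
    return min(counts.values())


# Constructed sample: five 4-pixel "faces" (real inputs are aligned images).
FACES = [
    [10, 10, 200, 200],
    [12, 11, 198, 205],
    [90, 95, 100, 110],
    [92, 90, 105, 108],
    [88, 97, 102, 111],
]

if __name__ == "__main__":
    released = k_same_pixel(FACES, k=2)
    print(released[0], "shared by at least", smallest_group(released), "people")
```

Because every released vector stands for at least k originals, a recognizer matching a released face back to the input set cannot do better than a 1-in-k guess for that group, which is the property to check when choosing k.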
Keywords/Search Tags:Biometric, Surveillance, Systems, Personal, Data, Face recognition, Strategies