Biometric Systems Private by Design: Reasoning about privacy properties of biometric system architectures
Julien Bringer, Hervé Chabanne, Daniel Le Métayer, Roch Lescuyer

TL;DR
This paper demonstrates how formal methods and a general privacy architecture framework can be applied to biometric systems to analyze and improve their privacy guarantees, enabling systematic comparison of different designs.
Contribution
It adapts a formal privacy architecture framework to biometric systems, allowing systematic reasoning about privacy properties across various architectures.
Findings
Formal framework can specify biometric system privacy architectures
Different component choices significantly impact privacy guarantees
Systematic analysis enables comparison of biometric privacy designs
Abstract
This work aims to show that, and how, the privacy by design approach can be applied to biometric systems, and the benefit of using formal methods to this end. Starting from a general framework introduced at STM in 2014, which makes it possible to define privacy architectures and to formally reason about their properties, we explain how it can be adapted to biometrics. The choice of particular techniques and the role of the components (central server, secure module, biometric terminal, smart card, etc.) in the architecture have a strong impact on the privacy guarantees provided by a biometric system. In the literature, some architectures have already been analysed in some way. However, the existing proposals were made on a case by case basis, which makes it difficult to compare them and to provide a rationale for the choice of specific options. In this paper, we describe, on different…
Taxonomy
Topics: Biometric Identification and Security · User Authentication and Security Systems · Privacy, Security, and Data Protection
