31 March 2019

Implantables and biometrics

A slow news day at the Canberra Times, with a breathless item today announcing that 'More than a hundred Canberrans have implantable microchips'.

Yes, we are back in Meow-Ludo Disco Gamma Meow-Meow territory again, this time with reporting about an Australian entrepreneur who's an advocate of implanted tags.

The CT states
A convicted hacker is selling implantable microchips able to store data including credit card details, and more than 100 Canberrans have signed on to the new technology. 
Chip My Life, an Australian company which imports the technology and sells it domestically, has sold more than 100 microchips to ACT residents since operations began in 2016. 
The microchips are the size of a grain of rice and are implanted into the webbing between the thumb and forefinger in a procedure that takes less than a minute. The procedure can be carried out by specialists in Sydney, and a Canberra-based clinic is slated for the coming months. 
The company's co-founder, a convicted hacker, Skeeve Stevens said interest had surged in the national capital for the technology in recent years. 
He said the microchip was inserted into the webbing between the finger and thumb because the area had fewer pain nerves. 
In 1995, Mr Stevens was sentenced to three years in prison for stealing and publishing the credit card numbers of 1200 AUSNet subscribers. ... 
Mr Stevens laughed off privacy concerns about his business, saying the conviction didn't seem to matter in other parts of his career where he speaks to government departments about the implications of new technology. 
He said he does not have access to the data being placed on the chips. While the company provided the microchip, users were responsible for inputting their personal information. 
"In the three years we've been going, we've sent out around 1600 microchips," Mr Stevens said. "We don't know what people do with the chips once we send it to them," he said. "It's more secure than the card in your hip pocket or your wallet if you're using it for the same type of purposes." 
Mr Stevens is among those who have an implanted microchip. His holds codes for his front door and garage at home. He said the majority of microchip users use the technology to store data normally found in swipe cards. 
"Some of the chips use the same technology as swipe-card technology in that it holds a single serial number to open something like a garage door. "The other type of chips can hold a lot more information and people use it to store personal information and things like credit card details."
An irreverent friend commented that 100 implants (primarily to black tshirt-wearing male geeks?) is not a revolution and wondered whether there had been a similar uptake of Prince Alberts and other things that make most people scratch their heads or go ouch.

'Use and acceptance of biometric technologies in 2017' (AIC Trends and Issues in Crime and Criminal Justice) by Russell G Smith, Alexandra Gannoni and Susan Goldsmid comments 
As part of the Australian Government’s National Identity Security Strategy (AGD 2013), a sample of Australians were surveyed about their experience of identity crime and misuse and how they responded to the problem. In addition to finding out how prevalent misuse of personal information is, the surveys asked respondents to indicate how willing they were to use various biometric technologies to protect their personal information (Emami, Brown and Smith 2016). 
This paper presents the findings of the surveys conducted in 2014, 2016 and 2017 that relate specifically to previous use of biometrics and willingness to use biometrics in the future. It provides updated information on the findings of the 2014 survey, which was the first to assess the willingness of Australian victims of identity crime to use biometrics to enhance the security of their personal information (Emami, Brown and Smith 2016). The other more general findings of the identity crime and misuse surveys have been published elsewhere (Goldsmid, Gannoni and Smith 2018; Smith, Brown and Harris-Hogan 2015; Smith and Hutchings 2014; Smith and Jorna 2018). 
The place of biometrics in identity security 
Biometric technologies use an individual’s unique physiological or behavioural attributes as a means of identification. They include fingerprint matching, signature analysis, or recognition of a person’s retina, iris, face or voice. Facial recognition is now considered to be the dominant biometric technology globally and the one most likely to increase in use over the next few years. The findings of the Biometrics Institute’s annual surveys of members since 2010 have shown that facial recognition has continued to grow in importance. These surveys are conducted annually and are sent by the Biometrics Institute to its 6,000 individual members and other stakeholders worldwide. In June 2018, 310 individuals responded to the survey, representing suppliers of biometrics (48%), users (38%) and other interested organisations and industries (14%; Biometrics Institute 2018). The 2018 survey found that 47 percent of respondents considered facial recognition to be the biometric technology most likely to be on the increase over the next few years (Biometrics Institute 2018). This was followed by iris recognition (8%), fingerprint recognition (7%) and voice recognition (6%). A further 19 percent of survey respondents considered that multi-modal approaches that combine various biometrics would be most likely to increase over the next few years (Biometrics Institute 2018). 
Biometric technologies are currently used by a range of organisations in Australia to verify the identities of the people with whom they deal. For example, the Department of Home Affairs collects biometric information including fingerprints and facial images from offshore visa applicants, onshore protection visa applicants, immigration detainees, and certain categories of airline passengers (Department of Home Affairs 2018). 
Australian airports have facial recognition capabilities, known as SmartGates, that enable travellers with ePassports from Australia, New Zealand, the United Kingdom, Switzerland, Singapore and the United States to process themselves rather than undergoing the customs and immigration checks that are usually conducted by Australian Border Force officers (Department of Home Affairs 2018). Standards for the interoperability of biometric systems have also been developed to promote the effective operation of biometric systems between various government agencies (AGD 2012). 
In addition, biometrics have been introduced to verify an individual’s identity in a range of other settings. For example, a number of financial institutions are considering using biometric technologies such as fingerprint recognition for payment card authentication and for mobile banking services instead of passwords and PINs (Saarinen 2017). Iris recognition has also been used for cardless ATM transactions (Kim 2015). In Australia, the National Australia Bank and Microsoft have collaborated to design a proof of concept ATM using biometrics, cloud and artificial intelligence technologies; this would enable customers to withdraw cash from ATMs using facial recognition technology and a PIN (Planet Biometrics 2018). 
Respondents to the Biometrics Institute’s survey in 2018 indicated that the most significant development in the use of biometrics during the last 12 months related to border control/security, accounting for 20 percent of responses. This was followed by online identity verification (12%), large-scale national identity deployments (9%), financial services (8%) and mobile payments/m-commerce, device access and surveillance (these last three types accounting for 7 percent each). Respondents also indicated that over the next five years the most important developments would occur in relation to online identity verification (20%), large-scale national identity deployments (11%) and border control/security (11%; Biometrics Institute 2018).
The authors conclude
As the use of digital technologies has become more widespread, and identity crime and misuse have continued to increase, the computer security industry has sought to improve avenues for the efficient and secure authentication of users’ identities. Existing systems that rely on username and password combinations have become problematic as criminals have become more adept at compromising passwords. The proliferation of username and password combinations has also made it impossible for users to manage this information without resorting to insecure ways of remembering their passwords, or having to purchase and use automated password management software (Emami, Brown and Smith 2016). 
Biometric technologies seek to solve this problem by enabling individuals to use their biological attributes as a means of identifying themselves. This report presents the findings of recent surveys that sought to quantify the extent to which a sample of Australians have made use of different biometrics in the past, and how willing they would be to use the selected biometrics in the future to minimise the risk of criminal misuse of personal information. 
With the rise of international security incidents, a balance must be struck between the need for personal security and the need for privacy and confidentiality of personal information. Prior research has found that concerns over privacy, data loss and spoofing (attempting to overcome biometric recognition systems) are important factors restraining the biometrics market. The present surveys confirmed that respondents were concerned about the privacy and confidentiality of personal information when using biometrics, particularly with systems operating outside government control. Understanding people’s perceptions of risk and their willingness to use technology as a security solution is of critical importance in devising appropriate policy measures that will be effective on the one hand, and accepted by the community on the other (Emami, Brown and Smith 2016).  
The current survey research showed that a relatively small percentage of respondents had used the specified biological biometrics in the past, but that use increased significantly between 2016 and 2017. It also showed that almost half (48%) of respondents in 2017 were willing to use one of the four biological biometrics to protect personal information in the future, and that this was a three percentage point increase on the same finding in 2016. Between 2016 and 2017 all the biometrics examined showed a statistically significant increase in user acceptance. In 2017, nine percent of respondents even reported being willing to use implanted chips to protect their personal information. It was also found that older respondents were significantly more willing to use any of the four biological biometrics than younger respondents, perhaps indicating greater concern among older Australians regarding the security of their personal information, or perhaps their need to guard their assets and life savings from theft. Alternatively, younger people might be reluctant to use technologies that appear to be complex and could be seen to impede their immediate access to information in the online world. Clearly, ongoing monitoring of these attitudes is needed to ensure that future generations of users are willing to use any biometric systems that are implemented. Respondents who reported recent victimisation were also significantly more likely than other respondents to report a willingness to use voice and iris recognition as well as chip implantation to protect their personal information, but not fingerprint or facial recognition systems. 
As the biometrics market continues to develop, further research is needed to understand users’ behaviour and willingness to use biometric technologies, particularly facial recognition and multimodal systems that combine various biometrics, which are developing strongly. Evidence is needed of the extent to which such systems are vulnerable to fraud and misuse and how individuals respond to victimisation and reinstate their personal information following compromise. In addition, evidence is needed of the crime displacement effects of introducing biometrics and how criminal behaviour adapts and changes as a result of enhanced user authentication processes. In particular, risks of violent crime and duress inflicted on users need to be examined and strategies developed to address any such problems.
The work is interesting because it will be embraced by particular advocates and because much of the data is very discordant, with the authors recurrently referring to inconsistencies regarding claimed exposure to specific technologies rather than merely a wariness about stated attitudes. Like much professional research, it is an invitation to a deeper and more comprehensive study.