Employee's Right to Privacy

The employee's right to privacy and the employer's need to protect its corporate interests have always been in conflict. Early on, employees were treated like property. Once in the employ of a company, the corporation controlled many aspects of the employee's life. It wanted to know with whom the employee associated, to what organizations the employee belonged, the religious affiliation the employee held, and other aspects of the employee's personal life that could affect the company. The advent of trade unions and other such groups did much to remove these intrusions into the employee's everyday life. Today, the employee faces a number of privacy issues that never existed before or were of little interest to the employer.

Protection of Personal Data Collected by the Employer

Not long ago, an employee's personnel file contained relatively little information. The most confidential piece of information in the file was the employee's social security number, which the government required so that the employee's salary could be taxed. In today's data-rich world, most employees would be surprised to see what information their employer holds about them. This information could include:
The simple fact that this data has been collected can be very unsettling to an employee. The employee would be rightly concerned about who is viewing this data and what it is being used for. As discussed in the section describing the employer's requirement for privacy, biometrics can be implemented to help enhance the privacy of the employer. Once those biometric systems are in place, the employer can also use them to help protect the employee's privacy. However, the very biometric that protects the privacy of the employer and the employee could also be used to invade the employee's privacy. What follows is a discussion of the impact of biometrics on the privacy of the employee.

Biometrics as an enabler of employee privacy

Employees are rightly concerned about who can view the personal information collected about them, and biometrics can help here. If the information about an employee is stored electronically, biometric authentication can be used to protect access to it, so that only employees with a legitimate requirement to access the information can do so. It also deters the employees who do have access from sharing it: if they know that they can be positively identified as having accessed another employee's confidential record, they may be less likely to pass the information to a third party or gossip about what they know. Physical access biometrics can likewise prevent unauthorized employees from entering the area where paper records are securely stored. Requiring biometric authentication to reach paper documents deters unauthorized access and helps manage the access that is required. It should also give the employee some confidence that the company is doing what it can to safeguard personal data.

Biometrics used to invade employee privacy

An employee needs to be made aware of what personal information is being collected and what it is being used for.
Most employers have the legal right to monitor what an employee does while conducting business on the employer's behalf, and to monitor how corporate resources are used. The employer may listen to employee phone calls and voicemails, for instance to determine with whom the employee is communicating, and may in the process hear personal information, which could then be recorded and stored for future use. The employer may use digital surveillance cameras to watch for unauthorized access. These cameras record digitally and their output can be stored indefinitely. A group of anonymous employees meeting in a hallway and talking may not be of any interest to an employer. However, if one of the employees in the group later turns out to be supplying information to a competitor, the employer may want to know to whom that employee was speaking.

Many companies now require an employee to submit to a background check. These background checks are mainly carried out using fingerprints: the employer collects the prospective employee's fingerprint images digitally and sends them off for the check. The number of industries doing this type of checking has increased since September 11, 2001.

Without even realizing it, then, an employee may be handing the employer samples of his/her biometric traits. Voicemail or recorded conversations can be used with voice-based biometrics. Digital surveillance cameras can provide both face and gait biometric information. Lastly, the fingerprints collected for a background check can be used for fingerprint biometric verification. There are really two issues here that concern the employee. First, the biometric data for voice, face, and gait could be obtained without the employee's consent or knowledge. Second, how is the employer going to use the biometric data collected? Collecting employee biometric data can be done either covertly or overtly.
In an overt collection of biometric data, the employee knowingly submits to the collection. In a covert system, the employee does not know that his/her biometric data is being collected. With voice, face, and gait data, the employee may not be aware that the employer was collecting it at all. The employer could argue that the surveillance cameras are visible and well known, and that the employee should not have an expectation of privacy at his/her place of employment. With fingerprint data, by contrast, the employee knows that it is being collected: he/she must be present and actively submit a finger for fingerprinting, and knows that the data is being collected for a background check.

The second, more invasive problem is: what other uses does the employer have for this data? An employee can never know for sure, but the company's privacy statement gives some indication of how the data will be used. In general, the privacy statement should mention its disclosure policies for third parties. Some policies say that, for business or legal reasons, private information may be shared. The policy will often go on to state that any third party will abide by the same privacy statement as the company releasing the data, and may also say that the releasing company is liable for the third party's misuse of the data. This can be reassuring, but who monitors whether or not the third party breached its agreement? It is generally the responsibility of the company that shared the data in the first place, and it is in that company's interest not to find any breaches, since it would be liable for them. The result is self-regulation that does not really work.

What is an employee to do? The best an employee can do is to be diligent about how his/her personal information is used and to provide only the absolute bare minimum. Be aware that your personal data is a valuable commodity.
Any interaction you have with an entity that is not tracked is, from that entity's point of view, a lost opportunity for data gathering: lost revenue if the data would have been sold, or lost intelligence on the employee.

The real onus of providing a positive biometric privacy environment falls on the company. It is the company that wants to use biometrics to strengthen its authentication. If a company wants to use biometrics, it must create a privacy policy that respects the employee as an individual, yet at the same time affords the company a strong factor of authentication.

Creating a Positive Biometric Policy

The largest obstacle to overcome in a successful biometric implementation is user acceptance. A user may refuse biometrics for any number of reasons, including fear, ignorance, stigma, religious beliefs, and the loss of privacy. A pro-privacy policy statement can address the user's concerns. The policy statement should address the following areas:
Let's expand on each in more detail.

Biometric enrollment

A privacy policy must clearly state which biometrics are being enrolled and how the data will be captured. A pro-privacy policy will allow biometric enrollment only through overt means: both passive and active biometrics will be taken only with the user's full knowledge and consent.

Passive biometric measures like face, voice, gait, and to a lesser extent, eye-based biometrics can be taken from the user without his/her knowledge or consent. A camera in the lobby could record a person's face and/or gait. A camera in an elevator beside the floor selection panel could capture eye-based (iris) biometrics. A microphone in a hallway or elevator, or the user's own phone handset, could be used to record a voice biometric. In all these cases, the user would never know that his/her biometric had been enrolled. It is paramount that if these types of biometrics are used, the user is clearly told when they are being enrolled so that he/she can consent to the enrollment.

Active biometrics like finger, hand, and vein biometrics require the user to actively submit to enrollment, and are seen as more privacy-friendly for that reason. Even so, the user still needs to be told that he/she is being biometrically enrolled so that he/she can consent.

The enrollment portion of a pro-privacy policy statement should also make clear that what is about to take place is a moment of trust. The enrollment agent or someone else of authority must positively identify the user being enrolled, because the greatest risk of fraud in a biometric system comes at enrollment time: a template bound to the wrong identity will be trusted by every verification that follows. The user must be prepared to produce appropriate documentation and/or have other trusted parties in the company vouch for his/her identity. It should be made clear that this is being done for the protection of both the employee and the employer.
From the employee's perspective, positive identification at enrollment means that no one else can enroll while claiming to be him/her, so that he/she is the only person the biometric system will recognize under that identity. This way, if a biometric audit log is used to establish who performed a particular action, the employee knows he/she will not be falsely identified. When biometric enrollment takes place, the company needs to disclose the following regarding the enrollment:
Template storage and transmission

When an employee is biometrically enrolled, the resulting templates need to be stored somewhere. Templates can be stored in relational databases, on smart cards, as files on a user's computer, or in a corporate Lightweight Directory Access Protocol (LDAP) directory. The employee's and employer's privacy concerns differ depending on where the template is stored. For discussion purposes, let's group template storage into two categories by location: LDAP directories and relational databases are network-based and thus available online; local files and smart cards can be considered offline storage. Privacy concerns with templates being online are:
Each point needs to be examined from both the employee's and employer's perspective.
For both parties, the security of online template storage is important. Online storage in either a relational database or an LDAP directory has similar properties that cause concern. Both have the following characteristics:
Access control lists (ACLs) are security mechanisms applied to records in a relational database or to attributes in an LDAP directory. The ACLs control who can read, write, delete, or otherwise change the records. They can be set for individual users or groups, or inherited from higher up in the access tree. ACLs have the potential for privacy invasion if they are not set and managed properly.

One of the biggest failings with ACLs is the over-assignment of rights. This normally happens when there are problems accessing certain data: instead of analyzing why the data cannot be accessed, the administrator keeps granting higher levels of rights until access is achieved, and in doing so may inadvertently expose information that should not be available to everyone. If that information includes templates, the templates become accessible and may be compromised. The proper way to handle this is to assign ACLs with the minimum privileges required. If an application needs only to read and write templates, it does not need the right to delete them or to modify the ACLs themselves. ACLs for templates should also be set through group ACLs rather than individual entries. That way, if a new server or a new administrator needs access to the templates, it can be added to the group; when an administrator no longer needs access, he/she is removed from the group instead of having individual ACL entries hunted down.

When templates are stored on a network-based resource, they are network-accessible: almost any machine in the firm could reach their storage location. Networks can be partitioned and routing disabled between subnets, but if you need to support free seating (users working from any desk), you cannot limit where a user may access these templates from. A better solution is to put a trusted proxy in front of the template store, so that the proxy is the only means of accessing the templates.
Better still, the actual matching of templates should take place on a trusted server. That server can then also act as the proxy and return a template only to itself. With this approach, the templates never leave the trusted server, and on that server they carry the appropriate ACLs for access. The one flaw in this solution is that the database or LDAP directory used for template storage may also be used by other applications, some of which may require end-users to access the database or directory directly. So even if the templates have the proper ACLs on them, unauthorized access attempts can still be made; there are well-known attacks against databases and directories for exactly this purpose. The fact that these exist demands that the company's security group make every effort to keep the network secure and the data repositories patched with the latest fixes from their vendors. This way, the risk can be mitigated or reduced.

The economies of scale that corporations have reaped from implementing TCP/IP have also proved to be a security risk. TCP/IP is the networking protocol that allows everything to be connected and to share the network infrastructure. It is what allows corporations to connect to the Internet, send and receive email, browse the Web, and offer applications and data to partners and customers. This same TCP/IP network also lets attackers right in the company's front door. As discussed in Chapter 2, TCP/IP provides the mechanisms for these attacks to occur. This, combined with templates being stored on network-based resources, provides the opportunity for compromise. Again, protecting the templates from compromise is part of the network security group's responsibility.
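The trusted-proxy and match-on-server arrangement just described, together with the group-based, least-privilege ACLs from the previous paragraphs, can be sketched in code. The following Python is an added example for this page, not code from the book or from any biometric vendor; the group names, the `TemplateStore` and `MatchServer` classes, the Hamming-distance toy matcher and the 0.90 threshold are all assumptions made for illustration.

```python
"""Match-on-server behind a trusted proxy, with group-based least-privilege ACLs.

Added illustration, not code from the book or any biometric vendor. The group
names, the toy Hamming-distance matcher and the threshold are assumptions.
"""
from dataclasses import dataclass, field

READ, WRITE, DELETE = "read", "write", "delete"


def hamming_similarity(a: bytes, b: bytes) -> float:
    """Toy matcher: fraction of equal bits in two fixed-length codes (iris-code style)."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


@dataclass
class TemplateStore:
    """Template repository whose rights are granted to groups, never to individuals."""
    templates: dict = field(default_factory=dict)      # user_id -> reference template
    group_rights: dict = field(default_factory=dict)   # group -> set of rights
    membership: dict = field(default_factory=dict)     # principal -> set of groups

    def rights_of(self, principal: str) -> set:
        rights = set()
        for group in self.membership.get(principal, ()):
            rights |= self.group_rights.get(group, set())
        return rights

    def _require(self, principal: str, right: str) -> None:
        if right not in self.rights_of(principal):
            raise PermissionError(f"{principal} lacks '{right}' on templates")

    def read(self, principal: str, user_id: str) -> bytes:
        self._require(principal, READ)
        return self.templates[user_id]

    def write(self, principal: str, user_id: str, template: bytes) -> None:
        self._require(principal, WRITE)
        self.templates[user_id] = template

    def delete(self, principal: str, user_id: str) -> None:
        self._require(principal, DELETE)
        del self.templates[user_id]


class MatchServer:
    """The only principal allowed to read templates; hands clients nothing but yes/no."""

    def __init__(self, store: TemplateStore, principal: str, threshold: float = 0.90):
        self.store, self.principal, self.threshold = store, principal, threshold

    def verify(self, user_id: str, probe: bytes) -> bool:
        reference = self.store.read(self.principal, user_id)  # never leaves this process
        return hamming_similarity(reference, probe) >= self.threshold


def build_demo():
    """Constructed data: one enrolled user, one match server, one ordinary workstation."""
    store = TemplateStore(
        group_rights={
            "biometric-match-servers": {READ},        # may match, cannot alter or delete
            "biometric-enrollment": {WRITE},          # may enroll, cannot read back
            "biometric-admins": {READ, WRITE, DELETE},
        },
        membership={
            "match-server-01": {"biometric-match-servers"},
            "enrollment-desk": {"biometric-enrollment"},
            "alice-workstation": set(),               # end-user device: no rights at all
        },
    )
    store.write("enrollment-desk", "alice", bytes([0b10101010] * 8))
    return store, MatchServer(store, "match-server-01")


if __name__ == "__main__":
    store, server = build_demo()
    good_probe = bytes([0b10101010] * 7 + [0b10101011])  # one bit differs from the reference
    bad_probe = bytes(8)
    print("alice, good probe:", server.verify("alice", good_probe))
    print("alice, bad probe:", server.verify("alice", bad_probe))
    try:
        store.read("alice-workstation", "alice")
    except PermissionError as e:
        print("workstation blocked:", e)
```

Run as written, the workstation's direct read raises PermissionError while the server answers only True or False, and revoking a server is a matter of removing it from the `biometric-match-servers` group with no per-record ACL edits. A production matcher and repository replace the toy pieces; the separation (clients talk to the server, only the server reads templates) is the point.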
If access to the templates is compromised, whether from the inside or the outside, the templates can be posted and moved around the world in fractions of a second, and the sheer computing power available on the Internet can then be put to work attacking them. The simple fact that the templates have left the employer's control is in itself cause for concern.

The connections between the template repository and the verification location are also cause for concern. There are TCP/IP attacks that let an attacker intercept packets destined for the proper recipient, or interact directly with the application listening on the server. Proper operating system choices, applying all operating system and application patches, and good security models in the biometric software can help reduce these risks.

The network-based resources in which the templates are stored are high on an attacker's target list. Databases and directories contain information that others want, so they are frequent victims of attack, and because they are such highly valued targets, large numbers of attackers try the latest exploits against them. The probability that the servers holding the templates will face well-known attacks is therefore high. It is imperative that the servers that hold the database or LDAP directory be secured both physically and digitally. These servers should be inside the firewall and should not host any applications or services that require external connectivity. These simple practices reduce the risk of external attack, but the servers may still be vulnerable to an internal attacker. A large share of security intrusions are perpetrated by insiders or with their assistance; once again, the greatest weakness is the human element.
While biometrics provide a means to mitigate some of the human risk, they cannot mitigate all of it. Good human resource (HR) and IT policies can also address the insider threat. HR policies can stipulate that unauthorized access to corporate resources, or disclosure of company information, is a punishable offense. IT policies can force administrators to follow best practices and mandate the rotation of personnel to prevent fraud from being perpetrated over extended periods. Personnel rotation is very common in the banking industry: employees in all positions either rotate out of their positions or take mandatory holiday time. This time away is meant to prevent the ongoing cover-up of illegal activity, since an employee cannot conceal his/her actions while absent. It works well, assuming that the employer has a way to check for illegal activity or suspects something.

Verification

Once an employee is enrolled, the reference template is used for verification. The privacy concerns of verification are as follows:
Let's examine these verification concerns in more detail.

Reason for verification

Like any factor of authentication, a request for verification should not be taken lightly. When an employee verifies, he/she is confirming his/her identity with a high level of certainty. This creates a point of recognition: the employee is no longer an anonymous entity but has an identity, and associations can be made. If the verification is done in the course of company business, then it is a justifiable verification. If the verification is frivolous or intended to create non-business-related associations, a breach of privacy has taken place. Examples of justifiable verification are:
Examples of unjustified verification are:
What are the reasons behind justifiable and unjustifiable verifications?

Justifiable verifications
Unjustifiable verifications
Where verification takes place

The act of verification is purely computational. Wherever there is sufficient computing power, a verification could take place. Historically, biometric verifications take place on:
Let's examine each in more detail.

Servers

Server matching seems to offer the ideal solution. The match takes place away from the client, on a machine in a secure facility. This server is, to a large degree, considered trusted: it is assumed not to have been physically or logically compromised. When the reference template is used for verification, it is never exposed to the PC in any way. The software on the client machine making the request expects back only a simple yes or no answer from the server. Assuming the communications between server and client are secured, the server solution is ideal: the reference template is never exposed and the authentication can be automatically audited. One drawback of servers is the problem of how employers support offline users. The obvious answer is that they cannot with server-based authentication alone. This leaves two other choices: use the user's workstation/laptop, or use a portable token like a smart card.

Workstations

Using workstations for authentication provides location convenience. In general, the user will always have access to one and will normally carry a laptop when traveling. The use of a workstation creates additional concerns, however: the inherently untrusted nature of workstations, and how templates get to the workstation for verification. Workstations in general are not to be trusted. Employees can load almost any software they like on them, and they will modify security settings because the security administrator granted them full access so as not to have any access-denied issues. Workstations and laptops are also lost or stolen at an alarming rate, so the storage of templates on any local machine is a concern if the laptop is compromised. Most biometric solution providers have a mechanism to get templates to a workstation, where they are stored encrypted until needed for verification.
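Because templates cached on a workstation give a thief as long as he/she likes to work on them, one mitigation is to age the cache: block a template after it has gone a few days without contacting the server, and securely delete it after a hard limit, so that only an online refresh can reactivate it. The following Python is an added example for this page, not the book's or any vendor's code; the three-day and seven-day limits, the in-memory cache, the `FakeClock` and the opaque "encrypted template" bytes are assumptions, and the vendor's encryption of the cached template is out of scope.

```python
"""Aged templates on an offline workstation: block after a grace period, securely
delete after a hard limit, reactivate only by talking to the server.

Added illustration, not the book's or any vendor's code. The day limits, the
in-memory cache layout and the opaque 'encrypted blob' are assumptions.
"""
from datetime import datetime, timedelta, timezone


class TemplateCache:
    ACTIVE, BLOCKED, ABSENT = "active", "blocked", "absent"

    def __init__(self, block_after_days: int = 3, delete_after_days: int = 7, clock=None):
        if delete_after_days <= block_after_days:
            raise ValueError("delete limit must exceed block limit")
        self.block_after = timedelta(days=block_after_days)
        self.delete_after = timedelta(days=delete_after_days)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = {}  # user_id -> {"blob": bytearray, "refreshed": datetime, "blocked": bool}

    def refresh_from_server(self, user_id: str, encrypted_template: bytes) -> None:
        """The only path that (re)activates a template: the workstation is online."""
        self._entries[user_id] = {
            "blob": bytearray(encrypted_template),  # mutable so it can be wiped later
            "refreshed": self._clock(),
            "blocked": False,
        }

    def sweep(self) -> None:
        """Age the cache: block stale templates, wipe and drop expired ones."""
        now = self._clock()
        for user_id in list(self._entries):
            age = now - self._entries[user_id]["refreshed"]
            if age >= self.delete_after:
                self._secure_delete(user_id)
            elif age >= self.block_after:
                self._entries[user_id]["blocked"] = True

    def _secure_delete(self, user_id: str) -> None:
        # Overwrite before dropping the reference. For an on-disk cache you would
        # overwrite the file, fsync and unlink; on SSDs and journaled file systems
        # that is best effort only, one more reason to keep the window short.
        entry = self._entries.pop(user_id)
        entry["blob"][:] = b"\x00" * len(entry["blob"])

    def status(self, user_id: str) -> str:
        entry = self._entries.get(user_id)
        if entry is None:
            return self.ABSENT
        return self.BLOCKED if entry["blocked"] else self.ACTIVE

    def template_for_verification(self, user_id: str) -> bytes:
        """What the local matcher may use; refuses aged or missing templates."""
        self.sweep()
        state = self.status(user_id)
        if state != self.ACTIVE:
            raise PermissionError(f"template for {user_id} is {state}; go online to reactivate")
        return bytes(self._entries[user_id]["blob"])


class FakeClock:
    """Constructed clock so the aging can be exercised without waiting days."""

    def __init__(self):
        self.now = datetime(2004, 1, 1, tzinfo=timezone.utc)

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)

    def __call__(self) -> datetime:
        return self.now


def demo_timeline():
    """Walk one laptop through the aging states; returns the status after each step."""
    clock = FakeClock()
    cache = TemplateCache(block_after_days=3, delete_after_days=7, clock=clock)
    cache.refresh_from_server("alice", b"opaque-encrypted-template")   # day 0: online
    seen = [cache.status("alice")]
    clock.advance(4); cache.sweep(); seen.append(cache.status("alice"))  # day 4: blocked
    cache.refresh_from_server("alice", b"opaque-encrypted-template")   # day 4: back online
    seen.append(cache.status("alice"))
    clock.advance(8); cache.sweep(); seen.append(cache.status("alice"))  # day 12: wiped
    return seen


if __name__ == "__main__":
    print(demo_timeline())
```

The timeline runs active, blocked, active, absent: a laptop that stays offline past the grace period can no longer verify locally, and one that stays offline past the hard limit has nothing left on it to attack.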
Thus, if a laptop is stolen or compromised, the templates can be attacked continuously. A better solution is to age the templates and then delete them. An aged template is one whose continued use has been blocked by some means. An aged/blocked template can be reactivated when the workstation talks to a server online. Aged templates are securely deleted from the workstation after a predetermined number of days. This way, a thief or attacker has a limited timeframe in which to work on the templates.

Smart cards

Smart cards have historically been used for stored-value purchasing and, more recently, for logical access. They are well suited to this role: they come with their own processor and memory, and the speed and size of the chip dictate the processing the card is capable of. With biometric verification, the match can occur on the card itself if the biometric vendor supports match-on-card. In the usual arrangement, a comparison template is created on the PC from the live sample and sent to the smart card; the card compares it against the reference template it holds and returns only a yes or no. If the answer is yes, the user is verified, and the reference template never leaves the card. If the vendor does not support match-on-card, the card is merely storage: the reference template has to be released to the PC for matching, and the workstation concerns described above return. The biggest benefit of the smart card is therefore the secure storage of the templates. For someone to attack a card, he/she would need physical possession of it and a very detailed understanding of the card's structure and operating system. With a smart card system, the employee gets offline access to applications and the employer gets secure storage of the templates.

Terms of use and audit statements

The terms of use and audit statements in a positive biometric policy should define the following:
Let's expand on each of the above points.

What can the biometric data be used for?

Once an employer has possession of biometric data, the terms of use in the positive biometric policy should make clear when and how it will be used. They should state when biometric verifications will be required and how the results will be used, the requirements the employer will place on the employee for re-enrollment, and any other possible uses.

Will it be used in correlation with other data?

This part of the statement gives the employee some idea of what other uses the employer has for the data. If the employer is going to correlate verifications against other data, it needs to outline clearly what the combined data will be used for. If it is to be used for third-party disclosures, the employee should by default be able to opt out. Any exposure of correlated data to a third party for uses other than the employer's core business should be clearly defined, and no employee should have the sharing of his/her data with third parties for non-core-business purposes as a condition of employment. The employee should also have the right to view all data that has been correlated against his/her moments of recognition.

Length of storage of the biometric data

The employee has the right to know how long the employer intends to keep his/her biometric data. The period should be long enough to give the employer sufficient protection, while giving the employee confidence that the data will be properly disposed of. A positive biometric policy should state the number of days, weeks, months, or years the data will be kept after the employee leaves, is dismissed, retires, or dies. It should also state how the data will be destroyed, and whether any data correlations will be destroyed with it.
Audit trails for access to the biometric data

The employee has a right to expect that biometric data will be accessed only for authorized business purposes. To ensure this, audit trails must be kept. An audit trail should record enrollments, deletions, modifications, the time of last access, and the user ID that performed that access. This way, the employer is obliged to examine the logs for its own protection: if there is evidence of illegal activity, the employer could be held liable for any damages the employee incurs.

Audit trails created for verification

When a user is challenged for a moment of recognition, there must be an audit trail of the event. It needs to show the location of the request, the date and time, the application that requested the authentication, the challenged username, the FAR in force, and whether the request succeeded or failed. These audit trails need to be administered by someone outside the security and biometrics group, so that there can be no question as to the validity of the entries.

How the employer is audited against terms of use

There is no point in having a positive biometric policy if it cannot be enforced, and before it can be enforced it must be seen and validated. The policy must clearly state the organization responsible for the audit, the arbitrator available to settle disputes, how frequently audits will happen, and how the auditor's report will be distributed.

Will biometric data be shared with third parties?

Sharing biometric data with an unknown third party is never good. The employee loses control over his/her data and the employer may become liable for additional injury suffered by the employee. Sharing must be optional, and the default decision for sharing employee data must be no: to have biometric data shared, the user must proactively opt in. Some sharing of data with law enforcement organizations may be necessary.
It can be a condition of employment that all employees undergo background checks; this is a reasonable example of when data can be shared with a third party.

What options do employees have who cannot or will not use biometrics?

As much as biometrics have been hyped as the "silver bullet" for securing information technology, there will be portions of the population that will not want to, or cannot, use them. For any given biometric, roughly 3 to 6% of the user population is unable to use it for one reason or another. This small group still needs a strong authentication solution. The secondary factor of authentication needs, as far as possible, to offer the same high level of assurance as the biometric, because the fallback path is what attackers will go after: it is a lot easier to attack something that does not have biometrics as its primary means of authentication, and biometric authentication does not suffer from the same kinds of brute-force attacks as passwords. Fallback mechanisms should also try to provide the same level of user convenience that biometrics would, if possible.
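Returning to the two audit trails called for above (access to the biometric data, and verification events), they can be kept in a form that a custodian outside the biometrics group is able to check for gaps and edits. The following Python is an added example for this page, not the book's code; the record fields follow the text, while the HMAC chain, the custodian-held key, the out-of-band "head" value and the constructed sample events are additions made for illustration.

```python
"""Tamper-evident audit trail for template access and verification events.

Added illustration, not the book's code. Field names follow the text
(location, date/time, application, username, FAR, outcome; enroll/modify/
delete/read with the acting user ID). The HMAC chain, the custodian key and
the sample events are constructed for this example.
"""
import hashlib
import hmac
import json

GENESIS = "00" * 32  # chain anchor before the first record


class AuditTrail:
    def __init__(self, custodian_key: bytes):
        self._key = custodian_key   # held by the custodian, not the biometrics group
        self.records = []

    def _mac(self, record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _append(self, kind: str, **fields) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        record = {"seq": len(self.records), "kind": kind, "prev": prev, **fields}
        record["mac"] = self._mac(record)   # covers prev, so records cannot be reordered
        self.records.append(record)
        return record

    def log_verification(self, *, location, timestamp, application, username, far, success):
        return self._append("verification", location=location, timestamp=timestamp,
                            application=application, username=username, far=far, success=success)

    def log_template_access(self, *, action, subject, actor, timestamp):
        if action not in ("enroll", "modify", "delete", "read"):
            raise ValueError(f"unknown template action {action!r}")
        return self._append("template_access", action=action, subject=subject,
                            actor=actor, timestamp=timestamp)

    def head(self) -> str:
        """Value the custodian records out of band so a dropped tail is detectable."""
        return self.records[-1]["mac"] if self.records else GENESIS

    def check(self, records=None, expected_head=None):
        """Custodian's check: (True, None) if intact, else (False, first bad position)."""
        records = self.records if records is None else records
        expected_prev = GENESIS
        for position, record in enumerate(records):
            if record.get("seq") != position or record.get("prev") != expected_prev:
                return False, position
            if not hmac.compare_digest(self._mac(record), record["mac"]):
                return False, position
            expected_prev = record["mac"]
        if expected_head is not None and expected_prev != expected_head:
            return False, len(records)
        return True, None


def build_demo():
    """Constructed sample events: one enrollment, two verifications, one late-night read."""
    trail = AuditTrail(custodian_key=b"constructed-demo-key-held-by-internal-audit")
    trail.log_template_access(action="enroll", subject="alice", actor="enrollment-desk",
                              timestamp="2004-01-05T09:12:00Z")
    trail.log_verification(location="door-b2", timestamp="2004-01-06T08:01:13Z",
                           application="physical-access", username="alice", far=0.0001, success=True)
    trail.log_verification(location="ws-1187", timestamp="2004-01-06T08:03:40Z",
                           application="payroll-client", username="alice", far=0.0001, success=False)
    trail.log_template_access(action="read", subject="alice", actor="dba-jsmith",
                              timestamp="2004-01-06T23:45:02Z")
    return trail


def tampered_copies(trail):
    """Two constructed manipulations: flipping a failed outcome, and dropping the last record."""
    flipped = [dict(r) for r in trail.records]
    flipped[2]["success"] = True
    truncated = [dict(r) for r in trail.records[:-1]]
    return flipped, truncated


if __name__ == "__main__":
    trail = build_demo()
    flipped, truncated = tampered_copies(trail)
    print("intact:", trail.check())
    print("flipped outcome:", trail.check(flipped))
    print("dropped tail, chain only:", trail.check(truncated))
    print("dropped tail, with head:", trail.check(truncated, expected_head=trail.head()))
```

The chain alone catches an edited or removed record in the middle but not a silently dropped tail, which is why the custodian also records the current head value out of band (for example daily) and checks against it. Because the MAC key lives with the custodian rather than the biometrics group, the group can append records but cannot rewrite them undetected, which is the independence the text asks for.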