BSI Seeks New Biometrics Standard to Protect UK Business and Consumers

The British Standards division of BSI is producing new international standards for biometric technology - the science of using biological properties to identify individuals - for example, fingerprints, iris scan and facial recognition - which is set to be used in all new passports and the UK Government’s proposed ID Cards.

Seven international standards for finger, iris and facial formats could be published as early as May 2005.

Whilst fighting terrorism has been the catalyst behind these standards, BSI is also striving to protect both individuals against ID inaccuracies and UK commercial interests in the biometrics industry.

After the USA PATRIOT Act and the Enhanced Border Security and Visa Entry Reform Act 2002 were passed, the US asked the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) to create a new international committee on. Its goal would be to focus on the rapid yet comprehensive development and approval of formal international standards.

The first meeting of the international committee was held in December 2002 in Orlando, Florida, and was attended by delegates from the new technical committee from Britain. Since then, the UK delegation’s input has helped to keep the international work on track. Britain is the second largest contingent attending the International Standards Organisation’s (ISO) meetings after the Americans.

Bob Carter says: "This standardisation work is important because it will support the rapid deployment of open system, standard-based security solutions for areas such as homeland security or the prevention of ID theft."

The BSI delegation is working with industry specialists around the world to collate data and negotiate a global consensus on how this technology should be designed to interface effectively and safely with fingerprints, faces, voices and eyes.

Worried by the threat of further terrorist attacks and in the wake of new laws (the US Visit Program), the US Federal Government recently announced that all visitors would be fingerprinted and photographed on entry into the country.

The US introduced legislation that mandated the use of biometrics as a counter to international terrorism. The driver used was the US Visa Waiver programme and the introduction of biometric-enabled passport books. Because the legislation stipulated using ISO standards, these are now being created rapidly, yet comprehensively and collaboratively.

The technology consists of a reader or scanning device; software that converts the scanned data into digital form and a database that stores the biometric data for later comparison. The challenge for global governments and private companies is to work collectively, to create an infrastructure of biometric systems that not only protect societies from attack but also individuals from an invasion of privacy.

Bob Carter, adds: "If the technology is to be successfully understood, deployed and integrated across any jurisdiction, the internationally recognised standards are crucial. "It really started before 9/11, The International Civil Aviation Organization (ICAO) was trying to find a way to improve immigration control by processing passengers quickly, using biometrics.

Mike Low, the director of British Standards, comments: "Whilst political pressure is certainly expediting this process, there is also growing demand from the biometric and IT industry itself to develop ISO standards for this important and increasingly used technology.

"The aim of these standards is to make the implementation and application of biometric technology and the associated data easier for industry. The specifiers of such equipment will have a clear standard on which to use and the manufacturers will be able to utilise the specifications to trade with greater confidence. It is essential to understand the reliability of a particular biometric system and to know how one can trust the claims made by the suppliers. Ultimately, this is standardisation creating business opportunities for UK industry."

The British Government will benefit from maintaining a biometrics knowledge base since UK scientists had helped lead the way with the development of this technology. For example, biometric applications are being proposed for immigration/asylum and border crossing processes.

Developing a technology to international standards also increases the potential market for a supplier, as not only will their products be suitable for the home market but also equally acceptable for the global market.

The creation of international standards is expected to be of substantial advantage to UK companies, given the strong technical base and position of international leadership that they have established.

Achieving a standardised approach to biometrics not only involves technologies but also procedures. With all biometrics a good image means having a better chance of successfully comparing that data in the future. There are numerous ways of taking and recording an image but people have been rushing the initial template. The British committee believes in spending more time to develop a better quality image.

In 2005 several new biometric ISO standards will be published covering biometric data interchange formats for iris, facial and fingerprint data. These will be followed by standards on signature, profiles for specialised workers, testing and reporting and a technical report covering cross-jurisdictional and societal aspects. A further standard on biometric vocabulary should also be finalised.

The initial potential market for these standards may be limited to governments and particularly suppliers of border management and passport solutions. That said, commercial interest in biometrics will increase as ISO Standards are developed and compliance with them is increasingly stipulated by commercial customers.

While British delegation members understand the technological issues surrounding biometrics, BSI has been able to structure their suggestions into a format that is acceptable to the ISO. "We lack expertise on the nuances of the rules, which is where BSI helps," he says. "It has also helped us look at the sociological issues – biometrics affects privacy and that is an emotive issue. We are looking at how best to introduce the technology."

Biometrics affects privacy and that is an emotive issue. But used properly, it can protect privacy.

N.B. The primary source of information for this article is the June/July issue of Business Standards, the magazine of the BSI Group.

• BSI: Mike Low, director of British Standards, Richard Taylor, marketing development manger for e-commerce & information security and Anne Cassidy Programme Manager All are available to discuss high level BSI activity in this area and other related standards development activity relating Information Security

• Bob Carter - Committee Chairman - Lead Technical Contact. Bob is best placed to cover the technical detail with regard to the standards development programme and the impact of biometrics and the leading applications such as US homeland security and the potential ID Card Scheme in the UK.

Contact Steven Brassey for high-resolution images.

The four main headings for biometric standards are:

1. Raw processed data and data interchange
2. Program interfaces
3. Independent certification
4. Industry conduct

• The raw processed data covers such issues as the basic biometric templates. For example, examining such issues as exactly what data is collected from the finger image the facial image or the iris and how is this data processed and stored.

• The data interchange deals with such issues as how the collected data is presented to other parts of the system.

• The program interfaces covers how the collected data and or results of searches are communicated or interchanges with other sections of the overall system.

• Perhaps one of the prime reasons for Standards is to facilitate interoperability between systems. It is equally sensible for system integrators not to have to rely on a single proprietary source for a particular technology. Therefore, being able to use one supplier’s technology and mix and match with another supplier not only enables increased competition but also reduces the commercial risk in relying solely on one particular supplier.

• The larger-scale applications that demand many different styles of end user equipment to meet a particular segment of the proposed solution can in many cases only be achieved through a variety of different technologies that all conform to the same technical Standard.

• There is a difference between national standards and International Standards. If the application is purely national based there is less of a need for the technology to conform to International Standards, however, if the application requires interoperability between different nations it makes sense for the technology to comply with Internationally agreed Standards.

• During 2005 it is anticipated that several new ISO Standards will be created and become available for publication. These are:

1. ISO 19784 BioAPI

2. ISO 19785-1 CBEFF – Data Element Specification

3. ISO 19785-2 Procedures for the Operation of the Biometric Registration Authority

4. ISO 19794-2 Biometric data interchange formats
Finger Minutiae Data

5. ISO 19794-4 Biometric data interchange formats
Finger Image Data

6. ISO 19794-5 Biometric data interchange formats
Face Image Data

7. ISO 19794-6 Biometric data interchange formats
Iris Image Data

• These Standards will rapidly be followed by Standards covering, Signature, Profiles for various categories of specialised workers, Testing and Reporting and a Technical Report covering Cross Jurisdictional and Societal Aspects. A further Standard covering Biometric Vocabulary is also expected to be finalised during 2005 and this work will form part of the existing Standing Document on Definitions ISO/IEC 2382.