Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Maximilian Zinkus,Tushar M. Jois,Matthew Green

DOI: https://doi.org/10.48550/arXiv.2105.12613

2021-05-26

Abstract:In this work we present definitive evidence, analysis, and (where needed) speculation to answer the questions, (1) Which concrete security measures in mobile devices meaningfully prevent unauthorized access to user data? (2) In what ways are modern mobile devices accessed by unauthorized parties? (3) How can we improve modern mobile devices to prevent unauthorized access? We examine the two major platforms in the mobile space, iOS and Android, and for each we provide a thorough investigation of existing and historical security features, evidence-based discussion of known security bypass techniques, and concrete recommendations for remediation. We then aggregate and analyze public records, documentation, articles, and blog postings to categorize and discuss unauthorized bypass of security features by hackers and law enforcement alike. We provide in-depth analysis of the data potentially accessed via law enforcement methodologies from both mobile devices and associated cloud services. Our fact-gathering and analysis allow us to make a number of recommendations for improving data security on these devices. The mitigations we propose can be largely summarized as increasing coverage of sensitive data via strong encryption, but we detail various challenges and approaches towards this goal and others. It is our hope that this work stimulates mobile device development and research towards security and privacy, provides a unique reference of information, and acts as an evidence-based argument for the importance of reliable encryption to privacy, which we believe is both a human right and integral to a functioning democracy.

Cryptography and Security,Computers and Society

Anaelia Ovalle,Davi Liang,Alicia Boyd

2023-10-06

Abstract:Smartphones are integral to our daily lives and activities, providing us with basic functions like texting and phone calls to more complex motion-based functionalities like navigation, mobile gaming, and fitness-tracking. To facilitate these functionalities, smartphones rely on integrated sensors like accelerometers and gyroscopes. These sensors provide personalized measurements that, in turn, contribute to tasks such as analyzing biometric data for mobile health purposes. In addition to benefiting smartphone users, biometric data holds significant value for researchers engaged in biometric identification research. Nonetheless, utilizing this user data for biometric identification tasks, such as gait and gender recognition, raises serious privacy, normative, and ethical concerns, particularly within the queer community. Concerns of algorithmic bias and algorithmically-driven dysphoria surface from a historical backdrop of marginalization, surveillance, harassment, discrimination, and violence against the queer community. In this position paper, we contribute to the timely discourse on safeguarding human rights within AI-driven systems by providing a sense of challenges, tensions, and opportunities for new data protections and biometric collection practices in a way that grapples with the sociotechnical realities of the queer community.

Computers and Society,Artificial Intelligence

Abdulaziz Alzubaidi,Jugal Kalita

DOI: https://doi.org/10.48550/arXiv.1911.04104

2019-11-11

Cryptography and Security

Abstract:Smartphones and tablets have become ubiquitous in our daily lives. Smartphones, in particular, have become more than personal assistants. These devices have provided new avenues for consumers to play, work, and socialize whenever and wherever they want. Smartphones are small in size, so they are easy to handle and to stow and carry in users' pockets or purses. However, mobile devices are also susceptible to various problems. One of the greatest concerns is the possibility of breach in security and privacy if the device is seized by an outside party. It is possible that threats can come from friends as well as strangers. Due to the size of smart devices, they can be easily lost and may expose details of users' private lives. In addition, this might enable pervasive observation or imitation of one's movements and activities, such as sending messages to contacts, accessing private communication, shopping with a credit card, and relaying information about where one has been. This paper highlights the potential risks that occur when smartphones are stolen or seized, discusses the concept of continuous authentication, and analyzes current approaches and mechanisms of behavioral biometrics with respect to methodology, associated datasets and evaluation approaches.

Marcos Faundez-Zanuy

DOI: https://doi.org/10.1109/MAES.2005.9740719

2022-02-23

Abstract:In the XXIth century there is a strong interest on privacy issues. Technology permits obtaining personal information without individuals consent, computers make it feasible to share and process this information, and this can bring about damaging implications. In some sense, biometric information is personal information, so it is important to be conscious about what is true and what is false when some people claim that biometrics is an attempt to individuals privacy. In this paper, key points related to this matter are dealt with.

Cryptography and Security,Machine Learning

Juan Carlos Bernal-Romero,Juan Manuel Ramírez-Cortés,José de Jesús Rangel-Magdaleno

DOI: https://doi.org/10.1109/mim.2024.10472986

2024-03-19

IEEE Instrumentation and Measurement Magazine

Abstract:Nowadays, technological advancements have pushed the growth of cyber-physical ecosystems through wearable and smart devices in the interoperability of the Internet of Things (IoT), cloud computing, and information technology. All these IoT devices are designed to launch multiple services or applications that require identity management systems, i.e., user access control systems for services, applications, resources, or data. Furthermore, access control systems are based on pattern recognition systems, where patterns cannot be forgotten, swapped, counterfeited, lost, or stolen. Consequently, biometric systems present an excellent opportunity area for security, social acceptance, performance, and experience quality for users, because biometric traits are unique to each individual and persist throughout their lifetime, preventing swapping, loss, or forgetting. Nonetheless, some biometric traits are not secrets, i.e., some traits can be acquired without an individual's knowledge and consent, e.g., a person's face or voice in social media videos. At the same time, the development of artificial intelligence has facilitated identity swap, attribute manipulation, and realistic expression exchange through image, audio, or video synthesis techniques known as DeepFakes.

engineering, electrical & electronic,instruments & instrumentation

Marcus Smith,Seumas Miller

DOI: https://doi.org/10.1007/s00146-021-01199-9

2021-04-13

Abstract:Abstract Biometric facial recognition is an artificial intelligence technology involving the automated comparison of facial features, used by law enforcement to identify unknown suspects from photographs and closed circuit television. Its capability is expanding rapidly in association with artificial intelligence and has great potential to solve crime. However, it also carries significant privacy and other ethical implications that require law and regulation. This article examines the rise of biometric facial recognition, current applications and legal developments, and conducts an ethical analysis of the issues that arise. Ethical principles are applied to mediate the potential conflicts in relation to this information technology that arise between security, on the one hand, and individual privacy and autonomy, and democratic accountability, on the other. These can be used to support appropriate law and regulation for the technology as it continues to develop.

Feng Lin,Kun Woo Cho,Chen Song,Wenyao Xu,Zhanpeng Jin

DOI: https://doi.org/10.1145/3210240.3210344

2018-01-01

Abstract:In recent years, biometric techniques (e.g., fingerprint or iris) are increasingly integrated into mobile devices to offer security advantages over traditional practices (e.g., passwords and PINs) due to their ease of use in user authentication. However, existing biometric systems are with controversy: once divulged, they are compromised forever - no one can grow a new fingerprint or iris. This work explores a truly cancelable brain-based biometric system for mobile platforms (e.g., smart headwear). Specifically, we present a new psychophysiological protocol via non-volitional brain response for trustworthy mobile authentication, with an application example of smart headwear. Particularly, we address the following research challenges in mobile biometrics with a theoretical and empirical combined manner: (1) how to generate reliable brain responses with sophisticated visual stimuli; (2) how to acquire the distinct brain response and analyze unique features in the mobile platform; (3) how to reset and change brain biometrics when the current biometric credential is divulged. To evaluate the proposed solution, we conducted a pilot study and achieved an f -score accuracy of 95.46% and equal error rate (EER) of 2.503%, thereby demonstrating the potential feasibility of neurofeedback based biometrics for smart headwear. Furthermore, we perform the cancelability study and the longitudinal study, respectively, to show the effectiveness and usability of our new proposed mobile biometric system. To the best of our knowledge, it is the first in-depth research study on truly cancelable brain biometrics for secure mobile authentication.

Qian Li,Jianyu Zhou,Jennifer S. Stevenson

DOI: https://doi.org/10.1080/01947648.2024.2307624

2024-02-21

Journal of Legal Medicine

Abstract:The legal protection of biometric data is becoming an increasingly important issue in the information society. China attaches importance to the legal protection of biometric data. Over the past decades, the rapid development of digital technology has profoundly influenced Chinese information society. However, digital technology may also trigger substantial risks. In this article, we provide an in-depth examination of existing Chinese laws protecting biometric data. We explore general laws and facial recognition laws, administrative regulations, sector-based rules, judicial interpretations, regulatory documents, policy documents, and (draft) national standards. We find gaps in laws in China. Building on this analysis, we elaborate on five principles for the legal protection of biometric data: (1) legality, propriety, and necessity; (2) integrity; (3) purpose; (4) minimization; and (5) controllability. We provide three policy recommendations for the legal protection of biometric data: (1) sufficiently considering the purpose of the collection of biometric data, (2) creating controllable mechanisms, and (3) implementing regulatory compliance programs.

social sciences, biomedical,law

Yanyan Li,Junshuang Yang,Mengjun Xie,Dylan Carlson,Han Gil Jang,Jiang Bian

DOI: https://doi.org/10.1109/milcom.2015.7357627

2015-01-01

Abstract:Personal identification numbers (PIN) and unlock patterns are highly popular authentication mechanisms on smart mobile devices but they are not sufficiently secure. PIN or pattern mechanisms enhanced by additional, implicit behavioral biometric authentication can offer stronger authentication assurance while preserving usability, therefore becoming very attractive. Individual studies on PIN- and pattern-based behavioral biometric authentication on smartphones were conducted but their results cannot be directly compared. In this work, we present a comparison study on the authentication accuracy between PIN-based and pattern-based behavioral biometric authentication using both smartphone and tablet. We developed a uniform framework for both PIN-based and pattern-based schemes and used two representative methods-Histogram and DTW-for user verification. We recruited 15 users and collected behavioral biometric data for both simple and complex PINs and patterns. Our experimental results show that PIN-based and pattern-based behavioral biometric authentication schemes can achieve about the same level of accuracy but not all verification methods are equal. The Histogram method can achieve more consistent results and handle template aging better than the DTW method based on our results. Our findings are expected to shed light on the exploration and analysis of effective behavioral biometric verification methods and facilitate more comprehensive investigation on behavioral biometric authentication for mobile devices.

Mohamed Abomhara,Sule Yildirim Yayilgan

DOI: https://doi.org/10.48550/arXiv.2201.03401

2022-01-10

Cryptography and Security

Abstract:Biometric recognition is a highly adopted technology to support different kinds of applications, ranging from security and access control applications to low enforcement applications. However, such systems raise serious privacy and data protection concerns. Misuse of data, compromising the privacy of individuals and/or authorized processing of data may be irreversible and could have severe consequences on the individual's rights to privacy and data protection. This is partly due to the lack of methods and guidance for the integration of data protection and privacy by design in the system development process. In this paper, we present an example of privacy and data protection best practices to provide more guidance for data controllers and developers on how to comply with the legal obligation for data protection. These privacy and data protection best practices and considerations are based on the lessons learned from the SMart mobILity at the European land borders (SMILE) project.

Ana Valdivia,Júlia Corbera-Serrajòrdia,Aneta Swianiewicz

DOI: https://doi.org/10.48550/arXiv.2112.11193

2021-12-24

Abstract:In 2019, the UK's Immigration and Asylum Chamber of the Upper Tribunal dismissed an asylum appeal basing the decision on the output of a biometric system, alongside other discrepancies. The fingerprints of the asylum seeker were found in a biometric database which contradicted the appellant's account. The Tribunal found this evidence unequivocal and denied the asylum claim. Nowadays, the proliferation of biometric systems is shaping public debates around its political, social and ethical implications. Yet whilst concerns towards the racialised use of this technology for migration control have been on the rise, investment in the biometrics industry and innovation is increasing considerably. Moreover, fairness has also been recently adopted by biometrics to mitigate bias and discrimination on biometrics. However, algorithmic fairness cannot distribute justice in scenarios which are broken or intended purpose is to discriminate, such as biometrics deployed at the border. In this paper, we offer a critical reading of recent debates about biometric fairness and show its limitations drawing on research in fairness in machine learning and critical border studies. Building on previous fairness demonstrations, we prove that biometric fairness criteria are mathematically mutually exclusive. Then, the paper moves on illustrating empirically that a fair biometric system is not possible by reproducing experiments from previous works. Finally, we discuss the politics of fairness in biometrics by situating the debate at the border. We claim that bias and error rates have different impact on citizens and asylum seekers. Fairness has overshadowed the elephant in the room of biometrics, focusing on the demographic biases and ethical discourses of algorithms rather than examine how these systems reproduce historical and political injustices.

Computers and Society,Artificial Intelligence

Taylan Sen,Kurtis Haut,Denis Lomakin,Ehsan Hoque

DOI: https://doi.org/10.48550/arXiv.2102.08004

2021-02-16

Abstract:Imagine an app on your phone or computer that can tell if you are being dishonest, just by processing affective features of your facial expressions, body movements, and voice. People could ask about your political preferences, your sexual orientation, and immediately determine which of your responses are honest and which are not. In this paper we argue why artificial intelligence-based, non-invasive lie detection technologies are likely to experience a rapid advancement in the coming years, and that it would be irresponsible to wait any longer before discussing its implications. Legal and popular perspectives are reviewed to evaluate the potential for these technologies to cause societal harm. To understand the perspective of a reasonable person, we conducted a survey of 129 individuals, and identified consent and accuracy as the major factors in their decision-making process regarding the use of these technologies. In our analysis, we distinguish two types of lie detection technology, accurate truth metering and accurate thought exposing. We generally find that truth metering is already largely within the scope of existing US federal and state laws, albeit with some notable exceptions. In contrast, we find that current regulation of thought exposing technologies is ambiguous and inadequate to safeguard civil liberties. In order to rectify these shortcomings, we introduce the legal concept of mental trespass and use this concept as the basis for proposed regulation.

Computers and Society,Artificial Intelligence

Harold Abelson,Ross Anderson,Steven M Bellovin,Josh Benaloh,Matt Blaze,Jon Callas,Whitfield Diffie,Susan Landau,Peter G Neumann,Ronald L Rivest,Jeffrey I Schiller,Bruce Schneier,Vanessa Teague,Carmela Troncoso

DOI: https://doi.org/10.1093/cybsec/tyad020

2024-01-01

Journal of Cyber Security

Abstract:Abstract Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy—in the sense of unimpeded end-to-end encryption—and the ability to successfully investigate serious crime. In this paper, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society, while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which CSS can fail, can be evaded, and can be abused.

Paul Balanoiu

DOI: https://doi.org/10.48550/arXiv.1002.3475

2010-02-18

Abstract:Most developed countries have started the implementation of biometric electronic identification cards, especially passports. The European Union and the United States of America struggle to introduce and standardize these electronic documents. Due to the personal nature of the biometric elements used for the generation of these cards, privacy issues were raised on both sides of the Atlantic Ocean, leading to civilian protests and concerns. The lack of transparency from the public authorities responsible with the implementation of such identification systems, and the poor technological approaches chosen by these authorities, are the main reasons for the negative popularity of the new identification methods. The following article shows an approach that provides all the benefits of modern technological advances in the fields of biometrics and cryptography, without sacrificing the privacy of those that will be the beneficiaries of the new system.

Cryptography and Security

Konark Modi,Lakshmipathi Devaraj

DOI: https://doi.org/10.48550/arXiv.2212.13187

2023-01-02

Abstract:Authentication plays a significant part in dealing with security in public and private sectors such as healthcare systems, banking system, transportation system and law and security. Biometric technology has grown quickly recently, especially in the areas of artificial intelligence and identity. Formerly, authentication process has depended on security measures like passcodes, identity fobs, and fingerprints. On the other hand, as just a consequence of these precautions, theft has increased in frequency. In response, biometric security was created, in which the identification of a person is based on features derived from the physiological and behavioral traits of a human body using biometric system. Biometric technology gadgets are available to the public as they are embedded on computer systems, electronic devices, mobile phones, and other consumer electronics. As the fraudulent is increasing demand and use of biometric electronic devices has increased. As a consequence, it may be possible to confirm a person's distinct identification. The goal of this study is to examine developments in biometric systems in the disciplines of medicine and engineering. The study will present the perspectives and different points of view of the secondary data, highlighting the need for more in-depth understanding and application of biometric technology to promote its development in the digital era. The study's findings may inspire people and businesses to more effectively incorporate biometric technologies in order to reduce the risks to data and identity security.

Cryptography and Security

Taeho Jung,Ryan Karl,Geoffrey H. Siwo

DOI: https://doi.org/10.48550/arXiv.2103.14741

2021-03-26

Cryptography and Security

Abstract:DNA fingerprinting is a cornerstone for human identification in forensics, where the sequence of highly polymorphic short tandem repeats (STRs) from an individual is compared against a DNA database. This presents significant privacy risks to individuals with DNA profiles in the database due to hacking by malicious attackers who may access the data and misuse it for secondary purposes. In this paper, we propose a novel cryptographic framework for jointly encrypting DNA-based fingerprints (STRs) with other biometric data, for example, facial images, such that the STRs and biometrics information of an individual are revealed only when a positive match is found, i.e. the STRs act as decryption keys. Specifically, when a search is performed on the encrypted database using STR sequences of an individual in the database, a perfect match generates the facial image and/ or other biometrics of the individual while the lack of a match returns a null result. By jointly encrypting DNA fingerprints and other biometrics using the unique STRs generated keys, our approach ensures perfect privacy of the encrypted information with decryption of only the record with STRs matching the query. This safeguards the information of other individuals in the same database. The proposed approach can also be used to securely authenticate the identity of individuals or biological material in scenarios beyond forensics including tracking the identity of samples for clinical genetics and cell therapies.

Seungjae Jeon,Jaehyun Chung,Doowon Jeong

DOI: https://doi.org/10.48550/arXiv.2308.09092

2023-08-18

Abstract:In the rapidly advancing technological landscape, smartwatches have materialized as multifunctional devices integral to our daily routines. Smartwatches store a substantial amount of personal information, potentially serving as repositories of digital evidence. Thus, digital forensic researchers have devoted considerable effort to exploring smartwatch forensic techniques. However, it has been observed that prior studies have primarily treated smartwatches as mere storage mediums for digital evidence, neglecting their potential role in criminal activities. This paper presents the information leakage perpetrated through smartwatches. We represent crime scenarios in an environment where smartphones are not available, considering that the perception that smartphones can be used as tools for criminal behavior prevails in many organizations, while the potential of similar-use smartwatches is often overlooked. We detail mechanisms for information leakage via file transfer and camera control using smartwatches. Additionally, we present methods to investigate each crime incident through smartwatch forensics. Finally, we describe the limitations of post-incident responses and propose proactive measures to prepare for potential crimes involving smartwatches. Keywords: Information Leakage, Smartwatch Forensics, Android Forensics, Mobile Device Management, Security Policy

Cryptography and Security

Marcos Faundez-Zanuy

DOI: https://doi.org/10.1109/MAES.2006.1662038

2022-02-23

Abstract:This paper presents an overview of the main topics related to biometric security technology, with the main purpose to provide a primer on this subject. Biometrics can offer greater security and convenience than traditional methods for people recognition. Even if we do not want to replace a classic method (password or handheld token) by a biometric one, for sure, we are potential users of these systems, which will even be mandatory for new passport models. For this reason, to be familiarized with the possibilities of biometric security technology is useful.

Cryptography and Security,Machine Learning

Emilio Mordini

DOI: https://doi.org/10.1007/978-3-319-50673-9_16

2017-01-01

Abstract:Ethical issues raised by forensic biometrics partly overlap with general ethical implications of biometrics. They include issues related to collecting, processing, and storing, personal data, privacy, medical information, and respect for body integrity, risks of misuse and subversive use, and respect for human dignity. There are, however, also ethical issues specifically raised by forensic biometrics. One of them is particularly intriguing. It concerns the nature of biometric evidence and to what extent biometric findings could be accepted as an evidence in court. At a first glance, this problem could seem purely legal, without major ethical implications. Yet, at a deeper analysis, it turns out to have significant ethical components. I will focus on them and on some recent policy developments in this field.