Privacy Protection Schemes for Fingerprint Recognition Systems

Emanuela Marasco and Bojan Cukic
Department of Computer Science, University of North Carolina Charlotte, 9201 University City Blvd., Charlotte, NC (USA) 28223-0001

ABSTRACT

The deployment of fingerprint recognition systems has always raised concerns related to personal privacy. A fingerprint is permanently associated with an individual and, generally, it cannot be reset if compromised in one application. Given that fingerprints are not a secret, potential misuses beyond personal recognition represent privacy threats and may lead to public distrust. Privacy mechanisms control access to personal information and limit the likelihood of intrusions. In this paper, image- and feature-level schemes for privacy protection in fingerprint recognition systems are reviewed. Storing only key features of a biometric signature can reduce the likelihood of biometric data being used for unintended purposes. In biometric cryptosystems and biometric-based key release, the biometric component verifies the identity of the user, while the cryptographic key protects the communication channel. In transformation-based approaches, only a transformed version of the original biometric signature is stored. Different applications can use different transforms. Matching is performed in the transformed domain, which enables the preservation of low error rates. Since such templates do not reveal information about individuals, they are referred to as cancelable templates. A compromised template can be re-issued using a different transform. At the image level, de-identification schemes can remove identifiers disclosed for objectives unrelated to the original purpose, while permitting other authorized uses of personal information. Fingerprint images can be de-identified by, for example, mixing fingerprints or removing the gender signature. In both cases, degradation of matching performance is minimized.
Keywords: Fingerprint Recognition, Privacy, Image De-Identification

Further author information: E. Marasco, E-mail: [email protected]; B. Cukic, E-mail: [email protected]
Biometric and Surveillance Technology for Human and Activity Identification XII, edited by Ioannis A. Kakadiaris, Ajay Kumar, Walter J. Scheirer, Proc. of SPIE Vol. 9457, 94570D © 2015 SPIE · CCC code: 0277-786X/15/$18 · doi: 10.1117/12.2178978

1. INTRODUCTION

Fraud identification and prevention of terrorist acts are two issues of paramount importance in today's society. Recent advances in biometrics have shown clear capabilities in protecting society against these threats. However, protections against misuse of biometric data are equally important.1, 2 Information privacy addresses issues related to the use of information pertaining to an individual. When deploying biometrics for personal recognition, along with security and convenience comes a concern for information privacy. The privacy concern is similar in commercial and government-mandated applications. Specifically, an individual who provides a biometric sample preserves her own legal rights, and the organization collecting the biometrics remains responsible for data protection. Risks related to the possibility of linking one's identity to her fingerprint in the public domain are real and justified. Privacy considerations guide access to personal information. Successful implementation of privacy policies enhances the degree of acceptability of biometric technology. Generally speaking, biometric applications requiring a central database of samples cause higher privacy concerns than applications in which data are not stored or are stored without a centralized repository. Security tokens such as smart cards allow for local storage of sensitive information. Such systems offer individuals more control over their personal information.3 Facial recognition technology deployed in some social networks can be used without the knowledge or consent of the individual. For instance, a face captured in a photo can be matched against a database. Studies have shown that, with some effort, sensitive data (e.g., social security numbers) can be linked to public social network profiles which, in turn, are discovered using face matching.4–7 As we go into a store, video cameras capture our faces and enable possible future identification. In this regard, serious questions about privacy have been raised about the Mobile Offender Recognition and Information System (MORIS)∗, designed to improve the speed and accuracy of police work at stations and out in the crowd. In principle, a photograph of a person's face acquired with mobile cameras can be transmitted and matched with a database of criminals without the person's consent or probable cause. MORIS may potentially become a blueprint of a general surveillance system. Finally, advances in human genomic research cause worries about the possibility of inferring medical information from the data stored for identification purposes. Such worries are not new and have led to the commercial demise of human recognition based on the retina.

The focus of this paper is on privacy enhancement schemes for fingerprint recognition systems. The ease of use and low error rates are the main factors contributing to the success of fingerprint-based authentication and identification. Fingerprint sensors are currently used for unlocking the phone (e.g., iPhone 5S) or to engage in financial transactions and make purchases. A fingerprint is permanently associated with an individual and it does not change significantly over time. However, fingerprints cannot be considered a secret, since we ordinarily leave their imprints on objects we touch and leave behind. This makes the replication of real fingerprint patterns in artificial materials possible. If such imprints are used for impersonation, the technique is referred to as a spoof (presentation) attack. Various spoof detection methods have been developed to determine whether the object being placed on the sensor corresponds to a live finger or an artificial material.8, 9 Intrusions, i.e., unauthorized accesses, exploit vulnerabilities in the biometric recognition process. Attacks on the interfaces between modules of a recognition system are also possible. The communication channel is secured through cryptography, avoiding interception or unwanted modification of the data being transferred. Replay and hill-climbing are examples of possible threats. Modules and templates stored in the database can be corrupted as well. If an intruder can gain access to the fingerprint templates stored in the database, any template can be replaced with one that represents the intruder. Occasionally, a stolen template can be replayed to the matcher and used for unauthorized access.10–12 In the rest of the paper we review the most effective techniques to address some of these attack scenarios. Challenges to privacy related to fingerprint collections can be categorized as follows:

• Covert Recognition becomes possible when one can obtain biometric data without the subject's consent. Latent fingerprints are frequently left on hard surfaces, can be easily collected, and may be improperly used in recognition systems.13

• Unintended Secondary Information. Until recently it was believed that fingerprints do not reveal personal information such as age, race, gender and health. However, it is now known that certain types of medical information, such as genetic disorders, can be predicted from malformed fingers. This could lead towards discrimination of a subset of the population. In a different example, recent research reveals that automated algorithms can infer age and gender from fingerprint images.14–17 Even if we cannot identify the owner of a latent fingerprint, revealing the age or gender may lead to undesirable consequences.18

• Unintended Secondary Purpose. Fingerprint data can be acquired for an initial purpose but used for a different purpose later. Once the fingerprint image or a template is stored, it can potentially be used for multiple purposes. Beyond matching, secondary information such as gender and age can be predicted from stored fingerprint images and exploited, for example, in advertising.

Privacy protection schemes aim to provide choice and control over what personal information to reveal and to whom. In many applications of fingerprint systems, the user may choose to deposit sensitive information. But the question is always whether the given system acts in the best interest of that individual. The potential risks to privacy are always expected to be proportional to, or outweighed by, the gained benefits.

∗ http://www.popsci.com/bown/2010/product/b12-technologies-moris


2. FINGERPRINT TEMPLATE PROTECTION

Storing only a limited subset of key features of a biometric signature reduces the likelihood of biometric data being stolen or otherwise used for unintended purposes. A categorization of template protection schemes used for fingerprints and discussed in this paper is illustrated in Fig. 1. Privacy enhancing technologies such as biometric cryptosystems and cancelable biometrics are also referred to as untraceable biometrics. Specifically, cancelable templates perform biometric matching in the encrypted domain and present the advantage of being replaceable.19–21 Additionally, different applications may utilize different cancelable templates. This approach prevents cross-matching that would be possible if various applications shared the same biometric templates.

[Figure 1: tree diagram. Template Protection splits into Feature Transformation (Salting; Non-Invertible Transform → Cancelable Templates) and Biometric Cryptosystems (Key Binding; Key Generation → Fuzzy Schemes).]
Figure 1. A categorization of the fingerprint template protection schemes. Taxonomy originated in IEEE Certified Biometrics Professional (CBP) material.

2.1 Biometric Cryptosystems

The goal of a cryptosystem is to achieve confidentiality through the implementation of a specific sensitive service. Typical cryptosystems consist of three component algorithms, for key generation, encryption and decryption, accompanied by a key sharing protocol. Traditional encryption / decryption mechanisms are not able to adequately protect biometric templates. Encrypted templates, in principle, preclude matching. Templates that are very similar in unencrypted form will appear dramatically different upon encryption due to the information dispersion property inherent in encryption algorithms. In biometric cryptosystems, security enhancement is achieved by combining a biometric component with a cryptographic system. The biometric element verifies the identity of a specific user while the cryptographic key secures the communication channel. Biometric cryptosystems embed a secret code into the template. The code is retrieved upon correct biometric authentication. The resulting fingerprint template representations match, but their form does not reflect the appearance of the original fingerprint images, so as to protect the identity of the person from intruders. No original fingerprint image or template is stored, but only a digital code, i.e., the key created from it.22–24 This key is re-extracted upon presentation of the genuine fingerprint. However, factors such as the condition of the finger (e.g., moist / dry, cuts) induce variations in fingerprint images acquired over a period of time and challenge the design of biometric algorithms.25 Furthermore, biometric cryptosystems are threatened by various specialized attacks. In particular, Adler discussed a mechanism to obtain the secret code and intrude upon a biometric encryption algorithm.25 Biometric cryptosystems can be implemented through helper data methods. Helper data typically corresponds to some public information related to the biometric signature that assists in retrieving the original biometric template.


[Figure 2 diagram. Enrollment: Fingerprint Gallery (G) and a non-biometric Key (K) → Helper Data Extraction → Helper Data H = F(G; K). Authentication: Fingerprint Probe (P) and Helper Data → Recovery → Extracted Key (K) → Match / Non-match.]
Figure 2. An illustration of the key-binding scheme applied to fingerprint recognition. Templates and cryptographic keys are protected because they are discarded and only the helper data is stored. Successful key extraction indicates a match. The helper data is designed for the specific biometric modality and for a particular user population.

It does not reveal any important information about the original template, but it is necessary during authentication for generating the cryptographic key from the probe. Two existing helper data-based biometric cryptosystems are described below.

• Key-Binding scheme starts with the enrollment. At that time a random digital key is produced independently of the biometric signature. The key is linked to the biometric reference and helper data is created. The biometric and the key are both discarded, while the helper data is stored publicly. Therefore, the cryptographic key is updatable since, after being generated, it is simply bound to the biometric template. In this method, access to the biometric features stored in the template is not required.26, 27 The matching operation is performed in the encrypted domain, where it becomes a verification of the validity of the key extracted from the helper data. This process is illustrated in Fig. 2. Public auxiliary information is combined with biometric information using a generating function and a reproducing function. The generating function takes as input a fingerprint from the gallery G and a user-specific key K, to produce a public string H and a secret non-biometric key. The reproducing function takes as input a fingerprint probe P and the public string H to produce the secret string. This secret encryption key can be accessed only by the authorized user, by providing the genuine fingerprint for matching. Fuzzy commitment schemes are key-binding approaches in which an error-correcting code is included in the cryptographic key to accommodate intra-class variability. The probe of a genuine user is expected to fall within the error tolerance of the error-correcting code. In fuzzy vault schemes, the key is converted into a polynomial and the helper data consists of genuine points as well as chaff points (i.e., false features), to make it difficult to find the true features in the helper data. Only the authorized user can obtain the encryption key by presenting his / her fingerprint.26 Successful reconstruction of the polynomial indicates a genuine match, but practical implementations suffer significantly lower matching performance than traditional systems.

• In the Key-Generation scheme, the key K is derived directly from the fingerprint, which parameterizes it. The presentation of a genuine probe allows for extraction of the key K from the helper data. The process is similar to the key-binding scheme except that the helper data is a function of the biometric information. Intra-class variations may impact the size of the key space. The matching operation corresponds to checking the validity of the extracted key.
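The fuzzy-commitment flavor of key binding described above, as an added example that is not from the paper or any cited implementation. It assumes the fingerprint has already been encoded as a fixed-length bit string, and it uses a 5x repetition code in place of a production error-correcting code; enrollment stores only H = C(K) XOR G and a hash of K, and recovery releases K only when the probe lies within the code's error tolerance.

```python
import hashlib
import secrets

# Added example, not the paper's code: a toy fuzzy-commitment (key-binding)
# scheme. Assumptions: the fingerprint has already been reduced to a fixed-length
# bit string (the paper does not fix the feature encoding), and a 5x repetition
# code stands in for the error-correcting code that absorbs intra-class variation.

R = 5                          # repetition factor of the error-correcting code
KEY_BITS = 16                  # length of the random, non-biometric key K
TEMPLATE_BITS = KEY_BITS * R   # length of the biometric bit string expected


def encode(key_bits):
    """C(K): every key bit is repeated R times."""
    return [b for b in key_bits for _ in range(R)]


def decode(codeword):
    """Majority-vote decoding: each R-bit chunk tolerates up to (R-1)//2 flips."""
    return [1 if sum(codeword[i:i + R]) * 2 > R else 0
            for i in range(0, len(codeword), R)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_digest(key_bits):
    """Hash of K that can be stored publicly: it verifies K without revealing it."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def enroll(gallery_bits, rng=secrets.randbits):
    """Enrollment: draw K independently of the biometric, bind it to the gallery
    bits G as helper data H = C(K) XOR G, keep hash(K), then discard G and K."""
    assert len(gallery_bits) == TEMPLATE_BITS
    key = [rng(1) for _ in range(KEY_BITS)]
    return {"H": xor(encode(key), gallery_bits), "hash": key_digest(key)}


def authenticate(helper_data, probe_bits):
    """Recovery: C' = H XOR P, which equals C(K) XOR (G XOR P). If the probe is
    close enough to G, the decoder removes the remaining flips and K is released;
    otherwise the hash check fails and None (a non-match) is returned."""
    candidate = decode(xor(helper_data["H"], probe_bits))
    if key_digest(candidate) == helper_data["hash"]:
        return candidate
    return None


def flip_bits(bits, positions):
    """Simulate intra-class variation (or an impostor) by flipping chosen bits."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample template (not real biometric data): 80 pseudo-random bits.
GALLERY = [(i * i + 3 * i) % 7 % 2 for i in range(TEMPLATE_BITS)]

if __name__ == "__main__":
    hd = enroll(GALLERY)
    print("stored: %d helper bits + key hash %s..." % (len(hd["H"]), hd["hash"][:16]))
    print("same finger, 2 flips in one chunk:", authenticate(hd, flip_bits(GALLERY, [0, 1])) is not None)
    print("same finger, 3 flips in one chunk:", authenticate(hd, flip_bits(GALLERY, [0, 1, 2])) is not None)
    print("impostor (complemented bits)     :", authenticate(hd, [1 - b for b in GALLERY]) is not None)
```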


[Figure 3 diagram. Enrollment: Fingerprint Gallery (G) → Helper Data Extraction → Helper Data H = F(G). Authentication: Fingerprint Probe (P) and Helper Data → Recovery → Extracted Key (K) → Match / Non-match.]
Figure 3. An illustration of the key generation scheme applied to fingerprint recognition. Templates do not need to be revealed during matching since successful key extraction indicates a match. This scheme is not specific to fingerprints.

2.2 Feature Transformation Approaches

The effectiveness of a template protection scheme is estimated based on the degree of trustworthiness provided, its revocability and the impact on matching performance.28 Intra-user variability represents one of the main challenges for this privacy protection mechanism. A transformation function ϕ is applied to the biometric template T, as shown in Eqn. 1, where K is a random key carrying the parameters of the transformation. The transformed template T′ is stored in the database.

$$T' = \phi(T, K) \qquad (1)$$

Several types of feature transformation approaches exist, but the two best known are described below:

• In Biometric Salting (Invertible) Transformation, biometric features are modified based on a key presented by the user during authentication. The key needs to be securely stored or remembered by the user.28 This transformation is invertible, which makes the approach highly vulnerable to stolen secret keys.

• Non-Invertible Transformation performs an irreversible transformation of minutiae locations and orientations.29 A one-way function makes it computationally hard to recover the original template, even if the key is known; consequently, secrecy of the key is not essential. Fingerprint images can be discarded soon after acquisition, upon application of the transformation function. In principle, this scheme offers higher security compared to salting.30

In all the transformation approaches, the original fingerprint is not stored. Features are transformed and the transformed template is stored. The transformed version is either distributed on a smart card or deposited centrally in a database. Matching uses transformed templates, as illustrated in Fig. 4. The transformation process may negatively impact the matching accuracy of the system. Additionally, vulnerabilities of this solution emerge if a substitution attack occurs just before matching, or if an intruder discovers the transform function used. Table 1 reports details about the evaluation of existing template protection approaches for fingerprints.

[Figure 4 diagram. Fingerprint Gallery (G) → Transform Function F → Transformed Gallery F(G, K); Fingerprint Probe (P) → Transform Function F → Transformed Probe F(P, K); matching is carried out between the two transformed templates.]
Figure 4. Fingerprint feature transformation scheme. Features extracted from the fingerprint image acquired during enrollment (i.e., the gallery sample) are transformed. Only the transformed template is stored. At verification / identification time, features extracted from the probe image are transformed as well, and matching is carried out in the transformed domain.

Table 1. Matching performance with and without fingerprint template protection schemes. Baseline indicates matching results achieved without applying template protection. Performance indicates matching results when template protection is applied. FMR: False Match Rate, FNMR: False Non-Match Rate.

| Method | Database | Resolution | # Of Fingerprints | Baseline | Performance |
|---|---|---|---|---|---|
| Tuyls et al.31 | FVC2000 | 500 dpi, 256 × 364 | 110 fingers, 8 samples per finger | 1.4% EER | 4.5% EER |
| Tuyls et al.31 | Twente | 500 dpi, 452 × 492 | 500 fingers, 5 samples per finger | 1.6% EER | 4.2% EER |
| Jin et al.32 | FVC2002 DB1 Set B | 500 dpi, 388 × 374 | 100 fingers, 8 samples per finger | 0% EER | 5.19% EER |
| Jin et al.32 | FVC2004 DB2 Set B | 500 dpi, 296 × 560 | 100 fingers, 8 samples per finger | 0% EER | 11.64% EER |
| Nandakumar et al.33 | FVC2002 DB1 | 500 dpi, 388 × 374 | 100 fingers, 8 samples per finger | 0% EER | 0.02% FMR, 14.1% FNMR |
| Nandakumar et al.33 | FVC2002 DB2 | 500 dpi, 296 × 560 | 100 fingers, 8 samples per finger | 0% EER | 0.02% FMR, 9.6% FNMR |

2.2.1 Cancelable Fingerprint Templates

A cancelable template can be generated through a non-invertible process able to construct multiple identifiers from a fingerprint of an individual. The generated identifiers possess the advantage of being exchangeable if compromised.19, 34 The design of cancelable biometrics faces various challenges. First of all, a cancelable transform is expected to be repeatable between different instances of the same fingerprint. This can be accomplished by registering the impressions before performing the cancelable transform. Second, the cancelable transform may increase intra-class variability and introduce false rejections. Furthermore, the degree of individuality of the transformed fingerprint is expected to correspond to that of the original fingerprint, without any loss of discriminative information. Finally, the transformed fingerprint should not match the original one. In the implementation, the coordinate system is divided into cells of fixed size. The mapping of the cells is handled by a dedicated mapping matrix. Multiple cells of the original coordinate system are mapped to the same cell of the transformed pattern. This guarantees that details about the original minutiae points remain hidden, since there are several locations from which a feature point could have originated. The format of biometric features is preserved; thus, transformed features are still recognizable by unmodified matchers. Additionally, in the transformed domain the discriminative power of each template is preserved as well. Functions that have been used for generating cancelable fingerprint templates are Cartesian and Polar transformations, defined in Eqn. 2 and Eqn. 3, respectively, and functional transformations, defined in Eqn. 4. C and C′ indicate, respectively, the original and the transformed pattern (i.e., the position of the cells), while M refers to the mapping matrix. In the Cartesian system, minutiae are located in rectangular coordinates; their position and orientation are modified during the transformation process. In the Polar transformation, minutiae positions are measured in polar coordinates, where the center axis is determined by the position and orientation of the fingerprint core. The mapping is governed by a translation key.

$$C' = C \ast M \qquad (2)$$
$$C' = C + M \qquad (3)$$

A functional transformation is expressed in parametric form, where the parameter is a random key. The input fingerprint is first aligned based on its core coordinates; then, the parametric function alters the position and orientation of the original minutiae points, see Fig. 5. Ratha et al. mapped features based on a Gaussian function.19 Table 2 reports the performance of some of the existing transformation approaches in the context of fingerprint recognition. The security of cancelable biometrics depends on how costly the computational effort to reconstruct the original biometric data is and, consequently, on how feasible it is to invert the applied transforms.

$$X' = x + f_X(x, y), \qquad (4a)$$
$$Y' = y + g_Y(x, y), \qquad (4b)$$
$$\theta' = \mathrm{mod}(\theta + h_\theta(x, y), 2\pi) \qquad (4c)$$

Figure 5. Cancelable fingerprint template transformation scheme.
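An added illustration of the cell-based Cartesian transform and of the design properties listed for a cancelable transform (repeatability, many-to-one cell mapping, no match against the original template, a different template per application key). This is not the paper's or Ratha et al.'s implementation: the 256 × 256 aligned image, the 32-pixel cells, the key-seeded mapping matrix, the per-cell orientation shift and the toy matcher are all assumptions.

```python
import hashlib
import random

# Added example, not the paper's or Ratha et al.'s implementation: a toy
# cell-based (Cartesian) cancelable transform for minutiae (x, y, theta in
# degrees). The 256x256 aligned image, the 32-pixel cells, the key-seeded
# many-to-one mapping, the per-cell orientation shift and the small matcher
# are all assumptions made for this illustration.

CELL = 32              # side of a square cell in pixels (assumed)
GRID = 8               # 8 x 8 cells cover an aligned 256 x 256 image (assumed)
NCELLS = GRID * GRID


def cell_index(x, y):
    """Index of the cell containing pixel (x, y)."""
    return (y // CELL) * GRID + (x // CELL)


def mapping_matrix(key):
    """Key-seeded mapping M from source cells to destination cells. Destinations
    are drawn from a pool of only NCELLS // 2 cells, so at least two source cells
    share a destination: a transformed minutia cannot be traced back to a unique
    original cell even when the key is known."""
    rng = random.Random(hashlib.sha256(b"map" + key).digest())
    pool = rng.sample(range(NCELLS), NCELLS // 2)
    return [rng.choice(pool) for _ in range(NCELLS)]


def cell_rotations(key):
    """Key-seeded orientation offset (degrees) applied to minutiae of each cell."""
    rng = random.Random(hashlib.sha256(b"rot" + key).digest())
    return [rng.randrange(360) for _ in range(NCELLS)]


def transform(minutiae, key):
    """Cartesian transform: a minutia keeps its offset inside its cell, the cell
    is moved to M[cell], and the orientation is shifted by the cell's key-derived
    angle. The output has the same (x, y, theta) format as the input, so an
    unmodified minutiae matcher can consume it."""
    m, rot = mapping_matrix(key), cell_rotations(key)
    out = []
    for x, y, theta in minutiae:
        src = cell_index(x, y)
        dst = m[src]
        out.append(((dst % GRID) * CELL + x % CELL,
                    (dst // GRID) * CELL + y % CELL,
                    (theta + rot[src]) % 360))
    return sorted(out)


def preimage_cells(key, dst_cell):
    """All source cells that the key maps onto dst_cell (why M is not invertible)."""
    return [c for c, d in enumerate(mapping_matrix(key)) if d == dst_cell]


def match_score(t1, t2, dist=6, ang=15):
    """Toy matcher usable in either domain: fraction of t1 minutiae that have a
    mate in t2 within dist pixels and ang degrees."""
    if not t1:
        return 0.0
    hits = 0
    for x, y, th in t1:
        for u, v, ph in t2:
            close = abs(x - u) <= dist and abs(y - v) <= dist
            if close and min((th - ph) % 360, (ph - th) % 360) <= ang:
                hits += 1
                break
    return hits / len(t1)


# Constructed gallery minutiae (not real data), kept away from cell borders.
GALLERY = [(10, 12, 30), (45, 20, 100), (77, 140, 250), (140, 75, 15),
           (200, 210, 330), (170, 170, 90), (40, 235, 180), (235, 45, 60)]
# A second impression of the same finger: small positional and angular jitter.
PROBE = [(x + 2, y - 3, (th + 4) % 360) for x, y, th in GALLERY]
KEY_A, KEY_B = b"application-A-key", b"application-B-key"

if __name__ == "__main__":
    tg, tp = transform(GALLERY, KEY_A), transform(PROBE, KEY_A)
    print("genuine match, transformed domain :", match_score(tg, tp))
    print("transformed vs original template  :", match_score(tg, GALLERY))
    print("same finger, other application key:", match_score(tg, transform(GALLERY, KEY_B)))
    busiest = max(range(NCELLS), key=lambda c: len(preimage_cells(KEY_A, c)))
    print("source cells mapped onto cell", busiest, ":", preimage_cells(KEY_A, busiest))
    # A minutia 2 px across a cell border lands in another cell after the
    # transform: this is the extra intra-class variability the paper warns about.
    print("border case changes cell:", cell_index(31, 40) != cell_index(33, 40))
```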



Table 2. Performance of some of the existing transformation approaches applied to fingerprints.

| Method | Category | Error Rate |
|---|---|---|
| Ratha et al.19 | Non-invertible Transform | FRR = 15 / FAR = 10^-4 |
| Teoh et al.35, 36 | Biometric Salting | EER = 5.31 |
| Tulyakov et al.36, 37 | Hash Function | FRR = 25.9 / FAR = 0 |
| Ang et al.38 | Non-invertible Transform | EER = 4 |

3. FINGERPRINT IMAGE DE-IDENTIFICATION

Commercial records (e.g., transaction data) and public information (e.g., tax records) represent sources of personal information. They may contain extensive profiles of people, which include name, address, marital status, age, gender, education and income levels. These characteristics correspond to overt identifiers, i.e., personal information that alone or in combination with other data can be used to identify a specific individual. De-identification consists of removing identifiers from personal information disclosed for objectives unrelated to the original purpose for which the information was obtained. The goal of de-identification is to mitigate misuse or data sharing and protect privacy, while permitting the authorized uses of personal information.39 De-identification of fingerprint images allows us to store transformed data from which the original images are computationally very hard to retrieve.40 In this section, we discuss methods for de-identifying fingerprint images with respect to identity, i.e., by mixing fingerprints, and with respect to soft biometrics, i.e., by eliminating gender signatures.

3.1 Mixing Fingerprints

Fingerprints from two different identities can be mixed in order to obscure identity information.41 The output of the mixing process is a new entity that appears just like a typical fingerprint image and that can still be processed by traditional fingerprint algorithms. Thus, an intruder will not be able to determine whether a given fingerprint is mixed (an imaginary identity) or not (a real fingerprint). A fingerprint can be globally represented by ridge frequency and ridge orientation. However, the frequency representation is not effective in the presence of discontinuities (e.g., minutiae points). Thus, in this approach the fingerprint image intensity is modeled by the hologram representation. Such a model is based on amplitude- and frequency-modulated (AM-FM) functions, as shown in Eqn. 5, where a(x, y) corresponds to the intensity offset, b(x, y) to the amplitude, ϕ(x, y) to the phase and n(x, y) to noise.42

$$f(x, y) = a(x, y) + b(x, y)\cos[\phi(x, y)] + n(x, y) \qquad (5)$$

Singularities are avoided by focusing on the phase and not on instantaneous frequencies. Given a fingerprint image, the phase is decomposed into the sum of a continuous component ϕC(x, y) (longitudinal, irrotational) and a spiral component ϕS(x, y) (transverse, rotational), according to the Helmholtz Decomposition Theorem (HDT), see Eqn. 6.

$$\phi(x, y) = \phi_C(x, y) + \phi_S(x, y) \qquad (6)$$

After decomposition, the continuous ϕC(x, y) and the spiral ϕS(x, y) components are appropriately aligned based on a reference point and an alignment line. Specifically, the components are centered with respect to a reference point estimated using Novikov's method, which applies the Hough Transform.43 The alignment line is determined by considering the distances between the reference point and all the high-curvature points detected in the fingerprint skeleton. The high-curvature points nearest to the reference point are selected, and a line is fitted through them in order to determine the alignment. The high-curvature points correspond to global features in the fingerprint pattern; in particular, they do not provide any information about the specific location or orientation of the minutiae points.44 The mixed fingerprint MF1 is obtained by combining the continuous component ϕC2 of F2 with the spiral component ϕS1 of F1, and MF2 by combining ϕC1 with ϕS2, see Eqn. 7. The two fingerprints F1 and F2 being mixed are paired based on a compatibility measure C defined in Eqn. 8, where OD is the difference in orientation fields between F1 and F2, FD is the frequency map difference, while α and γ are empirically determined weights.

$$MF_1 = \cos(\phi_{C2} + \phi_{S1}), \qquad (7a)$$
$$MF_2 = \cos(\phi_{C1} + \phi_{S2}) \qquad (7b)$$

$$C = 1 - (\alpha\, OD + \gamma\, FD) \qquad (8)$$


Table 3. Matching performance before and after mixing fingerprints.

| Database | Number Of Fingerprints | Baseline Performance | Mixed Fingerprints Performance |
|---|---|---|---|
| WVU | 500 fingers, 2 samples per finger | 0.5% EER, 99% Accuracy | 6% EER, 85% Accuracy |
| FVC2002 DB2 A | 100 fingers, 2 samples per finger | 0.2% EER, 100% Accuracy | Cross-Mixing with WVU: 7% EER, 83% Accuracy |

The successful match of the original fingerprint with the mixed one is hard to achieve. A summary of the matching performance when mixing two fingerprints pertaining to two different identities is reported in Table 3.41 New virtual identities are generated by considering two mixing scenarios: i) gallery and probe fingerprints taken from the same database; and ii) gallery and probe fingerprints taken from two different databases.

3.2 De-Identifying Soft Biometrics from Fingerprints

The need for de-identifying fingerprint images with respect to soft biometrics, for example when releasing research data sets, is increasing.39 These approaches disallow the successful extraction of soft biometric information without significantly changing the appearance of fingerprint images. In order to avoid an undesired loss of individuality in fingerprints, the reliability of minutiae extraction should be preserved. In other words, an effective soft biometrics de-identifier minimizes the degradation of matching performance, while reducing the possibility of estimating soft biometric information. There is a lack of literature focused on de-identification of fingerprint images by removing soft biometric information. We recently proposed an efficient fingerprint gender de-identifier.45 This method reduces the ability to estimate gender from fingerprint images, while not degrading the matching performance. The algorithm is based on ad-hoc image filtering and scaling in the frequency domain to degrade the performance of gender estimation algorithms.18 In such an approach, variations in fingerprint images that stem from gender diversity are captured through textural features extracted at both global and local levels. Specifically, the energy concentration is computed for different equally spaced frequency bands of the Fourier spectrum. Each sub-band is constructed by computing the difference of two equally spaced low-pass Butterworth filters. These features are fused with the histograms obtained by two local descriptors, i.e., Local Phase Quantization (LPQ) and Local Binary Patterns (LBP). The de-identification technique attenuates or amplifies the most discriminative frequency components. The general model used for filtering the image follows:

$$G(u, v) = H(u, v)\, F(u, v) \qquad (9)$$

The considered transfer function H(u, v) is a zero-phase-shift filter that affects the real and imaginary parts of the Fourier Transform without altering its phase. It is constructed from differences of two Butterworth functions, which allows for band-specific scaling in the frequency domain. Specifically, the linear filtering process applies blurring by attenuating high-frequency content, or sharpening by increasing the magnitude of high-frequency components. Certain frequency components in the Fourier Transform are suppressed, while others are amplified. The Fourier coefficients of each band are multiplied by a random scalar (selected within a specific range) based on the energy distribution. The de-identified image is created using the inverse Fourier Transform. The constant selected for scaling varies according to the energy distribution of the given band. The main steps of the procedure are summarized in Table A. The challenge of integrating a de-identification algorithm in a biometric system is avoiding a reduction in the performance of the matching operation. Matching performance is expressed using the False Match Rate (FMR) and the False Non-Match Rate (FNMR). The de-identification algorithm is evaluated by considering the performance of the soft biometric estimator, which is desired to fail as often as possible, and the accuracy of the biometric identity matcher. At de-identification time, two types of errors can occur:

Proc. of SPIE Vol. 9457 94570D-9 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 12/15/2015 Terms of Use: http://spiedigitallibrary.org/ss/TermsOfUse.aspx

Table A. Fingerprint de-identification for gender estimation.

Input: original fingerprint image I(x, y); number of frequency bands B; classes w0 (male) and w1 (female).
Output: de-identified image DI(x, y).

1. Compute the Discrete Fourier Transform F(u, v) of the image I(x, y).
2. Filter the image in the frequency domain: G_k(u, v) = H_k(u, v) F(u, v), k = 1, ..., B.
3. Estimate the energy distributions of each band for the two classes, computed over images of class w0 and w1 respectively: E_{k,w0} = |G_k(u, v)|^2, E_{k,w1} = |G_k(u, v)|^2, k = 1, ..., B.
4. Compute the scaling parameters a_k, k = 1, ..., B: mu_{k,w0} = mean(E_{k,w0}), mu_{k,w1} = mean(E_{k,w1}), a_k = (mu_{k,w0} - mu_{k,w1}) / 2.
5. Apply the scaling in the frequency domain: if the image belongs to w1, F*(u, v) = (a_k + 1) F(u, v); otherwise F*(u, v) = a_k F(u, v).
6. Compute the inverse transform of F*(u, v) to obtain DI(x, y).

• Undermarking is a failure to remove soft biometric information from the image. It is measured by the True Soft Biometric Detection Rate (TSDR), defined as the proportion of de-identified images from which the soft biometric characteristic is still correctly estimated.
• Overmarking removes more information than required, reducing the correctness of matching on de-identified images. When overmarking occurs it does not matter whether de-identification succeeds; it causes an increase in FNMR.

The de-identification system is typically expected to operate at the point that gives the best trade-off between undermarking and overmarking. Here we consider the case in which the algorithm for automatic de-identification is integrated into the sensor and all acquired images are de-identified. The data set used in this study consists of fingerprints from 494 users collected at West Virginia University. Fingerprints were acquired with a live-scan optical sensor at 500 dpi. Match scores between all pairs of de-identified images were generated using the Identix BioEngine Software Development Kit. Quality measures were extracted with NFIQ, part of the National Institute of Standards and Technology (NIST) Biometric Image Software (NBIS).†
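The procedure of Table A in working form, as an added example that is not the paper's implementation and not the Lugini et al. code. Everything below is an assumption of the example: the "fingerprints" are constructed oriented sinusoidal ridge patterns plus white noise whose two classes differ only in ridge spatial frequency; the number of bands (16) and the Butterworth order (100, so that band edges are steep and bands nearly disjoint) are chosen here; the per-band gain is a deterministic rule sqrt(t_k / mu_{k,c}) that equalizes the two class-mean energies in every band, used in place of the paper's random scalar drawn from a band-specific range; and the gender estimator is a nearest-class-mean classifier on the band energies alone, not the paper's fused energy/LPQ/LBP estimator. The de-identifier takes the class label as input, which is exactly the dependency that step 5 of Table A introduces.

```python
"""Band-wise spectral scaling for gender de-identification, following Table A.

Added example, not the paper's code. The 'fingerprints' are constructed here:
oriented sinusoidal ridge patterns plus white noise, where the two classes
differ only in ridge spatial frequency (an assumption standing in for the real
gender-dependent texture). Assumptions: Butterworth order, number of bands,
and the gain rule, which equalises the class-mean band energies instead of
the random per-band scalar used in the paper.
"""
import numpy as np

N = 64             # image side in pixels (constructed data)
N_BANDS = 16       # B in Table A (assumption)
MAX_FREQ = N // 2  # radial DFT index of the Nyquist frequency
ORDER = 100        # Butterworth order (assumption: steep edges keep bands nearly disjoint)


def butterworth_lowpass(cutoff, order=ORDER):
    """Zero-phase Butterworth low-pass H(u, v) with DC at the array centre."""
    u = np.arange(N) - N // 2
    d = np.sqrt(u[:, None] ** 2 + u[None, :] ** 2)   # radial frequency index
    with np.errstate(over="ignore"):                  # far-out bins simply go to 0
        return 1.0 / (1.0 + (d / cutoff) ** (2 * order))


def band_filters():
    """H_k: difference of two equally spaced Butterworth low-pass filters."""
    edges = np.linspace(0, MAX_FREQ, N_BANDS + 1)
    lows = [np.zeros((N, N))] + [butterworth_lowpass(c) for c in edges[1:]]
    return np.stack([lows[k + 1] - lows[k] for k in range(N_BANDS)])


def band_energies(image, filters):
    """Table A steps 1-3: E_k = sum_{u,v} |H_k(u, v) F(u, v)|^2 for each band k."""
    F = np.fft.fftshift(np.fft.fft2(image))
    return np.sum(np.abs(filters * F) ** 2, axis=(1, 2))


def fit_gains(energies, labels):
    """Table A step 4, deterministic variant: amplitude gain g[c, k] =
    sqrt(t_k / mu_{k,c}) with t_k the midpoint of the two class means, so both
    classes end up with expected band energy t_k (energy scales with gain^2)."""
    mu = np.stack([energies[labels == c].mean(axis=0) for c in (0, 1)])
    target = mu.mean(axis=0)
    return np.sqrt(target / mu)


def deidentify(image, label, gains, filters):
    """Table A steps 5-6: scale each band of F by the gain of the declared
    class and invert. S = sum_k g[label, k] H_k is real, so the phase of F is
    untouched (zero-phase-shift filter)."""
    F = np.fft.fftshift(np.fft.fft2(image))
    S = np.tensordot(gains[label], filters, axes=1)
    return np.fft.ifft2(np.fft.ifftshift(S * F)).real


def make_dataset(n_per_class=20, seed=1):
    """Constructed data: class 0 ridges at 0.08 cycles/px, class 1 at 0.14,
    random orientation, plus white noise so every band carries some energy."""
    rng = np.random.default_rng(seed)
    yy, xx = np.mgrid[0:N, 0:N]
    images, labels = [], []
    for c, freq in enumerate((0.08, 0.14)):
        for _ in range(n_per_class):
            theta = rng.uniform(0, np.pi)
            ridges = np.sin(2 * np.pi * freq * (xx * np.cos(theta) + yy * np.sin(theta)))
            images.append(ridges + 0.3 * rng.standard_normal((N, N)))
            labels.append(c)
    return np.array(images), np.array(labels)


def nearest_mean_accuracy(energies, labels):
    """Stand-in gender estimator on the band-energy features alone (the paper
    fuses them with LPQ/LBP histograms): nearest class mean, resubstitution."""
    mu = np.stack([energies[labels == c].mean(axis=0) for c in (0, 1)])
    pred = np.argmin(((energies[:, None, :] - mu[None]) ** 2).sum(axis=2), axis=1)
    return float((pred == labels).mean())


def run_experiment():
    """Fit gains on the constructed set, de-identify every image (sensor-side
    use, as in the paper), and compare estimator accuracy and class separation."""
    filters = band_filters()
    images, labels = make_dataset()
    e_before = np.array([band_energies(im, filters) for im in images])
    gains = fit_gains(e_before, labels)
    deid = np.array([deidentify(im, c, gains, filters) for im, c in zip(images, labels)])
    e_after = np.array([band_energies(im, filters) for im in deid])

    def class_gap(e):  # distance between the two class-mean energy vectors
        return float(np.linalg.norm(e[labels == 0].mean(0) - e[labels == 1].mean(0)))

    return {
        "accuracy_before": nearest_mean_accuracy(e_before, labels),
        "accuracy_after": nearest_mean_accuracy(e_after, labels),
        "gap_before": class_gap(e_before),
        "gap_after": class_gap(e_after),
        "images": images,
        "deidentified": deid,
    }


if __name__ == "__main__":
    r = run_experiment()
    print(f"gender estimator accuracy: {r['accuracy_before']:.2f} -> {r['accuracy_after']:.2f}")
    print(f"class-mean gap: {r['gap_before']:.3g} -> {r['gap_after']:.3g}")
```

Running it shows the undermarking side of the evaluation: the band-energy estimator separates the two constructed classes perfectly before scaling and falls to about chance afterwards, because the class-mean energy vectors are pulled onto each other. What it cannot show is overmarking; that requires feeding the de-identified images to a minutiae matcher and reading off the FNMR, as the paper does with the BioEngine SDK.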

• Visual Impact of Fingerprint De-Identification. Fig. 6 shows that, visually, the impact of the de-identification process on the fingerprint images is not pronounced.
• Gender Estimator Accuracy on De-Identified Fingerprint Images. Fig. 7 illustrates the energy distributions of two frequency bands before and after de-identification. In the original images these frequency components separate females from males well; in the de-identified images the female and male distributions overlap, so the discriminative power is lost. Similar behavior was observed for the remaining bands. The result is a loss of gender estimation accuracy from the initial 88.7% to 50.5%, essentially chance level for a two-class decision.

† http://www.nist.gov/itl/iad/ig/nbis.cfm


[Figure 6: two fingerprint images, panels (a) and (b)]

Figure 6. Fingerprint images before performing image de-identification ad hoc for automatic gender estimation: (a) fingerprint image of a female subject; (b) fingerprint image of a male subject.

[Figure 7: four histograms of band energy for Male and Female subjects, horizontal axis "Energy". Panel titles: "Energy Distribution of Band 25 - [175-179 Hz] with no De-Identification", "Energy Distribution of Band 12 - [105-109 Hz] with no De-Identification", "Energy Distribution of Band 25 - [175-179 Hz] with De-Identification", "Energy Distribution of Band 12 - [105-109 Hz] with De-Identification"; panels (a) and (b).]

Figure 7. Energy distribution across different frequency bands before and after de-identification. Selected frequency bands, originally discriminative for gender, cannot be used for gender classification after de-identification.


• Matching Performance on De-Identified Fingerprint Images. Fig. 8 quantifies the effectiveness of the proposed de-identification algorithm with respect to matching performance. As desired, the variations induced in the images do not significantly change the verification error rates. The results show that this method is very effective in preventing gender estimation from fingerprint images: the proposed de-identification approach reduces gender estimation accuracy from the initial 88.7% to only 50.5%, without drastically affecting matching performance.

[Figure 8: "DET Curves Before and After De-Identification", two curves (Before De-Identification, After De-Identification); horizontal axis FAR (%), 0 to 0.4.]

Figure 8. DET curve pertaining to the matching performance before and after fingerprint de-identification. The de-identifier module incorporated in the fingerprint recognition system does not significantly impact the verification performance.

4. SUMMARY

Fingerprints are a very popular modality for biometric identification. We often leave them on the surfaces we touch, which opens the potential for covert collection and misuse. In this paper we reviewed privacy protection schemes developed for fingerprint recognition systems at the image and feature levels, presented their pros and cons, and overviewed their effectiveness. Template protection schemes store key feature information rather than the fingerprint images themselves, reducing the likelihood of a fingerprint being stolen. Biometric Encryption and Cancelable Biometrics are two privacy enhancing technologies; they support fingerprint matching in the encrypted or transformed domain. De-identification of fingerprint images allows transformed fingerprint representations to be used that make recovering the original images computationally difficult. We also discussed automated fingerprint de-identification algorithms that prevent inferring age or gender from fingerprint images; revealing the age and gender of individuals enables potential privacy invasion and tracking. Many of the privacy enhancing approaches discussed in this paper are new and largely untested in large-scale public applications; only cancelable biometrics have seen limited commercial deployment. We therefore expect that privacy enhancing techniques for biometric systems will remain an active area of research for quite some time.

REFERENCES

[1] Sherman, D., "Biometric Technology: The Impact on Privacy," CLPE Research Paper (5) (2005).
[2] Prabhakar, S., Pankanti, S., and Jain, A., "Biometric Recognition: Security and Privacy Concerns," IEEE Security & Privacy 1(2), 33–42 (2003).
[3] Clancy, T. C., Kiyavash, N., and Lin, D. J., "Secure Smart Card-Based Fingerprint Authentication," ACM Workshop on Biometrics Methods and Applications, 45–52 (2003).
[4] Acquisti, A. and Gross, R., "Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook," Privacy Enhancing Technologies, 36–58 (2006).
[5] Acquisti, A., Gross, R., and Stutzman, F., "Faces of Facebook: Privacy in the Age of Augmented Reality," (2011).
[6] Gross, R. and Acquisti, A., "Information Revelation and Privacy in Online Social Networks," ACM Workshop on Privacy in the Electronic Society, 71–80 (2005).
[7] Newton, E., [Biometrics and Surveillance: Identification, De-Identification, and Strategies for Protection of Personal Data], ProQuest (2009).
[8] Marasco, E. and Ross, A., "A Survey on Antispoofing Schemes for Fingerprint Recognition Systems," ACM Computing Surveys (CSUR) 47(2), 28 (2014).
[9] Johnson, P., Lazarick, R., Marasco, E., Newton, E., Ross, A., and Schuckers, S., "Biometric Liveness Detection: Framework and Metrics," International Biometric Performance Conference (IBPC) 1 (2012).
[10] Ratha, N., Connell, J., and Bolle, R., "Enhancing Security and Privacy in Biometrics-based Authentication Systems," IBM Systems Journal 40(3), 614–634 (2001).
[11] Cukic, B. and Bartlow, N., "Biometric System Threats and Countermeasures: A Risk-based Approach," Biometric Consortium Conference (BCC) (2005).
[12] Ratha, N., "Privacy Protection in High Security Biometrics Applications," Ethics and Policy of Biometrics, 62–69 (2010).
[13] Maltoni, D., Maio, D., Jain, A., and Prabhakar, S., "Handbook of Fingerprint Recognition," Springer (2003).
[14] Modi, S., Elliott, S., Whetsone, J., and Kim, H., "Impact of Age Groups on Fingerprint Recognition Performance," IEEE Workshop on Automatic Identification Advanced Technologies, 19–23 (2007).
[15] Badawi, A., Mahfouz, M., Tadross, R., and Jantz, R., "Fingerprint-based Gender Classification," IPCV, 41–46 (2006).
[16] Gnanasivam, P. and Muttan, D. S., "Estimation of Age through Fingerprints using Wavelet Transform and Singular Value Decomposition," International Journal of Biometrics and Bioinformatics (IJBB) 6(2), 58–67 (2012).
[17] Kaur, R. and Susmita, G., "Fingerprint based Gender Identification using Frequency Domain Analysis," International Journal of Advances in Engineering and Technology 3(1), 295–299 (2012).
[18] Marasco, E., Lugini, L., and Cukic, B., "Exploiting Quality and Texture Features to Estimate Age and Gender from Fingerprints," SPIE Defense and Security 9075, 90750F–10 (2014).
[19] Ratha, N., Chikkerur, S., Connell, J., and Bolle, R., "Generating Cancelable Fingerprint Templates," IEEE Transactions on Pattern Analysis and Machine Intelligence 29(4), 561–572 (2007).
[20] Rathgeb, C. and Uhl, A., "A Survey on Biometric Cryptosystems and Cancelable Biometrics," EURASIP Journal on Information Security 2011(1), 1–25 (2011).
[21] Jin, Z., Teoh, A., Ong, T., and Tee, C., "Generating Revocable Fingerprint Template using Minutiae Pair Representation," IEEE 2nd International Conference on Education Technology and Computer (ICETC) 5, V5–251 (2010).
[22] Cavoukian, A. and Stoianov, A., "Biometric Encryption," Encyclopedia of Cryptography and Security, 90–98 (2011).
[23] Hao, F., Anderson, R., and Daugman, J., "Combining Cryptography with Biometrics Effectively," University of Cambridge Computer Laboratory, Technical Report (2005).
[24] Barni, M. et al., "A Privacy-Compliant Fingerprint Recognition System based on Homomorphic Encryption and Fingercode Templates," Biometrics: Theory Applications and Systems (BTAS), 1–7 (2010).
[25] Adler, A., "Vulnerabilities in Biometric Encryption Systems," Audio- and Video-Based Biometric Person Authentication, 1100–1109 (2005).
[26] Uludag, U., Pankanti, S., and Jain, A., "Fuzzy Vault for Fingerprints," Audio- and Video-Based Biometric Person Authentication, 310–319 (2005).
[27] Dodis, Y., Reyzin, L., and Smith, A., "Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data," Advances in Cryptology-Eurocrypt, 523–540 (2004).
[28] Jain, A., Nandakumar, K., and Nagar, A., "Biometric Template Security," EURASIP Journal on Advances in Signal Processing 2008, 113 (2008).
[29] Soutar, C., Roberge, D., Stoianov, A., Gilroy, R., and Kumar, B., "Biometric Encryption Using Image Processing," Photonics West '98 Electronic Imaging, 178–188 (1998).
[30] Breebaart, J., Busch, C., Grave, J., and Kindt, E., "A Reference Architecture for Biometric Template Protection based on Pseudo Identities," BIOSIG, 25–38 (2008).
[31] Tuyls, P., Akkermans, A., Kevenaar, T., Schrijen, G., Bazen, A., and Veldhuis, R., "Practical Biometric Authentication with Template Protection," Audio- and Video-Based Biometric Person Authentication, 436–446 (2005).
[32] Jin, Z., Teoh, A., Ong, T., and Tee, C., "Fingerprint Template Protection with Minutiae-based Bit-String for Security and Privacy Preserving," Expert Systems with Applications 39(6), 6157–6167 (2012).
[33] Nandakumar, K., "A Fingerprint Cryptosystem based on Minutiae Phase Spectrum," IEEE International Workshop on Information Forensics and Security (WIFS), 1–6 (2010).
[34] Ratha, N., Connell, J., Bolle, R., and Chikkerur, S., "Cancelable Biometrics: A Case Study in Fingerprints," IEEE International Conference on Pattern Recognition (ICPR) 4, 370–373 (2006).
[35] Teoh, A. and Ngo, D., "Biophasor: Token Supplemented Cancellable Biometrics," IEEE International Conference on Control, Automation, Robotics and Vision (ICARCV), 1–5 (2006).
[36] Teoh, A. and Yuang, C., "Cancelable Biometrics Realization with Multispace Random Projections," IEEE Transactions on Systems, Man, and Cybernetics 37(5), 1096–1106 (2007).
[37] Tulyakov, S., Farooq, F., and Govindaraju, V., "Symmetric Hash Functions for Fingerprint Minutiae," Pattern Recognition and Image Analysis, 30–38 (2005).
[38] Ang, R., Safavi-Naini, R., and McAven, L., "Cancelable Key-based Fingerprint Templates," Information Security and Privacy, 242–252 (2005).
[39] Gellman, R., "The De-Identification Dilemma: A Legislative and Contractual Proposal," Fordham Intell. Prop. Media & Ent. LJ 21, 33 (2010).
[40] Uzuner, Ö., Luo, Y., and Szolovits, P., "Evaluating the State-of-the-Art in Automatic De-Identification," Journal of the American Medical Informatics Association 14(5), 550–563 (2007).
[41] Othman, A. and Ross, A., "On Mixing Fingerprints," IEEE Transactions on Information Forensics and Security 8(1), 260–267 (2013).
[42] Larkin, K. and Fletcher, P., "A Coherent Framework for Fingerprint Analysis: Are Fingerprints Holograms?," Optics Express 15(14), 8667–8677 (2007).
[43] Novikov, S. and Kot, V., "Singular Feature Detection and Classification of Fingerprints using Hough Transform," Sixth International Workshop on Digital Image Processing and Computer Graphics, 259–269 (1998).
[44] Campisi, P., [Security and Privacy in Biometrics], Springer (2013).
[45] Lugini, L., Marasco, E., Cukic, B., and Dawson, J., "Removing Gender Signature from Fingerprints," Information and Communication Technology, Electronics and Microelectronics (MIPRO), 1283–1287 (2014).

