Privacy by Design in Practice: Reasoning about Privacy Properties of Biometric System Architectures

  • Julien Bringer
  • Hervé Chabanne
  • Daniel Le Métayer
  • Roch Lescuyer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9109)


The work presented in this paper is the result of a collaboration between academics, industry and lawyers to show the applicability of the privacy by design approach to biometric systems and the benefit of formal methods to this end. The choice of particular techniques and the role of the components (central server, secure module, terminal, smart card, etc.) in the architecture have a strong impact on the privacy guarantees provided by a biometric system. However, existing proposals were made on a case by case basis, which makes it difficult to compare them and to provide a rationale for the choice of specific options. In this paper, we show that a general framework for the definition of privacy architectures can be used to specify these options and to reason about them in a formal way.


Smart Card Biometric System Homomorphic Encryption Biometric Template Reference Template 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: ACM Symposium on Principles of Programming Languages, POPL 2001, pp. 104–115. ACM Press (2001)Google Scholar
  2. 2.
    Antignac, T., Le Métayer, D.: Privacy architectures: Reasoning about data minimisation and integrity. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 17–32. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  3. 3.
    Antignac, T., Le Métayer, D.: Trust driven strategies for privacy by design. In: Damsgaard Jensen, C., Marsh, S., Dimitrakos, T., Murayama, Y. (eds.) IFIPTM 2015. IFIP AICT, vol. 454, pp. 60–75. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  4. 4.
    Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: IEEE Symposium on Security and Privacy, S&P 2006, pp. 184–198. IEEE Computer Society (2006)Google Scholar
  5. 5.
    Becker, M.Y., Malkis, A., Bussard, L.: S4P: A generic language for specifying privacy preferences and policies. Technical report, Microsoft Research / IMDEA Software / EMIC (2010)Google Scholar
  6. 6.
    Blanton, M., Gasti, P.: Secure and efficient protocols for iris and fingerprint identification. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 190–209. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Bringer, J., Chabanne, H., Izabachène, M., Pointcheval, D., Tang, Q., Zimmer, S.: An application of the Goldwasser–Micali cryptosystem to biometric authentication. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 96–106. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Delaune, S., Kremer, S., Ryan, M.: Verifying privacy-type properties of electronic voting protocols: A taster. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 289–309. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    European Parliament. European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. General Data Protection Regulation, Ordinary legislative procedure: first reading (2014)Google Scholar
  12. 12.
    Fagin, R., Halpern, J., Moses, Y., Vardi, M.: Reasoning About Knowledge. MIT Press (2004)Google Scholar
  13. 13.
    Fournet, C., Kohlweiss, M., Danezis, G., Luo, Z.: ZQL: A compiler for privacy-preserving data processing. In: USENIX 2013 Security Symposium, pp. 163–178. USENIX Association (2013)Google Scholar
  14. 14.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM Press (2009)Google Scholar
  15. 15.
    Govan, M., Buggy, T.: A computationally efficient fingerprint matching algorithm for implementation on smartcards. In: Biometrics: Theory, Applications, and Systems, BTAS 2007, pp. 1–6. IEEE Computer Society (2007)Google Scholar
  16. 16.
    Gürses, S., Troncoso, C., Díaz, C.: Engineering Privacy by Design. Presented at the Computers, Privacy & Data Protection Conference (2011)Google Scholar
  17. 17.
    Halpern, J.Y., Pucella, R.: Dealing with logical omniscience. In: Conference on Theoretical Aspects of Rationality and Knowledge, TARK 2007, pp. 169–176 (2007)Google Scholar
  18. 18.
    Huang, Y., Malka, L., Evans, D., Katz, J.: Efficient privacy–preserving biometric identification. In: Network and Distributed System Security Symposium, NDSS 2011. The Internet Society (2011)Google Scholar
  19. 19.
    Jain, A.K., Ross, A., Prabhakar, S.: An introduction to biometric recognition. IEEE Trans. Circuits Syst. Video Techn. 14(1), 4–20 (2004)CrossRefGoogle Scholar
  20. 20.
    Juels, A., Sudan, M.: A fuzzy vault scheme. Des. Codes Cryptography 38(2), 237–257 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  21. 21.
    Kanak, A., Sogukpinar, I.: BioPSTM: a formal model for privacy, security, and trust in template-protecting biometric authentication. Security and Communication Networks 7(1), 123–138 (2014)CrossRefGoogle Scholar
  22. 22.
    Kerschbaum, F.: Privacy-preserving computation (position paper). In: Preneel, B., Ikonomou, D. (eds.) APF 2012. LNCS, vol. 8319, pp. 41–54. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  23. 23.
    Lai, L., Ho, S.-W., Poor, H.V.: Privacy-security trade-offs in biometric security systems – Part I: single use case. IEEE Transactions on Information Forensics and Security 6(1), 122–139 (2011)CrossRefGoogle Scholar
  24. 24.
    Lai, L., Ho, S.-W., Poor, H.V.: Privacy-security trade-offs in biometric security systems – Part II: multiple use case. IEEE Transactions on Information Forensics and Security 6(1), 140–151 (2011)CrossRefGoogle Scholar
  25. 25.
    Li, H., Pang, L.: A novel biometric–based authentication scheme with privacy protection. In: Conference on Information Assurance and Security, IAS 2009, pp. 295–298. IEEE Computer Society (2009)Google Scholar
  26. 26.
    Maffei, M., Pecina, K., Reinert, M.: Security and privacy by declarative design. In: IEEE Symposium on Computer Security Foundations, CSF 2013, pp. 81–96. IEEE Computer Society (2013)Google Scholar
  27. 27.
    McSherry, F.: Privacy integrated queries: an extensible platform for privacy-preserving data analysis. In: ACM Conference on Management of Data, SIGMOD 2009, pp. 19–30. ACM Press (2009)Google Scholar
  28. 28.
    Le Métayer, D.: Privacy by design: A formal framework for the analysis of architectural choices. In: ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 95–104. ACM Press (2013)Google Scholar
  29. 29.
    Mulligan, D.K., King, J.: Bridging the gap between privacy and design. University of Pennsylvania Journal of Constitutional Law 14, 989–1034 (2012)Google Scholar
  30. 30.
    National Institute of Standards and Technology (NIST). MINEXII – an assessment of Match–On–Card technology (2011),
  31. 31.
    International Standard Organization. International standard iso/iec 24787:2010, information technology – identification cards – on-card biometric comparison (2010)Google Scholar
  32. 32.
    Osadchy, M., Pinkas, B., Jarrous, A., Moskovich, B.: SCiFI – A system for secure face identification. In: IEEE Symposium on Security and Privacy, S&P 2010, pp. 239–254. IEEE Computer Society (2010)Google Scholar
  33. 33.
    Pucella, R.: Deductive algorithmic knowledge. J. Log. Comput. 16(2), 287–309 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  34. 34.
    Spiekermann, S., Cranor, L.F.: Engineering privacy. IEEE Trans. Software Eng. 35(1), 67–82 (2009)CrossRefGoogle Scholar
  35. 35.
    Ta, V.-T., Antignac, T.: Privacy by design: On the conformance between protocols and architectures. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P.W.L. (eds.) FPS 2014. LNCS, vol. 8930, pp. 65–81. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  36. 36.
    Tang, Q., Bringer, J., Chabanne, H., Pointcheval, D.: A formal study of the privacy concerns in biometric-based remote authentication schemes. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 56–70. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  37. 37.
    Troncoso-Pastoriza, J.R., Pérez-González, F.: Fully homomorphic faces. In: International Conference on Image Processing, ICIP 2012, pp. 2657–2660. IEEE Computer Society (2012)Google Scholar
  38. 38.
    Uludag, U., Pankanti, S., Jain, A.K.: Fuzzy vault for fingerprints. In: Kanade, T., Jain, A., Ratha, N.K. (eds.) AVBPA 2005. LNCS, vol. 3546, pp. 310–319. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Julien Bringer
    • 1
  • Hervé Chabanne
    • 1
    • 2
  • Daniel Le Métayer
    • 3
  • Roch Lescuyer
    • 1
  1. 1.MorphoIssy-Les-MoulineauxFrance
  2. 2.Télécom ParisTechParisFrance
  3. 3.Inria, Université de LyonLyonFrance

Personalised recommendations