How to create samples for the Unified biometric system and why it can be dangerous

Mark does not want a mortgage for him in Russia

From June 30, government agencies, banks and other organizations will receive the right to collect biometric data of citizens and identify them. At the same time, Law No. 482- establishes the criteria with which banks must meet, opening and keeping accounts of clients without their personal presence.

A single biometric system of identification will be launched in Russia on July 1.

For the project at the state level, two types of biometrics were chosen: voice and face, and not separately, but together, since bimodality allows us to define a “living person” rather than an imitation of his biometrics in a digital channel. In the future, it is possible to connect other biometrics, in particular, the iris of the eyes and vein patterns.

For access to the data of every citizen in a single identification database, banks will have to pay 200 rubles. At the same time, half of this amount will be received by the bank, which initially participated in the removal of primary biometrics, and another 100 rubles. will receive other participants of the system (the operator of the system itself, the portal of public services and vendors of technological solutions). Given that millions of people are active clients of banks, the amount is huge.

At the initial stage of the introduction of the system, only simple operations like transfer within their accounts will be available to customers; in the future, it will be possible to draw up loans and mortgages.

In the future, they plan to extend the system to public services, education, health care and other areas.

Two participation roles will be available to banks: a consumer and a biometric data provider.

It will be enough for the consumer to conclude an agreement with the EMU operator (Rostelecom) on the use of the biometric platform and ensure the integration of their front-end solutions using the oAuth technology.

The supplier of biometric data needs to additionally implement an automated workstation for carrying out primary identification. In addition to integration with ESIA and EBS, this workplace must meet the requirements for the technical characteristics of the equipment, the conditions of illumination and noise in the room, and also comply with the requirements for the created biometric control templates.

The Ministry of Communications and Mass Media, in turn, issued a draft order “On the approval of the processing procedure, including the collection and storage, parameters of biometric personal data for identification purposes, the procedure for placing and updating biometric personal data in a single biometric system, as well as requirements for information technology and hardware, intended to process biometric personal data for identification purposes. "

This Procedure establishes the procedure for processing, including the collection and storage of, parameters of biometric personal data, the placement and updating of biometric personal data in a single biometric system in order to identify a citizen of the Russian Federation, and also determines the requirements for information technology and technical means for processing biometric personal data for specified purposes.

Thus, in accordance with the Procedure, the processing of parameters of biometric personal data is carried out after the identification of a citizen with his personal presence in accordance with the requirements approved in accordance with paragraph 2 of part 2 of article 14.1 of the Federal Law No. 149- dated July 27, 2006 information technology and information protection ", as well as obtaining, according to Federal Law of July 27, 2006 No. 152-" On Personal Data ", consent to the processing of personal data and biometric personal data, in the form approved by the Government of the Russian Federation in accordance with paragraph 5 of article 14.1 of Federal Law No. 149-.

In the case of the withdrawal of personal data by the subject in accordance with Federal Law No. 152-FZ, there is no consent to the processing of personal data, the use of its biometric personal data for identification purposes.

Data integrity

Personal data will be stored in a secure circuit, and the system itself will undergo certification and certification in accordance with the requirements of the FSB, said Ivan Berov, director of the Rostelecom's “Digital Identity” office.

The digital platform itself is located in the cloud-protected infrastructure of Rostelecom, to which banks will get access through special communication channels of the Inter-Agency Electronic Interaction System (SMEV).

Berov also added that user data will be transmitted via secure communication channels using domestic cryptoalgorithms. To solve this problem, Rostelecom is developing a special mobile application with built-in cryptographic information protection tools.

What is the danger here?

Theoretically, such a biometric base can still be stolen, and for bank customers it is much worse than stealing passwords or access codes. Fingerprints, voice recording and facial images are based on the personality and uniqueness given to us at birth. If the criminals take possession of such data of citizens, they, to put it mildly, will get into trouble. After all, if a stolen password or pin-code can be changed, then your face or voice is impossible. As a result, the offender, having biometric data in addition to biographical data, in fact can perform any operations on behalf of the person.

Dear readers, please write your assumptions of what a person should do in case of leakage of his biometric data in the comments.

Biometric samples

In the process of processing the parameters of biometric personal data, biometric samples of the subject’s face image data (hereinafter referred to as facial image BO) and biometric voice data samples (hereinafter referred to as BO voice recording) are created.

Requirements for BO

The quality of the face image must meet the following criteria:

• the presence of one person in the image;
• lack of objects covering the face;
• face angle (tilt, turn, head deviation);
• face sizes in pixels;
• brightness / shade / motion blur;
• format and size of the image file.

The quality of voice recordings must meet the following criteria:

• the presence of speech in sound recordings;
• acceptable signal-to-noise ratio;
• sampling rate and coding method.

Bo face images

BW face images must meet the following requirements:

• colors of frontal type images should be represented in a 24-bit RGB color space, in which for each pixel there are 8 bits for each color component: red, green, and blue;
• head rotation should be no more than 5 degrees from the frontal position;
• head tilt should be no more than 5 degrees from the frontal position;
• head deflection should be no more than 8 degrees from the frontal position;
• the distance between the centers of the eyes should be at least 120 pixels;
• when the distance between the centers of the eyes is 120 pixels, the value of the horizontal size of the face image must be at least 480 pixels;
• when the distance between the centers of the eyes is 120 pixels, the value of the vertical size of the face image must be at least 640 pixels;
• hair or foreign objects should not overlap the image of the face across the entire width from the eyebrows to the lower lip;
• the image must contain only one person; the presence of other faces, fragments of other faces and portraits is not allowed;
• the expression should be neutral, the mouth closed, both eyes open normally for the subject concerned (including behavioral factors or medical illnesses);
• the face should be evenly lit so that there are no shadows and highlights in the face image;
• retouching and image editing are not allowed;
• framing of the image is allowed;
• in the case of photographing a person with glasses, sunglasses and bright light artifacts or flash reflection from glasses are not allowed;
• The face image must be saved in a .jpeg or .png file.

BO voice recording

BO voice recordings must meet the following requirements:

• signal-to-noise ratio for sound not less than 15 dB;
• quantization depth of at least 16 bits;
• sampling frequency not less than 16 kHz;
• container / format: RIFF (WAV);
• Compression Code: PCM / uncompressed (0x0001)
• number of channels in voice recording: 1 (mono mode) channel;
• noise cancellation is not allowed;
• the recording should contain the voice of one person;
• it is forbidden to receive a BW by recoding phonograms recorded using technical means of the public telephone network (PSTN);
• for text-dependent voice recognition algorithm:
• the duration of the voice recording depends on the size of the dictionary used;
• Subject speech content: passphrase;
• emotional and psychological state and state of health of the subject: a normal not excited state without obvious manifestations of any diseases (catarrhal, respiratory, etc.);
• list of languages ​​in which the subject can produce a speech message: Russian.

Biometric samples collected by authorized employees of bodies and organizations are automatically checked using the software of the unified biometric system installed in the information systems of such bodies and organizations for compliance with the requirements and criteria established in paragraphs 11-14 of this Procedure (hereinafter referred to as quality control).

In the case of passing the quality control, the compliance of biometric samples with the criteria and requirements specified above, such samples, as well as information established by acts of the Government of the Russian Federation, other information, including the date, time and place of collection of biometric personal data, as well as the number of attempts to pass quality control, are transmitted by the authorities and organizations to a single biometric system using the SREI.

Based on the provided biometric samples, biometric control templates are formed in a single biometric system, which are used in the process of identifying a citizen of the Russian Federation.

If, during the process of quality control, the biometric samples do not comply with the criteria and requirements, information, including the date, time and place of collecting biometric personal data, is transmitted into a single biometric system in accordance with the Regulations.

Storage of biometric personal data, including those placed in a single biometric system, for identification purposes is carried out in accordance with Article 19 of Federal Law No. 152-FZ in the manner prescribed by the Regulations for 3 years from the date of placement in the specified system.

Hardware Requirements

In addition to the requirements for biometric samples, the Procedure defines the requirements for technical means intended for processing biometric personal data.

Technical means for registration of BO images of the face:

a) to register a face image, you must use a photo or video camera (hereinafter referred to as the camera) with the following characteristics:

• Image resolution: at least 1280x720 pixels;
• when the subject is located at a distance of 0.3-0.5 m from the camera, the equivalent focal length should be from 31 to 100 mm; when the subject is located at a distance of 0.51-1.0 m from the camera, the equivalent focal length should be from 28 mm to 100 mm from the camera;
• Photo-video should be carried out using the automatic white balance color adjustment mode.

b) to ensure the natural color of the skin, it is recommended that the color temperature of the illuminators be from 4800 to 6500 K. The required color temperature is provided by fluorescent or LED light sources. The used light sources should create in the face area the illumination:

• for video / cameras without automatic light correction not less than 300 lux;
• for video / cameras with automatic light correction not less than 100 lux.

Technical means for registering voice BO:

a) To register a voice recording, you must use a microphone with the following characteristics:

• type: condenser (preferably electret), without automatic gain control;
• signal / noise ratio: at least 58 dB;
• frequency range: from 40 to 10,000 Hz;
• sensitivity: not less than minus 30 dB;
• form of pattern: omnidirectional, cardioid, supercardioid or hypercardioid.

In addition, the Procedure establishes that the technical means intended for processing biometric personal data for the purpose of identification should provide protection against the selection of non-genuine biometric samples in the amount of at least 10 ⁴ attempts per sample.

Other articles of our blog:

→ White Paper on the Federal Law №152 - a book that can be referenced in the processing of personal data
→ We will again be counted: National biometric platform and “pass-through identifier”
→ Biometric personal data of Russians
→ The main aspects of the legality of the processing of personal data in an employment relationship