Principles of Privacy Preserving Face Verification
Privacy by Design principles for systems
Privacy by Design principles for systems
In the previous section we have seen how SensePrints are data structures that are privacy preserving (it cannot be determined that two SensePrints, when compared to each other, were generated from the same person's face).
We have also seen how SensePrints have the property of Biometric Verifiability (given a person's face and a SensePrint, it is possible to verify that it was the same person for whom the SensePrint was generated earlier).
In this section, we highlight the Privacy by Design principles that should underscore any good system.
Unlinkability - Given two data structures (SensePrints) alone, it should be impossible to tell if they were generated from the same data (face + metadata) or from different data.
Irreversability - Given a SensePrint, it should be impossible to obtain the original face that was used to generate the SensePrint. This property is typically not satisfied by traditional Face Verification systems as they offer a similarity score between two templates. This similarity score makes traditional technology susceptible to Hill Climbing Attacks.
Revocability and Renewability - In traditional systems, it is possible to generate only one feature vector / template from a single image. Multiple SensePrints can be generated from the same person. While you can't change your face, you can change your SensePrint as needed.
If a SensePrint needs to be replaced, a new one can be generated from exactly the same image and data and such a SensePrint would be entirely different from the one being revoked.
