I got caught in a semantic discussion about a piece of SP 800-63B – which I thought might be worth consideration by this august body. 


In section 5.2.3 (Use of Biometrics) it says:


Biometric samples collected in the authentication process MAY be used to train comparison algorithms or — with user consent — for other research purposes. Biometric samples and any biometric data derived from the biometric sample such as a probe produced through signal processing SHALL be zeroized immediately after any training or research data has been derived.


In the criteria we have rendered this as: “63A#0680 - The CSP SHALL zeroize the biometric sample (including any associated biometric data) immediately after any training or research data has been derived.”


At first glance this seems to say biometric data that is used for training or research should be zeroized after its use. It might mean, but doesn’t quite seem to say, biometric data should be zeroized, but you can keep it long enough to use it for training or research.


That being said, in light of some conversations we’ve had about retaining identity evidence and due diligence, I’m wondering if this isn’t more complicated. Recently, we discussed how our criteria exceeded 800-63 to require the recording of evidence showing the identity process had been performed correctly. Certainly, the photo on a scanned driver’s license or passport would be such evidence and would also include “biometric data”. So would a selfie or even minutiae.


How are we reconciling our need to be able to prove the identity process was performed correctly with this requirement to delete all the photos and biometrics?


Jimmy