Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Letters My piece on biometrics and compulsory ID earlier this month produced a substantial mailbag, most of it - even the couple of rude ones - constructive. Several of you provided links to useful research in the area, and the follow-up piece drawing attention to doubts about the infallibility of fingerprinting produced some more. As this will be a key factor in the mass rollout of biometric ID systems, it makes sense to start here.

First, a confession. I'm largely happy with the original piece, but I feel that I regrettably fell in with the general assumption that fingerprints are infallible, unique ID. The truth is that this may or may not be the case, but that is not necessarily relevant to the operation of a mass ID card system. So here, we should determine what we're talking about.

As the New Scientist piece cited in the second article pointed out, there is no unchallenged data supporting the claim that fingerprints are unique. The DoJ sponsored study concludes that the probability of a match is so low as to make them effectively unique, but the methodology of this study is now being questioned. Contrariwise, no two people have ever been found to have the same fingerprints, and it does seem kind of plausible that even similar fingerprints must be different in some way. On the third hand (which would be convenient in the case of an unfortunate match of the other ten fingers), it also seems plausible that two sets of prints could be sufficiently similar for it to be difficult, perhaps impossible, for us to be able to spot the differences. Which takes us to what we should be talking about.

The UK's National Physical Laboratory has published a quantity of biometric research here, one of the most useful pieces for our purposes being the identity card feasibility study, conducted for the Home Office. This research was actually intended to produce recommendations regarding the introduction of an entitlement card, so makes assumptions about initial throughput that will be significantly lower than in the case of a full-scale ID card, but it's nevertheless valuable because it examines implementation and the associated challenges in some detail, and because it does anticipate the database growing to 50 million.

As regards uniqueness/infallibility, the study makes it clear that the level of this is something you set for yourself, balancing the level of failed matches i.e. failure to identify someone you should identify, with the level of false matches, i.e. perfectly innocent people being interrogated until the authorities are convinced that they're not the person the machine's matched them up as.

So you can set the sensitivity at a level where you have a very high likelihood of making matches, but the price of this is such a high level of false matches that you bring the system to its knees and the security services into widespread disrepute. In reality, the study suggests a 1 in 1,000 false alarm rate, with a 5-10 per cent false non-match rate, as a reasonable compromise. Having only a 1 in 10 or 1 in 20 chance of slipping through is probably enough to deter most thinking terrorists and social services fraudsters, although a 1 in 1,000 false alarm rate could still produce hefty logistical problems, depending on how frequent routine ID checks became. 1 in 1,000 is one every two to three Jumbos.

But it's clear that using current technology in mass machine-read systems, arguments about the uniqueness of fingerprints are academic. They will not of themselves be unique identification, because of the parameters we will have to set. Uniqueness is however very important in another area, so we'll move straight over to the first of our critics, Andrew Rutherford of the Australian police:

Your article doesn't make any sense. It appears from the article that you don't know very much about Fingerprints, and as such, you probably shouldn't be writing articles on the subject until your understanding of its fundamentals improves.

I assume that the fingerprint comparisons, involving the 50000 images used in the study that you mention in your article, and the subsequent results were from computer comparisons. If this is the case, then you must realise that computer systems used throughout the world for fingerprint comparisons are only a tool used by fingerprint experts. If a fingerprint search is conducted using a fingerprint computer system, the computer will produce a candidate list of images from its database that it finds most like the search print. The fingerprint expert conducts comparisons of the images from the candidate list and they decide if the fingerprints are identical or not. If the search print is identified, then in the majority of cases it will be the first candidate on the list, however sometimes this is not the case and the identified print may be well down the candidate list. In some cases the computer may not find the print on its database even though it is there. This is why computers are only used as tools to assist in a computer search and why fingerprint experts make fingerprint identifications and not computers.

Mistakes are made and many are well known throughout the world, but the mistake is always a human error, and never has the cause of a wrong fingerprint identification been the breakdown of the fundamental principles of fingerprint identification.

If people, like you who write these articles, want to attack the infallibility of fingerprints, then you like should only question the competency of the fingerprint expert. Many people who claim to be fingerprint experts have limited training and/or experience (especially in the US).

Regards Andrew Rutherford

I'll leave Andrew's manners to his mother, and I don't entirely recall writing quite the article he seems to have been reading. But as he points out, fingerprint identification as used in the legal process deploys machine reading as a guide for fingerprint experts. These experts will clearly not be present or feasible for general ID systems, but what he has to say about their fallibility is worth noting as a corrective to the general impression of fingerprint evidence as absolutely conclusive. Yes, it might be in theory, but in practice the system's dependence on human experts means that it's not. This fact obviously does matter to those people who are in prison on the basis of an expert witness' mistake, and surely deserves to be more widely publicised.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Holy vintage vehicles! Earliest known official Batmobile goes on sale
Riddle me this: are you prepared to pay US$180k?
'Open source just means big companies can steal your code.' O RLY?
Plus: Flame of the Week returns, for one night only!
Bible THUMP: Good Book beats Darwin to most influential tome title
Folio Society crowns fittest of surviving volumes
U wot? Silicon Roundabout set to become Silicon U-BEND
Crap-spouting London upstarts to get permanent road closure
Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG
Stick it on the steering wheel and wait for the airbag to fire
NEWSFLASH: It's time to ditch dullard Facebook chums
Everything hot in tech, courtesy of avian anchor Regina Eggbert
Useless computer engineer Barbie sacked after three-way fscking
Tale of two lads and wannabe game dev makes for great management material
Microsoft to bring back beloved 1990s super-hit BATTLETOADS!?*
* Or maybe not. It is just a trademark filing, after all
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.