Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters


Letters My piece on biometrics and compulsory ID earlier this month produced a substantial mailbag, most of it - even the couple of rude ones - constructive. Several of you provided links to useful research in the area, and the follow-up piece drawing attention to doubts about the infallibility of fingerprinting produced some more. As this will be a key factor in the mass rollout of biometric ID systems, it makes sense to start here.

First, a confession. I'm largely happy with the original piece, but I feel that I regrettably fell in with the general assumption that fingerprints are infallible, unique ID. The truth is that this may or may not be the case, but that is not necessarily relevant to the operation of a mass ID card system. So here, we should determine what we're talking about.

As the New Scientist piece cited in the second article pointed out, there is no unchallenged data supporting the claim that fingerprints are unique. The DoJ sponsored study concludes that the probability of a match is so low as to make them effectively unique, but the methodology of this study is now being questioned. Contrariwise, no two people have ever been found to have the same fingerprints, and it does seem kind of plausible that even similar fingerprints must be different in some way. On the third hand (which would be convenient in the case of an unfortunate match of the other ten fingers), it also seems plausible that two sets of prints could be sufficiently similar for it to be difficult, perhaps impossible, for us to be able to spot the differences. Which takes us to what we should be talking about.

The UK's National Physical Laboratory has published a quantity of biometric research here, one of the most useful pieces for our purposes being the identity card feasibility study, conducted for the Home Office. This research was actually intended to produce recommendations regarding the introduction of an entitlement card, so makes assumptions about initial throughput that will be significantly lower than in the case of a full-scale ID card, but it's nevertheless valuable because it examines implementation and the associated challenges in some detail, and because it does anticipate the database growing to 50 million.

As regards uniqueness/infallibility, the study makes it clear that the level of this is something you set for yourself, balancing the level of failed matches (failure to identify someone you should identify) against the level of false matches (perfectly innocent people being interrogated until the authorities are convinced that they're not the person the machine has matched them up as).

So you can set the sensitivity at a level where you have a very high likelihood of making matches, but the price of this is such a high level of false matches that you bring the system to its knees and the security services into widespread disrepute. In reality, the study suggests a 1 in 1,000 false alarm rate, with a 5-10 per cent false non-match rate, as a reasonable compromise. Having only a 1 in 10 or 1 in 20 chance of slipping through is probably enough to deter most thinking terrorists and social services fraudsters, although a 1 in 1,000 false alarm rate could still produce hefty logistical problems, depending on how frequent routine ID checks became. 1 in 1,000 is one every two to three Jumbos.
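The trade-off described above, worked through as an added example (not code from the original article or from the NPL study): a match threshold is chosen to hit the 1 in 1,000 false alarm rate, and the false non-match rate that comes with it is read off. The two score distributions and the 400-seat Jumbo are constructed assumptions, picked so the result lands in the 5-10 per cent range the study cites.

```python
from statistics import NormalDist

# Constructed score models (assumptions for illustration, not NPL data):
# similarity scores when comparing different people vs. the same person.
IMPOSTOR = NormalDist(mu=20.0, sigma=8.0)
GENUINE = NormalDist(mu=60.0, sigma=11.0)


def rates_at(threshold):
    """Return (false_match_rate, false_non_match_rate) at a match threshold."""
    fmr = 1.0 - IMPOSTOR.cdf(threshold)  # different people scored as a match
    fnmr = GENUINE.cdf(threshold)        # same person scored as a non-match
    return fmr, fnmr


def threshold_for_fmr(target_fmr):
    """Lowest threshold whose false match rate does not exceed target_fmr."""
    return IMPOSTOR.inv_cdf(1.0 - target_fmr)


def checks_per_false_alarm(fmr):
    """Average number of innocent checks between two false alarms."""
    return 1.0 / fmr


def sweep(thresholds):
    """Tabulate the trade-off: each row is (threshold, fmr, fnmr)."""
    return [(t, *rates_at(t)) for t in thresholds]


if __name__ == "__main__":
    # Raising the threshold cuts false alarms but lets more real matches slip by.
    for t, fmr, fnmr in sweep(range(30, 61, 5)):
        print(f"threshold={t:2d}  FMR={fmr:.5f}  FNMR={fnmr:.5f}")

    t = threshold_for_fmr(1 / 1000)  # the study's suggested false alarm rate
    fmr, fnmr = rates_at(t)
    print(f"1-in-1,000 operating point: threshold={t:.2f}, FNMR={fnmr:.1%}")

    seats = 400  # assumed passengers per Jumbo, to mirror the article's comparison
    print(f"one false alarm every {checks_per_false_alarm(fmr) / seats:.1f} flights")
```
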

But it's clear that using current technology in mass machine-read systems, arguments about the uniqueness of fingerprints are academic. They will not of themselves be unique identification, because of the parameters we will have to set. Uniqueness is however very important in another area, so we'll move straight over to the first of our critics, Andrew Rutherford of the Australian police:

Your article doesn't make any sense. It appears from the article that you don't know very much about Fingerprints, and as such, you probably shouldn't be writing articles on the subject until your understanding of its fundamentals improves.

I assume that the fingerprint comparisons, involving the 50000 images used in the study that you mention in your article, and the subsequent results were from computer comparisons. If this is the case, then you must realise that computer systems used throughout the world for fingerprint comparisons are only a tool used by fingerprint experts. If a fingerprint search is conducted using a fingerprint computer system, the computer will produce a candidate list of images from its database that it finds most like the search print. The fingerprint expert conducts comparisons of the images from the candidate list and they decide if the fingerprints are identical or not. If the search print is identified, then in the majority of cases it will be the first candidate on the list, however sometimes this is not the case and the identified print may be well down the candidate list. In some cases the computer may not find the print on its database even though it is there. This is why computers are only used as tools to assist in a computer search and why fingerprint experts make fingerprint identifications and not computers.

Mistakes are made and many are well known throughout the world, but the mistake is always a human error, and never has the cause of a wrong fingerprint identification been the breakdown of the fundamental principles of fingerprint identification.

If people like you, who write these articles, want to attack the infallibility of fingerprints, then you should only question the competency of the fingerprint expert. Many people who claim to be fingerprint experts have limited training and/or experience (especially in the US).

Regards Andrew Rutherford

I'll leave Andrew's manners to his mother, and I don't entirely recall writing quite the article he seems to have been reading. But as he points out, fingerprint identification as used in the legal process deploys machine reading as a guide for fingerprint experts. These experts will clearly not be present or feasible for general ID systems, but what he has to say about their fallibility is worth noting as a corrective to the general impression of fingerprint evidence as absolutely conclusive. Yes, it might be in theory, but in practice the system's dependence on human experts means that it's not. This fact obviously does matter to those people who are in prison on the basis of an expert witness' mistake, and surely deserves to be more widely publicised.
