Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Also in the area of law enforcement we have David P. Peterson, forensic scientist with the Minnesota Bureau of Criminal Apprehension, who covers the development of standards:

I trust you will continue in your research and determine just what is being questioned these days in the science of fingerprints. When you pin down our critics, you find that they agree that fingerprints are unique to every individual. They are questioning the methods we use to make the determination of a positive identification.  In the United States, it has been a problem of inconsistency because there are so many law enforcement agencies and no standard policies. That is beginning to change. The FBI has been working on standards that will hopefully be adopted by all agencies that do fingerprint comparisons. In our state lab here in Minnesota, we have established guidelines that are followed in every case. With regard to the uniqueness of fingerprints, think of this. In the 103 history of the fingerprint branch of Scotland Yard and the 100 year history of fingerprint comparisons in the U.S., no two prints have ever found to match to each other. Identical twins may have the same DNA but they do not have duplicate fingerprints... each finger is difference. Our database contains over 10 million fingerprint images. When someone is arrested for a subsequent offense, the system identifies the fact there is already a set of ten prints in the file that match the person arrested. If no prior arrest exits, a new record is made. Again, no fingerprints have been found to match another person in the database. There is no cause for alarm down the road. The fingerprint science is sound and we are extremely confident that that we will be able to overcome any challenges as they are presented.

Respectfully, David P. Peterson

The issue of standards is particularly important, and will impact the ability of governments to exchange fingerprint databases, and to use new ID databases in conjunction with existing fingerprint data. Existing databases are highly variable, and will often consist of rolled prints, which have been historically favoured by law enforcement agencies because they provide a larger amount of data. As the NPL study reasonably points out, however, rolled systems simply will not support high volume throughput. The NPL recommends using a minimum of four, preferably five, prints obtained via a full handslap, so you've got four flat prints per individual. Reasonably controlled conditions for the taking of the initial 'enrollment' prints will also be required, so while the accuracy of matching between the UK database and UK standard readers ought to be predictable, it'll likely be less so comparing, say, UK-read prints with a US database. And trying to match new standard prints up with the FBI's existing 40 million database could quite easily prove impossible. For law enforcement, David's points clearly suggest that effective interstate matching needs the new FBI standards and new databases, while for general ID we're also talking new databases. But David, don't you think that saying "There is no cause for alarm down the road" is a bit like saying, "Hi, I'm from the government, I'm here to help."?

I freely concede that the philosophical digression on the nature of identity at the tail end of my first piece might have been a little on the self-indulgent side, but my intent was to get people to question the assumption that identity was something fixed that could be absolutely nailed down, or indeed that it mattered. daan Strebe (wonder if he's small-d daan in his passport?) spots the self-indulgence but misses the intent:

Many of the arguments tendered in this article assume that the ID card must correctly identify a person in order to be effective. That axiom is wrong. When he enters the UK, it matters not that the human born as Ebrahim el-Ajar in Oman carries identification claiming he is Mohammed Khalfallah from Tunisia. While such a person may carry greater risk than someone else, and an ID system may fail to discern that particular risk, that failure does not eliminate the ways an ID system might succeed.

(I think I did make the point that ID systems would in some cases have to just assign an arbitrary ID, but don't recall making any massive assumptions based on this)

If an ID card contains a biometric signature indisputably uniquely associated with some individual, then the individual's real name, lineage, family, even nationality really don't matter. In the end, those are just labels. What matters is that the UK (for instance) has on record another individual named Habib Banki from Iran who carries the same biometric signature. Or that the biometric signature, regardless of the name attached to it, is associated with terrorist events in Egypt or car theft in Algeria.

(This depends on the overseas record being available, accurate, compatible. Using other people's watch lists effectively will in my opinion prove desperately difficult, but what do I know? daan's entire case incidentally rests on that "If... indisputably uniquely". If not, little else follows.)

The article does seem to acknowledge this point (even going so far as to dismiss it because of the impracticalities of matching every 'fingerprint' against every other one), but it was so heavily diluted with the "correct identity" red herring as to leave me unmoved. I'm agnostic about IDs for many reasons, and I definitely understand the enormous practical difficulties of using them in the theoretical ways they could be useful. On the other hand, having watched the relentless climb of computational power over the past few decades, even an O(n^2) algorithm for finding duplicates amongst 7 billion humans, and an O(n) algorithm for real-time comparisons at borders, no longer strikes me as unrealistic. It makes no sense to wait until such power is cheap if we're ever going to do it, since it *will* be cheap, probably sooner than later. It takes far more time to institute "standards" and apply them across populations than it does to develop faster computers to do something with data. In any case, biometric signatures can be coded in ways that categorize them efficiently, drastically reducing the number of comparisons required, so it's not clear to me that such a system would be impractical even today.

Tossing out most of the article for its "correct identity" red herring, and tossing out some of the remainder for its pooh-poohing of technology's present supposed inability to, or enormous cost in, dealing with the data, I'm not sure there's much left. Surely it's wiser to concentrate on the civil liberties aspect, if there is anything novel to be said there.

Regards, daan Strebe

Another candidate for a word from mum about how little good manners cost, I fear. daan's faith in the climb of computational power as the answer is, it seems to me, undermined by the difficulties associated with obtaining standard data sets to work with. But there I go pooh-poohing the technology again.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Criticism of Uber's journo-Data Analytics plan is an Attack on DIGITAL FREEDOM
First they came for Emil – and I'm damn well SPEAKING OUT
'It is comforting to know where your data centres are.' UK.GOV does NOT
Plus: Anons are 'wannabes', KKK says, before being pwned
Google's whois results say it's a lousy smut searcher
Run whois google.com or whois microsoft.com. We dare you, you PIG◙◙◙◙ER
Holy vintage vehicles! Earliest known official Batmobile goes on sale
Riddle me this: are you prepared to pay US$180k?
'Open source just means big companies can steal your code.' O RLY?
Plus: Flame of the Week returns, for one night only!
NEWSFLASH: It's time to ditch dullard Facebook chums
Everything hot in tech, courtesy of avian anchor Regina Eggbert
Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG
Stick it on the steering wheel and wait for the airbag to fire
prev story


Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.