Feeds

Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Also in the area of law enforcement we have David P. Peterson, forensic scientist with the Minnesota Bureau of Criminal Apprehension, who covers the development of standards:

I trust you will continue in your research and determine just what is being questioned these days in the science of fingerprints. When you pin down our critics, you find that they agree that fingerprints are unique to every individual. They are questioning the methods we use to make the determination of a positive identification.  In the United States, it has been a problem of inconsistency because there are so many law enforcement agencies and no standard policies. That is beginning to change. The FBI has been working on standards that will hopefully be adopted by all agencies that do fingerprint comparisons. In our state lab here in Minnesota, we have established guidelines that are followed in every case. With regard to the uniqueness of fingerprints, think of this. In the 103 history of the fingerprint branch of Scotland Yard and the 100 year history of fingerprint comparisons in the U.S., no two prints have ever found to match to each other. Identical twins may have the same DNA but they do not have duplicate fingerprints... each finger is difference. Our database contains over 10 million fingerprint images. When someone is arrested for a subsequent offense, the system identifies the fact there is already a set of ten prints in the file that match the person arrested. If no prior arrest exits, a new record is made. Again, no fingerprints have been found to match another person in the database. There is no cause for alarm down the road. The fingerprint science is sound and we are extremely confident that that we will be able to overcome any challenges as they are presented.

Respectfully, David P. Peterson

The issue of standards is particularly important, and will impact the ability of governments to exchange fingerprint databases, and to use new ID databases in conjunction with existing fingerprint data. Existing databases are highly variable, and will often consist of rolled prints, which have been historically favoured by law enforcement agencies because they provide a larger amount of data. As the NPL study reasonably points out, however, rolled systems simply will not support high volume throughput. The NPL recommends using a minimum of four, preferably five, prints obtained via a full handslap, so you've got four flat prints per individual. Reasonably controlled conditions for the taking of the initial 'enrollment' prints will also be required, so while the accuracy of matching between the UK database and UK standard readers ought to be predictable, it'll likely be less so comparing, say, UK-read prints with a US database. And trying to match new standard prints up with the FBI's existing 40 million database could quite easily prove impossible. For law enforcement, David's points clearly suggest that effective interstate matching needs the new FBI standards and new databases, while for general ID we're also talking new databases. But David, don't you think that saying "There is no cause for alarm down the road" is a bit like saying, "Hi, I'm from the government, I'm here to help."?

I freely concede that the philosophical digression on the nature of identity at the tail end of my first piece might have been a little on the self-indulgent side, but my intent was to get people to question the assumption that identity was something fixed that could be absolutely nailed down, or indeed that it mattered. daan Strebe (wonder if he's small-d daan in his passport?) spots the self-indulgence but misses the intent:

Many of the arguments tendered in this article assume that the ID card must correctly identify a person in order to be effective. That axiom is wrong. When he enters the UK, it matters not that the human born as Ebrahim el-Ajar in Oman carries identification claiming he is Mohammed Khalfallah from Tunisia. While such a person may carry greater risk than someone else, and an ID system may fail to discern that particular risk, that failure does not eliminate the ways an ID system might succeed.

(I think I did make the point that ID systems would in some cases have to just assign an arbitrary ID, but don't recall making any massive assumptions based on this)

If an ID card contains a biometric signature indisputably uniquely associated with some individual, then the individual's real name, lineage, family, even nationality really don't matter. In the end, those are just labels. What matters is that the UK (for instance) has on record another individual named Habib Banki from Iran who carries the same biometric signature. Or that the biometric signature, regardless of the name attached to it, is associated with terrorist events in Egypt or car theft in Algeria.

(This depends on the overseas record being available, accurate, compatible. Using other people's watch lists effectively will in my opinion prove desperately difficult, but what do I know? daan's entire case incidentally rests on that "If... indisputably uniquely". If not, little else follows.)

The article does seem to acknowledge this point (even going so far as to dismiss it because of the impracticalities of matching every 'fingerprint' against every other one), but it was so heavily diluted with the "correct identity" red herring as to leave me unmoved. I'm agnostic about IDs for many reasons, and I definitely understand the enormous practical difficulties of using them in the theoretical ways they could be useful. On the other hand, having watched the relentless climb of computational power over the past few decades, even an O(n^2) algorithm for finding duplicates amongst 7 billion humans, and an O(n) algorithm for real-time comparisons at borders, no longer strikes me as unrealistic. It makes no sense to wait until such power is cheap if we're ever going to do it, since it *will* be cheap, probably sooner than later. It takes far more time to institute "standards" and apply them across populations than it does to develop faster computers to do something with data. In any case, biometric signatures can be coded in ways that categorize them efficiently, drastically reducing the number of comparisons required, so it's not clear to me that such a system would be impractical even today.

Tossing out most of the article for its "correct identity" red herring, and tossing out some of the remainder for its pooh-poohing of technology's present supposed inability to, or enormous cost in, dealing with the data, I'm not sure there's much left. Surely it's wiser to concentrate on the civil liberties aspect, if there is anything novel to be said there.

Regards, daan Strebe

Another candidate for a word from mum about how little good manners cost, I fear. daan's faith in the climb of computational power as the answer is, it seems to me, undermined by the difficulties associated with obtaining standard data sets to work with. But there I go pooh-poohing the technology again.

Security for virtualized datacentres

More from The Register

next story
Facebook's Zuckerberg in EBOLA VIRUS FIGHT: Billionaire battles bug
US Centers for Disease Control and Prevention contacted as site supremo coughs up
Space exploration is just so lame. NEW APPS are mankind's future
We feel obliged to point out the headline statement is total, utter cobblers
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
Swiss wildlife park serves up furry residents to visitors
'It's ecological' says spokesman, now how would you like your Bambi done?
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
STONER SHEEP get the MUNCHIES after feasting on £4k worth of cannabis plants
Baaaaaa! Fanny's Farm's woolly flock is high, maaaaaan
FedEx helps deliver THOUSANDS of spam messages DIRECT to its Blighty customers
Don't worry Wilson, I'll do all the paddling. You just hang on
Red Bull does NOT give you wings, $13.5m lawsuit says so
Website letting consumers claim $10 cash back crashes after stampede
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.