Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Top three mobile application threats

Also in the area of law enforcement we have David P. Peterson, forensic scientist with the Minnesota Bureau of Criminal Apprehension, who covers the development of standards:

I trust you will continue in your research and determine just what is being questioned these days in the science of fingerprints. When you pin down our critics, you find that they agree that fingerprints are unique to every individual. They are questioning the methods we use to make the determination of a positive identification.  In the United States, it has been a problem of inconsistency because there are so many law enforcement agencies and no standard policies. That is beginning to change. The FBI has been working on standards that will hopefully be adopted by all agencies that do fingerprint comparisons. In our state lab here in Minnesota, we have established guidelines that are followed in every case. With regard to the uniqueness of fingerprints, think of this. In the 103 history of the fingerprint branch of Scotland Yard and the 100 year history of fingerprint comparisons in the U.S., no two prints have ever found to match to each other. Identical twins may have the same DNA but they do not have duplicate fingerprints... each finger is difference. Our database contains over 10 million fingerprint images. When someone is arrested for a subsequent offense, the system identifies the fact there is already a set of ten prints in the file that match the person arrested. If no prior arrest exits, a new record is made. Again, no fingerprints have been found to match another person in the database. There is no cause for alarm down the road. The fingerprint science is sound and we are extremely confident that that we will be able to overcome any challenges as they are presented.

Respectfully, David P. Peterson

The issue of standards is particularly important, and will impact the ability of governments to exchange fingerprint databases, and to use new ID databases in conjunction with existing fingerprint data. Existing databases are highly variable, and will often consist of rolled prints, which have been historically favoured by law enforcement agencies because they provide a larger amount of data. As the NPL study reasonably points out, however, rolled systems simply will not support high volume throughput. The NPL recommends using a minimum of four, preferably five, prints obtained via a full handslap, so you've got four flat prints per individual. Reasonably controlled conditions for the taking of the initial 'enrollment' prints will also be required, so while the accuracy of matching between the UK database and UK standard readers ought to be predictable, it'll likely be less so comparing, say, UK-read prints with a US database. And trying to match new standard prints up with the FBI's existing 40 million database could quite easily prove impossible. For law enforcement, David's points clearly suggest that effective interstate matching needs the new FBI standards and new databases, while for general ID we're also talking new databases. But David, don't you think that saying "There is no cause for alarm down the road" is a bit like saying, "Hi, I'm from the government, I'm here to help."?

I freely concede that the philosophical digression on the nature of identity at the tail end of my first piece might have been a little on the self-indulgent side, but my intent was to get people to question the assumption that identity was something fixed that could be absolutely nailed down, or indeed that it mattered. daan Strebe (wonder if he's small-d daan in his passport?) spots the self-indulgence but misses the intent:

Many of the arguments tendered in this article assume that the ID card must correctly identify a person in order to be effective. That axiom is wrong. When he enters the UK, it matters not that the human born as Ebrahim el-Ajar in Oman carries identification claiming he is Mohammed Khalfallah from Tunisia. While such a person may carry greater risk than someone else, and an ID system may fail to discern that particular risk, that failure does not eliminate the ways an ID system might succeed.

(I think I did make the point that ID systems would in some cases have to just assign an arbitrary ID, but don't recall making any massive assumptions based on this)

If an ID card contains a biometric signature indisputably uniquely associated with some individual, then the individual's real name, lineage, family, even nationality really don't matter. In the end, those are just labels. What matters is that the UK (for instance) has on record another individual named Habib Banki from Iran who carries the same biometric signature. Or that the biometric signature, regardless of the name attached to it, is associated with terrorist events in Egypt or car theft in Algeria.

(This depends on the overseas record being available, accurate, compatible. Using other people's watch lists effectively will in my opinion prove desperately difficult, but what do I know? daan's entire case incidentally rests on that "If... indisputably uniquely". If not, little else follows.)

The article does seem to acknowledge this point (even going so far as to dismiss it because of the impracticalities of matching every 'fingerprint' against every other one), but it was so heavily diluted with the "correct identity" red herring as to leave me unmoved. I'm agnostic about IDs for many reasons, and I definitely understand the enormous practical difficulties of using them in the theoretical ways they could be useful. On the other hand, having watched the relentless climb of computational power over the past few decades, even an O(n^2) algorithm for finding duplicates amongst 7 billion humans, and an O(n) algorithm for real-time comparisons at borders, no longer strikes me as unrealistic. It makes no sense to wait until such power is cheap if we're ever going to do it, since it *will* be cheap, probably sooner than later. It takes far more time to institute "standards" and apply them across populations than it does to develop faster computers to do something with data. In any case, biometric signatures can be coded in ways that categorize them efficiently, drastically reducing the number of comparisons required, so it's not clear to me that such a system would be impractical even today.

Tossing out most of the article for its "correct identity" red herring, and tossing out some of the remainder for its pooh-poohing of technology's present supposed inability to, or enormous cost in, dealing with the data, I'm not sure there's much left. Surely it's wiser to concentrate on the civil liberties aspect, if there is anything novel to be said there.

Regards, daan Strebe

Another candidate for a word from mum about how little good manners cost, I fear. daan's faith in the climb of computational power as the answer is, it seems to me, undermined by the difficulties associated with obtaining standard data sets to work with. But there I go pooh-poohing the technology again.

High performance access to file storage

More from The Register

next story
Spanish village called 'Kill the Jews' mulls rebranding exercise
Not exactly attractive to the Israeli tourist demographic
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
Sleuths find nosy NORKS drones on the Chinternet
UAVs likely to have been made in the Middle Kingdom
Och aye! It's the Loch Ness Monster – but only Apple fanbois can see it
Fondleslab-friendly beastie's wake spotted... OR WAS IT?
Dorian Nakamoto gets $23,000 payout over Bitcoin invention saga
Maintains he didn't create cryptocurrency, but will join community
Japanese boffin EYES up big bucks with strap-on digi-glasses
AgencyGlass saddles user with creepy OLED display
Forget the beach 'n' boardwalk, check out the Santa Cruz STEVE JOBS FOUNTAIN
Reg reader snaps shot of touching tribute to Apple icon
Happy 40th Playmobil: Reg looks back at small, rude world of our favourite tiny toys
Little men straddle LOHAN, attend tiny G20 Summit... ah, sweet memories...
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.