Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

The Power of One Brief: Top reasons to choose HP BladeSystem

Also in the area of law enforcement we have David P. Peterson, forensic scientist with the Minnesota Bureau of Criminal Apprehension, who covers the development of standards:

I trust you will continue in your research and determine just what is being questioned these days in the science of fingerprints. When you pin down our critics, you find that they agree that fingerprints are unique to every individual. They are questioning the methods we use to make the determination of a positive identification.  In the United States, it has been a problem of inconsistency because there are so many law enforcement agencies and no standard policies. That is beginning to change. The FBI has been working on standards that will hopefully be adopted by all agencies that do fingerprint comparisons. In our state lab here in Minnesota, we have established guidelines that are followed in every case. With regard to the uniqueness of fingerprints, think of this. In the 103 history of the fingerprint branch of Scotland Yard and the 100 year history of fingerprint comparisons in the U.S., no two prints have ever found to match to each other. Identical twins may have the same DNA but they do not have duplicate fingerprints... each finger is difference. Our database contains over 10 million fingerprint images. When someone is arrested for a subsequent offense, the system identifies the fact there is already a set of ten prints in the file that match the person arrested. If no prior arrest exits, a new record is made. Again, no fingerprints have been found to match another person in the database. There is no cause for alarm down the road. The fingerprint science is sound and we are extremely confident that that we will be able to overcome any challenges as they are presented.

Respectfully, David P. Peterson

The issue of standards is particularly important, and will impact the ability of governments to exchange fingerprint databases, and to use new ID databases in conjunction with existing fingerprint data. Existing databases are highly variable, and will often consist of rolled prints, which have been historically favoured by law enforcement agencies because they provide a larger amount of data. As the NPL study reasonably points out, however, rolled systems simply will not support high volume throughput. The NPL recommends using a minimum of four, preferably five, prints obtained via a full handslap, so you've got four flat prints per individual. Reasonably controlled conditions for the taking of the initial 'enrollment' prints will also be required, so while the accuracy of matching between the UK database and UK standard readers ought to be predictable, it'll likely be less so comparing, say, UK-read prints with a US database. And trying to match new standard prints up with the FBI's existing 40 million database could quite easily prove impossible. For law enforcement, David's points clearly suggest that effective interstate matching needs the new FBI standards and new databases, while for general ID we're also talking new databases. But David, don't you think that saying "There is no cause for alarm down the road" is a bit like saying, "Hi, I'm from the government, I'm here to help."?

I freely concede that the philosophical digression on the nature of identity at the tail end of my first piece might have been a little on the self-indulgent side, but my intent was to get people to question the assumption that identity was something fixed that could be absolutely nailed down, or indeed that it mattered. daan Strebe (wonder if he's small-d daan in his passport?) spots the self-indulgence but misses the intent:

Many of the arguments tendered in this article assume that the ID card must correctly identify a person in order to be effective. That axiom is wrong. When he enters the UK, it matters not that the human born as Ebrahim el-Ajar in Oman carries identification claiming he is Mohammed Khalfallah from Tunisia. While such a person may carry greater risk than someone else, and an ID system may fail to discern that particular risk, that failure does not eliminate the ways an ID system might succeed.

(I think I did make the point that ID systems would in some cases have to just assign an arbitrary ID, but don't recall making any massive assumptions based on this)

If an ID card contains a biometric signature indisputably uniquely associated with some individual, then the individual's real name, lineage, family, even nationality really don't matter. In the end, those are just labels. What matters is that the UK (for instance) has on record another individual named Habib Banki from Iran who carries the same biometric signature. Or that the biometric signature, regardless of the name attached to it, is associated with terrorist events in Egypt or car theft in Algeria.

(This depends on the overseas record being available, accurate, compatible. Using other people's watch lists effectively will in my opinion prove desperately difficult, but what do I know? daan's entire case incidentally rests on that "If... indisputably uniquely". If not, little else follows.)

The article does seem to acknowledge this point (even going so far as to dismiss it because of the impracticalities of matching every 'fingerprint' against every other one), but it was so heavily diluted with the "correct identity" red herring as to leave me unmoved. I'm agnostic about IDs for many reasons, and I definitely understand the enormous practical difficulties of using them in the theoretical ways they could be useful. On the other hand, having watched the relentless climb of computational power over the past few decades, even an O(n^2) algorithm for finding duplicates amongst 7 billion humans, and an O(n) algorithm for real-time comparisons at borders, no longer strikes me as unrealistic. It makes no sense to wait until such power is cheap if we're ever going to do it, since it *will* be cheap, probably sooner than later. It takes far more time to institute "standards" and apply them across populations than it does to develop faster computers to do something with data. In any case, biometric signatures can be coded in ways that categorize them efficiently, drastically reducing the number of comparisons required, so it's not clear to me that such a system would be impractical even today.

Tossing out most of the article for its "correct identity" red herring, and tossing out some of the remainder for its pooh-poohing of technology's present supposed inability to, or enormous cost in, dealing with the data, I'm not sure there's much left. Surely it's wiser to concentrate on the civil liberties aspect, if there is anything novel to be said there.

Regards, daan Strebe

Another candidate for a word from mum about how little good manners cost, I fear. daan's faith in the climb of computational power as the answer is, it seems to me, undermined by the difficulties associated with obtaining standard data sets to work with. But there I go pooh-poohing the technology again.

The smart choice: opportunity from uncertainty

More from The Register

next story
NSA man: 'Tell me about your Turkish connections'
Spooks ask Dabbsy to suggest a nice hotel with pool
In space... no one can hear you're green...
Indian techies-in-training face down MAN-EATING LEOPARD - and WIN
Big cat causes big trouble at Mumbai college
Carlos: Slim your working week to just three days of toil
'Midas World' vision suggests you retire later, watch more tellie and buy more stuff
Yahoo! Japan! launches! service! for! the! dead!
If you're reading this email, I am no longer alive
Plucky Rockall podule man back on (proper) dry land
Bold, barmy Brit adventurer Nick Hancock escapes North Atlantic islet
Motorist 'thought car had caught fire' as Adele track came on stereo
'FIRE' caption on dashboard prompts dunderheaded hard shoulder halt
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.