
DHS and UK ID card biometric vendor in false ID lawsuit

Right fingerprints, wrong felony and murder rap


At San Jose Superior Court today (11 May) biometrics company Identix will seek to have a product liability and slander lawsuit against it and the States of California and Oregon dismissed. Plaintiffs Roger Benson and Miguel Espinoza are seeking restitution for the damage inflicted on them by duplication in police records which gave them other people's criminal records.

Benson was wrongfully imprisoned for 43 days for carrying a firearm when a convicted felon, although the felony on his record had been committed by someone else, while Espinoza had his restaurant business destroyed by a false record of a criminally negligent homicide conviction. The plaintiffs claim that their problems stemmed from Identix's Livescan 10-print, a fingerprint scanner used to enter fingerprint data into police systems. Two months ago Identix was re-confirmed as the winner of a Department of Homeland Security Blanket Purchase Agreement (BPA) for fingerprint systems, this being worth an estimated $27 million over five years. Identix is also supplying equipment for the UK Passport Service's ID card pilot, so one might reasonably consider that the stakes in San Jose Superior Court will be rather high.

The case hinges on the origin of duplicate record ID numbers, but it is the fact that these actually existed that is of the broadest significance. Benson, whose case has been going through the courts longest, stepped into trouble when he was pulled in for a traffic violation and fingerprinted. This process was carried out using a Livescan system, which produced an Electronic Fingerprint Card (EFC). Each EFC is assigned a fingerprint control number, FPN, which is intended to be unique. Previous paper-based systems, which are still widely used in the US, use EFCs preprinted with a unique FPN, but this is not the case with EFCs produced with the Livescan system. Benson's EFC was created on February 6th 1998, and on September 10th 1998 one William Lee Kellogg, charged with multiple felonies, was put through the booking process. Kellogg's EFC had the same FPN as Benson's.

FPNs are widely used in criminal justice databases, and the duplicate records entered the Oregon Judicial Information Network (OJIN), where Kellogg's convictions were attached to Benson's record. A routine inspection in California the next year uncovered a handgun in Benson's truck, and as his Oregon record said he was a thrice convicted felon, he was arrested for being in violation of the California Penal Code.

The plaintiffs' complaint alleges that the defendants have known since 1996 "that Livescan machines had the identified propensity of creating defective EFCs," and that they therefore knew that this was corrupting criminal justice databases and court records. It is not clear from the evidence presented that the blame rests entirely with the Livescan equipment, but it does seem clear that Oregon was aware that duplication incidents were occurring (a list of 97 of these was compiled), and it has certainly taken Benson some considerable time, against considerable opposition, to clear his name.

He was, for example, unaware of the biometric technology's influence on his case until 2002, and prior to this had come up with some decidedly paranoid theories to explain why his life was being destroyed because of a traffic violation. As indeed, you might.

For the rest of us, the real issue is how fallibility in software and human input can produce extremely serious errors in systems which are intended to provide virtually infallible identification. There is here no dispute that Benson's and Kellogg's biometric records are entirely different (Benson has only nine fingertips, for starters), but the processes operated in such a way that Benson's record got the convictions. These spread from Oregon to California, and Benson's attorney claims that he is still recorded by the FBI as having been arrested as a felon in possession of a firearm.

Organisations deploying such systems should of course be extremely concerned that they are not subject to such errors. Aside from the impact on the victims, the creation of false records will damage the integrity of the database they're used in initially, and the sharing of this data will result in the corruption spreading into other systems. The further it gets, the harder it will be to undo the damage. But the more sure the designers are that they've ruled out problems like this, the harder it will be to have errors corrected. If it's impossible, then the people complaining have got to be mad, right? The issue of how you deal with the data is actually far more important than getting the technology to produce a "unique" biometric. ®
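The failure described above, where a record is linked on a control number that is assumed to be unique, can be shown in a few lines. This is an added example, not code from the article or from any system it names; the `Booking` fields, the `subject` key (standing in for any identifier independent of the FPN) and all sample values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Booking:
    fpn: str          # fingerprint control number on the card
    subject: str      # hypothetical person key, independent of the FPN
    booked_on: str
    dispositions: list = field(default_factory=list)


class AmbiguousFPN(Exception):
    """The FPN plus subject does not resolve to exactly one booking."""


def sample_bookings():
    # Constructed data: two different people issued the same FPN months apart.
    return [
        Booking("FPN-000123", "subject-A", "1998-02-06"),
        Booking("FPN-000123", "subject-B", "1998-09-10"),
        Booking("FPN-000456", "subject-C", "1998-09-11"),
    ]


def find_fpn_collisions(bookings):
    """Return {fpn: [subjects]} for every FPN held by more than one subject."""
    seen = defaultdict(set)
    for b in bookings:
        seen[b.fpn].add(b.subject)
    return {fpn: sorted(s) for fpn, s in seen.items() if len(s) > 1}


def attach_by_fpn_only(bookings, fpn, disposition):
    """Weak linkage: trusts the FPN as unique and updates the first match."""
    target = next(b for b in bookings if b.fpn == fpn)
    target.dispositions.append(disposition)
    return target


def attach_checked(bookings, fpn, subject, disposition):
    """Link only when FPN and the independent subject key agree on one booking."""
    matches = [b for b in bookings if b.fpn == fpn and b.subject == subject]
    if len(matches) != 1:
        raise AmbiguousFPN(f"{fpn}/{subject}: {len(matches)} matching bookings")
    matches[0].dispositions.append(disposition)
    return matches[0]
```

Running `find_fpn_collisions` as a periodic audit surfaces duplicates already in the data, while `attach_checked` stops a new disposition from landing on the wrong person at write time.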

Related links:

Benson's complaint

Glitches in ID card kit frustrate Blunkett's pod people
