Original URL: http://www.theregister.co.uk/2004/04/19/biometrics/
Fingerprints as ID - good, bad, ugly?
Well, there's an effectiveness:usability trade-off, for starters
Letters
My piece on biometrics and compulsory ID earlier this month produced a substantial mailbag, most of it - even the couple of rude ones - constructive. Several of you provided links to useful research in the area, and the follow-up piece drawing attention to doubts about the infallibility of fingerprinting produced some more. As this will be a key factor in the mass rollout of biometric ID systems, it makes sense to start here.
First, a confession. I'm largely happy with the original piece, but I feel that I regrettably fell in with the general assumption that fingerprints are infallible, unique ID. The truth is that this may or may not be the case, but that is not necessarily relevant to the operation of a mass ID card system. So here, we should determine what we're talking about.
As the New Scientist piece cited in the second article pointed out, there is no unchallenged data supporting the claim that fingerprints are unique. The DoJ-sponsored study concludes that the probability of two people sharing a print is so low as to make prints effectively unique, but the methodology of that study is now being questioned. Contrariwise, no two people have ever been found to have the same fingerprints, and it does seem plausible that even similar fingerprints must differ in some way. On the third hand (which would be convenient in the case of an unfortunate match of the other ten fingers), it also seems plausible that two sets of prints could be sufficiently similar for it to be difficult, perhaps impossible, to spot the differences. Which takes us to what we should be talking about.
The UK's National Physical Laboratory has published a quantity of biometric research here, one of the most useful pieces for our purposes being the identity card feasibility study, conducted for the Home Office. This research was actually intended to produce recommendations regarding the introduction of an entitlement card, so makes assumptions about initial throughput that will be significantly lower than in the case of a full-scale ID card, but it's nevertheless valuable because it examines implementation and the associated challenges in some detail, and because it does anticipate the database growing to 50 million.
As regards uniqueness/infallibility, the study makes it clear that the level of this is something you set for yourself, by choosing a matching threshold that balances the false non-match rate, i.e. failure to identify someone you should identify, against the false match rate, i.e. perfectly innocent people being interrogated until the authorities are convinced that they're not the person the machine has matched them to.
So you can set the threshold at a level where you have a very high likelihood of making matches, but the price of this is such a high level of false matches that you bring the system to its knees and the security services into widespread disrepute. In reality, the study suggests a 1 in 1,000 false match rate, with a 5-10 per cent false non-match rate, as a reasonable compromise. Having only a 1 in 10 or 1 in 20 chance of slipping through is probably enough to deter most thinking terrorists and social services fraudsters, although a 1 in 1,000 false alarm rate could still produce hefty logistical problems, depending on how frequent routine ID checks became: 1 in 1,000 is one every two to three Jumbos.
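A small worked model of that trade-off, added here as an example and not taken from the NPL study or the original article: genuine (same finger, two captures) and impostor (different people) similarity scores are drawn from two assumed, overlapping distributions, and the matching threshold is swept to show that once you fix a false match rate target, the false non-match rate you must live with follows from it. The score distributions, the seeds and the daily check volume are all assumptions of this example.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"sort"
)

// Rates is the operating point a verifier gets at one threshold.
type Rates struct {
	Threshold float64
	FMR       float64 // false match rate: impostors accepted (false alarms)
	FNMR      float64 // false non-match rate: genuine users rejected
}

// ratesAt counts how many impostor and genuine scores clear the threshold t.
// A score >= t is declared a match.
func ratesAt(genuine, impostor []float64, t float64) Rates {
	fm, fnm := 0, 0
	for _, s := range impostor {
		if s >= t {
			fm++
		}
	}
	for _, s := range genuine {
		if s < t {
			fnm++
		}
	}
	return Rates{
		Threshold: t,
		FMR:       float64(fm) / float64(len(impostor)),
		FNMR:      float64(fnm) / float64(len(genuine)),
	}
}

// thresholdForFMR returns the lowest threshold at which no more than
// target*len(impostor) impostor scores are accepted. This is the knob the
// operator turns: a stricter FMR target forces a higher threshold and
// therefore a higher FNMR.
func thresholdForFMR(impostor []float64, target float64) float64 {
	sorted := append([]float64(nil), impostor...)
	sort.Float64s(sorted)
	allowed := int(math.Floor(target * float64(len(sorted))))
	if allowed >= len(sorted) {
		return math.Inf(-1) // every impostor may pass
	}
	// Just above the (allowed+1)-th largest impostor score, so that tied
	// scores cannot push the accepted count over the budget.
	return math.Nextafter(sorted[len(sorted)-allowed-1], math.Inf(1))
}

// syntheticScores draws n scores from a normal distribution with a fixed
// seed, so runs are reproducible. The shapes are assumptions for
// illustration only, not data from the NPL study.
func syntheticScores(seed int64, n int, mean, sd float64) []float64 {
	r := rand.New(rand.NewSource(seed))
	out := make([]float64, n)
	for i := range out {
		out[i] = r.NormFloat64()*sd + mean
	}
	return out
}

func main() {
	genuine := syntheticScores(1, 20000, 0.72, 0.12)   // same finger, two captures
	impostor := syntheticScores(2, 200000, 0.35, 0.10) // different people

	fmt.Println("threshold    FMR        FNMR")
	for _, t := range []float64{0.50, 0.55, 0.60, 0.65, 0.70} {
		x := ratesAt(genuine, impostor, t)
		fmt.Printf("%.2f      %.5f    %.4f\n", x.Threshold, x.FMR, x.FNMR)
	}

	// The NPL compromise quoted above: one false alarm per 1,000 checks.
	t := thresholdForFMR(impostor, 1.0/1000)
	x := ratesAt(genuine, impostor, t)
	fmt.Printf("\nFMR target 1/1000 -> threshold %.3f, FNMR %.4f\n", t, x.FNMR)

	// Logistics at that operating point: false alarms expected for a given
	// volume of routine checks (the volume is an assumption).
	checks := 100000.0
	fmt.Printf("expected false alarms per %.0f checks: %.0f\n", checks, checks*x.FMR)
}
```

Raising the threshold only ever moves the two rates in opposite directions; the printed table makes that visible, and the last lines turn the 1 in 1,000 figure into the queue of innocent people a checkpoint would have to deal with.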
But it's clear that using current technology in mass machine-read systems, arguments about the uniqueness of fingerprints are academic. They will not of themselves be unique identification, because of the parameters we will have to set. Uniqueness is however very important in another area, so we'll move straight over to the first of our critics, Andrew Rutherford of the Australian police:
Your article doesn't make any sense. It appears from the article that you don't know very much about Fingerprints, and as such, you probably shouldn't be writing articles on the subject until your understanding of its fundamentals improves.
I assume that the fingerprint comparisons, involving the 50000 images used in the study that you mention in your article, and the subsequent results were from computer comparisons. If this is the case, then you must realise that computer systems used throughout the world for fingerprint comparisons are only a tool used by fingerprint experts. If a fingerprint search is conducted using a fingerprint computer system, the computer will produce a candidate list of images from its database that it finds most like the search print. The fingerprint expert conducts comparisons of the images from the candidate list and they decide if the fingerprints are identical or not. If the search print is identified, then in the majority of cases it will be the first candidate on the list, however sometimes this is not the case and the identified print may be well down the candidate list. In some cases the computer may not find the print on its database even though it is there. This is why computers are only used as tools to assist in a computer search and why fingerprint experts make fingerprint identifications and not computers.
Mistakes are made and many are well known throughout the world, but the mistake is always a human error, and never has the cause of a wrong fingerprint identification been the breakdown of the fundamental principles of fingerprint identification.
If people, like you, who write these articles want to attack the infallibility of fingerprints, then you should only question the competency of the fingerprint expert. Many people who claim to be fingerprint experts have limited training and/or experience (especially in the US).
Regards Andrew Rutherford
I'll leave Andrew's manners to his mother, and I don't entirely recall writing quite the article he seems to have been reading. But as he points out, fingerprint identification as used in the legal process deploys machine reading as a guide for fingerprint experts. These experts will clearly not be present or feasible for general ID systems, but what he has to say about their fallibility is worth noting as a corrective to the general impression of fingerprint evidence as absolutely conclusive. Yes, it might be in theory, but in practice the system's dependence on human experts means that it's not. This fact obviously does matter to those people who are in prison on the basis of an expert witness' mistake, and surely deserves to be more widely publicised.
Also in the area of law enforcement we have David P. Peterson, forensic scientist with the Minnesota Bureau of Criminal Apprehension, who covers the development of standards:
I trust you will continue in your research and determine just what is being questioned these days in the science of fingerprints. When you pin down our critics, you find that they agree that fingerprints are unique to every individual. They are questioning the methods we use to make the determination of a positive identification. In the United States, it has been a problem of inconsistency because there are so many law enforcement agencies and no standard policies. That is beginning to change. The FBI has been working on standards that will hopefully be adopted by all agencies that do fingerprint comparisons. In our state lab here in Minnesota, we have established guidelines that are followed in every case. With regard to the uniqueness of fingerprints, think of this. In the 103-year history of the fingerprint branch of Scotland Yard and the 100-year history of fingerprint comparisons in the U.S., no two prints have ever been found to match each other. Identical twins may have the same DNA but they do not have duplicate fingerprints... each finger is different. Our database contains over 10 million fingerprint images. When someone is arrested for a subsequent offense, the system identifies the fact that there is already a set of ten prints in the file that match the person arrested. If no prior arrest exists, a new record is made. Again, no fingerprints have been found to match another person in the database. There is no cause for alarm down the road. The fingerprint science is sound and we are extremely confident that we will be able to overcome any challenges as they are presented.
Respectfully, David P. Peterson
The issue of standards is particularly important, and will affect the ability of governments to exchange fingerprint databases, and to use new ID databases in conjunction with existing fingerprint data. Existing databases are highly variable, and will often consist of rolled prints, which have historically been favoured by law enforcement agencies because they capture more of the finger. As the NPL study reasonably points out, however, rolled systems simply will not support high-volume throughput. The NPL recommends using a minimum of four, preferably five, prints obtained via a full handslap, so you've got at least four flat prints per individual. Reasonably controlled conditions for the taking of the initial 'enrollment' prints will also be required, so while the accuracy of matching between the UK database and UK standard readers ought to be predictable, it'll likely be less so comparing, say, UK-read prints with a US database. And trying to match new standard prints up with the FBI's existing 40 million-record database could quite easily prove impossible. For law enforcement, David's points clearly suggest that effective interstate matching needs the new FBI standards and new databases, while for general ID we're also talking new databases. But David, don't you think that saying "There is no cause for alarm down the road" is a bit like saying, "Hi, I'm from the government, I'm here to help."?
I freely concede that the philosophical digression on the nature of identity at the tail end of my first piece might have been a little on the self-indulgent side, but my intent was to get people to question the assumption that identity was something fixed that could be absolutely nailed down, or indeed that it mattered. daan Strebe (wonder if he's small-d daan in his passport?) spots the self-indulgence but misses the intent:
Many of the arguments tendered in this article assume that the ID card must correctly identify a person in order to be effective. That axiom is wrong. When he enters the UK, it matters not that the human born as Ebrahim el-Ajar in Oman carries identification claiming he is Mohammed Khalfallah from Tunisia. While such a person may carry greater risk than someone else, and an ID system may fail to discern that particular risk, that failure does not eliminate the ways an ID system might succeed.
(I think I did make the point that ID systems would in some cases have to just assign an arbitrary ID, but don't recall making any massive assumptions based on this)
If an ID card contains a biometric signature indisputably uniquely associated with some individual, then the individual's real name, lineage, family, even nationality really don't matter. In the end, those are just labels. What matters is that the UK (for instance) has on record another individual named Habib Banki from Iran who carries the same biometric signature. Or that the biometric signature, regardless of the name attached to it, is associated with terrorist events in Egypt or car theft in Algeria.
(This depends on the overseas record being available, accurate, compatible. Using other people's watch lists effectively will in my opinion prove desperately difficult, but what do I know? daan's entire case incidentally rests on that "If... indisputably uniquely". If not, little else follows.)
The article does seem to acknowledge this point (even going so far as to dismiss it because of the impracticalities of matching every 'fingerprint' against every other one), but it was so heavily diluted with the "correct identity" red herring as to leave me unmoved. I'm agnostic about IDs for many reasons, and I definitely understand the enormous practical difficulties of using them in the theoretical ways they could be useful. On the other hand, having watched the relentless climb of computational power over the past few decades, even an O(n^2) algorithm for finding duplicates amongst 7 billion humans, and an O(n) algorithm for real-time comparisons at borders, no longer strikes me as unrealistic. It makes no sense to wait until such power is cheap if we're ever going to do it, since it *will* be cheap, probably sooner than later. It takes far more time to institute "standards" and apply them across populations than it does to develop faster computers to do something with data. In any case, biometric signatures can be coded in ways that categorize them efficiently, drastically reducing the number of comparisons required, so it's not clear to me that such a system would be impractical even today.
Tossing out most of the article for its "correct identity" red herring, and tossing out some of the remainder for its pooh-poohing of technology's present supposed inability to, or enormous cost in, dealing with the data, I'm not sure there's much left. Surely it's wiser to concentrate on the civil liberties aspect, if there is anything novel to be said there.
Regards, daan Strebe
Another candidate for a word from mum about how little good manners cost, I fear. daan's faith in the climb of computational power as the answer is, it seems to me, undermined by the difficulties associated with obtaining standard data sets to work with. But there I go pooh-poohing the technology again.
Why are we just talking about fingerprints, aren't there other kinds of biometrics? I'm glad you asked me that. Iris recognition is potentially a simpler recognition job, and the NPL humorously (?) observes that fraudsters tend to be more reluctant to mess with their eyes than their fingerprints (slightly useless factoid: "over 1 in 1,000 fingers are missing or have no fingerprint", but only 1 in 10,000 people lack a usable iris for recognition purposes).
There have been no widespread deployments of iris scanning systems, and there are difficulties associated with broad deployment of enrollment and reading systems. Current systems require careful alignment and good lighting conditions, and enrollment systems will be more costly to operate and will have a poorer throughput than for fingerprints. And we can perhaps entertain unworthy thoughts about how the police might best achieve optimum conditions with mobile iris recognition systems after dark - slam suspect up against wall, shine bright light in their eyes...
Facial recognition meanwhile is rejected entirely by the NPL study. It quotes one study as finding a false match rate of 1 in 1,000 with a false non-match rate of 1 in 10, but points out that a longer time lapse between enrollment and check, and less than optimum lighting conditions, would push the false non-match rate to 6 in 10 at the same 1 in 1,000 false match rate. The best you can say is that it's not ready for prime time, but it might have an application as a supporting biometric to reduce false matches from the primary one.
NPL's observations about the lower likelihood of people trying to falsify their eyeballs does however raise the possibility of fingerprint falsification. David Westcott reminds us about the use of gummy false prints. The feasibility of these means some degree of supervision of the hand will be necessary when it's placed on the reader, and that the use of fingerprint recognition in unattended security scenarios is of dubious value.
What about DNA? Pete Austin rightly corrects me for another unwarranted assumption:
Actually, if my DNA is found at the scene of a crime, it only means that my DNA is there. But DNA is easy to acquire. For example, like most people, I don't guard my wheely bin to stop criminals nicking vacuum cleaner dust, much of it hair and skin cells brimming with my DNA, to scatter at any crime scene of their choice.
Quite right, Pete. But as you, the container of the vast majority of your DNA, are likely to be present at an ID check, we don't necessarily need to be talking forensic worries here. They can just watch you, er, leak into a handy receptacle, or something. Kristoffer Winther Sørensen suggests that it actually is currently possible to do on-site DNA fingerprinting:
In the biomedical industry and academia we use a device called a PCR lightcycler to basically copy/clone DNA. As far as I know this technique was developed by the US military to facilitate the identification of possible biological agents used in biological warfare. The device is small enough to be carried on the back of a soldier and costs around $15,000. So I don't think there is a technical problem to "on-site" DNA fingerprinting.
Is there no end to the US Army's specialist hardware collection? Kristoffer however points out that DNA fingerprinting can give rise to false positives, "even if the material is of superb quality."
From memory, the methods used in Denmark will give a positive in 1 out of 100,000 persons. So if all Danes were in a DNA register, on average 52 persons (population of 5.2 million) would match a crime-scene DNA profile. That's a lot of suspects.
And we've had many more emails on the subject. We've skipped the ones saying what David Blunkett is (true, people, but this is established), and we've skipped the one claiming authorship of a system "paying 2.5 million people a month using fingerprint technology." We couldn't help noticing that in the country in question there seems to have been some debate about the effectiveness of this system, so we'll just have to call it 'jury still out.'
Honourable mention though to Bruce Schneier, who didn't write to us at all but who has produced a well-argued case against a US national ID card in Crypto-Gram. And finally, although this has gone on for long enough already, we present Irdial Discs' argument in favour of using digital signatures to secure the passport, thus entirely negating the need for a central database at all. This is so sane and rational that it stands no chance at all of being adopted by the powers that be. But we can all dream, can't we?
If any document is issued correctly, and is not tampered with, it must be assumed that the holder is the person named on the document, whether it has biometric information in it or not.
If the document has been tampered with, then the holder might not be the person named in the passport. This is the only type of check that needs to be made in passports.
Biometrics are not needed to ensure that the holder of a passport is the named person in the passport. Certainly, there is no need for a central database of all biometrics (photograph, fingerprint, iris scan) to check the identity of each person every time a passport is used. A simple test to see if the passport has been tampered with is all that is required.
This is how you do it.
1. Each passport or ID document contains a cryptographically signed digital portrait of the holder, signed by the passport issuing authority.
2. When your passport is swiped, your picture comes up on the screen, loaded from the passport, and NOT a central database.
3. The digital signature of the passport photo is also downloaded.
4. A PGP-like signature check is done against the public key of the national passport issuing authority, which is stored on the keyring of the swiping device.
If the signature is good, the document is genuine. If the signature is bad, the document is a forgery.
This system does several things.
1. It decentralizes the management of photo authentication.
2. It stops the inevitable abuses of centralized databases.
3. Each passport photo is digitally unique. This means that every time that you get your photo taken for your passport, it is a different cryptographically signed number that ends up in your passport. You will never have a unique identifier tied to your identity, even though it's your face in every photograph.
4. Big brother gets a kick in the balls.
5. Passport/ID fraud is basically eliminated, except for the fake ones made to order at the request of MI6 and the like.
There is no need for the centralized passport biometrics database that they are planning; the means exist right now, with military grade crypto and digitally signed photographs that will create a rock solid, absolutely authenticatable, user friendly, non big brother solution to passport fraud, that protects documents and does not further erase our rights as free people.
The crypto to do this is in the public domain, and so zero-cost license wise. My solution is cheaper than the centrally held database solution.
Now of course, there is nothing to stop people from collecting these signature numbers, but if that is the only part of the passport that is readable, and this readable part does not contain your name or any other personally identifiable information, it will be harder for people to create a database connected to your biometric ID. If you are the nervous type you could change your ID every month; in any case, I devised this ID scheme to demonstrate that there is no reason to create a centralized database from the outset. There are other, better ways to manage document authenticity. All someone has to do is simply THINK about the problem. Unfortunately, the people who are behind the deployment of this disaster are the companies that sell the systems that will be used to fleece the population for decades to come. Money is the true root cause for centralization, that and the lust for absolute control that slobbering pigs like David Blindkid and John Asscroft dreamed about.
Actually, Ms Manners isn't sure about that last bit either, but we'll let it pass. ®
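The Irdial scheme as it would look in code, added here as an example that is not part of the letter, of the article, or of any real passport system: the issuing authority signs a digest of the portrait with an Ed25519 key (standing in for the letter's "PGP-like" signature), and the swiping device checks the signature against the issuer's public key on its own keyring, loading nothing from a central database. The country code, the context string in the digest and the portrait bytes are constructed for the example. Two caveats the code makes concrete: the signature proves only that this issuer signed this portrait, so whether the bearer is the person in the picture is still a comparison the reader has to make; and because Ed25519 is deterministic, the signed number is stable for the life of the document, which is the collectable identifier the letter concedes. A compromised or misused issuing key signs "genuine" forgeries, the letter's made-to-order case, and nothing here revokes one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Document is the machine-readable part of the passport as the letter
// describes it: a portrait and the issuer's signature over it. No name or
// number is stored, as the proposal requires.
type Document struct {
	Portrait  []byte
	Signature []byte
}

// Issuer is the national passport authority holding the signing key.
type Issuer struct {
	priv ed25519.PrivateKey
}

// Reader is the swiping device. Its keyring holds only the public keys of
// issuers it trusts, indexed here by a country code (an assumption).
type Reader struct {
	keyring map[string]ed25519.PublicKey
}

// NewIssuer generates a fresh Ed25519 key pair for an issuing authority.
func NewIssuer() (Issuer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Issuer{priv: priv}, pub
}

// portraitDigest hashes the portrait under a fixed context string so that a
// signature made for this purpose cannot be replayed as some other signed
// statement by the same authority. The context string is an assumption.
func portraitDigest(portrait []byte) []byte {
	h := sha256.New()
	h.Write([]byte("passport-portrait-v1\x00"))
	h.Write(portrait)
	return h.Sum(nil)
}

// Issue signs the portrait at enrolment and embeds both in the document.
func (i Issuer) Issue(portrait []byte) Document {
	return Document{
		Portrait:  append([]byte(nil), portrait...),
		Signature: ed25519.Sign(i.priv, portraitDigest(portrait)),
	}
}

// Verify is the one check the letter says a passport needs: does a trusted
// issuer's signature cover exactly the portrait just loaded from the chip?
func (r Reader) Verify(country string, d Document) error {
	pub, ok := r.keyring[country]
	if !ok {
		return errors.New("issuer not on keyring")
	}
	if !ed25519.Verify(pub, portraitDigest(d.Portrait), d.Signature) {
		return errors.New("bad signature: portrait or signature altered, or not signed by this issuer")
	}
	return nil
}

// Scenarios runs the cases a border reader must get right and reports which
// documents it accepts. Portrait bytes are constructed placeholders.
func Scenarios() map[string]bool {
	uk, ukPub := NewIssuer()
	rogue, _ := NewIssuer() // a key the reader has never trusted
	reader := Reader{keyring: map[string]ed25519.PublicKey{"GBR": ukPub}}

	alice := []byte("JPEG bytes of Alice's portrait (constructed)")
	bob := []byte("JPEG bytes of Bob's portrait (constructed)")

	genuine := uk.Issue(alice)

	tampered := uk.Issue(alice)
	tampered.Portrait = bob // photo swapped on the chip, signature left as-is

	forged := rogue.Issue(bob) // well-formed, but signed by the wrong key

	spliced := Document{Portrait: bob, Signature: uk.Issue(alice).Signature}

	results := map[string]bool{}
	for name, d := range map[string]Document{
		"genuine":                            genuine,
		"tampered-portrait":                  tampered,
		"forged-with-untrusted-key":          forged,
		"signature-spliced-onto-other-photo": spliced,
	} {
		results[name] = reader.Verify("GBR", d) == nil
	}
	results["unknown-issuer"] = reader.Verify("XXX", genuine) == nil
	return results
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-36s accepted=%v\n", name, ok)
	}
}
```

Only the untouched document verifies; every alteration, and every signature from a key not on the keyring, is rejected without any lookup beyond the reader itself. What the check cannot do is tell the officer that the face in front of them is the face in the signed portrait.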