January/February issue
Biometrics: what are they good for?
SA Mathieson
Biometric technology is being deployed in anger, in the
wake of the Twin Towers attack, and other security incidents. SA
Mathieson looks at the strengths and weaknesses of biometric technologies.
Biometrics are not new. The first book-style passports issued by
Britain in 1915 contained more biometric measures than the same
country's planned biometric identity card database, due to start
in 2008.
A biometric is, after all, just a measurement of the human body,
and the 1915 passport included a photograph, descriptions of the
shape of the holder's face, his or her complexion and other measurements:
‘nose: large, forehead: broad, eyes: small’, to quote
an example given by the UK Passport Service.
As a result, UK human rights group Liberty does not oppose the
use of biometrics, even if an iris scan is far more sophisticated
than ‘eyes: small’. "Our position has always been
that, given we don't object to passports with a traditional photograph,
the fact that you're using another identifier isn't the problem,"
says Barry Hugill, a spokesman for the group. "It's the use
to which it is put. We think it's delusional to believe that biometrics
are some kind of magic solution that can't be faked."
This is not the position of many governments, including the United
States, a consensus within the European Union and, in particular,
Britain: computerised biometric measurements (unlike all those in
the 1915 passport, which would be checked by human eye) are the
fashionable security solution. But are they up to the job?
The countries have agreed to add a contactless microchip containing
the old biometric — the photograph passports already carry
— to their passports. This measure doesn't change the data
on the passport, it just makes it harder to forge.
But the United States has effectively bounced the 27 countries
within its visa waiver scheme into introducing further biometrics,
through its Enhanced Border Security and Visa Entry Reform Act of
2002. This originally required all member countries to start issuing
passports with biometrics (which for the US means, primarily, fingerprints)
by 26 October, 2004, or leave the programme — meaning every
visitor to the US from that country would have to apply in person
at an embassy for a biometric visa. Last August, the US extended
its deadline by one year, but as a holding measure visa waiver programme
users must now give fingerprints and have a photo taken when entering
the US.
The European Union looks to be following suit: in October 2003,
the Justice and Home Affairs Council of Ministers agreed that member
nations will add digitised fingerprints as well as photos by the
end of 2007. The UK, whose government is among the most enthusiastic,
will use iris scans as well.
Cutting the mustard
But is the technology up to the job? Crucially, there are two ways
of using biometrics. The first is a one-to-one check: checking someone
is who they say they are, by comparing the bearer with their recorded
biometrics, either on a document they present or a central database.
Even a relatively low rate of success, such as 90% accuracy, would
be of some use with one-to-one checks — but a 10% failure
rate was reported for such passports in October.
The other is a one-to-many check, and this is where many biometrics
become unstuck. The UK's plan for an identity register does not
require citizens to carry the card, as any important identity checks
will require a scan of the person's irises and/or fingerprints.
The person will then be looked up on the database, with their biometrics
acting as a human bar-code.
This kind of check requires the biometrics in question to work
incredibly well. A system that makes a mistake on a one-to-one match
one time in every million would be excellent for one-to-one checks.
But for a one-to-many check, it depends on the size of the database
the system has to scan. The chances of the system finding the one
correct match — no more, no less — can be calculated
by its one-to-one success rate to the power of the database size.
If the database size is two, this would make the one-to-many success
rate equal to 0.999999 squared, or 0.999998. A database of 100 people
would produce a 0.9999 success rate, excellent for, say, proximity
access to a company's secure department. But increasing the database
to 100,000 reduces this to a 0.9048 success rate, and a database
of the UK's adult population (50 million) leads to a success rate
of less than one in five thousand billion billion. In other words,
the chances of the one-in-a-million system coming up with only the
one true match is essentially zero.
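The calculation above, as an added example that is not part of the original article: it reproduces the article's figures using its own model (every comparison independent, success rate to the power of the database size) and then inverts the formula to show what per-comparison error rate a 50 million record search would need. The function names are illustrative, and treating the single-finger equal error rate quoted later in the article as a per-comparison error rate is an assumption.

```python
import math

def one_to_many_success(error_rate, db_size):
    """Article's model: all db_size comparisons must be right, so the
    result is (1 - error_rate) ** db_size. log1p keeps precision when
    error_rate is tiny."""
    return math.exp(db_size * math.log1p(-error_rate))

def expected_wrong_comparisons(error_rate, db_size):
    """Average number of wrong comparisons in one search of the database."""
    return error_rate * db_size

def required_error_rate(target_success, db_size):
    """Inverse of one_to_many_success: the per-comparison error rate a
    system may not exceed to reach target_success on db_size records."""
    return -math.expm1(math.log(target_success) / db_size)

if __name__ == "__main__":
    one_in_a_million = 1e-6
    for n in (2, 100, 100_000, 50_000_000):  # database sizes from the article
        p = one_to_many_success(one_in_a_million, n)
        print(f"database {n:>11,}: success rate {p:.6g}")

    uk_adults = 50_000_000
    # What a search that fails once in a million on 50 million records implies
    needed = required_error_rate(1 - 1e-6, uk_adults)
    print(f"per-comparison error rate needed: {needed:.3g}")

    # Assumption: the single-finger equal error rate (1 in 100 to 1 in 1,000)
    # is used directly as the per-comparison error rate.
    for eer in (1e-2, 1e-3):
        wrong = expected_wrong_comparisons(eer, uk_adults)
        print(f"error rate {eer:g}: about {wrong:,.0f} wrong comparisons per search")
```

Under this model, a search that fails only once in a million on 50 million records needs a per-comparison error rate of about 2 in 100 trillion.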
The answer could be to stick to the one-to-one check, but this
significantly degrades such schemes. Firstly, it requires individuals
to carry their identity card or passport at all times it may be
needed, creating a new crime to be policed. Secondly, it means accepting
that the database will include false identities, as only an accurate
one-to-many check is capable of confirming that someone has not
already enrolled. Thirdly, going on from the second, it makes forging
identity documents worthwhile.
UK government ministers have said the only reason they are moving
ahead with an identity register now is because biometrics make it
possible to run one-to-many checks: but is this true? It doesn't
help to use several biometrics, as this simply compounds errors:
what do you do if the iris system comes up
with one person, and the fingerprint another? The only solution
is to use one primary biometric that is good enough to cope with
a database of tens of millions of people, even if a secondary one
has to be used for those who cannot use the first one.
Irises
Iris scanning could be that biometric. Its inventor, Dr John Daugman,
says that statistically, it is capable of picking out one person
from a database of 50 million, with a failure rate of just one in
a million. (Daugman explains why false match probability does not
accumulate in large database searches at http://www.cl.cam.ac.uk/users/jgd1000/largedatabases.html).
Furthermore, iris scans have some advantages for privacy. They
are not physically invasive, yet it is difficult to take an iris
scan without permission or knowledge. Images from the average surveillance
cameras are too low in resolution to produce a scan, although high-quality
posed photographs can be used. In 2002, iris scans gathered from
a portrait of Sharbat Gula, an Afghan woman in her late 20s, were
compared by Dr Daugman to scans from the image of an Afghan girl
which appeared on the front cover of National Geographic magazine
in 1985. (The fact that Gula remembered being photographed in the
mid-1980s backs up Daugman's finding that she and the girl on the
1985 cover were the same person.)
However, iris scanning has its disadvantages. Firstly, a photograph
or another ‘copy’, such as the wearing of special contact
lenses, can fool some cameras. There are ways around this, such
as changing the light levels and watching to see that the pupil
changes in size, but this adds to the cost of the equipment.
The second is the difficulty of acquiring a usable image. Markus
Kuhn, a lecturer at Cambridge University's computer laboratory,
says that individual iris scans suffer from a relatively high rejection
rate, due to such things as people blinking. Although a repeat test
usually solves the problem, it helps if the equipment has a human
operator to advise users — making it a good option for borders,
but less suitable for lower-value transactions.
Thirdly, some equipment cannot take a scan from subjects who cannot
control their eyes. More expensive camera equipment can get around
this, but people without irises and those with opaque corneas cannot
use the technique at all.
The overall problem is high cost. "Iris doesn't come in a cheap
and cheerful version," says Graham Titterington, a principal
analyst for research firm Ovum. "It's Rolls Royce or nothing."
This can price it out of even relatively high-value uses. Nationwide
building society (a UK mutually-owned bank) trialled iris recognition-driven
cash machines at its head office branch in Swindon during 1998/9.
It says this was successful and popular with users, with a six-month
test extended to two years, but that extending it to all branches
would have had huge cost implications.
Fingerprints
Fingerprints are a more familiar biometric, having first been used
by Dr Henry Faulds, who in the 1870s disproved the guilt of a man
in Tokyo who was accused of robbery, having seen that fingerprints
appear to be unique to each individual.
They do have privacy problems compared with iris scans, as people
leave prints behind all the time, hence their value in fighting
crime. Last year [2004], a memorial to Dr Faulds was unveiled in
his hometown of Beith in Scotland.
The unveiling ceremony was attended by Shirley McKie, another Scot,
whose case throws doubt on the reliability of fingerprints —
at least single ones — as a unique identifier. In February
1997, while McKie was a detective constable with Strathclyde Police, a
thumbprint that appeared to belong to her was found at a murder scene: the
match was confirmed by four experts at the Scottish Criminal Record
Office (SCRO), which handles fingerprints for all police forces
in Scotland. (Police officers' prints are stored alongside those
of criminals).
At the murder trial, McKie denied having been in the room where
the print was found. Although the trial successfully convicted David
Asbury for murder, McKie was put on trial for perjury (lying to
a court). However, with the aid of fingerprint experts who said
the prints did not match, she was found not guilty.
Asbury, whose conviction was based on fingerprint evidence processed
by SCRO, was also released from prison after having served three
and a half years of his life term, and in 2002 his sentence was
quashed.
This could be blamed on problems with this agency, or the difference
between a scene-of-crime print (which, obviously, is not taken in
ideal conditions) and those used in an identity check. But the cases
do show that fingerprints are fallible. "A single finger has
a quite noticeable 1 in 100 to 1 in 1,000 equal error rate,"
says Dr Kuhn: the equal error rate refers to the failure rate if
the sensitivity of the equipment is adjusted so that false positives
equal false negatives. (One of the two will normally be preferable:
banks may prefer false negatives, as they may be happier to write
off a few wrongly-authorised transactions than annoy customers and
lose retailers sales by falsely rejecting them; whereas failing
to give an employee immediate access to a nuclear power plant is
better than letting in someone who should be denied). "If you
want to use them with large databases, you will need to use several
fingerprints to get the necessary entropy," Dr Kuhn adds.
Fingerprints have the advantage of cheapness: Graham Titterington
says scanners can start at $20, and are appearing in hardware such
as laptops. However, there is a drawback: "Most of them store
data about the image, rather than the image," he says.
A computerised check will compare the co-ordinates of key points
in a fingerprint, such as where ridges bifurcate, to establish a
match. However, for a stronger manual check (such as those used
by police forces), an image of the fingerprint is needed.
An image can help in spotting casts of fingerprints, which have
been able to fool recognition systems by displaying the same bifurcation
points, and with matching scene-of-crime prints, which are usually
incomplete. Other methods of checking for a real print include checking
for electrical current transmitted through perspiration: this could
catch both casts and the grisly alternative of dead, removed fingers.
Faces
We currently rely on the human eye and brain as a facial recognition
system for controlling checkpoints: although this does a decent
job one-to-one, it is not an option for swift one-to-many checks.
For a computer to perform such checks requires it to take a variety
of measurements of key points on the face.
But these computerised versions currently have a poor reputation:
"It's useless at the moment," says Graham Titterington,
for picking an individual from a crowd. The face is a three-dimensional
biometric, which can be disguised with items such as hats, facial
hair and glasses without attracting attention. Although a controlled
situation can remove most of these problems, there is also the extreme
option of plastic surgery.
"There are massive privacy implications if it ever works in
future, but for now it's [only suitable for] one-to-one," adds
Titterington. Unlike an iris or a fingerprint, someone walking around
London can expect to have a record of this particular biometric
recorded several hundred times a day.
Other options
Hand geometry presents an alternative to fingerprints, although
it is not currently widely used. It could be useful for those unable
to give fingerprints, such as manual workers whose prints can get
worn away temporarily, ethnic groups with weaker prints, or even
for workers with dirty hands.
Another possibility comes from voice recognition. "A few years
ago, I expected voice recognition to do well, but it hasn't made
progress," says Titterington. It would be cheap to deploy —
with the prevalence of microphones and mobile phones, the hardware
is already in place — but is not currently seen as reliable.
The big drawback
There is a final problem with all biometric measurements: if yours
are compromised, they are compromised for life. "If you don't
have live tissue verification, [such as for] unsupervised sensors
for building access control, your biometric becomes a password,
something to keep secret," says Dr Kuhn. "That I find
a worry."
Making sure that a biometric is indeed a measure of a live, willing
human body may mean forgoing remote usage. The only certain application
looks to be supervised checks, with operators trained to spot the
likes of rubber fingerprints and iris-replacing contact lenses.
In these applications, a biometric could be an excellent but expensive
identity check. If it is used more widely, stealing someone's biometrics
could become very worthwhile indeed.
Copyright ©SA Mathieson 2004. SA Mathieson writes about
IT for titles including the Guardian and Health Service Journal.