Biometrics

Also see Biometric passport

I highly recommend you read Wikipedia: Biometrics first, as it covers the subject well.

Executive Summary

Background

The fingerprint and footprint are the two oldest forms of Biometric Authentication (BA).

Problems and Concerns

Accuracy

Like alarm systems, most biometric systems have a trade-off between false accept and false reject rates, often referred to in the banking industry as the fraud and insult rates, and in the biometric literature as type 1 and type 2 errors. Many systems can be tuned to favor one over the other. U.K. banks set a target for biometrics of a fraud rate of 1% and an insult rate of 0.01%, which is beyond the current state of the art. In general, biometric mechanisms tend to be much more robust in attended operations, where they assist a guard rather than replacing him. The false alarm rate may then actually help by keeping the guard alert. [1]
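The tuning trade-off described above can be made concrete. The following is an added example, not part of the original page: it sweeps a match threshold over constructed score samples and checks the 1% fraud / 0.01% insult target. The Gaussian score model, its means and spread, and all function names are assumptions chosen for illustration.

```python
from statistics import NormalDist

# Constructed score model (an assumption, not data from any trial):
# impostor comparisons score around 0.30, genuine ones around 0.70.
IMPOSTOR_DIST = NormalDist(0.30, 0.10)
GENUINE_DIST = NormalDist(0.70, 0.10)

def quantile_sample(dist, n=10000):
    """Deterministic stand-in for n measured scores: evenly spaced quantiles."""
    return [dist.inv_cdf((i + 0.5) / n) for i in range(n)]

IMPOSTOR = quantile_sample(IMPOSTOR_DIST)
GENUINE = quantile_sample(GENUINE_DIST)

def rates(threshold, impostor=IMPOSTOR, genuine=GENUINE):
    """(fraud, insult) rates when a score >= threshold is accepted."""
    fraud = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    insult = sum(s < threshold for s in genuine) / len(genuine)    # false rejects
    return fraud, insult

def sweep(steps=100):
    """Operating points (threshold, fraud, insult) for thresholds 0.00..1.00."""
    return [(t / steps, *rates(t / steps)) for t in range(steps + 1)]

def tune_for_fraud(max_fraud, points):
    """Lowest threshold within the fraud target, i.e. the least insulting one."""
    return next(p for p in points if p[1] <= max_fraud)

def meets_targets(max_fraud, max_insult, points):
    """All operating points that satisfy both targets at once."""
    return [p for p in points if p[1] <= max_fraud and p[2] <= max_insult]

def required_separation(max_fraud, max_insult):
    """Gap between the two score means, in standard deviations, needed to hit
    both targets (equal-variance Gaussian assumption)."""
    z = NormalDist().inv_cdf
    return z(1 - max_fraud) + z(1 - max_insult)

if __name__ == "__main__":
    points = sweep()
    t, fraud, insult = tune_for_fraud(0.01, points)
    print(f"threshold {t:.2f}: fraud {fraud:.2%}, insult {insult:.2%}")
    print("points meeting 1% / 0.01%:", meets_targets(0.01, 0.0001, points))
    print(f"separation needed: {required_separation(0.01, 0.0001):.2f} sd, "
          f"model has {(GENUINE_DIST.mean - IMPOSTOR_DIST.mean) / GENUINE_DIST.stdev:.1f}")
```

Under this constructed model, tuning for a 1% fraud rate leaves an insult rate of several per cent, and no single threshold satisfies both targets; only better-separated score distributions would.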

Humans are very bad at recognising whether a person they do not know is the same as the person shown on their photo ID. Identity cards often include a photograph of the bearer in an attempt to prevent fraudulent use or impersonation. In the U.K. some credit card companies have recently introduced photo-credit cards and the government is currently considering the introduction of a new driving licence including the bearer's photograph. However, the widely held belief that the inclusion of photographs will reduce or prevent fraudulent use has rarely been tested. One study was designed to examine the utility of photo-credit cards by assessing the accuracy with which supermarket cashiers could identify whether the photographs on credit cards depicted the person tendering them. The results demonstrate that the task of matching the photograph to the shopper is much more difficult than might be expected, and that even under optimized conditions, performance is poor. It is concluded that the introduction of photographs on credit cards would have little effect on the detection of fraud at the point of sale. [2] In government trials of computer facial recognition for the ID card the success rates were 69 per cent, falling to 48 per cent for disabled participants. Changes in a participant's appearance also caused verification to fail. [3]

At present, biometric equipment sales are dominated by fingerprint readers. They are widely used overseas by welfare agencies, as they cut claims dramatically. This is partly because they make impersonation more difficult, but there is also a strong placebo effect. Many people are scared off claiming welfare benefits when they have to undergo regular fingerprint scanning in order to claim. This includes some people who have legal claims to benefit, as well as some who do not. [4] In government trials for the ID card, participants achieved successful verification on just 81 per cent of occasions, and 80 per cent for disabled participants. [5]

In government trials for the ID card, iris recognition achieved a 96 per cent success rate. Asian and white participants had higher success rates than black participants. [6]

Identity Theft

Many problems with biometric authentication relate to the lack of adequate safeguards for the personal information gathered about individuals, not to the concept of BA itself. If a thief steals your credit card number it is a problem, but you can cancel your old card and get a new one. If a thief can obtain your biometric data and use it, you are in a lot of trouble.

As it proves reasonably simple to obtain the biometric data of an individual, the problem comes with producing a system that is very hard to fool.

Data Protection

Biometric authentication shares the standard problem of all authentication techniques: storing the data securely and preventing modification and interception of communication to and from the data store.

Sharing of Data

In a written answer to Parliament, Joan Ryan MP, Parliamentary Under-Secretary, Home Office, has stated that:

The Home Office does share biometric information with foreign agencies on a case by case basis where this is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders or for immigration purposes, and this includes:
  • immigration and law enforcement agencies within the 26 member states of the EU;
  • Australian, Canadian and US authorities;
  • any other foreign government where it is necessary to secure the removal of a foreign individual.
The Home Office shares fingerprints with European member states through EuroDac, the European Asylum Fingerprint system.

Surveillance

There is a possible civil liberty concern with certain types of BA as it could be used to track individuals continuously and automatically, for example through video cameras.

Examples of Use

Links

Organisations

UK Biometrics Working Group, run by CESG/GCHQ experts and the Office of the e-Envoy, advises the UK Government on Biometrics issues feasibility.

Documents

News

2009-08-14 - The Register - Collar the lot of us! The biometric delusion
Author: David Moss
Summary: ... Dr Tony Mansfield and Mr Marek Rejman-Greene, for example, opened their February 2003 report to the Home Office by saying the exact opposite: "Biometric methods do not offer 100% certainty of authentication of individuals" ... Faced with revolution, the government would have to abandon the NIS. Logic, maths, science, a basic understanding of technology, businesslike common sense, an adult sense of responsibility and simple truth-telling all suggest that the NIS should have been abandoned on the day the biometrics enrolment trial report was published
2009-03-12 - The Guardian - Government announces 'results' of voice analysis trial - but what do they mean?
Author: Charles Arthur
Summary: I've written about the "voice risk analysis" system being used by 25 local councils to "detect" benefit fraud, and on which the Department of Work and Pensions has spent at least £1.5m. The scientific basis for this system is hard to find. Two Swedish scientists who have investigated the underlying software suggest that its verifiability – that is, "is there a scientific basis for believing what this is telling you?" lies "at the astrology end of the [scientific] spectrum". Other tests by a different team of scientists suggest that on its own, the system's reliability – that is, "how often does it give the right answer?" - is about as good as flipping a coin (ie 50%, or chance).
2009-03-12 - The Guardian - The truth is on the line
Author: Charles Arthur
Summary: A voice analysis system is heralded as the answer to millions lost through fraud - yet two academics claim it is about as valid as astrology. They say the system, used to try to detect people lying in phone calls made to 25 UK councils and a number of car insurers, is no more reliable than flipping a coin - and that millions of pounds have been spent on a technology that has not been validated scientifically, and for which the claims about its function are "at the astrology end of the validity spectrum".
2008-11-29 - Biometrics in schools - Biometric systems 100% safe?
Author: Pippa King
Summary: As far as BECTA carrying out rigorous research on biometric systems in schools - they simply haven't. Their advice given July 2007 was given with no research into these systems whatsoever, I know that as a fact as the Freedom of Information Act was used to see what research they had done - zilch. So for all you Head Teachers out there thinking that BECTA know about these systems, think again.
2008-10-27 - The Register - No2ID shakes fist at plod print scanner plan
Author: John Oates
Summary: Privacy group No2ID is calling for legal protections before the introduction of mobile fingerprint scanners next year. As we reported in May the National Policing Improvement Agency handed over £50m for mobile devices to police forces. These will allow officers to check fingerprints against the Police National Computer. ... No2ID quoted figures from a 2004 Passport Service pilot which showed 19-20 per cent of people could not be matched to fingerprints entered minutes before and that 4 per cent could not be enrolled at all.
2008-10-06 - The Register - UK border facial scan tests hit by errors and breakdowns
Author: John Lettice
Summary: A trial of automated border control using facial scanners is already in trouble, according to UK Border Agency (UKBA) sources. The scanners at Manchester airport, said one source, are breaking down on almost a daily basis, and the automatic booths are unable to detect 'tailgating', where two people go through on one passport.
2008-10-04 - The Telegraph - Security fear over airport face scanners
Author: David Barrett
Summary: ... machines replace human immigration officers, by measuring unique details about the traveller's face as they pass through, and comparing those measurements with details stored on a microchip within the new British "ePassports". Foreign travellers, and those without the new style passport, are directed through the normal immigration control procedures. But the revelation has raised questions about whether they could sneak through the new machines, behind other passengers. The source added: "This is a massive loophole and a serious problem for security. It should certainly sound an alarm if there are two people trying to come through at the same time. It could lead to widespread immigration abuse and compromise the efficiency of immigration control. One particular concern is that it could be exploited by child traffickers, because it won't pick up if you have a child on your back." The source said there were malfunctions taking place almost daily in the pilot project, which is thought to have cost the taxpayer several hundred thousand pounds.
2008-09-29 - ZDNet - ID-cards scheme will 'drown' in mismatches
Author: Nick Heath
Summary: The government has underestimated the probable failure rate of the ID-card scheme, according to a biometrics expert who reviewed the system. ... academic John Daugman, a former member of the Biometrics Assurance Group (BAG), which reviewed the scheme, said its reliance on fingerprints and facial photos to verify a person's identity will cause the system to collapse under the weight of mismatched identifications. ... "The use of fingerprints will cause deduplication to drown in false matches."
2008-09-11 - Kable - Boycott biometrics, union tells council staff
Summary: A union has told members at Westminster City Council to refuse to use biometric devices for clocking on and off, due to concerns over consultation and privacy. ... "Our objections are two fold," assistant branch secretary Stephen Higgins told GC News. "Westminster hasn't consulted with the union before installing, although it intends to consult. Secondly, members are not confident that Westminster can hold their data securely and will not share their data with others such as the Metropolitan Police."
2008-07-11 - The Register - ID scheme undermined by poor-quality fingerprints
Author: Tom Espiner
Summary: The National Identity Scheme could be undermined by the quality of fingerprints from people aged 75 and over, according to an official report. The Biometrics Assurance Group (BAG), a group of independent experts which reviews biometrics implementation across government, brought out an annual report at the end of June. The report was extremely critical of many aspects of the government's biometrics plans, especially those around the National Identity Scheme (NIS).
2008-06-20 - Kable - Fingerprints may fail elderly, warn experts
Summary: A government expert group has warned of a 'large impact' on the National Identity Scheme from those who cannot use fingerprinting, such as many elderly people. The Biometrics Assurance Group (BAG), in its annual report for 2007, recommends more funding for the handling of people who cannot provide usable biometrics. The report describes the more than 4m people over the age of 75 in Britain as "a group for which it is hard to obtain good quality fingerprints".
2008-06-18 - Biometrics Assurance Group - Annual Report
Summary: The Biometrics Assurance Group (BAG) provides a degree of oversight and review of the biometric elements of Government programmes to offer advice and additional assurance that they are making effective use of the technology. ... BAG recommended that proper attention be paid to the privacy/consent issue across the National Identity Scheme, BAG considered that the issue was not fully addressed by the publication of the Strategic Action Plan and that the public needed to be better informed over this, and that a consent diagram should be built into the architecture. BAG recommended that Iris should be included in the testing for the following reasons: The potential for iris biometric technology to mature and become more useful. As a fall back for those unable to enrol fingerprint biometrics. ...
2008-06-17 - Kable - ICO to review surveillance annually
Summary: The prime minister has defended identity cards, biometrics and CCTV, but has agreed that the information commissioner will write an annual review of government surveillance for Parliament. Gordon Brown accepted the proposal, made by the Home Affairs Select Committee in its recent report A Surveillance Society?, in a speech on 17 June 2008 to the Institute of Public Policy Research's Security Commission.
2007-11-29 - New Statesman - It could happen again
Author: Becky Hogge
Summary: Biometrics are definitely not the answer to the HMRC debacle. For technologists, the most chilling development since HMRC's data debacle has been ministers' attempts to use it as an excuse to push for the roll-out of biometrics as a means to "secure" identity. The logic, one imagines, is that spoofing someone's fingerprints is much harder than typing a stolen National Insurance number into a computer. But the facts tell a different story. As biometric experts wrote to the Commons joint committee on human rights on 26 November, the government holds "a fairy-tale view of the capabilities of [biometric] technology". ... So how do you design a system that is safe from insider breach? Well, if you want to aggregate data about the population centrally, then the short answer is, "You don't." As Professor Ross Anderson, the UK's leading computer security expert, explained on BBC2's Newsnight: "If you take 50 million medical records and make them available to 300,000 people there's no way you can create procedures that will protect that. It's too valuable an asset to which too many people have access."
2007-11-26 - Daily Mail - Lost disc fiasco could scupper ID card scheme
Author: James Slack
Summary: Leading academics have rounded on the Government's "fairytale view" of the technology needed to make the scheme work on its introduction in 2009. In a letter to MPs, Professor Ross Anderson and Dr Richard Clayton warned lives would be ruined if information from the ID database went missing. The Cambridge computer experts said that if iris or fingerprint scans fell into the wrong hands the victim would suffer a lifetime of fraud. Unlike with bank accounts, the individual would have no way of changing their details. Ministers claim the biometric data will protect against fraud, crime and terrorism.
2007-11-24 - The Guardian - Now for ID cards - and the biometric blues
Author: Ben Goldacre
Summary: Tsutomu Matsumoto is a Japanese mathematician, a cryptographer who works on security, and he decided to see if he could fool the machines which identify you by your fingerprint. This home science project costs about £20. Take a finger and make a cast with the moulding plastic sold in hobby shops. Then pour some liquid gelatin (ordinary food gelatin) into that mould and let it harden. Stick this over your finger pad: it fools fingerprint detectors about 80% of the time. The joy is, once you've fooled the machine, your fake fingerprint is made of the same stuff as fruit pastilles, so you can simply eat the evidence.
2007-11-23 - Silicon - Can biometrics secure the public's data?
Author: Paul Bentham
Summary: With the furore over 25 million missing child benefit records, the public sector's use of personal data has never been under greater scrutiny. Biometrics may be hailed as the ultimate security measure - but the technology is not without hazards. ... If an individual's biometric information is compromised or stolen, that individual could no longer use those biometrics to prove his or her identity. Therefore, unless stringent security measures are put in place, the digital storage of biometric data could present a real security risk for facilitating identity theft. The use of biometric systems must comply with the European Convention on Human Rights and the Data Protection Directive. The relevant legislation in the UK is the Human Rights Act and the Data Protection Act (DPA). Under the Human Rights Act each of us is entitled to respect in our private life, including our life at the workplace. Under the DPA personal data is required to be processed fairly and for specific limited purposes. Two key principles come into play. First, the principle of proportionality, which means the interference with the private life of the individual must be justifiable by the benefits. Second, the principle of transparency - which means it must be clear how and why information is being used and it must not be used beyond this without prior agreement.
2006 - Linux User & Developer - Oh, what big eyes you have!
Author: Suw Charman
Summary: If someone steals my money, my bank gives me a refund. If they steal my PIN number, I get a new one. If someone steals my biometric data, who will give me my refund? Who will give me my new fingerprints?
2005-05-25 - ePolitix - Trial raises questions over biometric technology
Summary: The government has published the results of a major trial of its biometric technology, showing significant failure rates and particular problems for disabled people in registering their identity. And there are also doubts over the accuracy of the scheme, with figures showing that even the most effective technology failed to match a person to their recorded identities in four per cent of cases.