Prepare to be scanned - Article continued Dec 4th 2003 From The Economist I am whoever I say I am? The claim that biometrics are not ready for widespread application may seem puzzling, given the advances in computer technology. To understand the reservations of the experts, it is necessary to take a closer look at how biometrics work. Biometrics can be used in two ways. The first is identification (“who is this person?”), in which a subject's identity is determined by comparing a measured biometric against a database of stored records—a one-to-many comparison. The second is verification (“is this person who he claims to be?”), which involves a one-to-one comparison between a measured biometric and one known to come from a particular person. All biometrics can be used for verification, but different kinds of biometric vary in the extent to which they can be used for identification. They also vary in cost, complexity and intrusiveness. So which biometrics have been chosen for the new passports, visas and identity cards, and why? The oldest biometric is the one we use most frequently—a person's face. But while recognising faces is something that people can do easily, computers find it very difficult. Most computerised face-recognition systems work by building a template based on 30 or so “markers”—the positions of the edges of the eyes, the cheekbones, the base of the nose, and so on. These markers are chosen so that they are unaffected by expression or the presence of facial hair. Matching faces is then a matter of matching the templates. “Biometrics still do not work well enough for many applications in which they are being deployed” However, the results of an American government test released in March cast doubt on the accuracy of face-recognition systems. The test, called the Face Recognition Vendor Test, used systems from ten leading firms and a database of 121,589 images of 37,437 people. None of the systems worked well in a formal identification mode when shown a face and asked to identify the subject; nor did they work well when trying to recognise a face surreptitiously. However, three of the systems could be used for verifying identity in a controlled environment, such as the booths used to take passport photos. Joseph Atick of Identix, a biometrics vendor based in Minnetonka, Minnesota that took part in the test, insists that the deployment of his company's system by customers such as the state of Colorado, which is using it to try to prevent individuals from obtaining multiple driving licences, attests to the viability of facial biometrics. But Joel Lisker, a biometrics consultant who has worked extensively with America's Transportation Security Administration (TSA), says face-recognition systems have yet to prove themselves. In the TSA's own tests, not a single wanted person was spotted. A hands-on approach The first biometric technology to become widely used was hand geometry. It involves scanning the shape, size and other characteristics (such as finger length) of some or all of the hand. Users are required to make some claim about who they are—by swiping a card, for example—before a scan. The biometric template of the person they claim to be (in some cases, stored on the card itself) is then compared with the scan. Because it relies on comparatively simple sensors, hand geometry does not require the fancy technology that underpins other biometric systems, which gave it a head start. Bill Spence of Recognition Systems, a biometrics company based in Campbell, California, says San Francisco's international airport has used hand-geometry systems to control employee access since 1993. Another system, at Ben Gurion airport in Israel, uses hand geometry to allow trusted passengers to pass security control. A similar system deployed in America, called INSPASS, allows frequent travellers to the United States to skip immigration queues at several large airports. Hand-geometry systems are already used to control access and verify identities at many airports, offices, factories, schools, hospitals, nuclear-power plants and high-security government buildings. They are also used in “time and attendance” systems, in which shift workers clock on and off using their handprints—preventing time-card fraud through “buddy punching”. One benefit of hand geometry is that unlike fingerprint scanning, it is not stigmatised by an association with law enforcement. However, hand geometry has a key problem: people's hands do not differ enough for it to be used as an identification system. As a result, says Dr Atick, hand geometry's market share is plunging. The technology which is perhaps most responsible for the decline in hand geometry is finger scanning. Ink-based fingerprints have been in use for over a century, but in recent years they have gone digital. Modern electronic systems distil the arches, loops and whorls of conventional fingerprints into a numerical code. This can be compared with a database in seconds and with an extraordinary degree of accuracy. Identix, which sells such a system, was recently selected by America's Department of Homeland Security to provide fingerprint scanners at Citizenship and Immigration Services offices across the country. The remarkable success of fingerprints as a forensic tool for law-enforcement agencies has come about because these agencies take fingerprints very meticulously. All ten fingers are used, and each finger must be rolled back and forth, to get “nail-to-nail coverage”. Such thoroughness is appropriate in a police station, however, but not in an airport. Another problem is that around 5% of people do not have readable fingerprints, either because their fingerprints are genetically indistinct or because years of manual labour have worn them down. And while the technology is now relatively cheap—basic digital fingerprint readers cost less than $100—it is not foolproof. Some fingerprint scanners can be spoofed with nothing more than a breath of hot air, which reactivates latent prints left on the scanner. And Tsutomu Matsumoto, a researcher at Yokohama National University, was able to fool fingerprint scanners around 80% of the time using fingers made of moulded gelatin. An eye for an eye Another option is to scan the eye. Such systems date back to the 1970s, when the retina, the surface of the back of the eye, was considered the useful bit, mostly because medical techniques for probing it had been developed. The iris, the coloured part surrounding the pupil, had been less thoroughly investigated. However, almost all experts now agree that the iris makes a better biometric than the retina, because it can be more easily examined. The use of cameras to measure the fibres, furrows and freckles in the iris is familiar from numerous spy films, with good reason: iris scanning is generally deemed to be the most reliable biometric. According to Peter Higgins, a biometrics consultant, the most widespread use of iris biometrics to date has been in Afghanistan, where the United Nations High Commissioner for Refugees (UNHCR) is using iris scans to attempt to prevent refugees from collecting benefits more than once. Though the system has logged over 7m transactions, Mr Higgins points out that, because it is impossible to collect meaningful statistics in such an uncontrolled environment, no one has any idea how well the system has performed. Smaller-scale tests of other state-of-the-art iris systems, described in a GAO report, indicate that the rate of false non-matches can be as a high as 6%. This would mean that one in 20 attempts to claim benefits twice would be successful. Given the paltry sums being given to each refugee, it is not clear that the cost of deploying this anti-fraud system was justified. However, the UNHCR points out that it may have had a useful deterrent effect. Other biometrics include voice recognition, which is cheap, but not terribly reliable; gait recognition, which attempts to recognise people from the way they walk; dynamic signature-recognition, based on analysis of the shape of a signature and the way the pen moves while it is being written; and thermal imaging, which seeks to identify people by the pattern of heat which their bodies emit. But none of these technologies is taken seriously enough for use in a passport. Given all the limitations of individual biometrics, the best way forward in the long run, according to a forthcoming paper by Anil Jain, a biometrics expert at Michigan State University, will be the use of “multibiometric” systems. These combine several different biometrics in a single security system with almost universal coverage. For even if someone's fingerprints cannot be read, it is likely that his irises can be, and vice versa. Furthermore, Dr Jain points out that combining several different systems can lead to substantial improvements in error rates. And the winner is... So it is only logical to expect biometric passports and visas to take a multibiometric approach. America has decided on a combination of finger scanning and face recognition, and Europe seems to be leaning towards the same combination. Oman and the United Arab Emirates will issue biometric identity cards based on finger-scanning technology, to which Britain plans to add iris scans. All of these plans accord with the recommendation of the International Civil Aviation Organisation, which recently proposed that finger scanning should be adopted as an international standard, chiefly because fingerprint readers are much cheaper than iris scanners. However, America is also adopting face recognition because, say officials, they do not have the fingerprints of many terrorists, but they do have pictures. While this sounds like a logical explanation, Mr Higgins notes that, given the high error rates of facial-recognition systems, in relying on such a system, “you would really be exposing yourself.” The other critical choice, driven by the limitations of biometric technology, is that these biometrics will be used for verification, not identification. That is because identification is simply not feasible with databases containing millions of users. There are two key measures of how good a biometric system is: the false match rate, and the false non-match rate. These two can be balanced against each other. Tune the system to be tolerant, so that everything matches, and you have a false non-match rate of zero, but a very high false match rate; conversely, in a system that is so strict that it allows no matches, the false match rate is zero, but the false non-match rate is 100%. In an identification system, particularly one that has to search a large database of millions of templates, the task is much harder. Even a false match rate of one in 10,000 would produce thousands of false matches. And if you are trying to spot members of a small group of known terrorists, even the best of today's biometric systems produce hundreds of false matches for every correct match with a terrorist. The result is that the system is flooded with false alarms, which are routinely ignored, providing almost no additional security. As a result, the new border-control systems now being implemented at American border posts are merely verification systems. Now for the catch The trouble is, it is not clear that these identity-verification systems are worth the cost and trouble of introducing them. All 19 of the September 11th hijackers entered the United States using valid visas, on their own passports, for example. Verifying their identities using biometric visas would have made no difference. Worse, spending the billions of dollars that the GAO estimates will be necessary to implement biometric systems at border-crossing points—$1.4 billion to $2.9 billion initially, and $700m to $1.5 billion annually thereafter—may mean there is less to spend on other areas of security. America has long land-borders with Canada and Mexico, and tens of thousands of miles of coastline. Using biometrics at airports does little to reduce the level of illegal immigration, since most such entries do not occur at airports, but over the far more porous land and sea borders. The new system will, however, be ideally suited for spotting tourists or students who overstay on their visas, but that is a trivial issue. The cost of the new system will not just be financial. All visas will now have to be issued face to face, so that scanning can take place. This will put a huge administrative load on America's consulates around the world, which currently issue two-fifths of visas by post. Given the limitations of current biometric technology, the Big Brotherish concerns raised by privacy advocates are largely misplaced, at least for the time being. Other technologies, such as internet wiretapping and the ability to track the location of mobile phones, will arguably make much more substantial encroachments on privacy over the next few years. However, in the long term, biometrics, by their very nature, will compromise privacy in a deep and thorough fashion. If and when face-recognition technology improves to the point where surreptitious cameras can routinely recognise individuals, privacy, as it has existed in the public sphere, will in effect be wiped out. No doubt there will be some benefits: fraud, in particular the persistent and increasingly annoying problem of identity theft, might be substantially reduced if biometric-identification systems, introduced in the form of passports, visas and identity cards, become widespread. But privacy advocates argue that such benefits are not worth the risk of “function creep”—that once biometric passes have been issued by governments, it will be tempting to use them for all sorts of things, from buspasses to logging on to your office PC. Spurred by the misplaced enthusiasm of governments around the world, biometrics seem headed for dramatic growth in the next few years. But calm, public discussion of their benefits and drawbacks has been lamentably lacking. Such discussion is necessary both to prevent the waste of public money in the short term—for the most part, the private sector has been wiser in its adoption of biometrics—but also to regulate what will eventually have the potential to become a powerful mechanism for social control. |