Two years ago, OUT-LAW ran a story about the vulnerability of
biometric products. Last month, we ran a report by a volunteer for
the UK's trial of a biometric passport scheme. Today we present an
article that was contributed to OUT-LAW by Russ Davis of ISL
Biometrics, arguing against some of the criticisms faced by the
technology.
Myth 1: It's new
technology
The first myth that needs to be dispelled is that biometrics is
a modern-day idea. Despite its high-tech glitzy image, the
principles behind the technology can actually be traced right back
to Egyptian times, when workers building the great pyramids were
not only identified by their name, but also their physical size,
face shape, complexion and other noticeable features, such as
scars.
It may have taken the next four-and-a-half thousand years to
really get going (see A brief history of biometrics,
below), but the technology is now experiencing a "hockey stick"
adoption curve with governments, hospitals, schools, airports,
retail outlets and modern offices all successfully using this
remarkably straightforward empowering technology.
The problem with such a rapidly emerging industry is that many
people are elevated to the position of "expert", almost overnight.
This can be a particularly dangerous situation – especially when
the expert used to be the company salesman or marketing
executive.
This scenario has led to some of the industry's best
technological fallacies, which can either be put down to pure
ignorance, or worse, the stirring up of malicious rumours in order
to gain competitive advantage.
Myth 2: Lasers in your
eyes
Myth number two is that iris recognition devices use lasers to
scan your eyes. This damaging rumour is completely without
substance, although the confusion is understandable given that the
first company to produce such a system called itself IrisScan (now
renamed as Iridian Technologies).
In fact an iris recognition camera takes a black and white
picture from up to 24 inches away and uses non-invasive,
near-infrared illumination (similar to a TV remote control) that is
barely visible and very safe.
Myth 3: Stolen body parts trick the
system
This is also a classic, and has been seized upon by many a
Hollywood director, who are not known for letting the true facts
cloud a good storyline.
With most biometric devices there is an element of 'liveness'
detection, which can measure many variables, from a finger pulse to
a pupil response. This would normally be enough to prevent the
system from working once the body part had been removed.
However, other factors quickly come into play. For example, an
extracted (or enucleated) eyeball quickly begins to decompose, with
the cornea clouding over and obscuring the iris. A severed finger
also dies rapidly – typically becoming useless after around 10
minutes.
Myth 4: Children and Asian women go
undetected
Fingerprint technology also gives us number four on the list of
myths. This relates to the inability of the technology to enrol or
verify the identity of children, or women of Asian descent. This
myth is relatively new, because until a few years ago it was a
reasonable criticism of the technology, given the challenge of
acquiring small fingers with "faint" fingerprints.
However, recent advances in imaging have led to far greater
resolutions being achieved by fingerprint sensors, so boosting a
biometric system's ability to extract the pertinent information
required to create a biometric template of that person.
Children, in particular, seem to hold no fear of the technology,
believing it to be "cool". It may be surprising to learn that at
least 1,300 primary schools in the UK are using fingerprint
technology to replace old-fashioned password-based systems in their
libraries. The interesting spin off benefit here is that so many
children want to use the technology that the number of books taken
out increases dramatically.
Myth 5: You'll get
arrested
Number five on the list relates to the belief that fingerprint
information captured by a commercial fingerprint system could
somehow be used in a criminal investigation. This myth stems from a
misunderstanding of how a biometric system typically works in a
commercial environment.
Almost none of the available commercial fingerprint-based
systems store the entire image of a fingerprint. Rather they
extract information from that fingerprint to create a mathematical
representation or template. This template, which is often
encrypted, is designed so that it cannot be reverse engineered to
reconstruct the original fingerprint image, so is useless
information to the police, or indeed a hacker.
The feeding of identical template data to a fingerprint system's
matching engine by a hacker will normally fail, as this is almost a
sure indication that the data has been stolen and that a replay
attack is underway.
In a non-commercial biometric system, such as the recently
announced US-VISIT system, which is being installed to monitor the
comings and goings of foreign nationals in the USA, the situation
is different, with full fingerprint and facial images being
acquired and stored. This information can and has led to the arrest
of more than 500 people since January 2004.
Myth 6: The silver
bullet
So often biometrics are touted as the silver bullet that will
rid the world of evil. Again this is to over-estimate and
misunderstand the abilities of biometric technology.
For instance, contrary to common belief, biometric systems are
not able to confirm with any level of certainty the true identity
of a person. Rather, they are able to confirm whether this is the
same person that initially enrolled into the system.
The person's true identity is irrelevant to the biometric
system. Confirming a person's true identity is far more a question
of checking the validity of an individual's official identification
documents, such as birth certificates or driving licences.
Biometric technologies are also unable to perform miracles. If a
government doesn't have a quality photograph of a known terrorist
suspect, then the chances of stopping that person at a checkpoint
using facial recognition are slim.
All that said, biometrics can play a valuable assisting role in
the fight against organised crime and terrorism, but it must be
part of a holistic approach, which uses many different strands of
information.
From myth to
reality
While there are many other myths plaguing the biometric
industry, the good news is that the technology has been able to
rise above them to claim its place at the security top table. The
benefits of the technology have just been too attractive to let
unfounded myths get in the way.
Some of today's best biometric systems are saving organisations
time and money, while helping to raise the security bar to new
heights. For example, "door-to-desktop" systems are now appearing,
which merge an organisation's physical access control system at the
front desk with its network of computer terminals around the
building. This enables an employee to replace cumbersome tokens and
passwords with their fingerprint, turning the premises into a truly
smart environment.
In the past, pundits have talked about mainstream biometric
adoption being years away. Today, with smart passports just around
the corner, and adoption rapidly increasing in places such as
hospitals, schools and airports, new estimates are being measured
in months. The myth that biometrics will never become a mainstream
technology is truly being smashed.
A brief history of
biometrics
Biometrics go back a lot further than their futuristic image
might suggest. Even the architects of the Great Pyramids in Egypt
recognized the benefits of identifying their labourers using
previously noted bodily characteristics.
The Egyptians were clearly ahead of their time, as very little
development in the field of biometrics occurred for around four
thousand years. It was only in the late 1800s that people started
to develop systems that used the fingerprint and other bodily
characteristics in order to identify individuals.
In 1880, for example, Henry Faulds, a Scottish doctor living in
Japan, published his thoughts on the variety and uniqueness of
fingerprints, suggesting that they could be used for the
identification of criminals. Meanwhile, in 1900, the important
Galton-Henry system of classifying fingerprints was published.
Other than a few isolated pieces of research into the uniqueness
of the retina (which was finally turned into a workable product in
1985), the biometric industry remained fairly static until the
1960s, when the Miller brothers in New Jersey, USA, launched a
device that automatically measured the length of people's fingers.
Speaker verification and signature verification were also developed
in the 1960s and 70s.
Interest from the US armed forces and intelligence agencies then
emerged, but it wasn't until the turn of the century, and in
particular until after 9/11, that the awareness of biometrics broke
out of specialised industry circles to reach the fever pitch levels
seen today.
Russ Davis is CEO of Worcestershire, England-based ISL
Biometrics, a designer and manufacturer of biometric security
middleware and software appliqués.
