Biometric Security - basically Security Theater
Biometric identification systems are all the rage - heck, they've been the rage for years now. The problem, of course, is what biometric signs to use for identification.
Fingerprints?
D.H. Kaye showed in 2003 that the statistical evidence showing that fingerprints are unique is not at all conclusive
As HackLaw puts it
It gets worse
Mind you, juries tend to like "scientific" evidence, and they might say "the fingerprints matched", but the automatic rebuttal is to point out that any number of people's prints might have matched!
Handprint Scanning
Its exactly the same as Fingerprints above. The value is in that if you can pre-restrict the set of people who are having their handprints scanned, then handprints are - quite possibly - a very good way of discriminating amongst people.
Think - you claim to be Bob, not Alice, and the handprint matches Bob's handprint, as does your ID, so you're good.
As compared to - I have no idea who you are, but your handprint matches Charlie's so you must be Charlie.
Iris Scans
Turns out this is even worse! From a fpaper by a few folks at Notre Dame, we have the news that Retinal Scans actually change over time.
The bottom line? Retinal scans are not dispositive, and if they are not updated frequently, are pretty much useless for both uniqueness (think "Fingerprints" above) and discrimination (think "Handprint scanning" above)
So yeah, the next time you see any kind of biometric identification going on (and in particular, being used for uniqueness or discrimination), think Security Theater, and keep on trucking....
D.H. Kaye showed in 2003 that the statistical evidence showing that fingerprints are unique is not at all conclusive
As HackLaw puts it
But, it turns out that there is no publicly available database of this evidence (really!)No court has ever challenged the expert-ness of an expert witness who purported to be an expert on fingerprints.Why not?To be an expert in something, there has to be a body of knowledge for you to know about.Where is the body of knowledge about fingerprints? They swirl around, we know that much right?
It gets worse
Fingerprint evidence is difficult to deal with in trial because the examiner offers his or her "opinion" as if it were indisputable fact. In truth, the examiner identifies a number of points of comparison and then, if similar to the known sample (for example, from our client), declares that the prints "match." He or she may use fewer than 7 points of comparison in many jurisdictions and still declare the "match.Which, when you really get down to it, is what reviews around the world have pretty much determined viz., that fingerprints are a good test, but are not (not!) a provably exact test, which basically means that you can't have the CSI investigator say "His fingerprint was on the gun! I have a match! He done it!".
Mind you, juries tend to like "scientific" evidence, and they might say "the fingerprints matched", but the automatic rebuttal is to point out that any number of people's prints might have matched!
Handprint Scanning
Its exactly the same as Fingerprints above. The value is in that if you can pre-restrict the set of people who are having their handprints scanned, then handprints are - quite possibly - a very good way of discriminating amongst people.
Think - you claim to be Bob, not Alice, and the handprint matches Bob's handprint, as does your ID, so you're good.
As compared to - I have no idea who you are, but your handprint matches Charlie's so you must be Charlie.
Iris Scans
The study used commercial iris-matching software to compare 20,000 images of 644 irises, using iris pictures that were taken anywhere from one month to three years apart.When the researchers compared the photos that were taken one month apart, they found few instances of the system failing to match two irises from the same person. As the length of time between the photos increased, however, the rate of false mismatches increased: when iris photos taken three years apart were compared, the false non-match rate was 153 percent higher than for photos taken a month apart. In practical terms, this still means that only about 2.5 iris scans in 2 million will be incorrectly matched after three years. As time goes by, however, the effect will be compounded, co-author Kevin Bowyer says, potentially locking some people out of systems or letting other fool security checkpoints. This means that at the very least, images should be updated every few years, and future pattern recognition systems may need to account for changing irises as well as different lighting conditions and other factors.
The bottom line? Retinal scans are not dispositive, and if they are not updated frequently, are pretty much useless for both uniqueness (think "Fingerprints" above) and discrimination (think "Handprint scanning" above)
So yeah, the next time you see any kind of biometric identification going on (and in particular, being used for uniqueness or discrimination), think Security Theater, and keep on trucking....
Comments