Biometric Security - basically Security Theater

Biometric identification systems are all the rage - heck, they've been the rage for years now.  The problem, of course, is what biometric signs to use for identification.

Fingerprints?
D.H. Kaye showed in 2003 that the statistical evidence showing that fingerprints are unique is not at all conclusive.
As HackLaw puts it:
No court has ever challenged the expert-ness of an expert witness who purported to be an expert on fingerprints.
Why not?
To be an expert in something, there has to be a body of knowledge for you to know about. Where is the body of knowledge about fingerprints? They swirl around, we know that much right?
But, it turns out that there is no publicly available database of this evidence (really!)
It gets worse
Fingerprint evidence is difficult to deal with in trial because the examiner offers his or her "opinion" as if it were indisputable fact. In truth, the examiner identifies a number of points of comparison and then, if similar to the known sample (for example, from our client), declares that the prints "match." He or she may use fewer than 7 points of comparison in many jurisdictions and still declare the "match."
Which, when you really get down to it, is what reviews around the world have pretty much determined viz., that fingerprints are a good test, but are not (not!) a provably exact test, which basically means that you can't have the CSI investigator say "His fingerprint was on the gun! I have a match! He done it!".
Mind you, juries tend to like "scientific" evidence, and they might say "the fingerprints matched", but the automatic rebuttal is to point out that any number of people's prints might have matched!

Handprint Scanning
It's exactly the same as Fingerprints above. The value is that if you can pre-restrict the set of people who are having their handprints scanned, then handprints are - quite possibly - a very good way of discriminating amongst people.
Think - you claim to be Bob, not Alice, and the handprint matches Bob's handprint, as does your ID, so you're good. 
As compared to - I have no idea who you are, but your handprint matches Charlie's so you must be Charlie.
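
The handprint argument above is the difference between 1:1 verification and 1:N identification. As an added illustration (not part of the original post), this Python sketch uses a constructed toy matcher with normally distributed scores and independent comparisons, both assumptions, to show how the false match chance grows with database size and what tightening the threshold costs in false non-matches.

```python
import math
from statistics import NormalDist

# Constructed toy matcher (assumption): similarity scores are normal.
IMPOSTOR = NormalDist(mu=0.0, sigma=1.0)  # two different people compared
GENUINE = NormalDist(mu=5.0, sigma=1.0)   # same person compared to own template

def fmr(threshold):
    """False match rate of one comparison (stranger scores above threshold)."""
    return 1.0 - IMPOSTOR.cdf(threshold)

def fnmr(threshold):
    """False non-match rate of one comparison (owner scores below threshold)."""
    return GENUINE.cdf(threshold)

def search_false_match(threshold, enrolled):
    """1:N search: chance a stranger matches at least one enrolled template,
    assuming independent comparisons. enrolled=1 is the 1:1 'I am Bob' case."""
    return -math.expm1(enrolled * math.log1p(-fmr(threshold)))

def threshold_for_search(target, enrolled):
    """Threshold that holds the 1:N false match chance at `target`."""
    per_comparison = -math.expm1(math.log1p(-target) / enrolled)
    return IMPOSTOR.inv_cdf(1.0 - per_comparison)

def report(threshold=3.0, sizes=(1, 1_000, 1_000_000)):
    """For each database size: the false match chance at the 1:1 threshold,
    the threshold needed to get back to the 1:1 rate, and the FNMR it costs."""
    base = fmr(threshold)
    rows = []
    for n in sizes:
        tightened = threshold_for_search(base, n)
        rows.append((n, search_false_match(threshold, n), tightened, fnmr(tightened)))
    return rows

if __name__ == "__main__":
    for n, p, t, miss in report():
        print(f"N={n:>9,}  P(false match)={p:.4f}  "
              f"compensating threshold={t:.2f}  FNMR there={miss:.4f}")
```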

Iris Scans


Turns out this is even worse! From a paper by a few folks at Notre Dame, we have the news that Retinal Scans actually change over time.
The study used commercial iris-matching software to compare 20,000 images of 644 irises, using iris pictures that were taken anywhere from one month to three years apart.
When the researchers compared the photos that were taken one month apart, they found few instances of the system failing to match two irises from the same person. As the length of time between the photos increased, however, the rate of false mismatches increased: when iris photos taken three years apart were compared, the false non-match rate was 153 percent higher than for photos taken a month apart. In practical terms, this still means that only about 2.5 iris scans in 2 million will be incorrectly matched after three years. As time goes by, however, the effect will be compounded, co-author Kevin Bowyer says, potentially locking some people out of systems or letting others fool security checkpoints. This means that at the very least, images should be updated every few years, and future pattern recognition systems may need to account for changing irises as well as different lighting conditions and other factors.

The bottom line? Retinal scans are not dispositive, and if they are not updated frequently, are pretty much useless for both uniqueness (think "Fingerprints" above) and discrimination (think "Handprint scanning" above).

So yeah, the next time you see any kind of biometric identification going on (and in particular, being used for uniqueness or discrimination), think Security Theater, and keep on trucking....
