PC World
Biometrics: From Reel to Real
May 18, 2005
By Dan Tynan
Are you who you say you are? Answering that question may soon involve more than
simply handing over your ID. You may also need to hand over part of your
personal biology by submitting to a biometric scan.
Voice, face, and eye scanners have been a staple of Hollywood
science fiction for years. Now they're rapidly becoming a part of everyday
life, as the spike in identity theft and fears over terrorism have created a
biometrics boom.
Today, facial recognition is used in airports to identify potential terrorists and at
casinos to finger card sharks. Schools use fingerprint and hand scanners to
restrict access to employees and students. Iris scanners help secure border
checkpoints and nuclear power plants, while banks are starting to use voice
prints to verify transactions made over the phone.
A company called Food Service Solutions sells fingerprint-scanning systems to K-12
schools around the United States.
The schools mainly use the systems in cafeterias to speed kids through lines by
linking them to a personal cash account that pays for their lunches. Reviews
have been mixed on whether lines have gotten shorter.
Grocery stores have also begun experimenting with fingerprint scans to hurry shoppers
on their way and protect debit accounts from illegal use.
But what's the potential downside? Privacy watchers say that as biometric scanners
become more widespread, it becomes possible for organizations--companies, the
government--to create a detailed dossier of your physical movements as you pass
from one scanner to the next. If Starbucks can easily track your movements, so
can Uncle Sam, or your insurance company, or your spouse's divorce attorney, and
so on.
And for now at least, mistakes with these scanning systems are more common than
most biometrics system makers like to admit. In other words, they don't always
know that you are you.
Still, the technology is coming quickly, and knowledge is power. Here's a quick primer
on the most common forms of biometrics.
Fingerprints
Where have I seen this before? A common plot element of Hollywood spy thrillers, fingerprint scanners
allow National Security Agency officials in Enemy of the State
to enter secure areas and access computer systems.
How does it work? An optical scanner captures an image of the ridges and furrows of your
fingerprint, then compares the minute details--the places where ridges end or
fork--against those of a fingerprint image on file.
Where is it used? Besides solving crimes, fingerprints are used to gain entry to buildings or computer
information. For $50, you can buy a thumb scanner for your PC, such as
DigitalPersona's U.are.U, which uses your fingerprint to access files or log
on to Web sites. Fingerprints have also been tested as an alternate payment
system--a store could scan your thumb on your way out instead of your credit
card, and then charge your account.
How accurate is it? Electronic fingerprint scans make the right match from 95 to 98 percent of the time,
according to the FBI. But accuracy varies depending on gender, racial
characteristics, and chemical residue on the fingers, such as pool chlorine or
household cleansers.
Can it be beaten? Yes. In 2002, Japanese researcher Tsutomu Matsumoto demonstrated several ways to
create a fake fingerprint out of gelatin that could be worn by an identity thief. Earlier
this year, Malaysian car thieves took a more direct route: They stole
a Mercedes that required fingerprint recognition to start the car, by
cutting off one of the owner's digits (thus giving new meaning to the phrase
'give someone the finger').
Voice
Where have I seen this before? In The Incredibles, superhero costume designer Edna Mode (the
voice of Brad Bird) uses voice verification to gain entry into her secret lab.
(She also undergoes an eye scan--see below.)
How does it work? The sound, pattern, and rhythm of your speech are measured and assigned a numerical
score, then matched against those with similar scores.
Where is it used? As with Edna, voice can be used to allow verified employees to enter secure areas,
but a more popular application is remote authentication via phone, especially
for banks and other financial firms plagued by identity theft.
How accurate is it? Getting better, but still not as accurate as other biometrics. Voice verification is
highly susceptible to background noise and can be affected by the user's
physical condition (e.g., a head cold), as well as the equipment used--the same
person can be identified as different people when using different phones.
That's why voice is often used in conjunction with another biometric, such as a
face or eye scan as seen in The Incredibles.
Can it be beaten? Depends on how sophisticated the voice-verification system is. A simple system that
asks you to repeat a fixed phrase can be defeated with a tape recording of the
authorized person saying that phrase. A system that combines verification with
requests for confidential information (such as a password) is much harder to
beat.
Face
Where have I seen this before? In Tomorrow Never Dies, James Bond (Pierce Brosnan) uses
facial recognition to identify terrorist Henry Gupta (Ricky Jay) from
videotape captured at an arms deal gone bad.
How does it work? There are several ways to perform facial recognition. The most common method uses a
camera to capture an image of your face, which is analyzed for certain
"nodal points," such as the distance between your eyes or the width
of your nose. A unique "template" (a series of numbers) is generated
based on these nodal points and then compared against other templates.
Who's using it? Security-conscious businesses use facial recognition to let certain employees access sensitive
sites. Airports use it to scan for people on security watchlists; cities employ
the technology to spot criminals in public places; and several large Las Vegas casinos use it
to nab known cheaters, all with varying degrees of success.
How accurate is it? According to tests conducted by the National Institute of Science and Technology,
the best systems achieve 80- to
90-percent accuracy in controlled conditions. However, results vary depending
on lighting and the angle at which the face is presented, as well as the gender
and age of the person being scanned. The technology tends to be better at
verifying identity than at picking faces out of a crowd.
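The gap between verifying one claimed identity and searching a whole watchlist can be shown with a toy matcher. This is an added example, not from the original article: the gallery names, the three measurements per template, the 2.5 threshold and the 0.1 percent false-match rate are all constructed assumptions.

```python
import math

# Constructed enrollment gallery: each "template" is a short series of numbers,
# here three nodal-point measurements in millimetres (eye distance, nose width,
# jaw width). Names and values are made up for illustration.
GALLERY = {
    "alice": (62.0, 34.0, 120.0),
    "bob":   (66.0, 37.0, 128.0),
    "carol": (59.0, 31.0, 112.0),
    "dave":  (64.0, 36.0, 124.0),
    "erin":  (61.0, 33.0, 116.0),
}
THRESHOLD = 2.5  # assumed: loose enough to absorb pose and lighting variation


def distance(a, b):
    """Euclidean distance between two templates."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(probe, claimed_id):
    """1:1 check: does the probe match the single template it claims to be?"""
    enrolled = GALLERY.get(claimed_id)
    return enrolled is not None and distance(probe, enrolled) <= THRESHOLD


def identify(probe):
    """1:N search: every enrolled identity within the threshold, closest first."""
    hits = [(distance(probe, t), name) for name, t in GALLERY.items()]
    return [name for d, name in sorted(hits) if d <= THRESHOLD]


def chance_of_false_match(per_comparison_rate, gallery_size):
    """Probability that a non-enrolled face matches at least one of N templates,
    assuming independent comparisons with the same false-match rate."""
    return 1.0 - (1.0 - per_comparison_rate) ** gallery_size


ALICE_TODAY = (63.0, 34.0, 122.0)   # genuine user, slightly different capture
STRANGER = (63.0, 35.0, 126.0)      # constructed probe, not enrolled at all

if __name__ == "__main__":
    print("alice verifies as alice:", verify(ALICE_TODAY, "alice"))
    print("stranger verifies as alice:", verify(STRANGER, "alice"))
    print("stranger found in gallery as:", identify(STRANGER))
    for n in (1, 1000, 100000):
        print(n, round(chance_of_false_match(0.001, n), 4))
```

The same threshold that correctly rejects the stranger's claim to be one enrolled person wrongly reports the stranger as another enrolled person once every template is searched, and the chance of such a hit grows with the size of the gallery.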
Can it be beaten? Yes, but leave the Groucho Marx glasses at home and strap on the feedbag. Disguises
appear to have less effect on matches than sudden weight gains or losses. Some
systems have also been defeated by holding up photographs of authorized
personnel to the camera.
Eyes
Where have I seen this before? In Minority Report, shoppers at a mall are identified via eye
scans as they walk by (and are then shown targeted ads that call them by name).
In a particularly gruesome scene, John Anderton (Tom Cruise) replaces his own
eyeballs to avoid being recognized by the Pre-Crime Police.
How does it work? There are two forms of eye scans. A retinal scan measures the pattern of blood
vessels in the back of the eye, and is obtained by shining an infrared light
through the pupil. An iris scan can be performed using a video camera, and
examines the unique patterns of ridges on the colored portion of your eye.
Who's using it? Iris scanners are starting to be used at airport security checkpoints, and some
airports have experimented with the technology to replace the check-in
kiosk--in this scheme, your eye is your ticket. Retinal scans are fairly
invasive and less common, but are still used to restrict access to military
installations, research labs, and other high-security areas.
How accurate is it? Both retinal and iris scans are considered the most accurate biometric, but they
won't work in all cases. Retinal scans won't work on individuals who are blind
or have cataracts, while ambient lighting and the angle of your head can affect
the accuracy of iris scans. Ethnicity and eye color also play a role--the
darker your eyes, the harder it is for the scanner to tell where your pupil
ends and your iris starts.
Can it be beaten? To some degree--and without gouging out your eyes. Colored contact lenses can
reduce the accuracy of iris scans, as can the use of drugs that dilate your
pupils. Some iris scanners have been defeated by holding up a high-resolution
photo of an "authorized" eye, with a hole cut to reveal the faker's
actual pupil.
DNA
Where have I seen this before? In Gattaca, Vincent Freeman (Ethan Hawke) must provide a
pinprick of blood at the entrance to the aerospace firm where he works, so his
DNA can be verified against a database of genetically superior employees.
Freeman actually uses a fake fingertip filled with blood from Jerome Morrow
(Jude Law), until his identity is revealed through an eyelash he carelessly
leaves at a crime scene.
How does it work? A person's DNA is obtained via a blood, saliva, hair, or skin sample. The length
and protein sequence of several small sections of the DNA strand are analyzed
to generate a "DNA profile," which is compared against other DNA
profiles.
Who's using it? Today DNA testing is used almost entirely by law enforcement or in paternity cases.
Nearly every state collects DNA samples from people convicted of violent
crimes, and four states take them if you've been merely arrested, according to DNA Resource. The FBI's
DNA database has data from more than 2.1 million DNA samples. But because it
takes hours to analyze a DNA sample, we're still several years away from a
Gattaca-style biometrics scan, says Maud Meister, a consultant with the International Biometric
Group in New York.
How accurate is it? The odds of two people having the same DNA sequence are estimated at 6 billion to
1--unless they're identical twins. However, identical twins do produce
different iris and retinal scans, making eye scans a slightly more reliable
biometric.
Can it be beaten? Yes, if you're Ethan Hawke, or if an imposter gets there ahead of you. If someone
obtains your DNA from, say, a strand of your hair and manages to obtain the DNA
profile associated with your identity, you're in for a world of hurt. Because
unlike a driver's license or a password, you can't replace your DNA.