The Engineer

Identity Crisis

The UK government is urging the industrialised world to deploy biometric technologies in the fight against fraud, international terrorism and illegal immigration.

June 13, 2003
By Andrew Lee

Biometric systems use a unique human characteristic such as a face, voice or iris pattern to authenticate identity, and are viewed by ministers as an answer to a host of seemingly insoluble problems. The Home Office plans to introduce passports that carry biometric information by 2005. However, the technology has many critics who point to a number of serious flaws including new opportunities for criminals to steal another person's identity with devastating effect.

Although the government is still reviewing the results of its own consultation on the subject, the biometrics bandwagon is now rolling. Last month, home secretary David Blunkett won the agreement of other G8 members to consider its introduction. But as yet his department has failed to answer any of the questions posed over the technology's reliability and its ability to cope with the sheer scale of mass deployment.

Scarcely a week has passed in 2003 without a headline-grabbing announcement of a new initiative to improve the security of the public, the business community or the state. Technology has been touted as the key to, among other things, curbing illegal immigration, cutting credit card fraud, stopping terrorists in their tracks and exposing false benefits claimants.

UK passports, driving licences and social security 'entitlement cards' could all contain biometric elements within a few years. And last month, the US Department of Homeland Security announced it had decided to begin implementing biometric technology at border control points by the end of next year. The specifics of the scheme have yet to be finalised, but officials have indicated that fingerprint and facial-recognition equipment would be installed at some points of entry including airports, seaports and border crossings.

Biometrics first sprang to wider attention following September 11, when it was seen as a possible quick fix for the security nightmare of the global aviation industry. The emerging biometrics industry is well aware of the expectation - some could say hype - surrounding its products. It is always helpful to a field of technology when a momentum builds up behind it, but some experts are counselling extreme caution.

Joe Grand, an electronics engineer with long experience in security technologies, said placing too much faith in biometrics would be a mistake. 'Like all technologies these systems have their strengths and weaknesses,' said Grand, who has carried out work for the US government, military and the National Security Agency. 'When you are applying a technology, specifically security, I think you have to be extra cautious and even a bit paranoid over what you are getting.'

According to Grand, the biometrics industry is more than happy to bask in the limelight created by current world security tensions, in a few cases employing what he labelled 'scare tactics' to hasten adoption of their systems.

'I see a lot of companies really going all out to push this technology. They're trying to create a market, which is understandable. But if you just trust what a manufacturer tells you, you could open yourself up to all sorts of security weaknesses.' 

The problem, according to Grand and other 'friendly sceptics' of biometrics, is that many of the systems currently available are simply not as secure as many would like to believe. 'There are known methods to bypass many of them,' he said, listing holes in the security of supposedly foolproof technologies exposed by enterprising and mischievous researchers.

In one of the more celebrated recent examples, Japanese engineering professor Tsutomu Matsumoto last year created 'fake fingers' from gelatine in a bid to fool fingerprint scanners. According to Matsumoto, his dummy digits baffled the biometric scanners 80 per cent of the time - a failure rate that goes beyond poor and into the realms of disastrous.

Even more alarmingly, Matsumoto and his team did not need to rely on access to actual fingers to work their trickery. The researchers used a combination of digital photography, graphics software and copper etching to lift people's fingerprints left on glass and create fake fingers with exactly the same ability to fool the biometric scanners.

According to Grand, this ability to purloin the crucial element of the entire biometric system - the human characteristic itself - is one of the more worrying prospects if biometrics are to be applied on a mass scale. Once that key indicator is lost, stolen or otherwise compromised the situation may be irretrievable for the individual concerned (see sidebar). In a potential future in which biometrics control access to many everyday services, that would be nothing short of a disaster.

Some of those most closely involved in the field of biometrics technology are open about the limitations of the systems if attempts are made to apply them on a national or even global scale. Bob Carter, formerly an R&D specialist at international security printing giant De La Rue, is now chair of IST44, a group that aims to bring together industry, academia and the government to represent the UK and establish formal international biometric standards.

Carter said a biometrics-based national identity scheme would be extremely hard to establish owing to natural factors occurring within populations. 'There's nowt so queer as folk, and folk have a habit of screwing up the most advanced system,' said Carter, who gave one of the lesser known quirks of human physiology as an example.

'Around one in 70,000 people don't have an iris and some others only have part of one, though this doesn't affect their vision. Though iris recognition is very accurate, it therefore doesn't suit a scheme that seeks to identify the entire population,' he said. 'I also have yet to see a system that can identify a face within a database of 2.5 million images. The system becomes less accurate as the numbers go up.' 

According to Carter, the small but significant flaws in each strand of biometrics make their use in isolation more risky, even allowing for the fact that they must also respond quickly enough to be practical in mass-screening applications. 'Basically, a biometric system based on one technology won't work,' said Carter. 'Anything that will be used on people queuing at ports and the like must have a response time of three to four seconds.'

This argument leads to what many see as the nub of the issue: if relying on one biometric indicator is suspect, then two, three or even more will have to be used. A combination of fingerprint, iris, voice and face, for example, would surely be beyond foolproof in establishing identity.

Such multi-layered systems, however, would take biometric deployment into new realms of complexity and cost. This inevitably begs more questions over whether they could work on a mass scale and if the monetary price would be worth paying.

Kush Wadhwa, European director of International Biometric Group, a consulting and integration specialist in biometric technologies, said the performance of the systems has come a long way in the past decade, but claimed they would still struggle to fulfil some of the more ambitious expectations being heaped on them. 

The hardware elements of bio-metric systems have certainly improved, he said. 'As recently as five years ago we would carry out testing on devices that would instantly fail. One actually caught fire during the testing process.' 

Also, as biometrics have matured as a distinct strand of technology, said Wadhwa, systems have become more robust. Successful matches have increased, error rates have dropped. Wadhwa pointed out that the most venerable biometric technology of them all - fingerprint identification - accounts for about half of the current biometric systems in use around the world.

The other 50 per cent is made up of the systems causing all the current stir such as voice, iris or facial recognition. 'These are relatively new, and with these technologies it is important to think about what specific job you want them to do.' 

According to Wadhwa, current biometric systems are quite capable of carrying out everyday functions such as controlling access to an office. What is less clear is their ability to fulfil the gigantic, society-wide security operations they are currently being lined up for. 

'When you are talking about dealing with tens of millions of people, there is actually no evidence that they will be able to scale up to fulfil the types of applications being talked about,' said Wadhwa. 'On the other hand, there is no evidence against them. At that sort of scale we just don't know.' 

At the level being talked about by some biometrics evangelists, said Wadhwa, cost also becomes an issue. 'One fingerprint access control system for one door to a laboratory could cost as little as $500 (£300),' said Wadhwa. 'Deployment to millions of people is another matter. Even though the cost of individual devices for biometric systems is coming down, when you scale up deployment to that extent the total cost of ownership is the important thing.' 

Wadhwa believes 'cost of ownership' - the money that has to be spent to deploy biometric technologies on a large scale - will need to be given careful thought if they are to be widely implemented in the public sector.

For the private sector, the return on investment may be easier to calculate. For governments or individual state agencies, the equation becomes more complicated. A spokesman for the Home Office said biometrics will be increasingly used in the UK, particularly to improve the effectiveness of immigration controls. With regard to the proposed national identity or entitlement card, he said the government would need to be satisfied that the technology was sufficiently mature and reliable, could be implemented at a cost which justified the benefits, and was acceptable to the public.

Biometrics may be held out internationally as a way of protecting the public. But if the taxpayers of the UK and other countries see the costs spiralling - as government-led technology projects have a habit of doing - they will expect the systems they are paying for to be as good as foolproof. At that stage, some of the more hysterical claims made for biometric technologies may start to look rather ill-advised.