Biometrics conference

I was at a biometrics conference in Florida the week before last. The state of the art is much more advanced than I realized in many areas.

For example, iris recognition can be done at a distance of a couple of meters. You just look at a screen for a second or two and the system can identify who you are and thus whether you are approved to enter, or whatever. In a self-contained unit, the unit itself can store 100,000 people. With a back-end database there can be millions or even hundreds of millions and identification still takes place in under 2 seconds. This is still what is called cooperative recognition, where the person being identified follows instructions, opens their eyes, takes off their glasses (although it has a pretty good recognition rate even if you don’t, depending on how much other reflection there is off the lenses). There seem to be research projects going on to recognize people simply by scanning them as they walk by.

In Japan, half of all ATMs are equipped so you stick your finger in to validate who you are. Over 80% of them use Hitachi’s recognition system, which works, not by fingerprints, but by the pattern of veins inside the finger which can be seen by shining a bright red light into the end of the finger. Curiously, an ATM card plus your finger isn’t enough. You have to type in a four digit PIN too, but not because the banks want it. Japanese law says that ATMs much have PINs and the law hasn’t caught up with modern technology (that would never happen here, surely, where every senator already knows that the Internet is a series of tubes). Don’t expect to see this any time soon in the US since we don’t really use smart cards and the modern way to do things is to store the biometric data on the card and not in a central database so that it doesn’t have a single point of failure, and because in many countries (although not the US) there are major restrictions on biometric databases which are obviated if you only store them on something that belongs to the user.

In Pakistan, fingerprints are used to control elections, guaranteeing one person one vote. I talked in the bar one night to people who built that system and I asked them about its computational needs. They told me it all ran on “what counts as a server in Pakistan” namely a not-state-of-the-art PC. Apparently part of the cleverness is being able to reject over 90% of people without having to look at their detailed fingerprint data.

Those of you who are citizens may have noticed that all visitors (including permanent residents like me) are fingerprinted and photographed every time we enter the US. That’s over 600 million times a year. I’m sure Homeland Security would fingerprint everyone at the border if it weren’t against the law, just like the NSA decided to examine everyone’s phone traffic (despite being against the law). I’ve no idea what they do with the data, it seems like a boondoggle for the equipment suppliers. After all, the 9/11 hijackers all entered the country legally with visas (although in couple of cases the visas didn’t get approved until 6 months after 9/11).

It is clear that the federal government isn’t going to rest until we have standardized biometric driver’s licenses. I’m sure they will then require you to use your fingerprint or iris every time you take a plane or enter a federal building. Since most government databases have significant error rates and essentially no procedures for validating and checking the data, this is going to result in some wonderful Kafkaesque stories when people get lost by the system or confused with someone else.

Identity is very important for some things, like nobody except you should transfer money out of your bank account. For others it is completely unclear, such as getting on a plane. Despite the terrorist watch lists (people who are so dangerous that they can’t be allowed on a plane but so undangerous that they can’t be charged with anything at all) airline security seems never to have apprehended a genuine terrorist (as opposed to the occasional petty drug dealer).

A lot of what the government seems to be doing is analogous to the drunk looking for his keys under the streetlight because that’s where he could see. Take lots of biometric information in, because it is possible, even though nobody has a database of biometric information from suspected terrorists to match against.

In the meantime, in tiny drips like this, I think our freedom and privacy gradually ebbs away. Forget the differences in rhetoric, the Bush and Obama administrations both seem equally keen to centralize power and take away liberties in the name of the usual trifecta of terrorists, pedophiles and drug dealers.