back to article Collar the lot of us! The biometric delusion

Until the 16th century, educated opinion, as codified by Ptolemy, held that the Earth is at the centre of the universe. Then along came Copernicus. On 29 June 2009, the Identity & Passport Service (IPS) published their latest paper on the National Identity Service (NIS). According to Safeguarding Identity (pdf), "the vision …

COMMENTS

This topic is closed for new posts.

Page:

  1. Anonymous Coward
    FAIL

    A few replies

    @Onoria

    You've obviously not been following this one that well. El Reg reported a while back some research that showed that daisy-chaining multiple biometrics actually make things as bad as the worst biometric. The reason for this is the offset between false positive and false negative. Check out the article if you want full details.

    @Julian I-Do-Stuff

    You are thinking like a computer scientist. But remember that all biometrics (with the exception of DNA) are measurements. For example on fingerprints the measurement of the relative position of certain identifiable points on a finger. Measurements have a particular accuracy. Unless your measurements are EXACTLY the same (to the given precision you are using) then your hash fails and you fail to match your subject. This is true on a fingerprint for all 10 or 12 points that you use for ID. This puts an even higher standard of preventing false positives than you need; and in return throws your false negative rate through the roof. Furthermore you can't tune false positive to false negative rates. The only way to use a hashing system currently is with DNA profiles which are gene sequences and therefore effectively a specific value rather than a measurement. Here your only problem is the probability of a matched sequence which is higher than most people think.

  2. Frumious Bandersnatch

    @Bringing down those odds

    Short answer: no.

    Slightly longer answer, courtesy of The Register:

    http://www.theregister.co.uk/2005/10/19/daugman_multi_biometrics/

  3. Charles 9

    @A few replies

    Concerning measurements---so what if those measurements can be made MORE ACCURATELY? Or is there some inherent accuracy ceiling that no amount of technology can compensate?

  4. Anonymous Coward
    Black Helicopters

    @ Keith T, 19:45

    The US no-fly list is ridiculous, and as you said, thousands of people end up spending hours at the airport without ever having set a foot wrong.

    However, biometrics is not the answer to that. These problems need to be addressed individually: the no-fly list's system needs to be changed dramatically (or abolished). The people responsible for holding up the person in Kenya need to be sacked, re-educated or "cured" Room 101-style.

    Adding another layer with its own faults (false positives etc), on top of an already faulty layer, just to try and correct the bottom layer's mistakes is silly. It is a massive waste of time, money and infrastructure; and will ultimately solve very little, if anything at all.

    Of course, in our overlords' views, adding another layer is "making something _better_". Drastically changing a system, or abolishing it, is admitting the government was wrong. And that, as has been pointed out, they will never do.

    However, I cannot help but hope that inside those black helicopters there's one person with a heart (or a calculator and a sense of how much the taxpayer is coughing up this time). Either that or a revolution with funky masks.

  5. Anonymous Coward
    Black Helicopters

    @AC - A few replies...

    "The only way to use a hashing system currently is with DNA profiles"

    Can you see where this is all going yet?!

  6. Anonymous Coward
    Stop

    @Categorisation comments

    If you were categorised automatically and that included hair colour- not an unreasonable attribute on the face of it- you'd have to remember that this changes weekly with some people.

    You can't do it based on skin colour- imagine if someone who wasn't quite "black" enough was described as "white" or "coloured" or "non-white" or if the opposite happenned to a white guy- it'd be even worse for those genuinely in this category as their category could swing either way. And remember that their skin colour could be changed by lighting, camera settings, make-up worn, etc.

    Suddenly you've got a system that could lead to lawsuits- and huge numbers of false-negatives; say the police pulled over a girl who'd worn a little dark make-up on photo-day. They're classified as "non-white" on their card but due to a lack of make-up on the day of this pulling-over are very definately white. Suddenly you've got a fraudulent looking ID. If they'd died their hair that day they'd probably end up being tazered as a suspected terrorist...

    And this is to say nothing of the havoc facial tattoos (genuine or temporary) could cause- if you were halfway through a tattoo when you were legally forced to renew your photo you'd potentially not match it after another session at the tattooist.

    Also, what're the effects of facial glitter in modifying the average skin colour found?

    Eye colour would be a possibility but this could be screwed up with coloured contacts if you were a terrorist.

    Given that the eye is a big lens, wouldn't the "read" eye blood vessel pattern appear to change over time? Especially with kids and the elderly? Not a huge amount, but enough to cause problems if you tried to match it too exactly?

    So we're down to fingerprints which aren't proved to be individual and which are read by a method below what the already-fallible police currently use. These can't be automatically checked- as Mythbusters demonstrated some of these automated fingerprint-reading systems can be gotten through with as little as a photograph of a fingerprint. So to use fingerprint recognition with any actual confidence that they're the real person you need a person. Kinda limits their use.

    Biometric cards are really going to suck, aren't they?

  7. Julian I-Do-Stuff
    Coat

    Mea Culpa

    I plead temporary insanity due to a week of Hungarian in-laws.

    IF - as is NOT the case - the issue is the uniqueness of data, then my answer was not incorrect

    IF - as IS the case - the issue is the uniqueness of the identities of people as defined by biometric data, then I was indeed so far off the point as to be positively retrograde. 1.8 x 10^15, etc. etc. all accepted.

    Apologies to author et al. Doing stuff includes making a complete twat of myself - I'm good at that.

    (Rarely in the field of iconry has this been more appropriate)

  8. Richard 12 Silver badge

    @Keith - Please re-read statement.

    He is *not* talking about how the data is processed.

    He is *not* talking about how the data is stored.

    The purpose of the statement is to calculate the *probability* that there will be false matches - thus, the chance that *any* two individuals on the register will match *each other*.

    His statement is basically that given infinite computing power and infinite storage space, it still *cannot work* because of the data capture systems available.

    Furthermore, it is quite likely (though as yet unproven) that the data subjects themselves (you, me and everyone else in the world) prevent the system from working, as we're all much more than 99.99% identical. If we weren't, we couldn't breed.

    (I'm not sure of the exact number of decimal places, but it's much more than two)

  9. D Moss Esq

    janimal Posted Friday 14th August 2009 13:57 GMT

    Mr Animal

    You say:

    "You know this, I know this, many statisticians, mathematicians, techies and geeks know this. What we actually need is some trusted (ha!) media organisation, like say the beeb, to explain it to the rest ..."

    Quite right. Editors in the print media and broadcast should be lobbied to insert the word "alleged" into any of their reports on the reliability of biometrics. Biometrics are guilty until proven innocent -- normal scientific scepticism.

    As for your joking assertion that "they're all in it together I tell you!", you know and I know that that's not quite it. There's just a general assumption that biometrics work infallibly, a forgivable mistake, people can't be expected to question everything, there isn't time, how many false beliefs do you and I hold?

    We just need to indicate to politicians, civil servants, journalists and others that this is an area where it's worth putting in a bit of effort to question the received wisdom, otherwise we'll waste a fortune and there will be a lot of disappointment when all those raised hopes for security and efficiency are dashed.

  10. D Moss Esq

    Anomalous Cowherd Posted Friday 14th August 2009 14:07 GMT

    Mr Cowherd

    You say:

    "Portugal ... is using fully automated facial biometrics already."

    Correct. Ditto Australia, please see letter from Home Office Scientific Development Branch (HOSDB), http://dematerialisedid.com/BCSL/Rejman-Greene.html:

    "Operational testing, e.g. in Australia and in Portugal, has confirmed the improvements which the NIST technology tests have identified."

    That is HOSDB's assertion. I can find no references to the success of the technology in Portugal. As to Australia, please see http://www.australianit.news.com.au/story/0,,23502567-5013040,00.html?from=public_rss:

    "Customs refused to disclose the rates at which the system inaccurately identified people ..."

    This is not how science is normally conducted, is it? Normally, the emphasis is on openness, which promotes confidence. The Australian Customs are depressing confidence, their secrecy looks suspicious, what have they got to hide?

  11. D Moss Esq

    Michael H.F. Wilkinson Posted Friday 14th August 2009 15:15 GMT

    Mr Wilkinson

    Thank you for your contribution, especially valued coming from a practitioner.

    I did propose a plan to John Reid when he was Home Secretary how to get off the hook while saving face, http://dematerialisedid.com/Open.html. The plan is unused and remains available to any future Home Secretary and, indeed, to the Interior Minister of any country in the world. Interior Ministers, or Prime Ministers, http://dematerialisedid.com/OffTheHook.html.

  12. Ed

    Actually possible?

    We, as humans, can mistake one person for another. I can't believe computers are going to get better at recognizing us than we can each other in the near future.

  13. Robert Forsyth

    It must work, I've seen it on films

    along with faster than light travel, teleport, ...

    Some of this is bluff, like TV detector vans to 'encourage' people to get TV licences. The fingerprint to get your school dinner, it doesn't really matter if it works, so long as it appears to work.

    All these biometric testing devices seem like they can be bypassed, say a mask for face recognition, false fingerprints covers, whatever. What you need is a secret (like your PIN), shared between you and the ID office, and something like a credit card to hold your ID and the shared secret verifies it. Trying to use biometrics for the shared secret, has the problem that it is not secret (or not fixed and not unique ).

  14. Michael H.F. Wilkinson Silver badge
    Boffin

    @Keith T; @AC: A few replies; + "Authentication + , Identification -"

    @Keith T : see my earlier comment on why this does not work, also the AC mentioned below

    @AC: A few replies: No computer scientist dealing with computer vision or other pattern recognition tasks would think the way you suggest computer scientists think.

    Finally: I do think biometircs, in particular iris scans can help in authentication, though more research is needed to reduce the failures in enrolement. I remember John Daugman complaining he had studied more eyelashes (especially Asian ones, which do not curl up as much, and therefore occlude the iris) than anybody in the world.

    In identification I have severe doubts

  15. D Moss Esq

    Anonymous Coward Posted Friday 14th August 2009 20:48 GMT

    Mr Coward

    You say:

    "The only way to use a hashing system currently is with DNA profiles which are gene sequences and therefore effectively a specific value rather than a measurement. Here your only problem is the probability of a matched sequence which is higher than most people think."

    Correct.

    Professor Sir Alec Jeffreys, the man who invented DNA profiling, so he should know, had this to say way back in 2004, http://www.guardian.co.uk/science/2004/sep/09/sciencenews.crime:

    "Genetic profiles stored by police normally record the details of 10 specific parts of the long chain of molecules that make up a person's DNA. The chances of two unrelated people having the same details for all these 10 markers - and hence the chance of a false identification - is said to be about one in a billion. This method has traditionally been regarded as highly efficient at identifying suspects from DNA traces left at crime scenes.

    "However, Prof Jeffreys said the increasing number of records being held on the police database - currently about 2.5m - meant that having only 10 markers per person was no longer foolproof."

  16. D Moss Esq

    Julian I-Do-Stuff Posted Saturday 15th August 2009 06:16 GMT

    Absolutely no need to apologise.

    Your Hungarian experience reminds me.

    One of the arguments used for the introduction of biometrics into the UK is that other countries use them. That doesn't make biometrics reliable, of course. It simply suggests that we in the UK should do what other people do.

    In Hungary, they speak Hungarian. Do the Home Office suggest that we all speak Hungarian?

    No. They do not follow their own rule.

    Just as well. After all, they speak Portuguese in Brazil. So we should speak Portuguese.

    The rule implies both that we should speak Hungarian and that we shouldn't, because we should speak Portuguese.

    Reductio ad absurdum.

  17. D Moss Esq

    Ed Posted Sunday 16th August 2009 00:25 GMT

    Ed

    You say:

    "We, as humans, can mistake one person for another. I can't believe computers are going to get better at recognizing us than we can each other in the near future."

    According to the US National Institute of Standards and Technology (NIST), http://www.frvt.org/FRVT2006/docs/FRVT2006andICE2006LargeScaleReport.pdf:

    "In an experiment comparing human and algorithm performance, the best-performing face recognition algorithms were more accurate than humans."

    That was the result of a laboratory-based experiment. It has never been repeated in the field. Quite the opposite.

    NIST's methodology for predicting outcome in the field is utterly discredited.

  18. D Moss Esq

    Anon @ 17 August 2009 10:16

    A reader who wishes to remain anonymous emails:

    "Hi David - I'm confused because <countryname> is using fingerprint-based identity verification (not identification as you define it, because it is matching my flat-fingerprint read against a smartcard that stores a copy or some hashed representation), and this system has worked quite reliably for me over the last few years since they started using it in all their automated immigration kiosks.

    "I use it myself several times per month and occasionally it can't read my fingerprint but it tells me this and I try it again and it goes through. I don't see evidence of the 15-30% failure rates you are mentioning. Are they using a better technology?

    "Personally I always thought the bigger concern about biometric security was the impossibility of revoking a stolen key. If someone is able to compromise the reader infrastructure then presumably they can capture the hash of my digital retina, for example. Now they could submit this through any hacked interface, and I can never recall it as stolen. Of course this requires that they hack both sides, but we know that even ATMs are hacked -- good, send me a new debit card. But a new retina?

    "Curious to hear your thoughts.

    "Cheers, -<readername>"

    ----------

    1. It is possible that this country is using more reliable technology than others. Could you try to find out who supplies it?

    2. I would be surprised if they have found a supplier with an infallible product. We would have heard about it by now, if that was the case, and we would all know the failure to enroll rate (FTE), and the matching false match and false non-match rates (FMR and FNMR). Nobody with a light like that would hide it under a bushel.

    3. You are only a sample of one. You cannot draw much of a conclusion from so small a sample.

    4. Can you find out how the fingerprint equipment has been set. It may be that the authorities have deliberately opted for a low FNMR. In that case, they are likely to experience a high FMR -- you may find that hundreds of people could pass through the gates using your ID card.

    5. Scanning your iris is supposed to be risk-free. Scanning your retina isn't. I asked my optician. She said it was a bad idea to have your retina repeatedly scanned. Only a sample of one, admittedly.

    6. You're confused? Nothing like as confused as the politicians and civil servants here in the UK, http://dematerialisedid.com/BCSL/Tulipmania.html.

    Best wishes

    dm

  19. D Moss Esq

    Anon @ 17 August 2009 16:13

    The reader who wishes to remain anonymous replies:

    "Fair enough - I would actually expect it is as you suggest - they are probably configured to be somewhat lax -- you know the numbers better than I do, but if the probability of another person being able to pass through on my credentials is 1/10000 then presumably they figure this 0.01% chance is acceptable to prevent brute force attack. I would spend a long time to find one of the compatible 700 people. But they aren't claiming it offers fool proof identification, either.

    "If I am able to find any information about the manufacturer I will send it along.

    "Cheers,

    "-<reader name>"

    ----------

    I believe that most people think the biometrics being offered in the National Identity Scheme (NIS) and in the UK Border Agency's eBorders scheme are 100% reliable, binay, yes/no, that's you/that's not you. That causes most people to look on these schemes in a certain way.

    If and when they realise that the identity ascribed to a person by today's mass consumer biometric technology is only probabilistic, I believe that people will look on it in a different way. The technology will provide acceptable value for money if the error rate is small.

    But what is "small"? 0.5%? 1%? Those would probably count as small, and people would grudgingly think the money is well spent. But 20%? That will come as a shock. Nothing in the utterances and press releases of politicians and civil servants has prepared people for that sort of error rate. But that's what the FNMR is, apparently, for flat print fingerprinting, with a low FMR.

    Not having been prepared, people will feel cheated, the money will feel wasted and the instigators of the NIS and eBorders will be lucky if the worst they suffer is derision.

    ----------

    You would have trouble finding 700 people in <countryname> with similar flat print fingerprints to yours. I would, too. We're both nice people.

    But consider a newspaper editor. He or she is used to retaining private investigators (PIs) to discover secrets about people. The PIs, in turn, have contacts in the police or at credit card companies who will supply information for money. This doesn't happen at The Register, I imagine, and we all know it doesn't happen at the News of the World. But it happens. Someone is keeping those PIs in business.

    A newspaper editor, or organised criminal, could ask his contacts to get him the name and address of the top 100 people with closest matching flat print fingerprints, all neatly categorised by post code. Henchmen could then be despatched to do a spot of burgling/pickpocketing. Perhaps it would be best not to steal the look-alikes' cards. That would get them revoked. But just note down/download some details so that a decent copy can be made.

    Bob, it seems ot me, after that, is your uncle.

    The nice people suffer. The nasty people prosper.

    ----------

    Hope you can get some information.

    Best wishes

    dm

  20. John 61
    Jobs Horns

    @ Keith T

    Quote:

    What we need for now is something better than what we have now. Achieving perfection is always something for the future.

    Surely this puts you into an infinite loop?

    *All* databases suffer from the same thing: GIGO.

  21. Anonymous Coward
    Anonymous Coward

    Home Office Scientists

    The Home Office has scientists!?

    Rofl, I don't believe a word of it.

  22. Adrian 4

    @AC - DNA

    ""The only way to use a hashing system currently is with DNA profiles"

    Can you see where this is all going yet?!"

    No, not any more.

    http://www.nytimes.com/2009/08/18/science/18dna.html?_r=1

    I predict atomisers matching celeb DNA on ebay any time now ...

  23. N2
    FAIL

    Anyone know

    Any government IT initiative to be a success, that it operating with in the design intent & within budget etc, as opposed to a claimed success?

    It seems like theyve failed at everything else & Ive every confidence they will fail at this.

  24. Chris Hunt
    FAIL

    The bigger picture

    I think even new labour realise that ID cards won't work, but they won't have the job of making them work.

    When the tories win the next election*, it'll be their job to implement the cards, and their fault when it all goes tits up. Think "millenium dome" with knobs on.

    Of course the tories are committed to dropping the scheme altogether. That's even better for NuLab - they can accuse the tories of being soft on crime/security/terrorism; and next time there's a terrorist attack they can claim that ID cards might have prevented it.

    All good ammunition in the ongoing political bunfight, for only £5M and counting - but who cares, it's only our money!

    Of course the plan runs into trouble if, somehow, Labour win next year (let's call this the "John Major" scenario). Then they just keep it in a perpetual series of consultations and trials and whatnot to keep it on the "coming soon but not yet ready" list so as not to pay the price of cancelling it. Sadly, with daily-mail-appeasing uppermost in their minds, I think the tories might do this too.

    Card-shaped icon with "fail" written on it...

  25. John Smith 19 Gold badge
    Thumb Down

    Where does 1.8 E15 come from?

    IIRC 60million is the official number from the offfice of national statistics based on the last census.

    checking each person against *all* other users (including the one they claim to be) gives 60milion ^2 or 3.6E^15.

    I am including a check against the person they claim to be as well (which logically should be the first on the list)

    Note we are not looking for at least 1 match (IE the idea that on *average* we have to cover 1/2 of any database to find a match) we want *all* matches, as an impostor should be the person who has a higher match score (on their real identity) than the person they are claiming to be.

    So how does the number of matches get dropped by 1/2?

    Note this does not change the conclusion. Only an idiot or a data fetishist would beleive the claims made for these systems given the size of the DB, the match rate needed and the number of false positives it will generate.

    Like all natural recognition problems (speech, vision, hand writing etc) recognition error rates which would look good in controlled computer environments (1 % or even 0.01%) are rubbish compared to human abiliites.

    Thumbs up for the article. Thumbs down for the NIR the ID card or the misbegotten idea that passports should be "reportable documents."

  26. Anonymous Coward
    Anonymous Coward

    @Charles 9

    Quote >>>

    Concerning measurements---so what if those measurements can be made MORE ACCURATELY? Or is there some inherent accuracy ceiling that no amount of technology can compensate? <<<

    Yes, it's called the Heisenberg Uncertainty Principle.

  27. Richard 33

    Smith

    I have just one polite request. Please don't put up any more pictures of "Jacqui" Wacky Smith in your articles. She is no longer Home Secretary, thank god. Putting her picture there just makes normal members of the public want to hit things. I have above average blood pressure as it is - please don't push me over the edge.

  28. D Moss Esq

    Keith T Posted Friday 14th August 2009 19:45 GMT

    Mr T

    You say:

    "The article assumes technology never advances and it assumes if perfection cannot be attained there is no point in making an improvement.

    "What we need for now is something better than what we have now. Achieving perfection is always something for the future."

    ----------

    As it happens, no. I'm all for research into biometrics, I expect technology to advance, I understand that there are limits to human systems, some small failure rate would be acceptable to us all, but the failure rates of mass consumer biometrics at the moment are not small by any standard.

    Nigel Sedgwick is my nominee for the expert on biometrics most worth listening to, http://dematerialisedid.com/BCSL/Fantasy.html. He is the man who has calculated the performance needed to deliver politicians' promises for biometrics and he is the man who says that there are no such biometrics available today that he knows of. Which seems to me to be the end of the argument – biometrics is a subject without an object. Unless you know better. In which case, please tell us.

    Mr Sedgwick likens today's mass consumer biometrics industry to the airline industry 100 years ago. Rolling out biometrics today to the entire population is as suicidal as getting everyone to take transatlantic flights in 1909.

  29. D Moss Esq

    John Smith 19 Posted Wednesday 19th August 2009 06:39 GMT

    Mr Smith

    You ask:

    "... checking each person against *all* other users (including the one they claim to be) gives 60milion ^2 or 3.6E^15 ... So how does the number of matches get dropped by 1/2?"

    ----------

    Suppose we have both George VI and Che Guevara on the population register. Your calculation treats matching George to Che as separate from matching Che to George. Professor Daugman's method calls that one match, not two. He's doing combinations, you're doing permutations.

  30. D Moss Esq

    N2 Posted Tuesday 18th August 2009 09:10 GMT

    N2

    You ask:

    "Anyone know [any] government IT initiative to be a success, that it operating with in the design intent & within budget etc, as opposed to a claimed success?

    "It seems like theyve failed at everything else & Ive every confidence they will fail at this."

    ----------

    A lifetime of reading Private Eye suggests that Accenture and EDS (now Hewlett-Packard) can normally be relied upon to deliver "delayed success" in government projects, Hitachi have given up with NPfIT, leaving CSC and BT to fail alone, and Capita have had a mixed experience with local authority services such as pension, payroll, rents and benefits.

    Let me leave those projects to Private Eye and concentrate on the National Identity Scheme (NIS). The inception of the NIS can be dated to some time in 1999, please see the UK Government Gateway FAQ, section 1.1.1, http://archive.cabinetoffice.gov.uk/e-government/docs/responsibilities/document_library/pdf/gateway_faqs_v2.pdf:

    "Q. What is the Government Gateway? What is it for?

    "A. In 1999, the UK Government commissioned a report from PA Consulting looking at the cross-government infrastructure that would be required to enable the delivery of online services and joined-up government to be implemented. One of the recommendations in that report was that the UK Government should procure a central ‘gateway’ that would help tackle common issues such as user identity management, messaging and transaction handling."

    Arguably, in 10 years, PA Consulting and the Identity & Passport Service (IPS) and its predecessors, have achieved nothing. They are utterly ineffectual. Sedentary, if not actually supine, they have set low targets for themselves and failed to meet even those.

    Is there someone somewhere, I sometimes ask myself, someone with real power, the power to make things not happen, putting his or her foot on the brake?

    Is it right to fear the NIS or is it more sensible just to pour scorn on the hopeless under-achievers at IPS?

    Don't know.

    But one thing is clear. Any supplier who "gets into bed" with IPS should re-examine their commercial decision-making processes, http://dematerialisedid.com/BCSL/Risk.html. CSC, with their £385 million contract to produce the biographical National Identity Register (NIR), and IBM with their £265 million contract to produce the biometric NIR, are all set for a place in the business school case studies on how to come a cropper – an eminently avoidable cropper.

  31. BlueGreen

    @Michael H.F. Wilkinson: "using some distance measure"

    Okay, presume we have some distance measure D, and let's assume the distance is not single, but multi-dimensional; call that dimension N.

    Let's try this: we take a large, random (and therefore hopefully representational) sample of irises, apply D and plot them throughout N space. I suspect there would be large clusters representing racial subgroups, but let's ignore that for the mo and assume they're fairly smoothly scattered.

    Partition the space into S subsets with regular cuts to produce a regular grid in this hyperspace, analogous to drawing a grid on a 2d sheet of paper. Plenty of cuts = plenty of hypercells here, of the order of thousands or tens of thousands, call this number H. Pick or construct the central-most (centroid?) iris in each hypercell. This is your target hash bucket iris.

    Now take your suspect's iris and match it against each target hash iris. Operation is O(H). When you've found the best-matching hypercell then start matching against all the irises in that cell (V of them, say); operation is O(V). Overall operation is O(H)*O(V) not O(H*V), give or take a square power perhaps.

    Tweak as required.

    How does that sound?

    some disclaimers - this isn't my area so I'm just stabbing randomly. And I don't like biometrics and its uber-tracking kin, I'm just treating it as a problem. And there are undoubtedly errors but the central idea seems prima facie workable

  32. D Moss Esq

    Anonymous reader @ Sun 23-08-2009 14:21

    A reader who wishes to remain anonymous emails:

    "Thanks, it's a good article - but...

    "Have you looked at the worldwide perspective on this?

    "Already, about 2.2 billion people have 'smart' ID cards. Over 900 million are biometric with fingerprints (China's only has digital facial images, not fingerprints)

    "By 2012, over 85% of the world's population will have smart ID cards.

    "If it isn't working, why haven't we heard the screams?

    "Incidentally, I should point out that I am an opponent of ID cards and fear what they will mean to ordinary people.

    "What worries me is that exaggerating the problems will convince most people not to worry or oppose the project, because 'it isn't going to happen'.

    "I have written an article on this subject, but it's under consideration, waiting to be published.

    ----------

    1. Thank you for your email.

    2. I look forward to seeing your article.

    3. The problem I consider is the unreliability of the biometrics chosen for the National Identity Scheme (NIS) and for its cousins, like eBorders. I have not exaggerated that problem. I have reported it and cited public domain sources in each case.

    4. The NIS and eBorders explicitly rely on biometrics. Bringing attention to the laughable unreliability of the biometrics chosen is an economical way of demonstrating that the NIS and eBorders must fail. It confronts those two initiatives with quantitative evidence, no theological or political or social or ethical arguments required, it's not a matter of judgement, it's nothing more than arithmetic, there's no "wriggle room", within their own terms of reference, these initiatives must fail. The Identity & Passport Service (IPS) and the UK Border Agency (UKBA) are an embarrassment to any self-respecting Big Brother, they wouldn't even get a GCSE in mass surveillance.

    5. The big arguments against putting state-controlled identity management at the centre of social interaction are not even mentioned, let alone exaggerated.

    6. If readers think my point is that there is no need to campaign against the NIS and eBorders because they won't work, then I have failed abysmally.

    7. It had not occurred to me that anyone would interpret this article as a call to cease campaigning but if that is a valid inference then I thank you for opening my eyes to it and for creating the opportunity to reiterate my belief that the NIS and eBorders poison the political ecology of the UK and need to be energetically resisted and terminated as soon as possible in the interests of the good government that we want, need, deserve and pay for. The intention of the article is precisely to equip people with simple arguments to campaign with.

    8. "Why haven't we heard the screams?", you ask. In the UK, with its typically gentle demeanour, criticism of the NIS and eBorders started slowly and quietly, but it's in fourth gear now and you can hear the screams, notably on the exemplary forum of No2ID (http://forum.no2id.net) and radiating out from there in the press and the broadcast media, local and national, and in Parliament and the devolved assemblies and local authorities.

    9. Spain has compulsory ID cards. Spain suffered the horror of the Madrid railway bombings. They may not have made the connection but, point that out to people, and you'll hear the screams. By 2005, Pakistan had issued 64 million biometric ID cards to citizens at home and abroad to help combat terrorism. Two years later, the unfortunate Benazir Bhutto was still nevertheless assassinated and even now Pakistan still remains some distance away from the orderly, efficient and safe state promised by the advocates of ID cards. They may not have made the connection but, point that out to people, and you'll hear the screams.

    10. Why don't you hear screams from US-VISIT? Because US-VISIT doesn't apply to US citizens. It applies to Mexicans trying to cross the Rio Grande. They can scream all they like, they won't be heard. And it applies to tourists and businessmen. They can scream all they like, but they don't have a vote. If the rumoured plans of DHS to apply US-VISIT to the Canadian border ever come to fruition, then you might hear some screams.

    11. Let me ask you in return -- why don't you hear screams of success? Where are the well-argued cases with supporting evidence for the success of biometric ID cards?

    12. I look forward to seeing your sources for the 2.2 billion, 900 million, 85% figures. In the case of the 900 million people with flat print fingerprint ID cards, has identity theft been reduced, has other crime been reduced, has terrorism been countered, have government services become more efficient? If not, why waste money on these identity management systems?

    13. "Global mobile penetration to reach 75% by 2011". That's what it says in The Register, http://www.theregister.co.uk/2007/10/26/mobile_pentration_research/. That's 4 billion people enrolled in a global identity management system that works. At the same time as heading off an identity management system for 900 million people that doesn't work, I really think we should all pay a bit of attention to mobile phones, http://DematerialisedID.com.

    14. Have I looked at the worldwide perspective? For mobile phones, I tried to. For IPS-style ID card systems, no. I have looked at the NIS in depth. I have looked at the EU's OSCIE specification (http://dematerialisedid.com/Mobiles.html#nothing) and Project STORK (http://dematerialisedid.com/BCSL/Hall.html and http://dematerialisedid.com/BCSL/Festival.html). I have looked at US-VISIT in some depth (http://dematerialisedid.com/Biometrics.html#usvisit) and at NADRA in Pakistan (http://dematerialisedid.com/BCSL/Risk.html para.10). Also Operation Golden Shield in China. But not at the whole world.

    15. It seems to me that an awful lot of countries, the UK included, are labouring under the delusion that governing means operating identity management systems and that they will work because biometrics work. And it seems to me as a result that the first country to point out that the biometrics emperor has no clothes will cause consternation, bring the whole house of cards down and ultimately help to restore reason to government.

  33. John Smith 19 Gold badge
    Unhappy

    @D Moss Esq

    OMG

    I'll pick up my copy of the Homer Simpson award on the way out.

  34. Anonymous Coward
    FAIL

    One Error In The Article

    The author has confused 'Indentification' (the searching of the database for a given probe image) with de-duping (checking each database biometric is only on the database once).

Page:

This topic is closed for new posts.