Biometrics 200n

[Dave Birch] I actually rather enjoyed my day out at Biometrics 2009 because it was an opportunity to catch up with old friends and see what the buzz is. Yes, you can have LinkedIn and Twitter, but there’s still no substitute for hanging out in the coffee area at a big conference. Some of the content was, though, somewhat reminiscent of Biometrics 2008, 7, 6… we’re still not at a mass market, and part of the reason is that no-one seems to know what that mass market is. Is it fingerprint scanners in every laptop? I doubt it. Is it logging in to your bank using voice authentication? Maybe. Is it using your National ID Card to get served in a pub? Doesn’t look like it at the moment.

Personally, based on a couple of sessions I sat in on, I thought there was some confusion about the proposition — not from everyone — and I suspect that at least part of the problem is that the major integrators come from the government and defence space, so their approach to the market and their product set reflects that. If you’ve made a living selling large-scale automatic fingerprint identification systems to law enforcement agencies, then it may be difficult to make the transition to selling improved authentication to banks. And there’s no reason to suspect that that improved authentication will be achieved using the same technologies anyway.

I happened to be sitting next to Forum friend Maxine Most from Acuity Inc, one of the world’s leading analysts of the international biometrics market, and she made a key point early on in the day: the mass market is about mobile phones, not PCs. This was a central element of my presentation on biometrics in the event space and was further amplified by the Precise Biometrics presentation advocating match-on-SIM going forwards. This, as an aside, suggests to me that there is a premium on biometric technologies that synergise with mobile phones — we’re talking about the mass commercial market here, not law enforcement and national security — so that really means voice recognition and voice authentication (I don’t buy the fingerprint-scanner-in-handset model in the mass market). A couple of people remarked that these biometrics didn’t seem to be getting much coverage compared to fingerprints, iris and the like, which I imagine is also a reflection on the government and law enforcement focus of the show.

Extracting the P

[Dave Birch] Forum friend Toby Stevens of EPG started something of a discussion by putting forward a few conjectures about what might happen to the UK identity card and passport schemes, systems and structures come the expected opposition victory in the forthcoming general election. I don’t want to say anything about the rights or wrongs of the current schemes, systems and structures but I want to comment on an observation about the current situation. There is no engineering, technical or security reason for the “I” and “P” to be together in the Identity & Passport Service (IPS). As far as I am concerned, the ID card and the Passport are conceptually distinct. The British government might in time issue ID numbers to everyone on the planet, all six or seven billion of them, because the purpose of the ID scheme is to record that you are known, uniquely, to the British government. That’s all. It’s a mistake to mix a jumble of biographical details, pointers to government records and other things into the same records. There may be some credentials attached to that you may want to demonstrate to third parties (eg, you have the right to work in the UK, you are over 18, you are registered in the governments new Independent Safeguarding Authority database — the IS_NOT_PAEDOPHILE attribute) but these are not part of the database. On the other hand, a passport means that you are a British citizen and can travel overseas (and other countries might want to put visas in it, which is another distinguishing characteristic). There will be people who have ID cards but not passports and vice versa. But they both have to be unique. So what to do?

Interdisciplinary ideas

[Dave Birch] Someone mentioned iris biometrics over coffee which reminded me again that, a couple of weeks ago, I had stimulating day out at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE. Many thanks to James Backhouse and the team for putting together such a great programme. I really enjoyed Kevin Bowyer’s keynote on iris biometrics and wanted to highlight one or two of the points that he made. You can read the paper for yourself, but a few key findings were that:

  • Pupil dilation has an impact;
  • Contact lenses have an impact;
  • Sensor changes (ie, someone has been enrolled on one system and is being matched on another) have a significant impact (even when using the same software);
  • Irises change over time more than had been anticipated. The effect on false reject rates is small, but measurable,

In all of the cases, it is the match distribution that is changing: in other words, it’s “fail safe” in that the system behaviour is such that false rejects go up but false accepts do not. So not too bad. But at population scale, the number of false rejects will still be enough be noticeable and dealing with the false rejects effectively (which might mean different things in different environments) will be central to the success of schemes.

Paradigms and pseudonyms

[Dave Birch] I enjoyed listening to Roger Clarke at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE because I had read his work (particularly on PKI) over many years and wanted to see how his thinking had evolved. Roger made a number of excellent points, one of them being that the barriers that we need to overcome (if we are going to do anything practical about identity management) is that the models that we technologists are using, the implicit mental models of the decision-markers and the reality of the situation are all different (I’m paraphrasing greatly, obviously). Having had the chance to think about this some more, I think that I agree with his diagnosis but disagree with the treatment.

So far as the treatment goes, Roger proposed a way to deal with this some time ago and explained this in his presentation. His model is to have get around the problem of the mappings — that is, the mappings between real and virtual entities and their attributes — by separating out elements of the mapping, distinguishing between identity and entity, between identification and entification.

If I’ve understood what Roger meant, then I think I don’t quite agree with him, because I think replacing the N:N mappings between real and virtual identities by 1:N mappings to digital identities is a simpler way to model the complexity of the boundary between real and virtual in the identity space. So I don’t think about identity and entity but about the real and digital identities and stuff, and some of that stuff happens to be people, if you see what I mean.

The Guildford triangle

[Dave Birch] What is it with Britain? Digital or otherwise our degraded realm is an international identity scandal. Europe’s no.1 exporters of payment card fraud, we are apparently now the world’s worst for identity theft overall.

INTERNET users in Britain are more likely to fall victim to identity theft than their peers elsewhere in Europe and North America. In a recent survey of 6,000 online shoppers in six countries by PayPal and Ipsos Research, 14% of respondents in Britain said that they have had their identities stolen online, compared with only 3% in Germany.

[From Where your identity is more likely to be stolen | Online fraud | The Economist]

There may be a correlation here between “identity theft” and “card-not-present fraud” (Germans rarely use credit cards, least of all on the interweb), but we’ll return to that in a future discussion. Now, these statistics don’t, I think, mean the Brits are more criminally inclined. After all, fraud is an international business.

The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.

[From Global Trail of an Online Crime Ring – NYTimes.com]

It’s more likely that Britain is a soft touch: high card penetration and use, lots of internet shopping and other factors that lead to identity theft on an industrial scale. But where does this tidal wave of fraud actually originate? I read in The Telegraph that the top 10 identity theft hotspots in the UK are all in south east England. There’s an area of white collar fraud between London, Reading and that well-known criminal outpost, Guildford. Odd. In the top 10, only St. Albans falls outside of this theft triangle. Yet the government is going to test ID cards in Manchester… Well, as well all know, ID cards won’t have the slightest impact on identity theft for at least the next decade.

ID cards have been touted as the solution to a number of real problems – terrorism, crime and so on – though none of their supporters can ever explain how having an ID card stops a mugger or suicide bomber. But they began as the answer to a classic fake problem, still routinely cited by ministers, the need to “secure our identities” against “identity theft”.

[From The ID card is on its last legs – just let it die with dignity | News]

Now, I wouldn’t call identity theft a “fake problem”. On the contrary, it’s a very real problem. But what is generally meant by identity theft, certainly in the Guildford triangle, is largely to do with payment card fraud (which is rampant in the UK) and account takeover. These are specific problems, not general identity problems. Until retailers demand that you present an ID card when you buy anything, or somehow allow them to read your identity card over the interweb, nothing much will change. Fortunately, someone is thinking this through: the UK ID card scheme may well use chip and PIN technology so that it can be accepted at retail POS. Lots of newspapers reported this, so I’ll choose to point to the report in that august journal of record from my home town, Swindon (or, “Swindon, city of the future”, as have generally called since 4th July 1995):

ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no “technical obstacles” to adding chips to the cards and handing out pin numbers.

[From ID cards ‘could use chip and pin’ (From Swindon Advertiser)]

I rather imagined that the cards already had chips on them, but putting that to one side, the idea of making ID cards work in chip and PIN terminals isn’t totally infeasible, although I’m not completely clear as why you would want to do this. I suppose the thinking is that the shops already have the terminals. But if you are asked to put your ID card into a terminal and punch in your PIN, wouldn’t you then get annoyed at having to take it back out again, then put your chip and PIN card in and then punch in another PIN? Why not just link your bank account to your ID card?

The long and short of it

[Dave Birch] I was at the European Patent Forum in Prague talking about biometrics in an enjoyable seminar on Privacy and Identity Theft, along with Ivo Teutloff from EPO and Max Snijder from the European Biometrics Group. The reason that the session was so enjoyable is that we’d each chosen to focus on different aspects of the topic. By coincidence, when I woke up and was sitting in my hotel room looking through my slides with BBC Breakfast TV in the background, the first item on the BBC news was the rise in card fraud, again. And this is in hand-in-hand with another massive increase in identity-related fraud in general.

A 40% increase in the number of people being impersonated indicates that the flat trend seen in 2008 (where identity fraud increased by only 0.06% from 2007) was exceptional. While last year’s figures were a surprise, the sudden and significant increase in the first quarter of 2009 heralds an unwelcome return of identity fraud as the fraudsters’ method of choice; as fraudsters assume creditworthy identities in order to swindle individuals and companies alike: stealing funds, goods and services at someone else’s expense… During this quarter, a staggering 75% increase in facility takeover (also known as account takeover) frauds – where the fraudster gains access to, and plunders the legitimately obtained accounts of innocent victims – continued the steep upward trend seen throughout 2008.

[From Fraud trends and recession go hand in hand – CIFAS Online]

If biometrics could make a dent in that, you would think that banks would be rushing to implement them. After all, as CIFAS notes, the account takeover fraud explosion has been going on for some time. Plenty of time to plan and develop a biometric countermeasure, you might think.

UK account takeover fraud grows 207% year-on-year in 2008 – study [From UK account takeover fraud grows 207% year-on-year in 2008 – study]

Yet nothing much is happening. Identity theft is growing and, in the UK at least, the government’s identity card scheme won’t do anything to help. But why? Max made a very interesting point, which goes back to my current obsession, the “narrative”. In his presentation, he pointed out that because the biometric sector had its origins in the identification problem, that is how they see the world. So they would see the retail payments problem as an identification problem, which leads to PayByTouch. On the other hand, other people (eg, me) see the retail payments problem as an authentication problem: so we need progress in what he called “anonymous” biometrics to get down to solving that particular problem. And he made a very positive suggestion that I had not considered before.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.