Slashdot Mirror


Biometrics in Airports

asv108 writes: "Extremetech has an article by renowned security expert Bruce Schneier about why face recognition in public places such as airports is not a good idea." Schneier is being generous - real world results show that facial recognition systems are a lot less than 99.99% accurate even under laboratory conditions (people posing for the camera under ideal lighting).

12 of 413 comments

  1. Biometrics are coming.... by baptiste · · Score: 4, Informative
    Even if face recognition doesn't 'fly' you can bet we'll see more and more of this stuff at airports and elsewhere.

    For example - would you agree to putting your thumb on a fingerprint scanner at the jetway entrance before you got on the plane? Retinal scan? The idea of the airlines having fingerprints for every passenger is pretty scary - but banks and many stores fingerprint when you use/cash checks. What level of this type of stuff will we accept? At what cost?

    But then - the best biometric system in the world wouldn't have stopped the WTC attack - the hijackers were passengers with tickets and many used their real names anyway so.... I fear we'll find many liberties and the like given up in the name of security that really won't help that much.

    1. Re:Biometrics are coming.... by wiredog · · Score: 4, Informative

      Most banks require a fingerprint on a check that is being cashed if you don't have an account with them. If the check turns out to be forged, the bank gives it to the police, who now have the fingerprint of the forger.

    2. Re:Biometrics are coming.... by nathanm · · Score: 3, Informative
      *the US government isn't letting anyone but the military be vaccinated!
      That is completely not true. The anthrax vaccine has been FDA approved and available since 1978. It was only commonly given to veterinarians or animal workers until the military started giving them. Right now there is just a shortage of the vaccine, since the cultures can take years to grow.
    3. Re:Biometrics are coming.... by wurp · · Score: 5, Informative

      Add some factual information, indeed.

      Per your link to the CDC:
      "Inhalation: Initial symptoms may resemble a common cold. After several days, the symptoms may progress to severe breathing problems and shock. Inhalation anthrax is usually fatal."

      Yes, anthrax is treatable. They can give you an IV of 2 million units of penicillin every two hours and you will die anyway, the vast majority of the time. Note that I didn't say all anthrax is fatal, just inhalational. I am unsure about gastrointestinal or cutaneous infection, but it is my understanding that it can be treated with good success.

      Per the Defence Journal
      "Within twenty-four to thirty-six hours, the victim experiences the rapid onset of shock and subsequent death. Inhalation anthrax has a mortality of 95-100% despite antibiotic treatment."

      Per the Biological Weapons FAQ
      "Some authors maintain that anthrax is an even more deadly agent. According to one study, in principle, if its spores were distributed appropriately, a single gram would be sufficient to kill more than one-third of the population of the US. Of course, the authors were quick to point out that an attack of such magnitude would not be feasible. However, more realistic, smaller-scale scenarios still posit large numbers of casualties. For example, the US Law Enforcement Assistance Administration reported in March 1977 that a single ounce of anthrax introduced into the air-conditioning system of a domed stadium could infect 70-80,000 spectators within an hour). And a 1972 study by the Advanced Concepts Research Corporation of Santa Barbara, California, postulated that an aerosol attack with anthrax spores on the New York City area would result in more than 600,000 deaths."

      I agree wholeheartedly that getting hysterical is not going to solve anything. However, it is just as naive to discount real, viable threats as it is to fret about weak or unlikely threats. Certainly it is true that anthrax is not going to cause a plague; it doesn't really spread very well. But it just as certainly is true that anthrax is a very potent, low-tech weapon for the psychotically discontent when spores are directly blown into the air.

      Certainly it is not safe to produce biological weapons. I think that goes without saying.

      Thanks for the link to Bioport, btw! I hadn't found that. And thanks also for the note about Aum Shinrikyo. I hadn't known of any publicized anthrax attacks in modern times. The sources I've looked at so far casually mention that he tried one attack. If it is in fact true that there is some factor that I haven't seen yet that invalidates anthrax as such an easy and potent weapon, I would love to know about it so I can find something else to worry about : )

      More links on anthrax:
      http://www.metrokc.gov/health/phnr/prot_res/anthrax.htm

  2. It just don't work! by CaptainAlbert · · Score: 5, Informative

    See:

    http://www.theregister.co.uk/content/4/21916.html

    --
    These sigs are more interesting tha
    1. Re:It just don't work! by tomknight · · Score: 2, Informative
      And in case no-one else has thought of using this karma-whoring link:

      Here are the results of the Facial Recognition Vendor Test (FRVT) 2000, commissioned by the DoD.

      Tom.

      --
      Oh arse
  3. More info and Links by Alien54 · · Score: 5, Informative
    The Register has a pretty good story on how Face Recognition is essentially useless, especially in uncontrolled environments.

    There is also this vendor neutral test

    Bottom line is that this is merely a marketing opportunity for someone to get capital for products that are NOT ready for prime time.

    This has actually been examined by the US Department of Defense (DoD) Defense Advanced Research Projects Agency (DARPA), which sponsored the Facial Recognition Vendor Test (FRVT) 2000, the test linked to above.

    Under live conditions in an uncontrolled environment, the best false detection rate (FDR) was 33 per cent, with a false acceptance rate (FAR) of ten per cent. This means that to detect 90 per cent of terrorists we'd need to raise an alarm for one in every three people passing through the airport.

    I would say it is somewhat unacceptable.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  4. 9,999? by JoeRobe · · Score: 2, Informative

    I don't mean to be picky here, but my math says that if 1 out of every 1,000,000,000 people going through is a terrorist, there will be 99,999 false alarms for every terrorist detected, not 9,999. Eh, what's an order of magnitude here or there, anyways...

    --
    The best way to predict the future is to invent it.
  5. Fingerprints... by Scratch-O-Matic · · Score: 2, Informative

    This thread is a little misleading. The prints required at banks (as far as I've seen, that is) are quick thumbprints using colorless ink (it reacts with a chemical on the paper they put it on, I assume.) There's a little ink pad by each teller window. It's as quick as signing a form, and no less intrusive, in my opinion. It's not like they take you into the back room for a full set of black, inky prints on one of those FBI cards.

    --


    Evil is the money of root.
  6. Bayesian math by wowbagger · · Score: 5, Informative

    I've seen several comments that "If the system gives a false positive only 1 in 1000 times, then it must be pretty good!". This demonstrates that many people have no clue about how to properly apply probability - what is called Bayesian math.

    You have to start out with two probabilities that are based on the system: probability of a false positive (Pp) and probability of a false negative (Pn).

    A false positive is mis-identifying a non-terrorist as a terrorist. Let us say that a collection of 1 million non-terrorists are run through a system, and it fingers one of them as a terrorist. That system has a Pp of 1 in a million, or 1E-6.

    A false negative is mis-identifying a terrorist as not being a terrorist. Let us say that we run a thousand known terrorists through the system, and let us say that only one is not detected. Then this system has a Pf of 1 in a thousand, or 1E-3.

    Now, that is ALL that you can say about a system. You cannot state the actual number of false positives vs. the number of false negatives in real use without an additional piece of data, the probability of any given person in a crowd being a terrorist, Pt. Let us say that in any given crowd, one in ten thousand people are terrorists (Pt = 1E-4). This may seem very high, but the lower Pt, the worse the system will perform, and I am heavily weighting this in favor of the face scanner.

    Now, let's run a million random people through the system, and see what happens.

    First, out of that million people, 1E6 * Pt = 1E6 * 1E-4 = 1E2 = 100 of them are terrorists. We would expect that of that 100 terrorists, 100 * Pf = 100 * 1E-3 = .1 terrorist will be mis-identified. So we will assume that all 100 of the terrorists trip the alarm.

    Now, out of the remaining 999,900 people, we would expect the system to finger 999,900 * Pn = 99,900 * 1E-6 = .9999, so we will assume that one innocent person gets fingered as a terrorist.

    Now, we had 101 trips, of which 1 was false, so the odds that you aren't a terrorist given that you were fingered are just under a percent. That's given the assumption that the system mis-identifies innocent people only one in a million times, and assuming that one person in ten thousand is a terrorist. Increase the false positive rate by a factor of ten (one in one hundred thousand innocents gets fingered), and decrease the terrorist population to a tenth of what we assumed (one terrorist in one hundred thousand) and you now have roughly fifty-fifty odds that a person fingered by the system is innocent.

    And that, people, is why systems like this don't work.
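
Added example, not part of the comment above or of the original thread: the base-rate calculation the comment walks through, written so the rates can be varied, plus the inverse question of how low the false-positive rate must be for a given share of alarms to be real. The names `Screener` and `max_fpr_for` are hypothetical, and the last scenario reads the FRVT 2000 figures quoted in comment 3 as a 33% false-positive and 10% false-negative rate with an assumed base rate of one in a million.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Screener:
    fpr: float  # P(alarm | innocent), the false-positive rate
    fnr: float  # P(no alarm | target), the false-negative rate

    def expected(self, population, base_rate):
        """Expected (true alarms, false alarms) for a crowd of the given size."""
        targets = population * base_rate
        return targets * (1 - self.fnr), (population - targets) * self.fpr

    def p_innocent_given_alarm(self, base_rate):
        """Bayes: share of all alarms that are raised on innocent people."""
        true_alarms, false_alarms = self.expected(1.0, base_rate)
        return false_alarms / (true_alarms + false_alarms)


def max_fpr_for(p_innocent, base_rate, fnr):
    """Largest false-positive rate that keeps P(innocent | alarm) <= p_innocent.

    Solves fp / (tp + fp) = q for fpr, with fp = (1 - b) * fpr, tp = b * (1 - fnr).
    """
    q, b = p_innocent, base_rate
    return q * b * (1 - fnr) / ((1 - q) * (1 - b))


# Rates taken from the thread; the base rate in the last row is a constructed value.
SCENARIOS = [
    ("comment, first case", Screener(1e-6, 1e-3), 1e-4),
    ("comment, second case", Screener(1e-5, 1e-3), 1e-5),
    ("FRVT 2000 figures, assumed base rate", Screener(0.33, 0.10), 1e-6),
]

if __name__ == "__main__":
    for label, s, base in SCENARIOS:
        tp, fp = s.expected(1_000_000, base)
        print(f"{label}: {tp:.2f} true / {fp:.2f} false alarms per million, "
              f"P(innocent | alarm) = {s.p_innocent_given_alarm(base):.6f}")
    # How good must the scanner be for half of all alarms to be real at 1 in a million?
    print(f"fpr needed for 50/50 at base rate 1e-6: {max_fpr_for(0.5, 1e-6, 0.10):.2e}")
```
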

  7. Ever heard of sleepers? by Anonymous Coward · · Score: 1, Informative

    Get your facts straight!
    None of the hijackers were known terrorists.
    Some of them came from Germany.
    They lived here for many years as good citizens.
    They even paid their "tv-fees", something
    very unusual for students.

  8. If the FBI had their names... by symplegades · · Score: 2, Informative
    and if the terrorists used their real names when boarding the planes (which they did, according to this month's Newsweek) then why don't we use large scale parallel database search algorithms to regularly scan airline company databases for known terrorist names or monikers, addresses, credit card accounts, etc.?

    This might be cheaper and less inconvenient than implementing facial recognition systems, or at the very least would make an effective complement to those systems to improve accuracy.

    It may already be here.

    If we do implement facial recognition systems, perhaps we could put in some anti-government abuse measures, like deleting the records of the passengers' faces after a successful flight.

    -Rene

    --

    See you on the playa.