Slashdot Mirror
UK To Start Biometric Passport Trials
pearljam145 writes that the "UK is planning to test biometric passports that will include face and iris or fingerprint recording and recognition for a 6 month period on 10000 volunteers. Read here for more details. A face recognition chip is going to be the primary biometric and iris or fingerprint scanning will be use as a secondary biometric. However face recognition might not be the perfectly viable solution since it has produced too many false positives in the past. Face recogntion to this date is not robust enough to support real time recognition in a crowd (more failures?). Only with cooperation of the subject does this system produce good results. So will face recognition join fingerprint and iris recognition in a long list of obtrusive recognition techniques?"
...with their attempts to get J2EE certified. SchlumbergerSema, that is. Cool.
The Army reading list
"One of the reasons we are doing this with passports first is because the U.S. government has said it will require biometric passports for people wishing to enter the United States," the government spokesperson says. "At first that was to begin in October 2004, but that has be delayed to an unspecified date in 2005."
The UKPS will carry out the trials at "various locations" throughout the UK, using four fixed, one mobile, and one portable unit, with one of the locations being a passport office.
... but damn, they have a world of international travel going through, and only four permanent stations (!) to test with.
It seems like their trial might be a little limited in scope, don't you think? I understand from the article that this trial is being run by the Passport Service, so presumably the various test stations will be deployed for use in areas of entry to and egress from the UK
I wonder why the numbers are so small.
Other curious questions involve what you'd use a mobile station for -- not portable, but truly mobile, i.e., mounted in a vehicle or similar; stop someone on the street randomly to see if they have a passport and if they're participating in the trial?
...that this stuff doesn't work?
. . . that I would feel this way, but I actually think I prefer the Canadian solution for most things. Less technology. Think "simplify".
Becuase you can change your password a whole lot easier than you can change your DNA.
The flip side of not being able to lose or forget your biometrics is that you can't change it when it gets stolen. And, yes, people will find ways to spoof biometric authentication schemes into believing that they have your data. Whether it's fake fingerprints, or (more likely) some sort of data hack that sendst the computer the right bitstream for a given person's biometric data, once yours is gone, you're just hosed forever.
If your password or PIN gets stolen, you can make a new password, or get a new ATM card and a new PIN, and cancel the old ones. Once your biometric info is stolen or spoofed, you have the choice of cancelling it and not being able to authenticate anywhere, or just accpeting that your identity is stolen and will stay stolen.
Biometrics are great if *combined* with a password. But by themselves, they're foolish for strong authentication. Just because your fingerprints are on your hand doesn't mean that there isn't a pattern there that could be stolen and stored somewhere by bad actors.
As NTK pointed out last week, MORI are looking for people to take part and raises a point on skewed statistics, maybe?..
"Pollsters MORI will be ensuringthat the Digitised 10K will be a representative sample the UK population: and here's where it gets interesting. MORI are inviting people to apply. Assuming that those most worried about biometrics in society aren't going to leap at the chance to be fingerprinted in advance of the giant Orwellian (etc) database, why not help the sample from getting a bit too skewed? Plus who wouldn't want to mess with cool, hackable, potentially dystopian gadgets?"
Seems a oppotune time to get my passport renewed, perhaps.
I really don't feel comfortable with all of that. Personally I feel that if some one is going to beat the system, they are going to do it no matter how secure it is. With that many people it is impossible to not let some one slip through the cracks. I think a piece of paper, a stamp, and a few good forms of ID is enough.
404
Sadly, this doesn't surprise me, being a UK citizen. It's like 1984 over here.
Well, heck. There's been 'face recognition' biometric data on most people's passports for over a century already. As long as said 'biometric data collection' methods have existed, there have been people, i.e. the Amish, who've objected to it.
This isn't really anything more, other than possibly higher resolution recordings.
A Good Intro to NetBS
So will face recognition join fingerprint and iris recognition in a long list of obtrusive recognition techniques?
Passports are inherently obtrusive. You walk up to the person in the uniform behind the desk, hand over your passport, and wait for them to decide if it matches you. Matching a face by camera at this point is no more of a bother. (Well, if you don't pass the scan, it is...but that's a different subject.)
Plus, the people manning the desk control the lighting and the positioning of your face. If you don't take off your sunglasses and look straight ahead, you don't pass. This will improve the performance of the software far above the 'scan the crowd' attempts. You'll still have some false positives, of course; but all systems dealing with humans do.
Imagine the privacy invasions with these techniques but imagine also the coolness of the future finally becoming the present.
Though this is a step in the right direction, I can't imagine it being the only source of passport or ID in the near future. As stated in the article all of these methods are subject to error. Face recognition can be bypassed by simply having recontructive surgey, fingerprints can be removed(or changed if you watch the movies). As for why it will have a hard time becoming the standard, to many people are either afraid of having something implanted in them, or going under the knife to have it put in. Just my 2 cents.
-Certified TechnoWeinie
of people getting their body parts stolen. Ouch.
Among other things, the article makes the very good point that there are two ways to use biometrics: for identification (i.e., who is this J. Random Person), and for authentication (i.e., is this really Rich, as he claims to be).
Tests of face recognition for the first purpose have basically been miserable failures, as far as I can see. (As I'm sure most Slashdotters know, facial recognition is computationally a vey hard problem, even though we clever apes do it all the time.) For the second application, face recognition or fingerprints would seem more promising, since one is comparing them with, in effect, a known right answer.
The article also points out that all of this is being sold as a way to "increase security" -- but it would have done exactly nothing to prevent 9/11, since the hijackers entered the US and traveled as themselves.
Earlier this year when homeland security reported a new secure VISA system, this was what I had in mind - iris and fingerprint data along with the usual photo & dental records on one smart card. Then the Bush admin went ahead and put a year (or more) delay into whatever they do think was secure, supposedly so as not to disturb the busy european terro^h^h^h^h, er, tourist season. I guess keeping citizens safe isn't real big on Bush's agenda.
I think it just makes sense to push for a full biometric smart card for an international VISA/passport system. We have the technology, we have the knowledge, we have the money, and every country that participates fully will be a little safer. Take this along with full background checks and no 'favored' nation nonsense. Limit diplomatic passes to only those people needing them and yank it if the person even gets a jaywalking ticket.
You either get seriously tough on security, or admit defeat. You can't show you are securing the country if kids can still buy pot, crack and smack.
It's a long story, but I don't have stable fingerprints; scarring interferes with them. Any time I've needed a fingerprint check (for example, my concealed-carry permit), it was problematic producing 'acceptable' fingerprints in the first place, and thereafter difficult to match current fingerprints to old ones. Although this could make me a great secret agent or something, I'm going to have trouble if any future employer of mine moves to simple fingerprints biometrics as a means of identification.
I'd be much more comfortable with using a smart card that stored my biometric info inside itself. It may not fit into the whole "a-passport-is-a-way-to-track-you-and-privacy-gets -in-the-way" mindset, but I definitely wouldn't feel comfortable with the government scanning any kind of biometrics off me just to board a goddamn plane to Canada, whether it's fingerprints or retina scans, or anything else.
If I make no sense in this post, you'll have to excuse me. I'm a little intoxicated tonight.
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Had been varsely improved now, producing 100% positive results?
I think I'm right and you're wrong here.
When will they start examining stool samples as well?
"Sorry, sir, we have detected couscous and figs in your feces. If you'll kindly step over there towards the gentlemen with the M-16s, they'll escort you to your flight to Guantanamo Bay."
At least they're not using it for authentication... now, where did I put that key.. *flips through his keychain of severed fingers and eyes*
Banaaaana!
How will this effect movie stars and other famous people such as Michael Jackson? People who alter their faces like I change my socks will obviously be having problems.
On a more serious note, how does this effect people who are the result of severe burns, car accidents, plastic surgergy, radioactive mutations, aging, etc? Obviously if someone's face is altered they will have some problems.
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
It's good to know that your government takes your personal opinion so seriously.
Or, just perhaps, given that the US is in effect demanding that all other countries do what it wants, it was giving them a little bit more reasonable an ammount of time to implement a system that has little point beyond jingoistic technobable-like 'look, look, we're doing something, please re-elect us' politico-speak.
Possibly, but if it's too US-led, people will see it (however correctly) as an attempt to erode their sovereignty in favour of America.
You might have the money, but does, say, Rwanda, or Indonesia? Can there not be made an argument that this is effectively protectionism as to the kind of people economically 'allowed' in to the country to conduct business, &c.?
Apart from the obvious cost implications, well, countried get 'favored' status for a reason - they have (what are regarded as) 'sufficiently' thorough security on the other side. Indeed, having seen my fair share of airport security, I'd say that the laxest I ever saw was for a (domestic, but even so) flight from Denver to Washington (pretty much nothing beyond my bag getting spot-checked for explosives' residues), as compared to a flight out of Sri Lanka (including what felt like a highly competent mandatory body pat-down - thrice - and canon emplacements around the airport).
Yeah, sure, let's dispose of several hundred years of diplomacy because it's a system that can be exploited.
You either get seriously tough on security, or admit defeat. You can't show you are securing the country if kids can still buy pot, crack and smack.
Yes, because it's well known that kids who do drugs grow up to die in terrorist-related activitiy. What?
Back on-topic, I see no reason for people to object to the use of computer-read, rather than human-read, biometric data (height 182 cm, weight 72 kg is biometric data, after all), as long as it is used for a reasonably good, but not necessarily perfect, confirmation of identity - after all, if the data matches, all that means is that the person is who the database says they are claiming to be, but not necessarily who they actually are...
James F.
I don't know about you, but I need protection.
There are rapists and killers our there.
If we need to be herded like cattle at an abattoir to obtain a little more safety, so be it.
Where can I sign up for a government run life?
Will they wipe my ass, and tell me what job I get?
My identity is my choice- right now I'm a good little citizen... but biometric IDs won't help if I turn to "Falling Down".
The day gets closer.
They will have to figure out how many fingerprints they will have to store, maybe all, a cut can obscure a finger print.
I eat my grapes at room temperature, cuz the cold ones hurt my teeth
Read an interesting take on biometrics in the last Cryptogram that Schneier puts out. If you think about it, biometrics really have NO positive impact on actual security. They're more of a placebo for the average non-security minded person. This is precisely why you see a great deal of hype around them and very little real security. Government officials, last I checked, aren't the most savvy people in the world. Especially the ones who graduated last in their class...
t ml
Blurb out of the Cryptogram:
"So it is our opinion, that as long as the manufacturers of fingerprint equipment do not solve the live detection problem (i.e. detect the difference between a live finger and a dummy), biometric fingerprint sensors should not be used in combination with identity cards, or in medium to high security applications. In fact, we even believe that identity cards with fingerprint biometrics are in fact weaker than cards without it. The following two examples may illustrate this statement.
1. Suppose, because of the fingerprint check, there is no longer visual identification by an official or a controller. When the fingerprint matches with the template in the card then access is granted if it is a valid card (not on the blacklist). In that case someone who's own card is on the blacklist, can buy a valid identity card with matching dummy fingerprint (only 15 minutes work) and still get access without anyone noticing this.
2. Another example: Suppose there still is visual identification and only in case of doubt--the look-alike problem with identity cards--the fingerprint will be checked. When the photo on the identity card and the person do not really match and the official asks for fingerprint verification, most likely the positive result of the fingerprint scan will prevail. That is, the "OK" from the technical fingerprint system will remove any (legitimate) doubt.
It is our opinion that especially the combination of identity cards and biometric fingerprint sensors results in risks of which not many people are aware."
Full article is here:
http://www.schneier.com/crypto-gram-0311.h
Karma: The only way to win is not to play.
I believe that the US government owes its citizens the responsibility & knowledge that whoever gets let into this country (on a passport) is not a terrorist. Embassies and intelligence assests can do background work on applicants, and embassies can issue passports with smart cards with encrypted data. People in countries that do not have an embassy would need to visit a country with an embassy to apply. It is all a matter of verifying that the person holding the card entering the country is same person whose data is on the card. Check iris, check a few fingerprints, check a photo and biometric data and as long as three out of four of those match it would sound reasonable enough for me.
Only in very unusual circumstances (such as loosing one's passport). Do you mean, perhaps, visas?
If you mean that people should only be allowed into the US on pre-accepted visas, well, OK, but I (as a citizen of the European Union) can move freely between 15 (and soon to be 25) countries with ease, and normally without a check of my passport in the first place (unless travel is by air, that is, as there aren't European terminals as well as international ones), and in practice, also into and out of Switzerland - I once went from Austria -> Switzerland -> Italy -> France -> Switzerland -> Germany -> France -> United Kingdom, and only got my passport checked on arrival in the UK.
It is widely believed that this freedom of movement has benefitted the EU's member states greatly (especially economically), and that security has, if anything, been increase, by concentrating on intelligence rather than rote scanning of all incomers. Why could this system of trusted others be kept in use in the US/.
James F.
Didn't they see Gattaca? Once we start using biometrics, it will become this all knowing system where once you are biometrically identified, you will be considered the real thing even if it seems like you probably aren't. It will be like that guy from the 80s movie saying "Computers never lie, kid."
I can just imagine my biometric record getting screwed up because of some random computer bug, and guys with shotguns and big dogs coming out when I show my passport the next time I travel internationally...
Your signatures belong to me.
The horrible state of English dentistry means that each Britian possesses a set of uniquely fucked-up teeth. Simply entering them into a database should be trivial.
C - A language that combines the speed of assembly with the ease of use of assembly.
So, corrupt officials get one more thing to sell, and the terrorists need only subvert a database to be whoever they want to be!
Stupidity really is the most abundant element in the universe. People think it's hydrogen, but they haven't taken the density into account.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
If tons of crack can still make it over the border, how can you expect to keep terrorists out? We have drug sniffing dogs and robots, how are those people sniffing dogs coming? And big bags of white stuff tends to stand out more than another normal looking guy. If we really had trustworthy security then nothing larger than a poodle would get into the country without it being known, but that's just not practical, and I'm not sure its desirable. It would give you those nice feelings inside, but it also turns the country into either a fortress or a jail, neither conducive to a friendly and open atmosphere.
Wouldn't growing a giant beard throw biometric readings off? Perhaps if I wore my glasses too?
"You either get seriously tough on security, or admit defeat. You can't show you are securing the country if kids can still buy pot, crack and smack."
Yes, because it's well known that kids who do drugs grow up to die in terrorist-related activitiy. What?
well weed opens your mind so naturally an open mind couldnt help but notice the realities of horrible things that are happening in the world. you want to fix them == terrorist. so sure drugs lead to terrorism, but they also lead to fine art music and literature.
im pretty sure the grandparent was some kind of neo-fascist troll. probably should be modded down
Why?
Igor, fetch my identity.
<Igor> Yeth, mathter. </Igor> (opening suitcase full of body parts)
Go permanent? In your dreams and my worst nightmares.
I think the only reliable method of biometric data would be to include a DNA sample in one's passport and then use a device a la the ones in the Gattaca movie to take a small blood/hair/skin sample at the airport or where ever. The others are either too simply faked (fingerprint testing) or open to abuse (face recognition) unless only used as confirming factors in a passport, not as a replacement for the actual passport itself.
Many high-security areas use biometric devices in addition to traditional methods such as badges, access codes and guards.
Mea navis aericumbens anguillis abundat
Wow, that must be some great pot you are smoking!
Yes, you will be able to reproduce the finger prints of anyone ....how about laser etched plastic or glass eyeballs?
There are always methods to get around new security measures, its too bad so much money is spent on systems full of flaws!
The best method to find out if someone is lying is a bathtub full of water and a variable voltage power supply!
Its called passport control,
What do you think their doing when they look at the photo in the back of your passport and compare it to your face?
So a computers going to do it instead, What makes the process more obtrusive because its automated?
...used to make fake finger prints or retinal scans. Its so easy to cheat biometric systems even little kids could do it. This technology is useless. The only real method of security beyond blood samples is the correct answers to a series of questions enter by a user, things impossible to guess correctly. As series of secret questions/answers only contained in someones brain and stored in an encrypted database. I think such systems will appear in the market very soon, just wait, you will see ....I'm telling you!
Really -- they'll probably run it on Windoze boxen, wired right to the Internet.
That means they'll be owned, and the data hosed, on a regular basis.
Who ever thought the script kiddies would be a first line of defense against the continuing assault on the U.S. Constitution?
Geez, I need to go to bed,
Mal the Elder
iris and fingerprint data along with the usual photo & dental records on one smart card (emphasis mine)
How exactly does that make the system any more secure?
Would you consider it a trustable system if the ID were just an index card with some fingerprints and a name written on it? Oh, sure, throw in a picture and an iris close-up for good measure. It doesn't change the fact that the card and the data on it is under the control of the very person whose identity you are trying to verify.
Now, you can take all that information and digitize it, but if you're still storing it on the passport, it doesn't make it magically more secure just because the information is stored in 1s and 0s in a chip instead of ink on paper.
So long as all the verification data is on the passport itself, all that matters is how resistant the document is to forgery, and in the end a forgery is usually just a few bribes away, anyway.
And none of that means jack if you can verify the identity of everyone but don't do anything because you don't know who you're supposed to be stopping.
I think it just makes sense to push for a full biometric smart card
How so? What is the threat model that the use of biometric data beyond the photograph we already have protects us against? You provide no evidence that putting more biometric data on passports will actually improve public safety and national security.
The fact is that the September 11 hijackers had valid IDs. We could have checked their thumbprints and iris scans, and those planes would have still flown smack into the twin towers.
In the meantime, by the way, you've slowed down commerce within the U.S., hurt business, hurt the economy, thereby reducing government revenue, all while you're diverting money from real, useful intelligence gathering to this useless project that serves only to line the pockets of biometrics equipment manufacturers.
If you want to prevent terrorist attacks and do something useful, then make forgery more difficult and aid intelligence gathering by providing real-time verification of the information we already have on passports. Don't waste everyone's time with more biometrics verified only by a document given to you by the traveller himself.
So in the near future it's either biometrics, or having to apply for a visa to get into the US.
And to add to that, the reason you got checked in the UK is that the UK isn't a member of Schengen, which is the passport cooperation.
I am fom the UK and have had my current passport for almost 5 years. This passpot contains biometric information for facial recongnition. The rather ingenius device consists of a small square or paper covered in a special emultion, when this emultion is exposed to light marks are left upon it. Once inserted into a passport it can be read by a mutli-purpose machine called "human" and compared to my real face.
The UK position on this is that you do NOT need a passport to enter the UK if you are a citizen of the European Union, HOWEVER, you must be able to prove that you are an EU citizen.
Guess what you need to show to prove that?
A pizza of radius z and thickness a has a volume of pi z z a
People can apply for visas to visit the US and be issued a smart card passport/visa to pass customs/security. The US embassies would do all background work and process the smart card visa/passport. Countries with embassies would not need to purchase anything, only supply whatever information an embassy requests on a person.
Some day, but not soon, people will be able to travel nearly worldwide with only simple national ID with them (ie drivers license). All other info will have been exchanged beforehand between embassies, carriers and travel agents before issuing tickets/passes. Everyone arriving will have already been checked out, and maybe only a cursory check on ID will be required to board (ie fingerprint before boarding, checked & matched during transit, confirmed at arrival).
About 30 years ago, Frederick Forsyth wrote The Day of The Jackal (and it was then made into a superb film - well recommended if you haven't seen it).
In the book and film, the Jackal (a hired assassin) applies for a copy of the birth certificate of someone who had died as a child. When he gets it, he uses that to apply for a passport in the name of that person.
A year or so ago, some investigative reporters used a similar method to get hold of Frederick Forsyth's ID and get credit cards, etc, in his name. Amazingly, they even got a driving licence in the identity of David Blunkett, who, as the home secretary, is the political head of the department that controls the UKs security services - and who is also widely known to be blind (i.e. why would he be applying for a driving licence?).
Details are here.
When confronted with this information, an astonished Frederick Forsyth said "30 years ago I exposed to the authorities a loophole in their own security and I presumed they would stop it - they didn't."
I cannot see anything in the use of biometric passports themselves that would prevent this trick from working. If you have the means to apply for a passport in the name of a dead person, how is supplying your own fingerprint or iris scan possibly going to help ? Yes, it might stop convicted terrorists applying for passports if their fingerprints or iris scans are on record, but there are huge numbers of people with no convictions. And I'm sure others will point out all the other problems with biometric IDs.
Indeed, if biometric identification means that passports become more "trusted" than previously, then they seem to be making the security situation worse, rather than better - i.e. people will place more of their trust in the biometric ID, to the exclusion of other factors.
From another BBC report, the government estimates that about 1500 issued passports a year are fraudulent (an estimate which is described as "conservative").
BS.
What you say might be true if you are IN the US... as there are lots of more common forms of ID that can be used for basically everything... though your passport will work for all of them as well....
Living abroad, your passpot IS your identification, and trumps anything else you get. Expat living in some other country? You want a bank account? Let's see your passport. Pulled over speeding? Let's see your passport. Need to fill out any kind of local government documentation? Let's see your passport. Need to buy a car? Let's see your passport.
The passport is the most universally recognized form of identification out there. It's federal, and official.
When I go back to Canada, I can use my passport for EVERYTHING. ID at clubs, ID at the bank, etc.. its' one of the three or four officiall photo identifications you can use.
Provincial ID, Driver's License, Passport, please. (Firearms Acquisition Certificate will also do... it's federal, has your photo, and has a lot more auditing in order to get than any of the rest.). There are a few government issued employee ids that will also do.. but that's not commonly available.
Consider, for your second item, what happens for someone right now in the passport system. You end up with basically three possibilites mapping to two results. The end cases are easy--you look like the picture and go through, you don't look like the picture and you're rejected. However, you have a middle ground where you look enough like the picture to exclude you from the third class, but there's enough differences to exclude you from the first class. There is no other help for the passport officer to decide aside from a gut feeling. (Or whether, in the officer's opinion, it's better to appear 'efficient' and have a high rejection rate or to be a non-trouble-maker with a low rejection rate.)
If there is biometric data available, then there's another source of data to back up the decision. Yes, there is a risk that the data will be fake. But, there's the risk that the photo is fake as well. There is and (most likely) always will be the problem of fake or altered passports--but that hasn't made anyone give up on passports yet.
Modern techniques of Iris recognition can obtain ultra-high resolution images of the Iris (used for verification of identity) from video in a matter of seconds from metres away.
Now we've been told that the reason for ID cards is that the existing databases are corrupt - full of dead people, fake records and so on.
Which means that we are putting garbarge into the system. Someone who already possesses a fake ID can simply go along with their false identification, get their eyes scanned and be given a brand new Blunkettcard.
WHICH IS GUARANTEED 100% GENUINE BY THE BRITISH GOVERNMENT!
So that person can now pass themself off with the full authority of the Home Secretary.
Best wishes,
Mike.
John Daugman from Cambridge, UK. Wrote in this weeks New Scientist that, The Ministry Of The Interior in the UAE has been using iris recognition to detect those expelled for Visa violations entering through all 17 air,land and sea ports. The ministry has a database of 293,406 iris' and according to the ministry they have run 1,011,876 searches against the database and the 3684 positive hits have all been confirmed by other means.
You can't secure a country like the US with thousands of miles of land borders and sea shores, no matter how complicated your ID system becomes. Good thing, too.
Unless the people making the programs accessing the information do not check for duplicates. And of course, there will have to be circumstances where it purposely ignores such things, because undercover law enforcement officials will need to have fake identities.
Manipulate the moderator system! Mod someone as "overrated" today.
> Only in very unusual circumstances (such as loosing one's passport).
I used to work in the US embassy in Paris, and I've never heard the term "loosing a passport." Just what do you mean by a passport that isn't tight? Are you awkwardly saying that the binder is bad and the pages are loose or falling out? Just what do you mean?
The original poster
However face recognition might not be the perfectly viable solution since it has produced too many false positives in the past.
False positives aren't too much of a problem here. I think face recognition has about a 1/1000 false positive rate, which is a killer for crowd recognition, but would be entirely acceptable for this application (the result would be that 1 time in a thousand somebody tried to use someone else's passport, they wouldn't be caught).
False negatives are what we need to worry about in this situation... I don't know much about the statistics here. Anyone have any idea?