Slashdot Mirror
UK To Start Biometric Passport Trials
pearljam145 writes that the "UK is planning to test biometric passports that will include face and iris or fingerprint recording and recognition for a 6 month period on 10000 volunteers. Read here for more details. A face recognition chip is going to be the primary biometric and iris or fingerprint scanning will be use as a secondary biometric. However face recognition might not be the perfectly viable solution since it has produced too many false positives in the past. Face recogntion to this date is not robust enough to support real time recognition in a crowd (more failures?). Only with cooperation of the subject does this system produce good results. So will face recognition join fingerprint and iris recognition in a long list of obtrusive recognition techniques?"
...with their attempts to get J2EE certified. SchlumbergerSema, that is. Cool.
The Army reading list
"One of the reasons we are doing this with passports first is because the U.S. government has said it will require biometric passports for people wishing to enter the United States," the government spokesperson says. "At first that was to begin in October 2004, but that has be delayed to an unspecified date in 2005."
The UKPS will carry out the trials at "various locations" throughout the UK, using four fixed, one mobile, and one portable unit, with one of the locations being a passport office.
... but damn, they have a world of international travel going through, and only four permanent stations (!) to test with.
It seems like their trial might be a little limited in scope, don't you think? I understand from the article that this trial is being run by the Passport Service, so presumably the various test stations will be deployed for use in areas of entry to and egress from the UK
I wonder why the numbers are so small.
Other curious questions involve what you'd use a mobile station for -- not portable, but truly mobile, i.e., mounted in a vehicle or similar; stop someone on the street randomly to see if they have a passport and if they're participating in the trial?
Becuase you can change your password a whole lot easier than you can change your DNA.
The flip side of not being able to lose or forget your biometrics is that you can't change it when it gets stolen. And, yes, people will find ways to spoof biometric authentication schemes into believing that they have your data. Whether it's fake fingerprints, or (more likely) some sort of data hack that sendst the computer the right bitstream for a given person's biometric data, once yours is gone, you're just hosed forever.
If your password or PIN gets stolen, you can make a new password, or get a new ATM card and a new PIN, and cancel the old ones. Once your biometric info is stolen or spoofed, you have the choice of cancelling it and not being able to authenticate anywhere, or just accpeting that your identity is stolen and will stay stolen.
Biometrics are great if *combined* with a password. But by themselves, they're foolish for strong authentication. Just because your fingerprints are on your hand doesn't mean that there isn't a pattern there that could be stolen and stored somewhere by bad actors.
As NTK pointed out last week, MORI are looking for people to take part and raises a point on skewed statistics, maybe?..
"Pollsters MORI will be ensuringthat the Digitised 10K will be a representative sample the UK population: and here's where it gets interesting. MORI are inviting people to apply. Assuming that those most worried about biometrics in society aren't going to leap at the chance to be fingerprinted in advance of the giant Orwellian (etc) database, why not help the sample from getting a bit too skewed? Plus who wouldn't want to mess with cool, hackable, potentially dystopian gadgets?"
Seems a oppotune time to get my passport renewed, perhaps.
I really don't feel comfortable with all of that. Personally I feel that if some one is going to beat the system, they are going to do it no matter how secure it is. With that many people it is impossible to not let some one slip through the cracks. I think a piece of paper, a stamp, and a few good forms of ID is enough.
404
Sadly, this doesn't surprise me, being a UK citizen. It's like 1984 over here.
Well, heck. There's been 'face recognition' biometric data on most people's passports for over a century already. As long as said 'biometric data collection' methods have existed, there have been people, i.e. the Amish, who've objected to it.
This isn't really anything more, other than possibly higher resolution recordings.
A Good Intro to NetBS
So will face recognition join fingerprint and iris recognition in a long list of obtrusive recognition techniques?
Passports are inherently obtrusive. You walk up to the person in the uniform behind the desk, hand over your passport, and wait for them to decide if it matches you. Matching a face by camera at this point is no more of a bother. (Well, if you don't pass the scan, it is...but that's a different subject.)
Plus, the people manning the desk control the lighting and the positioning of your face. If you don't take off your sunglasses and look straight ahead, you don't pass. This will improve the performance of the software far above the 'scan the crowd' attempts. You'll still have some false positives, of course; but all systems dealing with humans do.
Imagine the privacy invasions with these techniques but imagine also the coolness of the future finally becoming the present.
of people getting their body parts stolen. Ouch.
Among other things, the article makes the very good point that there are two ways to use biometrics: for identification (i.e., who is this J. Random Person), and for authentication (i.e., is this really Rich, as he claims to be).
Tests of face recognition for the first purpose have basically been miserable failures, as far as I can see. (As I'm sure most Slashdotters know, facial recognition is computationally a vey hard problem, even though we clever apes do it all the time.) For the second application, face recognition or fingerprints would seem more promising, since one is comparing them with, in effect, a known right answer.
The article also points out that all of this is being sold as a way to "increase security" -- but it would have done exactly nothing to prevent 9/11, since the hijackers entered the US and traveled as themselves.
It's a long story, but I don't have stable fingerprints; scarring interferes with them. Any time I've needed a fingerprint check (for example, my concealed-carry permit), it was problematic producing 'acceptable' fingerprints in the first place, and thereafter difficult to match current fingerprints to old ones. Although this could make me a great secret agent or something, I'm going to have trouble if any future employer of mine moves to simple fingerprints biometrics as a means of identification.
I'd be much more comfortable with using a smart card that stored my biometric info inside itself. It may not fit into the whole "a-passport-is-a-way-to-track-you-and-privacy-gets -in-the-way" mindset, but I definitely wouldn't feel comfortable with the government scanning any kind of biometrics off me just to board a goddamn plane to Canada, whether it's fingerprints or retina scans, or anything else.
If I make no sense in this post, you'll have to excuse me. I'm a little intoxicated tonight.
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
When will they start examining stool samples as well?
"Sorry, sir, we have detected couscous and figs in your feces. If you'll kindly step over there towards the gentlemen with the M-16s, they'll escort you to your flight to Guantanamo Bay."
At least they're not using it for authentication... now, where did I put that key.. *flips through his keychain of severed fingers and eyes*
Banaaaana!
How will this effect movie stars and other famous people such as Michael Jackson? People who alter their faces like I change my socks will obviously be having problems.
On a more serious note, how does this effect people who are the result of severe burns, car accidents, plastic surgergy, radioactive mutations, aging, etc? Obviously if someone's face is altered they will have some problems.
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
It's good to know that your government takes your personal opinion so seriously.
Or, just perhaps, given that the US is in effect demanding that all other countries do what it wants, it was giving them a little bit more reasonable an ammount of time to implement a system that has little point beyond jingoistic technobable-like 'look, look, we're doing something, please re-elect us' politico-speak.
Possibly, but if it's too US-led, people will see it (however correctly) as an attempt to erode their sovereignty in favour of America.
You might have the money, but does, say, Rwanda, or Indonesia? Can there not be made an argument that this is effectively protectionism as to the kind of people economically 'allowed' in to the country to conduct business, &c.?
Apart from the obvious cost implications, well, countried get 'favored' status for a reason - they have (what are regarded as) 'sufficiently' thorough security on the other side. Indeed, having seen my fair share of airport security, I'd say that the laxest I ever saw was for a (domestic, but even so) flight from Denver to Washington (pretty much nothing beyond my bag getting spot-checked for explosives' residues), as compared to a flight out of Sri Lanka (including what felt like a highly competent mandatory body pat-down - thrice - and canon emplacements around the airport).
Yeah, sure, let's dispose of several hundred years of diplomacy because it's a system that can be exploited.
You either get seriously tough on security, or admit defeat. You can't show you are securing the country if kids can still buy pot, crack and smack.
Yes, because it's well known that kids who do drugs grow up to die in terrorist-related activitiy. What?
Back on-topic, I see no reason for people to object to the use of computer-read, rather than human-read, biometric data (height 182 cm, weight 72 kg is biometric data, after all), as long as it is used for a reasonably good, but not necessarily perfect, confirmation of identity - after all, if the data matches, all that means is that the person is who the database says they are claiming to be, but not necessarily who they actually are...
James F.
Read an interesting take on biometrics in the last Cryptogram that Schneier puts out. If you think about it, biometrics really have NO positive impact on actual security. They're more of a placebo for the average non-security minded person. This is precisely why you see a great deal of hype around them and very little real security. Government officials, last I checked, aren't the most savvy people in the world. Especially the ones who graduated last in their class...
t ml
Blurb out of the Cryptogram:
"So it is our opinion, that as long as the manufacturers of fingerprint equipment do not solve the live detection problem (i.e. detect the difference between a live finger and a dummy), biometric fingerprint sensors should not be used in combination with identity cards, or in medium to high security applications. In fact, we even believe that identity cards with fingerprint biometrics are in fact weaker than cards without it. The following two examples may illustrate this statement.
1. Suppose, because of the fingerprint check, there is no longer visual identification by an official or a controller. When the fingerprint matches with the template in the card then access is granted if it is a valid card (not on the blacklist). In that case someone who's own card is on the blacklist, can buy a valid identity card with matching dummy fingerprint (only 15 minutes work) and still get access without anyone noticing this.
2. Another example: Suppose there still is visual identification and only in case of doubt--the look-alike problem with identity cards--the fingerprint will be checked. When the photo on the identity card and the person do not really match and the official asks for fingerprint verification, most likely the positive result of the fingerprint scan will prevail. That is, the "OK" from the technical fingerprint system will remove any (legitimate) doubt.
It is our opinion that especially the combination of identity cards and biometric fingerprint sensors results in risks of which not many people are aware."
Full article is here:
http://www.schneier.com/crypto-gram-0311.h
Karma: The only way to win is not to play.
Only in very unusual circumstances (such as loosing one's passport). Do you mean, perhaps, visas?
If you mean that people should only be allowed into the US on pre-accepted visas, well, OK, but I (as a citizen of the European Union) can move freely between 15 (and soon to be 25) countries with ease, and normally without a check of my passport in the first place (unless travel is by air, that is, as there aren't European terminals as well as international ones), and in practice, also into and out of Switzerland - I once went from Austria -> Switzerland -> Italy -> France -> Switzerland -> Germany -> France -> United Kingdom, and only got my passport checked on arrival in the UK.
It is widely believed that this freedom of movement has benefitted the EU's member states greatly (especially economically), and that security has, if anything, been increase, by concentrating on intelligence rather than rote scanning of all incomers. Why could this system of trusted others be kept in use in the US/.
James F.
Didn't they see Gattaca? Once we start using biometrics, it will become this all knowing system where once you are biometrically identified, you will be considered the real thing even if it seems like you probably aren't. It will be like that guy from the 80s movie saying "Computers never lie, kid."
I can just imagine my biometric record getting screwed up because of some random computer bug, and guys with shotguns and big dogs coming out when I show my passport the next time I travel internationally...
Your signatures belong to me.
The horrible state of English dentistry means that each Britian possesses a set of uniquely fucked-up teeth. Simply entering them into a database should be trivial.
C - A language that combines the speed of assembly with the ease of use of assembly.
Wouldn't growing a giant beard throw biometric readings off? Perhaps if I wore my glasses too?
Igor, fetch my identity.
<Igor> Yeth, mathter. </Igor> (opening suitcase full of body parts)
Go permanent? In your dreams and my worst nightmares.
I think the only reliable method of biometric data would be to include a DNA sample in one's passport and then use a device a la the ones in the Gattaca movie to take a small blood/hair/skin sample at the airport or where ever. The others are either too simply faked (fingerprint testing) or open to abuse (face recognition) unless only used as confirming factors in a passport, not as a replacement for the actual passport itself.
So in the near future it's either biometrics, or having to apply for a visa to get into the US.
And to add to that, the reason you got checked in the UK is that the UK isn't a member of Schengen, which is the passport cooperation.
About 30 years ago, Frederick Forsyth wrote The Day of The Jackal (and it was then made into a superb film - well recommended if you haven't seen it).
In the book and film, the Jackal (a hired assassin) applies for a copy of the birth certificate of someone who had died as a child. When he gets it, he uses that to apply for a passport in the name of that person.
A year or so ago, some investigative reporters used a similar method to get hold of Frederick Forsyth's ID and get credit cards, etc, in his name. Amazingly, they even got a driving licence in the identity of David Blunkett, who, as the home secretary, is the political head of the department that controls the UKs security services - and who is also widely known to be blind (i.e. why would he be applying for a driving licence?).
Details are here.
When confronted with this information, an astonished Frederick Forsyth said "30 years ago I exposed to the authorities a loophole in their own security and I presumed they would stop it - they didn't."
I cannot see anything in the use of biometric passports themselves that would prevent this trick from working. If you have the means to apply for a passport in the name of a dead person, how is supplying your own fingerprint or iris scan possibly going to help ? Yes, it might stop convicted terrorists applying for passports if their fingerprints or iris scans are on record, but there are huge numbers of people with no convictions. And I'm sure others will point out all the other problems with biometric IDs.
Indeed, if biometric identification means that passports become more "trusted" than previously, then they seem to be making the security situation worse, rather than better - i.e. people will place more of their trust in the biometric ID, to the exclusion of other factors.
From another BBC report, the government estimates that about 1500 issued passports a year are fraudulent (an estimate which is described as "conservative").
John Daugman from Cambridge, UK. Wrote in this weeks New Scientist that, The Ministry Of The Interior in the UAE has been using iris recognition to detect those expelled for Visa violations entering through all 17 air,land and sea ports. The ministry has a database of 293,406 iris' and according to the ministry they have run 1,011,876 searches against the database and the 3684 positive hits have all been confirmed by other means.