Commonplace

www.common-place.org · vol. 5 · no. 1 · October 2004

Christopher Lukasik
The Physiognomy of Biometrics
The face of counterterrorism

II.

Biometrics are often associated with the future. Facial recognition systems, fingerprint readers, and retinal scans are the stuff of science fiction films such as Total Recall and Minority Report. Yet, as you read this, they are becoming very much a part of the present. Next year, the Enhanced Border Security and Visa Reform Act of 2002 will require that all visas and other travel documents to the United States include biometric identifiers. A $10 billion border control contract has already been awarded and plans are underway to install biometric devices (most likely fingerprint and facial recognition systems) at all three hundred border entry points. Soon biometrics will also be used to identify some two million transportation workers. Last year, the Department of Homeland Security handed out nearly $11 billion for biometrics, and it seeks another $1.4 billion in 2005. Millions more have been spent by the Department of Defense. Earlier this year, the American Association of Motor Vehicle Administrators upped the ante by proposing to create the world’s largest database of biometric data: a North American ID card that would utilize approximately three hundred million DMV facial images. Most recently, the 9/11 Commission report urged the government to establish a comprehensive biometric screening program "as quickly as possible." These are but a few examples of what can only be called a stampede of post-9/11 government legislation, projects, and contracts all looking to buy what the biometric industry is selling: security. With over two hundred vendors now offering biometric solutions, the International Biometrics Group predicts that global revenue from biometrics firms will climb to $4.64 billion by 2008.

So how does biometrics provide security? Most biometric technologies automate the identification of people by one or more of their distinct physical characteristics, matching a face or a fingerprint, for example. As Michigan State University engineering professor Anil Jain explains, biometrics rely on who you are as opposed to what you know (such as a password) or what you have (such as a passport). They transform a unique personal feature such as your face into a numerical code or template, store that template, and then compare your face to it each time thereafter. In short, biometrics turn your body into your password. Biometric systems either prove that you are who you say you are (verification) or they prove that you are not who you say you are not (identification). During verification, your face is matched with your template so that you are positively identified. During identification, your face is compared against every face in a database (such as a gallery of terrorists) to ensure that you are not on a watchlist. Since biometrics claim to be more difficult to copy, forge, share, lose, or forget than traditional credentials, they have been heralded as an almost infallible way to control access to secure areas.

Biometrics, however, can make mistakes. A false match happens when you are incorrectly matched to another person’s template (as would be the case if you were falsely identified as a terrorist). A false nonmatch occurs when a person is incorrectly not matched to a truly matching template (as would be the case if you were not identified as yourself). Now here is the rub: you cannot lower both error rates simultaneously. The more you try to reduce the chance of people being falsely identified as terrorists, the more likely they will not be identified as themselves, and vice versa.
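The trade-off between the two error rates can be seen by sweeping a match threshold over comparison scores. The following is an added example, not part of the original article: the scores are constructed for illustration, the "score at or above threshold counts as a match" rule is an assumption about how a matcher decides, and the watchlist calculation goes one step beyond the text by assuming each comparison against a gallery template is independent.

```python
# Constructed similarity scores (0-100), for illustration only; not measured data.
GENUINE = [91, 84, 78, 74, 69, 66, 58, 52, 47, 35]   # a person vs. their own template
IMPOSTOR = [62, 55, 49, 44, 41, 36, 31, 27, 22, 15]  # a person vs. someone else's template


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false match rate, false nonmatch rate) at one threshold.

    Assumed decision rule: a score >= threshold is declared a match.
    """
    false_match = sum(s >= threshold for s in impostor) / len(impostor)
    false_nonmatch = sum(s < threshold for s in genuine) / len(genuine)
    return false_match, false_nonmatch


def sweep(thresholds):
    """Tabulate (threshold, FMR, FNMR) for each candidate threshold."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_point(thresholds):
    """Row where the two error rates are closest (the 'equal error rate')."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def watchlist_false_alarm(false_match_rate, gallery_size):
    """Chance that one innocent person matches at least one of N templates.

    Assumes independent comparisons, which real galleries only approximate.
    """
    return 1 - (1 - false_match_rate) ** gallery_size


if __name__ == "__main__":
    thresholds = range(20, 95, 5)
    print("thr   FMR   FNMR")
    for t, fmr, fnmr in sweep(thresholds):
        print(f"{t:3d}  {fmr:.2f}  {fnmr:.2f}")
    print("equal error point:", equal_error_point(thresholds))
    # Identification: even a 0.1% per-comparison false match rate adds up
    # when every traveller is compared against a large gallery.
    for n in (1, 100, 1000):
        print(f"gallery of {n:4d}: {watchlist_false_alarm(0.001, n):.3f}")
```

Raising the threshold drives the false match column toward zero while the false nonmatch column climbs, and lowering it does the reverse; no threshold in the sweep brings both to zero for overlapping score distributions like these.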

This has proven to be quite a problem for the industry, since biometrics, especially facial recognition systems, have not performed well when tested. A recent National Institute of Standards and Technology study, for example, found that facial recognition technology failed to match people correctly 23 percent of the time. Last year, it failed to match employees at Boston’s Logan International Airport up to 38 percent of the time, and in 2002 it failed to match Palm Beach Airport employees 53 percent of the time. According to the Economist, the 2003 government-sponsored Face Recognition Vendor Test found that "none of the systems worked well . . . when shown a face and asked to identify the subject." Martyn Gates, a facial recognition specialist, confessed to the Financial Times that "in some systems, the accuracy is almost random."

The Rogue, opposite page 89 in Lavater, The Pocket Lavater. Courtesy of the American Antiquarian Society.

Part of the reason biometrics perform so poorly, as many industry experts admit, is that the technologies are still immature. Consequently, biometrics have been routinely fooled or "spoofed." Magazine photographs and high-resolution images of faces have been enrolled into facial recognition systems, while cadaver, silicone, and gelatin fingers have fooled fingerprint scanners. As the Wall Street Journal reported last year, Tsutomu Matsumoto from Yokohama University was able to fool eleven different fingerprint scanners roughly 80 percent of the time using $10 worth of gelatin. Researchers at West Virginia University, the Guardian noted, were able to enroll fourteen cadaver fingers into a biometric system and, once enrolled, were able to verify their identities 40-94 percent of the time. Yet, you do not have to try to "spoof" biometrics in order to generate errors. Head movement, skin color, lighting conditions, and camera angles all affect the accuracy of facial recognition systems. Similarly, finger placement, hand lotion, dust, humidity, and temperature can alter fingerprint scans.
