
FOG HORN

Biometrics and What You Should Know About It


By: Sal Palma

2013
Twobirds Flying Publication

Make no mistake, biometrics is here to stay and it's moving into every aspect of our lives like a freight train. Look no further than Apple's launch of the iPhone 5s with its built-in fingerprint sensor. With a single touch, an enrolled finger can protect your iPhone and use the stored biometric data to make purchases from iTunes and other Apple venues without a password or PIN code. It's a sure thing that you'll start seeing apps to encrypt data files using a biometric key. Since its impact on your life will be profound, I want you to understand it so you don't fear it, but more importantly so that you can control it. My article is not a technical treatise on biometrics, but I discuss some of the emerging technology, and data flow in conceptual terms.

I'll begin by exploring two very different definitions of biometrics advanced by two organizations. The first, as promulgated by the International Biometric Society (IBC), is that biometrics or biometry is the development of statistical and mathematical methods applicable to data analysis in the biological sciences. The second, and one that more closely resembles the global implementation currently underway, is rooted in authentication, and we define it as the automatic identification or identity verification of living, human individuals based on behavioral and physiological characteristics.

Biometrics is a subject more frequently discussed in scholarly works and from time to time in the grumbles of paranoid delusional authors living in constant fear of losing their privacy. Case in point: the infamous Edward Snowden, NSA leaker, who single-handedly did more to damage multinational security than anyone in recent history, inspired more privacy neurosis from individuals and the mainstream media than any event since 9/11, clearly indicating a lack of understanding. Yet one should not turn a blind eye to the technology, as there are valid issues arising from its use that must be understood and discussed, and legislation and regulations enacted to preserve a modicum of privacy, or otherwise ensure responsible and ethical use of biometric authentication.

Copyright 2013, Twobirds Flying Publication. All Rights Reserved.


The first thing to note is that biometrics is shorthand for biometric identification, as expressed by James L. Wayman, PhD, Director of the U.S. National Biometrics Test Center. Jim, who in addition to being an authority on the subject of biometric identification is hilarious, very tactfully distances his definition from the IBC's purist view. It's also fair to say that the IBC disavows all knowledge of, approval of, agreement with or collaboration with NBTC. It is all in good taste of course, but it highlights some profound differences. Notwithstanding IBC's opinion, it is the U.S. National Biometric Test Center's definition that's driving the industry as represented by the Armed Forces Communications and Electronics Association (AFCEA) and the Biometric Consortium.

Biometrics is then best described as the automatic identification of individuals based on behavioral and physiological characteristics. To accomplish its intentions, biometrics relies on stable and complex biological markers, which it then links to behavioral patterns to establish an identity. The process establishes who you are and what you are, ultimately leading to an attribute the industry describes as a trust token.

To perform as envisioned, there must first be large databases hosting enrolled biometric data. We populate those databases through a process denoted as enrollment. Enrollment may be a voluntary or an involuntary process. For example, a financial institution can ask for a voice print and/or facial scan when opening an account. The bank's representative directs the customer to a kiosk, like the one shown on the left manufactured by SRI International, where you record a voice sample and have your face scanned. From that event, the bank collects biometric data that uniquely identifies you. The incident is described as a voluntary enrollment.

An involuntary enrollment occurs when an individual is subjected to, say, a facial scan, iris scan, or any other biometric measurement including DNA, resulting from an arrest or military action. Involuntary enrollments may also transpire from covert collection of biometric data. One example of covert collection could involve boarding a flight or entering a terminal at the airport. To gain access to the terminal or aircraft, the individual may be required to scan a boarding pass, and as he or she walks through the turnstiles a facial or iris scan is made.

The device pictured above will do precisely that. Biometrics is not restricted to fingerprints or facial scans; any physiological characteristic that is stable, meaning it does not change over time, and that is difficult, or impossible, to duplicate is a good enrollment candidate. In biometric parlance each metric is referred to as a mode. Because it's important to correctly identify the individual, automatically, more than one mode will generally be used. Therefore, biometric systems tend to be multimodal. A typical database could consist of the following modes: facial scan, palm scan, iris scan, fingerprints and rapid DNA, which I'll discuss later in the article. However, we are not restricted to just the modes mentioned, and as sensors evolve more will be added.

Biometrics is also transactional. For example, a border patrol agent intercepts an individual attempting to enter the country not using an authorized port of entry. The agent runs an iris scan on the detainee, which is subsequently transmitted as a verification transaction. The verification process will search the database to determine if a match exists.

In almost all cases a list of possible matches is presented, ranked in order of highest probability. The verification system may also request fingerprints and/or DNA. So, each verification transaction will also expand the database. Through the enrollment and verification processes, be they voluntary or involuntary, extremely large databases develop. As of this writing, it is estimated that the United States has access to 1.7 billion records from domestic and international origins. Biometric databases don't generally house pictures; they contain binary records referred to as templates. A template contains the biometric data with some overhead, including serial numbers and other identifiers adding to the uniqueness of the enrolled data. For example, a facial scan does not result in a picture of you.


The enrollment device, under software control, identifies a series of points of recognition and applies a mathematical filter, usually a two-dimensional Gabor filter, to extract different facial characteristics. Each point of identification under the Gabor method will generate 2000+ data bits. This binary stream is encapsulated in a template and transmitted to the database irrespective of location. In any computer application the term GIGO (Garbage In, Garbage Out) applies. This means that getting an accurate facial scan requires a high-quality facial image, and most enrollment and verification systems in use today make that determination under software control, signaling to the operator acceptance or rejection of the scan. Operator training is highly desirable to ensure a high degree of reliability.

The nation's casinos are one industry already reaping the rewards from facial recognition. Biometrica LLC, a Las Vegas company founded in 1998, is helping casino operators track cheats with its Visual Casino modules.

Iris scans, for example, map the human iris and its associated minutiae to generate a binary stream for verification. When discussing iris scans, if the first thing to enter your mind is an image of lying on a surgical table strapped down while laser-laden machines float over your head, you can rest easy because it's not quite that dramatic; in fact, it's uneventful.
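The verification search described above, in which a probe's binary template is compared against enrolled templates and a ranked list of possible matches comes back, can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the fractional Hamming distance matcher, the 2048-bit template length, the 0.32 threshold, the subject names and the sample data are all assumptions constructed for illustration.

```python
import random

BITS = 2048        # assumed template length (the article says 2000+ bits per point)
THRESHOLD = 0.32   # assumed accept threshold on fractional Hamming distance

def distance(code_a, mask_a, code_b, mask_b):
    """Fraction of disagreeing bits, counted only where both masks are valid."""
    valid = mask_a & mask_b
    usable = bin(valid).count("1")
    if usable < BITS // 4:   # too little overlap to score: treat as a non-match
        return 1.0
    return bin((code_a ^ code_b) & valid).count("1") / usable

def search(probe_code, probe_mask, gallery, top_n=3):
    """1:N search: up to top_n (subject_id, distance, accepted), best first."""
    scored = [(sid, distance(probe_code, probe_mask, code, mask))
              for sid, (code, mask) in gallery.items()]
    scored.sort(key=lambda item: item[1])
    return [(sid, round(d, 3), d <= THRESHOLD) for sid, d in scored[:top_n]]

def build_demo():
    """Constructed data: 5 enrolled subjects, one noisy re-capture, one stranger."""
    rng = random.Random(2013)
    full = (1 << BITS) - 1
    gallery = {f"subject-{i}": (rng.getrandbits(BITS), full) for i in range(5)}
    enrolled_code, _ = gallery["subject-3"]
    # Sensor noise: roughly 10% of bits flip between enrollment and re-capture.
    noise = sum(1 << i for i in range(BITS) if rng.random() < 0.10)
    occluded = full >> 256   # top 256 bits unusable, e.g. a poor-quality region
    genuine = (enrolled_code ^ noise, occluded)
    stranger = (rng.getrandbits(BITS), full)   # never enrolled
    return gallery, genuine, stranger

if __name__ == "__main__":
    gallery, genuine, stranger = build_demo()
    print("genuine :", search(*genuine, gallery))
    print("stranger:", search(*stranger, gallery))
```

The ranked list is returned even when nobody is accepted, which is why the threshold matters: the best-ranked candidate for an unenrolled person is still just the least-bad stranger.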

Iris ID manufactures a series of Iris cameras that can be used for both enrollment and verification. Shown above is the Iris ID iCam T10, which is used like a binocular and sells at a unit cost of about $1500, certainly not a budget buster.

The Iritech, Inc. product is very compact and inexpensive at $190 per device. It runs on either a Windows platform or a mobile Android device, and it can store up to 1000 templates. To run an iris scan you simply pass it over your eyes using a sweeping motion. Bam, you're done!

Also, gone are the days of paper-based fingerprints. Today's fingerprint enrollment and verification sensors are optical devices that generate superior fingerprints with corresponding minutiae.

Last on the list of physiological markers is DNA. It is possibly the most important biometric for law enforcement and forensic professionals because it does two things extremely well. First, DNA uniquely identifies the individual. Secondly, it allows a trace of relationships. Assume for a moment your child is missing; investigators will request a DNA sample of both parents. Sadly, the worst happened and five years later unidentified remains are found. Standard operating procedure calls for DNA testing of the remains. The results are run through a national database like the FBI's Combined DNA Index System, or CODIS, subsequently discovering a match between you and the unidentified remains. Presently, that analysis can take days. The FBI thinks it should take hours; hence the development of Rapid DNA or rDNA technologies.

Rapid DNA processing stations, like those developed by IntegenX, make it possible for local law enforcement to test suspects during the booking process and receive a response within 2 hours. This is particularly important in dealing with unsolved crime scenes. Assume law enforcement is able to collect DNA samples at an unsolved crime scene. Using rapid DNA technology, an arresting officer could obtain a match during the booking process that successfully connects his suspect to an unsolved crime scene. Presently, a suspect could inadvertently be released while a laboratory DNA analysis is made. So, shortening the DNA processing time to two hours increases the probability that a suspect will not inadvertently be released.

With the introduction to modes, enrollment and verification out of the way, it's entirely appropriate to take a 50,000-foot view of how data flows. To that end, I'd like to propose one possible hierarchical data model to establish in the reader's mind the relationships to other data subsets, and ultimately to the creation of links to behavioral data obtained from accidental databases such as social media and a variety of other electronic footprints.

The cloud in the center of the picture exists at the enterprise level, or it can be a national repository for processing all enrollment and verification transactions irrespective of origin. It indicates linkages to DoD and Intelligence data, GAOs (Government Organizations local, state and federal) and international organizations like Interpol. It also connects to data mining services that determine what you've been doing and what your preferences are. Once the behavioral information is collected, the enterprise or government entity is able to link your physiological attributes to your behavioral characteristics.

For example, a bank has your biometric data, driver's license, social security number and email address in its database. Using biometric data in conjunction with biographical data they can uniquely identify you, but they can also see how you are spending your money. By associating you with how your money is spent, they can target financial products specifically to you, but they can also provide valuable behavioral information to retailers or other businesses willing to pay for that information. These types of revenue are increasingly important to banks, and believe me when I say that if you want to get a bank executive excited, talk about fee income and transaction-based income streams. There are far more extreme examples that I'll avoid because they are outliers with a small probability of success, and my objective here is to bring you up to speed with what's coming down the pipe within a two to five year window.

The entire scenario begs the question: how can all this happen, and do I really want people to know that much about me? Your answer lies in the concept of data ownership, and quite frankly elected officials have failed to address the issue of privacy in this massive electronic milieu. You see, when you provide your financial institution with biometric data it is no longer yours and can therefore be used by the financial institution for any reasonable business purpose. Let's keep in mind that businesses collect data not for the benefit of their customers; they do so to mitigate risk and identify additional revenue opportunities. Your privacy is not the central concern, and this will remain a central issue in individual privacy discussions until Congress gives the individual ownership of his or her personal information.

A classic example is Facebook. Here is a multinational multibillion-dollar company that makes money by selling content that is yours. I have to laugh because during the height of the Edward Snowden fiasco, people were very quick to chastise the NSA for spying on individuals and violating privacy rights. It's ironic that those same individuals publicly disclose, through Facebook, LinkedIn and other venues, personal and professional details, to include sexuality, without hesitation. With regard to the National Security Agency, I'd like to leave you with just one thought: NSA is the least of your privacy concerns.

In this article, I've answered who you are and dabbled in what you are, so it's time to close with trust. The biometric hierarchy that links your physical attributes with what you think, prefer and do also functions to create a trust token, sometimes referred to as a trust stack, which to a large extent is a highly subjective scoring of numerous trust attributes to arrive at a trust score. Does the fact that on Friday nights you consistently do internet searches on the Redskins make you a good employee or a better security risk? These observations must be made and correlations need to be determined so that behavioral metrics become reliable predictors of future behavior. Anything other than a high degree of confidence renders the trust component useless. Nonetheless, your trust score may determine if you get a job, security clearance, your right to purchase or carry a firearm, admission to a school, professional licensure, social benefits or membership to a country club. It may very well turn out to be the mark of the Beast referenced in the Book of Revelation.

I see biometrics representing a tremendous opportunity where it functions in a well-regulated setting (note: not heavily regulated); one that allows individuals to precisely determine what can and cannot be shared. Regrettably, that capability will not be imminent until Congress stops letting the courts wing the issue, by clearly defining who owns personal information. Biometrics will improve national security, eliminate fraud, reduce crime, mitigate business and personal risk and make identity theft a rare occurrence. Think of a world without passwords or PIN codes, and being marketed to by companies delivering only those products you want or prefer. Understand it, embrace it, do not fear it, but control it.

-SP
