M2SYS posted on their blog a critique of the recent reverse engineering of iris templates. In my view, they misunderstand or misrepresent the significance of this sort of research. Their arguments merit rebuttal but the M2SYS blog is not accepting comments, and they seem reluctant to engage on these important issues on Twitter.
Here below is what I tried to post in response.
See also my post about the double standard in how biometrics proponents treat adverse research in comparison with serious cryptographers.
"You're right that reporting of the Black Hat results should not overstate the problem. By the same token, advocates for biometrics should be careful with their balance too. For example, is it fair to say as you do that biometrics are 'nearly impossible' to reverse engineer? And should Securlinx's Barry Hodge play down the reverse engineering as only 'intellectually interesting'?
"The point is not that iris scanning will suddenly be defeated left and right -- you're right the practical risk of spoofing is not widespread nor immediate. But this work and the publicity it attracts serves a useful purpose if it fosters more critical thinking. Most lay people out there get their understanding of biometrics from science fiction movies. Without needing to turn people into engineers, they ought to have a better handle on the technology and realities such as the false positive (security) / false negative (usability) tradeoff, and spoofing.
"My observation is that biometrics advocates have transitioned from more or less denying the possibility of reverse engineering, to now maintaining that it really doesn't matter. But until the industry comes up with a revokable biometric, I think it is only prudent to treat seriously even remote prospects of spoofing."
Posted in Biometrics
I am happy to have an opportunity to add to the discussion without being limited to 140 characters. I have no problem with the critical evaluation of biometric modalities and applications. In fact as a technology professional for more than 35 years, I appreciate and respect it. An industry should be its own worst critic internally. Both my company and I also want to balance the "hype" or science fiction aspect of the technology with the realities and actual capabilities as they exist today. These critiques and tests of the current capabilities are valuable and indeed I will stick with my "intellectually interesting" descriptor. This in my opinion is how the outermost limits of what the technology is capable of is stretched and strengthened.
But there is another side of the coin. Biometric modalities do not need to be 100% accurate or bulletproof or "unspoofable" to offer significant improvement in security and identity management. As in use today they are not standalone applications but an added layer in a security model that still requires a great deal of human interaction and process control. Biometrics can add tremendously to the success of these security models as they exist today. Technology is improved in two ways, through investigative testing and development in the lab and from real world early adopters who also uncover weaknesses and deficiencies in the commercialized versions of the intellectual property. These two processes are beneficial and necessary to the evolution of the industry. They should not be pitted against one another. Unbalanced criticism is as detrimental to the advancement of the science as inaccurate claims of performance.
When we first decided to have a company blog we determined its mission should be to inform and improve decision making in the public sector. By simply posting these articles with our comments or often without comment we feel we are following that mission to raise awareness and present both sides of the discussion. It is our attempt with our posts to add some balance to the equation such that these two processes by which technology evolves do not conflict but complement one another. When the press or a provider through a basic lack of understanding or other motive skews the curve with hype or hyperbole, we attempt to raise the other side of the discussion. I personally do not look at this as a win/lose argument. If the science cannot stand on its own it should and will fail. However, death by over-hyped expectations or deficiencies is not a desirable outcome either.
Criticism can be constructive or destructive and motive is difficult to determine in social media. SecurLinx and M2SYS are serious companies attempting to commercialize serious science. There are many others in our industry doing the same. I hope that this message will be clearer going forward. It is not our desire to degrade the science. That is counter productive to our mission. As a company we have a significant investment in advancing the science. We do wish to add a balance to the discussion and reinforce the fact that there are also significant strengths in the science as it exists today. Those strengths are being demonstrated in real world usage around the world. The improvements that come from these processes are equally important to the advancement of the science. One should not hinder the other.
We would all agree that "biometric modalities do not need to be 100% accurate or bulletproof or unspoofable". After all, there is no such thing as perfect security. The thing about security is to understand the risks and manage them. This requires transparency.
At this point, I'm afraid the biometrics industry at large is not coming to the party. Fujitsu and its OEMs like M2Sys refuse to disclose publicly the Detection Error Tradeoff curves for palm vein scanning. Instead they only publish best case FAR and FRR rates side-by-side. And yet they advocate biometrics for 1:N identification in healthcare, an application where the sensitivity-specificity tradeoff is of the utmost importance, and where users must not be misled that FAR = 0.00008% and FRR = 0.01% at the same time.
You're right that biometrics are not unspoofable, and yet M2Sys continues to maintain that it is "nearly impossible to reverse engineer the data that is sent to positively identify an individual and successfully steal their biometric identity". Not only is this untrue, there is no way to cancel and reissue a compromised biometric.
It's not the media alone that over-hypes biometrics; it's your industry that feeds journalists with best case scenarios, and glosses over the fundamental shortfalls.