Let's embrace Identity Plurality
In information security we’ve been saddled for years with the tacit assumption that deep down we each have one “true” identity, and that the best way to resolve rights and responsibilities is to render that identity as unique. This “singular identity” paradigm has had a profound and unhelpful influence on security and its sub-disciplines like authentication, PKI, biometrics and federated identity management.
Federated Identity is basically a sort of mash-up of the things that are known about us in different contexts. When describing federated identity, its proponents often point out how drivers licences are presented to boot-strap a new relationship. But it is a category error to abstract this case to as an example of Federated ID, because while a licence might prove your identity when joining a video store, it does not persist in that relationship. Instead the individual is given a new identity: that of a video store member.
A less trivial example is your identity as an employee. When you sign on, HR might sight your driver licence to make sure they get your legal name correct. But thereafter you carry a company ID badge – your identity in that context. You do not present your driver licence to get in the door at work.
Federated Identity posits, often implicitly, that we only really need one identity. The "Identity 2.0" movement properly stresses the multiplicity of our relationships but it usually seeks to hang all relationships off one ID. The beguiling yet utopian OSCON2005 presentation by Dick Hardt shows vividly how many ways there are to be known (although Harte went a step too far when he tried to create a single, albeit fuzzy, uber identity transcending all contexts).
I favor an alternate view - that each of us actually exercises a portfolio of separate identities and that we switch between them in different contexts. This is not an academic distinction; it really makes a big difference where you draw the line on how much you need to know to set a unique identity.
Kim Cameron’s seminal Laws of Identity deliberately promoted the plurality of identity. Cameron included a fresh definition of digital identity as “a set of claims made by one digital subject about itself or another digital subject”. He knew that this relativist definition might be unfamiliar, admitting that it “does not jive with some widely held beliefs – for example that within a given context, identities have to be unique”.
That "widely held belief" seems to be a special product of the computer age. Before the advent of “Identity Management”, we lived happily in a world of plural identities. Each of us could be by turns a citizen, an employee, a chartered professional, a customer, a bank account holder, a credit cardholder, a patient, a club member, another club official, and so on. It was seemingly only after we started getting computer accounts that it occurred to people to think in terms of one "primary" identity threading a number of secondary roles. Conventional Access Control insists on a singular authentication of who I am, followed by multiple authorisations of what I am entitled to do. This principle was laid down by computer scientists in the 1970s.
The idea that we need to establish a true identity before granting access to particular services is unhelpful to many modern online services. Consider the importance of confidentiality in "apomediation" (where people seek medical information from non technical but "expert" patients) and online psychological counselling. Few will enrol in these important new patient-managed healthcare services if they have to identify themselves before providing an alias. Instead, participants in medical social networking will feel strongly that their avatars’ identities in and of themselves are real.
Despite the efforts of Kim Cameron and others, the singular identity paradigm has proved hard to shake. In practice, and despite the plurality in the Laws of Identity, most federated identity formulations actually reuse identities across totally unrelated contexts, in order to conveniently hang multiple roles off the one identity.
The old paradigm also explains the surprisingly easy acceptance of biometrics. The very idea of biometric authentication plays straight into the world view that each user has one “true” identity. Yet these technologies are deeply problematic; in practice their accuracy is disappointing; worse, in the event a biometric is ever stolen, it's impossible with any of today's solutions to cancel and re-issue the identity. Biometrics’ overwhelming intuitive appeal must be based on an idea that what matters in all transactions is the biological person. But it’s not. In most real world transactions, the role is all that matters. Only rarely (such as when investigating fraud) do we go to the forensic extreme of knowing the person.
There are grave risks if we insist on the individual being bodily involved in routine transactions. It would make everything intrinsically linked, violating inherently and irreversibly the most fundamental privacy principle: Don’t collect personal information when it’s not required.
Why are so many people willing to embrace biometrics in spite of their risks and imperfections? It may be because we’ve been inadvertently seduced by the idea of a single identity.
Posted in Identity, Federated Identity, Culture, Biometrics
Understanding biometrics and their necessary fallibility
In practice, the most important thing about biometrics is their fallibility. Because of the vagaries of human traits and the way they vary from day to day, biometrics have to cope with the same person appearing a little different each time they front up. Inevitably this means that occasionally a biometric system will confuse one person with another. So what? Well, there are two major foibles of all biometrics that go unmentioned by most vendors:
1. There is an inherent trade off in all biometrics, between their ability to discriminate between different people (specificity) and their ability to properly recognise all users (sensitivity). You can't have it both ways; a system that is very specific will be more inclined to reject a legitimate user, and conversely, a system that never fails to recognise you will also tend to occasionally confuse you with someone else. Yet biometrics vendors often quote their best case False Reject and False Accept figures side by side, as if they're achievable simultaneously.
2. The only way to improve sensitivity and specificity at the same time is to tighten the enrolment and scanning conditions and/or the mathematical models that underpin the algorithms. In other words, to make the systems choosier. This is why really serious biometrics like face recognition for passports and driver licences require stringent lighting conditions and image quality, and why we should be wary of biometrics in mobile devices where there is almost no control over lighting and sound.
Uncertainty accumulates
The least technical criticism of biometrics concerns the fallibility of all measurement methods. Cameras, sensors and microphones – like human eyes and ears – are imperfect, and the ability of a biometric authentication system to distinguish between subtly different people is limited by the precision of the input devices.
Even if the underlying biological traits of interest are truly unique, it does not follow that our machinery will be able to measure them faithfully. Take the iris. This biometric is often promoted with the impressive claim that the probability of two individuals’ iris patterns matching is one in ten to the power of 78. These are literally astronomical odds; there are fewer atoms in the universe than 10-to-the-78. Yet does this figure necessarily tell us how accurate the end-to-end biometric system really is? Consider the fact that there are ten billion stars in the Milky Way. If two people look up in the night sky and each pick a star at random, is the probability of a match one in ten billion? Of course not, because of the limits of our measurement apparatus, in this case the naked eye. Interference too affects the precision of any measurement; the odds of two people in a big city picking the same star might be no better than one in a hundred.
The Sensitivity-Specificity tradeoff: False Positives and False Negatives
Biometric authentication entails a long chain of processing steps, all of which are imperfect. Each step introduces a small degree of uncertainty, as shown in the schematic below. Uncertainty is inescapable even before the first processing step, because the body part being measured can never appear exactly the same. The angle and pressure of a finger on a scanner, the distance of a face from a camera, the tone and volume of the voice, the background noise and lighting, the cleanliness of a lens all change from day to day. A biometric system cannot afford to be too sensitive to subtle variations, or else it can fail to recognise its target; a biometric must tolerate variation in the input, and inevitably this means the system can sometimes confuse its target for someone else.
Therefore all biometric systems inevitably commit two types of error:
1. A “False Negative” is when the system fails to recognise someone who is legitimately enrolled. False Negatives arise if the system cannot cope with subtle changes to the person’s features, the way they present themselves to the scanner, slight variations between scanners at different sites, and so on.
2. A “False Positive” is when the system confuses a stranger with someone else who is already enrolled. This may result from the system being rather too tolerant of variability from one day to another, or from site to site.
False Positives and False Negatives are inescapably linked. If we wish to make a given biometric system more specific – so that it is less likely to confuse strangers with enrolled users – then it will inevitably become less sensitive, tending to wrongly reject legitimate enrolled users more often.
The following schematics illustrate how a highly specific biometric system tends to commit more False Negatives, while a highly sensitive system exhibits relatively more False Positives.
A design decision has to be made when implementing biometrics as to which type of error is less problematic. Where stopping impersonation is paramount, such as in a data centre or missile silo, a biometric system would be biased towards false negatives. Where user convenience is rated highly and where the consequences of fraud are not irreversible, as with Automatic Teller Machines, a biometric might be biased more towards false positives. For border control applications, the sensitivity-specificity trade-off is a very difficult problem, with significant downsides associated with both types of error – either immigration security breaches, or long queues of restless passengers.
Any biometric system, in principle at least, can be tuned towards higher sensitivity or higher specificity, depending on the overall desired balance of security versus convenience. The performance at different thresholds is conventionally shown by a "Detection Error Tradeoff" (DET) curve.
Biometrics vendors tend to keep their DET curves confidential, and usually release commercial solutions where the ratio of False Accept Rate (FAR) to False Reject Rate (FRR) is fixed. The following DET curves are over ten years old but they remain some of the few examples that are publicly available, and they usefully compare several biometric technologies side by side.
Ref: "Biometric Product Testing Final Report" Issue 1.0, 2001 by the UK Government Communications Electronics Security Group (CESG).
Vendors occasionally specify the "Equal Error Rate" for their solutions. It's important to understand what this spec is for. No real world biometric that I'm aware of is deployed with FAR and FRR tuned to be the same. Instead, the EER should be used as a benchmark for broadly comparing different technologies.
EER provides another useful ready reckoner. If a vendor specifies for example FAR = 0.0001% and FRR = 0.01% and yet you find that the EER is, say, 1% -- that is, greater than both the quoted FAR and FRR -- then you know that the vendor is quoting best case figures that cannot be realised simultaneously. Just look at the DET curves above. When False Accept Rate is 0.1% (ie false positives of 1 in a 1000) the False Reject Rate for ranges from at least 5% to as much as 30%. And we can see that an FAR of 0.0001% is really extreme; for most biometrics, such specificity leads to False Rejects of one in two or worse, rendering the solution unusable.
Failure To Enrol
Over and above the issues of False Positives and False Negatives is the unfortunate fact that not everyone will be able to enrol in a given biometric authentication system. At its extremes, this reality is obvious: individuals with missing fingers, or a severe speech impediment for example, may never be able to use certain biometrics.
However, failure to enrol has a deeper significance for more normal users. To minimise False Positives and False Negatives at the same time (as illustrated in the next figiure), a biometric method generally must tighten requirements on the quality of its input data. A fingerprint scanner for instance will perform better on high definition images, where more fingerprint features can be reliably extracted. If a fingerprint detector sets a relatively stringent cut-off for the quality of the image, then it may not be possible to enrol people who happen to have inherently faint fingerprints, such as the elderly, or those with particular skin conditions.
More subtle still is the effect of modelling assumptions within biometric algorithms. In order to make sense of biological traits, the algorithm has to have certain expectations built into it as to how the features of interest generally appear and how those features vary across the population; after all, it is the quantifiable variation in features which allows for different individuals to be told apart. Therefore, face and voice recognition algorithms in particular might be optimised for the statistical characteristics of certain racial groups or nationalities, making it difficult for people from other groups to be enrolled.
The impossibility of enrolling 100% of the population into any biometric security system has important implications for public policy. Clearly there can be at least the perception of discrimination against certain minority groups, if factors like age, foreign accent, ethnicity, disabilities, and/or medical conditions impede the effectiveness of a biometric system. And careful consideration must be given to what fall-back security provisions will be offered to those who cannot be enrolled. If there is a presumption that a biometric somehow provides superior security, then special measures may be necessary to provide equivalent security for the un-enrolled minority.
Posted in Biometrics
A penny for your marketable thoughts?
Most people think that Apple's Siri is the coolest thing they've ever seen on a smart phone. It certainly is a milestone in practical human-machine interfaces, and will be widely copied. The combination of deep search plus natural language processing (NLP) plus voice recognition is dynamite.
And Siri also marks a new milestone in privacy invasion. I predict Siri will become the poster girl for PII piracy, the exemplar of the sly bargain for Personal Information at the heart of most social media.
If you haven't had the pleasure ... Siri is a wondrous new function built into the latest iPhone. It’s the state-of-the-art in artificial intelligence and NLP. You speak directly to Siri, ask her questions (yes, she's female) and tell her what to do with many of your other apps. Siri integrates with mail, text messaging, maps, search, weather, calendar and so on. Ask her "Will I need an umbrella in the morning?" and she'll look up the weather for you – after checking your calendar to see what city you’ll be in tomorrow. It's amazing.
Natural Language Processing is a fabulous idea of course. It radically improves the usability of smart phones, and even their safety with much improved hands-free operation.
An important technical detail is that NLP is very demanding on computing power. In fact it's beyond the capability of today's smart phones, even if each of them alone is more powerful than all of NASA's computers in 1969!. So all Siri's hard work is actually done on Apple's mainframe computers scattered around the planet. That is, all your interactions with Siri are sent into the cloud.
Imagine Siri was a human personal assistant. Imagine she's looking after your diary, placing calls for you, booking meetings, planning your travel, taking dictation, sending emails and text messages for you, reminding you of your appointments, even your significant other’s birthday. She's getting to know you all the while, learning your habits, your preferences, your personal and work-a-day networks.
And she's free!
Now, wouldn't the offer of a free human PA strike you as too good to be true?
Indeed it would. So realise this about Siri: she's continuously reporting back to Apple about your every move. If Apple were a PA placement agency, what they get in return for the free secretarial services is a full transcript of all you've said, everyone you've been in touch with, everything you've done. Apple won't say what they plan to do with all this data, how long they'll keep it, nor who they'll share it with. Apple's Privacy Policy (dated October 2011, accessed 12 March 2012) doesn't even mention Siri nor the collection of the voice-to-text data.
When you dictate your mails and text messages to Siri, you’re providing Apple with content that's usually off limits to carriers, phone companies and ISPs. Siri is an end run around telecommunicationss intercept laws.
Of course there are many, many examples of where free social media apps mask a commercial bargain. Face recognition is the classic case. It was first made available on photo sharing sites as a neat way to organise one’s albums, but then Facebook went further by inviting photo tags from users and then automatically identifying people in other photos on others' pages. What's happening behind the scenes is that Facebook is running its face recognition templates over the billions of photos in their databases (which were originally uploaded for personal use long before face recognition was deployed). Given their business model and their track record, we can be certain that Facebook is using face recognition to identify everyone they possibly can, and thence work out fresh associations between countless people and situations accidentally caught on camera. Combine this with image processing and visual search technology (like Google's "Goggles") and the big social media companies have an incredible new eye in the sky. They can work out what we're doing, when, where and with whom. Nobody will need to like expressly "like" anything anymore when Facebook can see what cars we're driving, what brands we're wearing, where we spend our vacations, what we're eating, what makes us laugh. Apple, Facebook and others have understandably invested hundreds of millions of dollars in image recognition start-ups and intellectual property; with these tools they convert the hitherto anonymous image collections in Picassa, Flickr and the like into content-addressable PII gold mines. It's the next frontier of Big Data.
Now, there wouldn't be much wrong with these sorts of arrangements if the social media corporations were up-front about them. In their Privacy Policies they should detail what Personal Information they are extracting and collecting from all the voice and image data; they should explain why they collect this information, what they plan to do with it, how long they will retain it, and how they promise to limit secondary usage. They should explain that biometrics technology allows them to generate brand new PII out of members' snapshots and utterances. And they should acknowledge that by rendering data identifiable, they become accountable in many places under privacy and data protection laws for its safekeeping as PII. It's just not good enough to vaguely reserve their rights to "use personal information to help us develop, deliver, and improve our products, services, content, and advertising". They should treat their customers -- and all those innocents about whom they collect PII indirectly -- with proper respect, and stop pretending that 'service improvement' is what they're up to.
Siri along with face recognition herald a radical new type of privatised surveillance, and on a breathtaking scale. While Facebook stealthily "x-ray" photo albums without consent, Apple now has even more intimate access to our daily routines and personal habits. And they don’t even pay as much as a penny for our thoughts.
As cool as Siri may be, I myself will decline to use any natural language processing while the software runs in the cloud, and while the service providers refuse to restrain their use of my voice data. I'll wait for NLP to be done on my device with my data kept private.
And I'd happily pay cold hard cash for that kind of app, instead of having an infomopoly embed itself in my personal affairs.
Posted in Social Networking, Social Media, Privacy, Language, Biometrics
That's what I call hype
A modest little quote from a biometrics expert caught my eye this week. Neil Fisher, VP of Global Security Solutions at Unisys was cited describing the False Acceptance Rate of iris scanning as "in the region of 0.1%". See Believing in biometrics, at "Airport Technology", http://www.airport-technology.com/features/featurebelieving-in-biometrics.
This figure is, to put it mildly, rather less than what we’ve been led to believe by iris scanning proponents over the years.
It is widely reported that the probability of two randomly selected irises matching is one in 10 to the power of 78 [1]. This is indeed a staggering denominator, far greater than the number of stars in all the galaxies in all the universe [Yet that number is near meaningless if the iris scanning equipments isn't perfect. Consider that there are 100 billion stars in the Milky Way but that figure doesn't predict the odds of two people picking out the same star with the naked eye, which is one in a few hundred or worse depending on the lighting conditions.]
Yet the recognised inventor of iris recognition, John Daugman of Cambridge University, never claimed his method was as good as all that. In 2000, Daugman published a technical paper [2] on iris detection decision thresholds. Based on data from an ophthalmology research database, his calculations implied [3] a False Match rate as low as one in 10 to the power of 14.
In 2005 Daugman experimentally verified his very low error rate claim using data on over 600,000 individuals sampled in the United Arab Emirates’ immigration security system [4]. He reported that “False Match rate is less than 1 in 200 billion” or one in 10 to the power of 11. But it should have been clear to all that the result would be very best case, for border security biometrics systems impose tight control over image quality and lighting conditions for both enrolment and subsequent capture events; without such control, measurement fidelity suffers.
And indeed, independent government testing of iris biometrics, while impressive, show error rates millions of times worse than Daugman’s estimates. For example, the UK Government in 2001 found a False Match rate of 0.0001% or one in a million [5].
And now we have a leading biometrics implementer say that in practice, the iris False Match Rate is typically 0.1% or a pretty ordinary one in 1,000. If that’s the real life benchmark, then the folkloric figure of one in 10 to the power of 78 represents an exaggeration of one thousand, trillion, trillion, trillion, trillion, trillion, trillion times.
Literally.
[2] Biometric decision landscapes, Daugman, 2000; http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-482.pdf
[3] http://www.sans.org/reading_room/whitepapers/authentication/dont-blink-iris-recognition-biometric-identification_1341.
[4] Results from 200 billion iris cross-comparisons John Daugman, University of Cambridge Computer Laboratory, http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-635.pdf.
[5] Biometric Product Testing Final Report, Issue 1.0; Mansfield et al, Centre for Mathematics and Scientific Computing, National Physical Laboratory, for the UK Government Communications Electronics Security Group (CESG) Biometric Test Programme, 2001; http://www.cesg.gov.uk/publications/Documents/biometrictestreportpt1.pdf.
Posted in Biometrics
The birthday paradox and biometrics
The inventor of forensic DNA testing, Dr Alec Jeffreys, has cautioned that once millions of DNA samples are collected in population databases, false matches rise significantly.
DNA testing is not an infallible proof of identity. While Jeffreys' original technique compared scores of markers to create an individual "fingerprint," modern commercial DNA profiling compares a number of genetic markers - often 5 or 10 - to calculate a likelihood that the sample belongs to a given individual.
Jeffreys estimates the probability of two individuals' DNA profiles matching in the most commonly used tests at between one in a billion or one in a trillion, "which sounds very good indeed until you start thinking about large DNA databases." In a database of 2.5 million people, a one-in-a-billion probability becomes a one-in-400 chance of at least one match.
[Ref: DNA Fingerprint Privacy Concerns Jill Lawless, CBS News.]Dr Jeffreys is alluding to the Birthday Paradox, where the chance of any pair of people being matched on a random trait rises dramatically and counter-intuitively in groups of people. At a gathering of just 25 people, the chances are better than 50:50 that a pair of people in the group will have the same birthday. The implication for forensic databases is that it's highly likely that somewhere in the set, there will be pairs of different people that happen to have biometric data that fall within the tolerance of the matching algorithm. In other words, the matching software will confuse them. The designers of driver licence and immigration databases need to put protocols in place that double-check automatic matches so as to avoid impugning innocent people. By-and-large, the protocols I have seen in practice work well, but these practicalities are glossed over by biometrics vendors who continue to over-hype their technologies.
In the context of population databases, we see once again why the adjective "unique" is a wrong and misleading way of describing biometrics. No biometric trait has a zero probability of a false match, so none of them can be described as "unique". And even the highly distinctive traits like DNA can lead to surprisingly frequent false detects in large databases.
So it bears repeating, biometrics don't work as well as suggested by science fiction movies.
Posted in Science, Biometrics
An authentication family tree
How do we make best sense of the bewildering array of authenticators on the market? Most people are familiar with single factor versus two factor, but this simple dichotomy doesn’t help match technologies to applications. The reality is more complex. A family tree like the one sketched here may help navigate the complexity.
Different distinctions define various branch points. The first split is between what I call Transient authentication (i.e. access control) which tells if a user is allowed to get at a resource or not, and Persistent authentication, which lets a user leave a lasting mark (i.e. signature) on what they do, such as binding electronic transactions.
Working our way up the Transient branch, we see that most access controls are based either on shared secrets or biometrics. Dynamic shared secrets change with every session, either in a series of one time passwords or via challenge-response.
On the biometric branch, we should distinguish those traits that can be left behind inadvertently in the environment and are more readily stolen. The safer biometrics are “clean” and leave no residue. Note that while the voice might be recorded without the speaker’s knowledge, I don't see it as a residual biometric in practice because voice recognition solutions usually use dynamic phrases that resist replay.
For persistent authentication, the only practical option today is PKI and digital signatures, technology which is available in an increasingly wide range of forms. Embedded certificates are commonplace in smartcards, cell phones, and other devices.
The folliage in the family tree indicates which technologies I believe will continue to thrive, and which seem more likely to be dead-ends.
I'd appreciate feedback. Is this useful? Does anyone know of other taxonomies?
Posted in Security, PKI, Biometrics
Seriously: biometrics replacing passwords?!
I know it's the season to be jolly but, oh lord, I am so sick of the endless re-publishing of IBM's breathless prediction that biometrics will replace passwords in five years time. As reported by the Daily Mail http://www.dailymail.co.uk/sciencetech/article-2077019/IBM-predicts-making-mind-controlled-PCs-years.html, what they said is: "The complex, hard-to-remember strings of numbers and letters will be replaced by biometric readers that 'work out' who you are by reading unique things such as the shape of your face". Nonsense!
Firstly, no biometric ever 'works out' who you are; they have to be first told who you are. I won't apologise for being pedantic about this, for the loose language that besets most biometric reporting leaves readers quite clueless about the real issues.
The cost of registering for biometrics far exceeds the cost of registering passwords. And the unit cost of decent readers (ones with liveness detection that arent so easily spoofed) is hundreds of dollars. Where's the ROI to replace all passwords?
Speaking of loose language, again we have the casual claim that biometrics detectors read "unique things" about their subjects. It's just not the case. If any biometric security system really did use a unique trait, we would expect a False Accept Rate of precisely zero, and not the pretty shoddy one or two percent that is common in practice. The only biometric traits I know of with good theoretical bases for being near-unique are the iris and DNA. Iris is one of the best biometrics, but it's expensive (to get the impressive specificity performance, you need special purpose cameracs and controlled lighting conditions, unachievable with webcams or smart phone cameras). As for DNA, well despite the odd hype, there just isn't any sign of a commercial DNA access control system. Sure, there's forensic DNA analysis, but it requires tissue samples and takes hours of time on masses of equipment, and even then it actually does not deliver "unique" results! DNA testing only examines a few dozen selected genetic markers and has a False Match Rate of around 1 in a billion. Ok, that sounds great but before getting too excited, note that the inventor of DNA testing, Dr Alec Jeffreys, has pointed out that [due to the Birthday Paradox] the chance of random false matches amongst pairs in population-wide DNA databases could climb to be very high.
No responsible analysis of widespread use of biometrics (at a scale that would allow us to 'replace passwords') should skip over the serious inherent flaws in all biometrics. These include the impossibility of cancelling and re-issuing compromised biometrics, the absence of any standardised testing methods and performance specifications, and the fact that (as stressed by no less an authority than the FBI) biometric testing in the lab is a poor predictor of how they perform in the field.
And finally, let's be careful what we ask for, in case we get it. The high cost of biometric registration is such that as soon as anyone embarks on widespread deployment, it's inevitable that service providers will seek to "federate", so that a biometric identity established in one setting can be re-used others. But until we properly solve the problems outlined above, biometric federation, with shared template databases up in the "cloud" somewhere, would quite simply be a nightmare in waiting.
Posted in Biometrics
Technocrats' happy snaps
Once again, technologists confuse being in public with giving up one's right to privacy.
Today's Sydney Morning Herald reports on recent advances in automatic surveillance by facial recognition of people in public, especially airports. Now, I am not weighing into the public good argument; personally I would be delighted if this sort of technology thwarted terrorist plots. What worries me is the fundamental failure of technocrats to grasp privacy, and how this chronic blind spot biasses their work.
The subject of the article, Professor Brian Lovell, is quoted as saying 'people did not have the right to privacy in places such as airports'.
It's vital to appreciate that the concept of being "in public" doesn't actually figure in Australia's Privacy Act. What matters in our privacy regime, and in the Information Privacy law of many countries, is Personal Information -- that is, any information about someone whose identity is readily apparent -- and how that information is collected, used, shared and managed.
Traditional surveillance tapes of people in public places are retained for some months, and if suspicion arises, they're pored over by cops on a mission. People caught on tape who are not of interest remain anonymous. But automatic facial recognition of digital imagery converts otherwise anonymous data into PI, in real time and en masse, without discriminating between suspects and everyone else. Identifiable information is then converted into profiles and intelligence and probably retained 'just in case' a good deal longer than video tapes. After all, disk space is cheap.
It's worrying that technocrats seem so often to have a very limited and self-selected understanding of information privacy (see some more analysis of this gap at Public yet still private). They're not well equipped to have the crucial public good debate if they don't get how their technology works to create vast drifts of Personal Information where previously there was none.
Posted in Security, Privacy, Biometrics
If Facebook were a government, there'd be riots
A repeated refrain of Facebook’s apologists is that privacy is dead. People are supposed to know that anything on the Internet is up for grabs. It’s digital apartheid: the new digital Brown Shirts say if you’re so precious about your privacy, just stay offline.
But socialising and privacy are hardly mutually exclusive; we don’t walk around in public with our names tattooed on our foreheads. Why can't we participate in these networks in a measured, controlled way without submitting to the operators' rampant X-Ray vision? And why can’t the apologists see how they’re sucked into generating the vast fortunes of Zuckerberg et al? It's nothing inevitable about trading off privacy for conviviality -- it's just more lucrative that way for the PI robber-barons.
The privacy dangers of Facebook are real and present and run so much deeper than the self-harm done by some peoples’ overly enthusiastic sharing. The privacy of millions in the mainstream of Facebook is imperilled. Facebook crowd-sources the identification and constant surveillance of its members. With facial recognition, Facebook is building up detailed pictures of what people do, when, where and with whom. I can be tagged without consent in a photo that was not taken by me, and not uploaded by me. The majority of photos in the cloud were not uploaded for this purpose. And look closely: When you remove a tag, Facebook does not remove the underlying biometric template, nor do they undertake to stop using the template that has been gifted to them by innocents who just think tagging their mates is kinda cool.
It’s not cool, it's insidious! And it’s rapaciously commercial like everything else they do. Facebook places no limitations whatsoever on the secondary uses it makes of the Personally Identifiable Information it's generating (which in itself is at odds with European and other privacy law, hence the law suits now underway in Germany).
You know, if a government was stealing into our photo albums, labelling people and profiling them, there would be riots.
Posted in Social Networking, Privacy, Biometrics
Biometrics and false advertising
Use of the word “unique” in biometrics constitutes false advertising.
There is little scientific basis for any of the common biometrics to be inherently “unique”. The iris is a notable exception, where the process of embryonic development of eye tissue is known to create random features. But there's little or no literature to suggest that finger vein patterns or gait or voice traits should be highly distinctive and randomly distributed in ways that create what security people call "entropy". In fact, one of the gold standards in biometrics - fingerprinting - has been shown to be based more on centuries old folklore than science (see the work of Simon Cole).
But more's the point, even if a trait is highly distinctive, the vagaries of real world measurement apparatus and conditions mean that every system commits false positives. Body parts age, sensors get grimy, lighting conditions change, and biometric systems must tolerate such variability. In turn, they make odd mistakes. In fact, consumer biometrics are usually tuned to deliberately increase the False Accept Rate, so as not to inconvenience too many bona fide users with a high False Reject Rate.
So no biometric system ever behaves like the trait is unique! Every system has a finite False Accept Rate; FARs of one or two percent are not uncommon. If one in fifty people are confused with someone else on a measured trait, how is that trait “unique”?
The word "unique" should be banned in conenction with biometrics. It's not accurate, and it's used to create over-statements in biometric product marketing.
This is not mere nit picking. The biometrics industry gets away with terrible hyperbole, aided and abetted by loose talk, lulling users into a false sense of security. Managers and strategists need to understand at every turn that there is no such thing as perfect security. Biometric systems fail. But when lay people hear “unique” they think that’s the end of the story. They’re not encouraged to look at the error rate specs and think deeply about what they really mean.
Exaggeration in use of the word "unique" is just the tip of the iceberg. Biometrics vendors are full of it:
Economical with the truth
- Major palm vein vendors claim spectacular error rates of FAR = 0.00008% and FRR = 0.01%. Their brochures show these specs side-by-side, without any mention of the fact that these are best case figures, and utterly impossible to achieve together. I've been asking one vendor for their Detection Error Tradeoff (DET) curves for years but I'm told they're commercial in confidence. The vendor won't even cough up the Equal Error Rate. And why? Because the tradeoff is shocking.
- The International Biometric Group in 2006 published the only palm vein DET curve I have managed to find, in its Comparative Biometric Testing Round 6 ("CBT 6"). Curiously this report is hard to find nowadays, but I have a copy if anyone wants to see it. The DET curves give the lie to the best case vendor specs. For when the palm vein system is tuned to highest security setting with a best possible False Match Rate of 0.0007%, the False Non Match rate deteriorates to 12%, or worse than one in ten. [Ref: CBT6 Executive Summary, p6]
Clueless about privacy
- You'd think that biometric vendors would brush up on privacy. One of them attempted recently to calm fears over facial recognition by asserting that "a face is not, nor has it ever been, considered private". This red herring belies a terrible misunderstanding of information privacy. Once faces are rendered personally identifiable by OSNs and names attached to the terabytes of hitherto anonymous snapshots in their stores, then that data becomes automatically subject to privacy law in many jurisdictions. It's a scandal of the highest order: albums innocently uploaded into the cloud over many years, now suddently rendered identifiable, and trawled for commercially valuable intelligence, without consent, and without any explanation in the operators' Privacy Policies.
Ignoring published research
- And you'd think that for such a research-intensive field (where many products are barely out of the lab) vendors would be up to date. Yet one of them has repeatedly claimed that biometric templates "are nearly impossible to be reverse engineered". This is either a lie or willful ignorance. The academic literature has many examples of facial and fingerprint templates being reverse engineered by successive approximation methods to create synthetic raw biometrics that generate matches with target templates. Tellingly, the untruth that templates can't be reversed has been recently repeated in connection with the possible theft of biometric data of all Israeli citizens. When passwords or keys or any normal security secrets are breached, then the first thing we do is cancel them and re-issue the users with new ones, along with abject apologies for the inconvenience. But with biometrics, that's not an option. So no wonder vendors are so keen to stretch the truth about template security; to admit there is a risk of identity theft, without the ability to reinstate the biometrics of affected victims, would be catastrophic
With more critical thinking, managers and biometric buyers would start to ask the tough questions. Such as How are you testing this system? How do real life error rates compare with bench testing (which the FBI warns is always optimistic)? And what is the disaster recovery plan in the event that a criminal steals a user’s biometric?
Posted in Security, Language, Biometrics