Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 116
Biometric Recognition: Challenges and Opportunities 5 Research Opportunities and the Future of Biometrics The first four chapters of this report explain much about biometric systems and applications and describe many of the technical, engineering, scientific, and social challenges facing the field. This chapter covers some of the unsolved fundamental problems and research opportunities related to biometric systems, without, however, suggesting that existing systems are not useful or effective. In fact, many biometric systems have been successfully deployed. For example, hand geometry systems serve to control access to, among others, university dorms, nuclear power plants, and factories, where they record time and location.1 Automated fingerprint identification systems (AFISs) integrate automatic and manual processes in criminal justice applications and civilian applications such as national identity systems. An emerging technology such as biometrics typically confronts unrealistic performance expectations and is sometimes unfairly compared with approaches such as passwords that are not really alternatives. An effective biometric solution does not have to be—nor can it be—100 percent accurate or secure. For example, if there exists a 1 percent possibility of successful “buddy punching” (signing in for a friend or colleague), a hand geometry system can easily be seen as preventing 99 percent of such 1 A.K. Jain, R. Bolle, and S. Pankanti, eds., Biometrics: Personal Identification in Networked Society, Norwell, Mass.: Kluwer Academic Publishers (1998), as cited in A.K. Jain, S. Pankanti, S. Prabhakar, L. Hong, A. Ross, and J. Wayman, Biometrics: A Grand Challenge, Proceedings of the 18th International Conference on Pattern Recognition, Cambridge, England (2004). Available at http://biometrics.cse.msu.edu/Publications/GeneralBiometrics/Jainetal_BiometricsGrandChallenge_ICPR04.pdf.
OCR for page 117
Biometric Recognition: Challenges and Opportunities fraud. A particular application demands not perfection but satisfactory performance justifying the additional investments needed for the biometric system. In any given case, the system designer should understand the application well enough to achieve the target performance levels. Nevertheless, solutions to the problem of recognizing individuals have historically been very elusive, and the effort needed to develop them has consistently been underestimated. Because humans seem to recognize familiar people easily and with great accuracy, such recognition has sometimes incorrectly been perceived as an easy task. Considering that a number of governments around the world have called for the nationwide use of biometrics in delivering crucial societal functions such as passports, there is an urgent need to act. Excepting for their application in national forensic AFISs, biometric recognition systems have never been tried at such large scales nor have they dealt with the wide use of nonforensic sensitive personal information. The current performance of some biometric systems—in particular with regard to the combination of error rate, robustness, and system security—may be inadequate for large-scale applications processing millions of users at a high throughput rate. If there is a pressing public need for these applications, and if it is determined that biometric systems and technologies are the most appropriate way to implement them, then our understanding of the underlying science and technology must be robust enough to support the applications.2 There is no substitute for realistic performance evaluations and sustained investment in research and development (R&D) to improve human recognition solutions and biometric systems.3 The rest of this chapter outlines a research agenda focusing on (1) technical and engineering considerations, (2) social challenges, and (3) broader public policy considerations. The chapter concludes with a high-level overview of what constitutes a well-designed biometric system. TECHNOLOGY AND ENGINEERING RESEARCH OPPORTUNITIES In recent years several research agendas for biometric technologies and systems have set important challenges for the field.4 The issues and 2 The National Science Foundation Center for Identification Technology Research is one program taking an interdisciplinary approach to research related to biometrics. More information about the center is available at http://www.nsf.gov/eng/iip/iucrc/directory/citr.jsp. 3 Standardization efforts, discussed elsewhere in this report, can help facilitate the cycle of build-test-share for transitioning the technology from concept to business solution. 4 See, for example, A.K. Jain, S. Pankanti, S. Prabhakar, L. Hong, A. Ross, and J. Wayman, Biometrics: A Grand Challenge, Proceedings of the 18th International Conference on Pattern
OCR for page 118
Biometric Recognition: Challenges and Opportunities research opportunities raised in this chapter are meant to complement, not replace or supersede these other articulations. Indeed, the U.S. government has created or funded several interdisciplinary, academia-based research programs that provide an institutional foundation for future work. The focus of this report has been on broad systems-level considerations, particularly for large-scale applications, and the technical challenges outlined in this Chapter reflect that focus. But as these other agendas demonstrate, there are numerous opportunities for deeper understanding of these systems at almost every level. This section lays out several technical and engineering areas the committee believes would benefit from sustained research and further investigation: human factors, understanding the underlying phenomena, modality-related technical challenges, opportunities to advance testing and evaluation, statistical engineering aspects, and issues of scale. Human Factors and Affordance Because biometric technologies and systems are deployed for human recognition applications, understanding the subject-technology interface is paramount. A key piece of the biometric recognition process is the input of the human characteristic to be measured. With the exception of recent work at NIST-IAD5 and at Disney, very little effort has been expended on the “affordance”—the notion that what is perceived drives the action that occurs, or, put another way, that form can drive function—of biometric systems.6 Biometric systems should implicitly (or explicitly) suggest to the user how they are to be interacted with.7 Recognition, Cambridge, England (2004); National Science and Technology Council, Subcommittee on Biometrics, “The National Biometrics Challenge” (2006), available at http://www.biometrics.gov/Documents/biochallengedoc.pdf; E. Rood and A.K. Jain, Biometrics Research Agenda, report of an NSF Workshop (2003); and Mario Savastano, Philip Statham, Christiane Schmidt, Ben Schouten, and Martin Walsh, Appendix 1: Research challenges, BioVision: Roadmap for Biometrics in Europe to 2010, Astrid Albrecht, Michael Behrens, Tony Mansfield, Will McMeechan, and Marek Rejman-Greene, eds. (2003), available at http://ftp.cwi.nl/CWIreports/PNA/PNA-E0303.pdf. 5 M. Theofanos, B. Stanton, and C. Wolfson, Usability and biometrics: Assuring successful biometric systems, NIST Information Access Division (2008); M. Theofanos, B. Stanton, C. Sheppard, R. Micheals, J. Libert, and S. Orandi, Assessing face acquisition, NISTIR 7540, Information Access Division Information Technology Laboratory (2008); and M. Theofanos, B. Stanton, C. Sheppard, R. Micheals, Nien-Fan Zhang, J. Wydler, L. Nadel, and W. Rubin, Usability testing of height and angles of ten-print fingerprint capture, NISTIR 7504 (2008). 6 J.J. Gibson, The theory of affordances, in Perceiving, Acting, and Knowing, Robert Shaw and John Bransford, eds. Hillsdale, N.J.: Erlbaum Associates (1977). 7 This idea can be extended even to systems where the subject is unaware of the interaction but behaviors are being suggested to facilitate data collection.
OCR for page 119
Biometric Recognition: Challenges and Opportunities International standards, such as the International Organization for Standardization (ISO)/IEC 19795 series,8 generally contain an informative annex on best practices for data collection for the modality under consideration. For example, ISO/IEC 19794-5 contains an annex on best practices for face images specifying that full frontal face poses should be used and rotation of the head should be less than +/− 5 degrees from frontal in every direction. This requirement presents an affordance challenge that has not yet been adequately addressed by the technologies—namely, how can a system be designed to suggest to the user a pose that meets this requirement? (The committee was told about one system that presented an image that, when viewed from the proper angle, was clearly visible to the user.) Similar challenges exist with every modality/application combination and will require a modality- and application-specific set of solutions. “Quality” has been used to indicate data collected in compliance with the assumptions of the matching algorithms, such that recognition performance of the algorithm can be maximized, which means that “affordance” and data “quality” are tightly linked. System operators and administrators face their own challenges when interfacing with the systems. How should the interfaces of attended systems be designed so that the operator knows how and when to collect proper images, how to recognize when poor-quality images have been collected, and how to guide the data subject in making better presentations? Very little research in this area has been conducted, and there is opportunity for significant progress. Distinctiveness and Stability of Underlying Phenomena There are many open questions about the distinctiveness of the underlying biometric traits in these systems and about human distinctiveness generally. One typical assumption in the design of most biometric systems has been that characteristics, if properly collected, are sufficiently distinctive to support the application in question. This assumption has not, however, been confirmed by scientific methods for specific biometric characteristics, either by prospectively collecting and analyzing biometric samples and feature patterns or by exploiting databases of samples or feature patterns assembled for other purposes. A broad and representative sampling of the population in which distinctiveness is being evaluated should be obtained and a minimum quality specification should be set to which biometric samples should conform. More generally, the development of a scientific foundation for reliably determining the distinctive- 8 “Information technology—biometric performance testing and reporting,” ISO/IEC 19795.
OCR for page 120
Biometric Recognition: Challenges and Opportunities ness of various biometric traits under a variety of collection modes and environments is needed. In other words, what is the effective limit on accuracy for a specific biometric trait in a realistic operating environment? This becomes a particularly important question at scale—that is, when the systems are expected to cope with large user populations and/or large reference databases. Even in DNA analysis, there has been controversy and uncertainty over how to estimate distinctiveness.9 In biometric systems, “ground truth”—the collection of facts about biometric data subjects and recognition events to allow evaluation of system performance—is challenging, particularly for passive surveillance systems, where failures to acquire may be difficult to detect.10 There are also open questions about the stability of the underlying traits—how persistent (stable) will a given individual’s biometric traits be over time? Some biometric traits, such as fingerprints, appear to be reasonably stable, but others, such as facial characteristics, can change significantly over even short periods of time. Depending on the capture and matching algorithms, changes in a trait over time may or may not have an effect on system performance and whether that person is appropriately recognized. Understanding more about the stability of common biometric traits will be important, especially if biometric systems are deployed for comparatively long (years or decades) periods of time. All of this suggests several avenues of research that could strengthen the scientific underpinnings of the technology. There needs to be empirical analysis of base-level distinctiveness and the stability of common biometric modalities, both absolutely and under common conditions of capture, and research into what types of capture and what models and algorithms produce the most distinguishable and stable references for given modalities. Further, the scalability of various modalities under different capture and modeling conditions must be studied. The individuality of biometric identifiers, their long- and short-term physiological/pathological variations, and their relationship to the user population’s genetic makeup all merit attention as well. 9 P.J. Bickel, Discussion of “The evaluation of forensic DNA evidence,” Proceedings of the National Academy of Sciences 94(11): 5497 (1997). Available at http://www.pnas.org/content/94/11/5497.full?ck=nck. 10 Ted Dunstone and Neil Yager, Biometric System and Data Analysis: Design, Evaluation, and Data Mining, New York: Springer Science+Business Media (2008).
OCR for page 121
Biometric Recognition: Challenges and Opportunities Modality-Related Research Every biometric system relies on one or more biometric modalities. The choice of modality is a key driver of how the system is architected, how it is presented to the user, and how match vs. nonmatch decisions are made. Understanding particular modalities and how best to use the modalities is critical to overall system effectiveness. Research into several interrelated areas will bring continued improvement: Sensors. Reducing the cost of sensor hardware; improving the signal-to-noise ratio, the ease of use and affordability, and the repeatability of measures; and extending life expectancy. Segmentation. Improving the reliability of identifying a region of interest when the user presents his or her biometric characteristics to the system—for example, locating the face(s) in an image or separating speech signal from ambient noise. Invariant representation. Finding better ways to extract invariant representation (features) from the inherently varying biometric signal—that is, what kind of digital representation should be used for a face (or fingerprint or other feature) such that the trait can be recognized despite changes in pose, illumination, expression, aging, and so on. Robust matching. Improving the performance of the matching algorithm in the presence of imperfect segmentation, noisy features, and inherent signal variance. Reference update. Developing ways to update references so that they can account for variations and the aging of reference data in long-lived systems. Indexing. Developing binning and partitioning schemes to speed up searches in large databases. Robustness in the face of adversaries. Improving robustness to attacks, including the presentation of falsified biometric traits (perhaps, for example, through automated artifact detection). Individuality. Exploring the distinctiveness of a particular biometric trait and its relationship to the matching performance. Does information about distinctiveness serve to increase understanding of the effective limits on matching performance, for example? In addition to the general challenges described above, there are also challenges specific to particular biometric modalities and traits. While the following discussion does not describe all the challenges for each modality, it does offer some potentially fruitful avenues of investigation for the most common ones. An ongoing challenge for facial recognition is segmentation—distinguishing facial features from surrounding information. Another signifi-
OCR for page 122
Biometric Recognition: Challenges and Opportunities cant challenge for it is invariant representation—that is to say, finding a representation that is robust and persistent even when there are changes in pose, expression, illumination, and imaging distance, or when time has passed. Specific challenges with respect to fingerprints include reducing the failure to enroll (FTE) and failure to acquire (FTA) rate, perhaps through the design of new sensors, artifact detection, image quality definition and enhancement, and high-resolution fingerprint matching. Fingerprint-based biometric systems could also be improved by increasing the speed of capture and minimizing contact, particularly for 10-print systems. Iris recognition systems present R&D opportunities in the following areas: sensors; optimization of the illumination spectrum; reducing FTE and FTA rates; capturing and recognizing the iris at greater distances and with movement of the subject; and reducing the size of the hardware. Improving speaker separation, normalizing channels, and using higher-level information (that is, beyond basic acoustic patterns) would all offer opportunities to improve voice recognition. In addition, robustness and persistence are needed in the face of language and behavioral changes and the limited number of speech samples. Information Security Research In many applications, biometric systems are one component of an overarching security policy and architecture. The information security community is extensive and has long experience with some of the challenges raised by biometric systems, which gives it a real opportunity for fruitful and constructive interaction with the biometrics community. Biometric systems pose two kinds of security challenges. The first is the use of biometrics to protect—provide security for—information systems. For what types of applications and in which domains is an approach incorporating biometric technologies most appropriate? This is a question for the broader information security community as well as the biometrics community and requires that we understand the goals and needs of an application to ascertain whether a biometrics-based approach is useful. Assuming that a biometrics system is in place, the second security challenge is the security, integrity, and reliability of the system itself.11 Information security research is needed that addresses the unique problems of biometric systems, such as preventing attacks based on the presentation of fake biometrics, the replay of previously captured biometric samples, and the concealment of biometric traits. Developing techniques 11 See NRC, Toward a Safer and More Secure Cyberspace, Washington, D.C.: The National Academies Press (2007) for an in-depth discussion of security.
OCR for page 123
Biometric Recognition: Challenges and Opportunities for protecting biometric reference information databases to avoid their use as a source of fake biometrics is another area for such research. Decision analysis and threat modeling are other critical areas requiring research advances that will allow employing biometric systems more fully across a range of applications. Testing and Evaluation Research Testing and evaluation are an important component in the design, development, and deployment of biometric systems. Several areas related to the testing and evaluation of biometric systems are likely to prove fruitful. This section describes a few of them. While there has been significant work on testing and evaluating a variety of approaches,12 it is the committee’s view that an even broader approach has merit. Moreover, while standardized evaluations of biometric systems are highly useful for development and comparison, their results may not reliably predict field performance. Methods used successfully for the study and improvement of systems in other fields (for example, controlled observation and experimentation on operational systems guided by scientific principles and statistical design and monitoring) should be used in developing, maintaining, assessing, and improving biometric systems. (See Chapter 3 for lessons that may be applicable from other domains.) The work over the last decade within the international standards community to reach agreement on fundamental concepts, such as how error rates are to be measured, has clarified the application of test methods under the usual laboratory conditions for biometric systems deployments.13 Guidance for potential deployers of biometric systems on what is even a useful and appropriate initial set of questions to ask before getting into the details of modalities and so forth, as developed by a number of groups, has 12 NIST’s emerging National Voluntary Laboratory Accreditation Program (NVLAP) for biometrics represents progress in formalizing testing programs but does not yet provide specific testing methods required for different products and applications and does not yet address operational testing. The NVLAP Handbook 150-25 on Biometrics Testing is available at http://ts.nist.gov/Standards/Accreditation/upload/NIST-Handbook-150-25_public_draft_v1_09-18-2008.pdf. 13 Note that while these standards are aimed at a broad swath of systems, they are not seen as appropriate for governments to use for large-scale AFIS systems, where they would need to be tested for conformance to standards, compliance with system requirements, alignment with capacity and accuracy requirements, and satisfaction of availability and other traditional system parameters.
OCR for page 124
Biometric Recognition: Challenges and Opportunities proven particularly useful.14 And of course, in addition to the technical questions that need to be addressed, there are issues regarding how to measure cost over the life cycle of the system and how to assess potential and actual return on investment (ROI). Unfortunately, ROI analysis methodologies and case studies have been lacking in comparison to other types of assessments. See Box 5.1 for a brief discussion and example of an ROI assessment. Ultimately, determining the performance of an operational system requires an operational test, because adequately modeling all of the factors that impact human and technology performance in the laboratory is extremely difficult. Although the international standards community has made progress in developing a coherent set of best practices for technology and scenario testing, guidelines for operational testing are still under development and have been slowed by the community’s general lack of experience with these evaluations and a lack of published methods and results.15 Designing a system and corresponding tests that can cope with ongoing data collection is a significant challenge, making it difficult for a potential user of biometric systems, such as a federal agency, to determine how well a vendor’s technology might operate in its applications and to assess progress in biometric system performance. Careful process and quality control analysis—as distinct from traditional, standardized testing of biometric systems that focuses on match performance for a test data set—at all stages of the system life cycle is essential. In addition, testing methods and results should be sufficiently open to allow disinterested parties to assess the results. Test Data Considerations One challenge meriting attention is test data for biometric systems. Designing large-scale systems requires large test data sets that are representative of the subject population, the collection environment, and system hardware expected in the target application. How does one determine which user population will be representative of the target application? The committee believes it is unlikely that being representative of the target application is the same as being representative of the population as a whole, because the population that should be considered will vary depending upon the ultimate application for which the system is 14 For example, the recommendations of the U.K. Biometrics Working Group in “Use of Biometrics for Identification and Authentication: Advice on Product Selection, Issue 2.0” (2002). Available at http://www.cesg.gov.uk/policy_technologies/biometrics/media/biometricsadvice.pdf. 15 ISO/IEC 19795-6, Biometric Performance Testing and Reporting—Part 6: Testing Methodologies for Operational Evaluation, is under development by ISO JTC1 SC37.
OCR for page 125
Biometric Recognition: Challenges and Opportunities used. Legal and privacy concerns have limited the collection and sharing of both test and operational data (for example, various data sets collected by the U.S. government) with researchers,16 raising the question of whether biometric data can be made nonidentifiable back to its origin.17 If it cannot, could synthetic biometric data be created and used in lieu of real biometric data?18 If the latter is possible, does the use of synthetic (imagined) data offer any scientific validity in assessing performance of a system using real data? When test results are available, who has access to them? These and related questions merit attention from not just the T&E community but the broader biometrics communities as well. Usability Testing Many factors related to usability can affect system effectiveness and throughput and may also affect how well the system performs its recognition tasks. Testing and evaluation mechanisms are therefore needed that provide insight into how well a system under consideration handles a variety of user interface expectations. Despite the recent focus of NIST’s information access division on usability testing, there is still major work to be done. One potential area of investigation is to incorporate into the design of the interface information on the expected motor control and cognitive capabilities of the user popu- 16 Government operational biometric data—that is, personally identifiable information (PII)) for research and testing are governed by the privacy impact assessments (PIAs) and system-of-record notices (SORNs) associated with the specific systems, which are required by the Privacy Act of 1974. Whether the Privacy Act provides the latitude to use operational biometric and biometric-related data for large-scale research and testing purposes (during acquisition and operation) so long as data privacy and integrity are adequately protected is subject to interpretation. Various scenarios for how such data might be shared include these: (1) using the data (such as from IAFIS or US-VISIT) internal to the agency collecting the data, (2) using such data outside the agency collecting the data (such as providing multiagency data to NIST for analysis), or (3) providing such data to a university and/or industry team for analysis, etc. Assuming the Privacy Act permits such uses, then the PIAs and SORNs would have to specify such use of the data. The NIST multimodal biometric application resource kit (MBARK) data set is an example of test data collected but not disseminated for privacy reasons. The Department of Homeland Security (DHS) has released its former IDENT database to NIST for testing (NIST reports refer to it as DHS-2), but it has not been released to general researchers. 17 Fingerprint images that are sufficiently similar to the original fingerprint can be reconstructed from data representations of the fingerprints. See J. Feng and A.K. Jain, FM model based fingerprint reconstruction from minutiae template, International Conference on Biometrics (2009), pp. 544-553. Available at http://biometrics.cse.msu.edu/Publications/Fingerprint/FengJain_FMModel_ICB09.pdf. 18 SFINGE, a fingerprint synthesis technique, is described in Chapter 6 of D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar, Handbook of Fingerprint Recognition, 2nd edition, Springer Verlag (2009).
OCR for page 126
Biometric Recognition: Challenges and Opportunities BOX 5.1 Return on Investment and Suitability Considerations Determining the return on investment (ROI) for a biometric system is very much dependent on the application. It is based, among other things, on the risk the system is mitigating, the severity of the risk (projected loss in dollars should a security breach occur), and the anticipated benefits to the implementer of success. Making the business case for biometrics has proved difficult for many reasons, including the following: (1) the business value of security and deterrence—if they are the goal of the biometric system under consideration, is always difficult to quantify, regardless of technology; (2) fraud rates and costs of long-standing business systems (for example, PINs and passwords) are not well understood; and (3) total costs for biometrics systems have not been well documented or reported. Some media reports have been critical of biometric systems on the issue of return on investment, but not enough systematic study has been done on this issue to reach any firm, general conclusions. A primary distinction between types of applications is between commercial applications aimed at, say, convenience or fraud reduction and applications whose goal is improving national or large organization security. Commercial applications of biometric systems are almost completely driven by financial considerations. Decisions about the implementation of commercial biometric systems are made based on expected cost savings, enhanced customer service or convenience, or regulatory compliance. When biometric systems are deployed as a component of a security apparatus, they face similar challenges to investment in cybersecurity—that is to say, the improvements are notoriously hard to quantify. Commercial application ROI computations tend to be problematic, but those for national security applications tend to be even more difficult, with the biggest problems being determining the probability of an attack, the costs of a successful attack, and the life-cycle costs of the biometric system, including supervision and management costs. This is an area where case studies and research are badly needed and requires considering all the factors discussed in earlier chapters. It is especially important to take into account the trade-offs for life-cycle costs associated with lations. Such information would allow the use of public health statistics to estimate the percentage of the general population (or subpopulation) that would be expected to have either cognitive or physical difficulties using the systems. By incorporating this understanding of the skills expected of users, designers and developers could tune the interfaces in ways that would increase their usability. Usability is affected by other factors as well. For example, some unknown percentage of the population has a condition in which the fingers do not possess the usual friction ridges central to the functioning of fingerprint-based biometric system. In addition, some unknown (but believed to be nonzero) percentage of the population has either no irises or irises of unusual shape. When setting baseline error rates, it is important
OCR for page 128
Biometric Recognition: Challenges and Opportunities or, conversely, for people who are very familiar with it (much as toll pass transponder users can use dedicated lanes on highways)? ROI Analysis Methodologies and Case Studies Determining the potential ROI and identifying which system characteristics contribute is an important means of evaluating any biometrics deployment. In addition to how well a system meets its requirements, there are issues about measuring cost over the life cycle of the system and assessing potential (and actual) ROI. There are relatively few ROI analysis methodologies and case studies. The research opportunity here is to develop methods for examining likely costs and cost savings that take into account the technical life cycle as well as ongoing maintenance and usage costs. Evaluative Frameworks for Potential Deployers In addition to system and technology tests, there is a significant opportunity to develop an evaluative model that would guide potential procurers and users of biometric systems. Guidance for potential users of biometric systems on an appropriate initial set of questions to ask before getting into the details of modalities and so forth has proven particularly useful.19 Testing When Data Changes Designing a system and tests that can cope with ongoing data collection after it has been deployed is a significant challenge. The characteristics of the data may change from what was assumed during testing. This could be due to changes in the technology, changes in the user population, changes in how the system is used, or all of the above. Such potential changes to the data make it a challenge for potential users of biometrics, such as federal agencies, to readily determine how well a given vendor’s technology might operate for the agency’s applications over time. Developing testing and evaluation methodologies that can account for such potential changes or offer information on how a system’s performance 19 The NRC report Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment (The National Academies Press, Washington, D.C., 2008) provides a framework for assessing program efficacy as well as impacts on privacy. The U.K. Biometrics Working Group developed another such document, which is available at http://www.cesg.gov.uk/policy_technologies/biometrics/media/biometricsadvice.pdf.
OCR for page 129
Biometric Recognition: Challenges and Opportunities might change in the event of significant changes to the data characteristics is an opportunity for further investigation. Operational Testing Finally, operational testing is problematic in that most existing systems do not retain the data needed to determine error and throughput rates. Each system collects and stores different data in application-specific ways. Additionally, ground truth (all of the relevant facts about all participants) cannot be known in real applications with arbitrary user populations. Privacy rights of the data subjects may prevent using collected data for testing purposes. Lastly, because system operators may not wish others to know about operational performance for reasons of security, very few operational test results have ever been published. The ISO/IEC JTC1 SC37 standards committee has been working for a number of years on basic guidance for operational testing, but progress on this standard, to be known as ISO/IEC 19795, Part 6, has been slow, reflecting the inherent difficulties in making general statements about operational tests. Systems-Level Statistical Engineering Research In addition to the modality-related technical challenges outlined above, there are broad systems-level considerations to take into account. In particular, statistics and statistical engineering offer opportunities for progress and the development of design principles and model designs for operational testing of biometric systems and experimentation with modifiable system parameters. This section outlines some potential research questions in statistical engineering and biometric systems that merit attention. Statistical approaches come into play with respect to the user populations, including cross-sectional and longitudinal studies of the variability of various biometric modalities over time, the association of biometrics with demographic and medical factors, and the effects of demographic factors and physical characteristics on failure to acquire and error rates. Another systems-level consideration is error rates in biometric systems, including the following topics: The relative contribution to error of different phases and components of biometric recognition (on an algorithm-by-algorithm basis, because error rates and their causes are algorithm specific); The potential for algorithm-specific quality control measures to reduce error rates in varying populations of data subjects; The application of known statistical methods for analysis of cor-
OCR for page 130
Biometric Recognition: Challenges and Opportunities related data to estimation20 of false match and false nonmatch rates for recognition tasks; and The investigation of new statistical models for the estimation as above but from biometric databases where information on replication is incomplete—that is, replication is known only for a subset, or some information about variation in replicate measurements is available from an external source. Other areas of potential investigation include studies of statistical efficiency and cost-benefits of different approaches to choosing, acquiring, and utilizing multimodal biometrics of various sorts. Issues to be considered would include the relative algorithmic-dependent within-class and between-class variation of sample choice such as multiple instances of 2 fingerprints versus single instances of 10 fingerprints versus single instances of 2 fingerprints combined with two-dimensional facial imaging. The aim is to develop the most informative fusion methods based on application- and algorithm-dependent multivariate distributions of biometric features. Research on Scale There are many ways in which scale may manifest itself in biometric systems. These include the number of sensors in the system, the number of comparisons being performed for a given unit time or a given input sample, the number of users (including administrators and operators), the geographic spread of the system, the size of the potential user population, or any combination of these factors. Addressing issues of scale in biometric systems offers numerous opportunities for research. For instance, one question is this: How does the number of persons who have references in the enrolled database affect the speed of the system and its error rates? For some applications and associated algorithmic approaches, the size of the database might not matter if typical operation involves only a one-to-one comparison—that is, one set of submitted samples being compared to one set of enrollment records. For large-scale identification and screening systems, sequentially performing a very large number of one-to-one matches is not effective; there is a need for efficiently scaling the system to control throughput and false-match error rates as the size of the database increases. Typical approaches to scaling include (1) using multiple hardware 20 The committee notes the reluctance to use interval estimation because of lack of agreement on how to handle systematic errors except through personal probability. See ISO/IEC, Guide 98-3 (1995) Guide to the Expression of Uncertainty in Measurement.
OCR for page 131
Biometric Recognition: Challenges and Opportunities units, (2) coarse pattern classification (for example, first classifying a fingerprint into classes such as arch, tented arch, whorl, left loop, and right loop), and (3) extensive use of exogenous data (such as gender, age, and geographical location) supplied by human operators. Although these approaches perform well in practice, they come at a price. Using hardware linearly proportional to the database size is expensive. Coarse pattern classification offers substantial scaling advantages even when single measures are available and even more advantage with multiple measures—for example, fingerprints from multiple fingers—but can add to the nonmatch error rates. Use of exogenous information creates a mechanism for intentionally avoiding identification—for example, dressing as the opposite sex or appearing older—if someone is trying to avoid being recognized by the system, not to mention potential privacy compromises. Ideally, one would like to index biometric data patterns in some way similar to that used in conventional databases in order to benefit from lessons learned in other arenas. However, due to large intraclass variation in biometric data caused by variation in collection conditions and human anatomies and behaviors, it is not obvious how to ensure that samples from the same pattern fall into the same index bin. There have been very few published studies on reliably indexing biometric patterns.21 Efficient indexing algorithms would need to be developed for each technology/modality combination. It is unlikely that any generic approach would be applicable to all biometric measures, although efforts to understand similarities and where lessons from one type of system can be applied to another are warranted. False-match errors generally increase with the number of required comparisons in a large-scale identification or watch-list system. As most comparisons are false (for example, a submitted sample compared to the enrollment pattern of another person), increasing the size of the database increases the number of opportunities for a false match. However, in large-scale systems it is unlikely that a sample would be compared against every possible match in the database. Instead, just as with search algorithms generally, the set of items to compare against is winnowed according to certain criteria as quickly as possible to save time and memory. Because of the nonindependence of sequential comparisons using the same sample data, coupled with architectural and algorithm design choices that are aimed at finding any matches while sustaining throughput rate and limiting active memory, the relationship between the number 21 J.L. Wayman, Multi-finger penetration rate and ROC variability for automatic fingerprint identification systems, in N. Ratha and R. Bolle, eds., Automatic Fingerprint Recognition Systems, New York: Springer Verlag (2003).
OCR for page 132
Biometric Recognition: Challenges and Opportunities of false matches and database size is a poorly understood issue meriting further investigation.22 Although a watch-list database in a screening system is much smaller than that in a large-scale identification application, the number of continuous or active comparisons may be huge. Therefore, as in large-scale applications, the throughput and error-rate issues are also critical in screening applications. Computationally, scaling of large systems for near-real-time applications involving 1 million identities is becoming feasible, as is screening the traffic for 500 recognized identities. However, designing and building a real-time identification system involving 100 million identities is beyond our understanding. More research is needed here as well. Social Science Research Opportunities Biometric systems require an intimate association between people and the technologies that collect and record their biological and behavioral characteristics. This is true whether the application is overt or covert, negative claim or positive claim. It is therefore incumbent on those who conceive, design, and deploy biometric systems to consider the cultural and social contexts of these systems. Unfortunately, there are few rigorous studies of these contexts. Below is a framework for developing a portfolio of future research investigations that could help biometric systems better cope and perform within their cultural and social contexts. Cultural and social issues arise at essentially two different levels—for the individual and for society. At the level of the individual, whether they are interacting actively or passively with a biometric system (for example, the person seeking entry to a facility), the issue is the performance of a biometric system. At the societal level, the issue is the social impact of the biometric system (for example, all are affected, either directly or indirectly, by the trade, tourism, and terrorism effects of a biometric passport). At the level of the individual, social considerations are critical in the design, deployment and functioning of biometric systems. As we have noted, system performance may well be degraded if relevant social factors are not adequately taken into consideration. For example, religious beliefs that call for adherents to cover their faces in public make facial-recognition biometrics problematic. Thus if a biometric system is to work well for a broad range of people it must take into account behaviors resulting from 22 See, for example, J.L. Wayman, Error rate equations for the general biometric system, IEEE Robotics and Automation 6(1): 35-48, and H. Jarosz, J.-C. Fondeur, and X. Dupré, Large-scale identification system design, J.L. Wayman, A.K. Jain, D. Maltoni, and D. Maio, eds., Biometric Systems: Technology, Design, and Performance Evaluation, New York: Springer (2005).
OCR for page 133
Biometric Recognition: Challenges and Opportunities such things as religion or social convention. Every biometric system has a protocol for how it is to be interacted with. The protocol may be simple or complex, uniform in application, or tailored to the individual. Obviously, however, a good protocol for a biometrics system must recognize variations in biological features. A system based on fingerprints must have ways to gracefully accommodate a person who is missing a finger or who otherwise does not have usable fingerprints. In addition to the design issue of affordance, previously discussed, research is needed to determine effective, appropriate, and graceful protocols, processes, and devices that gain the cooperation of participants, and the protocols and devices must be acceptable to the community. In biometric systems that are essentially surveillance systems, compliance should be thought of as more than acquiescence and should extend to gracefully (perhaps without notice) promoting the types of behavior (for example, face pose and angle) that result in useful biometric measures. Full compliance represents the ideal interaction of the participant with the biometric system from the viewpoint of the system designers. Acceptability to the community refers to the endorsement, or at least the lack of active disapproval, by significant governmental and public leadership groups. In any case, community acceptability is not guaranteed. Influential parts of the community may find biometric systems overly intrusive, unfair to certain groups, or inadequately protective of the individual’s privacy. The dimensions of individual compliance and community acceptability are discussed next. One part of the design process for particular systems or, more realistically, for a particular class of systems might be to develop data that predict how well the biometric system will perform in a target community and on factors that may make the system more acceptable to that community. Predictive aspects may just have a statistical relationship with subject compliance or community acceptability, while acceptability factors probably have a causal relationship. Developing data in these areas will provide the evidence needed to assess the relationships. The extent and nature of participant compliance can be discovered and confirmed using either or both of two basic research strategies: field studies using ethnographic tools such as in cultural anthropology or attitude studies of using survey methods such as are common in sociology. Some of the things that might predict participant compliance include participant attitudes toward authority, their willingness to try new technology, their adherence to certain religious or cultural beliefs, and the geographic distribution of the population. Such work could, in theory, be part of the design work for biometrics systems but is generally not done, possibly because of the expense and effort involved. Research that
OCR for page 134
Biometric Recognition: Challenges and Opportunities sheds light on these issues would provide valuable information for those designing and building biometric systems. Factors that motivate participant compliance can be discovered by experimental studies, essentially creating laboratory environments in which the factors can be controlled. This research paradigm is common in experimental psychology, but the extent to which such controlled studies might develop data that reflect factors encountered in operational applications is only speculative. Some candidate factors include self-interest, enforcement, inducement, social pressure, conviction, habit or practice, behavior of other actors, pleasantness of the experience, and attention to cultural norms. The more common approach is to survey data subjects who have just encountered an operational system to elicit their opinions,23 but even this approach has rarely been applied. Aspects that predict the extent and nature of community acceptability can be discovered and confirmed using either or both of two basic research strategies: field studies of similar deployments using ethnographic tools—as indicated for participant compliance above, or focus groups that are asked to discuss how they view various characteristics of a biometric system such as are common in marketing studies. The kinds of aspects that might be predictive of community acceptability include resemblance to existing well-tolerated systems, operated under the auspices of a respected institution, or a system that meets all legal requirements One factor in motivating community acceptability is whether community concerns—for example, fairness, privacy, and confidentiality—are addressed. Using data from research in these and related areas, it should be possible to address a variety of relevant questions, such as: Where on the scale of purely voluntary to mandatory is a particular biometric system? In largely voluntary systems does cooperation vary by subgroup such as age, sex, or race? Does habituation lead to greater cooperation? How important is it that participants believe they or others will not be harmed? What factors influence such trust? What are effective and appropriate compliance mechanisms for biometric systems? Although it is not reasonable to expect designers of a specific system to conduct such research, these questions could be addressed as part of a more general research agenda. 23 As was done, for example, by the Orkand Corporation in Personal Identifier Project: Final Report, California Department of Motor Vehicles report DMV88-89 (1990).
OCR for page 135
Biometric Recognition: Challenges and Opportunities PUBLIC POLICY CONSIDERATIONS AND RESEARCH OPPORTUNITIES Numerous issues come into play beyond technical and engineering considerations in government use of biometric systems. These other issues include the following: To what extent can the need for a biometric system be satisfied by current technical capability? Balancing mandates with maturity of systems and technology is critical. Aggressive schedules can push technology development forward but not all challenges can be addressed on short notice. Is there sufficient flexibility and time to support the risk management needed to develop and deploy a biometric system? Governments must avoid increasing risk through overly constrained integration and testing timelines and budgets. The risks include the possibility not only that the system will fail or be compromised but also the possibility that the system will be rejected by its users or be so cumbersome or inefficient that it is withdrawn from use. Should participation in the system be mandated? Such a mandate might foster a climate of distrust or social unrest. What is the nature of the biometrics workforce? To the extent that biometric systems and related technologies are seen as important to meet public policy goals, is there sufficient incentive to grow and maintain the needed expertise? Training and maintaining consistent biometrics workforce has been difficult. Several organizations recently announced plans to create certification programs for professionals, but consensus must be reached on what skills are required of a professional in this area. The creation of a biometrics undergraduate program at West Virginia University is a step in the right direction. (The program has a ready customer: the FBI’s Criminal Justice Information Center in Clarksburg, West Virginia.) The sourcing of the technology is crucial to the government’s successful deployment of technological and information systems, including biometric systems. There is an inherent danger in relying on companies with manufacturing, research, or development activities centered overseas. For biometric systems, especially, the risk is the potential for U.S. biometric data to be collected by foreign governments, inviting scrutiny of U.S. information on border control systems and other critical infrastructure by persons not cleared by the U.S. government. The social science considerations described above may have impacts on broader public policy considerations. Systematic empirical research and factual analysis would help provide an evidence case for public
OCR for page 136
Biometric Recognition: Challenges and Opportunities policy in this area. Some key research questions that have an impact on public policy include the following: What lessons can be learned from environmental impact statements and privacy impact assessments that might be relevant to deciding whether social impact assessments for biometric systems are useful? Do existing or proposed biometric systems represent a serious potential for identity theft? How have authoritarian regimes made use of human recognition methods to assert their control over individuals? In what ways might biometric systems enable these sorts of uses? How could such a risk be mitigated? To what extent are privacy requirements, interagency control issues, and policy constraints, or the perception thereof, inhibiting the research use and sharing of existing biometric data? What belief sets, if any, lead to an aversion to certain biometric technologies? A reliable and effective biometric system may be perceived as providing irrefutable proof of identity of an individual, notwithstanding the many uncertainties already mentioned, raising concerns for users. Will the information regarding biometrics-based access to resources be used to track individuals in a way that infringes on privacy or anonymity? Will biometric data be used for an unintended purpose: For example, will fingerprints provided for access control be matched against fingerprints in a criminal database? Will data be used to cross-link independent records from the same person—for example, health insurance and grocery purchases? How would a user be reassured that a biometric system is being used for the intended purpose only? Designing information systems—not only biometric systems—whose functionality is verifiable during deployment is very difficult. One solution might be a system that meticulously records recognition decisions and the people who accessed the logged decisions using a biometric-based access control system. Such a system could automatically warn users if a suspicious pattern is seen in the system administrator’s access of users’ logs. Another solution might be biometric cryptosystems—cryptographic keys based on biometric samples. Radical approaches such as total transparency attempt to solve the privacy issues in a novel way. But there are no obviously satisfactory solutions on the horizon for the privacy problem. Additional research on the relationship between biometric (bodily) information and privacy is needed. The privacy protections required to facilitate data collection from and about biometric systems need to be clearly established. Because many of these systems are deployed to satisfy security needs, it is reasonable to
OCR for page 137
Biometric Recognition: Challenges and Opportunities expect that performance and vulnerability data need to be protected. For best results, the data sets for such research should be very large, contain very few errors in ground truth (metadata indexing), be appropriately randomized, and represent the populations of interest to target applications. To the extent consistent with privacy and security, the results of the studies should be published in the peer-reviewed scientific literature and the biometric samples used made widely available to other researchers. REALIZING A WELL-DESIGNED BIOMETRIC SYSTEM Research in the areas described above is warranted more than ever as biometric systems become widespread and are used in critical applications. This report concludes by taking a step back and presenting a vision of a well-designed biometric system that should persist even as progress is made on the challenges described earlier in this chapter. A well-designed biometric system includes more than technology. It is a complex combination of technology, public policy, law, human processes, and social consensus. In the long term, there may be new modalities that allow recognizing human characteristics and behaviors quickly and effectively with little or no interaction on the individual’s part. Human beings may turn out to possess distinctive traits that have yet to be fully explored or that cannot be suitably represented by present technology. Some of the potential sources of suitable signals currently being pursued include inductive signature and brain waves (EKG activity). Each of these potential signal sources could bring with it a new set of societal and policy issues requiring exploration. Even with all of these uncertainties, and even with the many intriguing open questions that merit research, the committee believes that the following framework for a well-designed biometric system will apply for the foreseeable future. Progress in such research will lead to even more well-designed systems. This framework is offered as both an evaluative tool and as a development tool. A well-designed biometric recognition system will have (at least) the following characteristics: The system will be designed to take into account that no biometric characteristic is entirely stable and distinctive. In other words, it will take into account that biometric similarity represents a likely, not a definitive, recognition and and that the corresponding is true for a failure to find similarity. In particular, presumptions and burdens of proof will be designed conservatively, with due attention to the system’s inevitable imperfections. The policies of such a system will recognize that any claimed probabilities of correctness depend on external assumptions about dynamic
OCR for page 138
Biometric Recognition: Challenges and Opportunities presentation distributions, and that these assumptions, whether subjective or based on estimates from past internal or external data, are fallible. It will enable system operators and users to recognize that biometric information has a life cycle. Biometric information is collected or modified during, for example, enrollment, recognition, and so on. But policies should also recognize that changes in the biometric characteristics of the individual can lead to incorrect or failed recognition. The system will be designed so that system operators and users recognize that some inaccurate information may be created and stored in the databases linked to biometric references, and that over time information in these databases will become out of date. In particular, the reliability of information in the database is independent of the likelihood of correct recognition. The system will be designed to handle challenges to the accuracy of database information in a fair and effective way. Because the system’s sensors and back-end processes are not perfectly accurate, it will need to handle failures to enroll, failures to acquire samples, and other error conditions gracefully and without violating dignity, privacy, or due process rights. Because some individuals will attempt to force the system into failure modes in order to avoid recognition, the system’s failure modes must be just as robustly designed as the primary biometrics-based process. The system’s security, privacy, and legal goals must be explicit and publicly stated, and they must be designed to protect against a specific and enumerated set of risks. The system will specifically address the possibility that malicious individuals may be involved in the design and/or operation of the system itself. It will recognize that biometric traits are inherently not secret and will implement processes to minimize both privacy risks and risks of misrecognition arising from this fact. CONCLUDING REMARKS This report lays out a broad systems view and outlines many of the subject areas with which biometrics research intersects. The committee also describes many open research problems, ranging from deep scientific questions about the nature of individuality to vexing technical and engineering challenges. It raises questions about appropriate system architecture and life-cycle design as well as questions about public policy regarding both private sector and government use of biometric systems. It notes that biometrics is an area that benefits from analyzing very large amounts of data. These and other aspects of biometrics suggest many fruitful areas and interesting problems for researchers from a range of disciplines.