1
Introduction and Fundamental Concepts

From a very young age, most humans recognize each other easily. A familiar voice, face, or manner of moving helps to identify members of the family—a mother, father, or other caregiver—and can give us comfort, comradeship, and safety. When we find ourselves among strangers, when we fail to recognize the individuals around us, we are more prone to caution and concern about our safety.

This human faculty of recognizing others is not foolproof. We can be misled by similarities in appearance or manners of dress—a mimic may convince us we are listening to a well-known celebrity, and casual acquaintances may be incapable of detecting differences between identical twins. Nonetheless, although this mechanism can sometimes lead to error, it remains a way for members of small communities to identify one another.

As we seek to recognize individuals as members of larger communities, however, or to recognize them at a scale and speed that could dull our perceptions, we need to find ways to automate such recognition. Biometrics is the automated recognition of individuals based on their behavioral and biological characteristics.1

1 “Biometrics” today carries two meanings, both in wide use. (See Box 1.1 and Box 1.2.) The subject of the current report—the automatic recognition of individuals based on biological and behavioral traits—is one meaning, apparently dating from the early 1980s. However, in biology, agriculture, medicine, public health, demography, actuarial science, and fields related to these, biometrics, biometry, and biostatistics refer almost synonymously to statistical and mathematical methods for analyzing data in the biological sciences. The two usages of “biometrics” overlap both in subject matter—human biological characteristics—and in historical lineage. This report’s definition of biometrics is consistent with ISO/IEC JTC 1/SC 37 Standing Document 2, “Harmonized Biometric Vocabulary, version 10,” August 20, 2008.



BOX 1.1 History of the Field—Two Biometrics

“Biometrics” has two meanings, both in wide use. The subject of this report—the automatic recognition of individuals based on biological and behavioral traits—is one meaning, which apparently dates from the early 1980s. In biology, agriculture, medicine, public health, demography, actuarial science, and fields related to these, “biometrics,” “biometry,” and “biostatistics” refer almost synonymously to statistical and mathematical methods for analyzing data in the biological sciences. This usage stems from the definition of biometry proffered by the founder of the then-new journal Biometrika in its 1901 debut issue: “the application to biology of the modern methods of statistics.” The writer was the British geneticist Francis Galton, who made important contributions to fingerprinting as a tool for identification of criminals, to face recognition, and to the central statistical concepts of regression analysis, correlation analysis, and goodness of fit. Thus, the two meanings of “biometrics” overlap both in subject matter—human biological characteristics—and in historical lineage. Stigler (2000) notes that others had preceded the Biometrika founders in combining derivatives of the Greek βíος (bios) and μετρον (metron) to have specific meanings.1 These earlier usages do not survive.

Johns Hopkins University opened its Department of Biometry and Vital Statistics (since renamed the Department of Biostatistics) in 1918. Graduate degree programs, divisions, and service courses with names incorporating “biostatistics,” “biometrics,” or “biometry” have proliferated in academic departments of health science since the 1950s. The American Statistical Association’s 24 subject-matter sections began with the Biometrics Section in 1938, which in 1945 started the journal Biometrics Bulletin, renamed Biometrics in 1947. In 1950 Biometrics was transferred to the Biometric Society (now the International Biometric Society), founded in 1947 at Woods Hole, Massachusetts. The journal promotes “statistical and mathematical theory and methods in the biosciences through . . . application to new and ongoing subject-matter challenges.” Concerned that Biometrics was overly associated with medicine and epidemiology, in 1996 the Society and the American Statistical Association jointly founded the Journal of Agricultural, Biological, and Environmental Statistics (JABES). The latter, along with other journals such as Statistics in Medicine and Biostatistics, has taken over the original mission of Biometrika, now more oriented to theoretical statistics.

Automated human recognition began with semiautomated speaker recognition systems in the 1940s. Semiautomated and fully automated fingerprint, handwriting, and facial recognition systems emerged in the 1960s as digital computers became more widespread and capable. Fully automated systems based on hand geometry and fingerprinting were first deployed commercially in the 1970s, almost immediately leading to concerns over spoofing and privacy. Larger pilot projects for banking and government applications became popular in the 1980s. By the 1990s, the fully automated systems for both government and commercial applications used many different technologies, including iris and face recognition.

Clearly both meanings of biometrics are well established and appropriate and will persist for some time. However, in distinguishing our topic from biometrics in its biostatistical sense, one must note the curiosity that two fields so linked in Galton’s work should a century later have few points of contact. Galton wished to reveal the human manifestations of his cousin Charles Darwin’s theories by classifying and quantifying personal characteristics. He collected 8,000 fingerprint sets, published three books on fingerprinting in four years,2 and proposed the Galton fingerprint classification system, extended in India by Azizul Haque for Edward Henry, Inspector General of Police in Bengal, and documented in Henry’s book Classification and Uses of Finger Prints. Scotland Yard adopted this classification scheme in 1901 and still uses it.

But not all of Galton’s legacy is positive. He believed that physical appearances could indicate criminal propensity and coined the term “eugenics,” which was later used to horrific ends by the Third Reich. Many note that governments have not always used biologically derived data on humans for positive ends.

Galton’s work was aimed at understanding biological data. And yet biostatisticians, who have addressed many challenges in the fast-moving biosciences, have been little involved in biometric recognition research. And while very sophisticated statistical methods are used for the signal analysis and pattern recognition aspects of biometric technology, the systems and population sampling issues that affect performance in practice may not be fully appreciated. That fields once related are now separate may reflect that biometric recognition is scientifically less basic than other areas of interest, or that funding for open research is lacking, or even that most universities have no ongoing research in biometric recognition. A historical separation between scientifically based empirical methods developed specifically in a forensic context and similar methods more widely vetted in the open scientific community has been noted in other contexts and may also play a role here.3,4

1 S.M. Stigler, The problematic unity of biometrics, Biometrics 56: 653-658 (2000).
2 F. Galton, Fingerprints (1892); Decipherment of Blurred Finger Prints (1893); and Fingerprint Directories (1895). All were published by Macmillan in London.
3 National Research Council, The Polygraph and Lie Detection (2003), Washington, D.C.: The National Academies Press, and National Research Council, Strengthening Forensic Science in the United States: A Path Forward (2009), Washington, D.C.: The National Academies Press.
4 For more on the history of the field and related topics, see F. Galton, On Personal Description, Dublin, Ireland: Medical Press and Circular (1888), and S.J. Gould, The Mismeasure of Man, New York: Norton (1981).

BOX 1.2 A Further Note on the Definition of Biometrics

The committee defines biometrics as the automated recognition of individuals based on their behavioral and biological characteristics. This definition is consistent with that adopted by the U.S. government’s Biometric Consortium in 1995. “Recognition” does not connote absolute certainty: the biometric systems that the committee considers always recognize with some level of error.

This report is concerned only with the recognition of human individuals, although the above definition could include automated systems for the recognition of animals. The definition used here avoids the perennial philosophical debate over the differences between “persons” and “bodies.”1 For human biometrics, an individual can only be a “body.” In essence, when applied to humans, biometric systems are automated methods for recognizing bodies using their biological and behavioral characteristics. The word “individual” in the definition also limits biometrics to recognizing single bodies, not group characteristics (either normal or pathological). Biometrics as defined in this report is therefore not the tool of a demographer or a medical diagnostician, nor is biometrics as defined here applicable to deception detection or analysis of human intent.

The use of the conjunction “and” in the phrase “biological and behavioral characteristics” acknowledges that biometrics is about recognizing individuals from observations that draw on both biology and behavior. The characteristics observable by a sensing apparatus will depend on current and, to the extent that the body records them, previous activities (for example, scars, illness aftereffects, physical symptoms of drug use, and so on).

1 R. Martin and J. Barresi, Personal Identity, Malden, Mass.: Blackwell Publishing (2003); L.R. Baker, Persons and Bodies: A Constitution View, Cambridge, England: Cambridge University Press (2000).

Many traits that lend themselves to automated recognition have been studied, including the face, voice, fingerprint, and iris. A key characteristic of our definition of biometrics is the use of “automated,” which implies, at least here, that digital computers have been used.2 Computers, in turn, require instructions for executing pattern recognition algorithms on trait samples received from sensors. Because biometric systems use sensed traits to recognize individuals, privacy, legal, and sociological factors are involved in all applications. Biometrics in this sense sits at the intersection of biological, behavioral, social, legal, statistical, mathematical, and computer sciences as well as sensor physics and philosophy. It is no wonder that this complex set of technologies called biometrics has fascinated the government and the public for decades.

2 Early biometric systems using analog computers and contemporary biometric systems using optical comparisons are examples of nondigital processing of biometric characteristics.

The FBI’s Integrated Automated Fingerprint Identification System (IAFIS) and smaller local, state, and regional criminal fingerprinting systems have been a tremendous success, leading to the arrest and conviction of thousands of criminals and keeping known criminals from positions of trust in, say, teaching. Biometrics-based access control systems have been in continuous, successful use for three decades at the University of Georgia and have been used tens of thousands of times daily for more than 10 years at San Francisco International Airport and Walt Disney World.

There are challenges, however. For nearly 50 years, the promise of biometrics has outpaced the application of the technology. Many have been attracted to the field, only to leave as companies go bankrupt. In 1981, a writer in the New York Times noted that “while long on ideas, the business has been short on profits.”3 The statement continues to be true nearly three decades later. Technology advances promised that biometrics could solve a plethora of problems, including the enhancement of security, and led to growth in the availability of commercial biometric systems. While some of these systems can be effective for the problems they are designed to solve, they often have unforeseen operational limitations. Government attempts to apply biometrics to border crossing, driver licenses, and social services have met with both success and failure. The reasons for failure and the limitations of systems are varied and mostly ill understood. Indeed, systematic examinations that provide lessons learned from failed systems would undoubtedly be of value, but such an undertaking was beyond the scope of this report. Even a cursory look at such systems shows that multiple factors affect whether a biometric system achieves its goals. The next section, on the systems perspective, makes this point.

3 A. Pollack, Technology: Recognizing the real you, New York Times, September 9, 1981.

THE SYSTEMS PERSPECTIVE

One underpinning of this report is a systems perspective. No biometric technology, whether aimed at increasing security, improving throughput, lowering cost, improving convenience, or the like, can in and of itself achieve an application goal. Even the simplest, most automated, accurate, and isolated biometric application is embedded in a larger system. That system may involve other technologies, environmental factors, appeal policies shaped by security, business, and political considerations, or idiosyncratic appeal mechanisms, which in turn can reinforce or vitiate the performance of any biometric system.

Complex systems have numerous sources of uncertainty and variability. Consider a fingerprint scanner embedded in a system aimed at protecting access to a laptop computer. In this comparatively simple case, the ability to achieve the fingerprint scan’s security objective depends not only on the biometric technology but also on the robustness of the computing hardware to mechanical failures and on multiple decisions by manufacturer and employer about when and how the biometric technology can be bypassed, all of which together contribute to the systems context for the biometric technology.

Most biometric implementations are far more complex. Typically, the biometric component is embedded in a larger system that includes environmental and other operational factors that may affect performance of the biometric component; adjudication mechanisms, usually at multiple levels, for contested decisions; a policy context that influences parameters (for example, acceptable combinations of cost, throughput, and false match rate) under which the core biometric technology operates; and protections against direct threats to either bypass or compromise the integrity of the core or of the adjudication mechanisms. Moreover, the effectiveness of such implementations relies on a data management system that ensures the enrolled biometric is linked from the outset to the nonphysical aspects of the enrolling individual’s information (such as name and allowed privileges). The rest of this report should be read keeping in mind that biometric systems and technologies must be understood and examined within a systems context.

MOTIVATIONS FOR USING BIOMETRIC SYSTEMS

A primary motivation for using biometrics is to easily and repeatedly recognize an individual so as to enable an automated action based on that recognition.4 The reasons for wanting to automatically recognize individuals can vary a great deal; they include reducing error rates and improving accuracy, reducing fraud and opportunities for circumvention, reducing costs, improving scalability, increasing physical safety, and improving convenience. Often some combination of these will apply. For example, almost all benefit and entitlement programs that have utilized biometrics have done so to reduce costs and fraud rates, but at the same time convenience may have been improved as well. See Box 1.3 for more on the variety of biometric applications.

4 Note that here we are using “recognition” colloquially—the biometrics community often uses this term as part of the sample processing task; it uses “verification” to mean that a sample matches a reference for a claimed identity and “identification” to mean the searching of a biometric database for a matching reference and the return of information about that individual.

BOX 1.3 The Variety of Biometric Applications

Biometric technology is put to use because it can link a “person” to his or her claims of recognition and authorization within a particular application. Moreover, automating the recognition process based on biological and behavioral traits can make it more economical and efficient. Other motivations for automating the mechanisms for recognizing individuals using biometric systems vary depending on the application and the context in which the system is deployed; they include reducing error rates and improving accuracy; reducing fraud and circumvention; reducing costs; improving security and safety; improving convenience; and improving scalability and practicability. Numerous applications employ biometrics for one or more of these reasons, including border control and criminal justice (such as prisoner handling and processing), regulatory compliance applications (such as monitoring who has access to certain records or other types of audits), determining who should be entitled to physical or logical access to resources, and benefits and entitlement management.

The scope and scale of applications can vary a great deal—biometric systems that permit access might be used to protect resources as disparate as a nuclear power plant or a local gym. Even though at some level of abstraction the same motivation exists, the systems are likely to be very different and to merit different sorts of analysis, testing, and evaluation (see Chapter 2 for more on how application parameters can vary). The upshot of this wide variety of reasons for using biometric systems is that much more information is needed to assess the appropriateness of a given system for a given purpose beyond the fact that it employs biometric technology.

Historically, personal identification numbers (PINs), passwords, names, social security numbers, and tokens (cards, keys, passports, and other physical objects) have been used to recognize an individual or to verify that a person is known to a system and may access its services or benefits. For example, access to an automatic teller machine (ATM) is generally controlled by requiring presentation of an ATM card and its corresponding PIN. Sometimes, however, recognition can lead to the denial of a benefit. This could happen if an individual tries to make a duplicate claim for a benefit or if an individual on a watch list tries to enter a controlled environment.

But reflection shows that authorizing or restricting someone because he or she knows a password or possesses a token is just a proxy for verifying that person’s presence. A password can be shared indiscriminately, or a physical token can be given away or lost. Thus, while a system can be confident that the right password or token has been presented for access to a sensitive service, it cannot be sure that the item has been presented by the correct individual. Proxy mechanisms are even more problematic for exclusion systems such as watch lists, as there is little or no motivation for the subject to present the correct information or token if doing so would have adverse consequences. Biometrics offers the prospect of closely linking recognition to a given individual.

HUMAN IDENTITY AND BIOMETRICS

Essential to the above definition of biometrics is that, unlike the definition sometimes used in the biometrics technical community, it does not necessarily link biometrics to human identity, human identification, or human identity verification. Rather, it measures similarity, not identity. Specifically, a biometric system compares encountered biological/behavioral characteristics to one or more previously recorded references. Measures found to be suitably similar are considered to have come from the same individual, allowing the individual to be recognized as someone previously known to the system. A biometric system establishes a probabilistic assessment that the subject at hand is the same subject from whom the reference was collected.

If an individual is recognized, then previously granted authorizations can once again be granted. If we consider this record of attributes to constitute a personal “identity,” as defined in the NRC report on authentication,5 then biometric characteristics can be said to point to this identity record. However, the mere fact that attributes are associated with a biometric reference provides no guarantee that the attributes are correct and apply to the individual who provided the biometric reference. Further, as there is no requirement that the identity record contain a name or other social identifier, biometric approaches can be used in anonymous applications. More concisely, such approaches can allow for anonymous identification or for verification of an anonymous identity.

5 National Research Council, Who Goes There? Authentication Through the Lens of Privacy, Washington, D.C.: The National Academies Press (2003).

This has important positive implications for the use of biometrics in privacy-sensitive applications. However, if the same biometric measure is used as a pointer to multiple identity records for the same individual across different systems, the possibility of linking these records (and hence the various social identities of the same person) raises privacy concerns. See Box 1.4 for a note on privacy.

BOX 1.4 A Note on Privacy

Privacy is an important consideration in biometric systems. The report Who Goes There? Authentication Through the Lens of Privacy1 focused on the intersection of privacy and authentication systems, including biometrics. Much of that analysis remains relevant to current biometric systems, and this report does not have much to add on privacy other than exploring some of the social and cultural implications of biometric systems (see Chapter 4). This reliance on an earlier report does not suggest that privacy is unimportant. Rather, the committee believes that no system can be effective without considerable attention to the social and cultural context within which it is embedded. The 2003 NRC report just referred to and its 2002 predecessor, which examined nationwide identity systems,2 should be viewed as companions to this report.

1 National Research Council, Who Goes There? Authentication Through the Lens of Privacy, Washington, D.C.: The National Academies Press (2003).
2 National Research Council, IDs—Not That Easy: Questions About Nationwide Identity Systems, Washington, D.C.: The National Academies Press (2002).

The Fundamental Dogma of Biometrics

The finding that an encountered biometric characteristic is similar to a stored reference does not guarantee an inference of individualization—that is, that a single individual can be unerringly selected out of a group of all known individuals (or, conversely, that no such individual is known). The inference that similarity leads to individualization rests on a theory that one might call the fundamental dogma of biometrics:

    An individual is more similar to him- or herself over time than to anyone else at any time.

This is clearly false in general; many singular attributes are shared by large numbers of individuals, and many attributes change significantly over an individual’s lifetime. Further, it will never be possible to prove (or falsify) this assertion precisely as stated, because “anyone else” includes all persons known or unknown, and we cannot possibly prove the assertion for those who are unknown.6 In practice, however, we can relate similarity to individualization in situations where:

    An individual is more likely similar to him- or herself over time than to anyone else likely to be encountered.

This condition, if met, allows us to individualize through similarity, but with only a limited degree of confidence, based on knowledge of probabilities of encounters with particular biometric attributes. The goal in the development and application of biometric systems is to find characteristics that are stable and distinctive given the likelihood of encounters. If they can be found, then the above condition is satisfied and we have a chance of making biometrics work—to an acceptable degree of certainty—to achieve individualization.

6 The committee is aware of the Duhem/Quine and Popperian objections to provability in general of scientific theories.

A better fundamental understanding of the distinctiveness of human individuals would help in converting the fundamental dogma of biometrics into grounded scientific principles. Such an understanding would incorporate learning from biometric technologies and systems, population statistics, forensic science, statistical techniques, systems analysis, algorithm development, process metrics, and a variety of methodological approaches. However, the distinctiveness of the biometric characteristics used in biometric systems is not well understood at scales approaching the entire human population, which hampers predicting the behavior of very large scale biometric systems.

The development of a science of human individual distinctiveness is essential to the effective and appropriate use of biometrics as a means of human recognition and encompasses a range of fields. This report focuses on the biometric technologies themselves and on the behavioral and biological phenomena on which they are based. These phenomena have fundamental statistical properties, distinctiveness, and varying stabilities under natural physiological conditions and environmental challenges, many aspects of which are not well understood.
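To make the similarity-to-individualization idea concrete, the sketch below shows the generic threshold decision that the following sections describe in systems terms: a captured sample is reduced to features, scored against a stored reference, and declared a match only if the score clears a threshold. It is an illustrative toy, not code from the report; the feature vectors, the cosine-similarity measure, the "resident-042" identifier, and the 0.95 threshold are all invented stand-ins for the modality-specific algorithms and empirically tuned operating points that real systems use.

    import math

    def similarity(features_a, features_b):
        """Cosine similarity between two feature vectors (a stand-in for a real matcher)."""
        dot = sum(a * b for a, b in zip(features_a, features_b))
        norm = (math.sqrt(sum(a * a for a in features_a))
                * math.sqrt(sum(b * b for b in features_b)))
        return dot / norm if norm else 0.0

    class Verifier:
        def __init__(self, threshold=0.95):
            self.references = {}        # enrolled identity -> reference feature vector
            self.threshold = threshold  # raising it lowers false matches, raises false nonmatches

        def enroll(self, identity, features):
            self.references[identity] = features

        def verify(self, claimed_identity, presented_features):
            """Accept the claim only if the presented sample is similar enough to the
            stored reference; the decision is probabilistic, never a certainty."""
            reference = self.references.get(claimed_identity)
            if reference is None:
                return False
            return similarity(presented_features, reference) >= self.threshold

    # Hypothetical usage: enroll once, then score each later presentation.
    v = Verifier(threshold=0.95)
    v.enroll("resident-042", [0.31, 0.80, 0.52])
    print(v.verify("resident-042", [0.30, 0.79, 0.55]))  # True: sample close to the reference
    print(v.verify("resident-042", [0.90, 0.10, 0.42]))  # False: sample far from the reference

The threshold is where the fundamental dogma meets practice: it encodes a judgment about how much self-variation to tolerate and how much similarity between different people to expect, which is why the error rates discussed below can never be driven to zero.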

BASIC OPERATIONAL CONCEPTS

In this section, the committee outlines some of the concepts underlying the typical operation of biometric systems in order to provide a framework for understanding the analysis and discussion in the rest of the report.7 Two concepts are discussed: sources of (1) variability and (2) uncertainty in biometric systems and modalities, including multibiometric approaches.

7 There have been several comprehensive examinations of biometric technologies and systems over the years. See, for example, J.L. Wayman, A.K. Jain, D. Maltoni, and D. Maio, eds., Biometric Systems: Technology, Design, and Performance Evaluation, London: Springer (2005); J. Woodward, Jr., N. Orlans, and P. Higgins, Biometrics: Identity Assurance in the Information Age, New York: McGraw-Hill/Osborne Media (2002); and A.K. Jain, R. Bolle, and S. Pankanti, eds., Biometrics: Personal Identification in a Networked Society, Norwell, Mass.: Kluwer Academic Press (1999). The National Science and Technology Council also recently issued reports that elaborate on biometric systems with an eye to meeting government needs. See, for example, “The National Biometrics Challenge,” available at http://www.biometrics.gov/Documents/biochallengedoc.pdf, and “NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards,” available at http://www.biometrics.gov/Standards/NSTC_Policy_Bio_Standards.pdf.

Sample Operational Process

The operational process typical for a biometric system is given in Figure 1.1. The main components of the system for the purposes of this discussion are the capture (whereby the sensor collects biometric data from the subject to be recognized), the reference database (where previously enrolled subjects’ biometric data are held), the matcher (which compares presented data to reference data in order to make a recognition decision), and the action (whereby the system recognition decision is revealed and actions are undertaken based on that decision).8 This diagram presents a very simplified view of the overall system.

8 The data capture portion of the process has the most impact on accuracy and throughput and has perhaps been the least researched portion of the system. The capture process, which involves human actions (even in covert applications) in the presence of a sensor, is not well understood. While we may understand sensor characteristics quite well, the interaction of the subject with the sensors merits further attention. See Chapter 5 for more on research opportunities in biometrics.

The operational efficacy of a biometric system depends not only on its technical components—the biometric sample capture devices (sensors) and the mathematical algorithms that create and compare references—but also on the end-to-end application design, the environment in which the biometric sensor operates, and any conditions that affect the behavior of the data subjects, that is, persons with the potential to be sensed.

For example, the configuration of the database used to store references against which presented data will be compared affects system performance. At a coarse level, whether the database is networked or local is a primary factor in performance. Networked databases need secure communication, availability, and remote access privileges, and they also raise more privacy challenges than do local databases. Local databases, by contrast, may mean replicating the reference database multiple times, raising security, consistency, and scalability challenges.9 In both cases, the accuracy and currency of any identification data associated with reference

9 Both the NRC report Who Goes There? (2003) and the EC Data Protection Working Party discuss the implications of centralized or networked data repositories versus local storage of data. The latter is available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp80_en.pdf.

TABLE 1.3 Impostor Base Rate of 1.0%

  Proffered Identity   Authentication Attempts   Match               Nonmatch
  Authentic            990                       990 × 99.9% = 989   990 × 0.1% = 1
  Impostor             10                        10 × 0.1% = 0       10 × 99.9% = 10
  Total                1,000                     989                 11
  Conclusion: Confidence that a nonmatcher is an impostor = 10/11 = 91%.

FIGURE 1.4 Authenticating residents (impostor base rate 1 percent; high nonmatch accuracy).

not in a rare-event situation) can be very high—far higher than 99.9 percent. In our first example, when the impostor base rate is 0.1 percent, our confidence in the correctness of a match is almost 100 percent (actually 99.9999 percent)—much higher than suggested by the FMR and FNMR. It is easy to see why this is true. Almost everyone who approaches the sensor in the dorm is actually a resident.

TABLE 1.4 Impostor Base Rate of 50%

  Proffered Identity   Authentication Attempts   Match               Nonmatch
  Authentic            500                       500 × 99.9% = 499   500 × 0.1% = 1
  Impostor             500                       500 × 0.1% = 1      500 × 99.9% = 499
  Total                1,000                     500                 500
  Conclusion: Confidence that a nonmatcher is an impostor = 499/500 = 99.8%.

FIGURE 1.5 Authenticating residents (impostor base rate 50 percent; very high nonmatch accuracy).

For residents, all of whom are supposed to match, false matches are possible (one resident could claim to be another resident and match with that other resident’s reference), but a false match never results in a false acceptance, since a false match has the same system-level result—entrance to the dorm—as correct identification. A false match is possible only when an impostor approaches the sensor and is incorrectly matched.

TABLE 1.5 Impostor Base Rate of 0.1%

  Proffered Identity   Authentication Attempts   Match               Nonmatch
  Authentic            999                       999 × 99.9% = 998   999 × 0.1% = 1
  Impostor             1                         1 × 0.1% = 0        1 × 99.9% = 1
  Total                1,000                     998                 2
  Conclusion: Confidence that a matcher is not an impostor = fraction of nonimpostors among matches = 998/998 = 100%.

FIGURE 1.6 Authenticating residents (impostor base rate 0.1 percent; high match accuracy).

But almost no impostors ever approach the door, and (because the technology is very accurate) impostors who do approach the door are very rarely incorrectly matched. Table 1.5 provides the information for this case, and Figure 1.6 illustrates the case. Note that Figure 1.6 depicts only matches, in contrast to Figures 1.2 through 1.5, which depict only nonmatches.
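A small calculation, sketched below under the same assumptions as Tables 1.3 through 1.5 (FMR and FNMR both 0.1 percent), shows how these confidence figures follow from Bayes' theorem. It is illustrative only and is not code from the report.

    def match_confidences(base_rate, fmr=0.001, fnmr=0.001):
        """Return P(impostor | nonmatch) and P(authentic | match) via Bayes' theorem."""
        p_impostor, p_authentic = base_rate, 1.0 - base_rate

        true_nonmatch = p_impostor * (1.0 - fmr)   # impostor correctly rejected
        false_nonmatch = p_authentic * fnmr        # authentic user incorrectly rejected
        true_match = p_authentic * (1.0 - fnmr)    # authentic user correctly accepted
        false_match = p_impostor * fmr             # impostor incorrectly accepted

        return (true_nonmatch / (true_nonmatch + false_nonmatch),
                true_match / (true_match + false_match))

    for base_rate in (0.01, 0.50, 0.001):          # Tables 1.3, 1.4, and 1.5
        p_nm, p_m = match_confidences(base_rate)
        print(f"impostor base rate {base_rate:.1%}: "
              f"P(impostor | nonmatch) = {p_nm:.1%}, P(authentic | match) = {p_m:.4%}")

Because the tables round counts to whole attempts, Table 1.4's 99.8 percent appears here as 99.9 percent; the qualitative pattern is unchanged. The same arithmetic also gives only 50 percent confidence that a nonmatch is an impostor at the 0.1 percent base rate, which is the other half of the lesson drawn in the paragraph that follows.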

The overall lesson is that as the impostor base rate declines in a recognition system, we become more confident that a match is correct but less confident that a nonmatch is correct. Examples of this phenomenon are common and well documented in medicine and public health. People at very low risk of a disease, for example, are usually not routinely screened, because positive results are much more likely to be a false alarm than to lead to an early diagnosis. Unless the effects of the base rate on system performance are anticipated in the design of a biometric system, false alarms may consume large amounts of resources in situations where very few impostors exist in the system’s target population. Even more insidiously, frequent false alarms could lead screeners to a more lax attitude (the problem of “crying wolf”) when confronted with nonmatches. Depending on the application, becoming inured to nonmatches could be costly or even dangerous.26

26 These costs vary with the application. For instance, if Walt Disney World is able to prevent most people who do not pay from getting into its theme park, then erroneously admitting a few who only pretended to pay may not be all that important. The importance of an impostor on an airplane may be much greater. So the assessment of uncertainty has to take into account the importance of certainty for different outcomes.

ADDITIONAL IMPLICATIONS FOR OPEN-SET IDENTIFICATION SYSTEMS

The above discussion concerned an access control application. Large-scale biometric applications may be used for identification to prevent fraud arising from an individual’s duplicate registration in a benefits program or to check an individual’s sample against a “watch list”—a set of enrolled references of persons to be denied benefits (such as passage at international borders). This is an example of an open-set identification system, where rather than verifying an individual’s claim to an identity, the system determines whether the individual is enrolled and may frequently be processing individuals who are not enrolled. The implications of Bayes’ theorem are more difficult to ascertain in this situation because here biometric processing requires comparing a presented biometric not just against a single claimed enrollment sample but against unprioritized enrollment samples of multiple individuals. Here, as above, the chances of erroneous matches and erroneous nonmatches still depend on the frequencies with which previously enrolled and unenrolled subjects present to the system. Such chances also depend on the length of the watch list and on how this length and the distribution of presenters27 to the system interrelate. The overall situation is complex and requires detailed analysis, but some simple points can be made.

27 The ratio of presenters who are enrolled subjects on the watch list to presenters who are not.

In general, additions to a watch list offer new opportunities for an unenrolled presenter to match with the list, and for an enrolled presenter to match with the wrong enrollee. If additions to the watch list are made in such a way as to leave the presentation distribution unchanged—for example, by enrolling persons who will not contribute to the presentation pool—then the ratio of true to false matches will decline, necessarily reducing confidence in a match. Appendix B formalizes this argument, incorporating a prior distribution for the unknown proportion of presenters who are previously enrolled.

We may draw an important lesson from this simple situation: increasing list size cannot be expected to improve all aspects of system performance. Indeed, in an identification system with a stable presentation distribution, as list length increases we should become less confident that a match is correct. A comment from the Department of Justice Office of the Inspector General’s report on the Mayfield mistake28 exemplifies this point: “The enormous size of the FBI IAFIS [Integrated Automated Fingerprint Identification System] database and the power of the IAFIS program can find a confusingly similar candidate print. The Mayfield case indicates the need for particular care in conducting latent fingerprint examinations involving IAFIS candidates because of the elevated danger in encountering a close nonmatch.”29

28 Brandon Mayfield, an Oregon attorney, was arrested by the FBI in connection with the Madrid train bombings of 2004 after a fingerprint on a bag of detonators was mistakenly identified as belonging to Mayfield.
29 See http://www.usdoj.gov/oig/special/s0601/PDF_list.htm; http://www.usdoj.gov/oig/special/s0601/exec.pdf.
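The sketch below illustrates the effect just described under deliberately simple assumptions that are not the report's model: comparisons against different watch-list entries are treated as independent, each with the same false match rate, and the fraction of presenters who are actually enrolled is held fixed as the list grows. The numerical values of the parameters are invented for illustration.

    def p_enrolled_given_hit(list_size, p_enrolled=0.001, fmr=1e-4, fnmr=0.01):
        """P(presenter is on the watch list | the search reports at least one match)."""
        # An unenrolled presenter falsely matches at least one of list_size references.
        p_hit_if_unenrolled = 1.0 - (1.0 - fmr) ** list_size
        # An enrolled presenter matches his or her own reference (extra false hits ignored).
        p_hit_if_enrolled = 1.0 - fnmr

        p_hit = (p_enrolled * p_hit_if_enrolled
                 + (1.0 - p_enrolled) * p_hit_if_unenrolled)
        return p_enrolled * p_hit_if_enrolled / p_hit

    for list_size in (100, 1_000, 10_000, 100_000):
        print(f"list size {list_size:>7,}: "
              f"P(enrolled | hit) = {p_enrolled_given_hit(list_size):.1%}")

Even with these generous numbers, the fraction of reported hits that involve someone actually on the list falls from roughly 9 percent for a 100-entry list to well under 1 percent for a 100,000-entry list, which is the effect that Appendix B formalizes.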

But this is not the end of the story, because in some circumstances changes in watch-list length may be expected to alter the presentation distribution. The literature distinguishes between open-set identification systems, in which presenters are presumed to include some persons not previously enrolled, and closed-set identification systems, in which presentations are restricted to prior enrollees. Closed-set identification systems meet the stable presentation distribution criterion de jure, so that the baseline performance response still automatically applies to the expanded list. But the actual effect of list expansion on system performance, when the presentation distribution in an open-set identification system may change, will depend on the net impact of modified per-presenter error rates and the associated rebalancing of the presentation distribution. In other words, the fact that the list has expanded may affect who is part of the pool of presenters. This rebalancing may occur without individuals changing their behavior, simply because of the altered relationship between the length of the watch list and the size of the presenting population. But it may also occur as a result of intentional behavior change by new enrollees, who may stop or reduce their presentations to the system as a response to enrollment. Clearly, increasing watch list size without very careful thought may decrease the probability that an apparent matching presenter is actually on the list.

That lengthening a watch list may reduce confidence in a match speaks against the promiscuous searching of large databases for individuals with low probability of being on the list, and it tells us that we must be extremely careful when we increase “interoperability” between databases without control over whether increasing the size of the list has an impact on the probability that the search subject is on the list. Our response to the apparent detection of a person on a list should be tempered by the size of the list that was searched. These lessons contradict common practice.

The designers of a biometric system face a challenge: to design an effective system, they must have an idea of the base rate of detection targets in the population that will be served by the system. But the base rate of targets in a real-world system may be hard to estimate, and once the system is deployed the base rate may change because of the reaction of the system’s potential detection targets, who in many cases will not want to be detected by the system. To avoid detection, potential targets may avoid the system entirely, or they may do things to confuse the system or force it into failure or backup modes in order to escape detection. For all these reasons, it is very difficult for the designers of the biometric system to estimate the detection target base rate accurately. Furthermore, no amount of laboratory testing can help to determine the base rate. Threat modeling can assist in developing estimates of impostor base rates and is discussed in the next section.

SECURITY AND THREAT MODELING

Security considerations are critical to the design of any recognition system, and biometric systems are no exception. When biometric systems are used as part of authentication applications, a security failure can lead to granting inappropriate access or to denying access to a legitimate user. When biometric systems are used in conjunction with a watch list application, a security failure can allow a target of investigation to pass unnoticed or cause an innocent bystander to be subjected to inconvenience, expense, damaged reputation, or the like. In seeking to understand the security of biometric systems, two security-relevant processes are of interest: (1) the determination that an observed trait belongs to a living human who is present and is acting intentionally and (2) the proper matching (or nonmatching) of the observed trait to the reference data maintained in the system.

Conventional security analysis of component design and system integration involves developing a threat model and analyzing potential vulnerabilities—that is, where one might attack the system. As described above, any assessment of the effectiveness of a biometric system (including security) requires some sense of the impostor base rate. To estimate the impostor base rate, one should develop a threat model appropriate to the setting.30 Biometric systems are often deployed in contexts meant to provide some form of security, and any system aimed at security requires a well-considered threat model.31 Before deploying any such system, especially on a large scale, it is important to have a realistic threat model that articulates expected attacks on the system along with what sorts of resources attackers are likely to be able to apply. Of course, a thorough security analysis is not a guarantee that a system is safe from attack or misuse. Threat modeling is difficult. Results often depend on the security expertise of the individuals doing the modeling, but the absence of such analysis often leads to weak systems.

30 For one discussion of threat models, see Microsoft Corporation, “Threat Modeling,” available at http://msdn.microsoft.com/en-us/security/aa570411.aspx. See also Chapter 4 in NRC, Who Goes There? Authentication Through the Lens of Privacy (2003).
31 The need to consider threat models in a full system context is not new, nor is it unique to biometrics. In his 1997 essay “Why Cryptography Is Harder Than It Looks,” available at http://www.schneier.com/essay-037.html, Bruce Schneier addresses the need for clearly understanding threats from a broad perspective as part of integrating cryptographic components in a system. Schneier’s book Secrets and Lies: Digital Security in a Networked World (New York: Wiley, 2000) also examined threat modeling and risk assessment. Both are accessible starting points for understanding the need for threat modeling.

As in all systems, it is important to consider the potential for a malicious actor to subvert proper operation of the system. Examples of such subversion include modifications to sensors, causing fraudulent data to be introduced; attacks on the computing systems at the client or matching engine, causing improper operation; attacks on communication paths between clients and the matching engine; or attacks on the database that alter the biometric or nonbiometric data associated with a sample.

A key element of threat modeling in this context is an understanding of the motivations and capabilities of three classes of users: clients, impostors, and identity concealers. Clients are those who should be recognized by the biometric system. Impostors are those who should not be recognized but will attempt to be recognized anyway. Identity concealers are those who should be recognized but are attempting to evade recognition.

Important in understanding motivation is to envision oneself as the impostor or identity concealer.32 Some of the subversive population may be motivated by malice toward the host (call the malice-driven subversive data subject an attacker), others may be driven by curiosity or a desire to save or gain money or time, and still others may present essentially by accident. This mix would presumably depend on characteristics of the application domain:

• The value to the subversive subject of the asset claimed—contrast admission to a theme park and physical access to a restricted research laboratory.
• The value to the holder of the asset to which an attacker claims access—say, attackers intent on vandalism.
• The ready accessibility of the biometric device.
• How subversive subjects feel about their claim being denied or about detection, apprehension, and punishment.

32 This is often referred to as a “red team” approach—see, for example, the description of the Information Design Assurance Red Team at Sandia National Laboratories, at http://idart.sandia.gov/.

A threat model should try to answer the following questions:

• What are the various types of subversive data subjects?
• Is it the system or the data subject who initiates interaction with the biometric system?
• Is auxiliary information—for example, a photo ID or password—required in addition to the biometric input?
• Are there individuals who are exempt from the biometric screening—for example, children under ten or amputees?
• Are there human screening mechanisms, formal or informal, in addition to the automated biometric screening—for example, a human attendant who is trained to watch for unusual behavior?
• How can an attack tree33 help to specify attack modes available to a well-informed subversive subject? (A toy attack tree is sketched after this list.)
• Which mechanisms can be put in place to prevent or discourage repeated attempts by subversive subjects?

33 For a brief discussion of attack trees, see G. McGraw, “Risk Analysis: Attack Trees and Other Tricks,” August 1, 2002, available at http://www.drdobbs.com/184414879.
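The following toy attack tree is a sketch rather than a prescribed method; it shows one way to record attack modes of the kind the questions above ask about. The node names, cost values, and OR/AND structure are invented for illustration, and a real threat model would enumerate attacks, attacker resources, and countermeasures specific to the deployment.

    from dataclasses import dataclass, field

    @dataclass
    class AttackNode:
        goal: str
        cost: int = 0                    # rough attacker effort; values here are invented
        mode: str = "OR"                 # "OR": any child suffices; "AND": all children required
        children: list = field(default_factory=list)

        def min_cost(self):
            """Cheapest way for an attacker to achieve this node's goal."""
            if not self.children:
                return self.cost
            child_costs = [child.min_cost() for child in self.children]
            return min(child_costs) if self.mode == "OR" else sum(child_costs)

    tree = AttackNode("Gain entry as an impostor", mode="OR", children=[
        AttackNode("Present a fake fingerprint (spoof the sensor)", cost=3),
        AttackNode("Replay captured biometric data to the matcher", mode="AND", children=[
            AttackNode("Intercept sensor-to-matcher traffic", cost=4),
            AttackNode("Defeat channel authentication", cost=6),
        ]),
        AttackNode("Tamper with the reference database", cost=8),
    ])

    print(tree.min_cost())  # 3: the cheapest path in this toy tree is spoofing the sensor

Walking the tree for the cheapest attacker path is one simple way to decide where countermeasures or additional human screening would pay off most.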

Here are some further considerations in evaluating possible actions to be taken:

• Will the acceptance of a false claim seriously impact the host organization’s mission or damage an important protected resource?
• Have all intangibles (for example, reputation, biometric system disruption) been considered?
• How would compromise of the system—for example, acceptance of a false claim for admission to a secure facility—damage privacy, release or degrade the integrity of proprietary information, or limit the availability of services?

In summary, as discussed at length above, FMRs and FNMRs in themselves are insufficient to describe or assess the operational performance of a biometric system and may be seriously misleading. It is also necessary to anticipate the fraction of reported matches that are likely to be true matches and the fraction of reported nonmatches that are likely to be true nonmatches. The analysis above shows that these will vary greatly with the base rate of impostors presenting to the system. The base rate should be estimated using one or more reasonable threat models. Biometric system design should then incorporate this information, as well as the costs and/or utilities of actions resulting from true and false matches and nonmatches.

All information systems are potentially vulnerable, but the design of biometric systems calls for special considerations:

• Probabilistic recognition. This fundamental property of biometric systems means that risk analysis must recognize that there is a probability of making incorrect recognitions (positive or negative). If an attacker can gain access to a large-scale biometric database, then he or she has the opportunity to search for someone who is a biometric doppelganger—someone for whom there is a close enough match given the target false match rate for the system (a rough calculation follows this list).34
• Exposure of biometric traits. This can occur either through direct observation or through access to biometric databases. It allows an attacker to create fraudulent copies of those traits to be used in an attempt to mislead a biometric sensor.35
• Concealment of biometric traits. In some applications, such as those intended to prevent multiple enrollments or to identify persons on watch lists, an attacker can avoid detection by concealing biometric traits through relatively simple actions.36

34 See the discussion on biometric risk equations in T.E. Boult and R. Woodworth, Privacy and security enhancements in biometrics, Advances in Biometrics: Sensors, Algorithms and Systems, N.K. Ratha and V. Govindaraju, eds., New York: Springer (2007).
35 For an example of how a fingerprint image can be transferred to a gelatinous material and then used to mislead a finger-imaging sensor, see T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino, Impact of artificial “gummy” fingers on fingerprint systems, Optical Security and Counterfeit Deterrence Techniques IV: 4677 (2002). For a discussion of improvements to techniques for reconstituting fingerprint images from processed template data, see J. Feng and A.K. Jain, FM model-based fingerprint reconstruction from minutiae template, in Advances in Biometrics, Massimo Tistarelli and Mark S. Nixon, eds., Third International Conference, Alghero, Italy (2009).
36 Sometimes identity is concealed using more radical techniques. Recently it was reported that a Chinese national had had her fingerprints surgically transferred from one hand to another to avoid recognition by Japanese border control; see http://mdn.mainichi.jp/mdnnews/news/20091207p2a00m0na010000c.html. The Interpol fingerprint department provides a historical perspective on fingerprint alteration at http://www.interpol.int/Public/Forensic/fingerprints/research/alteredfingerprints.pdf.
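As a rough, illustrative calculation rather than the report's own analysis, the doppelganger risk in the first consideration can be bounded by assuming independent comparisons at a fixed false match rate; the record counts and the one-in-a-million rate below are arbitrary examples.

    def p_false_match_somewhere(n_records, fmr=1e-6):
        """Chance that at least one of n_records falsely matches a given subject,
        assuming independent comparisons at a fixed false match rate (an idealization)."""
        return 1.0 - (1.0 - fmr) ** n_records

    for n_records in (10_000, 1_000_000, 100_000_000):
        print(f"{n_records:>11,} records: "
              f"{p_false_match_somewhere(n_records):.1%} chance of a false match")
    # About 1% at ten thousand records, roughly 63% at one million, and essentially
    # certain at one hundred million, even at a false match rate of one in a million.

The point is only directional: the larger the database an attacker can search, the less protection any one individual gets from a small per-comparison false match rate.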

These considerations show the importance of how a sample is presented. Since biometric data must be thought of as public information, a system must take appropriate precautions to verify that the sample presented belongs to the individual presenting the sample and that the individual is voluntarily presenting himself or herself for identification. In some cases, this may mean supervised recognition; in others it may mean that a technical mechanism is employed to validate the sensor and that the sensor can differentiate genuine samples from fraudulent synthesized samples. In the latter case, an appropriate sensor takes the place of a human observer of the presentation ceremony.

In response to growing concerns over identity theft and fraud, some advocates suggest that legislation be enacted to prohibit the selling or sharing of an individual’s biometric data.37 By making it illegal to traffic in biometric data and by requiring encryption for the storage of biometric data in authentication systems, the hope is that the chance of inappropriate data disclosure will be reduced significantly, preserving the utility of biometric authentication for widespread use. However, the encryption of data does not guarantee that the underlying data will not be exposed. Furthermore, covert observation of many biometric traits is possible, making acquisition of these data hard to avoid. Accordingly, the more ubiquitous biometric systems become, the more important it is that each system using biometrics perform a threat analysis that presumes public knowledge of a subject’s biometric traits. Those systems should then deploy measures to verify that the presentation ceremony is commensurate with the risk of impersonation.38 Furthermore, in high-assurance and high-criticality applications, biometric recognition should not be the sole authentication factor.

37 P. Swire, “Lessons for biometrics from SSNs and identity fraud,” presentation to the committee on March 15, 2005.
38 Note, for instance, the recent shutdown of the “Clear” air traveler program by Verified Identity Pass. The company held personal information, including biometric information, on thousands of individuals. At the time of this writing, a court had enjoined the company from selling the data.

ON REPORT SCOPE AND BOUNDARIES

This report explores the strengths and limitations of biometric systems and their legal, social, and philosophical implications. One core aim of the report is to dispel the common misconception that a biometric system unambiguously recognizes people by sensing and analyzing their biometric characteristics. No biometric technology is infallible; all are probabilistic and bring uncertainty to the association of an individual with a biometric reference, some of it related to the particular trait being scrutinized by the system. Variability in biometric traits also affects the probability of correct recognition. In the end, probability theory must be well understood and properly applied in order to use biometric systems effectively and to know whether they achieve what they promise.

This report does not address whether a biometric system is the best way to meet a particular application goal. It does not compare biometric technologies with potential alternatives for particular applications, because such alternatives would have to be evaluated case by case.

This chapter has reviewed the fundamental properties of biometric systems. Chapter 2 will offer a framework for considering the requirements of an application from an engineering standpoint. Chapter 3 outlines lessons learned from other types of systems. Chapter 4 examines the social, cultural, and legal issues related to biometric systems. Finally, Chapter 5 summarizes the research challenges and open questions identified in the earlier chapters.