Why do biometrics fail?
11 April 2018 | 0
Dystopian science fiction, from Philip K Dick’s Minority Report to the film Gattaca, has long presented visions of biometric hell where our very physical selves are monitored, tagged and, to quote Patrick McGoohan, “filed, stamped, indexed, briefed, de-briefed, and numbered”– always in the name of the good, but also always against our real interests. Even spoof television series Red Dwarf once featured a locked-door-severed-hand gag.
Back on planet earth, though, the technology has finally arrived – and uptake has been lethargic.
Biometric identity management? Is it the technological answer to a question nobody asked? Sometimes it would seem so, despite its ability to streamline many annoyances associated with IT systems, not to mention the workplace and even sensitive environments such as airports.
And yet biometrics have become popular on at least one front: consumer-grade mobile phones.
Phone users, weary of the onerous demand of remembering and then typing a four-digit number, have turned in their droves to fingerprint scanning, duly handing over their very identities to entities such as Google – and often doing so on devices manufactured in an authoritarian one-party state.
Call it the Alexa effect, after the similarly strange phenomenon of people volunteering to install a bug in their own homes in order to avoid having to tap on the Spotify icon on a tablet computer.
In enterprise environments the story is a rather different one: biometrics has been a flop.
Brian Honan, chief executive of, and principal at, BH Consulting, says that it is a technology that has been much-ballyhooed, but never quite arrived.
“It has been dogged by issues concerning privacy – and its effectiveness, as well,” he said.
Honan says that dangers lurk, especially when potential users start to skimp.
“Biometrics by itself can be an effective measure to protect resources, but it’s not something we’d recommend clients rely on on its own. Like all technologies, you can buy a cheap solution that might be easily bypassed.
“Cheap systems will be bypassed by even a photocopied fingerprint. More advanced systems will use various technologies to makes sure it’s dealing with a live person,” he said.
“What we recommend is: choose a good biometric system but also use a second factor.”
Most institutional environments that use biometrics tend toward fingerprint or iris scanners, he says, and, of the two, fingerprints prevail.
“Corporates prefer fingerprint as it’s deemed to be less intrusive. Plus, people seem to not like having a laser pointing at their eyes for some reason…”
The big leap should have come with artificial intelligence (AI) and machine learning (ML), and yet we continue to wait.
Of course, despite giant strides, AI and ML themselves are technologies that have long promised more than they deliver: despite the big data revolution – and the undoubted commercial value and philosophical and social questions that surround it – what is now called ‘artificial general intelligence’, that is to say true AI, is as far away as ever.
And possibly as undesirable.
Nevertheless, what current AI does well – pattern recognition – is ideally suited to combination with biometrics, so why has this alone not caused an explosion in demands for our grubby fingerprints?
One reason is scepticism: many cultures, not least Ireland, are resistant to the spread of demands for identity, and concerns about overreach by both the state and business abound.
Facebook’s recent travails in the fraught arena of data harvesting, as well as growing suspicion of the political power of Google, are clearly giving many people pause for thought when it comes to handing over personal information; doubly so when that information is inherently intimate. Whether this will be trumped by convenience – or laziness – is the battle where the culture war will be fought.
When it comes to the state, even some in officialdom have expressed doubt about the morality of biometrics.
Last year, the Financial Times has reported that Britain’s independent surveillance camera commissioner Tony Porter wrote to the National Police Chiefs Council, noting the “significantly increased capabilities to intrude upon the privacy of citizens”.
The other reason is failure: morality is all very well, but when it comes to epistemology, biometrics remains an open question. In simpler terms: as yet, the technology has simply not delivered.
One of the harshest critics of biometrics, David Moss, says biometrics is more akin to astrology than it is to astronomy.
Moss, who has long been a critic of government waste in IT projects, points to a 2016 British parliamentary committee, which heard that academics saying that biometrics was an insecure form of identity management – as well as from police, who said that facial recognition was not yet ready for deployment in the field.
“If face recognition isn’t ready [then] you can forget about voice recognition. The question is: how reliable are these techniques?” he said.
But what about fingerprints, which after all, have long been used as evidence in court?
“We all feel confident about fingerprint experts being called into court, but that’s detailed forensic investigation of particular, serious crimes,” he said.
Moss described the use of biometrics in airports as “security theatre”.
“Microscopes and men in white coats don’t make it science. The drive comes from politicians. It’s very televisual, it looks good on screen, it ticks the ‘I’m-doing-something’ box and it looks modern,” he said.
Moss is not opposed to biometrics per se; rather, he says, the deployment typically leaves a lot to be desired.
“There’s no point in being frightened about it either. We simply don’t know if it works,” he said.
“Look at the Aadhaar project in India. They are issuing biometric ID to 1.2 billion people. You can guess the problems. All of the equipment needs electricity, but the majority of the population doesn’t have reliable access to it. On top of that they’re using absolute rubbish equipment and the implementation work is being farmed-out left, right and centre.
“Nobody can rely on the quality,” he said.
Though worded more strongly, Moss’s complains are strikingly familiar: though high profile, biometrics (which are, as he reminds, a form of user ID, not a password replacement), are frequently poorly implemented and based on the use of cheap versions of the technology that over-promise and with poor integration and implementation work.
Paul Hogan, chief information officer at consultancy Ward Solutions, is more positive about the technology, but with cautions nonetheless.
Identity management disaster
“One thing we’ve seen is that enterprise uptake hasn’t been as much as we’d have expected,” he said.
In defence of biometrics, Hogan says that it is, at the very least, not another solution in search of a problem: identity management is already disastrous, and is only getting worse as devices and applications proliferate.
“There are certainly problems with passwords and with other identification systems such as tokens, key fobs or apps on the phone,” he said.
Nonetheless, biometrics alone cannot replace passwords.
“Where we do see it in enterprise is in two-factor applications,” he said. “There is still a fear around false positives.”
Another fear is the other long arm of the law: in one month the EU’s general data protection regulation (GDPR) will come into force, transforming the nature of data collection, processing and storage.
In an environment where eye-watering fines can be handed down for mere bad practice, never mind actual breaches, biometric information may simply become too hot to handle.
“Biometrics is sensitive personal data in some form or another; whether it’s fingerprints or voiceprints or whatever it is, and, frankly, even pre-GDPR the [Irish] data protection commissioner had things to say about it, including the need for explicit consent,” said Hogan.
The GDPR can only increase uncertainty.
“Certainly, there is a lot of chatter about it: ‘Can we go down the road on this, in terms of GDPR, or should we hold off?’ You’d certainly want to have done a privacy impact assessment at the very least,” he said.
Similarly, Honan says the GDPR hovers above adoption.
“This all has to caveated at the moment, because with GDPR coming in biometric data is now classified as ‘special category data’. I’ve seen it be used for time-keeping – clocking-in and clocking-out– so there are questions over whether or not that can continue.”
For Honan, the future for biometrics exists despite this because passwords and PINs have failed. Or rather, the people who use them have.
“The GDPR will have a big impact on how organisations roll-out and use biometric date [but] from a corporate security point of view we’ve not seen a lot of innovation. Where we’re seeing a lot of innovation is on the consumer side. People are getting used to using it. The technology is easy to use and it’s transparent to the user, which historically [IT] security has not been,” he said.
Paul Ducklin, senior technologist at Sophos, says that the practical implications of data breaches that include biometric information have barely even been considered, as yet.
“The problem, as we’ve seen in many cases with breaches, is some companies jump in right away and come up with a breach notification, but in many cases it is left for years. Who knows how widely that data has been sold,” he said.
“We saw a phishing campaign in the UK in the last year that had precise names and addresses. We were able to surmise that it came from a breach several years back, based on the addressed used. So, if your fingerprint is stolen, how do you get a new one? You don’t. That’s what people are, quite reasonably, afraid of: it’s tying data to something that can never be changed.”
Nonetheless, Ducklin says that where there is a problem with biometrics is it merely replicating a wider problem in large parts of the technology industries: a failure to seriously address security.
“You’re asking for trouble whether you’re using biometrics or not. If you’re using the entry level stuff then we’re talking about the ‘internet of things’, and it’s clear that it’s not that security doesn’t come in in first place, it’s that it doesn’t’ come in second, third, fourth, fifth – or on the list at all.
“The obvious example is video cameras: it used to be really hard to connect your buildings [as] they were all hard-wired. Now it’s all just connected to your wifi and, bingo, via the cloud it’s part of your network. That creates a problem,” he said.
The technology will continue to advance, however, and some say that, with it, so will the case for using it.
Martyn Smith of cybersecurity firm Orion Global Technologies – and a former counter terrorism officer in the London Metropolitan Police – says that recent terrorist outrages demand that we take a second look at biometrics.
Smith gives the example of the 2017 Manchester Arena bombing: could biometric identity management have made this attack more difficult?
“The most obvious vulnerability is [that] anyone can buy a ticket [for a public event] and then turn up. A means of confirming your identity, including if you go on to, legitimately, re-sell the ticket is ideal,” he said.
Smith says the technology need not be either onerous or open to simple abuse, and that this is precisely the circle that Orion seeks to square.
“You have people who are very bright and understand the technology, but not the implementation,” he said, pointing to how Orion already looks at complex data around credit card transactions as part of its anti-fraud measures. The objective, he says, is not simply to invent or deploy the technology, but to ensure that it addresses the social question it is hoping to answer.
Privacy concerns are secondary, he says, not least because of tough legislation and compliance regimes, but also because of a recent cultural shift. When combined with making life easier, he argues, biometrics that make life safer will, in the end, be a popular measure.
“When you look at the popularity of ‘selfies’ I don’t think there will be a great concern – especially if it is better presented and also provides a better customer experience. You can use this technology [in order] to not [have to] use traditional ID cards and documents,” he said.
“It helps the venue, it helps with security, and, above all, it improves the customer experience.”