Biometrics: Ready for prime time?


By Mary Kirwan
Special to Globe and Mail Update

UPDATED AT 8:01 AM EDT Wednesday, Apr. 14, 2004


Mary Kirwan is a lawyer on three continents, a writer and IT security expert. She is currently completing a book on IT security for industry, for broad release in 2004. Contact her at

Biometric technologies have a certain cachet — a distinct allure. Hardly a movie comes out of Hollywood these days, but the protagonists are enveloped in a maze of biometric gizmos, from iris and retinal scanners to face and hand print readers.

Tom Cruise in the futuristic movie Minority Report has his eyes surgically removed to evade iris scans and detection, but nonetheless is able to re-enter his previous place of employment, as a wanted felon, by using his own bloodied, extracted eyeballs.

His access privileges had not been cancelled.

This is the reality even Hollywood can't expunge, and almost certain to ruin a good flick for all security- conscious moviegoers.

Have biometric technologies finally taken off?

Despite all the hype, biometric technologies have been slow to take off. Cost issues, instability, lack of portability, interoperability problems and multiple standards have made them a hard sell.

However, since Sept. 11, 2001, as a result of massive lobbying efforts by biometrics companies offering the holy grail of security in the fight against terrorism, they seem to be finally coming into their own.

Numerous government initiatives around the world are in place to augment identity and travel documents, such as passports, with biometric identifiers. There are even calls for national ID cards in Canada, as well as in the U.S. and U.K.

As of Sept. 30, 2004, citizens of all 27 countries (including Ireland, the UK, Australia, Japan, Italy, France and Germany) considered visa-waiver countries by the U.S., must be fingerprinted and digitally photographed before they can gain entry to the U.S.

This is a stop- gap measure until these countries can issue biometric enabled passports to their citizens. It is expected that the US Congress will roll back the original date for implementation of these measures (October 26, 2004) to December 2006, as many countries expressed an inability to comply within that time frame.

According to the U.S. Department of Homeland Security, the biometric data obtained will be compared against 'watch lists' to decide admissibility for entry.

One can only hope that U.S. 'watch lists' are in better shape than those in Canada, as highlighted in a recent Report by the Auditor General of Canada on National Security, where they are described as "in disarray" and rife with errors and missing crucial data.

It is also by no means clear that any fingerprint matching system can scale up to deal with such a volume of prints, without a significant increase in 'false reject' error rates (where legitimate persons are rejected by the system), or 'false acceptance' rates (where rogues are authenticated and accepted by the system).

In addition, a recent article in the New Scientist magazine reveals that many scientists and legal experts are concerned that fingerprint technology, long considered infallible, is based on flawed scientific and statistical assumptions, and that it needs to be subjected to independent scientific scrutiny, a move strenuously resisted by the law enforcement community.

Biometrics in Canada

In Canada, the Canadian Air Transport Security Authority is piloting the use of biometric smart cards by airport workers to improve airport security.

The CANPASS Air program implemented at the Vancouver International Airport in July 2003, and at the Halifax International Airport in November 2003, is to be expanded across the country.

CANPASS Air will use iris scanners to allow pre-approved travellers speedy clearance through customs. They must complete an application form, provide photocopies of certain 'proof of identity' documents, such as a passport, or birth certificate, and attend an in person interview.

How secure are biometric devices?

Vendors have made extravagant claims that biometrics "virtually guarantee network and facility security." Such statements tend to incur scepticism from seasoned security commentators, and often do more harm than good.

Most commentators have focused on the privacy issues, concerns about 'function creep', and the advent of a global 'Big Brother' surveillance society. However, far less attention is paid to security issues. It is often tacitly assumed that the various biometric technologies are stable and security threats minimal.

This is not universally the case, and successful attacks on biometrics by researchers and academics, and less frequently by hackers, have made that abundantly clear. In addition, international standards are fractured, and interoperability issues far from resolved.

Environmental factors can also impact the reliability of these technologies.

Vested interests often lead standardisation efforts, and independent evaluations of products is not yet widespread. Biometric companies have been loath to expose proprietary technology to outside expert review, which in turn leads to concerns in the security community about 'security through obscurity'.

Who will guard the chicken coop?

Lack of security at the back end has been a concern often written about in this column. This concern is heightened with extensive use of biometrics.

To create a biometric matching system, a template is created from raw data, such as a fingerprint, and stored for use in either a 'one to one' verification system, or a 'one to many' identification system (where a user's identity is checked against a large database of stored templates). Templates must be encrypted and stored, either in a database, or on a magnetic chip card, smart card or token.

It is highly preferable that the template be stored on a smart card, and not transmitted for verification or identification purposes. If the template is stored on a smart card, for instance, the attacker must hack the card as well. Not impossible by any means, but another hurdle to overcome.

However, where there are many users, and remote verification is needed, central database storage is often used. Such databases are, of course, susceptible to insider attacks, and weak cryptography to various brute force attacks.

Who can we trust to secure biometric data?

If large banks of biometric data are left to government to secure, what a glorious target for hackers and organized crime that will be?

The private sector has shown itself to be frequently unable to protect personal data. Government has repeatedly exposed SIN numbers in Canada, and SSN numbers in the U.S., and scored poorly on internal security audits of their own practices and procedures.

Are they really up to the task of protecting the master key to our identity? It remains to be seen.

The reality is that there is no such thing as 100-per-cent security, and human ingenuity dictates that as soon as we build it, someone will break it down. Claims to the contrary breed complacency and are anathema to progress in the security field. Claims of infallibility for any technology can also lead to false convictions, and serious miscarriages of justice.

Will biometrics obliterate identity theft?

It has also been widely claimed that biometric technology is essential to stem the tide of identity theft. Several of the 911 terrorists had legitimate drivers licences, and as they were largely unknown to law enforcement, all the biometric scanners in the world would not have made any difference.

According to Privacy International, an international privacy watchdog organisation, a lesson learnt from countries with national identity cards is that the technology gap between governments and organised crime is so great that even the most secure cards "are available as blanks weeks after their official introduction".

The problem of identity theft will not be solved with a smarter ID card and more stringent registration procedures to get such a card. Insiders, private outsourcing companies, organized crime and hackers will be highly motivated to expose biometric identifiers, and sell them, as they do all other valuable commodities.

And the result may be criminals with stronger identification, unlikely to be challenged.

Biometric technologies have, indeed, been shown to be useful to deter welfare fraud and opportunistic crimes, but are unlikely to perturb determined adversaries.

What does the future hold for biometrics??

Biometric technologies have great potential, especially in attended operations (where a physical security guard is also present), or in conjunction with existing technologies to create a multi- layered approach to security management. Multi —modal biometrics also show promise (where different types of biometric technologies are layered and used together).

They are also useful to protect encryption keys in a Public Key Infrastructure (PKI), and, of course, can remove the need for users to remember a multitude of PINs and passwords, an enticing prospect in itself.

But any suggestion that biometrics alone will stop terrorism, obliterate identity theft, and convert hardened criminals to Buddhism is likely to be an expensive and vain exercise.

Giving law enforcement and the intelligence community the funds they need to fight crime and engage undercover operatives to garner real intelligence is currently likely to be a better use of always scarce resources.

The same applies in the corporate environment. If you have no security policy, a discontented and poorly motivated workforce, no amount of biometrics will plug the hole in that particular dam.

 Bell Globemedia
 © 2004 Bell Globemedia Publishing Inc. All Rights Reserved.