Saturday, November 15, 2003

ID cards and biometrics

Fiona McTaggart, a govt minister and former chairwoman of Liberty, defends ID cards in a Guardian article. An excellent rebuttal can be found at spy.org.uk's blog, and the Guardian's letters section also contains some excellent points. An interesting section from the spy.org.uk rebuttal is this:

Here we go again, the repetition of the false claim that biometrics are somehow unique. Not even the people with a vested commercial interest in selling the technology dare to make that claim. Your "biometric characteristics" may be reasonably individual to you personally, but that is not the same as saying that what ends up inside a Smart Card or database is "unique" or "unforgeable".

The specious reasoning goes along the lines of: if your Smart ID Card ever gets lost or stolen, there would be no need to worry, since, for example your fingerprint biometric would make it impossible for anybody else to use it, thereby crushing Identity Theft.

Leaving aside the statistics of False Positives, False Negatives, and the small percentage of people with no usable biometric at all (tens of thousands in a population of 60 million) the fact is that you leave your fingerprints all over your ID Card. There is a very high probability (around 80%) that latent fingerprints taken off your ID Card could be used to construct a "false finger" which is sufficient to fool the finger print scanner.


Emphasis added. The point here is that biometric identifiers are compared with each other in a manner that is probabilistic. The higher the number of data points compared, the more certain you can be that a match is a real match but the less certain you can be that you'll get a match. Thus you have to trade off the false positives, getting a match on biometrics from 2 different people, against the false negatives, failing to detect that two biometric readings are from the same person.

Now if someone claims that they've got a false positive rate for a particular biometric system, of 1 in a billion this might sound like it will give real certainty and allow a national identity register to be created in a manner that prevents people from applying from multiple identities. They'd reason that in a population of 60million, a 1 in a billion chance of a false positive is safe. They'd be wrong.

To compare every person's biometric with every other person's biometric (as would be required to create the database in this manner) would involve (60,000,000 times 59,999,999)/2 = 1,799,999,970,000,000
comparisons. For each comparison there's 1 billionth of a chance of getting a false positive. You'd therefore expect
1799999.97 of those comparisons to return a false positive match. That's roughly 1.8million false positive matches. Note that that does not involve 1.8million people, but rather 1.8million comparisons.

In other words, you can guarantee that there will be a large number of false positive matches as the database is assembled. Without a means of determining whether a positive match is a true or false positive, you won't be able to prevent people from creating multiple identities on the system. Worse, if you concentrate on getting such a low false positive rate, the false negative rate is likely to shoot up, making if even more likely that if someone did try to get multiple identities on the system, their attempt would not even show up as a positive match. And note that the false positive rate needs to cover software glitches, hardware glitches and human error too. Also, if you double the size of the population you roughly quadruple the number of comparisons.

It seems to me that without a solution to this, the idea that a national ID card can provide a secure and reliable means of verifying identity is simply a mirage.

No comments: