Friday, July 30, 2010

DNA not viable as access control biometric

The article states that DNA tests require a 3 hour turnaround time and a $50-$500 price tag for each query. Very few identity management applications are practical within these constraints.

Most time frames for DNA analysis floating around on the web are 3 days for rush jobs and up to 6 weeks for normal testing. In some things, time and money are interchangeable but this isn't true for everything.

Taking the data in this article at face value, it seems that a 6 week DNA analysis could be done for $50 and the price will go up as the turn-around time is shortened. There is also the fact that all DNA analyses are not equal. Searching for a Y chromosome to determine gender will take far less time than using DNA to discriminate among siblings.

That DNA isn't viable as an access control biometric is a drastic understatement.

On the other hand, if DNA is all you have to go on, it's a great biometric.

UID selects Accenture, Satyam, L-1 for biometrics contract

The Unique Identification Authority of India (UIDAI) has selected three consortiums, led by tech firms Accenture, Mahindra Satyam and L-1 Identity Solutions, respectively, to provide technology solutions to capture the fingerprints and iris scans (known as biometrics) of the country’s 1.2 billion people. The consortia include algorithm and system integration providers.

Thursday, July 29, 2010

Bad guys could read RFID passports at 217 feet, maybe a lot more

OK, I must acknowledge that my repeated references to the RFID blocking passport wallet on offer from here and here have been a bit tongue-in-cheek, though I love the site and its humorous product descriptions.

I figured that if there was a real danger that the information was insecure, the designers of the passport could and would take countermeasures, perhaps by integrating a stainless steel wire mesh into the covers of the document itself, making it readable only when the booklet is opened (this could make the document more durable, too).

Alternatively, I thought a that criminal operation that relied upon waving an RFID reader a few centimeters from where an individual carries their passport would face labor costs that couldn't be justified by the benefits of collecting the data the first place.

If this article is accurate, I'm not so sure this isn't something people should at least be aware of. The apparatus described in the article is like moving from rod-and-reel fishing, to using drag-nets, with the commensurate efficiency gains.

Undercover Feds Able to Easily Obtain Fraudulent e-Passports [USA]

“The U.S. passport is the gold standard for identification. It certifies an individual’s identity and U.S. citizenship, and allows the passport holder to travel in and out of the United States and to foreign countries, obtain further identification documents, and set up bank accounts,” [Md. Sen. Benjamin] Cardin said. “We simply cannot issue U.S. passports in this country on the basis of fraudulent documents. There is too much at stake.”
Identity management is about people and trust.

Because the U.S. government, and the society from which its power is derived, is among the most trusted in the world, the identity documents that it issues are accepted with near universality.

The integrity of the process and the people involved in it is what confers legitimacy upon the document and its bearer and makes modern globalized travel (among other things) possible. This integrity of person and process, however, also raises the incentives to obtain a fraudulent U.S. passport precisely because it is so trusted.

In the linked article, the reason given for the State Department's issuance of five passports requested with fraudulent information is essentially that the system in place is under stress due to the  volume of identifications that it is requested to make with absolute certainty. Because the errors by the Bureau of Consular Affairs stem from over-stressing the passport issuing apparatus rather than corruption, it makes sense to try to improve how passports are issued rather than who issues them.

Technology can really help with this sort of challenge. Giving better tools to those trying to do the right thing makes the world a better place. Giving better tools to those who aren't trying to do the right thing can have the opposite effect.

In so many of the articles I read about new identity management technologies there seems to be an unstated premise that we in the industry are attempting to develop autonomous systems in order to control the behavior of ordinary people.

What is closer to the truth is that we are trying to help ordinary people make better decisions about who they can trust.

A lot about what makes living in the information age a wonderful thing is that we have the power to forge relationships (commercial, financial, romantic, etc.) with a quantity of individuals that is orders of magnitude larger than anything humans have ever experienced. This fact has forced people to come up with new tools to assess who is and who is not trustworthy.

Granted, these tools aren't always technological. The use of branding to confer trust is a very old technique indeed and it's actually pretty close to what the Senator is talking about in the quote above. The U.S. brand confers the trust that the identity document is accurate and authentic, but the U.S. can and does use technology in maintaining the value of its brand. If the brand wasn't worth protecting, no amount of technology could confer trust.

The linked article is worth reading in its entirety.

Wednesday, July 28, 2010

Biometric system to verify eligibility for SRA, says CM

Help Wanted:
Ghosts need not apply.

Biological changes may put UID out of bounds for kids

Children up to 15 years do not have sharp patterns of fingerprints, the metric used to uniquely identify each one of them and more importantly, for authentication. The iris — the coloured portion of the eye — that is to be used to issue a unique identity number, too, does not fully develop before seven years.

“The iris starts achieving 90% stability in size only after six years of age. A normal iris starts assuming stability only by eight years,” said Dr Rakesh Gupta, consultant eye surgeon at Max Balaji Hospital in New Delhi.

Fingerprint patterns assume stability at an even later stage, around 16 years, said Dr V Khanna, a South Delhi-based skin specialist. “Fingerprints are very feeble in children and difficult to capture,” he said.
A few posts here have dealt with the use of biometric identifiers for children.

From ghost workers (yesterday's post) to "fake babies"...
A case in point is the Janani Suraksha Yojana, which hands out incentives to mothers. Earlier this week, a fake babies scam was unearthed in Bihar where 300 women claimed to have delivered up to five babies in a span of 60 days to avail an incentive of Rs 1,000 for each baby.
India, in building a comprehensive biometric identity management system in the world's second-most-populated country, is attempting something that has never been attempted before. It is the identity management moon-shot. It is worth keeping an eye on.

Tuesday, July 27, 2010

Fake pensioners arrested [Nigeria]

The Head of the Civil Service of the Federation, Stephen Oronsaye, said the biometric enrolment of pensioners embarked upon by his office has started to yield some of the desired results.

Mr. Oronsaye made this known when four suspected fake pensioners, three men and a woman, arrested at the Lagos Centre in the course of the exercise were paraded by the Police in Abuja.
This is great news and a cause for optimism in Nigeria. Many see the implementation of biometric identity management systems as enhancing government power over the people. As this article shows, they can also be implemented to increase the people's power over their government.

Ghost workers are a tried and true corruption technique. Their use impoverishes the society and undermines faith in democratic institutions.

It is difficult to overestimate the damage that corruption inflicts upon the world's poor. Biometric identity management systems can help restore the power of the people over their governments ensuring that scarce government resources are devoted to spurring economic and social development rather than lining the pockets of those who would violate the public trust for their own narrow interests.

Related thoughts and analysis of Nigerian ghost workers (with numbers) here.

Monday, July 26, 2010

Japan Tests Gender-Aware Billboards

Japan is testing a billboard that can tell the difference between male and female faces - and display appropriate ads accordingly. The system is running now in subway stations around Tokyo, CNET writes. A consortium of 11 railway companies launched a one-year pilot project to test the signs. Its aim, according to CNET, is to collect data on what sorts of people look at which ads at what times of day.
The CNET article linked above mentions that facial recognition is involved.

Tools developed for identity management can be applied to other challenges such as gender determination for the purposes of marketing in public places even though gender determination by humans is an extremely complicated process. Most facial recognition systems used for identification don't attempt to evaluate the gender of the individual. This is due to the fact that in a security context (logical and physical), the exact identity of the individual is more important to those who deploy theses systems than is gender. The users' tolerance for mistakes in the security context is low.

In a marketing context, the rules of the game change. A static billboard for a gender-specific product will appeal to some proportion of the population. Due to differences in age and gender that proportion is likely far short of 50%.

A system that tries to figure out age and gender doesn't have to be correct all the time in order to provide a positive return on investment (ROI) by increasing the percentage of impressions that have a chance of impacting customer behavior.

Moreover, the costs of the system making an incorrect judgment approach zero and the rewards for "tricking" the system are zero.

Even better, if the system is "tricked" by, for instance, a man with highlights and wearing lipstick, the system still works if you are advertising lipstick.

Sophisticated adopters don't let perfect be the enemy of the good.

British Passports Use Face Biometric

The chip inside the passport contains information about the holder’s face – such as the distances between eyes, nose, mouth and ears. These details are taken from the passport photograph that you supply. They can then be used to identify the passport-holder. The chip also holds the information that is printed on the personal details page of your passport.

This scheme would be useful in preventing the falsification of UK passports even if there is no true biometric matching involved.

If the chip in the passport contained only a digital copy of the passport that the government issued, a forger would need to forge the document and the chip. A forger that "found" a "lost" passport would have to alter the passport with a picture of its new user and find a way to get that new photo onto the chip. 

The UK passport chip uses RFID technology.  Travelers might want one of these.

Thursday, July 22, 2010

Press Release: AmberVision Unveils Program to Help Protect Oregon's Children

(Portland, Oregon) – An advanced technology tool is now available to Oregon police departments that will provide parents greater peace-of-mind for their children’s safety.

A nationally used database system called AmberVision, designed to help law enforcement officials in cases of missing children, is being introduced to school districts and parents in the state of Oregon.  Jim Isaacson, Oregon representative for AmberVision, says “AmberVision heightens the awareness of missing children through the community and media, and provides parents a proactive opportunity to enhance their child’s safety."

One of the most important tools law enforcement needs in missing children cases is immediate access to a high-quality photograph of the child in question.  AmberVision provides the ability for law enforcement agencies to access a child’s picture and description quickly.  It also provides them the ability to instantly distribute this critical information to other agencies, media, officers in the field, etc., all in an effort to save valuable time.

By registering online for AmberVision, parents have the ability to upload a current digital picture and description of their child to a secure database. Parents also have the ability to modify and update this information, as needed, via a username and password they create.  In cases of missing and abducted children, law enforcement officials, with read-only access, can view the data and within minutes, distribute it to the necessary parties.

The cost of enrollment for parents to utilize the database is $11.99 per year, per child.  “It’s an easy, user-friendly enrollment process (  The overall goal of AmberVision (not for profit foundation) is to heighten child safety awareness to parents and communities, provide law enforcement another tool to aide in the safe recovery of a child, allow all children to participate regardless of their financial condition, and provide parents a proactive opportunity to participate in their child’s safety.

Through the AmberVision Foundation, free enrollment is offered to children who participate in the school lunch program”, Isaacson said.  

AmberVision has been implemented in communities throughout the country.  Isaacson said, “Some Oregon schools have already distributed information to parents, and we plan to share AmberVision with all communities throughout the State”.

The system, funded by a grant from the Department of Justice in 2005, was originally developed as a paper-based program called AmberView and tested in the state of West Virginia.  After deemed a success, the program was converted to an online service and offered nationally as AmberVision in late 2009.  SecurLinx, a leader in biometric identity management systems and technology partner to AmberView, has created the AmberVision Foundation in order to help keep our communities safe for children and their families.

Wednesday, July 21, 2010

To avoid ID, more are mutilating fingerprints

Some think these systems don't work.
So desperate was one man to conceal his identity that he began biting his fingers and drawing blood while being booked.

Some have used eyedroppers filled with acid or pressed their fingers onto burning metal to blot their fingerprints. Others have spent thousands of dollars to hire shady doctors to surgically alter their fingertips, hoping to scar them beyond recognition.
I guess these guys disagree.

AmberVision: Helping West Virginia Authorities Find Missing Children (Huntington/Charleston, WV)
The Ambervision program will kick off this fall in all West Virginia public schools. Parents will have access to a database that will allow them to change or add pertinent information about their child's appearance.
In the video below, Lisa Cordiero of the WV Board of Education does an excellent job of describing how AmberVision will work in West Virginia as well as the history behind the AmberVision Foundation.

Tuesday, July 20, 2010

Biometrics: it's not about the technology
Thanks to @heidishey for bringing my attention back to this excellent article by Bruce Lyman, CEO at Argus Global.

Good technology underpins many processes, both inside and without the business and, as many end users will know, understanding how technology works is rarely integral to its usefulness.

Indeed, technological excellence can in some part be measured by how little we need to know about a product to be able to use it. Such is the case with biometric technology, where the biometric itself is only part of the story.

Our real interest concerns (a) how easy it is to use on a daily basis, and by staff of varying technical aptitude and (b) what are the possible outcomes of using this technology?

Mr. Lyman goes on to examine biometric deployments in terms of Return on Investment (ROI), a topic close to our heart.
  • Security ROI: the cost of making a mistake
  • Productivity ROI: improvements to the business
  • Financial ROI: making the strongest case

Iris vs. Finger

The future of iris scanning -

UPDATE: This post gets a fair amount of traffic. The link above no longer seems to work. A cached version of the article linked above may be available here. The page takes a while to load.
Biometrics has received a lot of bad press during its short life. Fingerprint technologies have issues many businesses, and security professionals, would rather not deal with. And then there is the cost. So is there a technology that may provide security, involve low maintenance costs, minimize management headaches, and is acceptable to users?
Author Tom Olzak does a good job of comparing fingerprint authentication systems to systems that use the eye's iris and he makes excellent points about their strengths and weaknesses.

As we like to say, there is no "universal donor" in biometric identity management deployments. In some cases fingerprints are the best, in others, face recognition will be the way to go. Function dictates form. A successful deployment requires a deep understanding of the use model.

Monday, July 19, 2010

FBI National Academy Associates, Boston

SecurLinx and AmberVision will be in Boston for the exhibition associated with the FBINAA festivities this weekend, July 24 & 25.

The Law Enforcement Exhibition is scheduled for Saturday and Sunday in the Hynes Convention Center, Hall C.

Law enforcement officers from the Boston area not attending the conference may obtain a Law Enforcement Day Pass to tour the exposition Saturday or Sunday. Department-issued photo ID required.

If you're in the area, please come visit us:
Booth 212.

Sunday, July 18, 2010

Missing biometrics create unique problems for UID project

TheEconomicTimes (India) [Warning: site tries to open 5 pop-ups!]
This has been getting a lot of attention in the Twitterverse and elsewhere.
Scores of people the Aadhaar project will help the most do not have the sharp, curving lines on their fingers as depicted in its logo. Millions of Indians working in agriculture, construction workers and other manual labourers have worn-out fingers due to a lifetime of hard labour, resulting in what is euphemistically referred to in technical literature as ‘low-quality’ fingerprints. This is precisely the demographic that UID aims to help — those that are outside government records and welfare schemes.

While the UIDAI uses two other metrics — an iris scan and a photograph — in issuing the unique identity number, fingerprinting will be the metric used in authentication. This means a passport applicant with worn-out fingers may present his newly-issued UID number as a conclusive proof of identity, but could find the application rejected. The authentication process using a fingerprint scanner could classify the applicant’s worn-out fingers as a so-called ‘false negative’.
The Indian UID project has captured the public's attention. People are becoming aware of the promises and challenges of large scale biometric identity management deployments. This is a good thing.

On the technical front, "worn out" fingerprints don't present an insurmountable challenge to the Indian project. An ID management system that increases efficiency in the vast majority of transactions while presenting no new obstacles in the rare cases is a valuable system.

The proper way to evaluate a proposed identity management system is to compare the system currently in use to the expected performance of the envisioned system while balancing the costs of the new system against the improvements upon the old way of doing things. Too often, those skeptical about biometric ID management deployments start from the position that anything less than automated perfection is failure*. This attitude can impede the adoption of cost-saving improvements in critical organizational processes.

In adopting a multi-modal approach -- the UIDAI seems to have allowed for the use of iris for backup authentication as well as providing a photograph and an ID number -- it does not appear that India is creating an ID management system that will be unable to serve those with "worn out" fingerprints or those with disabilities that would prevent them from using a fingerprint based system.

*Similar thoughts here.

Friday, July 16, 2010

Safran Said to Be in Talks to Purchase Most of L-1 Identity Solutions Inc.

In March, we drew attention to reports that Bob LaPenta was putting L-1 on the auction block. It appears that the process is picking up steam.

Safran is among the bidders pursuing a deal to buy L-1’s businesses that help customers track biometric data, said the people, who declined to be identified because the talks are private. U.S.-based L-1 is likely to be split up, with another buyer acquiring a separate unit that sells consulting services to U.S. intelligence agencies, said one of the people. No deal is likely to be reached for several weeks, the person said.
More information about Safran is available:

Interesting questions for the future:
Will L-1 be bought whole or will it be sold off piecemeal?
Does the answer to the question above offer a verdict on L-1's strategy of acquisition rather than organic growth?

Thursday, July 15, 2010

High-Tech Corridor Susceptible to Shrinking Federal Appropriations

The State Journal (West Virginia)
Here's a little hometown analysis of the impact that our federal legislators have had on the economy of West Virginia and what the death of Sen. Byrd, the primary defeat of Rep. Mollohan, and the commensurate loss of federal funding could mean to the area.
“When Sen. Byrd moved the FBI fingerprint operation into Clarksburg, as much of a visionary he was, I’m not sure even he could have fathomed the growth that that created for the state,” said Rick Gill, CEO of the Washington, D.C.-headquartered National Biometric Security Project, which maintains an operation in Morgantown.
Both of the cities in the quote are in West Virginia's I-79 Hi-Tech Corridor.

Wednesday, July 14, 2010

Facial Profiling: Will face-recognition technology get an accused killer off the hook?

San Francisco Weekly
In what legal and scientific experts say is a groundbreaking case, a San Francisco Superior Court judge allowed biometric facial-identification technology, along with accompanying testimony from an expert witness, to be admitted as evidence in a high-profile criminal trial.

And in a curious turn, biometrics — the science popularized for its use in attempts to catch terrorists — was being used in San Francisco to try to exonerate an accused gang member and murderer.
As pointed out here, biometric identity management systems are tools that work both ways. The technology can be used by defendants as well as prosecutors.

This lengthy article, however, is pretty pessimistic about face-rec in general. To this point, I would draw attention to the fact that there is a huge difference between attended and unattended systems (a more complete resource for how to categorize different systems is here).
Several years ago, a surveillance experiment at a train station in Mainz, Germany, found that automated facial recognition had a success rate of only 60 percent during the day and as low as 10 percent at night, when poor lighting made identification more difficult.
The system described in Mainz, above is an unattended system used on non-cooperative, non-habituated individuals in a public, non-standard environment. 60% is nothing to sneeze at and the proper frame of reference is 0% (the number of people identified in the absence of a system) not 100%. So, Mainz went from 0% identifications to 60% in the daytime (possibly) without any spending on human resources and this is failure?

Poorly calibrated expectations are a real issue in the biometrics sphere. We in the industry need to make sure that we are setting reasonable expectations for our customers and helping them to craft systems that meet their needs. We have an obligation to deliver value and an incentive to educate our customers.

Monday, July 12, 2010

International Biometrics & Identification Association to Focus Efforts on the Growing Issue of Identity Management
The International Biometrics & Identification Association (IBIA) today announced that it has expanded its mission to focus on the overall issue of determining identity. This new mandate, one which will see biometric and other technologies play an increasingly important role, has been deemed critical by the IBIA, given the rise of authentication issues facing data security, identity theft, immigration and homeland security.

This makes sense. Biometrics are a means to an end. Identity management is the goal.

Saturday, July 10, 2010

Poway Tells Skaters to Give Them the Finger
Park-goers will be required to have their fingerprints and photos on file with the city, the paper said.

This kind of usage can be confusing.

All fingerprint access control systems store a template generated from a person's fingerprint. It is not possible to "reverse engineer" a template into a complete image of the fingerprint that created it. In this limited use case it cannot be said that fingerprints are on file with the City.

Other fingerprint access control systems do store an image of the fingerprint as well as the template generated from it. In this use case, it is accurate to say that fingerprints are on file with the City.

The article implies that the system in place in Poway is of the latter sort.

Related thoughts about a different system can be found here.

Friday, July 9, 2010

Why face recognition isn't scary -- yet
For those interested in facial recognition, the article linked above provides insight in to the uses and limitations of the technology. It also provides information about a few places where people can gain firsthand experience with facial recognition applications using their family photos.

Thursday, July 8, 2010

The epic marketing challenge for UID

On the technical side, biometric identity management is about the physical facts of a person in a given environment, communication, databases, sensors, permissions, etc. Once an organization works through these details, a successful biometric deployment becomes possible.

But there is a social component to almost all identity management deployments outside of prisons. ID management (biometric or not) only works if it isn't subverted by the users. If users are careless with keys, passwords and proximity cards; if doors are propped open or those with access allow others to "tailgate," the effectiveness of the ID management system is undermined.

India's UID project (once again) provides a useful window into how organizations manage the cultural side of a large-scale identity management deployment and the things that must be considered. The linked article provides insight into the India project's efforts at stakeholder marketing.
Combined, they have more than 150 years of marketing experience.

All were headhunted by Maruwada, who looked to bring the country’s most experienced minds in communications, marketing and advertising to tackle what is arguably the UIDAI’s most important challenge—marketing the idea of a universal government identity to citizens from every caste, region and religion.
As they say, read the whole thing.

Identity management is about people.

Wednesday, July 7, 2010

AmberVision State-Wide Rollout

Ambervision to help West Virginia authorities recover missing children (Herald Dispatch - Huntington, WV)
"The Department of Education is committed to keeping West Virginia's children free from harm," said state Superintendent of Schools Steve Paine. "Ambervision adds to our ability to keep every child safe and increases the chances of a good outcome in the unfortunate event of a missing child."
The AmberVision system will be adopted state-wide in West Virginia this fall.

Biometrics and Governance

CCTVs to monitor DC (Deputy Commissioner's) office employees: (The Times of India)
HUBLI: The ‘I don't care' attitude of the government employees who are accustomed to coming late, taking multiple breaks for tea, cigarettes and chatting during office hours will be a thing of past, at least in Dharwad.

The CCTV cameras and biometric machines which hitherto were only seen in corporate and other private offices have found its way into the deputy commissioner's office in Dharwad, making it probably the first DC office in the state to install it in a bid to discipline the government servants, who normally are blamed for taking their work lightly.
Many see the implementation of biometric identity management systems as enhancing government power over the people. As this article shows, they can also be implemented to increase the people's power over their government.

Tuesday, July 6, 2010

Farm of the Week: Producer clocks in with IT system to control costs
"It might sound hard, but more accuracy means more fairness, for both staff and customers," says Mr Machin. "Thirty percent of our costs are labour. The more we pin costs down, the more choice we have about how to distribute rewards. And the better we get at pricing our produce, the more customers we bring in."
This article shows how new technologies, including biometric identity management technologies, are helping small businesses generate the data that help them operate with the same type of information large companies have been using for ages.

These identity management technologies combined with Enterprise Resource Planning (ERP) techniques are allowing small businesses to arrive at a precise calculation of costs, taking the guesswork out of pricing decisions. Moreover, the return on investment is significant.
"I would say our original investment in the time and management system has repaid already. The wages calculation, for example, used to take a couple of days. Now it is a matter of hours."

Friday, July 2, 2010

UPEK Terminates AuthenTec Proxy Contest and Merger Proposal after Grady's Resignation as Chairman of AuthenTec's Board of Directors

In his letter Grady explicitly says: 'My decision results from my increasing discomfort with the Company's de facto embrace of the status quo, and tolerance of management leadership's actions to resist value-creating transactions. I believe that the Board and management of AuthenTec should take decisive action to enhance shareholder value, but that view, supported in concept, is not reflected in actions. Enhancing shareholder value needs to be more than a talking point.'
The events described in this article concern two fingerprint sensor manufacturers, but you can expect to see many more articles of this nature over the next few years.

The biometric identity management sector will see rapid consolidation for several reasons:
  • The most coveted customers for biometric identity management solutions are very large organizations, while the suppliers of goods and services tend to be very small companies. The big companies know that the little companies don't have the depth to support them. This doesn't mean that deals don't get done. The small tech. firms can and do partner up with large scale IT integrators to meet the needs of large customers, but this model presents its own challenges.
  • Investors in early- and development-stage tech start-ups would like to see the beginnings of a possible exit strategy. It's not that they all want out; it's just that all investors are investors because they would like to earn a return. Without shareholder liquidity, an exit from an investment and the actualization of the commensurate gain or loss is difficult.
  • The current investment and economic environment means that firms in the sector will fail and their assets will accrue to the remaining firms.
  • The firms, themselves, and their boards will see growth opportunities and increased liquidity and heightened ability to support their customers without outside assistance as they grow larger through acquisition.

Thursday, July 1, 2010

India Proposes Tighter Laws for National ID Project
The Indian agency assigned by the government to issue identity numbers has proposed stiff penalties, including imprisonment, for anybody found misusing personal biometric and other information that it collects.
We've had our eye on the Indian census for a couple of different reasons: the size, scope, ambition and audacity of the effort is unprecedented.

We have focused most of our attention on the technical aspects of the project. The article linked above deals with some of the cultural issues that must be addressed in any biometric identity management implementation, especially one on the scale of the India project.

At the end of the day, identity management is about people.