Wednesday, September 29, 2010

It's on: India Launches Project to ID 1.2 Billion People

The project, which seeks to collect fingerprint and iris scans from all residents and store them in a massive central database of unique IDs, is considered by many specialists the most technologically and logistically complex national identification effort ever attempted.

As the gathering of villagers cheered and applauded, Ranjana Sonawane became the first in the country to receive the Unique Identification Number (UID) card at a ceremony.

Pushback on the National Research Council (NRC) Report

"The report is out of date and misleading at best," says Michael DePasquale, CEO of BIO-key International. "The fact that it relies on data gathered over five years ago does a disservice to the industry, and to those individuals who have been pushing technological advancements since 2004. Over the last six years, the technology has made significant contributions to not only our national security, but also to protecting access to a wide variety of commercial applications including smartphones, laptops, offices, homes, commercial networks, point-of-sale terminals and medical storage cabinets."
The full report is available here (Registration Required).

There are many fault lines running through the biometrics sphere and nowhere are they better explained than in the classic NATIONAL BIOMETRIC TEST CENTER COLLECTED WORKS 1997-2000 (1.8MB PDF). I refer specifically to Chapter 1, section II 'Classifying Applications' (page 13 in your PDF reader, page 3 according to the document's internal numbering). Without a decent understanding of the categories into which biometric applications fall, confusion is inevitable.

The categories are:
Cooperative v. Non-cooperative
Overt v. Covert
Habituated v. Non-habituated
Attended v. Non-attended
Standard Environment
Public v. Private
Open v. Closed

Some of these distinctions refer to the individual to be identified while some refer to the technology.

Every one of the above factors will impact the technical suitability of a solution or the user's acceptance of a system to some degree or another and the Attended/Non-Attended (technical suitability) and Public/Private (social acceptability) categorizations are supremely important.

The report seems to have caused confusion in its readers along these two lines: attended vs. unattended systems, and public vs. private use. This quote from the report is emblematic:
Biometrics recognition has been applied to identification of criminals, patient tracking and medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition and societal impact of their use.

This post touches on the confusion resulting from a lack of attention to the attended/unattended distinction.
The system described in Mainz, above is an unattended system used on non-cooperative, non-habituated individuals in a public, non-standard environment. 60% is nothing to sneeze at and the proper frame of reference is 0% (the number of people identified in the absence of a system) not 100%. So, Mainz went from 0% identifications to 60% in the daytime (possibly) without any spending on human resources and this is failure?

This post, in part, examines whether your identity management solution is ever truly unattended:
Biometric identity management systems are not replacements for current security systems and protocols. They are augmentations of those systems. Very few security solutions are completely unstaffed.

The lock on your front door is apparently unstaffed, but is it? If you live in an apartment or are staying in a hotel and you lock yourself out, the front desk staff will verify your identity and issue you a new key. If you live in a house, a locksmith can verify your identity and gain access to your abode for you.

This post deals with the public/private distinction.
Bryan Glick at understands that the rejection of a statist, top-down approach does not mean that identity management systems are unnecessary or that all proposed systems will be rejected by a free public.

Glick then draws attention to a 2008 report by Sir James Crosby, then at HM Treasury, entitled Challenges and Opportunities in Identity Assurance (.pdf). The 47-page report contains a breadth of information that makes it a great introduction for how to begin thinking about the challenges associated with large-scale biometric identity management deployments. It is very accessible and deserves to be read widely.
At an early stage, we recognised that consumers constitute the common ground between the public and private sectors. And our focus switched from “ID management” to “ID assurance”. The expression “ID management” suggests data sharing and database consolidation, concepts which principally serve the interests of the owner of the database, for example the Government or the banks. Whereas we think of “ID assurance” as a consumer-led concept, a process that meets an important consumer need without necessarily providing any spin-off benefits to the owner of any database. This distinction is fundamental. An ID system built primarily to deliver high levels of assurance for consumers and to command their trust has little in common with one inspired mainly by the ambitions of its owner. In the case of the former, consumers will extend use both across the population and in terms of applications such as travel and banking. While almost inevitably the opposite is true for systems principally designed to save costs and to transfer or share data.
They say a horse by committee gets you a camel. I'll withhold final judgment on the NRC report until I've gone through it in more detail.

Tuesday, September 28, 2010

Australian Government launches security research network
Nominated researchers must be members of the Research Network Secure Australia and clear its professional background checks.

Deputy national security advisor Margot McCarthy said the network will tighten coordination on matters of national security in the public and private sectors.
This is a good idea.

Creating a directory of the pre-vetted security experts available to a country should foster the development of good working relationships within the security sector which should in turn make for better responses in a security crisis.

The directory is online here and contains rich contact information such as phone numbers and (sometimes multiple) email addresses.

If you're in Australia and have acute need of an expert in biometrics and securing biometric templates, give Boztas Serder a call or shoot Calic Dragana an email.

Security is about people and national security is no exception.

Monday, September 27, 2010

Monday Roundup

Three topics seem to be dominating biometrics news today:

Biometrics 'Inherently Fallible' (
For perspective, see Saturday's post.
More articles: Bing News

WVU seeks volunteers for biometrics study (; Text & Audio)
Blog post here.
More articles: Bing News

Boston & Secure Communities (
More articles: Bing News

Saturday, September 25, 2010

National Research Council: Biometrics 'Inherently Fallible'

Regular visitors will be familiar with the themes in this article.

No security system is infallible. Biometric identity management solutions are getting so much attention precisely because existing identity management solutions are extremely fallible.

What determines the desirability of a biometric identity management solution is not infallibility but return on investment (ROI) -- a measure of the efficiencies such a system can bring to an organization's identity management function offset by the costs associated with adoption of the new solution. In many cases the ROI is reflected in productivity gains among staff responsible for an organization's identity management function.

It is very important, however, that potential adopters of biometric ID management solutions be aware of the issues the article raises.
The report notes that careful consideration is needed when using biometric recognition as a component of an overall security system. The merits and risks of biometric recognition relative to other identification and authentication technologies should be considered. Any biometric system selected for security purposes should undergo thorough threat assessments to determine its vulnerabilities to deliberate attacks. Trustworthiness of the biometric recognition process cannot rely on secrecy of data, since an individual's biometric traits can be publicly known or accessed. In addition, secondary screening procedures that are used in the event of a system failure should be just as well-designed as primary systems, the report says.
Identity management is about people, after all. These systems can really help organizations, but they're not magic.

Friday, September 24, 2010

Biometrics: Giving Afghans an identity UPDATE

 Following on this post last month comes this from

Army Reveals Afghan Biometric ID Plan; Millions Scanned, Carded by May
Scanning prisoners’ irises is just Step 1. In Afghanistan, local and NATO forces are amassing biometric dossiers on hundreds of thousands of cops, crooks, soldiers, insurgents and ordinary citizens. And now, with NATO’s backing, the Kabul government is putting together a plan to issue biometrically backed identification cards to 1.65 million Afghans by next May.

Interesting nugget:
There are all kinds of hurdles to the plan, however. At the moment, Afghanistan’s two main biometric databases don’t talk to one another, limiting their effectiveness.
SecurLinx customers don't encounter these problems and we can fix them for customers in need of increased interoperability. Our middleware increases the ROI on existing identity management systems.

Face Rec: Getting So Much Better All the Time

Granted, integrated face recognition/video surveillance systems are not perfect—false positives do happen. Still, “Accuracy has improved nearly two full orders of magnitude since the large scale studies [that were] published in 2002,” says Ken Nosker, president of Fulcrum Biometrics. “In the latest independent study published by NIST, researchers have shown that seven tested algorithms performed as good as or better at matching faces than humans were able to do.

Thursday, September 23, 2010

Behavioral Biometrics or Public Lie Detectors?
The linked article is confusing and heartening at the same time.

It is easily divided into two parts: a discussion of the efforts of some in the research community to bring lie detectors out of interrogation rooms and into contact with the public, and a brief summary of findings that public views on biometric identity management techniques differ from the way so-called privacy advocates frame the issues.

The reason that it is confusing is that the two parts of the article don't belong together.

The discussion of the Future Attribute Screening Technology (FAST) prototype has virtually nothing to do with public acceptance of biometric identity management techniques.

The techniques described under the label Behavioral Biometrics are akin to lie detector tests. They rely upon the detection of changes in bodily function resulting from some outside stimulus such as interrogation and seek to determine intent. Moreover, FAST attempts to automate this analysis as much as possible. This is like going from "Lie To Me" to "Minority Report".

["Lie to Me" is a current* TV show chronicling the adventures of one Dr. Lightman (Tim Roth), the world's greatest human lie detector. "Minority Report" takes place in a dystopian future where criminals are caught before crimes are committed.]

There's ample evidence that the "Lie To Me" scenario is at least reasonable. It is possible to train professional interviewers that can ferret out lies and attempts to deceive with some high degree of accuracy. In fact, these professionals are actively doing the job FAST attempts to automate every day in our airports and police stations.

While I am unqualified to make assertions of fact regarding the feasibility of developing a machine that functions with high reliability along the lines envisioned by FAST's creators, it is my guess that FAST, or a similar system, is not only possible in theory but highly likely to exist in reality in the not-too-distant future so long as current growth rates in human scientific knowledge and computational power continue.

But even if we accept that a FAST-like system will be technically possible in the future, say fifteen years from now, no current researcher could possibly say anything useful about whether or not the culture fifteen years from now would find it acceptable to use such tools in public places upon ordinary people without probable cause. Predictions about social views on technology fifteen years in the future more appropriately belong to the genre of science fiction than opinion polling.

None of this is to discredit University of Pittsburgh Dr. Lisa Nelson's
study of biometrics and the public views about it [that] reveals tolerance and support when it comes to government use of biometrics to protect public safety.

Although privacy advocacy groups are supposed to represent the public, Nelson said her studies based on focus groups show that "there are differences between public perception and how privacy advocates were framing the issues," with the larger public apparently far more willing than privacy-advocacy groups to accept biometrics when it's used for purposes of protecting against terrorism or identity theft.
This summary of Dr. Nelson's findings rings true. There does seem to be a significant disconnect between self-appointed privacy advocates and the public they claim to represent where issues of biometric identity management are concerned. But this has little bearing on FAST and other far-off technologies. To tie Dr. Nelson's findings to FAST does a disservice to Dr. Nelson and perhaps even misrepresents the views of FAST's creators.

*UPDATE: The show has since been canceled.

Canadian border going hi-tech
The five-year project to electronically secure the borders involves immigration, the RCMP and Canada Border Services Agency. Federal immigration spokesman Karen Shadd said under the program, applicants will have to provide fingerprints and a photograph as part of their digital visa application.
Expect this trend to continue, and not just among developed nations.

Wednesday, September 22, 2010

Global Biometric Market to Grow 22% Annually Between 2011 - 2013
Both public and private sectors worldwide are witnessing rapid adoption of biometrics as an accurate, reliable and cost-saving way for better and advanced security surveillance. Over the years, the biometric technology has developed from a new technology used in a narrow band of closed environment applications to a useful, practical, fit-for-purpose tool used across a wide range of industries and in a variety of applications.
The full report is available for download for $1600. I have not seen the full report but the linked page provides a quick overview of industries and geographies where biometrics adoption is heating up.

Florida condo to use fingerprint reader for access to clubhouse, block access to delinquents

Expect more condo and homeowner communities to use locks, devices for common area access (

After the obligatory hand-wringing, this article addresses the management of condo complexes and how they are meeting their identity management challenges using biometrics.
"There is some resistance. A few people worry about ID theft," said Tersigni, adding she thinks there is no more risk in providing a fingerprint to endorse a check at the bank. "Others are all for it because this helps us keep the area safer. We always know who is coming in and going out and when."

And, Tersigni explains, the device does not store fingerprints. It uses biometrics to convert a user's fingerprint into a binary code based on 65 unique points of the fingerprint and stores that code for comparison later when a visitor uses the device outside the clubhouse door. To gain entry, visitors press a finger onto a small screen, allowing it to identify them and remotely unlock the clubhouse door. The system stores one fingerprint code per owner.
My condo management staff certainly does seem to spend a lot of time and effort in regulating who gets to use the facilities.

When a segment of the public views any place they are able to access as a place they are entitled to access, and absent rigorous identity management systems, the value proposition that management companies offer condo owners can be eroded considerably.

Tuesday, September 21, 2010

Biometrics Firms Reach Beyond Government Gigs

Biometrics Firms Widen Net (Wall Street Journal)
In this article the WSJ uses the 24-Hour Fitness and L-1 sale stories to provide the reader with a state-of-the-industry update.
Revving up the industry's growth will depend in part on getting more corporate clients to embrace the technology to provide access to offices, factories, medical and financial records and computer networks.

WVU researchers compiling biometrics data

West Virginia Public Broadcasting (Text & Audio at the link)
West Virginia University researchers are working with the FBI to build up a database including finger prints, eye and facial images.

For the second year in a row, WVU researchers in computer sciences are working with the FBI to gather information about biometrics, including facial shapes, finger prints, and even audio and video samples.
West Virginia University is at the cutting edge of the science of biometric identification. In order to advance the state of the biometric art, they need test subjects to "donate" the raw data that they use in their work.

The linked article and accompanying audio gives great insight into where some of the best minds in the field think biometric ID management is headed.

While this blog is more concerned with market-based product innovation than basic science, our company simply couldn't do what we do without our crosstown neighbors and scientific brethren at WVU.

Citizen or subject: The politics of personal identity

When IT Meets Politics (, UK)
The issues of personal identity are central to a global information society in which we are routinely expected to conduct transactions with those whom we have not met before, cannot remember or may never physically meet. The supporting technologies, from smart cards, encryption and biometrics to secure and efficient databases and networks, have been in regular use for decades. The reasons for the current controversy over ID systems have little or nothing to do with technology developments: save in the sense that they may be used as an excuse for promoting a solution which serves political objectives.
The linked article is an excellent survey of the forces at work within the identity management sphere. It does a great job of addressing the questions:
  • What do governments want from an ID management system?
  • What do citizens want in the bargain?
  • How does trust play a role?
  • What makes for a sustainable and acceptable ID management framework?
These are important questions and rarely are they addressed with such careful attention to history and context as they are here.
Please read the whole thing.

Monday, September 20, 2010

Safran seals the deal to acquire L-1

Safran Enters Into a Definitive Agreement With L-1 Identity Solutions for the Purchase of L-1 Biometrics and ID Management Solutions Businesses (Yahoo Finance)
The transaction is subject to L-1' shareholder and regulatory approvals, including review by the U.S. Antitrust Authorities, the Committee on Foreign Investment in the United States (CFIUS), as well as the satisfaction of other customary closing conditions.
And from the AP: (via MSNBC)
Paris-based Safran says the combination of L-1's biometric and enterprise access businesses with its existing U.S. security business, Morpho, will have joint sales of about euro1.4 billion ($1.8 billion), with U.S. sales accounting for almost half of that.

Safran (Morpho) will take the biometrics business and Britain-based BAE will purchase L-1's consulting business.

Wednesday, September 8, 2010

Tech. in West Virginia

Jeff Imel is a success story for state tech leaders. The owner of Air Robotics, LLC relocated his company to West Virginia from Indiana 18 months ago and it is a decision he says he praises daily. He now thanks the state for helping his business, that is an aerospace company that designs and manufactures blended wing body Airborne Vehicle Systems, to thrive.

“I tell all my colleagues that West Virginia is the place to be. The opportunities here with the support places like the Robert C. Byrd Institute provide is comparable to none across the country,” Imel said.

That is the same message Tech Connect WV wants to provide to the rest of the world.
The linked article is a good summary of the successes and challenges associated with the development of the technology sector in West Virginia.

The weekly State Journal is also among the best printed publications in the state.

Tuesday, September 7, 2010

Who can go where without a visa?

The Henley Visa Restrictions Index
Brit's can go to 166 countries without acquiring a visa first. Iraqis and Afghanis, not so much.
In today's globalized world, visa restrictions play an important role in controlling the movement of foreign nationals across borders. Almost all countries now require visas from certain non-nationals who wish to enter their territory. Visa requirements are also an expression of the relationships between individual nations, and generally reflect the relations and status of a country within the international community of nations.
Full list here: [PDF].

WVU seeks volunteers for biometrics research [Charleston, WV]
West Virginia University is looking for volunteers to help with biometrics research.
Participants must be 18 or older and get $40 worth of gift cards for their time
College kids have it easy these days! Back in my day, it was all blood, plasma and drug trials.

AuthenTec And UPEK Announce Merger
AuthenTec (NASDAQ: AUTH), a leading provider of security, identity management and touch control solutions, and privately-held UPEK, a leading supplier of fingerprint solutions for consumer, business and government applications, announced that the companies have combined, creating the world’s largest provider of fingerprint sensors and identity management software, as well as biometric and embedded security solutions. AuthenTec will remain headquartered in Melbourne, Florida and will be led by newly named CEO Larry Ciaccia, who previously served as AuthenTec’s President and Chief Operating Officer.

This merger seems to fit into the second category of consolidation as outlined in this post.

Friday, September 3, 2010

German gov downplays biometric ID card hack

Nicht ein biggie []
German hackers successfully used off-the-shelf kit to extract personal data from the federal government's supposedly secure ID cards, but the government has downplayed the significance of the attack.
This is one of those "compared to what" situations.

No security regimen is perfect.
Wise adopters of biometric ID management solutions will:
  • Complete an honest assessment of the security of their current solution
  • Tally the costs associated with the current solution
  • Compare these data to the value proposition of a contemplated improved solution
  • Compare any gains in security to the change in the costs associated with the solution.
In other words, the guiding principle should be Return on Investment (ROI), not distance from perfect.

It is often possible to save money and improve security at the same time.

The German government appears to be of the opinion that the new system, even if imperfect, is more secure than the old system. I'll accept that as a given.

One thing Germany might consider: Would it be better to put a template generated by the fingerprint on the card rather than an image of the fingerprint itself?

There are good reasons for wanting the entire fingerprint, but storing it on the card itself reduces the security of the information and will probably lead to a larger opt-out rate than would be the case if the card only held the template.

Another article on this story can be read at

Wednesday, September 1, 2010

Industry Consolidation: 3M acquires another security firm

Hot on the heels of their offer for Cogent, 3M announced that it will buy Attenti Holdings, an Israeli company which markets GPS-based solutions used for monitoring people awaiting trial or on probation, as well as the elderly in aged care facilities.

3M makes second foray into security sector (reg. req.)

In Monday's post, I used news of 3M's offer for Cogent to make the prediction that we will be seeing a lot more mergers and acquisitions in the identity management space. There are many reasons to believe that this will be the case:

-The underlying technologies are becoming more robust and costs are declining offering significant returns on investment to their customers.

-More customers are making more investments and the pure ID management firms are starting to show profits.

-Big Tech. firms are sitting on a lot of cash (see Hewlett-Packard's stock buy-back and bidding war with Dell over 3PAR).

-Growth rates are good; worldwide demand is surging, especially in the developing countries.

So, with the exception of 3M and L-1's uncompleted sale, what's the hold-up?
Mathew Christy, an analyst with Standard & Poor’s Equity Research, said: “The security space has higher growth and higher margins than other parts of 3M’s business which has typically grown sales at around 8 or 9 per cent a year”.

However, Mr Christy noted that given the overall size of the company, the acquisitions would add less than 1 per cent of revenues and would do little to change the company’s momentum one way or the other.
Mr. Christy has precisely identified the current running counter to the rapid consolidation scenario.

The potential deals are too small to impact the bottom lines of huge firms in any meaningful way.

This brings up several possibilities for the future of market consolidation in the ID management space:

Big firms are sitting on so much cash and, rather than using it for stock buy-backs and dividend distributions, they will spend it on acquisitions in order to carve out space in what is certain to become a huge and profitable industry.

Consolidation will occur in two stages: Small firms bought by medium-sized firms and then repackaged for sale to huge firms -or- consolidation among the small firms leading to firms large enough to make significant bottom-line contributions to the large firms.

The consolidation of the ID management industry will happen later as the market sheds more light on the quality of individual ID management firms.

Organic growth (with acquisitions along the way, of course) will lead to a new household name as the flagship firm in the identity management industry -- a new Microsoft, Oracle or IBM, for instance.