Wednesday, September 29, 2010

Pushback on the National Research Council (NRC) Report

"The report is out of date and misleading at best," says Michael DePasquale, CEO of BIO-key International. "The fact that it relies on data gathered over five years ago does a disservice to the industry, and to those individuals who have been pushing technological advancements since 2004. Over the last six years, the technology has made significant contributions to not only our national security, but also to protecting access to a wide variety of commercial applications including smartphones, laptops, offices, homes, commercial networks, point-of-sale terminals and medical storage cabinets."
The full report is available here (Registration Required).

There are many fault lines running through the biometrics sphere and nowhere are they better explained than in the classic NATIONAL BIOMETRIC TEST CENTER COLLECTED WORKS 1997-2000 (1.8MB PDF). I refer specifically to Chapter 1, section II 'Classifying Applications' (page 13 in your PDF reader, page 3 according to the document's internal numbering). Without a decent understanding of the categories into which biometric applications fall, confusion is inevitable.

The categories are:
Cooperative v. Non-cooperative
Overt v. Covert
Habituated v. Non-habituated
Attended v. Non-attended
Standard Environment
Public v. Private
Open v. Closed

Some of these distinctions refer to the individual to be identified while some refer to the technology.

Every one of the above factors will affect, to some degree, either the technical suitability of a solution or the user's acceptance of a system, but the Attended/Non-attended (technical suitability) and Public/Private (social acceptability) categorizations are supremely important.

The report seems to have caused confusion in its readers along these two lines: attended vs. unattended systems, and public vs. private use. This quote from the report is emblematic:
Biometric recognition has been applied to identification of criminals, patient tracking and medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition and societal impact of their use.

This post touches on the confusion resulting from a lack of attention to the attended/unattended distinction.
The system described in Mainz, above, is an unattended system used on non-cooperative, non-habituated individuals in a public, non-standard environment. 60% is nothing to sneeze at, and the proper frame of reference is 0% (the number of people identified in the absence of a system), not 100%. So, Mainz went from 0% identifications to 60% in the daytime (possibly) without any spending on human resources, and this is failure?

This post, in part, examines whether your identity management solution is ever truly unattended:
Biometric identity management systems are not replacements for current security systems and protocols. They are augmentations of those systems. Very few security solutions are completely unstaffed.

The lock on your front door is apparently unstaffed, but is it? If you live in an apartment or are staying in a hotel and you lock yourself out, the front desk staff will verify your identity and issue you a new key. If you live in a house, a locksmith can verify your identity and gain access to your abode for you.

This post deals with the public/private distinction.
Bryan Glick at ComputerWeekly.com understands that the rejection of a statist, top-down approach does not mean that identity management systems are unnecessary or that all proposed systems will be rejected by a free public.

Glick then draws attention to a 2008 report by Sir James Crosby, then at HM Treasury, entitled Challenges and Opportunities in Identity Assurance (.pdf). The 47-page report contains a breadth of information that makes it a great introduction to how to begin thinking about the challenges associated with large-scale biometric identity management deployments. It is very accessible and deserves to be read widely.
At an early stage, we recognised that consumers constitute the common ground between the public and private sectors. And our focus switched from “ID management” to “ID assurance”. The expression “ID management” suggests data sharing and database consolidation, concepts which principally serve the interests of the owner of the database, for example the Government or the banks. Whereas we think of “ID assurance” as a consumer-led concept, a process that meets an important consumer need without necessarily providing any spin-off benefits to the owner of any database. This distinction is fundamental. An ID system built primarily to deliver high levels of assurance for consumers and to command their trust has little in common with one inspired mainly by the ambitions of its owner. In the case of the former, consumers will extend use both across the population and in terms of applications such as travel and banking. While almost inevitably the opposite is true for systems principally designed to save costs and to transfer or share data.
They say a horse by committee gets you a camel. I'll withhold final judgment on the NRC report until I've gone through it in more detail.