Wednesday, February 29, 2012

Fake Passports - Kiwis Don't Play

Two years in the Hoosegow and then Deportation (3 News)
Immigration NZ's Steve Stuart said that while the ability to detect false passports had improved over the years, criminals had also improved their techniques for forging and stealing passports.

Immigration officials were now fingerprinting asylum seekers and people referred at the border and checking these fingerprints with other countries. High-tech passport scanners and collection of facial biometric data were also being used.

Biometrics will be used in all immigration visa application checks when the roll-out of a new Immigration Global Management System begins next year.
See also: New Zealand Passport checks find surge in fakes


h/t @m2sys

Windows 8 Beta is Out (minus the facial recognition login)

Hands-on: Windows 8 beta (c|net - Asia)
A killer feature that is missing would be facial recognition logins. The better of these apps have been proven to be resistant to printed photo hacking, and it would extremely useful to have a Webcam recognize your face and log you in without having to physically touch the computer. At least nobody else has this integrated into the operating system yet, but since third parties like KeyLemon and FastAccess have been working on their versions for a while, expect it to arrive in the big players sooner rather than later.
You can download the Windows 8 Consumer Preview for free here.

E-passports spread to half the globe

Nearly half of all United Nations (U.N.) member states are now issuing biometric e-passports (Contactless News)
CAO estimates that as of July 2011, these 93 states have issued more than 345 million e-passports, of which almost 340 million are in circulation.

As per ICAO specifications, each of these documents contains a contactless integrated circuit chip that stores biometric data–i.e. facial, fingerprint or iris–of the passport holder as well as other encrypted identification data. Forty-five of the e-passport issuing states store both fingerprint and facial data on their documents, while 34 store only the facial data. The remaining 14 states currently use facial data, but will begin including fingerprints by the end of 2011.
Article, maps & stats at the link.

UK Border Agency seeks biometric services supplier

Contract to support visa application services around the world (CIO)
The services will support the International Group's visa operations in 130 countries.

Under the five to seven-year contract, some of the services will be deployed in 2014, with others introduced gradually until 2016.

Fujitsu Ultra High Spec Smartphone Prototype Has a Fingerprint Reader

Fujitsu’s Quad-Core Android Phone Offers Powerful Specs (GottaBeMobile.com)
The phone is said to be coming to Asian markets, and Fujitsu has recently revealed that it wants to tackle the European mobile market so this latest addition may find its way to Europe soon. When I spoke with the company’s executives at CES 2012, Fujitsu is also ambitiously eyeing to break into the U.S. mobile market within the next couple of years.
The above article makes a useful companion to this post, reproduced in its entirety below. It also has a video in which the fingerprint reader makes a last-minute cameo.

Unless my eyes deceive me, the Fujitsu phone seems to treat the fingerprint reader more thoughtfully than the Motorola ATRIX did. The Fujitsu has a touch platen located in the center of the top half of the back of the phone whereas the Motorola placed a swipe platen on the top edge of the handset (post and photo here). So the Fujitsu should be easier to use because a more convenient sensor form factor in a more natural location on the device.

Mobile Devices and Biometric Modalities
Smartphones and tablets combine the most powerful attributes of the networked computer and the cell phone, extending the web into every nook and cranny of the globe.

In one awesomely tiny package they facilitate data collection, storage and access to data stored elsewhere.

As a platform for near field communication (NFC) and SMS One-time passwords, mobile devices are also increasingly being used to deliver identity management applications by using a person's known possession of the device as a way of verifying their identity. In access control lingo, mobile devices are being used as tokens.

Using mobile devices is a dream come true for businesses that rely upon tokens: Your customer already owns it; If they lose it, they will be aware of the loss very quickly and they will replace it at their own expense; People are disinclined to lend their phone/credential to someone else; Etc.

Now to the question of securing the device itself and biometric modalities.

Fingerprints are currently the most frequently used biometric for overtly identifying cooperative, habituated individuals. They have a lot of things going for them. Fingerprints are well-understood scientifically, durable, reliable, and fingerprint ID management techniques have been shown to deliver high return on investment in many applications.

These are some of the reasons I lamented Motorola's announcement that it was leaving the fingerprint sensor out of the Atrix 2. The decision makes sense, though. The fingerprint sensor wouldn't be widely used until developers had written software using it, but including the sensor would drive up the cost of each unit for a thinly-used feature. The innovation chicken-and-egg problem is a real one and Motorola seems to have made the judgement that they weren't gaining enough of an advantage in the highly-competitive mobile device market by including it.

But that hasn't meant the end of mobile device biometrics. Just as businesses that issue tokens have been able to take advantage of the fact that their users are already carrying the necessary technology around with them, biometric identity management application developers are doing the same.

Mobile devices already contain the hardware required to deliver two biometric modalities: a camera for facial recognition and a microphone for voice. These modalities present challenges not usually associated with fingerprint biometrics — in the case of facial recognition challenges include lighting and the well-publicized photograph hack; for voice, background noise can be a problem — but they offer the advantage that the hardware is "free" and never going to be yanked out of mobile devices. That's quite an advantage, and it points to why face and voice biometrics are the front-runners for handset biometrics.

Nice and tidy, eh?

So, what to make of today's news that Fujitsu is set to compete more aggressively in the global handset market?

Fujitsu Aims for European Mobile Phone Market (Financial Times)
Fujitsu’s smartphones will certainly feature electronic money technology – enabling owners to use NFC, the mobile payment system – and biometric recognition to make their use as mobile wallets more secure.
Fujitsu, more than any other handset manufacturer, is deeply involved in biometric sensor hardware (finger, palm) that doesn't currently reside on stock mobile platforms. So stay tuned.

Tuesday, February 28, 2012

Authenticating users: Going beyond the password

What is authentication? (ZDNet Asia) 
Authentication is basically the process to confirm that a person (or user) is who they say they are. There are three classic "factors" that can be used to confirm a users' identity:

♦ Using something only the user knows
♦ Using something unique the user has
♦ Using something that only the user is
Read on for a discussion of each.

Sometimes it's good to go back to the basics and this article does a fine job.

If you get to the end of that one and wonder if there might be more factors, you might want to check this one out: Four Factor Authentication.

UID Enrollments to Resume in May

Fresh Aadhar enrolments only from May (Times of India)
After achieving the initial targets of enrolling 20 crore people before March 31, 2012, the Unique Identification Authority of India (UIDAI) has asked all its registrars in the country to halt the process of collecting data. However, following the fresh mandate received from the Union cabinet in January to cover another 40 crore people, the process is only likely to start by mid May.

Canada: Strange Things Afoot at the British Columbia Privacy Commissioner's Office

Canada: British Columbia Privacy Commissioner Says No Drivers License Facial Recognition Searches for Law Enforcement Without Court Order

First some background:

From Wikipedia:
The 2011 Vancouver Stanley Cup riot was a public disturbance that broke out in the downtown core of Vancouver, British Columbia, Canada on Wednesday, June 15, 2011. The riots happened immediately after the conclusion of the Boston Bruins' win over the Vancouver Canucks in game seven of the Stanley Cup Finals, which won the Stanley Cup for Boston. At least 140 people were reported as injured during the incident, one critically; at least four people were stabbed, nine police officers were injured, and 101 people were arrested that night, with 16 further arrests following the event.
Dramatic Photos Here

Enter the Insurance Corporation of British Columbia (ICBC), which administers the province's drivers license aparatus:

Insurance corporation offers to help ID rioters (CBC - June 18, 2011)
The Insurance Corporation of B.C. is offering Vancouver police the use of its facial recognition software to aid in the investigation into Wednesday night's riot.
Troubled by the ICBC's offer, the British Columbia privacy commissioner launched an investigation. The Office of the Information and Privacy Commissioner (OIPC) is independent from government and monitors and enforces British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection Act (PIPA).

That's the background and the primary actors.

The BC privacy commissioner has now issued a press release of her findings:

ICBC cannot use facial recognition to identify Stanley Cup rioters without a court order, says B.C.’s Privacy Commissioner (OIPC Press Release - pdf)
The Insurance Corp. of British Columbia cannot use facial recognition to identify Stanley Cup rioters without a court order, B.C.'s privacy commissioner said in a report released Friday.
A passage of critical importance states:
Next, the commissioner reviewed ICBC’s offer to Vancouver Police, and found that using the database in this manner is not authorized under FIPPA.

“A public body can only use personal information for the original purpose it was collected, except in very limited circumstances. ICBC’s offer to use its database to check police-submitted images is clearly a different purpose,” said Denham.

The commissioner’s findings do not alter the power of police to request personal information from public bodies to assist in a specific investigation, or through the use of a subpoena, warrant or court order, as per section 33 of the act.
The part of the FIPPA law the privacy commissioner cites in support of her finding that the ICBC can't cooperate with the police without a court order actually says:

Section 33 - A public body may disclose personal information in its custody or under its control only as permitted under section 33.1, 33.2 or 33.3.
Section 33.2 A public body may disclose personal information referred to in section 33 inside Canada as follows:
Section 32.2(i) to a public body or a law enforcement agency in Canada to assist in a specific investigation
Section 32.2(i)(i) undertaken with a view to a law enforcement proceeding, or
Section 32.2(i)(ii) from which a law enforcement proceeding is likely to result;
To summarize, the law states that: A public body may disclose personal information inside Canada to a law enforcement agency in Canada to assist in a specific investigation undertaken with a view to a law enforcement proceeding, or from which a law enforcement proceeding is likely to result.

So, a public body can only use personal information for the original purpose it was collected, except in very limited circumstances; those circumstances are described in section 33 of the act which clearly permits the sharing of information with police (and, really, any other government official for nearly any reason; see for yourself), yet here is precisely where the OIPC "finds" that the ICBC is prevented from cooperating without a court order when the term "court order" is never used in either of the two acts that give the OIPC its power.

As stated earlier, the OIPC is independent from government and monitors and enforces British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection Act (PIPA).

The PIPA (Sections 52 & 53) gives the OIPC the power to issue orders which are binding unless they are appealed within thirty days.

But the OIPC's news release never asserts that the OIPC is ordering anything. The OIPC writes:
In a public report released today, Information and Privacy Commissioner Elizabeth Denham found that any use of ICBC’s facial recognition technology to identify criminal suspects requires a warrant or court order. [Emphasis mine].
Either of the bolded portions could have used the order/ordered terminology if that was what was intended by the British Columbia privacy commissioner, but they didn't.

So what exactly is going on here?

Is the OIPC ignoring its stated powers because issuing an order would lead to an appeal that the OIPC would, in the plain reading of the Act, be certain to lose?

Is the OIPC trying to take the position that if the police ask, the ICBC can co-operate, but that the ICBC can't preemptively offer help?

The OIPC's Summary of Recommendations in the document is rather telling.
1. ICBC should clearly notify customers that facial recognition technology is in use for the purposes of detecting and preventing driver’s licence fraud...
2. ICBC should immediately cease using their facial recognition database to identify persons in images provided by police, unless authorized by a subpoena, warrant or court order.
3. ICBC should establish accountability and leadership on privacy within the corporation, to ensure that privacy is taken into account in decision-making at the executive level.
4. ICBC should implement a privacy impact assessment policy, to set out when and how a privacy impact assessment is completed and reviewed. Technology projects should be reviewed at the conceptual, design AND implementation phases.
5. ICBC should develop a schedule for periodic review of its privacy policies. [Point 1 truncated, bold emphasis mine.]
If the OIPC believes that the ICBC is or was in violation of either the PIPA or FIPPA laws, doesn't it have a duty to order the ICBC to comply with the two acts and be prepared to go to court over its stance?

Perhaps another portion of the FIPPA law has more bearing in this case.

Part 2 - Division 4 states:
Information must be disclosed if in the public interest [emph. in orig.]

25 (1) Whether or not a request for access is made, the head of a public body must, without delay, disclose to the public, to an affected group of people or to an applicant, information
(a) about a risk of significant harm to the environment or to the health or safety of the public or a group of people, or
(b) the disclosure of which is, for any other reason, clearly in the public interest. [emph. mine]
The ICBC would be expected to make the argument that informing the police of its capabilities to assist them in quelling riots is not prohibited by the FIPPA law, but rather it is required by it.

Monday, February 27, 2012

UID is Much More Than a Number

Aadhaar and the Transition From a Paper Economy to a Digital One (The Hindu Business Line)
It could, indeed, emerge as the basis for a real transition of an economy predominantly operating on cash today, to one where even the poorest of Indians can receive or make payments electronically. To lend traction to the process, a Task Force headed by Nandan Nilekani — Chairman of the Unique Identification Authority of India (UIDAI) and author of the Aadhaar idea — has recommended that payments for all government transactions above Rs 1,000 be done through electronic transfers, involving neither cash nor cheques. This may be enforced especially in respect of disbursements against subsidies and various welfare schemes, which add up to well over Rs 300,000 crore annually.
Crore = ten million. Rs 300,000 crore is three trillion rupees. 3,000,000,000,000.00 INR = 60,932,932,375.40 USD. That's sixty-one billion dollars, distributed, in large part, in cash because the intended recipients don't have bank accounts.

It can't come as a surprise that there are large leakages from such a system. How big are they? Nobody knows.

So what would it cost to give everyone a UID number enabling access to the banking system?

Aadhaar project mission director Ram Sewak Sharma recently estimated that the total cost could come in under Rs 18,000 crore (US $3.7 Billion).

If we double the estimated total cost of UID and assume that 12% of the budget for transfers can be saved, UID would pay for itself in... one year.

If only one percent of the welfare budget can be saved, the project would pay for itself in twelve years, even if it costs twice as much as expected to implement. So, even in the narrow, financial perspective of return on investment, UID sells itself.

But rupees, even lakhs of crore of them, are only a very narrow metric for gauging UID's value.

The demoralizing effects of the corruption, abuse and fraud that thrive in the absence of accountability are impossible to measure with money; they're measured in misery. If UID succeeds, the benefits of UID's implementation will also be impossible to measure in currency units.

Biometrics are a powerful institution-building, tool.

UK Expands Biometric ID for Non-Citizen Residents

400,000 people will hold Biometric Residence Permits (Computer Weekly)
The system now includes refugees and those given the right to live here permanently, meaning all non-EEA nationals applying to remain in the UK for more than six months will have to hold the permits.

Thursday, February 23, 2012

Biometric Chat on Biometrics & Cloud Computing

When: March 1, 2012 [UPDATE: Postponed to March 15]

11:00 am EST, 8:00 am PST, 16:00 pm BST, 17:00 pm (CEST), 23:00 pm (SGT), 0:00 (JST)

Where: tweetchat.com/room/biometricchat (or Twitter hashtag #biometricchat)

What: Tweet chat on biometrics and cloud computing

Topics: The exponential growth of biometric data, leveraging the cloud for big data biometrics, applications that can benefit from biometric cloud computing, the burdens of new biometric modalities, the future of biometrics and the cloud.

More information at the M2SYS blog.

I always enjoy these.

Tune in, dial up, surf over (or do whatever it is you do to navigate the interwebs) and join in the conversation.

Exceptional Cases In Biometric Deployments

Ghana Vote Will Cater for Amputees (Ghana Web)
Amputees and persons with any challenge with the fingers will be catered for to register unhindered when the biometric registration process begins next month.

Person with such impairment, those with no fingers or some impairment that makes their finger prints unidentifiable will be registered and identified as such in the biometric register, together with their facial features.
The goal of biometric ID management systems is return on investment, not perfection. All large-scale biometric deployments must anticipate exceptional cases and plan for how to handle them.

Analysis predicts growth of biometric security products and services on mobile devices

Market will grow to over $161 million in revenue by 2015. (Security Park)

A lot of the information provided at the link tracks thoughts expressed in Monday's post, Mobile Devices and Biometric Modalities.

If you missed it, please consider giving it a read. There's a synergy in reading the two pieces together.

Wednesday, February 22, 2012

Cameroon adopts biometric voter registration

To ensure credible elections in Cameroon (Africa Review)
Cameroon’s elections governing body Elecam has accepted to adopt biometric registration.

The system will be used during the next round of registration, which was announced two weeks ago on the instructions of President Paul Biya.

Opposition parties and civil society organisations have been piling pressure on Elecam to adopt the biometric system.
West Africans overwhelmingly recognize voter biometrics as a useful safeguard of democracy.



h/t @silicontrust

Frost & Sullivan Predicts Mandatory Implementation of e-Passports for ICAO Member Countries by 2015

Since 191 countries are ICAO members, that would pretty much make biometric passports the world standard.

Boost to Adoption of e-Gate Systems (findBIOMERTRICS)
Travel documents are for terrorists just as important as weapons, according to the key finding from the 9/11 Commission Report. This is the reason border control systems based on biometric applications have become the solution of choice in identifying potential threats. There is also considerable emphasis on the identification of immigrants using e-Passports and e-Visas to channel biometric data to destination countries to reduce illegal immigration.

Iowa Guardsmen Capture Taliban Financier Using Biomtrics

Local Guardsmen capture of Taliban financier detailed (SouthwestIowaNews.com)
Spc. Dan Goeser, of Manilla, and Staff Sgt. Timothy Beery, of Denison, were involved in the capture of an individual who was financing local Taliban members.

Team Diesel knew the financier was coming into their area and had a license plate number for the individual’s vehicle. Beery was the truck commander of the first truck and Goeser was the gunner. They blocked the financier’s vehicle from the rear and a second truck blocked it from the front before the rest of the convoy arrived.

The financier didn’t admit to his identity, Beery stated. A biometric device was used identify the individual by scanning his fingerprints and eyes.

Berry said the financier was turned over to LTC Stephen Boesen II, the battalion commander, and in turn was turned over to the Afghan National Army.

West Virginia Photo ID Controversy - Some Object to Photo ID on Privacy/Religious Grounds

Real ID Act opposed on the basis of privacy rights religious freedom (West Virginia Public Broadcasting)
“We were created in the image of God. God gave us our uniqueness. What the State wants to do is take something unique physical about us, our digital facial fingerprint and take it. It’s actually theirs. They’re taking something unique from us like someone taking your DNA.

"If I take a picture of you in a photograph, you buy the picture, I give you the picture, it’s your picture. I can’t go out and say do something else with that picture because that is your picture. You understand? What God gave me I don’t have the right to give to the State. Especially when in Scripture it tells me eventually my identification will be necessary to have permission by the State to basically do anything,” Hudok said. [emphasis mine]
That's a bold statement.

There's audio at the link.

UPDATE:
Another article on the subject from the Charleston Daily Mail
"...we would be enrolled in a global system of identification that directly links our body, through biometrics, to our ability to buy and sell..."
and
"I am not saying this is the mark of beast, I'm saying this is where I draw the line"

Biometrics Definitively Establish Number of Ivorian Refugees

UNICEF Weekly Situation Report No.56 (Relief Web)
According to UNHCR, the official number of refugees from Cote d’Ivoire as of 16 February 2012 currently stands at 69,561 following a recount using biometric registration.
The international development crowd has been among the most industrious in applying biometrics to helping the worlds most vulnerable people.

Côte d'Ivoire (Ivory Coast) has had two bouts of civil war in this young century.

Tuesday, February 21, 2012

Does turning off the Iris system at Manchester and Birmingham represent a failure of biometrics?

I'm glad that the folks at Allevate have put this story into its proper perspective. They possess a great depth of knowledge on airport biometrics and they are close to the story.
"Let’s not forget the system was originally introduced in 2004, initially as a pilot. At this time, such use of Iris technology was fairly innovative. That the footprint of the pilot was gradually extended and became a permanent system is indicative that the system was fairly well received. The fact that over 380,000 people have voluntarily enrolled (myself included) makes it difficult to argue that the system is derided.

In my opinion, the turning off of the system at these two locations is more in line with a planned phasing out of this particular solution, for some rather more mundane reasons: [...]"
Read on at the Allevate blog.

One more reason I'm glad: my procrastination has saved me from writing a post that would have paled in comparison. Read the whole thing.

Argentinians concerned about Government Surveillance Overreach

In Argentina the collection of biometric data is drawing criticism (Miami Herald)
Argentina’s police were recently accused of infiltrating and spying on demonstrations against the American company Kraft to collect personal information of protesters through a program called “Project X.” Security Minister Nilda Garré has denied the charges but called for an investigation, even as the chief of the national police agency, Héctor Schenone, confirmed the existence of the program in court documents.

Experts say a biometric database would make the identification of protestors much easier.

“Privacy is particularly crucial for our country since throughout our long history of social and political movements, calls for action have often taken to the streets,” says Beatriz Busaniche of Vía Libre, a local foundation that promotes freedom on the Internet. She stressed the importance of anonymity for demonstrators, “especially when they are at odds with the government.’’

Argentina and other Latin American countries are updating their decades-old national ID systems and moving to biometrics without a public debate on the privacy and data-protection implications of these proposals, according to Katitza Rodriguez, the international rights director for the Electronic Frontier Foundation, a San Francisco-based nonprofit that defends digital rights.
Biometric systems are never deployed in a vacuum. Argentina's political and economic history over the last thirty years has been tumultuous, to say the least.

Everyone is entitled to an open deliberative process leading to the highest possible degree of consensus and transparency before the implementation of such systems, and accountability afterwards.

Argentinians are entitled to such a process before deciding whether or not the potential rewards outweigh the real risks that such a surveillance system will be compromised or abused.

Identity management is about people.

Macedonia: All Non-Biometric ID's Expire Monday

Image Source: CIA World Factbook


Macedonia: Only biometric identity cards to be valid as of Monday (Focus Information Agency)

Tanzania Using Biometrics to Cope with Horn of Africa Chaos

It seems like West Africa is more active in the biometrics world. Here's some biometrics news from East Africa.

Tanzania Inaugurates Japan-Funded Immigration Facilities (Modern Ghana)
A 2009 IOM study "In Pursuit of the Southern Dream" suggested that some 17,000-20,000 mainly young men from Somalia and Ethiopia are smuggled through Tanzania en route to South Africa every year.
...
In each location the Japanese-funded project has allowed IOM, in close collaboration with Tanzanian police and immigration counterparts, to construct and extend premises where the migrants can be housed and screened.

It has also provided IT equipment to allow Tanzanian immigration officers to capture biographic and biometric data in order to create a record of all migrants passing through land border posts. The project has also donated 11 cars and three boats.

UK Border Scandal Update: Independent Inspector's Report Published

The UK's border control scandal of last fall is back in the news as John Vine, an independent inspector of the Border Agency, has released his findings (84-page .pdf available at icinspector.independent.gov.uk) An investigation into border security checks.

One of our slogans at SecurLinx is "Identity management is about people," and the shortcomings in the UK border apparatus seem (and always have seemed) to have been failings of management and communication rather than failures of technology and its proper use. That's why we didn't spend much time on the subject last fall (only one post) and why we won't spend much time on it today.

A small part of the story does seem to deal with biometrics, though.

Terror fear as border checks fail (Sydney Morning Herald)
The report also found that biometric chip checks were routinely suspended before the pilot began. Between January and June last year, chip reading was suspended 14,812 times, but the Border Agency was "unable to explain definitively why these suspensions occurred".
Needless to say, biometrics only work if you use them.


In addition to the above referenced story, here is a selection of other coverage:

The Migrant Rights Network thinks this is all being blown way out of proportion.

The Daily Mail (here & here) is less sanguine.

The Guardian does a good job covering the bureaucratic finger-pointing angle.

Scotland: The Herald's Kate Devlin covers it like she's talking to Joe Friday.

Monday, February 20, 2012

Second Order Benefits of India's UID Project

This blog has compared India's UID program and census to the American space program of the sixties (here, here & here). The analogy holds because, like the space program, India's ID programs stand to deliver benefits far beyond the scope envisioned by their originators.

The space program eventually led to the development of satellite telecommunications, GPS and many other benefits. Moreover, the benefits of these technologies are not confined to the United States.

India'a population-level biometrics programs stand to confer a huge benefit to countries all over the world, too.

There's a very important way in which the analogy doesn't hold, though.

With the space program there is a sense that if the United States didn't do it, nobody would or could.

With the Indian ID projects there is a sense that if India can do it, anybody can...

"[...N]ot because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone..."
- John F. Kennedy

India faces challenges that make UID harder to accomplish there than anywhere else I can think of. If India can do it, other countries will find following in India's footsteps a much less formidable challenge than following in Neil Armstrong's.

India gives globe tips on UID (Hindustan Times)
The Unique Identification Authority of India (UIDAI) is assisting the government of Papua New Guinea, a small island nation in the Pacific Ocean close to Australia, in starting a national identity scheme. Two UIDAI officials — deputy director general BB Nanawati and additional director general Anup Kumar — spent a week there this January to guide the country's government in providing biometric identity to its residents.

Ireland: New era for Visas

Biometric visas (e-Visa project) (Business & Leadership)
Chief executive of the Irish Exporters Association (IEA) John Whelan has welcomed the vision for a new era for visa systems for Ireland, which was outlined at the second meeting of the Export Trade Council held last week.

...
The basis of the long-term waiver is likely to be based on sharing biometric checks through fingerprint recognition technology with the UK authorities.

Biometrics are increasingly being used as a feature of visa application and border checking by many advanced economies.

However, the Dept of Justice and Equality advised the Export Trade Council that the cost of putting the biometric technology in the worldwide network of Irish embassies would cost in the order of €6.5m.
Much more at the link.

Mobile Devices and Biometric Modalities

Smartphones and tablets combine the most powerful attributes of the networked computer and the cell phone, extending the web into every nook and cranny of the globe.

In one awesomely tiny package they facilitate data collection, storage and access to data stored elsewhere.

As a platform for near field communication (NFC) and SMS One-time passwords, mobile devices are also increasingly being used to deliver identity management applications by using a person's known possession of the device as a way of verifying their identity. In access control lingo, mobile devices are being used as tokens.

Using mobile devices is a dream come true for businesses that rely upon tokens: Your customer already owns it; If they lose it, they will be aware of the loss very quickly and they will replace it at their own expense; People are disinclined to lend their phone/credential to someone else; Etc.

Now to the question of securing the device itself and biometric modalities.

Fingerprints are currently the most frequently used biometric for overtly identifying cooperative, habituated individuals. They have a lot of things going for them. Fingerprints are well-understood scientifically, durable, reliable, and fingerprint ID management techniques have been shown to deliver high return on investment in many applications.

These are some of the reasons I lamented Motorola's announcement that it was leaving the fingerprint sensor out of the Atrix 2. The decision makes sense, though. The fingerprint sensor wouldn't be widely used until developers had written software using it, but including the sensor would drive up the cost of each unit for a thinly-used feature. The innovation chicken-and-egg problem is a real one and Motorola seems to have made the judgement that they weren't gaining enough of an advantage in the highly-competitive mobile device market by including it.

But that hasn't meant the end of mobile device biometrics. Just as businesses that issue tokens have been able to take advantage of the fact that their users are already carrying the necessary technology around with them, biometric identity management application developers are doing the same.

Mobile devices already contain the hardware required to deliver two biometric modalities: a camera for facial recognition and a microphone for voice. These modalities present challenges not usually associated with fingerprint biometrics — in the case of facial recognition challenges include lighting and the well-publicized photograph hack; for voice, background noise can be a problem — but they offer the advantage that the hardware is "free" and never going to be yanked out of mobile devices. That's quite an advantage, and it points to why face and voice biometrics are the front-runners for handset biometrics.

Nice and tidy, eh?

So, what to make of today's news that Fujitsu is set to compete more aggressively in the global handset market?

Fujitsu Aims for European Mobile Phone Market (Financial Times)
Fujitsu’s smartphones will certainly feature electronic money technology – enabling owners to use NFC, the mobile payment system – and biometric recognition to make their use as mobile wallets more secure.
Fujitsu, more than any other handset manufacturer, is deeply involved in biometric sensor hardware (finger, palm) that doesn't currently reside on stock mobile platforms. So stay tuned.

Friday, February 17, 2012

Ghana Biometric Voter Registration: 4 Phases in 40 Days

E.C. announces dates for biometric registration (Ghana Web)
The 40-day registration exercise will be held at the polling station levels with four polling stations coming together to form a cluster for the registration.

As part of the registration process, prospective voters will be required to provide their exact date of birth, their current residential address as well as their hometown address.

Applicants will also be be required to show evidence of eligibility to register by providing either a birth certificate, passport, baptismal card, a driver’s license or a national health insurance card, the national I.D card or the existing voter ID card.

The prints from all ten fingers of applicants as well as their images will be captured digitally as part of the registration exercise. In the event of an applicant having lost some fingers, the fingerprints of the available fingers will be captured. Special arrangements will also be made for the registration of persons without fingers.

Thursday, February 16, 2012

India: Six Week Hiatus for UID Enrollments

It's a “six-week break” for Aadhaar enrolments (The Hindu)
Weeks after the Union Cabinet decided that the task of collecting biometric and demographic data of residents would be shared by the Unique Identification Authority of India (UIDAI) and the National Population Register, Aadhar enrolments across the country have been suspended as the process is reviewed.

The enrolment process is on a “six-week break”, senior officials in the UIDAI told The Hindu , and during this period “modalities” on how to go forward with the second phase of this scheme will be finalised. Enrolments are slated to recommence by mid-April, after a “thorough review” of the existing process is conducted, the official said.

Nigeria: Biometrics Generate $965 Million in Pension Savings

FG Cuts Spending (This Day Live)
She also disclosed that the Pension Task Force made a recovery of about N151 billion following the use of the biometric verification system in plugging leakages occasioned by the menace of ghost workers in the public sector.
Today: 151,000,000,000.00 NGN = 955,998,752.25 USD. That's some heavy ROI.

Two UK Airports Turn Off Iris Scanners

This seems to be more a question of modality going forward than a rejection of biometrics. Birmingham and Manchester Scrap Iris for Frequent Traveler (BBC)
They will continue working at London's Heathrow and Gatwick airports until after the 2012 Olympics.

A UK Border Agency spokeswoman said the government was reviewing the use of the scanners in the light of new technology.

The Iris Recognition Immigration System (IRIS) was first introduced into Heathrow in 2005 and rolled out at Birmingham, Gatwick and Manchester in the following year.

Canada's Tories Move to Address Bogus Refugees

"Canada's asylum system is broken" (Vancouver Sun)
On average, Kenney said it takes four and a half years from the initial claim to remove a failed refugee claimant for the country.

The legislation also would grant legal authority to collect biometric data from people entering Canada on a visitor visa, work permit or study visa.

"We have seen many cases of people, criminals — foreign criminals — arrested, convicted, and deported who came back to Canada using fake papers," Kenney said.

He said the use of biometrics would prevent failed refugee claimants from trying to return to the country.
Canada is among the world's most welcoming countries to refugees. If it to remain that way, Canadians need to have a high level of confidence that the system works well.

Wednesday, February 15, 2012

Nandan Nilekani on UID

Nandan Nilekani talks development, privacy, utility and the cloud in this short, but excellent UID interview at Business Today.

Biometrics Assist US Border Patrol Apprehension of Convicted Kidnapper

Previously removed from the U.S. in May and June, 2011 (Deming Headlight)
Using the Integrated Automated Identification System (IAFIS), and other databases, a female subject from the group was identified as Blanca Yesenia Garcia-Recinos, a 24-year-old Guatemalan national.

The subject's biometric information revealed prior arrests which led to felony convictions, including kidnapping, burglary and aggravated assault in 2009.

Garcia-Recinos was previously removed from the U.S. in May and June, 2011.

South Africa: Biometrics to Curb Social Security Fraud

The South African Social Security Agency (Sassa) awards a R10-billion contract (Mail & Guardian Online)
Social development director general Vusi Madonsela told the Mail & Guardian that Sassa does not own a database and it doesn't have a biometric database of beneficiaries and would like to create that record. "It's also very important for the purpose of fighting fraud. And in the process of creating that record of database, we will pick up the wrong things in the system," said Madonsela.

He added that the re-registration of beneficiaries will begin in the next financial year.
Ten billion Rand = US $1.3 billion.

Education and Large-Scale Biometric Deployments: Ghana Vote

EU commits €7m to fund Ghana’s 2012 election activities (Ghana Web)
The European Union (EU) is supporting three organizations in the country with an amount of seven million Euros to train their staff and educate the public on the Biometric Voter Registration exercise.

The beneficiary organizations are the Electoral Commission (EC), National Commission on Civic Education (NCCE) and the National Media Commission (NMC).
Biometric scanners don't cause erectile dysfunction - EC (Ghana Web)
The National Commission for Civic Education (NCCE) and the Electoral Commission (EC) have debunked rumours that scanners for the biometric voters registration can cause cancer or erectile dysfunction.

According to the two bodies, the scanners, which will be used for biometric registration, would be similar to the ones used at the various international airports, such as the Kotoka International Airport, the John F. Kennedy Airport in New York and the Schipol Airport in Amsterdam.
Every large scale biometric deployment will have an education component and the educational challenges differ depending upon many factors.

Knowing how different groups are likely to receive a biometric system can make a real difference in the odds of its success.

It's not about the tech., ID management is about people.

The Cloud & Biometric ID Management

Cloud-Based Application Development for Biometrics Data (M2SYS Blog)
More and more international governments and security-intensive companies are using biometric-enabled identity cards for their employees and professionals. As this technology becomes more widespread, the need to make this technology more mobile, and more accessible is becoming clear. Experts all over the globe are pushing for cloud-based biometrics for greater efficiency and mobility.
More at the link.

Tuesday, February 14, 2012

What is a Face Scan, Anyway?

More than 10,000 Olympic athletes and their coaches are having fingerprints and face-scans taken by UK officials around the world in the biggest operation of its type to prevent the London Games being targeted by illegal immigrants or terrorists. (The Independent - emphasis mine)

Did I miss a revision to the J-School style manual stipulating that photographs are henceforth to be called face scans?

Is this a British usage thing like calling flashlights torches, trucks lorries, and elevators lifts?

Let me try:
"Are those face-scans of your children? They're adorable!"
"I lost a ton of weight, so I put a new face-scan on my LinkedIn profile."
"I hate my drivers license face-scan."
How am I doing? What? Not good?

My friend from Purley assures me "that's not the way it's done back home," pointing out that this guy didn't say...
"Your wife interested in er... face-scanning, eh?"

My friend is correct!

No, I think "face-scans" is a term meant to communicate an author's disapproval of facial recognition technology without directly acknowledging bias. Wink, wink; nudge, nudge.



Public service: Here's the whole 'Candid Photography' clip at YouTube

See also:
The Politics of Biometrics: A Shibboleth, from the SecurLinx blog's early days.

h/t @m2sys

Using Electrical Properties of Heartbeat as a Biometric Modality?

Human heartbeats never quite repeat themselves, and each person's heartbeat is unique (Daily Mail - UK)

Because "pulse rate" is nowhere near synonymous with "electrocardiogram," the headline in the article linked above is wrong and a bit misleading. The concept described in the article, however, is very interesting.

Pulse rate is a number, usually expressed as beats per minute (bpm). The average resting heart rate for an adult is 60-90 bpm. An individual's pulse rate varies not just with levels of activity or excitement; it also varies depending upon whether the person is inhaling or exhaling at the time. Trying to account for individuality among the entire adult population with a simple biostatistic that varies within an individual every few seconds, but among the whole population by only 30 bpm is absurd. Pulse rate is wholly unsuited to biometric identification.

But what about ECG?

The electrocardiogram (loose translation: electric heart writing, or ECG) is a far more detailed representation of what the heart is up to. It looks like this:
Photo: Wikipedia

This graph shows the electrical activity associated with two full heart beats, and it may be possible that the formula describing an individual ECG will turn out to be unique enough and stable enough over time to use as a biometric identifier.

The other good news is that there are probably millions of recorded individual ECG readings for biometric algorithm designers to work with. Even people without fingers have heartbeats. Another awesome upshot of an ECG biometric would be the promise that that, one day, your phone or laptop might be able to tell if you're having a heart attack. Unfortunately, the good news pretty much ends there.

The bad news:
Healthy hearts all look very similar on an ECG, which is part of what makes the ECG a useful diagnostic tool.

Where on the body ECG sensors are placed causes changes in the observed wave, mostly on the Y-axis.

The wave gets compressed or stretched horizontally (X-axis) based upon heart rate.

So, to summarize these first three points, the ECG, like heart rate, may vary by too much within an individual but not enough over the healthy population to make it a useful identifier.

The biometric is actually a biostatistic, which is problematic (as linked above).

An ECG is medical information, which has accompanying regulatory and privacy issues.

It's going to be difficult for this type of modality to displace other hand-based biometrics which have a huge head start in terms of price, proof of reliability, education and acceptance.

In short, this is one of those subjects that is intensely interesting from a Ph.D.'s point of view (invention) but not so much from an engineering or business perspective (innovation). ECG as a biometric will face significant — I dare say insurmountable — challenges in finding its way into wide use as a commercial ID management application any time soon.

UK Car Finance Group’s Avoids £3.2M in Identity Fraud

The Funding Corporation Limited (TFC) says that almost 500 cases of suspected fraud were identified in 2011 (Press Release)
The result was achieved by vigilant staff across the group, trained by a dedicated anti-fraud unit in the company, aided by document checking technology from Au10Tix in all of its ACF Car Finance Limited used car dealerships.

Forged passports and driving licences presented by customers to verify their ID are among the illegally-held documents picked up by the crime-fighting scanners.

The software analyses components of documents such as biometric data, visual data, infrared, ultraviolet and holograms to provide its full authentication check.

ACF Car Finance is the first UK motor retailer to use this technology, says Richard Cox, Head of Motor Operations at TFC, parent company to ACF Car Finance.

However, he comments, in addition to significantly reducing the company’s exposure to the risk of fraud, the scanners also provide both commercial and customer benefits:

"By removing the risk of human error from document checking we are also freeing up showroom staff to spend more time with customers" said Richard.

"Also, consumers do not have to wait around as long while their documents are manually authenticated - a procedure which some people find irritating and slightly offensive.

"In just a few seconds, we can now ascertain if an item of identity is genuine - and it is a far more robust and customer-friendly way of managing fraud risk than manual checking" said Richard.

“What’s more, if an innocent customer is involved, for example if their details are used fraudulently, they are duly notified and offered advice on how to protect themselves from ID Fraud in the future.”
Better ID management is good for companies and their customers.

Monday, February 13, 2012

French Consumers Prefer Fingerprints over Mobile Phones for Retail Payments

Survey Shows More Interest in Biometrics than Near Field Communication (NFCWorld.com)
69% of the 1,008 people surveyed by Ifop for Wincor-Nixdorf said they were either very or quite in favour of replacing PIN codes with fingerprint biometrics at the point-of-sale, and only 36% were either very or quite in favour of using an NFC phone to make a purchase. 39% were quite opposed to the idea and 25% were very opposed.
Support for NFC actually dropped from last year's survey.

What explains this?
Is it something to do with NFC tech specifically?
Do people trust their credit card company/bank more than they trust their mobile service provider/Google/Apple?
Is smartphone penetration in France so low as to limit interest in a NFC payment system?
Is it that if you lose your phone, you can't buy a new one because you don't have a phone and you'll starve because you can't use your phone to buy food (less likely, I'll admit)?

UPDATE:
Following Vulnerabilities, Google Disables Pre-Paid Card on Google Wallet App (GottaBeMobile.com)
After a series of two vulnerabilities were discovered that targeted Google Wallet, Google’s mobile and digital wallet app on the company’s Android smartphones, Google has now decided to disable the prepaid credit card feature on the app.
...
The app makes use of NFC, or near field communications, technology. Rather than swiping a plastic credit card through a magnetic reader, users can pay for physical goods at retail stores by waving their NFC-enabled smartphone next to an NFC reader. In this manner, Google anticipates that smartphones and wallets would converge and eventually credit cards would become obsolete as users would only need to carry their smartphones to make and initiate payment.



h/t @ksikeyboards
h/t @Ess_ID_Security

UPDATE - United States: ID Technology & the Bill of Rights

I made some slight edits to the ending of the original post for clarification and to make the original more smoothly flow into the update. The original post is here.

The Fifth Amendment in the Digital Age (ZDNet - Identity Matters Blog)
Basically, if the password is a physical thing she has, than the Fifth Amendment does not protect it. But if the password is deemed to be something the defendant knows, it is protected.
...
To illustrate the principle, the Supreme Court has previously explained that a witness might be “forced to surrender a key to a strongbox containing incriminating documents,” but not “compelled to reveal the combination to a wall safe.”
As the post points out, biometric technologies complicate this further.

The Fifth Amendment guaranty that "No person shall... be compelled in any criminal case to be a witness against himself," applies (outside the military) to those who have already been indicted by a grand jury, are standing trial, and are being asked to assist in their prosecution. The example above doesn't seem to prevent the police from hiring a locksmith to open the wall safe; it merely prevents the police from compelling the accused to help them.

The Fourth Amendment is much more relevant to privacy in the ordinary sense.

The Fourth Amendment guarantees that:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

"Warrantless mobile device searches" (Google search) are a much hotter digital age privacy issue and it's the Fourth Amendment that seems to apply to those searches, though not necessarily to this case as I'm pretty sure they have a warrant for the laptop.

UPDATE: The attorney for the defense, having lost on the Fifth Amendment is appealing the Fifth Amendment ruling and seeking refuge in the Fourth Amendment.

Woman who pleaded Fifth in password case now citing Fourth
He said the Fourth Amendment is a better argument “for us and for the public in general.”

Fricosu’s case drew interest from civil rights groups who argued that current law needs to evolve to meet the nuances of the digital age. The prosecution, however, argued that hiding behind a password and encrypted data would make prosecution impossible in the future.

Dubois says the Fourth Amendment argument ties into the Fifth Amendment, which is also “about due process of law and fundamental fairness. ”


The court rejected the Fifth Amendment argument that focused on the password, an identity management technology, saying that the password is more akin to a physical key than a safe's combination (see above). The defense appeal of this judgement keeps the identity management issues in this case alive. The Fourth Amendment question seems to focus on the contents of the laptop and not access to them.

Still, it seems like this case has a long way to run.

Poorest of the Poor Expect to Benefit the Most from India's UID

This won't be new to regular readers but it can't be repeated often enough. World's biggest biometric ID scheme forges ahead (BBC)
Among those in the queue is Kamala, a daily wage labourer.

It's people like her, the poorest of the poor, who are expected to benefit the most from the UID. They have no proper identity papers and therefore no access to services such as subsidised food rations, a phone connection, even a bank account.

"It's so difficult to get anything done without a proper identity," she says. "We're often forced to pay bribes to get subsidised grains or fuel.

"With the UID I hope things will improve - we can buy cheap food and I can help educate my children."
Technically, the challenge India has set for itself — a unique, legitimate ID for every individual in society — reminds me of the polio mass immunization efforts of the 1950's and the goal is of no less importance.

A unique, legally recognized individual identity is a prerequisite for any sort of decent society. It is an infrastructure without which many things those in the developed world take for granted simply cannot exist: compulsory primary education, successful immunization against (and treatment of) preventable communicable disease, social safety nets, effective democracy, etc.

A legitimate ID is a prerequisite to full participation in the modern world.

The Crime Wave of 1920 and the Making of the Modern FBI

Before the dawn of the Twentieth Century, The Bertillon System was the standard for biometric identification.

In 1903 the New York state prison system had begun to use fingerprints. By 1908, all the branches of the U.S. military had adopted fingerprints. In 1924, an act of congress established the Identification Division of the FBI. The IACP's National Bureau of Criminal Identification and the US Justice Department's Bureau of Criminal Identification consolidated to form the nucleus of the FBI fingerprint files (source - and a very interesting site in its own right).

How did we get there? Read on.

The Wall Street Bombing That Made Hoover and the FBI (Bloomberg)
Shortly after noon on Thursday, Sept. 16, 1920, a powerful bomb hidden in a horse-drawn wagon exploded at the corner of Wall and Broad Streets in Manhattan. It was a pleasant late-summer day, and throngs of people had been out enjoying a lunchtime stroll, a brief respite from the great money machine, the center of American capitalism.

Now blood ran in the streets where the first U.S. Congress had convened and the Bill of Rights became law. Shrapnel scarred the walls and shattered the windows of J.P. Morgan and Co., America’s most formidable bank. The bomb killed at least 38 people and injured roughly 400. It was the deadliest terrorist attack in U.S. history, a distinction it held for 75 years. Its force reverberates today.

In Washington at that hour, J. Edgar Hoover, 25 years old, was putting the finishing touches on the federal government’s first counterterrorist force, the General Intelligence Division. Hoover wrote that he intended to combat “not only the radical activities in the United States” but also those “of an international nature”; not only radical politics, but “economic and industrial disturbances” as well.

...

Walk to the corner of Wall and Broad Streets today, and you can run your hands over the deep gouges left by the 1920 bombing. You will have to look harder to see the cameras that track your steps -- a 21st-century tribute to Hoover, the architect of the modern surveillance state. Every fingerprint on file, every byte of biographic and biometric data in the computer banks of the government, owes its origins to him.


See also:
The Bertillon System: An Early ID Management System
The History of Fingerprints (and the Death of the Bertillon System)

Sierra Leone: Amputees Association President Registers to Vote Without Biometrcs

The only biometric that everyone can provide is DNA and DNA isn't even remotely practical for voting. Good biometric deployments will plan for exceptions to the identity management routine.

Jusu Jaka Registers for 2012 elections (Awoko.org)
Alhaji Jaka will be one of hundreds of exceptional cases to go through the registration exercise without completing the process one hundred percent.

As President of the Amputees Association, Alhaji Jaka is armless, being a victim of rebels’ amputation spree during the rebel invasion of Freetown on 6th January 1999. He uses his arms with the help of a metal formulation attached to his body which he calls, ‘prospective’. He therefore did not thumb print his registration form. Thumb printing is one of the key elements in the Biometric voter registration process.

Infosec Professional Interviews SecurLinx CEO Barry Hodge on Information Security Challenges

Interview Series - Barry Hodge CEO SecurLinx Corporation (Infosec Professional)

The questions are:

♦ How has information security changed in the last 3 years?

♦ What do you think are the main threats facing organisations in 2012?

♦ Are organisations ready to deal with those threats and what can they do to protect themselves?

♦ The last 3 years has seen global organisations make significant in roads to protect data from a logical and network perspective. Does physical access control need to play a greater part and are organisations aware of it's benefits?

♦ Infosec has now become it's own profession, with job titles, budgets and certifications. What challenges do infosec professional face on 2012?

♦ What are the key questions your clients ask when looking to select a product or services offering? Experience, RoI, cost etc?

♦ With the global credit crunch effecting budgets across all areas, is security now seen as a luxury good for many projects?

I'll include only one answer here because I want you to click through to the whole interview. Here's his answer to the last question:
Security is looked at by most companies as a cost of doing business and if my competitor isn’t investing, I can let it go too. My personal opinion is that security can be a competitive advantage if it increases employee productivity and decreases cost. It is our job to design and implement solutions for our customers that do just that. Technology should facilitate the provisions of better security and lower the cost of ownership to the organization. I believe that is possible today.

SecurLinx Signs Definitive Agreement to Acquire ITM Associates

Press Release - Morgantown, WV - February 13, 2012

SecurLinx Corporation has agreed to acquire the assets of ITM Associates, Inc. of Rockville, MD. Founded in 1993, ITM has developed longstanding relationships with key accounts in both the government and commercial markets. These contractual relationships are included in the transaction.

The acquisition of ITM is a significant step in SecurLinx’ strategic plan to expand its presence in the biometric identification and security market. “ITM has a successful history and solid reputation for providing innovative, targeted and high quality commercial products and services to government and commercial customers that we can leverage immediately,” said SecurLinx CEO Barry Hodge. According to Hodge, SecurLinx will utilize ITM’s technical experience and expertise to help support its goal of making SecurLinx "the most advanced and cost effective biometric solution provider in the industry.” Additionally, SecurLinx will work to expand ITM’s existing customer base which currently includes the Environmental Protection Agency and Verizon Communications.

“The merger of SecurLinx and ITM is an exciting development,” said Bob Procelli, former COO and co-owner of ITM, “I was impressed with SecurLinx biometric identification technology when I first met Barry and his team in 2010. “But it was Barry’s vision for growing the company and expanding into new markets that impressed me the most.” According to Procelli the combination of SecurLinx and ITM is a “perfect fit of cultures, customers, capabilities and products that will be a valuable asset for meeting the goals set out by Hodge.”

All ITM employees will be retained as part of the agreement. “We welcome the addition of ITM’s customers, products, and talented staff to SecurLinx” said Hodge.

About SecurLinx: A wholly owned subsidiary of SecurLinx Holding Corporation (FRA: S8X) and located in Morgantown, West Virginia, SecurLinx is an advanced technology and software development company. The Company offers middleware products and systems applied to information sharing, secure access, and biometric identification. SecurLinx adds increased security, productivity, and seamless information management solutions in targeted markets where secure access to physical locations or information sharing networks is critical to the enterprise.

About ITM Associates: ITM provides products and services that make businesses more profitable and prosperous by bridging the gap between business operations and the enormous potential of emerging technologies. ITM's staff of professionals designs, adapts and integrates technology to (1) eliminate or reduce time-consuming information processing tasks, (2) assist executives to make more informed and timely decisions, and (3) achieve greater efficiency by extending internal information systems to customers, vendors, and strategic partners.

Big Data's Impact in the World

Privacy advocates tend to latch onto biometrics as a convenient way of expressing concerns about a world driven by Big Data even though biometrics will only ever be a tiny slice of the data pie.

Big data does, however, present opportunities and challenges that are well worth considering. The opportunities are so great that big data techniques will, and probably should be, adopted. The challenges to individual privacy are real, too.

This article provides a great overview of what is becoming possible and where we may be headed.

The Age of Big Data (New York Times)
Data is not only becoming more available but also more understandable to computers. Most of the Big Data surge is data in the wild — unruly stuff like words, images and video on the Web and those streams of sensor data. It is called unstructured data and is not typically grist for traditional databases.

But the computer tools for gleaning knowledge and insights from the Internet era’s vast trove of unstructured data are fast gaining ground. At the forefront are the rapidly advancing techniques of artificial intelligence like natural-language processing, pattern recognition and machine learning.

Those artificial-intelligence technologies can be applied in many fields. For example, Google’s search and ad business and its experimental robot cars, which have navigated thousands of miles of California roads, both use a bundle of artificial-intelligence tricks. Both are daunting Big Data challenges, parsing vast quantities of data and making decisions instantaneously.

The wealth of new data, in turn, accelerates advances in computing — a virtuous circle of Big Data. Machine-learning algorithms, for example, learn on data, and the more data, the more the machines learn. Take Siri, the talking, question-answering application in iPhones, which Apple introduced last fall. Its origins go back to a Pentagon research project that was then spun off as a Silicon Valley start-up. Apple bought Siri in 2010, and kept feeding it more data. Now, with people supplying millions of questions, Siri is becoming an increasingly adept personal assistant, offering reminders, weather reports, restaurant suggestions and answers to an expanding universe of questions.
That's just a sample. It's well worth reading the whole thing.

Friday, February 10, 2012

Mirror Displays Animal Heads that Mimic Facial Expressions

A 3-D animal avatar as your reflection (PopSci.com)
Not biometrics, but a cool use of some of the technologies we use for facial recognition, nonetheless.

Do not attempt to adjust your radio, there is nothing wrong. There isn't any sound with the video.

.

Ukraine: Parliament Overwhelmingly Rejects Biometric Passport

Not too sure what's going on here Lawmakers support Yanukovych's proposal not to introduce biometric passports (Kyiv Post)
A total of 304 out of 394 MPs registered in the hall voted on Thursday for the president's proposal to reject the law on documents confirming the identity and citizenship of Ukraine.
Other posts on the subject...


ht/ @m2sys

Samsung launches Smart TV with facial, voice recognition

The Future of Smart TV, NOW (Hindustan Times)
Wii-like motion controls will enable users to select apps, browse the web or change the channel by moving their hand through the air. The built-in camera on the ES8000 is also equipped with facial recognition technology that can automatically log you on to your Smart Hub and VoIP service Skype without needing a password or ID.

Thursday, February 9, 2012

TSA Extends Contract with Biometric Services Organization

TSA Renews Security Pact with NATA (Aviation International News)
The Transportation Security Administration (TSA) has approved a five-year extension of its partnership authorizing National Air Transportation Association Compliance Services (Natacs) to continue as a trusted fingerprint facility to process biological and biometric information for general aviation and commercial aviation worldwide.

Natacs, a partially owned subsidiary of NATA, has been partnered with the TSA since 2002. Under the revised and extended agreement, Natacs can continue to provide all pre-enrollment, enrollment, fingerprint collection and secure data transmission for TSA-conducted background checks on tens of thousands of aircrew members and flight students each year. The agreement expires in December 2016.

India: UID Costs Plummet as Accuracy Remains High

An unparalleled exercise (The Times of India)
♦ 99.86% of the population can be enrolled and uniquely identified. The other 0.14% is enrolled manually.
♦ 99.965% of all duplicate enrollments are correctly caught.
♦ A single deduplication originally cost Rs 20, now it's Rs 2.75 (from forty cents to six cents, US)
♦ The cost of an enrolment station dropped from Rs 3 lakh to Rs 1 lakh in one year. (from $6,060 to $2,020)

Much more interesting detail at the link.

Wednesday, February 8, 2012

Rhode Island: City Worker Vandalizes Biometric Time Clocks

Another local news piece that captures the economic and political angles of biometric ID management. This one's from Rhode Island.




An East Providence city worker has been fired and is in trouble with the law after police said they caught him on hidden camera tampering with a time clock.

Scott Cook, 50, of East Providence pleaded not guilty to one count of vandalism,a misdemeanor. Police said he used a ballpoint pen to scratch a biometric reader on a time clock at the city's Department of Public Works yard.

DPW employees are required to scan their finger when clocking in and out of work each day. City officials said the technology was put in place to clamp down on "buddy punching."

"[The reader] ensures the data collected by the device is linked to an individual which allows us to pay people with taxpayer money to a high degree of certainty it’s correct," said City Manager Peter Graczykowski.
Observations:
♦ Fingerprint biometrics work well for time-and-attendance, delivering a substantial return on investment.
♦ Buddy-punching is a real problem, costing taxpayers and shareholders who-knows-how-much money.
♦ Local governments forced by declining tax revenues to tighten their belts see better ID management techniques as an attractive way to save money.
♦ Buddy-punchers don't like taking a pay cut.

See also:
What Human Resource Managers Can Learn from the President of Guinea's Move to Eliminate Ghost Workers (relevant to managing a transition from loose T&A policies, to more rigorous biometric techniques).

The Economics and Politics of Biometric Time and Attendance in State Bureaucracies



h/t @m2sys

US: Biometrics-Based Global Entry Program is Here to Stay

DHS Announces Permanent Global Entry Program (Travel Agent Central)
The Department of Homeland Security (DHS) Secretary Janet Napolitano announced the publication of a final rule that would establish Global Entry—a U.S. Customs and Border Protection (CBP) voluntary initiative, which allows expedited clearance for pre-approved, low-risk travelers.

DHS says the move will streamline the international arrivals and admission process at airports for trusted travelers through biometric identification—as a permanent program.

“Global Entry expedites the customs and security process for trusted air travelers through biometric verification, while helping DHS ensure the safety of all airline passengers,” said Secretary Napolitano. “Making Global Entry permanent will improve customer service at airports across the country and enable law enforcement to focus on higher-risk travelers.” [emph. mine]
This little bit also caught my eye:
The program is available to U.S. citizens and U.S lawful permanent residents, as well as Mexican nationals.

Citizens of the Netherlands may also apply under a special reciprocal arrangement that links Global Entry with the Dutch Privium program in Amsterdam. Canadian citizens and residents may participate in Global Entry through membership in the NEXUS program.
That covers NAFTA (Canada-US-Mexico). The Netherlands represents a toehold in the Euro area. Hopefully these few existing relationships combined with the stated commitment to automation and emerging eGate technology sets the stage for a revolution in the international travel bureaucracy.

UIDAI launches online verification of Aadhaar numbers

Authentication service will be free of charge until December 2013 (Economic Times)
The Unique Identification Authority of India (UIDAI) on Tuesday launched its online authentication of Aadhaar numbers facility, which is proposed to help banks, telecom companies and government departments authenticate an Indian resident, via mobile phones, computers, tablets or other devices, connected to the internet.

New Mexico: Access to Holloman Air Force Base Requires a Fingerprint

New DBIDS requirements ensure safety, ease of access (Holloman Air Force Base)
After a brief hiatus to upgrade the software on the 49th Security Forces Defense Biometric Identification System, as of Feb. 1 hand-held scanners are being used again at all three gates at Holloman AFB.

Using barcode technology and fingerprints to verify the access authorization of everyone entering the installation, DBIDS is the latest step in helping security forces here improve safety and security for the Holloman community and its resources.

Multifactor Authentication, Middleware and the Online Security Arms Race

Julie Sartain at has an article at techworld.com that describes some of the new threats that have necessitated the adoption of multifactor authentication for online transactions and the variety of technologies available to augment standard username/password authentication, such as:

♦ Risk-based authentication
♦ Phone-based authentication
♦ Versatile authentication platforms
♦ Image-based authentication and, of course,
♦ Biometrics
As everyone in the security business knows, there is no perfect answer. Gartner's Allan points out that "whatever the desirable level of assurance, it has to be balanced against cost (deployments for hundreds of thousands of users are very cost sensitive) and user experience. We know that bank customers may change their banks if new security features such as authentication degrade the user experience: in a survey a couple of years ago, Gartner found that 3% of customers had done so, and a further 12% considered it," adds Allan.
Because there's no perfect answer, the challenge is in how to adopt new technologies that show positive return on investment without tying a mission-critical business process up in something that might not be the optimal solution over the longer term. How do you adopt new technologies in a way that preserves your ability to continue to adopt new technologies?



Our CEO, Barry Hodge, points out via Twitter that the move to multifactor authentication broaches the subject of middleware.

Middleware, as it relates to this discussion, is the software components that will allow the new authentication factor to interact with the existing authentication scheme and broader business processes.

But not all middleware is created equal.

Middleware can be written to facilitate a custom integration, or it can be written as a more flexible software layer that makes future integration decisions and changes less costly. A hardware analogy might be the difference between a soldering iron and a USB port. Both get the job done but involve entirely different levels of commitment.

Well written middleware components, such as those we've developed here at SecurLinx for biometrics, allow flexibility by reducing an enterprise's switching costs and the costs of adopting future techniques and technologies that may offer a significant returns on investment.

Middleware isn't really a glamorous topic — no Tom Cruise movies, severed eyeballs or rubber fingers — but it's incredibly important and becoming more so.

Tuesday, February 7, 2012

Privacy: How to Hide From Google

"If you are not paying for it, you're not the customer; you're the product being sold."
—blue_beetle, Metafilter discussion.

In yesterday's post, EPIC Fail, I took the privacy group Electronic Privacy Information Center (EPIC) to task for taking out it's frustrations with Google & Facebook, which are organizations, by lobbying for a ban on a technology: facial recognition.

If you share EPIC's frustrations but would like to channel them in a more productive way, Wired offers some helpful hints in a "How-To Wiki": Hide from Google

Instead of using what influence they have on trying to ban technology, groups like EPIC should be doing a better job of educating the public about the privacy implications of their everyday activities, very few of which have anything even remotely to do with facial recognition.

Helping people to understand technology so as to make informed decisions about what to share and what to keep private is a noble endeavor (see Wired article above). Going over their heads to limit their choices is not.

Often, however, EPIC is quite good at educational efforts. This is demonstrated by their role in the organization of, and participation in, the Twitter privacy chat, #PrivChat (which begins in 8 min. and features Microsoft Chief Privacy Officer, Brendon Lynch).

This is when they're at their best.

Retail Marketing Technology Online and In Person

Not really biometrics related, but...
Software mines security footage to help business owners see what people do once they're inside the store (Technology Review)


"The huge success of online shopping and advertising—led by giants like Amazon and Google—is in no small part thanks to software that logs when you visit Web pages and what you click on. Startup Prism Skylabs offers brick-and-mortar businesses the equivalent—counting, logging, and tracking people in a store, coffee shop, or gym with software that works with video from security cameras."
Online retailers are able to free-ride on investments made by their brick-and-mortar competitors (see showrooming). They also have more powerful tools available to them for the purposes of analyzing detailed reports of user activity on retail websites. Why, the page I linked to for this story has fifteen programs that track your interaction with the linked page and TechnologyReview.com isn't even selling anything directly. The image to the left shows the list as compiled by the Ghostery add-on for Firefox.

If brick-and mortar retailers can't learn as much about customers in physical stores as web retailers know about user experiences, they must compensate in other ways or they're going to continue to struggle.

See also:
Target fights Amazon showrooming with plea for special product lines (ExtremeTech.com)