Dishonesty detectors: Flawed technology?

We've been generally skeptical of applied behavioral biometrics (and biostatistics) in security applications. The author of the linked article, in the quoted text below nails the reason we're unlikely to see these technologies deployed for a very long time. It's a variation on the Return on Investment argument for adopting a given security solution.

Who knows what evil lurks in the hearts of men? (Smart Planet)

Even if we put aside reservations about self-reported scores on trials under unspecified conditions and grant that FAST is a technology in its infancy, that track record doesn’t inspire confidence. No one should be satisfied with a screening method that lets through more than one out of every five would-be plane bombers. Far more annoying, however, is that we don’t know exactly what the rates of false positives and false negatives were. A system that missed 20 percent of the terrorists in an airport would be bad but terrorists are rare, so disastrous mistakes would be few. But a system that snared 20 percent of innocent travelers as terrorist suspects would destroy air travel overnight.

Even while extending the author's benefit of the doubt, for airports especially the (negative) return on investment would be crippling.

In order to see how, let's imagine a system integrator's dream deployment and then see how that environment differs from an airport.

A system like this would detect all sorts of biostatistics and then compare them to some "normal" value, allow for a tolerance and then alert administrators if something is out of a certain range. If someone wanted to deploy a system like this and give it the best possible chance of success, it would make sense to seek out an environment where "normal" is a very narrow range, rather than a very wide range. The test designer would naturally gravitate toward a test environment where the test subjects make up a homogeneous group, a place where there is cultural uniformity, narrow age differences, low novelty, etc. If I'm the tester, I'm thinking prison first, then military base.

Now airports, by their very nature serve people of all ages from all over the world in various mental, physical and emotional states, not smooth sailing for testing sensitive equipment or training TSA staff to make judgments on small fluctuations of observed data. In airport use, either the error rates have to be very small, or the biostatistic examination would serve as only a small factor in security decision making.

Removing our benefit of the doubt by hypothesizing that those most likely to want to bring harm to global commerce and air travel might undertake training to control their biostatistics and subvert the security they afford, I'm guessing that airports will be one of the last places to adopt such a system. It'll be too costly in all sorts of ways for too little return.

See also:
Security: Biometrics vs. Biostatistics (Sept. 15, 2011)
Behavioral Biometrics or Public Lie Detectors? (Sept. 23, 2010)
Mal-intent may be the future of security (June 1, 2010)

Biometrics vs. Biostatistics

[UPDATE: An uptick in recent articles like this one made me want to revisit this post. A quote from the article:

Ford showed off a prototype of this future health system, developed by BlueMetal Architects, at CES. The system will be able to capture biometric data from devices such as pacemakers and glucose monitors, and will also be able to accept voice input from the driver [emph. mine].

Maybe the term "biometrics" has a marketing cachet that "biostatistics" lacks; maybe for reasons of economy, journalists preserve to save ink, pixels, space and keystrokes.

The original post follows...]

We've danced around this topic a couple of times in the past (see links at the end of this post).

Biometrics and Biostatistics, the difference is subtle.

Biometric = body measure.
Biostatistic = body status, state, or condition.

[I'm no Latin scholar so I don't want to go to the mat for these definitions, but keeping them in mind helps me make sense of things when I read about all the uses for "biometrics" in health care and the health insurance industry. If there are any Latin (language) scholars out there who have interest and insight into this question, I'd love to hear from them.]

Biometrics for identity management concern facts about the physical human body that don't change (or don't change much) over time.

Biostatistics, on the other hand, are useful precisely because they change, sometimes radically over short or long time-frames.

Health care uses both biometrics and biostatistics. Health care providers use biometrics such as fingerprint and iris scanners for patient records management and logical and physical access control. They use biostatistics such as heart rate, weight, and EEG's, etc. for diagnostics, monitoring progress and assessing outcomes.

The Security sector is also seeking ways to use quantitative biostatistics to achieve better outcomes. I added the "quantitative" modifier because in many ways human beings have used non-quantified biostatistics (observations of behavior, for example) for security purposes since, well, forever. We all know what someone means when they say that someone else was "acting suspiciously".

The computerized, measurement of biostatistics for security purposes, is at least as old as lie detectors. The novelty described by the article linked below is in bringing lie detectors out of the rigorously controlled laboratory environment and into more chaotic situations.

Face-reading lie detectors to be tested at UK airports (Airport-Technology.com)

The dual cameras in the system observe changes in facial expression and blood flow, with the first camera spotting signs of deceit such as lip-biting, nose-wrinkling, blinking and Freudian slips, and the second thermal imaging camera measuring flushing and blood-flow patterns around the eyes.

See also:
Behavioral Biometrics or Public Lie Detectors?
Mal-intent may be the future of security