FC: USNews' Dana Hawkins on biometrics, facecams, and "light prints"

From: Declan McCullagh (declanat_private)
Date: Wed Feb 13 2002 - 16:03:16 PST

  • Next message: Declan McCullagh: "FC: Responses to a defense of Comcast's recording of web traffic"

    Politech facecam archive:
    Politech biometrics archive:
    Date: Wed, 13 Feb 2002 19:05:14 -0500
    To: declanat_private
    From: dana hawkins <dhawkinsat_private>
    Subject: article on biometrics for politech readers?
    hi declan. politech readers might be interested in this...
    hope you're doing well. in this week's magazine, i take a close, hard look 
    at the biometrics industry.
    learn about gummy dummies, replay, and bioprivacy, by reading...
    "Body of Evidence: Biometrics turns your hand, face, or eye into your badge 
    of identity":
    and here's a sidebar on a new type of biometric: "This little light of mine":
    (you'll find the actual text for below for both articles.)
    Science & Technology 2/18/02
       Body of Evidence
       Biometrics turns your face, hand, or eye
       into your badge of identity
       'Please-move-forward . . . a- lit-tle," a robotic yet oddly sultry
       female voice commands. A camera whirs to focus on the
       eyeball of a visitor to Thales Fund Management, on the 45th
       floor of an ebony tower in Lower Manhattan. "We-are- sorry.
       You-are-NOT-identified," says the disembodied voice. "We
       like the Star Trek feel," grins Laurel Galgano, who manages
       the automated security system. "And it impresses the
       They're not the only ones taken with biometrics. Iris
       scanners are among the sexiest of these technologies,
       which convert distinctive biological characteristics,
       such as the patterns of the iris or fingertip or the shape
       of a hand or face, into a badge of identity. Even before
       the September 11 terrorist attacks, the industry was
       growing sharply as scanners and software became
       cheaper and more accurate. The International Biometric
       Industry Association estimates that sales reached
       $170 million in 2001, a 70 percent jump over the previous
       year. Now, the IBIA predicts that sales will rise to $1 billion by
       2004, propelled in part by new security worries at airports
       and other critical facilities.
       Thousands of systems are being tested or are already up
       and running. Employees at some businesses punch in and
       out by placing their hand on a reader, and digital finger-scan
       devices verify thousands of schoolchildren's enrollment in
       lunch programs. At a handful of airports, face scanners are
       scrutinizing passengers, and the New York State lottery uses
       iris scanners for employee access to a secured room
       containing its data system.
       Nothing's perfect. Yet biometrics experts and even some
       vendors worry about promising too much, too soon. In theory,
       when your fingerprint or face structure becomes your identity
       card, you no longer have to worry that it will be lost or
       stolennor does an employer, a government agency, or
       anyone else with a stake in knowing who you are. But
       biometrics systems, like traditional ID cards, can be fooled,
       and some, like hand and face scans, are less accurate in
       practice than in theory. "The people who say biometrics
       provides foolproof, fail-safe, positive identification are just
       wrong," says Jim Wayman, director of biometric research at
       San Jose State University. What's more, face scanning can
       be done without people's permission, raising privacy
       concerns and prompting calls for laws that would regulate
       how biometric data could be collected and used.
       Some biometric systems have been a hit, providing a real
       boost in security and convenience. At a Gristedes grocery
       store in Manhattan, a hand reader has replaced the time
       clock. "You can't cheat the boss, and he can't accuse you of
       buddy punching," says a store clerk. It takes just minutes for
       New York State to enroll an applicant for public assistance in
       a digital fingerprint system, which has boosted arrests for
       attempted fraud. To allay privacy concerns, legislation
       prohibits the state from sharing the data with the FBI unless it
       is subpoenaed. And travelers laud INSPASS. The program
       allows over 65,000 passengers who regularly fly abroad to
       breeze by immigration lines at nearly a dozen airports by
       passing through a hand-scan reader, linked to a database of
       known travelers. There's an appealing backup system, too.
       When a hand reader fails, the passenger gets to cut to the
       front of the customs line.
       But the technology has glitches. Digital fingerprint readers
       can draw a blank on some people, such as hairdressers who
       work with harsh chemicals, and the elderly, whose prints may
       be worn. Recent tests by the independent research and
       consulting firm International Biometric Group showed that
       some systems are unable to collect a finger scan from up to
       12 percent of users. And the IBG found that the performance
       of face-scanning systems can be dismal. Six weeks after
       test subjects had "enrolled" with an initial face scan, some
       systems failed to recognize them nearly one third of the
       timeand that was under ideal conditions. The companies
       say they've since upgraded their software.
       Yet an increasing number of airports, including Boston's
       Logan, Fresno, St. Petersburg-Clearwater, Palm Beach, and
       Dallas-Fort Worth, are testing or deploying the face-scan
       technologyin some cases at security checkpoints but also
       for covert crowd scanning. The systems compare passing
       faces against a database of images from FBI lists of
       suspected terrorists and wanted felons. Independent privacy
       and security expert Richard M. Smith, who has studied these
       systems, says that because they are so easily fooled by
       changes in lighting, viewing angle, or sunglasses, they serve
       merely as a deterrent. "The camera in the ceiling is like the
       man behind the curtain in the Wizard of Oz. It's all for show,"
       says Smith. "Crowd scanning can be problematic," says
       Tom Colatosti, CEO of Viisage Technology, a face-scan
       company. "If you're talking about an airport, you need a
       chokepoint" for scanning people one by one.
       Gummy dummies. Many systems can be deliberately
       fooled. A new study from Yokohama National University in
       Japan shows that phony fingers concocted from gelatin,
       called "gummy dummies," easily trick fingerprint systems.
       Manufacturers of some systems claim to guard against such
       tactics by recording pupil dilation, blood flow in fingers, and
       other evidence that the biometric sample is "live." And
       although some makers assert that biometrics solves the
       problem of identity theftno one can steal your iris or hand,
       after allmany experts disagree. A hacker who broke into a
       poorly designed system might be able to steal other people's
       digital biometric templates and use them to access secure
       networks. This trick, called "replay," could take identity theft
       to a whole new level. "Your fingerprint is uniquely yours,
       forever. If it's compromised, you can't get a new one," says
       Jackie Fenn, a technology analyst at the Gartner Group.
       Privacy concernsalthough they seem less pressing to many
       these daysmay also slow public acceptance of the
       technology. Yet in some cases, biometrics can actually
       enhance privacy. A finger-scan system for controlling access
       to medical records, for example, would also collect an audit
       trail of people who viewed the data. But face scanning, with
       its potential for identifying people without their knowledge,
       has alarmed privacy advocates.
       Last month, for example, Visionics Corp.'s face-scanning
       system was redeployed as an anticrime measure in a
       Tampa, Fla., entertainment district. Detective Bill Todd says
       the system had been taken down two months into its
       12-month trial because of a bug in the operating system, but
       it has been upgraded and is now back in use. The
       36-camera system is controlled by an officer at the station,
       who can pan, tilt, and zoom the cameras to scan faces in the
       crowd so that the software can compare them with faces in a
       While Todd says the database contains only photographs of
       wanted felons, runaways, and sexual predators, police
       department policy allows anyone who has a criminal record
       or might provide "valuable intelligence," such as gang
       members, to be included. So far, according to a report by the
       American Civil Liberties Union, the technology has produced
       many false matches. And Todd confirms that it hasn't
       identified any criminals. "We have our limitations," says
       Frances Zelazny, spokesperson for Visionics. "It's an
       enhancement to law enforcement, not a replacement."
       At times, the privacy problem is more perception than reality.
       The Lower Merion school district near Philadelphia had
       installed finger-scan devices for school lunch lines. Students
       would place their finger on a pad to verify their identity, and
       money would be deducted from their account. The optional
       program was instituted to make lines move faster, and to
       spare embarrassment to students entitled to free or
       discounted meals. But even though the system did not
       capture a full fingerprint image, but rather a stripped-down
       digital version, some parents felt that it came uncomfortably
       close to traditional fingerprinting. After a spate of bad press,
       the program was killed last year. Forty other school districts
       still use the system.
       Bioprivacy. Such privacy dust-ups are causing some
       biometrics experts and vendors to call for laws to govern the
       fledgling industry. Samir Nanavati, a partner at IBG, says his
       company stresses "bioprivacy" rules Tell people what data
       you're collecting and why; minimize the amount gathered;
       use the data only for the purpose originally stated; and give
       users a chance to correct their records.
       Nanavati also worries that the technology is not always used
       to best advantage. On a recent, informal tour of biometric
       installations in Manhattan, where the dapper consultant lives,
       it was easy to see what he meant. At a New York University
       dorm, the hand-scan access system seemed to offer little
       security benefit. Fewer than half the students used it. The
       others gained entry the old-fashioned way, slightly faster and
       a lot less secureby casually flashing an ID card to the
       friendly security guard. And at New York-Presbyterian
       Hospital, where long queues sometimes form at hand-scan
       readers, frustrated employees smashed machines two
       weeks in a row last month. Yet Joe Salerno of New
       York-Presbyterian says every building has a hand reader. He
       speculates that employees may be upset about the rigorous
       The real trick, says Nanavati, is to choose the right biometric
       system and design it with both security and convenience in
       mind. And sometimes that means no system. One client,
       who desired the cachet of owning the most secure, high-tech
       residence on Manhattan, hired IBG to set up an iris-reader
       system for tenants of his 24-hour doorman building. "I told
       him it was already very secure," Nanavati laughs. "Biometric
       access would've only cost money and annoyed people."
       Sometimes, Star Trek just isn't the answer.
    Science & Technology 2/18/02
       This little light of mine
       What makes you unique? Is it the ridges beneath your
       fingernails, the creaking of your bones, the shape of your
       ears, your very own odor? The biometric frontier, where
       researchers are looking for new and better markers, is not
       exactly the stuff of poetry.
       Except, perhaps, for a little silver device called a light print
       sensor. Among the most promising of the new approaches, it
       works by measuring the play of many-colored light through
       your skin. Skin layer thicknesses, capillaries, and other
       structures all affect the light, creating a distinctive pattern of
       changes. The system works on any skin surface and is
       unaffected by cuts, burns, and dirt. Only about 500 people
       have been tested, but so far each light print has been unique,
       "even identical twins," says Rob Rowe, cofounder of
       Lumidigm, the Albuquerque, N.M., company developing the
       Smart gun. By the end of the year, a Lumidigm sensor could
       actually be in use. Combined with a hand reader, it would
       control access to the University of New Mexico's new
       hazardous-biomaterials lab. The sensor has also caught the
       eye of engineers at Smith & Wesson, which is working with
       Lumidigm to build a "smart gun." A light print sensor built into
       the grip would prevent the gun from being fired except by
       authorized users. One challenge now, the gunmaker says, is
       to get the sensor to authorize a user in under a secondit
       currently takes two. If light prints aren't a flash in the pan,
       embedded sensors could someday say "hands off" to all but
       the rightful owner of cellphones, laptops, PDAs, and even
    Dana Hawkins, Senior Editor
    U.S. News & World Report
    1050 Thomas Jefferson St., NW
    Washington, D.C. 20007
    (202) 955-2338, dhawkinsat_private
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/

    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 17:49:52 PST