Exorcising the Biometric Boogeyman
Misinformation breeds monstrous tales of biometric technology
29 September, 2014
category: Biometrics, Digital ID, Government
Procedural crime dramas haven’t done the biometric industry any favors. Television shows make it look easy to lift a print, scan it and get a match within seconds. And if you look at how some of these shows depict creating fake biometrics, it’s a wonder anyone uses the technology.
The unrealistic depiction of how biometric technology works in the law enforcement market carries over into commercial applications as well. This misperception that it’s simple to create copies of biometric images – and worse that the actual images are stored and easily compromised – have led many to believe that biometrics as an identification technology is insecure and privacy invasive.
Case in point … the State of Florida passed a law banning the use of biometrics in public schools fearing that it might lead to identity theft and put students at risk. Testimony from State Senate hearings clearly shows that legislators lacked basic understanding of how biometric technology works. There was also a misperception that if one of the databases that stored the children’s biometrics were corrupted it would lead to identity theft.
Even the Florida bill’s sponsor, State Sen. Dorothy Hukill (R – Port Orange), admitted to not know of an instance where a biometric database has been breached and later led to identity theft. “I’m obviously not a scientist,” she said in a hearing. “I can’t tell you exactly how that happens.”
That may also be because it is very difficult – biometric vendors would say impossible – to do. When an individual is enrolled and later authenticated into a commercial biometric system, the image of that identifying information isn’t stored. Biometric vendors use complex algorithms to map various points on the biometric – fingerprint, iris, palm vein, etc. – and translate that into a binary code called a template.
When later authenticating to the same biometric system, the live image is once again translated into the binary code to match against the stored encrypted version of the template.
Template 101
Outside of the U.S. federal government, most biometric deployments use proprietary technology. This means vendor A’s technology may not work with vendor B’s technology even if they both use fingerprints. Each vendor has its own template extractor and algorithms, says Mike Garris, Image Group leader in the Information Access Division at the National Institute of Standards and Technology. “With proprietary templates the vendor knows what’s inside and it can’t be leveraged by others,” he explains.
A template typically represents less than 100 minutia points from the thousands available on the fingerprint. The points are mapped out, translated into binary code and then stored. “Given only minutiae points, you can’t go back to the exact original image, the pixel data has been lost and if it’s a proprietary system only the vendor knows what information has been extracted and preserved from the original fingerprint,” Garris says.
As for reverse engineering templates into images that are matchable, Garris says it is possible, but these images would look nothing like the original fingerprint image. Industry experts suggest that the resulting image would look like a constellation of 100 dots on black sky that in no way resemble a fingerprint.
There are also standard templates where only the minutia points of a fingerprint are captured and encoded in a known representation. Standard-based systems have been tested and verified to work across multiple vendors. The federal government uses standards-based systems because it doesn’t want to be locked into one system with one vendor. Today, fingerprint is the only biometric modality with internationally accepted template standards.
Law enforcement vs. commercial applications
These systems are different from what law enforcement use and what’s seen on NCIS and CSI, says Gary Jones, director of Biometric Access & Time Solutions at MorphoTrak, a company that works in the law enforcement and commercial biometric markets. “When someone’s life is on the line it’s essential that you have as much information as possible,” he adds.
Law enforcement systems often deal with partial, latent fingerprint images collected from crime scenes. These are scanned and then the automated system tries to find a match. If one is found, then an expert manually reviews both images to determine if there’s an actual match. “You have expert testimony that talks about the matching,” Jones says.
In the commercial world, biometric systems don’t have to deal with partial images since the participant is willingly providing the information, Jones explains. “We can discard the image and have a high-assurance map,” he says.
In essence, law enforcement uses the binary template to make it feasible for computers to search for one partial print across databases of millions of stored prints. Commercial systems, on the other hand, use the template to expedite matching and protect user privacy.