3 page story with a poll. Go to the site for the poll.
Biometrics in the Digital Realm
By Don Sussis
November 27, 2001
In the aftermath of September 11, almost everyone understands
that there is a need for improved security. A Harris Interactive Poll
of 1,012 adults surveyed by telephone the week following the
attack (Sept. 19 - 24, 2001) showed that 86 percent were in favor
of the controversial facial recognition technology - something the
American Civil Liberties Union contends is an invasion of privacy.
Other privacy advocates warn that the government's moves to
increase security signal the arrival of Big Brother. However, such
concerns by privacy advocates will have to be considered along
with the concerns and safety of the American public. The following
are results from the Harris interactive Poll:
(Poll goes here)
It remains to be seen if this attitude prevails over time. The need
to grieve after the terrorist attacks resulted in swelled attendance
throughout the nation's churches, synagogues, and mosques
from mid September until mid November. But a return to normal
levels of participation has been evidenced since then. So, too may
be the call for heightening security taper off with time, especially
when it conflicts with ideas about privacy and personal freedom.
So far, this has not been the case.
In fact, with Homeland Defense Chief Tom Ridge and Attorney
General John Ashcroft calling for billions of dollars in new spending
to bolster security, business will undoubtedly get on the
bandwagon. Mr. Ridge said on November 21 in Washington that
he hoped "... entrepreneurship, creativity, ingenuity and
technology would ... lead to innovations." For example, he said
that "biometric cards that can read fingerprints and scan eyes
could be used in visas to allow the government to make sure the
same person who applied to come to the United States was the
same one to arrive-and that they also could allow the government
to learn whether the person left when their visa had expired."
At this moment new tech spending priorities are less about
boosting productivity and more about fortifying defenses. Security
has been the only sector in tech that now seems immune from
cutbacks and positioned for growth during this recession.
Some reasons for using biometrics now
In addition to the urgency generated for security to combat
terrorism--including information warfare-there are a number of
compelling reasons why biometric security is a technology whose
time has come. This involves more than airport security and
passenger control. We no longer know our neighbors and the
notion of community is often ad hoc and temporary.
Globally, we continue the progression from small communities to
large suburbs and cities, engage in international commerce,
communicate with people living in far away continents as easily as
those on nearby streets, transfer money electronically, have our
medical and employment records stored digitally, and engage in
electronic commerce. We need better ways of protecting our
identities and authenticating our partners. This is especially true in
ferreting out those who would do us harm.
The addition of biometric features to a security program can make
a difference by providing higher levels of identity authentication.
What is biometric technology?
In the realm of security, biometric technology means identifying
people based on their unique physical characteristics or behavior
traits and automating the process. We do this everyday when we
recognize a friend's walk, a relative's voice or an acquaintance's
face.
In describing such attributes, we gain more certainty when the
characteristics are unique (that is, sufficiently different from
everyone else so as to be "special") and there is little or no
variability in the same features over time (that is, they must be
reliable). Biometrics literally means "life measurement," and builds
on these same assumptions. The technology records patterns and
uses the power of computing to compare them. The leading zones
of capture for security purposes are: face, finger, hand, iris,
retina, signature, and voice. Certain behaviors, such as keystroke
patterns, can also be measured and used.
Each of these has strengths and weaknesses. The key factors in
deciding which to use include: 1) intrusiveness, 2) accuracy, 3)
cost and 4) effort (to implement, maintain and upgrade systems).
For example, facial recognition is relatively unintrusive and many
consider it ideal for use in airports where screening can take place
via hidden or direct cameras. Iris scans are intrusive but they
deliver a very high level of accuracy. They are very appropriate, for
example, in providing access on a nuclear submarine. Thumbprints
seem ideal for low to mid-level computer security because they are
easy to record, retrieve, and the cost is relatively low.
There is also a burgeoning market for middleware that combines
these technologies, as well as marrying them to encryption,
tokens and smart cards, pin numbers and other security
applications and/or devices.
While no one biometric application is "fail safe," each can achieve a
very high level of accuracy and certainty. All of the technologies
are constantly improving while the costs are steadily declining. The
automation of the process is constantly advanced by
improvements in searching and routing technologies plus the
steadily increasing power of computer processing. It is so much
more efficient to search a database of fingerprints or photographs
than it is to search for matches manually. The move to
biometric-based security products is therefore, evident. This
pertains to everyday tasks, such as using an ATM or purchasing
products online, as it does to catching terrorists or monitoring
activities of those in the criminal justice system.
How do biometrics work?
How do biometrics work? A series of measurements are taken
from an individual's relevant characteristics (e.g., a finger, palm, or
facial scan). This is then converted into a digital template by an
algorithm. The template is stored in one of several ways:
1.Within the biometric device itself, such as a single thumb
print scanner with memory and small database capacity.
(Think of a PDA address book.)
2.In a central location that is accessible from several locations
in a closed loop architecture. (Think of multiple desktops
connected to a server.)
3.Externally, such as on portable media, such as a smart card
or other token retained by the user and submitted at the
time of transaction. (Think of your ATM or phone card.)
4.On a central database and downloaded to the biometric
device from a distributed architecture. (Think of a wireless
computer in a police car that can check an out-of -state
license with an actual physical driver.)
After a template is stored, it is then retrieved for comparison
when someone wants so gain access to a system or a location. To
do so, they interact with a scanning device, which takes a new
sample of the relevant physical characteristic and compare it with
the one stored during enrollment. If the two samples match, they
are granted access. If not, access is denied. Using a "hash
function," and then checking back to the full template if there is a
discrepancy can expedite the process.
There are also two main types of biometric scanning devices: 1)
optical and 2) semi-conductive. Optical scanner are less expensive
but less reliable. Smudges, for example, may interfere with
results. In rare instances, oil from a fingerprint may be left on a
scanner, thus enabling someone to re-use, or re-produce the
print at a later time. James Bond made use of this weakness by
"lifting prints" and using them to access the computers of various
villians.
Semi-conductive scanning eliminates this possibility because it
detects the ridges and valleys of a fingerprint by reading the
differences in capacitance caused by electrical variations made by
the distance between biometric markers (such as the ridges and
valleys in a fingerprint). An additional benefit of this technology is
that it is heat sensitive (on a fine scale basis) and, therefore,
knows the difference between a finger attached to a living person
and one that is attached to a corpse or severed from one. This
rules out some intriguing schemes found in Bond films, such as
the fake eye used to gain access to nuclear warheads in "Never
Say Never."
The use of templates means that it is not necessary to compare
complete biometric measurements against one another. A simpler
and more efficient method would be to generate a number for
each subject's measurements and then compare the numbers
(which are expressed digitally). Using algorithmic generated
numbers reduces storage, increases efficiencies and makes for
faster routing and searching. In cases of police or military
surveillance, authorities instead of the individual may handle
"enrollment." This, for example, might be the case with facial
templates made from photographs of suspected felons or
terrorists.
One of the recurrent problems with non -biometric security
solutions, such as passwords or magnetic strip cards (with or
without PIN numbers), is that they control access but do not
authenticate identity. Therefore, an unauthorized person or an
impostor can gain access if they know the code or have the pass
card.
At many airline terminals, for example, metal doors leading to the
runway are controlled by a numbered keypad. Unless the
combination is rotated regularly (which means re-distributing the
combination and having personal memorize it again and again), it
is easy to determine the combination by using the most worn out
keys! So, too is it possible, if you know the PIN number, to use
someone's credit card without authorization. Obviously, anyone
can use someone else's Metro-card with near impunity. The level
of security can change dramatically with a biometric identifier
because it can provide both verification and identification.
Verifying vs. Indentifying
Verifying access is the simpler process. It is achieved by matching
a stored template against a submitted template. The user usually
calls up a template in machine memory by using a card or a
password or a PIN. The system retrieves the template. The user
then submits a "fresh sample." Both template and sample are
automatically compared according to criteria set-up in the system.
With a good algorithm, good quality templates, and a robust
system, the match will be compared quickly and a decision-yes or
no-will be given. In some systems, access will permanently be
denied after several unsuccessful attempts. In some cases, the
"mismatch" may alert guards or the police.
This provides access but does not establish the identity of the
user. It is more reliable than a simple PIN, password, or card in
that it doesn't require memorization, is a greater deterrent to
theft, and can limit the routine replacement of lost of portable
media.
A system operating in identification mode is quite different. In this
case the user does not call up a stored template. Instead, s/he
submits their biometric information through a scan and then asks
the system to "identify them." This is much more complicated
because the system must go back and search through its
database to find a match. In effect the challenge is: "here is a
template (created by the scan) -go and find a match and tell me
who it is!" Thus, the larger the database, the more difficult the
task. Finding a match for members of an office staff of 3,000 is
one thing; finding a match for a driver's license in a batch of
500,000 is another. Also, the more critical the mission, the more
complex the algorithm should be (i.e., the more variables it should
express) and, consequently, the more time and computing power
will be needed to return a reliable and efficient decision.
In the next few articles, we'll take a look at some of the companies
providing biometric-based security solutions, the issues of privacy
vs. security, and the factors driving growth in this industry.
Don Sussis, the E-Consultant Columnist, is a business and
investment advisor. He is a member of the New York New Media
Association Angel Investment Group and a speaker for California
based Tec, a worldwide association of CEOs. His email is: dsussis@internet.com
ecommerce.internet.com
steve |
