Biometrics World 2005
By John Latta, WAVE
0520 5/20/05
Singapore
April 27 - 28, 2005Terrapin Pte Ltd. has produced Biometrics World in the large convention center, Suntec Singapore. This is being held simultaneously with Cards Asia, R.F.I.D. World Asia and Kiosk World. There is a corresponding trade show exhibit which is mostly focused on RFID and smart cards. Biometrics World pulled together speakers worldwide with a strong emphasis on the Asia Pacific. As we have seen in our coverage of biometrics, some of the most interesting applications of biometrics are in Asia. This event only reinforced that perception. Given the immature state of biometrics, we have found that each event, even if relatively small, nets more insights into the developing markets for biometrics. Biometrics World certainly fits this condition.
Privacy, Privacy and More PrivacyBiometrics has become a lighting rod for privacy concerns. As we have seen in earlier events, biometrics has the potential of actually protecting privacy if used properly. However, here at Biometrics World, the public perception is much higher that the potential for privacy lapses will increase when biometrics are used. The issues revolve around:
Failure to inform the public; Lack of adequate safeguards; and Poor use of biometrics.
John Secker, Chairman and Director of the Biometrics Institute in Australia, described two applications:
The use of Iris scans in an elementary school library check out system, and
A fingerprint application for time card submittal identification.
The example was simple – biometrics was used in a time card application. Yet, some employee refused to participate due to privacy concerns and were fired. This caused considerable press coverage and only served to fuel the suspicions of the public. As a result, one element of the privacy code developed by the Biometrics Institute in Australia, is for an opt-out choice.
In each of these applications, there was considerable negative press publicity which only reinforced public concerns about privacy. As a result, a privacy code has been developed. One of the objectives of the Biometric Institute’s code is to accomplish regulatory compliance. Being an organization which was launched with Australian government funding, it is hoped that the code can accomplish this.
In the U.S., the US-VISIT program has instituted a privacy program that includes:
Rules on information use;
A Redress policy for corrections; and
Privacy impact assessment.Even the CrimTrac Agency in Australia, which is responsible for biometrics in criminal investigations, has an extensive privacy policy. This includes:
A privacy commissioner
Stringent IT security
Audit Logs
Privacy requirements in contracts
Privacy training by the staffs
Implementation of FOI processing procedures.Thus, privacy concerns map across all the applications of biometrics.
Interoperability, Interoperability and More InteroperabilityJohn Secker, Chairman and Director of the Biometrics Institute in Australia, also listed, as one of the challenges of the industry, the assurance of the interoperability of technologies based on the same biometric. We have seen this in the IBG testing of Iris biometric equipment testing. At Biometrics World more interoperability issues surfaced.
Brad Wing, US-VISIT Program, described the interoperability issues that surfaced in the early testing of systems to meet the ePassport mandate. This began in February 2004 and exposed many issues. As a result, there have been four subsequent testing events to resolve interoperability issues. Another test is scheduled in September 2005.
Diane Fraser, Canada Border Service, described one of the more impressive and successful applications of Iris recognition. They have two similar programs called CANPASS, which operates within the Canada, and NEXUS Air, a pilot program between the U.S. and Canada. Both use Iris recognition. They are frequently asked – Why use Iris? In response, after evaluating other biometrics, Iris has an advantage of being: accurate, safe, fast, non-invasive and highly secure. A problem highlighted during the talk was the constraint imposed by obsolete equipment. That is, the iris scanner used in the initial deployment was made by LG. Now, when the program is to be expanded, this unit is no longer available and they must cannibalize units in the field which are not a part of the passage Kiosks in order to build more Kiosks using the LG scanner. Thus, interoperability is a factor which limits the expansion. As Diane stated – buy all the equipment needed at one time. This is a solution that many projects, including enterprise deployments, cannot accomplish. (Note that the iris interoperability issues are consistent with the tests run by the IBG on multiple iris biometric systems.)
Cynthia Musselman, Authenti-Corp, gave an overview of the Seafarers’s ID (SID) program. This is under auspices of the International Labour Organization, a specialized agency of the UN. There are 175 member states and the impact of agreements under the ILO is that those agreements have the same force as a treaty among the member states. There are 1.2m seafarers who work on ships for months at a time. They, in large part, do not have visas when ships enter port and the seafarers frequently have to move between ships. After 9/11, the seafarer ability to leave the ships in port was severely limited. This has an impact on the means by which 90% of the world’s trade is delivered. As result, ILO Convention No. 185 was passed in June 2003. This allowed for the use of a biometric on an ID card which assured determination of the ID. There are two fingerprint biometrics on a card. A testing program was conducted at sea in September 2004 that became the foundation for an actual scenario test. Systems were submitted by seven vendors for which the interoperability results were poor. The criteria was a FAR and FRR of less than 1%. This simulates an individual on a ship collecting 100 IDs and assurance that only one such ID will work with that particular individual. After additional testing, it was found that only three systems could meet the minimum requirements.
Training, Training and More TrainingIn the high volume applications for biometrics, such as a border crossing, a set of early deployment issues provided valuable lessons learned. One of these is the need for training in the use of the equipment by the public.
Raymond Wong, Hong Kong Immigration Department, showed a video of the automated entry gates. The failure-to-pass rate is <2%. At the first gate there is a moist cloth for the preparation of the thumb. This allows enough fluid to be present on the thumb so that is can be scanned. On exit, the same moist cloth is used to clean off potentially too much fluid. Thus, the public has to be trained both in the positioning of the thumb on the scanner and its preparation for insertion over the scanner.
One of the issues being faced by the Canadian Border Service is that some passengers seek to bypass the Kiosk which takes the iris scan for entry. It was found that those that did this had not taken the training when they were enrolled. Thus, the effectiveness of the system is closely related to the training received when enrolled.
Where is Biometrics Going?Clive Reedman, Chairman of the International Association of Biometrics, UK, gave an overview of cross border security and how the UK is responding. The most interesting comments came at the end when Clive asked:
Is the future vision of biometrics – Ambient Biometrics?
Clive sees the possibility that biometrics will be embedded everywhere. Fittingly, he called this Ambient Biometrics. Such a notion is not that unreasonable. But much lies ahead to accomplish such an end game.
This is certainly consistent with the work in Europe on Ambient Intelligence. The point of the comment in this talk was that biometrics allows for a degree of personalization and privacy protection which is tagged to the individual. Thus, it is not unreasonable to consider how all our actions would be linked to ourselves and biometrics would be a key enabling technology. Interesting.
WAVE CommentIt is our contention that most of these examples are about large scale government projects. They do not relate to enterprise applications and, therefore, really miss the point. Is this true?
We only need to remember the early years of computing. Without the ANSI character set, even text had a hard time being interchanged between computers. Software written in the same programming language was not always interoperable between different brands of computers. It is easy to see biometrics in this same early state of affairs. While the events of 9/11 are driving uses of biometrics, there are many limitations:
Standards will play a major role but this is a work in progress.
The public has a concern about the technology - as deployments move ahead, not enough is being explained to the users.
Interoperability is one of the biggest issues. It is very similar to the computer language analogy. A unique set of tailored middleware and operational procedures must be developed. This is not the foundation of a mass market.
There is yet another factor which underlies the use of biometrics – convenience. As more stringent security measures are put in place using many biometric applications, there are just not the resources to support the application. As Raymond Wong, Hong Kong Immigration Department, said - 1.8B persons a year are crossing the borders. This is more than the 1.3B population of China. When the immigration official takes on average of 13 seconds to pass a Hong Kong resident and the electronic gate takes 9 seconds, this is a big deal. On an average day there are 400,000 individuals crossing the Hong Kong-China border. Convenience is important to both the user and those seeking more security.
Match-on-Card Technology AdvancesAt CardTechSecurTech, we heard from Sharp on its Smart Card with an embedded 32bit processor, 1MB of memory and potential application to HSPD 12. We have now heard of another significant card which is highly integrated – e-smart card from e-smart Technologies. The key feature of this card incorporates a fingerprint biometric reader on the card. Thus, true card only, match-on-card verification can be provided. This means that multifactor identification, such as PIN and fingerprint biometric can be accomplished without access to a data base in real time. The fingerprint sensor is only .33mm thick, however, the characteristics of the sensor are not discussed other than to state patent pending. It is claimed a FRR of .01% and a FAR .0000001% which seems preposterous.
The smart card without the fingerprint sensor is in use in Pusan, Korea now and it will be upgraded to the one with the fingerprint reader in June.
JCB Tries BiometricsJCB (Japan) has a history of evaluating technology which supports its customers. The company has 53.6m card holders and 13.22m merchant outlets where the cards can be used. One of its pilot trials was the elimination of PIN entry by using biometrics. This was a limited trial with 50 JCB employees using a NTT DoCoMo phone with a fingerprint reader. The user results were quite interesting, on one hand, and a disaster on another.
Convenience – 80%
Feel Assured – 20%
Cumbersome initial registration – 33%
Dissatisfied with accuracy of verification – 67%This creates cause for pause in evaluating similar fingerprint biometrics.
Dormitory Access via BiometricsThe problem was unique:
How to manage access, time record keeping and presence for 6,000 worker immigrants who are working on construction projects in Singapore.
The center of the access issue was the dormitory where the workers stayed after the work day. The workers are semi-literate and others seek to gain illegal entry. When the workers get off at the end of the day, they arrive in large numbers. Unless secured, the dormitories can be a hot bed of illegal activity including riots. One point stressed is that it is very important to keep illegal immigrants out of the dormitory. Initially a fingerprint system was installed for access and construction worker tracking. But this was a failure due to the high variable condition of the fingers – soiled and cut. Further, if the workers needed any training to pass the entry portal, this failed. It was found that the accuracy of the system fell off dramatically in 2 weeks. Another approach was tried – the combination of a facial recognition and RFID system. This was contactless and fast. The result was a much superior system. It also allowed for the video logging of attempted access by illegal workers.
WAVE CommentsWith each event, the level of understanding biometrics increases. Biometrics World gave an important perspective of developments in the application of biometrics in the Asia Pacific and also the larger context of the role that biometrics can play.
The three big biometrics are facial, finger and iris. With each conference, it becomes clearer that no single biometric is superior. Here at Biometrics World, we saw a practical high-volume iris application in border crossing while this biometric has been a failure in other such attempts. Yet, there were two significant failures of fingerprints. At the same time, many factors outside of the biometric will determine its success or failure. Cited over and over again was training. Thus, the end-users can do much to determine if biometrics is a winner or dud. Likely more important is the prospect that biometric performance can fade with time. This was cited in the fingerprint application for physical access.
Increasingly it has become evident that the major system costs for a biometric implementation are not the sensors but the infrastructure. In the large government projects, this is the responsibility of the integrator. Smaller projects, including enterprise implementations, still have an infrastructure. Some of the early identity management suites illustrate how rich this can be.
The fact that a biometric exists does not stop there. Privacy has a large impact and, at Biometric World, we saw an early indication that this will be a factor in enterprise implementations. Thus, one must also consider the record components – that is, the data base which underlies the biometric.
It is easy to see convenience as a byproduct of biometrics use. However, the greater the convenience, the lower the security. While we are coming to accept the fact that convenience and necessity are closely related, this does not dismiss the role of security as a factor in the implementation. The parallelism of convenience and necessity are illustrated in US-VISIT and Hong Kong Immigration programs. We have spoken many times about US-VISIT. However, the Hong Kong Immigration problem is unique in terms of volume. With more than 400,000 border crossings per day, convenience is critical. Measured against an electronic gate passage of 9 seconds and a manual method of 13 seconds per person, the electronic gate would not work if it were not convenient to the user. With a failure rate of less than 2%, this might be also called a “convenience failure rate.” Thus, there is a practical cost to convenience.
Here at Biometrics World, we heard about the International Labour Organization’s Seafarers’s ID (SID) efforts and important issues in fingerprint systems interoperability. NIST is the catalyst for standards development. US-VISIT is driving performance. Where the money is being spent is setting the direction of the technology. There is nothing new here but we must keep in mind that corporate use of biometrics, and even transactional biometrics applications, are not on the radar screen in shaping the biometrics industry. HSPD 12 will be another major driver which has the potential to define the framework for logical access but this is too early to assess. Thus, it is important to keep in mind that “commercial” applications of biometrics are a trace market.
At CardTechSecurTech, we received early indications that smart card technology is playing an increasing role in the ability to implement sophisticated biometric systems. Sharp in HSPD 12 and now e-smart with a built-in fingerprint biometric reader are two examples. If there is a part of biometrics that parallels Moore’s Law, it is the smart card. While the smart card is not required for biometrics, it is yet another factor in a multi-factor approach. ePassports are embracing smart cards and so is HSPD 12. Because smart cards are migrating to a platform, for applications and sensors, developments in smart cards are showing that they can drive biometric programs. This is an important area to monitor.