[LINK] SMH Blurb tries to help ailing biometrics industry - 2

Roger Clarke Roger.Clarke at xamax.com.au
Wed Feb 20 09:04:53 EST 2008


[This email contains comments on an article in the SMH/Age Next 
section: Born-again biometrics
February 19, 2008
http://www.smh.com.au/news/technology/bornagain-biometrics/2008/02/18/1203190738826.html?page=fullpage#contentSwap1

[It's 1-day-old news, because I had to let my blood cool down 
overnight to make sure the comments were merely critical and not 
intemperate.]


The extent of the skulduggery that the biometrics industry has been 
allowed to get away with in this one story is simply astounding.  The 
reporter should hang their head in shame.

Here are some devices used in the article:

1.  "Half a decade before the twin towers fell in New York, ..."
     (a)  uses a portentous alternative to "In 1996, ..."
     (b)  unjustifiably links something to something important, in the
          hope that it will gain some reflected glory

2.  " ... PhD exploring how computers and biometrics could be used to
     detect terrorists at airports"

     I've not read that PhD thesis, but there's a fair chance that it
     related to detecting people for whom both of the following were true:
     (1)  the person's biometrics were recorded
     (2)  the person's status as a terrorist was known

     Neither was true in respect of any of the 19 who committed the
     attacks on the Twin Towers and Washington DC.

     The close relationship suggested in the text is completely spurious.

     Catching 'virgin terrorists' by means of biometric schemes is
     downright impossible, and the industry is culpable for pretending
     that they can deliver solutions to that problem.

3.  "Biometrics involves capturing information about something unique
     to an individual - their voice, face, ..."

     Neither voice nor face are unique to an individual.

     There is a great deal of variability of performance of an individual's
     voice, and appearance of a person's face.  The range of each voice
     and face overlap substantially with those of many other people's
     faces and voices.

     Much the same is true of biometrics generally, although with biometrics
     that are based on a unique physical feature, the reasons have less to
     do with variation of the physical characteristics and more to do with
     the wide range of technical and operational challenges involved in
     taking measurements.

4.  "If it matches the information captured about that biometric,
     in they go"

     For the reasons outlined in 3. immediately above, all comparisons
     between biometrics are fuzzy, or to put it another way, no two
     measurements of the same physical feature are ever the same.

     It's seriously misleading to ever use a strong word like 'match'
     in relation to biometrics, without some form of qualifier.  The
     comparison process is non-trivial, and of necessity makes mistakes.

     All biometric schemes involve substantial false-positive and
     false-negative results.  How they are balanced in important.
     And the business processes to handle them are crucial.

     Many seemingly attractive applications simply don't work, because the
     financial and other costs of handling the flood of exceptions is
     simply far too high.  Many of those seemingly attractive applications
     will *never* work, because the error-rates and resultant costs will
     *always* be too high.

5.  "This was supposed to be the year that biometrics hit its straps;
     the year Australia phased in a biometric access card ..."

     The Access Card *Register* was to include a high-resolution copy
     of the card-holder's photo, and a 'biometric template' derived from it.

     But the *Card* was *not* to hold either of them:
 
http://www.privacy.org.au/Campaigns/ID_cards/HSAC-GovDocs-Data.html#DataonChip

     So the biometrics industry is in the process of creating the lie
     that the card would have been a biometric card.

     (And of course face is not a proper biometric, and the suggestion that
     it can be used for identification purposes is a complete furphy).

6.  "[Ludwig] has carefully left the door open for possible future
     projects ..."

     What Ludwig was actually reported as saying on 13 Feb 08 was:
 
http://news.theage.com.au/access-card-funds-go-to-health-schools/20080213-1s11.html
     "We are focused on the practical things that will make a real
     difference, like online services, the coordination between agencies,
     data matching and data sharing, that's what the Rudd Labor government
     will focus on, RATHER THAN A CARD," he said. [Emphasis added here]

     So even a replacement Medicare Card is far from a certainty.

     The pretence that a 'biometric card' is in the air is a self-serving
     invention of biometrics industry spruikers.

7.  [Ludwig said] "any proposals that I bring forward will not rest their
     hopes on a magic card to solve all the Government's problems."

     [Reporter said]  Given that biometrics involves little or no magic,
     it seems a safe promise to make.

     Ludwig is wary of a 'magic card', yet the reporter switches the
     sense of the statement across to 'no magic necessary in biometrics'.

     The reporter has now swallowed four myths perpetrated by the industry:
     (1) biometrics identify terrorists
     (2) face is a biometric
     (3) the Access Card would have been a biometric card
     (4) biometrics doesn't rely on magic

8.  "For some of the companies that had won roles on the project,
     it's been a costly political debate ...  [KPMG] ... [BAH] ..."

     This is beside the point.  KPMG and Booz got paid.  They would
     have made even more money, that's true, but they didn't lose
     anything other than opportunity.  It was the tenderers for the big
     supply jobs that lost, because they'd spent literally millions on
     the preparation of tenders that were never let.

     The suggestion that it was a 'political debate' is misleading.

     The Access Card scheme collapsed because it was shown to be
     seriously inappropriate in a variety of ways.  See:
     http://www.privacy.org.au/Campaigns/ID_cards/HSAC.html
     http://www.privacy.org.au/Campaigns/ID_cards/HSAC-Media-07.html

     A key step in the process was a Senate Committee whose Government
     members had the intestinal fortitude to say so.  So it was 'political'
     only in the sense that the assessment was undertaken by politicians
     (and was well-undertaken, which is regrettably uncommon).  It wasn't
     a 'political debate' in the pejorative sense of 'party-political'.

9.  "Research from the University of Texas comparing human and machine
     face recognition has shown that when the performance of seven
     different face-matching algorithms was pitched against the
     performance of humans matching faces, a handful of the algorithms
     consistently outperformed the humans."

     The standard of acceptability seems to have slipped, rather a lot.

     How many mega-millions did we want to pay, for a scheme that, under
     laboratory testing conditions, is marginally better than what we've
     got now, and that, under operational conditions, may well be rather
     worse?

     And this is the *easy* part - 1-to-1 authentication of an assertion
     of identity.  That's far, far away from the 1-to-many identification
     challenge that headlined the article ("detect terrorists at airports")

10. "The Government continues to trial the SmartGate facial
     recognition-based border control system".

     "The pilot ... started in late 2002 ..."
     http://www.anu.edu.au/people/Roger.Clarke/DV/SmartGate.html (Aug '03)

     Wouldn't the fact that it's still on trial after more than 5 years
     suggest something?  (Maybe those two pesky Japanese gentlemen are
     still around, waiting to give the scheme more bad press).

     A pseudo-evaluation in 2004 did the taxpayer a serious disservice
     by pretending that all was well, when it wasn't:
     http://www.anu.edu.au/people/Roger.Clarke/DV/SmartGate040207.html

     Customs CIO Murray Harrison admitted in March 2006 that "Smartgate
     doesn't enhance security.  It helps flow and efficiency in the limited
     space available in airports".

11. "The system has operated since July and [the CEO] expects it will
     deliver annual payroll savings of about $600,000".

     The amabiguous use of "the system" is yet another piece of
     misinformation.  It actually refers to a payroll system, but is
     used as though it referred to a biometric element within the system.

     Re-insourcing and installing a payroll "system" can save you a lot
     of money when your business processes are as crippled as that
     company's appear to have been.  Biometrics has got precious little
     to do with such outcomes.


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


More information about the Link mailing list