Hollywood was home for James L. Wayman, and he studied at the nearby University of California, Santa Barbara, for his BSc, MSc and a PhD in architectural acoustics ābecause the surfing was goodā. He still breaks off mid-conversation to show the correct way to stand up on a surfboard. Acoustics was how to combine work with rock music. His expertise in biometrics dates from working at Ford Aerospace on speech recognition. From 1984, he developed speaker recognition algorithms. His numerous papers include: āBest practices in testing and reporting performance of biometric devicesā, with Tony Mansfield of the UKās National Physical Laboratory, and āNational Biometric Center Collected Worksā.
Tighter security has become a mantra worldwide for all sorts of reasons. Do governments see biometrics as their lifeline?
There has been great enthusiasm for biometrics since 1961. It sounds like such a great idea, but people fail to understand how difficult it is. Take the Enhanced Border Security and Visa Entry Reform Act of 2002 for example. This requires biometric identification on the travel documents of everyone entering the US after 26 October 2004, even for visa waiver countries. This has thrown a lot of governments for a loop: how will they comply? The International Civil Aviation Organization argues that there is already a biometric on passports, a photograph. But what about those people who donāt have that? Are you going to say weāre going to come up with one biometric measure? The act, if you read it carefully, doesnāt require that the system actually works, just for it to be there. I donāt think we are going to make the deadline, so something is going to hit the fan come October 2004. A woman from Australian customs told me straight: āIn Australia we will not give fingerprints to the US for the purpose of visa entry, we absolutely do not give fingerprints.ā Her response was there would be no travel from Australia to the US.
Advertisement
That sounds crazy: forcing governments to use biometric systems that may not work?
Some people say itās like barcodes, which didnāt work in the early days. Biometrics will get better, itās true. But itās a bad analogy because barcodes can be controlled in manufacturing. If a checker has to type in the code too many times they make the manufacturer redesign the can. Human beings canāt go to God. No one technology is going to provide the magic bullet. People are different in ways that you could never imagine. They never have what you think they are going to have where you think they are going to have it.
For example?
It never, ever, occurred to me that people can have polydactylism: one fellow had two right thumbs. I have a friend who has a hard time with facial recognition systems: he is very light-skinned, with very light hair but mostly bald. Against a light background, the computer couldnāt find the outline of his face, and it said: āThereās nobody here.ā Another guy I knew didnāt have a round pupil because he had damaged his eye. You couldnāt use iris recognition on that one eye. And then there are people with one glass eye. Or take privacy advocate Simon Davies, whose irises move constantly. He canāt be successfully iris-scanned.
But surely fingerprints work?
Everybody learns from reading Mark Twainās Puddānhead Wilson that fingerprints are unchanged from cradle to grave and that everybody has unique fingerprints. But despite this, there remains a tremendous controversy over the admissibility of fingerprints as evidence. Iāve been an expert witness on this. Fingerprinting is very defendable, but the government has used some of the most stupid, crazy, spurious and non-scientific scientific arguments to try to defend it. We do lack the scientific basis, and thatās what weāre trying to make up for now.
What about DNA samples?
DNA is not biometrics, itās not automatic unless you touch a machine and it takes a sample, like in the movie Gattaca. But there are a couple of problems. First, you are invading my privacy by asking me to touch a machine and by removing something from my body. I find that disgusting. Secondly, there may be information in that DNA analysis that tells you something about me as a person. Other biometrics donāt give any information about a person at all. You may argue that they can be used to link records, such as health records, but itās much easier to use a social security number.
How is face recognition doing?
Face recognition still seems to be the holy grail. Perhaps itās more acceptable to people than being fingerprinted or iris-scanned. And often if we have any information at all on terrorists, the face may be the only thing we have. But there are many problems. Take the London mayor, Ken Livingstone, and his idea that you can point a camera at a car and do facial recognition of the occupants. We did that at a Mexico border crossing in Otay Mesa. The immigration service tried to automate the crossing by installing facial recognition cameras in a system called SENTRI, but the driver had to stop and look into the camera. That was highly problematic because the height of the cars varied, and window frames obscured the faces. The state of this technology is we are still trying to teach the cameras that the two people in each scene are the same person.
So how do I know youāre you? After all, you have just failed to get into your office and we have had to go to a Dennyās restaurant.
You have no clue who I am, and I could give you my fingerprint and you still wouldnāt know who I am. Thatās a fundamental flaw in all the legislation. Biometrics says nothing about whether Iām a terrorist or not. Right now, your best information that I am who I say I am is what I know. We lack good definitions of security.
Donāt we also need international standards?
In 1996, it occurred to governments that companies who make these systems were being asked to meet different requirements for every country and that made no sense. They set up the Common Criteria so if you met the requirements for one country you met them all. The hot question is, can the Common Criteria be extended to cover security for biometrics? We are only just getting to the point of being able to test how good biometrics are for government security applications.
Will we use biometrics to track people?
Weāll never use biometrics to track somebody. Iāve got a really good idea for tracking people: you ask them to carry radio transmittersā¦
Like my mobile phone?
How much do they pay you to carry that? You pay them! So right now the government can track you within metres. Thatās a much better way to track people.
So what are biometrics good for?
For negative identification. To prove I donāt know you ā that you are not on my wanted list ā I have no choice but biometrics. If you want to prevent the issuing of multiple driverās licences to a single driver, you have to do biometrics. For positive identification, such as the UK immigration programme, itās really hard to know if you are talking to the same person as a couple of months ago, particularly with multiple interviewers and because of the āother raceā problem ā itās hard for people of one race to distinguish people of another race.
Are there systems that work?
Thereās a nice project in Australia, where custom officers are using facial recognition at border crossings for Qantas airline representatives. Theyāre very clever: they keep the photos current, they donāt take one photo but five using a special camera with five lenses ā thatās how they handle the pose angle ā and they ask everybody to use a neutral expression. When you go through customs, they have three cameras, so one of the three has to match one of the five, and they control the lighting. If the system fails, they have a back-up plan, you just go to the clerk. They claim very low error rates, and I believe them.
Any other good ones?
Hand geometry. Itās used in the US Immigration and Naturalization Serviceās INSPASS system. Itās an automatic system that speeds you through customs and immigration. INSPASS just works and works, and the error rates can be very low even with people who are not used to it.
Whatās the snag?
I have my INSPASS here, based on my hand geometry. Error rates are very low but thereās a problem. The card has a lifetime of one year and to issue me this card takes about half an hour: I have to go in, I have to get my picture taken, my hand geometry measured, I have to declare Iām not a convicted drugs smuggler and give them a fingerprint so they can run it against records. When I come through showing my passport, they take maybe 30 or 60 seconds to process me. Every time I use my INSPASS, the immigration service saves a minute because it is automatic. But during that year I have to come through the system 30 times or it never pays for itself. It pays for itself for me, though.
Does anything else work ā economically speaking?
The system at Disney World, which is based on finger geometry, has had 12 million transactions in the past five years and is working extremely well. But neither of these systems can be used for negative identification on a large scale. For that we need systems such as iris recognition but we have limited experience of working with it. The problem is whether you could run a large-scale operation just based on irises. Keep in mind that the largest national identification system in place thatās working is the Philippines social security system, which has about 4 million people enrolled.
Is the key to testing these systems to test the biometrics themselves?
It isnāt that easy. Biometric tests are not like tests of computer security because in biometrics you are testing people ā and people are extremely expensive to test. We have seen that recently with the results from a facial recognition test sponsored by the US Department of Defense and conducted by the National Institute of Standards and Technology (NIST). Two of the companies involved came forward and said āWeāve improved our product, those results donāt apply to us.ā How would they know? No one has tested the new product. And tests are so expensive that they canāt afford them. We see this in biometrics all the time.
What about national test centres?
There are a lot of government groups that do biometric testing: thereās NIST doing facial and voice recognition systems, a group at the University of Bologna in Italy that tests fingerprint verification devices, the Army Research Laboratory, Sandia National Labs and so on. But they are not coordinated. That would require central funding, and each group has its own money so they are not required to coordinate with anybody. It takes literally an act of Congress to get tests going. The British government is forcing the issue. They say: weāve got all these tests going on, but none of them uses the same protocols, none of them reports the same way, maybe we should develop a standard. Itās badly needed.
What are you working on now?
Iām really excited about research Iām doing at the University of Minnesota at Duluth. One of the big issues is, what happens if you combine biometrics? Maybe weāll have multiple systems: say, fingerprint and iris recognition. Combining biometric systems raises some huge problems. Can you imagine trying to enrol people in such a system? But the mathematics gets absolutely fascinating. We call it the ācotton-ball squishing problemā.
The what?
OK, in hand geometry, you get nine measurements. In facial recognition you get 128. Why donāt we just concatenate them? It turns out the mathematics is really, really hard. If you throw cotton balls into a shoebox with no gravity, what is the probability that there will be a collision? The probability of a collision increases as you get more balls, the smaller the box gets or the bigger the cotton balls are. Then suppose we change the dimension: so that they are not cotton balls but the shadows of cotton balls on the floor of the box. The shadows may be colliding while the cotton balls are not colliding. Can we put together a mathematical formula that tells us how increasing the dimensions of the system decreases the probability of collisions? In biometrics, a collision is a false match.
How did you get into biometrics? Didnāt you say you were surfer and a musician?
My dad was a civil engineer for the city of Los Angeles and my mother was a modern girl with a BSc in a new field called home economics from the University of California at Los Angeles. They bought a little shack above Malibu beach with pasteboard walls and running cold water and a toilet that just flushed into an underground pit. Weād live there in the summer and weekends.
Did you have any success as a musician?
Yes, it doesnāt take any talent to be a rock and roll musician, and I had even less than that. I did a Tony the Tiger Sugar Frosted Flakes commercial with my rock and roll band when I was 15. During the Vietnam war I toured with a United Services Organization show. Then I played in a revival of a group called The Diamonds that sang Little Darling, and we did lots of Las Vegas.
But the Beach Boys were your big passion?
I thought, oh, Iāve got to get into this. There were two young guys: Jeff Foskett and his buddy who played and sang together. They went around playing Beatles and Beach Boys songs in the local bars in the 1970s and they were very good. One of the founding members of the Beach Boys, Mike Love, lived in Santa Barbara, and he recruited Foskett to play with him on a tour. He made his way into the Beach Boys, and from 1980 to the present day Foskett has played with Brian Wilson. Just an ordinary guy like me. I want to be Jeff Foskett. In my dream, itās me and Brian Wilson. I have this dream very often that Iām playing with the Beach Boys.