快猫短视频

Privacy and prejudice: whose ID is it anyway

Who will be the winners and losers of the identity revolution, in an age when each of us is assigned a digital identity?

In the second part of 快猫短视频鈥榮 special report into the identity revolution, Duncan Graham-Rowe investigates what impact the widespread introduction of biometrics will have on society.

Who will be the winners and losers in an age when each of us is assigned a digital identity? How will our lives change, and what impact will this revolution have on our personal privacy?

IN JUST a few years from now, every citizen of most western countries, and probably many more besides, will be required to carry their digital identity with them wherever they go. Our digital personas will be derived from biometrics that are unique to each of us, such as fingerprints, iris patterns and facial profiles. And this digital identity will open doors, in some cases literally, giving us access to our home, workplace, finances and medical records. It is designed to give each of us instant access to the services we are entitled to, improve our security and prevent fraud. It is an alluring prospect.

But as the story of the fictitious Mark shows (below left), when the technology fails, things can go badly wrong. Of even more concern are the far-reaching effects the introduction of biometrics-based systems could have on personal privacy and the balance of power between the individual and the state.

Fears about the way biometric technologies could change society prompted a committee of the European Parliament to commission a wide-ranging report into their impact. The results are startling. The report, published in February by the European Commission鈥檚 Joint Research Centre (JRC), concluded that the burgeoning information society is bringing with it a need for us to be able to securely identify ourselves quickly and remotely. And this, it says, makes rapid implementation of biometric technologies both necessary and inevitable.

The first step will be for governments to encourage the use of biometrics to increase security at a national level, probably by introducing biometric-based ID cards, for example (see last week鈥檚 快猫短视频, p 29). At the same time, businesses and banks will see biometrics as a tool to help cut fraud. Consumers will be attracted to it as a way of eliminating the increasingly cumbersome assortment of credit card numbers, login details and passwords that we need to access our finances and electronic services (快猫短视频, 10 September, p 26).

Later there will be a 鈥渄iffusion effect鈥, as biometrics permeate every aspect of society. And with that, says the JRC, which submitted its report to the European Parliament鈥檚 Committee on Citizen鈥檚 Freedoms and Rights, Justice and Home Affairs, will follow a host of legal, political and social issues for which we are still woefully unprepared.

Here鈥檚 looking at you?

Take Mark鈥檚 experience with his medical records. In future, every time you visit a physician, are prescribed drugs or undergo a medical test or procedure, medical staff will be able to confirm your identity beyond doubt, ensuring that the drugs or operation you receive are the ones approved for you, and not for someone else. Similarly, banks may use biometric technologies such as face recognition to confirm that you are who you claim to be.

But what if the technology fails? Will hospitals, banks and other institutions shut down when the computers crash? And what will happen if biometric software confuses you with someone else, or if someone steals your digital identity? 鈥淚dentity theft may become simultaneously less likely but more serious,鈥 says Jonathan Cave, an economist at the University of Warwick in the UK, who has studied biometrics. Accurate identification will reduce the prevalence of mistakes, but those that do occur will be more serious and harder to rectify.

This is likely to happen, Cave says, if people place too much faith in the technology rather than their own common-sense judgement. Much may depend on how stringent the standards for identification are. In the UK, for instance, the government is proposing that ID cards carry electronic representations of the holder鈥檚 face, scans of both irises, and all 10 fingerprints. But other organisations may settle on a lower standard: businesses, hospitals and banks, for example, may find it simpler and cheaper to rely on automated systems that use just one biometric identifier and lower-quality equipment. These simpler IDs will be more easily spoofed and prone to error.

鈥淲e are woefully unprepared for the legal, political and social issues that will follow biometric ID鈥

Even worse are the problems that could arise if your digital identity becomes compromised or altered. What happens when a scan of your iris fails to match the digital ID held in databases all over the world? Every time your eyes are scanned, by your bank鈥檚 security system, the biometric lock at the gates of your children鈥檚 school, or the immigration desk at some faraway airport, you will be rejected as an unknown.

Is this fear a realistic one? It depends how biometric systems are implemented, Cave says. For example, the ID system being proposed for the UK will store citizens鈥 digital identities both on a card that everyone carries with them, and in a central database. However, when researchers at the London School of Economics examined the proposals they found the scheme to be 鈥渢oo complex鈥 and 鈥渢echnically unsafe鈥. They propose an alternative system in which the central database stores only non-biometric information about each person, which can be accessed only with that person鈥檚 permission. Any biometric information will be stored only on the card.

The distinction is crucial. Storing biometric data centrally in effect creates a digital identity that can be accessed, copied or amended without its owner鈥檚 knowledge or permission. Storing it only on the ID card keeps the owner in control of that identity. 鈥淵ou either see the government at the centre of the model or you see the citizen,鈥 says Simon Davies of the London-based pressure group Privacy International. 鈥淎ll the government needs to know is that a person purporting to be an individual is that individual.鈥

Theft is another concern. Hackers and cybercriminals can already steal bank account or credit card details, and in the future they will undoubtedly find ways to steal biometric profiles. And they may find that all too easy. We leave fingerprints on anything we touch, images of our faces can easily be captured from CCTV footage, and we leave a trail of DNA wherever we go. As for iris scans, often touted as one of the more secure biometrics, the possibility already exists that they can be spoofed. Samir Nanavati of the consultancy International Biometric Group in New York says that criminals could, for example, use tinted contact lenses to register a fake iris pattern.

鈥淧eople may simply opt out and refuse to enrol in such schemes, especially if they believe their digital ID may be misused or stolen鈥

While software designed to distinguish contact lenses from genuine iris scans exists, experts stress we must still trust humans to verify the integrity of these scans. Jim Cambier of the leading iris-recognition technology company Iridian recommends that people being scanned should be monitored by trained staff to check that they are not wearing lenses that will falsify the scan.

Ravages of time

Another problem is the way our biometric profiles change as we pass from youth to middle age and beyond. Faces change, fingerprints fade and even the pattern of pigmentation spots in the iris changes over time. This means everyone鈥檚 biometric profile will have to be updated every decade or so. With each re-registration comes a new danger: the opportunity for the person to acquire a new, fake identity.

Such scenarios are still hypothetical, however, and Cambier dismisses them as unlikely. Simpler, more traditional ways to spoof the system are the more immediate threat. 鈥淚t鈥檚 a lot easier, quicker and cheaper to hack a central database than to lift a biometric,鈥 says Ioannis Maghiros at the Institute for Prospective Technological Studies in Seville, Spain, who co-authored the JRC report. If internet-savvy companies and banks can鈥檛 always keep credit card details secure from hackers, then governments are unlikely to be much better at securing personal data, he warns.

One way to mitigate some of these problems is to create separate digital IDs for particular purposes, by applying different algorithms to the same biometric scans. For instance, one biometric template could be created to be used by iris-recognition systems that give access to your medical records. Meanwhile another algorithm could be applied to the same iris scan to generate a more secure digital template for use in passport controls. As well as providing the appropriate level of security for each application, this makes it much easier to revoke a biometric template and issue the user a new one if their digital identity becomes corrupted or is stolen. 鈥淭his is a feature that we need to have,鈥 Maghiros says.

Such systems have already been successfully developed, says John Daugman of the University of Cambridge, who developed the algorithms that form the basis of the vast majority of iris-recognition systems. There appear to be no limits to the number of device-specific or application-specific templates that can be generated from a single iris, he says.

One weak point arises from people鈥檚 slackness when it comes to safeguarding their personal details. On the net, cookies already encourage us to save passwords to supposedly secure sites so we don鈥檛 have to remember them next time. The same could happen with biometrics, if people are allowed to provide a scan of their fingerprint to sign up to new services. Already, some hamburger chains are scanning customers鈥 fingerprints so they can deliver burgers to them more quickly. It鈥檚 a small step for hackers to start stealing profiles from sources like this, and use them to get credit or goods in other people鈥檚 names.

This could take us into uncharted legal territory. The JRC report points out that there is little legislation in Europe governing the use of biometric information, and other countries are no further ahead. Existing data protection laws do not make clear whether a biometric template should be classified as personal data, so it remains uncertain who will be able to share the information, and whether an individual鈥檚 digital profile could be exploited by businesses and marketing firms.

It has also become clear that while digital identity schemes will create a host of benefits, they ultimately rely on maintaining the trust of the public. The London School of Economics report into the UK government鈥檚 ID card scheme found the proposals 鈥渓ack public trust and confidence鈥. If such attitudes take hold, people may simply opt out and refuse to enrol in such schemes, especially if they believe their digital IDs may be misused or fall into the wrong hands, Maghiros says. Some may be uncomfortable with the idea of being identified at every turn, while others may seek to create false digital identities to protect their privacy.

For all these reasons, the JRC report calls for a public debate about biometrics before their use becomes widespread and unstoppable. Its conclusion may be written in dry, bureaucratic language, but its message is clear. 鈥淭he introduction of biometrics is not just a technological issue, it poses challenges to the way our society is organised. These issues need to be addressed in the near future if policy is to shape the use of biometrics rather than be overrun by it.鈥

Mark鈥檚 story

Mark awoke full of expectation. This was the day he鈥檇 been planning for, when he would move to Florida with his family to make a fresh start. First he needed the all-clear from his doctor. Then he would go into work one last time to quit his job, get cash from his bank account for the move, collect his kids from school, and they鈥檇 be on their way.

Except things didn鈥檛 quite work out as he hoped. A quick examination by the doctor confirmed what he already knew: he did not have the serious heart condition he鈥檇 been warned of in the last report the doctor had sent. The person it referred to was a different patient, 20 years his senior. The mix-up happened when a nurse had failed to scan Mark鈥檚 fingerprints to confirm the test results were indeed his.

But when he tried to enter his office he found the way barred. The doors wouldn鈥檛 open no matter how many times he allowed his iris to be scanned. Things went from bad to worse. At the bank, he discovered that someone had got there the day before and cleared out his account. The man must have been Mark, the clerk insisted, because their face recognition scanner confirmed that his profile matched the one they had in their database. It was bad news at the school gates, too, where their iris scanner insisted he was not authorised to enter. Florida would have to wait.

Sheep, lamb or goat?

In a world where your digital identity defines your ability to access essential services, those who cannot be enrolled on biometric databases will find themselves part of a new underclass.

In the terminology coined by George Doddington of the US National Institute of Standards and Technology, these people are known as goats. In a 1998 paper, Doddington used animal names to classify people according to how easy they are to enrol into biometric systems. Sheep are the easiest to enrol, lambs are particularly vulnerable to imitation, and wolves are good at mimicry.

Goats are not recognised by the system at all. They include people whose fingerprints have worn away, as sometimes happens to manual workers, people with sweaty hands, unusually small fingers, droopy eyelids, squints, lazy eyes or large pupils. Also among the goats are amputees, and those with aniridia, a rare condition that leaves about 1 in 75,000 people with no iris.

The number of goats will be substantial, says information systems expert Gus Hosein of the London School of Economics. At least 2 per cent of the population have fingerprints unsuitable for biometric scanners, he says.

What will become of these outcasts? The UK government鈥檚 solution for its ID card scheme is to use multiple biometrics during enrolment. Under the proposals people will be required to register 10 fingers, both irises and their face, or as many of these as possible.

The problem with this, says Hosein, is that as you increase the number of biometrics for an ID card, the cost escalates. A typical doctor鈥檚 surgery using biometrics to identify patients will not be able to afford three different types of equipment, he says. So alternative forms of identification may have to be found, which might be less secure and so attract fraudsters.

Goats are not the only people likely to suffer in the brave new world of biometric identification. Individuals who are for whatever reason out of favour with the powers that be could find themselves banned from entering certain buildings, using public transport or even refused jobs because of what their identity card says about them.

In the money

While governments worldwide are pushing the introduction of biometric technologies, they will not be the only winners in the identity revolution. The key technologies depend on a handful of patents, and their owners are likely to benefit if biometrics are widely adopted. 鈥淎 few companies stand to make a lot of money out of this game,鈥 says Gus Hosein at the London School of Economics.

One of them is Iridian Technologies of Moorestown, New Jersey, the market leader in iris recognition, widely considered the most reliable biometric. The value of the iris-recognition sector was approximately $70 million last year, and is expected to rise to $164 million by 2006, according to a recent report by Elsevier Advanced Technology.

Iridian has aggressively defended its patents, says Mark Lockie, editor of the industry newsletter Biometric Technology Today, including one originally filed by two doctors, Leonard Flom and Aran Safir, that effectively claims rights to any use of the iris as a biometric. The company also holds patents assigned to it by University of Cambridge researcher John Daugman for his iris-recognition algorithms. Daugman himself no longer has a financial interest in either the patents or Iridian.

The original broad patent, which the company has been using to fight off competitors, expired earlier this year in the US, and will expire in most European countries next year. 鈥淏ecause Iridian uses my algorithms as their internal 鈥榖lack box鈥 but doesn鈥檛 actually understand in detail how they work, they are a sitting duck without the Flom patent to keep others out,鈥 Daugman says.

Jim Cambier, chief technology officer of Iridian, admits that there was a time when the company didn鈥檛 fully understand Daugman鈥檚 algorithms. 鈥淏ut in the past five years we have made some considerable improvements and big corrections,鈥 he says. He also denies that Iridian has stifled innovation. Governments can hardly complain that one strong patent is dominating the market. 鈥淭he governments issued the patents in the first place,鈥 he points out.