What are biometrics and how are they used with the identity card?

what are biometrics? A biometric is a digital record of part of your body which might be unique to you. Examples of biometrics are:

Facial image
Finger-prints (hand geometry)
Eye-scans

In Britain today, these biometrics remain your personal property, you decide who has access to them. Your ability to control access to them secures your privacy, anonymity, and identity.

Your biometrics remain your personal property until you commit a crime. Then they are recorded and are held by the State (e.g. the Police). You lose your right to privacy and anonymity. Your biometrics are now a matter of public record and can be accessed by the authorities when they wish, and without your consent.

Biometrics are a highly controversial inclusion in any identity card and passport scheme because of the value we place on them and their ability to be used to place people under surveillance.

Which biometrics are used depends largely on social acceptance. Few people object to providing a facial image for a passport, but large numbers disagree with providing finger prints (scans) since this is so closely associated with committing a crime. Eye scans also face a significant hurdle due to the intrusive act of having lasers penetrating into the eye and the potential health risks.

The reliability of a specific biometric tends to be opposite to its acceptance by the public. So whilst facial images are uncontroversial, their failure rate is high.

There is the additional problem of increasing the failure rate when multiple biometrics are used (as proposed by the government). To combat this, the conditions for biometric testing are relaxed, resulting in lower security and a higher chance of passports and ID cards being abused by criminals.

the facial biometric - face pattern recognition      Facial images are the most acceptable form of biometric to the public. The government has already announced that these will be stored on a microchip on all biometric passports.

The facial biometric has a high risk of being abused by government and police for mass surveillance of the public without consent.

The identity card and biometric passport will use a facial image.

The facial biometric has a high failure rate of 1 in 10 people.

the finger biometric - finger print and hand pattern recognition Finger printing/scanning has a low acceptance from the public because it is the same process that is applied when someone is arrested and charged with a crime. The Police and Security Agencies are interested in having this on the Identity Register so that they can routinely compare finger prints from crime scenes to those of the public.

UK biometric identificaiton will include finger prints. In practice, finger printing for biometric testing is actually a scan of all fingers and sometimes the complete hand.

The finger print biometric has a high failure rate of 1 in 100 people.

the eye biometric - iris and retina pattern recognition    Eye scanning comes in two forms: iris photography and retina scanning. Iris photography involves photographing the iris or shining an infra-red laser into your eye to record the pattern of the iris. Retina scanning is more penetrative and records the pattern of the inside of the eye (retina). The technique is controversial because it is possible to determine certain medical conditions from eye scans and whether you are a recreational drug user.

The eye biometric is thought to be more effective than facial and finger biometrics. The health risks associated with eye scanning are unknown.

The identity card will include eye scans (of the iris).

Eye scanning is new technology, government tests show the failure rate is 1 in 100 people.

See "IRIS Scanning Failure Rates at London Heathrow and Gatwick" - Biometric Freedom

how do biometrics work? (Biometric testing)     Biometrics are tested using pattern recognition. In facial recognition, a pattern of the face is built using 20 to 30 reference points e.g. the position of the eyes, cheekbones, nose, etc. Finger print recognition uses similar techniques looking for small patterns that make up the print.

You have to place your fingers and face against scanners to have the biometrics recorded and tested. Facial biometrics can be taken from a photograph taken under good lighting conditions.

Pattern recognition has the following limitations:

two or more people can have the same pattern
your biometric patterns changes as you age so they must be recorded every few years
biometrics must be recorded under perfect conditions or ‘aliasing’ can occur.

Aliasing is the creation of a false point or incorrect positioning of a real point resulting in the recording of the incorrect pattern. Hence, the wrong person is identified and your identity is rejected. Aliasing can occur when the biometric is first recorded and during later testing.

It is claimed that existing technology for eye scanning will work at high speed up to 2 feet from the subject and will work through glasses and contact lenses. If the scanning distance from the subject can be increased, this provides the possibility to authenticate people using eye-scans without them being aware.

are biometrics reliable? SchlumbergerSema, now Atos Origin, who ran the UK Passport Agency Biometrics Trial, admits that the failure rate for facial biometrics is too high and the technology immature to provide a convenient and reliable authentication method.*

face scanning is too easily fooled by the changes in the face over time (compare a persons’ face at 16 to what it is like at 56), the reference points for pattern recognition move too often.

several people can have similar facial biometric patterns.

Trials at the UK Passport Agency using face recognition show that biometric passports have a failure rate of one person in ten. In the words of Government Minister Fiona Mactaggart, "this technology is not foolproof".**

Finger print patterns are not unique to any one individual. The finger print pattern on your biometric passport or identity card could easily be the same as that of someone else. Finger prints require a lot of expertise when they are first taken and may require several attempts before a good print is recorded. If you have worn finger prints (such as manual workers), have dirty fingers, or move your fingers, the scan will fail. This means that finger scanning would be unsuitable for verification in shops and banks.

Eye scanning requires special cameras and good lighting to work properly. Even so, under these perfect conditions they still have a failure rate of 1 in 100 people. Eye scanning therefore has limitations due to cost and practicality – how many times a day would people be prepared to have their eyes scanned just to get money from the bank or use their credit card? Companies involved in this area admit that iris photography is not yet proven on the scale that is required to support the whole UK population.*

The proposed identity card and biometric passport will have 2 to 3 biometrics. Under proposed EU regulations, the biometric passport will use face and finger print recognition (the two most unreliable) and the identity card will use all three.

The Home Affairs Select Committee has mentioned that all three biometrics must be taken to reduce the error. Experts suggest this increases the failure rate. Additionally, the passport and card become impractical since you will need to provide facial, finger (all fingers), and eye scans (both eyes) under perfect conditions, every time you travel or use the card.

If your biometrics are not tested then the passport or card becomes a “Dumb card”.

are biometrics secure? Biometrics are not totally secure. Research in Germany*** showed that biometric scanners could be fooled by fairly simple methods:

Facial Image: to fool facial recognition you need a good image of the face such as a photograph. More sophisticated systems can be beaten with moving images. These can be obtained by someone filming you with a camcorder. They then replay this, perhaps on a laptop screen, back to the scanner and the system will grant access.

Finger Prints: When you provide a finger scan you leave an imprint on the scanner. This print can then be used shortly after you or ‘lifted’ and re-used later. Some finger scanners can be beaten by breathing over the print that you left behind. Scanners that require pressure and temperature can be fooled by dusting the print with powder, laying adhesive tape onto this, and then pressing with your own finger. You leave copies of your fingerprints on hundreds of items each day at home and at work; these can easily be ‘lifted’ using the powder and tape technique.

Eye Scans: eye scanners are harder to beat but are not fool proof. These can be beaten by using a good quality print of the eye with a hole in the centre where the pupil is. The image is placed in front of the scanner and your eye against the hole (some systems look for a reflection from the pupil).

All biometrics are at risk from thieves/hackers who can record the information when you submit it to the scanner. They then play back the recorded biometric (and PIN) to the scanner or systems verifying the user. As the link between the identity card, scanners, and Identity Register will use the internet, this kind of attack could become very common.

The biometric identification card are being promoted as the ultimate solution in security, yet their total dependency on biometrics makes them extremely vulnerable. The complexity of providing finger/eye scans whenever they are used and confirming this against the Identity Register (NIR) is impractical in daily life. The high degree of error involved in biometric recognition will result in people being denied access to services. The criteria for biometric testing will have to be relaxed to allow for a larger ‘degree of error’ in the biometrics or requiring just one biometric for authentication. At this point the biometric passport and identity card become redundant and they are of no more value than current forms of identification.