Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

Letters

My piece on biometrics and compulsory ID earlier this month produced a substantial mailbag, most of it - even the couple of rude ones - constructive. Several of you provided links to useful research in the area, and the follow-up piece drawing attention to doubts about the infallibility of fingerprinting produced some more. As this will be a key factor in the mass rollout of biometric ID systems, it makes sense to start here.

First, a confession. I'm largely happy with the original piece, but I feel that I regrettably fell in with the general assumption that fingerprints are infallible, unique ID. The truth is that this may or may not be the case, but that is not necessarily relevant to the operation of a mass ID card system. So here, we should determine what we're talking about.

As the New Scientist piece cited in the second article pointed out, there is no unchallenged data supporting the claim that fingerprints are unique. The DoJ-sponsored study concludes that the probability of a match is so low as to make them effectively unique, but the methodology of this study is now being questioned. Contrariwise, no two people have ever been found to have the same fingerprints, and it does seem kind of plausible that even similar fingerprints must be different in some way. On the third hand (which would be convenient in the case of an unfortunate match of the other ten fingers), it also seems plausible that two sets of prints could be sufficiently similar for it to be difficult, perhaps impossible, for us to be able to spot the differences. Which takes us to what we should be talking about.

The UK's National Physical Laboratory has published a quantity of biometric research here, one of the most useful pieces for our purposes being the identity card feasibility study, conducted for the Home Office. This research was actually intended to produce recommendations regarding the introduction of an entitlement card, so makes assumptions about initial throughput that will be significantly lower than in the case of a full-scale ID card, but it's nevertheless valuable because it examines implementation and the associated challenges in some detail, and because it does anticipate the database growing to 50 million.

As regards uniqueness/infallibility, the study makes it clear that the level of this is something you set for yourself, balancing the level of failed matches, i.e. failure to identify someone you should identify, against the level of false matches, i.e. perfectly innocent people being interrogated until the authorities are convinced that they're not the person the machine has matched them up as.

So you can set the sensitivity at a level where you have a very high likelihood of making matches, but the price of this is such a high level of false matches that you bring the system to its knees and the security services into widespread disrepute. In reality, the study suggests a 1 in 1,000 false alarm rate, with a 5-10 per cent false non-match rate, as a reasonable compromise. Having only a 1 in 10 or 1 in 20 chance of slipping through is probably enough to deter most thinking terrorists and social services fraudsters, although a 1 in 1,000 false alarm rate could still produce hefty logistical problems, depending on how frequent routine ID checks became. 1 in 1,000 is one every two to three Jumbos.
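The threshold trade-off described above, as an added example that is not part of the original article or the NPL study: it sweeps a match threshold over constructed similarity scores and reports the false non-match rate that results from each false match target. The Gaussian score distributions, their parameters and all function names are assumptions made for illustration.

```python
import random

def make_scores(seed=1, n_genuine=2000, n_impostor=200_000):
    """Constructed similarity scores for illustration; not measured data."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.76, 0.10) for _ in range(n_genuine)]    # same finger
    impostor = [rng.gauss(0.30, 0.10) for _ in range(n_impostor)]  # different people
    return genuine, impostor

def error_rates(threshold, genuine, impostor):
    """(false match rate, false non-match rate) when a match means score > threshold."""
    fmr = sum(s > threshold for s in impostor) / len(impostor)
    fnmr = sum(s <= threshold for s in genuine) / len(genuine)
    return fmr, fnmr

def threshold_for_fmr(impostor, target_fmr):
    """Lowest observed threshold whose false match rate stays at or below target_fmr."""
    ranked = sorted(impostor, reverse=True)
    allowed = min(int(target_fmr * len(ranked)), len(ranked) - 1)
    # Only scores strictly above ranked[allowed] pass, so at most `allowed` impostors match.
    return ranked[allowed]

def expected_false_alarms(checks, fmr):
    """Innocent people flagged when `checks` non-matching people are screened."""
    return checks * fmr

def sweep(targets=(0.01, 0.001, 0.0001)):
    """Operating points: tightening the false match target raises the non-match rate."""
    genuine, impostor = make_scores()
    rows = []
    for target in targets:
        t = threshold_for_fmr(impostor, target)
        fmr, fnmr = error_rates(t, genuine, impostor)
        rows.append((target, t, fmr, fnmr))
    return rows

if __name__ == "__main__":
    for target, t, fmr, fnmr in sweep():
        print(f"target FMR {target:g}: threshold {t:.3f}, FMR {fmr:.5f}, FNMR {fnmr:.3f}")
    print("false alarms per 1,000,000 checks at 1 in 1,000:",
          expected_false_alarms(1_000_000, 0.001))
```
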

But it's clear that using current technology in mass machine-read systems, arguments about the uniqueness of fingerprints are academic. They will not of themselves be unique identification, because of the parameters we will have to set. Uniqueness is however very important in another area, so we'll move straight over to the first of our critics, Andrew Rutherford of the Australian police:

Your article doesn't make any sense. It appears from the article that you don't know very much about Fingerprints, and as such, you probably shouldn't be writing articles on the subject until your understanding of its fundamentals improves.

I assume that the fingerprint comparisons, involving the 50000 images used in the study that you mention in your article, and the subsequent results were from computer comparisons. If this is the case, then you must realise that computer systems used throughout the world for fingerprint comparisons are only a tool used by fingerprint experts. If a fingerprint search is conducted using a fingerprint computer system, the computer will produce a candidate list of images from its database that it finds most like the search print. The fingerprint expert conducts comparisons of the images from the candidate list and they decide if the fingerprints are identical or not. If the search print is identified, then in the majority of cases it will be the first candidate on the list, however sometimes this is not the case and the identified print may be well down the candidate list. In some cases the computer may not find the print on its database even though it is there. This is why computers are only used as tools to assist in a computer search and why fingerprint experts make fingerprint identifications and not computers.

Mistakes are made and many are well known throughout the world, but the mistake is always a human error, and never has the cause of a wrong fingerprint identification been the breakdown of the fundamental principles of fingerprint identification.

If people, like you who write these articles, want to attack the infallibility of fingerprints, then you should only question the competency of the fingerprint expert. Many people who claim to be fingerprint experts have limited training and/or experience (especially in the US).

Regards Andrew Rutherford

I'll leave Andrew's manners to his mother, and I don't entirely recall writing quite the article he seems to have been reading. But as he points out, fingerprint identification as used in the legal process deploys machine reading as a guide for fingerprint experts. These experts will clearly not be present or feasible for general ID systems, but what he has to say about their fallibility is worth noting as a corrective to the general impression of fingerprint evidence as absolutely conclusive. Yes, it might be in theory, but in practice the system's dependence on human experts means that it's not. This fact obviously does matter to those people who are in prison on the basis of an expert witness' mistake, and surely deserves to be more widely publicised.
