The human snowflake

Hidden cameras, blood testing and retinal scanning may be an everyday occurrence for Ethan Hunt or anyone working at Gattaca, but for those in the real world they can seem a little scary.

Even more common biometrics like fingerprint, facial or iris scanning could give one pause. However, with security at the front of most people’s minds, the public will have to get used to these measures, according to Ashley Kelly.

Kelly, vice-president of Toronto-based AcSys Corp. predicted that biometrics will become a standard in day-to-day life. “We won’t think about it. We can go to a bank machine, it will recognize us and we can talk to the machine and do our daily banking business.”

He added that the ease of acceptance a biometric will have probably has a lot to do with the way it is presented to the public.

“How does the general public feel about using biometrics? Maybe not well, but if you say it will cut down on fraud and cost and protect identities, then the response may be better,” Kelly said. “West Virginia did a voluntary program for fingerprinting on drivers’ licences. They had an 80 per cent acceptance.”

Colin Soutar, chief technology officer at Bioscrypt in Mississauga, Ont., said people are more sophisticated in their thinking about security and their understanding of the need.

“There’s a much clearer picture of how technology such as biometrics can be used to protect information and access. We find that people are more receptive to the idea of protecting information – say information that may belong to a passenger at an airport. Six months or a year ago all that information was based on a card going through a machine.

“People are now much more understanding about the need to associate an individual with that card, rather than just the card. As a result of (Sept. 11) I think there is a broader understanding of security and biometrics specifically.”

He added that people have better knowledge of the terminology than they did in the past.

Judith Markowitz, president of Evanston, Ill.-based J. Markowitz Consulting, said that one of the key fears of biometrics is how and where the information will be used. “A lot of stuff is going on and the public doesn’t know who to trust. This is extremely powerful technology.”

A lot of people are used to the technology already, Markowitz said. “I don’t think it’s much of an issue as far as people getting used to biometrics. Retinal scanning gets people nervous. Iris scanning is less so, but people wonder if it’s going into their eye. It creates personal fear.

“Voice (recognition) is not invasive, hand geometry is not too bad, it’s less scary – not like having a light in your eye. Depending on what it is people are implementing and how they are implementing it, I don’t think people will have much trouble getting used to it.”

She said that the public is becoming more aware of biometrics and security.

But Soutar doesn’t think people’s heightened awareness of security has overcome insecurities they may have.

“But it allows them to distinguish between the different types of applications for biometric devices,” he said.

Joey Roa, an independent security analyst based in Calgary, said the corporate world is definitely ready to accept biometrics, and predicted the majority of the public is willing to accept them.

“My impression is that if people don’t understand the technology, they aren’t hesitant about the limitations – privacy or anything like that. They may not be keen to do it, but they won’t understand some of the privacy implications – the ethical issues some other people are aware of,” Roa said.

Hardware device manufacturers are going to make it more cost effective in terms of buying fingerprint scanners and that will allow people to start playing with them, according to Roa. He added that as the devices become more mature in the technology life cycle, they will become more usable and more reliable. He said they will eventually become pervasive, but that “biometrics are not ready for en masse usage.”

Who’s next?

Biometric systems convert data derived from behavioural or physiological characteristics into templates, which are used for subsequent matching. This is a multi-staged

process involving enrolment – the process whereby a user’s initial biometric sample is collected, assessed, processed, and stored for ongoing use in a biometric system – or submission – the process whereby a user provides behavioural or physiological data in the form of biometric samples to a biometric system. A submission may involve looking in the direction of a camera or placing a finger on

a device.

There are a great number of biometrics that exist including primary disciplines such as finger, facial, voice, iris, retina, hand, signature and keystroke scanning – and palm scanning – which is for forensic use only. The disciplines with reduced commercial viability or in exploratory stages include DNA, ear shape, odour, vein scanning, finger geometry, nailbed identification (which studies the ridges in fingernails) or gait recognition (which looks at one’s manner of walking), according to the International Biometrics Group LLC (IBC).

The most popular biometric is fingerprinting, with voice recognition, facial scanning, hand scanning and iris

scanning following, according to the IBC Market Report 2001-2005.

“Those ones are the ones that are commercialized,” Markowitz said, adding that determining which biometrics technology is best depends on the application it is needed for.

Soutar said fingerprinting once suffered a stigma because of its ties to forensic or FBI investigations. “The distinction has now been made and people can see the use of fingerprinting to identify an individual.”

Bernie Ashe, president of Ottawa-based AiT technologies, agreed that because of its ties to law enforcement, biometrics in the past was seen in a negative light.

“Now people are embracing the idea that the technology is doing something to improve processing of people. We do believe that biometrics have to be given with full consent. You should not have things hidden or take information without permission.”

People have to actively participate in fingerprinting, Soutar added. “With iris scanning there is some level of cooperation involved, although the potential is there to have the camera in the background, that is monitoring someone – which is the case with facial recognition.”

Roa noted that thumb printing has gained acceptance, and said he doubts retinal scanning would ever be a commonplace technology. A retinal scan involves the user looking into a small opening on a desktop, or wall-mounted device. The user holds his or her head very still while looking at a small light located within the device, often for 10 to 12 seconds. During an iris scan, users would place themselves near the acquisition device – a peripheral or stand-alone camera – and centre their eye on the device until they see their eye reflected. The user will be between two and 18 inches from the device and the verification is almost immediate.

Roa predicted keystroke dynamic technology would pick up and build momentum.

Keystroke dynamics, a very new technology to the biometrics arena, analyzes the characteristics of one’s typing. Users enrol by typing the same work a number of times. Verification is based on the concept that the rhythm with which one types is distinctive.

AcSys’s Kelly said each technology has to be looked at on its own because there are certain applications to which those particular technologies lend themselves.

“When you talk about something that is easy and unobtrusive for the general public and general users to be part of, facial scanning makes sense. With iris (scanning) you have to get pretty close. With fingerprinting you have to go to the device and put your finger on it,” he said.

AiT’s Ashe agrees that fingerprinting is the “biometric du jour.” Iris recognition is probably the strongest biometric for accuracy, with fingerprinting close behind, he said.

“Just time and use will help people get beyond the invasiveness of some of the biometrics. Iris (scanning) is going to have a hard time because of this, unless we are talking about extremely high-level security. Then, through education you can get people to become used to it,” he said.

Roa said it all depends on how people define invasiveness. “If you take a retinal scan and compare it to other types – a finger scan, a hand scan, a facial scan – really what’s the difference? You’re taking a part of your body and you’re giving it up as a recognition mechanism.”

One can judge how secure biometrics can make a system or area by the technology and the underlying algorithms and the quality of the sensors being used, said Paul Zatychec.

Who are you?

Zatychec, director of IT security services for Electronic Warfare Associates – Canada Ltd. (EWA), said privacy concerns are paramount when it comes to using biometrics.

“By definition, biometric information is tied to an individual,” he said. “One of the strengths of biometrics is that it creates a very strong binding between an individual human user and some action that they take using the device – that action could be identifying themselves or authenticating themselves to the system.”

What’s important about using biometrics and integrating them into a system, is the protection of digital representation of the biometric information, Zatychec said, adding that protection of that template is analogous to protecting encryption keys, in terms of importance.

“The reason it’s important is that if you look at the problem of identity theft – if someone steals your password, you can create a new one, create a new, secure environment for yourself. If someone steals your biometric information and substitutes theirs for yours, they have now assumed your identity.

“[People] can mask themselves as you and you can’t

do anything about it. You can’t reset your physiological characteristics.”

However the IBC counters this, stating on its Web site that it really depends on how well-designed the biometric system is.

If a criminal steals or guesses your password, it is very easy to have it changed. There is a fear, however, that if a criminal gets a hold of a biometric template, the damage is irreparable – there is no way to change that part of your body, the site states. If a system allows a template to be inserted into the verification process without ensuring that this template came from an actual placement, a compromised template can pose a problem.

A well-designed system will, however, ensure that the information it is analyzing is not a recording, but a new sample.

The site also notes that every biometric system – given the right amount of time, money and attempts – could be defeated: “Employing biometrics raises the bar for potential thieves, frauds, impostors…to the point where the costs of defeating the systems may not justify the rewards.”

AiT’s Ashe said one other problem with biometrics is there is a perceived lack of trust that people have about whether the information, once collected, will be dealt with correctly.

Markowitz seconded that, adding that the Canadian Privacy Act will help allay that fear. “With that regulation in place, you have to follow certain steps in what you do with any piece of information and biometrics could be part of that.

“It’s difficult for a person to know what is going to happen with that information.”

Soutar noted that the EWA has a vetting system, which Bioscrypt used for one of its products, that evaluates biometrics as security devices and addresses issues of fraud.

“The whole area of vulnerabilities in biometrics has been addressed in a much more significant degree in the past couple of years,” he said.