TOUCHING BIG
BROTHER
How biometric technology will fuse flesh and machine
Simon G. Davies
Department of Law
University Of Essex
United Kingdom
Simon@privint.demon.co.uk
"Information Technology & People",
Vol 7, No. 4 1994
Abstract
The evolution of information technology is likely to result in intimate
interdependence between humans and technology. This fusion has been
characterized in popular science fiction as chip implantation. It is, however,
more likely to take the form of biometric identification using such
technologies as fingerprints, hand geometry and retina scanning.
Some applications of biometric identification technology are now
cost-effective, reliable, and highly accurate. As a result, biometric systems
are being developed in many countries for such purposes as social security
entitlement, payments, immigration control and election management. Whether or
not biometry delivers on its promise of high-quality identification, it will
imperil individual autonomy. Widespread application of the technologies would
conflict with contemporary values, and result in a class of outcasts.
INTRODUCTION
The accurate identification of individuals is a key concern for many government
agencies and corporations. It is important to them because it contributes
significantly to administrative efficiency and the control of fraud, and can
offer benefits to clients as well. A key focus of information systems security
in recent years has been the intensification of efforts to establish accurate
identity.
The application of identification systems involves conflict between two
conditions. On the one hand, flawed identity checking results in unnecessary
duplication, fraud, and client disruption, with resultant costs and risks; and
on the other, a rigorous identification procedure is invasive, and its
effectiveness may be undermined by unpopularity and resultant falsification and
evasion.
Three conventional forms of identification are in use today. The first is
something you have, such as a card. The second form is something you know,
such as a password or PIN. The third is something you are, such as a pattern
of ridges on a fingertip; or something you do, such as writing or speaking.
This third form of identification is known as 'biometrics'.
Schemes based on the items and knowledge which people possess have many
weaknesses. For example, fake 'blanks' of even the highest integrity cards are
generally available in East Asian countries within weeks of the first cards
being issued (Davies 1992a, p.42). The general availability of sophisticated
manufacturing equipment has placed the ability to forge such documents into the
hands of a much wider group of criminals than was previously the case (Carroll
1991, pp. 10-13).
A high-integrity biometric system appears, from the perspective of information
users, to be an ideal solution to such problems. The development and
application of technical standards has meant that communications among the
information systems of different organisations is increasingly simple. The
application of a biometrically-based identifier for each individual would be a
natural further step.
Yet, from the perspective of individuals, any move towards a biometric
identifier carries enormous risk. Many systems do not live up to expectations
because they prove unable to cope with the enormous variations among large
populations, or fail to take into account the practicalities of human
behaviour, and the needs of people. Individual autonomy and freedoms may be
compromised by the need for a high level of compliance with the scheme. In
many western nations, the stigma of criminality is associated with
fingerprinting, and, by association, with other biometric techniques. If a
scheme is applied across multiple organisations, behaviour in relation to one
organisation might lead to a domino effect of 'cross-enforcement' activities,
involving suspension of entitlements or benefits by other organisations.
Individuals who cannot, or will not, use the prescribed system may become
outcasts on the edge of society.
The purpose of this paper is to present an overview of biometric systems, and
discuss the justifications for its implementation and the dangers inherent in
them. Because biometric technologies, their application, and their working
environment are all in their infancy, the research on which this paper is based
has relied heavily on case studies, literature search, primarily in the popular
and trade press, and interviews with leading figures in the field. Where
applicable, studies and working documents have been incorporated.
BIOMETRIC TECHNOLOGIES
Biometrics has been applied in a variety of ways since at least the time of the
Pharaohs, who used height measurement. Automated biometric technology was
first applied in controlling access to premises and to computer networks.
Modern biometric schemes generally rely on sophisticated computer scanning
technology, of such aspects of the body and its behaviour as the micro-visual
pattern on the retina, the geometry of the hand or a finger, the patterns on
the surface of the skin of the thumb or fingers, the aural pattern of the
voice, the pattern of handwriting or signatures, and facial appearance. In
each case, an artifact analyses a sample presented to it, and compares the
measurement with a verified sample digitally stored in the system.
In recent years, biometric technology has attained a very high degree of
sophistication, and accuracy has been achieved at a level which far surpasses
all other forms of identification. The Iriscan system, for example, conducts a
scan of the eye, and, according to claims made by the manufacturer, is
generally accurate to 1015 on the first scan, and 1022 on
the second (BTT 1993a). Iris recognition does, however, suffer from the
shortcoming that many people feel very sensitive and protective of their eyes,
and find such technology disquieting. To address at least some of this
concern, research is currently underway to scan the eye at a range of up to
three meters.
Currently the most popular form of biometry is fingerprinting. National
computerised fingerprint systems exist in several countries, the first national
system having been established in Australia in 1987. The Japanese
telecommunications giant NTT recently announced the development of a
fingerprint recognition method that it claims provides further improvements in
speed and accuracy. Recognition of a fingerprint takes place in an average of
2 seconds on a personal computer or 1 second on a workstation, with accuracy
claimed to be above 99.9%. Among its diverse potential applications, it could
be used to confirm that the bearer of an identification card is the person to
whom it was issued (TA 1993). Meanwhile, the Biometric Technologies Company of
the U.S.A. is developing a fingerprinting system using neural networks.
Laboratory tests commissioned by the manufacturer are reported to show an
accuracy of 0.0001% and a probability of wrongly rejecting a genuine client of
0.1%. Known as Printscan 3, the device is intended for release in the early
part of 1995 at a cost of $US600 per unit (BTT 1993b).
Hand geometry, involving a scan of the shape and characteristics of the entire
hand, has been applied in a variety of situations in over 4,000 locations
including the Colombian legislature, the San Francisco International Airport, a
day care centre at Lotus Corporation in the U.S.A. and a Los Angeles sperm bank
(Miller 1994, p.25).
Evaluation of biometric technologies will be essential to their acceptance, but
to date only limited independent testing has been undertaken. In 1991, the
U.S. Department of Energy's Sandia National Laboratories released the results
of its second round of tests. The significance of these results remains open
to question, however, since they assessed equipment from only six U.S. vendors:
Indentix's Touchlock fingerprint system, Recognition Systems' ID-3D-U hand
geometry system, Eyedentify's Model 8.5 retinal scan system, Autosig's Sign/On
signature dynamics system, and Alpha Micro's Ver-a-tel and International
Electronics' VoiceKey voice verification systems (Sherman R.L. 1993).
The tests showed that dynamic signature verification was by far the cheapest of
the evaluated products, although it rejected a high proportion of properly
enrolled individuals. Hand geometry had a very low rate of false rejections,
especially if more than one attempt was made, and was very much better than
signature dynamics in this respect; however it cost more than twice as much.
CASE STUDIES
In order to provide some depth of understanding of the nature of
biometrics-based identification, this paper documents several schemes. The
first is a single-purpose scheme in pilot operation, and the second a
multi-purpose system currently under development. Several other applications
are identified.
National Border Crossings
In 1993, the U.S. immigration authorities opened a new lane at New York's John
F. Kennedy airport. It differs from traditional immigration procedures in that
it uses biometric technology called FAST (Future Automated Screening for
Travellers) to automatically identify and process passengers in as little as
twenty seconds.
The project is called INSPASS (Immigration and Naturalisation Service Passenger
Accelerated Service System). Applicants for registration are interviewed, and
their identity confirmed. They place the palm of a hand onto the surface of a
scanner, which records measurements of the hand's contours. These are
converted into a 'template' and stored on a card. This is currently a paper
card, but is soon to be a 'smart card'. In case the hand geometry system
proves to be inadequate, fingerprints are also taken and recorded.
When INSPASS members arrive at the two test airports (John F. Kennedy and
Newark), they bypass the main immigration queues, and enter a kiosk. The card
is presented to the terminal. The hand is placed onto a scanner, which matches
the biometry of the hand with the template encoded into the card. Immigration
databases are consulted. Once the last of five green lights appear at the tips
of the fingers, the glass exit door opens, and the passenger continues to the
baggage claim and customs zone.
INSPASS is currently operating as a voluntary system for frequent travellers to
and from the U.S.A., who are U.S. or Canadian nationals, or nationals of
countries involved in the U.S. visa waiver scheme. More than thirty thousand
people have so far enrolled, and by mid-1994 this was increasing by one
thousand per week. Governments in 26 countries are monitoring and cooperating
with the project (BTT 1993b, Davies 1994b).
If the INSPASS trial is successful, the technology may render conventional
identification card and passport systems redundant. As a trade-off for faster
immigration processing, passengers are accepting a system which has the
potential to generate an increased amount of international traffic in their
personal data. INS officials appear confident that a multi-purpose scheme can
be established, using common international standards and a smart-card system
that can cope with either a hand geometry or a fingerprint scan. Immigration
control could be linked to a wide spectrum of information, such as police and
taxation systems.
The system has been approved by a preliminary feasibility audit, and looks
increasingly like being implemented in several countries. The trial may be the
forerunner of a linked biometric system that involves many nations.
Social Welfare
In the Canadian province of Ontario, there is considerable public concern about
the existence of nearly twelve million identities in the health system of a
province with a population of ten million. It is perceived that many U.S.
citizens are using Canadian health care facilities without entitlement. To
address the problem, the provincial government is developing a proposal for a
government-wide biometric scheme variously called the Ontario Client Positive
Identifier Proposal or Service Card Ontario. It is being championed by the
Community Services Department of Metro Toronto, an agency which disseminates
around $Can2 billion ($US1.4 billion) per annum in welfare services.
A committee representing the majority of Ontario Departments is currently
discussing mutual identification and administration problems, and the potential
for creating a universal strategy for dealing with these issues (Davies 1994a).
Officials are hopeful that a register of thumb scans can be established by 1996
as the basis for a 'once-and-for-all' identity. Scanners would be located at
many locations in all Ontario Government agencies, and connected to a
thumb-scan registry and to the computers of relevant agencies. Discussions are
underway with Federal agencies with regard to integration with immigration
systems.
The Request For Information (TMS 1993) envisaged that the system would
involve:
- digitised photographs and hand geometry stored in a central database;
- a plastic identity card, possibly with a magnetic strip, containing facial
image, client signature, client date of birth, a variety of security features,
and possibly a fingerprint;
- authorised users at multiple sites using data scanned from a person's hand to
search the databank for matches; and
- interfaces with existing information systems.
Five of thirteen companies providing submissions were shortlisted. The
principal difficulty for suppliers appeared to be the capability to interface
with existing technologies. A Request For Proposal was subsequently issued
(TMS 1994). The total cost for hardware, software, maintenance, training and
peripherals was indicated to be in the range of $Can3-4 million. According to
project staff, this expenditure would be recovered from administrative and
payments savings. The project team recognises that there are significant
administrative barriers, but hopes to overcome them.
The Department has announced that it intends pursuing a policy of 'openness and
honesty' in the development of the system, and will appoint an external adviser
to monitor its performance and impact. The Privacy Commissioner for Ontario,
however, has had minimal involvement to date, and has expressed grave
reservations about it. Issues of identification are still divisive in Canada
(Phillips 1994), and the pursuit of the project may require considerable
political will.
Emergent Applications
Reports in the trade press suggest that biometric systems are being developed
for a wide spectrum of purposes. Major retail and banking organisations in
Australia, Europe and North America are adopting biometric systems for internal
security. Blue Cross and Blue Shield in the U.S.A. have plans to introduce
nationwide fingerprinting for hospital patients. This may be extended into
other medical applications. The Jamaican Government is planning to introduce
electronic thumb scanning to control elections. Social Security verification
using biometrics is being planned in several countries including Spain and
South Africa (BTT 1994a, 1994b).
In 1994, the U.K. Department of Social Security (DSS) developed a proposal to
introduce a national identification card, which it is hoped will assist in
reducing the estimated [[sterling]]1 billion of welfare fraud annually. The
DSS recommended a computerised database of hand-prints of all of the 30 million
people receiving a government benefit. Applicants for a benefit or subsidy
would have their hand-prints tested against existing entries (Sherman J. 1993)
. The proposal is expected to be one of the options contained in a Green Paper
on an identification card, to be released in the Spring of 1995.
In Europe, tests are being undertaken of the feasibility of storing
card-holders' fingerprints on their credit cards, so that a device at the point
of purchase can compare the card-borne data with the bearer's fingerprint. In
Australia, the technology is being applied to staff who access automated teller
machines. Government officials in The Netherlands say that biometrics has a
"real chance" of being accepted as a form of identification. According to the
Chip Card Platform, which is coordinating the project, there has been a
political 'change of wind' in recent years, and an understanding amongst the
public of the role of information technology. Officials acknowledge that this
change of attitude has taken them by surprise (Davies 1994a).
THE ACHIEVABILITY OF BIOMETRICS' POTENTIAL BENEFITS
The potential benefits of an integrated biometrics-based identification system
include improvements in:
- the cost of administration;
- the integrity of identification;
- the integrity of information;
- access to information held by organisations;
- the speed of delivery of services and benefits;
- the accuracy and quality of research and statistics; and
- the level of technical security of communications.
In many countries, information technology is being successfully applied to
particular business and administrative functions within particular
organisations. The majority of these success stories have in common a
manageable size, a limited geographic spread, a single purpose, and modest and
easily defined goals. Where biometric technologies are applied to specific
purposes, some confidence may be felt in the system's ability to deliver the
intended benefits.
On the other hand, many failures and disappointments continue to occur, even
among seemingly straightforward projects. A report commissioned by the U.S.
Department of Health and Human Services noted that a vast gulf exists between
the promise and the reality of savings from computer systems (HHS 1993). A
study by the Congressional Office of Technology Assessment found that
computer-based information systems, once implemented, often result in
"unforeseen costs, unfulfilled promises, and disillusionment" (OTA 1993).
Large-scale government schemes have been shown in several countries to be much
less cost-effective than was originally estimated. Years after the governments
of the United States and Australia developed schemes to match public sector
data, there is still no clear evidence that the strategy has succeeded in
achieving its goals. The audit agencies of both federal governments have cast
doubt that computer matching schemes deliver savings. Achieving the potential
benefits of large-scale applications of information technology is difficult,
and the outcomes are erratic, unpredictable, and commonly considerably less
than expected.
Complex systems embody greater levels of risk of failure, and resultant
vulnerability of organisations and individuals dependent on them. An example
of this was the shutdown of more than half of AT&T's network due to a
computer virus in the network switching system (Davies 1990). The greater the
complexity of a system, the more permutations of failure appear to be created.
The case for multi-faceted integration of complex personal information systems,
whether or not based on biometrics, must be viewed with some skepticism.
THE DANGERS OF BIOMETRIC IDENTIFICATION
The pursuit of high-quality identification involves significant technical,
organisational, social, legal and political issues. Many of the these are
concerns about computerisation in general, and the sharing of data among
organisations in particular. For a review of the dangers of data surveillance
to individuals and society, see Clarke (1988).
Biometric identification relies on technology that is far from proven, and
major organisational adjustments are needed to cope with it. There are many
practical problems involved in complex and largely automated schemes, and in
coping with exceptions, system outages and claims of database error. The
imposition of intrusive identification procedures changes the nature of
relationships and transactions between clients and organisations. There is at
least a perceived, and probably a real, increase in the power of organisations
over individuals. Biometrics, much more so than other identification schemes,
may imperil the sense of individuality.
Systems that entail a central registry of personal identities raise much more
substantial issues. The adequacy of data protection laws in dealing with these
issues to the satisfaction of the public is in doubt. A biometric print may,
for example, be considered to be in the public domain. Alternatively, people
may find that they are required to provide a biometric print in many unforeseen
or unintended future circumstances.
The history of identification systems throughout the world provides evidence of
'function creep' - application to additional purposes not announced, or perhaps
even intended, at the commencement of the scheme. Uses of the Social Security
Number in the U.S.A, the Social Insurance Number in Canada, the Tax File Number
in Australia, the SOFI number in The Netherlands, and the Austrian Social
Security Number have been extended progressively to include taxation,
unemployment support, pensioner benefits, and in some cases health and higher
education. The existence of a relatively high-integrity scheme would create
irresistible temptations to apply it widely, and inter-relate many hitherto
separate collections of personal information (Holvast 1991, Clarke 1992, Davies
1992a).
Privacy protection involves resistance to the establishment or consolidation of
monolithic information systems. Informational chaos and functional separation
amongst agencies have ensured that the individual has not become a servant to
the state. Variety, choice, and chaos have also had the effect of insuring the
free movement, rights, and free choice of individuals against errors in the
system.
Several countries, including Australia, Canada, the United States and New
Zealand, have witnessed public disquiet over identification schemes. Abstract
fears that have been cited include :
- that people will be de-humanised by being reduced to codes;
- that the system will enhance the power over individuals of particular
organisations and the State;
- that high-integrity identification embodies an inversion of the appropriate
relationship between the citizen and the State;
- that the system is a hostile symbol of authority;
- that society is becoming driven by technology-assisted bureaucracy, rather
than by elected government;
- that exemptions and exceptions will exist for powerful individuals and
organisations, and that the system will entrench fraud and criminality; and
- that such identification schemes are the mechanism foretold in religious
prophecy (e.g. 'the Mark of the Beast').
There is some evidence that the public may be moving away from traditional
notions of privacy, and cautiously accepting fraud control and administrative
mechanisms that would have been politically untenable in the 1970s and 1980s.
For example, both the Dutch and Australian public rejected national information
and identification schemes en masse several years ago, but have reacted
more passively to equally intrusive (though less blatant) schemes in the 1990s.
In Germany, where the introduction of an identity card caused major controversy
fifteen years ago, the public now appears to be more willing to accept a
national 'smart card' scheme for the health sector.
There may be many factors at work in the apparently greater public acceptance
of privacy-invasive schemes. Proposals are being brought forward in a more
careful and piecemeal fashion, which may be lulling the public into a false
sense of security. There is increasing popularity of computers and networks
for personal use. The use of personal information systems by Nazi Germany to
enable the identification and location of a target race are becoming a vague
memory.
It is an open question, however, as to whether public acceptance is real, or
only apparent. A change of attitude may merely await a catalyst.
Alternatively, an increasing proportion of people may ignore official processes
and organisations and opt instead for 'black markets' and 'black society'.
Many countries have substantial sub-cultures of outcasts, usually resulting
from poverty, racial differences or illegal immigration. To these may be added
a significant number of people who choose not to participate in a general
identification scheme.
CONCLUSIONS
Biometry is, in many senses, a natural extension of technological evolution.
Like the modern automobile, it signals an intimacy with the client. Whether
the public senses a danger in the establishment of such a fusion will depend on
its sensitivity to privacy and autonomy.
High-quality identification offers the promise of the avoidance of error and
fraud, and privacy advocates often have difficulty expressing their opposition
to it. Nevertheless, the use of biometrics needs to conform to the standards
and expectations of a privacy-minded society. Specific-purpose biometric
schemes raise serious issues which need to be addressed. General-purpose
schemes represent real threats to the fabric of contemporary society.
References
BTT 1993a Biometric Technology Today, London 1, 3 (June 1993)
BTT 1993b Biometric Technology Today, London 1, 7 (November 1993)
BTT 1994a Biometric Technology Today, London 1, 9 (February 1994)
BTT 1994b Biometric Technology Today, London 2, 3 (June 1994)
Carroll J.M. (1991) Confidential Information Sources, 2nd edition,
Butterworth-Heinemann, New York, 1991
Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5
(May 1988). Re-published in C. Dunlop and R. Kling (Eds.) 'Controversies in
Computing', Academic Press, 1991
Clarke R. (1992) 'The Resistible Rise of the Australian National Personal Data
System' Software Law Journal, 5,1, January 1992
Davies D. (1990) 'Anatomy of a disaster' Computer Law and Security Report
Jul-Aug 1990
Davies S. (1992a) 'Big Brother: Australia's growing web of surveillance',
Simon and Shuster, Sydney, 1992
Davies S. (1992b) 'Vulnerability reaching its elastic limit', in 'Managing
information technology's organisational impact' Eds. Clarke R. and Cameron J.,
Elsevier Science Publishers B.V. North Holland, Amsterdam, 1992
Davies S. (1994a) 'Too many bytes to swallow' Report to the British Medical
Association on Information Technology, London, 1994
Davies S. (1994b) 'Forget the passport, let's see your hand' The Independent,
August 15, 1994, London
HHS (1993) 'Toward a national health information infrastructure', Report to
the Secretary, US Department of Health and Human Services, Workgroup on
Computerisation of Patient Records, Washington DC, April 1993
Holvast J. (1991) 'Vulnerability of Information Society', in Managing
Information Technology's Organisational Impact, Eds. Elsevier Science
Publishers B.V. North Holland, Amsterdam, 1991
Miller B. (1994) 'Vital Signs of identity' IEEE Spectrum, Institute of
Electrical and Electronic Engineers, New York, February 1994
OTA (1993) 'Protecting Privacy in Computerised Medical Information' Office
of Technology Assessment, US Government Printing Office, Washington DC, 1993
Phillips B. (1994) Privacy Commissioner of Canada, Annual Report, 1994
Sherman, J. 'Lilley considers using palm prints to vet pensioners', The Times,
London, October 26, 1993
Sherman, R.L. (1993) Journal of Electronic Defense, January, 1993 Biometrics
futures; EW Design Engineers' Handbook & Manufacturers Directory
TA (1993) 'NTT Develops Rapid, Highly Accurate Fingerprint Recognition
Technique' New Era Japan, Telecommunications Association, August 15, 1993
TMS (1993) 'Request for information' Toronto Metro Services, Community
Services Department, 1993
TMS (1994) 'Request for Proposal' Toronto Metro Services, Community Services
Department, 1994
The Author
Simon Davies is Visiting Fellow in the Department of Law, University of Essex,
United Kingdom; Visiting Fellow in Information Law at the University of
Greenwich, London; Consultant Advisor to the British Medical Association; and
Director General of Privacy International, London, UK