Archive for the 'Biometrics' Category

What value convenience in exchange for your Iris scan?

Returning to Heathrow the other day after the Net-ID conference a small group of us spilled in to the imigration hall at that ridiculous high-speed walk you only see in airports. I went as the first person in the queue to see an immigration officer with my passport and at exactly that moment, another guy entered the glass cubicle with the Iris scanning equipment. My passport was taken off me, checked and handed back in about 5 seconds. The guy in the Iris scanner took about 10 seconds. As he came through, I jovially said to him “I beat you” to which he replied “only just”…

So I thought about this. You can register your Iris, which of course means a certain loss of privacy. Once that data has been revealed past first-discolsure, the only way to think of it is that it is permanently recorded and it will, over time, be used for more and more purposes. It may end up on the police and security services databases. Although policies and procedures currently stop this from happening, do I really trust they they’ll stay cast in stone *FOREVER* (that’s an important aspect to consider when you give up key data about yourself)? Not on your nelly. That data is going to gradually find its way all over government, and stands a pretty good chance of leeching out in to the commercial sector and if that happens then clearly organised crime aslo has a possible road to it in the future.

Then I thought about the convenience. For me it couldn’t have ben simpler. For him he had to operate the iris-scan machine etc. Of course, if I’d been sat at the back of the plane, by the time I entered the immigration hall the passport queue would have ben longer and I suspect the iris queue much smaller. So I give up my privacy to get more choices at the airport. But let’s wind this story forward 5 years. By then the convenience of this method will mean many more people will have opted for it. And I get this sneaking suspicion the queues will be the same length. And as it clearly takes about the same time for an immigration official to check your passport as it does for a machine to scan your iris, the rate at which each queue will be serviced will be similar. So the only advantage I get is when I’m, let’s say maybe 20 or 30 people deep in the queue, and the iris-scan option is still not widely used. As soon as the queues are equal in length, I get no advantage from either system.

I don’t think I’ll be giving up the unique (apparently) details of my Iris to the immigration service. I think I can live with a few queus until it all evens itself out in the future. Think about online check-in and so-called “Fast Bag Drop”. When it first came out wasn’t it great? Print your boarding pass at home and go straight to the head of the queue at the fast-bag-drop point. But what’s it like now? Sometimes the fast-bag-drop has a longer queue than the standard check-in desks and there are staff shepherding folks out of the fast bag-drop in to the standard check-in desks. If you happen to be in business class you can still use the business check in desks for fast bag drop anyway – so the only advantage then becomes seat selection. Some of the cheaper economy seats don’t even give you the option of choosing your seat anyway. So these amazing conveniences gradually lose their convenience as more people take advantage of them and they start to become the norm. Online check-in doesn’t make us reveal personally identifying information (PII) about ourselves, but over time the advantages of it have ben eroded. In my book, the cost of the temporary airport convenience of iris-scan immigration is not worth the invasion of my privacy. If I give up my iris, I have no idea what laws and legislation will apply to it in the future.


Biometric morphing of passport data

Having just applied for a replacement passport, I was surprised at how easy it was. The binding between my old passport and the application being a couple of identical passport photos. Clearly somebody in the IPS office looks at the photos I slipped in the application, looksat the photo on my old passport and if it’s me – hey presto I get a new passport, no questions asked.

But I obviously didn’t look identical. I’m 10 years older for a start. This got me thinking. If I had maybe 2 years, I could fox the passport service in to giving a legitimate passport to somebody. Here’s my scam.

I meet my client. I take a photograph of him and one of me. I then use morphing software to come up with say 6 intermediate images. I apply for 48 page passports because I do a lot of travel

It is therefore not unusual for the IPS toget maybe 6 passport applications in 2 years. I fake the stamps in the passport so the pages are full for each application. In the first application I use the first morphed photograph. It’s a close enough match to my existing passport photo for them to issue a new one with no suspicions. I then do the same thing with all the intermediatemorphed photos, until the last passport application, 2 years later  I send the photograph of my client.

My client ends up being biometircally bound to my data. I feel this might be possible with any biometric data and the necessary morphing software in the situation that the applicant themselves are the collector of the data. THis would surely easily work with fingerprints, Iris scans etc, which are all merely images.

There are enough criminalcases in which fingerprint data is successfully challenged, because all that is loked for is points of similarity. The more points of similarity the higher the confidence that the prints found at the scene of crime are those of the suspect. Morphing software could easily circumvent this by maintaining enough points of similarity at each intermediate stage, but still making other changes.