Biometrics: Eyes, Fingers, Everything.

In a post-9/11 world, we want to link the biographic information we have available to us about risks associated with an individual to a verifiable biometric characteristic—that is, a physical characteristic that is impossible to change. As a basic building block of risk assessment, we think it is imperative that we can have confidence that people are who they say they are. In this lecture, you’ll discover what biometrics is, how it works, and what makes it useful. You’ll also consider how the technology might threaten civil liberties.
Biometrics
● Biometrics is among the oldest of new technologies. It began with fingerprints early in the 20th century and today includes more novel ideas, such as gait recognition, which is the ability to identify an individual by his or her physical gait, or movement—that is, by how he or she walks.
● Biometrics can be used in two ways: for verification or for identification. When a biometric device is used to verify whether a person is whom he or she claims to be, that verification is frequently referred to as “oneto-one” matching. Almost all systems can determine whether there is a match between the person’s presented biometric and biometric templates in a database in less than one second.
● Identification, by contrast, is known as “one-to-many” matching. In the one-to-many matching framework, a person’s biometric signature— whether an iris or a fingerprint—is compared with all of the biometric templates within a database.
● There are two types of identification systems for this framework: positive and negative. Positive systems expect there to be a match between the biometric presented and the template. These systems are designed to make sure that a person is in the database. Negative systems are set up to make sure that a person is not in the system. Negative identification can also take the form of a watch list, where a match triggers a notice to the appropriate authority for action.
● Neither system generates perfect matches (or exclusionary filters). Instead, each comparison generates a score of how close the presented biometric is to the stored template. The systems compare the score with a predefined number or with algorithms to determine whether the presented biometric and template are sufficiently close to be considered a match.
● Most biometric systems require an enrollment process, in which a sample biometric is captured, extracted, and encoded as a biometric template. This template is then stored in a database against which future comparisons will be made.
● When the biometric is used for verification (for example, access control), the biometric system confirms the validity of the claimed identity. When used for identification, the biometric technology compares a specific person’s biometric with all of the stored biometric records to see if there is a match. For biometric technology to be effective, the database must be accurate and reasonably comprehensive.
Forms of Biometrics
● While the process of enrollment, creation of a database, and comparison between the template and the sample is common to all biometrics, there are many different forms of biometrics. Four of the most common are fingerprints, iris recognition, facial recognition, and voice recognition. Two of the more speculative forms of biometrics are hand geometry and gait recognition. The champion of all forms of biometrics is DNA analysis.
● Fingerprint-recognition technology is probably the most widely used and well known biometric. Fingerprint recognition relies on features found in the impressions made by distinct ridges on the fingertips. Fingerprint images are scanned, enhanced, and then converted into templates. These templates are saved in a database for future comparisons using

optical, silicon, or ultrasound scanners. Using fingerprints has seemed to work as a way of protecting privacy without too much inconvenience.
● Iris-recognition technology relies on the distinctly colored ring that surrounds the pupil of the eye. Iris-recognition systems usually start with a small camera that takes a picture of the iris. The picture is then analyzed to identify the boundaries of the iris and create a coordinate grid over the image. Then, the distinctive characteristics found in each different zone are identified and stored in a database as the individual’s biometric template.
● Facial-recognition technology identifies individuals by analyzing certain features of the face. Typically, facial recognition compares a live person with a stored template, but it also has been used for comparison between photographs and templates. This technology works for verification and for identification. DeepFace, the facial-recognition technology developed by Facebook, is said to be 97 percent accurate, making it competitive with human-distinguishing capabilities.
● Voice-recognition technology identifies people based on vocal differences that are caused either by differences in their physical characteristics or from speaking habits. Such systems capture a sample of a person’s speech, which is then converted to a digital format, and distinctive characteristics (such as, pitch, cadence, and tone) are extracted to create a template for the speaker. Voice-recognition technology can be used for both identification and verification.
● A more speculative form of physical recognition is hand geometry: a measurement based on the human hand; the width, height, and length of the fingers; distances between joints; and the shape of knuckles. Using optical cameras and light-emitting diodes that have mirrors and reflectors, two orthogonal, two-dimensional images of the back and sides of the hand are taken. Based on these images, 96 measurements are calculated, and a template is created. Hand geometry is a mature technology primarily used for high-volume time-and-attendance and access control.
● Gait recognition is an emerging biometric technology that involves people being identified purely through the analysis of the way they walk. Scientists in Japan have developed a system measuring how the foot hits and leaves the ground during walking. They then use 3-D image processing and a technique called image extraction to analyze the heel strike, roll to forefoot, and push off by the toes. Some say the accuracy in recognition is up to 90 percent—with the caveat that if you know you are being watched, you can change your gait.
● DNA analysis is, perhaps, the most accurate biometric method of one-toone identity verification. Your DNA is everywhere you are and remains, through “shedding,” after you go. DNA evidence has increasingly come to be used to exonerate the wrongly accused and convicted: Hundreds of such cases have been overturned, at least 20 of which involved people who had served time on death row. Currently, the government is free to assemble a template DNA national database of anyone who has ever been arrested for a crime.
Policy Questions and Concerns
● The use of biometric technologies poses a host of interrelated policy questions.
◗ Can the biometric system be narrowly tailored to its task?
◗ Who will oversee the program?
◗ What alternatives are there to biometric technologies?
◗ What information will be stored and in what form?
◗ To what facility/location will the biometric give access?
◗ Will the original biometric material be retained?
◗ Will biometric data be kept separately from other identifying personal information?
◗ Who will have access to the information?
◗ How will access to the information be controlled?
◗ How will the system ensure accuracy?
◗ Will data be aggregated across databases?
◗ If information is stored in a database, how will it be protected?
◗ Who will make sure that program administrators are responsive to privacy concerns?
◗ Can people remove themselves from a database voluntarily?
◗ How will consistency between data collected at multiple sites be maintained?
◗ If there is a choice, will people be informed of optional versus mandatory enrollment alternatives?
● Some of the fears surrounding biometric information include that it will be gathered without permission, knowledge, or clearly defined reasons; used for a multitude of purposes other than the one for which it was initially gathered; disseminated without explicit permission; or used to help create a complete picture about people for surveillance or social control purposes.
● There also are concerns about tracking, which is real-time or near-realtime surveillance of an individual, and profiling, where a person’s past activities are reconstructed. Both of these would destroy a person’s anonymity. The following are some ideas about biometrics to consider.
◗ Enrollment in biometric systems should be overt instead of covert.
◗ Before one is “enrolled” in a biometric program, one should be made aware of that enrollment.
◗ Biometric systems are better used for verification rather than identification.
◗ We should prefer biometric systems that are “opt in,” and require a person to consent, rather than those that are mandatory. While certain biometric applications (e.g., DNA for convicted criminals) might need to be mandatory, this should be an exception to the general rule of voluntariness.
◗ Any biometric system should have strong audit and oversight programs to prevent misuse.
◗ We need to be concerned about the security and privacy of a biometric database.
● But all of this pales next to the larger question of who gets to decide: Should citizens have a right to control their extremely sensitive biometric data?
● In one sense, the answer seems like it should be obvious: If anyone can take a photo of you on the street without your permission, why can’t the government? On the other hand, it is the government.
● Today, however, the decision to move forward with biometrics is not the subject of wide public debate. In 2014, the FBI started to use a Next Generation Identification biometric database with 14 million face images. Current plans are to increase that number to 52 million images by 2015, with more images to be collected in the future.
● Biometric technologies are likely to be of great value in creating secure identification. But to be useful and acceptable, they need to be privacyand civil liberties–neutral. They can, and should, be designed with appropriate protocols to ensure privacy before they are implemented.
Questions to Consider

1. Biometrics is a better form of security than passwords, typically. Do you prefer to use biometrics or passwords? Why?
2. Which type of biometrics makes you most unconformable? Which makes you least uncomfortable?
3. Should the government have a DNA database of everyone ever convicted of a crime? What about a DNA database of everyone ever arrested?