Not magic bullets, but bullets nonetheless
By Dave Birch posted Feb 23 2011 at 2:14 PMHow do you identify people? This is a difficult problem. Let's set aside what you need to identify people for, and just concentrate on large scale solutions.
The Indian government is trying to give all 1.2 billion Indians something like an American Social Security number, but more secure. Because each “universal identity number” (UID) will be tied to biometric markers, it will prove beyond reasonable doubt that anyone who has one is who he says he is. In a country where hundreds of millions of people lack documents, addresses or even surnames, this will be rather useful. It should also boost a wide range of businesses.
[From India: Identifying a billion Indians | The Economist]
The "but more secure" is obvious, because otherwise "something like" a US SSN will be as disastrous as a UK National Insurance number as a viable means of identifying individuals.
The study found that rather than serving as a unique identifier, more than 40 million SSNs are associated with multiple people. 6% of Americans have at least two SSNs associated with their name. More than 100,000 Americans have five or more SSNs associated with their name.
[From One In Seven Social Security Numbers Are Shared]
So what do we mean by "more secure"? How do you go about uniquely identifying people? In the case of India, it means a biometric universal ID (UID). Once the word "biometric" appears, people seem to think there is now a magic bullet against identity theft and fraud and they want to use it for everything (which is why I have previously argued that - given convenience - the market will automatically shift to demand the highest level of assurance of identity for every transaction, whether it requires it or not).
Securities and Exchange Board of India (SEBI)... has constituted an internal group with members from various departments to examine the modalities for making UID applicable for KYC norms and to formulate their views. This information was given by the Minister of State for Finance, Shri Namo Narain Meena in written reply to a question raised in Rajya Sabha today.
[From Press Information Bureau English Releases]
This kind of behaviour builds a tower on shifting sand, introducing a single point of failure into all systems. In fact, it introduces exactly the same single point of failure into all systems, which is why I like the NSTIC approach of multiple identity providers (of which the government in merely one, and a non-priviledged one at that). In India, biometrics have not had a good start. The first attempts to register people for the UID saw only a fifth of the attempts succeed.
Though the department conducted proof-of-concept (pilot project) on over 266,000 people in Mysore and Tumkur districts, only 52,238 UIDs could be generated.
[From Pilot project yielded few UIDs - The Times of India]
Is there something unusual about Indian biometrics? I suspect not. I suspect that biometrics are being used in systems designed by management consultants who have been watching Hollywood movies rather than by technologists who understand the appropriate modalities and bounds. You wouldn't get that sort of thing here in the UK. No, wait...
Biometric face scanners at Manchester Airport have been switched off after a couple walked through one after swapping passports.
[From Aircargo Asia Pacific - Face scanners switched off at Manchester]
I've been through the e-passport face scanners at LHR a few times (I don't use the IRIS scheme after it rejected me three trips in a row) and I can't say I haven't wondered whether it is real or not. We all know that iris scanning is more secure.
A woman from eastern Europe who was deported from the UAE re-entered weeks after her departure using a new identity... To prevent her from returning, her eyes were scanned before she left. But, according to her testimony in court this week, she returned to the UAE through Dubai International Airport using a forged passport and a different name. She said her eyes were scanned upon entry.
[From Iris scan fails to stop returning deportee - The National Newspaper]
Hhhmmm. It seems as if building big databases of biometrics may not be the way forward for the time being. Is there any other way to make biometrics more practical at a large scale? I'm sure there is. Perhaps a good place to start would be to marry some capability and convenience. One thing that we know from examples around the world is that customers like biometrics because of convenience. So what else is convenient? I know: contactless, wireless and RIFD technology.
Standard Chartered is issuing RFID chips to select customers at its newest Korean location, eliminating the need for affluent individuals to wait in lines at the branch. When a customer holding an RFID tag enters the facility, the system immediately notifies the branch manager and a relationship manager who can greet the customer personally at the door.
[From RFID Chips Spell End to Branch Lines for High-Value Customers | The Financial Brand: Marketing Insights for Banks & Credit Unions]
Ah, but when you get to the counter, how does the bank know that you are indeed the valued customer and not an imposter, intent on transferring funds off to Uzbekistan? Well, you could ask the customer to put their finger on a pad, or look at a camera, or speak into a microphone, or what ever, and then send the captured biometric to the RFID device for matching. Instead of rummaging through a giant database, the system can now do an efficient 1-1 comparison offline. If the device returns the correct, digitally-signed response, then the customer is verified. No PINs, no passwords: the combination of biometrics, contactless and tamper-resistant chips can deliver a workable solution to a lot of problems.