DHS Face Biometric Scans - Are They Legitimate?

Georgetown Law recently released a report titled "Not Ready For Takeoff" (clever name), harshly critiquing the DHS' facial recognition program designed to catch people over-staying their US visas. A travel visa is "conditional authorization granted by a country to a foreigner, allowing them to enter, remain within, or to leave that country. Visas typically include limits on the duration of the foreigner's stay, territory within the country they may enter, the dates they may enter, the number of permitted visits or an individual's right to work in the country in question."

So the key point here is that most foreigners have to apply for and receive a visa before they are allowed to enter the United States and that visa is verified when they enter the country. The visa allows them to be in the country for a specific number of days (usually). However, we currently have no method for checking to see if they leave on time, or at all. So DHS is experimenting with different ways of doing that. If you are interested in privacy, the report is definitely worth a read. The report has led to a number of rather harsh critiques such as this one.

DHS Face Kiosk

I'm not going to address the legal issues of the program, but the report does make some technical critiques that are worth talking about, especially because they deal with how to measure the accuracy of a biometric system, a question that comes up almost constantly in our interactions with customers.

We've talked about accuracy in biometrics often, so I am not going into that again here. You can read a quick refresher at Biometrics 101. The report does correctly describe the trade-off between the two standard metrics, the false match rate (how often an imposter is wrongly accepted) and the false non-match rate (how often the right person is wrongly rejected): moving the decision threshold to lower one raises the other. But what they want to measure is actually quite challenging. Essentially, they want to know how often the system will accept an "active" imposter. An active imposter would know that the database consists mostly of people of a certain gender, ethnicity, and age, and would be someone similar in order to fool the system.

No one has good measurements of how much more likely a false match is between people of similar demographics. NIST says it is more likely, but not how much. It is very expensive to get a controlled population to measure this. But based upon my experience, the worst imaginable case would be that an imposter has a 5% chance of getting through the system. That translates to a 95% chance of going to secondary screening, where he would almost certainly get caught. If that were a significant problem, DHS would be catching lots of imposters in secondary screening.
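The two metrics and the secondary-screening arithmetic, as an added example that is not code from the original post, the Georgetown report, DHS or NIST. It computes false match rate (FMR) and false non-match rate (FNMR) from comparison scores, picks an operating threshold by fixing the tolerable FMR, and models an "active" imposter as an assumed upward shift of the imposter score distribution. All score distributions are constructed with a fixed seed so the block runs offline; their means and spreads are illustrative assumptions, not measurements of any real system.

```python
"""Biometric accuracy metrics on constructed scores (added example, not from the post)."""
import math
import random


def constructed_scores(n_genuine=2000, n_impostor=20000, impostor_mean=0.35, seed=7):
    """Similarity scores in [0, 1]. Genuine = same person in both samples,
    impostor = two different people. Clamped Gaussians are a stand-in only."""
    rng = random.Random(seed)

    def clamp(s):
        return max(0.0, min(1.0, s))

    genuine = [clamp(rng.gauss(0.80, 0.08)) for _ in range(n_genuine)]
    impostor = [clamp(rng.gauss(impostor_mean, 0.10)) for _ in range(n_impostor)]
    return genuine, impostor


def rates_at_threshold(genuine, impostor, threshold):
    """A comparison is declared a match when score >= threshold.
    FMR  = fraction of impostor comparisons wrongly accepted.
    FNMR = fraction of genuine comparisons wrongly rejected.
    Raising the threshold lowers FMR and raises FNMR; that is the trade-off."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def threshold_for_fmr(impostor, target_fmr):
    """Lowest threshold whose FMR on these impostor scores is <= target_fmr.
    Operating points are normally chosen this way: fix the FMR you can
    tolerate, then live with the FNMR that threshold implies."""
    ordered = sorted(impostor)
    k = math.ceil((1.0 - target_fmr) * len(ordered))
    if k >= len(ordered):
        return math.nextafter(ordered[-1], math.inf)  # above every impostor score
    return ordered[k]


def escape_probability(fmr, secondary_catch_rate):
    """Probability an impostor is ultimately admitted: accepted at the kiosk,
    or sent to secondary screening (probability 1 - fmr) and not caught there."""
    return fmr + (1.0 - fmr) * (1.0 - secondary_catch_rate)


def active_impostor_fmr(threshold, mean_shift, seed=11):
    """An 'active' impostor resembles the enrolled subject more than a random
    person does, so impostor scores sit higher. Modelled here purely as an
    assumed upward shift of the impostor mean; how big that shift really is
    for same-demographic pairs is exactly what has not been measured well."""
    _, shifted = constructed_scores(impostor_mean=0.35 + mean_shift, seed=seed)
    return sum(1 for s in shifted if s >= threshold) / len(shifted)


if __name__ == "__main__":
    genuine, impostor = constructed_scores()
    print("threshold   FMR      FNMR")
    for t in (0.50, 0.60, 0.70, 0.80):
        fmr, fnmr = rates_at_threshold(genuine, impostor, t)
        print(f"{t:9.2f} {fmr:8.4f} {fnmr:8.4f}")
    t = threshold_for_fmr(impostor, 0.001)
    zero_effort, fnmr = rates_at_threshold(genuine, impostor, t)
    active = active_impostor_fmr(t, mean_shift=0.15)
    print(f"\nthreshold for FMR <= 0.1%: {t:.3f}  (FNMR {fnmr:.3f})")
    print(f"zero-effort impostor FMR {zero_effort:.4f}, "
          f"active impostor FMR with assumed shift {active:.4f}")
    print("impostor escape probability at FMR 5% with secondary catching 99%:",
          f"{escape_probability(0.05, 0.99):.4f}")
```

The point the block makes concrete: a threshold chosen for a 0.1% FMR against random strangers can give a few percent FMR against an active imposter whose scores are shifted up, and the only way to know the real shift is to measure it on a controlled population.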

In terms of biometric accuracy, I think the report really just misses the point. The system is not perfect; no classification system is. The better question to ask is whether this system is better than what we have now. We have no exit system at all now, so this system has to be better, assuming there is value in measuring exits at all.

Biometrics and Privacy Laws

Illinois was one of the first states to implement a biometrics law, way back in 2008. The law actually makes a lot of sense. It basically says that use of biometric data requires written consent (opt-in) and that companies can't profit from biometric data. We have always believed that the use of biometrics should be voluntary and transparent.

In Illinois, a number of companies are currently being sued for misuse of biometrics collected from employees for time-clocks. I don't want to speak to the merits of the lawsuit because I am not qualified. However, there are a few interesting points about biometrics that are worth examining. First of all, biometrics are a good match for a time-clock application. They are inexpensive, quick, easy to use and more than reliable enough for a company-sized enrollment database. They solve one of the main problems of time-clocks, namely that employees can punch in for another employee (buddy punching), which costs employers $373 Million per year. Verifying someone's identity is the perfect sweet spot for biometrics.

However, the article does bring up a number of confusing factors. First, it highlights a Fear, Uncertainty and Doubt (FUD) aspect of biometrics, namely that if someone steals your fingerprints they can pretend to be you, and since you can't "revoke" your fingerprints you will never be able to recover from the theft. While this is technically true, it is misleading and not really the fault of biometrics. First, spoofing a biometric sensor is far from trivial. Second, you leave your fingerprints everywhere, so if someone wants to steal them they don't have to hack an employee time-clock system. Third, biometric systems don't store images of your fingerprints; they store mathematical templates, which are not meant to be, and in practice are difficult to, turn back into a usable fingerprint image. Finally, even if they were able to steal your fingerprints it shouldn't matter. No high-security system should rely on biometrics alone (a single factor); it should use at least two factors, such as a fingerprint plus a PIN.

One of the defendants in the lawsuit said the following:

“In a June filing, Roundy’s denies its time clock system uses what the Illinois act considers biometric data. It admits that its “system identifies employees using a scan of a portion of an employee’s finger” but denies that an entire fingerprint is used.”

This is actually a pretty weak defense. I suspect that a biometric time-clock does use biometric data, so I seriously doubt their first claim. Their second claim is weak as well. It doesn't really matter that the system uses a "portion" of the fingerprint, because a portion (depending on its size) can easily be just as identifying as an entire fingerprint. That's why crime scene latent prints (partial fingerprints) are used in criminal convictions all the time. It would have been far better for the defendant to make the correct claim that they don't store fingerprints at all, just templates. Therefore they can't be selling fingerprints to other entities because they don't have them.
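What a template is and why a partial print still matches, as an added example that is not code from the original post or from any vendor's matcher, covering both the "templates, not images" point above and the "portion of a fingerprint" point in the lawsuit discussion. The template is the common minutiae representation, a list of ridge endings and bifurcations as (x, y, direction, type); there is no image anywhere. The matcher aligns the probe to the template on one candidate pair of minutiae (rotation plus translation), counts how many other minutiae then coincide within tolerance, and keeps the best alignment over all candidate pairs. The templates, the tolerances and the "at least 8 corresponding minutiae" decision rule are constructed for this example; production matchers use richer descriptors and vendor-tuned thresholds.

```python
"""Minutiae template matching with a partial probe (added example, not from the post)."""
import math
import random
from typing import List, NamedTuple


class Minutia(NamedTuple):
    x: float        # position in the sensor frame
    y: float
    angle: float    # ridge direction in degrees
    kind: str       # "ending" or "bifurcation"


DIST_TOL = 8.0      # positional tolerance after alignment (assumed)
ANGLE_TOL = 15.0    # direction tolerance in degrees (assumed)
MIN_MATCHED = 8     # decision rule assumed for this example


def angle_diff(a: float, b: float) -> float:
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def transform(m: Minutia, rot: float, dx: float, dy: float) -> Minutia:
    """Rotate m by rot degrees about the origin, then translate by (dx, dy)."""
    r = math.radians(rot)
    x = m.x * math.cos(r) - m.y * math.sin(r) + dx
    y = m.x * math.sin(r) + m.y * math.cos(r) + dy
    return Minutia(x, y, (m.angle + rot) % 360.0, m.kind)


def count_matches(aligned_probe: List[Minutia], template: List[Minutia]) -> int:
    """Greedy one-to-one pairing of already-aligned minutiae."""
    used = set()
    matched = 0
    for p in aligned_probe:
        for i, t in enumerate(template):
            if i in used or p.kind != t.kind:
                continue
            if (math.hypot(p.x - t.x, p.y - t.y) <= DIST_TOL
                    and angle_diff(p.angle, t.angle) <= ANGLE_TOL):
                used.add(i)
                matched += 1
                break
    return matched


def match_score(probe: List[Minutia], template: List[Minutia]) -> int:
    """Best number of corresponding minutiae over all candidate alignments."""
    best = 0
    for p in probe:
        for t in template:
            if p.kind != t.kind:
                continue
            rot = t.angle - p.angle          # rotation mapping p's direction onto t's
            rp = transform(p, rot, 0.0, 0.0)
            dx, dy = t.x - rp.x, t.y - rp.y  # translation that then puts p on t
            aligned = [transform(q, rot, dx, dy) for q in probe]
            best = max(best, count_matches(aligned, template))
    return best


def verify(probe: List[Minutia], template: List[Minutia]) -> bool:
    return match_score(probe, template) >= MIN_MATCHED


def constructed_template(seed: int, per_side: int = 4, spacing: float = 40.0) -> List[Minutia]:
    """Deterministic stand-in for an enrolled template: minutiae on a jittered grid."""
    rng = random.Random(seed)
    kinds = ("ending", "bifurcation")
    return [Minutia(i * spacing + rng.uniform(-10, 10), j * spacing + rng.uniform(-10, 10),
                    rng.uniform(0.0, 360.0), rng.choice(kinds))
            for i in range(per_side) for j in range(per_side)]


def partial_probe(template: List[Minutia], keep: int = 9, rot: float = 20.0,
                  dx: float = -30.0, dy: float = 15.0, seed: int = 3) -> List[Minutia]:
    """A partial capture of the same finger: a subset of the enrolled minutiae,
    placed on the sensor at a different rotation and offset, with small jitter."""
    rng = random.Random(seed)
    probe = []
    for m in template[:keep]:
        t = transform(m, rot, dx, dy)
        probe.append(Minutia(t.x + rng.uniform(-1, 1), t.y + rng.uniform(-1, 1),
                             (t.angle + rng.uniform(-1, 1)) % 360.0, t.kind))
    return probe


ENROLLED = constructed_template(seed=1)         # the stored template: 16 tuples, no pixels
SAME_FINGER_PARTIAL = partial_probe(ENROLLED)   # 9 of those 16, shifted and rotated
OTHER_FINGER = constructed_template(seed=99)    # an imposter's full template

if __name__ == "__main__":
    print("stored template is", len(ENROLLED), "minutiae, e.g.", ENROLLED[0])
    print("partial print, same finger: matched", match_score(SAME_FINGER_PARTIAL, ENROLLED),
          "-> verify =", verify(SAME_FINGER_PARTIAL, ENROLLED))
    print("other finger:               matched", match_score(OTHER_FINGER, ENROLLED),
          "-> verify =", verify(OTHER_FINGER, ENROLLED))
```

Nine of the sixteen enrolled minutiae are enough to pass the decision rule, which is the whole point about partial prints; and nothing in the stored list could be rendered back into ridges without first reconstructing an image, which is why "we only store templates" is the defensible claim.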

I believe these kinds of issues will settle out over time. Biometrics will not go away; they are too valuable a technology in a world where we are more and more worried about establishing the identities of people. However, the simple solution of enforcing a single, transparent use for a particular biometric application solves these problems quite well, preserving both strong biometric identification and user privacy free from uncontrolled data sharing.