By Nick Heath, 26 September 2008 16:40
The government has underestimated the likely failure rate of the ID card scheme, according to a biometrics expert who reviewed the system.
The ID card scheme will guard against one person having multiple identities by checking the two fingerprints and facial scan held on a chip on the ID card against biometrics in a central database, the National Identity Register.
But academic John Daugman, a former member of the Biometrics Assurance Group (BAG) which reviewed the scheme, says its reliance on fingerprints and facial photos to verify a person's identity will cause the system to collapse under the weight of mismatched identifications.
Daugman, an expert on iris recognition, says fingerprints and facial photos are not distinctive enough to be able to tell the UK's 45-million-strong adult population apart.
Daugman said that even if the error rate was as low as one in a million, the 10 to the power of 15 comparisons needed to verify the IDs of 45 million people would result in one billion false matches.
He told silicon.com: "The use of fingerprints will cause deduplication to drown in false matches.
"The government was badly advised by its internal scientists in the Home Office when it took the decision to base the biometric system on fingerprints instead of iris patterns.
"Only iris patterns have enough randomness and distinctiveness to survive so many comparisons without making false matches."
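The arithmetic behind Daugman's figure, worked through as an added example that is not part of the original article. It assumes independent comparisons at a single fixed false match rate; the function names and the 1,000-case examiner budget are hypothetical, and the 1:1 versus 1:N contrast goes slightly beyond the deduplication case the article describes.

```python
import math

UK_ADULTS = 45_000_000   # adult population figure quoted in the article
FMR = 1e-6               # "one in a million" false match rate from the article

def pairwise_comparisons(n: int) -> int:
    """Deduplication compares every record with every other: n*(n-1)/2."""
    return n * (n - 1) // 2

def expected_false_matches(comparisons: int, fmr: float) -> float:
    """Mean number of false matches, assuming independent comparisons."""
    return comparisons * fmr

def p_any_false_match(gallery: int, fmr: float) -> float:
    """P(one probe falsely matches at least one of `gallery` records).
    1-(1-fmr)**gallery, via log1p/expm1 to stay accurate for tiny fmr."""
    return -math.expm1(gallery * math.log1p(-fmr))

def fmr_for_budget(comparisons: int, max_false_matches: float) -> float:
    """Largest per-comparison FMR keeping expected false matches in budget."""
    return max_false_matches / comparisons

def summarize(n: int = UK_ADULTS, fmr: float = FMR, budget: float = 1_000) -> dict:
    # budget: hypothetical number of false matches human examiners can resolve
    pairs = pairwise_comparisons(n)
    return {
        "pairs": pairs,
        "dedup_false_matches": expected_false_matches(pairs, fmr),
        "per_enrolment_false_matches": expected_false_matches(n - 1, fmr),
        "p_false_match_1_to_N": p_any_false_match(n - 1, fmr),
        "p_false_match_1_to_1": p_any_false_match(1, fmr),
        "fmr_needed_for_budget": fmr_for_budget(pairs, budget),
    }

if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:32s} {value:.6g}")
```

At the quoted error rate a single 1:1 check against one stored template falsely matches one time in a million, while searching a new enrolment against the whole register returns about 45 false candidates on average.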
The Home Office refuted allegations that the scheme would be swamped with false matches, citing the example of two already operational schemes larger than the ID card - the FBI's fingerprint database with more than 50 million records and the US-VISIT database with more than 80 million records.
A spokesman for the Identity and Passport Service said: "Unexpected matches reported by an automated fingerprint system are checked by expert human fingerprint examiners."
"The level of false matches for current large scale automated fingerprint systems is sufficiently small that it is entirely practical to use human examiners to resolve them," he added.
Daugman also echoed the findings of the recent BAG report, which said there could be about four million elderly people in the UK whose fingerprint skin is either too dry or fine to take useful prints from.
Speaking at the launch of the UK's first ID cards on Thursday, Home Secretary Jacqui Smith claimed problems with taking or recognising fingerprints pose no threat to the effectiveness of the ID card system.
"Because it is so exceptional, it is not going to be a problem that undermines the entire scheme," she said.


Comments
1. Shan Morgain
10% failure rate is not "exceptional." That's a high rate of failure working purely off the medium.
Add in human error GIGO + recognition error and it's chaos.
2. Jeremy Wickins
As I've pointed out elsewhere on silicon.com, one has to wonder just where the error level stops being "exceptional" to this bunch of ignorami. Presumably, 49% is exceptional, because there are fewer errors than correct matches! Seriously, how do we stop this insane project before it all turns to rat-sh*t?
3. W.S.Becket
Of course it will fail - human nature will see to it if nothing else does. Thirty years ago the organisation for which I worked introduced (for no particular reason that anyone could see) identity cards with photographs.
The immediate result was that half the staff concerned grew beards the minute they received their ID cards. Within a month the scheme was dead.
4. Roger Huffadine
False Positives - at last someone who is of sufficient academic stature is echoing the comments of many of us who have blogged till our fingers ache on this subject.
Why is it so difficult for the Home Office to grasp this very simple statistical search concept - if you have a wide enough filter set to ensure that you trawl the one person who you need to identify then you will have thousands of mis-matches on every search - conversely if you have the filter set narrow enough to return a manageable number of matches then you will probably miss the person who you should have identified.
Don't these people ever use Google?
5. Richard
The UK ID project will succeed brilliantly...
... at firmly identifying those politicians & organisations who've done so much to make UK government IT the success that it is.
6. anonymous
I'm puzzled. Is the scheme to be used to identify people or to confirm the identity they are presenting?
If the former, then the question really being asked is "here's a data set, please search through all that you have to come up with the best match". And if "best" isn't adequate, then there will be a lot of false positives. Let's just ignore the green agenda of the energy needed to power and cool all that hot silicon: that would take joined up thinking.
If the latter, then the question is "given a data set of measurements, does it match the data set on my chip closely enough?". Again back to a "closely enough". If you're having a bad hair day, hangover, missing a finger etc, then the system will default to the fall back identification mechanism ... which is inherently weaker than the first.
Perhaps any doubtful matches could indicate an underlying medical condition and be met with "You're looking a little out of shape today ... would you like to take out this health insurance?"
7. GALLEYSLAVE
Personally I can't wait!
I can't wait for it all to go TITS UP
as it surely must.
SOD'S LAW RULES!!!!!
8. Radical Meldrew
Galleyslave, also don't forget that - SODS RULE LAWS - so the card's a done deal for everyone whatever we say or do.
9. Adrian Tawse
Some time ago I challenged Andy Burnham on this very issue and he, I suspect without knowing just what he was doing, sent me a tech report on the use of automatic fingerprint matching. The upshot was that it is good enough to verify that a person is who he says he is, but as a scheme to establish that a person is not anyone else it is a dead failure. It is important to distinguish between the two questions.