The Biometric Society
- Fiction or Inescapable?

Dr. Manfred Bromba – Biometrics Consultant - Germany
http://www.bromba.com/

Biometric Identification Technology Ethics (BITE)
V. MEETING: FUTURE TECHNOLOGIES
Wroclaw/Poland, 2006-03-24

Permanent address for citation: urn:nbn:de:0125-2008042109

Preface: The Information Society

In Germany, 2006 has been nominated as the year of "Informatik" (which can be translated as "computer science") [1]. Never before it was so easy to gather, to distribute, to collect, and to process information of all kind. This became possible as a result of the advances in sensor technology, copy technology, storage technology, communication technology, computer technology, and applied mathematics.

Since all these advances will drastically change our life, the term "Information Society" has been created [2]. The impact of the Information Society on legal framework and privacy will be enormous. But many of us do not really perceive this because the change is a creeping process. We are amid this process which yields a degeneration of liberal values, establishing as information surveillance, data retention, and censorship, while taking back banking secret and other rights. The question "Is this really a degeneration or is it a necessity for our survival?" disunites many people. It is not my intention to solve this problem. But I will take this opportunity to raise some fundamental questions by drawing an example of a future society which I have called "The Biometric Society".

The fictitious Biometric Society will be an occurrence of the Information Society. It is specifically based on progress in sensor technology and applied mathematics and cannot exist without the Information Society.

Contents

This contribution will be divided into three parts and considers the benefits, the risks, and the feasibility of the Biometric Society. The first part defines the Biometric Society and praises its advantages. The second part is something more nebulous and tries to examine the worst case risk of the Biometric Society. All these considerations remain useless unless there is a chance of realizability. For this question I will try to find an answer in the third part.

The Biometric Society and its benefits

The Biometric Society – how does it work?

In the Biometric Society, all actions and transactions are authorized using biometric identification. As a result,
  • no token nor any other credential is necessary,
  • you cannot forget anything, and
  • your identity can neither be stolen nor lost
As special requirement, all services shall be available worldwide.

The Biometric Society is not the only solution which fits to this description. Alternative systems using implanted ID chips will mainly do the same and deliver almost the same benefits.

In the following, the beneficial impacts on our life will be shown, regarding payment transactions, traveling by car, health care, communication, computing, entertainment, and law enforcement as important examples.

Payment transactions

Cards such as credit cards, payment cards, and rebate cards as well as cash are completely replaced by biometric identification which is performed online and in real-time. 

Obtaining services by fraud is made impossible because always a unique biometric recognition together with a creditworthiness inquiry is performed before granting the service.

As a result, no tickets for bus, train, or flights, nor tickets for football games, concerts, and gyms are needed any more.

Traveling

Before a driver starts the car, a biometric check proves the permission to drive under consideration of the car ID number. This can be achieved using wireless communication.

This way, driving without permission, with stolen cars, or without sufficient creditworthiness is prevented from the very beginning. Only those types of cars can be driven for which an education has been performed.

The personal assignment of the universal street toll is managed automatically on the basis of the driver and car data.

Health care

Medical services are balanced biometrically without expensive and losable health cards.

After biometric identification, the patient may inspect his health records everywhere and anytime.

In the case of accidents, the rescue workers are able to inform about health data, blood type, immunizations, and allergies immediately. This is achieved with the aid of a mobile biometric identification on location and guarantees an optimum medical treatment.

In the case of fatality, the large expense of a manual identification is replaced by checking the biometric features.

Communication

Communication has grown to a basic requirement of our life. Especially internet and mobile communication have become indispensable. 

In the Biometric Society, emails and phone calls are exclusively processed using biometric identification. This makes the user independent on any hardware. Nevertheless, stolen hardware can be identified by a unique device ID!

For addressing, only the data set of the biometric feature of the receiver is to be used. Names are not really necessary - they are merely needed for certain kind of direct inter-human communication.

Certainly, also every sender has to identify biometrically. This way, spamming and phishing is effectively prevented.

Computing

Secure computing will become self-evident to avoid the infection of computers with viruses,Trojan horses, and other malicious software and to solve the problems of the entertainment industry with respect to unwanted use of their products.

Biometrics ensures that only authorized persons are able to operate a computer and that all software can only be used with personal authorization. 

Biometrics even allows new license models. For example, if a certain person has licensed a software, this person is allowed to use this software anywhere on any running system. Since only authorized persons are allowed to use it, a software may be copied and installed arbitrarily often without any loss to the software developer.

Secure data access can be achieved in a similar way as all data is personalized using biometric identification. Personal Information Rights Management (PIRM) is used to prevent content piracy and to retain authors' rights.

Entertainment

Any kind of entertainment is authorized by biometrics. This has a lot of advantages. For example, since birth date is stored centrally, age verification is easily achieved.

Services like pay per view are managed by ordering a film using biometric identification. Like in computing, each data access is personalized while the data are free, may be copied as often as one wants, but remain inaccessible for the unauthorized. As a result, audio and video downloads need not necessarily be authorized by biometrics. Peer to peer (P2P) file sharing services are no problem for the content owners any more. 

But how can I prevent unauthorized viewers and listeners? Today, any transmission channel is secured using encryption techniques. Even the cable between receiver and monitor will be protected using HDMI (High Definition Multimedia Interface) [3]. However,  this method does not prevent copying from screen, using an ordinary camera. So several companies even think about disturbing the display output in such a way that the camera record becomes unusable.

Maybe, the problem will solve quite naturally if 3D TV becomes more popular and will use goggles. This way viewing video will be personalized. If the method becomes common enough, it will be combined with biometric identification to prevent unauthorized use of the 3D video (and audio) data. Here, iris recognition is the preferred biometric feature which naturally integrates into the goggles.

Law enforcement

Cosmopolitans who move outside the settled society standards, can effectively be sanctioned with restrictions of certain rights.

Examples are prohibitions for shoplifters to enter a certain store, for hooligans to enter a football stadium, or refusal of border crossing for undesired aliens.

Since the network of biometric registration is densely tied, wanted criminals and terrorists may be localized immediately. This is accomplished by using the position data accumulated from shopping, traffic toll, mobile communication systems, and public transportation.

Obviously, this cannot be a solution against terrorism since only known terrorists are detected. Therefore, prevention will be used to solve the problem. Prevention can be realized using profiler agents which permanently investigate all data collected with respect to certain crime patterns or unknown anomalies. This is assumed to significantly reduce crime rate.

The Biometric Society and its risks 

I distinguish two kinds of risk, i.e., security related risks and privacy related risks. It seems that security related risks are solvable by technical means while privacy related risks need political and legal measures! While security shortcomings mainly affect property, privacy more directly targets a person.

Security related risks

Since big values are moved, this may seduce criminals to steal an identity to take over foreign rights. There are many methods to fool a system with stolen identities – most of them can be met with known protection methods such as cryptography.

Mechanical copies of biometric features are the most critical challenges in our case. As countermeasure, a nearly perfect copy detection is essential.

Interestingly, with a perfect copy detection, publicity of a biometric feature is no problem any more – especially, there is no necessity to keep biometric templates secret!

The security matter will be treated later under "Feasibility of the Biometric Society".

Privacy related risks

With a perfect copy detection and a tamperproof system, the knowledge of biometric template data does hardly affect privacy if we suppose that the template data exclusively carries identity information but no other information such as health data. The realization eventually has to guarantee that the biometric data stem from the original feature owner.

The role of biometrics is only that of a unique identifier which enables easy database linking. This is a process which is mainly controlled by the operators of the identification application.

The real danger is the misuse of the identification application which collects and stores a lot of private information! For example, if the identification application is used to search for terrorist profiles, false assignments to innocents may be produced. And this issue may even question the whole application, respectively, the Biometric Society. This kind of risk cannot be solved technically.

The privacy matter is treated now, while focusing on giving up privacy with respect to the biometric identification system, its operators, and possible governmental users.

The Biometric Society and privacy

The central biometric identification system which is the heart of the Biometrics Society enables nearly total surveillance by linking all transaction data!

This poses the following questions: 

  • Will total surveillance come along with the Biometric Society?
  • If total surveillance becomes reality, will it really be dangerous?
All these questions cannot be answered today! But we should discuss the possibilities!

Will total surveillance come?

Due to digitization of communication, it becomes extremely easy to create traffic data in form of log files. Due to advances in mass storage and computer technology, these log files can easily be stored and examined for all kind of information. It is very easy to use this traffic data for purposes, which are not in the intention of the feature owner. It's simply a software change.

As soon as something is technically realizable, there is a lot of demand to use these private data, especially for law enforcement, advertising, and criminal prevention.

Furthermore, it becomes extremely easy today to get the agreement for legal misappropriation of traffic data. There is little resistance from those who are affected. Commissioners for data protection have to do hard to stand up to government because their support from the public and media is surprisingly small. 

Today, it cannot be predicted where the extension of surveillance stops. I guess this will be a one-way process which never ends and which will never reach total surveillance. The process can be compared with a mathematical series like 1, 2, 3, 4, ... which tends to infinity, but will never reach infinity.

Is total surveillance dangerous?

From a security and safety point of view, surveillance of objects is an effective method to prevent accidents or crime. 

Slightly different is the situation where people are monitored preemptively against crime and terrorism. In this case, surveillance and tracing directly affects privacy and is naturally rejected by many citizens. The reason for a bad reputation is that surveillance is regarded as a means to keep totalitarianism alive by keeping down opposition. Is surveillance also a means to establish totalitarianism?

Totalitarianism has been shown to correlate strongly with "democide". H. J. Rummel, a  professor emeritus of political science at the University of Hawaii, has shown that totalitarianism, in contrast to liberal democracy, is positively correlated with democide in a statistical sense [4]. The term "democide" he created to express "murder by government", as has been experienced, for example, under the dictatorship of Adolf Hitler. This enables two conclusions: 

  1. totalitarianism is the cause for most democide, or 
  2. democracy has no chance to establish in environments which favor democide.

Observations

Most people agree that the most feared occurrence in life is an unwanted death. So I have collected some data which shall compare several reasons for unwanted deaths. All data refer to worldwide deaths per year. The figures are either recent data or have been averaged over a long time period [5, 4, 6, 4, 7]. A long-time averaging is reasonable in those cases where the data show strong yearly variations.


Worldwide deaths per year (recent or mean value)

For many people it may be surprising that not terrorism or natural disasters are the reason for  the most deaths. Even wars are small in effect compared to traffic, democide, or smoking victims. Although the data may not be very reliable, changes by even a factor of 10 will not principally change this image. Since there is no commonly agreed definition of terrorism, I made the worst case assumption of 10 000 deaths per year. But even this pessimistic number is not able to show a visible bar in the diagram!

Comments

Looking at the cause-of-death diagram, this provokes some critical comments. First, there seems to be a dramatic mismatch between real danger and felt danger. Second, there seems to be a dramatic mismatch between real problems and resulting activities.

For example, all German governments mainly acted for the German tobacco industry [10] when suing against the European tobacco product directive 2001/37/EC. In the meantime, other European countries like Ireland, Norway, Italy, Poland, and Spain felt responsible for their citizens and prohibited, for example, smoking in restaurants. 

On the other hand, Germany was among the first to introduce the biometric passport with the justification to fight against terrorism, although most experts are convinced about the ineffectiveness in this regard. 

And just the activities against terrorism often are suspected to help totalitarianism. Totalitarianism, however, is the medium for state terrorism and democide which is one of the real threats to humanity as shown in the diagram.

Conclusions

From all the statements above, I draw the following conclusions:
  • With respect to surveillance, biometrics is not the delinquent, it's only the accessory. 
  • Biometrics is not necessary to enable nearly total surveillance – but it can be very helpful.
  • (Nearly) total surveillance in a democracy need not be a danger - but a successful coexistence has not yet been shown.

The Biometric Society and its feasibility

System proposal

A straightforward solution to the biometric identification system which fulfills the requirements of the Biometric Society is to use a central system with central data base. In principle, this can be concentrated on a single location. However, multiple locations are to be preferred with respect to reliability and vulnerability.

The operator should be neutral. He is responsible for the technical part and has only to obey the operating instructions which are to be derived from special international laws. 

Storage and traffic requirements

To estimate the storage and communication traffic requirements, we assume 100 identifications per person and day and 10 billion (1010) people worldwide. Then 1012 identifications have to be performed per day. 

Now assume 100 kB as sample size of a biometric template, where request and reference template shall have the same size. Then the storage requirement for the biometric reference templates will be 1015 B = 1 000 TB = 1 PB. This is realizable today with 2 000 hard disks with 500 GB each!

The traffic resulting from sending the request templates then will be 1017 B per day. This is assumed to be the amount of the worldwide internet traffic today [8]. With distributed systems such a traffic should be realizable within several years from now.

Processing power requirements

For the processing power requirements we start again with 100 identifications per person per day and 10 billion (1010) people worldwide which results in 1012 identifications a day. Furthermore assume 1 million (106) operations per comparison. Then 1016 operations per identification are necessary!

This results in 1028 operations per day or about 1023 operations per second. If 1010 operations per second are possible with one PC (or 1014 for a supercomputer [15]) this results in the need of 1013 PCs or 109 supercomputers! But I am far from giving up!

How to achieve the necessary processing power

If the template comparison is replaced by dedicated hardware to calculate the whole result within one clock cycle, i.e., when it is 106 times faster, the processing requirement is reduced from 1023 to 1017 operations (Ops) per second, resulting in 107 PCs or 103 supercomputers. Now there are two ways to solve the remaining lack:

Wait for advances in computer technology:

  • Required: < 1017 Flops (floating point operations/s, assume Flops = Ops)
  • Available today: > 1014 Flops [9]
  • Available 2016: > 1017 Flops (assuming annual doubling)
Or look for intelligent identification strategies:
Most individuals have a limited action radius. For example, if succeeding identifications are done within an imaginary circle of 1 million people, search may be successful after 1 million identifications instead of 10 billion. This will save a factor of 10 000 in this example so that only 1012 Flops are required. And this is feasible today!

Biometric requirements

Regarding the biometric performance, we again assume 10 billion (1010) people worldwide performing 100 identifications per person and day. Furthermore, let us assume 1 biometric feature per person enrolled. Finally, the error that two persons be confused should be less than 1 per day. To estimate the required performance with respect to False Acceptance Rate (FAR), we make two assumptions:

Assumption 1: If the identification would be completely deterministic, an FAR of slightly smaller than 10-10 is required to guarantee that no two features are equal. This error rate does not increase with the number of identifications because no new fingerprint pairs are compared. This is assumed to be the best case. In reality it can only be reached when using unique ID numbers instead of biometrics.

Assumption 2: If the identification would be completely statistic, an FAR of 10-22 is necessary (coming from 1012 identifications against 1010 references). This is assumed to be the worst case approximation. It is too pessimistic because of dependencies between the comparisons.

Both cases will help us to find out suitable biometric characteristics.

Which biometric feature is usable?

Due to large performance differences in different biometric features, not every feature is able to satisfy the extreme requirements of the Biometric Society. We will only discuss the three most common biometric features here.

If a (verification) FAR of about 10-10 would be sufficient, then

  • Face recognition is far away from being usable
  • Fingerprint recognition will be possible with one or two fingers
  • Iris recognition will do without any problem
If a (verification) FAR of about 10-22 should be required, then
  • Face recognition again is not possible
  • Fingerprint recognition now should be possible with three fingers
  • Iris recognition should be possible with two irides
It must be remarked that a usage of more than one feature per person will further increase technical requirements because it multiplies the number of comparisons per second!

Fake detection

A nearly perfect fake detection is one of the great unsolved problems in biometric identification today. We have to distinguish three different types of fake detection.

A liveness detection is necessary to prevent identification with dead body parts. The challenge is twofold:

  • First, a measure for liveness is to be found in order to be able to detect it. 
  • Second, it must be guaranteed that detected life really belongs to the feature owner and not to the impostor.
A copy detection is a basic requirement to prevent forgery with copied features. Also, it is necessary in order to detect copied features which are tied to living bodies. 

A problem that has been neglected so far is volition control to prevent unconscious or enforced identification.

Fake detection example: fingerprint

Let us consider the present situation with fingerprint as an example. Today, all systems can be fooled if the liveness detection method or the copy detection method is revealed! Even the best fake detection methods known so far will increase the False Rejection Rate (FRR) considerably. Here are a few examples. Note that the optimum method depends on the sensor principle!
  • Temperature is easy to be circumvented by temperature equalization
  • Skin conductivity is very unstable and mainly increases FRR
  • Skin impedance is not very specific
  • Dielectric constant of skin is easily forged by gelatin
  • Pulse measurement takes several seconds and may be too lengthy
  • Measurement of the change of oxygen content of blood together with pulse detection may easily be circumvented by fingerprint foils which cover a finger of the forger

Fingerprint fake detection: a possible solution

Most fake detection methods fail in the case somebody covers his finger with a transparent artificial fingerprint foil. However, this should be manageable by using a real 3 dimensional sensing method. A possible candidate are ultrasonic sensors which create a 3D image of the whole interior of the finger. Besides the fingerprint which mainly represents the surface of the finger, an image of the internal skin layer structure is delivered. This should reveal artificial cover foils with false fingerprints and should also indicate the proper function of the blood circulation.


Cross-section through the human skin of a finger

Two principles for ultrasonic sensors are known. Optel proposes a single source ultrasound generator while Siemens favors an ultrasonic generator array on a silicon chip. Both methods are still looking for commercial realization.

Micro-machined ultrasound transducers

The high resolution ultrasound sensor from Siemens is based on micro machined ultrasound transducers which use the pulse-echo principle at 30...50 MHz. It is using a surface micro machined membrane array within a standard CMOS semiconductor process. A 300 µm matching layer serves as coating. The advantages are
  • Real 3D finger image of surface and subsurface structures such as epidermis
  • Recognition of sweat glands and their activity
  • Easy detection of artificial layers as copy detection
  • Liveness detection by Doppler effect from pulse changes

FEM simulation of the sound field (Siemens)

3D data processing

Suppose a raw 3D image of 256 x 256 x 256 pixels with 8 bits each. Then the file size amounts to 16 MB per image without temporal information! Transmission from sensor to processing unit should be performed within 0.5 s, resulting in a speed of 256 Mbit/s. This is achievable with USB 2.0. The required processing power of about 25 GOPS will be provided by future PCs.

Availability of biometric features

The next hurdle towards the Biometric Society is the fact that not every biometric feature is reliably measurable anytime. This is expressed in the "Failure to Enroll Rate" (FER) which specifies the part of biometric features that actually cannot be registered. Since this temporal failure may also happen after successful enrollment, it can prevent identification, too. In this case it is called "failure to acquire". 

For fingerprint, the FER is about 5% for the whole population and smaller than 1% for an office population, with declining tendency for improving sensor equipment.

For iris recognition, the FER also strongly depends on the sensing hardware. For expensive hardware, the FER is below 1 % for office workers.

Unfortunately, there is no chance to reduce the FER to similarly low values as the verification FAR.

We did not discuss the effect of FRR which may be reduced to very small values by multiple identification trials. In principle the FRR should lie in the same range as the FER. As a consequence, if no work-around methods are provided, this could eventually prevent the Biometric Society.

Introduction scenario

For that reason, the question is fundamental whether the Biometric Society needs a perfect system, or not. The answer is possibly no, the system need not be perfect, because it should be manageable
  • to start with smaller units, e. g., country-wide instead of worldwide. This reduces all technical and biometric requirements.
  • to allow alternative methods for identification to reduce enrollment requirements
  • to allow for voluntary participation to eliminate acceptance problems
  • to restrict the system to transactions of low value to reduce the demand for perfect liveness and copy detection.

Summary

To summarize, there is a good chance for the Biometric Society to be technically achievable. The advantages are unquestioned. The risks are imaginable but unpredictable. And that will be the real challenge!

Links

Last visited 2006-02-25

[ 1] http://www.informatikjahr.de/
[ 2] http://europa.eu.int/information_society/index_en.htm
[ 3] http://www.hdmi.org/
[ 4] http://www.hawaii.edu/powerkills/
[ 5] http://www.euro.who.int/mediacentre/FactSheets/20031212_1
[ 6] http://de.wikipedia.org/wiki/Verkehrstote
[ 7] http://de.wikipedia.org/wiki/Naturkatastrophen#Katastrophenstatistiken
[ 8] http://www.bespacific.com/mt/archives/001999.html
[ 9] http://www.top500.org/lists/2005/11/
[10] http://www.zdf.de/ZDFde/inhalt/29/0,1872,3904477,00.html