Shortly after the start of the war in Iraq on March 19, Saddam Hussein appeared on state television. Or did he? The bespectacled, uniformed speaker looked like the Iraqi leader, but also different enough for many to speculate that it was a stand-in for the real Hussein, who may have been injured or killed. Enter biometrics, which for the first few days of the war proved an instrumental?and limited?tool for U.S. intelligence.
Face recognition tests indicated the person on TV was likely to be Hussein (voice tests were more definitive). Face recognition had also been used impressively weeks before this to positively identify top al-Qaida operative Khalid Sheikh Mohammed after his capture on March 1. The identification came despite the fact that, disheveled and unshaven, Mohammed looked markedly different than he had in previous photos. (Both U.S. officials and enterprising vendors made the match.)
Those were just recent examples. A steep uptick in the buzz around biometrics started after Sept. 11 and the subsequent passing of the USA Patriot Act, which mandates the eventual use of biometrics by U.S. authorities at the Canadian and Mexican borders.
Since then, the government has been testing the technology fervently, focusing on fingerprint ID and face recognition. And biometric advocates have seized the opportunity. “If I were a CIO, I’d simply count the number of phone calls from users who forgot their passwords,” says Alan Samuels, a self-employed biometric consultant in Elizaville, N.Y., who helped a network news program run a face recognition test between the Hussein video and file footage. “That alone can sell the technology,” he adds.
So why hasn’t it? Part of the reason biometrics remains a niche field is because the still-improving technology has been oversold. A General Accounting Office report in November 2002 raised concerns about privacy and cost. The GAO estimated that securing the nation using biometric systems would take up to $3 billion in capital investment and as much as $1.5 billion annually after that. “Biometrics is not a panacea,” the GAO report said in reference to its use along the nation’s borders.
Look no further than face recognition. Good systems identify 90 percent of matches with a 1 percent false positive, according to a study by the National Institute of Standards and Technology (NIST) released in March. However, that’s for a 100-face database, or gallery. With 37,000 faces in the gallery, accuracy swoons to 73 percent. (Fingerprint systems do better: 86 percent match with a gallery size of 100,000. But NIST says that for national security purposes, where a database will house millions of fingerprints, one-finger ID isn’t likely to fly: The match rate will be too low, and it’s harder to acquire fingerprints than it is faces.)
What’s more, the NIST face-verification tests were done under ideal conditions, with lots of light and the subject looking straight at the camera. (Accuracy deviates predictably as the head turns away from a straight-on pose.) Outdoors, match rates collapsed to 47 percent in the best systems. Samuels cited an amusement park that wanted to use biometrics, but the park would have had to completely reconstruct its entrances to control the lighting conditions well enough to have a high match rate. The park owners scrapped the idea.
Now, CIOs don’t need to achieve border security accuracy levels. But still, there’s a preconception that biometrics is better than predictable, easily compromised passwords or swipe cards because it can prove, irrefutably, that a face is a face. That is misleading.
The technology is developing, says Samuels, who believes that biometrics is too compelling to remain in the background for long. “But, in all cases, biometrics is still about probability. There’s no foolproof system,” Samuels says.