National Research Council report on biometrics raises hard questions, ire

Some in industry slam report as “out of date and misleading at best”

A lengthy review of the general state of biometrics raises questions about the reliability, accuracy and scalability of these technologies, as well as whether they have the public’s trust.

The 183-page report, “Biometric Recognition: Challenges and Opportunities,” is the culmination of a multi-year study done by a committee under the National Research Council (NRC), which receives federal funding and issues reports to advise government on scientific and technical matters. This NRC biometrics committee, chaired by HP Labs distinguished scientist Joseph Pato, with its membership drawn from industry, academia and the analyst community, late last week published a withering critique of biometrics that is getting slammed by some in the industry.

"Biometrics recognition has been applied to identification of criminals, patient tracking and medical informatics, and the personalization of social services, among other things," the NRC report states. "In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition and societal impact of their use."

The NRC report is drawing fire from some.

"The report is out of date and misleading at best," says Michael DePasquale, CEO of BIO-key International. "The fact that it relies on data gathered over five years ago does a disservice to the industry, and to those individuals who have been pushing technological advancements since 2004. Over the last six years, the technology has made significant contributions to not only our national security, but also to protecting access to a wide variety of commercial applications including smartphones, laptops, offices, homes, commercial networks, point-of-sale terminals and medical storage cabinets."

Depasquale says the authors of the report are making criticisms that might have been raised in 2005 but don’t properly characterize the progress the biometric industry has made since then.

In addition to HP's Pato, the “Whither Biometrics” Committee, as it’s called, has 13 members, including representatives from Walt Disney World Company, San Jose State University, Carnegie-Mellon University, Georgetown University Law Center, Cleveland Clinic, IBM Almaden Research Center, and MIT. Gartner analyst Bob Blakeley is also a committee member.

The report, which can be downloaded for free, notes biometrics systems are "complex and need to be addressed as such," and also that "biometrics recognition is an inherently probabilistic endeavor. The automated recognition of individuals offered by biometric systems must be tempered by an awareness of the uncertainty associated with the recognition."

In other words, biometrics systems in use can make mistakes, either missing a match completely or tagging a wrong match.

The NRC report says there needs to be much more science applied to how traits are measured, and understanding how "an imposter will attack the system."

"Major gaps exists in our understanding of the nature and extent of distinctiveness and stability of biometric traits across individuals and groups," the report states, noting that "no biometric characteristic is known to be extremely stable and distinctive across all groups."

In its skepticism about how well biometric systems perform, the report says, "A biometric match represents not certain recognition but a probability of correct recognition, while a non-match represents a probability, rather than definite conclusion that an individual is not known to the system."

The NRC report also notes, "It is generally not possible to replace a biometric that has been compromised. This is complicated by the fact that the same biometric trait can be used by different systems, and weaknesses in one system could lead to the compromise of the biometric trait for use in another system. Furthermore, such traits are not secret — we expose them in the course of everyday life. … It is accordingly, essential to validate that a trait presented to gain recognition truly belongs to the subject and is not being synthesized by an imposter."

In addition to expressing doubts about the efficacy of biometric systems, the NRC report also questions whether society as a whole accepts them.

"Many fear misuse of identification technology by authorities (from data compromise, mission creep, or even use of a biometric for other than specified purposes). To be effective, biometrics deployments need to take these fears seriously."

The report also states that while "biometrics systems perform well in many existing applications,” the capabilities and limitations “are not yet well understood in very large-scale applications involving tens of millions of users."

Learn more about this topic

National Research Council’s “Biometric Recognition: Challenges & Opportunities”

Biometrics help U.S. soldiers fight terrorism

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies