Before their time
- By Thomas R. Temin
- Sep 04, 2002
Kudos are due to researchers at the National Institute of Standards and Technology for being skeptical of biometrics.
NIST didn't create the policy that requires biometric identifiers be used on foreigners' travel documents; Congress did, in the USA Patriot Act of 2001. But NIST got the job of evaluating biometric products and reporting how they work to Congress.
NIST joins a growing number of agencies, notably the Customs Service and the Defense Department, that have looked at the current state of the technology and found it wanting.
Congress rushed the USA Patriot Act into law in the aftermath of Sept. 11. Just as the energy crisis of the 1970s gave us an ethanol and synfuels agenda, so Sept. 11 has forced a biometrics agenda. Do you know anyone who uses ethanol for fuel?
Biometrics technology just isn't ready for prime time. Certainly, fingerprint readers, iris scanners and facial recognition devices are promising, but they are fraught with flaws. Even where biometric IDs are used, it is only in conjunction with other, more stable authentication forms. Using biometric data across networks with questionable security compounds the danger.
No doubt you've heard the story, related by cryptography ace Bruce Schneier in his Crypto-Gram newsletter, of a Japanese cryptographer who made a gelatin cast of a real human finger and used it to fool 11 commercial fingerprint readers.
In tests of facial recognition products by our own GCN Lab, one system was unable to distinguish me from my boss when I put on his glasses. This error occurred in a database that had been filled with fewer than a dozen people's biometric information.
My point isn't that biometrics tools are hopeless. Intensive R&D no doubt will improve these systems, but they are still largely experimental. A law mandating their use runs counter to the notion of applying commercial best practices and adopting proven technology.
By all means, let's keep testing biometrics. But the government should be sure its existing security systems are finely tuned before inserting an unproven technology.