27 February, 2005: Without let or hindrance

[ Home page | Web log ]

A little while ago, James Fairbairn drew our attention to a piece in The Economist on biometric passports, concluding, by way of remark,

Eek! I wonder what Mr Lightfoot would say about this.

Well, true to form, I did comment, but since I suspect that my set of half-dozen readers is mostly disjoint with James's, I'm going to recycle (and proof-read) my comment from last time here.

In case you've remained mercifully ignorant of the biometric passports nonsense, here's a very quick precis.

After September 11th (an atrocity committed, as you will recall, by legal residents of the US travelling on genuine documents) it became vitally important for airport security types to Look Like They Were Doing Something.

Of course, at root, airport security is more-or-less a sham. But naturally this didn't stop them.

(``Goodness,'' you may think, ``that's very cynical! How could you say such a thing? What about all those X-ray machines and metal detectors and beefy-looking security guards frisking people at the airport? It certainly makes me feel secure!'' If so, think some more -- when was the last time that you heard about airport security guards intercepting a bomb in someone's luggage? And the last time you heard about an aeroplane blowing up in mid-air because of a bomb they didn't find? And if security has improved so much since September 11th, how come we haven't heard about all the baggage thieves who've been caught and prosecuted? Admittedly, I'm being a little unfair and anecdotal here. But that's what you expect, right?)

So, in order to be seen to be Doing Something about airport security, the Americans hired lots more airport security people and had them inspect travellers' shoes and occasionally deport Canadians to Syria (where they get tortured) for no reason. But obviously no modern security panic-reaction would be complete without an appeal to the miracles of `biometric' technology, and so it was duly decided that in the future passports would carry `biometric' details of their holders.

The idea here is that, to stop THE TERRORISTS from stealing other people's passports and travelling using them, you put some biometric information on every passport, and check that it matches the person carrying the passport whenever they travel.

But instead of using a credible biometric (expensive, and not very reliable), the biometric passport standard is designed to use only a digitised photograph of the passport holder. This can then be used as a `facial geometry biometric' (not quite as expensive, and hopelessly unreliable).

You will not be surprised to hear that I expect this to be a balls-up.

Very probably the technology won't work at all, and anyway the facial biometric is so laughable that even if it does work the effects will be counterproductive. But there are worse balls-ups in progress. At least the biometric passport nonsense isn't predicated on a central database (though you may have noticed that the Home Office have repeatedly lied that most of the cost of their ID cards scheme will have to be spent implementing biometric passports anyway).

In more detail: the plan is that you put an RFID chip on the passport which contains a certain set of data. That data is signed with a key owned by the passport-issuing authority, so that -- assuming that you have a reliable key distribution policy (not too hard with only ~150 countries out there, each with ~1 passport issuing authority) -- you can verify that the stuff on the chip is authentic.

Then, when the subject presents their passport at the airport or whatever, you take a photograph of them and compare it, using the miracle of facial biometrics, to the digitised photo on their passport. If they have exactly the same facial expression, facial hair etc. as when their passport photo was taken, and the lighting at the immigration desk at the airport is exactly the same as it was in the photo booth when their photograph was taken, then the system will say, ``this person is carrying a passport which was issued to them by the such-and-such passport agency''. If any of those conditions are not satisfied (which happens >10% of the time even under good conditions in tests), then the system will say this person does not match their passport photograph, and are therefore probably one of THE TERRORISTS.

(As an aside, I was going to write about the miracle of facial biometrics in more detail, but I'm not sure how many of my half-dozen readers can find it in their hearts to laugh at misapplied matrix algebra. Suggestions gratefully received.)

The next step, of course, is that each country records people's passport numbers and facial biometrics and uses this to detect people using more than one identity. This won't work at all, because of that 10% error rate. (NB, before you think I've made a mistake, that these systems are usually tuned to have equal false positive and false negative error rates.) Of course, we would all Heartily Endorse a scheme to prevent people travelling on false passports; after all, it's not like we give a fuck about refugees any more, is it?

Of course, using RFID for this is a fucking stupid idea. Most trivially, it means that anyone with enough technical wherewithal (not all that much...) can steal your personal data and use it to impersonate you in non-passport contexts. It probably also opens up all sorts of exciting man-in-the-middle attacks, too. For instance, I could arrange that the chip in my passport just relays requests and responses through to the person behind me in the queue. Given the 10% error rate -- and assuming that the 10% of comparisons which give false negatives are ignored, rather than resulting in instant deportation to `Camp X-Ray' or a Mukhabbarat torture chamber -- and the difficulty even trained people have in comparing photos to people (typically making mistakes on 43% of occasions), I would expect this attack to work rather well.

So, its another broken-as-designed idea from the wacky world of biometric security. Surely you dont expect me to act surprised?

Biometric passports... they're sort-of like ID cards. But only sort-of. So you only get one holiday photo:

The (considerably misplaced) Tyndale Monument


Copyright (c) 2005 Chris Lightfoot; available under a Creative Commons License.