Make your own ID

November 24th, 2007 by Ben Goldacre in bad science, geek, ID | 82 Comments »

Ben Goldacre
The Guardian
Saturday November 24 2007

Sometimes just throwing a few long words around can make people think you know what you’re talking about. Words like “biometric”. When Alistair Darling was asked if the government will ditch ID cards in the light of this week’s data cock-up, he replied: “The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be.”

Yes, that’s the problem. We need biometric identification. Fingerprints. Iris scans. Gordon Brown says so too: “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary.”

Tsutomu Matsumoto is a Japanese mathematician, a cryptographer who works on security, and he decided to see if he could fool the machines which identify you by your fingerprint. This home science project costs about £20. Take a finger and make a cast with the moulding plastic sold in hobby shops. Then pour some liquid gelatin (ordinary food gelatin) into that mould and let it harden. Stick this over your finger pad: it fools fingerprint detectors about 80% of the time. The joy is, once you’ve fooled the machine, your fake fingerprint is made of the same stuff as fruit pastilles, so you can simply eat the evidence.

But what if you can’t get the finger? Well, you can chop one off, of course – another risk with biometrics. But there is an easier way. Find a fingerprint on glass. Sorry, I should have pointed out that every time you touch something, if your security systems rely on biometric ID, then you’re essentially leaving your pin number on a post-it note.

You can make a fingerprint image on glass more visible by painting over it with some cyanoacrylate adhesive. That’s a posh word for superglue. Photograph that with a digital camera. Improve the contrast in a picture editing program, and print the image on to a transparency sheet, then use that to etch the fingerprint on to a copper-plated printed circuit board (it sounds difficult, but you can buy a beginner’s etching set at Maplin for £10.67). This gives an image with some three-dimensional relief. You can now make your gelatin fingerpad using this as a mould.

Should I have told you all that, or am I very naughty? Yes to both.

It’s well known that security systems which rely on secret methods are less secure than open systems, because the greater the number of people who know about the system, the more people there are to spot holes in it, and it is important that there are no holes. If someone tells you their system is perfect and secret, that’s like quacks who tell you their machine cures cancer but they can’t tell you how: it’s nonsense. Open the box, quack.

In fact you might sense that the whole field of biometrics and ID is rather like medical quackery: as usual, on the one hand we have snake oil salesmen promising the earth, and on the other a bunch of humanities graduates who don’t understand technology, science or even human behaviour. Buying it. Bigging it up. Thinking it’s a magic wand.

But it’s not. The leak last week wasn’t because of unauthorised access, it couldn’t have been stopped with biometrics; it happened because of authorised access which was managed with a contemptible, cavalier incompetence. The damaging repercussions for 25 million people will not be ameliorated by biometrics. What about the stalker, or the estranged husband, buying the address of his target?

And will biometrics prevent ID theft? Well, it might make it more difficult for you to prove your innocence. And once your fingerprints are stolen, they are harder to replace than your pin number. But here’s the final nail in the coffin. Your fingerprint data will be stored in your passport or ID card as a series of numbers, called the “minutiae template”. In the new biometric passport with its wireless chip, remember, all your data can be read and decrypted with a device near you, but not touching you.

What good would the data be, if someone lifted it? It would be everything. Jim Knight MP, the Labour Minister for Schools and Learners, said in July: “it is not possible to recreate a fingerprint using the numbers that are stored. The algorithm generates a unique number, producing no information of any use to identity thieves.” Greg Mulholland MP replied: “I hope that that is clear to all those listening, because it is an important reassurance on the points that the hon. Gentleman has made.”Crystal clear Jim, Greg. Unfortunately, a team of mathematicians published a paper in April this year, showing that they could reconstruct a fingerprint from this data alone. In fact, they printed out the images they made, and then – crucially, completing the circle – used them to fool fingerprint readers.

Ah biometrics. Such a soothingly technical word. Repeat it to yourself.

References:

Here is the Matsumoto “Gummi” paper:

www.lfca.net/Fingerprint-System-Security-Issues.pdf

And here’s a great presentation featuring really nice photographs of the process:

web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf

Here’s the paper on producing a fingerprint from the minutiae template:

biometrics.cse.msu.edu/Publications/SecureBiometrics/RossShahJain_FpImageFromMinutiae_PAMI07.pdf

Here’s a nice pic:

If anyone’s interest in this kind of thing is piqued, I recommend Ross Anderson’s book (although I disagree with him on issues around medical data for research):

www.cl.cam.ac.uk/~rja14/book.html

And Bruce Schneier’s security newsletter is excellent:

schneier.com/crypto-gram.html

And here’s a video of some chaps doing the biometrics tricks:

And this from the comments, which I should have mentioned:

There is a true anti-ID cards campaign, and it’s been going for quite a while and it’s had its own victories in this very long and difficult fight. Just visit www.no2id.net.

I would encourage everyone who comments here to write to their MP (easily done, at www.writetothem.com) and at the very least draw their attention to Ben’s column and, if you have more time, to the wider problems with ID cards. No2ID has a lobbying guide which is linked to from their front page. Even if you only have 10 mins to spare, it is worth sending a quick note to your MP to make your feelings known.


++++++++++++++++++++++++++++++++++++++++++
If you like what I do, and you want me to do more, you can: buy my books Bad Science and Bad Pharma, give them to your friends, put them on your reading list, employ me to do a talk, or tweet this article to your friends. Thanks! ++++++++++++++++++++++++++++++++++++++++++

82 Responses



  1. jackpt said,

    November 24, 2007 at 1:21 am

    Another potent point that needs to be made is how the birthday theorem affects systems with large numbers of users. It’s a point you’ve made potently in the past about DNA.

    Regarding the minutiae attack, the attack wouldn’t be feasible if a digest rather than the minutiae template was stored. The idea being that the biometric device samples the minutiae, creates a hash digest and compares it with a hash digest in a database. That’s somewhat simplified, but if people are storing biometric data in its raw form there’s
    something going very wrong.

    The problem is that, as per the birthday theorem, there’s going to be collisions, even (seemingly) with the odds stacked against them. There are ways to reduce that risk.

    However, I am opposed to identity cards on privacy grounds, and I doubt that it will be implemented well. Particularly if it goes down the security through obscurity route and uses proprietary, non-peer reviewed, crypto protocols and crypto algorithms.

  2. Hermit of the Southern March said,

    November 24, 2007 at 2:27 am

    This is one of your angriest columns in ages, and it’s brilliant. Well done Ben!

  3. henbane said,

    November 24, 2007 at 3:09 am

    I have to say that this article is too sterile for my taste. ID cards needs to be put before the public more than ever now that Darling has cocked up. As it is, we’re all stuck with over-priced passports which broadcast our personal information thanks to kowtowing to the US, but now is the time to start a true anti-ID campaign. Well done Ben for making the effort. I just wish you had been as strident as you were last week about homeopaths.

    If you have any “if-you-haven’t-done-anything-illegal-you-have-nothing-to-worry-about” types for friends, remember to point them at this; or just ask them for their bank details.

  4. Kimpatsu said,

    November 24, 2007 at 5:48 am

    Her in Japan, all visitors and all foreign residents now have to be fingerprinted and photographed upon (re)entry to the country every time. This is a complete farce–and a violation of human rights to boot.

  5. bazvic said,

    November 24, 2007 at 7:12 am

    1) Those with faith in technology do not understand technology.

    2) What man can make, man can break.

    The other real deficency in biometic ID is that it not fault tolerant. The question can remain if an ID fails (or indeed succeeds) is it the person that is wrong or the process ?

    Technology moves problems rather than solve them.

  6. shpalman said,

    November 24, 2007 at 8:06 am

    Every other country seems to make do with an I.D. card which is a bit of paper with your photo on it – but the government seems to have a swooning love affair with pointlessly complicated technology.

  7. briantist said,

    November 24, 2007 at 9:31 am

    Well done, once again, Dr Ben. I’ve been bleating on about this (well, I am a computer security expert as a day job) for years and no-one gets it.

    Perhaps people will trust a doctor when the won’t take a programmer’s reasoned arguments.

  8. robertthewizard said,

    November 24, 2007 at 9:55 am

    Of course, if you find a disk containing a copy of the ID card database destined for audit or backup, then you don’t need any biometric data to read it.

  9. manigen said,

    November 24, 2007 at 10:48 am

    My christmas list has now got three extra items on it:

    *Gelatin
    *Superglue
    *A Beginner’s Etching Set

    As soon as the system is built, it’ll be broken, so I might as well be prepared.

  10. Paul Crowley said,

    November 24, 2007 at 10:55 am

    Great stuff – thanks Ben!

    Biometrics themselves are not quackery and you shouldn’t have said they were. There is plenty of open, published, peer reviewed research on the subject and used properly, they can be a highly effective means of verifying someone’s identity. But quackery in the world of security is a constant refrain – read any of Bruce Schneier’s “The Doghouse” columns in his blog. Darling’s mention of it is the brandishing of a real area of scientific investigation to a thorougly scientifically unjustified end – biometrics can’t stop authorized parties misusing their authority, or replace a badly designed authorization structure with a good one. Biometrics would have done nothing to prevent this, just as ID cards would have done nothing to prevent 9/11 or 7/7.

    The technical term for the problem Matsumoto (and Mythbusters) highlight is that of verifying liveness. Fingerprint scanners are not wholly ineffective at distinguishing one person’s finger from another, and other technologies such as iris recognition or hand geometry scanners are even more effective. However, they’re usually not so good at telling whether what they are being presented with is the real live biometric of the person who’s trying to get in, or something else more like a fruit pastille. Again, iris scanners are better than this, but it’s an area where the attackers often catch up to the target and it would be foolish to bet your high-value security on the assumption that they won’t catch up again. The best liveness test is a security guard standing next to the camera, who can check that what you’re presenting is really your eye. Again, it’s a bit unfair to focus on fingerprints, which are a long way from being front runners in the biometrics stakes, and it’s a bit unfair to act as though biometrics research hasn’t thought about the problem.

    The Government’s references to biometrics as the solution to all security problems are just surreal. Are there any actual scientific papers that contain the claim, “we believe that given a full set of minutae (the “unique number”), generating a matching fingerprint is a hard problem”? Or is that just an MP’s mangled understanding of the science?

  11. Suw said,

    November 24, 2007 at 11:11 am

    @henbane (#3): There is a true anti-ID cards campaign, and it’s been going for quite a while and it’s had its own victories in this very long and difficult fight. Just visit www.no2id.net.

    I would encourage everyone who comments here to write to their MP (easily done, at www.writetothem.com) and at the very least draw their attention to Ben’s column and, if you have more time, to the wider problems with ID cards. No2ID has a lobbying guide which is linked to from their front page. Even if you only have 10 mins to spare, it is worth sending a quick note to your MP to make your feelings known.

  12. kim said,

    November 24, 2007 at 11:17 am

    For anyone concerned in particular about the huge rise in the use of biometrics with schoolchildren in this country, I suggest going to www.leavethemkidsalone.com, which is campaigning on the issue.

  13. lxg said,

    November 24, 2007 at 11:34 am

    Thank you for doing this vital subject so brilliantly. One thing, what happened to the “facial scans” people were proposing? have they gone away? Please god let them have gone away.

  14. Strcprstskrzkrk said,

    November 24, 2007 at 11:50 am

    Long-time reader, first-time poster.

    Very disappointed in your throwaway generalisation about “humanities graduates”. I’d always pegged you for somebody who understood that the sciences and humanities are not mutually exclusive.

    I may just start up a column called “Bad Humanities” and begin with this article.

  15. David Mingay said,

    November 24, 2007 at 12:39 pm

    #14 – I don’t see any generalisation. It refers to a specific “bunch of humanities graduates” – those “who don’t understand technology, science or even human behaviour”. I think I may just start up a “Bad Logic” column.

  16. Sid said,

    November 24, 2007 at 1:02 pm

    Shame there wasn’t a mention of the
    UK Biometric passport hack.
    www.techworld.com/security/news/index.cfm?newsid=8185

    Maybe next time…

  17. jackpt said,

    November 24, 2007 at 1:40 pm

    Shpalman, just to be a little pedantic (although you’ll find this interesting too) photos can be pretty awful for human2human recognition:

    www3.interscience.wiley.com/cgi-bin/abstract/11942/ABSTRACT?CRETRY=1&SRETRY=0

  18. Albeytar said,

    November 24, 2007 at 2:06 pm

    Try this on the subject of ID cards:- eclectech.co.uk/clarkidcards.php

    Not hitech but very amusing.

  19. Albeytar said,

    November 24, 2007 at 2:10 pm

    Sorry about that! It doesn’t work. It’s an old file I’ve got which is apparently no longer available.

  20. jackpt said,

    November 24, 2007 at 2:30 pm

    Here’s a better link to the paper about photo id fail rates.

  21. yellowbrickchick said,

    November 24, 2007 at 3:27 pm

    Firstly just to say how much I enjoy your column – I’ve lost count of the times I’ve recommended it to people and/or quoted from it, and I wish there was more of this kind of reporting around.

    But I do agree with poster no.14 that the comment about “humanities graduates” grates a bit. Maybe it wasn’t meant as a generalisation but it the implication is that humanities is a dirty word. You don’t need to a degree in science to understand basic scientific logic and methods. I’m not sure exactly why politicians have such a problematic approach to science but I’m not sure you can blame their degrees..

  22. Andrew Taylor said,

    November 24, 2007 at 3:29 pm

    This is great. I do love a simple how-to on defeating hi-tech security.

  23. Strcprstskrzkrk said,

    November 24, 2007 at 3:42 pm

    Point taken, David (#15), however does Ben know for a fact that all those involved in “medical quackery” are either (a) snake oil salesmen [not easy to find good snake oil nowadays] or (b) “a bunch of humanities graduates”, implying that no science graduates (although these could be a subset of (a)) have been guilty of quackery.

    It would seem that part of Ben’s project here is to point to exactly the opposite conclusion. Science graduates are no more trustworthy than humanities graduates if they “don’t understand technology, science or even human behaviour”.

    The implied generalisation would appear to stand in Ben’s article; but stupidity and deceit are not the sole preserve of the humanities.

  24. eaton bishop said,

    November 24, 2007 at 5:14 pm

    Great article. But will you stop laying into us humanities graduates? We’re a sensitive bunch. That’s why we did humanities. Pity us. I agree with the unpronouncable chap above.

  25. guthrie said,

    November 24, 2007 at 6:26 pm

    Hark- is that the sound of Bens door being smashed, and him being dragged away under charges of possessing material conducive to terrorism?

  26. projektleiterin said,

    November 24, 2007 at 6:43 pm

    I’ve always wondered if with the introduction of more biometric identification people should start worrying more about their fingers and eyeballs. Somehow it strikes me as a logical consequence.

    By the way, someone does not seem to like humanities graduates and it’s not me. :D

  27. john barleycorn said,

    November 24, 2007 at 6:46 pm

    Can’t we just round up all the humanities graduates and string them up? They seem to be responsible for everything bad in the world…

  28. Strcprstskrzkrk said,

    November 24, 2007 at 6:50 pm

    Rumbled!

    Quick everyone, register for Business Science!

  29. Neil Desperandum said,

    November 24, 2007 at 7:16 pm

    I think the point about the humanities graduates dig is that you can be sure the civil servants and politicians involved in selecting technology ARE humanities graduates and not scientists. Civil servants and politicians generally are.

    Ben’s pointed out in the past that the same is true in the media – even science correspondents are generally humanities graduates.

    There’s a real problem of not enough scientists being employed in certain influential areas like the civil service and the media.

    It’s not that scientists are brighter than humanities graduates, but they are more likely to know something about science and technology and be able to comment critically about it. Humanities graduates just have different experiences and expertise.

  30. eaton bishop said,

    November 24, 2007 at 8:42 pm

    Just checked Wikipedia, and of 22 cabinet ministers, 18 had humanities degrees (mainly PPE and Law), 2 did not specify. Only John Denham (DIUS)had a Science degree – Chemistry. Though Harriet Harman’s dad was a doctor and Miliband’s got a D in physics, which is reassuring.

    This is my Saturday night, damn it.

  31. Ben Goldacre said,

    November 24, 2007 at 8:50 pm

    haha excellent digging eaton.

    my issue is not with ignorant humanities graduates, so much as with those humanities graduates who engage themselves in complex matters which require some technical understanding, and then profess expertise, whether it is security, risk, treatments, stats, etc.

    the phenomenon of being too incompetent to assay your own incompetence is discussed in some detail in one of my favourite academic papers of all time:

    Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments
    Journal of Personality and Social Psychology
    1999, Vol. 77, No. 6. ] 121-1134
    Justin Kruger and David Dunning
    Cornell University

    Abstract:

    “People tend to hold overly favorable views of their abilities in many social and intellectual domains. The authors suggest that this overestimation occurs, in part, because people who are unskilled in these domains suffer a dual burden: Not only do these people reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the metacognitive ability to realize it. Across 4 studies, the authors found that participants scoring in the bottom quartile on tests of humor, grammar, and logic grossly overestimated their test performance and ability. Although their test scores put them in the 12th percentile, they estimated themselves to be in the 62nd. Several analyses linked this miscalibration to deficits in metacognitive skill, or the capacity to distinguish accuracy from error. Paradoxically, improving the skills of participants, and thus increasing their metacognitive competence, helped them recognize the limitations of their abilities.”

    it can be found here:

    www.apa.org/journals/features/psp7761121.pdf

  32. Robert Carnegie said,

    November 24, 2007 at 10:50 pm

    What sorts of problems do other countries have with the ID card systems they run? And where can I read up on good security practice with large databases, distributed or otherwise, that prevents people from doing the child benefit thing if they take it into their heads to? Because at my workplace I could put into my own hands with a couple of commands to a set of Microsoft SQL Servers, a great deal of personal data that I could misuse very badly. (I’m not asking for offers.) Presumably, good practice includes, at best, very few people being able to do that.

  33. projektleiterin said,

    November 24, 2007 at 10:50 pm

    I would like to mention that Germany’s chancellor Angela Merkel has a PhD in Physics and is a woman. :D I don’t vote for her party though. :(

  34. jackpt said,

    November 24, 2007 at 10:58 pm

    RC, check out the links and the books here. Anderson’s book is available online. Multiple chapters will interest you.

  35. john barleycorn said,

    November 24, 2007 at 11:21 pm

    “my issue is not with ignorant humanities graduates, so much as with those humanities graduates who engage themselves in complex matters which require some technical understanding, and then profess expertise, whether it is security, risk, treatments, stats, etc.”

    With you all the way there. My favourite from my own field (eek! Fine Art) is John Latham, web.archive.org/web/20050311223051/http://www.flattime.net/index.html
    People think he was a genius!

  36. wilyoldpete said,

    November 25, 2007 at 12:06 am

    Hope the Germans know about this!!
    www.bbc.co.uk/worldservice/learningenglish/newsenglish/witn/2007/11/071123_fingerprint.shtml

  37. Mike said,

    November 25, 2007 at 12:27 am

    The following email to the ICO bounced. I have removed my name and contact details, and the name of my MP. There is a link to a highly technical, but apparently peer-reviewed and respected, research publication. I have added my own interpretation for those with more limited statistical knowledge.

    ++++

    FAO Richard Thomas Information Commissioner

    Dear Sir

    I remain concerned, following the recent loss of personal details held by HMRC, that I could in the future have my personal details held on an ID National Database, with no guarantee in my view that it is likely to be secure. My scepticism is based on the poor outcome of previous large govt IT systems, and the equally poor prognosis for those ongoing.

    Please find appended an email to my MP, highlighting a particular problem with multiple biometric tests. When used in combination, their overall reliability may be worsened. I do not object to carrying ID as such, as required in continental Europe, but only to the proposed ID National Database.

    +++ Forwarded message, dated 18-Feb-2006 +++

    Dear

    Further to my email earlier today, reminding you that I had expressed concern to you in May 2005 about the reliability of multiple biometric tests, and asking you to look again at…

    www.cl.cam.ac.uk/users/jgd1000/combine/combine.html

    I have found that this article generated extensive discussion from people with better knowledge of probability than mine. Most agree that combining probabilities from multiple biometric tests is fraught. I have no doubt that the protagonists have put their views to gvt experts.

    For those of us with more limited expertise, may I explain this in basic terms?

    The best published evidence is that the 3 proposed biometric tests each has a certain probability of giving a correct result. Facial recognition 69%. Fingerprint recognition 81%. Iris recognition 96%.

    Therefore, if a strict recognition regime is applied (for example when screening for suspected terrorists), in which all 3 biometric tests must be passed, there is probability of 0.69×0.81×0.96 (= 54%) that a correct result will ensue. But nearly one chance in two of incorrect rejection.

    If only only one of the 3 tests must be passed (for example when checking in non-suspicious passengers at airports), the probability of incorrect rejection is 0.31×0.19×0.04 (=0.24%). This may seem low, but it would mean one or two passengers incorrectly turned away from many intercontinental flights, and would not pass my personal criterion.

    I am aware that I have simplified the statistical argument, but only better to make my point. There will be plenty of experts to argue the finer mathematics.

    +++ end of forwarded message +++

  38. regularfry said,

    November 25, 2007 at 12:31 am

    @jackpt, first post:

    You can’t use a one-way hash function for this application, because the minutiae readings can be subtly different from one reading to the next. This means that go/no-go has to be based on proximity to the stored template, not a precise match. A hash function that preserved proximity would reversable. At least, that’s my understanding.

  39. pogo said,

    November 25, 2007 at 12:41 am

    Most amazing thing about the “Mythbusters” fingerprint lock crack was that after all the (successful) monkeying around with fingerprints made from ballistic gels etc they finally succeeded in opening the lock using just a *photocopy* of a fingerprint!

  40. jackpt said,

    November 25, 2007 at 2:16 am

    @regularfry, I was wrong, sorry for misleading anyone and thanks for correcting me. I’ve been very slack in keeping up with what’s going on. What is the current state of play? Fuzzy vaults etc? Encrypting the minutiae using some kind of PIN or password? Clearly storing or transmitting it in the clear would be a very bad thing indeed.

    There’s been a couple of discussion about issues tangetial to this on the forum here and here. There may be similar mistakes or innacuracies, so feel free to log in and comment :).

  41. scotlyn said,

    November 25, 2007 at 1:38 pm

    As myself and my children already possess “biometric” passports, is there anyone out there with sufficient technical expertise to advise on a mode of carrying them around in public places that will protect them from hostile RFID readers in the vicinity?

  42. Ben Goldacre said,

    November 25, 2007 at 1:44 pm

    as is well documented with the US biometric passports you can hit it with a hammer.

    www.wired.com/wired/archive/15.01/start.html?pg=9

    this doesnt invalidate the passport, it just trashes the chip, but it’s illegal to interfere with a passport, therefore this is a heinous crime.

    maybe people will start selling passport holders which serve as faraday cages.

    en.wikipedia.org/wiki/Faraday_cage

  43. Some Random Bloke said,

    November 25, 2007 at 2:07 pm

    Excellent article, which I hope will be the first of a series.

    The next article could be based on igb’s classic [url=http://www.badscience.net/2007/10/oooooh-im-in-the-minority-report/#comment-17891]”biscuits to Portsmouth”[/url] comment.

    [quote]What the MPs in the Minority Report (*) clearly haven’t heard of is the somewhat confusingly named Open Source Intelligence. There’s a whole subclass of intelligence work, with big computers and clever people, which works on distilling down newspapers, public websites, Usenet (back in the day), blogs (today), plus information whose classification is so nugatory that it’s for practical purposes open (`Restricted’ and `Confidential’, clearances honoured more in the breach) and so on to extract classified material.

    That’s why a clearance that permits you access to Secret, say, is also required for sufficient volumes of Confidential that allow information marked Secret to be deduced. An acquaintance some years ago had had to hold DV (ie sufficient clearance for TS and above) in order to work on an ERP system in the 80s, because one thing being planned from food and clothing deliveries to the nuclear deterrent, from which cruise plans could be deduced.

    This is, in passing, why all those stories about “classified orders for biscuits” show a lack of understanding. If you were German and the date was May 1944, and you heard about a large order of biscuits being delivered to the depot Portsmouth but no similar order going to Dover, what would that tell you?
    [/quote]

    That’s exactly why it’s dangerous to have a single database containing every single snippet of information about you in one place. The powers that be have a lot of information about me, but while it’s all scattered around, it’s difficult to use any given piece of information for other than its intended (and generally acceptable, or at least implicitly authorised) purpose. Put it all together, and information collected for one benign purpose can be used for far more powerful purposes which I probably don’t know about and certainly haven’t authorised.

  44. Some Random Bloke said,

    November 25, 2007 at 2:09 pm

    OK, that’s not how you format links here. The link should be:
    www.badscience.net/2007/10/oooooh-im-in-the-minority-report/#comment-17891
    or
    tinyurl.com/3yfon3

  45. Ben Goldacre said,

    November 25, 2007 at 2:15 pm

    heh shhhh

    yeah i was going to do the whole data record linkage, everything in one place, mosaic attack thing next, unless the newspapers come up with something irresistibly stupid to write about in the intervening.

    i think it’s fascinating how little people have thought this stuff through.

    the public data problem also exemplifies another longstanding unspoken privacy issue: the biggest threat to your privacy is your mother. she knows more about you than anyone, but she only tells your girlfriend and your mates, and they might tell some other people when they’re drunk. if what your mother knows becomes public, linkable, searchable, then your privacy is basically over. the normal everyday practical constraints on the movement of knowledge are going and we are entering some freaky times.

    actually my guess, now that old misdemeanours and infantile usenet posts can come back to haunt you, is that people might become more forgiving. dunno.

  46. jackpt said,

    November 25, 2007 at 3:11 pm

    BG@2.15pm – An extension to that problem is the belligerent ex-girlfriend posting stuff on the internet about you. That’s definietly one to avoid.

  47. BobP said,

    November 25, 2007 at 3:37 pm

    Ben said –

    “Maybe people will start selling passport holders which serve as faraday cages.”

    Done!

    www.rfid-shield.com/

  48. gadgeezer said,

    November 25, 2007 at 3:42 pm

    I have to admit that Mrs G knows more about self and siblings than self and siblings because she actually listens to mother and other relatives (cough). As a case in point, at a family event some time ago, one of my cousins was wittering on about diabetes and CVD in the family and how we are all doomed. Mrs G inadvertently threw a bomb into the conversation when she said, “But not all of you are affected by that because X, Y and Z are the children of the 2nd wife and so far it looks like the problem was transmitted down maternal line of 1st wife”.

    I knew there was a large age difference between my dad and his siblings – I had never picked up on the fact that my grandmother was my grandfather’s 2nd wife. Nor, in my defence, had my siblings or various other relatives.

    Yes, I would be incapable of giving a decent family medical history if it were ever needed. Ultimately, database linkage may be a threat because it is based on the recollections and inaccurate notions of the semi-oblivious such as myself.

  49. Nigel Sedgwick said,

    November 25, 2007 at 4:12 pm

    @Mike who quoted (comment 37) from his letter to the ICO:

    “Further to my email earlier today, reminding you that I had expressed concern to you in May 2005 about the reliability of multiple biometric tests, and asking you to look again at…

    www.cl.cam.ac.uk/users/jgd1000/combine/combine.html

    Therefore, if a strict recognition regime is applied (for example when screening for suspected terrorists), in which all 3 biometric tests must be passed, there is probability of 0.69×0.81×0.96 (= 54%) that a correct result will ensue. But nearly one chance in two of incorrect rejection.

    …”

    I think care is needed here, as the above assumes (only) ‘decision combination’ and not ‘score combination’.

    With ‘score combination’, as indicated towards the end of the referenced paper on John Daugman’s website, biometric fusion is much more useful.

    Best regards

  50. scotlyn said,

    November 25, 2007 at 6:24 pm

    OK, thanks, BobP, I checked out the RFID Shield, whose properties are described thus: “The metal shielding in the RFID Shield acts as a “Faraday cage”, preventing radio frequency waves from getting to your passport and keeping your data inaccessible. When it comes time to use your passport, take it out of the sleeve and use it as you normally would – the shield does not break or inactivate your passport; it merely keeps it protected when not in use.” To anyone with this sort of expertise, does that sound like a legitimate claim? Anyone know if the device has been tested against, for eg, a hacker like the one cited above by Sid at post no 16?

  51. Mike said,

    November 25, 2007 at 7:23 pm

    Thanks Nigel Sedgwick for your comment #49 re my comment #37.

    I am not an expert mathematician, but do know that combining probabilities can have results which are counter-intuitive. I tried to alert my MP to this, telling him that it made me suspicious of the proposed National ID database.

    Thanks to everyone else taking this threat seriously.

  52. BobP said,

    November 25, 2007 at 10:47 pm

    @32 Robert Carnegie:

    I’m a bit rusty on data protection, but I think the position is as follows –

    The Eight Principles of Data Protection are listed here:

    www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx

    (NB – HMRC is exempt from this)

    If it’s true that you have server level access to personal data on your system, then the system does not conform to principle #7 (secure) and maybe #2 and #5. If you go anywhere near them, then that shoots #1,2, and 6. do you think you ought to tell your DP manager about this?

    I also have completely unwarranted read access to my employer’s system, it’s great fun and I don’t really want to point it out to anybody but this little voice keeps telling me that I ought to.

    Which, I think, serves to reinforce Ben’s main point about the fallibility of big complex systems.

  53. crana said,

    November 25, 2007 at 11:43 pm

    The photograph and use to make a gummy finger is the centre of one of the earliest forensic science detective stories, The Red Thumb Mark by R. Austin Freeman. He wrote it largely to illustrate the dangers of relying so heavily on fingerprints when solving crimes, and it’s not a bad read at all – out of copyright, and free online

  54. Robert Carnegie said,

    November 26, 2007 at 1:14 am

    On the RFID shield question, I tried keeping my cell phone in a metal case a while ago and apparently it took it off the network. On the other hand, presumably tagged goods sold in shops can’t be carried out in a metal mesh bag – or perhaps they can. I suppose the latter case is only “detect that activated tag is in range”, rather than detailed meaningful communication, which is the requirement for chips that contain data.

    On data security, I’m involved in maintenance and programming, and it would be more difficult to do my job and to help users of the system to do their jobs without access to data, and I never use my access inappropriately (intentionally; sometimes I mistype a command and I see something I shouldn’t look at). But as far as I can see (for instance from that), the only thing preventing it is me.

  55. BobP said,

    November 26, 2007 at 9:51 am

    Robert – fair enough, your access is necessary & justified as part of your job and you are effectively in a position of trust.

    In my case, it’s spurious. Time for a chat with the DP manager.

  56. jackpt said,

    November 26, 2007 at 3:12 pm

    Norbury, the easiest way to acquire a specific fingerprint it to get them to touch something clean. You could do this by passing them something like a pencil case or ID card, dust their front door, dropping something in front of them that they’ll pick up and pass to you (drop a bundle of CD cases), dust their car door, dust their mobile phone, take all of the paper from their recycling paper-bank, dust their wheeliebin, dust their windows, use their bathroom and dust it, their desk pencil-holder, desk, etc. and a few more imaginative ways. It may take a couple of tries but it’s not that difficult.

    At present it’s fairly easy to steal an ID, but not very easy to keep up the pretense. Every time you used it you’d significantly increase the chances of being rumbled because of anti-fraud measures. But, with an ID card once it is accepted nobody asks any questions because the computer says yes. It’s a bit like knowing a PIN number for a chip and pin credit card – if you know that nobody asks any questions, while they used to have to compare signatures.

    So if the governments ID scheme can be broken it’s much worse than the present situation. And if it is adopted we have to hope that all British governments in the future don’t misuse it. That is something nobody can guarantee.

    I don’t think aluminium would work, most Faraday cages are made of fine copper latices because of the properties that has.

  57. quietstorm said,

    November 26, 2007 at 7:52 pm

    I was always worried that ID cards may become the “preferred method” of identification.

    I lose stuff. All the time. It’s very irritating, but I’m slightly absent-minded, and have a tendency to go out drinking every so often, and as a result stuff gets misplaced.

    If my credit cards get misplaced, then I have other id to back them up. If my driver’s license gets misplaced, I have a passport to persuade people I am who I say I am. If my passport and work permit gets misplaced (oh dear god, can’t even imagine the hassle there) I have a birth certificate/driver’s license/a long history of communications with the Canadian immigration people/national insurance number card/social insurance number/tax forms etc to fall back on to persuade people that I am the person I say I am and they can renew my passport and other important papers.

    Those people who advertise the ID cards as the only piece of ID anyone would ever need scare me witless. Especially when you think how easy it might be to fool the various detectors into thinking that you were the person identified on the ID. I want lots of official pieces of paper and cards etc which determine my identity. It makes it much harder to steal my identity if all the proof of it is kept in different places. It makes it very easy to steal my identity if it only involves a card (which I would probably end up having to carry with me all the time), my fingerprint and perhaps my eyeball…

  58. Finger waggler said,

    November 26, 2007 at 8:55 pm

    Uh oh, i seem to be in disagreement with many of the posts. But, i hope i’ve got an open mind…

    I think it’s clear that pretty much any security system will have holes.

    The highly determined will always try to get around the security of any database or ID systems, and the key question is ‘is it possible to keep ahead and prevent most (if not all) subversion.

    Yes, the ID card system has risks, but are we going to stop trying new systems? We can’t go back to the victorian era…

    Also too of the rhetoric seems to be about things that are possible, but i would describe as unlikely.

    I’m no great fan of government IT projects, but do like the idea of being able to keep quite efficient tabs or assorted crims and undesirables. However, this may be because i don’t watch many Hollywood conspiracy flicks…

  59. jackpt said,

    November 26, 2007 at 10:14 pm

    Finger Waggler, what crimes do you think it would prevent?

    How do you think that it would keep tabs on “assorted crims and undesirables”?

    And how do you think any of the objections raised compare to Hollywood conspiracy flicks?

  60. Finger waggler said,

    November 26, 2007 at 10:26 pm

    I think it might help the police find those who have absconded from jail or parole. There seem to be quite a few people that the ‘polis’ are keen to have a word with, and these individuals would find it hard to keep out of view. I know it seems rather 1984, but even Google ‘tracks’ people.

    While the ID scheme has flaws, i have lived in the US, where a drivers licence is a de facto ID card. Strangely, they manage pretty well. In europe, i believe that the germans and french are obliged to carry ID.

    My Hollywood allusion refers to the fear that somebody is going to steal your ID. It does happen, but rarely ! I claim it isn’t easy, and is unlikely to happen in a high proportion of the population. If it did, the system wouldn’t work and would be abandoned.

  61. Finger waggler said,

    November 26, 2007 at 10:47 pm

    And another thing… An ID system does make it less attractive to people that wish to abuse our hospitality. I think that the UK has a generous approach to those that have genuine asylum claims (and that is good) but there will always be some (hopefully few) that want to abuse the system. Not to mention those with even more sinister aims. ID cards are not foolproof, but they will make it less easy to hitch a free ride, and deter some (but not all). Is that such a bad thing ?

    And relating to the hollywood analogy, why is it the the government are ‘completely crap’ at the ID security, but ruthlessly efficient at having the black clad stormtroopers in slient helicopters ? Somewhat odd…

  62. jackpt said,

    November 26, 2007 at 10:53 pm

    I sort of agree with your point about ID theft being a bit Hollywood, but preventing ID theft is one of the reasons politicians are promoting the cards. If it doesn’t prevent ID theft, as Ben has demonstrated, it removes one of the key arguments.

    Point 1, people who have absconded from prison or parole will not make a point of interacting with the state. That is where the ID cards are will be used. Carrying them is not mandatory, even if it were abscondees would not carry them for fear of being checked.

    Point 2, in countries with ID schemes there are not lower levels of ID theft, and it has not prevented terrorism or fraud. The figures are all comparable with ID card free UK. I believe ID theft is higher in the United States.

    In 2006 there were 80,000 cases of identity theft in the UK, affecting roughly 0.13% of the UK. (old fashioned fraud/organised crime is still far more lucrative) Given identity theft is comparable or worse in countries with ID schemes, why do you think fraud with UK ID cards is any more unlikely?

    So I agree that ID theft is comparitively rare, but the benefits of a passable biometric ID would make them a far more lucrative target for criminals.

  63. jackpt said,

    November 26, 2007 at 10:58 pm

    And another thing… An ID system does make it less attractive to people that wish to abuse our hospitality. I think that the UK has a generous approach to those that have genuine asylum claims (and that is good) but there will always be some (hopefully few) that want to abuse the system. Not to mention those with even more sinister aims. ID cards are not foolproof, but they will make it less easy to hitch a free ride, and deter some (but not all). Is that such a bad thing ?

    Hasn’t prevented illegal immigration in France, Germany, Spain, or the United States. I don’t see why ID cards would here. The majority of illegal workers wouldn’t be issued ID cards because the state doesn’t track them. So it’s not a deterrent.

    And relating to the hollywood analogy, why is it the the government are ‘completely crap’ at the ID security, but ruthlessly efficient at having the black clad stormtroopers in slient helicopters ? Somewhat odd…

    That’s rather unfair. I think there’s very few people in this discussion that think of things that way.

  64. isitmedicine said,

    November 26, 2007 at 11:12 pm

    Even if every problem listed above could be solved, my main objection to ID cards would still be on the grounds that pretty much every single company or organisation that I have dealt with and who has held data on me has cocked something up at one point or another. Service providers, councils, inland revenue, banks – they make mistakes (tiny or monumental) often enough for me to actually expect it. I don’t see how this would be any different. Except that the consequences would be far more severe.

  65. Mike said,

    November 26, 2007 at 11:52 pm

    FROM ANOTHER BLOG –

    Prion – 03:32pm Nov 26, 2007 GMT (#1980 of 2007)
    If the probability that facial recognition would correctly match a person to their entry on the NIR is 0.69 (69%) and fingerprint recognition is 0.81 (81%) and iris recognition is 0.96 (96%), then the probability of ALL three matching you on the database would be 0.9956 (99.56%) (Using Bayes theorem)

    AND ANOTHER

    stochata – 07:59pm Nov 26, 2007 GMT (#2004 of 2007)
    Bayes theorem says P(A|B)=P(A)P(B|A)/P(B)

    The formalism (X|Y) is “X given Y”. For example, the probability it’s you given a positive biometric match.

    For example, P(A) is the probability it is you (1 in 60 million if we have 60 million records in our database), P(B) is the probability that the scan matches you arbitrarily (unknown: it’s essentially, what proportion of the population match any one scan). We do know P(B|A), the probability of the scan matching given it’s you: e.g., for facial recognition, 0.69 or whatever it was. P(A|B), the probability of it being you in front of the scanner given a postive match is also unknown.

    Unfortunately, this doesn’t help us because there are too many unknowns.

    If someone knows either of the unknowns or their complements (the probability it’s not you given the scan is negative, or the probability of a negative match), then Bayes theorem might be useful.

    As it stands it’s just a bizarre diversion. The use of it above is incorrect.

    Edit: I should add that A needs to be independent of B. Given it’s not, Bayes theorem in any case should be used with caution.

  66. Filias Cupio said,

    November 27, 2007 at 1:24 am

    Off-topic a bit:

    The Onion on the ‘fake acupuncture cures backpain’ study:

    www.theonion.com/content/amvo/study_acupuncture_works

  67. Norbury said,

    November 27, 2007 at 7:08 am

    Jackpt, exactly. That’s pretty hard to do. It means for example that you have to target someone specific. As for signatures being secure, you are having a laugh aren’t you? When were they ever checked? I signed as Donald Duck many times. Here’s my story, once I dropped my wallet, on my way back to work after lunch. I didn’t notice till the next day. In the two hours after dropping several hundred pounds were spent, using my signature protected card. Be more difficult to do with a fingerprint protected card.

  68. philbo said,

    November 27, 2007 at 2:01 pm

    As someone who’s worked with biometrics for over a decade, I agree completely with his tirade above, and add a couple more observations:
    There is a problem with the people selling the biometric technologies not recognizing the limitations, and believing that any deviation from the perfection of identifying everybody every time is simply a matter of getting the technology right. In practice, biometric technology has got much, much quicker and more powerful over the last few years, but hasn’t actually got any better at all.
    Re the “snake oil” comment – a joke /truism I was told by an American chap soon after I started:
    Q: What’s the difference between a used car salesman and a biometrics salesman?
    A: The used car salesman knows when he’s lying

  69. jackpt said,

    November 27, 2007 at 2:59 pm

    Norbury, I don’t know if you follow the news, but ID cards are being sold as preventing identity theft. ID theft, and the success thereof, depends on targeting someone specific. Otherwise it’s no more profitable than taking a credit card from the street. They could belong to a bum. Once you have a biometric, such as a fingerprint, it’s far more profitable. So, there is a clear economic reason for getting someones fingerprint, they can change their PIN, they can have their signature checked, but they cannot change it. I realise what Ben has outlined may seem very hard and complicated for some, but it really isn’t that difficult at all. A couple of hours work for tremendous gain if you’re a criminal. I think you greatly underestimate the abilities of criminals and greatly understimate the abilities of people checking signatures, in order to support your argument.

    Finger waggler, an illegal immigrant is defined by the Home Office as those that have entered the UK without authority (e.g. bypassing border controls), those who have entered with false documents, and those that have overstayed their visa. Identity cards wouldn’t be issued to people that entered the UK without authority. They may be issued to people who entered on false papers, but then the situation wouldn’t be any different from today because they’re going to avoid being in situations where their identity cards are used. They may even throw them away. Likewise people that have deliberatly overstayed their visa. Given the majority of those people work in the black economy it is unlikely that ID card will affect them at all.

    It’s nothing like saying ‘cars should be banned because sometimes they kill people’. That is what is called a straw man argument. The argument is that the benefits from ID cards will be marginal or non existent, and it will not solve or affect the issues it is puported to solve. This is an opinion backed by the majority of the UK’s experts in the field of information security and cryptogtaphy.

  70. diceman said,

    November 27, 2007 at 3:07 pm

    To take a differing tack on this.

    What if somebody was able to access the database and insert false records or modify existing ones?

    With a modification of existing records, if the data is encrypted onto the actual card you carry, then there would be no immediate repercussions but when you came to renew your card (assuming like passports renew every 10 years) then the system would reject you. This could cause huge problem for somebody.

    Likewise with false records, once the data was in the system it would not be challanged.

    Anybody going to tell me that this would not make the ID database a huge target for hackers?

  71. Tony Edwards said,

    November 27, 2007 at 6:40 pm

    Thinking of keeping things on paper and still making mistakes brings to mind something that happened many years ago in my early days with an aircraft/missile manufacturing company. An aquaintance ordered two items using the inordinately long NATO numbers. Next thing he knew was several rather severe security men wanting to know why he had ordered two Bloodhound missiles!
    All it took was a few numbers wrong, from memory, I think it was two numbers transposed, and, whoopsie.
    Keeping your data to yourself is best.

  72. vinnyr said,

    November 28, 2007 at 9:43 am

    To all those who don’t like Ben’s throwaway remark about humanities graduates, yes it is a generalization, and I don’t believe for a minute that he thinks that ALL humanities graduates are science illiterate.

    The problem is that there is a vast imbalance of humanities to science graduates in the media which is why there is a huge problem of the media misunderstanding and therefore misreporting scientific issues.

  73. mikew said,

    November 28, 2007 at 10:38 am

    @vinnyr:
    Also, it’s unthinkable that the radio and TV journos don’t understand economics/politics, whereas they still feel it’s OK to make comments suggesting that “we normal people wouldn’t understand that sciency stuff”.

    Instead of dumbing down – “smarten up”, and don’t patronise us! The TV audience should at least be capable of GCSE maths/physics/chemistry.

  74. ShatterFace said,

    November 28, 2007 at 1:25 pm

    I’m a humanities graduate and I deserve all the stick I get.

  75. scotlyn said,

    November 28, 2007 at 1:28 pm

    Per DrJon – “And get rid of the bloody “you must BEE logged in” please!” – how about redating the archives for August and January of 1007?

  76. censored said,

    November 29, 2007 at 1:26 pm

    The ID card thing reminds me of the Derren Brown trick, where he convinced the lady to pay out on the dogs, even though she knew full well that his ticket was not for the winner.

    If an ID card/passport checks ok on the system, the guard/policeman/stasi will wave you through. You’d only need to look vaguely like the picture. The computer says yes, so it’s a yes.

    Given that passports can already be scanned and copied, without the holder knowing, anyone could walk through border control provided they’re the same race/gender as the photo they’ve nicked as the computer says yes.

    Clone a fingerprint, and you could look even less like them.

  77. Emiloosh said,

    December 3, 2007 at 4:36 am

    A bit of a tangent (ok, a big one), but I can’t help wondering if these cards will be a massive annoyance for those whose fingerprints become ground down through industrial processes. Individuals may have prints only seasonally, as their work or hobby allows. (I’m thinking of the highly specific example of metal polishing for jewellery… people in the industry might spend hours a day shoving bits of metal against a spinning wheel, covered in abrasive compounds.)

    I heard an anecdote about a jeweller who was held up at the US/Canada border because the guards couldn’t get a read on her prints. She supposedly had a hard time convincing them she wasn’t imperiling the homeland.

    Obviously not a problem with iris scans, but the fingerprinting story came to mind.

  78. tsuchan said,

    January 8, 2009 at 7:55 pm

    Kimpatsu said:
    “Her in Japan, all visitors and all foreign residents now have to be fingerprinted and photographed upon (re)entry to the country every time. This is a complete farce–and a violation of human rights to boot.”

    I’m no fan of ID cards or biometrics, and I’d vote against any party that proposed it. But you’re not right, Kimpatsu. It’s not a complete farce.

    The ability to defeat the fingerprint reader limits effectiveness and could result in innocent people being fairly easily set-up.

    But do you think that every foreign visitor who commits criminal acts in Japan:
    a) comes into the country with the express intention of doing that; and therefore also
    b) attempts to defeat that system; and
    c) has the dexterity not to get caught by an immigration official who is about 50cm away and dealing with only the one person at a time?

    (And remember that in the Japanese system there is also a camera to take a photo on the same machine.)

    Let’s think about in practice what conditios would have to be met to defeat the system. If we have somebody with a criminal record, who:
    a) Had a passport which didn’t already have their encoded fingerprint (or even a forged one that did have their own fingerprint, or conceivably even a real passport that had been originally made with a bogus fingerprint); and
    b) Had either a real passport that didn’t connect to their criminal record or a forged passport which didn’t trigger any alarm; and
    c) succeeded in hoodwinking both the immigration official and the fingerprint machine; and
    d) had a passport with a photo which passed both the immigration inspector’s and the machine comparison; and

    s/he may get through immigration, with the further possibility of having a problem at the Customs inspection.

    Of course if anything at all triggered suspicion, they’re going to be very lucky to get through a more rigorous check with their clumsily forged fingerprint.

    But if we talk about somebody who commits a criminal offence whilst in Japan, I think we can be fairly confident that the vast majority of them will not have even tried to defeat the fingerprint reader (if more than a handful of people were ever caught trying to do so, a new system of manual finger inspections would certainly be introduced) any fingerprints found at a crime scene would already connect to their name and passport.

    Summary: it may be defeated sometimes and it may make it easier for a criminal to set-up an innocent person, but in this case it’s not a farce. No, no, definitely not.

  79. longyan said,

    November 6, 2009 at 2:48 am

    It is no use doing what ugg bailey button you like ugg boots ; you have got to like ugg classic cardy what you do  My philosophy of ugg lo pro button life is work . When work is a pleasure , life is joy ! When work is duty ,ugg knightsbridge life is slavery .Work banishes those three great evils : boredom , vice, and poverty.

  80. xuqunren said,

    November 24, 2009 at 12:17 pm

    sell cheap ugg boots
    very cheap ugg boots
    buy ugg boots
    Australia Sheepskin ugg boots
    Discount ugg boots
    shopping ugg boots
    ugg boots store
    ugg boots United Kingdom
    ugg boots 15 % off when
    ugg boots100% Australian
    ugg boots uk

  81. xuqunren said,

    November 24, 2009 at 12:17 pm

    Please not copy or modify this article about ugg boots, this article is the original of this ugg boots website.
    ugg boots Forwarding not allowed to modify the article, the article for the original site ugg boots

  82. diudiu said,

    December 21, 2009 at 5:40 am

    ed hardy ed hardy
    ed hardy clothing ed hardy clothing
    ed hardy jeans ed hardy jeans
    christian audigier christian audigier
    ed hardy t shirts ed hardy t shirts
    ed hardy uk ed hardy uk
    ed hardy bags ed hardy bags
    ed hardy hoodies ed hardy hoodies
    ed hardy mens ed hardy mens
    ed hardy womens ed hardy womens
    ed hardy kids ed hardy kids ed hardy kids