Comments

Imperfect Citizen, October 11, 2010 7:30 AM

Great article. The business about the FBI and fingerprints was chilling, but at least that was out in the open. I wish they had to read this blog and Bruce's articles for their exams.

I like the end remarks:

"Apart from privacy and reliability, biometric recognition raises important issues about remediation. Increasingly, we can expect the courts to use remediation as a way of addressing both lax and fraudulent use of biometrics, especially for individuals (like Mr Mayfield) who have been denied their due rights because of an incorrect match or non-match in some screening process."

Mayfield was arrested, what about the rest of us just under "observation"? Whether it's NSA or FBI or both, there is apparently no review of cases.
If they admit to observing someone, like the young fellow who found the GPS on his car and the FBI took it back, that's one thing. Otherwise, what federal judge will be allowed to review a case cloaked in the Patriot Act? Nobody investigates Patriot Act abuse in this country. These are DOJ funds and the IG can't/won't act. How can they investigate it seriously if they refuse to allow their own safeguarding people to look at it? Like FBI Special Operators or DOJ IG?

I don't think there's much hope for those of us whose cases are hidden and ongoing. A person's status on a terrorist watch list probably prevents review in the name of "national security."

paul, October 11, 2010 9:47 AM

One of the (many) problems with biometrics is that so many measures were first developed in an era of computational and storage scarcity, and of sparse population coverage. For fingerprints, for example, the classical matching method is based on minutiae, which are only a tiny subset of the information available in a print. It's fairly easy to construct prints whose minutiae match while the prints themselves are obviously different.

mcb, October 11, 2010 10:12 AM

"The biometrics industry has a vital role to play in these threatening times."

I'm sure the biometrics industry wants us to think so. Be afraid, be very afraid, unless we're your identification and authentication method.

This closing sentence flies in the face of the rest of the article, which makes a reasoned argument that an unrealistic reliance on biometrics is a threat in its own right. Methinks I smell an editor at work...

Lisa, October 11, 2010 10:38 AM

Once biometric scans are digitized, they are just data, that can be copied and manipulated in any desired way. Imaging software can even make minor changes such as rotation, translation, skewing, etc. to simulate real-world changes between biometric scans of the same subjects.

What I find laughable, is that many people think that having an unsecured biometric reader, such as one attached to their home computer, magically gives them secure authentication over networks, and can be used for things like Internet banking and VPN access.

Unlike hardware security tokens that can support real-time challenge-response, and can prevent man-in-the-middle attacks, biometrics can not.

Personally I am against the use of biometrics in general. Unlike passwords, security tokens, etc. that can be easily replaced when compromised, it is impractical to replace a biometric.

Even with "secured" biometric scanners, like those in airports or immigration, they are still subject to forgery by professionals.

It is not too difficult to make a gelatine copy of a fingerprint that can be placed over a criminal's fingertip, and be good enough to fool nearly all electronic fingerprint readers.

Spy agencies, like the Israeli secret service, have been known to use forged foreign passports in order to commit crimes. So it would not be unrealistic to expect these agencies to also forge biometrics in the near future.
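
The contrast Lisa draws between a challenge-response token and a replayable biometric, as an added example that is not part of the original comment or of any product the thread discusses. The token side is a plain nonce-plus-HMAC exchange; the biometric side is deliberately simplified to an exact comparison of a captured template against the enrolled one (real matchers use a similarity threshold, which does not change the replay property). The secret, the template bytes and the class names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a shared secret provisioned into a hardware token at issue time.
TOKEN_SECRET = secrets.token_bytes(32)


class TokenVerifier:
    """Server side of a nonce-based challenge-response protocol."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # An unknown or already-consumed nonce is rejected outright: a replayed
        # response, or a response to someone else's challenge, never gets this far.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(secret: bytes, nonce: bytes) -> bytes:
    """What the token computes when shown a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class TemplateVerifier:
    """Naive biometric verification: compare the submitted template to the enrolled one.
    Simplification for the example: exact equality instead of a similarity score."""

    def __init__(self, enrolled: bytes):
        self._enrolled = enrolled

    def verify(self, template: bytes) -> bool:
        # Nothing here binds the submitted template to a fresh session, so a
        # template captured once (from an unsecured reader or the wire) works forever.
        return template == self._enrolled


def run_scenarios() -> dict:
    results = {}

    server = TokenVerifier(TOKEN_SECRET)
    nonce = server.challenge()
    response = token_respond(TOKEN_SECRET, nonce)
    results["token_first_use"] = server.verify(nonce, response)      # accepted
    results["token_replay"] = server.verify(nonce, response)         # rejected: nonce consumed
    nonce2 = server.challenge()
    results["token_cross_replay"] = server.verify(nonce2, response)  # rejected: wrong nonce

    enrolled = b"constructed-fingerprint-template-bytes"  # constructed, not a real template
    reader = TemplateVerifier(enrolled)
    captured = enrolled  # attacker recorded the template during a legitimate use
    results["biometric_first_use"] = reader.verify(captured)         # accepted
    results["biometric_replay"] = reader.verify(captured)            # also accepted

    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:22s} -> {'accepted' if accepted else 'rejected'}")
```

The point the code makes is structural: the token's response is a function of a per-session value the verifier chose, so it has no value outside that session, while a biometric template is the same bytes every time and therefore indistinguishable from its own replay.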

RH, October 11, 2010 12:26 PM

I'm just waiting for a biometrics company to be put in Bruce's doghouse when one of their fancy iris scanners gets subverted by a crook who bridges the "open door" wire, and walks in. We all know that, in the name of cost cutting, eventually SOMEONE's going to put in simple wiring like that!

Clive Robinson, October 11, 2010 7:23 PM

@ Lisa,

"So it would not be unrealistic to expect these agencies to also forged biometrics as well in the near future"

I have at various points in my life worked out how to forge most biometrics; the only major one so far I have not had a go at is iris scanning. Not because I think it might not be possible, but the cost of getting access to the systems is way too high currently.

The one that makes me smile sadly is DNA. We hear ludicrous and completely unsupported statements from the mouths of "scientists" acting as "expert witnesses". Their statements of only one in a hundred billion (or whatever) are based on the notion of a linear population and an incorrect assumption about the test methodology.

As for the linear population how many natural red heads have you seen in the african and asian populations? How many people from european populations have sickle cells? Likewise "genetic illnesses" run in population types. Thus you can safely say that human DNA is not linearly spread across all possible types, even after cross racial breeding.

But as the article notes, people are not researching into these areas, possibly for the "golden goose" reason.

What makes the issue worse is the assumption that human DNA cannot be cloned, and that this carries forward through the DNA testing process. It does not; many years ago I worked out how to game the DNA test by seeding a crime scene (I've posted the outline of how to do it in the past). It is only in recent times (the last three years or so) that some scientists have worked out a way to stop the simple gaming. Unfortunately there are more complex ways to still do it.

Originally I contacted people involved in DNA work and pointed out that it could be gamed. The response in all cases was to deny it was possible, and when you asked if they had ever tested the hypothesis they either refused to answer or filibustered. The question is as to why... I concluded that they did not want to "kill the golden goose" or they enjoyed the idea of wearing the "emperor's new clothes". However a scientist in Australia some years later did the tests (as far as I'm aware completely unknowing of anything relating to me and my questions) and showed conclusively that DNA testing could be gamed and thus results falsified.

I was faking fingerprints over forty years ago with common household items (soft red wax from edam cheese, WD40 oil, rubber solution glue). I came up with the idea after reading a Sherlock Holmes story.

BUT IMPORTANTLY all these problems with biometrics happen in all forms of "forensic science", for instance bullet metal alloy analysis, where it was argued for some time that you could tell from the alloy composition if a bullet at a crime scene came from the same batch as those found in a person's gun cupboard etc. Expert witnesses who had never tested the idea jumped on the bandwagon. Then a scientist went and analysed the alloy across several batches and found the idea of alloy matching was complete bunkum: when analysing bars of the metal alloy prior to making bullets he found the variation in the bar to vary wildly beyond any possible level of confidence.

One issue that is biting hard is the notion of "noise" or "background contamination". Some tests are so sensitive that the probability of them showing a chemical present is very high. This is because nearly all the chemicals forensic examiners look for are "naturally in the environment". An early example of this was the "aunt aggie's bomb factory": a group of Irish people were arrested and accused of bomb making because traces of certain explosives were found on their hands.

Well it turns out that the explosive concerned is a byproduct of the natural decay of certain cellulose plastics. The fact that this was known to happen from a hundred years beforehand with "exploding billiard balls" was not brought to the jury's attention. Thus a totally false conviction was obtained.

My view is that forensics is most definitely not, nor can it ever be, a science in the traditional sense. The best it can do is make probabilistic statements about physical objects found at a crime scene etc. It cannot say how something came about.

An example of this was told to me by one of our "learned friends": a clear fingerprint had been recovered from a beer glass used to seriously attack somebody. It turns out the fingerprint (in all probability) was a 100% match to a person who was picked up and accused. It was only after they could show a very very solid alibi and no real motive could be found that the forensics came into question.

It turns out that the suspect had drunk at the pub some months beforehand, and the pub washed its glasses using those little bar-edge washing machines that clean the inside and top of the outside but not the base of the glass, because the bar staff hold this end of the glass when using the washing machine. Thus the forensics were in all probability correct; it was the interpretation of the information provided that was incorrect.

Salach, October 12, 2010 2:05 AM

@Clive
DNA testing for forensics is indeed very problematic evidence and I am often surprised that it is still accepted as such.
The question is not if it is easy to forge; a much more severe problem is the false identification from errors or contamination, without anyone actively forging DNA.
Regarding the article itself, it starts from a wrong assumption: biometrics are not for catching terrorists and this happens very rarely, if any. Biometrics are good for handling people who *want* to be identified. For example, in a certain country they operate a biometric fast lane at their international airport. Their own citizens can enroll and enjoy a very fast service without waiting in long lines. The reason is not security but rather efficiency. If all those citizens would use the normal border control - they just cannot handle the capacity.
The enrolled citizens are considered "low risk, just get the hell outa here" and they can use far less border control officers for the rest. Another up side: it saves floor space and leaves more space for retail...

The bottom line: Biometrics can and must be used realistically and are a good solution to some problems. They are not the silver bullet to solve everything.

Cheers

greg, October 12, 2010 3:48 AM

@Clive

I am working as a population geneticist. The scary part of DNA fingerprinting is that a lot of people *know* the problems. We are getting to the point where we have enough markers for most ethnic groups. But there are still gaps (ie the Maori in NZ). However, consider a database often containing only some of the current marker set.

Then the problem of expert witnesses. We always say no, for the simple reason that you only do it once and get your words twisted by the guy that asked you to testify, then you just let the lawyers play Law and lose total faith in the justice system.

The next problem is the witness that does testify doesn't know jack about probability. So if there are 10 markers and each has about 10 alleles, they will say the probability of a match by chance alone is 1:10^10. This is completely wrong *even for the ethnic group the data was based on*. One allele may occur in 90% of the population.

Now as Clive already said, there is the problem of what does it even mean that DNA was at the location of a crime?

However as for the contamination problems. This is a bit bogus. Labs are doing DNA sequencing all the time, with controls. We have good protocols to detect contamination these days. If a defense lawyer is holding up the contamination card... it's because he/she has no leg to stand on as to *why* there is an innocent reason for the DNA to be there. (assuming the controls came back correctly of course)

But polluting a crime scene would be easy. But you can just use bleach too. Or any other of a number of chemicals that completely break down the DNA.

And perhaps more on topic. In the movie Gattaca, they have DNA biometrics that our "hero" gets through anyway.

bill, October 12, 2010 6:02 AM

>That makes it both convenient and efficient: there is nothing to carry, forget or lose.

If duplication and playback are 'losses' then for sure you can 'lose' a biometric.

Pedant, October 12, 2010 8:53 AM

>>That makes it both convenient and efficient: there is nothing to carry, forget or lose.

>If duplication and playback are 'losses' then for sure you can 'lose' a biometric.

Obviously, but I think that they are talking about actual loss.*

Your argument is similar to the RIAA saying that copying is theft despite the fact that theft requires the victim to be deprived of the stolen item, which is obviously not the case when copying.

* Unless you are talking about the guy whose finger was chopped off so they could steal his car.

M.V., October 12, 2010 10:15 AM

@greg

>However as for the contamination problems. This is a bit bogus. Labs are doing DNA sequencing all the time, with controls. We have good protocols to detect contamination these days.

Are these protocols fail safe? What about the supply chain, what about contamination at the crime scene?

Not so long ago in south west Germany (Bruce blogged about it) there was a case in which DNA from several crime scenes (including a high profile case of killing a police officer) pointed to a single woman. Only after they caught all the culprits in a specific case (none of them a woman) did they notice that something was wrong. It turned out to be a contamination in the supply chain.

And what about contamination at the crime scene or picking up the wrong traces (see Clive's fingerprint example), how do you safeguard against that?

In the Germany case the DNA traces may even have prevented the police from solving some of the cases, just because they asked possible witnesses the wrong question: "Have you seen a woman?".

All over the world administrations seek to create huge fingerprint and DNA databases. In my opinion this will only increase the number of false positives.

Alisdair McKenzie, October 12, 2010 2:21 PM

Sloppy Journalism

"A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock."

The reliability of the Economist article is called into question by the sloppiness of this reference. The incident was in Malaysia in March 2005 albeit in a German car. I could not find any other reports of this sort of event happening again since then. Hardly an epidemic!

This is yet another example of loose reporting which feeds urban myths, muddies the waters and allows the FUD to spread. We might hope for higher standards from The Economist.

Reports from the time of the incident.

http://news.bbc.co.uk/2/hi/asia-pacific/...

http://www.theregister.co.uk/2005/04/04/...

http://www.schneier.com/blog/archives/2005/04/...


Roger, October 12, 2010 3:34 PM

This is indeed an excellent review article for a publication that is not a security specialist -- apart from, as mcb pointed out, the last line jarring so badly with the rest of the article.

The one thing I thought he missed is the benefit of composition of methods. For example, a few years back someone (Ross Anderson?) published an identity verification protocol for combining a biometric with a smart card in a way which eliminated all known problems of both.

@Salach:
"Biometrics can and must be used realistically and are a good solution to some problems. "
Indeed, I agree with that. But:
"Biometrics are good for handling people who *want* to be identified. "
even that is often true only if you don't care too much about their mediocre statistics. For example, if your airport security reference is alluding to Australia, then a little birdie told me that the false positive rate is absolutely terrible. They don't care, though, because anyone caught trying to fake their way through will be immediately arrested, so even a false positive rate higher than 10% would still be considered an adequate deterrent: no-one is likely to try to use a fake ID if they are ~90% likely to be arrested.

@M.V.
"It turned out to be a contamination in the supply chain."
I understand that in fact the lab had cut costs by sourcing supplies that were never intended for forensic applications, and rather than being contaminated they never had trace DNA removed in the first place.

Clive Robinson, October 12, 2010 6:02 PM

@ Roger,

"I understand that in fact the lab had cut costs by sourcing supplies that were never intended for forensic applications"

Which lab, the one making the swabs or the forensic lab? Your comment can be read either way.

As I recall it was an own goal for the forensic lab that decided to switch from "DNA free" to "sterile" swabs which were many times cheaper. What is not clear is why (ie a non-scientist admin type making assumptions etc).

@ Salach,

"The question is not if it is easy to forge but a much more severe problem is the false identification from errors or contamination, without anyone actively forging DNA"

Yes, it's a part of the more general "noise" issue I referred to, which critically affects all forensic tests.

However from my point of view the ultimate fail of DNA forensics is when you can pull a chosen individuals DNA profile out of a Government or NGO DB and synth up the required partial bits to show a positive identification in the current testing framework without setting off alarms.

@ greg,

"We have good protocols to detect contamination these days."

At least one was developed by the Australian I referred to in my post.

That being said, it's been a few years since I last looked into what was required to game a forensic DNA test, so I'm out of touch with what can and can not currently be done. For instance there were newspaper reports not so long ago that a scientist had created his own "living" bacteria from non-living DNA he had synthed up. The truth of it seemed improbable from the way it was reported by journos.

With regards to synthing up to game the current DNA testing with its controls, many of these controls are add-ons to look for quite specific indicators. I suspect if you and your colleagues sat down with pizza and a few beers and had a "what if" rump session you could fairly readily identify promising avenues of investigation that would game a forensic DNA test even with the current check additions.

The reason I feel this is the "if you break it once, you can break it again" issue. That is, adding a test for a specific break only buttresses up one small part of the process; the chances are good there are many other vectors. That is, as you add more check tests it is likely it will fail under the weight of these add-on tests.

For example, if people think back to the Fast Encryption Algorithm (FEAL). It got broken, fixed, broken again, fixed again, over and over again. Each time the attack got better till eventually a completely new method of attack arose that broke many crypto algorithms.

Salach, October 13, 2010 2:32 AM

@Clive
Pulling a specific DNA from a database is certainly a risk but actually if you target a specific individual you don't need this database. DNA can be "harvested" easily from that specific guy even if such a database does not exist. Actually it is a much higher risk since forging your DNA is accessible by everyone, and not only dark government organizations with databases.
You don't even have to be very smart and technically adept to do it.
The hard part is to plant it in a crime scene within the correct context of this scene. The forensic experts must be convinced that it is what they are looking for, unless you assume they are very careless, which may not be the case. This difficulty is shared by everyone wanting to game a DNA test, government or not.

greg, October 13, 2010 4:44 AM

@M.V
The lab also didn't run negative controls. As already pointed out, they were sloppy with the type of swabs they used.

In this case there should be at *least* one negative and one positive control. The negative control is the unused swab. This would not have come back negative and the data should have never been used.

$10 on they did do the control and ignored it because it was a high profile case.

What finding the DNA at the scene means (ie contaminate the scene) is something a DNA test *cannot* tell you. This is a *much* bigger problem than CSI and their kin make out. DNA testing is too good in a way.

I am strongly against DNA databases. False positives are a real problem with a population-size database. The markers used were chosen to eliminate a small number of suspects. Already the DNA databases that do exist are probably causing more harm than good.

I will never voluntarily give a DNA sample.

@Clive and everyone.
The controls are pretty good. But that's with a caveat. It's like a message with a MAC. If the MAC fails you *must* ignore the message. So it's easy for an attacker to get the MAC to fail and mount a DoS attack. For DNA evidence this is quite easy by spoiling the scene. But this is easily detected. It's standard procedure when we sequence or fingerprint a fungus or a fruit fly. It's a legal requirement for DNA evidence at least where I have been.

Also multiple individuals is a problem without a well funded lab. Easy to detect with the cheaper methods... DA still don't often throw it out.

However a defense lawyer should be able to handle all of this. The prosecution will not get DNA into evidence if it doesn't have proper controls *if* challenged by a defense lawyer.

I did also state why many real experts don't go near a courthouse. The problem is not the protocols, it's the mentality behind the prosecution and other enforcement agencies that generally have already decided who committed the crime.

No protocol can fix that. Just like the FBI *lied* about a fingerprint match because they want to blame someone and didn't care if it is the wrong person.

However my main point stands. A proper lab has good protocols that really put the contamination problem down to beyond reasonable doubt. A sloppy lab is easily exposed. Also there should always be provisions for the defense to arrange their own DNA testing.

Clive Robinson, October 13, 2010 6:15 AM

@ Salach, Greg,

I think that I have not made myself clear...

All "tests" are attackable and subject to "noise"; it is the ability to deal with this which defines how good or bad a test is.

To say that a test is truly broken and not fit for purpose on its own you need to find a way that shows this.

Seeding with somebody's existing DNA either deliberately or accidentally (secondary contact for instance) does not show the test to be broken.

Showing you can manufacture a DNA sample or parts thereof which will pass the existing test without suspicion shows the test to be deficient. Showing it can be done from existing biometric information held for identification makes it doubly broken.

The traditional way to deal with noise or contamination is to somehow measure the ratio of signal to noise; as long as you have four times the signal to noise you can generally argue a signal is there (but not of necessity be able to extract anything more meaningful).

One of the problems I identified with DNA testing in the past is you are dealing with parts not the whole (ie where you have chopped it up at the markers). The simplest way to game the system was just to add chopped-up bits to the crime scene. However I gather that there are now methods by which you can fairly easily remove any "added parts" prior to the test.

However what happens when you are using either whole samples or parts of samples sufficiently large not to be easily filtered out.

This gives a significant problem in that two entirely unrelated samples will match by more than 90% when chopped up. Thus only two unrelated samples that get into the test when chopped up create shadows of uncertainty where potentially many people can be matched.

Overly simplistically, if you have a potential set of six test elements {ABCDEF} and each sample consists of at least four members from the set you have potentially many many combinations when order is taken into account (ie ABCD and ADBC). However many less after chopping up (ie ABCD and ADBC have identical elements).

Worse two samples which have some differing elements (ABCDE ADBCF) might when chopped up provide matches to every element in the set thus match every possible sample presented.

Potentially the only way to differentiate is by the quantity of each element (that is if you have 10 lots of ABCDE to 1 lot of ABCDF) the ratio of the differing elements indicate ( 1 of F, 10 of E and 21 each of ABCD) which the majority sample is and by how much, also that there are only two samples in the test.

This is fairly easy when you have the ability to make a realistic quantitative measurement of each element in the set AND significantly different (10:1) differences AND a sufficient quantity of both to be able to measure with sufficient accuracy.

When I was last looking into it the forensic tests in use were not doing this, thus there is a vector by which the test can be gamed just by simple addition of an additional sample at almost any level...

Further the filtering methods later proposed would only deal with getting rid of sufficiently different "parts".

I'm not sure what the current state of play is but as I said I'm fairly certain there are still going to be ways of gaming the system even if full synthesis of human DNA is not currently possible...

To be usable on their own as proof the tests have to be robust in the presence of noise / contaminants and I'm not sure they can be made so. Thus DNA testing should be regarded as circumstantial evidence at best...
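
Clive's {ABCDEF} toy model run through in code, as an added example that is not part of his comment and is not a description of any real forensic protocol. Profiles are sets of elements drawn from six symbols, "chopping up" discards order, and mixing two samples pools their element counts. The first function shows what a presence/absence test can say about such a pool; the second shows what a quantitative read-out can recover when the two contributors are present in clearly different amounts, and what happens when they are not. The element names, quantities and function names are all constructed for the example.

```python
from collections import Counter
from itertools import combinations

ELEMENTS = "ABCDEF"


def candidate_profiles(min_size=4):
    """Every profile of at least `min_size` distinct elements. Stored as frozensets
    because once the sample is chopped at the markers the order is gone."""
    return [frozenset(c)
            for n in range(min_size, len(ELEMENTS) + 1)
            for c in combinations(ELEMENTS, n)]


def chop_and_pool(samples):
    """samples: list of (profile, quantity). Returns element -> total quantity,
    i.e. what is left once every sample is fragmented and the fragments are mixed."""
    counts = Counter()
    for profile, qty in samples:
        for element in profile:
            counts[element] += qty
    return counts


def presence_matches(counts, candidates):
    """A presence/absence test: any candidate whose elements all appear in the
    pool 'matches'. With a pooled sample this is a superset test, not an identity test."""
    present = frozenset(e for e, c in counts.items() if c > 0)
    return [cand for cand in candidates if cand <= present]


def deconvolve_two_contributors(counts):
    """Toy quantitative separation assuming exactly two contributors.
    Element counts fall into at most three levels: minor only, major only,
    shared (major + minor). Returns (major_profile, minor_profile, ratio)."""
    levels = sorted(set(counts.values()))
    minor_q = levels[0]
    major_q = levels[-1]
    if major_q - minor_q in levels:
        major_q -= minor_q          # the top level is the shared elements
    shared_q = major_q + minor_q
    major = frozenset(e for e, c in counts.items() if c in (major_q, shared_q))
    minor = frozenset(e for e, c in counts.items() if c in (minor_q, shared_q))
    return major, minor, major_q / minor_q


def ratio_is_resolvable(ratio, threshold=10.0):
    """Clive's 10:1 rule of thumb: below this the two contributors cannot be told apart."""
    return ratio >= threshold


if __name__ == "__main__":
    candidates = candidate_profiles()

    # Constructed mix from the comment: 10 lots of ABCDE plus 1 lot of ABCDF.
    pool = chop_and_pool([("ABCDE", 10), ("ABCDF", 1)])
    print("pooled counts:", dict(sorted(pool.items())))
    print("candidates matched by presence alone:",
          len(presence_matches(pool, candidates)), "of", len(candidates))
    major, minor, ratio = deconvolve_two_contributors(pool)
    print("by quantity: major", "".join(sorted(major)), "minor", "".join(sorted(minor)),
          f"ratio {ratio:.0f}:1 resolvable={ratio_is_resolvable(ratio)}")

    # Same two contributors in equal amounts: the quantities no longer separate them.
    even = chop_and_pool([("ABCDE", 5), ("ABCDF", 5)])
    major, minor, ratio = deconvolve_two_contributors(even)
    print("equal mix: major", "".join(sorted(major)), "minor", "".join(sorted(minor)),
          f"ratio {ratio:.0f}:1 resolvable={ratio_is_resolvable(ratio)}")
```

In the 10:1 mix every element of the alphabet is present, so all 22 candidate profiles pass the presence test; only the counts separate ABCDE from ABCDF. In the equal mix the counts collapse to two levels and the separation returns both contributors as the full alphabet with a 1:1 ratio, which is exactly the condition under which the test is gameable by adding a second sample.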

M.V., October 13, 2010 8:59 AM

@Greg

Well I think the $10 are mine :-)

There have been many cases over several years where the trace DNA from a woman working at the swab supplier turned up. Probably every time they failed to pick up any other DNA on the scene.

I agree with a blind test it would have been discovered much earlier.

You are working in a scientific environment and I am sure you put extra effort into validating your results. I doubt this is the case with forensic labs. DNA sampling is the current wonder weapon in crime investigation, putting a lot of workload on the labs. Which I bet are chronically working at or even beyond their capacity limits. So some controller WILL order to increase the capacity by cutting down on the procedures, training etc.

"What finding the DNA at the scene means (ie contaminate the scene) is something a DNA test *cannot* tell you. This is a *much* bigger problem than CSI and their kin make out. DNA testing is too good in a way."

Very true. The Germany case showed they often poke around without any idea what they may pick up, just in case. Besides picking up nothing I bet they also often pick up wrong DNA. Pair this with a nationwide DNA database. A nightmare.


greg, October 14, 2010 7:15 AM

@M.V. & Clive

Perhaps you're right. Perhaps forensics labs are sloppy by "culture". The culture of what the cops want and the DA or whatever pushes the tests to the lowest common denominator...

At that point be very afraid.

I would hope that they filter at the first step for "whole chromosomes". The fragment pollution from the scene more or less eliminated (with controls of course).

However if they get sloppy and say cut it up after a basic separation step (wouldn't know how to be this sloppy without wrecking everything downstream).... well it becomes very easy to ruin the test by spraying the scene with random marker fragments.

Synthesizing a whole chromosome is still a long way off. And once done we are talking serious investment that could be used to commit the crime in better ways. That won't be a problem for some time.

Roger, October 14, 2010 7:39 AM

@Clive:
"Which lab the one making the swabs or the forensic lab? your comment can be read either way."

The forensic lab. Apologies for the ambiguity.

"As I recall it was an own goal for the forensic lab that decided to switch from "DNA free" to "sterile" swabs which where many time cheaper. What is not clear is why (ie a non scientist admin type making assumptions etc)."

Yes, that's what I heard too.

M.V., October 14, 2010 5:09 PM

@Clive, Roger, Greg

"As I recall it was an own goal for the forensic lab that decided to switch from "DNA free" to "sterile" swabs which where many time cheaper. What is not clear is why (ie a non scientist admin type making assumptions etc)."


According to this article (sorry in German)
http://www.focus.de/panorama/welt/...

It seems that "DNA free" was never part of the spec as defined by the BKA (German FBI equivalent).

The first case with the wrong DNA was from 1993, and it looks like the spec was never updated since.

It's not only sloppy handling, the cops are also very slow to update and adjust their procedures.

Mattski, November 2, 2010 11:40 AM

It's a good article, not a great one, and seems to have been written to prove certain points, e.g. that biometrics is being driven by knee-jerk reaction riding roughshod over the needs of people. One point to make is that although fingerprint biometrics have had a bad press, the sensor capability can be a lot better if quality systems are specified. Another is that in terms of homeland security at borders, airports etc, it should be part of a range of checks. No one security system, machine or human or a combination will ever be perfect. We can only aim to improve them.

Otis, November 4, 2010 6:11 AM

Many good points.
But it is the commercial interests that hold sway. That includes the people working in the field who depend upon the 'validity' of DNA testing for their livelihood, the manufacturers, the prisons (especially in the USA) and (dare I say it) the legal system itself.
Not to mention the political 'interests'.

All of these ignore 'the bugger's muddle' and that will not change.

Never mind 'be afraid' the watchword should be 'if you are not already afraid you have been had'.
