Ears as a Biometric

It's an obvious biometric for cell phones:

Bodyprint recognizes users by their ears with 99.8% precision with a false rejection rate of only 1 out of 13.

Grip, too.

News story.

EDITED TO ADD: I blogged this in 2011.

Posted on May 1, 2015 at 12:46 PM • 31 Comments

Comments

James McNelisMay 1, 2015 2:55 PM

MI6 reportedly used albums of photos to ID clandestine people by their ears, regardless of disguise, for many years. They depended on an archivist with photographic recall, if I'm remembering this right.

metaschimaMay 1, 2015 4:45 PM

As reliable as it may be, what concerns me is the possibility of just taking a photo of the user's ear and reproducing the ear using say a 3D printer.

LMingoMay 1, 2015 4:55 PM

"One benefit of an ear-based identification system was that it offered greater privacy than facial recognition, she told the BBC."

How is that possible if...

A. ...the point continues to be identification of individuals? Once you are identified and linked to data, accounts, and so on, does it matter which body part was used as the basis of the identification?

B. ...it is unlikely that those who use facial recognition would give it up in favor of trying to identify a body part that is less easy to see due to its smaller size as well as the interference of hats, earmuffs, hair, cell phones, Bluetooth earpieces, ear jewelry, etc.?

bob May 1, 2015 5:10 PM

The INS before it became USCIS required photos for green cards to include an ear in the picture. I'd heard it was much more reliable. Not sure why they stopped.

rem0May 1, 2015 6:04 PM

@metaschima

The article seemed to indicate that the input would be from the touchscreen itself, not just taking an image:

"While the input resolution of a touchscreen is relatively low, "the surface area is large, allowing the touch sensor to scan users' body parts, such as ears, fingers, fists and palms by pressing them against the display", the team said."

So I guess you still might be able to trick the sensor by creating a 3D print of an ear and pressing it against the screen, but not by using a 2D image.


Also I'm not really sure how convenient this is for the end user. One reason the fingerprint scanner works so well is because your fingers are already on the device when you pick it up. Having to press my phone to my ear every time I want to unlock my device is cumbersome. Grip might be a more convenient option if it has a similar reliability.

Jonas SilverMay 1, 2015 7:34 PM

@James McNeil

There have been agencies who alter photographs, such as high school, family, etc (or at least one organization)... have noticed detail to ears, so your story likely has some merit to it.

JS

Jonas SilverMay 1, 2015 9:44 PM

Clarification on:

There have been agencies who alter photographs, such as high school, family, etc (or at least one organization)... have noticed detail to ears, so your story likely has some merit to it.

This kind of data is what someone could say is a trade secret, I will not disclose the source nor where this has happened. So the data is very not fungible. The reader can believe it or not, but I believe the merit of this methodology will be apparent upon explanation:

The trick was to take old photographs and put them online after altering them. The key here is they are old, so they are various stages of age where the person's current age in this modern world of facial recognition and intrusive facial archiving systems was not yet around. The current and future faces of the individuals will be different from the younger person's. Their current and future faces may also be changed. These changes are not going to be apparent to the naked eye because of 'change blindness' and 'context blindness'. The later term noting how, if a person is given a context for a picture they will have a tendency to accept the foreground with the context.

One picture I noted was a dead ringer for another picture. The individual had the same first name, but an equally long and preposterous last name. However, on closer examination what killed the exact dead ringer aspect of the two faces was in the ears. One subject's ears had a closed dangle, whereas the other had an open dangle.

I could not figure out why, though on reflection, besides making the picture useful as a dead ringer where I had context that it was the same person... it was, regardless, non-fungible observation because of that very detail.

If the ear is the same size, and no noticeable alteration could be detected in the picture, then that little detail could definitively disprove any true relationship in history.

I will note, this level of sophistication in terms of detail is extremely difficult to reproduce. It would also be impossible or near impossible to verify or trace back sources or detect where, online, such methodologies have been used. So this manner of disclosure is non-fungible and even has extremely limited possibility of replication.

SamMay 2, 2015 4:55 AM

People need to stop fiddling with biometrics that could be foiled in theory (and in practice as we've seen with fingerprint scanners) and move on to biometrics that would be virtually impossible to foil in theory and in practice, such as finger vein recognition:

http://www.m2sys.com/finger-vein-reader/

The scanner requires a live finger so even if someone chopped off your finger it would be of no use, the same goes for some kind of advanced finger model, assuming the bad guys "somehow" manage to acquire your finger vein patterns without you knowing, which would be a miraculous feat in and of itself.

Clive RobinsonMay 2, 2015 4:55 AM

Ears are "funny things" when it comes to security, although they change with age, they do so in a well ordered manner, and as plastic surgery rarely touches them for vanity cosmetic surgery such as "face lifts" they do give a good indicator of real age.

I guess the fashion of base ball hats under large hoodies, and those bobble hats with side wings to keep ears warm will become more popular along with Hippy and Afro hair cuts that cover the ear.

I wonder how long it will be before certain ear covering hats and hair styles will be viewed not just as suspicious but illegal.

Oh on a side note on English sartorial elegance the male "hipster beard" is apparently nolonger in vogue in it's traditional haunt of London's Hoxton area. It's been replaced with the "70's Porno tash"... hopefully the "Travolta suit", Afro cut and platform shoes will not follow it to compleat the throw back as men try to be as "Hip and trendy as the brothers Gibb".

Clive RobinsonMay 2, 2015 5:10 AM

@ Sam,

The scanner requires a live finger so even if someone chopped off your finger it would be of no use,

Err don't make the mistake of thinking that...

They could use an axe or similar to chop of the hand an inch or so above the wrist and connect a pump system to the easily available blood vessels.

If it came down to a choice between a finger or my whole hand then I think most people would prefere to keep the hand.

I realy do wish people would stop trying to prove identity via "body parts" it only encorages criminals with no morals to chop them off or rip them out, or where that's not possible put your children or other loved ones through the meat grinder or on the barbeque to ensure your cooperation...

Anyone with half a brain to the future should say no to biometrics for exactly this reason.

albertMay 2, 2015 5:05 PM

Well. The snake oil salesmen are at it again.
.
They'll still be at it, even after we're all fingerprinted, implanted, bar-coded, facial-recognized, lie-detected, vein-imaged, DNA-analyzed. Have I left anything out? Phrenology?
.
...

FigureitoutMay 2, 2015 5:45 PM

Anyone with half a brain to the future should say no to biometrics for exactly this reason.
Clive Robinson
--Do you live your life w/ this realistic threat? Sounds like an overstated threat. Also the ear-thing, wearing a hoody/baseball hat brings way more attention to you. This can be defeated w/ good OPSEC splitting up whatever you want to protect, assuming "someone's watching" so someone would have to be watching.

The real problem w/ "biometrics" is converting the signature to digital info which can then be copied and copied and copied and copied and.....like passwords it needs to be stored somewhere to compare to input. Maybe you could scan all your body parts (yep even *that* lol) and get pseudorandomly asked some part to present.

Clive RobinsonMay 2, 2015 9:02 PM

@ Figureitout,

Do you live your life w/ this realistic threat? Sounds like an overstated threat.

I used to be involved with the more practical aspects of protecting the movement of very high value (precious metals and stones) and medium value (cash) items. It was far from unknown for attempts on the cargos to have insiders willing or coerced.

I'm assuming that you don't currently have children, so may not have given much thought as to how much leverage they offer an opponent. We have seen in London street crime where babies have had knives etc pushed against them in prams to make their parents hand over valuables and even just mobile phones etc. It's also the case that some of the more major criminals in London do not have family for this very reason.

We joke about "ruber hose cryptanalysis" and "thermorectal interrogation" but ignore or don't know about the very real crimes going on in the world.

For instance in certain parts of the world those collecting a pension have to "attend in person" and put a finger print on the payment form. It has been known for people to cut the finger of recently deceased relatives to keep claiming and others even wheel the body in in a wheel chair. Not all of the deceased have died natural deaths or were relatives of those attempting to claim the money even though the sums of money have been just a few dollars a month life is even cheaper...

I suspect that we have not yet seen "body part" crime in the West yet simply because bio-metrics are not yet used in the way where it would be sufficiently profitable yet...

Obviously the way to stop these sort of "crimes against the person" happening in the west is not to start using bio-metrics here in a way it would be profitable to lop or gouge bits of people off.

The problem is bad as bio-metrics are those involved with selling them tend only to tell you about the "up side" to them and don't mention the unreliability and downsides. Films and television tend to make them look high tech and sexy which gives rise to another version of the "CSI Effect", all of which means that the downsides don't get mentioned let alone evaluated correctly.

BuckMay 3, 2015 12:03 AM

@Figureitout

The real problem w/ "biometrics" is converting the signature to digital info which can then be copied and copied and copied and copied and.....
then, replayed and replayed and replayed.....
Maybe you could scan all your body parts (yep even *that* lol) and get pseudorandomly asked some part to present.
Ahem! We're gonna need to see some photos of... uhh -- well, you know what we're talkin' about! Stop asking so many questions!! Don't you know it's a felony offense to question our sexuality!? :-P

Nick PMay 3, 2015 12:03 AM

@ Clive

The problem is slowly getting to the public. You should check out The Blacklist, at least first season, as it's (a) a great show and (b) includes good tactics in quite a few episodes. One episode involved hacking, crypto, etc. The opening scene had them shoot a guy in an SUV, take his laptop, cut off his hand quickly, and take it too. Later, a hacker is working on the system until "biometric access" (or something) pops up. Off-scene guy drops a hand in a bag, which the hacker uses to bypass that part of the security.

On an unrelated note, I avoid eye scan biometrics wherever possible. ;)

FigureitoutMay 3, 2015 7:11 AM

Clive Robinson
--Yeah I think cash trucks, their schedules (always in the morning at this one place "in the hood"), people who designed them would be at greatest risk to either sell their knowledge, be coerced, or if they get desperate, act on it themselves.

Either way, whether it be diamonds/gold/cash, you're going to have to come in guns blazing prepared to kill someone, land a big hit and then have some sort of chain of car shops where from satellite view people enter and go out in different cars, go to motels, exchange cars again and keep moving. If you want to do that, you probably get something more out of it than cash; maybe the rush of crime.

Lopping off a limb, means blood splatter and screaming, means evidence they better dispose of quickly.

No I don't have kids and probably won't work in serious security if I do, unless I can afford to "sanitize" my identity properly.

That's pretty desparate to lop off a dead person's finger or wheel their dead body in; that has a pretty short life span eh before decay sets in...

I really don't care either way, I think it'd be funny if people scan their whole body. The xbox scanning thing and other tech that can scan your fingers quickly will probably break biometric security before many more people have stories to tell about their lopped off limbs. Just saying if they're going to start lopping people's fingers off for an iphone, many more of them will get shot too probably or just get your blood all over them.

Buck
Ahem! We're gonna need to see some photos of...
--You know one of these would "glitch" out and keep asking for 'D' pics or your hairy pumpkin-looking backside "spread" --sorry lol--In which case you can be fairly sure Wael hacked it lol.

WaelMay 3, 2015 7:31 AM

@Figureitout,

You know one of these would "glitch" [...] hacked it lol.

Or TSA leaked it :)

TheBudMay 3, 2015 1:00 PM

Forcibly press target's ear to phone. Phone unlocked. Bingo.

Works whether the aggressor is criminal or law enforcement.

MattMay 3, 2015 8:30 PM

This terminology is confusing me a bit.

"99.8% precision with a false rejection rate of only 1 out of 13".

What does precision mean here? I would have thought a rejection rate of 1 out of 13 implies 93% precision at best. Or is the 99.8% just meaning that the false acceptance rate is 2 per thousand?

WaelMay 4, 2015 1:08 AM

@Matt,

This terminology is confusing me a bit.

You're not alone...

In our evaluation with 12 participants, Bodyprint classified body parts with 99.98% accuracy and identifies users with 99.52% accuracy with a false rejection rate of 26.82% to prevent false positives.

Can classify body parts with 98.98 accuracy: It can identify an ear as an ear, a fist as a fist, a nose as a nose 99.98% of the time. 0.02% of the time, it'll think an ear is a nose :)

Identifies users with 99.52% accuracy: It'll identify the users 99.52% of the time even when it sometimes classifies the user's ear as a nose (.02% of the time.)

You may want to read the paper. In the paper, under the technical evaluation section, they say:

During the evaluation, participants held the Nexus 5 phone as demonstrated and performed 12 trial repetitions. Between trials, participants put the phone down on a table. We did not verify the correctness of performed poses or ask for retries. Overall, we collected 864 trials.

They used the word "precision" 18 times in the paper, and I am not sure what it means or how it relates to FRR and FAR. I think it would help if they explained the relationship between "accuracy", "precision", etc ... You may want to consult some of these links for explanations.

null hypothesis
pdf about FAR, FRR and EER

Seems it's a statistical thing (a branch of mathematics I find extremely boring.) It would have been easier to follow if they listed the outcome of the trials in a table and detailed the calculations rather than extract them from the graphs. I know I didn't answer your questions, but maybe you'll find the answer in one of links ;)

WaelMay 4, 2015 1:31 AM

@Clive Robinson,

I realy do wish people would stop trying to prove identity via "body parts" it only encorages criminals with no morals to chop them off or rip them out...

Agreed. The definition of security must apply to the asset as well as to the owner of the asset... Seems there is a hidden tradeoff that's being ignored; Security of the owner versus Security of the asset.

Clive RobinsonMay 4, 2015 2:22 AM

@ Wael,

Speaking of "body parts" I hope you are getting over your recent brush with the drill and hammer mob?

Oh a true story for you, some years ago I was getting the "deep root" treatment after suffering a sporting injury. The dentist and I had an interest in things technological and he told me that there was a new liquid on the market for root work, and that it was as a consiquence comparativly expensive. Any way on administering a few drops of the stuff the smell triggered a response in my head and I said "sodium hypochlorite just like bleach". This surprised him and we compared the list of chemicals on the expensive brown glass bottle and the cheap blue plastic bottle from under the sink, and they were a sufficiently close match for him to mutter a few colourfull words about the price difference...

Clive RobinsonMay 4, 2015 2:39 AM

@ Wael,

And I forgot to make the on topic comment to your comment of,

.. Seems there is a hidden tradeoff that's being ignored; Security of the owner versus Security of the asset.

Only in high value goods movment it's usually not "the owner" but some --often minimum wage-- proxie who's body part gets put on the line.

Thus from managment's point of view the perceived increase in security of biometrics is not offset by any loss / harm the proxie suffers, because they have already externalised it through the organizational insurance... Much like the payment card industry does it with the merchants and card holders when fraud is committed including that of "computer error", they externalise the cost to the person least capable of defending themselves...

WaelMay 4, 2015 3:40 AM

@Clive Robinson,

Speaking of "body parts" I hope you are getting over your recent brush with the drill and hammer mob?

About two thirds done, thanks... Regarding the ear ringing, I think it maybe related to an old filling I had (thinking of removing it) it's made of amalgam which is made of 50%+ Mercury! I didn't know at the time. Mercury!!! I read some studies on the internet that relate it to tinnitus and insomnia... Hmmm... That's what I get for taking the word of others regarding my own safety...Oh, it's safe, been used for the past 100 years, trust us! I guess the same goes for GMO, X-Rays, artificial sweeteners, ...

Back on topic: In my not so humble opinion, Biometrics aren't a suitable representation for primary authentication..

Clive RobinsonMay 4, 2015 4:17 AM

@ Wael,

In my not so humble opinion, Biometrics aren't a suitable representation for primary authentication..

I'd go slightly further and say for most of the "advertised" use cases they are not fit for purpose...

I can not find the link but some years ago a Scotish jail (prison) replaced it's mechanical locks with biometric locks...

Apparently it only took two weeks for it to be noticed that the "old lags" (longterm prisoners) had defeated the biometric locks and were getting into places they should not...

I guess the biometric industry is close to the security snake oil driving line and I think it's probably the wrong side.

The only biometric device I've not worked out a very simple work around for so far is those involving the eye, and the only reasons I've not played around with them are firstly I value my eyes highly and secondly financial resources to buy the vastly over priced eye scanning systems.

SamMay 4, 2015 7:43 AM

@Clive Robinson

"The only biometric device I've not worked out a very simple work around for so far is those involving the eye"

What's your "very simple work around" for the finger vein scanner I mentioned? I've tried to think of a feasible way for the average criminal to foil it but have come up empty. It's objectively the most solid biometric currently available and its accuracy is unparalleled. In principle it's actually very similar to retinal scanning except it is more resilient and far less invasive. (Not to be confused with iris scanning which can be fooled with a good photograph.)

If you take a step back (away from the outlandish and esoteric) and stick to the everyday, good biometrics like finger vein scanning are much better than the old password paradigm. There's no such thing as perfect security and no one is pretending that there exists a one-size-fits-all means to achieving adequate security, but to say "biometrics won't work because outlandish criminals will start hacking off limbs"? Those same outlandish criminals could start hacking off limbs anyway to get you to reveal your password or whatever other means you use to secure X valuables. The argument is moot. In fact, the only logical conclusion to these outlandish hypotheticals is that no means will ever be good enough because the criminals always seem to have unlimited means and desire to obtain whatever it is that you have.

Back on Earth, the vast, VAST majority of criminals go for the low hanging fruits; people using passwords like "password" or "12345". This is primarily the kind of problem biometrics aims to help mitigate. Keeping things in perspective.

Fred PMay 4, 2015 9:30 AM

"In our evaluation with 12 participants..." - I pretty much stopped there. They need a much larger sample size for their statistics to have much meaning.

bilMay 4, 2015 12:58 PM

@Sam
"Those same outlandish criminals could start hacking off limbs anyway to get you to reveal your password or whatever other means you use to secure X valuables. The argument is moot."

No, not really. A criminal would need only threaten me with bodily harm to get me to cough up a password. If my biometric is my ear, they have to cut it off after I give them the password or drag me with them. I'd rather stay put with both ears.

J on the river Lethe May 6, 2015 9:20 PM

One of the problems I have with the biometric push is the fact that once the bad guys have it, that's it. It's hard to change them. Supposedly tongue prints are unique too. I can think of some window lickers in the security industry that this might be useful information for required entry to the short bus.......or at least A timeout for repentance and self reflection.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.