Ears as a Biometric
It’s an obvious biometric for cell phones:
Bodyprint recognizes users by their ears with 99.8% precision with a false rejection rate of only 1 out of 13.
Grip, too.
News story.
EDITED TO ADD: I blogged this in 2011.
Entries Tagged "identification"
Page 7 of 26
Identifying When Someone Is Operating a Computer Remotely
Here’s an interesting technique to detect Remote Access Trojans, or RATS: differences in how local and remote users use the keyboard and mouse:
By using biometric analysis tools, we are able to analyze cognitive traits such as hand-eye coordination, usage preferences, as well as device interaction patterns to identify a delay or latency often associated with remote access attacks. Simply put, a RAT’s keyboard typing or cursor movement will often cause delayed visual feedback which in turn results in delayed response time; the data is simply not as fluent as would be expected from standard human behavior data.
No data on false positives vs. false negatives, but interesting nonetheless.
Now Corporate Drones are Spying on Cell Phones
The marketing firm Adnear is using drones to track cell phone users:
The capture does not involve conversations or personally identifiable information, according to director of marketing and research Smriti Kataria. It uses signal strength, cell tower triangulation, and other indicators to determine where the device is, and that information is then used to map the user’s travel patterns.
“Let’s say someone is walking near a coffee shop,” Kataria said by way of example.
The coffee shop may want to offer in-app ads or discount coupons to people who often walk by but don’t enter, as well as to frequent patrons when they are elsewhere. Adnear’s client would be the coffee shop or other retailers who want to entice passersby.
[…]
The system identifies a given user through the device ID, and the location info is used to flesh out the user’s physical traffic pattern in his profile. Although anonymous, the user is “identified” as a code. The company says that no name, phone number, router ID, or other personally identifiable information is captured, and there is no photography or video.
Does anyone except this company believe that device ID is not personally identifiable information?
How Did the Feds Identity Dread Pirate Roberts?
Last month, I wrote that the FBI identified Ross W. Ulbricht as the Silk Road’s Dread Pirate Roberts through a leaky CAPTCHA. Seems that story doesn’t hold water:
The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But [Nicholas] Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.
“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.
But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?
“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”
My guess is that the NSA provided the FBI with this information. We know that the NSA provides surveillance data to the FBI and the DEA, under the condition that they lie about where it came from in court.
NSA whistleblower William Binney explained how it’s done:
…when you can’t use the data, you have to go out and do a parallel construction, [which] means you use what you would normally consider to be investigative techniques, [and] go find the data. You have a little hint, though. NSA is telling you where the data is…
Identifying Dread Pirate Roberts
According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users’ true location.
People Are Not Very Good at Matching Photographs to People
We have an error rate of about 15%:
Professor Mike Burton, Sixth Century Chair in Psychology at the University of Aberdeen said: “Psychologists identified around a decade ago that in general people are not very good at matching a person to an image on a security document.
“Familiar faces trigger special processes in our brain—we would recognise a member of our family, a friend or a famous face within a crowd, in a multitude of guises, venues, angles or lighting conditions. But when it comes to identifying a stranger it’s another story.
“The question we asked was does this fundamental brain process that occurs have any real importance for situations such as controlling passport issuing and we found that it does.”
The ability of Australian passport officers, for whom accurate face matching is central to their job and vital to border security, was tested in the latest study, which involved researchers from the Universities of Aberdeen, York and New South Wales Australia.
In one test, passport officers had to decide whether or not a photograph of an individual presented on their computer screen matched the face of a person standing in front of their desk.
It was found that on 15% of trials the officers decided that the photograph on their screen matched the face of the person standing in front of them, when in fact, the photograph showed an entirely different person.
Fingerprinting Computers By Making Them Draw Images
Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.
EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.
EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system—the White House is—and how to defend against it.
And a good story on BoingBoing.
Tracking People from Smartphone Accelerometers
It’s been long known that individual analog devices have their own fingerprints. Decades ago, individual radio transmitters were identifiable and trackable. Now, researchers have found that accelerometers in smartphone are unique enough to be identifiable.
The researchers focused specifically on the accelerometer, a sensor that tracks three-dimensional movements of the phone essential for countless applications, including pedometers, sleep monitoring, mobile gaming but their findings suggest that other sensors could leave equally unique fingerprints.
“When you manufacture the hardware, the factory cannot produce the identical thing in millions,” Roy said. “So these imperfections create fingerprints.”
Of course, these fingerprints are only visible when accelerometer data signals are analyzed in detail. Most applications do not require this level of analysis, yet the data shared with all applications—your favorite game, your pedometer—bear the mark. Should someone want to perform this analysis, they could do so.
The researchers tested more than 100 devices over the course of nine months: 80 standalone accelerometer chips used in popular smartphones, 25 Android phones and two tablets.
The accelerometers in all permutations were selected from different manufacturers, to ensure that the fingerprints weren’t simply defects resulting from a particular production line.
With 96-percent accuracy, the researchers could discriminate one sensor from another.
Creating Forensic Sketches from DNA
This seems really science fictional:
It’s already possible to make some inferences about the appearance of crime suspects from their DNA alone, including their racial ancestry and some shades of hair colour. And in 2012, a team led by Manfred Kayser of Erasmus University Medical Center in Rotterdam, the Netherlands, identified five genetic variants with detectable effects on facial shape. It was a start, but still a long way from reliable genetic photofits.
To take the idea a step further, a team led by population geneticist Mark Shriver of Pennsylvania State University and imaging specialist Peter Claes of the Catholic University of Leuven (KUL) in Belgium used a stereoscopic camera to capture 3D images of almost 600 volunteers from populations with mixed European and West African ancestry. Because people from Europe and Africa tend to have differently shaped faces, studying people with mixed ancestry increased the chances of finding genetic variants affecting facial structure.
Kayser’s study had looked for genes that affected the relative positions of nine facial “landmarks”, including the middle of each eyeball and the tip of the nose. By contrast, Claes and Shriver superimposed a mesh of more than 7000 points onto the scanned 3D images and recorded the precise location of each point. They also developed a statistical model to consider how genes, sex and racial ancestry affect the position of these points and therefore the overall shape of the face.
Next the researchers tested each of the volunteers for 76 genetic variants in genes that were already known to cause facial abnormalities when mutated. They reasoned that normal variation in genes that can cause such problems might have a subtle effect on the shape of the face. After using their model to control for the effects of sex and ancestry, they found 24 variants in 20 different genes that seemed to be useful predictors of facial shape (PLoS Genetics, DOI: 10.1371/journal.pgen.1004224).
Reconstructions based on these variants alone aren’t yet ready for routine use by crime labs, the researchers admit. Still, Shriver is already working with police to see if the method can help find the perpetrator in two cases of serial rape in Pennsylvania, for which police are desperate for new clues.
If I had to guess, I’d imagine this kind of thing is a couple of decades away. But with a large enough database of genetic data, it’s certainly possible.
Automatic Face-Recognition Software Getting Better
Facebook has developed a face-recognition system that works almost as well as the human brain:
Asked whether two unfamiliar photos of faces show the same person, a human being will get it right 97.53 percent of the time. New software developed by researchers at Facebook can score 97.25 percent on the same challenge, regardless of variations in lighting or whether the person in the picture is directly facing the camera.
Human brains are optimized for facial recognition, which makes this even more impressive.
This kind of technology will change video surveillance. Right now, it’s general, and identifying people is largely a forensic activity. This will make cameras part of an automated process for identifying people.
Sidebar photo of Bruce Schneier by Joe MacInnis.