On the Uniqueness and “Matchability” of Fingerprints

Ahh, biometrics, always an interesting topic…

The Wall Street Journal had a story last week (subscription) on fingerprint matching entitled "Fingerprint Matches Come Under More Fire as Potentially Fallible". It started by discussing a recent experiment in which scientists used the case of wrongfully identified and accused non-terrorist Brandon Mayfield:

"We told them we were trying to understand what went wrong in that case," says Itiel Dror of Britain’s University of Southampton, who did the study with student David Charlton. "Could they please look at the prints and tell us where the examiners had gone wrong."

One examiner said he couldn’t tell if the pair matched. Three said the pair did not match and helpfully pointed out why. The fifth examiner insisted the prints — notorious for not matching — did match.

Give that one a gold star.

Unbeknown to the examiners, the prints were not from Madrid and Mr. Mayfield. They were pairs that each examiner had testified in recent criminal cases came from the same person. The three who told the scientists that their pair didn’t match therefore reached a conclusion opposite to the one they had given in court; another expressed uncertainty, whereas in court he had been certain. Prof. Dror will present the study later this month at the Biometrics 2005 meeting in London.

Wow. It is no secret that fingerprint matching by experts is somewhat suspect, but these specific anecdotes are always powerful (us being humans and susceptible to personal anecdotes as overwhelming evidence of trends – incorrectly, but there it is nevertheless).

It seems pretty clear that the typical human-oriented pattern matching is at best suspect, but what does this issue do to our use of biometrics in information security? Well, the ever-interesting Rob Lemos just wrote a SecurityFocus article entitled "Fingerprint Payments Taking Off Despite Security Concerns" that suggests it has no impact, at least on the consumer side. His story talks about two companies moving forward with consumer payment services that use fingerprints for authentication.

Pat Dixon of the World Privacy Forum toes the "scary" party line: "Stealing a credit card number is one thing," she said. "But if your biometric is stolen and can be reconstituted, then that is a big problem." Silly, in a general sense, because biometrics aren’t secret. But aggregating biometrics into a database does increase the risk, and systems need to account for it.

1 comment for “On the Uniqueness and “Matchability” of Fingerprints”

  1. October 10, 2005 at 1:07 pm

    Information about another Dror study can be found at http://www.clpex.com/Articles/TheDetail/100-199/TheDetail188.htm.
