Beyond security: the future of biometrics is behaviour

Bio­met­ric iden­tity veri­fic­a­tion is not new. We all know, of course, that fin­ger­prints were used as far back as the early 20^th Cen­tury by police as a way of identi­fy­ing crim­in­al sus­pects. Unique to each indi­vidu­al, even twins, fin­ger­prints are still widely used by the police today. How­ever, the mod­ern move­ment in bio­met­ric iden­ti­fic­a­tion owes thanks to the pro­gress made in both com­puter pro­cessing power and AI over the past decade.

Today, the algorithms used are power­ful enough to pro­cess bio­met­ric data on a nation­al or even inter­na­tion­al level. To give an idea of scale, the EU is cur­rently using a fin­ger­print archive sys­tem to track migrants across Europe ¹, and India is even run­ning a scheme to col­lect bio­met­ric data for their nation­wide census ² – a first for a coun­try with a pop­u­la­tion of over 1 bil­lion people.

Whilst bio­met­ric data can (and is) being used for gath­er­ing pop­u­la­tion met­rics, their main applic­a­tion remains secur­ity. An ini­tial game-changer for this type of soft­ware was the abil­ity to digit­al­ise fin­ger­prints. Put­ting them onto a com­puter sys­tem is one thing, but there are also factors involving how the pro­gramme uses that inform­a­tion. That is to say, the capa­city to both search and make pre­dic­tions cap­able of match­ing up fin­ger­print data from those archives.

The cur­rent trend towards wide­spread use of bio­met­rics has been driv­en by web giants like Face­book, Google and Microsoft. They see this type of iden­ti­fic­a­tion sys­tem as a poten­tial mar­ket; espe­cially since they are the only entit­ies with the neces­sary resources to sup­port the enorm­ous data­bases required. Our small labor­at­or­ies can­not deal with that side, so we work on the reli­ab­il­ity and secur­ity of the sys­tems – leav­ing big oper­a­tion­al aspects to the giants!

Seek­ing this mar­ket has driv­en the new uses of bio­met­rics we have seen take hold, such as fin­ger­print or face iden­ti­fic­a­tion in smart­phones and oth­er per­son­al devices. It should be said that the stakes here are less drastic, though. In a crim­in­al invest­ig­a­tion fin­ger­prints can play a decis­ive role in char­ging a per­son with a crime; a murder con­vic­tion is a life sen­tence in pris­on. Where­as an attack­er get­ting into a tele­phone could – at worst – res­ult in the loss of sens­it­ive data. So, in that way qual­ity required for day-to-day use is less strict than those use for crim­in­al investigations.

Fur­ther­more, a new sec­tor has opened up, which we are research­ing at Tele­com Sud­Par­is (a top French engin­eer­ing school) cov­er­ing beha­vi­our­al bio­met­rics. As such, devices could be used to identi­fy a per­son based on the way they walk or type on a com­puter key­board. Here, the bene­fits are more about per­son­al­isa­tion of envir­on­ment than secur­ity. Ima­gine a detec­tion sys­tem in a home, which recog­nises the way a per­son walks, using sensors under the car­pet; that in turn relays those details to an auto­mated sys­tem linked to tem­per­at­ure or light­ing set­tings set to per­son­al pref­er­ences etc. We are also see­ing this type of tech for health­care set­tings, focused on well-being of eld­erly or dis­abled people to improve com­fort or safety. 

In par­tic­u­lar, the smart­phone sec­tor pushed fin­ger­print detec­tion through so as to provide a sol­id secur­ity iden­ti­fic­a­tion sys­tem for online bank­ing. Since bio­met­rics are mostly unfalsifi­able – without steal­ing your face, fin­ger­print or voice – they are much more secure for bank trans­ac­tions than a pass­word or pin num­ber, which can rel­at­ively eas­ily be stolen or dis­covered. Also, a per­son takes their bio­met­ric inform­a­tion around them wherever they go.

Fol­low­ing Septem­ber 11^th, there was a real boost in devel­op­ment of bio­met­ric secur­ity in light of the ter­ror­ist attacks because they were thought to be infal­lible iden­ti­fic­a­tion meth­ods. In real­ity, cer­tain sys­tems tech­nic­ally can be spoofed. An intruder can steal fin­ger­prints from a sur­face in a home/office or recon­struct a face based on images found online. But these things would involve the vic­tim being spe­cific­ally tar­geted rather than mass cyber-attacks by hack­ers involving per­son­al data breaches of thou­sands of people at a time.

As such, this can be coun­ter­ac­ted by a double-veri­fic­a­tion sys­tem. Hence, why many sys­tems use both fin­ger­prints and pin code. Now we can add oth­er per­son­al traits such as face, eyes or voice, to name a few. There are a great num­ber of pos­sib­il­it­ies of col­lect­ing oth­er physiolo­gic­al traits: face, iris, voice, lip move­ments… They are more or less reli­able, but that’s not neces­sar­ily the determ­in­ing factor. Rather it is the acquis­i­tion of the data which can require the most effort. Iris detec­tion, which is one of my areas of expert­ise for example, relies on a spe­cial camera.

A big chal­lenge in the field is reas­sur­ing the gen­er­al pop­u­la­tion of the safety of bio­met­ric data. The issue of per­son­al data is not treated the same way depend­ing on where you are in the world. In China, the State keeps DNA records of each cit­izen from birth. The USA is more relaxed than Europe, too. Where­as in France, the idea of a bio­met­ric iden­tity card [every cit­izen has one] comes back on the table again and again – but the French pop­u­la­tion have great dif­fi­culty accept­ing it so it has been refused every time.

To deal with issues around accept­ab­il­ity, it would help to offer an explan­a­tion about how bio­met­rics really works. If you com­pare fin­ger­prints with DNA, it’s not the same type of inform­a­tion. Your DNA can be used to learn things about you – pre­dis­pos­i­tion to dis­eases or ori­gins, for example. Where­as your fin­ger­print is just a unique identi­fy­ing factor that doesn’t carry any spe­cif­ic inform­a­tion about you in itself.