Beyond security : the future of biometrics is behaviour

Bio­me­tric iden­ti­ty veri­fi­ca­tion is not new. We all know, of course, that fin­ger­prints were used as far back as the ear­ly 20^th Cen­tu­ry by police as a way of iden­ti­fying cri­mi­nal sus­pects. Unique to each indi­vi­dual, even twins, fin­ger­prints are still wide­ly used by the police today. Howe­ver, the modern move­ment in bio­me­tric iden­ti­fi­ca­tion owes thanks to the pro­gress made in both com­pu­ter pro­ces­sing power and AI over the past decade.

Today, the algo­rithms used are power­ful enough to pro­cess bio­me­tric data on a natio­nal or even inter­na­tio­nal level. To give an idea of scale, the EU is cur­rent­ly using a fin­ger­print archive sys­tem to track migrants across Europe ¹, and India is even run­ning a scheme to col­lect bio­me­tric data for their nation­wide cen­sus ² – a first for a coun­try with a popu­la­tion of over 1 bil­lion people.

Whil­st bio­me­tric data can (and is) being used for gathe­ring popu­la­tion metrics, their main appli­ca­tion remains secu­ri­ty. An ini­tial game-chan­ger for this type of soft­ware was the abi­li­ty to digi­ta­lise fin­ger­prints. Put­ting them onto a com­pu­ter sys­tem is one thing, but there are also fac­tors invol­ving how the pro­gramme uses that infor­ma­tion. That is to say, the capa­ci­ty to both search and make pre­dic­tions capable of mat­ching up fin­ger­print data from those archives.

The cur­rent trend towards wides­pread use of bio­me­trics has been dri­ven by web giants like Face­book, Google and Micro­soft. They see this type of iden­ti­fi­ca­tion sys­tem as a poten­tial mar­ket ; espe­cial­ly since they are the only enti­ties with the neces­sa­ry resources to sup­port the enor­mous data­bases requi­red. Our small labo­ra­to­ries can­not deal with that side, so we work on the relia­bi­li­ty and secu­ri­ty of the sys­tems – lea­ving big ope­ra­tio­nal aspects to the giants !

See­king this mar­ket has dri­ven the new uses of bio­me­trics we have seen take hold, such as fin­ger­print or face iden­ti­fi­ca­tion in smart­phones and other per­so­nal devices. It should be said that the stakes here are less dras­tic, though. In a cri­mi­nal inves­ti­ga­tion fin­ger­prints can play a deci­sive role in char­ging a per­son with a crime ; a mur­der convic­tion is a life sen­tence in pri­son. Whe­reas an atta­cker get­ting into a tele­phone could – at worst – result in the loss of sen­si­tive data. So, in that way qua­li­ty requi­red for day-to-day use is less strict than those use for cri­mi­nal investigations.

Fur­ther­more, a new sec­tor has ope­ned up, which we are resear­ching at Tele­com Sud­Pa­ris (a top French engi­nee­ring school) cove­ring beha­viou­ral bio­me­trics. As such, devices could be used to iden­ti­fy a per­son based on the way they walk or type on a com­pu­ter key­board. Here, the bene­fits are more about per­so­na­li­sa­tion of envi­ron­ment than secu­ri­ty. Ima­gine a detec­tion sys­tem in a home, which reco­gnises the way a per­son walks, using sen­sors under the car­pet ; that in turn relays those details to an auto­ma­ted sys­tem lin­ked to tem­pe­ra­ture or ligh­ting set­tings set to per­so­nal pre­fe­rences etc. We are also seeing this type of tech for heal­th­care set­tings, focu­sed on well-being of elder­ly or disa­bled people to improve com­fort or safety. 

In par­ti­cu­lar, the smart­phone sec­tor pushed fin­ger­print detec­tion through so as to pro­vide a solid secu­ri­ty iden­ti­fi­ca­tion sys­tem for online ban­king. Since bio­me­trics are most­ly unfal­si­fiable – without stea­ling your face, fin­ger­print or voice – they are much more secure for bank tran­sac­tions than a pass­word or pin num­ber, which can rela­ti­ve­ly easi­ly be sto­len or dis­co­ve­red. Also, a per­son takes their bio­me­tric infor­ma­tion around them whe­re­ver they go.

Fol­lo­wing Sep­tem­ber 11^th, there was a real boost in deve­lop­ment of bio­me­tric secu­ri­ty in light of the ter­ro­rist attacks because they were thought to be infal­lible iden­ti­fi­ca­tion methods. In rea­li­ty, cer­tain sys­tems tech­ni­cal­ly can be spoo­fed. An intru­der can steal fin­ger­prints from a sur­face in a home/office or recons­truct a face based on images found online. But these things would involve the vic­tim being spe­ci­fi­cal­ly tar­ge­ted rather than mass cyber-attacks by hackers invol­ving per­so­nal data breaches of thou­sands of people at a time.

As such, this can be coun­te­rac­ted by a double-veri­fi­ca­tion sys­tem. Hence, why many sys­tems use both fin­ger­prints and pin code. Now we can add other per­so­nal traits such as face, eyes or voice, to name a few. There are a great num­ber of pos­si­bi­li­ties of col­lec­ting other phy­sio­lo­gi­cal traits : face, iris, voice, lip move­ments… They are more or less reliable, but that’s not neces­sa­ri­ly the deter­mi­ning fac­tor. Rather it is the acqui­si­tion of the data which can require the most effort. Iris detec­tion, which is one of my areas of exper­tise for example, relies on a spe­cial camera.

A big chal­lenge in the field is reas­su­ring the gene­ral popu­la­tion of the safe­ty of bio­me­tric data. The issue of per­so­nal data is not trea­ted the same way depen­ding on where you are in the world. In Chi­na, the State keeps DNA records of each citi­zen from birth. The USA is more relaxed than Europe, too. Whe­reas in France, the idea of a bio­me­tric iden­ti­ty card [eve­ry citi­zen has one] comes back on the table again and again – but the French popu­la­tion have great dif­fi­cul­ty accep­ting it so it has been refu­sed eve­ry time.

To deal with issues around accep­ta­bi­li­ty, it would help to offer an expla­na­tion about how bio­me­trics real­ly works. If you com­pare fin­ger­prints with DNA, it’s not the same type of infor­ma­tion. Your DNA can be used to learn things about you – pre­dis­po­si­tion to diseases or ori­gins, for example. Whe­reas your fin­ger­print is just a unique iden­ti­fying fac­tor that doesn’t car­ry any spe­ci­fic infor­ma­tion about you in itself.