Beyond security: the future of biometrics is behaviour
Biometric identity verification is not new. We all know, of course, that fingerprints were used as far back as the early 20th Century by police as a way of identifying criminal suspects. Unique to each individual, even twins, fingerprints are still widely used by the police today. However, the modern movement in biometric identification owes thanks to the progress made in both computer processing power and AI over the past decade.
Today, the algorithms used are powerful enough to process biometric data on a national or even international level. To give an idea of scale, the EU is currently using a fingerprint archive system to track migrants across Europe 1, and India is even running a scheme to collect biometric data for their nationwide census 2 – a first for a country with a population of over 1 billion people.
Whilst biometric data can (and is) being used for gathering population metrics, their main application remains security. An initial game-changer for this type of software was the ability to digitalise fingerprints. Putting them onto a computer system is one thing, but there are also factors involving how the programme uses that information. That is to say, the capacity to both search and make predictions capable of matching up fingerprint data from those archives.
The current trend towards widespread use of biometrics has been driven by web giants like Facebook, Google and Microsoft. They see this type of identification system as a potential market; especially since they are the only entities with the necessary resources to support the enormous databases required. Our small laboratories cannot deal with that side, so we work on the reliability and security of the systems – leaving big operational aspects to the giants!
Seeking this market has driven the new uses of biometrics we have seen take hold, such as fingerprint or face identification in smartphones and other personal devices. It should be said that the stakes here are less drastic, though. In a criminal investigation fingerprints can play a decisive role in charging a person with a crime; a murder conviction is a life sentence in prison. Whereas an attacker getting into a telephone could – at worst – result in the loss of sensitive data. So, in that way quality required for day-to-day use is less strict than those use for criminal investigations.
Furthermore, a new sector has opened up, which we are researching at Telecom SudParis (a top French engineering school) covering behavioural biometrics. As such, devices could be used to identify a person based on the way they walk or type on a computer keyboard. Here, the benefits are more about personalisation of environment than security. Imagine a detection system in a home, which recognises the way a person walks, using sensors under the carpet; that in turn relays those details to an automated system linked to temperature or lighting settings set to personal preferences etc. We are also seeing this type of tech for healthcare settings, focused on well-being of elderly or disabled people to improve comfort or safety.
In particular, the smartphone sector pushed fingerprint detection through so as to provide a solid security identification system for online banking. Since biometrics are mostly unfalsifiable – without stealing your face, fingerprint or voice – they are much more secure for bank transactions than a password or pin number, which can relatively easily be stolen or discovered. Also, a person takes their biometric information around them wherever they go.
Following September 11th, there was a real boost in development of biometric security in light of the terrorist attacks because they were thought to be infallible identification methods. In reality, certain systems technically can be spoofed. An intruder can steal fingerprints from a surface in a home/office or reconstruct a face based on images found online. But these things would involve the victim being specifically targeted rather than mass cyber-attacks by hackers involving personal data breaches of thousands of people at a time.
As such, this can be counteracted by a double-verification system. Hence, why many systems use both fingerprints and pin code. Now we can add other personal traits such as face, eyes or voice, to name a few. There are a great number of possibilities of collecting other physiological traits: face, iris, voice, lip movements… They are more or less reliable, but that’s not necessarily the determining factor. Rather it is the acquisition of the data which can require the most effort. Iris detection, which is one of my areas of expertise for example, relies on a special camera.
The problem of acceptability
A big challenge in the field is reassuring the general population of the safety of biometric data. The issue of personal data is not treated the same way depending on where you are in the world. In China, the State keeps DNA records of each citizen from birth. The USA is more relaxed than Europe, too. Whereas in France, the idea of a biometric identity card [every citizen has one] comes back on the table again and again – but the French population have great difficulty accepting it so it has been refused every time.
To deal with issues around acceptability, it would help to offer an explanation about how biometrics really works. If you compare fingerprints with DNA, it’s not the same type of information. Your DNA can be used to learn things about you – predisposition to diseases or origins, for example. Whereas your fingerprint is just a unique identifying factor that doesn’t carry any specific information about you in itself.