Bottom line benefits of identity management (IT Web) – Identity management is about more than security; it is a financial and compliance imperative as well.
Gallia first to enroll in Rx pilot program (Daily Tribune – Gallipolis, OH)
The program, being launched through a public-private partnership between regional health care provider Holzer Health System and CrossChx, a company based in Gallipolis, is known as the Biometric Enrollment and Verification Prescription System and will allow doctors to compare health records from multiple sources to help determine the eligibility of a patient to receive a prescription for medication.
CrossChx (pronounced “cross checks”) will provide the technology to track health information and will, specifically, use biometrics, or the identification of an individual through his or her inherit traits — in this case, fingerprints — to allow prescribers to receive real-time patient information.
The article goes on to note that, locally, 30% of the infants in the neo-natal intensive care unit are addicted to opiates.
Still, she said it’s important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.
“Criminals are constantly thinking of ways to beat the system,” she said. “The system is never going to be perfect.”
Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring.
The article covers a lot more ground than it is fair to copy and paste. It also begs important questions.
Given that ID management perfection isn’t an option, what approximation of perfection is desirable?
What costs are worth bearing?
The Utica College Center for Identity Management and Information Protection is to be commended for their work.
If you’re here, you’ll probably want to read the whole thing.
Utica College Center for Identity Management and Information Protection
and Biometrics “Fix” Identity – Even if there is fraud in the identification process, biometrics can be used to fix a single identity upon an individual.
Our friends at Operation Asha get a well-deserved mention.
Technology and social change (Live Mint – WSJ)
The increasing cost of tuberculosis (TB) treatment is a serious concern in India. Funding requirements have grown 16 times. And instances of multi-drug resistance tuberculosis are rising. Therefore, monitoring the intake of medicines by TB patients for six to nine months is essential. Operation Asha’s eCompliance programme created a biometric identification system to monitor tuberculosis treatments through verifiable tracking, while coordinating phone text messaging-based technology for collecting records into a digitized system.
A high proportion of the seven cases mentioned in the piece have an ID management component.
Do we really need to worry about proof of address? (Economic Times)
It is possible to abandon proof of address altogether and accept an applicant’s submission as authentic. Biometric tags and de-duplication software that works across multiple databases – driving licences, hospital records, school and college registers, insurance and bank accounts – would identify cases that call for further verification.
Sure, this means a lot of computerisation. So what?
Trust everyone’s claimed address, verify those that give cause for doubt. This is integral to inclusive growth.
There are some really good points here.
At first I thought that, if not address, than some geographical descriptor would be necessary in many real world applications. Voting in state and local elections is geography dependent. Many public services are provided only to people in a given jurisdiction.
But author T K Arun makes a good point. In a world of perfect database interoperability and deduplication, residence address doesn’t matter much, especially compared to the challenges and misery associated with having a huge population of people without ID.
From the individual angle, so long as an individual can only vote in one place, as long as they can only collect cash transfers intended for one group (for example they are prevented from simulteneously collecting subsidies for rice growers and fishermen), overall ID-based shenanigans will decrease.
On the service provider level, if databases are linked, two schools claiming to educate the same child (and billing the government for it) would have some explaining to do. For more along these lines, see Biometrics “Fix” Identity.
It’s an interesting conversation and we may be headed that way, but for now, perfect interoperability and (single factor) deduplication isn’t a reality.
But like we always say, don’t let perfect be the enemy of good. Give the poor man an ID — even if he can’t give a permanent residence address.
When: July 19, 2012 — 11:00 am EDT; 8:00 am PDT; 16:00 pm BST; 17:00 pm CEST; 23:00 pm SGT; 0:00 JST
Where: tweetchat.com (hashtag #biometricchat)
What: Tweet chat on Biometrics and Law Enforcement with Michael D. Kirkpatrick (@MDKConsulting)
Topics: The past, present and future of biometric ID management applications in law enforcement, interoperability, modalities.
When John at M2SYS asked me to guest host the July #BiometricChat, I immediately thought of Michael Kirkpatrick. I’m happy to announce that he’s agreed to join us. I offer my sincere thanks to both of them for the opportunity.
Michael D. Kirkpatrick, as the FBI’s Assistant Director in Charge of the Bureau’s Criminal Justice Information Services (CJIS) Division from January 2001 – August 2004, led the Division through profound IT changes especially relating to the application of biometric technologies to the challenges of law enforcement.
Back in the day (i.e. before 1999), fingerprint analysis for law enforcement purposes was a much different ball game. Everything was accomplished with paper, ink, and highly-trained, dedicated fingerprint analysts. That made law enforcement biometrics pretty much the only biometrics game in town because there weren’t really any commercial applications for that type of set-up. Sure, some professions required criminal background checks, but the fingerprinting part was mostly there to make it easier to catch people in the event they committed crimes at some later date.
Presently, the FBI maintains the world’s largest collection of biometric data and facilitates information sharing between law enforcement organizations and a range of both public and private entities. The CJIS center handles more than 61 million ten-print submissions a year. Average response time for an electronic criminal fingerprint submission is about 27 minutes, Electronic civil submissions are processed within 72 minutes.
The successful transition from a paper system to an Integrated Automated Fingerprint Identification System (IAFIS), presented a range of technical, organizational and managerial challenges such as: What to do with all the paper records; What technical standards to apply to digitization; Determining what confidence level constitutes a match; How to receive input remotely and transmit results; How to store the information securely; What policies to put in place; Determining whether current international agreements were adequate or forging new ones necessary. The list goes on and on.
Without the hard work sorting out these kinds of questions done by those at CJIS, biometric ID management applications, beginning with fingerprint biometrics, simply would not have nearly the impact in the public and private sectors that they do today. Michael D. Kirkpatrick was one of the many people who helped make it all possible.
Over the course of his career, Michael has done far too many interesting things in law enforcement and biometrics than can be listed here. Thankfully, he has posted a brief overview of some of his experiences at his site, here. He tweets at @MDKConsulting
We hope that you will spread the word among your colleagues and friends and join us Thursday, July 19 at 11am EDT.
We’ll publish the chat questions in an update to this post early next week.
IT recruitment in public sector hits rock bottom (PC Advisor)
Major government projects involving the heavy use of IT contractors, that have been cancelled over the last two years, include the NHS national electronic database, second generation biometric passports, the ID cards programme, the Contact Point child protection database, and the development of new defence technologies.
Judging by the short description here, three of the four cancelled projects mentioned are related to ID management. Even the fourth, defence technologies, could have a large ID management component.
Coriander s/o Pulao, Aadhaar No 499118665246 (DNA India)
Coriander and an apple, as per the Unique Identification Authority of India (UIDAI), are residents of India as they have been given an Aadhaar number. And this, perhaps, has been the last straw.
Expressing shock at this, not to mention there having been several complaints of impersonation, the Union home ministry has asked UIDAI to get an internal as well as external security audit done by a third party to fix the lacunae in the enrolment system and avoid any more goof-ups.
It is also being blown way out of proportion. Nobody used Coriander’s ID to do anything good or bad.
P Keshav, a Member of Legislative Assembly from the district where the fraud occurred has speculated that the fraud was probably a prank played by someone who wanted to show how casually the process of data collection is done in villages and that the private agencies entrusted with the job have no understanding of the job.
So the hoax was probably an inside job. At the very least it required the complicity of an employee of a trusted entity: one of the companies that facilitates enrollment. Nevertheless, a corrupt official at the DMV issuing false documents doesn’t call the whole drivers license regime into question, and the same is true for UID, but it does encourage policy changes.
The unwanted attention the fraud has brought on the UID enrollment process has led to policy changes that should make the situation better. More attention will be focused on the private operators who charge money to collect enrollments. There’s no reason why the private agency and the employee responsible the fraud couldn’t be sanctioned. In fact, UIDAI probably should institute some sort of performance metric that affects payouts to the private firms based upon data quality, which despite The Coriander Affair, has remained high even as costs have fallen.
It’s important to remember that the management challenge of UID is every bit as difficult as the technical challenge.
Back to Three Sides of the Same Coin
State tightens up on social grants (IOL News)
From the beginning of June, the agency started a full re-registration of all social grant beneficiaries “on a comprehensive biometric identification system”.
Social development director general Vusi Madonsela said the number of beneficiaries who might be receiving grants fraudulently was not known.
“We can only estimate, based on international standards… that there is an estimated 10 percent leakage.
It’s notoriously difficult to estimate losses due to fraud because, in any individual transactions, if the bureaucracy knew it was being defrauded, it wouldn’t engage in the transaction.
This is the first time I’ve seen a reference to the ten percent standard global estimate. That’s as good a place as any to begin a return on investment analysis.
South Africa has been very active in strengthening its ID management infrastructure.
Over the past five years, roughly 2.1 million longshoremen, truckers, merchant mariners, and rail and vessel crew members have undergone extensive background checks and paid a $132.50 fee to obtain these cards. Unless Congress or the Administration acts, starting this October, workers would be required to go through the time and expense of renewing their TWICs. Compelling hardworking Americans to undertake the expense and hassle of renewing their cards is not justifiable given that the basic requirements for biometric readers to match these cards with the cardholders have not been issue by the Department of Homeland Security.
Five years on, the earliest Transportation Worker Identification Credentials (TWICs) will be expiring soon and renewing them isn’t cheap.
The fee for a renewal TWIC (valid for 5 years) is the same amount as the initial enrollment fee, which is currently 129.75* since another security threat assessment will be performed and a credential issued those individuals who successfully undergo this assessment. Individuals also have the option to enroll with a comparable credential and pay a reduced fee. * Effective March 19, 2012, the enrollment cost was reduced from $132.50 to $129.75 due to a FBI fee decrease.
Transportation workers are peeved that they pay for an ID with all sorts of biometric technology bells and whistles while the ID management systems that they use daily don’t take advantage of the card’s capabilities.
But the TWIC is expensive for reasons other than biometric enrollment. The TWIC applicant must provide: biographic information, identity documents, biometric information (fingerprints), a digital photograph and pay the fee. A TSA employee has to go through all this stuff.
Then, the TSA conducts a security threat assessment on the TWIC applicant sending pertinent parts of the enrollment record to the FBI and the Department of Homeland Security (DHS) so that appropriate terrorist threat, criminal history, and immigration checks can be performed.
This, to say the least, is not a cheap process and my guess is that the labor costs, not technology cost, of issuing a TWIC accounts for a huge proportion of the total. The opportunity cost inflicted on the applicant also seems pretty high (i.e. getting a TWIC is a major annoyance).
So then, what of the Homeland Security Committee desire to remove the TWIC renewal requirement? I guess that depends upon why it was originally determined that the TWIC should be renewed every five years.
According to the TSA: “The renewal process consists of the same steps as the original enrollment process (optional pre-enrollment, in-person enrollment, and card activation.) These steps are required since a security threat assessment is required on all applicants, confirming they still meet eligibility requirements” (emph. mine).
If the cards are expensive because the processing costs are high and background checks are expensive. Are the costs unacceptably high? Is $26 per year too expensive? How much does it cost other entities (FBI, military) to keep ID’s current? Who should pay: the worker, their employer, the government, or some combination of the three?
UPDATE: ORIGINAL TITLE HAD “PALISTAN.” MY APOLOGIES. IT SHOULD HAVE BEEN PAKISTAN.
Pakistan’s experience with identity management dates back to 1973, when the eastern part of the country had just seceded and questions were being raised over who was a Pakistani and who was not.
So a registration act was introduced in the parliament to create an authority that would register Pakistani citizens and issue them with a photo ID.
In 2001, this authority was merged with a national database organisation to create Nadra, with the task of computerising all citizen data.
In 2007, Nadra introduced what is known as the multi-biometric system, consisting of finger identification and facial identification data that was to be included in the citizen’s computer profile.
“By now, Nadra has issued 91 million computer generated cards, which is 96% of the entire adult population,” says Nadra deputy chairman Tariq Malik.
“This is one of the world’s largest national databases.”
This is only a taste of the article which is full of interesting information.
King County voters could decide on a $118.9 million property tax levy to continue funding criminal fingerprint identification services for local law enforcement agencies.
The proposal is to keep the Automated Fingerprint Identification System, or AFIS, in operation through 2018. The system provides criminal fingerprint identification services to law enforcement agencies throughout the county, including the Issaquah Police Department.
The proposed renewal levy rate is 5.92 cents per $1,000 of assessed valuation, or about $20.72 per year for a $350,000 home. Voters approved the initial AFIS levy in 1986, and overwhelmingly renewed the levy since then, most recently in 2006. The current levy expires in December.
“As a regional crime-fighting tool, AFIS is our ‘CSI: King County,’ bringing new technology to the job of cracking cases and catching criminals,” County Executive Dow Constantine said in a statement.
Read the whole thing. There are numbers to indicate that the system is getting cheaper to administer over time. There are other indicators that even as the system is costing less, its capabilities are expanding.
King County contains Seattle (map here).
A lot of really good thinking about ID and biometrics comes out of South Africa. In the piece linked below, Marius Coetzee makes some points with which we wholeheartedly agree.
Marius Coetzee, MD of biometric identity control specialist Ideco, says smart identity cards will improve identification processes through the use of biometrics, but they cannot solve the identity fraud problem on their own.
“We’ve been in this game for the past 10 years. We have seen companies publish tenders for solutions and spend a lot of money on a pilot, only to see poor results. Biometrics is an extremely complex science – if you implement it correctly, working with the right partners, you will see results. If you don’t, you will simply waste money.”
ID management technology is a tool managers can use to make certain business processes more efficient, saving the organization money. No technology can manage a business all by itself.
And, of course, as with so many other things, a good partner can make all the difference. The problem is that the larger biometrics vendors don’t really want to be that partner for any normally-sized or price sensitive organization and other organizations that could really take advantage of better ID management systems have difficulty finding the partners they need because the expertise is in small companies. Biometrics hasn’t been Oracle’d, SAP’ed, Microsoftened or IBM’d, yet, and it’s going to be a while before that changes.
Until then, SecurLinx is here to help.
Voice Biometrics as a Fraud Fighter (Bank Info Security)
The biometric technology analyzes voice characteristics, such as dialect, speaking style and pitch. By collecting and archiving voice characteristics of customers, banks, in theory, could authenticate customers’ identities when they call in.
Call center fraud has been escalating. U.S. banks have reported upticks in call-center schemes that rely on social-engineering tricks. The attack: Convince customer service representatives to share or change account details.
The installed base of telephone technology pretty much guarantees that there will be huge incentives for voice recognition technology companies to develop better and better products and for financial companies to adopt them.
This article does a great job with the incentives and challenges of ID management by telephone.
The Con is Mightier than the Hack
Up to 20% of voice biometric samples could be fooled by ‘wolves’ (UK Register)
Phone ‘Line Noise’ As ID Management Technique
Voice Recognition ≠ Speech Recognition
Identity control is IT reality (IT Web – S. Africa)
“SA is a world leader in the use of biometrics. The future must be co-operation and not isolation. There must be an integration of security expertise. Identity control is an IT reality.”
He added that the use of fingerprints allows physical access, cuts losses, reduces risk, has proven ROI, increases security and accelerates processes.
To address the enormous risks associated with cards, PINs and passwords, organisations must authenticate, authorise and audit.
Using the human body as a unique link between gadgets will not lead to novel biometric modalities.
Recently, a couple of different groups have created prototypes that use the human body as a link between two gadgets, one mobile and the other, stationary. The first used an acoustic signal transmitted from a smartphone through the user’s body to a doorknob to unlock the door. The second used electrical signals to transmit an MP3 file through the users body to a speaker system. That’s pretty cool.
In their most basic use cases (using the body as a wire), these innovations accomplish little that couldn’t be accomplished with a USB cable. But if these technologies come to incorporate a biometrics and ID management element, they could kick start a revolution in mobile computing and ID management.
It’s not hard to see how future iterations of similar systems might use biometric modalities already in use — such as integrating a fingerprint reader with the conduction sensor for authenticating a data link — but both sets of innovators have something more profound in mind: using the electrical/acoustic properties of the body itself as an identifier.
The company is looking at different applications. Bhikshesvaran said the company was exploring the notion that it could end up being a new biometric footprint, since bodies all possess a unique energy signature. The company hasn’t quite figured that one out yet.
Amento and his colleagues think they can add another layer of security to the smartphone key, too — one that’s based on the unique properties of people’s skeletons. Because of differences in bone lengths and density, people’s skeletons should carry vibrations differently, they think.
My guess is that the fingerprint verification at one end of the link will be relatively straightforward, provide strong authentication and will work well enough to render the development of the new conduction/acoustic modalities impractical even over the very long term.
This is because in order to displace the well-understood modality of fingerprints and in order to make developing them worthwhile, the novel approaches will have to prove themselves to offer advantages far in excess of fingerprints (in order to justify the R&D outlay) and I don’t see this happening.
Q: Are the electronic and acoustic properties of individuals stable?
A: Compared to fingerprints, I doubt it. Changing the chemistry or mass of a body will lead to minute changes in its electric or acoustic properties. Drinking a sports drink will change electrolyte levels and cause a tiny change in electric properties. Visiting a buffet, wearing a heavy backpack or changing shoes will change the acoustic properties of a person at least a little.
Q: Are the electronic and acoustic properties of individuals unique?
A: Compared to fingerprints, I doubt it. Fingerprints can be as funky as they want to be without killing anyone; not so with the chemistry behind conductivity or the skeletal structure of a person.
Q: How easy is it to measure the properties involved?
A: Conductive and acoustic properties may be unique enough for a team of doctors with infinite resources and lots of time to make a positive ID but not unique enough to enable a very fast, cheap and confident identification.
But the biggest reason these novel approaches are extremely unlikely to be adopted in the competitive marketplace is the very nature of the technology (skin on hardware) lends itself perfectly to the cheap, well-understood and reliable fingerprint tech. No other modality actual or theoretical stands to recommend itself more highly than finger/hand based biometrics and no profit seeking organization will likely devote the resources necessary to establish the reliability conduction/acoustic biometrics that will at best only ever be equal to fingerprints.
The more novel approaches will probably only ever be used as a method of weak authentication such as liveness testing so as to thwart the old rubber finger trick.