A peek at the tech requirements for India’s UID project

Why is India’s UID Aadhar a Big Data challenge and opportunity? (Information Week)

Everything about India’s UID project or Aadhar as it is commonly known is ambitious. Giving a unique identity to 1.2 billion residents is a challenging task. No country has done a project of this scale – which is why this project is being watched keenly by everyone – not only in India, but the rest of the world too.

Let’s look at some interesting facts about Aadhar. The scope is to capture 12 billion fingerprints, 1.2 billion photographs, and 2.4 billion iris scans. The file size for each enrollment is approximately 5 Mb. When you summarize this for 1.2 billion people, the file size would be measured in petabytes. This is just the storage part.

De-duplication, also addressed in the article, is the really crazy part, though.

The challenges confronting any new biometric modality

[ed. This post reflects a substantial rewrite of an earlier post of January 24, 2013: Not the bee’s knees]

Every once in a while a version of the following paragraph finds itself in the news…

Biometrics Using Internal Body Parts: Knobbly Knees in Competition With Fingerprints (Science Daily)

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your knobbly knees. Just as a fingerprints and other body parts are unique to us as individuals and so can be used to prove who we are, so too are our kneecaps. Computer scientist Lior Shamir of Lawrence Technological University in Southfield, Michigan, has now demonstrated how a knee scan could be used to single us out.

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your ______________.

Examples are numerous and fecund:

Heartbeat?
Rear-end?
Ear?
Bone structure or electric conductivity?
Footsteps?
Nose? (ed. Link added later. I forgot about that one.)
Body odor?
Brain prints?
Lip movements?
Kneecap?

While I suspect that any definable aspect of the human anatomy could be used as a biometric identifier — in instances where teeth are all that is known about an individual, they are used for high confidence identification — I’m afraid that, for the foreseeable future, the cards are stacked against any new biometric modality catching on in any big way.

The reasons for this are both scientific (research based) and economic (market based).

On the science side, a good biometric modality must be: unique, durable, and easily measurable. If any of these are missing, widespread use for ID management isn’t in the cards. If something is unique and durable but isn’t easily measurable, it can still be useful but it isn’t going to become ubiquitous in automated (or semi-automated) technology. Teeth and DNA fit this model. Teeth have been used to determine the identity of dead bodies with a high degree of certainty for a long time, but we aren’t going to be biting any sensors to get into our computers any time soon — or ever. Likewise with DNA.

There is also the challenge of proving that a modality is in fact unique, durable and easily measurable which requires a whole lot of experimental data and (especially regarding uniqueness) a healthy dose of statistical analysis. I’m no statistician, and from what I understand, the statistical rules for proving biometric uniqueness aren’t fully developed yet anyway, so let’s just leave things in layman’s terms and say that if you’re wanting to invent a new biometric modality and someone asks you how big a data set of samples of the relevant body part you need, your best answer is “how many can you get me?”

In order to ascertain uniqueness you need samples from as many different people as you can get. For durability you need biometric samples for the same person taken over a period of time and multiplied by a lot of people.

Ease of measure is more experiential and will be discovered during the experimentation process. The scientists charged with collecting the samples from real people will quickly get a feel for the likelihood that people would adapt to a given ID protocol.

For two common biometric modalities, face and fingerprint, huge data repositories have existed since well before there was any such thing as a biometric algorithm. Jails (among others) had been collecting this information for a hundred years and the nature of the jail business means you’ll get several samples from the same subject often enough to test durability, too, over their criminal life. For face, other records such as school year books exist and were readily available to researchers who sought to test the uniqueness and durability of the human face.

The first hurdle for a novel biometric modality is the competition for the attention of scientists and researchers. Getting the attention of science and technology journalists by making a pronouncement that the space between the shoulder blades is the next big thing in biometrics is one thing. Getting academic peers to dedicate the time and research dollars to building the huge database of interscapular scans required for algorithm development is quite another. Any new modality has to offer out-sized advantages over established modaities in order to justify the R&D outlay required to “catch up”. This is highly unlikely.

On the market side, in order to displace established (finger/hand and face/eye) biometric modalities in wide scale deployments, the academic work must be complete and the new technology must produce a return on investment (ROI) in excess of that offered by existing technologies designed to accomplish the same function.

That’s not to say that modalities that didn’t have the advantage of a 100 year head start on data collection are impossible to bring to market. Iris, voice, and the vascular biometrics of the hand (palm, finger) have joined face and fingerprint biometrics in achieving commercial viability despite the lack of historic data repositories. But there were several things recommending them. They either occupy prime real estate on the head and the end of the arm (Iris, vein) making them easy to get at, or they are the only biometric that can be used over a ubiquitous infrastructure that simply isn’t going anywhere (voice/phone), or they offer advantages over similar established modalities. With hand vascular biometrics: they’re harder to spoof than fingerprints; no latency; avoidance of the “fingerprinting = criminality” stigma; can work with gloves; users can avoid touching the sensor, etc. With iris: harder to copy than the face; harder to spoof; easier to measure than retina vasculation; and extremely low/no latency. Yet even despite gaining the required academic attention, iris and voice have had great difficulty overcoming the market (ROI) hurdle, which brings us back to knees.

Is there any database of kneecaps of significant size to allow researchers to skip the time-consuming task of building such a database themselves reducing the cost of development? Is there any deeply embedded ubiquitous infrastructure that is already an ideally suited knee-sensor? Is there any objection to modalities that have a head start on knees that knee biometrics would overcome? Is there any conceivable, repeatable, scalable deployment where a potential end user could save a whole lot of money by being able to identify people by their knees? I’m at a loss but these are exactly the kind of questions any new biometric modality must be able to answer in the affirmative in order to have any hope for wide-scale deployment.

So, it’s pretty clear that knee biometrics are not something the average person will ever come into contact. Does that mean there is no value in exploring the idea of the kneecap as a feature of the human anatomy capable of being used to uniquely identify an individual? Not necessarily.

In order to thrive as high value-added tools in highly specialized deployments a novel modality just needs to help solve a high value problem. This has heretofore been the case with teeth & DNA. The analysis of teeth and DNA is expensive, slow, requires expert interpretation, and is difficult to completely automate, but has been around for a long, long time and isn’t going anywhere anytime soon. That’s because the number of instances where teeth and DNA are the only pieces of identifying information available are frequent enough, the value of making the identification is high enough, and the confidence level of the identification is high enough that people are willing to bear the costs associated with the analysis of teeth and DNA.

Beyond teeth and DNA, any biometric modality can be useful, especially when it is the only piece if information available. The CIA and FBI even invented a completely novel biometric approach in an attempt to link Khalid Shaikh Mohammed to the murder of Daniel Pearl using arm veins. But how likely is something like that ever to be the case for any of these novel modalities, knees included? It’s possible that the situation could arise where a knee bone is discovered and there is an existing x-ray or MRI of a known person’s knee and a comparison would be useful. That, however, is not enough to make anyone forget about any already-deployed biometric modality.

In search of a post-password world

Google wants to ditch the password – sounds lovely (Singularity Hub)

Memorizing numerous passwords is inconvenient. This is known. To counteract said inconvenience, many people use memorable (read: hackable) passwords on multiple sites. Which is a shame because security experts advise that, at a minimum, we use different, random, alpha-numeric strings for every website and switch them out every few months. Kind of the opposite of convenient. And even this method provides but a fig leaf of security.

Google isn’t suggesting biometrics, at least not yet, but the article does cover biometrics as a possible solution.

A couple of municipal fingerprint time-and-attendance deployments going badly

INDIA: SDMC staff misusing biometric attendance system (Jagran Post)

According to the sources, most of the Municipal Corporation staff has given their fake thumb impressions to their colleagues who mark their attendance in their absence. Some workers raised the issue before the higher authorities but all the efforts went in vain.

SOUTH AFRICA: Council pays for unused system (Independent Online)

The costs are mounting, yet an electronic time management system installed to provide efficiency and control in the Hibiscus Coast municipality, almost three years ago, has still not been used. The biometric system which reads the fingerprints of workers to record what time they start and finish, was supposed to replace the current manual attendance register.

A lot of biometric ID management installations come down to managerial, rather than technical, challenges. This is especially true for biometric time-and-attendance systems.

Technically, biometric time-and-attendance systems are pretty straightforward but they can’t manage a business all by themselves. An organization that wants to maximize its Return on Investment in biometric ID management systems, will view the technology as a tool supporting able managers, not as a substitute for managerial skill.

For similar thoughts and other examples, see:
Business Management & Biometric Time-and-Attendance (I took the two paragraphs just above from this one);

Good Help is Hard to Find;

UK pays £22.5 million for ‘questionable’ Democratic Republic of Congo election; and

Technology and Management working together can help improve public payments system

A brief history of personalized (“smart”) firearms

Push for futuristic guns builds on embattled past (Houma Today)

It sounds, at first, like a bold, next-generation solution: personalizing guns with technology that keeps them from firing if they ever get into the wrong hands.

But when the White House called for pushing ahead with such new technology as part of President Obama’s plan to cut gun violence, the administration did not mention the concept’s embattled past. As with so much else in the nation’s long-running divisions over gun rights and regulation, what sounds like a futuristic vision is, in fact, an idea that has been kicked around for years, sidelined by intense suspicion, doubts about feasibility and pressure tactics.

The Associated Press has an article out today that covers the history of the “smart gun” both as a political issue and as a technology.

Sorting out voice technologies

On the occasion of Amazon’s purchase of Ivona, The Verge has a good article sorting out various voice technologies.

 Key bit:

  • Text-to-speech: reads text that’s already been written into something approaching a human-sounding voice (Ivona, AT&T, Microsoft, many others);
  • Speech-to-text: transcribes what you say word-for-word into text (Dragon, Yap);
  • Voice recognition: biometric that knows who you are based on your voice (like in Sneakers);
  • Natural-language AI: transcribes speech and/or parses text, looking for keywords and structure to turn ordinary sentences into computer queries (Siri’s core technology).
  • Those interested in voice tech should click through.

    A survey of biometric modalities and their social impact

    Biometrics Looks To Solve Identity Crisis (Electronic Design)

    You see them in blockbuster movies and high-tech TV shows—biometric systems that rely on fingerprints, facial recognition, and other physical and behavioral data to provide identification. But these technologies have moved past the sci-fi genre, and even beyond the high-security arena. They’re hitting the mainstream now. In fact, you may even be using some of them already.

    This is just the introductory paragraph. The whole article is worth reading.

    Hardware & ID Security: PC vs Mobile

    Mobile banking to hit 1 billion users by 2017

    Fortunately for the consumer, mobile devices often contain technologies such as GPS that track the user’s location, front-facing cameras that can be used for face-recognition, and other biometric tools such as voice recognition technology and in some cases fingerprint technology. In December, Ben Knieff, head of fraud at financial crime and technology specialist NICE Actimize told Banking Technology that mobile banking could eventually become safer than online banking.

    “While consumers didn’t like biometrics ten or even five years ago, rising usage of the technology on sites like Facebook has made it more acceptable,” he said. “Consumer sentiment is changing, and I believe there could actually be an opportunity to use some of these technologies to make mobile banking even safer than internet banking is today.”

    The whole article is worth reading but two points in the second paragraph quoted above are especially thought-provoking.

    That’s the first time I’ve seen the Facebook face recognition issue turned on its head like that. Stories of outrage at the Facebook facial recognition app are easy to find. Whether this has more to do with Facebook’s User Agreement policies or biometric technology is a subject for another day, but is it possible that as suggested above, by putting people into contact with the technology the Facebook face rec kerfuffle has made biometrics more acceptable to the networked public?

    Another fascinating item in the second paragraph is the notion that mobile banking can be inherently safer than online banking conducted through desktop or laptop computers. We discussed some of the reasons for this in Mobile Devices and Biometric Modalities, but the reasons why authentication via mobile devices may be more rigorous than that using other hardware go beyond biometrics. Mobile devices are quite simply capable of covering all of the factors listed below. In a multifactor authentication model, the more factors that can be determined simultaneously, the higher the confidence in the authentication transaction.
    Here they are.

    Something you have (tokens: key, prox card, mobile phone, etc.)
    Something you know (passwords, PINS, codes, high school mascot, etc.)
    Something you are (biometrics: eye, voice, face, fingerprint)
    Where you are (location: IP address, cellular signal, GPS, in the bank branch)
    When you are (time)

    Mobile hardware supports all the factors above and, in the factors with bold face, mobile platform security exceeds the security attributes of PC hardware. Mobiles make better tokens because they aren’t often shared, they have blue tooth, near filed communication (NFC), wi-fi capabilities for external signaling and, of course, they’re mobile. They support passwords (OK, maybe not quite as conveniently as PC’s). Two biometric sensors, the camera and microphone, come stock on all mobiles. They know where you are at all times.

    The what time it is question is a draw in the current discussion. Both technologies in question (mobile vs. PC) are equally ignored here because the question of time is answered on the server side; i.e. you can’t avoid late fees by setting the clock back on your PC when you make last month’s payment online. Payees have their own clocks. I just included it because it’s a real factor and there are ID/security applications where an individual is treated differently at different times of the day. Time also comes up in combination with location. Credit cards run fifteen minutes apart in gas stations separated by 1,000 miles raise suspicion.

    That’s the theory anyway. In theory, mobile hardware can facilitate higher confidence ID authentication. In practice the security vulnerabilities of the PC world are better understood. There are several household names offering services that maintain PC hardware as a virus/trojan/worm free environment. Uptake of similar technologies has yet to take off with mobile hardware. That will change, though, if more people use mobile hardware to handle their finances.

    Court: Students cannot opt out of ID badge policy

    Student Suspended for Refusing to Wear RFID Tracker Loses Lawsuit (Wired)

    Sophomore Andrea Hernandez was notified in November by the Northside Independent School District in San Antonio that she won’t be able to continue attending John Jay High School unless she wears the badge around her neck. The district said the girl, who objects largely on religious grounds, would have to attend another high school that does not employ the RFID tags.

    She sued, a judge tentatively halted the suspension, but changed course Tuesday after concluding that the 15-year-old’s right of religion was not breached. That’s because the district eventually agreed to accommodate the girl and allow her to remove the RFID chip while still demanding that she wear the identification like the other students.

    The Hernandez family claims the badge and its chip signifies Satan, or the “Mark of the Beast” warning in Revelations 13:16-18. The girl refused the district’s offer, sued, and was represented by the Rutherford Institute.

    It is clear that the public hasn’t quite come to grips with the use ID technology technology in the administration of (more-or-less compulsory) public services involving children.

    Face rec philosophy

    Face Recognition in Retail: Profit, Ethics and Privacy (Allevate)

    Having previously written on the subject of the application of face recognition in airports as applied by law enforcement and border control, this article looks at the increasing exploitation of the technology for commercial advantage. As well as contrasting the different use-cases defined by commercial exploitation versus public safety applications, this article also touches upon the very different agendas of those using the technology and the privacy issues that arise.

    Read the whole thing.

    Unisys exec. on biometrics in India

    Unisys sees scope in taking biometrics to bottom of pyramid: John Kendall (DNA India)

    A low-profile sector so far, biometrics is gaining traction, courtesy several large-scale government projects. The private sector too is catching up with adoption of biometrics, thus making India a key market that cannot be ignored any more, John Kendall, director, national security programme at Unisys, tells KV Ramana.

    See also, a recent industry forecast of 46% CAGR for biometrics in India.

    India: We have a lift off

    After initial hiccups, the government’s ambitious direct benefits transfer programme through a unique identification number kicked off smoothly today, though the number of transactions carried out by the banks on the first day remained low. About 2,000 beneficiaries were transferred an amount of Rs 35 lakh on the Aadhaar platform, but the figure is expected to go up tomorrow. The programme is aimed at covering two lakh beneficiaries.

    Photo of UID taking off. Source: NASA

    After several years of preparation and on-the-ground effort, the National Payments Corporation of India disbursed the first government payments directly to individuals using the UID (Aadhaar) platform. This is a big deal.

    We’ve repeatedly used the “moon shot” metaphor here to describe the ID management projects India has been working on for the last several years.

    The audio and video of UID won’t be as dramatic. The narrative won’t be as clear-cut. There won’t be a cathartic moment where a “one giant step” speech is appropriate. So, in this sense, UID falls short of the metaphor. [The audio of the Apollo 11 launch that inspired this post’s title is here (NASA.gov; 1 min.)]

    But if the UID project succeeds it will have overcome daunting technical, logistical and managerial challenges to have a tangible effect on the material well being of hundreds of millions of people, awakening the rest of the developing world to new possibilities to simultaneously help the most vulnerable and reduce the corruption that keeps much of the world poor. Few government initiatives could boast of as much.

    UID also reminds me of the great global efforts to eradicate small pox and polio in that they had to, quite literally, touch everyone.

    ‘Another Brick in the Wall’ was written in 1979

    Washington Times Editorial: Securing America’s schools

    Though the benefits of creating maximum-security schools is questionable, the negative impact on young minds is undeniable. Surveillance cameras would watch a child’s every move from kindergarten through high school. GPS devices would track them, and biometric scanners and identification cards would ensure compliance with all attendance regulations. This normalizes a police state. Instead of learning self-reliance, kids would grow up with a state-supplied — and illusory — security blanket.

    Schools knowing where students are and whether or not they are attending class discourages self-reliance? Does using technology for the purpose change its nature?

    Just remember ‘Another Brick in the Wall’ was released in 1979. High technology isn’t a necessary (or sufficient) condition for police state normalization.

    On another note, and in the wake of recent events, a school system in Illinois is dusting off a previously shelved plan to use biometrics to restrict access to schools to those who have been vetted beforehand:

    Dist. 201 plans to launch more safety measures (Morris Daily Herald – Illinois)

    The district will also re-investigate biometric thumbprint scanning systems for the vestibule, a program they began looking at a year ago.

    If the system were used, all parents/guardians would provide a digital thumbprint during school registration. Along with a photo ID, the fingerprint would be in the district’s computer system. Once inside the vestibule, the parent would scan their thumb and staff would pull up the person’s photo at the same time.

    Canada military to spread biometric knowledge domestically

    Canadian Forces Expands Its Biometric Capabilities But Remains Silent On The Details (Ottawa Citizen)

    …[I]n an April 2010 directive issued by then Chief of the Defence Staff Gen. Walter Natynczyk, the military was ordered to expand such capabilities beyond those being detained in Afghanistan.

    The directive called on Canadian Forces planners to “shape” research conducted by the DND’s science organization, Defence Research and Development Canada, so they could identify new future technologies that could improve the collection of biometric data.

    The directive was aimed at dealing with the Afghanistan mission. But it didn’t explain whether the call to expand biometric capabilities to support other government departments, as well as the need to conduct new research, was for future international missions, support for domestic operations or a combination of both.

    Good face rec article at the BBC

    Can disguises fool surveillance technology? (BBC)

    putting a scarf over the mouth and nose, or simply wearing dark glasses could fool the system. However, this is beginning to change, says Shengcai Liao, an assistant professor at the Center for Biometrics and Security Research in Beijing, China. He says new techniques are being developed that can use information from the nose or mouth alone if the eyes are occluded, or from the eyes and eyebrows if a scarf is covering the lower part of the face. “It’s not possible to recognize a fully occluded face, but we can currently recognize faces with 30% or even 50% occlusion,” he said. “We have even had success performing recognition from a mouth alone – something that it would be very difficult for a human to do.”

    But what about other countermeasures, such as those used by McAfee, which included skin darkening, facial distortion and colouring his hair?

    I’m still a fan of CV Dazzle. If you’re going to change your appearance to “jam” facial recognition systems, you can make a bolder fashion statement than wearing a ski mask. Well, I guess Ski Mask is a pretty bold fashion statement, but click over to CV Dazzle for other options that don’t scream “I just robbed a bank.”

    Howie Woo also has a more cheery alternative for those committed to the mask, but his approach has its own risks.

    Biometrics experts on technology & privacy

    Biometrics and Privacy: A Positive Match (accenture) …Views from leading biometrics specialists on how to reap the benefits offered by biometric solutions while preserving and enhancing the individual’s right to privacy.

    The (5 min.) video is very well edited from interviews conducted among industry experts at the Biometrics 2012, London confab. It isn’t posted in an embeddable format or I’d have it for you here, but it’s very much clicking over to accenture to view it.

    A threep-page pdf transcript of the quotes, with attribution, is here.

    The quotes are excellent individually. Collectively they reflect that the people work in the biometrics industry have devoted considerable thought into the way biometric technologies can be used to improve people’s lives.