Statement for the Record of
Executive Director, Electronic Privacy Information Center
Carla Meninsky, EPIC IPIOP Fellow
Joint Hearing on
Identity Theft Involving Elderly Victims
Special Committee on Aging
United States Senate
July 18, 2002
My name is Marc Rotenberg. I am the executive director of the Electronic Privacy Information Center (EPIC), a public interest research organization based here in Washington. I am also on the faculty of the Georgetown University Law Center where I have taught the Law of Information Privacy for ten years. Joining me in the preparation of this statement is Carla Meninsky, a student at George Washington Law School and an Internet Public Interest Opportunities Program (IPIOP) Fellow at EPIC.
We appreciate the opportunity to present this statement on the relationship between biometric techniques and the problem of identity theft. Identity theft imposes a significant cost on individual consumers. The primary cause of identity theft is the widespread use of the Social Security number as a record locator and individual identifier. Because of the absence of effective controls on the use of the Social Security numbers, SSNs are regularly marketed, stolen or counterfeited.
The problem of identity theft cannot be solved by widespread adoption of biometric identifiers. While there are currently over 20,000 military, government and commercial installations using some form of biometric identification, those installations are specific applications within small, controlled communities. To create a nationwide network of biometric identification would be a huge undertaking, requiring vast amounts of storage and hundreds of million of dollars. It would not solve the identity theft problem, but it would raise new and difficult problems, particularly for the elderly.
We will briefly review how biometrics are used as identifiers, discuss some of the advantages and limitations of each of the biometrics available today, and make a few brief recommendations.
The Problem of Identity Theft
Identity theft accounted for over 80 percent of Social Security number misuses reported to the Social Security Administration. The cost of identity theft is expected to reach eight billion dollars by the year 2005. However, this represents one tenth of a percent of the credit industry's income and only a small fraction of the amount of loss due to fraud and stolen credit cards. The average loss to the financial industry is $17,000 per identity loss, but the loss to the victim is potentially much greater.
Most victims of identity theft face significant credit bills and the destruction of their credit history. The immediate consequence could be the loss of securing a job or purchasing a home, or worse. Other victims face arrest for crimes that an impersonator has committed in their name. If the arrest occurs, it may be impossible to correct. Identity theft has been used to obtain employment, drivers' licenses, receive government benefits, and evade criminal prosecution. Identity theft indirectly affects everyone because it causes interest rates to increase to cover the industry's losses.
While the majority of those reporting identity theft are between the ages of 20 to 40, identity theft is of particular concern to the elderly because of the length of time between when the theft occurs and when it is discovered. Usually it is more than a year later and only because much needed credit has been denied. For people who may use credit cards infrequently, the delay between when the theft occurs and when the card is needed will further exacerbate the problem of correction. Identity theft also weighs heavily on those who have established good credit histories over a long period of time and then confront the challenge of correcting a credit statement in retirement.
Biometrics as a Solution
One approach to the problem of reducing the threat of identity theft is the widespread adoption of systems of biometric identification. Biometric identification systems are automated methods of recognizing a person based on one or more physical characteristics, such as fingerprints, voice, or facial characteristics. Computer-based pattern matching is at the core of all biometric systems. The technologies available are subject to varying degrees of error, which means that there is an element of uncertainty in any match.
The accuracy of biometric systems is measured by their false acceptance and false rejection rates. A false acceptance is when the wrong individual is matched to a stored biometric. A false rejection is when an individual is not recognized who should have been. The two measures are dependent. In reducing false acceptances, the false rejection rate will increase. Reducing false rejections will cause the false acceptance rate to go up. Most biometric systems adjust false acceptances or false rejections to the type of application and the amount of security required. High security areas, such as bank vaults and military installations are protected by biometric systems that minimize fraudulent acceptances. The false acceptance rate must be low enough to prevent imposters, but as a result, people who rightfully should be accepted, are often refused. In these cases, human intervention is typically available to provide authentication when the biometric system fails.
Fraud occurs when either an imposter is trying to be accepted as someone else to gain entry or usurp funds, or when an imposter is trying to avoid being recognized as someone already enrolled in the system and tries to enroll multiple times. The first is a form of identity theft, the second creates multiple identities for a single individual. Both types of fraud must be safeguarded against in any biometric system, however, depending on the application, it may be reasonable to relax one criteria to prevent the other.
There is no perfect biometric system. Each type of biometric system has its own advantages and disadvantages, and must be evaluated according to the application for which it is to be used.
Creating and Using an Identity Database
There is a distinction between Authentication, Identification and Enrollment. Authentication is the easiest task for a biometric system to perform. Identification is more difficult and much more time consuming. The enrollment process determines the ultimate accuracy of the biometric system. A single biometric system can be created for identification or authentication, but not both, although the two applications can share the same database of biometric samples.
Authentication answers the question, am I who I say I am? A person presents a biometric sample, and some additional identifying data, such as a photograph or password, which is then compared to the stored sample for that person. If the person is not an imposter, the two samples should match. This is known as a one-to-one match. If a nonmatch occurs, some systems retake up to three samples from the person to find a best match. This is the simplest task of a biometric system because the independent identifiers help to corroborate the individual. The biometric acts as a secondary password to protect the individual. Authentication of an individual takes at most a few seconds.
Identification means to answer the question, who am I? A person provides a sample biometric, sometimes without his knowledge, and the system must compare that sample to every stored record to attempt to return a match. This is known as a one-to-many match, and is done without any corroborating data. Because the matching process is based on the closeness of the new sample to a stored sample, most systems return a likely list of matches. Others return a single match if the sample is similar enough. The time for the result depends on the size of the database. The FBI's Integrated Automated Fingerprint Identification System (IAFIS), which is used to identify criminals, can perform over 100,000 comparisons per second, usually completing an identification in 15 minutes with a database of over 42 million records. If identification must be done on a wide-scale basis, the number of comparisons that will need to be done simultaneously will be astronomical. In addition, consumers might be unwilling to wait more than a few seconds to be able to use their bank ATMs or on-line service.
Negative identification is when an individual can be accepted to receive a benefit only if he is not yet enrolled in a database, such as a government-run welfare program or drivers registry. Even negative identification is susceptible to fraud. A person already enrolled in the system can avoid being recognized by attempting to falsify his biometric or skew the data collection. Rejecting imperfect images in the enrollment process, improves the integrity of the database, but cannot solve all enrollment problems.
Entering a New Person into the Database.
Enrollment is the process of introducing a new person into the database. The person's biometric must be sampled and stored together with his or her identity. The greatest problem is there is no existing guarantee as to that identity. A biometric system can only be as good as the accuracy of any background information that is relied on. If fraudulent information is used to enroll an individual, through a fake birth certificate or stolen social security number, a biometric can only verify the person is who they said they were at the time of enrollment. One important enrollment test is to match every new person against all other entries to check for duplicate entries and possible fraud. Without this check, once a person is in the database, it will be impossible to trace an imposter assuming multiple identities.
What happens if a person cannot be enrolled?
There will always be a small percentage of users who cannot enroll in biometric systems either because they are unable to produce the necessary biometric—a missing finger or eye—or they are unable to provide a quality sample at enrollment. Others repeatedly cannot match their biometric to the stored template. These individuals will never be identified by the biometric system.
Since biometrics deteriorate with age, the elderly will be particularly affected. They will constitute the largest portion of those unable to enroll or be recognized by a biometric system. There needs to be an alternative solution for those who cannot be recognized by a biometric system so that they will not be denied rightful benefits.
Relying on Biometrics as Identifiers
The Legal Aspects of Biometrics
No court has, as yet, permitted computer authentication of human identity. United States v. Mitchell was the first case to question the use of latent fingerprints as evidence to identify an individual. The Daubert standard, which is used to establish the reliability of an expert witness, requires that any method or technique must have been subjected to statistical analysis and its error rate must be known. Mitchell based his claim on the lack of objective testing for fingerprints and the actual error rate is unknown. Indeed the National Institute of Justice and the biometrics community are just now trying to establish standards for performing such testing. However, the Court ruled that fingerprints were accepted scientific methodology.
Experts in the field still contest the analysis on which the decision was based. Indeed, a subsequent case, United States v. Plaza, which relied heavily on the scientific testimony from Mitchell, initially disagreed with the Mitchell holding. However, the Court later revised its opinion saying that the FBI error rate in fingerprint matching was not "unacceptably high."
Uniqueness of biometric data is affected by time, variability and data collection.
The key to any biometric system is that the biometric being measured is unique between individuals and unchanging over time. Otherwise the stored biometric associated with an individual needs to be periodically updated. There are several factors affecting the accuracy of any identification. Biometric data collection can be affected by changes in the environment, such as positioning, lighting, shadows and background noise. But the biometrics of an individual are also susceptible to change through aging, injury and disease. Because of this, the accuracy of all biometric systems diminishes over time.
Collecting biometric data introduces errors in the data.
Any biometric sample, whether a fingerprint, voice recording, or iris scan, is not matched from the raw data. There is too much data to store and compare during each attempted match, especially if the sample needs to be transmitted to a central database for matching. Instead, biometric systems use templates. The raw data is simplified through feature extraction. Face recognition systems need the most number of features to be extracted and hand scans need the least. The extracted features are compressed further into a sample template which is then compared to a stored template to determine if there is a match. Information is lost with each level of compression making it impossible to reconstruct the original scan from the extracted points. Since even minor changes in the way a sample is collected can create a different template for a single individual, matches are based on probability. Systems are adjustable to the amount of difference they will tolerate to confirm a match. The more independent the data available for matching, the more credible the match.
Increasing the speed of biometric systems can introduce error
In extremely large populations, storage of templates is partitioned into characteristics, or bins, for ease of searching. These bins can be based on external characteristics such as gender or race, or they can be based on the biometric's internal characteristics. Traditional fingerprint identification has been based on the binning idea, with classifications based on whorls, loops and arches. Computerized systems take advantage of this concept. While binning can speed the time for identification and allows for better statistical matches within each bin, if a template is wrongly binned, it can never be found.
Types and Accuracy of Biometrics
Fingerprint scanning is the best known and most widely used Biometric.
Fingerprints are the best-known and most studied biometric. Basic fingerprint technology has been around for over a century. Technically-sophisticated fingerprint scanners are available from $300 to just over $1,000, although an entire biometric installation can cost upwards of a million dollars. The FBI's IAFIS, which has cost several hundreds of millions of dollars, is 98% accurate with a database of over 42 million sets of ten-finger prints. But fingerprint authentication systems still reject over 3% of authorized users when false acceptances are minimized. Systems currently in use by state and local governments must use at least two-finger identification schemes in order to achieve that level of accuracy for much smaller populations, usually around a few hundred thousand people.
Fingerprint patterns are created from the ridges on your fingers. The patterns, consisting of loops, whorls and arches, have been shown to be unique between people. Even on a single individual, each of the ten fingers has a different pattern. However, the ridges necessary to create the pattern age and deteriorate over time. Fingerprint templates are influenced by the pressure, position, and dryness of the finger on the scanner. Scars, calluses or cracks in the skin can change the template. While more sophisticated scanners can compensate for dirt or other contaminates, simple household cleaners can remove the ridges necessary to obtain a readable print. Even long fingernails can prevent a scanner from correctly taking a fingerprint. Still, fingerprint technology is the most cost-effective biometric available today.
Retinal scans are the most accurate, but least acceptable to the public.
Retinal scans are the most accurate. They capture the pattern of blood vessels in the eye. No two patterns are the same, even between the right and left eye, or identical twins. Nor do retinal patterns change with age. The drawback to retinal scans is that typically the data capture process is also the most invasive. This makes them the most difficult to administer, thus making any sample subject to the most errors in data collection. To get a usable sample, an individual must cooperate by keeping his head fixed and focusing on a target while an infrared beam is shown through the pupil. The reflected light is then measured and captured by a camera. Retinas are also susceptible to diseases, such as glaucoma or cataracts, which would defeat a system intended to protect the elderly.
Iris scans are accurate, less invasive, but not proven.
Iris scans are a fairly new technology that appears to be almost as accurate as retinal scans. The advantage over retinal scans is collection of the sample template is not as invasive: a video camera is used to take a picture of the iris. Cooperation of the individual is still necessary, though. The person must be within 19 to 21 inches of the camera and focused on a target in order to get a quality scan, although work has been done with inserting lenses to sharpen the sampled image. Movement, glasses and colored contact lenses can change the template created from a single individual. Eyelids and eyelashes obscure part of the surface of the iris. Since the scan is based on the size of the pupil, drugs dilating the eye could defeat an iris scan.
Iris patterns are thought to be unique. However, since the technology is fairly new, a large enough database has not yet been assembled to prove this assumption. The iris allows for the fastest comparisons against a database, checking 100,000 records of iris codes in two seconds, compared with 15 minutes for a fingerprint scan to do the same task.
Face Recognition systems are the least reliable.
Face recognition is the least reliable of the biometrics available today. Lab tests by two of the nation's biggest testing centers, the Biometrics Fusion Center in West Virginia, run by the United States Department of Defense, and the International Biometric Group, a research and consulting firm in New York, show that correct matches are produced only about 54% of the time.
Face recognition is a difficult task, usually requiring a system to isolate an image in a complex environment and then to compare it to a stored template that was sampled in a controlled environment. Face recognition relies on matching the same head position and angle, so several poses need to be collected to create a single template. Light, shadows, facial expression, weight gain, and sunglasses all affect the system's ability to produce a match, oftentimes making mistakes across gender. Even when the sample is taken in a similar controlled environment to the stored template, face recognition systems have trouble matching to images that were stored more than one year earlier. Research groups are now trying different approaches to improve face recognition systems.
Other biometrics are only accurate for smaller groups of people.
Other biometric products and research are available, with differing degrees of success: signature scanners, vein patterns, gait recognition are a few. However, most are inappropriate to identity protection. For example, hand readers are currently in use in many installations. However, because they contain the smallest dataset, and because hand geometry is neither time-invariant or unique, their effectiveness breaks down in large populations, producing too many duplicate matches. Hand readers can also be defeated by jewelry and weight gain.
Voice recognition is skewed by background noise, and whether an analog or cell phone is used. While it is impossible to fool a voice recognition system through impersonation or mimicry, it is possible to use a tape recorder to commit fraud.
Evading a Biometric System
There are several ways to try to circumvent a biometric system. False identification at enrollment, physically altering a personal biometric, skewing the sample collection by not cooperating, and hacking into or falsifying the database are all ways that biometric recognition can be compromised. Sample data could even be altered or stolen during transmission to a central database. How a biometric system is set up, protected and maintained will determine the effectiveness of the system.
One of the most often asked question is whether biometrics can be defeated by prosthetic devices. The best biometric scanners in use today detect a pulse or heat from the individual to make sure that the sample has come from a live human being.
Other Options Available to Prevent Identity Theft
Although biometric techniques provide a variety of methods to identify individuals, the best way to reduce the specific problem of identity theft is to reduce the use of the Social Security number as a record locator and personal identifier. States are now recognizing the source of the identity theft problem and have begun to enact legislation protecting use of the Social Security number. In Georgia, businesses face fines of up to $10,000 for not protecting consumer personal data. California gives consumers a right to freeze their credit report, so that no business can access it without their consent. Florida, as part of a Grand Jury Report on Identity Theft, has recently recommended that Social Security numbers be prohibited from being used as identifiers unless required by law, and that both government agencies and individuals should be held accountable for releasing personal identifying information with public records.
It is also important to recognize in the design of any system of biometric identification that the creation of a database linked to the individual and containing access to sensitive, personally identifiable information will create a new series of privacy issues. Administrators of these systems as well as those who gain access to these databases unlawfully will have access to personal information as if they were themselves the individual subject. It is conceivable that data could be altered either by administrators or by those who gain unlawful access to the database. The result would be records that wrongly indicate biometric authentication when in fact the subject did not engage in the event recorded. There are techniques to minimize these risks, but no system is foolproof.
It is also important to understand that once a biometric identifier is compromised, there will be severe consequences for the individual. It is possible to replace a credit card number or a social security numbers, but how does one replace a fingerprint, voiceprint, or retina? These questions need to be considered in the design and deployment of any system of biometric identification for a large public user base.
Biometrics identifiers will not solve the problem of identity theft facing the elderly community. Biometric systems in use now are successful because the number of people enrolled is limited. When the system fails, human administrators are available to assist in the authentication process. Creating an automated system on a national scale is beyond the capability of any of the existing technologies. Simply by merging the existing systems into a single central database would cause the reliability of those systems to be lost. Further, biometric databases are subject to new forms of abuse which may be more difficult to correct and will pose significant consequences for individuals whose biometric identifier is compromised. A less expensive approach to the problem of identity theft would be to reduce the disclosure and sale of the Social Security Number. It is the easy availability of the SSN that has contributed to the rapid growth in identity theft, particularly among the elderly, over the past decade.
Finally, we would like to draw your attention to the article on biometrics that appears in the current issue of Consumer Reports. The magazine concludes, "The nation urgently needs to tackle the complex task of regulating biometrics before vast stores of data are built." We wholeheartedly agree.
EPIC, Biometric Identifiers
EPIC, Face Recognition
EPIC, National ID Cards
Roger Clarke, Biometrics and Privacy, at http://www.anu.edu.au/people/Roger.Clarke/DV/Biometrics.html (last visited Jul. 9, 2002).
Roger Clarke, Human Identification in Information Systems: Management Challenges and Public Policy Issues, at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html (last visited Jul. 9, 2002).
James L. Wayman, Fundamentals of Biometric Authentication Technologies, U.S. National Biometric Test Center, San Jose State University (1999).
Sharath Pankani et al, On the Individuality of Fingerprints, Proc. Computer Vision and Pattern Recognition (2001), http://biometrics.cse.msu.edu/cvpr230.pdf.
Biometrics Research, Michigan State University, at http://biometrics.cse.edu (last visited Jul. 15, 2002).
Biometric Identification, San Jose State University, at http://www.engr.sjsu.edu/biometrics/ (last visited Jul. 15, 2002).
"Your body, your I.D.?" Consumer Reports 12-13 (August 2002)
Electronic Privacy Information Center (EPIC)
1718 Connecticut Ave., NW
Washington, DC 20009
+1 202 483 1140 (tel)
+1 202 483 1248 (fax)
 Erik Bowman, Everything You Need to Know About Biometrics, Identix Corporation (Jan. 2000), http://www.ibia.org/EverythingAboutBiometrics.PDF. Analysis of Social Security Number Misuse Allegations Made to the Social Security Administration's Fraud Hotline, Management Advisory Report, SSA (Aug. 1999). Identity Theft Complaint Data, Identity Theft Data Clearinghouse, Federal Trade Commission (2001). Statewide Grand Jury Report: Identity Theft in Florida, Case No. SC 01-1095 (Jan. 10, 2002). Id. What Could Biometrics Have Done?, at http://www.biometricgroup.com/e/Brief.htm (last visited Jul. 15, 2002). United States v. Mitchell, 199 F. Supp. 2d 262 (E.D. Pa. 2002). Daubert v. Merrell Dow Pharmaceuticals, 113 S.Ct. 2786 (1993). United States v. Plaza, 179 F. Supp. 2d 492 (E.D. Pa. 2002).
 United States v. Plaza, 188 F. Supp. 2d 549 (E.D. Pa. 2002).
 James L. Wayman, Generalized Biometric Identification System Model, U.S. National Biometric Test Center, Proc. 31st IEEE Asilomar Conf. Signals, Systems and Computing (1997), http://www.engr.sjsu.edu/biometrics/nbtccw.pdf.
 James L. Wayman, Large-Scale Civilian Biometric Systems, U.S. National Biometric Test Center, Proc. CardTech/SecurTech Government (1997), http://www.engr.sjsu.edu/biometrics/nbtccw.pdf.
 Congressional Statement, 2000 - Crime Regarding HR 3410 and Name Check Efficacy , athttp://www.fbi.gov/congress/congress00/loesch.htm (last visited Jul. 9, 2002).
 Bowman, supra note 1.
 See Wayman, supra note 9.
 Bowman, supra note 1.
 John Daugman, How Iris Recognition Works, University of Cambridge, at http://www.cl.cam.ac.uk/users/jgd1000/ (last visited Jul. 9, 2002).
 See P. Jonathon Phillips et al, An Introduction to Evaluating Biometric Systems, Computer (2000), http://www.dodcounterdrug.com/facialrecognition/DLs/Feret7.pdf.
 William A. Barrett, A Survey of Face Recognition Algorithms and Testing Results, U.S. National Biometric Test Center, at http://www.engr.sjsu.edu/biometrics/nbtccw.pdf (last visited Jul. 15, 2002).