TYLER HAMILTON
Smoke and mirrors security fails
Tue Sep 2 17:34:51 2003
64.140.158.45

Smoke and mirrors security fails
TYLER HAMILTON

The federal government has officially begun treating every citizen
like a criminal.

No longer can we smile when we get our pictures taken for passport
photos. All expressions must be neutral or, from now on, your photo
will be rejected.

Sounds like a mug shot to me. You know, the kind of photo that's
taken at the police station when a person is being booked and
fingerprinted for a crime.

And fighting crime is exactly why the new passport photo rules are in
effect. The federal passport office is in the midst of a trial to
test facial-recognition technology. Flashing an awkward smile or an
exaggerated expression could be all it takes to confuse such a high-
tech (and obviously fragile) system.

In essence, the government wants to create a massive database
containing digital photos of all Canadians. That database can be used
to find duplicate photos in the system — perhaps errors, or people
who have more than one passport under different names. The idea here
is to crack down on fraud and deception, and this is a good idea.

Theoretically, that database can also be used to battle terrorism by
comparing passport applicants with terrorist watch lists. That's
where the mug-shot requirement comes into play, since the less
expressive the photo, the more effective the software.

There's no reason to believe the use of these systems won't be
limited to passport offices. The next step will be spending hundreds
of millions of dollars to equip border checkpoints and airport
customs with the technology. This is not a good idea.

South of the border, U.S. Congress has already set Oct. 26, 2004, as
the deadline by which U.S. and foreign passports should be upgraded
to include a biometric identification — a photo, fingerprint or both.
The total cost of issuing new passports and deploying the appropriate
biometric scanning and analysis software is pegged at billions of
dollars.

In the meantime, Denis Coderre, minister of Citizenship and
Immigration, is planning a forum next month dedicated to arguing the
pros and cons of a national biometric identity card.

Such a card would likely cost Canadian taxpayers billions of dollars.

It's no secret that the minister is keen on assigning each and every
one of us an I.D. card that would include our digital fingerprint or
iris pattern and that we'd need to carry everywhere we go. Going to
the beach? Better carry that card with you. Running to the store to
get some milk? Don't forget your I.D. card. Stopped on the way to a
friend's Grey Cup party? Oops! Sorry officer, I left my card at my
parents' house.

To back his grand vision, Coderre had a poll conducted that showed 7
out of every 10 Canadians support the idea and would give up privacy
rights in favour of being more secure. Yes, I'd also give up my left
arm if it meant saving the rest of my body, and yes, polls can be
easily manipulated depending on the types of questions asked.

The big assumption in this poll is that a national I.D. card would
bring added security, which Coderre has failed to prove, let alone
address.

What's interesting is that Coderre is promoting this invitation-only
forum, held at the ritzy Chateau Laurier, as a neutral meeting place
for balanced debate. It appears to be shaping up as anything but. The
opening keynote speaker will be Alan Dershowitz, a Harvard law
professor who has championed the use of biometric security since the
Sept. 11 terrorist attacks.

The government didn't put out a call for presentations. It actively
sought out Dershowitz and his American perspective, and is agreeing
to pay more than $36,000 in taxpayer's money for what I expect to be
pro-biometric views.

Stephanie Perrin, a known privacy advocate in Canada and former
director of privacy policy for Industry Canada's electronic commerce
task force, put together a competing proposal. She offered up four
well-known academic and industry speakers from around the world, at
half the cost, but the government, intent on getting Dershowitz's
message out, rejected the offer.


----------------------------------------------------------------------
Huge sums of moneyare being spent on
unproven security initiatives
----------------------------------------------------------------------

The other keynote speaker is Dr. Colin Soutar, the chief technology
officer of Toronto-based Bioscrypt Inc., a company that has every
reason to promote the benefits of biometric technology.

"The government is trying to look for a reason to go with an I.D.
card, but at the same time, they already appear to be committed to
it," said one industry expert invited to the event. He asked that his
name be withheld.

So what's going on here?

Security expert Bruce Schneier likes to call it "security theatre."

"Elected government officials are concerned about re-election and
need to be seen by the public as doing something to improve
security," wrote Schneier in Beyond Fear: Thinking Sensibly About
Security In An Uncertain World, which was released this week.

"One of the goals of a security countermeasure is to provide people
with a feeling of security in addition to the reality. But some
countermeasures provide the feeling of security instead of the
reality. ... They're palliative at best."

He points to the decision by airlines to confiscate tweezers and nail
files at airports after Sept. 11. It doesn't cost much, which the
airlines love, and it makes it seem like the government is taking
action. Of course, they don't confiscate matches and cigarette
lighters — the tobacco lobby wouldn't allow that.

Tamper-proof packaging, which gained momentum after the tainted
Tylenol scare, isn't tamper-proof at all. But it comforts us, right?

And that's the government's main goal, to comfort us — even if we're
getting a false sense of security. Pushing it toward that goal are
external pressures coming from a number of directions. You've got
companies that make biometric technologies beating the drum, fanning
the fears of terrorism and claiming their product can be a silver
bullet? Again, a government desperate to do something likes to hear
the words "silver bullet."

Another pressure — and a huge one it is — wears stars and stripes,
and each star comes with its own elected officials performing their
own security theatre. They want action. They see Canada as a haven
for terrorists and thus a point of vulnerability for the United
States. They're pressuring our people to take action, or else.

What's most alarming about the move toward biometrics — either in a
national I.D. card or as a facial-recognition system in an airport —
is that huge sums of money are being spent on so-called security
initiatives that haven't demonstrated an ounce of added security.

Schneier writes that the use of facial-recognition software or
national I.D. cards to protect citizens and identity terrorists
simply won't work.

Assuming facial-recognition systems are 99.9 per cent accurate, which
is highly optimistic, Schneier says there is 1 chance in 1,000 that
the software fails to catch a terrorist and 1 chance in 1,000 that
the software falsely identifies somebody as a terrorist.

Based on a percentage of population, it means 30,000 Canadians and
130,000 Americans could be falsely accused of being a terrorist.

That's still a lot of false alarms, and as we've learned with car
alarms and shoplifting alarms in stores, regular false alarms mean
people — the public and those employed where these systems are used —
eventually lose interest and stop becoming enforcers.

And, as Schneier points out, "The system presumes a photo database of
terrorists.


----------------------------------------------------------------------
You've got firms that make biometric technology beating the
drum, fanning the fears
----------------------------------------------------------------------

"It seems unlikely that terrorists will pose for crisp, clear
photographs. More likely, the photos in the database are grainy ones
taken from 1,000 yards five years ago when the individuals looked
different. We have to assume that terrorists will disguise themselves
with beards, hats, glasses and plastic surgery to make recognition
harder," Schneier says.

"Automatic face-recognition systems fail miserably under these
conditions."

Not surprising, then, that police in Tampa, Florida, pulled the plug
last month on a facial-recognition system that didn't produce any
arrests after two years.

Canadian politicians should take notice of that dud.

Ditto with respect to national I.D. cards. Schneier says national
databases, simply because of their size and complexity, are prone to
failure.

It's difficult to keep information up to date, software bugs are
common and large databases are open to internal abuse and tampering.

If it's costing more than $1 billion just to have a national gun
registry, imagine what a national I.D. card system might cost?

Also important is whether we can maintain adequate enforcement of
such a system, as well as prevent forgeries of I.D. cards.

"There hasn't been a card created yet that can't be forged," writes
Schneier, who adds that "human nature dictates that those verifying
the card won't do a very good job.

"How often does a bartender — or an airport screener, for that matter
— fail to look at the picture on an I.D., or a shopkeeper not bother
checking the signature on a credit card?"

All good questions, which politicians like Coderre should be asking.

Until these questions are posed, and until reasoned, balanced answers
are provided, the federal government's security efforts to date
amount to nothing more than security theatre.

And it's shaping up to be an expensive show.


--------------------------------------------------------------
Tyler Hamilton writes about
technology and the Internet

Mondays in @Biz. Reach him

at thamilt@thestar.ca

Additional articles by Tyler Hamilton

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout
/Article_Type1&c=Article&cid=1062367811083&call_pageid=968350072197&co
l=969048863851

Airport anti-terror systems flub tests USA Today - 5 hours ago ...
Last year, two separate face-recognition systems at Boston's Logan
Airport failed 96 times to detect volunteers who played potential
terrorists as they passed ...

http://www.usatoday.com/travel/news/2003/09/02-air-secur.htm



Scanning faces still has blemishes
Los Angeles Daily News, CA - 11 hours ago
... But the report also stressed that face-recognition systems are
getting worse at identifying people on watch lists as the pool of
wanted suspects grows. ...

Tampa cops send face recognition software packing
The Register, UK - Aug 20, 2003
... purpose," a spokesman told the Palm Beach Post.The Post adds that
face recognition ... better than the 50 per cent or less reliability
attached to earlier systems. ...

US pushes forward with biometric visas and passports

Biometric technology that scans faces, fingerprints or other physical
characteristics to confirm people's identities is about to get its
biggest, most public test: at US border checkpoints. Yet significant
questions loom about whether the US and foreign governments can meet
an Oct 26, 2004, deadline set by Congress for upgrading passports and
visas to include biometrics.

"This is the mother of all projects - there's no question about it,"
said Joseph Atick, chief of Identix, a maker of biometric systems.

US pushes forward with biometric visas and passports

http://technology.nzoom.com/technology_detail/0,1608,216332-113-380,00.html