Database Nation (Paperback)
The Death of Privacy in the 21st Century
By Simson Garfinkel
Softcover Edition January 2001
0-596-00105-3, Order Number: 1053
336 pages, $16.95
Confronted with database discrepancies, identity theft, illegal immigration, and unsolved crimes, many policymakers have put their faith in the technological promise of biometric identification. These technologies, their boosters say, will ultimately usher in a regime of absolute identification in which each individual can be precisely known by the unique characteristics of that person's body.
Absolute identification is a policy goal that is within our grasp. Indeed, a growing number of scientists, engineers, and politicians now see identification of human bodies not as a technical problem, but rather as a political one. If society has the will, they argue, we could uniquely register every person in the United States, Europe, Asia, and possibly the entire planet. We could then routinely identify individuals at banks, at school, at work, and on the road. Absolute identification could eliminate mismatched computer records, stolen identities, and the ambiguity that comes with the messiness of day-to-day life. By replacing anonymity with absolute identity, we would create a society in which each person could be absolutely granted the privileges that come with his or her station in life, and each person could be held uniquely and absolutely accountable for his or her own actions.
Absolute identification is a seductive idea. It's a pity that it is also fundamentally flawed. To understand why, you need to understand the technology and its shortcomings.
On the Identification of Infants
Three thousand years ago, two women in Jerusalem came before King Solomon. Both women had recently given birth to a child. Now one child was dead, and both women claimed the remaining child as their own. Solomon needed to identify the child and assign it to its rightful mother.
Today, Solomon's dilemma would be easy to solve. Unless the women were identical twins, they would have different genetic makeups. By testing blood from both adults and the child, the baby's true mother could be easily determined. Indeed, such genetic tests are routinely performed in the modern world to determine the paternity of children in child support cases.
But Solomon didn't have modern biology at his disposal. So Solomon called for his sword. Since the women could not decide between themselves, he said, the child would be divided in half. Solomon knew that the baby's true mother would rather yield custody than see her child killed. And moments later, when one of the women hastily gave up the baby, Solomon knew that the other woman was the liar.
Twenty-five hundred years later, the explorer João de Barros wrote about a different way to identify young children. In his book Décadas da Ásia, published in 1563, de Barros described how Chinese merchants identified young children by stamping their palm prints and footprints on paper with ink. These weren't just any pieces of paper, of course: they were deeds of sale. Once recorded in this way, there could be no chance of mistaking one child for another, which is quite important when human beings are being bought or sold.
Had Solomon wanted to, he could have instituted a similar system for registering the prints of every Israelite child at birth. Ancient Israel certainly had the necessary technology--parchment and ink--to carry out such a project. Ancient Israelites also knew that fingerprints were unique: in recent years, archeologists digging in Israel have discovered caches of clay pottery in which a thumbprint is clearly visible on each piece. Presumably, the potter had used his thumbprint as his own personal mark. But the idea of a national identification system never would have occurred to Solomon or any of his courtiers, because identification of adults was generally not a problem until the modern age.
Literature is filled with stories of mistaken identification: consider Mark Twain's The Prince and the Pauper, the stories of the Doppelgänger, and many Shakespearean plays. These stories appealed to our ancestors precisely because swapped or mistaken identities were not the stuff of everyday life. Before the Industrial Revolution, the world had no real need for a formal system of strong identification. In Europe, there wasn't even a need for last names until the Middle Ages! Most people were born in a place and lived there all their lives. People knew who you were. Outsiders were clearly identifiable.
A constellation of events in the late nineteenth century forced governments to find better ways to identify the people within their borders. The first was the rise of the modern city, in which people routinely carried out their day-to-day business with strangers. In the city, citizens needed a way of identifying each other so they could avoid being cheated: identity promotes accountability. The second event was the improved ease of travel, which created waves of immigrants seeking new homes. In short order, xenophobic lawmakers throughout Europe and the United States passed strict immigration laws to keep out the newly mobile foreigners. This, in turn, created a need for strong identification systems to let officials distinguish citizens from noncitizens. The third reason for strong identification was the nouveau concept of criminal rehabilitation--the idea that people who committed a crime could be rehabilitated and set on a new path, rather than simply put to death or exiled. Some sort of identification system was required to distinguish a first-time pickpocket from a habitual offender.
It was the problem of identifying convicted criminals that caught the attention of Alphonse Bertillion (1853-1914), a Parisian anthropologist. How do you identify a pickpocket who has been caught for the fourth time, if each time the crook is arrested he gives a different name? How is it possible to establish the continuity of identity without the cooperation of the individual?
Bertillion realized that even if names changed, even if a person cut his hair or put on weight, certain elements of the body remained fixed. He created a system called anthropometrical signalment for measuring these bodily invariants. The system was remarkably straightforward:
- When a person was arrested for a crime, Bertillion would have one of his assistants make careful measurements of the suspect's head, arms, feet, and ears. Also recorded were distinguishing scars, marks, and other unique bodily information. These measurements and the person's name were then recorded on an index card and stored at the central police station.
- Instead of arranging the cards by the arrested person's name, as others might have done, Bertillion placed them in files that were indexed by the measurements themselves. All of the men with heads that were longer than average were placed in one set of files, average in a second, and less than average in a third. Each of these files was then divided in threes according to the length of the arrested person's middle finger. The process was repeated for each of the six measurements that Bertillion recorded. The result was 3 × 3 × 3 × 3 × 3 × 3 = 729 different groups of cards.
- When an officer went to file a criminal's card, he would systematically check through the other cards for which the six signalment quantities were similar. If he found a card that was an exact match, the officer would know that the person had been previously arrested. By looking at the name on the older card, the officer could tell if the criminal had given the same name both times, or different ones.
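The filing scheme above is a bucketed index, and it is easier to see its strengths and its one weakness in code. What follows is an added illustration written for this edition, not code from the book: the six measurement names, the below/average/above cut-offs, the two-millimetre tolerance and the three sample suspects are all constructed.

```python
"""Card-index model of Bertillion's anthropometrical signalment.

Added illustration, not the book's code. The measurement names, the cut-offs,
the tolerance and the sample suspects are constructed for the example.
"""
from collections import defaultdict

# Six bodily invariants recorded on each card (millimetres; names constructed).
MEASUREMENTS = ("head_length", "head_width", "middle_finger", "foot", "forearm", "ear")

# (low, high) cut-offs splitting each measurement into below-average / average /
# above-average drawers. The values are invented for the example.
BINS = {
    "head_length":   (185.0, 195.0),
    "head_width":    (150.0, 158.0),
    "middle_finger": (110.0, 118.0),
    "foot":          (255.0, 268.0),
    "forearm":       (440.0, 460.0),
    "ear":           (60.0, 66.0),
}

# Two officers measuring the same man rarely agree to the millimetre, so the
# filing clerk treats measurements within this distance as "similar".
TOLERANCE_MM = 2.0


def bin_of(name, value):
    """0 = below average, 1 = average, 2 = above average for one measurement."""
    low, high = BINS[name]
    if value < low:
        return 0
    if value > high:
        return 2
    return 1


def drawer_key(card):
    """The six bins label the drawer; 3 ** 6 == 729 drawers are possible."""
    return tuple(bin_of(name, card[name]) for name in MEASUREMENTS)


class SignalmentFile:
    """Cards indexed by the measurements rather than by the name the suspect gave."""

    def __init__(self):
        self.drawers = defaultdict(list)

    def similar_cards(self, card):
        """Cards in the same drawer whose six measurements all lie within tolerance."""
        return [
            other for other in self.drawers[drawer_key(card)]
            if all(abs(other[m] - card[m]) <= TOLERANCE_MM for m in MEASUREMENTS)
        ]

    def file_card(self, card):
        """File a new card; return the names written on earlier matching cards.

        A non-empty result means this body was measured before, and comparing
        the names tells the officer whether the suspect has used an alias.
        """
        earlier = self.similar_cards(card)
        self.drawers[drawer_key(card)].append(card)
        return [other["name"] for other in earlier]


def measure(name, **mm):
    """Build a card from keyword measurements (constructed sample data)."""
    card = {"name": name}
    card.update(mm)
    return card


# Constructed example: one pickpocket arrested twice under different names, the
# second officer's measurements off by up to a millimetre; then an unrelated man.
FIRST_ARREST = measure("Jean Dupont", head_length=190.0, head_width=152.0,
                       middle_finger=114.0, foot=260.0, forearm=452.0, ear=63.0)
SECOND_ARREST = measure("Pierre Martin", head_length=191.0, head_width=152.5,
                        middle_finger=113.0, foot=260.5, forearm=451.0, ear=63.0)
STRANGER = measure("Louis Bernard", head_length=190.0, head_width=152.0,
                   middle_finger=114.0, foot=260.0, forearm=452.0, ear=58.0)


def demo():
    """Aliases discovered as each card is filed, in filing order."""
    central = SignalmentFile()
    return [central.file_card(c) for c in (FIRST_ARREST, SECOND_ARREST, STRANGER)]


if __name__ == "__main__":
    print(demo())
```

Filing the second card returns the name from the first, which is exactly the alias detection the text describes. The model also exposes the scheme's boundary problem: a body measured one millimetre either side of a cut-off files into two different drawers, and a clerk who searches only one drawer misses the match.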
Bertillion's system was a criminological breakthrough. A person could be arrested in 1881 and have his signalment recorded by one police officer. Three years later, after that police officer had left the force, the criminal could be rearrested, have his signalment rerecorded by a second officer, and have the match discovered as a matter of routine when the second card was filed. Bertillion had created a system for identifying people from records, whereas in the past such identifications could be performed only by using the eyesight of trained human beings.
Bertillion spent six years refining his system, then published a 95-page pamphlet for the 1879 International Prison Congress in Rome. Over the next decade, he oversaw the signalment of more than 120,000 criminals in Paris.
Today, much of Bertillion's work seems primitive and tinged by racism. (Bertillion was most impressed that his system could be used to distinguish one Gypsy from another, since few Frenchmen, apparently, had this ability.) But it worked. In the decade following December 1882, when the system was formally adopted, Parisian police used anthropometrical signalment to identify 4,564 individuals who had given the police false names. Bertillion made it possible for French judges to impose stiffer sentences on repeat offenders. Within a few years, various crime rates in Paris started to drop. Bertillion asserted that this was because the pickpockets were moving to places where they would have less chance of being identified.
By 1896, the Bertillion system had been adopted by 20 prisons and seven police departments in the United States alone. But boosters realized that the real potential of anthropometrical signalment wasn't merely identifying criminals. In the American edition of Bertillion's book, Major R. W. McClaughry, Warden of the Illinois State Penitentiary, clearly articulated the ultimate goal of any strong identification system: the identification of the entire populace. McClaughry imagined it as a strong tool for social control:
According to the theory of the system, and in order for society to reap its full benefit, every human being should be partially signalized (especially by that part of the descriptive signalment relating to the ear) at the age of ten years, and completely so at the age of maturity; and every country should have a national signaletic office where all the signalments of its inhabitants should be filed. The process of signalment would take the place of passports at every national frontier, and signalments would appear on all life insurance policies, permits and other papers whose value depends upon the establishment of personal identity. It would then be possible to find any person at once whenever desired, whether for his own good or that of society at large, in whatever place he might be and however he might alter his appearance or his name. Crime could thus be rooted out, elections purified, immigration laws effectively enforced, innumerable misunderstandings and much injustice prevented and all business relations greatly facilitated.
A century later, American lawmakers are still looking for a strong identification system to enforce immigration laws, eliminate consumer fraud, and identify the dead. Of course, we're not measuring each other's ears and middle fingers. But Bertillion's basic ideas carry forth in today's biometric and DNA-based identification systems, both of which extend the promise of allowing the authorities to find any person at once, whenever desired, for any purpose, and wherever they may happen to be.
The Science of Fingerprints
Two black brothers, identical twins, are accused of a grisly murder in Missouri. The weapon is a bloody knife found at the scene of the crime. At the trial, the defense lawyer shows the jury that the murderer's fingers have each left their own characteristic prints on the weapon, and those prints match not the twins, but another person in the courtroom. The court is stunned: clearly, the wrong people are on trial!
The story is Mark Twain's Pudd'nhead Wilson, first published in 1893 by Century Magazine. Wilson's address to the jury gave many Americans their first introduction to the science of fingerprints:
Every human being carries with him from his cradle to his grave certain physical marks which do not change their character, and by which he can always be identified--and that without shade or doubt or question. These marks are his signature, his physiological autograph, so to speak, and this autograph cannot be counterfeited, nor can he disguise it or hide it away, nor can it become illegible by the wear and mutations of time.
Our understanding of fingerprints has changed little to this day. Determined by a combination of genetics and random processes inside the womb, fingerprints are fixed by birth and remain fixed for life. The marks truly are a unique signature: there is so much room for variation that no two people ever have shared, or ever will share, the same pattern.
Perhaps most importantly, fingerprints are permanent. I learned this firsthand when I took a chemistry course at Bryn Mawr College. I was performing a series of experiments with anhydrous acetic acid. After a few weeks, I noticed that the tips of my fingers had become smooth; the acid had actually etched away my fingerprints. But within a month after finishing the experiments, my fingerprints were back, exactly as they had been before and no worse for their absence.
The reason for this permanence is that the fingerprint pattern is determined by the very bottom layers of the epidermis. The only way to change an individual's fingerprints is to remove the skin entirely and replace it with new skin from elsewhere on the body. This painful and disfiguring operation was employed by a few gangsters in the 1930s, but hasn't found much use since.
Despite the fact that humans have long known that each person's fingerprints are unique, it wasn't until the late nineteenth century that scientists turned their attention to the possibility of using fingerprints for identification. Henry Faulds (1843-1930) published a letter in an 1880 edition of the scientific journal Nature. In his letter, Faulds noted that he occasionally left fingerprints on objects and conjectured that a criminal might leave similar monographs in oil at the scene of a crime. Should a suspect be apprehended, Faulds reasoned, it should be possible to compare that suspect's fingerprints with the prints left behind and see if they matched.
The value of fingerprints for crime-fighting, then, wasn't just that they were unique, but that they were left behind. And unlike Bertillion's system, it wasn't necessary to measure the fingerprints of an entire populace in order to make use of the system: you could simply compare latent prints with the prints of a suspect.
W. J. Herschel, an English official stationed in India, saw Faulds's letter and wrote to Nature that he had been using a similar crime-fighting technique for nearly 20 years. But whereas Faulds had thought that fingerprints would be useful only for establishing the identity of criminals, Herschel envisioned a much grander scheme of using fingerprints as a general-purpose system to establish identity and prevent impersonations. (Clearly, racism was operating here as well: Herschel, charged with maintaining order in a colony, couldn't tell the people apart without fingerprinting them.) Five years later, a photographer in San Francisco named Tabor noticed his own fingerprint made by an inky hand on a piece of paper. After carrying out some experiments, he suggested that fingerprints could be used as a means of registering Chinese immigrants, who presumably all looked the same to the people who were running San Francisco at the time. A similar proposal was made in 1885 in Cincinnati for putting fingerprints on railroad tickets.
The Rise of the Identification State
Both Bertillion and Herschel realized that identification technology had two uses in a modern society. On the one hand, identification technology is clearly useful for law enforcement. Using a universal fingerprint registry, you could simply take a latent print from a crime scene, search for a match in the registry, and know who had left the print behind. This same registry might have many positive social uses, such as protecting individuals from fraud and identifying the deceased.
Law enforcement agencies have long advocated the creation of such a registry. And until the 1980s, they were always met with sizable opposition. The only question is, why? Proponents of the infallibility of fingerprinting are continually baffled by public opposition to their plans for mass registration. For example, in the book Finger Prints, Palms and Soles, published in 1943 at the height of World War II, the authors, Harold Cummins and Charles Midlo, wrote:
It is apparent that the day is soon coming when there will be no longer a significant objection to finger-printing. The feeling against it is on the wane, though there are still some who regard finger-printing as a stigma because they associate it with police records of criminals. It is not too much to hope that universal registration of prints will be eventually realized. Objections can be based only on misconceptions, namely that the method is tainted by its criminal application and that compulsory registration would violate principles of liberty.
Why does the public fear mass registration? Perhaps because we know that fingerprints are not foolproof and that a registry, once created, could be misused. Here are some examples to ponder:
- Fingerprint identification is done by humans, and humans make mistakes.
- There is a risk that a person's fingerprint might have a legitimate reason for being at a crime scene. The presence of an identifiable fingerprint creates a presumption of guilt.
- A fingerprint might have been swapped, accidentally or intentionally, in a police laboratory.
- The fingerprint files maintained by the police might be surreptitiously modified, in order to frame an innocent person.
- A report from a fingerprint expert might be swapped or intentionally changed.
The more trust we place in an identification technology, the more rewarding fraud becomes. And the possibility of intentional fraud can never be eliminated. That's because fingerprints do not really identify a person: they merely link a particular finger to a record in a file. Change the file, and you change the identification.
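If the identification lives in the link between a finger and a record, then the defence is to make that link tamper-evident, so that a modified file or a swapped report is detected rather than trusted. The following is an added illustration, not code from the book: it seals each record with a keyed hash (HMAC-SHA256 from the Python standard library) and audits the file against the seals. The record contents and the key are constructed; the essential assumption, stated in the comments, is that the sealing key is held by a party other than whoever can edit the file, since a seal the editor can recompute proves nothing.

```python
"""Tamper-evident binding between a fingerprint template and the name on its record.

Added illustration, not the book's code. The seal is an HMAC; the key must
belong to an office separate from the people who maintain the file (an audit
authority, say), otherwise whoever edits a record can also re-seal it.
"""
import hashlib
import hmac
import json


def canonical(record):
    """Stable byte encoding so the same record always seals to the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Tag covering the record id, the template and the name together."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, key):
    return hmac.compare_digest(seal(record, key), tag)


def build_file(records, key):
    """File layout: {record id: (record, tag)}; the id is inside the sealed record,
    so moving a record or a tag to another id is caught as well as editing."""
    return {r["id"]: (r, seal(r, key)) for r in records}


def audit(file_, key):
    """Ids of records whose contents no longer match their tag."""
    return sorted(rid for rid, (rec, tag) in file_.items() if not verify(rec, tag, key))


# Constructed key and records; the "template" stands in for a stored minutiae set.
AUDIT_KEY = b"constructed-audit-key-not-for-real-use"


def sample_file():
    records = [
        {"id": "P-1001", "name": "A. Example",
         "template": hashlib.sha256(b"constructed-minutiae-1").hexdigest()},
        {"id": "P-1002", "name": "B. Example",
         "template": hashlib.sha256(b"constructed-minutiae-2").hexdigest()},
    ]
    return build_file(records, AUDIT_KEY)


def edit_name(file_, rid, new_name):
    """Simulate an edit to the name on one card made without the audit key."""
    rec, tag = file_[rid]
    file_[rid] = (dict(rec, name=new_name), tag)


def swap_tags(file_, a, b):
    """Simulate the tags of two cards being exchanged."""
    rec_a, tag_a = file_[a]
    rec_b, tag_b = file_[b]
    file_[a] = (rec_a, tag_b)
    file_[b] = (rec_b, tag_a)


if __name__ == "__main__":
    f = sample_file()
    print(audit(f, AUDIT_KEY))        # clean file: []
    edit_name(f, "P-1001", "C. Other")
    print(audit(f, AUDIT_KEY))        # the edited card is flagged
```

The seal does not make the original enrolment truthful, and it does nothing about a wrong link recorded at the outset; what it buys is that any later change to name, template or their pairing is visible to an auditor who holds the key.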
The other side of the fingerprint coin is that strong identification systems are frequently used as a tool by oppressive or totalitarian societies. The people running these societies remain in power, in part, because the people who oppose the society are identified and subjected to increasing degrees of threats and punishment until they either accept the social order or are killed. The pass system in apartheid South Africa and the identification cards issued to Palestinians under Israeli occupation are both examples of such identification systems. Nondemocratic regimes require good identification systems: punishing the wrong people can create more enemies and, perhaps more importantly, can allow the real troublemakers to go free.
The United States never embarked on a mandatory fingerprint registration program. Instead, states and the federal government built their fingerprint files by fingerprinting people who were arrested and those who applied for particular jobs. These prints were recorded on a so-called "ten-print card"--one print for each finger. The cards were then classified by an expert and stored in a file cabinet. Sometimes police departments would create two cards: one for local use, and one that was sent to the FBI.
As the twentieth century progressed, the push for mandatory fingerprint registration began to ebb. The reason had to do with a fundamental contradiction inherent in the whole identification project: the larger the fingerprint files became, the harder it was to identify somebody from their fingerprints alone.
By 1987, the FBI had 23 million criminal fingerprint cards on file; the state of California alone had 7.5 million. Realistically, this size made the files unusable for anything other than identity confirmation: given a name, an investigator could look up a fingerprint card and see if the prints matched. But for practical purposes, it was all but impossible to take a set of prints, cold, and determine a person's name. Fingerprint files had grown so large that they were no longer usable for their intended purpose! In the mid-1980s, for example, a crime scene investigator in San Francisco estimated that if he worked eight hours a day, seven days a week, it would take him 33 years to conduct a manual search of the city's 300,000 fingerprint cards.
Clearly, though, fingerprinting systems are still in use. This is due in large part to the Automated Fingerprint Identification System, also known as AFIS. AFIS completely changed the role of fingerprints in the 1980s. The systems combined relatively simple computer graphics, special-purpose algorithms for analyzing and matching fingerprint images, and parallel processing computers to create spectacularly effective forensic results.
Computers don't match fingerprints the way human beings do. Instead of looking at the patterns of arches, loops, and whorls, AFIS systems reduce the fingerprint image to a table of two-dimensional vectors. Called minutiae, these vectors correspond to the places on a fingerprint where a ridge begins, ends, or splits from one ridge into two. Each minutia has an exact (x,y) position within the fingerprint, as well as a direction in which it points.
A typical fingerprint has 90 or more minutiae; taken together, these points create a series of relationships that is absolutely unique. The typical AFIS search compares the set of minutiae points for a person's ten fingers, or roughly 900 points, against all of the other records stored in the database. The search is performed by a special-purpose computer called a matcher. In 1987, a typical matcher could search a candidate print against the database at a rate of 500 to 600 prints per second. (Today's matchers are roughly ten times faster.) Thus, a single database of a million prints could be searched in a little over 30 minutes. To speed the search, a police department could simply add a second matcher. The two units would operate in parallel, each scanning through half of the database and completing the task in 15 minutes. Actual systems might have five or ten matchers, reducing a typical search to minutes.
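The minutiae representation and the matcher arithmetic above can be shown in miniature. The block below is an added illustration, not code from the book or from any AFIS vendor: it compares two prints by pairing minutiae of the same kind that lie within a position and direction tolerance, ranks a small constructed database against a partial latent, and computes the search times the text quotes from a rate of 550 prints per second. Real matchers first align the two prints for rotation and translation and use far richer scoring; here the prints are assumed to be already registered to the same frame, and the minutiae, tolerances and minimum-pair rule are all constructed.

```python
"""Minutiae comparison and matcher throughput, in miniature.

Added illustration, not the book's code nor any vendor's AFIS. Prints are
assumed already aligned; the minutiae, tolerances, min_pairs rule and the
database are constructed for the example.
"""
import math


def minutia(x, y, theta, kind):
    """A minutia: position, ridge direction in degrees, and kind ("end" or "bif")."""
    return (float(x), float(y), float(theta) % 360.0, kind)


def angle_diff(a, b):
    """Smallest difference between two directions on a 360-degree circle."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def paired_minutiae(probe, candidate, dist_tol=8.0, angle_tol=20.0):
    """Count one-to-one pairs of the same kind within position and direction tolerance."""
    used = set()
    pairs = 0
    for px, py, pt, pk in probe:
        best, best_d = None, None
        for i, (cx, cy, ct, ck) in enumerate(candidate):
            if i in used or pk != ck:
                continue
            d = math.hypot(px - cx, py - cy)
            if d <= dist_tol and angle_diff(pt, ct) <= angle_tol and (best_d is None or d < best_d):
                best, best_d = i, d
        if best is not None:
            used.add(best)
            pairs += 1
    return pairs


def search(probe, database, threshold=0.6, min_pairs=4):
    """Rank records by the fraction of the smaller print's minutiae that paired.

    A latent fragment scores only against the region it covers, so the
    fraction alone would let a two-minutia smudge "match" perfectly; the
    min_pairs floor (a constructed value, not a standard) guards against that.
    """
    results = []
    for rid, record in database.items():
        pairs = paired_minutiae(probe, record)
        score = pairs / min(len(probe), len(record)) if probe and record else 0.0
        if pairs >= min_pairs and score >= threshold:
            results.append((round(score, 3), pairs, rid))
    results.sort(reverse=True)
    return results


def search_minutes(db_size, prints_per_second=550, matchers=1):
    """Wall-clock minutes for a cold search, the database split evenly across matchers."""
    return db_size / (prints_per_second * matchers) / 60.0


# Constructed data: a filed impression of one finger, a second rolling of the
# same finger with a little noise, an unrelated finger, and a partial latent.
FILE_PRINT = [minutia(10, 10, 30, "end"), minutia(40, 12, 95, "bif"),
              minutia(25, 50, 180, "end"), minutia(60, 60, 270, "bif"),
              minutia(80, 20, 45, "end"), minutia(15, 80, 300, "bif")]
SAME_FINGER = [minutia(x + 2, y + 1, t + 5, k) for x, y, t, k in FILE_PRINT]
OTHER_FINGER = [minutia(50, 10, 10, "end"), minutia(10, 40, 200, "bif"),
                minutia(70, 70, 90, "end"), minutia(30, 30, 0, "bif"),
                minutia(90, 90, 180, "end"), minutia(5, 5, 260, "bif")]
LATENT = FILE_PRINT[:4]
DATABASE = {"card-0001": SAME_FINGER, "card-0002": OTHER_FINGER}


if __name__ == "__main__":
    print(search(LATENT, DATABASE))
    for n in (1, 2, 10):
        print(n, "matcher(s):", round(search_minutes(1_000_000, matchers=n), 1), "minutes")
```

With one matcher the million-print search takes a little over 30 minutes and with two about 15, as the text says; the interesting security property is in `search`: a partial latent legitimately scores 1.0 against the region it covers, which is why a real system must demand an absolute number of paired minutiae and not only a ratio.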
AFIS systems made it possible for police to search latent prints against the entire database. The systems could even conduct partial print searches, where only a part of a print is found at a crime scene. The following excerpt from a 1987 U.S. Department of Justice report extols the wonders of the then-new technology:
The first latent print run against the San Francisco Police Department's AFIS database had been the subject of thousands of hours of manual search methods over an eight-year period. The print belonged to the killer of Miriam Slamovich, a World War II concentration camp survivor, who was shot point blank in the face by an intruder in her home in 1978. Her assailant left a full, perfect print at the scene, but with no suspect and no other clues, there was little chance of making a match on existing file prints by conventional manual searching methods. Police detectives doggedly pursued the case, however, and when the AFIS system was implemented in 1985, it matched the print in six minutes. Slamovich's alleged killer was in custody the same day.
In 1988, I attended a conference on AFIS in Boston. There, I met Detective Ken Moses of the San Francisco Police Department. Moses told me that in 1984, the first year after the SFPD installed its automatic fingerprint identification system, the city's burglary rate dropped 26%. Here's why: fingerprints are found at 40% of all burglaries; 28% of these fingerprints result in positive identifications. A positive fingerprint identification results in a conviction 93% of the time. By the end of 1985, San Francisco had identified, convicted, and sentenced more than 900 burglars using AFIS.
AFIS also allowed San Francisco to do something that had never before been possible: turn back the clock and reinvestigate old, unsolved crimes. Starting with the case of Miriam Slamovich, police were able to clear 816 outstanding cases, including 52 homicides. (The previous year, only 58 cases in total had been cleared through the use of latent prints.)
San Francisco's experience was repeated in other jurisdictions. California's infamous "Night Stalker" case was similarly solved with an AFIS search using a latent print that was lifted from a stolen car. Within a few months after installing an AFIS system in Baltimore, the state of Maryland correctly identified 525 people who had been arrested and given false names to the police. The early AFIS successes were so stunning, in fact, that the Department of Justice report gushed: "AFIS may well have the greatest impact of any technological development on law enforcement effectiveness since the introduction of computers to widespread use in the criminal justice system in the 1960's."
Automatic Fingerprint Identification System
This terminal is used by a technician to view the results of a computerized search through a databank of digitized fingerprints. To look up a fingerprint, the AFIS system first analyzes the print and makes a list of the print's minutiae points--the points where a fingerprint ridge starts, stops, or forks. The matrix of these points is then used as a key into the computer's databank. Searches are very fast and very accurate: it can take less than a minute to search a database of a million prints and find an exact match.
The system shown here was developed by NEC Technologies' AFIS Division, which introduced one of the first biometric applications nearly 30 years ago and continues to lead the market today. Today, NEC's biometric identification technology is being used at more than 300 installations in 14 countries. Specially tailored systems are available for healthcare, licensing, welfare, and security. Many cities and states are aggressively deploying this technology, seeking to build a master database containing the fingerprints of every citizen, whether or not that person has committed a crime. Such a database, advocates say, would have a tremendous impact on both crime-fighting and identification of the dead or missing. [Photos courtesy NEC Technologies]
The rush by police forces to implement AFIS systems ignored one crucial factor: questions about the accuracy of the underlying technology. In part, this is because the uniqueness of fingerprints had long been established in American law. But another reason was that even a lay person could visually confirm an AFIS match by comparing the two fingerprints. And because the initial AFIS databases were built by scanning in cards that were already in the possession of police departments, the systems were largely adopted without public discussion. For law enforcement, the only serious policy questions were pragmatic ones: settling jurisdictional disputes between AFIS systems operated by cities, states, and the federal government; assuring that AFIS systems from different manufacturers used compatible file formats; and figuring out how to get more fingerprints digitized and stored in the computers.
Far more controversy surrounded the adoption of DNA identification systems, the technology popularly misnamed DNA fingerprinting.
Deoxyribonucleic acid, better known as DNA, is the molecule that separates us and connects us. DNA is an intergenerational messenger, the basis of family and clan identity, and the imaginary binder of many nations. And yet, DNA is also the basis of most people's individuality. Just as our DNA connects us to both of our parents, our own unique pattern separates us from them.
DNA identity testing uses the genetic code as the basis of a near-perfect identification system. Today, this testing has three primary uses:
- Paternity testing
- Identification of blood and semen left at crime scenes
- Identification of human remains
Since half of a person's DNA fingerprint comes from each parent, it's relatively easy to use the molecule to determine paternity: all that's required are a few cells from the child, the mother, and the suspected father. Over the past decade, DNA testing has also worked its way into thousands of court cases. The test is ideal for crimes where no fingerprints are found, and needs only tiny amounts of genetic information for success--a drop of blood, saliva, or semen, a single hair root, or a piece of skin. As Dr. Michael Baird from Lifecodes Labs told me: "If you have a piece of blood on your shirt that matches the blood of the victim, chances are that you are the murderer."
And increasingly, DNA testing is being used to identify human remains. Because DNA is an incredibly stable molecule, DNA necessary for identification can be retrieved from a body years, or even thousands of years, after a person's death. For this reason, the U.S. military has built a DNA identification database for every soldier in the armed services. Never again will the United States bury the remains of an unknown soldier.
Meanwhile, the nature of the controversy surrounding DNA identification systems has subtly changed. When the technology was first introduced, scientists, lawyers, and civil libertarians argued over whether the underlying science was sound, and if the technology actually worked. Today, DNA identification is widely accepted as absolutely accurate--and we are struggling with the social implications of this newfound precision.
Settling the Science: DNA Testing 1986-1996
At the heart of DNA identity tests is the human genome itself. Each person carries a unique genetic code, a sequence of roughly 3 billion nucleic acid base pairs--adenine (A), guanine (G), cytosine (C), and thymidine (T). Every cell of a human body contains its own copy of that person's genetic code, determined at conception--a code that is different for every person on the planet. Unlike fingerprints, there's no way to change a person's DNA by surgery or by cutting off the person's hands.
Yet, while DNA identification techniques are quite powerful, the system suffers from fundamental problems. The first problem is that, unlike fingerprints, not everybody's DNA is unique: identical twins, by definition, share the same genetic pattern. And identical twins are fairly common: in North America, one in every 83.4 births is a twin, and 28.2% of twins share identical DNA from an original cell. Thus, roughly 0.338% of the population are identical twins--three people out of a thousand. Adopting DNA as the country's sole identification system would instantly create a million genetic doppelgängers.
A second problem inherent in DNA identification systems is that they do not use the entire human genome--at 3 billion base pairs, the genome is too big. The complete genome is also largely irrelevant for identification, since more than 99% of the DNA between two individuals is identical. Instead, the DNA tests look at particular regions of the DNA that don't seem to serve any function--what's commonly called junk DNA. Because these parts of the genome aren't involved in keeping the cell or the organism alive, random changes or mutations get passed down from generation to generation. DNA identification tests look at these regions in two different samples and report if they are the same or different.
If the two samples have patterns that don't match, then the test is conclusive: they didn't come from the same person. But what if there is a match? If two samples have the same pattern, they might be from the same person--or it might just be a random, coincidental match between two individuals. There is no way to know for sure. Indeed, the typical DNA test can only resolve a hundred or so different genetic patterns--meaning that the chance of a random match is one in a hundred. To deal with this uncertainty, identification labs typically combine the results from four or five tests. Provided that the tests are actually looking at different regions of the genome, and provided that the genetic patterns aren't "structured" within a community by inbreeding, using multiple tests can reduce the chance of a false match from one in a hundred to one in a million or even one in 500 million. But they can't entirely eliminate the chance of a false match. "DNA testing is not a fingerprint," says Dr. David Bing, former director of the Human Identification Trade Association. "You can never be sure. There is no DNA test that says that this person is unique."
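The twin arithmetic two paragraphs back and the product-rule reasoning in this one are both small enough to carry through in code, which also makes explicit what the chapter's experts are warning about: a mismatch excludes, a match is only "consistent", and the residual match probability is multiplied by the size of any database that is searched cold. The block below is an added illustration, not code from the book. The twin rates (one in 83.4 births, 28.2% identical) and the one-in-a-hundred per-test figure are the chapter's; the population figure, the database size and the sample profiles are constructed.

```python
"""Twin frequency, the product rule for combining DNA tests, and what a match
means when a database is searched cold.

Added illustration, not the book's code. Twin rates and the 1-in-100 per-test
figure are the chapter's; population, database size and profiles are constructed.
"""
from math import prod


def identical_twin_fraction(births_per_twin=83.4, identical_share=0.282):
    """Fraction of people who share their DNA with a living double (chapter's figures)."""
    return identical_share / births_per_twin          # about 0.00338


def genetic_doubles(population, **twin_rates):
    """How many people would have an identical-DNA double at a given population size."""
    return int(population * identical_twin_fraction(**twin_rates))


def combined_random_match(per_test):
    """Product rule: chance that an unrelated person matches on every test.

    Valid only if the tests read independent regions of the genome and the
    population is not structured by inbreeding; otherwise the product
    overstates how rare a coincidental match is.
    """
    return prod(per_test)


def compare_profiles(sample, suspect):
    """A mismatch at any region excludes; agreement everywhere is merely 'consistent'."""
    regions = [r for r in sample if r in suspect]
    if not regions:
        return "inconclusive"
    if any(sample[r] != suspect[r] for r in regions):
        return "excluded"
    return "consistent"


def expected_false_hits(p_match, database_size):
    """Expected number of innocent entries matching a profile by chance."""
    return p_match * database_size


def prob_false_hit_in_search(p_match, database_size):
    """Chance that a cold search of a database returns at least one coincidental match."""
    return 1.0 - (1.0 - p_match) ** database_size


# Constructed profiles: each region holds a pattern label rather than real fragment sizes.
SCENE = {"D1": "a", "D2": "f", "D3": "c", "D4": "k"}
SUSPECT_A = {"D1": "a", "D2": "f", "D3": "c", "D4": "k"}
SUSPECT_B = {"D1": "a", "D2": "f", "D3": "g", "D4": "k"}

US_POPULATION_ASSUMED = 280_000_000   # constructed round figure for the period
DATABASE_SIZE_ASSUMED = 1_000_000     # constructed


if __name__ == "__main__":
    print("identical twins:", round(identical_twin_fraction() * 100, 3), "%")
    print("genetic doubles in assumed population:", genetic_doubles(US_POPULATION_ASSUMED))
    p3 = combined_random_match([0.01] * 3)
    print("three independent tests:", p3)
    print(compare_profiles(SCENE, SUSPECT_A), compare_profiles(SCENE, SUSPECT_B))
    print("false hits expected in cold search:", expected_false_hits(p3, DATABASE_SIZE_ASSUMED))
    print("chance of at least one:", round(prob_false_hit_in_search(p3, DATABASE_SIZE_ASSUMED), 3))
```

Three independent one-in-a-hundred tests give the chapter's one in a million, but searching a million-record database with that profile still yields, on average, one innocent match, and a 63% chance of at least one; the lesson is that a match found by a cold search carries far less weight than the same match against a suspect identified by other evidence.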
These two identity tests show the use of DNA evidence to exclude a suspect from a crime scene and to confirm a match. To perform this test, DNA is collected from a crime scene and from a suspect's blood. The DNA is then treated with an enzyme that cuts it into fragments of different sizes. The fragments are put on a piece of gel and placed in an electric field, which sorts the fragments by size. The fragments are then treated with a probe that adheres to unique patterns of DNA on the chromosome. A black line, or band, appears where the probe sticks. If a DNA sample has the same-sized fragments as DNA collected from a suspect, the DNA samples are said to match. This example is from Cellmark Diagnostics, one of the leading laboratories performing forensic DNA identifications. [Photo courtesy Cellmark Diagnostics, Inc., Germantown, Maryland]
A third problem is that DNA identification tests need to be performed in a laboratory by a skilled technician. The jury in Pudd'nhead Wilson could look at the fingerprint on the murder weapon and compare it with the suspect's actual fingerprint. But because the DNA identification process relies on outside experts, there's always room for professional disagreement. And there's always a chance that a sample of blood or semen taken from a crime scene might be contaminated en route--either by accident or on purpose. (Indeed, the DNA evidence at the 1995 criminal trial of O. J. Simpson was attacked by Simpson's defense team not on scientific grounds, but using the argument that the evidence had been contaminated by a racist cop intent on framing the former football player.)
When DNA testing first moved into American courtrooms in 1987, few defense lawyers knew enough about the science to raise these objections. Prosecutors presented DNA identification to judges and juries as a well-established scientific theory--despite the fact that the idea itself had been first proposed only a year before. By 1991, DNA evidence had been used in hundreds of felony prosecutions. But there were problems. In the 1989 case People v. Castro, the trial court accepted the state's DNA evidence, ruling that DNA testing was generally accepted by scientists--then the appellate court threw out the evidence because of apparent irregularities on the part of the testing laboratory. In November 1989, the Supreme Court of Minnesota threw out DNA evidence in State v. Schwartz: the court criticized the testing laboratory for poor quality control and for failing to share the population-frequency data on which the lab's statistical conclusion was based. But that same year, the Maryland Court of Special Appeals ruled in the case Cobey v. State that DNA evidence could be admitted--but that DNA evidence should not necessarily be "admissible willy-nilly in all criminal trials."
Suddenly, whenever the prosecution wanted to use DNA testing as evidence, the trial quickly became a trial about the scientific merit of DNA testing itself. Many scientific studies and papers argued the validity of the technique; however, all of them were written by people who were either on the payroll of testing labs or had been paid by the FBI or a state district attorney to testify at trials. Nobody in the scientific community could give an unbiased opinion about the technique; everyone who understood the science seemed to have a vested interest in it!
To help put the controversy to rest, in 1989 the National Research Council formed the Committee on DNA Technology in Forensic Science to study DNA-based identification techniques. Part of the National Academy of Sciences, the NRC is the United States' most prestigious research organization, widely regarded as the benchmark of fair and objective scientific wisdom. The Committee found that the underlying science was basically correct. But the industry needed to standardize on the particular probes being used, and it needed a bigger database of population genetics. And then the Committee made a serious mistake. Trying to settle a statistical dispute between practitioners of the DNA tests and a group of population geneticists, the Committee recommended that DNA tests be performed using a new statistical technique that it called the interim ceiling principle. The principle was a new mathematical formula for computing the chances of a mismatch--a formula that was much more conservative than those that were being used at the time.
"It created a legal snafu," Mark Stolorow, manager of forensic sciences at Cellmark Diagnostics, explained to me. The problem was that the legal standard for the admission of scientific evidence in a court--called the Frye standard--requires that the scientific technique be peer reviewed and generally accepted by the scientific community. But the NRC's interim ceiling principle wasn't generally accepted; the members of the NRC committee invented it themselves.
In April 1993, FBI director William Sessions asked the NRC to do a follow-up study, in order to eliminate the confusion. Although this sort of reevaluation of a report was unprecedented, it was clearly necessary. Nevertheless, the whole process stumbled. NRC convened a new committee on August 30, 1993, but the committee didn't have its first meeting until September 1994 because of funding uncertainties. The report wasn't issued until 1996.
By the time that the NRC issued its second and final report on genetic identification testing, the issue was already settled. In October 1994, Nature published an article titled "DNA Fingerprinting Dispute Laid to Rest." True to its title, the article was coauthored by the most vocal critic of forensic DNA testing, Eric S. Lander, and one of its most vocal proponents, Bruce Budowle. In the article, Lander, a geneticist at the Whitehead Institute Center for Genome Research, and Budowle, head of the FBI's Forensic Science Research and Training Center, agreed that the science behind DNA was sound. Provided that laboratories take care to avoid contamination, DNA can be as accurate as any other technology for assuring identification.
DNA Fingerprinting Today
It is hard to overstate the power of DNA identification testing. Today the tests have completely changed paternity testing for child support. "Do you know how they used to do paternity testing in the old days?" Dr. David Bing asked me. "They brought the child into the court and said `does it look like him?'"
DNA testing is also being used by people who want to know if they are siblings, or half-siblings, but aren't interested in following up in court. CBR Laboratories has performed several of these tests for "sibship," says Bing, who was previously associate director of the lab. To perform the test, DNA samples are needed from both suspected siblings as well as from as many other relatives as possible. At $200 per person, the tests are not very expensive for the peace of mind that they produce. And people can be tested without their knowledge or permission--it's easy to get a DNA sample from a used tissue.
"Generally speaking, we wouldn't write up a report, but we will do the test," says Bing. The test wouldn't hold up in court because there is no chain of custody associated with the samples. But the tests do answer questions of the heart. Bing's laboratory will answer those questions for anybody--provided that the person is represented by a lawyer, physician, counselor, social worker, or private investigator.
Today, the conclusive power of a DNA exclusion is being used to overturn convictions from the days before the technology was available. The Innocence Project at Yeshiva University's Cardozo School of Law specializes in using DNA evidence to force the retrial and acquittal of those who have been falsely convicted of crimes. A 1996 report by the National Institute of Justice detailed 28 cases in which wrongly convicted men had been freed after DNA testing proved they were innocent. The men had served, on average, seven years in prison. DNA testing is also being used to reunite children kidnapped during Argentina's "Dirty War" with their grandparents and remaining family members.
Even the dead can be exonerated. In Cleveland, the son of Dr. Sam Sheppard hoped DNA evidence would prove once and for all that his father was innocent of the 1954 murder of his wife, Marilyn Sheppard. Sam Sheppard, who was imprisoned for ten years, was acquitted in a 1966 retrial of the case, but doubts remained in many people's minds. The doctor's son, Sam Reese Sheppard, successfully obtained an order in July 1997 to have his father's body exhumed so that his father's DNA could be compared with blood and bodily fluids found at the murder scene. The testing proved that blood found at the scene of the crime belonged not to Sheppard, nor to his wife, but to another man.
The DNA Databank
On the morning of November 25, 1991, a masked man broke into the home of a newlywed couple near Springfield, Illinois, shot and killed the husband, raped the wife, shot her, and left her for dead. Miraculously, the woman survived. Investigators took the murderer's semen from the woman and performed a routine DNA identification test. The pattern was searched against other DNA patterns stored inside a computerized DNA index system, but there was no match. And with the woman unable to identify her attacker, the police quickly ran out of clues. The case went cold.
The following April, in an unrelated case, Springfield police took a DNA sample from a man who had been convicted of raping a 17-year-old girl and entered the information into the same computer. This time, the computer reported a match--with the DNA taken from the November rape. A jury eventually convicted the man, Arthur Dale Hickey, of first-degree murder, attempted murder, aggravated criminal sexual assault, and home invasion. Hickey was sentenced to death.
According to the FBI, 67% of rapists commit more than one offense--with the average number of offenses being 2.8 detected, and 5.2 undetected. DNA identification technology promises to help solve many of these cases. As a result, the U.S. government passed legislation forcing every state to establish DNA registries for convicted sex offenders. And many of the state laws don't stop at sex offenders. Some states require that all convicted violent criminals provide samples. Others require that people convicted of nonviolent crimes be genetically fingerprinted as well. Some states even collect and databank the genetic patterns from people accused of crimes.
These DNA patterns are stored in the FBI's Combined DNA Index System, or CODIS. Authorized by the 1994 DNA Identification Act, the system is actually a network of computer systems designed to be used by local, state, and federal authorities as they acquire DNA profiles and search for matches. The pilot program has been operational since 1991.
DNA profiles are created from evidence left at crime scenes, as well as from convicted offenders. When a new profile is entered into CODIS, it is automatically searched against the profiles from all of the other unsolved crimes that the database contains. If a match is found, an email message is sent to the lab that entered the original information.
Keeping up with the number of samples coming into the system has been a problem. In the summer of 1997, the CODIS system had roughly 125,000 samples from convicted offenders and 20,000 samples from unsolved cases on file. Another 400,000 DNA samples from convicted offenders were in storage, waiting to be analyzed and fed into the computers. By November 1998, the number of untested samples had grown to 450,000 DNA samples throughout the United States. At that time, the FBI asked for an additional infusion of $22.5 million, specifically designed to profile the backlog.
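The arithmetic behind two points made above, that combining independent tests shrinks the chance of a coincidental match while a database trawl multiplies that chance back up by the number of profiles searched, as an added worked example. This is not code from the book and not CODIS software: the per-locus match frequencies and the profiles are constructed, following the text's simplification that one test resolves about a hundred patterns, and the 125,000-profile database size is the summer 1997 offender index figure quoted above.

```python
import math

# Constructed per-locus random-match frequencies (not real population data).
# They follow the text's simplification that one test resolves about a hundred
# patterns, so an unrelated person matches at a given locus about 1 time in 100.
CONSTRUCTED_LOCUS_FREQ = {
    "locus_1": 0.01, "locus_2": 0.01, "locus_3": 0.01,
    "locus_4": 0.01, "locus_5": 0.01,
}

# Constructed profiles: locus name -> pattern label observed in that sample.
SCENE_PROFILE = {"locus_1": "A7", "locus_2": "B3", "locus_3": "C9",
                 "locus_4": "D2", "locus_5": "E5"}
SUSPECT_CONSISTENT = dict(SCENE_PROFILE)
SUSPECT_EXCLUDED = dict(SCENE_PROFILE, locus_3="C4")

# Offender index size quoted in the text for summer 1997.
CODIS_OFFENDERS_1997 = 125_000


def random_match_probability(loci, freqs):
    """Product rule: multiply the per-locus frequencies.

    Valid only when the loci are inherited independently, which is the
    'not structured by inbreeding' caveat; correlated loci make the true
    figure larger than the product."""
    p = 1.0
    for locus in loci:
        p *= freqs[locus]
    return p


def compare_profiles(scene, suspect, freqs):
    """The asymmetry of DNA evidence in one function.

    Any locus that differs is a conclusive exclusion. Agreement at every
    locus is only 'consistent with', and must be reported together with the
    probability that an unrelated person would agree by chance."""
    for locus, pattern in scene.items():
        if suspect.get(locus) != pattern:
            return ("excluded", locus, None)
    return ("consistent", None, random_match_probability(scene, freqs))


def expected_coincidental_matches(rmp, database_size):
    """A one-to-one confirmation risks the random-match probability once.
    Searching a database of unrelated people risks it once per profile."""
    return rmp * database_size


def prob_at_least_one_coincidental_match(rmp, database_size):
    """1 - (1 - rmp)**N, computed without losing precision for tiny rmp."""
    return -math.expm1(database_size * math.log1p(-rmp))


if __name__ == "__main__":
    freqs = CONSTRUCTED_LOCUS_FREQ
    print(compare_profiles(SCENE_PROFILE, SUSPECT_EXCLUDED, freqs))
    print(compare_profiles(SCENE_PROFILE, SUSPECT_CONSISTENT, freqs))
    for n in (1, 3, 5):
        loci = list(freqs)[:n]
        rmp = random_match_probability(loci, freqs)
        print(f"{n} loci: random match 1 in {1 / rmp:,.0f}; "
              f"expected chance hits in {CODIS_OFFENDERS_1997:,} profiles: "
              f"{expected_coincidental_matches(rmp, CODIS_OFFENDERS_1997):.4g}; "
              f"P(at least one): "
              f"{prob_at_least_one_coincidental_match(rmp, CODIS_OFFENDERS_1997):.3g}")
```

With three loci at one-in-a-hundred each the random-match probability is one in a million, which sounds safe for confirming a named suspect, yet the same figure searched against 125,000 unrelated offenders yields roughly a one-in-nine chance that somebody in the file matches by coincidence. That is why a cold hit from a database search needs corroboration that a one-to-one confirmation does not.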
An even larger DNA databank is being constructed by the U.S. Department of Defense (DoD). The purpose of the Department of Defense DNA Registry is to identify the remains of lost soldiers. As of December 31, 1995, the Registry's Specimen Repository had 1.15 million DNA specimens.
According to a written statement about the repository that appeared on the DoD's web site:The blood is placed on special cards with the service member's Social Security number, date of birth, and branch of service designated on the front side of the card. On the reverse side of the bloodstain card are a fingerprint, a bar code, and signature attesting to the validity of the sample. Ultimately, the bloodstain card is stored in a vacuum-sealed barrier bag and frozen at -20 degrees Celsius, in the Specimen Repository. The oral swab (buccal scraping) is fixed in isopropanol and stored at room temperature. Great care is taken to prevent the possibility of error from sample switching or mislabeling.
But it is likely that this DNA databank may one day be used for more than just identification, since the DoD is storing whole blood cells, rather than simply the results of a particular DNA screening. DoD, after all, is creating the world's largest archive of well-preserved genetic material, and for each sample, the department has detailed medical and performance information. As the years pass and the databank grows, its guardians will be increasingly pressured to release samples for scientific research--and perhaps for criminal investigations as well. Some sort of mission creep seems likely, given the history of other federal databank projects.
Despite their apparent accuracy, neither fingerprints nor DNA samples are suitable for identifying individuals on a day-to-day basis. Fingerprints may be a lost cause: after more than 100 years, proponents have still been unable to shake the stain of criminality from their use. DNA identification is unworkable because the biological reactions on which DNA testing is based require minutes or hours, rather than seconds, to take place. Fortunately, for the past 100 years, the world has relied on another kind of biometric that can be nearly as good as a fingerprint or a DNA sample. That biometric is the photograph.
The most common form of identification today is a photograph fixed to an official document. Worldwide, the "universal currency" for personal identification is the passport. Most European countries supplement passports with identity cards. In the United States, the photo driver's license is the most common form of identification for both private industry and government.
The reliability of a driver's license depends on two factors. First, the state must be sure that the driver's license is being issued to the correct person. Second, the driver's license itself needs to be reasonably tamperproof, so it can't be changed once it is issued. (A driver's license that can be easily modified is an invitation to crime, since the license can be stolen, altered, and then used for fraudulent purposes.) States have increasingly, and somewhat successfully, turned to exotic materials to make driver's licenses more difficult to forge. But they generally do only a fair job of verifying the identity of the prospective driver. An even bigger problem with the U.S. driver's license system is that each state's license looks radically different from every other's. It can be very difficult for a check casher in Massachusetts to know if an offered driver's license really came from the state of Montana or if it is a forgery.
Now the move is on to computerize identification systems. Like AFIS, modern biometric systems have two parts. The first is a device that is able to measure an aspect of the human body, and reduce that measurement to a series of numbers. The second is a large database, recording the biometric measurement for hundreds or thousands or millions of people. In many cases, an online database can do away with the problem of forgeries: while a fake piece of plastic can be produced, it is considerably harder to put fake entries into a government database.
A variety of computerized biometric systems have been proposed and developed over the past decade. The simplest involve merely creating an online database of every driver's license photograph. But more sophisticated biometrics are constantly being proposed and tested. Here are some of the more popular ones.
- Retina prints
- Eye prints are similar to fingerprints, but instead of capturing the minutiae on the tips of the fingers, these systems record and analyze the patterns inside a person's eye. In the 1980s, retina prints, based on the veins and arteries in a person's retina, were popular. But unlike fingerprints, retina prints are not fixed: when a woman is pregnant, the fetal hormones can cause new arteries and veins to branch in the mother's eye. If widely adopted, retina prints could prove to be a remarkably intrusive identification system, with women being forced to explain if they were pregnant, why they were pregnant, and perhaps what happened to the fetus, every time a retina print didn't quite match.
- Iris prints
- In the 1990s, iris prints have surged in popularity. The patterns on the human iris are fixed while the eyes are formed in utero; they remain constant for an individual's life; and they can be captured with a standard video camera, rather than an expensive and somewhat intrusive retinal scanner. One of the leaders in this field is IriScan, whose technology has been used inside prisons, at automatic teller machines, and, soon, in subway stations. British Telecom, a partner in the venture, has developed a high-speed iris scanner that can capture the iris print of a person in a car driving at 50 miles per hour. Today, the automotive scanner is quite expensive, as it requires special optics, a high-resolution camera, and a servo-mounted, computer-controlled lens. But as technology advances and prices drop, this technology is likely to become democratized.
Of all the biometric identification systems made possible by the human body, iris scanning appears to be the most robust and most accurate. The subtle patterns in the iris of each person's eyes are fixed before birth and remain unchanged throughout life (barring an accident or surgery, of course). The patterns can be read using a standard high-resolution video camera, and there is so much variation between individuals that the probability that two irises would have the same biometric value is approximately 1 in 10^78. (The population of the earth is approximately 10^10.) Even identical twins have dramatically different irises.
Nevertheless, remember that an iris scan does not uniquely identify a person: an iris scan identifies an iris. Turning that identification into a name requires looking up the scan in a computerized database. If the database has been tampered with or altered, the iris scan will not yield the person's true identity. [Photos courtesy IriScan, Inc.]
- Signature and handwriting analysis
- Signature and handwriting analysis was one of the world's first biometrics. Today, signatures can be digitized and electronically compared with stored templates. If the signature is written on an electronic pad, the computer can also record the speed at which the pen moves and the pressure exerted. Combined, these three sets of values (position, speed, and pressure) create a biometric that is far harder to forge than a signature on paper, which shows a forger only the finished strokes and nothing of how they were made.
- Palm prints and hand geometry
- Palm prints and hand geometry are two systems that rely on the wrinkles in a person's hand or the relative lengths of the fingers to establish identity. Both lack the consistency over a lifetime that fingerprints provide. On the other hand, these systems don't have the stigma of fingerprints. A hand geometry system was used to identify athletes at the 1996 Summer Olympics in Atlanta.
- Voice prints
- Voice print systems attempt to determine a speaker's identity by comparing a spoken phrase with one that has been previously recorded. Today's computer voice systems can perform either speaker identification, in which they determine who is speaking, or speech recognition (often loosely called voice recognition), in which the computer determines what is being said. Today's computers can't perform identification and recognition at the same time, but humans can, so it's reasonable to assume that as computers get faster they will be able to do the same. It's unlikely that computers will ever be able to identify speakers with 100% accuracy. After all, people can't do it either. Sometimes there just isn't enough information available for the task.
Unlike other biometric identification technologies, face recognition is largely passive: it can be performed without a person's knowledge, allowing the person to be identified in an elevator or as they walk through a doorway. Today, biometric systems are increasingly being used for identification at ATM machines, in banks, and by security-conscious businesses. Several states are evaluating whether face recognition should be applied to their databank of driver's license photos, allowing them to determine if the same person has been issued a driver's license in more than one name. [Image courtesy Miros, Inc.]
- Face recognition
- Face recognition systems attempt to identify people based on what they look like. Today's systems require that a person's face fill the computer's video camera and that the background be reasonably controlled. Future systems should be able to recognize a person in a crowd, the same way that people do (and probably with similar rates of success). Because there is no stigma attached to face recognition, and no fear of something scanning the eye, face recognition systems are poised to become quite popular in the coming century, which might have many unforeseen results. "Undercover people are scared about facial recognition," says Stephen Shaw, editor of Identity World magazine. "It doesn't just suck up terrorists--it gets diplomats and spooks and undercover cops."
- Facial thermograms
- Facial thermograms identify people based on the patterns of veins and arteries underneath their skin. Although it's possible for a person to change their facial appearance with makeup or to grow or cut their facial hair, it's much harder to rearrange one's circulatory system. As a result, it's believed that facial thermograms might be more reliable than simple face recognition systems.
- Silhouette identification and gait prints
- Silhouette identification and gait prints are my own names for the next category of biometrics, but others in the identification field are considering them as well. When you see a friend at a distance, you can usually tell who they are without actually seeing their face. You make the identification based on a variety of parameters, including the person's size and proportions, the way they walk, and the kind of clothes they are wearing. Once again, if people can do this kind of identification, it's reasonable to think that computers will eventually be able to do it as well.
- It is also possible to identify people based on their performance at a certain task. As an undergraduate at MIT, I developed a computer program that could identify people based on their typing speed and the pressure with which they hit the keyboard. While he was on staff at AT&T, researcher Thomas Speeter developed floor tiles that can identify who is walking on them. Several computer intrusion programs can detect if somebody has broken into a computer system; the systems operate on the principle that intruders use computers differently from their legitimate users.
- Writing style
- A growing body of techniques can be used to identify the author of a creative work--be it a play, a novel, or a musical score--based on patterns in the work. In 1996, Donald Foster, a professor of English at Vassar College, analyzed the best-selling novel Primary Colors and concluded that the "anonymous" author was in fact Joe Klein, a columnist for Newsweek magazine. (Interestingly enough, Klein didn't admit to being the book's author until the Washington Post surreptitiously obtained a handwriting sample from Klein and from the book's original manuscript, and had the two compared by Maureen Casey Owens, a former chief document examiner for the Chicago Police Crime Laboratory.) Likewise, Ted Kaczynski was identified as the Unabomber only after his manifesto was published and his brother recognized the writing style and ideas.
It's important to realize that none of the techniques mentioned here have gone through the kind of thorough peer review that was required of DNA fingerprinting in the 1980s and early 1990s. Instead, individuals and companies are testing them the way an undergraduate might test spaghetti boiling in a pot of water to see if it is done: throw it against the wall and see if it sticks. If we are to use biometrics for serious future applications, then they must be subjected to significantly higher standards of accuracy than they are today. Otherwise, it's likely that there will be numerous misidentifications and false identifications that will cast doubt and suspicion, and that could even imprison people who have done nothing wrong.
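What "significantly higher standards of accuracy" means in practice is that a matcher's two error rates, falsely rejecting the enrolled person and falsely accepting a stranger, get measured rather than assumed. The following is an added example that shows how, using the iris code discussed above as the worked case. It is not IriScan's or any vendor's code: it assumes a 2048-bit template compared by the fraction of disagreeing bits, a fixed acceptance threshold of 0.32, and a re-scan that flips a fraction of bits through noise. The users are constructed. A figure like the 1 in 10^78 quoted above depends entirely on how many of a template's bits vary independently between people, so the false-match function takes that number as a parameter instead of assuming all 2048 do.

```python
import math
import random

# Constructed assumptions, not any vendor's algorithm: an iris template is a
# 2048-bit code, unrelated eyes give independent bits, and a fresh scan of the
# same eye flips a fraction of bits through noise.
CODE_BITS = 2048
MATCH_THRESHOLD = 0.32      # accept as the same eye if <= 32% of bits disagree


def random_iris_code(rng, n_bits=CODE_BITS):
    """A template for a new, unrelated eye."""
    return [rng.getrandbits(1) for _ in range(n_bits)]


def recapture(code, flip_rate, rng):
    """A fresh scan of an enrolled eye: each bit flips with probability flip_rate.
    A high flip_rate models a user whose eye images are consistently poor."""
    return [b ^ 1 if rng.random() < flip_rate else b for b in code]


def hamming_fraction(a, b):
    """Fraction of template bits that disagree: 0.0 if identical, about 0.5 for strangers."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def same_eye(enrolled, probe, threshold=MATCH_THRESHOLD):
    return hamming_fraction(enrolled, probe) <= threshold


def false_match_probability(threshold, independent_bits):
    """Chance that two unrelated templates land under the threshold by luck.

    With n fair-coin bits the disagreement count is Binomial(n, 1/2); this is
    its lower tail at threshold*n. The answer moves by tens of orders of
    magnitude with n, which is why n has to be measured for real templates."""
    n = independent_bits
    k_max = int(threshold * n)
    return sum(math.comb(n, k) for k in range(k_max + 1)) / 2 ** n


def stranger_vs_recapture(seed=2001, flip_rate=0.10):
    """Disagreement of one enrolled eye against a stranger and against its own re-scan."""
    rng = random.Random(seed)
    enrolled = random_iris_code(rng)
    return (hamming_fraction(enrolled, random_iris_code(rng)),
            hamming_fraction(enrolled, recapture(enrolled, flip_rate, rng)))


def error_rates(seed=2001, users=40, flip_rate=0.10, threshold=MATCH_THRESHOLD):
    """Empirical (false_non_match_rate, false_match_rate) over constructed users:
    every user re-scanned once, every pair of distinct users compared once."""
    rng = random.Random(seed)
    enrolled = [random_iris_code(rng) for _ in range(users)]
    false_non_matches = sum(
        not same_eye(c, recapture(c, flip_rate, rng), threshold) for c in enrolled)
    pairs = false_matches = 0
    for i in range(users):
        for j in range(i + 1, users):
            pairs += 1
            false_matches += same_eye(enrolled[i], enrolled[j], threshold)
    return false_non_matches / users, false_matches / pairs


if __name__ == "__main__":
    for n in (2048, 249):
        print(f"{n} independent bits: false match about 1 in "
              f"{1 / false_match_probability(MATCH_THRESHOLD, n):.3g}")
    for rate in (0.10, 0.25, 0.40):
        fnmr, fmr = error_rates(flip_rate=rate)
        print(f"flip rate {rate:.2f}: FNMR {fnmr:.2f}, FMR {fmr:.2f}")
```

Raising flip_rate is the "biometrics are not democratic" problem in numbers: the same threshold that never admits a stranger locks out, every time, a user whose scans disagree with the enrollment by more than the threshold. Lowering the threshold to admit such users raises the false-match rate for everyone, so a deployment has to pick the operating point from measured data for its own population rather than from a vendor's headline figure.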
Between 1989 and 1995, I lived in a house that had a voice print lock on its front door. The lock gave me freedom and power. It gave me the freedom to walk around without fear of losing my keys: as long as I had my voice, I knew that I would always be able to get back into my house. And it gave me the power to control access to my home with tremendous precision. For example, I could voice print a contractor who was doing work on my house, knowing for sure that he would not give the key to one of his employees or make a copy for himself. And I never had to ask somebody for his keys back: all I had to do was erase his voice from the lock's memory.
But the voice print lock was not without its faults. After a few months, I discovered that I could not enter my house if a jet was flying overhead, or during a particularly loud rainstorm. I also discovered that biometrics are not democratic. Certain individuals could not be reliably identified by the system, while others were always identified on their first try. (Similar problems have been reported with fingerprint identification systems.) As a result, I eventually created "voiceless codes" that would let people in without requiring that they first speak a pass-phrase.
As we move into the next century, experiences such as mine will become widespread, as biometrics increasingly replace keys and identity cards. Biometrics will be used to open the doors of office buildings and to unlock computer files. Your computer will recognize you when you sit down in front of it, either by voice or by using its built-in video camera. It's easy to see why people are likely to prefer biometrics-based systems: there will be no passwords to forget and no access cards to lose. Yet at the same time, some people will be discriminated against because their biometrics are not easily read or reproduced.
Imagine a university in the year 2020. At the cafeteria, students take a tray, pick up the food that they want, and then simply walk to the dining room. A computerized system scans each student's tray, calculating the cost of the food they've taken, then looks at the student's face to figure out whose account should be debited. At the library, another face recognition system has long since replaced the student's library card. When the student walks into a laboratory, the computer scans his face to make sure that he has authorized entry--this is especially important for labs that contain material that could be subverted and used by terrorists. And when the student sits down at a computer, the system automatically logs the person in and opens his files.
This university of the future won't need to issue its students identification cards: a smart video camera and a connection to the university's computer network will work just as well. But the university will probably continue to issue student IDs so students can prove their university affiliation to area businesses and other organizations. After all, no university is going to let outsiders tap into its biometric database!
The university biometric identification system works because a university is a total environment and students are voluntary members. Because students are paying a lot of money to earn academic credit, and because a university's library privileges, athletic facilities, and dorms are not available to the general public, the students have a vested interest in being properly identified by the institution.
Many stores now have video cameras that record the image of everyone who walks inside. (Frequently, these cameras are positioned in such a way that they also record the person's height.) Soon these cameras will likely be connected to computers and networks that use the person's face and other information to determine his or her identity. The store's computers might consult public records to find out if the person who just entered is wanted by the authorities. The computer might check other databases to find out if the person has a history of violent behavior, or if they owe too much money on their credit cards, or if they are suspected shoplifters. Place the camera outside the store and you can have the computer automatically lock the store's doors when a disreputable person tries to enter. Because these identification systems won't be perfect, places that use them will have to weigh the risk of not using the technology versus the risk of lawsuits, civil penalties, or simply poor customer relations that might result from misidentifications. In fact, the computer would probably be programmed to weigh the risk for each shopper.
Building a database of all the nation's faces would not be very difficult, since much of the data is already in public hands. In the 1990s, most states began digitizing photographs that were recorded on driver's licenses. These photographs, which are now part of the public record, will increasingly be sold to private businesses unless the sales are prohibited by legislation. The process has already started. In February 1999, the South Carolina Public Safety Department sold photographs of the state's 3.5 million drivers to Image Data LLC of Nashua, New Hampshire. The price was a bargain basement $5,000, or roughly a penny for seven photos, according to an article in the Washington Post.
The Washington Post also revealed that Image Data LLC had received a $1.46 million grant and technical assistance from the U.S. Secret Service in 1998. The company was charged with building a national photo ID database to fight check and credit card fraud, as well as to fight terrorism and verify immigration status.
Image Data's plans cause alarm because photographs provide tremendous potential for abuse. For example, a racist programmer operating inside a bank might gimmick a bank's loan calculation program to automatically factor in a person's skin tone as part of the loan approval process. Alternatively, a bug in a computer program, especially one based on "neural net" technology, might inadvertently factor in this information without anyone's conscious planning. Such calculations could be exceedingly difficult to locate during a routine audit.
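One way an auditor can catch such a hidden factor without reading the program, as an added example that is not from the book and not any bank's code: treat the scorer as a black box and re-score each applicant with only the photo-derived attribute changed. If any decision flips, the attribute is influencing the outcome no matter what the code claims. The scoring functions, the applicants and the field names below are constructed stand-ins; the "gimmicked" scorer is shown beside a clean one for contrast.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins. In a real audit the scorer is an opaque model or
# service; here it is a function so the example runs offline.


@dataclass(frozen=True)
class Applicant:
    income: int        # constructed, in dollars
    debt: int          # constructed, in dollars
    skin_tone: str     # "light" or "dark"; photo-derived, never a legitimate input


def opaque_loan_score(a: Applicant) -> bool:
    """Stand-in for the gimmicked program: approves on the debt-to-income
    ratio but quietly adds a penalty for one skin tone. Nothing in its name
    or signature reveals this, which is the audit problem."""
    ratio = a.debt / max(a.income, 1)
    penalty = 0.10 if a.skin_tone == "dark" else 0.0
    return (ratio + penalty) < 0.40


def fair_loan_score(a: Applicant) -> bool:
    """The same rule with the hidden factor removed."""
    return a.debt / max(a.income, 1) < 0.40


def counterfactual_audit(score, applicants, attribute, values):
    """Re-score every applicant with only `attribute` changed to each value.
    Returns the applicants whose decision depends on that attribute."""
    flips = []
    for a in applicants:
        outcomes = {v: score(replace(a, **{attribute: v})) for v in values}
        if len(set(outcomes.values())) > 1:
            flips.append((a, outcomes))
    return flips


def approval_rate_by_group(score, applicants, attribute):
    """The coarser check: approval rate per group. A gap here is a signal, not
    proof, because the groups may differ on legitimate inputs too."""
    counts = {}
    for a in applicants:
        group = getattr(a, attribute)
        approved, total = counts.get(group, (0, 0))
        counts[group] = (approved + int(score(a)), total + 1)
    return {g: approved / total for g, (approved, total) in counts.items()}


CONSTRUCTED_APPLICANTS = [
    Applicant(50_000, 10_000, "light"),   # ratio 0.20: approved either way
    Applicant(50_000, 17_500, "light"),   # ratio 0.35: depends on skin tone
    Applicant(50_000, 17_500, "dark"),    # ratio 0.35: depends on skin tone
    Applicant(50_000, 25_000, "dark"),    # ratio 0.50: denied either way
    Applicant(80_000, 30_000, "dark"),    # ratio 0.375: depends on skin tone
]

if __name__ == "__main__":
    for name, scorer in (("opaque", opaque_loan_score), ("fair", fair_loan_score)):
        flips = counterfactual_audit(scorer, CONSTRUCTED_APPLICANTS,
                                     "skin_tone", ("light", "dark"))
        rates = approval_rate_by_group(scorer, CONSTRUCTED_APPLICANTS, "skin_tone")
        print(f"{name}: {len(flips)} decisions change with skin tone alone; "
              f"approval rates {rates}")
```

The group-rate comparison alone would also flag the clean scorer, because the constructed "dark" applicants happen to carry more debt; the counterfactual test separates that from what the audit is after, a decision that changes when nothing but the photo-derived attribute does. The same re-scoring works against a neural net, since it needs no access to the weights, only to the scoring interface.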
Ironically, there is a far cheaper and easier approach for using photography to prevent check and credit fraud. Instead of building a computerized database with all of the nation's faces, simply put each person's photograph on the front of his or her credit cards and checks. The Polaroid Corporation developed a photo credit card in the 1960s, but most banks resisted using the cards. One reason was that photographs, while they decrease fraud, marginally increase costs. The second reason is that if a person's photograph needs to be snapped before that person can be issued a credit card, then banks cannot acquire new customers by target marketing: in order to get a photograph onto the card, the customer needs to come into the bank in person.
The national database of photographs is well on its way to being created. But we as a society need to discuss what this database will be used for, who will have access to it, and how erroneous information will be corrected. It would be a mistake to give private industry unrestricted use of this data without any checks and balances.
Smart Card-Based Identification
A "smart card," like this one from Gemplus, is a plastic card that contains a tiny microchip. The chip can hold both a microprocessor and several kilobytes of memory. One popular application of smart cards is as "stored value cards," in which the cards are used to store a kind of digital money. Another way to use a smart card is as a mobile databank that cannot be easily accessed or modified by the cardholder. In this example, the smart card is used as an identity card that contains a digitized photograph and possibly a fingerprint. Here, the border guard can compare the face of the woman standing in front of him with the image of the woman stored in the card. Because it is presumably more difficult for a person to tamper with the digitized image stored inside the smart card than to tamper with the image printed on the card's surface, smart card identity cards are considered by their promoters to be more secure. Although this may be true today, the presumption that smart cards are more secure means that there will be a higher reward for creating counterfeit or falsified cards. Ultimately, the smart cards of the future may be no more secure than credit cards are today. [Photos courtesy Gemplus]
When the Washington Post published word of South Carolina's impending sale of driver's license photographs, it caused an uproar. Immediately, the state tried to get out of the contract, arguing that the sale would violate the privacy of its citizens. But a state judge rejected the argument, saying that no law prevented the sale.
As a result of this and other cases, it's likely that some states will soon pass legislation to prevent states from selling driver's license photographs to private businesses. But it will be harder to prevent businesses from using their own resources to construct national image databanks. Video cameras behind checkout counters already record the image of each person using a credit card. It would be simple for a business to match up this information with names taken from the subject's credit card or courtesy card. In fact, such data collection is so easy that it is likely to happen unless lawmakers outlaw the practice.
Steve Mann, now a professor at the University of Toronto, Department of Electrical Engineering, calls the capture of a person's image without his or her permission likeness piracy. Mann is quick to point out that likeness piracy is different from copyright infringement: copyright only protects specific creative works that are in a fixed form. Copyright infringement is the appropriation and use of a specific image; likeness piracy is the appropriation and use of a person's image in general.
Some laws in the United States and other countries regulate likeness piracy. In the state of New York, for instance, it is a crime to use somebody's image in conjunction with an advertisement without his or her permission. This law dates to the early twentieth century, when marketers put people's faces on boxes as a form of product endorsement--without first going through the formality of obtaining the person's permission. It's anyone's guess if these laws will prevent likeness and biometric piracy in the twenty-first century. They won't if biometric piracy becomes an established business practice.
Already, the United Parcel Service, the nation's largest package delivery service, is also the nation's leader in biometric piracy. For most packages, UPS requires that a signature be written to serve as proof of delivery. In 1987, UPS started scanning the pen-and-ink signatures recorded for each package delivery. These images were stored in a database and faxed to any person who called UPS's 800 number and asked for a "proof of delivery" receipt. In 1990, UPS improved its piracy technology by equipping its drivers with portable electronic computers called DIADs (Delivery Information Acquisition Devices). Each computer has a built-in bar code reader and a signature pad. When a delivery is made, the UPS driver scans the bar code on each package and then has the person receiving the delivery sign for the package. The bar code number and the handwritten signature are recorded inside the DIAD, and ultimately uploaded to the company's databanks.
The push to make signatures available in electronic form came from UPS customers, Pat Steffen, a spokesperson for UPS, told me when I called the company to complain about the practices. Signatures are considered proof of delivery. Digitizing that proof allows UPS to manipulate it like any other digital data. The faxed proof-of-delivery certificates are sent automatically from UPS computers, she explained. It's also possible for UPS customers to download tracking software and view the signatures directly on their personal computers.
Ironically, by making a person's written signature widely available, UPS is helping to dilute the written signature's very value. Once the signature is digitized, it's easy to manipulate it further with a computer--for example, you can paste it at the bottom of a contract. UPS's system is particularly vulnerable: any package can be tracked as long as you know the package's airbill, and UPS issues its preprinted airbills in sequential order--for example, "0930 8164 904," "0930 8164 913," and "0930 8164 922." An attacker can easily learn a company's UPS airbill, use that airbill to obtain a comprehensive list of every delivery recipient--and then make a copy of every recipient's signature.
UPS understands the vulnerability, but it can't address the problem very well. A note on the company's web site says: "UPS authorizes you to use UPS tracking systems solely to track shipments tendered by or for you to UPS for delivery and for no other purpose. Any other use of UPS tracking systems and information is strictly prohibited."
But, realistically speaking, UPS can do little to prevent this kind of attack. "If someone wants to go out of their way to get package numbers, it can be done. If someone wants to go out of their way to do anything, I suppose that's possible. It is not an easy thing to do," said Steffen. Guessing would be harder, of course, if UPS used longer airbill numbers and didn't issue them in a predictable sequence.
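As an added illustration (not the book's text, and not UPS's code), the following Python audits the two issuance schemes the paragraph contrasts: a sequential serial, where one known number locates its neighbours, and the longer, randomly drawn serial the author recommends. The 10-digit-serial-plus-check-digit layout mirrors the airbills quoted above; the check-digit formula and the random scheme are assumed placeholders, not UPS's real algorithm.

```python
"""Added example, not code from the book or from UPS: auditing how guessable
an identifier scheme is.  The check-digit formula below is constructed for
illustration only and is not UPS's algorithm."""
import secrets


def check_digit(serial: str) -> int:
    """Constructed mod-10 check digit (weights 3,1,3,1,...); adds no secrecy."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(serial))
    return (10 - total % 10) % 10


def issue_sequential(start: int, count: int, width: int = 10) -> list:
    """Weak scheme (as on the page): serials handed out in increasing order."""
    out = []
    for n in range(start, start + count):
        serial = f"{n:0{width}d}"
        out.append(serial + str(check_digit(serial)))
    return out


def issue_random(count: int, width: int = 16) -> list:
    """Hardened scheme: a longer serial drawn from a CSPRNG, so one number
    reveals nothing about the others."""
    out = set()
    while len(out) < count:
        serial = f"{secrets.randbelow(10 ** width):0{width}d}"
        out.add(serial + str(check_digit(serial)))
    return sorted(out)


def neighbours_hit(known: str, issued: set, window: int = 20) -> int:
    """Audit metric: how many issued numbers lie within +/- window steps of
    one known number.  High for sequential issuance, ~0 for random."""
    serial = known[:-1]
    width, base = len(serial), int(serial)
    hits = 0
    for delta in range(-window, window + 1):
        cand = base + delta
        if delta == 0 or cand < 0 or cand >= 10 ** width:
            continue
        s = f"{cand:0{width}d}"
        if s + str(check_digit(s)) in issued:
            hits += 1
    return hits


def blind_guess_rate(issued_count: int, width: int) -> float:
    """Share of the serial space that is live: the chance that a random
    guess lands on a real number.  Longer serials shrink it."""
    return issued_count / 10 ** width
```

Running `neighbours_hit` over your own issued numbers is a cheap regression check that an identifier scheme has not quietly become predictable.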
The financial community has found a better way to incorporate biometrics into its business practices. Historically, crooks have been able to either steal blank checks or print their own, fill them out, and then take them to a bank and cash them. So in 1997, SeaFirst and a number of other West Coast banks started recording thumbprints on the back of checks whenever they were cashed by a person who didn't already have an account at the bank. The fingerprint itself was recorded with a new kind of ink: the person simply puts his thumb on the ink-pad, presses his thumb against the check's back, then wipes off the rest of the ink. This way, if it turns out that the check was forged, SeaFirst has the thumbprint of the actual crook--and it's the crook's actual thumbprint, rather than a copy of the thumbprint that was stored inside a computer (where it could be electronically manipulated to implicate somebody else). Since SeaFirst knows the exact time that the check was cashed--that's also recorded on the check, as well as in the bank's computer--it's a simple matter to go to the videotape and get a photograph of the crook's face. Thumbprints can also be searched through a variety of AFIS systems. Alas, while this technique may be laudable from a technical point of view, it has the unfortunate side-effect of making people who cash checks feel as if they are being treated like criminals.
Biometrics are a powerful means to ascertain somebody's identity, but only for the person or the machine that actually does the measuring. Once a biometric is stored inside a computer, all of the security provided by biometric identification is lost. A stored biometric could easily have been copied from another computer, rather than being directly measured. This is a critical distinction to understand when using biometrics. It is a distinction that is so subtle that it frequently is overlooked by the people implementing and using biometrics-based systems.
Identifying Bodies, Not People
Absolute identification is a seductive idea. Unfortunately, it's an idea that is fundamentally flawed. All of the identification techniques discussed in this chapter share a common flaw: the techniques do not identify people, they identify bodies. In modern society, people are legal entities. People have names, Social Security numbers, and histories. People buy and sell property. People have obligations. Bodies, on the other hand, are the warm-blooded, two-legged animals that are walking around on our planet's surface. Bodies are born, and bodies die.
When a murder is committed in our society, one body has taken the life of another body. It is then the job of the police to determine the people involved--that is, identifying the victim and finding the perpetrator. Bodies are imprisoned, but people go to jail. Any identification databank, whether it's the passports issued by the U.S. State Department or the FBI's CODIS system, attempts to draw lines connecting legal people with the bodies that they inhabit. This is an imperfect exercise.
Today, it is remarkably easy for a criminal to adopt an assumed name and construct an alias, complete with a state-issued driver's license. Many underground and semi-underground tracts give precise directions on how to create a fraudulent identity: first, search public records and find somebody who was born at roughly the same time and died in early childhood. Next, request a duplicate birth certificate and Social Security card. Subscribe to magazines in the stolen name. Just start using it. At some point, take a driver's license test.
The United States does not operate a central computerized registry of every birth and death in the country. Instead, cities, counties, and states all operate their own record systems. Sometimes records get lost--hospitals burn down, computer files get destroyed. Sometimes there are duplicate records, sometimes there aren't. Many record-keeping systems are antiquated. This lack of centralization can be exploited by people who know how. Once the identity of a dead child is appropriated in this manner, it can be remarkably difficult to disprove. Just about the only way one of these constructed identities can unravel is if the individual was previously arrested or fingerprinted--and if that information has been stored in some biometrically indexed, computerized database, such as a police department's fingerprint files. The databanks don't prove that the new identity is false. All they prove is that the biometrically identified body once used some other person's name.
Crooks aren't the only ones who create new people for old bodies: the government does it as well. New identities are routinely created for undercover officers, spies, defectors, and participants in the Federal Witness Protection Program. These needs of the state assure that no ironclad biometric identification system will ever be adopted in the United States or anywhere else: there will always need to be a means to introduce erroneous information into any government-sponsored identification database, or to change correct information that is no longer politically appropriate.
Some biometric identification systems have another problem as well: they can be subverted by a person who is suitably motivated. In the 1930s, gangsters had their fingerprints surgically removed and replaced with skin grafts from other parts of their bodies. Today, a person's hand prints or retina prints could be similarly removed--with the person's permission, or without. The risk or danger of mutilation will only increase as society increases its reliance on biometrics.
Instead of relying on technology to solve the social problem of bodily identification, we might want to consider social solutions. One possibility would be to use relatively weak identification systems and have very strong penalties for people who engage in identity fraud. Next, we should create statutory damages not just for the bank or business that was defrauded, but also for the person who had their identity appropriated.
Biometrics are sure to be an omnipresent part of tomorrow. But because of their recognized limitations, and because of the legitimate civil liberties concerns that these systems create, our civilization will probably not experience the full realization of a totally biometrically tracked future. Instead of tracking people, our civilization will increasingly turn to the much simpler project of tracking things, as the next chapter explores.
© 2001, O'Reilly & Associates, Inc.