Biometrics Used For Evidence
Cory Doctrow is one of my favorite authors. His book Little Brother is wonderfully subversive. In a recent post, he refers to a story about an LAPD officer who followed a potential suspect in order to gather DNA to help with a conviction. This is standard CSI kind of stuff – a few years ago the police would have offered a suspect a glass of water in order to gain their fingerprints and compare them against a crime scene.
Cory uses this as an example of why biometrics are bad, loosely grouping DNA in with biometrics. He says “You can protect the PIN for your debit card by shielding the keypad when you enter it, but how do you keep counterfeiters from getting your DNA for authenticating the debit-card of the future?”
This is certainly a valid point, and can be used as a criticism for fingerprints as well. Just like you spray your DNA all over the place, you leave your fingerprints all over the place as well. Theoretically, a person can lift your fingerprints and use them to act as you in order to gain access to something that is protected by biometrics. This has been done in several movies, as well as in real life on Mythbusters.
There are a number of problems with his argument, though. First, almost anything can be counterfeited. A valet can copy my house key. A waiter can copy my credit card. Card skimmers can steal your PIN without you knowing it. Money is counterfeited all the time.
These are technical problems. For example, money has been counterfeited since it was invented. But we have gotten better at making money harder to counterfeit. It can still be counterfeited, but it is very hard. And we pursue counterfeiters very aggressively because so much is at stake. But we don’t give up on the idea of having secure money.
The same thing is true of DNA, biometrics, or whatever. The original fingerprint sensors (like used on Mythbusters) were pretty easy to fool. They did not have any notion of a “liveness” check. Newer sensors are very good, and this is generally considered to be a solved problem. Face matching systems have this as well, so you can’t just show a picture of someone to a sensor. But inevitably, something else will come up as a new vulnerability, assuming there is enough money at stake. At then we will fix that problem as well. This is nothing new, and is no reason to just dismiss biometrics out of hand.
The second (presumed) critique is that the police can use your DNA to pin you to a crime you didn’t commit, a reason not to use DNA (or fingerprints) for evidence. First of all, fingerprint evidence is not easy to “plant.” If I have your fingerprints, I can generate a gummy version of your fingerprint easily enough. But I cannot use that to plant your fingerprints at a crime scene. The mechanisms for how the oil on your fingers generates fingerprints is pretty complex, and as far as I know it has not been replicated. I suspect the same is true for DNA.
But again, relevant to the previous point, none of this is new. All kinds of evidence can be planted. That’s why we have forensics science, juries, detectives, and investigations. These entities are supposed to look for suspicious evidence. Will it always work? No. Sometimes people will be convicted wrongly, that is just probability. But I suspect DNA, for example, has been used many more times to exonerate someone than it has been used to falsely convict someone.
Biometrics is just a technology like the internet. Both can be used by bad guys for bad things. But the fact that it can be used for bad things is no reason to reject it out of hand.