Tuesday 12 March 2013

The Identity & Passport Service, biometrics and your money

Roll up, roll up
and watch a collection of goldfish
set light to a £15 million pile of notes
and reduce it to ashes.

The Identity & Passport Service (IPS) is an executive agency of the Home Office.

IPS were meant to issue us all with ID cards.

ID cards were meant to solve all our problems. Terrorism, crime, border control, you name it, think of a problem, ID cards would solve it.

And they were meant to make our lives easier. With ID cards, so it was said, it would be easier to open a bank account, easier to get a job, easier to prove your right to state benefits, easier to travel domestically and abroad, you name it, think of any transaction, ID cards would make it easier.

The UK ID card scheme had unstinting political support from July 2002 onwards from two prime ministers (Blair and Brown), five home secretaries (Blunkett, Clarke, Reid, Smith, Johnson) and the whole of Whitehall. The scheme had unstinting assistance from the best management consultants and contractors. Asked at one stage whether the budget had been exceeded, the Home Office said no, it couldn't be, there wasn't a budget. The media were largely in favour and, to start with, so were the public.

And yet it failed. By December 2010 when the Identity Cards Act 2006 was repealed, IPS had to admit that there was nothing to show for £292 million of public expenditure. Nothing. Absolutely nothing.

The effect of complete failure on IPS was traumatic:
When a laboratory rat presses button B and gets an electric shock, he stops pressing button B. Not so the goldfish of IPS. Each time they swim round the bowl it comes as a surprise to them, oh look, there's a castle.

The distinguishing feature of IPS's ID card scheme was biometrics. Biometrics would allow people to be identified uniquely. Biometrics would allow people to have their identity verified. The scheme depended on biometrics being reliable. They're not. That's one reason why it failed.

You'd think they'd learn. But no. Here they come round the bowl again and what's this? A castle? No. Face recognition biometrics. Just what we need.

Hat tip to Toby Stevens, IPS today issued an invitation to tender (ITT) for a face recognition system:
II.1.5) Short description of the contract or purchase(s)
The Identity and Passport Service (IPS) requires a Facial Recognition System (FRS) to help determine an applicants entitlement to and eligibility for a British Passport.
The Authority intends to deliver capability to undertake Biometric Verification and Biometric Identification (including searching against a second instance referred to as a watchlist (WL)) checks on all passport
applications.
The architecture will comprise a Facial Recognition Engine, and a Facial Recognition Workflow capability which includes business rules, management information, audit and a data interface from an existing application system.
The solution will use existing IPS biographic and biometric information as part of the FR checks, with appropriate data stored with each check ...
They're offering a five-year contract worth between £6 million and £15 million to the lucky winners. Excluding VAT.

The ITT stipulates a number of throughput conditions that have to be met, e.g. the face recognition system has to be able to:
o Return a result from a Biometric Verification in under 10 seconds on 99.5% of searches.
o Return a result from a Biometric Identification search under 60 seconds on 99.5% of searches.
o Return a result from a Biometric Verification (WL) search in under 20 seconds on 99.5% of searches.
but there is no stated requirement for the system to be reliable. Which is lucky for the contractors. Because all the published tests of mass consumer face recognition suggest that IPS would be better off tossing a coin than using this flaky technology.

What IPS do insist on in the ITT is:
the capability to adjust the threshold for matching based on business drivers e.g. demand levels.
If IPS have a lot of staff on one day, then they might turn the dial up and make it a bit harder for your face to match the photograph stored on their register. If on the other hand there's a bit of a staff shortage, then they can turn the dial down and just let everyone match. Which rather gives the lie, doesn't it, to the suggestion that this charade has got anything to do with your identity, which doesn't vary with demand levels.

Most likely, IPS will lay off a lot of staff and then, like the UK Border Agency, re-recruit them when they re-discover that the technology that was meant to replace them doesn't work.

Lessons learnt? None. Roll up, roll up and watch a collection of goldfish set light to a £15 million pile of notes and reduce it to ashes.

3 comments:

Anonymous said...

I'd be interested to know how bad facial matching software is at high volume (since for day to day use, iPhoto et al seem to work quite well, and presumably are even better with passport style photos). Presumably the problem is the number of false matches with a database of tens of millions? Do you have any stats on this?

David Moss said...

Anonymous @ 13 March 2013 17:27, sorry to take so long to reply.

1. Look at Aadhaar, the Indian identity management scheme, the biggest such scheme in the world, aiming to cover 1.2 billion people. Aadhaar uses flat print fingerprints and irisprints. They rejected face recognition. That tells you something about the reliability of mass consumer biometrics based on face recognition.

2. Figures for large-scale tests on the reliability of face recognition are hard to come by. The trial results available were reported on in ElReg nearly four years ago. Noticeably, the Home Office have solved the problem not by demonstrating the new reliability of the technology but by not doing any further tests.

3. According to three luminaries of the industry, biometrics as a discipline is out of statistical control. What does that mean? Among other things, it means that the US National Institue of Standards and Technology, who are obliged by the USA PATRIOT Act to certify biometric technology before it is deployed by the US Department of Homeland Security can only say on their certificates that the technology worked this well on this data when they did this test but they haven't got a clue how well it might work in the real world.

4. In what sense do iPhoto et al work well?

5. False matches are a problem if the operator (e.g. iPhoto?) sets the matching threshold low. False rejects are a problem if the operator sets it high (e.g. UKBA?). The two errors are inversely proportional. The operator can choose his problem. Whatever the choice, its relevance to identity is a moot point.

Anonymous said...

Thanks for the reply - it's a shame there aren't any actual stats available, but I'll definitely be following up the links you provided.

I meant iPhoto works well (in this context) in that when you give it an image with a face in it, it seems to find most examples of this "target" out of a database of several hundred photos. Clearly you can't just extrapolate this to a database of millions, hence my original post.

Post a Comment