Thursday 17 September 2015

So where are we on astrology? 13 years late, UK government promises biometrics strategy by end 2015. Why?

In July 2002 Rt Hon David Blunkett MP, Home Secretary, issued a consultation document on introducing government-issued identity cards into the UK. One idea was to use biometrics to verify people's identity.

There was no proof at the time that mass consumer biometrics was reliable enough to do the job. 13 years later, there still isn't. The belief in the efficacy of mass consumer biometrics is akin to the belief in astrology.

In February 2015 the House of Commons Science and Technology Committee published a report, Current and future uses of biometric data and technologies. Biometrics was described as "the shoddiest science offered to the courts" and was said to be locked in a "cycle of failure".

The Committee declared itself to be worried about the privacy issues raised by biometrics and about the security of biometric databases. Which is odd. After all, if the technology doesn't work, there are no privacy issues. And the Committee doesn't (yet) seem to be worried about the storage facilities for horoscopes.

One way and another the Committee's report came up with 12 recommendations, to which the government's response has now been published.

"The Government biometric strategy is still in the early stages of development", they say (p.2). I.e. Whitehall was winging it for eight years with its promises for the benefits of ID cards between 2002 and 2010, when the Identity Cards Act 2006 was repealed. They now promise to publish their biometrics strategy "by the end of 2015" (p.3). What a mistake that will be, to publish a strategy for a shoddy science locked in a cycle of failure.

The strategy "should recognise that biometrics is fast-changing [trans: all over the place] and provides opportunities for better secure identity verification [how?], better public services [such as?], improved public protection [really?] and the ability to identify and stop criminals [all of them?]".

That was on p.4. Something must have changed since Chief Constable Chris Sims, representing the Association of Chief Police Officers, gave evidence to the Committee and said that he was "not aware of forces using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).

When we learn on p.5 that "the core facial recognition algorithm used by the Police National Database ... was shown to be one of the best in terms of accuracy" presumably that just tells us, given the testimony of Chief Constable Sims, that all the other algorithms are even more useless.

Also on p.5 the government tell us that, just like astrology, "performance levels of biometric systems cannot be characterised by a single figure. Publicising detailed results of performance is an area requiring careful consideration, as not only is the accuracy testing of large scale biometric systems very complex, so is interpreting the data. System performance is very dependent on the specifics of the application, making direct comparisons between systems difficult and in many cases meaningless".

P.6: "The Home Office systems currently holding biometric data employ a range of defence in depth measures appropriate to the value of the data" – nil?

Privacy impact assessments and the government's ethical framework for astrology are covered on p.7 and then on p.8 they say that: "the government appointed a Chief Data Officer in March 2015, supported by a Government Data Standard to ensure transparency in the use of data by Government". They did indeed.

They appointed Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of the Government Digital Service and senior responsible owner of the pan-government identity assurance programme now known as GOV.UK Verify (RIP), as chief data officer. He's leaving Whitehall in 13 days' time on 30 September 2015 and is not known to have done anything about biometrics in the interim.

The Committee included in its February report the judgement of the High Court several years ago that the Metropolitan Police Service is breaking the law by retaining, on its biometrics database, the images of people not even charged with an offence, let alone convicted of one (para.99). Now we learn that "the Home Office is currently undertaking a policy review of the statutory basis for the retention of facial images" (p.10). This will surely be a very quick review – it can't take long to establish a policy on the police breaking the law.

"We are considering the role of the Biometrics Commissioner" (p.11). The Committee's report revealed that although the Commissioner is responsible for DNA and fingerprints, he has no locus on facial images (para.102), like an unfortunate soothsayer handicapped by being forbidden to mention Leo.

The Prime Minister promised several years ago to limit net immigration to an annual figure in the tens of thousands. Last year it exceeded 300,000, much to the amusement of the opposition parties and the Guardian newspaper. It is widely agreed that UK immigration is out of control.

And yet the government's astrologer says: "The biometrics landscape has operated with a number of widely adopted international standards for many years, this has been vital in ensuring that governments are able to share data, where allowed and required, and has achieved significant benefits including; solving crimes, finding missing people and controlling immigration" (p.11).

You can have a strong grasp of reality. Or you can have confidence in mass consumer biometrics. One or the other, but not both.


Updated 17.9.15 18:45

We don't often set homework on DMossEsq. Readers tend to cheat and get their children to do it for them.

But let's make an exception. 500 words, please, on the distinction between James McCormick and the suppliers of biometrics "solutions". Mr McCormick is in prison for selling novelty golf ball detectors and pretending that they could be used to detect explosives. No-one from the public bodies which bought them is in prison for pretending to believe him.

You may find it useful to refer to the essay on biometrics written by three world-class experts who conclude that biometrics is not a science. It is "out of statistical control", they say. One of these experts has advised the US government, one of them the UK government and one of them both governments. They know what they're talking about.

500 words. On the DMossEsq desk. 9 a.m. Monday morning 21 September 2015.

Updated 9.4.16

Based on a leak, Kat Hall published the revelation yesterday that GDS has no real strategy for £450m budget pot, internal plan reveals.

She has acquired a copy of GDS's Transforming the relationship between citizens and the state: the Government’s transformation strategy, and the Government Digital Service still doesn't have a clue how it's going to transform the relationship between people and the state. Instead, they're playing for time: "More detail about departments’ strategies for business transformation, enabled by digital, technology, data and security are due to be published in September 2016".

Playing for time, and repeating their nostrum about Government as a Platform (GaaP, the search for "promising clusters"): "an approach that involves developing a common core infrastructure of shared components, technology and standards on which it’s easy to build brilliant, user-centred government services".

This vacuous self-importance joins a long line of civil service reports. The excellent Jerry Fishenden, of whom more anon, has listed 80 similar documents published in the past 20 years. We're still waiting for a result and, without wishing to seem mean, it's not clear that the addition of a further £450 million is likely to induce progress.

Kat's article includes:
But the only detail of what [GaaP] will entail were examples of "common platforms" in the Home Office, which will develop a common biometrics platform for government and the Department for Work and Pensions, "which will lead work on a tool to pay money out from government."

Despite all their painful experience, the Home Office still haven't shaken off the hold of biometrics. It must be written in the stars. Their future is their past. They are doomed to re-live the pain apparently eternally.

Updated 11.4.16

Get a coconut

The UK Home Office's big idea for the future is to "develop a common biometrics platform". That will transform government. Make it digital. Expand the UK economy. Be green.

Or will it?

Take a look at India and its Aadhaar scheme. That's a common biometrics platform-and-a-half. They've registered around a billion people. And in the state of Rajasthan, the only way for the poor to collect their food ration is through Aadhaar.

How's that going?

Rajasthan presses on with Aadhaar after fingerprint readers fail: We’ll buy iris scanners:
“Yesterday, we had to send about a hundred people back when the internet did not work for six hours,” said Ali ...

Hanja Devi, an Antyodaya [maximum entitlement] beneficiary, failed to get 35 kilo foodgrain on her third trip in three days because of Aadhaar authentication failures ...

Of the nearly 860 beneficiaries who came to Aziz’s ration shop in December, he said, only half could get their fingerprint authenticated in one go ...

The biometric machine showed that the Aadhaar number of Santosh Devi, of Kesharpura village, belonged to someone else ...

The Rajasthan government made Aadhaar-based authentication mandatory at ration shops in December when the ration-seeding process [without which, digitally, you don't exist] was completed for less than half the ration beneficiaries ...

“From March 11 till 18, one week of the ration consumers’ fortnight, the servers were not working properly" ...

... all parts surrounded by the Aravalli hills had poor internet connectivity. “In Todgarh, which is also near the Aravalli hills, the ration dealer has to collect the beneficiaries 3 kilometres from the shop to catch signal" ...

... several families were trying to get their children’s biometrics registered ... because schools had ordered them to enrol for Aadhaar ...

Hansraj Yadav, who is additional director- Unique Identification Authority, said that to solve the problem of high rates of fingerprint authentication failure, the Rajasthan government is planning to install more biometric machines – this time, iris scanning machines ...

And here's Safran Morpho explaining how well Aadhaar is working, including Safran Morpho's biometrics systems:

No doubt the Home Office believe Safran Morpho's version and will pursue their big idea. The rest of us should prepare for Rajasthan's version.

That couldn't happen here, could it? Not in Blighty.

Believe what you like ...

... but we tried and failed to deploy the Basic Payment Scheme for farmers and our broadband couldn't cope ...

... and CloudStore, the old Digital MarketPlace has been known to be out of action for days and even weeks at a time ...

... and we're currently threatening to deploy GOV.UK Verify (RIP) even though it is thought that up to 30% of the low-paid can't have their identity verified ...

... and we're using Safran Morpho (SecureIdentity) as one of our eight "identity providers" for GOV.UK Verify (RIP) even though GDS themselves say that five of them – Barclays, CitizenSafe, Royal Mail, SecureIdentity and Verizon – are "unlikely to be able to verify you":

"Aadhaar" means platform in many of India's dozens of languages. The idea is that it provides a safe platform on which India can build public services. GOV.UK Verify (RIP), the UK's proposed identity assurance platform, looks just as rickety, in any language.

What's more, GOV.UK Verify (RIP) is due to go live this month. Some time in the next 19 days.

Apparently the Hindi for computer says no is "Aap ka Aadhaar sahi nahi hai". You'd better learn that before May.

And get a coconut. According to the Rajasthan article above, when one old woman couldn't have her identity verified, a bystander quipped: "Break a coconut first next time". It may help you when some idiot deploys electronic voting in the UK.

Updated 7.7.16

You will remember that the only prudent stance on mass consumer biometrics is scepticism. And that the House of Commons Science and Technology Committee were told, please see above, that no UK police force uses "facial image software" at the moment because "the technology is not yet at the maturity where it could be deployed".

You will therefore be amused to read today's Times newspaper:
CCTV riches for man who puts name to a face

... The Somerset-based SSL — Simulation Systems Ltd — a past recipient of the Queen’s Award for Enterprise, has been in the vanguard of developing CCTV equipment for major roads and devices, which it is claimed, can make out the faces of motorists in their vehicles two miles away even if there is mist, rain or snow. In clear weather viewing distances are claimed to be 15 miles ...

The men and women in blue can't get facial image software to work with photographs taken in a well-lit police station but Simulation Systems Ltd can recognise a face two miles away in the mist?

People want to believe in biometrics so much that they will accept any claim however ludicrous. They will even repeat these claims in serious newspapers.

Updated 12.8.16

It's mid-August and even the news has gone on holiday.

What to publish?

How about?
Boffins' blur-busting face recognition can ID you with one bad photo

Developers warn that scary people are out there doing this already

12 Aug 2016 at 03:58, Darren Pauli

Scientists have found a way to accurately identify completely obscured faces using recognition systems trained on only a handful of well-lit photos.

The work by Seong Joon Oh, Rodrigo Benenson, Mario Fritz, and Bernt Schiele of Max Planck Institute in Saarbrücken, Germany, finds faces can be recognised with up to 91.5 per cent accuracy when the system is fed with just 10 clear images of a target's face.

The Faceless Person Recogniser is up to 69.6 per cent accurate when working from just one image ...

Other numbers mentioned include 14.7, 4.65, ones, handful, 12, 83 and, more ambitiously, 40,000 and 2,000.

We've been here before ...

Updated 24.10.16

The Government Digital Service (GDS) don't have a published strategy at the moment. That doesn't stop them recruiting like mad and it didn't stop the Treasury promising them £450 million.

Still, it's embarrassing. So Kevin Cunnington, the new Director General, has taken to briefing journalists on the contents of GDS's strategy, which may be published before Christmas 2016.

All journalists report that Mr Cunnington sees a great future for GOV.UK Verify (RIP), GDS's identity assurance scheme that doesn't work. Rebecca Hill, writing for Public, Kevin Cunnington reveals his ‘cunning plan’ for future of GDS, adds this gem:
In addition, Cunnington said he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further.

The House of Commons Science and Technology Committee were unable to discover any good work being done on biometrics, please see above. If Mr Cunnington is hoping that GOV.UK Verify (RIP) will be saved by biometrics, he's in for a great disappointment.

Updated 10.11.16

We are all still waiting for GDS's strategy to be announced but the other day at least we learned its mission – to "support, enable and assure".

What does "support" mean?

According to Kevin Cunnington, director general of GDS, among other things it means that GDS should "innovate with new ideas, and help departments to innovate. Things like biometric residence permits, which a team at the Home Office has been working on".

Quick reference to p.9 of your well-thumbed July 2006 copy of Identity Card Technologies: Scientific Advice, Risk and Evidence will remind you that:
The Home Office admitted that the timetabling of the programme was being reviewed by the IPS but said that it “remains committed to delivering the ID cards programme as soon as possible, starting with biometric residence permits for foreign nationals in 2008” ...

The programme whose timetable was being reviewed back then was the National Identity Scheme (subsequently the National Identity Service). The NIS was finally reviewed to death in December 2010 when the Identity Cards Act was repealed at which point IPS, the Identity & Passport Service, imploded. Which is why we Brits still don't have UK government-issued ID cards. But some foreigners do, and have done since November 2008 – biometric residence permits.

There was nothing innovative about biometric residence permits. Not in 2008. And not in 2006. By 2002, the Home Office was already issuing asylum seekers with biometric Application Registration Cards, please see p.114 of their consultation on entitlement cards (subsequently ID cards).

That's 14 years ago and nine years before GDS existed. GDS can hardly be said to be innovating new ideas in this case or even helping the Home Office to do so. Biometric residence permits are a rotten example for Mr Cunnington to give of GDS's mission to support.

Despite their failure, the Home Office still harbour a pathological craving for ID cards. A pathological craving which is quite clearly now being channelled through Kevin Cunnington ...

... which tells you what to expect on Christmas Day when you open your GDS strategy.

Updated 11.10.17

The psychopathology continues at the UK Home Office. Face scans at the border to keep track of EU migrants after Brexit, it said in the Daily Telegraph newspaper a few days ago.

Cold comfort but it's not just the Home Office – Dubai Airport is replacing security checks with face-scanning fish.

And we think people were superstitious and gullible in the Middle Ages.

Updated 27.10.17

PAS 499:2017 Digital identification and authentication – Code of practice.

That document is a PAS, a publicly available specification, published by BSI Standards Limited, a company something to do with the venerable British Standards Institution (BSI). The document is in draft and the authors seek comments on it.

PAS 499 is a serious attempt to specify some practices needed to reduce the incidence of cybercrime based on false identities. It could survive all the tests that have to be undergone on the way to becoming a British standard.

The idea is to improve the identification and authentication of the parties to on-line transactions. Financial transactions in particular. "... in payment services regulatory requirements on authentication are going from a very low baseline to an extremely strong customer authentication, where security requirements go far beyond that expected in any other sector" (clause 0.3).

One example among many of these more onerous compliance requirements is PSD2, the latest Payment Services Directive. At clause 3.1.4 of the PAS an authentication factor is defined as:
data or a physical item used to carry out an identity authentication

NOTE 1 Typically categorized into one of the following:
a) Knowledge – something you know (e.g. password)
b) Possession – something you have (e.g. physical token or device)
c) Inherence – something you are (e.g. biometric)

NOTE 2 These may be dynamic (changing on each occasion) or static (fixed and unchanging). Static factors, once compromised, might require replacement in order to ensure integrity of the authentication system.

NOTE 3 Further information on authentication factors is given in PSD2.

NOTE 4 Geolocation can be viewed as an additional category but, under the terms of PSD2, it is not considered an authentication factor on its own. However, it might assist with the authentication risk assessment.

Note 4 is of particular interest to DMossEsq who was working on the idea of location identity back in 2003 (please see §4.9) but is not germane to our purposes here.

What is germane is the concept of authentication factors:
  • At clause 5.3 the PAS recommends that it is good practice to use all three factors when authenticating a person – a knowledge factor and a possession factor and an inherence factor.
  • And at clause 5.6 it recommends that, for all but the lowest levels of assurance, each factor should be multi-modal. If an organisation is using biometrics, for example, as a what-you-are/inherent factor, then at least two biometrics should be used, two modes, e.g. both fingerprints and iris scans.
At which point you realise that this PAS, this serious piece of expert work, is bound to be let down and undermined by the reliance it places on biometrics. PAS 499 depends on the science of mass consumer biometrics working, and it doesn't.

It's not even a science according to three world experts – Messrs Wayman, Possolo and Mansfield – because it's out of statistical control.

You can almost work that out for yourself. The results of large-scale field trials of biometrics always used to reveal that they are hopelessly unreliable. That problem has been solved by not publishing results any more. And, indeed, by not conducting large-scale field trials any more.

There are other problems where PAS 499 strays into biometrics.

At clause 5.7 we read: "The higher the numbers of modes captured at enrolment, or re-enrolment, the greater the chance of establishing uniqueness":
And at clause 9.9 we read: "Where the biometric match is 100%, the organization should review the factor to determine whether a replay attack is being attempted". Certainly a 100% match is extraordinarily suspicious, where you're dealing with probabilities and variable quality scanning/probing equipment, but 100 is not the only number – if a person repeatedly comes up with the same score whatever it is, that is suspicious and points to a replay.
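The clause 9.9 check together with the wider one suggested above (the same score turning up again and again), as an added example that is not taken from PAS 499 or from any supplier's product. It assumes match scores normalised to the range 0.0 to 1.0; the class name, window, repeat count and rounding precision are hypothetical choices, and the sample events are constructed.

```python
from collections import defaultdict, deque


class ReplayScoreMonitor:
    """Flags biometric match scores that look replayed rather than freshly captured.

    Hypothetical helper: a live capture on variable-quality equipment should
    produce scores that wander, so a perfect score or an unchanging score is
    a reason to review the factor.
    """

    def __init__(self, window=5, repeats=3, decimals=4):
        self.window = window      # recent scores remembered per user
        self.repeats = repeats    # identical scores in the window that raise a flag
        self.decimals = decimals  # precision at which two scores count as identical
        self._history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, user, score):
        """Record one match score; return the list of reasons to review it."""
        if not 0.0 <= score <= 1.0:
            raise ValueError("score must be between 0.0 and 1.0")
        key = round(score, self.decimals)
        history = self._history[user]
        history.append(key)

        reasons = []
        # Clause 9.9 case: a 100% match.
        if score == 1.0:
            reasons.append("perfect-match")
        # Wider case: the same score, whatever it is, keeps coming back.
        if sum(1 for s in history if s == key) >= self.repeats:
            reasons.append("repeated-score")
        return reasons


def review(events, **settings):
    """Run (user, score) events through a monitor; return the flagged ones."""
    monitor = ReplayScoreMonitor(**settings)
    flagged = []
    for index, (user, score) in enumerate(events):
        reasons = monitor.observe(user, score)
        if reasons:
            flagged.append((index, user, reasons))
    return flagged


# Constructed sample: alice varies naturally, bob's score never moves,
# carol presents a perfect match.
SAMPLE_EVENTS = [
    ("alice", 0.9312),
    ("bob", 0.8733),
    ("alice", 0.8874),
    ("bob", 0.8733),
    ("carol", 1.0),
    ("alice", 0.9051),
    ("bob", 0.8733),
    ("alice", 0.9127),
]

if __name__ == "__main__":
    for index, user, reasons in review(SAMPLE_EVENTS):
        print(index, user, ", ".join(reasons))
```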

But the core problem is that PAS 499 authentication rests on three factors/pillars, one of which is a mirage made of wishful thinking. That is no use to the payment services industry nor to any of us.

Updated 16.11.17

17 August 2017, and NatWest sent DMossEsq an email that he's only recently read:

"Log in with your fingerprint"? To a serious UK bank? A serious UK bank who must know as well as you do that the login will fail about 20% of the time and annoy their customers? And if it doesn't fail 20% of the time that means that impostors will find it easier to pretend to be you?

DMossEsq tucked that away in the life-is-too-short category until yesterday, when Money Box Live was on the radio while he was washing up, New technology and banking: "New technology is transforming the way we handle our finances. Are you someone who uses mobile apps to keep track of how you spend your money or does the thought of it fill you with dread?".

And blow me down if Nationwide aren't introducing not only fingerprinting but also face recognition, the biometric where it would be just as reliable and a darned sight cheaper to toss an unbiased coin.

What's going on?

That's what DMossEsq wanted to know but he was too late when he rang 03700 100 444 to get on air.

Cheap mass consumer biometrics haven't suddenly started working reliably after 60 years of uninterrupted failure. So why are the banks pretending to rely on them?

Answer, one of Mark King's more cynical suggestions ... PSD2, the second Payment Services Directive, Directive 2015/2366/EU, which comes into force on 13 January 2018.

Cynical. And incontestable – clause 30 of Article 4 defines "strong authentication" as "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data".

Hidden away in the middle there – "inherence (something the user is)" – is biometrics. If the banks want to be able to say they have authenticated you strongly before authorising a payment out of your account, they'd best have checked your biometrics. And the Member States of the EU will want the banks to be able to say that because, Article 97: "Member States shall ensure that a payment service provider applies strong customer authentication ...".

When they announce their fingerprint and face recognition initiatives and other biometric tat, the banks aren't saying that they're introducing biometrics because they now think biometrics work. They're saying they have to offer biometric authentication because otherwise, thanks to PSD2, they can't be banks.

They'll still really be relying on what you know (e.g. a password) and what you have (e.g. a debit card and a PINSentry). But in addition, at extra cost, to you, they will also dutifully pretend to be interested in your biometrics. Thanks to brilliant and cynical lobbying, Apple, among others like our good friends Idemia, have a licence to print money and are going to be laughing all the way to the payment service provider:

Updated 1.12.17

How old would you have to be to believe this latest article in the Times newspaper? Less than 9?
Facebook develops facial recognition cameras that feed shop staff their customers’ profile details

... A patent submitted by the company this month reveals that it is working on technology that will enable brands to target shoppers with specific products informed by their Facebook activity and facial expressions. The plans also give details of crowd-scanning technology that can identify emotions, which are relayed to managers and shop assistants. In theory it will be able to alert staff if a customer is unhappy or needs assistance ...

Updated 20.2.18

Chinese police using facial recognition glasses to identify suspects – that's what it said in the Daily Telegraph newspaper on 7 February 2018:
Chinese police are using dark sunglasses equipped with facial recognition technology to spot criminal suspects.

The glasses, which are being worn by police at a busy train station ahead of the Chinese New Year travel rush, are linked to a central database which contains details of criminal records.

Wearing the technology, police can almost instantly view an individual's personal details, including name, ethnicity, gender and address.

Incredible what they can do these days.

Only the day before, the House of Commons Science and Technology Committee took two hours of evidence on the subjects of forensics and biometrics:

Baroness Williams was there to answer questions on the UK's missing biometrics strategy, please see above.

There was much earnest discussion of the astrological need for proper governance and the privacy implications of horoscopes. The Baroness was hauled over the coals for the failure of the police to delete the custody photographs of people who have been detained and then either found not guilty or released without charge. "Innocent people" as we used to call them.

The Baroness was due to appear before the Committee on her own but, in the event, she was accompanied by a Mr Christophe Prince, the Home Office's "recently appointed" director of data and identity, of whom we are likely to speak more.

Both of them were at some pains to say that the use of biometrics based on face recognition is not "fully developed" (11:03), that biometrics procedures are "more advanced" (11:07) with DNA and fingerprints and that the face recognition technology is still "developing" (11:12) and only being "piloted" (11:13).

In other words, biometrics based on face recognition doesn't work. Astrology may work in China. But not here in the UK.

"Why are the Home Office wasting their time and our money?", you want to know. You are not alone.

Updated 26.3.18

Yoti selected as the official identity provider for the Government of Jersey: "Today marks a landmark day for Yoti. We have been selected as the identity provider for the Government of Jersey ... Securing our first government contract is a huge milestone in our journey and something all of the team are incredibly proud of". No doubt.

According to the FindBiometrics website, "third parties can authenticate Yoti users by prompting them with a QR code to take a video selfie, with facial recognition being used to confirm that end users match their Yoti credentials on file".

According to the police, of course, talking about biometrics based on face recognition, "the technology is not yet at the maturity where it could be deployed" (please see para.95 of the House of Commons Science and Technology Committee report referred to above).

Who's right?

We'll see.

Updated 19.4.18

• At some point in the past few weeks Visa announced Fingerprint authentication moves from phones to payment cards.

You are forgiven for believing as a result that fingerprint authentication has moved from phones to cards but, actually, if you read the press release, it turns out that a new technology is being tested and may or may not turn out to be reliable.

That headline should have read Fingerprint authentication may move from phones where it's dubious to payment cards or it may not, don't bet on it.

• On 12 April 2018 the BBC told us Chinese man caught by facial recognition at pop concert: "Chinese police have used facial recognition technology to locate and arrest a man who was among a crowd of 60,000 concert goers". You are forgiven for believing as a result that this man was identified by CCTV scanning a huge crowd but, actually, "Mr Ao was identified by cameras at the concert's ticket entrance".

According to the police, please see above, this technology doesn't work in the UK. Why would it work in China? "Identified by cameras"? More detail, please:
  • Had Mr Ao perhaps bought his ticket using a credit card in his name and posted to his address, and face recognition had nothing to do with his identification?
  • "Mr Ao had reportedly driven 90km (56 miles) from Zhangshu to Nanchang with his wife specially to catch the concert" – was he really identified by ANPR?

• "Australians will soon be able to sign up for a national digital identity solution known as the Govpass program, touted by the federal government as making it easier for people to prove who they are when using government services", we were told on 21 March 2018 in DTA seeks identity validation platform for Govpass program: "The Digital Transformation Agency (DTA) outlined the process for applying for a Govpass in October, with the system expected to match a user's photograph, as well as Medicare, driver's licence, and birth certificate details, with information already held by various government entities".

You are forgiven for believing that it was all going rather well up to that point but, next paragraph: "After DTA CDO Peter Alexander revealed during Senate Estimates last month that the Govpass solution is currently non-existent ..." – the DTA have got the procedures, it transpires, all they're missing is the face-matching biometrics system needed to make them work.

Updated 20.4.18

Kevin Cunnington, the director general of the Government Digital Service (GDS), doesn't say much in public.

But he does say a few things. Repeatedly.

21 October 2016, he was reported as saying that "he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further", please see above.

He is consistent on this matter. In an 8 February 2018 blog post, under the heading My priorities for the next 12 months and the sub-heading Being innovators for government, he wrote: "GDS is working with departments to support existing and upcoming programmes, including using biometrics and artificial intelligence on services".

He said the same three days ago in The Government Transformation Strategy: One year on.

GDS have never made any headway with the Department of Health, they have or had a rocky relationship with the Department for Work and Pensions and Her Majesty's Revenue and Customs show no need of any advice from them ...

... but perhaps there is a budding relationship between GDS and the Home Office built on a shared weakness for biometrics. If DMossEsq was reading someone's palm and saw that fate written in their future, he would keep quiet about it, too miserable for words. It's horrific but Mr Cunnington keeps saying it and he may mean it.

Updated 31.5.18

iProov wins US Department of Homeland Security contract. That's a 16 April 2018 blog post published by iProov, "a world leader in spoof-resistant, biometric facial verification technology".

Well done iProov, they've won a contract with DHS which "could help US CBP [Customs and Border Protection] quickly, accurately and reliably identify travellers as they process through US border crossings".

How quickly? How accurately? How reliably? At any chosen matching threshold, what is the false accept rate, using iProov's technology, and what is the associated false reject rate?

They don't say. There is no answer to these questions.

Instead, all we learn is that "iProov has been selected by the US Department of Homeland Security to enhance the way in which it processes people through US borders. Advances in machine learning and AI have enabled a revolution in facial biometrics in the last few years".

No blockchain?

No performance figures, we don't have a clue how reliable the product is except that the UK police believe that face recognition technology is "not yet at the maturity where it could be deployed" (please see above), but – sell the sausage, not the sizzle – at least we know that it has added machine learning. And AI.

Updated 29.6.18

Foolishly, on 6 February 2018, Baroness Williams and Christophe Prince promised the House of Commons Science and Technology Committee a biometrics strategy by June. There's no point having a strategy for the use of a technology that doesn't work.

More foolishly still, yesterday, they published a document claiming to be that strategy. A dreadful piece of work not worthy of the name "strategy", it is reminiscent of Matthew Hancock and Paul Maltby's ethical framework for data science, which isn't a framework and excludes any ethics.

Judging by ElReg's's long-awaited, lightweight biometrics strategy fails to impress, this view is shared by the chairman of the science and technology committee and by the biometrics commissioner and by Liberty and by Big Brother Watch among others ...

... including, we may assume, the High Court, which will also be unimpressed with this Home Office document, which leaves the Metropolitan Police in contempt.

And no hope there after all for Kevin Cunnington, director general of the Government Digital Service, who may have been hoping to run the national biometrics/horoscopes platform but has lost control of it just as much as he has lost control of the national data strategy and the national identity assurance strategy.

Updated 3.8.18

The UK Parliamentary Office of Science & Technology (POST) have now published their note on mass consumer biometrics, Biometric Technologies.

Among other technologies, they look at Automated Facial Recognition (AFR), the attempt to use biometrics to identify people on CCTV, see for example Chinese man caught by facial recognition at pop concert.

We weren't very impressed when we considered AFR on 19 April 2018, please see above, and neither are POST: "Over a trial period from June 2017 to March 2018, 8.7% of matches were found to be correct" (p.3).

If 8.7% of matches are correct, then 91.3% aren't. That's not very good, is it.
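
The two questions put to iProov above (false accept rate and false reject rate at a chosen threshold) and POST's figure for the share of matches that are correct are linked by simple arithmetic. As an added illustration, not taken from POST, iProov or any vendor, the Python below computes both error rates from constructed comparison scores and then the expected share of correct matches for a hypothetical crowd; all scores, crowd sizes and function names are assumptions.

```python
# Added illustration: every score below is constructed, not measured from any product.
GENUINE = [0.95, 0.91, 0.88, 0.85, 0.83, 0.79, 0.74, 0.70, 0.66, 0.58]   # same-person comparisons
IMPOSTOR = [0.10, 0.15, 0.21, 0.25, 0.28, 0.31, 0.34, 0.38, 0.40, 0.42,
            0.45, 0.47, 0.50, 0.52, 0.55, 0.58, 0.61, 0.64, 0.68, 0.72]  # different-person comparisons


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false accept rate, false reject rate) when scores >= threshold count as a match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """Error-rate pair for each threshold: raising it trades false accepts for false rejects."""
    return [(t, *far_frr(t)) for t in thresholds]


def correct_share_of_matches(far, frr, scanned, on_watchlist):
    """Expected fraction of reported matches that are correct.

    Simplifying assumption: each scanned face is one comparison, wrongly matched
    with probability `far` if the person is not on the watchlist and correctly
    matched with probability 1 - frr if they are.
    """
    true_matches = on_watchlist * (1 - frr)
    false_matches = (scanned - on_watchlist) * far
    total = true_matches + false_matches
    return true_matches / total if total else 0.0


if __name__ == "__main__":
    for t, far, frr in sweep([0.60, 0.70, 0.80]):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    far, frr = far_frr(0.70)
    # Hypothetical crowd: 10,000 faces scanned, 10 of them on the watchlist.
    share = correct_share_of_matches(far, frr, scanned=10_000, on_watchlist=10)
    print(f"share of matches that are correct: {share:.1%}")
```

With these constructed numbers, a 5% false accept rate leaves under 2% of reported matches correct, because almost nobody scanned is on the watchlist.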

Is the other mass consumer biometrics technology any better? Flat print fingerprinting? Voice identification? We don't know. POST don't tell us the failure rates for them. Only for AFR. That's a bit asymmetrical. Perhaps in a subsequent edition they might correct that lapse.

"The Commons Science and Technology Committee has said it is essential for biometric systems that impact on civil liberties to be tested, to ensure they are dependable ... Whilst noting the important role of biometric technologies in policing, the Biometrics Commissioner has pointed to a lack of research proving their cost-effectiveness". That's what POST tell us on p.4 ...

... but by then it's too late, the damage has been done, we've already been told on p.1 that "the global market for biometrics is estimated to grow to £21 billion by 2022" for all the world as though the technology works and we've already been treated to several examples of applications where mass consumer biometrics is used even if the technology doesn't work.

"... many banks now offer biometric verification on mobile banking apps, often using fingerprint or facial recognition" (p.1). Of course they do. It's not because the technology works. They have to. Otherwise they'll lose their banking licences. That's the open banking/PSD2 law. As we pointed out last October.

How many readers are going to plough on to the bits at the end of the POST note, raising boring questions about the efficacy of biometrics and governance and privacy and racial bias?

Very few, Idemia and all the other astrologers may safely assume.

Thank you, POST, they may say, for doing your bit to help us keep the licence to print £21 billion for ourselves, everyone so much wants our technology to work that they rarely ask if it does, and thanks to you that continues.

Updated 13.8.18

The state of West Virginia plans to introduce on-line voting in elections. They've retained a company called Voatz to develop a voting app. (An app is a virus, remember, by another name.) How does the state know that the vote has been cast by a legitimate constituent? Answer: "Voatz says its facial recognition software will ensure the photo and video show the same person. Once approved, voters can cast their ballot using the Voatz app".

Updated 10.10.18

The investigative journalism website Bellingcat have published the story of how they unmasked one of the Russian assassins sent to murder Colonel Skripal in Winchester.

Bellingcat made full use of all the surveillance facilities in use these days, all the on-line data stores offered by the web and all the enterprising criminality with which that data is sold to whoever can afford it. Talk about a double-edged sword ...

One passage in their story strikes a wrong note. Given two passport photographs taken 15 years apart, "Prof. Ugail confirmed unequivocally that the two photographs belong to the same person, accounting for the 15-year difference between the two".

Mr Ugail is "professor of visual computing at the University of Bradford and an expert in simulated age progression". Why is his confirmation unequivocal? Partly because the Cosine Similarity is 90.1%. And then there's the K-Nearest Neighbours. That's 87.7%. And the Deep Learning (Meekaaku algorithm) being 91.3% clinches it.

Or does it?

Don't forget that three years ago the Guardian newspaper used a biometrics expert to prove that these are both pictures of Anne Boleyn:

[Two photographs, captioned "Alexander Mishkin" and "Alexander Petrov"]
