Trust at your fingertips
Aadhaar’s use of biometrics might not allay the fears of privacy activists but Anil K Jain, the 68-year-old computer scientist who helped build the system, says it offers more privacy than what is in the US.
Jain, an award winning professor from the Michigan State University, holds several patents in fingerprint recognition. The IIT Kanpur alumnus, who was in the city recently, talks about how security concerns have led to the rise of biometrics.
How did you get into biometrics?
I was doing my PhD at Ohio State University in 1973. I was working on pattern recognition and image quality. One of the research projects that my advisor had was funded by the United States Air Force. The USAF wanted to use computers to distinguish between three kinds of aircraft: MiG, Mirage and Phantom based on features extracted from their photographs. You’ve got to remember that this was when we were using punch cards to communicate with mainframes. It was a cumbersome process. We bought model airplanes and photographed them from a variety of angles.
Later on, in 2001, we got a call from another federal agency, which had funded the development of a new powerful computer processor, called FPGA (Field Programmable Gate Array), one that could be reconfigured for specific tasks. The object was pattern recognition again, and my students and I conceived that fingerprint recognition would be a good way of using this processor’s capabilities.
How did you get involved with the Aadhaar programme?
I got involved during the planning stages, around 2008. At that time, Nandan Nilekani had recruited Raj Mashruwala, an entrepreneur from the Silicon Valley, for it. Mashruwala contacted me because he believed the project could use my experience with biometrics, in particular fingerprint recognition. I began as an advisor, and my main job was to assist in the biometric deduplications system design (avoiding redundant information) and technical specifications for the vendors. I also roped in other people – experts, and my ex-students to help with this massive task.
Why has biometric identification taken off in a big way?
In the 60s if you said that your fingerprints had been taken, it meant that you were suspected of a crime. In other words, the word “fingerprinting” had the connotation of “criminality”. Then, fingerprints began to be used by various government agencies to conduct “background check” for people working in sensitive jobs. Before, when people stayed and worked in the same locality, and everyone knew everyone else, you could settle things with a handshake. But now, especially with the increase of security threats, there has been a decline in trust. All of this has led to the necessity and acceptance of biometrics.
How does computerized fingerprint identification work?
If you take a look at your finger, you will see it is a series of ridges and valleys. Sometimes, a ridge will end at a point – or will branch out. Now these points are distinctive, and are called minutiae. When you give your fingerprints to the Aadhaar programme – or elsewhere, the images are stored as 512×512 pixels. At that resolution, you will be able to get anything between 60 to 100 minutiae points for each fingerprint, and these are stored in the database. Now, when you give your fingerprints say when you are entering the US, and they check to see whether you are on file, what happens is that these points are matched. If there are 20-25 matches of these points, we can state that the same finger made both prints.
It’s a similar principle to what Apple or Samsung use when they use your fingerprint to allow you to access your phone. But those fingerprints are stored at 90×90 pixels, and therefore the number of points stored is fewer. So even six matches would mean a fingerprint match, so the manufacturers have to use additional methods to bolster security.
But that leads to other problems. At my lab, we’ve been able to use a special kind of paper to generate fingerprints that can be used to open phones. The printer prints out fingerprints on the paper, and you can use the printed fingerprint on your phone’s detector to unlock the phone.
What are the misconceptions about biometrics?
The most common problem that I have seen is that people think that biometrics is foolproof. Every security system is prone to error. What we need to ask is ‘What is the error rate?’ Another problem is that sometimes people expect too much. A good biometrics system costs a lot of money, and one of the first questions people ask is ‘What is the ROI’. But the problem is most current systems are inadequate as far as security is concerned.
And that’s something I’ve heard as far as Aadhaar is concerned. What you have to remember is that Aadhaar is not a security system. It is for giving the underprivileged access to services. Now, if you remember, after 911, the 911 commission found that while all the US security had some information about the impending attacks, they were not able to prevent them because they didn’t talk to each other. Now, after implementing the recommendations, the FBI can do a search and match a face from an image in a CCTV feed to driving licence database.
The Aadhaar programme provides more privacy than that. The only thing that you can do is query the database – ‘Do these fingerprints belong to this person?’ and the only answers are yes or no.
Do fingerprints change over time? Can they be changed?
You know, that’s one area where there really hasn’t been much research. Your fingerprint may change if you cut yourself – or a match may fail if your skin is too dry or too wet. But that’s the reason that people look at all fingers. We’ve also been tasked with looking at ways of detecting if a fingerprint has been altered. If you remember the scene in the movie ‘Men in Black’, the agents have their fingerprints burned off. Now, that’s one way of changing your fingerprints. Another way is by grafting skin onto your fingers. We’ve developed an algorithm that checks if fingerprints have been altered physically, and are training it, based on samples that the FBI has given us.
What are these so-called ‘soft biometrics’?
Ha. I think we were the ones who coined the term. Soft biometrics could refer to a number of things. For example, the way a person walks could be a biometric. Now, Google has announced a password free phone – and that can happen based on your phone learning from the way you use it. Gait-based biometrics could possibly be used to detect if a person is carrying a bomb, or wearing a suicide belt. Then there’s keyboard biometrics, which have been talked about for a long time, but haven’t gained traction. (Keyboard biometrics identifies a person based on the way the keyboard is used). But these are typically non-core biometrics when it comes to security. Core biometrics, like fingerprints or iris scans, are always more important.