4.3 Identification systems
At the time of writing, biometric identification is not in widespread use. although that situation is likely to change. There are, however, a few schemes which have been used, and I would like to look at two of these now. The first is the experimental EyeTicket JetStream iris-recognition system that was used for passport-free immigration control at Heathrow airport in the UK in 2002. The scheme, which ran for about six months, was used only on travellers who had enrolled in it. To enrol, applicants had iris scans taken of their eyes. Figure 5 shows enrolment in a similar system at Schiphol airport.
In the Heathrow scheme, and many others, the biometric data acquired during enrolment was stored as a template in a database of enrolled users. The template in this case was not a digital photograph of the eye, but a digital representation of data from the iris scan. An analogy would be a file that recorded eye colour, separation of eyes, diameter of iris, and so on. However, in the case of iris scans the data relates to the patterns of markings shown in Figure 4. The template can be quite small in data terms. In one system, the iris data in the template has a size of 256 bytes. In other systems, however, templates are digital photographs of the eyes.
Enrolment in the Heathrow scheme involved not just taking a scan from the applicant and entering it into the database, but also checking whether this person's scan matched any of the templates already in the database.
Activity 16 (Exploratory)
Why might the applicant's scan have matched a template already in the database? More than one answer is possible.
There are two possibilities to account for the person's biometric data matching an already existing template.
The applicant's scan was similar enough to someone else's template to be within the threshold. This is always possible, although ideally it will be rare. (You will see why mismatching is possible shortly.)
The applicant was trying to enrol a second time, and matched their already existing template.
In the first comment on Activity 16, the applicant is innocent of any subterfuge. In the second case, the applicant might or might not be innocent. For instance, the applicant might have forgotten their earlier enrolment, or might be enrolling under a different name having legitimately changed their name (for example through a change of marital status). On the other hand, the applicant might be dishonestly trying to enrol a second time under a different name. This last possibility is a particular concern with the issuing of identity cards, which in the UK will also serve as entitlement cards for benefits and other services.
In the Heathrow experimental scheme, if the enrolment happened without complications, then on subsequent visits to Heathrow the traveller would look into a scanner at immigration control. This would take an iris scan, which would be compared with all the templates in the database. If there was a match with one of the templates, then the person was regarded as having been identified, and passed through without needing to show a passport.
Similar systems to the Heathrow one are used at several airports to ensure that only authorised staff can get to restricted parts of the airport. In Japan they are also used for access control in some residential apartment blocks. At the entrance, the resident looks into a scanner, and if their scan matches a template in a database they are allowed in. A common feature of all identification systems is this process of taking a sample of data when authentication is needed and comparing it with an entire database of templates.
A rather different type of identification system is used in the United Arab Emirates. All inward travellers to the country at all entry points have iris scans taken with machines like that shown in Figure 6.
These scans are checked against templates for a 'watchlist' held on a central database. The watchlist consists of about 400 000 individuals who, for various reasons, are to be denied entry. If no match is found, then the traveller is allowed through and completes the normal immigration procedures.
Activity 17 (exploratory)
In the Heathrow and United Arab Emirates systems, a match between the traveller's data and a template in the database had different outcomes. How did the outcomes differ?
In the Heathrow experimental system, a match with a template meant the traveller could proceed, whereas in the United Emirates System a match meant the traveller could not proceed.
The difference mentioned in the last activity indicates that identification systems can be used in two different ways. In the Heathrow system, the assumption was that most checks result in a match, whereas in the United Arab Emirates system the presumption is that most checks do not result in a match. This difference is sometimes expressed in terms of positive identification and negative identification Positive identification is a check on whether someone is a member of a particular set of people. Negative identification is a check on whether someone is not a member of a set of people.
What characterises an identification system is that it checks whether a particular individual is known to the system. This is the check that was made in both the Heathrow experimental system and the United Arab Emirates system. An identification system does not necessarily identify the person. However, it is not difficult in principle to extend identification systems so that they do establish a person's identity. Suppose you have templates for every citizen of a country in a database, together with personal data about the people the templates were taken from. This system could theoretically act as a national identification scheme. At any point where identification was required, the person could supply a sample of biometric data (perhaps by looking into a scanner), and this would be checked against the entire national database. If there was a match, then the person's name and address could be shown. Through links to other databases, other personal information could theoretically also be brought up, such as medical records, police records, employment and social security records, and so on. Such a scheme, if it could be made to work, takes us into ethical and political issues, which I will return to later. For the moment, there are questions of feasibility to consider, arising from the problem of so-called false matches.