Have you been here before?

By Jianggan Li | 6 January 2009 | Permanent link

In the science fiction film Minority Report, identification by iris scan is so prevalent that there is an underground industry offering ex-criminals and others in need the chance of eyeball transplant.

This is not happening yet. Nevertheless, criminals are already (successfully) undermining fingerprint scanning – currently the de facto standard for biometric identification.

A South Korean woman barred from entering Japan fooled the finger reader at the country’s immigration by using tape on her fingers. She was deported in July 2007 but found by the immigration bureau again in the country in August 2008, Japanese news reports say.

As the tape was believed to be supplied by a South Korean broker, many unwanted individuals and ex-offenders might have already entered Japan using that method.

The talks about biometrics are remarkably quieter than three years ago – as people are already implementing solutions. Japan is undoubtedly one of the first to use this technology, but many other countries now allow their residents to pass the borders via ‘e-channels’. You present your passport (biometric or not); the machine will then take your fingerprint (or sometimes iris pattern), match it against the database (centrally stored or on your passport/card) before letting you pass.

I still remember two years ago, when the CIO of Singapore’s immigration authority complained to me that the country’s manual counters were already so efficient that people were reluctant to use a newer option. Now just by looking at the immigration lines at Singapore’s Changi airport, you will know that the automated immigration clearance system has already become part of the travelling life for many residents of the island state.

And it is not only the technologically ‘sophisticated’ countries like Singapore and Japan which have implemented biometrics – a few days ago a friend of mine entered the Mainland China (from Hong Kong) via e-channel, leaving me waiting in the crowded queue at the manual immigration counter, where the officer struggled for minutes to get my name right.

It has to note that for many countries, biometrics is used as a simple measure to expedite immigration clearance for legitimate travellers, usually residents of that particular country. Whilst in the case of Japan (and of the United States as well), it is also intended to keep unwanted people out. This, however, is a much more difficult enterprise.

Japan’s US$ 44 million biometric system, installed in over 30 airports in 2007, reads the index fingers of visitors and cross-check them with a database of international fugitives and foreigners with deportation records.

The stations, which are located at manual counters, also take a photo of each individual visitor for comparison – the oldest form of biometrics used for identification.

The problem is, the databases, from Japan’s Immigration Bureau as well as the International Criminal Police Organisation, only contain data of the individuals already known to them. If someone on the database alters his/her appearance or fingerprint, chances are he/she will get clearance smoothly.

Vouching system – a method currently being explored in the virtual world whereby an individual already authenticated vets for another individual – doesn’t work very well in this instance. The simple fact is, not everyone visitor has a person willing or able to vouch for him/her.

In fact, a passport itself is a vouching document as it is issued by the government of another country that you choose to (or in very rare instances, choose not to) trust. And this foreign government acts a vouching party. But there is a problem of forged passports.

With a universal database covering the entire humanity seemingly impossible to be realised any time soon (if it is ever to be), fake passports and fingerprints will still have their market.

It is not yet known (to authorities, and perhaps not to criminals) how easy it is to forge a biometric passport, but with many countries yet to put a chip into their citizens’ travel documents, something more needs to be done at the receiving end.

One perhaps realistic solution is to add the number of biometrics in the database – it will not stop identity forgery completely, but will dramatically increase the cost of doing so. It is just as the concept of multi-factor authentication widely used in the information security arena. Of course, use those well developed and less problematic ones such as iris, fingerprint and perhaps hand geometry.

This will, however, inevitably increase the operational costs of immigration authorities as well, and collection of biometrics is never an easy undertaking. Unwanted people will eventually find a way to get around it, leaving the costly equipments and the reputation of the immigration agency in tatters.

A better solution would be providing more training to immigration officers, turning them from manual operators into intelligence professionals. The cost would probably not be as much as the state-of-the-art biometric systems, but the effect could be dramatic. Counter-training that brokers might offer to offenders is extremely difficult, especially as compared to disguising appearances.

Again, it comes back to the notion that security is always an evolving process, good guys and bad guys are always playing catch up against each other. Be attentive, vigilant and professional helps the good ones get the upper hand.