Monday, May 11, 2009

Looking for terrorists? Try brain scans.

The latest terrorist detection idea, according to one Guardian journalist, is routine brain scanning...
"Distinctive brain patterns could become the latest subject of biometric scanning after EU researchers successfully tested technology to verify ­identities for security checks.

The experiments, which also examined the potential of heart rhythms to authenticate individuals, were conducted under an EU-funded inquiry into biometric systems that could be deployed at airports, borders and in sensitive locations to screen out terrorist suspects."

He's been reading about the EU-funded Humabio Project in Greece. From what I can tell from the Humabio newsletter the "EEG and ECG physiological measures" were tested on 15 volunteers in the Lab Innovation Centre (LIC) of Fraunhofer IAO and Fraunhofer IGB in Stuttgart, in Germany. The volunteers rated the brain scanning as an "acceptable" but slow authentication technique compared to other existing security checks.

Overlooking the massive discontinuity that what has been loosely tested as an authentication device is being proposed as an identification device* I can just hear the security announcements at airports now:
"Could all passengers ensure that all liquids, keys, electronic and metallic items are placed in a transparent plastic bag; in addition we ask that all passengers remove coats, jackets and shoes for passing through the X-ray machine; finally we would also ask you to remove all headgear so we can fit the scanner to scan for terrorist brain waves;

Passengers failing to remove headgear and cooperate with the brain scanning process will automatically be detained as suspected terrorists. Please be assured we operate an equal opportunities scanning policy - no excuses for anyone regardless of religion, age, gender, race, disability, sex or sexual orientation - you will be detained if you refuse to cooperate.

Would all passengers travelling with young children please ensure babies are removed from pushchairs and older children are kept calm for the fitting of the cranial apparatus and their brain scans; over-active, anxious or insufficiently controlled children do upset the calibration of the scanner and will, therefore, be subject to extra security screening and may be detained for more detailed questioning. This has been known to result in passengers failing to reach their departure gates on time and consequently missing their flights. The airport authority can accept no liability for missed flights."
Not, of course, that this will stop some politician buying into the notion faster than Bruce Schneier can cough: "security theatre".

*Technically speaking authentication is an easier thing to do than identification. Authentication (assuming we’re not trying to do it remotely) with biometrics merely asks whether a biometric belongs to the person presenting themselves for authentication. It compares their proffered biometric with the one on file under their name and determines whether there is a match.

Identification is much harder to do and is what all these security theatre systems at airports or busy shopping areas or sports stadiums attempt to do – measure the biometrics of everyone passing through and attempt to check whether there is a match with a large (and not necessarily particularly reliable) database of biometrics.

The difference appears pedantic but is very important. In the authentication case one biometric is checked against one specific biometric on the database. In the identification case, millions of biometrics are checked against millions (potentially) of biometrics on the database. Even with highly reliable technologies – say 99.9% accurate and none of the modern systems approach that yet – these millions of checks searching for matching pairs generate huge numbers of false positives (innocents flagged as malcontents) and dangerous levels of false negatives (real bad guys flagged as innocents and it only takes one to get through to cause serious security problems). The police and security services then spend so much time, energy and resources dealing with innocent people they don’t have the time to deal with the real criminals.

The standard probability of getting DNA match is often cited as 1 in 13 billion. But more than a 100 felons in an Arizona database of 65000 were found to have DNA samples with a significant degree of similarity. That's a 1 in 2000 chance of a match not 1 in 13 billion. This does not mean that DNA is not unique. Nor does it negate DNA profiling and matching as a very useful crime prevention and detection technique when used appropriately. But the numbers are counter-intuitive and turn out to have a similar explanation to the matching birthdays in a class of 30 sum used in introductory probability theory - the number of pairs checked turns out to be significantly more than people intuitively think. { For the mathematically inclined the birthday problem works as follows: the probability two people don't share a birthday is 364/365; the probability 3 people don't share a birthday, under that rule of conditional probabilities, is (
364/365)x(363/365); the probability that 30 people don't share a birthday is (364/365)x(363/365)x...x(336/365) which works out at approximately 3/10. So the probability 2 people in a room of 30 do share a birthday is 7/10 or 0.7 or 70%.}

Apologies folks - I hadn't intended to invest quite so much energy in a short Guardian report but it tripped over some issues I'd been discussing with colleagues in a course writing session recently.

No comments: