Biometrics and the BC Services Card

Image by kentkb

Anti-fraud capabilities are touted as a major component of the proposed BC Services Card. While the government is almost certainly overstating the issue of fraud, the political rhetoric around fraud doesn’t inherently mean that proposed anti-fraud mechanisms will be similarly overstated. Indeed, many of the Services Card’s suggested changes could be helpful in limiting the issuance of fraudulent identity documents; adding a card holder’s photo, an expiry date, and anti-counterfeiting technologies to new medical CareCards could be quite helpful in ascertaining, and addressing, fraud levels. Unfortunately, the biometric systems that will also be linked to the Services Cards are unlikely to significantly defray fraud.

In this post I continue my analysis of the BC Services Card, this time with a focus on the cards’ integration with biometric analysis technologies. I begin by giving a primer on the origins of biometric analysis for identity documents in BC, and then move to outline how the government asserts that the biometric analyses should work. I then explain why adopting biometric identifiers matters: why don’t they tend to work? what is at stake in their inclusion? I conclude by (re)suggesting some entirely reasonable security processes that might defray fraud without needing the cards’ proposed biometric properties.

The Origins of Biometric Analysis in BC

Biometric image analysis is a relatively novel BC government capacity, and one that was driven by American – rather than Canadian – law. Following the September 11, 2001 terror attacks the US government established a series of policies meant to better secure their borders. One of those policies included the Western Hemisphere Travel Initiative (WHTI). WHTI mandated that Canadians present their passport, NEXUS card, or enhanced drivers license (EDL) before entering the United States. A component of each of these cards’ security features included biometric analysis (Clement, Boa, Davies and Hosein 2008). For the purpose of this post I focus exclusively on drivers licenses, on the basis that provincial bodies such as the Insurance Corporation of British Columbia become responsible for issuing such licenses.

Biometric analysis is only mandated by WHTI to apply to the enhanced licenses, which are drivers licenses with extra security features and a small RFID chip. Though only EDLs needed these security components, ICBC began capturing biometric templates of all individuals who applied for a BC drivers license even though ‘regular’ licenses can’t be used as identity documents when crossing the US/Canada border. The same biometric capture processes will occur when submitting an image for a BC Identity Card. Captured templates are compared against all other images in the ICBC database to ascertain whether the same biometric template (i.e. same image) has been used to apply for a license or identity card under another name. This movement to perform biometric analyses of all BC licenses and identity cards is, itself, the result of function creep.

The BC government is now extending how these templates are used: the WHTI-mandated biometric collection process that was meant to secure the US border from terrorism will now be used to identify individuals applying for multiple BC Services Cards. This is the very definition of function creep; the BC government’s Services Card is adopting technologies that the US government sees as important to deter terrorism in order to now evaluate potential identity fraud linked with non-border-related government services. Such services include medical provision and providing  education information to parents, students, teachers, and administrators. Needless to say, the current usage of biometrics for image identification far exceed the initial – very serious – justifications for such identification practices.

So, while the ‘enhanced’ security licenses and identity documents that BC residents carry resulted from an American edict – and sold as such to the public through the media – the government has subsequently integrated the American-mandated technological infrastructures with other government identity documents. Unlike the enhanced drivers licenses, there is no foreign policy demand that biometric analysis be adopted for the BC Services Card.

Biometrics and the BC Services Card

One of the core criticisms of the existing BC CareCard is its lack of anti-fraud features. The design of the new Services Card, meant to replace the CareCard, is meant to alleviate fraud-based concerns or worries. Specifically, government documents recognize that the new cards will be made of layered polycarbonate plastics, include embedded holography, and see laser markings for both photo and textual impressions on the card. Cards will have a magstripe with personal information, as well as an embedded near field communications computer chip. Finally, individuals’ photos will be imprinted on the cards, and a biometric template of images will be stored in an ICBC database. This template is what computer algorithms will use in their facial recognition analyses.

Images for the Services Card will undergo the same ‘identification’ processes as images for BC drivers licenses. Today, recipients of a BC Drivers License have their photo taken and then ICBC transforms the image into a biometric template using computer algorithms. The template is subsequently compared against ICBC’s extensive database of BC drivers and identity card holders. This analysis is meant to identify individuals who are applying for multiple licenses under different names. In the case of the Services Card, given that such cards will (effectively) be mandatory if residents want to receive medical care in the province, this means that practically every resident of BC will have to surrender their image for biometric analysis before receiving a Services Card.

Under the existing systems, ICBC sends an incredibly large number of images to secondary analysis. This will persist with the Services Card; in 2010, ICBC internal documents noted that about 26-27% of images will be sent to secondary analysis to catch potential fraudsters/individuals with biometric profiles similar to others’. To be blunt, there is no way that there are this many fraudulent applications for BC identity documents, a point that ICBC has recognized in my correspondence with the institution.  In the case of the Services Card, ICBC will be fiscally relieved of evaluating whether an actual duplicate image is found; the Ministry of Health Services will be responsible for evaluating whether a duplicate has actually been identified.

The Efficacy of Biometric Analysis

To date it is unclear how effective ICBC’s biometric analyses has been in detecting and preventing fraud. We do know that, in the US, there are cases where individuals holding a license in one state have been ‘caught’ trying to get a license in another state, but to date a similar degree of cross-jurisdictional analysis does not seem to have developed in Canada. When I contacted ICBC I was informed that “ICBC does not share biometric templates with other jurisdictions,” though this doesn’t mean that ICBC hasn’t prevented fraud based on their biometric processes.

From an empirical lens, however, it isn’t clear how confident we – or ICBC – should be in their biometric template database. This matters because if you lack confidence in collected data then you are severely limited in its utility for subsequent data analysis processes. Moreover, we, as members of the public, don’t know what ICBC’s methodologies are for detecting false positives and negatives. We need this information so we can debate the overall merits of the (in)effectiveness of ICBC’s existing biometric analysis program; trotting out a small handful of ‘success stories’ isn’t sufficient to develop confidence in a system that is massively deployed throughout the province to millions of residents.

While many biometric systems declare how accurate they are at capturing templates, it’s the data confidence rates that are more important for practical algorithmic evaluation purposes. Consider a system with a stated 95% accurate enrollment rate, where fraudster identities account for 1% of the population. Such numbers might suggest that every 100 enrolments there will be 1 accurate detection of a duplicate identity, 94 accurate unique enrolments, and 5 inaccurate enrolments. This is a misleading picture, however, because without manual evaluations of enrolled biometric templates we don’t know which 5% of enrolments are inaccurate. Consequently, the data set looks more like the following:

  • There are an unknown number of instances where one unique enrollment has been mis-enrolled as another unique individual (i.e. a mistranslation of the unique image to unique biometric data).
  • There are an unknown number of instances where a unique template was mistakenly identified as a previously-enrolled template.
  • There are an unknown number of instances where a duplicate template was mis-enrolled as a unique template.
  • There are an unknown number of instances where a duplicate template was misidentified as a different duplicate template (i.e. mixing up which template the fraudster should actually be linked with).

When trying to identify a confidence rating concerning biometric enrollment then, we run into problems born out of the methodology that ICBC uses to learn about and correct their own data. To understand the data confidence associated with the biometric analysis, or the overall ability to trust the underlying data templates and anti-fraud systems, we would need to know the following:

  • In the system, which registers both duplicates found and unique status for enrolled templates, what percentage of each are manually tested? That is, in the case of a template being enrolled as unique – when enrollment is unlikely to be perfect – how often is there a manual evaluation of the authenticity of templates’ uniqueness?
  • In identifying either false positives or negatives, can ICBC staff subsequently adjust the biometric system to ‘learn’ from past errors or does the system persistently make the same kinds of (perhaps undetectable) errors?

These questions relate to the long-term accuracy of the data that is retained by ICBC’s systems and the algorithms that are used at the enrollment and identification stages of identity card license. It’s important to recognize that, when I conducted research surrounding the effectiveness of biometric analysis with regards to enhanced drivers licenses several years ago, internal ICBC documents revealed that:

Every reported match/duplicate of a face when scanned was a false positive. The document notes that, “[t]his was expected due to the small participant group, the parameters set out for participation, and the face‐to‐face prescreen process during the application”

I would note that, to date, requests that I have submitted to ICBC regarding false positive, false negative, confidence ratings, or basic methodologies concerning the derivation of such rates, have not warranted responses by ICBC. Given the significance of biometric analysis as a component of the BC Services Card, this non-responsiveness is severely disappointing.

What’s worse, is that biometrics are routinely shown to fail. The technologies have been called upon to identify suspect bodies but the effectiveness of such identification is marginal. When conducting research on biometric systems used at the Canada-US border, Shoshana Magnet found that the technologies regularly have problems identifying or discriminating against ‘non-normal’ bodies. Variations in norms of eye colour, as well as expected depictions of gender and race, all present problems for biometric analysis. Studies that facial recognition systems are based upon tend to be charged with racial undertones; just one example is the 2005 academic paper titled “Facial Pose Estimation Based on the Mongolian Race’s Feature Characteristics.” In effect, facial recognition algorithms are infused with biases and conceptions that their developers bring with them; in the UK this has led to problems in identifying Asian bodies and, in Japan, problems in identifying “non-Japanese” bodies. In effect, these systems tend to be questionably accurate and are infused with racist assumptions. Together, these characteristics alone should demand that ICBC be incredibly open with what they are doing when analyzing biometric templates and should lead to a vibrant public debate over the appropriateness of using such technologies for non-WHTI reasons.

Why Do Biometrics Even Matter?

While there are questions about the effectiveness of biometric analysis, as well as their racist undertones, these aren’t the only reasons that should motivate a public debate about the technologies. In what follows I identify how biometrics analysis transforms – and problematizes – issues of bodily privacy and how the BC approach demonstrably confuses authentication and identification. The consequence is that there are difficulties in how to conceptualize ICBC’s actions and, again, questions of whether ICBC’s chosen method of parsing human bodies is appropriate for the securitization processes the province is engaged engaged in.

Biometrics generally fail to distinguish between “the body itself” and “body information” insofar as the body itself is transformed into information. Whereas there are strong protections to guard against violations of the body itself – as soon as the skin in penetrated in any sense a host of legal protections are activated – the same is less true of images of the body (van der Ploeg 2003). While in an era of non-digitized images the capture of body ‘information’ was of limited utility because of the delay in parsing photos against one another, the digital era renders past analytic inconveniences a historical footnote. As a result the “breach of integrity” does not lie with the data capture but with the subsequent use of the image that was acquired. Consequently, we are not dealing with a ‘privacy problem’ that lends itself to separations of the body and the information; the two are tied: in the case of facial recognition templates in BC, individuals will be compelled to disclose biometric information to receive medical services.

Technology has not just collapsed a boundary between the body and information, but the fungibility of biometric information – and willingness of the BC government to expand how it will be used – means that the capture of this information, today, could be used for unknown purposes in the future. Thus, the collapse of the boundary combined with the government’s willingness to engage in function creep means that BC residents are limited in their ability to effectively control the collection and use of this incredibly personal biometric information. The BC Services Card will only weaken residents’ existing capacities to control how their information is collected, insofar as the Services Card will ultimately be a required piece of identity for BC residents to receive non-emergency medical care.

In addition to such collapsing of boundaries, and subsequent inability of BC residents to limit how their personal information is used, there is a broader issue of inappropriately using biometrics to solve (presupposed) security problems. Biometric systems can fairly reliably be used as an authentication tool. Bruce Schneier (2006), an internationally renowned security technologist, notes that “[a]s authentication systems, biometrics answer a simple question: Does this biometric belong to that person?” Where biometrics are used as an identification system, as they are at the ICBC enrollment point, “they must answer a must harder question: Does this biometric belong to anyone in this large database of much-less-reliable biometrics of people?”

The problem is that such identification-based systems will have massive false positive ratings, or instances where the system identifies a ‘fraudulent’ identity incorrectly. As noted previously, ICBC’s own calculations suggest a massive rate of identification to the tune of 26-27% of all enrolled faces being moved to secondary screening. Since most people who are applying for identity documents are doing so legitimately, this means that the system will generate massive numbers of alerts for a very small number of actual fraudsters. Because of the high degrees of noise in the system, the algorithmic processes overall effectiveness are limited at best.

Statements surrounding the effectiveness of template identification processes are based on the accuracy of template capture; in cases where fraudsters are actively attempting to prevent ‘unique’ reads – applying cosmetic changes to the face to confuse or weaken the algorithmic enrolment accuracy – we may see incorrect ‘unique enrolments’ . Any security system has to be designed under the assumption that actively malicious actors will try to subvert it; it is still not possible (based on ICBC’s refusal to release information about its testing systems) to ascertain the Corporation’s ability to successfully defeat such bad actors. To be clear: good security does not depend on trusting actors but on peer-evaluated, openly accesible, methodological rigour. As such, the refusal to release a detailed security methodology should not be taken as lending credence to ICBC’s present security processes but as weak rhetorical posturing concerning the processes’ relative merits.

Now, for authentication purposes, biometrics are better. In these kinds of situations a high-grade image is provided and, when a person presents themself, there is an attempt to ensure that the biometric and the face presented correspond. Authentication processes answer a very different question than identification processes; rather than asking “Have I seen this random person before” you are asking an easier question: “Is this person who they claim to be?”

Conclusion

Identity documents, including the BC Services Cards, reveal “a presumption of their bearers’ guilt when called upon to identify themselves. The use of such documents by states indicates their fundamental suspicion that people will lie when asked who or what they are, and that some independent means of confirming these matters must be available if states are to sustain themselves as going concerns” (Torpey 2000). The Services Card’s most invasive security features are precisely predicated on suspicion: turn over your biometric information for algorithmic identification because you might be a fraudster and criminal. It doesn’t matter that the security measure may be impractical, the very act of complying with the province’s edicts serve to confirm the government’s own authority and power. Disclosing your biometrics is a process of empowering the state, not necessarily reducing fraud, and not (marginally) reducing fraud in a cost-effective manner.

The biometric ‘protections’ built into the BC Services card are unlikely to measurably improve fraudster detection rates. These ‘protections’ will, however, be used to compel information from the public at large, information that is intensely personal and that the provincial government has demonstrated a willingness to use for new purposes over time. Biometrics were forcibly imposed on British Columbia by the American government; the current government is now adapting anti-terror technologies for identity fraud purposes, to combat presently unknown levels of fraud.

There isn’t any need to adopt this racist, technically flawed, and privacy invasive technology to counter (unknown levels of) identity fraud. A non-biometric analyzed image can serve for authentication purposes at government service kiosks. An expiry date can reduce the number of overall identity cards that are in circulation in the province. An effective internal accounting system can try and limit the overall number of health-related cards that are in circulation. These three items, together, would both help quantify and reduce fraud. There is no need to include technically flawed and racist systems in the mix.

Offline Sources:

A. Clement, K. Boa, S. Davies, and G. Hosein. (2008). “Towards a National ID Card for Canada? External drivers and internal complexities,” in C. J. Bennett and D. Lyon (eds.). Playing the Identity Card: Surveillance, Security and Identification in Global Perspective. New York: Routledge. Pp. 233-250.

I. van der Ploeg. (2003). “Biometrics and the body as information: Normative issues of the socio-technical coding of the body,” in D. Lyon (ed.). Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination. New York: Routledge. Pp. 57-73).

B. Schneier. (2006). “Chapter 13: Identification, Authentication, and Authorization,” in Beyond Fear: Thinking Sensibly About Security in an Uncertain World. United States: Springer. Pp. 181-206.

J. torpey. (2000). The Invention of the Passport: Surveillance, Citizenship and the State. New York: Cambridge University Press.

Christopher Parsons

I’m a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.