Members of the German Chaos Computer Club (CCC) have published the fingerprint of Minister of the Interior, Wolfgang Schäuble, along with a video on how to make fake fingerprints to fool biometric systems. Their aim is to expose a perceived tendency of increased surveillance.
One thing is for sure (and not just because of this little demonstration): Fingerprints - and possibly other biometric information as well - will have considerably less value in the future as proof in court.
- Problem number one is that fingerprints can be obtained with relative ease from objects of everyday use, such as dishes, pens, computers, phones, door knobs.
- Problem number two is that the technology to copy and generate fake fingerprints is more readily available and common technology items can be used for much of the process.
- Problem number three is the proliferation of use for fingerprints as authentication - undermining its very objective. In order to use fingerprints or any other means of biometric authentication, the formation of centralized databases is pretty much unavoidable. It is obvious that fingerprints can then be obtained from such data storage illegitimately or that legitimately obtained prints can be misused. The problem is especially clear in modern passports that carry an electronic version of biometric information, fingerprints included. Combine that with RFID technology and bingo, anyone might have read the print.
As Kristian Köhntopp points out (article in German), these tools are to fingerprints what Photoshop was to photographic evidence.
To the individual, this means a risk - anyone could leave someone else's prints on the scene of a crime and get them in trouble - but also a gain in plausible deniability (who could prove the print wasn't fake if there's no other corroborating evidence, such as DNA samples).
Fingerprints - and other biometric information, such as retina patterns - are the biological equivalent of barcodes. They are good for identification (no collisions, i.e. little risk of two people turning up with the same pattern) but no longer good enough for authentication. Anything that can be used as an identifier is unsuitable as an authenticator. In other words, they're as secure as a Social Security Number.
What troubles me is that identifiers such as SSNs, credit card numbers, etc. are still used for authentication in everyday life. It's probably best if we all start wearing gloves.
PS. After writing this I was dwelling on the question of collisions. A single fingerprint is in the order of magnitude of 1MB (1 million bits) of data, uncompressed. Since fingerprints are organized by lines, their actual search space is certainly a lot smaller than 10⁶ combinations.
This means that actually the likelihood of collision in seven billion humans is probably non-negligible. (The situation improves drastically when we have access to more than one print per person.)
For comparison, the SSN has nine digits and credit card numbers 16, leading to 10⁹ and 10¹⁶ possible combinations respectively. In other words, their search space is apparently larger than that of single digit fingerprints.
- Peter Berlich's blog
