Biometrics are not the answer for authentication

I’ve pointed out before that biometrics are not a good path to follow to avoid the obvious and growing issues with authentication using passwords.

Many biometrics suffer from being easy to spoof: pictures of someone’s iris, appropriately embedded in a background, can fool iris readers; a sheet of clingfilm can often cause a fingerprint reader to ‘see’ the last real fingerprint used on it; and so on.

But there’s a more pervasive problem with biometrics. The fact that a biometric is something you are is, on the one hand, a positive because you don’t have to remember anything, and wherever you go, there you are.

But, on the other hand, a biometric cannot be changed, and this turns out to be a huge problem.

Suppose you go to authenticate using a biometric. The device that captures your biometric must convert it to something digital, and then compare that digital value to a previously recorded value associated with you.

There are two problems:

  1. For a while, the device has your biometric data as plaintext. It may be encrypted very close to the place where it is captured, but there is a gap, and the unencrypted version can potentially be grabbed in the gap. There is always a temptation, and commercial pressure, to use low-power sensors for capture, and they may not be able to handle the encryption themselves.
  2. The previously recorded values (the templates) must be kept somewhere. If that store can be hacked, then the encrypted versions of the biometric can be copied, and a copied template does not need to be decrypted to be useful: it can be replayed into the comparison step as if it were a fresh capture.

Of course, there are defences. But they run into interoperability. If e-passports are to be used to enter multiple countries, then every reader must use the same repertoire of encryption techniques so that passports from many countries can be read by the same system. So it is not enough to say that each system could use its own mapping from biometric plaintext to encrypted template and thereby prevent replay: the mapping has to be shared, and a shared mapping is exactly what makes a stolen template reusable.

And if one person’s encrypted biometric is stolen, there’s no practical way to update the systems that rely on it, since they must continue to use the same mapping so that everyone else’s biometrics will still work. More importantly, there’s no way to issue a fresh identity for the person whose data was stolen (“Go and have plastic surgery so that we can restore your use of facial recognition”). A password can be rotated after a breach; a biometric cannot.
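The two problems listed above, and the non-revocability point that follows them, as an added example that is not part of the original post. Everything in it is constructed for illustration: the ‘iris code’ is a random 256-bit vector, the sensor and the reader-to-server message are simulated, and ‘sealing’ is a toy XOR keystream standing in for the shared encryption that every federated reader must use. It contrasts a stolen biometric template (replayable, and not rotatable without changing the shared key) with a stolen salted password hash (neither replayable nor permanent).

```python
"""Added example, not from the original post: a toy model of why a stolen
biometric template is worse than a stolen password hash. Everything here is
constructed for illustration. The 'iris code' is a random 256-bit vector, the
sensor and the reader-to-server message are simulated, and 'sealing' is a toy
XOR keystream standing in for the shared encryption every federated reader
must use. No real biometric or cryptographic scheme is implemented."""
import hashlib
import os
import secrets

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.30   # fraction of differing bits still accepted as a match


def capture(true_code: int, noise_bits: int = 20) -> int:
    """Simulated sensor read: the true code plus acquisition noise.
    This is the window in which the biometric exists as plaintext."""
    for pos in secrets.SystemRandom().sample(range(TEMPLATE_BITS), noise_bits):
        true_code ^= 1 << pos
    return true_code


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of template bits on which two codes disagree."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def keystream(key: bytes, user: str) -> bytes:
    # Depends only on (key, user): identical for every capture of that user,
    # so there is no freshness in the sealed message.
    return hashlib.sha256(key + user.encode()).digest()


def seal(key: bytes, user: str, code: int) -> bytes:
    """Reader side: seal a captured code for transmission to the server."""
    return bytes(x ^ y for x, y in zip(code.to_bytes(32, "big"), keystream(key, user)))


def unseal(key: bytes, user: str, blob: bytes) -> int:
    return int.from_bytes(bytes(x ^ y for x, y in zip(blob, keystream(key, user))), "big")


class BiometricServer:
    """Holds sealed templates under one system-wide key, as a federation of
    readers (the e-passport case in the text) forces."""

    def __init__(self, key: bytes):
        self.key = key
        self.templates: dict[str, bytes] = {}

    def enrol(self, user: str, code: int) -> None:
        self.templates[user] = seal(self.key, user, code)

    def verify(self, user: str, sealed_capture: bytes) -> bool:
        stored = unseal(self.key, user, self.templates[user])
        presented = unseal(self.key, user, sealed_capture)
        return hamming_fraction(stored, presented) <= MATCH_THRESHOLD


class PasswordServer:
    """Stores only a salted PBKDF2 digest; the secret itself is never kept."""

    ROUNDS = 10_000

    def __init__(self):
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ROUNDS)
        self.records[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.records[user]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ROUNDS)
        return secrets.compare_digest(probe, digest)


def demo() -> dict:
    key = os.urandom(32)
    bio = BiometricServer(key)
    alice_iris = secrets.randbits(TEMPLATE_BITS)
    bio.enrol("alice", alice_iris)

    # Legitimate use: a fresh, noisy capture, sealed by the reader.
    live = bio.verify("alice", seal(key, "alice", capture(alice_iris)))

    # Breach: the attacker copies the template store. Nothing is decrypted;
    # the stored blob is simply replayed as if a reader had just sent it.
    stolen_blob = bio.templates["alice"]
    replay = bio.verify("alice", stolen_blob)
    # Changing `key` would stop this replay, but would also invalidate every
    # other enrolment that readers in the federation rely on.

    pw = PasswordServer()
    pw.enrol("alice", "correct horse battery staple")
    _, stolen_hash = pw.records["alice"]
    # A stolen digest is not a credential: presenting it is just a wrong password.
    hash_replay = pw.verify("alice", stolen_hash.hex())
    # And the secret can be rotated after the breach.
    pw.enrol("alice", "a new passphrase after the breach")
    rotated = pw.verify("alice", "a new passphrase after the breach")
    old_dead = pw.verify("alice", "correct horse battery staple")

    return {"live": live, "replay": replay, "hash_replay": hash_replay,
            "rotated": rotated, "old_dead": old_dead}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `live` and `replay` both true for the biometric server, and for the password server `hash_replay` false, `rotated` true and `old_dead` false. Real deployments add liveness checks and session nonces between reader and server, but the post’s point stands: the shared mapping from biometric to template cannot be changed for one person without breaking it for everyone else.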

The real problem with the Clinton email server

Every intelligence person I’ve talked to has told me that the probability that the Russians and Chinese (at least) hacked Hillary Clinton’s email server is 100%.

While the question of whether any of the emails were classified, about to be classified, or should have been classified is interesting, the real risk created by the use of this server is that it provided a real-time look at the communications of the Secretary of State (and the people she was talking to).

Even the unclassified emails provided insight into the Secretary’s state of mind, plans, location, and intentions. Some of these might have been obvious; others would follow from examining email headers; and others by carrying out textual analysis (which is getting quite good at reverse engineering mental state, as regular readers will know).

Access to your entire email stream + some analytic capacity = fairly complete understanding of your life.

(Note that Google already does this for everyone who has a gmail account, and also for anyone who sends or receives email from anyone with a gmail account.)

Added 2016/05/06: A new problem now arises: control of the presidential election is in the hands of any country that can claim to have hacked the server. While hacking by a foreign power remains a (virtually certain) hypothetical, it is clearly having no impact on the election. But if a foreign power were to leak that they had hacked the server and exploited that somehow, the impact would surely be catastrophic. And I can imagine several of America’s enemies who might prefer a President Trump to a President Clinton II.

Come back King Canute, all is forgiven

You will remember that King Canute held a demonstration in which he showed his courtiers that he did not have the power to hold back the tide.

Senior officials in Washington desperately need courtiers who will show them, with equal force, that encryption has the same sort of property. If it’s done right, encrypted material can’t be decrypted by fiat. And any backdoor to the encryption process can’t be made available only to the good guys.

The current story about Apple and the encrypted phone used by one of the San Bernardino terrorists is not helping to make this issue any clearer to government, largely because the media coverage is so muddled that nobody could be blamed for missing the point.

The basic facts seem to be these: the phone is encrypted, the FBI have been trying to get into it for some time, and there’s no way for anyone, Apple included, to burn through the encryption without the passcode, because the key that protects the data is derived from it. This is all as it was designed to be.

The FBI is now asking Apple to alter the access control software so that, for example, the limit of ten passcode guesses before the phone erases its key, and the delays between guesses, are disabled. Apple is refusing on two grounds. First, this amounts to the government compelling them to construct something, a form of conscription that Apple argues is illegal (presumably the FBI could contract with Apple to build the required software, but presumably Apple has no appetite for this).
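What the ten-guess limit is protecting, as an added example that is neither Apple’s code nor a description of its actual design: a simplified model in which the data key is wrapped under a key derived from the passcode and a per-device secret, and the device destroys the wrapped key after ten consecutive failures. The device secret here is just a random value standing in for a key fused into the hardware, the escalating delays between guesses are left out, and the PBKDF2 round count is tiny so that the exhaustive search finishes in seconds.

```python
"""Added example, not Apple's code or design: a simplified model of a device
key locked by a short passcode and of the guess limit the FBI asked Apple to
remove. Real devices tangle the passcode with a key fused into the hardware
and enforce escalating delays; here the hardware key is just a random value,
the delays are omitted, and PBKDF2 rounds are tiny so the search runs fast."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100               # toy value; real devices use far more work
DEVICE_SECRET = os.urandom(32)    # stands in for a per-device hardware key
GUESS_LIMIT = 10


def derive_kek(passcode: str, device_secret: bytes = DEVICE_SECRET) -> bytes:
    """Key-encryption key from the passcode and the device secret. Offline
    search without the device secret faces a 256-bit space, not 10^4 codes."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, PBKDF2_ROUNDS)


class Device:
    def __init__(self, passcode: str, erase_after_limit: bool = True):
        self.erase_after_limit = erase_after_limit
        self.failed = 0
        self.erased = False
        data_key = os.urandom(32)                 # the key the data is encrypted under
        kek = derive_kek(passcode)
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self.check = hmac.new(kek, b"passcode-check", "sha256").digest()
        # Neither the passcode nor the plaintext data key is retained.

    def unlock(self, passcode: str):
        """Return the data key on success, None otherwise. After GUESS_LIMIT
        consecutive failures the wrapped key is destroyed (the auto-erase)."""
        if self.erased:
            return None
        kek = derive_kek(passcode)
        probe = hmac.new(kek, b"passcode-check", "sha256").digest()
        if hmac.compare_digest(probe, self.check):
            self.failed = 0
            return bytes(a ^ b for a, b in zip(self.wrapped_key, kek))
        self.failed += 1
        if self.erase_after_limit and self.failed >= GUESS_LIMIT:
            self.wrapped_key = None
            self.erased = True
        return None


def brute_force(device: Device, digits: int = 4):
    """Exhaust the passcode space in order. Returns (passcode, attempts) or
    (None, attempts) if the device erased itself first."""
    attempts = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        attempts += 1
        if device.unlock(guess) is not None:
            return guess, attempts
        if device.erased:
            return None, attempts
    return None, attempts


def demo() -> dict:
    # As shipped: ten wrong guesses and the key is gone.
    locked = Device("4837", erase_after_limit=True)
    found_locked, tries_locked = brute_force(locked)
    # With the limit removed, a 4-digit code falls to an exhaustive search.
    opened = Device("4837", erase_after_limit=False)
    found_open, tries_open = brute_force(opened)
    return {
        "with_limit": (found_locked, tries_locked, locked.erased),
        "without_limit": (found_open, tries_open),
    }


if __name__ == "__main__":
    print(demo())
```

With the limit in place the search ends after ten attempts with the key destroyed; with it removed, the same four-digit passcode falls on attempt 4838. Nothing about the encryption itself has been weakened in the second case; the software that rations guesses is the only thing standing between a short passcode and the data, which is why the request is about that software and not about the cipher.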

Second, Apple argues that the existence proof of such a construct would make it impossible for them to resist the same request from other governments, where the intent might be less benign. This is an interesting argument. On the one hand, if they can build it now, they can build it then, and nobody’s claiming that the required construct is impossible. On the other hand, there’s no question that being able to do something in the abstract is psychologically quite different from having done it.

But it does seem as if Apple is using its refusal as a marketing tool for its high-mindedness and pro-privacy stance. Public opinion might have an effect if only the public could work out what the issues are — but the media have such a tenuous grasp that every story I saw today guaranteed greater levels of confusion.

“It’s going to be really great”

Donald Trump continues to be the poster child for our election-winning-language model: high positive language, as little negative language as possible, and appeals to policy goals without getting into details. The media and pundits are tearing their hair out because he refuses to talk about specifics but, as we predict, it’s working! (Interestingly, I went back and looked at Perot’s language in the 1992 election, and he had more or less the same patterns — and he led the party contenders in national polls for a period in 1992.)

What the media and pundits don’t realise is that incumbent presidents running for a second term use language very similar to Trump’s. It’s just that, with a first-term track record, it’s not as glaringly obvious, and they don’t notice.

“But I don’t have anything to hide” Part II

In an earlier post, I pointed out that differential pricing — the ability of businesses to charge different people different prices — is one of the killer apps of data analytics. Since the goal of businesses will be to charge everyone the most they’re willing to pay, there are strong reasons why we might not want to be modelled this way, even if “we have nothing to hide”.

There’s a second area in which models of everyone might feel like a bad thing — healthcare. As the costs of healthcare rise, there will be strong arguments that individuals need to be participants in maintaining their health. This sounds good — but when big data collection means that a health care provider might charge more to someone who has been smoking (plausible case), overeating (hmm), not exercising enough (hmmm), or any of a number of other lifestyle choices, it begins to be uncomfortable, even if “we have nothing to hide”.

The point of much data analytics by organisations and states is to assess the cost/benefit ratio of interacting with you. Of course, humans (and their organisations) have always made such assessments. What is new is the ability to do so in a fine-grained, pervasive, and never-removable way. What will be lost is the possibility of a fresh start, of redemption, or even of convenient amnesia about aspects of the past.

Trump’s continuing success

As I posted earlier, our study of previous successful presidential candidates shows that success is very strongly correlated with a particular language model, consisting of:

  • Uniformly positive language
  • Complete absence of negative language
  • Using uplifting, aspirational metaphors rather than policy proposals, and
  • Ignoring the competing candidates

Trump presumably polls well, to a large extent, because he uses this language model (not so much ignoring of the competing candidates recently, but maybe that’s the effect of a primary). This language pattern tends to be used by incumbent presidents running for re-election, and seems to derive from their self-perception as already-successful in the job they’re re-applying for. Trump, similarly, possesses huge self confidence that seems to have the same effect — he perceives himself as (automatically, guaranteed) successful as president.

The dynamic between the successful self-perception issue and the competence issue was hard to separate before; and we’ve used ‘statesmanlike’ to describe the model of language of electoral success. All of the presidential incumbents whom we previously studied had a self-perception of success and a demonstrated competence and we assumed that both were necessary to deploy the required language comfortably and competently. Trump, however, shows that this isn’t so — it’s possible to possess the self-perception of success without the previously demonstrated competence. In Trump’s case, presumably, it is derived from competence in a rather different job: building a financial empire.

The media is in a frenzy about the competence issue for Trump. But our language model explains how it is possible to be popular among voters without demonstrating much competence, or even planned competence, to solve the problems of the day.

Voters don’t care about objective competence in the way that the media do. They care about the underlying personal self-confidence that is revealed in each candidate’s language. The data is very clear about this.

It may even be the rational view that a voter should take. Presidents encounter, in office, many issues that they had not previously formulated a policy for, so self-confidence may be more valuable than prepackaged plans. And voters have learned that most policies do not get implemented in office anyway.

It’s silly to treat Trump as a front runner when no actual vote has yet been cast. But it wouldn’t be surprising if he continues to do well for some time. Of the other candidates, only Christie shows any sense of the use of positive language but, as a veteran politician, he cannot seem to avoid the need to present policies.

“But I don’t have anything to hide”

This is the common response of many ordinary people when the discussion of (especially) government surveillance programs comes up. And they’re right, up to a point. In a perfect world, innocent people have nothing to fear from government.

The bigger problem, in fact, comes from the data collected and the models built by multinational businesses. Everyone has something to hide from them: the bottom line prices we are willing to pay.

We have not yet quite reached the world of differential pricing. We’ve become accustomed to the idea that the person sitting next to us on a plane may have paid (much) less for the identical travel experience, but we haven’t quite become reconciled to the idea that an online retailer might be charging us more for the same product than they charge other people, let alone that the chocolate bar at the corner store might be more expensive for us. If anything, we’re inclined to think that an organisation that has lots of data about us and has built a detailed model of us might give us a better price.

But it doesn’t require too much prescience to see that this isn’t always going to be the case. The seller’s slogan has always been “all the market can bear”.

Any commercial organization, under the name of customer relationship management, is building a model of your predicted net future value. Their actions towards you are driven by how large this is. Any benefits and discounts you get now are based on the expectation that, over the long haul, they will reap the converse benefits and more. It’s inherently an adversarial relationship.

Now think about the impact of data collection and modelling, especially with the realization that everything collected is there for ever. There’s no possibility of an economic fresh start, no bankruptcy of models that will wipe the slate clean and let you start again.

Negotiation relies on the property that each party holds back their actual bottom line. In a world where your bottom line is probably better known to the entity you’re negotiating with than it is to you, can you ever win? Or even win-win? Now tell me that you have nothing to hide.

[And, in the ongoing discussion of post-Snowden government surveillance, there’s still this enormous blind spot about the fact that multinational businesses collect electronic communication, content and metadata; location; every action on portable devices and some laptops; complete browsing and search histories; and audio around any of these devices. And they’re processing it all extremely hard.]