PA Consulting

Especially what we trialled.

What part of Commercial in Confidence is tricky? It's perfectly normal and since I helped to write the NDA I am bound by it.
When and for that matter if the work is published that information will be available.

Security applies to commercial projects just as much as it does to Defence and Government ones.

As I said and you accepted - there is no evidence at all that any of these "benefits" could be realised, that's why.

Sure you can. People leave their biometric passwords everywhere they go. They leave fingerprints (on the capturing device no less!) and their faces and irises can be photographed. All these biometrics must be captured under trained diligent supervision (including when used for mundane authenticiating and identification) otherwise they *will* be forged.

I'm not sure what to make of you saying it it is almost statistically impossible to have false positives (in a population of 60 million). Are you sure you're not trolling? You have come across the birthday theorem?

I don't think you read or understood my post.

I said you cannot forge your Biometric data when you are not involved in the capture of it. They don't trust you to go into a little booth and get your photo taken.

My comment on it being almost statistically impossible was:

To explain, you may be Joe Bloggs and you may get a false positive against your fingerprint pattern identifying you as Bill Smith. It is then almost statistically impossible for you then to match your iris pattern as Bill Smith as well.

Biometrics have to be captured against each time they are used, not just once.

You have light years of learning to do on this, so much that it is too much effort for me to play with you. Please start by reading this chapter on biometrics from Ross Anderson's book on Security Engineering.

Gets my vote 100%

Please also read that chapter Diver, and make an informed decision

You’re an idiot, you don’t understand the technologies involved and you’re dredging up old papers from the internet. Most of the studies and experiences he refers to are nearly 10 years old and most probably using equipment manufactured 12-15 years ago (knowing how public sector purchasing schedules work).

You’re trying to compare AFI methodology that is at best 10-15 years old that will scan against 8 to 16 Minutiae at best with today’s technology that can and will capture up to 52 separate points from a single fingerprint.

Try reading this and try to comprehend the subject matter. It’s the latest Minex report, although it is from 2004 the current study has not yet been completed. It involved fingerprint images from a quarter of a million people, and executing in excess of 4.4 billion comparisons and the FNMR against FMR metrics for some of the products are exceptional considering the testing is against interoperability of disparate vendors and not single product metrics.

A 2004 study by the US NIJ on Iris recognition, from that the figures you are interested in are:

And again I’ll state that yes it’s statistically possible for someone to get a False-match result against a single Biometric reading, and yes it’s statistically possible that they achieve two False-match results returning two distinct identities against a double Biometric reading, but I will reiterate that it is almost statistically impossible for someone to achieve two False-match results returning a single identity against a double Biometric reading. Anyone who thinks differently better keep playing the lottery then because you've obviously got a great chance of winning it three weeks in a row.

I’m now saying no more on this subject as it’s dragging up the Google experts who think because they read something in the Guardian they’re an expert on the subject.

From everyone that’s posted on here, there is only one other person who has even trialled the equipment. Obviously the rest of you just know better.

What an informed and constructive way to engage in debate

You said you were going to shut up some time ago but you didn't manage it so I won't hold my breath.
This isn't just a question of technology, so your policy of calling people names if they disagree or don't have full and detailed current knowledge of the technology is pointless and demonstrates the same level of arrogance and ignorance as the government.

Just because we may be able to do something at a vast cost with no proven benefits at all in cost savings simply because the technology may exist, doesn't mean we should do it.

You have still offered no justification for ID cards other than some wild and unsubstansiated claims that you have got from government propoganda.

You don’t know what I know and that 'old paper' you refer to is a chapter from a book on Security Engineering. Sure it’s 7 years old – there is a newer edition but obviously that is not free – and clearly the technology has not advanced greatly in that time nor have the laws of physics or human fingerprints changed. The author is a well-known figure in the Security world and a professor at Cambridge. You would know this if you were anything but a rather poorly informed troll.

Which shows same order of magnitude of false reject and false accept as ever, i.e. poor in practise. Looking at one of their graphs: FMR of 0.001 at an FNMR of 0.002 and plenty of discussion in the document revolving around an FMR of 0.01.

That’s misleading. You appear not to have understood the significance of the text that followed that quote. That is, that was the false accept rate when the false reject was set at an extraordinarily high 0.78. No doubt there were plenty of pissed off people with a human always on stand-by. And that's with a tiny population.

Somewhat of a understatement considering the first report you linked to, and didn’t read, which was discussing error rates in the order of 1 in 100.

You really need to understand that basics by reading the chapter of Ross Andersons book I gave. I am not spoon-feeding this you because you are not aware of any of the mathematics involved. Note also that double biometric readings (by which I assume you mean the more usual term 'two-factor' or perhaps you mean two-finger) is not without cost. Doing so can actually make a system more unreliable. These are basic things you need to understand before you can spout off, all covered briefly in that chapter I gave.