Tuesday, May 24, 2005

June 2005

Several papers had to be finished. One on identity theft on biometric systems and the other one on profiling in forensic databases for FIDIS (www.fidis.net). Finally I also have some time for doing more casework. I had organized a workshop on digital video as evidence, and that also took some time.

Red tape procedures also had to be taken care of. In my experience it is often easier to get used to the procedures than to be against them, since that often does not make much sense. In the end even bureaucracy in European projects and government can be handled if you have some experience with them.

What did I write on profiling for FIDIS?

Profiling in Forensic Science
Author Zeno Geradts – Netherlands Forensic Institute

Introduction

Current situation

In forensic science, currently there exist many different databases that can be used to link cases and suspects :
Firearms : Cartridge cases, bullets
Fingerprints
DNA
Faces
Tool marks (e.g. screwdrivers )
Shoe prints
Handwriting
Paint and glass
Speaker
….
In practice there is experience with combining those databases to combine evidence; however, searching across databases is often not easy, since the data models and the way data is entered often differ between them.

If we look at digital evidence on the internet, for example in internet hacking cases, then one needs to examine log files and other files. In this field also some cases have been submitted. A question that always arises with these cases, however, is who was really behind the keyboard at a given moment. If biometric devices are used more (and spoofing of biometrics is not used), it is also possible to follow persons. The logs of mobile operators' antennas can also be used to examine the position of a person at a given time.

Expectation

We expect that in future databases, the data models will become more standardized, in such a way that they can be combined with other databases such as :
Face and 3D images and other biometrics of everyone (ear, iris, fingerprints, DNA etc)
Banking and insurance transactions : money laundering
Telecommunication traffic and interception (location GSM and internet)
All computer actions and storage
Records of toll ports / public transportation
Board computer in private transportation (cars etc)
GPS
Customer loyalty programs (air miles etc.)
Surveillance cameras (also satellite images)
Digital traces in domestic applications (e.g. coffee maker, microwave, heater)
Ambient intelligence

Examination and combination of data is currently possible in Dutch law if there is a severe crime involved and a court order is needed (depending on the kind of information).

For the passport for example it will be possible to track someone if the ICAO-standard is implemented without any protection. The passport will have a wireless chip in it, and information concerning face and fingerprint can be extracted from a distance. Currently in trials in the Netherlands more protection is used in such a way that one needs more information concerning the machine readable zone of the passport. However if countries do implement it without any protection, then possibilities exist that information concerning the passport they carry can be extracted from a distance.

Discussion

The question arises whether evidence based on the combination of many different databases, such as surveillance systems with non-structured data, is feasible. The amount of data that is collected also grows very rapidly, and the question is whether it is feasible to store this data in a proper way.

Furthermore, it is expected that there are more false positives when combining different databases. If a ‘cold’ hit is found in the database, which means that there was no prior information that a certain suspect would be involved in the case, false positives are possible. For example, if DNA would be collected of all citizens of the world, and the search would be against this database, then roughly at least 6 suspects would be found with current methods, and probably more since family relations are not accounted for.

The question also arises whether the databases are filled correctly. In most databases data entry errors exist. For this reason standardization of databases is required before the databases are searched through routinely. In the end the evidence for one case might be stronger, since other relations that were not found before can also be used in a certain case. How far society would like to go with profiling in (forensic) databases depends of course on the laws.

Appendix RFIDS

Introduction

Radio Frequency Identification (RFID) tags are expected to be used very often in products at retailers and in cards for traveling. Currently Wal-Mart in the USA, Metro in Germany and Tesco in the United Kingdom are requiring RFID tags on the products. The Department of Defense in the United States is also requiring tags on the products from its suppliers. Tracking and tracing are the most important reasons for these requirements (also in the war in Iraq this was convenient for the transportation of equipment and tracking). Losing or misplacing products, parts or equipment will result in higher costs.

It is expected that in 2008 more than 20 billion RFID-tags are used[i]. Most of them will use the EPC-standard (Electronic Product Code). For reading those tags it is expected that 100.000 EPC-readers will be sold. It is expected that the price of the tags will drop to several euro-cents per tag.

RFID-technology

An RFID-system consists of different components :
One or more tags (transponders), each consisting of a microchip and an antenna
One or more readers and writers including the RF-modules
Application software connected to the reader/writer

RFID-tags exist in two forms :
Active (with a power supply )
Passive (need power from the signal of the reader)

Active RFID-tags are somewhat larger and more expensive, however they can be used at a larger distance. Passive tags can be used in consumer articles and are cheap. They can also be used in labels.

Furthermore, RFID-tags can be read-only and read-write. The read-write tags are used with an encrypted identification number, where authorized users can change the information.

The retailers are requiring their suppliers to use the Electronic Product Code (EPC). This standard has been developed by MIT’s Auto-ID center, and is managed by EPCglobal, which is a non-profit joint venture between two organizations : EAN (European Article Numbering) International and the Uniform Code Council. The second generation of the UHF EPC-standard was ratified in December 2004. In January 2005 this standard was submitted to ISO.

For RFID, the ISO standards concern :
Technology ISO 18000
Data content (ISO 15418, 15434, 15459, 24721, 15961 and 15962)
Device conformance test and performance (ISO 18046 and 18047)
Application Standards (ISO 10374, 18185, 11785)

Security of RFID

In July an article in Forbes [ii] presented a hacker's guide to RFID. According to the article it would be easy to hack a tag and change price information on a tag. After this there were also privacy concerns for the consumers. The cheap tags are read-only tags, and they can not be altered easily. Also when using a write-once tag, most often the price is not stored on the tag, since a serial number for the product is used instead. It is however an aspect that has to be taken care of.

Example of RFID-labels from http://www.bluhmsysteme.com/rfid-etiketten.htm

Forensic aspects of RFID and profiling

RFID tags can also be used in forensic science, to follow a person based on the RFID-tags one carries in products. Example : there is a unique RFID-tag number on a package of cigarettes. A person steals this package in Amsterdam from a store. Theoretically it is possible, with European databases of stolen goods, that the person is arrested in Brussels when the RFID-tags this person carries are scanned there. The same applies of course to the earlier mentioned passport with a chip. The key elements are RFID-tags in combination with databases; if the data is stored properly, it can be used as evidence.

The use of standards also makes it easier for forensic science to develop tools to read out the information in a forensically proper way.


Privacy

Also EPC is worried about privacy aspects. For this reason they have implemented certain privacy guidelines[iii] :
Guidelines
1. Consumer Notice
Consumers will be given clear notice of the presence of EPC on products or their packaging. This notice will be given through the use of an EPC logo or identifier on the products or packaging.
2. Consumer Choice
Consumers will be informed of the choices that are available to discard or remove or in the future disable EPC tags from the products they acquire. It is anticipated that for most products, the EPC tags would be part of disposable packaging or would be otherwise discardable. EPCglobal, among other supporters of the technology, is committed to finding additional efficient , cost effective and reliable alternatives to further enable customer choice.
3. Consumer Education
Consumers will have the opportunity easily to obtain accurate information about EPC and its applications, as well as information about advances in the technology. Companies using EPC tags at the consumer level will cooperate in appropriate ways to familiarise consumers with the EPC logo and to help consumers understand the technology and its benefits. EPCglobal would also act as a forum for both companies and consumers to learn of and address any uses of EPC technology in a manner inconsistent with these Guidelines.
4. Record Use, Retention and Security
The Electronic Product Code does not contain, collect or store any personally identifiable information. As with conventional barcode technology, data which is associated with EPC will be collected, used, maintained, stored and protected by the EPCglobal member companies in compliance with applicable laws . Companies will publish, in compliance with all applicable laws, information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC use.
If they are properly used, and if the consumer can discard the EPC-tag easily from a product, this means that the example above with the package of cigarettes is not feasible, if the thief discards the RFID-tag.

Appendix Biometric Devices

The market of biometric devices is expanding rapidly, since they are convenient to use, and users can not forget their biometric properties. Some examples of biometric properties which are used in commercial systems:
Face
Fingerprint
Handscanner
Iris
Voice
Handwriting
In forensic laboratories also other means of biometric measurement are used for comparison:
DNA
Ear prints
Lip prints

In many countries DNA databases of persons who committed a severe crime and of DNA found at the scene of crime are built, as well as a database of employees of the forensic science laboratories, to determine possible contamination. In many countries the laws forbid using these data for purposes other than those they are meant for (so for severe crimes, by court order and if applicable to the law).

In a world where no privacy laws exist, theoretically it would be possible to collect databases of fingerprints, iris scans, voice, handwriting and faces. These databases can be combined with one another. If the databases are structured correctly, and no errors in names or links are made, these databases can be used to search for a person or a group of persons by profiling. In such a way more crimes could be solved, and perhaps stronger evidence is possible.

A problem is however that the 1:N comparison, for example with faces, gives a high error rate. A good example is given at http://www.frvt.org/FERET/default.htm where a methodology has been used to examine different commercial packages and compare them with a standard database. If we look at the results of FRVT 2002, it can be concluded that on a database of 37,437 individuals which are read in a standardized form, at first 80 percent of the persons are identified (this means that 20 percent are identified incorrectly). After one year the identification rate drops by five percent. If we had databases of millions of persons, there would be many false hits, as is shown in the results :
71.5 % true accept rate @ 0.01 % false accept rate
90.3 % true accept rate @ 1.0 % false accept rate

Another test by NIST, on fingerprints, gives better results (http://fpvte.nist.gov/). Here we see, when using single good quality fingerprints:
99.4 true accept rate @ 0.01 % false accept rate
99.9 true accept rate @ 1.0 % false accept rate

When multiple fingerprints and face images (or even 3D-images) become available, the situation improves. In these systems bad quality images are not used. In practice when filling databases with real images, these will also be included, and results will drop down.
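
The false-hit argument made here for face and fingerprint searches, and in the Discussion for a world-wide DNA database, worked through as an added example (not part of the original paper). It assumes every comparison is independent with the quoted false accept rate; the DNA match probability of one in a billion is an assumption chosen to reproduce the figure of roughly 6 suspects.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class OperatingPoint:
    name: str
    tar: float  # true accept rate (chance the right person is returned)
    far: float  # false accept rate per comparison with a wrong person

# Operating points quoted in the text above.
FACE_STRICT = OperatingPoint("face @ 0.01% FAR", 0.715, 0.0001)
FACE_LOOSE = OperatingPoint("face @ 1.0% FAR", 0.903, 0.01)
FINGER_STRICT = OperatingPoint("fingerprint @ 0.01% FAR", 0.994, 0.0001)
# ASSUMPTION: 1-in-a-billion random match probability, chosen only because it
# reproduces the "roughly 6 suspects" figure for a world-wide DNA database.
DNA_ASSUMED = OperatingPoint("DNA (assumed 1e-9)", 1.0, 1e-9)

def expected_false_hits(op, n_enrolled):
    """Mean number of wrong persons returned when the true source is enrolled."""
    return op.far * (n_enrolled - 1)

def p_any_false_hit(op, n_enrolled):
    """Chance of at least one wrong hit, assuming independent comparisons."""
    return 1.0 - math.exp((n_enrolled - 1) * math.log1p(-op.far))

def hit_precision(op, n_enrolled):
    """Ratio of expected true hits to expected total hits for one cold search."""
    return op.tar / (op.tar + expected_false_hits(op, n_enrolled))

def max_database_size(op, min_precision):
    """Database size at which hit_precision falls to min_precision."""
    return 1.0 + op.tar * (1.0 - min_precision) / (min_precision * op.far)

if __name__ == "__main__":
    cases = [(FACE_STRICT, 37_437), (FACE_STRICT, 1_000_000),
             (FACE_LOOSE, 1_000_000), (FINGER_STRICT, 1_000_000),
             (DNA_ASSUMED, 6_000_000_000)]
    for op, n in cases:
        print(f"{op.name:24s} N={n:>13,d}"
              f"  false hits={expected_false_hits(op, n):10.1f}"
              f"  P(any)={p_any_false_hit(op, n):.3f}"
              f"  precision={hit_precision(op, n):.4f}")
```

Even at the strict fingerprint operating point, a cold hit is more likely wrong than right once the database holds more than about ten thousand persons, which is why a cold hit needs corroborating evidence.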





[i] TWA Nieuws, 43-2 www.twanetwerk.nl
[ii] http://www.forbes.com/home/commerce/2004/07/29/cx_ah_0729rfid.html
[iii] http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html
