KeCrypt
NEWS & WHITE PAPERS

As the UK’s leading developer of dynamic biometrics signature verification systems, we will seek to publish the latest news and development information as a service to OEMs.


We reveal the ID Card data missing from the National Identity Register

The vital biometric data that’s missing from the National Identity Register

 

The recent appointment of IBM to run the National Biometric Identity Service (NBIS) marks a significant step in the establishment of an effective National Identity Register (NIR).  In setting up and operating the biometric database, IBM now also has the opportunity to add some vital missing data: biometric signatures.

Irrespective of any other choice of biometrics, every application for a Passport or ID Card will still have to be legally verified by an authorised signature - and yet this is one piece of biometric data currently missing from the NIR. 

Considering that this has been shown to be the most effective, usable and publicly acceptable biometric, there is an overwhelming case for its inclusion.

 

1.    User Acceptability

Current use

It is sometimes thought that, since the introduction of ‘chip & pin’, the age of the signature as a form of identity verification is over.  This is far from true.  The signature is still used extensively in general form filling, service or document applications (including passport applications), legal documentation (wills, affidavits, etc.), transactions (house purchasing, bank cheques, etc.), and even retail point of sale (Tesco Clubcard, American Express).

The signature has two roles:

· A demonstration of legal intent
· A long recognised and accepted form of identity verification.

Verification of signatures is often done by casual visual inspection, which tends to be cursory and not conducive to any challenge.  However, the signature, like all other biometrics, can be, and is, subjected to expert comparison and matching, and can be challenged in legal courts.

PINs were seen as easier to challenge because it was the machine, not the retail assistant, that matched and challenged.  The same can be true of biometric systems, including the electronic verification of signatures.  Automatic signature verification repeats accurately and outperforms the analysis of a signature recognition expert.  It matches not only the images but also the dynamics of the signature: what speed was used at certain points in the signature, and other such signature features.  It is the dynamics of signing that make signatures difficult to forge, and a suitable biometric for automatic verification.

Legality

Signatures provide legal intent on many documents.  Although the signature can be legally accepted in many forms, it is most useful if the dynamics of the signature can be compared.

From Linking the person to the UK identity card by Stephen Mason, first published in Biometric Technology Today, May 2008.

“The signature as a means of preventing fraud

… manuscript signatures are notoriously easy to forge, and even experts only manage to identify forgeries fifty per cent of the time.

If the signature of a person recorded on an identity card is to have any value as a form of security as well as to prevent the misuse of the card, it may be that the agency responsible for implementing the identity card might consider the use of some of the technologies available in terms of a biodynamic version of a manuscript signature….

  If a technological solution were sufficiently robust to demonstrate the near impossibility of forging a biodynamic signature, arguably the identity card may prove to be useful in some legal circumstances, especially where a lawyer or notary might need to be convinced that the signature of the person is that of the genuine person, and not some impostor……

Consider a man who jointly owns a house with his wife, and divorces her. He marries another woman, who adopts his name. He and his second wife sell the house, and the second wife signs the documents in her married name. Unless the lawyer managing the sale is aware that the wife that is signing the papers is not the person that is the joint owner of the property, it is conceivable (and this has occurred) that the first wife will then have to take legal action to recover her share of the property. A similar problem was highlighted in ‘First Person’ in the FT Weekend, May 10/11 2008 on page 7. A thief obtained a scanned copy of a deed with the manuscript signature of the owner of the house they were renting. The thief, part of a group that stole houses, forged the signature and sold the house. It took the rightful owner some time to prove the house did not belong to the thief. In such circumstances, it is possible for a registry, such as the land registry, to have a record of the first signature, perhaps a biometric manuscript signature, so the different biometric signatures can be compared before the transaction for the sale of the land is irrevocable.” © Stephen Mason, 2008

Stephen Mason is a barrister and a member of the IT Panel of the General Council of the Bar of England and Wales.

Legitimate multi-persona

A person might use a number of different signatures for different purposes.  For example, many women keep their maiden name and signature for their professional business and use their married name and married signature for domestic purposes.  Biometric signatures offer this advantage over other biometric modalities.

Secondary legislation for the Identity Card Act has just completed its consultation phase.  The Home Office recognise that representation of identity is a particularly complex and difficult issue for those who are moving from living in their birth gender to an acquired gender.  The use of different biometric signatures offers the opportunity of multi-persona while an individual has dual gender.

Again from Linking the person to the UK identity card by Stephen Mason.

“The meaning of identity

....Equally, some individuals may wish to be known under a nom de plume. There are perfectly good reasons for this, such as where an author writes fiction, but does not wish to confuse their real life identity with their activities as creative writer. Two English examples are that of C. L. Dodgson, who lectured in mathematics at Oxford University during the nineteenth century and wrote under the name of Lewis Carroll, and Mary Ann Evans, who wrote under the name of George Eliot.” © Stephen Mason, 2008

Inclusive

Adding biometric modalities to the National Identity Register beyond the International Civil Aviation Organisation (ICAO) requirements would help in handling exception cases where fingerprint or face representations present permanent or temporary comparison difficulties, such as poor fingerprints from a manual worker, or facial injuries from an accident.

Simple identity verification could be carried out with biometric signatures, using dynamic signature data that could be stored on the card.  For most applications this would be the ideal solution for identity verification: it needs no access to the NIR, and it improves on cursory visual inspection of either the face image or the signature image.

A biometric signature would certainly provide greater inclusivity than the inclusion of a PIN.

2.    Performance

Some trial results

Biometric signature collections and/or verifications are being used world-wide in a number of sectors; for example, banking, mobile phone contracts, secure data access, and local authority financial assessment forms.

Trials of biometric signature collection, analysis, and comparison have demonstrated that automatic signature verification performs well enough for identity verification in a wide range of applications, particularly where signatures are currently part of the process, where legal intent is required, or where an audit trail of workflow is required (such as prescriptions).

A trial of some 300 people (5,849 signatures), performed by KeCrypt Systems Limited in pharmacy departments at a number of London hospitals, provided the following results:

· False Rejection Rate: 17.42%
· False Acceptance Rate: 0.0011%
· Forgeries Accepted: 0 from 750 attempts
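As a check on how much the zero-forgery figure above supports, the following added example (not KeCrypt's code or analysis) computes the exact one-sided 95% upper bound on the true forgery acceptance rate given 0 acceptances in 750 attempts. It assumes the attempts are independent, which the trial description does not state; the function names and the 0.1% target rate are illustrative.

```python
import math

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), each term computed in log space."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    total = 0.0
    for i in range(k + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)

def upper_bound(errors, trials, confidence=0.95):
    """One-sided exact (Clopper-Pearson) upper bound on the true error rate."""
    if trials <= 0 or not 0 <= errors <= trials:
        raise ValueError("need trials > 0 and 0 <= errors <= trials")
    if errors == trials:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):  # bisection for the p where P(X <= errors) == alpha
        mid = (lo + hi) / 2
        if binom_cdf(errors, trials, mid) > alpha:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi

def trials_needed(target_rate, confidence=0.95):
    """Zero-error attempts required before the upper bound reaches target_rate."""
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-target_rate))

# Figures taken from the trial results above.
FORGERY_ATTEMPTS = 750
FORGERIES_ACCEPTED = 0

if __name__ == "__main__":
    ub = upper_bound(FORGERIES_ACCEPTED, FORGERY_ATTEMPTS)
    print(f"95% upper bound on forgery acceptance rate: {ub:.4%}")
    # 0.1% is an illustrative target, not a figure from the trial.
    print(f"zero-error attempts needed to bound the rate at 0.1%: {trials_needed(0.001)}")
```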

Storage requirements

Storage requirements for dynamic signatures will vary depending upon the commercial implementation and/or the standard being used.  If dynamic signatures were to be stored on the ID card, the storage requirement would have to be fixed, without variation caused by the signature itself.  This can be achieved, with a minimum of 282 bytes.  This is significantly smaller than the storage needed for the raw image of the signature, which is currently the basis of the ICAO standard.

3.    Standards Development

International standards development for signature biometrics is progressing in harmony with other biometric modalities.  The following represents the current status:

Standard | Status | Published Date or expected Published Date
ISO/IEC 19794-7, Information technology – Biometric data interchange formats – Part 7: Signature/sign time series data | Published | June 2007
ISO/IEC 19794-11, Information technology – Biometric data interchange formats – Part 11: Signature/sign processed dynamic data | Committee Draft | May 2011
ISO/IEC 29109-7, Conformance Testing Methodology for Biometric Data Interchange formats defined in ISO/IEC 19794 – Part 7: Signature/sign Series Data | Working Draft | June 2012
ISO/IEC 29109-11, Conformance Testing Methodology for Biometric Data Interchange formats defined in ISO/IEC 19794 – Part 11: Signature/sign processed dynamic data | New Work Item | September 2011

 

4.    Conclusion

Biometric signatures not only offer similar advantages to other biometrics over other authentication techniques (such as passwords and PINs), but also offer some distinct advantages as a behavioural biometric:

· They require user cooperation – the user wants to prove their identity
· They carry inherent legal intent
· They offer the opportunity for an individual to use biometrics with multi persona (e.g. professional vs. domestic, dual gender, etc.)
· They put control of revocation back in the user’s hands (i.e. an individual can change their signature if they believe their previous signature has been compromised)

The technical benefits alone would make an obvious case for the inclusion of biometric signatures in the National Identity Register. But there is an added factor.  Their social acceptability, versatility and convenience of use will help to improve the public perception of ID Cards, and of the creation of the NIR, as methods of guarding against identity theft and security threats.

With the complex question of who will actually operate the NBIS resolved, the decision to collect a biometric version of a signature that has to be supplied anyway, and which will require very little extra investment, should now be much easier.

 


Published: Wed.15.Apr.09
© 2010 KeCrypt. All rights reserved.