Posted by debito on December 16th, 2009
Hi Blog. I received this very thoughtful email from GS after Michael Moore’s visit to Japan, where he was perturbed by the border fingerprinting. According to GS, he has every right to be. Read on. Arudou Debito in Sapporo
December 14, 2009
Thank you for the heads-up I got on Mr. Michael Moore’s comments regarding fingerprinting.
As you know from our previous e-mail conversations, I am concerned about some aspects regarding the safety of fingerprint verification in general and J-VIS in particular.
Following-up on your article, I have taken the liberty of writing a long message to the website feedback form on Mr. Moore’s website, summarizing my concerns. Please find below a copy of my writing. I hope you find it useful.
“Dear Sir, Madam,
Through the blog of Mr. Arudou Debito (www.debito.org), I’ve read part of Mr. Moore’s interview in Japan, in which he reported his fingerprinting experiences at the border (see http://www.debito.org/?p=5347). Though through this web form my message probably gets to the inbox of a webmaster, I hope you may find my response interesting enough to patch through to him. I would like to provide him with some hopefully interesting food for thought about fingerprinting in general, and the J-VIS (Japanese border check) system in particular.
Mr. Moore apparently got the hostile response that if he refused, he would be deported back to the United States on his question why he would have to be fingerprinted. I guess a good introduction to my story would be to point his attention to Article 4 of the Japanese “Act on the Protection of Personal Information Held by Administrative Organs” (see http://www.japaneselawtranslation.go.jp/law/detail/?ft=1&re=02&dn=1&x=0&y=0&co=01&ky=personal+data+administrative+organs&page=15, elements in Japanese writing have been deleted but can be seen in the original):
“Article 4 When an Administrative Organ directly acquires Personal Information on an Individual Concerned that is recorded in a document (including a record made by an electronic method, a magnetic method, or any other method not recognizable to human senses [referred to as an "Electromagnetic Record" in Articles 24 and 55]) from the said Individual Concerned, the Administrative Organ shall clearly indicate the Purpose of Use to the Individual Concerned in advance, except in the following cases:
(i) Where the acquisition of Personal Information is urgently required for the protection of the life, body, or property of an individual
(ii) Where clear indication of the Purpose of Use to the Individual Concerned is likely to cause harm to the life, body, property, or other rights or interests of the Individual Concerned or a third party
(iii) Where clear indication of the Purpose of Use to the Individual Concerned is likely to cause impediments to the proper execution of the affairs or business of state organs, Incorporated Administrative Agencies, etc. (which means incorporated administrative agencies prescribed in Article 2, paragraph 1 of the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. [Act No. 59 of 2003; hereinafter referred to as the "IAA Personal Information Protection Act" ]; the same shall apply hereinafter), local public entities, or Local Incorporated Administrative Agencies (which means local incorporated administrative agencies prescribed in Article 2, paragraph 1 of the Local Incorporated Administrative Agencies Act [Act No. 118 of 2003]; the same shall apply hereinafter)
(iv) Where the Purpose of Use is found to be clear in light of the circumstances of the acquisition”
I am not a lawyer (disclaimer), but it would seem to me that when Mr. Moore asked “why?”, he made a lawful request under article 4, while the answer that if he wouldn’t, he would be deported, doesn’t appear to me to be in the spirit of this article. Not to mention that the Immigration Bureau, the responsible party in this scheme, states in their FAQ: “we will properly store and protect your data, according to the basic law for the protection of personal data, the Act for the Protection of Personal Information Retained by Administrative Institutions.” (http://www.moj.go.jp/NYUKAN/nyukan64-2-1.pdf, note by the way the spelling differences in the title…). Right……
Privacy laws generally have a common ancestor and a common purpose. In 1980, a workgroup within the OECD (http://www.oecd.org/home/0,2987,en_2649_201185_1_1_1_1_1,00.html) published the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” (http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html), with eight key principles that form the basis of privacy laws worldwide. Contrary to both the statements: “If you have nothing to hide, you have nothing to fear” and “Big Brother is watching you”, these guidelines (roughly said) recognize the general legitimacy of using personal information, provided that such use is safe, sane and sensible.
Safe, sane and sensible… One is left to wonder about this when it comes to fingerprinting schemes worldwide… From what I understand, the key reason for implementing such schemes is the assumption that fingerprints provide a ‘silver bullet’ solution to identifying people, being unique, impossible to forge, and impossible to misidentify. However, by now it’s safe to say that fingerprinting schemes are not the ‘silver bullet’ hoped for, and that they are creating problems which might easily lead to grossly unfair treatment to individuals being unfortunate enough to become victims of such a problem.
Leaving all kinds of other problems aside, I would like to react to the assumption that fingerprints are impossible to forge first. One can find plenty of proof that fingerprints can be copied. The University of Yokohama (http://www.lfca.net/Fingerprint-System-Security-Issues.pdf) has published it’s groundbreaking article on this now almost 8 years ago, the Chaos Computer Club in Germany (http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren), and the Mythbusters (http://www.youtube.com/watch?v=MAfAVGES-Yc) have spectacularly shown that it is possible. But the proof of the pudding is that in fact at least one person has been caught in Japan after defeating the J-VIS system (among others: http://archives.chicagotribune.com/2009/jan/02/nation/chi-090102-faked-fingerprint-japanese-airport). Some food for thought, the woman bought her fingerprints, so not only is it possible, but there are people out there making money on it. More food for thought in a few questions: Were the original prints from which the copies were made stolen? Were the copies registered as unreliable? And will the rightful owner get into trouble because someone else stole her/his fingerprints and did something unlawful? The answer is a triplicate: “We don’t know”. What we do know is that someone who is the victim of such identity theft is in for some serious trouble in those places where the assumption is still that it can’t be done…
The assumption that it’s impossible to misidentify people based on fingerprints is also incorrect. In this respect it may be the most interesting to follow the trail of the J-VIS devices.
On at least one of the airports, the devices used are from the company NEC. NEC is not very secretive about the tests proving the quality of it’s devices, they post links to the test results on their own website, with the headline NIST(= (US) National Institute for Standards and Technology)-Proven Accuracy (http://www.nec.com/global/solutions/biometrics/technologies/nist.html). But what is this accuracy?
Only the FpVTE2003 appears to test the kind of verification that is in use for J-VIS. On this, NEC says: “The FpVTE2003 was an international benchmark test of fingerprint matching, identification, and verification systems, conducted in the United States in 2003 under the control of one of the US’s most respected government authorities, the NIST.” So what does this test say? The Summary of Results (http://fpvte.nist.gov/report/ir_7123_summary.pdf) says:
“The most accurate fingerprint system tested (NEC MST) using operational quality single fingerprints:
• 99.4% true accept rate @ 0.01% false accept rate
• 99.9% true accept rate @ 1.0% false accept rate”
It is good here to explain the technical language. In the context of US-VISIT or J-VIS, fingerprints are checked against a list of unwelcome people, while NIST uses the standard terms for checking against a list of authorized (= welcome) people. This creates confusing language, but it can be explained fairly easily. A True Accept in the spirit of the US-VISIT or J-VIS system means that an unwelcome person (say, Mr. X) shows up and is recognised because of a fingerprint match. A False Accept means that a welcome person (say, Mr. Michael Moore) shows up, but is incorrectly recognized as Mr. X because of a false fingerprint match.
At this point, I would like to entertain Mr. Moore with a little side step, to which I get back later. What would a False Accept Rate of 0.01% mean? That’s infinitely small, right? Well, the J-VIS system went into operation on November 20th, 2007. I don’t have day-by-day figures on the number of visitors, but I can tell that in the year from December 1st, 2007 to November 30th, 2008, 8,513,909 visitors were registered in Japan (http://www.tourism.jp/statistics/xls/JTM_inbound20091027eng.xls). I would therefore expect 851 false alarms based on a False Accept Rate of 0.01%. It is not infinitely small.
So the question comes up: “Is fingerprint verification a form of Russian Roulette?” The answer is: “Not necessarily”. No system is perfect against theft or mistakes. But if the people running the system are well-trained and thorough, it is likely that they can spot and correct the problem before serious damage is done to the victim of either problem above. But for that to work and the people subjected to such a system to be safe, one principle is vital: Every person in the organization must have the capabilities of being able to take criticism, and also a healthy dose of self-criticism. That is never easy, and the more damage already done, the more difficult it becomes.
…And right at that point is where the comparison the officials from Japan’s Immigration Bureau made to Mr. Moore ends. One of the officials apparently told him: “But you do this in the United States, when we visit the United States.” True, they do undeniably verify fingerprints. They also undeniably verify and correct false alarms. In the words of Mr. Neil Latta, US-VISIT IDENT Program Manager at the time of writing of the following document (http://fingerprint.nist.gov/standard/archived_workshops/workshop1/presentations/Latta-LessThan10.pdf): “1:many Accuracy For a 2-finger Search Against a 6M Subject Database is 95% With a False Hit Rate of 0.08% (Exceeding US-Visit Requirements)”. And: “0.4% FAR Results in (0.4% x 100K Trxs/Day) = 400 Examiner Verifications”. Again in less technical terms, they verify false alarms, they know how many false alarms there are, and so on. Granted, given the reputation of ‘outstanding customer friendliness’ that Homeland Security has carved out for themselves, this is still likely to be a rather unpleasant experience, and there is almost certainly room for considerable improvement. But at the end of the day, here is the written proof that the Department of Homeland Security is capable of admitting mistakes.
Is this also the case on the Japanese borders? The answer is again: “We don’t know”. But in itself, this is an answer too. Just some food for thought, there’s nothing in the quoted FAQ, and the incident Mr. Moore had is not exactly the first one where the organization reacts with hostility to something that sounds remotely like criticism. It’s not exactly reassuring to have to depend for your own safety on the ability of an organisation to take (self-) criticism, while on less important details the same organisation shows a distinctive lack of that same ability.
And one detail gives more food for thought that is not very reassuring. Remember the 851 false alarms I would expect if there was a false accept rate of 0.01%? On November 29th, 2008, the Japanese Ministry of Justice (of which the Immigration Bureau is a part) made a press release stating that they had deported a total of 846 people based on fingerprint matches in the first year of operation (http://www.breitbart.com/article.php?id=D94NKV182&show_article=1). That is only five off that number… Or differently put, 846 people is 0.00994% of 8,513,909 visitors. The difference with a false accept rate of 0.01% is only 0.00006%… Is this proof that there is a Russian Roulette situation? Certainly not. From the same sources we also have the numbers for South Koreans (297 people deported, total visitors – from both Koreas, admittedly leaving a margin for doubt: 2,483,288, percentage = 0.01196%), Chinese (90 people deported, total visitors 1,000,228, percentage = 0.008998), and Filipino’s (155 people deported, total visitors 82,473, percentage = 0.18%, way off the mark). But some food for thought: Out of four groups of visitors, only the smallest group is way off the mark. The other ones are groups of more than one million visitors. And the larger the group of visitors, the closer we get to the mark of 0.01%. That is a curious set of coincidences…
And yet more food for thought. With almost every other identifier and keys, from physical keys to credit cards to drivers’ licenses to passports, the reason we have them is that we can replace them when the legitimate user gets into trouble because something goes wrong. We would find it unacceptable to hear: “Sorry, we found out your car key / credit card / passport has been copied / isn’t accepted as well as it should be / doesn’t fit / …, but you can’t replace it, so you just have to live with the problem.” Why then do we accept that with fingerprints…?
I’m sorry for this long message. I hope it has been worthwhile reading though.
Kind Regards, GS”
And of course the kind regards are for you as well.