Well, the Writer Was 60% Correct (Face-Iris Pixels Per Inch)

(Part of the biometric product marketing expert series)

I recently read a web page (I won’t name the site) that included the following text:

…fingerprints, palm prints, latents, faces, and irises at 500 or 1000 ppi.

Which is partially correct.

Yes, fingerprints, palm prints, and latent prints are measured in pixels per inch (ppi), with older systems capturing 500 ppi images, some newer systems capturing 1,000 ppi images, and other systems capturing 2,000 ppi or larger images. 2,000 ppi resolution is used in some images in NIST Special Database 300 because why not?

I don’t know of any latent fingerprint examiner who is capturing 4,000 ppi friction ridge prints, but I bet that someone out there is doing it.

But faces and irises are not measured in pixels per inch.

Why not?

Because, at least until recently, friction ridge impressions were captured differently than faces and irises.

  • Since the 19th century, we’ve naturally assumed that friction ridges are captured via a contact method, whether by inking the fingers and palms and pressing against a paper card, pressing the fingers and palms against a livescan platen, or pressing a finger on a designated spot on a smartphone.
  • You don’t press your face or iris against a camera. Yes, you often have to place your iris very close to a camera, but it’s still a contactless method.
This is not a recommended method of facial image acquisition. From https://www.youtube.com/watch?v=4XhWFHKWCSE.

Obviously things have changed in the friction ridge world over the last decade, as more companies support contactless methods of fingerprint capture, either through dedicated devices or standard smartphone cameras.

And that has caused issues for organizations such as the U.S. Federal Bureau of Investigation, who have very deep concerns about how contactless fingerprints will function in their current contact-based systems.

For example, how will Electronic Biometric Transmission Specification Appendix F (version 11.2 here) compliance work in the world where the friction ridges are NOT pressed against a surface?

You’re not from around here, are you?

In a recent conversation with a client, I was reminded that procedures in one country may not be followed in another. For example, the process of getting a U.S. passport differs from the process to get one in France.

By Nikimura – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=147981790

The client’s questions about ID document issuance

The client asked me about my experience with centralized and decentralized ID document issuance systems.

It turns out I was experienced in both based upon my time at IDEMIA. State agencies can manufacture driver’s licenses either via a decentralized process where the driver’s license is printed at your local DMV office while you wait, or via a centralized process where all the driver’s licenses are produced at a secure facility which may or may not be located in the state in question. IDEMIA maintains several such centralized facilities to produce driver’s licenses and credit card-related materials, and they’re so secure that even when I was an IDEMIA employee I was not allowed to enter them.

Exton, Pennsylvania IDEMIA facility. “The property is ‘mission critical’ to IDEMIA, as it serves as the only manufacturing plant of card blanks for IDEMIA within the United States.” From https://royaloakrealtytrust.com/properties/idemia-identity-security/.

But then the client asked about passports.

Passports and passport renewals in the United States

When I joined Incode Technologies in May 2022, I had to quickly renew my passport so that I could attend a possible meeting in Mexico City. And it’s a good thing I did, because that meeting occurred soon afterwards…well, if you consider April 2023 “soon afterwards.”

My passport had expired in 2020, but I was able to renew my passport anyway with a fairly simple procedure.

  • Go to my local CVS drug store and use their automated machine to take the required passport photo in an ICAO-compliant fashion. The machine checked for ICAO compliance. (It took a few tries to get it right.)
  • Fill out a paper form.
  • Use an antiquated currency technology called a “check” to make out a payment to the U.S. State Department.
  • Put everything in an envelope and mail it to a centralized passport processing center.
  • Wait.
No, passports are not produced at the U.S. State Department headquarters. But the building looks cool. Source: diplomacy.state.gov, Public Domain, https://commons.wikimedia.org/w/index.php?curid=51192214

I forget how many weeks it took me to get my new passport, but I requested an expedited process so it couldn’t have been that many weeks.

This isn’t always true. If you don’t expedite the process, and if there’s a heavy backlog, it could take more than a month to get your passport.

Passports and passport renewals in France

After my meeting with the client, I was curious about the passport policies in other countries, and ran across this Expatica description of French passport production.

Let’s skip right to the biggest difference between France and the United States:

The passport will take a few days to process.

Uh…what?

Not “the passport will take a few days to process if you pay rush fees.”

It will take a few days to process, period.

And no, this isn’t because the United States is larger than France. The same time period applies if you apply for a passport in one of France’s scattered overseas departments, or at a French embassy or consulate.

So how do they do it?

First off, you don’t need to mail a bunch of stuff off to a centralized office. You can simply go to your local town hall (mairie), embassy, or consulate. You need the following:

  • A French ID card or other acceptable proof of French nationality.
  • A recent photograph (again, ICAO compliant).
  • Your fingers, which are presumably attached to your person, so that they can be captured for biometric purposes.
  • Proof of residence.
  • The passport fee.

Once you bring everything to the mairie, your passport is processed within a few days. (OK, perhaps slightly longer in the summer.) When it’s ready you go back to the mairie, sign your passport, and take it with you to travel to all of the countries you can visit with a French passport. (More than with a United States passport.)

Follow your local, um, customs

My research hasn’t yet uncovered a country where you can get your passport on the same day you apply for it, but such a timeframe is theoretically possible.

This isn’t a current concern of mine since Bredemarket only deals with U.S. firms, but some of these firms are multinational and may ask me to create written content regarding their installation in Vietnam or wherever.

Always ask what the local practice is and don’t assume that the locals do things like we do in Southern California.

We surf to school. Even if we live inland. By Dennis Hill – https://www.flickr.com/photos/fontplaydotcom/2742209717/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=146279529.

Defeating Synthetic Identity Fraud

I’ve talked about synthetic identity fraud a lot in the Bredemarket blog over the past several years. I’ll summarize a few examples in this post, talk about how to fight synthetic identity fraud, and wrap up by suggesting how to get the word out about your anti-synthetic identity solution.

But first let’s look at a few examples of synthetic identity.

Synthetic identities pop up everywhere

As far back as December 2020, I discussed Kris’ Rides’ encounter with a synthetic employee from a company with a number of synthetic employees (many of whom were young females).

More recently, I discussed attempts to create synthetic identities using gummy fingers and fake/fraudulent voices. The topic of deepfakes continues to be hot across all biometric modalities.

I shared a video I created about synthetic identities and their use to create fraudulent financial identities.

From https://www.youtube.com/watch?v=oDrSBlDJVCk.

I even discussed Kelly Shepherd, the fake vegan mom created by HBO executive Casey Bloys to respond to HBO critics.

And that’s just some of what Bredemarket has written about synthetic identity. You can find the complete list of my synthetic identity posts here.

So what? You must fight!

It isn’t enough to talk about the fact that synthetic identities exist: sometimes for innocent reasons, sometimes for outright fraudulent reasons.

You need to communicate how to fight synthetic identities, especially if your firm offers an anti-fraud solution.

Here are four ways to fight synthetic identities:

  1. Checking the purported identity against private databases, such as credit records.
  2. Checking the person’s driver’s license or other government document to ensure it’s real and not a fake.
  3. Checking the purported identity against government databases, such as driver’s license databases. (What if the person presents a real driver’s license, but that license was subsequently revoked?)
  4. Performing a “who you are” biometric test against the purported identity.

If you conduct all four tests, then you have used multiple factors of authentication to confirm that the person is who they say they are. If the identity is synthetic, chances are the purported person will fail at least one of these tests.

Do you fight synthetic identity fraud?

If you fight synthetic identity fraud, you should let people know about your solution.

Perhaps you can use Bredemarket, the identity content marketing expert. I work with you (and I have worked with others) to ensure that your content meets your awareness, consideration, and/or conversion goals.

How can I work with you to communicate your firm’s anti-synthetic identity message? For example, I can apply my identity/biometric blog expert knowledge to create an identity blog post for your firm. Blog posts provide an immediate business impact to your firm, and are easy to reshare and repurpose. For B2B needs, LinkedIn articles provide similar benefits.

If Bredemarket can help your firm convey your message about synthetic identity, let’s talk.

When Rapid DNA Isn’t

(Part of the biometric product marketing expert series)

Have you heard of rapid DNA?

Perhaps not as fast as Brazilian race car driver Antonella Bassani, but fast enough.

This post discusses the pros and cons of rapid DNA, specifically in the MV Conception post mortem investigation.

DNA…and fingerprints

I’ve worked with rapid DNA since I was in Proposals at MorphoTrak, when our corporate parent Safran had an agreement with IntegenX (now part of Thermo Fisher Scientific). Rapid DNA, when suitable for use, can process a DNA sample in 90 minutes or less, providing a quick way to process DNA in both criminal and non-criminal cases.

By Zephyris – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15027555

But as I explain below, sometimes rapid DNA isn’t so rapid. In those cases, investigators have to turn to boring biometric technologies such as fingerprints instead. Fingerprints are a much older identification modality, but they still work.

DNA, fingerprints…and dental records

Bredemarket recently purchased access to a Journal of Forensic Sciences article entitled “Advances in postmortem fingerprinting: Applications in disaster victim identification” (https://doi.org/10.1111/1556-4029.15513) by Bryan T. Johnson MSFS of the Federal Bureau of Investigation Laboratory in Quantico. The abstract (which is NOT behind the paywall) states the following, in part:

In disaster victim identification (DVI), fingerprints, DNA, and dental examinations are the three primary methods of identification….As DNA technology continues to evolve, RAPID DNA may now identify a profile within 90 min if the remains are not degraded or comingled. When there are true unknowns, however, there is usually no DNA, dental, or medical records to retrieve for a comparison without a tentative identity.

In the body of the paper itself (which IS behind the paywall), Johnson cites one example in which use of rapid DNA would have DELAYED the process.

DVI depends upon comparison of a DNA sample from a victim with a previous DNA sample taken from the victim. If this is not available, then the victim’s DNA is compared against the DNA of a family member.

Identifying foreign nationals aboard the MV Conception

MV Conception shortly before it sank. By National Transportation Safety Board – Screen Shot 2020-10-16 at 3.00.40 PM, Public Domain, https://commons.wikimedia.org/w/index.php?curid=95326656

When the MV Conception boat caught fire and sank in September 2019, 34 people lost their lives and had to be positively identified.

While most of the MV Conception victims were California residents, some victims were from Singapore and India. It would take weeks to collect and transport the DNA samples from the victims’ family members back to the United States for comparison against the DNA samples from the victims. Weeks of uncertainty during which family members had no confirmation that their relatives were among the deceased.

However, because the foreign victims were visitors to the United States, they had fingerprints on file with the Department of Homeland Security. Interagency agreements allowed the investigating agencies to access the DHS fingerprints and compare them against the fingerprints of the foreign victims, providing tentative identifications within three days. (Fingerprint identification is a 100+ year old method, but it works!) These tentative identifications were subsequently confirmed when the familial DNA samples arrived.

What does this mean?

The message here is NOT that “fingerprints rule, DNA drools.” In some cases the investigators could not retrieve fingerprints from the bodies and HAD to use rapid DNA.

The message here is that when identifying people, you should use ANY biometric (or non-biometric) modality that is available: fingerprints, DNA, dental records, driver’s licenses, Radio Shack Battery Club card, or anything else that provides an investigative lead or a positive identification.

And ideally, you should use more than one factor of authentication.

And now a word from our sponsor

By the way, if you have a biometric story to tell, Bredemarket can help…um…drive results. Perhaps not as fast as Bassani, but fast enough.

The 21st Century’s Four Revolutionary Biometric Events

I define a revolutionary biometric event as something that COMPLETELY TRANSFORMS the biometric industry.

For me, the four events that have revolutionized biometrics in this century (so far) include:

  • The September 2001 use of commercial planes in a terrorist attack.
  • The April 2013 Boston Marathon bombings.
  • The September 2013 introduction of Touch ID on the Apple iPhone.
  • The 2020 (and beyond) COVID-19 pandemic.

If you want to learn WHY I regard these four events as revolutionary, and why I DON’T regard the introduction of the Apple Vision Pro as revolutionary, see my June 2023 post.

In fingerprint capture, 14 is better than 20

In many instances of fingerprint capture, whether obtaining prints through ink or through livescan, the tenprint person captures 14 images. Not 10, not 20, but 14.

Why?

Quality control.

Because the 14 images contain two impressions of every print, you can compare the top set of prints (the rolled prints) against the bottom set (the slap prints).

Locations of finger 2 (green) and finger 3 (blue) for rolled and slap prints.

In the example above, if the green rolled print is NOT the same as the green slap print, or if the blue rolled print is NOT the same as the blue slap print, then you captured the fingerprints in the wrong order.

I discussed this in more detail in an earlier post.

If you need Bredemarket’s marketing and writing services to explain the benefits of your technology to your prospects and customers, contact me.

Multispectral fingerprint readers, the succinct version

There are various types of dedicated fingerprint reader devices, including multispectral readers that can examine the subdermal layers of your fingers. Even if your surface fingerprints are worn away by bricklaying, time, or other factors, multispectral fingerprint readers can identify you anyway.

From HID Global, “A Guide to MSI Technology: How It Works,” https://blog.hidglobal.com/2022/10/guide-msi-technology-how-it-works

If you’re interested, I wrote more about multispectral readers, and how they relate to liveness detection, back in June 2023.


Personally Protected: PII vs. PHI

(Part of the biometric product marketing expert series)

Before you can fully understand the difference between personally identifiable information (PII) and protected health information (PHI), you need to understand the difference between biometrics and…biometrics. (You know sometimes words have two meanings.)

Designed by Google Gemini.

The definitions of biometrics

To address the difference between biometrics and biometrics, I’ll refer to something I wrote over two years ago, in late 2021. In that post, I quoted two paragraphs from the International Biometric Society that illustrated the difference.

Since the IBS has altered these paragraphs in the intervening years, I will quote from the latest version.

The terms “Biometrics” and “Biometry” have been used since early in the 20th century to refer to the field of development of statistical and mathematical methods applicable to data analysis problems in the biological sciences.

Statistical methods for the analysis of data from agricultural field experiments to compare the yields of different varieties of wheat, for the analysis of data from human clinical trials evaluating the relative effectiveness of competing therapies for disease, or for the analysis of data from environmental studies on the effects of air or water pollution on the appearance of human disease in a region or country are all examples of problems that would fall under the umbrella of “Biometrics” as the term has been historically used….

The term “Biometrics” has also been used to refer to the field of technology devoted to the identification of individuals using biological traits, such as those based on retinal or iris scanning, fingerprints, or face recognition. Neither the journal “Biometrics” nor the International Biometric Society is engaged in research, marketing, or reporting related to this technology. Likewise, the editors and staff of the journal are not knowledgeable in this area. 

From https://www.biometricsociety.org/about/what-is-biometry.

In brief, what I call “broad biometrics” refers to analyzing biological sciences data, ranging from crop yields to heart rates. Contrast this with what I call “narrow biometrics,” which (usually) refers only to human beings, and only to those characteristics that identify human beings, such as the ridges on a fingerprint.

The definition of “personally identifiable information” (PII)

Now let’s examine an issue related to narrow biometrics (and other things), personally identifiable information, or PII. (It’s also represented as personal identifiable information by some.) I’ll use a definition provided by the U.S. National Institute of Standards and Technology, or NIST.

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

From https://csrc.nist.gov/glossary/term/PII.

Note the key words “alone or when combined.” The ten numbers “909 867 5309” are not sufficient to identify an individual alone, but can identify someone when combined with information from another source, such as a telephone book.

Yes, a telephone book. Deal with it.

By © 2010 by Tomasz Sienicki [user: tsca, mail: tomasz.sienicki at gmail.com] – Photograph by Tomasz Sienicki (Own work). Image intentionally scaled down., CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=10330603

What types of information can be combined to identify a person? The U.S. Department of Defense’s Privacy, Civil Liberties, and Freedom of Information Directorate provides multifarious examples of PII, including:

  • Social Security Number.
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Now you may ask yourself, “How can I identify someone by a non-unique birthdate? A lot of people were born on the same day!”

But the combination of information is powerful, as researchers discovered in a 2015 study cited by the New York Times.

In the study, titled “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions made by 1.1 million people in 10,000 stores over a three-month period. The data set contained details including the date of each transaction, amount charged and name of the store.

Although the information had been “anonymized” by removing personal details like names and account numbers, the uniqueness of people’s behavior made it easy to single them out.

In fact, knowing just four random pieces of information was enough to reidentify 90 percent of the shoppers as unique individuals and to uncover their records, researchers calculated. And that uniqueness of behavior — or “unicity,” as the researchers termed it — combined with publicly available information, like Instagram or Twitter posts, could make it possible to reidentify people’s records by name.

From https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/29/with-a-few-bits-of-data-researchers-identify-anonymous-people/.

So much for anonymization. And privacy.
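The unicity measurement described in the quoted study can be reproduced in miniature. The following is an added example, not code from the study or from this post: it estimates, on a constructed data set of pseudonymous (day, shop) purchases, what fraction of people are singled out by p known purchases, and how much coarsening the data lowers that risk. The data generator, bucket sizes, and function names are assumptions made for illustration.

```python
import random


def build_constructed_traces(n_users=300, n_shops=40, n_days=90, per_user=25, seed=7):
    """Constructed sample data: pseudonymous id -> set of (day, shop) purchases.

    There are no names or account numbers, mirroring an "anonymized" log.
    """
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        favourites = rng.sample(range(n_shops), 5)  # habitual shops
        points = set()
        while len(points) < per_user:
            if rng.random() < 0.8:
                shop = rng.choice(favourites)
            else:
                shop = rng.randrange(n_shops)
            points.add((rng.randrange(n_days), shop))
        traces[f"u{uid:04d}"] = frozenset(points)
    return traces


def candidates(traces, known_points):
    """Return every pseudonym whose trace contains all of the known points."""
    known = frozenset(known_points)
    return [uid for uid, trace in traces.items() if known <= trace]


def unicity(traces, p, seed=1):
    """Fraction of people singled out by p randomly chosen points of their own trace."""
    rng = random.Random(seed)
    unique = total = 0
    for uid, trace in traces.items():
        if len(trace) < p:
            continue  # not enough points to draw p of them
        known = rng.sample(sorted(trace), p)
        total += 1
        if candidates(traces, known) == [uid]:
            unique += 1
    return unique / total if total else 0.0


def coarsen(traces, day_bucket, shop_bucket):
    """Generalize the data: group days into windows and shops into groups."""
    return {
        uid: frozenset((d // day_bucket, s // shop_bucket) for d, s in trace)
        for uid, trace in traces.items()
    }


def risk_report(traces, max_points=4):
    """Unicity for 1..max_points known purchases."""
    return {p: round(unicity(traces, p), 3) for p in range(1, max_points + 1)}


if __name__ == "__main__":
    raw = build_constructed_traces()
    print("raw data:      ", risk_report(raw))
    # 30-day windows and groups of 10 shops (assumed bucket sizes)
    print("coarsened data:", risk_report(coarsen(raw, 30, 10)))
```

Running the same report before releasing a data set shows whether removing names and account numbers actually reduced the re-identification risk, or whether the remaining fields still single people out.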

Now biometrics only form part of the multifarious list of data cited above, but clearly biometric data can be combined with other data to identify someone. An easy example is taking security camera footage of the face of a person walking into a store, and combining that data with the same face taken from a database of driver’s license holders. In some jurisdictions, some entities are legally permitted to combine this data, while others are legally prohibited from doing so. (A few do it anyway. But I digress.)

Because narrow biometric data used for identification, such as fingerprint ridges, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If personally identifiable information (PII) is not adequately guarded, people could be subject to fraud and other harms.

The definition of “protected health information” (PHI)

In this case, I’ll refer to information published by the U.S. Department of Health and Human Services.

Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

From https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Now there’s obviously an overlap between personally identifiable information (PII) and protected health information (PHI). For example, names, dates of birth, and Social Security Numbers fall into both categories. But I want to highlight two things that are explicitly mentioned as PHI that aren’t usually cited as PII.

  • Physical or mental health data. This could include information that a medical professional captures from a patient, including biometric (broad biometric) information such as heart rate or blood pressure.
  • Health care provided to an individual. This not only includes written information such as prescriptions, but oral information (“take two aspirin and call my chatbot in the morning”). Yes, chatbot. Deal with it. Dr. Marcus Welby and his staff retired a long time ago.
Robert Young (“Marcus Welby”) and Jane Wyatt (“Margaret Anderson” on a different show). By ABC Television. Uploaded by We hope at en.wikipedia – eBay item, photo information. Transferred from en.wikipedia by SreeBot, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16472486

Because broad biometric data used for analysis, such as heart rates, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If protected health information (PHI) is not adequately guarded, people could be subject to fraud and other harms.

Simple, isn’t it?

Actually, the parallels between identity/biometrics and healthcare have fascinated me for decades, since the dedicated hardware to capture identity/biometric data is often similar to the dedicated hardware to capture health data. And now that we’re moving away from dedicated hardware to multi-purpose hardware such as smartphones, the parallels are even more fascinating.

Designed by Google Gemini.

The Double Loop Podcast Discusses Research From the Self-Styled “Inventor of Cross-Fingerprint Recognition”

(Part of the biometric product marketing expert series)

Apologies in advance, but if you’re NOT interested in fingerprints, you’ll want to skip over this Bredemarket identity/biometrics post, my THIRD one about fingerprint uniqueness and/or similarity or whatever because the difference between uniqueness and similarity really isn’t important, is it?

Yes, one more post about the study whose principal author was Gabe Guo, the self-styled “inventor of cross-fingerprint recognition.”

In case you missed it

In case you missed my previous writings on this topic:

But don’t miss this

Well, two other people have weighed in on the paper: Glenn Langenburg and Eric Ray, co-presenters on the Double Loop Podcast. (“Double loop” is a fingerprint thing.)

So who are Langenburg and Ray? You can read their full biographies here, but both of them are certified latent print examiners. This certification, administered by the International Association for Identification, is designed to ensure that the certified person is knowledgeable about both latent (crime scene) fingerprints and known fingerprints, and how to determine whether or not two prints come from the same person. If someone is going to testify in court about fingerprint comparison, this certification is recognized as a way to designate someone as an expert on the subject, as opposed to a college undergraduate. (As of today, the list of IAI certified latent print examiners as of December 2023 can be found here in PDF form.)

Podcast episode 264 dives into the Columbia study in detail, including what the study said, what it didn’t say, and what the publicity for the study said that doesn’t match the study.

Eric and Glenn respond to the recent allegations that a computer science undergraduate at Columbia University, using Artificial Intelligence, has “proven that fingerprints aren’t unique” or at least…that’s how the media is mischaracterizing a new published paper by Guo, et al. The guys dissect the actual publication (“Unveiling intra-person fingerprint similarity via deep contrastive learning” in Science Advances, 2024 by Gabe Guo, et al.). They state very clearly what the paper actually does show, which is a far cry from the headlines and even public dissemination originating from Columbia University and the author. The guys talk about some of the important limitations of the study and how limited the application is to real forensic investigations. They then explore some of the media and social media outlets that have clearly misunderstood this paper and seem to have little understanding of forensic science. Finally, Eric and Glenn look at some quotes and comments from knowledgeable sources who also have recognized the flaws in the paper, the authors’ exaggerations, and lack of understanding of the value of their findings.

From https://doublelooppodcast.com/2024/01/fingerprints-proven-by-ai-to-not-be-unique-episode-264/.

Yes, the episode is over an hour long, but if you want to hear a good discussion of the paper that goes beyond the headlines, I strongly recommend that you listen to it.

TL;DR

If you’re in a TL;DR frame of mind, I’ll just offer one tidbit: “uniqueness” and “similarity” are not identical. Frankly, they’re not even similar.

Will Ferrell and Chad Smith, or maybe vice versa. Fair use. From https://www.billboard.com/music/music-news/will-ferrell-chad-smith-red-hot-benefit-chili-peppers-6898348/, originally from NBC.

Did the Columbia Study “Discover” Fingerprint Patterns?

As you may have seen elsewhere, I’ve been wondering whether the widely-publicized Columbia University study on the uniqueness of fingerprints isn’t any more than a simple “discovery” of fingerprint patterns, which we’ve known about for years. But to prove or refute my suspicions, I had to read the study first.

My initial exposure to the Columbia study

I’ve been meaning to delve into the minutiae of the Columbia University fingerprint study ever since I initially wrote about it last Thursday.

(And yes, that’s a joke. The so-called experts say that the word “delve” is a mark of AI-generated content. And “minutiae”…well, you know.)

If you missed my previous post, “Claimed AI-detected Similarity in Fingerprints From the Same Person: Are Forensic Examiners Truly ‘Doing It Wrong’,” I discussed a widely-publicized study by a team led by Columbia University School of Engineering and Applied Science undergraduate senior Gabe Guo. Columbia Engineering itself publicized the study with the attention-grabbing headline “AI Discovers That Not Every Fingerprint Is Unique,” coupled with the sub-head “we’ve been comparing fingerprints the wrong way!”

There are three ways to react to the article:

  1. Gabe Guo, who freely admits that he knows nothing about forensic science, is an idiot. For decades we have known that fingerprints ARE unique, and the original forensic journals were correct in not publishing this drivel.
  2. The brave new world of artificial intelligence is fundamentally disproving previously sacred assumptions, and anyone who resists these assumptions is denying scientific knowledge and should go back to their caves.
  3. Well, let’s see what the study actually SAYS.

Until today, I hadn’t had a chance to read the study. But I wanted to do this, because a paragraph in the article that described the study got me thinking. I needed to see the study itself to confirm my suspicions.

“The AI was not using ‘minutiae,’ which are the branchings and endpoints in fingerprint ridges – the patterns used in traditional fingerprint comparison,” said Guo, who began the study as a first-year student at Columbia Engineering in 2021. “Instead, it was using something else, related to the angles and curvatures of the swirls and loops in the center of the fingerprint.” 

From https://www.newswise.com/articles/ai-discovers-that-not-every-fingerprint-is-unique

Hmm. Are you thinking what I am thinking?

What were you thinking?

I’ll preface this by saying that while I have worked with fingerprints for 29 years, I am nowhere near a forensic expert. I know enough to cause trouble.

But I know who the real forensic experts are, so I’m going to refer to a page on onin.com, the site created by Ed German. German, who is talented at explaining fingerprint concepts to lay people, created a page to explain “Level 1, 2 and 3 Details.” (It also explains ACE-V, for people interested in that term.)

Here are German’s quick explanations of Level 1, 2, and 3 detail. These are illustrated at the original page, but I’m just putting the textual definitions here.

  • “Level 1 includes the general ridge flow and pattern configuration. Level 1 detail is not sufficient for individualization, but can be used for exclusion. Level 1 detail may include information enabling orientation, core and delta location, and distinction of finger versus palm.”
  • “Level 2 detail includes formations, defined as a ridge ending, bifurcation, dot, or combinations thereof. The relationship of Level 2 detail enables individualization.”
  • “Level 3 detail includes all dimensional attributes of a ridge, such as ridge path deviation, width, shape, pores, edge contour, incipient ridges, breaks, creases, scars and other permanent details.”

We’re not going to get into Level 3 in this post. But if you look at German’s summary of Level 2, you’ll see that he is discussing the aforementioned MINUTIAE (which, according to German, “enables individualization”). And if you look at German’s summary of Level 1, he’s discussing RIDGE FLOW, or perhaps “the angles and curvatures of the swirls and loops in the center of the fingerprint” (which, according to German, “is not sufficient for individualization”).

Did Gabe Guo simply “discover” fingerprint patterns? On a separate onin.com page, common fingerprint patterns are cited (arch, loop, whorl). Is this the same thing that Guo (who possibly has never heard of loops and whorls in his life) is talking about?

From Antheus Technology page, from NIST’s Appendix B to the FpVTE 2003 test document. I remember that test very well.

I needed to read the original study to see what Guo actually said, and to determine if AI discovered something novel beyond what forensic scientists consider the information “in the center of the fingerprint.”

So let’s look at the study

I finally took the time to read the study, “Unveiling intra-person fingerprint similarity via deep contrastive learning,” as published in Science Advances on January 12. While there is a lot to read here, I’m going to skip to Guo et al’s description of the fingerprint comparison method used by AI. Central to this comparison is the concept of a “feature map.”

Figure 2A shows that all the feature maps exhibit a statistically significant ability to distinguish between pairs of distinct fingerprints from the same person and different people. However, some are clearly better than others. In general, the more fingerprint-like a feature map looks, the more strongly it shows the similarity. We highlight that the binarized images performed almost as well as the original images, meaning that the similarity is due mostly to inherent ridge patterns, rather than spurious characteristics (e.g., image brightness, image background noise, and pressure applied by the user when providing the sample). Furthermore, it is very interesting that ridge orientation maps perform almost as well as the binarized and original images—this suggests that most of the cross-finger similarity can actually be explained by ridge orientation.

From https://www.science.org/doi/10.1126/sciadv.adi0329.

(The implied reversal from the forensic order of things is interesting. Specifically, ridge orientation, which yields a bunch of rich data, is considered more authoritative than mere minutiae points, which are just teeny little dots that don’t look like a fingerprint. Forensic examiners consider the minutiae more authoritative than the ridge detail.)

Based upon the initial findings, Guo et al delved deeper. (Sorry, couldn’t help myself.) Specifically, they interrogated the feature maps.

We observe a trend in the filter visualizations going from the beginning to the end of the network: filters in earlier layers exhibit simpler ridge/minutia patterns, the middle layers show more complex multidirectional patterns, and filters in the last layer display high-level patterns that look much like fingerprints—this increasing complexity is expected of deep neural networks that process images. Furthermore, the ridge patterns in the filter visualizations are all generally the same shade of gray, meaning that we can rule out image brightness as a source of similarity. Overall, each of these visualizations resembles recognizable parts of fingerprint patterns (rather than random noise or background patterns), bolstering our confidence that the similarity learned by our deep models is due to genuine fingerprint patterns, and not spurious similarities.

From https://www.science.org/doi/10.1126/sciadv.adi0329.

So what’s the conclusion?

(W)e show above 99.99% confidence that fingerprints from different fingers of the same person share very strong similarities. 

From https://www.science.org/doi/10.1126/sciadv.adi0329.

And what are Guo et al’s derived ramifications? I’ll skip to the most eye-opening one, related to digital authentication.

In addition, our work can be useful in digital authentication scenarios. Using our fingerprint processing pipeline, a person can enroll into their device’s fingerprint scanner with one finger (e.g., left index) and unlock it with any other finger (e.g., right pinky). This increases convenience, and it is also useful in scenarios where the original finger a person enrolled with becomes temporarily or permanently unreadable (e.g., occluded by bandages or dirt, ridge patterns have been rubbed off due to traumatic event), as they can still access their device with their other fingers.

From https://www.science.org/doi/10.1126/sciadv.adi0329.

However, the researchers caution that (as any good researcher would say when angling for funds) more research is needed. Their biggest concern was the small sample size they used in their experiments (60,000 prints), coupled with the fact that the prints were full and not partial fingerprints.

What is unanswered?

So let’s assume that the study shows a strong similarity between the ridges of fingerprints from the same person. Is this enough to show:

  • that the prints from two fingers on the same person ARE THE SAME, and
  • that the prints from two fingers on the same person are more alike than a print from ANY OTHER PERSON?

Or to use a specific example, if we have Mike French’s fingers 2 (right index) and 7 (left index), are those demonstrably from the same person, while my own finger 2 is demonstrably NOT from Mike French?

And what happens if my finger 2 has the same ridge pattern as French’s finger 2, yet is different from French’s finger 7? Does that mean that my finger 2 and French’s finger 2 are from the same person?

If this happens, then the digital authentication example above wouldn’t work, because I could use my finger 2 to get access to French’s data.

This could get messy.
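The questions above come down to a false accept rate (FAR) measured on cross-finger comparisons. The following added example (not from the study or this post) shows that measurement on constructed data: the feature vectors, the three pattern-class templates, the 0.6 same-person weight and the 0.8 noise level are all assumptions, so the output says nothing about the study's own model.

```python
import math
import random
from itertools import combinations

def make_gallery(n_people=40, n_fingers=4, dim=16, seed=7):
    """Constructed prints: pattern-class template + per-person trait + per-finger noise."""
    rng = random.Random(seed)
    # Three stand-ins for Level 1 classes (arch, loop, whorl), shared by everyone.
    classes = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(3)]
    gallery = {}
    for person in range(n_people):
        trait = [rng.gauss(0, 1) for _ in range(dim)]  # assumed same-person component
        for finger in range(n_fingers):
            template = rng.choice(classes)
            gallery[(person, finger)] = [
                template[i] + 0.6 * trait[i] + rng.gauss(0, 0.8) for i in range(dim)
            ]
    return gallery

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def cross_finger_scores(gallery):
    """Genuine = same person, different finger. Impostor = different people."""
    genuine, impostor = [], []
    for (ka, va), (kb, vb) in combinations(gallery.items(), 2):
        (genuine if ka[0] == kb[0] else impostor).append(cosine(va, vb))
    return genuine, impostor

def far_at_frr(genuine, impostor, target_frr=0.05):
    """Pick the threshold that rejects about target_frr of genuine pairs, then measure FAR."""
    ranked = sorted(genuine)
    threshold = ranked[int(target_frr * len(ranked))]
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return threshold, far

def mean(xs):
    return sum(xs) / len(xs)

if __name__ == "__main__":
    genuine, impostor = cross_finger_scores(make_gallery())
    threshold, far = far_at_frr(genuine, impostor)
    print(f"mean genuine {mean(genuine):.3f}  mean impostor {mean(impostor):.3f}")
    print(f"threshold {threshold:.3f} at 5% FRR gives FAR {far:.1%}")
```

In this constructed gallery the same-person pairs score higher on average, yet a threshold loose enough to accept 95% of them also accepts a large share of other people's fingers, because the shared pattern classes dominate the score.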

More research IS needed, and here’s what it should be

If you have an innovative idea for a way to build an automobile, is it best to never talk to an existing automobile expert at all?

Same with fingerprints. Don’t just leave the study with the AI folks. Bring the forensic people on board.

And the doctors also.

Initiate a conversation between the people who found this new AI technique, the forensic people who have used similar techniques to classify prints as arches, loops, whorls, etc., and the medical people who understand how the ridges are formed in the womb in the first place.

If you get all the involved parties in one room, then perhaps they can work together to decide whether the technique can truly be used to identify people.

I don’t expect that this discussion will settle once and for all whether every fingerprint is unique. At least not to the satisfaction of scientists.

But bringing the parties together is better than not listening to critical stakeholders at all.