Tuesday, May 24, 2005

June 2005

Several papers had to be finished. One on identity theft on biometric systems and the other one on profiling in forensic databases for FIDIS www.fidis.net . Finally I also have some time for doing more casework. I had organized a workshop on digital video as evidence, and that also took some time.

Red tape procedures also had to be taken care of. In my experience it is often easier to get used to the procedures then to be against them, since that often does not make much sense. On the end even bureacracy in European projects and government can be handled if you have some experience with them.

What did I write on profiling for FIDIS ?

Profiling in Forensic Science
Author Zeno Geradts – Netherlands Forensic Institute

Introduction

Current situation

In forensic science, currently there exist many different databases that can be used to link cases and suspects :
Firearms : Cartridge cases, bullets
Fingerprints
DNA
Faces
Tool marks (e.g. screwdrivers )
Shoe prints
Handwriting
Paint and glass
speaker
….
In practice there is experience with combining those databases for combining evidence, however often searching between databases is not easy, since the data the data models and entry of data is often different between them.

If we look at digital evidence on the internet, for example in internet hacking cases, then one needs to examine log files and other files. In this field also some cases have been submitted. A question that always arises with these cases is however who was really behind the keyboard at a given moment. If biometric devices are used more (and spoofing of biometrics is not used), it is also possible to follow persons. The logs of the antenna’s mobile operators, can also be used to examine the position of a person at a given time.

Expectation

We expect that in future databases, the data models will become more standardized, in such a way that they can be combined with other databases such as :
Face and 3D images and other biometrics of everyone (ear, iris, fingerprints, DNA etc)
Banking and insurance transactions : money laundering
Telecommunication traffic and interception (location GSM and internet)
All computer actions and storage
Records of toll ports / public transportation
Board computer in private transportation (cars etc)
GPS
Customer loyalty programs (air miles etc.)
Surveillance cameras (also satellite images)
Digital traces in domestic applications (e.g. coffee maker, microwave, heater)
Ambient intelligence

Examination and combination of data is currently possible in Dutch law if there is a severe crime involved and a court order is needed (depending on the kind of information).

For the passport for example it will be possible to track someone if the ICAO-standard is implemented without any protection. The passport will have a wireless chip in it, and information concerning face and fingerprint can be extracted from a distance. Currently in trials in the Netherlands more protection is used in such a way that one needs more information concerning the machine readable zone of the passport. However if countries do implement it without any protection, then possibilities exist that information concerning the passport they carry can be extracted from a distance.

Discussion

The question arises if the kind of evidence with the combination with many different databases, such as surveillance systems with non-structured data, is feasible. Also the amount of data that is collected grows very rapidly, and the question is if it is feasible to store this data in a proper way.

Furthermore, it is expected that there are more false positives when combining different databases. If a ‘cold’ hit is found in the database, which means that there was no prior information that a certain suspect would be involved in the case, false positives are possible. For example, if DNA would be collected of all citizens of the world, and the search would be against this database, then roughly at least 6 suspects would be found with current methods, and probably more since family relations are not accounted for.

The questions also arises if the databases are filled correctly. In most databases data entry errors exist. For this reason standardization of databases is required before the databases are searched through routinely. At final the evidence for one case might be stronger, since other relations that were not found before can also be used in a certain case. How far society would like to go with profiling in (forensic) databases, depends of course on the laws.Appendix RFIDS

Introduction

Radio Frequency Identification TAGS are expected to be used very often in products at retailers and cards for traveling. Currently the Wal-mart in the USA, Metro in Germany and Tesco in the United Kingdom are requiring RFID-tags on the products. Also the department of defense in the United States is requiring tags on the products from the suppliers. Tracking and tracing are the most important reasons for this requirements (also in the war in Iraq this was convenient for the transportation of equipment and tracking). Losing or misplacing products, parts or equipment will result in higher costs.

It is expected that in 2008 more than 20 billon RFID-tags are used[i] . Most of them will use the EPC-standard (Electronic Product Code). For reading those tags it is expected that 100.000 EPC-readers will be sold. It is expected that the tags will drop to several euro-cents per tag.

RFID-technology

A RFID-system consists of different components :
One or more tags (transponders), consist of a microchip and an antenna
One or more reader and writers including the RF-modules
Application software connected to the reader/writer

RFID-tags exist in two forms :
Active (with a power supply )
Passive (need power from the signal of the reader)

Active RFID-tags are somewhat larger and more expensive, however they can be used at a larger distance. Passive tags can be used in consumer articles and are cheap. They can also be used in labels.

Furthermore, RFID-tags can be read-only and read-write. The read-write tags are used with an encrypted identification number, where authorized users can change the information.

The retailers are requiring their suppliers, to use the Electronic Product Code (EPC). This standard has been developed by MIT’s Auto-ID center, and is managed by EPCglobal, which is a non-profit joint venture between two organizations : EAN (European Article Numbering) International and the Uniform Code Council. The second generation of UHF EPC-standard has been ratified in December 2004. In January 2005 this standard is submitted to ISO.

For RFID, the ISO standards concern :
Technology ISO 18000
Data content (ISO 15418, 15434, 15459, 24721, 15961 and 15962)
Device conformance test and performance (ISO 18046 and 18047)
Application Standards (ISO 10374, 18185, 11785)

Security of RFID

In July an article in Forbes [ii] presented a hackers guide to RFID. It would be easy to hack a tag, and change price information on a tag. After this there were also privacy concerns for the consumers. The cheap tags are just readable tags, and they can not be altered easily. Also when using a write-once tag, most often the price is not included in the product, since they will use a serial number for the product. It is however an aspect that has to be taken care of.

Example of RFID-labels from http://www.bluhmsysteme.com/rfid-etiketten.htm

Forensic aspects of RFID and profiling

RFID tags can be used also in forensic science, to follow a person based on the RFID-tags one carries in products. Example : there is a unique RFID-tagnumber on a package of cigarettes. A person steals this package in Amsterdam from a store. Theoretically it is possible that within European databases of stolen goods, the person can be arrested in Brussels when they scan the RFID-tags of this person. The same applies of course to the earlier mentioned passport with a chip. The key elements are RFIDs, in combination with databases and if stored properly, it can be used as evidence.

The use of standards makes it also easier for forensic science to develop tools to read out the information in a forensic proper way.


Privacy

Also EPC is worried about privacy aspects. For this reason they have implemented certain privacy guidelines[iii] :
Guidelines
1. Consumer Notice
Consumers will be given clear notice of the presence of EPC on products or their packaging. This notice will be given through the use of an EPC logo or identifier on the products or packaging.
2. Consumer Choice
Consumers will be informed of the choices that are available to discard or remove or in the future disable EPC tags from the products they acquire. It is anticipated that for most products, the EPC tags would be part of disposable packaging or would be otherwise discardable. EPCglobal, among other supporters of the technology, is committed to finding additional efficient , cost effective and reliable alternatives to further enable customer choice.
3. Consumer Education
Consumers will have the opportunity easily to obtain accurate information about EPC and its applications, as well as information about advances in the technology. Companies using EPC tags at the consumer level will cooperate in appropriate ways to familiarise consumers with the EPC logo and to help consumers understand the technology and its benefits. EPCglobal would also act as a forum for both companies and consumers to learn of and address any uses of EPC technology in a manner inconsistent with these Guidelines.
4. Record Use, Retention and Security
The Electronic Product Code does not contain, collect or store any personally identifiable information. As with conventional barcode technology, data which is associated with EPC will be collected, used, maintained, stored and protected by the EPCglobal member companies in compliance with applicable laws . Companies will publish, in compliance with all applicable laws, information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC use.
If they are properly used, and if the consumer can discard the EPC-tag easily from a product, this means that the example above with the package of cigarettes is not feasible, if the thief discards the RFID-tag.
Appendix Biometric Devices

The market of biometric devices is expanding rapidly, since it is convenient to use, and users can not forget their biometric properties. Some examples of biometric properties which are used in commercial systems:
Face
Fingerprint
Handscanner
Iris
Voice
Handwriting
In forensic laboratories also other means of biometric measurement are used for comparison:
DNA
Ear prints
Lip prints

In many countries DNA databases of persons who committed a severe crime and DNA found at the scene of crime are build, as well as a database of employees of the forensic science laboratories, to determine possible contamination. The laws forbid in many countries to use these data other then they are meant for (so for severe crimes, by court order and if applicable to the law).

In a world where no privacy laws exist, theoretically it would be possible to collect databases of fingerprints, iris scans, voice, hand writing and faces. These databases can be combined with another. If the databases are structured correctly, and not errors in names or links are made, these databases can be used to search for a person or a group of person by profiling. In such a way more crimes could be solved, and perhaps a stronger evidence is possible.

A problem is however that the 1:N comparison for example with faces, gives a high error rate. A good example is given at http://www.frvt.org/FERET/default.htm where a methodology has been used to examine different commercial packages and compare them with a standard database. If we look to the results of FRVT 2002, it can be concluded that on a database of 37,437 individuals which are read in a standardized form, first the 80 percent of the persons is identified (this means that 20 percent is identified incorrectly). After one year the identification rate drops with five percent. If we would have databases of millions of persons, there would be many false hits as is shown in the results :
71.5 % true accept rate @ 0.01 % false accept rate
90.3 % true accept rate @ 1.0 % false accept rate

Another test by NIST on fingerprints, gives a better results http://fpvte.nist.gov/ . We can see here by using single good quality fingerprints
99.4 true accept rate @ 0.01 % false accept rate
99.9 true accept rate @ 1.0 % false accept rate

When multiple fingerprints and face images (or even 3D-images) become available, the situation improves. In these systems bad quality images are not used. In practice when filling databases with real images, these will also be included, and results will drop down.





[i] TWA Nieuws, 43-2 www.twanetwerk.nl
[ii] http://www.forbes.com/home/commerce/2004/07/29/cx_ah_0729rfid.html
[iii] http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html

Friday, May 06, 2005

May 2005

If I look back to april, it was a busy month, however there were also some moment of reflection. I had several meetings in our laboratory, and of course some casework. Leo de Waal, our director, changed position to http://www.martiniziekenhuis.nl the Martini Hospital in Groningen. Furthermore, I had also a flue this month, so my schedule was somewhat disturbed.

I had several meetings outside the laboratory. One meeting was for FIDIS www.fidis.net in Berlin. We discussed on the progress and the further planning. Of course, Berlin is a real nice city to be, and the last time I visited Berlin was more than 6 years ago. Many things change in Berlin, however the good atmosphere remains.

The other meeting was of ENFSI Forensic IT with the Joint Research Center in Ispra. We discussed on our meeting in Amsterdam of ENFSI and validation of software tools. The meeting with FIDIS, IOCE and ENFSI-FIT will be scheduled from 14-16 September 2005. http://www.enfsi.org/ewg/fitwg/agenda/10 is the agenda of this meeting.

For FIDIS I also had to finish some papers, however I appear to be late on the schedules. One paper was on identity theft of biometric properties. Of course spoofing biometric systems is included in this one, as well as other methods which might influence their actual work in practice. The other text I am currently writing is on profiling.

Of course I also had to spend some time as a chairman of the Engineering Sciences group of the American Academy of Forensic Sciences. I am also considering to organize a workshop on digital video and imaging with a revised program.

I also had a week vacation in Hurghada, Egypt. We went with Memphis Air, an Egyptian charter company, however had a delay of 10 hours on Amsterdam Airport (that are those delays where each several hours they will tell you the flight is further delayed, so you have to remain at the airport). Of course many persons complained and are trying the new EU-regulations on delays, however with a non-EU or non-US carrier this might be more difficult. The planes that they chartered were good, and on the return flight even excellent (a new airbus A320). Of course Hurghada was also nice, with possibilities to swim and dive, and to visit Luxor. I also had time to read the books I had no time for before. Some forensic books (I also like to read on different topics of forensic science, so this time I read the book Forensic Facial Reconstruction of Caroline Wilkinson).

May will be a month with many holidays. We will organize several meetings and workshops for the police, and the Queen of the Netherlands, Queen Beatrix, will open our new facility of the Netherlands Forensic Institute in the Hague, www.nieuwbouwnfi.nl on May 25th http://www.koninklijkhuis.nl/NL/nieuws/Persberichten/2281.html .