Despite efforts by the credit-card industry
to force retailers to protect their customers' data, several recent
security breaches suggest that current requirements aren't enough.
Hannaford Bros., a unit of Belgium's
Delhaize Group SA, says it received a certificate on Feb. 27
stating it was fully compliant with the credit-card industry's
security protocols. But that same day, the New England supermarket
chain was informed by its card-transaction processor that there
appeared to be a problem with its customers' credit-card accounts. The
chain soon learned that data for 4.2 million cards may have been
Until now, most known retail-data
breaches occurred at companies that failed to comply with steps
mandated by a credit-card industry group called the Payment Card
Industry Security Standards Council, or PCI, in Wakefield, Mass. The
Hannaford attack -- and another disclosed last month at Okemo Mountain
Resort, a ski operator in Vermont -- has prompted retailers to seek
security systems well beyond PCI standards.
Hannaford last week announced the
adoption of two such measures. The company installed a round-the-clock
security monitoring-and-detection service provided by
International Business Machines Corp. to track all user log-ins.
The chain has also begun to encrypt all its customer card information
immediately from the time the card is swiped at the cash register, so
that data is scrambled all the way to the company's corporate servers,
from where it is sent to the credit-card company. "PCI is a good place
to start but retailers are going to have to go above and beyond PCI,"
said Bill Homa, Hannaford's chief information officer.
Says Bonnie MacPherson, a spokeswoman for
the ski resort, which lost card data for nearly 50,000 customers, "We
did everything we were supposed to." The company says it doesn't know
whether the breach resulted in any theft.
Joshua Jewett, information chief at
Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the
cash register systems at about 2,500 of the company's stores by August
with more data encryption than mandated by PCI. Both Hannaford and
Family Dollar are purchasing security systems from
Verifone Holdings Inc. of San Jose, Calif.
Until two years ago, retailers faced a
cacophony of security requirements, with each of the major credit-card
brands -- including Visa Inc., MasterCard Inc. and
American Express Co. -- issuing their own set of standards. Then
the credit-card industry established PCI, and consolidated the best
data security practices into a single, unified code.
The compilation, called PCI Data Security
Standards, requires such things as encrypting or masking customer
data, regularly updating antivirus software, restricting access to
card data to only certain authorized personnel and protecting stored
information with firewalls, among other things.
Retailers that fail to meet the
requirements are subject to fines.
In January, Visa announced that 77% of
its largest U.S. merchants became PCI compliant in 2007, up from 12%
in 2006. Compliance among midsize merchants grew to 62% last year from
15% the year before.
Credit card-related fraud grew to $5.49
billion in 2007 from $1.46 billion in 1997, according to industry
tracker Nilson Report. Law-enforcement officials attribute the rise to
new technological applications as well as increased participation by
international organized-crime groups.
Bob Russo, PCI's general manager, says
PCI believes its standards -- derived with input from more than 500
data-security specialists -- are adequate, but he adds that PCI is
still awaiting the results of investigations into the Hannaford and
Okemo breaches. "If there is something that's lacking in the
standards, then we'll address it immediately," he says.
In both the Hannaford and Okemo heists,
hackers attacked an area that previously had been thought impenetrable
-- a company's private internal computer network. Many previous
breaches involved wireless network systems.
PCI mandates that all transaction data
sent over networks that are publicly accessible -- such as in coffee
shops -- be encrypted, but it doesn't require that for transmissions
over internal private lines.
At Hannaford and Okemo, hackers managed
to install malicious software into the companies' private networks to
steal credit-card information being transmitted to processors for
"This kind of attack would not have been
possible if the credit-card data had been encrypted," says Avivah
Litan, a security analyst for
Gartner Inc. in Stamford, Conn.
Michael Cherry, an online-security
consultant, says companies can encrypt credit-card data at cash
registers, which PCI doesn't require, at minimal cost. "You can be
worry free for less than $100 per cash register," says Mr. Cherry.
Two companies that provide such
technology -- called personal identification number pad encryption --
are courting new customers, playing up Hannaford and Okemo's
Verifone Holdings is promoting its
VeriShield system, which was purchased by Family Dollar. A similar
product, called MagneSafe, is offered by MagTek Inc., of Carson,
Rob Caulfield, chief executive of
TrustCommerce, an Irvine, Calif., credit-data processor that works
with MagTek's clients, says he knows of about two dozen retailers
currently using MagTek encryption and about 300 others that "are
queuing up to become clients."
Meanwhile, PCI has been upgrading its
requirements for retailers as more information about vulnerabilities
is gleaned from data breaches. In February, PCI required merchants to
ensure that PIN pads are tamper proof and their credit-card data are
rendered useless if they are opened. The requirement follows a theft
last year where thieves stole PIN pads from Dutch retailer
Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and
accessed customers' debit-card passwords.
As of June 30, retailers must install
firewalls that prevent hackers from accessing internal company files
through software programs that are exposed to the Internet, such as
applications that handle online credit-card transactions. PCI also
plans to toughen its standards in September in the areas of wireless
transmissions, card-preauthorization procedures and software
applications that handle credit-card data. "From all the data breaches
we've seen, we're quickly learning that the point-of-sale is our
weakest spot in the payment chain," says Mr. Russo.
A technique reveals drugs
and explosives on the scene.
By Katherine Bourzac
A new method for examining fingerprints provides
detailed maps of their chemical composition while creating traditional images
of their structural features. Instead of taking samples back to the lab,
law-enforcement agents could use the technique, a variation on mass
spectrometry, to reveal traces of cocaine, other drugs, and explosives on the
Fingerprints are traditionally imaged after
coating crime-scene surfaces with chemicals that make them visible. These
techniques can be destructive, and different methods must be used, depending
on the surface under study, says John Morgan, deputy director of science and
technology at the
National Institute of Justice, the research branch of the U.S. Department
of Justice. "Mass-spectrometric imaging could be a useful tool to image prints
nondestructively on a wide variety of surfaces," says Morgan.
Traditional mass spectrometry, the gold standard
for identifying chemicals in the lab that uses mass and charge measurements to
parse out the chemical components of a sample, typically involves intensive
sample preparation. It must be done in a vacuum, and the sample is destroyed
during the process, making further examination impossible and eliminating
information about the spatial location of different molecules in the sample
that are needed to create an image.
R. Graham Cooks, a professor of analytical chemistry at Purdue University,
who led the fingerprint research, and his group used a sample-collection
technique that he developed in 2004 and that can be used with any
commercial mass spectrometer. Desorption spray ionization uses a stream of
electrically charged solvent, usually water, to dissolve chemicals in a
fingerprint or any other sample on a hard surface. "The compounds dissolve,
secondary droplets splash up and are then sucked into the mass spectrometer,"
explains Cooks. As the instrument scans over a surface, it collects thousands
of data points about the chemical composition, each of which serves as a
pixel. The mass-spectrometry method can create images of the characteristic
ridges of fingerprints that also serve as maps of their chemical composition.
In a paper published in the journal Science this
week, the Purdue researchers describe using the method to image clean
fingerprints and prints made after subjects dipped their fingers in cocaine,
the explosive RDX, ink, and two components of marijuana. "We know in the
old-fashioned way who it was" by providing information about the fingers'
ridges and whorls, says Cooks of the fingerprint-imaging technique. The
technique could also address the problem of overlapping fingerprints, which
can be difficult to tell apart: fingerprints made by different individuals
should have a different chemical composition. And "you also get information
about what the person has been dealing with in terms of chemicals," says
Winograd, a chemist at Pennsylvania State University, who was not involved
in the research.
Some of the chemicals found in fingerprints come
from things people have handled; others are made by the body. The metabolites
found in sweat are not well understood, but it's likely that they differ with
age, gender, and other characteristics that would help identify suspects, says
Cooks. Mass spectrometry could help uncover these variations. And Winograd
says that the chemicals found in fingerprints might also provide information
about drug metabolism and other medically interesting processes. Winograd,
Cooks, and many others have recently begun using mass spectrometry to study
molecular workings of cancerous tissues and cells. Mass spectrometry might
reveal that diagnostic information exists in sweat as well, says Winograd.
However, Morgan cautions that the work is
preliminary and that the technology may prove too expensive for widespread
adoption by law-enforcement agencies. Indeed, Cooks has not developed a
commercial version of the fingerprint-analysis instrument.
"They have a long way to go," agrees Michael Cherry,
vice chairman of the digital technology committee at the National Association
of Criminal Defense Lawyers, who has extensive experience interpreting
fingerprints. He says that Cooks's group has demonstrated the potential of the
technology. However, after examining some fingerprint images made using mass
spectrometry, Cherry says that the technology will require further development
to be good enough to hold up in court.
Copyright Technology Review 2008.
News Limited Researchers look to spot photo hoaxes 02.24.08, 2:51 PM ET
NEW YORK (AP) - Sometimes, a photo is simply too good to be true.
Tiny details in an image, for instance, may be too similar to have occurred
naturally, suggesting a cut-and-paste maneuver. Or the color patterns may be too
'normal' -- beyond the limitations of sensors on digital cameras.
A growing number of researchers and companies are looking for such signs of
tampering in hopes of restoring credibility to photographs at a time when the
name of a popular program for manipulating digital images has become a verb,
Adobe Systems Inc., the developer of Photoshop, said it may incorporate their
techniques into future releases.
"There's much more awareness and much more skepticism when (people) are
looking at images," said Kevin Connor, a senior director of product management
at Adobe. "That's why we think that's something we need to get involved in.
It's not healthy to have people be too skeptical about what they saw."
Meanwhile, camera maker Canon Inc. sells a data-verification kit with some
models. It can stamp digital photos with an invisible, mathematical summary of
the image, such that even one tiny change will produce a mismatch and flag the
photo as an alteration.
These techniques are of interest to law-enforcement officials and defense
attorneys because photographic evidence can make or break cases. News
organizations also have been increasingly exploring ways to spot hoaxes.
Not everyone is on board, however.
Michael Cherry, vice chairman of the Digital Technology Committee at the
National Association of Criminal Defense Lawyers, said too little is known
about the nuances of digital photography to put much trust in such detection
For example, Cherry said, using a photo printer rather than a laser printer
can make a color image look nicer but lose details, such that a gun appears
slightly off. The detection tools would reveal nothing, he said, because the
photo itself was never digitally tweaked.
Meanwhile, enhancements to bring out details, such as sharpening a fuzzy
surveillance image, may inadvertently turn a dark spot into something that
looks like a gun.
And when there is intent to deceive, people who have enough money, time and
skills can cover their tracks and evade any tamper detection, he said.
Lawyers and juries ultimately have to consider circumstances beyond the image
itself, Cherry said. For example, was the evidence available at the time of
the dispute or did it suddenly show up six months later — giving that person
time to manufacture it?
Researchers stand by their techniques.
"There will always be a countermeasure that cannot be prevented," said Jessica
Fridrich, a professor at Binghamton University. "We are trying to make it
harder for people who want to do these things to go unnoticed, undetected."
The key, she said, is to use tools in combination. A criminal or hoaxer might
be sophisticated enough to defeat one technique, but not all at once.
Fridrich's research takes advantage of the fact that all cameras have tiny
flaws, so small they don't affect what the eye can see. For example, her
software could analyze a set of photographs taken by the same camera and
notice that a certain, defective pixel is always dark. Seeing that pixel light
up would suggest an alteration.
Dartmouth College professor Hany Farid, meanwhile, has developed a set of
software tools he collectively calls Q-IF. He sells the programs for up to
$25,000 (€16,872) a year.
One tool looks for the use of clone stamp, a feature for duplicating or
erasing objects in an image. Two cloned flowers would appear identical and
lack expected blemishes.
Another exploits how cameras capture color images. Color is a mixture of red,
green and blue. Rather than have sensors that detect all three for each pixel,
they generally alternate in a specific pattern. That pattern gets disrupted
Other techniques include looking for inconsistencies in lighting and shadows.
A human still must make a final determination, and Farid admits he can never
be certain. His techniques got challenged in one criminal case, and
prosecutors withdrew him as an expert witness.
"If we don't find traces of tampering, we don't say it's real," Farid said.
"We say we find no traces of tampering. That's the best we can say."
Nonetheless, his tools are innovative enough to pique the interest of Adobe,
which is subsidizing his research.
Photoshop already has a logging feature, which can track and record every
change made along the way — standard procedure these days in law enforcement.
"You have an audit trail, even if you have gone in and made changes to the
image," said Cynthia Baron, author of "Adobe Photoshop Forensics: Sleuths,
Truths and Fauxtography." Adobe has no specific release schedule, though, on
tamper-detection tools. The worry is that these same tools can help hoaxers
test whether their changes escape notice.
"One of the things we've got to tackle," Conner said, "is to figure out if we
can put some of these features in without making it easier for people to
New Hampshire Union Leader (Manchester, NH)-March 21, 2008
Author/Byline: DENIS PAISTE New Hampshire Union Leader
MANCHESTER -- Ripples from the Hannaford security breach continued to spread
yesterday as Citizens Bank sent out replacement MasterCards to customers.
Citizens determined which customers would get new cards based on reports from
MasterCard as well as its own internal investigation, spokesman Chris Grenier
"People will start getting them tomorrow (Friday) through the early part of next
week," said Grenier, who is community relations manager at Citizens Bank New
Citizens declined to say how many cards are being replaced.
Citigroup Inc. has also begun issuing replacement cards, but a spokesman would
not confirm specifics, instead issuing a general statement.
"As a preventative measure, we notify and issue new credit cards to some
customers whom we believe may be subject to increased risk. We do so in order to
minimize any inconvenience to our customers," Samuel Wang, vice president of
public affairs for Citigroup Global Consumer Group, said in an e-mail. "For
security reasons, we do not discuss details of the potential compromises, such
as the number of customers potentially at risk or our specific actions in each
case to detect and prevent fraud."
A Manchester customer confirmed that his Citigroup credit card had been shut
down and he had been notified he would be getting a new card.
The attack on Hannaford stores in the Northeast and its affiliated Sweetbay
outlets in Florida revealed 4.2 million card numbers between Dec. 7 and March
10, the Associated Press reported yesterday. Apparently, about 1,800 cards have
been used fraudulently. The U.S. Secret Service is investigating.
Also yesterday, the AP reported that Lasell College in Newton, Mass., said a
hacker accessed data containing personal information on about 20,000 current and
former students, faculty, staff and alumni. The college said it believes the
hacker was an employee.
Michael Cherry, president of Cherry Biometrics Inc. and vice chairman of the
Digital Technology Committee for the National Association of Criminal Defense
Lawyers, faulted Hannaford for the extent to which it used encryption on its
Apparently, hackers captured data while it was being transmitted internally
through Hannaford computer systems, the AP reported. (See related article.)
"If they would have encrypted it at every step," it would have enhanced data
security, Cherry said.
He added: "At the end of the day, there is a cost of doing business, and the
cost of doing business is a safe set of customers. And if that means that you
have to get faster computers, which you would have to do eventually anyway,
that's what the cost of doing business is.
"You can't expose 4 million customers because you didn't want to spend the money
for some upgrade. It's just morally wrong."
MasterCard Worldwide would not disclose details of the Hannaford breach.
Spokesman Chris Monteiro wrote in an e-mail: "In response to a potential
security breach involving a U.S.-based company, MasterCard has notified the
banks that issued cards which could be at risk to monitor for any suspicious
account activity and take the necessary steps to protect cardholders.
"If a cardholder is concerned about his or her individual account, they should
contact their issuing financial institution," the MasterCard spokesman wrote.
Visa and other major credit cards were also compromised in the Hannaford breach.
New Hampshire Bankers Association President Gerald H. Little said yesterday it's
difficult for banks to know whether to shut off someone's debit or credit card
and reissue the card.
"Some folks want that to be done immediately," he said.
But others are unhappy about the inconvenience.
"By and large, they don't get angry at the retailer that caused the data breach,
they get angry at the bank," he said.
He said that because Hannaford's business is concentrated in the Northeast, the
breach has the potential to wreak as much havoc as the TJX Cos. intrusion last
year that captured millions of credit card numbers.
Citizens Bank spokesman Grenier said customers can continue to use their
existing cards until they receive new ones. They are not being charged for the
Carol Landry, director of deposit and lending operations at St. Mary's Bank in
Manchester, said Wednesday the credit union hadn't seen any signs of fraud
related to the Hannaford breach.
"Our members have zero liability with their Visa debit card," Landry said. "We
are monitoring their transactions with fraud protection software, and it's
business as usual."
Customers have to report suspicious activity to their bank, usually within 48
hours of when they first become aware of it.
Portsmouth woman says she is a victim
PORTSMOUTH (AP) -- A Portsmouth woman says that she was one of thousands of
Hannaford customers who had their credit card numbers stolen.
The woman, who asked not to be identified, said yesterday she discovered foreign
transaction fees and charges from Bulgaria on this month's credit card
The charges totaled $1,500 and happened on March 3 and 4, about a week after her
last visit to a Hannaford in Farmington.
She called Hannaford, which told her to cancel her card, a step she had already
taken. The charges were waived by her credit card company.
The FBI is investigating to determine if the charges were the result of a
security breach at Hannaford that exposed more than 4 million customer card
numbers to thieves since December.
Kevin Leonard is an attorney who has filed a class action lawsuit against
Hannaford on behalf of three New Hampshire customers who have not seen any
fraudulent charges yet.
He said his clients are concerned that their identity and financial safety are
Record Number: 11F99E0E27C0B648
Copyright 2008 Union Leader Corp.
USA Today (Magazine)Date: 6/1/2007
matches--key to fighting international terrorism and keeping criminals off the
street--no longer are foolproof, warns Edward Imwinkelried, professor of law at
the University of California, Davis. He contends that the reliability of
fingerprint identification has declined while the population of the world--and
its fingerprints--has exploded. "We can no longer naively assume the reliability
of our current fingerprint standards," he stresses. "Given the stakes--not only
justice in a particular case, but national security itself--we must do better."
Imwinkelried and his research co-author Mike Cherry, who is vice chair of the
digital technology committee of the National Association of Criminal Defense
Lawyers, urge reforms.
matching process identifies ridges within a fingerprint and categorizes it into
one of three general patterns--including loops, arches, and whorls--and their
subpatterns, and maps predetermined shapes and contours. A fingerprint is said
to match when the pattern, subpattern, and some of the shapes and contours
roughly correspond with each other.
In the late
1800s, Sir Francis Galton developed the first system for classifying and
identifying fingerprints. He is quoted as having said that the odds of two
individual fingerprints being the same are one in 64,000,000,000. The authors
point out that the current world population exceeds 6,000,000,000 persons, and
most have 10 prints. In short, they say, the world population of fingerprints
now exceeds the odds Galton estimated.
At the same
time, the authors maintain, fingerprint matching techniques that once used cards
and then analog photographs to compare up to 10 fingerprints have been taken
over by automated computerized systems that use less precise digital images and
pre-screen matchers that sometimes use only a single index finger. "If we're
going to rely on the computer technology for the Watch List on terrorism, when
we do background checks ... we've got to have some assurance the computer system
is reliably accurate," warns Imwinkelried. He is co-author of "Scientific
Evidence," one of the leading treatises in its field that has been cited on
several occasions by the Supreme Court.
and Cherry call for high-powered computer analysis of existing fingerprint
databases--data mining--to detect new patterns and develop new criteria for
matching fingerprints. They also urge the return to the Henry Fingerprint
Classification System, which uses all 10 fingers to classify an individual. The
Henry System, Imwinkelried and Cherry insist, would better help identify
suspects who use aliases and would prevent criminal suspects like alleged serial
killer Jeremy Jones from being re-released after each arrest because just one
print is used for matching. "If analyzed properly, fingerprints can be as
accurate as DNA," they conclude
Adding to Security but Multiplying the Fears
February 26, 2007
By ADAM LIPTAK - NY Times
Foreigners arriving at the American border must present both index fingers
for fingerprinting, but that will soon change. The Department of Homeland
Security now wants 10 fingers.
The two-print system was largely a biometric backup, an added level of
security to supplement and verify a passport or a visa. The 10-print system adds
a powerful investigative tool.
"When we have a fingerprint of a terrorist who has left behind a bomb or an
I.E.D. in Iraq or has left his fingerprint in a safe house somewhere, we don’t
always have the two index fingers," Paul Rosenzweig, a Department of Homeland
Security official, said at a briefing in December. "It could be the pinkie or
the thumb. And thus by moving to a 10-print system, we will enhance our ability
to use biometrics to enable us to identify threats before they occur in the
Call it biometric mission creep.
People concerned about privacy and civil liberties say they fear the creation
of gigantic biometric databases ripe for data-mining abuse. They note that Mr.
Rosenzweig was a supporter of the Total Information Awareness program at the
Defense Department, which had planned, as the Pentagon put it, to create "ultralarge
all-source information repositories." The program was shut down in 2003 because
it scared people.
The administration’s last-ditch defense of that effort was telling, too. It
changed the name to the Terrorism Information Awareness program.
There is a pattern here, said Marc Rotenberg, the executive director of the
Electronic Privacy Information Center. "These techniques that are sold to us as
necessary to identify terrorists inevitably become systems of mass surveillance
directed at the American people," Mr. Rotenberg said.
In an interview, Robert A. Mocny, the acting director of U.S.-Visit, the unit
in the Department of Homeland Security that is in charge of the fingerprint
program, said all the right things. "We cannot," Mr. Mocny said, "have a
reaction to 9/11 such that we’re sacrificing privacy and civil liberties on the
altar of security."
But the privacy folks have a point. Once information is captured, it must be
tempting to use it. With little discussion, for instance, driver’s license
photographs have been dumped into enormous digital databases, ripe for searches
with facial recognition technology. Police departments have started to use the
databases to find people and identify suspects. That may be a fine idea, but it
is one that has been pursued without real debate or disclosure.
Mr. Mocny made a persuasive case that the move to 10 prints enhanced the
legitimate goals of identification and investigation.
"We’ve identified 1,800 people who’ve tried to lie their way into the United
States, and their fingerprints tripped them up," he said.
The 10-print program will, he said, make identifications even more reliable.
"We’re now at 80 million-plus individuals in the system," he said. "With that
many fingerprints, they start to look alike." More fingers, he said, means more
On the investigative side, more fingerprints give the authorities more
opportunities to check them against a watch list of 2.5 million prints that
includes, he said, "known and suspected terrorists," sexual predators and people
wanted on criminal and immigration charges.
But there are real questions about the reliability of the technologies
employed. Though fingerprint evidence is widely assumed to be close to
infallible, recall the $2 million the federal government paid in November in the
settlement of a lawsuit filed by Brandon Mayfield.
Mr. Mayfield, a lawyer in Oregon, was arrested in 2004 after the F.B.I.
definitively and mistakenly concluded that his fingerprints matched one taken
from a plastic bag containing detonator caps found at the scene of the bombings
in Madrid that year.
"Fingerprints work fine when you have a bank robbery in Chicago," said
Michael Cherry, vice chairman of the digital technology committee of the
National Association of Criminal Defense Lawyers. But matching a partial
fingerprint of poor quality and uncertain vintage collected in Afghanistan or
Iraq to a database of global scope is a different matter.
The 10-print strategy, Mr. Cherry said, is a "technical nightmare that will
produce many Brandon Mayfields."
At an American Bar Association conference in November, Michael Chertoff, the
secretary of Homeland Security, said the 10-print program "creates a powerful
deterrent for anybody who has ever spent time sitting in a training camp and
training or building a bomb in a safe house or carrying out a terrorist mission
on a battlefield."
Those terrorists, presumably, will be deterred by not wanting to test the
nation’s border security. Or the deterrent may be a different one: encouraging a
generation of young jihadists to wear gloves.
"Unless you believe there’s a constitutional right or a civil liberties right
to have phony documents or to pretend to be someone you’re not, I don’t really
see the cost in civil liberties," Mr. Chertoff told the assembled lawyers.
"By the way," he added, "we’ll be collecting all of your glasses after
Academics warn of fingerprint biometrics weaknesses
January 24, 2007
Experts from the University of California, Davis
warned this week that the reliability of fingerprint biometrics has declined
considerably due to technological concerns and a growing world population.
Law Professor Edward Imwinkelried and
biometrics expert Mike Cherry released their
findings this week in an article for the law journal Judicature
about improving fingerprint identification.
"We can no longer naively assume the reliability
of our current fingerprint standards," the pair wrote. "Given the stakes -
not only justice in a particular case but national security itself - we must
Imwinkelried and Cherry, who is vice chairman of
the digital technology committee of the National Association of Criminal
Defense Lawyers, said that the majority of the computerized systems used to
match and categorized ridge patterns within fingerprints are far too
imprecise for the important applications for which they are increasingly
"If we're going to rely on the computer
technology for the watch list on terrorism (or) when we do background
checks, we've got to have some assurance the computer system is reliably
accurate," Imwinkelried said.
The world’s growing population also exacerbates
the problem. When the first system for classifying and identifying
fingerprints was created in the late 1800s, its creator said that the
chances of two identical fingerprints were one in 64 billion.
Imwinkelried and Cherry said they worry that
with the world population exceeding six billion, and with most owning 10
fingers, the pool of fingerprints exceeds those odds.
The pair wrote that improvements in biometrics
need to be made by
mining data from existing fingerprint databases to
detect new patterns and classifications for fingerprint matching. They also
encouraged law and industry to go back to using 10 fingers to classify an
individual, a practice that has gone out of favor.
Fingerprinting reforms at hand
A novel means of print detection may be a golden
opportunity to improve fingerprinting processes. Why is no one paying attention?
As most crime scene experts know, dusting for
fingerprints can sometimes destroy parts of the prints, erasing potentially
valuable forensic clues.
fingerprinting methods involve treating samples with powders, liquids or
vapors to add color to the fingerprint so it can be easily photographed, a
process called contrast enhancement.
But fingerprints left on many substances such
as fibrous papers, textiles, wood, leather, plastic, multi-colored
backgrounds and human skin can sometimes be difficult to detect this way.
Plus, children's fingerprints are often more difficult to detect than adult
prints due to the absence of an oily substance called sebum and the presence
of other fatty acid deposits unique only to children.
Any improvements in detection techniques that
can be forensically useful are welcome, and a group of government chemists
believe they have an answer.
Researchers at the Los Alamos National
New Mexico say they
have developed a novel means of detecting fingerprints using X-rays that
don't disturb the print in any way. The technique also is able to reveal
chemical markers that could give investigators new clues for tracking
suspects and missing persons.
The technique uses a process called microbeam
X-ray fluorescence (MXRF), which rapidly reveals the elemental composition
of a sample by irradiating it with a thin beam of X-rays without disturbing
This method is important because it does not
require using developing agents to treat the print.
"We collect an image of a print pattern intact
without altering its composition," says Christopher Worley, an analytical
chemist at Los Alamos.
The research, however, has stalled at an
unforeseen snag. The researchers have run out of money.
"The research is currently at a standstill
awaiting additional funding," Worley says. "So far, we have not been able to
find anyone interested, willing and able to provide funding to pursue the
So far the research is proof-of-concept only, to demonstrate the
possibility of detecting fingerprint patterns using MXRF, whereby the
fingerprint pattern is determined by detecting inorganic elements present in
the print residue.
"Thus, we both detect the print pattern
digitally and collect chemical information from the print as well," Worley
Fingerprints contain detectable quantities of
salts, such as sodium chloride and potassium chloride, excreted in sweat.
The Los Alamos researchers have shown they could detect the sodium,
potassium and chlorine from these salts. Since these salts are deposited
along the patterns present in a fingerprint, an image of the fingerprint can
be visualized producing an elemental image for analysis.
Worley says the technique is another tool to
be used in an attempt to visualize a print that might be difficult to detect
with current powder or chemical treatment methods. He stresses that MXRF
work is proof-of-concept only.
"We are not claiming we have a method to
replace current protocols," he says. Rather, Worley believes this method
compliments current techniques.
"While this method currently requires a prior
knowledge of the print location, it clearly has some advantages over
contrast-based techniques for special cases," he says.
For example, a print left from a finger coated
with a residue such as gunpowder might be detectable from the sulfur and
potassium content. Other distinctive fingerprint examples, such as those
containing lotion, sunscreen, saliva or certain food residue, can be
detected by MXRF based on inorganic elemental constituents.
"Because MXRF is a spectroscopic method, the
elemental composition of a fingerprint is examined, and visual contrast with
the substrate is irrelevant," Worley says.
Thus, if sufficient detectable residue is
present, the print can be identified regardless of the background color.
"It is also a non-invasive tool, so the sample
remains intact for other analysis or archiving," he says. Volatilization of
water, oils and other organic components over time should not hinder print
identification since only inorganic elements are detected.
X-ray fluorescence itself is not a new
technology. The phenomenon is widely used for chemical analysis,
particularly in the investigation of metals, glass, ceramics and building
materials, and for research in areas such as geochemistry and archaeology.
But this is the first use of MXRF (XRF performed with micrometer-size beam)
for fingerprint detection.
In the line of beauty
One of the nation's leading experts on scientific evidence greeted
Worley's MXRF work with enthusiasm.
"The beauty of this new visualization
technique is that it permits you to visualize the latent without altering
it," says Edward Imwinkelried, law professor at the University of
California -- Davis
and former chair of the evidence section of the American Association of Law
Any alteration in the visualization stage can
distort subsequent stages in the process.
"If the print is altered in visualizing it, it
does not matter how accurately the visualized print is recorded -- that
image will not be an accurate depiction of the fingerprint impression at the
crime scene," he says.
Imwinkelried, coauthor of the third edition of
"Scientific Evidence," one of the leading treatises in its field that has
been cited on several occasions by the U.S.
recently warned that existing fingerprint matches key to fighting
international terrorism and keeping criminals off the street are no longer
"We can no longer naively assume the
reliability of our current fingerprint standards," he writes in "How We Can
Improve the Reliability of Fingerprint Identification," a paper published in
a recent issue of "Judicature," co-authored by criminal defense attorney and
biometrics expert Michael Cherry, president of Cherry Biometrics. "Given the
stakes, not only justice in a particular case but national security itself,
we must do better."
Calls for reform
Cherry and Imwinkelried urge reforms.
The first system for classifying and
identifying fingerprints was developed in the late 19th century by Sir
Francis Galton, known for his famous quote that the odds of two individual
fingerprints being the same are one in 64 billion.
Cherry and Imwinkelried are concerned that
since the current world population exceeds 6 billion persons -- each usually
with 10 prints -- the world population of fingerprints now therefore exceeds
They also worry that fingerprint matching
techniques which once used cards and then analog photographs to compare up
to 10 fingerprints have been taken over by computerized systems using less
precise digital images, and pre-screen matchers sometimes use only a single
"If we're going to rely on computer technology
for the watch list on terrorism and for background checks ... we've got to
have some assurance the computer system is reliably accurate," says
He and Cherry call for the high-powered
computer analysis of existing fingerprint databases, called data mining, to
detect new patterns and develop new criteria for matching fingerprints.
They also recommend the return to the Henry
Fingerprint Classification System, which used all 10 fingers to classify an
individual. The Henry system, Imwinkelried and Cherry say, would better help
identify suspects who use aliases and would prevent criminal suspects, like
alleged serial killer Jeremy Jones, from being re-released after each arrest
by technical glitches in the
FBI system. Jones is
accused of committing several murders after he was repeatedly freed
following arrests for other minor offenses. Because only one print was used
for matching, the fingerprint-matching system failed to detect that he was
using an alias.
"If analyzed properly, fingerprints can be as
accurate as DNA," the authors say.
In an earlier "Judicature" article, Cherry and
Imwinkelried argued for greater skepticism of using computerized fingerprint
analysis, especially for its reliance on digitized images of fingerprint
"The bottom line is that digital images are
simple, incomplete approximations of the images they attempt to capture,"
they wrote. The authors encourage courts to take a more skeptical look at
fingerprint testimony, recommend that computer systems check as many
fingerprints as are available and advise greater scrutiny of the matching
criteria embedded in the programs that match fingerprints.
Right on the money
The Cherry-Imwinkelried articles relate to later stages in fingerprint
analysis than the Worley MXRF visualization method. More specifically, they
address the question of how prints should be recorded after visualization,
the limitations of digital images and the criteria that the computer or
human examiner uses to make the match or no-match decision.
Imwinkelried believes the entire
fingerprinting system is so fraught with unreliability, enhancements at any
stage are welcome.
"I applaud an improvement at any stage in the
fingerprint process," Imwinkelried says. "Law enforcement and national
security depend vitally on the validity of fingerprint analysis, and this
research promises an improvement in the earliest stage of the process."
A number of issues remain to be pursued with
the Worley method before it's available, not the least of which is designing
an X-ray instrument specifically for analyzing fingerprints in the field.
The instrument Worley used in the lab for his concept work was built for a
variety of material analysis applications and not specifically for
fingerprints. It is therefore not optimized for detecting trace levels of
chemicals found in some types of prints. Optimization is possible with
$2 million, apology settle FBI fingerprint error case
By Sam Howe Verhovek, LA Times Staff Writer
November 30, 2006
SEATTLE — A misidentified
fingerprint cost federal taxpayers $2 million Wednesday and led to an unusual
formal apology to Brandon Mayfield, a Muslim lawyer in Oregon whom the FBI says
it wrongly named as a suspect in the 2004 Madrid train bombings.
The federal government "regrets that it mistakenly linked Mr. Mayfield to this
attack," according to the apology issued by the Justice Department. It added
that the FBI had implemented measures to "ensure that what happened to Mr.
Mayfield and the Mayfield family does not happen again."
But Mayfield, who under the settlement can still proceed with a legal challenge
to the controversial Patriot Act, said the nightmare he endured could happen to
"I look forward to the day the Patriot Act is declared unconstitutional and all
citizens are safe from unwarranted arrest and searches by the federal
government," Mayfield said in a statement.
Mayfield was detained in May 2004 after federal officials matched his
fingerprint to one found on a bag of detonators in Madrid after the March 11,
2004, commuter train bombings that killed 191 people.
Two weeks later, however, Spanish police said the print belonged to an Algerian
man, and the U.S. government said it had made a mistake.
The case highlighted the error potential for fingerprint matching, which some
experts say is unacceptably high.
"This is a tip-of-the-iceberg phenomenon," said Simon A. Cole, a professor of
criminology, law and society at UC Irvine and author of "Suspect Identities: A
History of Fingerprinting and Criminal Identification."
"The argument has always been that no two people have fingerprints exactly
alike," Cole said. "But that's not what you need to have an error. What you need
is for two people to have very similar fingerprints, and that's what happened
Michael Cherry, president of Cherry Biometrics, an identification-technology
company, said misidentification problems could grow worse as the U.S. and other
governments add more fingerprints to their databases.
"I really believe there are a lot more Mayfields out there," Cherry said. "We
just don't know about these cases because the Spanish police don't always get to
oversee them. We simply don't have an identification standard that fits with
In a report on the Mayfield case in January, the Office of the Inspector
General, the Justice Department's internal watchdog, said FBI experts had
overlooked "important differences" between Mayfield's prints and those of the
Algerian man, and had essentially ignored information from Spanish police that
pointed to the other suspect.
"We believe that the FBI laboratory's overconfidence in the skill and
superiority of its examiners prevented it from taking the [Spanish report] as
seriously as it should have," Inspector General Glenn A. Fine said in a summary
of that report.
The Justice Department reiterated its contention that mistakes in fingerprint
identification were extremely rare.
"The inspector general made suggestions for improving the FBI's fingerprint
identification process, and the FBI has adopted many of those suggestions," said
Tasia Scolinos, director of public affairs for the Justice Department.
Mayfield, a former Army lieutenant and a convert to Islam, said Wednesday that
the government had "targeted me and my family because of our Muslim religion."
But Fine, in his report, concluded that Mayfield's faith was not the reason the
FBI came after him, and he said agency officials had not misused the Patriot
Act, which Congress passed after the 2001 terrorist attacks.
President Bush and other defenders of the act say it is an important
anti-terrorism tool, but critics say it has handed the government too much
surveillance and wiretapping power and tramples on civil liberties. Mayfield's
challenge contends the act violates the constitutional guarantee against
unreasonable government searches.
Times staff writer Lynn Marshall contributed to this report.
Fingerprint matches -- key to fighting international terrorism and keeping
criminals off the street -- are no longer foolproof, warns a law professor at
the University of California, Davis.
Edward Imwinkelried, one of the nation's leading experts on scientific
evidence, and co-author Mike Cherry, who designs identification systems, say
the reliability of fingerprint identification has declined while the
population of the world -- and its fingerprints -- has exploded.
"We can no longer naively assume the reliability of our current fingerprint
standards," they write in "How We Can Improve the Reliability of Fingerprint
Identification," an article recently published in Judicature. "Given the
stakes -- not only justice in a particular case but national security itself
-- we must do better."
Imwinkelried, the Edward Barrett Jr. Professor of Law at UC Davis, and
Cherry, who is vice chair of the digital technology committee of the National
Association of Criminal Defense Lawyers, urge reforms.
The current matching process identifies ridges within a fingerprint and
categorizes it into one of three general patterns -- including loops, arches
and whorls -- and their subpatterns, and maps predetermined shapes and
contours. A fingerprint is said to match when the pattern, subpattern and some
of the shapes and contours roughly correspond with each other.
Population and digitization
In the late 1800s, Sir Francis Galton developed the first system for
classifying and identifying fingerprints. He is quoted as having famously said
that the odds of two individual fingerprints being the same are one in 64
billion. The authors point out that the current world population exceeds six
billion persons, and most have 10 prints. In short, they say, the world
population of fingerprints now exceeds the odds Galton estimated.
At the same time, the authors say, fingerprint matching techniques that
once used cards and then analog photographs to compare up to 10 fingerprints
have been taken over by automated computerized systems that use less precise
digital images and pre-screen matchers that sometimes use only a single index
"If we're going to rely on the computer technology for the Watch List on
terrorism, when we do background checks ... we've got to have some assurance
the computer system is reliably accurate," said Imwinkelried. He is co-author
of "Scientific Evidence," one of the leading treatises in its field that has
been cited on several occasions by the U.S. Supreme Court.
Call for new matching criteria
Imwinkelried and Cherry call for high-powered computer analysis of existing
fingerprint databases -- data mining -- to detect new patterns and develop new
criteria for matching fingerprints. And they urge the return to the Henry
Fingerprint Classification System, which used all 10 fingers to classify an
The Henry system, Imwinkelried and Cherry say, would better help identify
suspects who use aliases and would prevent criminal suspects like alleged
serial killer Jeremy Jones from being re-released after each arrest because
just one print is used for matching.
"If analyzed properly, fingerprints can be as accurate as DNA," they say.
In an earlier Judicature article, Cherry and Imwinkelried argue for greater
skepticism of the use of computerized fingerprint analysis, especially for its
reliance on digitized images of fingerprint patterns. "The bottom-line is that
digital images are simple, incomplete approximations of the images they
attempt to capture," they write.
The two authors call on courts to take a more skeptical look at fingerprint
testimony, recommend that computer systems check as many fingerprints as are
available, and advise greater scrutiny of the matching criteria embedded in
the programs that match fingerprints.
Before the digital print system Livescan was incorporated at police departments and Department of Motor Vehicle locations across the country, prints were catalogued manually in ink using the Henry Fingerprint Classification System. Individual cards were organized in giant files, not alphabetically, but according to the prints' patterns, such as arches, whorls or loops.
Today, prints are gathered digitally using Livescan and can be shared among agencies in a matter of minutes. While police departments require all 10 prints for occupational screening and citizenship applications, first-time visitors to the United States are printed for only two fingers.
Collected prints are then checked against an FBI database of fingerprints found at crime scenes or terrorist training camps. Imwinkelried and Cherry assert that if the FBI database contains single or partial prints, the system could fail to make a positive match because the prints collected at, for instance, an airport security station were different fingers from the same person.
According to the authors, an integrated look at all 10 fingers, including comparisons among neighboring fingers, would drastically improve the chances of a match, even with partial prints.
The future of fingers
Lee Willis, a supervisor in the Sacramento Police Department's forensic division, said there are some potential problems with the digital system, although they mostly include the actual gathering of prints.
"If people routinely handle a lot of paperwork ... or are older, it makes their prints less clear," Willis said. She added that anxious job applicants often complain about the time it takes to secure a Livescan appointment.
The latter problem, however, echoes the huge growth in demand for prints pointed out by Cherry and Imwinkelried. Their report estimates that roughly 50,000 prints are processed every day nationwide. According to Willis, the Sacramento area alone processes about 3,000 Livescan files every year.
Upgrading a system that handles such immense numbers might appear to be a daunting task. Even so, Imwinkelried alluded to past court cases that have demonstrated the "consequences of false negatives" due to failed matches. By ensuring that travelers provide 10 prints, and by modifying computer programs to support "the Henry System, alphabet indexing, and individual fingerprint indexing," Imwinkelried is confident that such misses could be avoided.
Lee Willis agreed that such an investment would be plausible. "We already collect 10 prints, plus a palm print for every Livescan," Willis said. Asked if it would be possible to do the same for travelers, Willis said, "I don't think that's an impossibility."
MAIA BRADLEY can be reached at firstname.lastname@example.org.
Jail unlocked for alleged serial killer
FBI analysis misses fingerprint match in `worst-case scenario'
By Steve Mills and Flynn McRoberts, Tribune staff reporters. The
Associated Press contributed to this report
Published May 5, 2005
An FBI computer failure allowed a sex-crime fugitive to go free in
Georgia last year, a mistake that authorities now say came with a
human toll: The man allegedly committed two murders following his
The FBI acknowledged the computer error this week and, in an effort
to prevent another such failure, has begun rechecking fingerprints
from hundreds of fugitives wanted for the most serious crimes.
"This is obviously a worst-case scenario for us," said Paul Bresson,
an FBI spokesman, contending that the bureau's computer comparisons
are 95 percent accurate. "We're able to identify thousands of
fugitives every month . . . [but] there are going to be instances
where the computer doesn't catch it. And in this case it was the
most tragic of all consequences."
The disclosure was the second recent embarrassment for the FBI's
vaunted fingerprint identification system. A year ago, FBI examiners
falsely implicated an Oregon lawyer in the Madrid train bombings.
Unlike the case of attorney Brandon Mayfield, in which human error
caused an innocent man to be arrested, the latest mistake involved
the FBI's massive fingerprint database and allowed a suspected
criminal to walk free--and, allegedly, commit murder.
Jeremy Bryan Jones, 32, released on a trespassing charge in January
2004, also has been charged with a third killing, in Louisiana, and
has been named as a suspect in at least five other slayings in three
Jones was using an alias when he was arrested on the trespassing
charge in Georgia. Local police sent his fingerprints to the FBI,
but the bureau's computer failed to match them with Jones, who had
been wanted since 2000 in Oklahoma on a sexual assault charge, the
The bureau said it did not realize Jones had been in the database
until September, when he was charged with raping and murdering Lisa
Nichols of Turnerville, Ala.. Jones is being held in Alabama, where
a grand jury indicted him Monday on a count of capital murder.
Jones has been named a suspect, but has not been charged, in at
least two other killings in Georgia, two in Oklahoma and one in
Law-enforcement and other agencies across the country submit roughly
50,000 fingerprint-comparison requests a day to the FBI's Integrated
Automated Fingerprint Identification System, which contains 45
million sets of prints.
Given the size of the system, some experts said errors are bound to
occur. "Understanding the system, you're looking for the needle in
the haystack," said Alan McRoberts, editor of the Journal of
Forensic Identification, "and occasionally you're going to miss."
Others were less forgiving.
"This tragic error, like the misidentification in the Mayfield case,
further calls into question . . . the reliability of fingerprint
analysis generally," said Robert Epstein, who as an assistant
federal defender in Philadelphia was one of the first to challenge
the century-old discipline of fingerprint comparison.
Like more than 80 percent of the fingerprints submitted to the FBI's
database facility in Clarksburg, W.Va., Jones' fingerprints were
sent to the FBI as digital images.
Imaging experts have warned that the relatively poor quality of many
digital images can lead to errors.
"This shows that false negatives are just as bad as false
positives," said Michael Cherry, a biometric expert, adding that
digital images of fingerprints "don't have enough detail, and we're
going to make mistakes."
Asked if there was not enough detail in the digital image submitted
by Georgia authorities for the computer to recognize Jones'
fingerprints, FBI officials said they would not know until the
bureau completes an internal review of the case.
Defenders of the computer system noted that it is a big improvement
over how the FBI compared fingerprints until the last decade. Before
the ID system went online, police submitted inked print cards by
mail and waited days or weeks to get a response from technicians who
compared them by hand.
"If there were no [Fingerprint Identification System] at all, the
guy might still be out there," said Ronald Singer, former president
of the American Academy of Forensic Sciences.
ATLANTA, May 4 - The F.B.I. defended itself on Wednesday after
admitting that it had missed a fingerprint match for a man who the
authorities say went on to kill three women and one teenage girl in
The man, Jeremy B. Jones, was arrested for minor offenses in Georgia
in January and June 2004. But Mr. Jones was released when
computerized fingerprint checks did not turn up a 2000 warrant for
him for rape, sodomy and jumping bail in Oklahoma.
The killings, most preceded by abduction and rape, have gripped
communities and frustrated investigators. In one case, residents of
Forsyth County, Ga., searched for a missing hairstylist for months
before the sheriff said Mr. Jones had confessed to killing her.
"The F.B.I. regrets this incident," Thomas Bush III, the assistant
director of Criminal Justice Information Services at the bureau,
said in a statement released Tuesday in response to inquiries from
The Atlanta Journal-Constitution.
The agency said the mistake was "a result of a technical database
error, not a human examiner failing to make an appropriate match."
In a telephone interview on Wednesday, Mr. Bush said the system was
more than 98 percent accurate and a vast improvement over manually
matching fingerprint cards, a process that used to take 15 to 25
The computerized system, called the Integrated Automated Fingerprint
Identification System, was instituted in 1999 and usually has
results in less than two hours, he said.
"It's an exceptional tool for law enforcement," Mr. Bush said. "Is
it perfect? No."
Critics of the F.B.I. say the system's image resolution is too low
and the agency's faith in it is too high.
"Since they've gotten involved with computers, they've screwed up
everything," said Michael Cherry, a biometrics expert in New Jersey.
Mr. Jones, 32, is by many accounts a charming man. He told The Daily
Oklahoman that until he developed a methamphetamines habit, people
in his hometown, Miami, Okla., thought he could be president.
The drug, he said, led him down the wrong path, one that might have
been cut short at his first arrest in Georgia last year had he been
correctly identified. At that time, there was a warrant for his
arrest on charges stemming from two rapes in 1996 in Oklahoma and a
third rape in 2000. For the first two, he pleaded guilty to sexual
battery and methamphetamine possession. In 2000, he jumped bail.
By 2004 Mr. Jones was living just west of Atlanta, where he was
picked up in January on charges of trespassing. He gave the name
John Paul Chapman. His prints were sent to the F.B.I. to run against
the national database. No match turned up, and Mr. Jones was
released. The F.B.I. created a new record for his prints under the
On Feb. 14, 2004, the body of Katherine Collins, a prostitute, was
found in a vacant lot in New Orleans. She had been raped, stabbed
In March, a 16-year-old girl, Amanda Greenwell, disappeared from a
trailer park in Douglas County, Ga., where the police later realized
Mr. Jones had been living. Her remains were found a month later.
On April 15, Patrice Endres, the hairstylist, was abducted from her
salon in Forsyth County.
In June, Mr. Jones was arrested for methamphetamine possession. The
F.B.I. computers hit only the Chapman prints. Again, he was
On Sept. 18, Lisa Marie Nichols, 45, was found dead in her trailer
home in Mobile County, Ala. Mr. Jones, still going by the name
Chapman and staying nearby, was arrested three days later and
charged with capital murder, rape, kidnapping and burglary. The
authorities would not say how he came to be a suspect.
When Mobile County officials issued an alert to other jurisdictions
describing the crime, Missouri authorities sent notice that a John
Paul Chapman with the same birthday and Social Security number was
in their custody. After investigating, Mobile County officials
determined Mr. Jones's true identity and asked the F.B.I. to review
its database. The bureau then discovered its error.
Eleven law enforcement agencies have expressed an interest in
talking to Mr. Jones about unsolved crimes; the Oklahoma Bureau of
Investigation alone interrogated him about four killings. A
spokeswoman said Mr. Jones remained a "person of interest" in those
He has since been charged in the Collins and Greenwell killings. In
the Endres case, Sheriff Ted Paxton of Forsyth County said Mr. Jones
confessed but had not been charged, in part because the body had not
Mr. Jones has made other confessions. Investigators said that he
admitted to the Collins killing, and news reports indicated that he
told the authorities where he put the bodies of two teenage girls in
one of the Oklahoma cases.
Mr. Jones's lawyer in Alabama, Habib Yazdi, said he had sought,
unsuccessfully, for a judge to silence his client.
"He would say anything if they would let him talk to his wife and
his mother," Mr. Yazdi argued. "He would say, 'Tell me who was
missing, I'll tell you that I killed her.' He would say he killed
J.F.K. if he had been alive."
Mr. Yazdi said his client was mentally ill and would undergo a
Ariel Hart contributed reporting for this article.
Digitized prints can point
finger at innocent
Handling, quality of image are risks
By Flynn McRoberts and Steve Mills | Tribune staff reporters
January 3, 2005
CLARKSBURG, W.Va. - Deep inside a sprawling complex tucked in the
hills of this Appalachian town, a room full of supercomputers
attempts to sift America's guilty from its innocent.
This is where the FBI keeps its vast database of fingerprints,
allowing examiners to conduct criminal checks from computer screens
in less than 30 minutes--something that previously took them weeks
as they rummaged through 2,100 file cabinets stuffed with inked
But the same digital technology that has allowed the FBI to speed
such checks so dramatically over the last few years has created the
risk of accusing people who are innocent, the Tribune has found.
Across the country, police departments and crime labs are submitting
fingerprints for comparisons and for entry into databases, using
digital images that may be missing crucial details or may have been
manipulated without the FBI knowing it.
Not unlike a picture from a typical digital camera, a digital
fingerprint provides less complete detail than a traditional
photographic image. That matters little with pictures from the
family vacation. But when the digital image is of a fingerprint, the
lack of precision raises the specter of false identifications in
"There's a risk that not only would they exclude someone
incorrectly--we have the potential to identify someone incorrectly,"
said David Grieve, a prominent fingerprint expert who is the latent
prints training coordinator for the Illinois State Police crime lab
An FBI-sponsored group of fingerprint examiners was concerned enough
about the quality of digital images that in 2001 it recommended
doubling their resolution. Three years later, though, the vast
majority of police agencies still use equipment with the lower
Equally troublesome, the most commonly used image-enhancement
software, Adobe Photoshop, leaves no record of some of the changes
police technicians can perform as they clean up fingerprint images
to make them easier to compare.
This seemingly esoteric issue is crucial because it raises questions
about a bulwark of the criminal justice system: chain of custody. If
authorities cannot prove that a fingerprint is an accurate
representation of the original and show exactly how it was handled,
its validity can be questioned.
FBI officials recognize the resolution problem but say it leads to
overlooking guilty people, not falsely accusing the innocent.
"The risk that we're hearing is that we miss people--because the
resolution isn't enough--not that we're identifying people
incorrectly," said Jerry Pender, deputy assistant director at the
FBI's Clarksburg facility.
Potential for error rising
Such confidence is unwarranted, according to digital-imaging
specialists and some leading fingerprint experts. And they say the
potential for mistakes is growing inexorably as police departments
around the nation switch from old inked cards to digitized computer
To do so, technicians scan an inked card into a computer, which
converts it into a pattern of 0s and 1s that digitally represent the
image, similar to how a fax machine works. And, like a fax machine,
the process of digitizing the fingerprint loses considerable amounts
"It gives examiners the misleading impression that they're getting a
better-quality image to examine," said Michael Cherry, an imaging
expert who is on the evidentiary committee of the Association for
Information and Image Management, a business technology trade group.
"These images actually can eliminate fingerprint characteristics
that might exclude a suspect."
Measuring the number of cases in which a digital image may have
wrongly linked a suspect to a crime scene is difficult. The
technology is so new that many defense attorneys do not know to ask
if the fingerprint image entered into evidence has been digitized.
"I think it's a very real problem, but it's under the [radar]
still," said Mary Defusco, director of training at the Defender
Association of Philadelphia, a non-profit group that represents
indigent defendants. "We have to get up to speed on it."
One of the nation's first successful challenges to the use of
digital fingerprinting in the courtroom came in 2003 in Broward
The only physical evidence linking Victor Reyes to the murder of
Henry Guzman was a partial palm print--an intriguing trace of
evidence found on duct tape used to wrap the body in a peach-colored
A forensic analyst with the Broward County Sheriff's Office used a
software program known as MoreHits along with Adobe Photoshop to
darken certain areas and lighten others--a process called "dodge and
burn," which has long been used in traditional photography.
Reyes' attorney, Barbara Heyer, argued that such digital
enhancements were inappropriate manipulations of the evidence. "It
just hasn't gotten to the point of reliability," Heyer said.
Jurors acquitted Reyes, largely because of sloppy handling of the
evidence by police. But they also were troubled by the digital
fingerprinting technology used in the case. The jury foreman,
Richard Morris, who writes computer-imaging software for a living,
said in a recent interview that he and his fellow jurors had
significant concerns about it.
No record of image changes
"The makers of the [Adobe] software dropped the ball in not
providing a digital record of every action applied to the image,"
Morris said. He said he would like to see lab analysts or police
personnel use software that automatically would log any changes so
other examiners could determine later whether the digital print had
been altered inappropriately.
Ten years ago, only a handful of major police departments used
digital fingerprinting. Today, more than 80 percent of the prints
submitted to the FBI's Clarksburg facility are digital.
Along with the digital technology has come inexpensive software that
allows personnel at many police stations to enhance the prints at
their desks. One of the most widely used digital-print software
programs, MoreHits, claims about 150 clients among local, state,
federal and foreign law-enforcement agencies.
The creators of these explosively popular tools also recognize the
"It's like a hammer. It's not evil unless someone who is evil picks
it up and uses it," said Erik Berg, a forensic expert with the
Police Department in Tacoma, Wash., who developed MoreHits.
Human element crucial
Defenders of the technology contend that concerns about it are
overstated because computers only spit out a list of potential
matches; typically, human fingerprint examiners at the FBI's lab and
at state crime labs make the final matches introduced in court.
"The benefits to law enforcement with digital fingerprints are
incalculable in terms of speed of identification and exoneration of
the innocent," said Joseph Bonino, former chairman of the FBI's
advisory policy board for the Criminal Justice Information Services
division in Clarksburg. "They provide a high degree of accuracy,
assuming your human examiners are properly trained."
Trust in that safeguard took a major hit last spring when the FBI
falsely linked an Oregon lawyer, Brandon Mayfield, to terrorist
bombings at Madrid train stations.
When Spanish authorities connected the Madrid print to an Algerian
man, the FBI had to admit it erred.
The bureau initially blamed the quality of a digital fingerprint
image forwarded from the Spanish National Police. An international
panel of experts later concluded that the digital image was fine;
instead, the panel found, several veteran FBI examiners had missed
"easily observed" details that excluded Mayfield.
Asked last month about the questions involving digital prints, the
FBI issued a statement saying it would not comment further until
eight teams of forensic scientists--appointed after the Mayfield
case unraveled--finish "methodically inspecting every aspect of the
latent fingerprint process, which includes the examination of
The sleek computer equipment inside the bureau's facility in
Clarksburg cannot negate this disturbing fact: The FBI does not know
if a police agency has altered any of the thousands of new
fingerprint images added every day to its database, which now has 48
million sets of prints.
As long as the submissions meet FBI standards on resolution, size
and information about the subject, "we wouldn't have any concerns
about the quality of images coming into IAFIS," said Steve Fischer,
spokesman for the Clarksburg facility, referring to the FBI's
Integrated Automated Fingerprint Identification System.
But Fischer acknowledged that those standards are not a safeguard
against improper manipulation of the images.
"If they were doing something out there," he said, "we wouldn't know
The broader concern, though, remains the quality of the digital
images themselves. An FBI-sponsored scientific working group of
fingerprint experts cited concerns about the quality of digital
images in 2001, when it recommended doubling their resolution, from
500 pixels per inch to 1,000.
But that is only a guideline, and most police departments haven't
invested in newer equipment that would upgrade the digital images.
"The quality of the detail . . . in the [lower-resolution] digital
image is not sufficient to support a lot of what fingerprint
comparisons rely on," said Alan McRoberts, chairman of the working
group and editor of the Journal of Forensic Identification.
The roots of using digital images for crime-solving date to the
early 1970s, when San Diego police brought a palm print image to the
Jet Propulsion Laboratory in Pasadena, Calif., in the hope that
scientists could enhance it.
Police had found a bloody palm print on a bedsheet at a murder
scene, but the weave of the sheet obscured the print's detail. The
lab's scientists managed to separate the print from the bedsheet's
weave using a process similar to one employed to enhance photographs
taken of the moon and planets.
Since then, the drop in prices for such technology has made it
widely available to law enforcement, but critics question whether
all police staffers using it fully understand its limitations.
One solution to the problem is simple, according to imaging experts:
Have defense attorneys ask the right questions.
Berg, the developer of the MoreHits software, outlined them: "If
this is a digital image, has it been enhanced or is this the
original capture with no changes to it? If it's been enhanced, I
want you to show me what you did and tell me what your training is.
And did you go out of your area of expertise to do this?"
If those questions aren't asked, Berg noted, a false identification
might not be caught.
horrific pain, torture and
humiliation that this has caused
myself and my family is hard to put
into words," said Mr. Mayfield, an
American-born convert to Islam and a
former lieutenant in the Army.
"The days, weeks and months
following my arrest," he said, "were
some of the darkest we have had to
endure. I personally was subject to
lockdown, strip searches, sleep
deprivation, unsanitary living
conditions, shackles and chains,
threats, physical pain and
The Washington Post reports
the apology was "unusual" for the
FBI, and that
the payment (more than twice what
the government paid to Wen Ho Lee, a
US nuclear scientist who said
officials violated his privacy rights)
is a "clear embarrassment."
FBI examiners had erroneously
linked him to a partial fingerprint
on a bag of detonators found after
terrorists bombed commuter trains in
Madrid in March, killing 191 people.
The bureau compounded its error by
stridently resisting the conclusions
of the Spanish National Police,
which notified the FBI three weeks
before Mayfield was arrested that
the fingerprint did not belong to
Mayfield's lawsuit alleged that
his civil rights had been violated
and that he was arrested because he
is a Muslim convert who had
represented some defendants in
The Los Angeles Times
reports that Spanish authorities,
who were dubious from the start
that the prints were Mayfield's,
eventually identified them as
belonging to an Algerian. Experts say
the case highlights the "error
potential" for fingerprint matching,
which they say is too high.
"This is a tip-of-the-iceberg
phenomenon," said Simon A. Cole, a
professor of criminology, law and
society at UC Irvine and author of
'Suspect Identities: A History of
Fingerprinting and Criminal
Identification.' The argument has
always been that no two people have
fingerprints exactly alike ... But
that's not what you need to have an
error. What you need is for two
people to have very similar
fingerprints, and that's what
Michael Cherry, president of
Cherry Biometrics, an
said misidentification problems
could grow worse as the US and other
governments add more fingerprints to
"I really believe there are a lot
more Mayfields out there," Cherry
said. "We just don't know about
these cases because the Spanish
police don't always get to oversee
them. We simply don't have an
identification standard that fits
with today's times."
The Times also writes that a report
on the Mayfield case, released last
January by Glenn Fine of the Office of
the Inspector General (the Justice
Department's internal watchdog), said
the bureau overlooked important
differences between Mayfield's and the
Algerian's prints. The report also
said the FBI basically ignored the
Spanish police when they said they had
the wrong man.
McClatchy reports that Mr.
Fine also said the case
did not entail government abuse of the
new powers it acquired as a result
of the Patriot Act, as the FBI did not
use those powers in survelliance of
Mayfield. Fine also said that
Mayfield's religion wasn't the "sole"
reason for his arrested, but
contributed to the failure "to
sufficiently reconsider the
identification after legitimate
questions about it were raised."
The Associated Press
reports, however, that in a separate
statement released Wednesday, Mayfield
said his religion was
one of the main reasons that he
was targeted by the FBI.
"Not only does my detention as a
material witness in the Madrid
bombing underscore the fallacy that
fingerprint identification is
reliable, I hope the public will
remember that the US Government also
targeted me and my family because of
our Muslim religion," he said.
In another case related to the
government's terrorism powers, a
federal judge has ruled
unconstitutional key portions of a
presidential order that blocks
financial assistance to terrorist
groups. The Washington Post
reports that the provisions are
"impermissibly vague because they
allow the president to unilaterally
designate organizations as terrorist
groups and broadly prohibit
association with such groups."
Bruce Fein, a Justice Department
official in the Reagan years who has
criticized the Bush administration's
broad assertions of executive power,
said that appealing Collins's ruling
may carry more risks for the
government than simply changing the
executive order's language.
"If they take this up on appeal,
they risk another repudiation of
this omnipotent-presidency theory
that they have," Fein said.
Report blasts FBI lab
Peer pressure led to false ID of Madrid fingerprint
By Flynn McRoberts and Maurice Possley | Tribune staff reporters
November 14, 2004
Top FBI fingerprint examiners gave in to peer pressure when they
rushed to link an Oregon lawyer to a terrorist attack in Madrid this
year, according to a panel of forensic experts convened to explain
the highest-profile mistake in the history of modern fingerprint
The finding contradicts the initial explanation given by the FBI,
which had blamed the quality of a digital fingerprint image sent by
Spanish police in the wake of the March 11 train bombings that
killed 191 people.
Instead, the panel found that human error, defensiveness and a
failure to follow some fundamental scientific practices, such as
proper peer review, led to four of the nation's top fingerprint
experts wrongly tying Brandon Mayfield, a Portland-area lawyer and a
Muslim, to the bombings. Spanish national police later matched the
print to an Algerian man.
"Once the mind-set occurred with the initial examiner, the
subsequent examinations were tainted," Robert Stacey, chief of the
FBI laboratory's quality assurance and training unit, wrote in a
report outlining the findings of the international review committee.
"To disagree was not an expected response."
The committee's findings underscored a central complaint about much
of forensic science: The purportedly unbiased, scientific evidence
introduced into American courts often fails to meet either of those
A recent Tribune investigation found that fingerprinting is so
subjective that the most experienced examiners can make egregious
The FBI had asked the review committee to examine how three of its
experts--and a fourth court-appointed expert--erred in declaring
Mayfield's prints a match to one found on a plastic bag at the scene
of the Madrid attack.
The committee convened at the FBI lab in Quantico, Va., for two days
in June. It was given access to the FBI case file and met with the
lab personnel involved in the Mayfield case. Stacey's report,
published in the Journal of Forensic Identification, summarized the
committee's review and its recommendations.
In reaching its conclusions, the panel didn't address the accusation
at the center of a civil lawsuit Mayfield has filed against the
federal government: That it targeted him because of his Muslim faith
and violated his civil rights, holding him in jail for two weeks.
The suit alleges that the examiners had access to background
information that showed Mayfield is a convert to Islam. He also had
represented, in a child custody suit, one of the men convicted in a
Portland terrorism case.
The committee's review prompted the FBI to form eight teams of
scientists--from inside and outside the bureau--to "address all the
concerns raised by the international panel," Ann Todd, spokeswoman
for the FBI lab, said Friday. "It's going above and beyond to make
sure that it doesn't happen again."
Todd would not comment further because of an ongoing investigation
of the Mayfield case by the Justice Department's inspector general.
Rush to conclusion
In laying out a timeline of the Mayfield fiasco, the report shows
how the FBI's Latent Print Unit rushed to conclude that Mayfield's
prints matched the print found at the crime scene.
His was one of those spit out when a supervisory fingerprint
examiner ran the crime scene print through a search of the FBI's
vast database--one of 20 prints with enough similarities to warrant
a manual comparison by an examiner.
On March 19, the FBI's Latent Print Unit made its initial report,
finding that the print on the bag matched Mayfield's. "The unit
chief provided this information by telephone to Interpol
Washington," Stacey's report notes. But "the unit chief did not
complete a thorough examination of the identification prior to
making the telephone call."
Some veteran fingerprint experts welcomed the report as a good first
step in confronting the fact that prominent fingerprint mistakes in
recent years have occurred at major, respected law-enforcement
agencies that employ well-trained examiners.
In addition to the Mayfield case, for instance, the Boston Police
Department earlier this year admitted that two of its fingerprint
examiners had linked Stephan Cowans to the 1997 shooting of a police
sergeant, though a later review found that Cowans' prints weren't
even close to those discovered at the scene.
The series of mistakes "means something. It means we have something
to learn about our process," said Gerald Clough, a latent-print
examiner and detective at a Texas sheriff's office. "Perhaps we have
something to learn about the limits of our process."
One of the problems with that process in the Mayfield mistake,
according to the committee, was the "inherent pressure of such a
high-profile case" and the fact that the first examiner to render an
opinion was a "highly respected supervisor with many years of
Noting that the mistake was made not just by individual examiners
but by an agency that considers itself one of the best latent-print
units in the world, Stacey wrote: "Confidence is a vital element of
forensics, but humility is too."
Yet when the Spanish police in May told the FBI that its examiners
were wrong, the bureau immediately became defensive, sending the
chiefs of its latent-print unit to Spain to explain how the FBI was
"This was interesting," the report noted, "considering that the
identification is filled with dissimilarities that were easily
observed when a detailed analysis of the latent print was
Image quality not a factor
Despite earlier FBI attempts to blame the quality of the fingerprint
image--a digital representation e-mailed to the U.S. by Spanish
authorities--the report states that "all of the committee members
agree that the quality of the images that were used to make the
erroneous identification was not a factor."
Still, some experts questioned whether many fingerprint examiners
fully understand the potential problems posed by using digital
images of prints, instead of the old inked print cards. Digital
images, though they may appear to be perfectly clear, can be less
sharp than the original inked print or a film photo of it.
Because these possible image distortions are caused by computer
technology, fingerprint experts are ill-suited to identify them,
according to Michael Cherry, a biometrics expert who is on the
evidentiary committee of the Association for Information and Image
"The FBI needs improved computer standards," Cherry said. "I really
believe there's a lot more Mayfields out there. We just don't know
about them because the Spanish government doesn't overlook our
Bureau officials had claimed a flawless record until the FBI falsely
linked Mayfield to the bombings.
To prevent such a mistake from happening again, the committee
suggested a new quality assurance rule for "high-profile or
high-pressure cases," including "supervisory verification of
conclusions regardless of the normal quality and quantity standard."
The journal report already has set off debate and comment among
fingerprint examiners, with some questioning why so-called heater
cases should be given greater care.
"Every case should have the same safeguards," said Joseph Polski,
chief operations officer of the International Association for
Identification, the leading professional organization of fingerprint
examiners. "Some people's life and liberty shouldn't be of more
priority than other people's life and liberty."
In one online forum, another examiner said she thought it was "funny
how they are recommending new procedures for high-profile and
"In my mind, every identification is just as important as the
previous one. The type of case or who [is] asking for the
information should have no reflection on my analysis," wrote Michele
Triplett, a fingerprint examiner with the King County Sheriff's
Office in Seattle. "I find the circular reasoning to be typical."
While crediting the FBI Latent Print Unit personnel for their
"forthright manner in accepting responsibility" and the lab for
taking "immediate steps to remedy the situation," the committee also
noted the need for improvements throughout the latent-print
The committee recommended that an initial examiner's conclusion be
sealed or withheld from subsequent verifiers to ensure an
And quality assurance programs ought to be designed so examiners are
"encouraged to step forward, without fear of reprisal, if they
disagree. This part of the scientific method must be
institutionalized," Stacey wrote.
The report also calls for verifiers to be given challenging
fingerprint cases during blind proficiency tests to ensure that
their methods are correct and to detect "skill atrophy."
Stacey emphasized the need for a lab culture where mistakes can be
acknowledged quickly and addressed. "Many agencies are slow to do
this or refuse to admit that errors have occurred," he wrote.
"Admitting the error is the first step in the remediation process."
Barry Scheck, president of the National Association of Criminal
Defense Lawyers, said the report amounts to "a powerful statement
and something that critics of forensic science have been saying for
a long time."
Said Scheck: "This demonstrates that examiner bias is an extremely
serious problem in fingerprint identification."
Identification Authentication Encryption Internet
Security Economic Loss Analysis Trial Experts
Copyright Cherry Biometrics Inc. All rights reserved