CHERRY BIOMETRICS Inc. Press


Credit-Card Security Falters

Industry Standard Hasn't Prevented Recent Breaches

Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.

Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.

Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.

Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.

Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.

Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.

Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.

The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Retailers that fail to meet the requirements are subject to fines.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.

Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.

"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.

Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.

Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.

Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."

Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.

As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.

Write to Joseph Pereira at joe.pereira@wsj.com

 

Friday, August 08, 2008
Finding Evidence in Fingerprints
A technique reveals drugs and explosives on the scene.
By Katherine Bourzac
A new method for examining fingerprints provides detailed maps of their chemical composition while creating traditional images of their structural features. Instead of taking samples back to the lab, law-enforcement agents could use the technique, a variation on mass spectrometry, to reveal traces of cocaine, other drugs, and explosives on the scene.

Fingerprints are traditionally imaged after coating crime-scene surfaces with chemicals that make them visible. These techniques can be destructive, and different methods must be used, depending on the surface under study, says John Morgan, deputy director of science and technology at the National Institute of Justice, the research branch of the U.S. Department of Justice. "Mass-spectrometric imaging could be a useful tool to image prints nondestructively on a wide variety of surfaces," says Morgan.

Traditional mass spectrometry, the gold standard for identifying chemicals in the lab that uses mass and charge measurements to parse out the chemical components of a sample, typically involves intensive sample preparation. It must be done in a vacuum, and the sample is destroyed during the process, making further examination impossible and eliminating information about the spatial location of different molecules in the sample that are needed to create an image.

R. Graham Cooks, a professor of analytical chemistry at Purdue University, who led the fingerprint research, and his group used a sample-collection technique that he developed in 2004 and that can be used with any commercial mass spectrometer. Desorption spray ionization uses a stream of electrically charged solvent, usually water, to dissolve chemicals in a fingerprint or any other sample on a hard surface. "The compounds dissolve, secondary droplets splash up and are then sucked into the mass spectrometer," explains Cooks. As the instrument scans over a surface, it collects thousands of data points about the chemical composition, each of which serves as a pixel. The mass-spectrometry method can create images of the characteristic ridges of fingerprints that also serve as maps of their chemical composition.

In a paper published in the journal Science this week, the Purdue researchers describe using the method to image clean fingerprints and prints made after subjects dipped their fingers in cocaine, the explosive RDX, ink, and two components of marijuana. "We know in the old-fashioned way who it was" by providing information about the fingers' ridges and whorls, says Cooks of the fingerprint-imaging technique. The technique could also address the problem of overlapping fingerprints, which can be difficult to tell apart: fingerprints made by different individuals should have a different chemical composition. And "you also get information about what the person has been dealing with in terms of chemicals," says Nicholas Winograd, a chemist at Pennsylvania State University, who was not involved in the research.

Some of the chemicals found in fingerprints come from things people have handled; others are made by the body. The metabolites found in sweat are not well understood, but it's likely that they differ with age, gender, and other characteristics that would help identify suspects, says Cooks. Mass spectrometry could help uncover these variations. And Winograd says that the chemicals found in fingerprints might also provide information about drug metabolism and other medically interesting processes. Winograd, Cooks, and many others have recently begun using mass spectrometry to study the molecular workings of cancerous tissues and cells. Mass spectrometry might reveal that diagnostic information exists in sweat as well, says Winograd.

However, Morgan cautions that the work is preliminary and that the technology may prove too expensive for widespread adoption by law-enforcement agencies. Indeed, Cooks has not developed a commercial version of the fingerprint-analysis instrument.

"They have a long way to go," agrees Michael Cherry, vice chairman of the digital technology committee at the National Association of Criminal Defense Lawyers, who has extensive experience interpreting fingerprints. He says that Cooks's group has demonstrated the potential of the technology. However, after examining some fingerprint images made using mass spectrometry, Cherry says that the technology will require further development to be good enough to hold up in court.

Copyright Technology Review 2008.

AFX News Limited
Researchers look to spot photo hoaxes
02.24.08, 2:51 PM ET

NEW YORK (AP) - Sometimes, a photo is simply too good to be true.

Tiny details in an image, for instance, may be too similar to have occurred naturally, suggesting a cut-and-paste maneuver. Or the color patterns may be too 'normal' -- beyond the limitations of sensors on digital cameras.


A growing number of researchers and companies are looking for such signs of tampering in hopes of restoring credibility to photographs at a time when the name of a popular program for manipulating digital images has become a verb, Photoshopping.

Adobe Systems Inc., the developer of Photoshop, said it may incorporate their techniques into future releases.

"There's much more awareness and much more skepticism when (people) are looking at images," said Kevin Connor, a senior director of product management at Adobe. "That's why we think that's something we need to get involved in. It's not healthy to have people be too skeptical about what they saw."

Meanwhile, camera maker Canon Inc. sells a data-verification kit with some models. It can stamp digital photos with an invisible, mathematical summary of the image, such that even one tiny change will produce a mismatch and flag the photo as an alteration.

These techniques are of interest to law-enforcement officials and defense attorneys because photographic evidence can make or break cases. News organizations also have been increasingly exploring ways to spot hoaxes.

Not everyone is on board, however.

Michael Cherry, vice chairman of the Digital Technology Committee at the National Association of Criminal Defense Lawyers, said too little is known about the nuances of digital photography to put much trust in such detection techniques.

For example, Cherry said, using a photo printer rather than a laser printer can make a color image look nicer but lose details, such that a gun appears slightly off. The detection tools would reveal nothing, he said, because the photo itself was never digitally tweaked.

Meanwhile, enhancements to bring out details, such as sharpening a fuzzy surveillance image, may inadvertently turn a dark spot into something that looks like a gun.

And when there is intent to deceive, people who have enough money, time and skills can cover their tracks and evade any tamper detection, he said.

Lawyers and juries ultimately have to consider circumstances beyond the image itself, Cherry said. For example, was the evidence available at the time of the dispute or did it suddenly show up six months later — giving that person time to manufacture it?

Researchers stand by their techniques.

"There will always be a countermeasure that cannot be prevented," said Jessica Fridrich, a professor at Binghamton University. "We are trying to make it harder for people who want to do these things to go unnoticed, undetected."

The key, she said, is to use tools in combination. A criminal or hoaxer might be sophisticated enough to defeat one technique, but not all at once.

Fridrich's research takes advantage of the fact that all cameras have tiny flaws, so small they don't affect what the eye can see. For example, her software could analyze a set of photographs taken by the same camera and notice that a certain, defective pixel is always dark. Seeing that pixel light up would suggest an alteration.

Dartmouth College professor Hany Farid, meanwhile, has developed a set of software tools he collectively calls Q-IF. He sells the programs for up to $25,000 (€16,872) a year.

One tool looks for the use of clone stamp, a feature for duplicating or erasing objects in an image. Two cloned flowers would appear identical and lack expected blemishes.

Another exploits how cameras capture color images. Color is a mixture of red, green and blue. Rather than have sensors that detect all three for each pixel, they generally alternate in a specific pattern. That pattern gets disrupted with airbrushing.

Other techniques include looking for inconsistencies in lighting and shadows.

A human still must make a final determination, and Farid admits he can never be certain. His techniques got challenged in one criminal case, and prosecutors withdrew him as an expert witness.

"If we don't find traces of tampering, we don't say it's real," Farid said. "We say we find no traces of tampering. That's the best we can say."

Nonetheless, his tools are innovative enough to pique the interest of Adobe, which is subsidizing his research.

Photoshop already has a logging feature, which can track and record every change made along the way — standard procedure these days in law enforcement.

"You have an audit trail, even if you have gone in and made changes to the image," said Cynthia Baron, author of "Adobe Photoshop Forensics: Sleuths, Truths and Fauxtography." Adobe has no specific release schedule, though, on tamper-detection tools. The worry is that these same tools can help hoaxers test whether their changes escape notice.

"One of the things we've got to tackle," Connor said, "is to figure out if we can put some of these features in without making it easier for people to thwart them."


New Hampshire Union Leader (Manchester, NH)-March 21, 2008
Author/Byline: DENIS PAISTE New Hampshire Union Leader
Edition: State
Section: News
Page: A4

MANCHESTER -- Ripples from the Hannaford security breach continued to spread yesterday as Citizens Bank sent out replacement MasterCards to customers.

Citizens determined which customers would get new cards based on reports from MasterCard as well as its own internal investigation, spokesman Chris Grenier said yesterday.

"People will start getting them tomorrow (Friday) through the early part of next week," said Grenier, who is community relations manager at Citizens Bank New Hampshire.

Citizens declined to say how many cards are being replaced.

Citigroup Inc. has also begun issuing replacement cards, but a spokesman would not confirm specifics, instead issuing a general statement.

"As a preventative measure, we notify and issue new credit cards to some customers whom we believe may be subject to increased risk. We do so in order to minimize any inconvenience to our customers," Samuel Wang, vice president of public affairs for Citigroup Global Consumer Group, said in an e-mail. "For security reasons, we do not discuss details of the potential compromises, such as the number of customers potentially at risk or our specific actions in each case to detect and prevent fraud."

A Manchester customer confirmed that his Citigroup credit card had been shut down and he had been notified he would be getting a new card.

The attack on Hannaford stores in the Northeast and its affiliated Sweetbay outlets in Florida revealed 4.2 million card numbers between Dec. 7 and March 10, the Associated Press reported yesterday. Apparently, about 1,800 cards have been used fraudulently. The U.S. Secret Service is investigating.

Also yesterday, the AP reported that Lasell College in Newton, Mass., said a hacker accessed data containing personal information on about 20,000 current and former students, faculty, staff and alumni. The college said it believes the hacker was an employee.

Michael Cherry, president of Cherry Biometrics Inc. and vice chairman of the Digital Technology Committee for the National Association of Criminal Defense Lawyers, faulted Hannaford for the extent to which it used encryption on its internal systems.

Apparently, hackers captured data while it was being transmitted internally through Hannaford computer systems, the AP reported. (See related article.)

"If they would have encrypted it at every step," it would have enhanced data security, Cherry said.

He added: "At the end of the day, there is a cost of doing business, and the cost of doing business is a safe set of customers. And if that means that you have to get faster computers, which you would have to do eventually anyway, that's what the cost of doing business is.

"You can't expose 4 million customers because you didn't want to spend the money for some upgrade. It's just morally wrong."

MasterCard Worldwide would not disclose details of the Hannaford breach. Spokesman Chris Monteiro wrote in an e-mail: "In response to a potential security breach involving a U.S.-based company, MasterCard has notified the banks that issued cards which could be at risk to monitor for any suspicious account activity and take the necessary steps to protect cardholders.

"If a cardholder is concerned about his or her individual account, they should contact their issuing financial institution," the MasterCard spokesman wrote.

Visa and other major credit cards were also compromised in the Hannaford breach.

New Hampshire Bankers Association President Gerald H. Little said yesterday it's difficult for banks to know whether to shut off someone's debit or credit card and reissue the card.

"Some folks want that to be done immediately," he said.

But others are unhappy about the inconvenience.

"By and large, they don't get angry at the retailer that caused the data breach, they get angry at the bank," he said.

He said that because Hannaford's business is concentrated in the Northeast, the breach has the potential to wreak as much havoc as the TJX Cos. intrusion last year that captured millions of credit card numbers.

Citizens Bank spokesman Grenier said customers can continue to use their existing cards until they receive new ones. They are not being charged for the replacements.

Carol Landry, director of deposit and lending operations at St. Mary's Bank in Manchester, said Wednesday the credit union hadn't seen any signs of fraud related to the Hannaford breach.

"Our members have zero liability with their Visa debit card," Landry said. "We are monitoring their transactions with fraud protection software, and it's business as usual."

Customers have to report suspicious activity to their bank, usually within 48 hours of when they first become aware of it.

-----

Portsmouth woman says she is a victim

PORTSMOUTH (AP) -- A Portsmouth woman says that she was one of thousands of Hannaford customers who had their credit card numbers stolen.

The woman, who asked not to be identified, said yesterday she discovered foreign transaction fees and charges from Bulgaria on this month's credit card statement.

The charges totaled $1,500 and happened on March 3 and 4, about a week after her last visit to a Hannaford in Farmington.

She called Hannaford, which told her to cancel her card, a step she had already taken. The charges were waived by her credit card company.

The FBI is investigating to determine if the charges were the result of a security breach at Hannaford that exposed more than 4 million customer card numbers to thieves since December.

Kevin Leonard is an attorney who has filed a class action lawsuit against Hannaford on behalf of three New Hampshire customers who have not seen any fraudulent charges yet.

He said his clients are concerned that their identity and financial safety are at risk.


Copyright 2008 Union Leader Corp.

USA Today (Magazine)  Date: 6/1/2007

Fingerprint matches--key to fighting international terrorism and keeping criminals off the street--no longer are foolproof, warns Edward Imwinkelried, professor of law at the University of California, Davis. He contends that the reliability of fingerprint identification has declined while the population of the world--and its fingerprints--has exploded. "We can no longer naively assume the reliability of our current fingerprint standards," he stresses. "Given the stakes--not only justice in a particular case, but national security itself--we must do better." Imwinkelried and his research co-author Mike Cherry, who is vice chair of the digital technology committee of the National Association of Criminal Defense Lawyers, urge reforms.

 

The current matching process identifies ridges within a fingerprint and categorizes it into one of three general patterns--including loops, arches, and whorls--and their subpatterns, and maps predetermined shapes and contours. A fingerprint is said to match when the pattern, subpattern, and some of the shapes and contours roughly correspond with each other.

 

In the late 1800s, Sir Francis Galton developed the first system for classifying and identifying fingerprints. He is quoted as having said that the odds of two individual fingerprints being the same are one in 64,000,000,000. The authors point out that the current world population exceeds 6,000,000,000 persons, and most have 10 prints. In short, they say, the world population of fingerprints now exceeds the odds Galton estimated.

 

At the same time, the authors maintain, fingerprint matching techniques that once used cards and then analog photographs to compare up to 10 fingerprints have been taken over by automated computerized systems that use less precise digital images and pre-screen matchers that sometimes use only a single index finger. "If we're going to rely on the computer technology for the Watch List on terrorism, when we do background checks ... we've got to have some assurance the computer system is reliably accurate," warns Imwinkelried. He is co-author of "Scientific Evidence," one of the leading treatises in its field that has been cited on several occasions by the Supreme Court.

 

Imwinkelried and Cherry call for high-powered computer analysis of existing fingerprint databases--data mining--to detect new patterns and develop new criteria for matching fingerprints. They also urge the return to the Henry Fingerprint Classification System, which uses all 10 fingers to classify an individual. The Henry System, Imwinkelried and Cherry insist, would better help identify suspects who use aliases and would prevent criminal suspects like alleged serial killer Jeremy Jones from being re-released after each arrest because just one print is used for matching. "If analyzed properly, fingerprints can be as accurate as DNA," they conclude.

 


Adding to Security but Multiplying the Fears

February 26, 2007

By ADAM LIPTAK - NY Times

Foreigners arriving at the American border must present both index fingers for fingerprinting, but that will soon change. The Department of Homeland Security now wants 10 fingers.

The two-print system was largely a biometric backup, an added level of security to supplement and verify a passport or a visa. The 10-print system adds a powerful investigative tool.

"When we have a fingerprint of a terrorist who has left behind a bomb or an I.E.D. in Iraq or has left his fingerprint in a safe house somewhere, we don’t always have the two index fingers," Paul Rosenzweig, a Department of Homeland Security official, said at a briefing in December. "It could be the pinkie or the thumb. And thus by moving to a 10-print system, we will enhance our ability to use biometrics to enable us to identify threats before they occur in the United States."

Call it biometric mission creep.

People concerned about privacy and civil liberties say they fear the creation of gigantic biometric databases ripe for data-mining abuse. They note that Mr. Rosenzweig was a supporter of the Total Information Awareness program at the Defense Department, which had planned, as the Pentagon put it, to create "ultralarge all-source information repositories." The program was shut down in 2003 because it scared people.

The administration’s last-ditch defense of that effort was telling, too. It changed the name to the Terrorism Information Awareness program.

There is a pattern here, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. "These techniques that are sold to us as necessary to identify terrorists inevitably become systems of mass surveillance directed at the American people," Mr. Rotenberg said.

In an interview, Robert A. Mocny, the acting director of U.S.-Visit, the unit in the Department of Homeland Security that is in charge of the fingerprint program, said all the right things. "We cannot," Mr. Mocny said, "have a reaction to 9/11 such that we’re sacrificing privacy and civil liberties on the altar of security."

But the privacy folks have a point. Once information is captured, it must be tempting to use it. With little discussion, for instance, driver’s license photographs have been dumped into enormous digital databases, ripe for searches with facial recognition technology. Police departments have started to use the databases to find people and identify suspects. That may be a fine idea, but it is one that has been pursued without real debate or disclosure.

Mr. Mocny made a persuasive case that the move to 10 prints enhanced the legitimate goals of identification and investigation.

"We’ve identified 1,800 people who’ve tried to lie their way into the United States, and their fingerprints tripped them up," he said.

The 10-print program will, he said, make identifications even more reliable. "We’re now at 80 million-plus individuals in the system," he said. "With that many fingerprints, they start to look alike." More fingers, he said, means more differentiation.

On the investigative side, more fingerprints give the authorities more opportunities to check them against a watch list of 2.5 million prints that includes, he said, "known and suspected terrorists," sexual predators and people wanted on criminal and immigration charges.

But there are real questions about the reliability of the technologies employed. Though fingerprint evidence is widely assumed to be close to infallible, recall the $2 million the federal government paid in November in the settlement of a lawsuit filed by Brandon Mayfield.

Mr. Mayfield, a lawyer in Oregon, was arrested in 2004 after the F.B.I. definitively and mistakenly concluded that his fingerprints matched one taken from a plastic bag containing detonator caps found at the scene of the bombings in Madrid that year.

"Fingerprints work fine when you have a bank robbery in Chicago," said Michael Cherry, vice chairman of the digital technology committee of the National Association of Criminal Defense Lawyers. But matching a partial fingerprint of poor quality and uncertain vintage collected in Afghanistan or Iraq to a database of global scope is a different matter.

The 10-print strategy, Mr. Cherry said, is a "technical nightmare that will produce many Brandon Mayfields."

At an American Bar Association conference in November, Michael Chertoff, the secretary of Homeland Security, said the 10-print program "creates a powerful deterrent for anybody who has ever spent time sitting in a training camp and training or building a bomb in a safe house or carrying out a terrorist mission on a battlefield."

Those terrorists, presumably, will be deterred by not wanting to test the nation’s border security. Or the deterrent may be a different one: encouraging a generation of young jihadists to wear gloves.

"Unless you believe there’s a constitutional right or a civil liberties right to have phony documents or to pretend to be someone you’re not, I don’t really see the cost in civil liberties," Mr. Chertoff told the assembled lawyers.

"By the way," he added, "we’ll be collecting all of your glasses after dinner."

Academics warn of fingerprint biometrics weaknesses

 
Experts from the University of California, Davis warned this week that the reliability of fingerprint biometrics has declined considerably due to technological concerns and a growing world population.

Law Professor Edward Imwinkelried and biometrics expert Mike Cherry released their findings this week in an article for the law journal Judicature about improving fingerprint identification.

"We can no longer naively assume the reliability of our current fingerprint standards," the pair wrote. "Given the stakes - not only justice in a particular case but national security itself - we must do better."

Imwinkelried and Cherry, who is vice chairman of the digital technology committee of the National Association of Criminal Defense Lawyers, said that the majority of the computerized systems used to match and categorize ridge patterns within fingerprints are far too imprecise for the important applications for which they are increasingly used.

"If we're going to rely on the computer technology for the watch list on terrorism (or) when we do background checks, we've got to have some assurance the computer system is reliably accurate," Imwinkelried said.

The world’s growing population also exacerbates the problem. When the first system for classifying and identifying fingerprints was created in the late 1800s, its creator said that the chances of two identical fingerprints were one in 64 billion.

Imwinkelried and Cherry said they worry that with the world population exceeding six billion, and with most owning 10 fingers, the pool of fingerprints exceeds those odds.

The pair wrote that improvements in biometrics need to be made by mining data from existing fingerprint databases to detect new patterns and classifications for fingerprint matching. They also encouraged law and industry to go back to using 10 fingers to classify an individual, a practice that has gone out of favor.

Fingerprinting reforms at hand

A novel means of print detection may be a golden opportunity to improve fingerprinting processes. Why is no one paying attention?

From the October 2007 Issue

By Douglas Page
 

     As most crime scene experts know, dusting for fingerprints can sometimes destroy parts of the prints, erasing potentially valuable forensic clues.

     Conventional fingerprinting methods involve treating samples with powders, liquids or vapors to add color to the fingerprint so it can be easily photographed, a process called contrast enhancement.

     But fingerprints left on many substances such as fibrous papers, textiles, wood, leather, plastic, multi-colored backgrounds and human skin can sometimes be difficult to detect this way. Plus, children's fingerprints are often more difficult to detect than adult prints due to the absence of an oily substance called sebum and the presence of other fatty acid deposits unique only to children.

     Any improvements in detection techniques that can be forensically useful are welcome, and a group of government chemists believe they have an answer.

     Researchers at the Los Alamos National Laboratory in New Mexico say they have developed a novel means of detecting fingerprints using X-rays that don't disturb the print in any way. The technique also is able to reveal chemical markers that could give investigators new clues for tracking suspects and missing persons.

     The technique uses a process called microbeam X-ray fluorescence (MXRF), which rapidly reveals the elemental composition of a sample by irradiating it with a thin beam of X-rays without disturbing the sample.

     This method is important because it does not require using developing agents to treat the print.

     "We collect an image of a print pattern intact without altering its composition," says Christopher Worley, an analytical chemist at Los Alamos.

     The research, however, has stalled at an unforeseen snag. The researchers have run out of money.

     "The research is currently at a standstill awaiting additional funding," Worley says. "So far, we have not been able to find anyone interested, willing and able to provide funding to pursue the idea further."

Hands down
     So far the research is proof-of-concept only, to demonstrate the possibility of detecting fingerprint patterns using MXRF, whereby the fingerprint pattern is determined by detecting inorganic elements present in the print residue.

     "Thus, we both detect the print pattern digitally and collect chemical information from the print as well," Worley says.

     Fingerprints contain detectable quantities of salts, such as sodium chloride and potassium chloride, excreted in sweat. The Los Alamos researchers have shown they could detect the sodium, potassium and chlorine from these salts. Since these salts are deposited along the patterns present in a fingerprint, an image of the fingerprint can be visualized producing an elemental image for analysis.

     Worley says the technique is another tool to be used in an attempt to visualize a print that might be difficult to detect with current powder or chemical treatment methods. He stresses that MXRF work is proof-of-concept only.

     "We are not claiming we have a method to replace current protocols," he says. Rather, Worley believes this method complements current techniques.

     "While this method currently requires a prior knowledge of the print location, it clearly has some advantages over contrast-based techniques for special cases," he says.

     For example, a print left from a finger coated with a residue such as gunpowder might be detectable from the sulfur and potassium content. Other distinctive fingerprint examples, such as those containing lotion, sunscreen, saliva or certain food residue, can be detected by MXRF based on inorganic elemental constituents.

     "Because MXRF is a spectroscopic method, the elemental composition of a fingerprint is examined, and visual contrast with the substrate is irrelevant," Worley says.

     Thus, if sufficient detectable residue is present, the print can be identified regardless of the background color.

     "It is also a non-invasive tool, so the sample remains intact for other analysis or archiving," he says. Volatilization of water, oils and other organic components over time should not hinder print identification since only inorganic elements are detected.

     X-ray fluorescence itself is not a new technology. The phenomenon is widely used for chemical analysis, particularly in the investigation of metals, glass, ceramics and building materials, and for research in areas such as geochemistry and archaeology. But this is the first use of MXRF (XRF performed with a micrometer-size beam) for fingerprint detection.

In the line of beauty
     One of the nation's leading experts on scientific evidence greeted Worley's MXRF work with enthusiasm.

     "The beauty of this new visualization technique is that it permits you to visualize the latent without altering it," says Edward Imwinkelried, law professor at the University of California -- Davis and former chair of the evidence section of the American Association of Law Schools.

     Any alteration in the visualization stage can distort subsequent stages in the process.

     "If the print is altered in visualizing it, it does not matter how accurately the visualized print is recorded -- that image will not be an accurate depiction of the fingerprint impression at the crime scene," he says.

     Imwinkelried, coauthor of the third edition of "Scientific Evidence," one of the leading treatises in its field that has been cited on several occasions by the U.S. Supreme Court, recently warned that existing fingerprint matches key to fighting international terrorism and keeping criminals off the street are no longer foolproof.

     "We can no longer naively assume the reliability of our current fingerprint standards," he writes in "How We Can Improve the Reliability of Fingerprint Identification," a paper published in a recent issue of "Judicature," co-authored by criminal defense attorney and biometrics expert Michael Cherry, president of Cherry Biometrics. "Given the stakes, not only justice in a particular case but national security itself, we must do better."

Calls for reform
     Cherry and Imwinkelried urge reforms.

     The first system for classifying and identifying fingerprints was developed in the late 19th century by Sir Francis Galton, known for his famous quote that the odds of two individual fingerprints being the same are one in 64 billion.

     Cherry and Imwinkelried are concerned that since the current world population exceeds 6 billion persons -- each usually with 10 prints -- the world population of fingerprints now therefore exceeds Galton's odds.

     They also worry that fingerprint matching techniques which once used cards and then analog photographs to compare up to 10 fingerprints have been taken over by computerized systems using less precise digital images, and pre-screen matchers sometimes use only a single index finger.

     "If we're going to rely on computer technology for the watch list on terrorism and for background checks ... we've got to have some assurance the computer system is reliably accurate," says Imwinkelried.

     He and Cherry call for the high-powered computer analysis of existing fingerprint databases, called data mining, to detect new patterns and develop new criteria for matching fingerprints.

     They also recommend the return to the Henry Fingerprint Classification System, which used all 10 fingers to classify an individual. The Henry system, Imwinkelried and Cherry say, would better help identify suspects who use aliases and would prevent criminal suspects, like alleged serial killer Jeremy Jones, from being re-released after each arrest by technical glitches in the FBI system. Jones is accused of committing several murders after he was repeatedly freed following arrests for other minor offenses. Because only one print was used for matching, the fingerprint-matching system failed to detect that he was using an alias.

     "If analyzed properly, fingerprints can be as accurate as DNA," the authors say.

     In an earlier "Judicature" article, Cherry and Imwinkelried argued for greater skepticism of using computerized fingerprint analysis, especially for its reliance on digitized images of fingerprint patterns.

     "The bottom line is that digital images are simple, incomplete approximations of the images they attempt to capture," they wrote. The authors encourage courts to take a more skeptical look at fingerprint testimony, recommend that computer systems check as many fingerprints as are available and advise greater scrutiny of the matching criteria embedded in the programs that match fingerprints.

Right on the money
     The Cherry-Imwinkelried articles relate to later stages in fingerprint analysis than the Worley MXRF visualization method. More specifically, they address the question of how prints should be recorded after visualization, the limitations of digital images and the criteria that the computer or human examiner uses to make the match or no-match decision.

     Imwinkelried believes the entire fingerprinting system is so fraught with unreliability that enhancements at any stage are welcome.

     "I applaud an improvement at any stage in the fingerprint process," Imwinkelried says. "Law enforcement and national security depend vitally on the validity of fingerprint analysis, and this research promises an improvement in the earliest stage of the process."

     A number of issues remain to be pursued with the Worley method before it's available, not the least of which is designing an X-ray instrument specifically for analyzing fingerprints in the field. The instrument Worley used in the lab for his concept work was built for a variety of material analysis applications and not specifically for fingerprints. It is therefore not optimized for detecting trace levels of chemicals found in some types of prints. Optimization is possible with additional funding.

Douglas Page (douglaspage@earthlink.net) is a science and technology writer living in Pine Mountain, California.

 

 

$2 million, apology settle FBI fingerprint error case

By Sam Howe Verhovek, LA Times Staff Writer
November 30, 2006

SEATTLE — A misidentified fingerprint cost federal taxpayers $2 million Wednesday and led to an unusual formal apology to Brandon Mayfield, a Muslim lawyer in Oregon whom the FBI says it wrongly named as a suspect in the 2004 Madrid train bombings.

The federal government "regrets that it mistakenly linked Mr. Mayfield to this attack," according to the apology issued by the Justice Department. It added that the FBI had implemented measures to "ensure that what happened to Mr. Mayfield and the Mayfield family does not happen again."

But Mayfield, who under the settlement can still proceed with a legal challenge to the controversial Patriot Act, said the nightmare he endured could happen to someone else.

"I look forward to the day the Patriot Act is declared unconstitutional and all citizens are safe from unwarranted arrest and searches by the federal government," Mayfield said in a statement.


Mayfield was detained in May 2004 after federal officials matched his fingerprint to one found on a bag of detonators in Madrid after the March 11, 2004, commuter train bombings that killed 191 people.

Two weeks later, however, Spanish police said the print belonged to an Algerian man, and the U.S. government said it had made a mistake.

The case highlighted the error potential for fingerprint matching, which some experts say is unacceptably high.

"This is a tip-of-the-iceberg phenomenon," said Simon A. Cole, a professor of criminology, law and society at UC Irvine and author of "Suspect Identities: A History of Fingerprinting and Criminal Identification."

"The argument has always been that no two people have fingerprints exactly alike," Cole said. "But that's not what you need to have an error. What you need is for two people to have very similar fingerprints, and that's what happened here."

Michael Cherry, president of Cherry Biometrics, an identification-technology company, said misidentification problems could grow worse as the U.S. and other governments add more fingerprints to their databases.

"I really believe there are a lot more Mayfields out there," Cherry said. "We just don't know about these cases because the Spanish police don't always get to oversee them. We simply don't have an identification standard that fits with today's times."

In a report on the Mayfield case in January, the Office of the Inspector General, the Justice Department's internal watchdog, said FBI experts had overlooked "important differences" between Mayfield's prints and those of the Algerian man, and had essentially ignored information from Spanish police that pointed to the other suspect.

"We believe that the FBI laboratory's overconfidence in the skill and superiority of its examiners prevented it from taking the [Spanish report] as seriously as it should have," Inspector General Glenn A. Fine said in a summary of that report.

The Justice Department reiterated its contention that mistakes in fingerprint identification were extremely rare.

"The inspector general made suggestions for improving the FBI's fingerprint identification process, and the FBI has adopted many of those suggestions," said Tasia Scolinos, director of public affairs for the Justice Department.

Mayfield, a former Army lieutenant and a convert to Islam, said Wednesday that the government had "targeted me and my family because of our Muslim religion."

But Fine, in his report, concluded that Mayfield's faith was not the reason the FBI came after him, and he said agency officials had not misused the Patriot Act, which Congress passed after the 2001 terrorist attacks.

President Bush and other defenders of the act say it is an important anti-terrorism tool, but critics say it has handed the government too much surveillance and wiretapping power and tramples on civil liberties. Mayfield's challenge contends the act violates the constitutional guarantee against unreasonable government searches.


*


sam.howe.verhovek@latimes.com

Times staff writer Lynn Marshall contributed to this report.

http://www.csmonitor.com/2006/1130/dailyUpdate.html 

Fingerprint Matching Techniques Need Reform

January 22, 2007

Fingerprint matches -- key to fighting international terrorism and keeping criminals off the street -- are no longer foolproof, warns a law professor at the University of California, Davis.

Professor Edward Imwinkelried, one of the nation's leading experts on scientific evidence, and co-author Mike Cherry, who designs identification systems, say the reliability of fingerprint identification has declined while the population of the world -- and its fingerprints -- has exploded.

"We can no longer naively assume the reliability of our current fingerprint standards," they write in "How We Can Improve the Reliability of Fingerprint Identification," an article recently published in Judicature. "Given the stakes -- not only justice in a particular case but national security itself -- we must do better."

Imwinkelried, the Edward Barrett Jr. Professor of Law at UC Davis, and Cherry, who is vice chair of the digital technology committee of the National Association of Criminal Defense Lawyers, urge reforms.

The current matching process identifies ridges within a fingerprint and categorizes it into one of three general patterns -- including loops, arches and whorls -- and their subpatterns, and maps predetermined shapes and contours. A fingerprint is said to match when the pattern, subpattern and some of the shapes and contours roughly correspond with each other.

Population and digitization

In the late 1800s, Sir Francis Galton developed the first system for classifying and identifying fingerprints. He is quoted as having famously said that the odds of two individual fingerprints being the same are one in 64 billion. The authors point out that the current world population exceeds six billion persons, and most have 10 prints. In short, they say, the world population of fingerprints now exceeds the odds Galton estimated.

At the same time, the authors say, fingerprint matching techniques that once used cards and then analog photographs to compare up to 10 fingerprints have been taken over by automated computerized systems that use less precise digital images and pre-screen matchers that sometimes use only a single index finger.

"If we're going to rely on the computer technology for the Watch List on terrorism, when we do background checks ... we've got to have some assurance the computer system is reliably accurate," said Imwinkelried. He is co-author of "Scientific Evidence," one of the leading treatises in its field that has been cited on several occasions by the U.S. Supreme Court.

Call for new matching criteria

Imwinkelried and Cherry call for high-powered computer analysis of existing fingerprint databases -- data mining -- to detect new patterns and develop new criteria for matching fingerprints. And they urge the return to the Henry Fingerprint Classification System, which used all 10 fingers to classify an individual.

The Henry system, Imwinkelried and Cherry say, would better help identify suspects who use aliases and would prevent criminal suspects like alleged serial killer Jeremy Jones from being re-released after each arrest because just one print is used for matching.

"If analyzed properly, fingerprints can be as accurate as DNA," they say.

In an earlier Judicature article, Cherry and Imwinkelried argue for greater skepticism of the use of computerized fingerprint analysis, especially for its reliance on digitized images of fingerprint patterns. "The bottom-line is that digital images are simple, incomplete approximations of the images they attempt to capture," they write.

The two authors call on courts to take a more skeptical look at fingerprint testimony, recommend that computer systems check as many fingerprints as are available, and advise greater scrutiny of the matching criteria embedded in the programs that match fingerprints.

Fingerprint analysis needs a hand, experts say

UC Davis professor publishes report calling to update print-matching process

By: Maia Bradley    The California Aggie

Digital digits

Before the digital print system Livescan was incorporated at police departments and Department of Motor Vehicle locations across the country, prints were catalogued manually in ink using the Henry Fingerprint Classification System. Individual cards were organized in giant files, not alphabetically, but according to the prints' patterns, such as arches, whorls or loops.

Today, prints are gathered digitally using Livescan and can be shared among agencies in a matter of minutes. While police departments require all 10 prints for occupational screening and citizenship applications, first-time visitors to the United States are printed for only two fingers.



Collected prints are then checked against an FBI database of fingerprints found at crime scenes or terrorist training camps. Imwinkelried and Cherry assert that if the FBI database contains single or partial prints, the system could fail to make a positive match because the prints collected at, for instance, an airport security station were different fingers from the same person.



According to the authors, an integrated look at all 10 fingers, including comparisons among neighboring fingers, would drastically improve the chances of a match, even with partial prints.



The future of fingers



Lee Willis, a supervisor in the Sacramento Police Department's forensic division, said there are some potential problems with the digital system, although they mostly involve the actual gathering of prints.



"If people routinely handle a lot of paperwork ... or are older, it makes their prints less clear," Willis said. She added that anxious job applicants often complain about the time it takes to secure a Livescan appointment.



The latter problem, however, echoes the huge growth in demand for prints pointed out by Cherry and Imwinkelried. Their report estimates that roughly 50,000 prints are processed every day nationwide. According to Willis, the Sacramento area alone processes about 3,000 Livescan files every year.

Upgrading a system that handles such immense numbers might appear to be a daunting task. Even so, Imwinkelried alluded to past court cases that have demonstrated the "consequences of false negatives" due to failed matches. By ensuring that travelers provide 10 prints, and by modifying computer programs to support "the Henry System, alphabet indexing, and individual fingerprint indexing," Imwinkelried is confident that such misses could be avoided.

Lee Willis agreed that such an investment would be plausible.
"We already collect 10 prints, plus a palm print for every Livescan," Willis said. 
Asked if it would be possible to do the same for travelers, Willis said, "I don't think that's an impossibility."

MAIA BRADLEY can be reached at science@californiaaggie.com.

************************************************************************

Jail unlocked for alleged serial killer
FBI analysis misses fingerprint match in `worst-case scenario'

By Steve Mills and Flynn McRoberts, Tribune staff reporters. The Associated Press contributed to this report
Published May 5, 2005

An FBI computer failure allowed a sex-crime fugitive to go free in Georgia last year, a mistake that authorities now say came with a human toll: The man allegedly committed two murders following his release.

The FBI acknowledged the computer error this week and, in an effort to prevent another such failure, has begun rechecking fingerprints from hundreds of fugitives wanted for the most serious crimes.

"This is obviously a worst-case scenario for us," said Paul Bresson, an FBI spokesman, contending that the bureau's computer comparisons are 95 percent accurate. "We're able to identify thousands of fugitives every month . . . [but] there are going to be instances where the computer doesn't catch it. And in this case it was the most tragic of all consequences."

The disclosure was the second recent embarrassment for the FBI's vaunted fingerprint identification system. A year ago, FBI examiners falsely implicated an Oregon lawyer in the Madrid train bombings.

Unlike the case of attorney Brandon Mayfield, in which human error caused an innocent man to be arrested, the latest mistake involved the FBI's massive fingerprint database and allowed a suspected criminal to walk free--and, allegedly, commit murder.

Jeremy Bryan Jones, 32, released on a trespassing charge in January 2004, also has been charged with a third killing, in Louisiana, and has been named as a suspect in at least five other slayings in three states.

Jones was using an alias when he was arrested on the trespassing charge in Georgia. Local police sent his fingerprints to the FBI, but the bureau's computer failed to match them with Jones, who had been wanted since 2000 in Oklahoma on a sexual assault charge, the FBI said.

The bureau said it did not realize Jones had been in the database until September, when he was charged with raping and murdering Lisa Nichols of Turnerville, Ala. Jones is being held in Alabama, where a grand jury indicted him Monday on a count of capital murder.

Jones has been named a suspect, but has not been charged, in at least two other killings in Georgia, two in Oklahoma and one in Missouri.

Law-enforcement and other agencies across the country submit roughly 50,000 fingerprint-comparison requests a day to the FBI's Integrated Automated Fingerprint Identification System, which contains 45 million sets of prints.

Given the size of the system, some experts said errors are bound to occur. "Understanding the system, you're looking for the needle in the haystack," said Alan McRoberts, editor of the Journal of Forensic Identification, "and occasionally you're going to miss."

Others were less forgiving.

"This tragic error, like the misidentification in the Mayfield case, further calls into question . . . the reliability of fingerprint analysis generally," said Robert Epstein, who as an assistant federal defender in Philadelphia was one of the first to challenge the century-old discipline of fingerprint comparison.

Like more than 80 percent of the fingerprints submitted to the FBI's database facility in Clarksburg, W.Va., Jones' fingerprints were sent to the FBI as digital images.

Imaging experts have warned that the relatively poor quality of many digital images can lead to errors.

"This shows that false negatives are just as bad as false positives," said Michael Cherry, a biometric expert, adding that digital images of fingerprints "don't have enough detail, and we're going to make mistakes."

Asked if there was not enough detail in the digital image submitted by Georgia authorities for the computer to recognize Jones' fingerprints, FBI officials said they would not know until the bureau completes an internal review of the case.

Defenders of the computer system noted that it is a big improvement over how the FBI compared fingerprints until the last decade. Before the ID system went online, police submitted inked print cards by mail and waited days or weeks to get a response from technicians who compared them by hand.

"If there were no [Fingerprint Identification System] at all, the guy might still be out there," said Ronald Singer, former president of the American Academy of Forensic Sciences.

*****************************************************************************

http://www3.nytimes.com/2005/05/05/national/05suspect.html?
THE NEW YORK TIMES
F.B.I. Apologizes for Failing to Identify Murder Suspect
By SHAILA DEWAN
Published: May 5, 2005

ATLANTA, May 4 - The F.B.I. defended itself on Wednesday after admitting that it had missed a fingerprint match for a man who the authorities say went on to kill three women and one teenage girl in three states.

The man, Jeremy B. Jones, was arrested for minor offenses in Georgia in January and June 2004. But Mr. Jones was released when computerized fingerprint checks did not turn up a 2000 warrant for him for rape, sodomy and jumping bail in Oklahoma.

The killings, most preceded by abduction and rape, have gripped communities and frustrated investigators. In one case, residents of Forsyth County, Ga., searched for a missing hairstylist for months before the sheriff said Mr. Jones had confessed to killing her.

"The F.B.I. regrets this incident," Thomas Bush III, the assistant director of Criminal Justice Information Services at the bureau, said in a statement released Tuesday in response to inquiries from The Atlanta Journal-Constitution.

The agency said the mistake was "a result of a technical database error, not a human examiner failing to make an appropriate match."

In a telephone interview on Wednesday, Mr. Bush said the system was more than 98 percent accurate and a vast improvement over manually matching fingerprint cards, a process that used to take 15 to 25 days.

The computerized system, called the Integrated Automated Fingerprint Identification System, was instituted in 1999 and usually has results in less than two hours, he said.

"It's an exceptional tool for law enforcement," Mr. Bush said. "Is it perfect? No."

Critics of the F.B.I. say the system's image resolution is too low and the agency's faith in it is too high.

"Since they've gotten involved with computers, they've screwed up everything," said Michael Cherry, a biometrics expert in New Jersey.

Mr. Jones, 32, is by many accounts a charming man. He told The Daily Oklahoman that until he developed a methamphetamines habit, people in his hometown, Miami, Okla., thought he could be president.

The drug, he said, led him down the wrong path, one that might have been cut short at his first arrest in Georgia last year had he been correctly identified. At that time, there was a warrant for his arrest on charges stemming from two rapes in 1996 in Oklahoma and a third rape in 2000. For the first two, he pleaded guilty to sexual battery and methamphetamine possession. In 2000, he jumped bail.

By 2004 Mr. Jones was living just west of Atlanta, where he was picked up in January on charges of trespassing. He gave the name John Paul Chapman. His prints were sent to the F.B.I. to run against the national database. No match turned up, and Mr. Jones was released. The F.B.I. created a new record for his prints under the name Chapman.

On Feb. 14, 2004, the body of Katherine Collins, a prostitute, was found in a vacant lot in New Orleans. She had been raped, stabbed and beaten.

In March, a 16-year-old girl, Amanda Greenwell, disappeared from a trailer park in Douglas County, Ga., where the police later realized Mr. Jones had been living. Her remains were found a month later.

On April 15, Patrice Endres, the hairstylist, was abducted from her salon in Forsyth County.

In June, Mr. Jones was arrested for methamphetamine possession. The F.B.I. computers hit only the Chapman prints. Again, he was released.

On Sept. 18, Lisa Marie Nichols, 45, was found dead in her trailer home in Mobile County, Ala. Mr. Jones, still going by the name Chapman and staying nearby, was arrested three days later and charged with capital murder, rape, kidnapping and burglary. The authorities would not say how he came to be a suspect.

When Mobile County officials issued an alert to other jurisdictions describing the crime, Missouri authorities sent notice that a John Paul Chapman with the same birthday and Social Security number was in their custody. After investigating, Mobile County officials determined Mr. Jones's true identity and asked the F.B.I. to review its database. The bureau then discovered its error.

Eleven law enforcement agencies have expressed an interest in talking to Mr. Jones about unsolved crimes; the Oklahoma Bureau of Investigation alone interrogated him about four killings. A spokeswoman said Mr. Jones remained a "person of interest" in those cases.

He has since been charged in the Collins and Greenwell killings. In the Endres case, Sheriff Ted Paxton of Forsyth County said Mr. Jones confessed but had not been charged, in part because the body had not been found.

Mr. Jones has made other confessions. Investigators said that he admitted to the Collins killing, and news reports indicated that he told the authorities where he put the bodies of two teenage girls in one of the Oklahoma cases.

Mr. Jones's lawyer in Alabama, Habib Yazdi, said he had sought, unsuccessfully, for a judge to silence his client.

"He would say anything if they would let him talk to his wife and his mother," Mr. Yazdi argued. "He would say, 'Tell me who was missing, I'll tell you that I killed her.' He would say he killed J.F.K. if he had been alive."

Mr. Yazdi said his client was mentally ill and would undergo a psychiatric evaluation.

Ariel Hart contributed reporting for this article.

******************************************************************

Digitized prints can point finger at innocent
Handling, quality of image are risks

By Flynn McRoberts and Steve Mills | Tribune staff reporters
January 3, 2005


CLARKSBURG, W.Va. - Deep inside a sprawling complex tucked in the hills of this Appalachian town, a room full of supercomputers attempts to sift America's guilty from its innocent.

This is where the FBI keeps its vast database of fingerprints, allowing examiners to conduct criminal checks from computer screens in less than 30 minutes--something that previously took them weeks as they rummaged through 2,100 file cabinets stuffed with inked print cards.

But the same digital technology that has allowed the FBI to speed such checks so dramatically over the last few years has created the risk of accusing people who are innocent, the Tribune has found.

Across the country, police departments and crime labs are submitting fingerprints for comparisons and for entry into databases, using digital images that may be missing crucial details or may have been manipulated without the FBI knowing it.

Not unlike a picture from a typical digital camera, a digital fingerprint provides less complete detail than a traditional photographic image. That matters little with pictures from the family vacation. But when the digital image is of a fingerprint, the lack of precision raises the specter of false identifications in criminal cases.

"There's a risk that not only would they exclude someone incorrectly--we have the potential to identify someone incorrectly," said David Grieve, a prominent fingerprint expert who is the latent prints training coordinator for the Illinois State Police crime lab system.

An FBI-sponsored group of fingerprint examiners was concerned enough about the quality of digital images that in 2001 it recommended doubling their resolution. Three years later, though, the vast majority of police agencies still use equipment with the lower resolution.

Equally troublesome, the most commonly used image-enhancement software, Adobe Photoshop, leaves no record of some of the changes police technicians can perform as they clean up fingerprint images to make them easier to compare.

This seemingly esoteric issue is crucial because it raises questions about a bulwark of the criminal justice system: chain of custody. If authorities cannot prove that a fingerprint is an accurate representation of the original and show exactly how it was handled, its validity can be questioned.

FBI officials recognize the resolution problem but say it leads to overlooking guilty people, not falsely accusing the innocent.

"The risk that we're hearing is that we miss people--because the resolution isn't enough--not that we're identifying people incorrectly," said Jerry Pender, deputy assistant director at the FBI's Clarksburg facility.

Potential for error rising

Such confidence is unwarranted, according to digital-imaging specialists and some leading fingerprint experts. And they say the potential for mistakes is growing inexorably as police departments around the nation switch from old inked cards to digitized computer images.

To do so, technicians scan an inked card into a computer, which converts it into a pattern of 0s and 1s that digitally represent the image, similar to how a fax machine works. And, like a fax machine, the process of digitizing the fingerprint loses considerable amounts of detail.

"It gives examiners the misleading impression that they're getting a better-quality image to examine," said Michael Cherry, an imaging expert who is on the evidentiary committee of the Association for Information and Image Management, a business technology trade group. "These images actually can eliminate fingerprint characteristics that might exclude a suspect."

Measuring the number of cases in which a digital image may have wrongly linked a suspect to a crime scene is difficult. The technology is so new that many defense attorneys do not know to ask if the fingerprint image entered into evidence has been digitized.

"I think it's a very real problem, but it's under the [radar] still," said Mary Defusco, director of training at the Defender Association of Philadelphia, a non-profit group that represents indigent defendants. "We have to get up to speed on it."

One of the nation's first successful challenges to the use of digital fingerprinting in the courtroom came in 2003 in Broward County, Fla.

The only physical evidence linking Victor Reyes to the murder of Henry Guzman was a partial palm print--an intriguing trace of evidence found on duct tape used to wrap the body in a peach-colored comforter.

A forensic analyst with the Broward County Sheriff's Office used a software program known as MoreHits along with Adobe Photoshop to darken certain areas and lighten others--a process called "dodge and burn," which has long been used in traditional photography.

Reyes' attorney, Barbara Heyer, argued that such digital enhancements were inappropriate manipulations of the evidence. "It just hasn't gotten to the point of reliability," Heyer said.

Jurors acquitted Reyes, largely because of sloppy handling of the evidence by police. But they also were troubled by the digital fingerprinting technology used in the case. The jury foreman, Richard Morris, who writes computer-imaging software for a living, said in a recent interview that he and his fellow jurors had significant concerns about it.

No record of image changes

"The makers of the [Adobe] software dropped the ball in not providing a digital record of every action applied to the image," Morris said. He said he would like to see lab analysts or police personnel use software that automatically would log any changes so other examiners could determine later whether the digital print had been altered inappropriately.

Ten years ago, only a handful of major police departments used digital fingerprinting. Today, more than 80 percent of the prints submitted to the FBI's Clarksburg facility are digital.

Along with the digital technology has come inexpensive software that allows personnel at many police stations to enhance the prints at their desks. One of the most widely used digital-print software programs, MoreHits, claims about 150 clients among local, state, federal and foreign law-enforcement agencies.

The creators of these explosively popular tools also recognize the potential problems.

"It's like a hammer. It's not evil unless someone who is evil picks it up and uses it," said Erik Berg, a forensic expert with the Police Department in Tacoma, Wash., who developed MoreHits.

Human element crucial

Defenders of the technology contend that concerns about it are overstated because computers only spit out a list of potential matches; typically, human fingerprint examiners at the FBI's lab and at state crime labs make the final matches introduced in court.

"The benefits to law enforcement with digital fingerprints are incalculable in terms of speed of identification and exoneration of the innocent," said Joseph Bonino, former chairman of the FBI's advisory policy board for the Criminal Justice Information Services division in Clarksburg. "They provide a high degree of accuracy, assuming your human examiners are properly trained."

Trust in that safeguard took a major hit last spring when the FBI falsely linked an Oregon lawyer, Brandon Mayfield, to terrorist bombings at Madrid train stations.

When Spanish authorities connected the Madrid print to an Algerian man, the FBI had to admit it erred.

The bureau initially blamed the quality of a digital fingerprint image forwarded from the Spanish National Police. An international panel of experts later concluded that the digital image was fine; instead, the panel found, several veteran FBI examiners had missed "easily observed" details that excluded Mayfield.

Asked last month about the questions involving digital prints, the FBI issued a statement saying it would not comment further until eight teams of forensic scientists--appointed after the Mayfield case unraveled--finish "methodically inspecting every aspect of the latent fingerprint process, which includes the examination of digital images."

The sleek computer equipment inside the bureau's facility in Clarksburg cannot negate this disturbing fact: The FBI does not know if a police agency has altered any of the thousands of new fingerprint images added every day to its database, which now has 48 million sets of prints.

As long as the submissions meet FBI standards on resolution, size and information about the subject, "we wouldn't have any concerns about the quality of images coming into IAFIS," said Steve Fischer, spokesman for the Clarksburg facility, referring to the FBI's Integrated Automated Fingerprint Identification System.

Improprieties possible

But Fischer acknowledged that those standards are not a safeguard against improper manipulation of the images.

"If they were doing something out there," he said, "we wouldn't know about it."

The broader concern, though, remains the quality of the digital images themselves. An FBI-sponsored scientific working group of fingerprint experts cited concerns about the quality of digital images in 2001, when it recommended doubling their resolution, from 500 pixels per inch to 1,000.

But that is only a guideline, and most police departments haven't invested in newer equipment that would upgrade the digital images.

"The quality of the detail . . . in the [lower-resolution] digital image is not sufficient to support a lot of what fingerprint comparisons rely on," said Alan McRoberts, chairman of the working group and editor of the Journal of Forensic Identification.

The roots of using digital images for crime-solving date to the early 1970s, when San Diego police brought a palm print image to the Jet Propulsion Laboratory in Pasadena, Calif., in the hope that scientists could enhance it.

Police had found a bloody palm print on a bedsheet at a murder scene, but the weave of the sheet obscured the print's detail. The lab's scientists managed to separate the print from the bedsheet's weave using a process similar to one employed to enhance photographs taken of the moon and planets.

Since then, the drop in prices for such technology has made it widely available to law enforcement, but critics question whether all police staffers using it fully understand its limitations.

One solution to the problem is simple, according to imaging experts: Have defense attorneys ask the right questions.

Berg, the developer of the MoreHits software, outlined them: "If this is a digital image, has it been enhanced or is this the original capture with no changes to it? If it's been enhanced, I want you to show me what you did and tell me what your training is. And did you go out of your area of expertise to do this?"

If those questions aren't asked, Berg noted, a false identification might not be caught.

************************************************************


Terrorism & Security
posted November 30, 2006 at 12:45 p.m.
The Christian Science Monitor
 
 

"The horrific pain, torture and humiliation that this has caused myself and my family is hard to put into words," said Mr. Mayfield, an American-born convert to Islam and a former lieutenant in the Army.

"The days, weeks and months following my arrest," he said, "were some of the darkest we have had to endure. I personally was subject to lockdown, strip searches, sleep deprivation, unsanitary living conditions, shackles and chains, threats, physical pain and humiliation."

The Washington Post reports that the apology was "unusual" for the FBI, and that the payment (more than twice what the government paid to Wen Ho Lee, a US nuclear scientist who said officials violated his privacy rights) is a "clear embarrassment."

FBI examiners had erroneously linked him to a partial fingerprint on a bag of detonators found after terrorists bombed commuter trains in Madrid in March, killing 191 people. The bureau compounded its error by stridently resisting the conclusions of the Spanish National Police, which notified the FBI three weeks before Mayfield was arrested that the fingerprint did not belong to him.

Mayfield's lawsuit alleged that his civil rights had been violated and that he was arrested because he is a Muslim convert who had represented some defendants in terrorism-related cases.

The Los Angeles Times reports that Spanish authorities, who were dubious from the start that the prints were Mayfield's, eventually identified them as belonging to an Algerian. Experts say the case highlights the "error potential" for fingerprint matching, which they say is too high.

"This is a tip-of-the-iceberg phenomenon," said Simon A. Cole, a professor of criminology, law and society at UC Irvine and author of 'Suspect Identities: A History of Fingerprinting and Criminal Identification.' "The argument has always been that no two people have fingerprints exactly alike ... But that's not what you need to have an error. What you need is for two people to have very similar fingerprints, and that's what happened here."

Michael Cherry, president of Cherry Biometrics, an identification-technology company, said misidentification problems could grow worse as the US and other governments add more fingerprints to their databases.

"I really believe there are a lot more Mayfields out there," Cherry said. "We just don't know about these cases because the Spanish police don't always get to oversee them. We simply don't have an identification standard that fits with today's times."

The Times also writes that a report on the Mayfield case, released last January by Glenn Fine of the Office of the Inspector General (the Justice Department's internal watchdog), said the bureau overlooked important differences between Mayfield's and the Algerian's prints. The report also said the FBI basically ignored the Spanish police when they said they had the wrong man.

McClatchy reports that Mr. Fine also said the case did not entail government abuse of the new powers it acquired as a result of the Patriot Act, as the FBI did not use those powers in surveillance of Mayfield. Fine also said that Mayfield's religion wasn't the "sole" reason for his arrest, but contributed to the failure "to sufficiently reconsider the identification after legitimate questions about it were raised."

The Associated Press reports, however, that in a separate statement released Wednesday, Mayfield said his religion was one of the main reasons that he was targeted by the FBI.

"Not only does my detention as a material witness in the Madrid bombing underscore the fallacy that fingerprint identification is reliable, I hope the public will remember that the US Government also targeted me and my family because of our Muslim religion," he said.

In another case related to the government's terrorism powers, a federal judge has ruled unconstitutional key portions of a presidential order that blocks financial assistance to terrorist groups. The Washington Post reports that the provisions are "impermissibly vague because they allow the president to unilaterally designate organizations as terrorist groups and broadly prohibit association with such groups."

Bruce Fein, a Justice Department official in the Reagan years who has criticized the Bush administration's broad assertions of executive power, said that appealing Collins's ruling may carry more risks for the government than simply changing the executive order's language.

"If they take this up on appeal, they risk another repudiation of this omnipotent-presidency theory that they have," Fein said.

Report blasts FBI lab
Peer pressure led to false ID of Madrid fingerprint

By Flynn McRoberts and Maurice Possley | Tribune staff reporters
November 14, 2004

Top FBI fingerprint examiners gave in to peer pressure when they rushed to link an Oregon lawyer to a terrorist attack in Madrid this year, according to a panel of forensic experts convened to explain the highest-profile mistake in the history of modern fingerprint comparison.

The finding contradicts the initial explanation given by the FBI, which had blamed the quality of a digital fingerprint image sent by Spanish police in the wake of the March 11 train bombings that killed 191 people.

Instead, the panel found that human error, defensiveness and a failure to follow some fundamental scientific practices, such as proper peer review, led to four of the nation's top fingerprint experts wrongly tying Brandon Mayfield, a Portland-area lawyer and a Muslim, to the bombings. Spanish national police later matched the print to an Algerian man.

"Once the mind-set occurred with the initial examiner, the subsequent examinations were tainted," Robert Stacey, chief of the FBI laboratory's quality assurance and training unit, wrote in a report outlining the findings of the international review committee. "To disagree was not an expected response."

The committee's findings underscored a central complaint about much of forensic science: The purportedly unbiased, scientific evidence introduced into American courts often fails to meet either of those standards.

A recent Tribune investigation found that fingerprinting is so subjective that the most experienced examiners can make egregious mistakes.

The FBI had asked the review committee to examine how three of its experts--and a fourth court-appointed expert--erred in declaring Mayfield's prints a match to one found on a plastic bag at the scene of the Madrid attack.

The committee convened at the FBI lab in Quantico, Va., for two days in June. It was given access to the FBI case file and met with the lab personnel involved in the Mayfield case. Stacey's report, published in the Journal of Forensic Identification, summarized the committee's review and its recommendations.

In reaching its conclusions, the panel didn't address the accusation at the center of a civil lawsuit Mayfield has filed against the federal government: That it targeted him because of his Muslim faith and violated his civil rights, holding him in jail for two weeks.

The suit alleges that the examiners had access to background information that showed Mayfield is a convert to Islam. He also had represented, in a child custody suit, one of the men convicted in a Portland terrorism case.

The committee's review prompted the FBI to form eight teams of scientists--from inside and outside the bureau--to "address all the concerns raised by the international panel," Ann Todd, spokeswoman for the FBI lab, said Friday. "It's going above and beyond to make sure that it doesn't happen again."

Todd would not comment further because of an ongoing investigation of the Mayfield case by the Justice Department's inspector general.

Rush to conclusion

In laying out a timeline of the Mayfield fiasco, the report shows how the FBI's Latent Print Unit rushed to conclude that Mayfield's prints matched the print found at the crime scene.

His was one of those spit out when a supervisory fingerprint examiner ran the crime scene print through a search of the FBI's vast database--one of 20 prints with enough similarities to warrant a manual comparison by an examiner.

On March 19, the FBI's Latent Print Unit made its initial report, finding that the print on the bag matched Mayfield's. "The unit chief provided this information by telephone to Interpol Washington," Stacey's report notes. But "the unit chief did not complete a thorough examination of the identification prior to making the telephone call."

Some veteran fingerprint experts welcomed the report as a good first step in confronting the fact that prominent fingerprint mistakes in recent years have occurred at major, respected law-enforcement agencies that employ well-trained examiners.

In addition to the Mayfield case, for instance, the Boston Police Department earlier this year admitted that two of its fingerprint examiners had linked Stephan Cowans to the 1997 shooting of a police sergeant, though a later review found that Cowans' prints weren't even close to those discovered at the scene.

The series of mistakes "means something. It means we have something to learn about our process," said Gerald Clough, a latent-print examiner and detective at a Texas sheriff's office. "Perhaps we have something to learn about the limits of our process."

One of the problems with that process in the Mayfield mistake, according to the committee, was the "inherent pressure of such a high-profile case" and the fact that the first examiner to render an opinion was a "highly respected supervisor with many years of experience."



Noting that the mistake was made not just by individual examiners but by an agency that considers itself one of the best latent-print units in the world, Stacey wrote: "Confidence is a vital element of forensics, but humility is too."

Yet when the Spanish police in May told the FBI that its examiners were wrong, the bureau immediately became defensive, sending the chiefs of its latent-print unit to Spain to explain how the FBI was correct.

"This was interesting," the report noted, "considering that the identification is filled with dissimilarities that were easily observed when a detailed analysis of the latent print was conducted."

Image quality not a factor

Despite earlier FBI attempts to blame the quality of the fingerprint image--a digital representation e-mailed to the U.S. by Spanish authorities--the report states that "all of the committee members agree that the quality of the images that were used to make the erroneous identification was not a factor."

Still, some experts questioned whether many fingerprint examiners fully understand the potential problems posed by using digital images of prints, instead of the old inked print cards. Digital images, though they may appear to be perfectly clear, can be less sharp than the original inked print or a film photo of it.

Because these possible image distortions are caused by computer technology, fingerprint experts are ill-suited to identify them, according to Michael Cherry, a biometrics expert who is on the evidentiary committee of the Association for Information and Image Management.

"The FBI needs improved computer standards," Cherry said. "I really believe there's a lot more Mayfields out there. We just don't know about them because the Spanish government doesn't overlook our work."

Bureau officials had claimed a flawless record until the FBI falsely linked Mayfield to the bombings.

To prevent such a mistake from happening again, the committee suggested a new quality assurance rule for "high-profile or high-pressure cases," including "supervisory verification of conclusions regardless of the normal quality and quantity standard."

The journal report already has set off debate and comment among fingerprint examiners, with some questioning why so-called heater cases should be given greater care.

"Every case should have the same safeguards," said Joseph Polski, chief operations officer of the International Association for Identification, the leading professional organization of fingerprint examiners. "Some people's life and liberty shouldn't be of more priority than other people's life and liberty."

In one online forum, another examiner said she thought it was "funny how they are recommending new procedures for high-profile and international cases."

"In my mind, every identification is just as important as the previous one. The type of case or who [is] asking for the information should have no reflection on my analysis," wrote Michele Triplett, a fingerprint examiner with the King County Sheriff's Office in Seattle. "I find the circular reasoning to be typical."

While crediting the FBI Latent Print Unit personnel for their "forthright manner in accepting responsibility" and the lab for taking "immediate steps to remedy the situation," the committee also noted the need for improvements throughout the latent-print community.

The committee recommended that an initial examiner's conclusion be sealed or withheld from subsequent verifiers to ensure an independent opinion.

And quality assurance programs ought to be designed so examiners are "encouraged to step forward, without fear of reprisal, if they disagree. This part of the scientific method must be institutionalized," Stacey wrote.

The report also calls for verifiers to be given challenging fingerprint cases during blind proficiency tests to ensure that their methods are correct and to detect "skill atrophy."

Acknowledging errors

Stacey emphasized the need for a lab culture where mistakes can be acknowledged quickly and addressed. "Many agencies are slow to do this or refuse to admit that errors have occurred," he wrote. "Admitting the error is the first step in the remediation process."

Barry Scheck, president of the National Association of Criminal Defense Lawyers, said the report amounts to "a powerful statement and something that critics of forensic science have been saying for a long time."

Said Scheck: "This demonstrates that examiner bias is an extremely serious problem in fingerprint identification."

 


 

(c) 2007, Copyright Cherry Biometrics Inc.  All rights reserved