Fingerprints are not necessarily unique. This is also not a new revelation. While the observed variations in fingerprints have led to a widespread belief that each person’s fingerprints are unique, various experts are quick to point out that this cannot be proved.
“Essentially you can’t prove that no two fingerprints are the same. It’s improbable, but so is winning the lottery, and people do that every week,” Mike Silverman told the Telegraph in 2106. Mr Silverman introduced the first automated fingerprint detection system to the Metropolitan Police (UK).
No two fingerprints are ever exactly alike in every detail, even two impressions recorded immediately after each other from the same finger.
Between the two statements lies a whole world of probability. It cannot be proved that every fingerprint is unique and no two fingerprints will be exactly the same either – even two prints from the same finger taken at the same time.
What the UIDAI does is match the fingerprint it receives during authentication against the stored fingerprint and accept or reject it as a match based on how similar it is to the stored print. This creates some odd ironies too, as J T D’souza pointed out in his speech at the Break Aadhaar Chains Press Conference in Mumbai. J T D’souza is a technocrat and security expert who had shown in 2011 that fingerprint matches can be spoofed easily.
He described how fingerprints could easily be duplicated using a little candle wax and some fevicol. All you have to do is warm the wax till it softens and press the finger of which you’d like to make a print into it, so that the wax captures the fingerprint impression (in reverse). Then you apply a thin film of fevicol on the impression in the wax and let it dry. When you peel it off, you have a copy of the fingerprint.
Ironically, unlike real fingerprints, this print will not change with age and thus is more likely to validate a fingerprint match against a stored fingerprint than the actual finger after some years have passed.
The man whose fingerprints matched seven people
Perhaps more dramatic is the case of Mallikarjun Gurikar, who was refused an Aadhaar in spite of applying over 30 times because his fingerprints matched with seven others. He would get a message citing rejection or technical error but no explanation. Frustrated and desperate because of the necessity of linking Aadhaar everywhere, he wrote to the Prime Minister threatening suicide, which was when he finally received an explanation. His application was being rejected because his prints matched with seven others. The frustrated man physically located and brought the seven other people to demonstrate that they were separate individuals. The UIDAI reenrolled them and him and finally everyone had an Aadhaar.
According to UIDAI, Mr. Gurikar faced this problem because he tried to help people who had come to enrolment centers to get enrolled, which resulted in his fingerprints being captured. If this is right, then the UIDAI is saying two things about their enrolment system.
- That there isn’t adequate procedure that ensures that only the fingerprints of the person who is applying get captured.
- That a person who does not have an Aadhaar himself was helping with enrolments – UIDAI has a requirement that enrolment agents have an Aadhaar themselves. In spite of this, it is clear that what actually happens is way outside their control as well as capability for quality control.
- A third question, of course, is how Mr. Gurikar knew the names of the people whose fingerprints matched with his, in order to locate and produce them physically. Clearly he received enough personal information about these people to find them. What are the security procedures UIDAI has to give out information of this sort to non-authorized people?
Or perhaps there is a simpler explanation that the UIDAI is unlikely to like hearing: that the fingerprints were indeed similar enough to pass off as identical if a low threshold was used in declaring matches based on probability. This is not inconceivable. As J T D’souza explains in his speech, the probability of finding identical fingerprints in a small sample size is quite negligible. However, when you speak of billions of people, the larger the size, the greater the potential for matches – both for each individual print to find a match in a larger sample size as well as the number of prints that would find matches overall.
Given that the match of fingerprints is based on probability rather than being a deterministic one, the lower the threshold for declaring a match, the greater the chance of a match happening. However, setting a high threshold also risks the original person giving the fingerprint being declared a non-match, because as Mr. Silverman explained above, even two fingerprints from the same finger are not identical.
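The threshold trade-off and the effect of database size described above can be put into numbers. The following is an added example, not code or data from UIDAI or any vendor: the two score distributions are constructed assumptions chosen only to show the shape of the problem.

```python
import math

# Constructed score model (an assumption, not measured data): similarity
# scores are normally distributed, with a high mean when both prints come
# from the same finger and a low mean when they come from different fingers.
GENUINE = (70.0, 10.0)    # (mean, standard deviation)
IMPOSTOR = (20.0, 8.0)

def _upper_tail(x, mean, sd):
    """P(score >= x) for a normal distribution, accurate for small tails."""
    return 0.5 * math.erfc((x - mean) / (sd * math.sqrt(2.0)))

def false_match_rate(threshold):
    """Chance that a print from a different finger scores at or above the threshold."""
    return _upper_tail(threshold, *IMPOSTOR)

def false_non_match_rate(threshold):
    """Chance that a print from the same finger scores below the threshold."""
    return 1.0 - _upper_tail(threshold, *GENUINE)

def p_any_false_match(fmr, enrolled):
    """Chance that one new print falsely matches at least one of `enrolled` records."""
    # 1 - (1 - fmr)^N, computed in a way that stays accurate for tiny fmr.
    return -math.expm1(enrolled * math.log1p(-fmr))

def expected_false_matches(fmr, enrolled):
    """Average number of enrolled records one new print falsely matches."""
    return fmr * enrolled

def report(thresholds=(40, 50, 60), sizes=(10_000, 1_000_000, 1_000_000_000)):
    """One row per (threshold, database size) combination."""
    rows = []
    for t in thresholds:
        fmr, fnmr = false_match_rate(t), false_non_match_rate(t)
        for n in sizes:
            rows.append((t, fmr, fnmr, n, p_any_false_match(fmr, n),
                         expected_false_matches(fmr, n)))
    return rows

if __name__ == "__main__":
    for t, fmr, fnmr, n, p_any, expected in report():
        print(f"threshold={t} FMR={fmr:.2e} FNMR={fnmr:.2e} "
              f"N={n:>13,} P(any false match)={p_any:.4f} expected={expected:.1f}")
```

Under these assumed distributions, raising the threshold far enough to make a false match a one-in-millions event per comparison still leaves hundreds of expected false matches per enrolment against a billion records, while rejecting a noticeable share of genuine fingers.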
The Quest for a MasterPrint – a Universal Fingerprint
So how probable is probable? To get an idea, let me tell you about the attempt of researchers to create a “MasterPrint” – a fingerprint or set of fingerprints that could match on any biometric device currently available. It is like a dictionary attack for fingerprints. To do this, the researchers subdivided a record of 800 fingerprints into 8200 partial impressions and tested them for a match against each other using a commercial algorithm. Where most complete fingerprints usually matched only themselves, 1200 of the partial impressions matched over 4% of other impressions.
Fingerprint made by algorithm
The 1200 impressions were then plugged into a simple machine-learning algorithm that randomly modified the fingerprints and matched them with different patterns. If the match was higher than the original, the modified impression would be used in the place of the original until the maximum match was achieved. The project currently has reached a 65% success rate with smartphone sensors. This means that the “MasterPrint” is able to unlock 65% of smartphones locked using a fingerprint.
How certain do you feel now that it would be impossible to access your “secure” Aadhaar identity using your “fingerprint”? How “safe” is UIDAI’s biometric data?