Biometrics 101
Posted under Biometrics, Identification, Privacy on September 28th, 2013 by Mary Haskett
We are always happy to participate in the conferences put on by privacy identity innovation and this year was no exception. We have participated in pii conferences for the last three years and have always met interesting people, found new companies and generally had a great time with kindred spirits.
This year, BeehiveID was in the Technology Showcase of pii2013.
Also, our co-founder, Dr. Alex Kilpatrick did a short presentation on Biometrics 101 at the traditional Ignite! event held during the conference. If you aren’t familiar with the Ignite! format you should go look it up. The format is 5 minutes – you have 20 slides and they auto advance every 15 seconds. This means the timing is super tricky and nothing like anything you have ever done. Ignite! presentations traditionally cover a wide range of topics and tend to be both entertaining and interesting.
This year our co-founder, Dr. Alex Kilpatrick, did an Ignite! presentation called “Lies, Damned Lies and Biometrics” which quickly covers some common misconceptions about biometric technology.
You can watch it here:
Posted under Biometrics, Data, Uncategorized on August 16th, 2013 by Alex
In our industry we use the terms “identity assertion” or “identity claim,” and I think there are a lot of people who don’t know what we mean, so I thought I would write a blog post about it.
We all think we know what “identity” is. In general, we don’t think about it much. You go to the bank to cash a check and the teller asks for proof of your identity. You give her your driver’s license and everything is fine. Your identity has been established. Or has it?
To get started, let’s back up a bit and look at the concept of identity at the root level. There are essentially two notions of identity – one is biological, and one is social. Let’s look at the biological identity first. Biological identity is established by DNA – essentially a long code that makes you unique among all of the other people on the planet. But we are using “unique” here just a bit loosely. It is theoretically possible that two completely unrelated people will have the same DNA, but that probability is astronomical, so we will just assume for this discussion that DNA is truly unique among individuals. Interestingly, 99.9% of our DNA is all the same, but that leaves plenty that is still unique. The FBI has said that they consider that if the odds of a false match are 1:267 billion, they consider that the same person. Fair enough, and we will use that definition here.
So, in the biological sense we establish a unique identity when a new person is conceived. That’s interesting, but not very satisfying for day-to-day business. We could register every new baby into a national database and then use some sort of magic box to test DNA of people we wanted to verify. That’s technologically possible, but expensive (right now) and it has all sorts of practical complications. For an interesting view of how this might look, see the movie Gattaca.
In the social realm, we aren’t so concerned about biological identity. Instead, we are concerned about identity in a certain context. When you cash the check at the bank, they are only concerned about one small aspect of your identity – are you the same person who opened the account? They don’t care about whether you really got a PhD from Princeton, or all the other things that make up your social identity. All of those other things are attributes of your identity, and they are relevant for different types of contexts.
Let’s look at that bank transaction in a little more detail. You present your driver’s license to the teller. You are making an identity claim, and using that license to back your claim. What does that claim mean, though? That claim is established through a chain of trust. That starts with the birth certificate, which is usually required in order to get a driver’s license. That process looks something like this:
- A child is born
- A doctor or hospital certifies the birth
- A birth certificate is registered with the state
- The grown-up person goes to the state and applies for a driver’s license
- The state examines the birth certificate and issues a license.
In terms of identity, the driver’s license is essentially a proxy for the birth certificate, with a photo thrown in for secondary verification. It is only as good as that entire chain of events. And that’s assuming the driver’s license isn’t fake in the first place. As you can see from this example, there are lots of opportunities for fraud – people can be bribed; parent’s can lie; supporting documents can be faked. All of these things happen, and yet our financial system doesn’t fall apart.
This system isn’t perfect, but no system of identity is perfect (even DNA). Identity comes down to trying establish what is good enough. Banks have lots of data on their levels of fraud, and they manage this closely as one of their costs. As an interesting side example of this, consider credit card transactions. Credit card transactions typically have involved two forms of identity claim – the physical possession of the card and a signature. These are both weak forms of identity, but they seem to work pretty well (typical fraud rates are 1%-2%). But some merchants drop the signature requirement for small transactions because they would rather have the lower friction instead of the very slightly reduced fraud that comes with signatures.
So how is identity done in regular social life? In general, one of two things happens: someone you don’t know at all tries to contact you through email/phone, or you get introduced through someone you know. Consider the following people coming to you with an opportunity:
- A Nigerian prince sends you an email
- A salesman makes a cold call
- You get an email from someone who claims to be a friend of a friend
- You get an introductory email from an acquaintance
- You get an introductory email from a trusted colleague or friend
Most people would treat these quite a bit differently. A Nigerian prince in principle represents a great business opportunity, but the identity claim behind it is extremely weak. In contrast, a warm introduction from a friend represents a strong claim.
Let’s look at how identity is done on the Internet. One of my pet peeves about Internet terminology in this area is that people use “identity” in the weakest possible way. Google is an identity provider. While that is strictly clue, the only identity attribute they are certifying is that you have a particular email address. That’s not nothing, but it is practically nothing. For many websites, that’s perfectly fine. They don’t care who you are at all. ” and user “3389318984” are essentially the same identity claim. They just need an identifier to track, so that they can remember your preference, pitch you things they think you would like, or whatever.
Things break down when we start to get into more complex transactions, though. There are many, many more transactions that need a stronger identity claim than a simple email identified. Financial transactions are an obvious example, but there are many others – review sites, dating sites, online forums, and government sites to name a few. In those cases, we need stronger identity claims, and that is where BeehiveID comes in.
We provide means for a very low-friction, relatively strong identity claim that is tied to your social network presence. It isn’t backed by any government, but it is still strong because it relies on your social network to provide strengthening ties. Conceptually, our model is a prototypical identity claim with its own sets of strengths and weaknesses. But the Internet is in dire need of new methods for claiming identity, and we believe our solution is totally new, and future of strong identity.
Posted under Data on August 9th, 2013 by Mary Haskett
We are working with large amounts of Facebook data. BeehiveID is, at its heart, an algorithm and an algorithm is always growing and changing as we get new data and draw conclusions based on existing data.
Below is a representation of Alex’s Facebook profile. You can see he has a rich, deep network of connections to some people. But if you look on the periphery, you see a ring of isolated blue dots. These are the people that have no connection to him other than an initial friend request. You can’t really see this in Facebook at all, but once you visualize it in a graph, it is immediately apparent.
[Click to zoom in for awesome detail]
In our experience, most profiles are like this – about 20% to 30% of the connections are totally isolated. Of course, this begs the question – why do we have these people in our networks at all, if we never interact with them?
Posted under Start up on July 19th, 2013 by Mary Haskett
One of the odd things about being in the Microsoft Accelerator was the camera crew that randomly showed up now and then. This is a picture of me getting my microphone adjusted for demo day. It’s slightly disconcerting to have another person adjusting your clothing; it’s just not something that happens very often.
It’s also slightly disconcerting to have a film crew working around you. I’m sure being the only female co-founder in our cohort made me more of a magnet for the camera crew than others, but they followed everyone. Walking downstairs to The Easy for a presentation, I turned and realized someone had been walking behind me and filming without me realizing. You notice a video camera out of your peripheral vision, but you aren’t supposed to look at the camera. But once you notice it, it’s hard not to look. It’s just odd.
We did video interviews over the course of the three month program and it actually ended up being a great preparation – being a founder is all about telling your story to everyone who will listen and video is a great way to reach more people.
Posted under Start up on July 7th, 2013 by Mary Haskett
This is another blog post about our experiences in the Microsoft Accelerator powered by TechStars program so if you are more interested in biometrics or privacy you can just skip this one and go to the next entry. =)
To me, the main reason to join an accelerator program is to get access to the mentors and other resources in the network. Over the course of the three month program, we had dozens of people who were experts in their various areas come to us and talk about various topics. Plus mentors came in weekly to work specifically with us on our business. I think it would have easily taken me a year to set up and have the meetings I had during the program – assuming I could have gotten them to even answer my call.
We had over 120 meetings during the three month program with potential investors, technical mentors, pricing mentors, marketing mentors, sales mentors, operations mentors, potential customers and other founders. There is a downside – it’s hard to keep track of that many people. And with that many people listening to your concept and giving you feedback, you are going to get a lot of confusing and conflicting advice. It’s called “mentor whiplash” and it’s just what it sounds like.
Also, mentors typically only met with a few companies, so they remembered us (especially me with my long white hair). However, we met with hundreds of mentors and couldn’t remember them all. There were several embarrassing moments when someone would come up to us on the street as if they knew us, and we just had to pretend we remembered them until we figured out who they were.
There were days when I went home at the end of the day and my brain was so full that I could not remember who I had met and I had to review my notes. It takes time to sort through conflicting advice, research alternatives, get second opinions or maybe third opinions (what if that guy is super famous but also just wrong?) and time is not something you have a lot of in an accelerator. You spend a lot of time walking around in a fog.
But how on earth is a start-up going to get that kind of attention without a program like this?
Posted under Start up on June 28th, 2013 by Mary Haskett
We got to work very closely with Microsoft in the Microsoft Accelerator program. I think this is one of the biggest differences between this program and the regular TechStars program. We were issued Microsoft badges so we could work onsite and meet with Microsoft people at any time. There were dozens of Microsoft people in all the various departments that were relevant who were amazingly generous with their time.
We met with their pricing team who reviewed our pricing and provided feedback. We had weekly meetings with their technical people working on Azure who reviewed our architecture, looked at code, helped us identify problems and optimize everything.
The facilities are amazing – I took a photograph of a water feature in the landscaping near one of the cafeterias and everyone thought it was a photo from a resort. Oh, did I mention a large amount of free credit on Azure to get us started?
Posted under Start up on June 7th, 2013 by Mary Haskett
BeehiveID has recently graduated from the Microsoft Accelerator for Windows Azure in Seattle. It was run by TechStars and structured like any TechStars program, but we got to work very closely with Microsoft. I haven’t talked much about our experience there but I’m going to dedicate a few blog posts to it because we have a lot of people ask us about accelerator programs in general and TechStars in specific. Plus it was a wonderful experience, kind of like a cross between graduate school and summer camp. They did a series of videos and I’ll be linking to those as well.
We actually started the program with the the tag line “Twilio for biometric matching”. Our first concept was to create an API so that other developers could incorporate biometric matching – fingerprint, iris or face – into their own applications with one or two lines of code. Biometrics is a field that is growing rapidly and there are many, many applications of the technology but it’s a bit on the arcane, poorly documented side. We thought (and still do) that it would be cool to develop a tool that would make it easier.
The thing about TechStars, and I suspect every accelerator program out there, is that despite the “Tech” in the title, the focus is on the market. It doesn’t matter how cool your technology is if nobody will buy it. More start-ups fail because they build something wonderful that nobody wanted than vice versa. It became clear early on that selling to developers was going to be difficult. So almost the first thing we did was toss out the business concept that got us accepted into the program and start over.
Posted under Biometrics, Identification on May 24th, 2013 by Alex
Most people who work in the field of Artificial Intelligence come away with a healthy respect for the miracle of human intelligence. Humans are wonderful at certain kinds of tasks, and trying to make computers do them well is extremely frustrating. I would like to talk today about the ability of humans to recognize faces. We are genetically wired to recognize faces, so it is no real surprise that we can do it well. Recognizing mom’s face leads to better survival.
When I work with computer face matching, people will come to me with two pictures that the computer says don’t match and ask me “Why don’t these match?” I look at them and they are an obvious match. But I am seeing them with human eyes, not computer eyes. Computers don’t recognize face even remotely the same way we do. To a computer, a face is just an square array of pixels (dots) of different colors. Let’s look at some examples:
These two pictures are reduced to about the size of a driver’s license photo. I am sure that 100% of the people out there will recognize that this is the same person, and the same pose. If you are discriminating, you might be able to tell which picture is higher quality. But if you just glance, you may see them about the same. However, they are not really the same at all.
Let’s enlarge them.
Now you can probably see some differences between the pictures. Look at the finer strands of hair at her scalp. You can probably tell which image is more compressed. But overall, they really look pretty close to being the same. No human would ever have a problem being able to tell that there the same person and same photo.
However, I am going to give you a glimpse into what the computer sees. Let’s zoom in to just her eye:
In these images you can see the individual pixels of color. These images are the same resolution, but one image clearly contains a lot more information that can be used by the computer than the other one. The higher quality image is 1.2 MB and the lower quality image is 150 KB, a factor about 10X. (not that a bigger file necessarily contains more information)
Your brain kind glosses over this lack of information. You see eyes in both pictures, and one is lower quality than the other one, but your brain knows it is an eye and fills in the detail for you. You are not really conscious of it. But to a computer, these images are very, very different, and will not match.
Let’s look at one final example. The “high resolution” picture I used in this blog post was actually compressed in order to make it palatable for the Web. The original image was about 10 MB. Here is the same eye from the original image:
You can see that this image has a lot more detail, and more information usable by the computer for face matching.
This is why we say you can’t trust your eyes when evaluating whether a picture is good for face matching. Your brain lies to you. You have to zoom in to the pixel level to see what the computer sees.
Posted under Start up on May 10th, 2013 by Mary Haskett
This morning I flipped through the channels trying to see what the options were for cable in Seattle. I stopped for a few minutes on a TV show about Hoarders and it just chilled me to the bone.
No, I don’t feel crowded. This is a perfectly reasonable way to live.
It wasn’t the living conditions that scared me, it was the amazing ability of the person on the show to rationalize how they were living and how unable they were to part with what was obviously trash. I don’t mean items that might have use to anyone, but cheap plastic toys that came with a fast food meal years ago that is of no use to anyone.
I know that hoarding is a psychological disorder but I also know that it’s human nature to see what you want to see and hear what you expect to hear.
So I’m in the Microsoft Accelerator for Windows Azure powered by TechStars and we are spending an enormous amount of time validating our business idea by talking to potential customers and finding out if they are willing to pay for what we want to build. Sounds really straightforward and it should be. It’s just not.
Let’s just keep collecting data until someone offers to buy us.
I talk to someone who loves what we are doing and wants to be a beta tester. That’s a really good sign, right? Maybe, or maybe they just like mucking about with new technology but don’t have a financially viable use. I talk to someone who says our technology really wouldn’t solve the problems they are facing. Well, that’s OK because our technology certainly isn’t for everyone, right? Maybe, or maybe I’m just unwilling to see the obvious signs that there isn’t sufficient interest.
I need to get out of the building and talk to 100 potential customers. But I also need to avoid analysis paralysis and make a decision quickly and decisively move forward. We need one customer that is cool and interesting so we can get the word out about our platform and we should also get out and evangelize the developer community. We need to make careful, thoughtful decisions based on collected data but we need to do it quickly. You shouldn’t build anything until you know there is a big enough market of people willing to pay for it but you should also just focus on building amazing things and the money will follow.
Yep. Pretty much how it works for me.
The path to success been a tangled, muddy mess for all my past triumphs. In the middle of it all, it’s complicated and even the obvious, clear indicators were only so clear in hindsight. I guess all you can do is get used to and make peace with the tangled mess and just keep swimming.
Just keep swimming.
Posted under Biometrics on May 3rd, 2013 by Alex
I sometimes get asked to show someone how big a graphic is “at full size” and this request always confuses me because fundamentally, images don’t really have a size, per se. An image is an array of pixels, which don’t have sizes. Let’s look at the Beehive Logo, which is 899 pixels wide by 153 pixels high.
It looks like a complete picture, but it is actually composed of individual pixels, which are the smallest possible element of the picture. Here is a zoom view of some pixels around the ‘b’ with a single pixel colored black.
As an aside, if you notice the weird patterns of different shades of gold, that is anti-aliasing. It is designed to fool your eyes into seeing a jagged thing like this as a smooth curve. Anyhow, I know exactly how many pixels our logo has, but I can’t tell you how big it will be on your screen, or if you print it out. I am currently on a laptop that is very dense – 1920×1280 pixels, but it is a small (13”) screen. The logo is small on my screen. On yours, it is likely to be different. That’s because it doesn’t have an actual size, it just have pixels.
However, all is not lost. There is a property of an image called dpi – dots per inch. You can think of this as a “suggestion” of how the image should be sized. This is available as a file property in Windows 7, but they dropped it in Windows 8. You can see it in an image editor, though. Here it is in the “Image Adjustment” dialog in Photoshop.
This shows the image is 72 dpi, which is typical for the vast majority of images. 72 dpi is a typical screen resolution. That means on a typical screen (not every screen), this image will be 899 pixels / 72 dpi = 12.5 inches, as shown here. However, when I look at the logo in 1:1 zoom on my computer, it isn’t that big. That’s because my monitor isn’t 72 dpi, it is 108 dpi So, this logo is closer to 8 inches. As you can see, there is no absolute size to this image. There are pixels, and dpi, which provide an idea on size, but not an absolute size.
So what does this have to do with biometrics? A lot, actually. When we compare fingerprints, we are looking at the X and Y locations of minutiae points – ridge endings, splits, etc. In order to compare them, we need to know absolutely where they are, none of this “dpi suggestion” stuff like in the previous example. We need to know exactly where each point is. Luckily, the FBI solved this problem a long time ago, because they have a selfish interest in trying to make it easy to collect and compare fingerprints. They (along with NIST), established a standard that says all fingerprints are collected at 500 dpi. That is a different kind of measurement that in our logo example, because it is an indication of something collected from a scanner. So, we know for sure that 500 pixels is 1 inch. So, if a particular point is at the location (250,250), we know that point is at the location 1/2”, 1/2” on the finger. So, we can compare all fingers along the same scale.
You can see this in the following illustration of matched points. We still have to deal with rotation, but that is not too hard.
Face matching and iris matching are totally different, though. They do not rely on X,Y positions of points, so dpi is not important, just pixels. Additionally, faces and irises have easily locatable marker points that provide a basis for positional information. For faces, it is the eyes, and for iris it is the pupil. This allows faces and irises to be compared on the same scale without requiring precise DPI for collection.
In short, pixels have no absolute size, nor do images. The only thing that establishes a relationship between an image and anything approaching a real size is to know the dpi of the sensor that acquired a particular image.