‘Informed’ consent must be ‘Respected’. ‘Misinformed’ Consent must be ‘Corrected’.

In February 2018 we felt a big shockwave to have heard a mind-bogglingreport of unnecessary deaths presumably brought by biometrics misunderstood from India where the biometrics; is mandatory for its Aadhaar-based Public Distribution System. There have since been intriguing new findings.

According to a report from India, actual False Acceptance Rates turned out to be 6% for fingerprints and 8.5% for iris scans in the large-scale use case of Aadhaar, which may look far higher than you have heard. And, a follow-up report says that a lock function has been introduced for the biometrics data.

By the way, the reports refer to ‘failure’ or ‘glitch’ of biometrics, but it is not necessarily correct. 'False Rejection' as against 'False Acceptance' is inherent in biometrics; there is no biometrics that is free from False Rejection. Let us explain this point closely.

A graph (*1) below shows the False Acceptance Rates (FAR) and False Rejection Rates (FRR) of two biometrics products - one relatively more accurate and the other less accurate.

What this graph indicates is, firstly, that FAR and FRR are not the variables that are independent from each other, but are dependent on each other.

A FAR could be fixed only against a certain FRR, i.e., both variables can be positioned only at the same single point on the same single curve. In other words, the couple of a FAR and a FRR can exist only in a certain combination.

Secondly, it also indicates that the lower a FAR is, the higher the corresponding FRR is. The lower a FRR, the higher the corresponding FAR. That is, FAR and FRR are not just mutually dependent but are in a trade-off relation

The level of a FAR that rejects a twin would have to bring the level of a FRR that rejects the registered user very frequently. The level of a FRR that eliminates the need of a fallback means would have to bring the level of a FAR that accepts nearly anyone.

Thirdly, also indicated is that the more accurate the biometrics sensor becomes (the lower the Equal Error Rate becomes), the curve goes downwards/leftwards in this graph. But, when a FAR is 0 (zero), the corresponding FRR still remains close to 1 (one). When a FRR is 0 (zero), the corresponding FAR remains close to 1 (one).

Another graph (*2) helps us to grasp how FAR and FRR are mutually dependent and also in a trade-off relation.

Move the threshold to the right (more strict) and we would see the combination of a lower FAR and a higher FRR. Moving it to the left (more lenient), the outcome would be the combination of a higher FAR and a lower FRR.

The presence of False Rejection, however close to 0 (zero) the rate might be, would require a fallback means against the False Rejection.

If the officials responsible for the Aadhaar-based PDS had been informed of the above, they must have provided a fallback means in case of the false rejection. Then this kind of misery could have been avoided. We have to wonder how it was possible that these people were not advised of the issue of false rejection.

The touted merits of biometrics were (a) security higher than passwords and (b) convenience better than passwords. We have been trying to demystify (a) and the actual case of Aadhaar and the like will hopefully be demystifying (b).

* Look at this brief video for demystification (a) of biometrics.

Biometrics in Cyber Space -"below-one" factor authentication