Biometric security and AI: dangerous partners

If you see it in Star Trek, then it’s about to happen, isn’t it? No matter how outlandish the idea, it gets instant credibility once we have seen it in an episode of Star Trek or another major science fiction series. I’m afraid that I’m about to draw attention to the importance of that f-word: it’s fiction, and we must never let fiction set our expectations of reality.

Biometrics are booming. You only have to look at Apple’s iPhone X. Or talk to any of the voice-driven systems like HomePod. There are always a few users who seem to struggle with such systems, but for many they work well. We’re already letting our face unlock our phones, and our words control the actions of our devices. After all, what can be more secure than your own physical features?

The answer is proven, old-fashioned and dull: a good robust password. I’ll match that against any biometric system you care to pick, when that system depends on artificial intelligence of any form.

Voice recognition using a ‘voiceprint’ is a well-explored example. Talk to a linguist who understands the sound of human speech, and you’ll discover that such experts reject the whole concept of a ‘voiceprint’. Max Little has just written a brief and clear account on Language Log of how voice recognition systems can be duped. Listen to his sample audio for a stunning example.

In essence, all you have to do to fool a biometric security system which relies on AI is to work out how to exploit its blind spots. Your iPhone X may be very good at telling apart two visually similar faces, and only unlocking when presented with the right one. But if you were to explore its response to carefully designed departures from the normal face, you are almost guaranteed to find blind spots in the algorithms used.
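A toy sketch can show how such a blind spot is exploited. The linear ‘matcher’ and every number below are invented for illustration, and bear no resemblance to Face ID’s real internals; but the principle, nudging the input in exactly the directions the model is most sensitive to, is the same one adversarial attacks use.

```python
# Toy illustration of an adversarial 'blind spot'. A linear scorer stands
# in for a face matcher; all figures here are invented for illustration.

def match_score(features, weights, bias):
    """Positive score means 'same face, unlock'; negative means reject."""
    return sum(f * w for f, w in zip(features, weights)) + bias

weights = [0.9, -0.4, 0.7, 0.2]   # directions the model is sensitive to
bias = -1.0

impostor = [0.7, 0.7, 0.6, 0.4]   # a wrong face, correctly rejected
print(match_score(impostor, weights, bias))   # negative: stays locked

# Nudge each feature slightly in the direction the model rewards:
eps = 0.1
adversarial = [f + eps * (1 if w > 0 else -1)
               for f, w in zip(impostor, weights)]
print(match_score(adversarial, weights, bias))  # positive: unlocks
```

The perturbed input differs from the impostor’s by at most 0.1 in each feature, a change a human would barely register, yet it crosses the decision boundary.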

Behind this is another problem with almost all AI: it doesn’t work in simple binary terms, right or wrong; everything becomes messily statistical and fuzzy.
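The contrast is easy to demonstrate. In the sketch below, a password check is an exact, all-or-nothing comparison, while a biometric-style check reduces to a continuous similarity score compared against a threshold. Python’s difflib string similarity merely stands in for a real matcher, and the 0.8 threshold is an invented figure:

```python
# Binary versus fuzzy decisions. SequenceMatcher is only a stand-in for
# a real biometric matcher; the 0.8 threshold is an invented figure.
import hmac
from difflib import SequenceMatcher

def check_password(stored, supplied):
    # Exact match or nothing -- there is no 'nearly right' password.
    return hmac.compare_digest(stored, supplied)

def check_biometric(enrolled, sample, threshold=0.8):
    # A continuous score, thresholded: 'close enough' counts as a match.
    score = SequenceMatcher(None, enrolled, sample).ratio()
    return score >= threshold, score

print(check_password("correct horse", "correct horsf"))  # False, full stop
print(check_biometric("enrolled-face-pattern", "enroled-face-pattern"))
```

A password that is one character out fails outright; a biometric sample that is slightly off can still score above the threshold, and everything hinges on where that threshold sits.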

A traditional dialog requiring you to authenticate with your password is simple in its behaviour. Enter the correct password, and you’re good to go. Enter anything else, and you’re blocked. We understand well how attacks against such systems can capitalise on weaknesses in password construction, and we can calculate how long it would take to gain a 50% chance of guessing the correct password when its contents are apparently random.
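The arithmetic behind that calculation is straightforward. The sketch below assumes a 10-character password drawn uniformly from the 94 printable ASCII characters, and an attacker making an assumed ten billion guesses per second; both figures are illustrative, not measured:

```python
# Back-of-envelope brute-force time for a random password.
# The guess rate is an assumed figure for an offline attack.
alphabet = 94                 # printable ASCII characters
length = 10
guesses_per_second = 1e10     # assumed attacker speed

keyspace = alphabet ** length
# A 50% chance of success comes after searching half the keyspace:
seconds_to_half = keyspace / 2 / guesses_per_second
years = seconds_to_half / (3600 * 24 * 365)
print(f"{keyspace:.2e} candidates; about {years:.0f} years to even odds")
```

The point is not the exact number of years but that, for a genuinely random password, the calculation is exact and the behaviour entirely predictable.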

Even when using what appear to be very sophisticated methods of recognition such as those in Mozilla DeepSpeech, AI methods have been shown to be brittle. Max Little states that DeepSpeech has 120 million parameters which have been trained exhaustively on labelled speech data. Yet with some careful audio engineering, what we hear as ‘without the dataset the article is useless’ is recognised as ‘okay google browse to evil dot com’.

I am reminded of some biological research that was carried out just after the Second World War by the great Niko Tinbergen, into the feeding behaviour of young herring gulls. Using coloured cardboard models, he discovered that a chick could be fooled into treating a piece of cardboard with a bright red spot on it as if it were its parent. (Interestingly, his original work has been repeated and re-analysed since, and some of his conclusions have now been revised. That doesn’t alter its relevance here.)

Tinbergen had discovered a ‘blind spot’ in young herring gull behaviour. Before you dismiss this as a failure in a mere bird brain, recall that birds like herring gulls have excellent vision and well-developed visual areas in their brains. Their brains also have a high density of neurons, such that the total number exceeds that of some primates.

In terms of sensory and intelligence capabilities, a young herring gull is far superior to anything yet made by man, yet by exploiting this ‘blind spot’ its brain is easily misled.

There is an extensive literature demonstrating the brittleness of current machine learning systems, alongside simple demonstrations such as that provided by Max Little. So should we trust these combinations of biometrics and AI with the security of our computers and sensitive data? Do I need to mention the words Meltdown and Spectre to make you think again?