Jusletter IT

Over-concerned with election fraud, legislators are continually justifying new restrictions on voter identification processes.¹ Many states in the US require voters to verify their identity by presenting some form of identification at the polls before they are permitted to cast their ballots normally.² In previous elections, voters lacking ID have caused many problems, and while US election officials cannot prevent a voter without an ID from voting, this voter is given what is known as a provisional ballot instead of a regular one.³ Unlike the regular ballot, a provisional ballot is not counted until the voter returns (within a specified period of time) to the poll site with his ID. Although this seems like a simple procedure, over half a million provisional ballots were rejected in the 2004 US general election.⁴

Many studies have concluded that these strict voter identification laws exclude an eligible segment of people from voting.⁵ These studies showed that access to valid photo identification is highly dependent upon the ethnicity, income-level, education-level, and age of an eligible voter. For example, a study found a difference of 11.5 percent between whites in Indiana reporting access to valid photo identification, compared to blacks statewide.⁶ The study also found that Democrats have a lower access rate to valid photo IDs when compared to Republicans.⁷ Thus, more Democrats are disenfranchised than Republicans as a result of this law. In addition to problems associated with a lack of ID, an investigation showed that election officials excessively issued provisional ballots in unnecessary cases resulting from flaws in the registration process.⁸ There were cases where election officials unintentionally misspelled the voter’s name or forgot to fill in some information during the registration process resulting in the rejection of ballots cast by eligible voters.⁹ Thus, the need for a new identification trait arises - an identification trait that would not provide preferential treatment based on ethnicity, income, education, or age. Using a biometric identification method could have significantly reduced the number of issued provisional ballots over previous elections. Authenticating voters using biometric methods could also eliminate the possibility of registration fraud, double voting, and unintentional human errors that might seem like fraud.

Biometric identification, as the term implies, refers to using a person’s unique biometrics to verify his identity. Passwords, pin numbers, and credit cards are keys of a person’s identity that can be forgotten, lost, copied, stolen or easily guessed compared to a person’s physical trait. There are several physical characteristics that can be used to distinguish a person from another. These characteristics include, but are not limited to, the following: fingerprints¹⁰, palm prints¹¹, DNA¹², iris scans¹³, retina scans^14, and hand geometry.¹⁵ There are also several behavioral characteristics that can be used to distinguish one person from another such as an individual’s voice¹⁶ or handwriting¹⁷.

Additionally, we will discuss the advantages and the difficulties that such a system may face. While biometric traits are difficult to forge or lose, it is still possible for an attacker to steal the digital representation of a biometric and reuse it.¹⁸ A major advantage of traditional password schemes is the ability to change it if stolen, whereas it is not possible to assign a new biometric trait to an individual.¹⁹ Thus, it is important to ensure the security of the biometric data, especially when transmitted remotely over an unsecured network. Transmitting biometric data safely over the Internet can be very challenging. We will discuss possible attacks and how can they be avoided.²⁰

As we mentioned earlier, biometric techniques identify a person based on his own unique physical and behavioral characteristics. An individual’s fingerprints are one of the most commonly used characteristics, especially in forensic science. While the fingerprint matching process is highly accurate and relatively affordable, the fact that individuals can leave fingerprints behind them or that they can be acquired without their consent makes them a less attractive option for voting purposes. Human rights activists showed some concerns regarding individuals’ privacy and the risk that law enforcement could misuse this data without the individuals‘ consent for purposes other than the intended, such as for forensics and tracking.²¹ The importance of user privacy raises the need for a nonintrusive biometric technique. Unlike fingerprints, DNA, and other biometric traits, it is highly unlikely that iris images could be used during crime investigation. The present technique to acquire a user’s iris image requires a high degree of user cooperation, which makes the image difficult to obtain without the user’s consent.²² The iris has many advantages over the other biometrics. The iris is the only internal organ that is externally visible; it develops in early stages of a human’s life and doesn’t change thereafter.²³ Other biometrics might be affected by an individual’s age such as is the case when fingerprints are inaccurately read due to dry skin. Additionally, a voice recognition system may not be able to recognize a user suffering from a cold.²⁴ Scars, wounds and even altered environmental conditions might result in falsely rejecting authorized voters. Another advantage of iris scans over fingerprints and hand geometry is the fact that it doesn’t require the user to physically touch the device, making it more hygienically appealing.²⁵

Other hygienic, non-intrusive techniques are retina scans and face recognition. Retina scanners scan an individual’s blood vessels by acquiring an internal body image, and generate a unique data set.²⁶ However, iris scans are performed faster and are much more affordable. Face recognition is achieved by analyzing the size and position of different facial features. Since facial features are highly changeable over time and due to the fact that the face has a variety of expressions, face recognition results in a very high rate of error.²⁷

Iris prints are unique; even an individual’s right and the left iris prints do not match. Various iris recognition algorithms exist; these algorithms share the following steps: capturing the image, locating the iris, and comparing it to previously stored irises. An iris image can be captured using a relatively inexpensive camera in the range of US-$ 200.²⁸ Usually pictures need to be taken from close distance (less than one meter).²⁹ Iris recognition technologies do not depend on the iris color to distinguish one iris from the other, but on the iris patterns like the connective tissues, cilia, contractions, and rings.

Once the image is taken using an infrared camera, and after filtering the image, the pupil can be easily located since it is the darkest circle in the image³⁰ (see Figure 1). The center of the pupil is the black point within the pupil that is the farthest from the pupil circumferences. After determining the pupil parameters, the iris (the pigmented outer circle) can be located. The pupil and the iris do not share the same center, so we cannot use the pupil parameters to locate the iris directly. Most modern algorithms generate random circles around the pupil until they find the exact iris circumference. While this method is highly accurate, it can be very time consuming.³¹

Figure 1: Detecting the center and the circumference of the pupil³²

Knowing that the iris varies significantly from one individual to another, and less than half of the iris surface is needed to identify a person, our algorithm detects the iris partially using the following process: detect the edge of the iris on both sides (left and right) of the pupil. In other words, locate the edges of the iris on a horizontal line that passes through the center of the pupil. The iris circumference will cross the horizontal line twice at point x (to the left of the pupil’s center) and point y (to the right of the pupil’s center). It is unlikely for the pupil and the iris to share a center, hence it is unlikely that x and y are of equal distance to the pupil center. Since less than half of the iris surface is needed to identify a person, we can use the area of the circle whose radius is from the pupil center to the nearest edge (either x or y) for identification purposes. In fact, we might be able to use an area that is slightly less than the shorter radius; this is due to the possibility that a part of the iris might be obscured by eyelids and eyelashes. The iris edge (circumference) can be easily detected after using a median filter.³³

After that, we can exclude the pupil and convert the captured partial iris into a digital format (a matrix of 1’s and 0’s). This is done by mapping the image into Cartesian coordinates.³⁴ To authenticate a user, his image is captured and processed, as previously mentioned, and then compared to the stored images. The most commonly used comparison technique is calculating the Hamming distance between the newly captured image and the existing ones. The Hamming distance between any two equal length binary vectors is the number of positions in which these vectors differ divided by the vector length.³⁵ If two images are identical, the Hamming distance is 0, and if they differ in every point, the Hamming distance is 1. In reality, it is very unlikely for two iris codes to be identical, even if they belong to the same person. This is due to different reasons such as, imperfections in the camera, differences in lighting when the images were captured, or the image being shot from a different angle. Unlike traditional password schemes where an exact match is required, a biometric authentication is approved when the biometric measurement data is similar to the stored data. The required percentage of similarity in order to generate a match depends on the desired level of accuracy. On average, any two random iris codes differ in half of their bits; in other words, the Hamming distance for any two different iris codes is around 0.5.³⁶

When evaluating the performance of any biometric techniques, there are two error rates that need to be tested: the False Reject Rate (FRR) and the False Accept Rate (FAR). A False Reject occurs when the system incorrectly rejects a valid subject (a subject whose biometric template is stored in the database). The False Accept happens when an unauthorized user’s measurement is incorrectly matched to a stored template that belongs to another subject.³⁷ Biometric identification technique decision-making policy relies on both FRR and FAR. If the required level of similarity between a measurement and a template is too high, the FAR will be minimal; however, FRR will be too high for the reasons we mentioned above. On the other hand, reducing the required similarity level will result in a higher ratio of false accepts. A trade-off point is needed; the point where FRR is equal to FAR is known as the Crossover Error Rate (CER). The lower the CER, the higher the accuracy. In iris recognition technology, the nominal CER was found at a Hamming distance of 0.342. In other words, a match between two iris codes is generated, if their similarity percentage is 65.8% or more.³⁸ These percentages and rations can be modified based on the recognition algorithm, size of the database, the desired level of accuracy.

In traditional voting, biometric identification techniques can improve the registration and authentication processes and help avoid the previously mentioned flaws. During the registration process, trained election officials enroll potential voters by capturing their iris images, which will be then converted by the system into digital templates and stored in the database. This requires the physical presence of all potential voters in order to capture and store their biometrics. While this procedure might sound inconvenient, it can be performed over a period of time in several locations and only needs to be done once. On election day, the potential voter’s iris image is captured by election officials. The potential voter’s biometric measurement is then compared to the stored templates. If the voter is identified and the system indicates the voter is eligible and has not voted before, the voter is directed into a private election booth where he can cast his ballot.

The data templates acquired during the registration phase can be stored locally on a workstation at each polling station or on a central database that is accessed remotely. In the latter case, it is necessary to secure the pathways of the network and to encrypt the transmitted biometric measurements. Unlike with regular password schemes, an individual whose biometric data is comprised will not be able to change it. Biometric traits are highly distinctive and accurate; however, transmitting this unprotected data over an unsecured channel can jeopardize the system’s integrity.

Leiss mentions two possible attacks and how they can be avoided.³⁹ These attacks happen during the transmission of the captured data over an unsecured channel. The first attack happens when a third party intercepts the captured measurement and reuses it later on. This attack can be avoided by encrypting the measurements before transmitting them making it impossible to figure out the plaintext of the measurement. Since no two measurements are completely identical, storing every measurement that resulted in a successful match and comparing any new measurement against them will prevent reusing any intercepted measurements. A more threatening attack is “sniff and suppress”; in this attack a third party captures the transmitted measurement and replaces it with a random message. This way, the attacker acquires a set of measurements that has never been used before and which he can use once before it is stored with all the other measurements that resulted in a successful match. To prevent this attack, a list of detailed requirements must be satisfied.⁴⁰ These requirements include precisely timed handshakes and encrypting the transmitted data on various levels.
For Internet voting, biometric authentication can be used to replace the current password schemes, if the above list of requirements is satisfied. However, supervised biometric authentication at the polling station might have some advantages over remote authentication. Election officials will be trained to handle any unexpected failure. Supervising the authentication process would also eliminate the possibility of voters spoofing (willfully attempting to impose a false accept on the biometric system) the camera. At a polling station, a camera can be used to authenticate hundreds of voters; whereas, each voter voting from his own home will need a camera.

Iris recognition has been used to enhance several crucial applications including airport security, boarder clearance, and banking, and it has been proven accurate and reliable. In this paper, we have discussed the possibility of implementing iris recognition as an authentication tool for the electoral process. We have also introduced a less time-consuming algorithm that extracts less iris data for comparison.
An individual’s biometrics are very distinctive and unique; however, failure to securely transmit and protect this data will introduce undissolvable vulnerabilities to the authentication system.

Barreto, M./Nuño, S./ Sanchez, G., The Disproportionate Impact of Indiana Voter ID Requirements on the Electorate. http://depts.washington.edu/uwiser/documents/Indiana_voter.pdf, accessed 11. Januar 2010 (2007).
Carr, D., Iris Recognition: Gabor Filtering. http://cnx.org/content/m12493/1.4/ accessed 11. Dezeber 2009 (2004).
Clelland, C.T./ Risca, V./ Bancroft, C., Hiding Messages in DNA Microdots, Nature 399:533-534 (1999).
Daugman, J., How Iris Recognition Works. IEEE Transactions on Circuits and Systems for Video Technology, 14, 21-30. http://www.cl.cam.ac.uk/~jgd1000/ accessed 1. Dezember 2009 (2004).
Dunker, M., Don’t Blink: Iris Recognition for Biometric Identification. http://www.sans.org/reading_room/whitepapers/authentication/
dont_ blinkiris_recognition_for_biometric_identification_1341 accessed 11. November 2009 (2004).
Fang, L./Leung, M./Shikhare,T./Chan, V./Choon, K., Palmprint Classification, The 2006 IEEE International Conference on Systems, Man, and Cybernetics (IEEE SMC2006) http://www3.ntu.edu.sg/SCE/labs/forse/PDF/palmprintClass.pdf accessed 12. September 2009 (2006).
Friel, B., Let The Recounts Begin. National Journal. http://www.nationaljournal.com/about/njweekly/stories/2006/
1103nj1.htm accessed 19. Dezember 2009 (2006).
Hof, S., E-Voting and Biometric Systems?, Electronic Voting in Europe – Technology, Law, Politics and Society (pp. 63-72), Austria (2004).
Khaw, P., Iris Recognition Technology for Improved Authentication. http://www.sans.org/reading_room/whitepapers/authentication/
iris _recognition_technology_for_improved_authentication_132 accessed 18. August 2009 (2002).
Leiss, E.L., Requirements for the Safe Transmission of Biometric Measurements for Authenticating Individuals, Conferencia Latinoamerica de Informatic, Santa Fe, Argentina (2008).
Leonidou, M., Iris Recognition: Closer Than We Think?. http://www.sans.org/reading_room/whitepapers/authentication/iris_
recognition _closer_than_we_think_143 accessed 11. November 2009 (2002).
Levitt, J., The Truth About Voter Fraud, Brennan Center for Justice, New York University School of Law. http://www.brennancenter.org/content/resource/truthaboutvoterfraud/ accessed. 5. Januar 2010 (2007).
Lipinski, B., Iris Recognition: Detecting the Iris. http://cnx.org/content/m12489/1.3/ accessed 13. November 2009 (2004).
Lipinski, B., Iris Recognition: Detecting the Pupil. http://cnx.org/content/m12487/1.4/ accessed 17. November 2009 (2004).
Maltoni, D./Maio, A./ Jain,K./Prabhakar, S., Handbook of fingerprint Recognition, Springer, New York (2003).
Access Control Systems, Microsoft informit.com. http://www.informit.com/guides/content.aspx?g=security&seqNum=149&rll=1 accessed 1. November 2010 (2005).
National Conference of State Legislatures, Voter Identification Requirements. http://www.ncsl.org/LegislaturesElections/ElectionsCampaigns
/State RequirementsforVoterID/tabid/16602/Default.aspx accessed. 5. November 2009 (2009).
Penny, W., Biometrics: A Double Edged Sword - Security and Privacy. http://www.sans.org/reading_room/whitepapers/authentication/bio
metrics_a_ double_edged_sword_security_and_privacy_137 accessed 10. November 2009 (2002).
Provisional Voting: Fail-Safe Voting or Trapdoor to Disenfranchisement? Advancement Project website. http://www.advancementproject.org/pdfs/Provisional-Ballot-Report-Final-9-16-08.pdf accessed 1. Oktober 2009 (2008).
Riha, Z./ Matyas, V., Biometric Authentication Systems, Tech. Repot FIMU-RS-2000-08, Faculty of Informatics, Masaryk University (2000).
Robichaux, P./Khabashesku, D., Iris Recognition Results and Conclusions. http://cnx.org/content/m12495/1.2/ accessed 11. Dezember 2009 (2004).
Russ, T.D. /Koch, M.W./ Little, C.Q., 3D Facial Recognition: A Quantitative Analysis, 38th Ann. IEEE Int'l Carnahan Conf. Security Technology, Albuquerque (2004).

Mohammed Awad, Ernst L. Leiss, University of Houston, 4800 Calhoun Rd., Houston, TX, 77004, USA, maawad@cs.uh.edu, coscel@cs.uh.edu