Proving our identities is difficult, but a company called Thinsia has come up with a novel biometric: your heartbeat. They also have a little story about “Adrian” that illustrates how it will all work. Now let’s take that story a little further…
Adrian Goes Home
Adrian leaves his desk, and is automatically logged off his computer. In the carpark, his Heartbeat-ID again unlocks the car door automatically. On the way home, he feels unwell: he's having a mild heart attack. He pulls over, stops the car and calls an ambulance. While he's waiting, he tries to open the window... it doesn't work. It's feeling stuffy, and the door won't open either; he's trapped and feels panicky. The extra stress brings on a second, larger heart attack and he dies while the ambulance crew are waiting for firemen with cutting equipment. The body remains unidentified, because Adrian was using his heartbeat as his only form of ID.
OK, a bit melodramatic, but is Heartbeat-ID a good identity system? The PDF linked from the Thinsia site (http://www.pa.icar.cnr.it/IDAschool/lectures/chaos_realworld1.pdf) has this line:
"This observed pattern can be modified if pathological heart conditions take place."
So, heart disease changes your heartbeat (sounds kind of obvious). Everyone's heartbeat might be unique, but does it have constant elements that can be used for identification? What about other changes to heartbeat - like during exercise? It could be kind of awkward to discover you can't open your car door until you've relaxed for five minutes after running from muggers.
Before deciding that Heartbeat-ID is the perfect biometric, let's have some traditional measures of reliability: false positives, and false negatives. What is the protection against replay attacks (record someone's heartbeat, replay it to the Heartbeat-ID watch)? Are there vulnerabilities in the implementation: e.g. could someone build a Heartbeat-ID watch that can produce a fake, variable signal (keep varying the signal until the lock opens - just like password guessing)?
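To make those measures concrete, here is an added example (not from Thinsia or the original post) that computes false-positive and false-negative rates for a hypothetical heartbeat matcher and relates the false-positive rate to how many guesses a lock can tolerate before it must lock out. All scores are constructed for illustration, and the matcher, thresholds and function names are assumptions.

```python
import math

# Constructed similarity scores (0..1) from a hypothetical heartbeat matcher.
GENUINE_RESTING = [0.91, 0.88, 0.93, 0.86, 0.90, 0.89, 0.92, 0.87]
GENUINE_AFTER_EXERCISE = [0.74, 0.69, 0.81, 0.66, 0.78, 0.71, 0.83, 0.64]
IMPOSTOR = [0.32, 0.41, 0.55, 0.28, 0.62, 0.47, 0.71, 0.36, 0.50, 0.44]


def false_negative_rate(genuine_scores, threshold):
    """Fraction of the real owner's samples rejected (score below threshold)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def false_positive_rate(impostor_scores, threshold):
    """Fraction of other people's samples accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def guess_success(fpr, attempts):
    """Chance that at least one of `attempts` independent wrong signals is accepted."""
    return 1 - (1 - fpr) ** attempts


def max_attempts_before_lockout(fpr, max_risk):
    """Largest attempt count that keeps guess_success(fpr, n) <= max_risk."""
    if fpr <= 0:
        return math.inf          # matcher never accepts a wrong signal
    if fpr >= 1:
        return 0                 # matcher accepts everything
    return math.floor(math.log(1 - max_risk) / math.log(1 - fpr))


def report(thresholds=(0.85, 0.70, 0.60)):
    """Return (threshold, FNR resting, FNR after exercise, FPR) per threshold."""
    return [
        (t,
         false_negative_rate(GENUINE_RESTING, t),
         false_negative_rate(GENUINE_AFTER_EXERCISE, t),
         false_positive_rate(IMPOSTOR, t))
        for t in thresholds
    ]


if __name__ == "__main__":
    for t, fnr_rest, fnr_ex, fpr in report():
        print(f"threshold={t:.2f} FNR(rest)={fnr_rest:.3f} "
              f"FNR(exercise)={fnr_ex:.3f} FPR={fpr:.3f}")
    print("guess success, FPR=0.1, 10 tries:", round(guess_success(0.1, 10), 4))
    print("tries allowed, FPR=0.001, 5% risk:", max_attempts_before_lockout(0.001, 0.05))
```

With these constructed scores, a threshold strict enough to reject every impostor also rejects the owner every time after exercise, and loosening it to fix that lets impostors in, which is why the attempt limit matters.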
There are questions about Adrian's seamless experience too... Is it really practical, e.g. how do you ask a friend to open the door for you when your hands are full? Is this the new Big Brother – total monitoring of people's every move and action? If extremists got access to the central database, they could target people by beliefs or affiliations extremely efficiently!
Any claim that a new authentication or identification method will solve all our problems is likely to be bogus. Different applications require different characteristics: you want to know that the person accessing your database is alive, but dental records are far more useful in grimmer circumstances.