Archive for April, 2009
Forensic science methods and systems seriously flawed
There is a new report out of the National Academies in the US on forensic science methods, including identification technologies based on fingerprints, DNA, etc.
The report suggests, not for the first time, that many of the methods used in forensic science have never undergone rigorous scientific testing, and that standards for methodology and accuracy are lacking.
Due to the heavy use of forensic identification in the legal system, there seems to be a serious reluctance to do any kind of research on the accuracy of the methods and results. We should be doing the opposite and making sure that these methods are thoroughly questioned and tested. This report calls for a new National Institute for Forensic Science to do that testing.
A congressionally mandated report from the National Research Council finds serious deficiencies in the nation’s forensic science system and calls for major reforms and new research. Rigorous and mandatory certification programs for forensic scientists are currently lacking, the report says, as are strong standards and protocols for analyzing and reporting on evidence. And there is a dearth of peer-reviewed, published studies establishing the scientific bases and reliability of many forensic methods. Moreover, many forensic science labs are underfunded, understaffed, and have no effective oversight.
Forensic evidence is often offered in criminal prosecutions and civil litigation to support conclusions about individualization — in other words, to “match” a piece of evidence to a particular person, weapon, or other source. But with the exception of nuclear DNA analysis, the report says, no forensic method has been rigorously shown able to consistently, and with a high degree of certainty, demonstrate a connection between evidence and a specific individual or source. Non-DNA forensic disciplines have important roles, but many need substantial research to validate basic premises and techniques, assess limitations, and discern the sources and magnitude of error, said the committee that wrote the report. Even methods that are too imprecise to identify a specific individual can provide valuable information and help narrow the range of possible suspects or sources.

Posted: April 2nd, 2009 under Security & privacy.
Two-factor authentication using an iPhone: Killer security app?
One way to replace or strengthen traditional passwords is to add a hardware token: a device the user must prove they possess. RSA has done this for years with its SecurID product, but people with multiple accounts have to carry multiple SecurID tokens. Now VeriSign has come out with an iPhone application that does the same thing, and already supports three different account types. Is this the solution to adding “something you have” to the authentication process, without requiring that people “have” too many things? Will the application be secure, or just another attack vector for the bad guys?
What’s the Password? Only Your iPhone Knows
As of Tuesday, you can now download an iPhone application that will generate a password for your AOL, eBay and PayPal accounts. It’s optional and free to consumers, but if you sign up, no one can get in your account without your user ID, your password and the six-digit number generated by your phone.

Posted: April 2nd, 2009 under Security & privacy.