Great expectations: Biometrics

"1995 is the Year of Biometrics."That's what John Woodward, then a senior policy analyst at Rand Corp., wrote in a book he authored eight years ago. For several years thereafter, as he updated the text, Woodward would repeat the phrase, firmly believing that the current year would finally see biometrics take off. Woodward, who takes over Oct. 1 as director of the Defense Department's Biometrics Management Office, tells this story about himself to acknowledge that biometrics' payoff has yet to match its promise. Government interest in using biometric technologies to improve security rose dramatically following the Sept. 11, 2001, terrorist attacks, but many obstacles and problems have prevented the widespread deployment of biometrics that was originally envisioned. Some technologies, such as facial recognition solutions, are still immature, and many photographic collections, such as police mug shots, have not been converted for use with new systems. Digital fingerprinting is much more mature, but agencies have not taken full advantage of this technology, because databases have been developed primarily for law enforcement, not authentication. Using biometrics requires agencies to rethink security procedures and, in many cases, adapt their IT infrastructures to the new technologies. And proponents of biometrics are finding strong resistance to the new technologies from both citizens and government users.[IMGCAP(2)]"John and many others have, for many years, predicted that [biometrics] is about to take off," said Dennis Carlton, director of Washington operations for the International Biometric Group, a consulting and research firm in New York. "It is a curiosity that technologies that really are quite capable ... have not yet slipped into the mainstream of commerce, in either government or private applications."Not surprisingly, the current market for biometrics technologies is not huge. Allied Business Intelligence Inc. of Oyster Bay, N.Y., last December estimated that the industry would generate only about $153 million in 2003. But the research firm forecast annual growth through 2007 at about 47 percent. And while biometrics may be only a small part of the total government IT market, it plays a disproportionately important role in major infrastructure projects aimed at overhauling U.S. border controls, changing visa and passport systems and credentialing transportation industry workers.Still, Carlton questions whether emerging biometric solutions can sustain a new industry and market, given the unmet expectations over the years. "Now, I'm a lot more skeptical," he said. "Show me it's moved from the hands of the R&D people to the production people." THE HOLLYWOOD CURSEBiometrics is the science of identifying, recording and matching unique physical characteristics to individuals. There are five basic technologies: facial recognition, fingerprint, hand geometry, iris recognition and voice recognition. There also are many different vendors, and each has its own technological variations.Biometrics offer the promise of improved security for both physical access and what the industry calls logical access, or entry into computer networks and applications. "The space we're in fundamentally is not a shrink-wrapped space," said John Dorr, vice president of marketing for Viisage Technology Inc., a Littleton, Mass. company that provides facial recognition technology for identity verification. "We don't just build technology, ship it in a box and tell the customer to just add water and stir."By combining a biometric such as an iris scan, to verify a person's identity with other security measures, such as an access card or a password, it becomes much more difficult for unauthorized people to gain entry to airport runways, for instance, or to break into computers. For state governments, it can make it much easier to identify people trying to set up multiple identities, whether their motive is fraud or terrorism. Federal agencies have begun small-scale projects that incorporate biometrics for security purposes. The Office of Legislative Counsel in the House of Representatives uses an iris recognition system to protect confidential files and working documents, while the Pentagon's athletic club uses a facial recognition system to control access.The General Accounting Office reported to Congress that the State Department has been running pilot programs using facial recognition systems at 23 overseas consular posts for several years. But agencies do not have any large-scale programs in place.In many of the large applications the government is considering, such as the proposed U.S. Visitor and Immigration Status Indication Technology system to monitor the entry and exit of foreign nationals at the country's borders, biometrics is a key technology but only one part of a complete overhaul of the infrastructure and procedures for border control, Dorr said.US Visit is valued at anywhere between $1.5 billion and $10 billion, depending on the scope and duration of the project. The Homeland Security Department is expected to release the request for proposal in November.Another major biometrics initiative on the horizon is Homeland Security's Transportation Worker Identification Credential program. Under TWIC, the Transportation Security Administration is planning to create a smart card that incorporates a biometric feature and will be issued to as many as 15 million workers in the transportation industry nationwide from airports to seaports to railways. Because many, if not most, of these workers are employed in the private sector, questions remain regarding who will bear the cost of implementing the new technology and how to enroll people, track their employment and then remove or change their records when they change jobs. Another problem to resolve is how to ensure the compatibility of the hardware and software that will be purchased by many different buyers.[IMGCAP(3)]Mike Brooks, director of the General Services Administration's Center for Smart Card Solutions, said his office is putting together a team to evaluate biometrics technologies to be incorporated into smart cards, eventually being able to program and reprogram cards to allow changes in user access to facilities, computers and applications."We're looking at biometrics as a secondary level of authentication and security," Brooks said. "We want to be able to have those capabilities, be able to turn it off and on when we go to levels of higher security."But just as US Visit and TWIC are being readied for systems integrators, at least one biometrics technology has stumbled in public perception. High-visibility pilot projects, one in Tampa, Fla., the other at Boston Logan International Airport, were halted in large part because the facial recognition technology being tested did not accomplish what the project's designers had hoped.At Logan, where 10 of the Sept. 11 terrorists boarded flights that were hijacked, facial recognition systems had a failure rate of 38.6 percent. According to press reports, the systems didn't detect volunteers playing potential terrorists. In Tampa, the police department spent two years testing a facial recognition system. During that time, no arrests were made based on the system, and all the facial matches made were false positives -- that is, incorrect. Both programs received widespread media attention.One industry expert cited the Tampa experiment as an example of the need for better integration of the component parts. That trial failed, he said, because the cameras didn't match the facial recognition technology.Another problem is what many experts call "the Hollywood mystique." In television shows and movies, special effects make biometrics appear efficient and effortless, creating a perception that the technology is speedy, 100 percent accurate and comprehensive.For instance, on the CBS show "CSI: Crime Scene Investigation," a crime lab receives the results of DNA test results in hours. The reality is more like weeks, experts said. Similarly on the show, fingerprints get matched automatically, seemingly within minutes, without human involvement. In reality, the FBI tries to honor law enforcement requests for fingerprint searches within two hours (24 hours for a civilian background check), and the results have to be evaluated by a trained technician.[IMGCAP(4)]"People think that ["CSI"] is a baseline for how forensic science works, and it's not like that," said Viisage's Dorr."The biometrics industry has suffered most from the hype over capabilities over the years, and Hollywood has made it worse," said Gordon Hannah, senior manager of the security access and identity management team at BearingPoint Inc. "We see those [unrealistic expectations] not just in this country, but around the world."BIOMETRIC HURDLESA key House panel on technology met earlier this month to examine why smart cards have not been widely adopted throughout the government, including the incorporation of biometrics for security and convenience."The University of Florida gave smart cards to 50,000 students 10 years ago that they could use as room keys, lab keys or to charge pizza and books at stores around town," said Rep. Adam Putnam, R-Fla., chairman of the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census, at the Sept. 9 hearing. "Why can't the federal government do what Florida universities have been doing for years?"Several witnesses noted the widely differing priorities among all the federal agencies, which make it extremely difficult to set up a single departmentwide structure. An equally important though more subtle challenge is resistance among federal employees to using biometrics. "Some people find biometric technologies difficult, if not impossible to use," said Keith Rhodes, GAO's chief technologist. "Others resist biometrics because they believe them to be intrusive, inherently offensive or just uncomfortable to use."Ken Scheflen, director of the Defense Manpower Data Center, said security personnel have grown accustomed to using physical documents, things they can read, hold and compare to the person presenting them. "We have to move people away from the idea that [visual] inspection of documents is sufficient," he said.GAO officials also said agencies face a potentially high price tag for security systems using biometric technologies. In a November 2002 report on the prospective use of biometrics for border security, for instance, GAO estimated that implementing visas that incorporate biometrics would have an upfront cost of anywhere from $1.3 billion to $2.9 billion, with annual operating costs of from $700 million to $1.5 billion thereafter.Lack of standardization also has hindered adoption of biometric technologies, experts said. The biometrics industry is highly fragmented, with hundreds of vendors. Competing vendors for biometrics systems, such as fingerprint technologies, use different algorithms to map points on the prints and set up unique databases to handle storage and retrieval. Federal agencies need technological standardization among competing suppliers so they can communicate and share information with other agencies. The National Institute for Standards and Technology is working with other government agencies and industry to devise standards that will ensure interoperability. NIST already has released two drafts, the most recent one this summer. But agencies that purchased technology that met the first draft now are left wondering whether the new draft standard is backward-compatible with their equipment.The Defense Department's Common Access Card program, which ultimately will issue smart cards to more than 4.4 million users, does not yet include a biometric identifier such as a fingerprint template, in part because the standards are not yet finalized, and because it would require more investment in issuer and reader equipment.In his new Pentagon job, Woodward will direct the group charged with helping private industry and NIST establish standards to allow interoperability and integrate biometric technologies into the military's Common Access Card program. Woodward said the NIST effort to devise industry standards complements his office's responsibility for trying to unify and standardize biometrics throughout the Pentagon. As part of that mission, the BMO will be one of the first organizations at the Pentagon to implement a new, streamlined acquisition process that is intended to stress interoperability and joint functionality between defense organizations. WORTH THE TROUBLEDespite the uncertainties facing the biometrics industry, the success stories demonstrate why the industry is full of true believers and evangelists.Viisage, for instance, has installed its facial recognition technology in the Pinellas County, Fla., sheriff's office. When a suspect is brought in to be booked and photographed, the technology can screen to see if the person is using an assumed name and is actually someone else who's been in the system before."You can use facial recognition to identify that it's really not John Doe, it's Fred Smith, and he's got three outstanding warrants," Dorr said. "You're going to handle the situation completely differently."Visitors to the Pinellas County jail also are screened and matched to the database. The facial recognition system has identified two or three visitors who had outstanding arrest warrants, Dorr said. As a result, there has been a 17 percent drop in visitors"When you've got bad guys in a building, everybody visiting isn't going to be goody two shoes," Dorr said. "This is kind of a deterrent."Facial recognition technology also is being used extensively in state motor vehicle licensing systems to combat false issuance and duplication of licenses. The state of Illinois, for example, has collected 15 million images since 1999. Not that long ago, the system identified someone who had created 13 different identities."The facial recognition element is what enabled them to figure that out. That's solving a real problem," Dorr said. Staff Writer Patience Wait can be reached at pwait@postnewsweektech.com.XXXSPLITXXX-Viisage Inc., maker of facial recognition technology, considers the Pinellas County, Fla., Sheriff's Office one of its particularly significant clients."They're essentially using biometrics right at the beginning of the booking process," said John Dorr, vice president of marketing for the company.And the sheriff's office is pleased with the company's technology, despite the negative national press garnered by biometrics pilot programs at some airports around the country."It's all about setting reasonable expectations," said Lt. Jim Main. "The technology works because it's ... how we're using it that makes it work."The county is using Viisage facial recognition systems in three different installations: the St. Petersburg-Clearwater International Airport, the jail in the county courthouse and the jail's visitor center.At the airport, images are taken of every ticketed passenger. They are then compared to a small database of about 5,000 images, made up of the region's priority wanted felons and the most-wanted lists of the FBI and the Royal Canadian Mounted Police.At the jail, cameras at the doors capture images of people brought in by deputies. In pre-booking, those images are compared against a database of some 500,000 pictures. "People coming in are uncooperative with the arresting officer, there are people who give erroneous names, [or] a person is so drunk, he can't tell us his name," Main said. The facial recognition system will search for matches, determining whether the person has been arrested before, and link all applicable records together."We're furthest along" in using facial recognition, Main said. "We have had quite a bit of interest outside the state [from] some other law enforcement agencies, and they've written RFPs for similar setups.XXXSPLITXXX-These days, biometric devices are ubiquitous. They can be found on notebooks, mice, keyboards, handhelds, even universal serial bus hard drives and phones. Once the white elephant in most offices, biometric devices are commonly deployed for many uses, particularly in areas with stringent security standards.But does biometrics on a device make it impregnable from a hacker or impervious to theft? And do we really need this level of security on everything? No and no. Most standalone types of biometrics are no safer than well-encrypted, random generated passwords and are still commonly subject to a lot of technical problems, most notably user error. Even though biometric vendors in the past boasted about being the only line of defense an agency needs, they now know better. These devices are most effective playing the role of a cog in a security policy and not the security policy itself. Any good security policy means using multiple forms of security to create redundancy and make it harder on an intruder. Therefore, it's important that a network maintain the password and implement biometrics as an added measure of security.Security administrators need to choose the right biometric product based upon the level of security needed, number and type of users, and budget.If you need the highest level of security possible, currently the best way to protect data is by using iris authentication software by Iridian Technologies Inc. of Moorestown, N.J. It'll take a bit to enroll your users and get them used to the authentication process, but the fact is you can't physically match an iris because each one in the world is unique. This forces an intruder to attack the system through the middleware or move on to another way in.If your network consists of multiple users in a busy environment, facial biometrics can be effective, particularly if you're using the latest software, such as holographic quantum nurotechnology from AcSys Biometrics Corp. of Burlington, Ontario. The AcSys system creates a virtual, three-dimensional composite of your head and compares you to roughly 20,000 images in a database, learning what makes your face similar yet distinct from every image. Therefore, the computer in a way learns what you look like instead of measuring your features like many other facial biometric vendors.The problem with AcSys is that it's expensive and sensitive to lighting, but very effective in crowded or busy areas, especially if combine with a keycard and combination or password. Offices with a security policy in place can also use a fingerprint authentication device. Because it's the most common biometric device available, the problem comes in choosing the type of fingerprint biometric. If you need this type of security for only a few users in a small environment and funding is tight, single units by companies that have survived in the industry for a length of time, such as Digital Person Inc., work well. However, for larger offices and multiple workers, the most cost-effective measure is to use biometric smart-card technology in conjunction with readers.Biometric smart cards are effective because the information is on the card, which is only retrievable through a reader and users' fingerprints. If the card gets stolen or lost, the administrator can simply edit the security policy accordingly so that that card cannot gain access to the network.Likewise, this method allows a user to logon to any machine with the card as long as the administrator grants the user access to the machine.Although there are several ways to enforce security on a network using biometrics, it is useless unless policies are well established and organized, including redundancy.The problem with biometrics on smaller devices, such as PDAs, key-chain devices or cell phones, is that the technology isn't mature enough to cover them under such policies, often rendering them useless. And if a thief steals a PDA, even if the thief could not break into the biometric feature, he still could gain access to the data through a password algorithm. Or if the person didn't care about the data on the device but just wanted a functional $600 PDA, he can get a pencil and hit the manual reboot button, which returns everything back to the default settings, eliminating the data on the device but also turning off the biometric feature.Biometric products are still better left on the network and supervised by administrators holding all the keys and passwords for supplementary protection or as a backup.Carlos Soto is an associate editor of Government Computer News and is a technology reviewer with an expertise in security, storage, wireless devices and digital cameras. He can be reached at csoto@postnewsweektech.com.