Next step in biometrics
New security projects need common standards for exchanging data
Northrop lab makes biometric cards smarter
- By Roseanne Gerin
- Dec 10, 2004
The U.S. Visit program launched at 115 airports and 14 seaports in January. In November, DHS began using biometric fingerprint scans and digital photographs at six entry points in three states.
U.S. Visit Program Office
Initial reports on the government's Registered Traveler program are promising.
"The feedback from the airlines and the traveling public was that it was a program that everyone was happy with and didn't want to see stop," said Larry Zmuda of Unisys Corp., regarding the pilot project that is using biometric identifiers to screen travelers and speed them through security checkpoints at five U.S. airports. Unisys is one of the prime contractors on the project.
But the project also faces a major hurdle if Transportation Security Administration officials decide to make it a national program and expand it to other airports. Currently, participants can use biometric kiosks only at the airports at which they registered. The next step for TSA is to adopt standards to make interoperable systems to allow rapid screening of Registered Traveler participants at all participating airports.
"Interoperability will be a big item, so a traveler entering one location can be transparent. ... Elsewhere around the world, similar programs are being explored," said Tom Grissen, chief executive officer of Daon Inc. of Herndon, Va., which supplies biometric identity management software for the program.
Registered Traveler is just one of a handful of the government's big biometrics projects that must adopt standards for interoperability. Government officials and contractors also are working to establish standards for the U.S. Visitor and Immigrant Status Indicator Technology (U.S. Visit) and Transportation Worker Identification Credential programs, two high-profile projects designed to improve security at the nation's borders and other sites.
Standards allow different biometric systems and devices to share information by establishing common formats, such as fingerprints, for representing and exchanging data. The National Institute of Standards and Technology for many years has been involved in setting biometric standards. The American National Standards Institute and the International Committee for Information Technology Standards also help create standards.
The Department of Homeland Security already has begun setting standards for facial recognition biometrics. In October, the department adopted its first biometric facial recognition standard that is consistent with international standards for applications that use biometrics, such as travel documents. The International Committee for Information Technology Standards, a standards development organization accredited by the American National Standards Institute, created the standard, which DHS will use as technical criteria in designing cameras and software for facial recognition.
"The adaptation of facial recognition standards is a first step in standardizing all types of biometrics, which is essential for the success of Homeland Security programs," said Undersecretary for Border and Transportation Security Asa Hutchinson in a department press release.
Growing government dependence on biometric solutions is fueling significant industry growth. Government spending on biometric technologies is expected to grow from $432 million in 2004 to nearly $1.8 billion in 2008, according to the International Biometric Group, a biometrics industry consulting firm in New York.
The government sector accounts for more than one-third of all biometric spending, which will grow from $1.2 billion this year to more than $4.6 billion in 2008, according to IBG, which measures only biometric hardware and software sales and not revenue from related professional and integration services.
But widespread adoption of biometric solutions depends on the creation and acceptance of biometric standards, to ensure that interoperable systems can identify users at all participating locations. A key challenge will be designing systems that protect privacy and alleviate fears of government abuse. Ultimately, it will have to be done on a worldwide basis to allow the free movement of goods and people.
"We must develop a set of international standards for capturing, analyzing, storing, reading and protecting biometric data to ensure maximum interoperability between systems and maximum privacy for individuals," said DHS Secretary Tom Ridge in remarks at the Asia-Pacific Homeland Security Summit Nov. 15. "The sooner the world community can embrace an international standard for biometrics, the quicker we'll be able to secure our borders."
SECURING AIRPORT TRAVELERS
The Registered Traveler program, which launched in the summer, records and stores passengers' biographical data along with a biometric fingerprint, iris scans or both. Unisys and EDS Corp. are the prime contractors leading the efforts at Minneapolis-St. Paul International Airport, George Bush/Houston Intercontinental Airport, Los Angeles International Airport, Boston Logan International Airport and Ronald Reagan Washington National Airport.
TSA extended the program through January 2005 to continue to study the program's feasibility and to collect more data before determining whether to introduce the program at other national airports and which biometric identifiers to use, said Darrin Kayser, a TSA spokesman.
TSA and companies involved in Registered Traveler have just started discussing standards and a common architecture for the program to let travelers use the program at all participating airports, Kayser and Grissen said.
Zmuda of Unisys said making Registered Traveler interoperable shouldn't be difficult.
"The thing that needs to happen is to establish one set of standards and rules, which TSA is looking to do, to make the playing field and all the players look alike," he said. "It's the next logical step to further the effort."
SECURING U.S. BORDERS
DHS' U.S. Visit program is another government biometrics project trying to make headway with standards. The program to track foreign visitors traveling on a visa requires most visitors to have two fingers scanned by an inkless device, and a digital photograph taken by immigration officials upon entry to the United States. The scans are then checked against law enforcement databases and other watchlists.
On Jan. 5, U.S. Visit entry procedures started operating at 115 airports and 14 seaports, and DHS began pilot testing biometric exit procedures at one airport and one seaport. In mid-November, DHS started using biometric fingerprint scans and digital photographs at six land entry points in three states. The border security system is scheduled to be implemented by the end of 2004 at the nation's 50 busiest land entry sites.
DHS is not hampered by the lack of national biometric standards, said Kimberly Weissman, a department spokesperson. Of the 13 million visitors that have passed through U.S. Visit, the program has helped law enforcement officials identify and capture more than 330 criminals or individuals with immigration violations, she said.
Weissman also noted that the 9/11 Commission report cited U.S. Visit as the foundation upon which all border screening programs should be consolidated to allow for a fully integrated screening system.
Many foreign countries must also create machine-readable biometric passports that are acceptable for the U.S. Visit program, adding another twist to the interoperability issue. Congress is requiring citizens of 27 countries whose citizens can enter the United States without a visa to obtain passports with a biometric identifier, such as a digital fingerprint, by Oct. 26, 2005.
Most of these countries are in the European Union, but E.U. members will not be ready to issue biometric passports until the end of 2005, E.U. Justice and Home Affairs Commissioner Antonio Vitorino said at a joint news conference with U.S. Attorney General John Ashcroft Oct. 1 at The Hague.
But DHS is addressing the issue by adopting biometrics standards set by the International Organization for Standardization, which will ensure interoperability for data exchange when required and make it lawful to exchange biometrics data, Weissman said.
DHS also is active in developing the Enhanced Information Travel Security initiative that will enable various national and international systems to swap real-time data without the need for centralized storage, she said.
"However, we are not designing our databases for direct exchange of biometric data with other nations," Weissman said. "We are very aware and cognizant of the privacy rights associated with the biometric data and associated information."
The program to create a Transportation Worker Identification Credential, also known as the TWIC card, is grappling with standardization issues.
BearingPoint Inc. and its team of subcontractors are developing a prototype common access credential for transportation workers who need physical or logical access to secure areas. The McLean, Va., contractor won the $12 million contract in August.
TSA kicked off its pilot project in November and is testing it in Los Angeles, Philadelphia and Florida. The test phase will last seven months and eventually include up to 200,000 workers from the transportation sector in 34 additional locations in six states.
The program is being implemented in partnership with Florida, which passed legislation to adopt TWIC cards for its state transportation workers. The state's formal partnership with TSA defined requirements for background checks and state-of-the-art identification credentials for truck drivers, dockworkers and others who require unescorted access to secure areas within transportation facilities.
TWIC eliminates the need for workers to have numerous cards and pass through redundant background checks to enter secure areas at multiple facilities.
TWIC is following ANSI standards that are interoperable across vendors, said Conor White, chief technology officer at Daon.
It's still unclear whether other states and parties, such as airports or seaports, will align their worker credential systems with TWIC and adopt the same biometric standards.
The states and other ports likely would have to replace some of their legacy ID-verification systems that provide access control or tracking to adopt TWIC standards. So far, only Florida has taken the lead in this area.
"[They] must provide a secure credential but allow those legacy systems to be replaced," said Mark Heilman, executive vice president of business development at Anteon International Corp., a subcontractor on the TWIC contract. The company is completing site surveys, installation and training for all the systems to be deployed.
TSA said TWIC will be interoperable with any state systems because the program uses multiple technologies.
"The credential at each facility is identical and includes multiple data storage, so that it can be used with various legacy systems," Kayser said.
He added that both Georgia and the New York/New Jersey Port Authority have expressed interest in making their systems compatible and interoperable with TWIC. TSA and DHS also have monthly homeland security liaison calls with state representatives to share information, he said.
"Many states and ports are looking to stay current on what's happening with the TWIC program," said Daon's Grissen. "The intention from a technology perspective is to be very flexible, so different ports could adopt the technology and not have any interoperability issues."
Staff Writer Roseanne Gerin can be reached at firstname.lastname@example.org.
John Raiello (left) and Erik Bowman are part of a Northrop Grumman Corp. laboratory exploring smart cards and the infrastructure around them, such as standardizing the data on ID-card chips (below) that can store background data.
When the new standards for federal identification cards are made final next year, the resulting cards will not be that much different from those many federal workers use today.
However, the infrastructure around cards -- the turnstiles, door locks, computer keyboards and more -- likely will become more entwined with smart cards over the coming years, according to identification and authentication experts at Northrop Grumman Corp.
In a Reston, Va., office, Northrop Grumman has set up a lab filled with the latest technology related to smart cards and identification: iris scanners, face recognition systems and smart-card encoding machines.
The requirement for new ID cards comes from the Homeland Security Presidential Directive 12, issued last summer. The directive is more about standardization and interoperability than new technology, said Erik Bowman, a systems engineer with Northrop Grumman.
"What it is mandating is that you capture and store the data in a standard way, so that you can use it across agencies so you have interoperability," Bowman said.
The directive also sets some cosmetic requirements for cards, such as photo location and where and what kind of information can be printed on them. Background-check data such as fingerprints can be stored on smart-card chips, for example. Electronic fingerprint machines will capture minute details and give instant feedback, determining whether the print quality is sufficient to search databases.
Besides using them for background checks, the prints can be used to control access to a building or computer desktop.
"The prints can also be used to make sure the person you took fingerprints of is the same person you're going to issue the credentials to," Bowman said.
Turnstiles to enter a building can be set to require the swipe of a card, a PIN number, fingerprint verification or some combination of the three, said John Raiello, a Northrop Grumman engineer.
In a security situation, the access requirements for a building could be increased from just a card swipe to a swipe and fingerprint verification, he said.
A similar method could be used for accessing computer desktops. Keyboards equipped with a card reader and a fingerprint device could be integrated with the new smart cards.
"You can store the credentials on the card's chip rather than on the computer where they are more vulnerable," Bowman said.
The ability to digitally sign an e-mail or open an encrypted e-mail can also be included in the smart cards.
Staff Writer Doug Beizer can be reached at email@example.com.