Facing facts

Biometrics, seen as a future cornerstone of security, proves more difficult than feds anticipated

A facial-recognition system tested at a Palm Beach, Fla., airport last spring failed to match airport employees with their digital photos 53 percent of the time. Legislation to require the states to adopt standardized driver's licenses with biometric identifiers has stalled. As of now, there are no biometric "trusted traveler" cards to whisk registered travelers through airports.

The Defense Department is issuing 4 million new smart identification cards — all without digital fingerprints, iris scans or other biometric identifiers. The State Department's new high-tech ID cards being distributed this month also lack biometrics.

Biometric identification technology seemed like a sure and swift solution to homeland security problems in the aftermath of last year's Sept. 11 terrorist attacks, but today it seems less sure and a lot less immediate.

"After Sept. 11, people were desperately searching for a solution to terrorism and they fixed on biometrics," said John Woodward Jr., a policy analyst at the think tank Rand Corp. and a member of its biometrics team. But since then, it has become evident that the path to usable biometrics is blocked by a dense tangle of operational, technical and political challenges, he said.

Tests have revealed that some biometric technologies, such as facial recognition, are not as accurate as hoped — and that accuracy itself is not so simple a concept. Choosing among different versions of the same technology, such as biometric smart cards with the user's fingerprint template on the card or in a central database, has proven complicated. And scaling biometric projects from the laboratory to government deployment is daunting.

"There was a lot of hype about biometrics," Woodward said. During the past year, it has become clearer that "it's emerging technology, but it's not fully emerged."

For Bruce Mehlman, whose job at the Commerce Department is to promote greater use of technology, the absence of biometric identification systems is striking.

Last winter it seemed that "biometrics' time had arrived," said Mehlman, Commerce's assistant secretary for technology policy.

"Experts anticipated rapid deployment and usage of biometrics-based security solutions by businesses and governments," he told a gathering of scientists and vendors during a government-sponsored biometrics conference Sept. 23.

But today, "we see few biometrics devices at high-security locations. Few companies have overhauled their security systems to incorporate biometrics. There's not a fingerprint pad on every computer keyboard or a retina scanner at every ATM, nor have there been major advances in the reliability or effectiveness of new biometrics technologies," he said.

Whether that picture will change remains "to be determined," Mehlman said in an interview. "Systems have to work, they have to be scalable, they've got to be easy to use, they've got to be reliable." And so far, the jury is still out on all that.

A variety of "bio-trials" are under way at Commerce's National Institute of Standards and Technology, the Defense and Justice departments and other federal agencies to see just how well various biometric technologies work.

DOD, for example, is "evaluating various alternatives" for biometric identifiers that it may add to its smart card IDs "sometime in the next year," said Lt. Col. James Cassella, an Army spokesman.

Even Congress, which has passed several laws requiring the use of biometric IDs, has adopted a more cautious approach. This summer, lawmakers halted spending on a Transportation Security Administration program to issue biometric ID cards to airport and airline employees until the agency develops a system that won't impede the movement of employees or divert security screeners' attention away from screening passengers.

"There's lots of good promise," but so far, not much else, Mehlman said.

Delays in the deployment of biometric systems by the federal government aren't that surprising, said Frances Zelazny, director of corporate communications at Identix Inc., which makes fingerprint and facial-recognition technology. "On the federal level, the applications are massive critical infrastructure projects that don't materialize overnight."

Scaling Up

Size alone vastly complicates government biometric projects.

Attorney General John Ashcroft wants Justice to build an electronic entry/exit system to keep track of virtually all foreign visitors to the United States. That's about 35 million people each year.

Last month, Ashcroft launched a miniature version of the system that is designed to photograph and fingerprint 100,000 foreign visitors a year as they arrive in the United States.

Beefing that system up to process 35 million visitors will not be easy or cheap, Woodward said. In addition to a complex new computer infrastructure, such a system will incur substantial additional costs, such as a large number of employees to process applications and operate equipment, and even more waiting rooms for visa applicants during what will be a longer application process.

And there is bound to be diplomatic fallout. The fingerprinting requirement is sure to prompt protests from countries that do not require fingerprints from traveling Americans, Woodward said.

The scale of systems poses an equally tough problem for TSA. The huge number of people streaming through major airports means that even a small false match rate by biometric ID systems would result in hundreds or thousands of passengers being wrongly singled out as suspected terrorists or not being recognized as trusted travelers, said biometrics consultant Peter Higgins.

At an airport like New Jersey's Newark Liberty International Airport, which handles 5,000 travelers per hour, trusted traveler ID systems might fail to properly identify as many as 3,500 passengers in a 14-hour period, said Higgins, who is a former chief of the FBI's Integrated Automated Fingerprint Identification System, a system for electronically searching fingerprints.

The error rate for facial-recognition systems is even worse. One analysis concludes that a system scanning 300 passengers about to board a jumbo jet is likely to identify seven as possible matches to photos of terrorists, Higgins said.

It is easy to see that such systems would be extraordinarily disruptive with so many "people being asked to step aside to prove they're not someone on a watch list," he said.

The performance of facial-recognition systems and other biometric systems depends heavily on the conditions in which they are used. When used to control access to buildings, for example, facial-recognition systems compare faces in their databases with the faces of people seeking admission to buildings.

In such a case, conditions such as lighting, position of the face and quality of the photos in the database can be carefully controlled and the systems work well. In public settings, such as airports or streets, conditions such as lighting are variable, the quality of photographs of criminals and terrorists may be inferior, and thus system performance degenerates.

Because of their high error rate in adverse conditions, facial-recognition systems are doomed to the same fate as car alarms, predicts Jeff Johnson of Computer Professionals for Social Responsibility. Because car alarms can be set off by a passing bus, a gust of wind or some other benign stimulus, they have come to be widely ignored.

When facial-recognition systems begin producing too many false matches, they will simply be adjusted to produce fewer matches, which means they will also produce more false negatives.

Facial-recognition systems make two kinds of mistakes, Johnson explained. They accuse people who aren't terrorists of being terrorists — false positives — or they fail to recognize people who really are terrorists — false negatives. "You can't lower both error rates simultaneously."

Solutions and Problems

Identix had to confront that problem while testing facial-recognition systems at the Palm Beach International Airport, Zelazny said.

One goal of the company's test was to minimize the number of false positives in a busy airport setting, she said. The facial-recognition equipment was calibrated so the number of false positives was almost zero. But that pushed the false negative rate up so that 53 percent of the time, the system did not match employees with their photos in the system database.

Identix conducted a similar test in Dallas, during which the facial-recognition equipment recognized subjects correctly 94 percent of the time, Zelazny said. However, achieving greater accuracy in recognition pushed the false positive rate to about 4 percent, which is too high for a busy airport. At airports such as Tampa International Airport, Fla., or Portland International Jetport, Ore., which handle about a million passengers a month, that false positive rate would mean that 40,000 passengers would falsely match terrorists' photos.

One way to cope with the false positive and false negative rates is to increase the sensitivity of facial-recognition systems during periods of high threat and lower it when the threat is less imminent, Zelazny said.

Another solution to the accuracy problem is to just wait a while, advises Christopher Baum, vice president and research area director of Gartner Inc.'s public sector. "The technology will get better," he said.

Besides, he said, when biometric ID systems make mistakes, "they're not going to shoot people, they're just going to ask them some additional questions." As long as acceptable protocols are followed, the traveling public should suffer little more than mild inconvenience from less-than-perfect biometric systems, he said.

Inconvenience is a minor concern for Johnson. What really worries him is that biometric technology set up to detect terrorists can easily be adapted to other uses, including keeping an eye on the everyday activities of ordinary people.

Facial-recognition systems, for example, can be and have been used for surveillance. Fingerprint, hand geometry, iris scans and other biometric systems can be used to create a detailed electronic trail of travel, purchases and other transactions. Much of that information is already collected when purchases are made with credit cards, highway tolls are paid with an electronic pass or money is withdrawn from an ATM, Johnson said. But today, "this information is available only in bits and scraps and various places. It is not all available centrally to be combined, compared and matched."

With wider use of biometric identification systems, much more information would pour into databases, where it could be sifted through and mined to trace patterns of individuals' activities, he said.

Analysts at the Electronic Frontier Foundation share Johnson's concern.

"By far, the most significant negative aspect of biometric ID systems is their potential to locate and track people physically," wrote William Abernathy and Lee Tien of the foundation. "A society in which everyone's actions are tracked is not, in principle, free. It may be a liveable society, but would not be our society."

They present a long list of potential ills, from loss of privacy and greater opportunities for blackmail to more wrongful convictions due to greater collection of circumstantial evidence.

Rand's Woodward is not as worried.

Although it would be possible to use biometric identification systems to track individuals, "the government hasn't got the kind of incentive" to do so as a matter of routine, he said. "It seems to me it's the private sector that has the incentive."

"People are right to worry about privacy," Commerce's Mehlman said. And the federal government should take an active role in setting policies and standards that ensure high levels of security and protection of privacy, he said.

Wait and See

The private sector has shown some interest in biometric technologies, but is not yet ready to embrace them.

Grocery chains Kroger Co. in Texas and Thriftway Stores in Seattle have experimented with biometric ID systems that permit customers to pay for groceries with a fingerprint. In such systems, the fingerprint is linked to a credit or debit account and works just like a signature.

For consumers, one lure is convenience. "It's hard to leave home and forget your fingerprint," Mehlman said. But to win public acceptance, "the most critical question is whether these systems can be designed to increase security. I'm optimistic that they can be — and if they do, they will be wildly successful."

Earlier this year, fast-food giant McDonald's Corp. tested a fingerprint payment system in a restaurant in Fresno, Calif., but was unimpressed with the results. After a brief experiment, the technology has been dropped, a McDonald's spokeswoman said.

Disney uses a finger geometry system to identify its season pass holders for its theme parks. The system prevents passes from being lent to friends and relatives. And at the Children's Hospital Inc. in Columbus, Ohio, fingerprint identification technology is being used to authenticate doctors who order tests and prescribe drugs.

Identix's Zelazny said successful use of biometric ID systems by the government might be the key to their adoption by the private sector.

If TSA can reduce travel delays without creating other problems, consumers might want similar systems to reduce the waits in checkout lines. And if the Immigration and Naturalization Service, for example, can reduce immigration fraud with biometric visas and passports, the public might trust biometrics to reduce credit card fraud.

But that's going to take time. As of Oct. 1, INS requires biometric visas only from Mexican citizens attempting to enter the United States along the U.S./Mexican border. Other biometric visas aren't required until late 2004.

At TSA, the trusted traveler card is stalled in its early planning stages. Adm. James Loy, undersecretary of transportation for security, said Congress' spending freeze on the Transportation Worker Identification Credential system has also halted work on the trusted traveler card.

Holding Back

Despite an aggressive launch last winter, there has been little real progress toward adopting biometric driver's licenses.

A House bill that would make $315 million available to the states to develop biometric licenses stalled in a subcommittee. A Senate version has not been introduced yet.

"There's a lack of political will," said Jason King, spokesman for the American Association of Motor Vehicle Administrators, which issued an urgent plea for creating biometric driver's licenses last January.

Unable to motivate Congress, AAMVA has turned to the National Governors Association to press for uniform driver's licenses with biometric identifiers. "It's going to take legislation at the state level, and it's going to require funding," King said. And getting either is expected to take time.

Meanwhile, King conceded, AAMVA has not yet decided which biometric identifier should be used on driver's licenses.

It all has a familiar ring to Ken Gregory, U.S. project manager for a Swedish company named Precise Biometrics.

Every year for the past six years, Gregory said he and his colleagues have assured one another that "this is the year" biometric technology would take off. Each year, they have been wrong.

But this year, Gregory said he was convinced this really was going to be the year that biometrics boomed.

Market conditions never looked better. After the terrorist attacks, the U.S. government seemed eager to use biometric technologies to improve security at airports, government buildings, border crossings and ports of entry.

Entire departments were being created to focus on improving homeland security. Laws were being debated and occasionally passed requiring the use of biometrics. Equipment costs were dropping and capabilities were improving.

But 2002 is down to its final quarter now, and the biometric business has yet to boom.

Instead of unbridled buying, "you're seeing a lot of pilot projects," Gregory said. Some results are expected to begin trickling in this month and next. But others, such as a TSA program to test security technology in airports, won't get started until December and won't end until next August.

Maybe next year will be the year for biometrics.

***

Checking for prints

Prices have dropped dramatically and the reliability of biometric identification systems has improved in recent years, but not all biometric systems are ready for widespread use, according to the General Accounting Office.

In an April report to Congress, here's how GAO rated various biometric systems:

Technology ... Reliability ... Performance factors

Fingerprint scan ... Reliable ... Dirty, dry or worn may degrade performance

Hand geometry ... Fewer unique characteristics ... Injuries, jewelry may reduce accuracy

Retina scan ... Highly accurate ... Hard to use

Iris scan ... Highly accurate ... Poor lighting, movement may degrade peformance

Facial recognition Variable... Requires proper lighting, face positioning and undated photo database to work well

NEXT STORY: Census tests boundaries on Web

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.