DHS Special Report | Authentication, ID are in the cards
RFID, biometrics are integral to many of DHS’ plans
Robert Mocny, deputy program manager for the U.S. Visitor and Immigrant Status Indicator Technology program, has a simple vision for making the borders more secure.
It doesn’t have to do with 12-foot fences, or unmanned aerial vehicles or anything fancy. It is a simple card combining two technologies that have been around for decades—biometrics and radio frequency identification.
Such a card, Mocny envisions, would give border patrol officers a complete picture of visitors as they enter and exit the country, and ensure that they actually leave when they’re supposed to.
This is a big difference from what is happening now under the I-94 pilot program that DHS is running as part of the U.S. Visit system. The pilot uses a long-range RFID chip implanted in a form for visitors who require a visa, but critics contend that it can guarantee only that the form leaves the country, not the visitor.
Mocny agrees with that criticism.
“That is why we will challenge industry to devise a way to make sure that a person is leaving the country by having a RFID and biometric device together,” he said. “It could become the [People Access Security Service under the Western Hemisphere Initiative] card or something else. It is all about the timing of the marriage of the technology.”Starring roles
In the meantime, biometrics and RFID—both separately and together—are playing significant roles in at least four high-profile programs across DHS.
Along with the I-94 pilot, U.S. Visit captures biometric data on visitors and checks their fingerprints against terrorist and criminal databases.
The PASS card, though Congress likely will delay its implementation, would include a long-range RFID chip to quickly transmit information to border control officers about the holder of the card.
The Transportation Security Administration is relying on fingerprint and iris biometrics for its Registered Traveler Program. Under RT, volunteers submit biometrics, go through FBI background checks and, if approved, receive an identification card to go through airport security more quickly. TSA launched five pilots in 2004 and now has implemented the program at a handful of airports, including Orlando, Fla.
The Transportation Worker Identity Credential, another TSA program, uses a biometric ID card for port workers to gain physical or logical access to secure areas. TSA tested the program from Nov. 2004 until June 2005 at 28 sites around the country using fingerprints and iris biometrics.
Other parts of DHS also are using RFID and biometrics in other ways. The Coast Guard is using biometrics to authenticate vendors into their facilities more quickly, and the Secret Service is relying on RFID for asset tracking.No-longer-missing link
While biometrics and RFID technologies hardly are new, their maturation and public acceptance seem to pave the way for extensive, long-term use.
“Biometrics is the key link that connects the individual to the threat assessment,” said Darrin Kayser, a TSA spokesman. “It allows us to combat fraud and ensures that the individual at the access point is who they said they are. It is a key piece to TWIC and Registered Traveler.”
Mocny said that adding RFID tags to certain documents will simplify and ensure safe travel, while guaranteeing citizens’ privacy and allowing people to move through checkpoints quickly enough to allow for the flow of commerce over the borders.
“RFID is playing a larger role, especially for cargo,” said Jeremy Grant, a senior vice president and emerging technologies analyst for the Stanford Washington Research Group of Washington. “DHS still needs to better develop how to deploy it and manage it. It reminds me [of] where biometrics was four or five years ago. It has a lot of promise, but people still are figuring out the best way to use it.”
At least one vendor agrees with Mocny’s vision of marrying the two technologies.
Jim Stolarski, program manager of the Smart Border Alliance for U.S. Visit and director of homeland security for Accenture LLP of Chicago, said his company
is lab-testing an RFID and biometric
“We think this is closer than five years out,” Stolarski said. “We are far from a working model, but the idea is that to biometrically enable a RFID card will make an ID as certain as possible.”
Stolarski plans to demonstrate the technology to U.S. Visit CIO Scott Hastings later this summer.
But there still is a lot of uncertainty about using RFID to authenticate and identify people.
Jim Harper, director of information policy studies for the Cato Institute in Washington and a member of the Emerging Applications and Technology Subcommittee of the DHS Data Privacy and Integrity Advisory Committee, said using RFID to “track” people creates too many security and privacy risks.
Harper is one of the authors of the controversial draft report The Use of RFID for Human Identification, which received a lot of criticism from industry and even within DHS itself.
“RFID is appropriate to drive down costs and allows you to get information a little more quickly, but it doesn’t solve the security problems,” Harper said. “They aren’t responding to Sept. 11, they are trying to harden everything.”
The draft report said RFID is only appropriate for “human identification” when used for miners or firefighters when they go into dangerous situations.
Melissa Ngo, staff counsel for the Electronic Privacy Information Center in Washington, said one of the biggest questions with RFID is how much information should be collected for each person.
“If you collect too much information, it becomes bloated,” she said. “If you want to authenticate someone, you should collect only the information needed to do that.”
Mocny said there are a lot of misplaced fears around RFID, with some people thinking the government wants to put a chip in their necks.
“The specter of someone walking around with a black hat and surreptitiously using a reader to capture someone’s 96-digit number is wrong,” Mocny said. “People want to paint a negative picture of the next best idea from this administration all the time. We don’t want to track humans [everywhere they go]. We want to record the entry and exit of visitors. We want to do what we are doing today, but do it more efficiently.”
Patrick Sweeney, president and chief executive officer of ODIN Technologies of Dulles, Va., said a lot of how the government is using RFID is more efficient because of the lessons it learned from the bar code industry.
“RFID streamlined standards into 12 primary ones so hardware can be designed with more flexibility,” said Sweeney, author of RFID for Dummies.
While RFID is in its infancy at DHS, the promise of biometrics is quickly coming to fruition.
U.S. Visit and other programs are successfully using biometrics. For Registered Traveler, TSA tested two kinds of biometrics at five airports for more than a year and had a lot of success, according to agency officials, vendors who ran the program and industry experts.Registered Traveler
Under Registered Traveler, citizens who pass a background check use an ID card and a biometric—either a fingerprint or iris scan—to shave the time it takes to go through the initial stage of security at airports.
The goal of RT is to have the biometric databases interoperable around the country, so the information can be read at any airport.
Jeff Poulson, EDS Corp.’s program manager for the Registered Traveler pilots run at Washington Reagan National and Boston Logan airports, said the biometrics capture rates were high.
TWIC, another TSA program that relies heavily on fingerprint biometrics, will be rolled out for 10 million transportation workers over the next two years, DHS secretary Michael Chertoff said in a press briefing earlier this year.
TSA hired BearingPoint Inc. of McLean, Va., as the lead contractor for the TWIC prototype, used at 28 sites around the country from January 2004 to June 2005. During the test, BearingPoint collected two biometrics and stored them on chips on an ID card.
Port or transportation workers had to use the card with their fingerprint and a personal identification number to gain access to a facility or a system, said Gordon Hannah, managing director of BearingPoint’s security and identity management group.
Lisa Himber, vice president of the Maritime Exchange for the Delaware River and Bay in Philadelphia, said her organization, which represents businesses along the Delaware River and took part in the TWIC prototype, had concerns about whether TSA tested biometrics readers adequately.
“The types of people who work outdoors with rough hands or with scars on their hands, what kind of reads will they get?” she asked. “If fingers don’t work, what alternate biometrics will they use?”
TWIC did not widely test such other forms of biometrics systems as iris scanning, TSA’s Kayser said. Only Los Angeles Airport used iris recognition on a local scale, Hannah said.
“Biometrics makes sense, but it can’t delay the time it takes to get into the main gate,” said Bill Boles, security manager at the Port of Wilmington, Del. “With the TWIC card now, it takes two or three seconds. If you add the biometric, it will add another second or two. If there are really busy days, it could add as much as five seconds, and that could be a real problem.”
Along with fingerprint biometrics, Chuck Archer, vice president of the federal sector for Identix of Minnetonka, Minn., and a former FBI official, said iris and facial recognition also are rapidly closing the gap in terms of making positive identification.
“Every year, the algorithm that supports iris and facial recognition ... comes closer to approximating identification of fingerprints,” he said. “Iris and facial are less intrusive than finger, and as the technology improves and gains credibility, iris and facial are climbing the ladder of acceptability.”
Even with the blemishes and hiccups that accompany any maturing technology, DHS is wedded to RFID and biometrics.
Mocny and other agency officials made it clear that ensuring privacy and security is a top concern, but whether the agency can more fully integrate these technologies remains unclear.