Every society exists somewhere on the spectrum between complete openness and total restriction of behavior and movement. In the United States, we are proud of our society’s extremely open nature, but that asset is also a basic element of its vulnerability to terrorism.
An obvious solution is increased physical and information-technology security, though the appropriate level of security should not be uniform throughout the country. It would depend on the type of facility or system being guarded, the potential damage if an intrusion occurs, and the degree to which security interferes with effective functioning of the system. Clearly, the rules for nuclear power plants should be different from those for buses.
One developing set of technologies that could play a role across the board—ranging from major to minor, depending on the specific case—is biometrics. In authorizing participants in any particular system—physical or IT security alike—biometrics may provide alternatives to picture IDs, magnetic entry cards, or passwords.
Biometrics uses behavioral and physiological characteristics—including fingerprints, irises, written signatures, faces, voices, and hand shape—to authenticate the identity of an individual. These characteristics are distinctive but not necessarily unique, and they can vary over time and conditions of collection and may change with medical condition, advancing age, or the onset of puberty. Still, biometric identification may provide a higher level of confidence for the authentication of identity than can devices such as passwords. And, as opposed to other authentication tokens that might be used (such as keys), biometric measures cannot easily be stolen or mimicked. However, biometrics must be part of a multifactor authentication scheme rather than a one-stop solution. Biometric authentication is most applicable to sensitive applications in which the security risk of a false positive (an imposter being accepted as legitimate) is much higher than that of a false negative (an authorized individual being rejected as illegitimate). Several U.S. government projects are currently aimed at improving the distinctiveness of individual measures and exploring “biometric data fusion” for combining multiple measures. Such advances would allow for almost one-to-one mappings of measure sets to individuals, making the technology exceedingly reliable but also more subject to privacy abuses.7
On a less invasive level, biometrics at more or less its present state could enhance the protective value of more traditional security systems. While the technological elements behind barriers, fences, locks, perimeters, and other physical ways of safeguarding a location—as well as nonphysical approaches such as
Authentication technologies (including biometrics) and their implications for privacy will be explored in depth in a forthcoming CSTB report from the Committee on Authentication Technologies and Their Privacy Implications; see information available online at <http://cstb.org/project_authentication>.