2
Summary of Panel Sessions and Presentations

SESSION 1: SCIENTIFIC AND TECHNICAL CHALLENGES FOR BIOMETRIC TECHNOLOGIES AND SYSTEMS, INCLUDING SYSTEM INTEGRATION, ARCHITECTURE, AND CONTEXTS OF USE

Panelists: Jean-Christophe Fondeur, James Matey, Sharath Pankanti, Jonathon Phillips, and David Scott

Moderator: Anil Jain

In Session 1, participants from industry, government, and academic research centers discussed the state of the art of biometric systems, the current bottlenecks, and areas where performance could be improved. Among the different types of biometrics, three were highlighted by the panelists—fingerprint, iris, and face—as being those accepted by the International Civil Aviation Organization for use in border-crossing documents.1 All panelists agreed that biometric systems cannot be made perfect—that is, the focus should be on how to evaluate and reduce, rather than eliminate, error rates. The challenges relevant in varying degrees to all biometric systems were grouped in three categories by the panelists, with primary emphasis during this discussion given to the first category of challenges.

  • Improving the accuracy of biometric technologies and related performance evaluations through research on sensor resolution and ergonomics, algorithms and techniques for biometric fusion, characteristics of biometric feature spaces, and scientific methods to better quantify biometric systems’ performance under realistic conditions.

  • Systematically and thoughtfully integrating biometric systems with other security systems.

  • Promoting interoperability of biometric systems, especially internationally, through a framework of standards, test methodologies, and independent evaluations.

Underlying many of the scientific and technical challenges for biometric technologies and systems is the need to reduce the error and variability that can be introduced at various stages. The sources of error begin with insufficient distinguishing detail in the biometric identifiers themselves (such as faint fingerprint ridges) and extend to variability in their presentations to a sensing instrument (which, depending on what is being measured and how, may result from injury, changing lighting conditions, or the aging process). The capture of the biometric identifiers by the sensors is affected both by the human interaction with the sensor (such as assisted vs. nonassisted sample capture and cooperative vs. noncooperative system users) and by the precision of the acquisition device itself. The quality of the information extracted from the sensor and used in the subsequent matching process can vary as well. The metric used in the matching process to measure similarities may be faulty or lack sufficient information to determine a match or a mismatch. Furthermore, to understand how the various stages of the data acquisition and processing sequence affect the end performance of the biometric system and how they can be improved, each stage needs to be modeled independently as well as in different system architectures.

1   While these particular types of biometrics were highlighted by these panelists, there are scientific and technical challenges across a range of biometrics, including non-image-based measures such as voice recognition. The committee’s final report will aim to incorporate and extend the discussions at this workshop and to include biometric measures and systems that were not specifically mentioned at this event.

Summary of a Workshop on the: Technology, Policy, and Cultural Dimensions of Biometric Systems

Biometrics and Accuracy

To increase the information captured by the biometric system and to facilitate matching, including the ability to discriminate between genuine and imposter matches, participants suggested that sensor improvements could involve higher resolution and a higher signal-to-noise ratio (SNR). In addition, sensors that collect multiple biometrics within one device or system may offer improvements with respect to a range of characteristics such as accuracy and efficiency and accommodation of a broader population. Current research in this area aims to make multiple low-resolution images from video surveillance systems usable for facial recognition.
An example was given of a system that uses several different cameras to track the location of a person in a room, with one of the cameras controlled by the location of the person’s head. Such a system can log all the people who have been in a room and capture the frontal images that are best suited to facial recognition at higher resolution. Given that users of biometric systems may not be familiar with the technology, the ergonomics of the sensor and associated data capture hardware may affect the biometric information that is collected. To improve results, some participants suggested that user interaction must be either intuitive or minimized to the point that there is little, or no, interaction with the acquisition device. The prototype discussed at the workshop for on-the-move iris recognition allows iris images to be captured while the individual is walking past the sensor. This approach aims to minimize the acquisition constraints by expanding the standoff distance, or the distance of the acquisition system and the camera illumination from the subject, and the capture volume, or the area in which the biometric may be captured within a particular length of time.2 However, additional improvements in algorithms will be required to further minimize these constraints as well as reduce orientation requirements that currently require a direct gaze into the camera. Continued algorithm development and better fusion of biometrics will generate more information to aid in the matching process. Though algorithms are continuing to improve and to process more information, additional research will be needed in coping with the variability of information over time—a consequence of the human aging process—especially for the processing of children and particularly for new biometric modes, such as three-dimensional facial recognition. 
For biometric fusion, panelists suggested potentially good combinations, such as face and finger, finger and iris, and face and iris. Research in this area also includes mosaicking templates3 that allow for the integration of multiple acquisitions of a biometric to enhance its representation.

2   The performance of the off-the-shelf iris recognition system described at the workshop, the LG-3000, includes a standoff of 10 cm, a capture volume of 0.04 liters, or 2 cm * 2 cm * 10 cm, within 3-10 seconds, and requires stationary use. In contrast, the on-the-move iris recognition prototype increases the camera standoff to 3 m and illumination by 1 m, capture volume expands to 10 liters, or 60 cm * 30 cm * 5 cm, within 0.05 seconds, and permits a walking speed of 1 m per second.

In addition to improving the collection, processing, and integration of biometric information, panelists also underscored the importance of understanding more about biometrics feature spaces, including determining how many independent dimensions there are for each unimodal biometric, how many are required to determine distinctness, and variation in feature space dimensionality across different biometric modes. Biostatistical tools and processes could also be helpful in determining the effectiveness of dimensions in creating and using representative but smaller test populations and in understanding changes in biometric identifiers over time.

Biometrics and Performance

Though many panelists believed that the performance issues surrounding biometric technologies are tractable, they agreed that resolving these issues will require a systems approach rather than a focus on individual sensors and recognition algorithms. This approach calls for collaboration by those involved with different stages of a biometric application and the integration of modalities, sensors, and application subcontexts—for example, the integration of liveliness detection with signal quality assessment—to promote better system decisions. In general, effective system integration was considered to be necessary for improving accuracy and performance. To evaluate and to compare the current accuracy and improvements in accuracy of biometric systems, a more scientific approach to biometric performance research was suggested.
Participants recognized the progression of biometric research, from the early approach of selective performance tests to the recent use of more robust approaches to technology evaluation, which can aid in organizing and comparing the results of the system under evaluation.4 But some panelists stressed the importance of more systematic research. Additional progress could be made by the more systematic use of control groups (for example, testing a new algorithm against a control algorithm), by establishing confidence intervals to indicate statistical significance to achieve better consistency across studies,5 and by aiming for repeatability of studies to verify performance improvements through independent evaluations. Various suggestions that were offered to develop a research agenda are described in Box 2.1.

3   Anil K. Jain and Arun Ross, 2002, “Fingerprint mosaicking,” Proceedings of IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), Orlando, Fla., May 13-17.

4   Some formal technology evaluations conducted by the National Institute of Standards and Technology (NIST), for example, include the Face Recognition Grand Challenge (FRGC), the Iris Challenge Evaluation (ICE), the Speaker Recognition Evaluation (SRE), and the Minutiae Operability Exchange Test (MINEX04).

5   This would be helpful when replicating experiments with different data sets and to verify the correctness of testing methodologies.

BOX 2.1 Suggestions for Improving Biometrics Research Endeavors

Various suggestions were offered to improve biometrics research:

  • Improve the consistency of review policies by using a peer-review process (such as is used for journals) to facilitate repeatability, documentation of experiments, and executability.

  • Provide access to large data sets and different types of data, such as multimodal data, to measure performance improvements and find ways to increase the amount of data used in biometric performance studies.1

  • Develop challenge problems to guide academic research and to create a baseline for comparisons and independent evaluations.

  • Increase the documentation of government-funded and -proposed research (see Session 2 for additional discussion).

1   It was also noted that studies outlining new performance techniques may not require data for testing until later stages.

Biometrics and Security

The panelists agreed that biometrics should not stand alone in security practices but should be systematically and thoughtfully integrated with other security features. Noting that a biometric (for example, a fingerprint or an iris pattern) itself is not secret, panelists observed that it is necessary to consider its integration with other security mechanisms such as encryption and/or smart cards. Integrity mechanisms employing encryption, for example, are required to provide continuity of authentication for the duration of a session, something that biometrics alone cannot provide for this sort of application. One suggestion was to pursue a holistic approach for integrating biometrics into a security system and to consider employing techniques like the Common Criteria certification approach.6

Biometrics and Interoperability

An international framework to support the worldwide interoperability of biometrics requires the creation of standards, test methodologies, and independent evaluations. Interoperability challenges described during the workshop include identity documents issued in one country using the system of a particular vendor, which must be accessible in other countries using different systems of different vendors. Standards are needed to facilitate this interchangeability, but it was noted that they will not solve all the problems, because they often involve compromises among the different and sometimes competing interest groups that are involved in any given standards process. Incompatibilities in the interpretation of standards require evaluation tests to be conducted.
In addition, it was suggested that many operational pilot programs should also include interoperability testing in multiple countries to verify that systems will be compatible (see Session 4 for more discussion).

6   For more information, see <http://csrc.nist.gov/cc/>.

SESSION 2: MEASUREMENT, STATISTICS, TESTING, AND EVALUATION

Panelists: George Doddington, Michele Freadman, Patrick Grother, Austin Hicklin, and Nell Sedransk

Moderator: Joseph Campbell

Session 2 explored issues surrounding the measurement, statistics, testing, and evaluation of biometrics and biometric systems. It should be noted that statistical analysis in the context of biometric systems is employed for a range of purposes, including assessments of the underlying technology, analysis of user behavior, data mining, and so on. Indeed, such issues were discussed throughout the workshop in several different contexts. Questions raised for this panel included these: Do biometric systems work? What is meant by “work” in the context of a biometrics system? What is being measured, tested, and evaluated, and how can confidence in the experiments be created? The panelists presented a range of perspectives on these issues, from broad explorations of the nature of experimentation and representative populations to discussions of specific evaluation regimens and real-world deployment at a major international airport (see Box 2.2). Several overarching themes arose:

  • Evaluating biometric systems serves three purposes: to guide and support research and development, to assess the readiness of a system for deployment, and to monitor performance of a system in the field.

  • As in many other domains, appropriate experimental design and solid statistical underpinnings are needed to produce effective testing and evaluation regimes.

  • There is no one-size-fits-all solution, given the range of types of systems that are deployed.

  • Data and data selection choices, which include understanding the reference and expected user populations, can have a large impact on the accuracy and effectiveness of testing and evaluation.

BOX 2.2 Early Biometrics System Deployment at an Airport

One panelist described the evaluation of different biometric technologies for several operational deployments, as well as the design of a future biometric system for controlling access to Boston’s air transportation system. At the time of this workshop the biometric systems deployed by Massport, the responsible government agency, included an ultrasonic fingerprint reader at the regional airport and hand geometry readers in the administration building.
The planned system for Logan airport, soon to be deployed, takes a layered approach, following Secure Identification Display Area (SIDA) procedures, and uses a proximity card, a personal identification number (PIN), and a fingerprint reader. The panelist emphasized the importance of examining an organization’s expectations of a biometric system and what such a system could accomplish, in particular recognizing that biometrics alone would not solve security concerns, and stressed the importance of initial enrollments and the need to educate both enrollment administrators and system users to acquire high-quality enrollments. Educating employees was also critical to gaining acceptance for the technology. To promote the success of the Massport system, the importance of addressing concerns about the technology as they arose was noted. A general plan was also proactively put in place, increasing administrative staff to assist with any problems or issues that might arise during the initial deployment period.

Purpose and Goals of Evaluation

Biometric technologies and systems are commonly used for security purposes and for the sake of convenience. One application of biometrics is to gain a privilege (for example, access to buildings or other resources). Another class of biometric applications is forensics and intelligence gathering—specifically, the use of biometrics to validate the identity of a person who does not want to be identified. Both classes of applications should be kept in mind when exploring testing and evaluation approaches. For both, the major challenge is obtaining a biometric trait sufficiently distinctive to determine differences between people in the face of measurement variability across multiple presentations of the user to the system, which may vary greatly in time and circumstances (including degree of user cooperation), and in the face of possible attempts to manipulate and/or circumvent the system by imposters.

There are many types of biometrics that might be used in a system. Some biometrics are based on physical characteristics, such as fingerprints, hand geometry, facial features, and so on, whereas others are based more on performance or behavior, such as signatures and speech. Biometric measurements have a range of variabilities, including physical variabilities (due, for example, to aging or trauma) and physiological variabilities, such as emotional or metabolic changes. Additional variability may be due to idiosyncrasies of the population (see Box 2.3). All of these types of variability, and others, pose challenges for collecting a corpus (training set) representing the problem space and for ensuring that quantitative indices of performance are sufficiently precise. They also can be sources of error when considering a distribution of subjects for enrollment and verification. The challenges associated with data and data selection are described further in a later section.

BOX 2.3 Sheep and Goats

The performance challenges to biometric systems due to variability, particularly in the recognition of different speakers within a population, are a well-recognized problem within the speaker recognition community. Variability among speakers has led some researchers to class them as “sheep,” “goats,” “lambs,” and “wolves.” Sheep represent the largest portion of the population—their performance is both predictable and reliably recognized by the system.
Goats are fewer in number—their performance in the system is unpredictable and not reliably recognized, often resulting in detection errors. Lambs and wolves are easily confused with others and can result in false matches. The characteristics of lambs are easy to imitate. Wolves, on the other hand, can imitate others easily.

1   For more, see George Doddington, Walter Liggett, Alvin Martin, Mark Przybocki, and Douglas Reynolds, 1998, “Sheep, goats, lambs and wolves: A statistical analysis of speaker performance in the NIST 1998 speaker recognition evaluation,” Proceedings of the 5th International Conference on Spoken Language Processing, November.

Why Evaluate?

What is the reason for evaluation and testing of a biometric system? At a high level, it was suggested, evaluation serves three purposes: (1) to guide and support research and development by, among other things, identifying important dimensions of variability and providing feedback on what works and what does not; (2) to assess the readiness of a system for deployment and to provide a framework for characterizing performance as a function of variability in a given system; and (3) to monitor performance of a system in the field, which includes characterizing system performance in terms of the failure mechanisms and identifying technical challenges that can feed back to research and development. Over time, tension may result between research and applications. For research, the requirement is to represent core technical challenges in a very distilled way that separates the technical issues from numerous application/operational issues. As application and operational issues arise, they may complicate and obscure the core research challenges. At the same time, if evaluation is needed to assess readiness, then the prediction of a system’s performance in the field may be based on what the system achieved on a corpus of evaluation data. Accurate predictions can be a challenge.

The Role of Technology

Regardless of the specific reasons for evaluating a given system, ultimately the role of technology—in this case of a biometric system—is to enable accurate and responsible decision making. At heart, a panelist suggested, all practical biometric applications are “detection” applications: The application seeks to assert that an identity is known or is not known. It was suggested that this assertion can be formulated in terms of a probability—namely, is the probability of the identity hypothesis, given the data, above a certain threshold? Participants acknowledged that answering this question is not solely a technical matter. Policy matters as well. What are the criteria on which this judgment is based? What are the prior probabilities—that is, Is anything known about the probabilities associated with the population using the technology? How will the answer that the technology is attempting to provide weigh into the ultimate decision making? Policy and adjudication mechanisms are needed in addition to what the technologists and technological systems can offer. Participants observed that the technical and policy components of decision making must inform and provide feedback to each other.

Experimental Design

Participants noted that good experimental design is important in evaluating systems and selecting evaluation data and that many of the issues that arise are not specific to biometrics.
Data selection issues need to be acknowledged up front rather than being hidden or elided in the evaluation of systems. Issues of proper data use were also raised, such as including all data in the test evaluation. Removal of poor quality data from the test could have the effect of filtering out problems that would occur with real data and might produce overoptimistic assessments of system performance. Additionally, the operational and evaluation data need to be kept separate to prevent developers from tuning their systems to known evaluation data sets in preparation for testing. Some challenges specific to evaluating biometric systems are specific to each of the many types of systems that are deployed. As one panelist noted, evaluating “operational fingerprint identification systems on a large scale” is a specific challenge—changing any of the characteristics mentioned in that phrase changes the evaluation process. Another challenge relates to what is known as ground truth and the process of determining whether there is a matching error. Fingerprint identification may involve working with latent fingerprint examiners, who, as is well known, can make errors. Testing also needs to be done for system vulnerabilities, and distinctions should be made between active and passive imposters. Additionally, it was noted that a one-size-fits-all approach to testing might not be feasible, because the intended use for the system and the type of application might have an impact on the referent population and on the types of data necessary to evaluate the system. It was suggested that layering the overall problem into general problems, biometric-related problems, specific biometric modalities issues, and so on would generally be helpful. 
One suggestion was to layer the problem so as to address all the generic problems first (such as defining the general-purpose evaluation and data selection and corpus) and then to address problems relating to the specific biometric technologies and modalities in use. Of course, the generic and the specific may not always be easily separable.

Impact of Data Selection on Testing and Evaluation

Data selection is central to effective evaluation approaches. That which can be learned from a data set that is not representative of the population of interest is of limited, if any, value.7 The degree of similarity among different elements in a population is a related concern and must be considered when establishing a representative population sample and incorporating appropriate gradation and other challenges into test scenarios. Biometric tests are almost universally based on “opportunity” samples, testing whatever volunteers happen to be available. It might be possible to develop “judgment” samples chosen in some systematic way to represent population variation. The application of statistical methods to evaluations in the biometrics domain would seem viable, provided that the methods are well designed and the samples are representative.8

One panelist argued that large quantities of operational data are needed for testing. While most systems do not archive all of their data, much could be learned from the analysis of data that are routinely discarded if they are collected and stored (for example, retaining the information that a person had to make three attempts before the system recognized him or her, and the biometric images or signals associated with those repeated attempts). Data also drive how thresholds are set for biometric systems. Thresholds are predicated on what is known about the distributions of imposters and genuine subjects. Developing an infrastructure to extract operational data from devices may be helpful, but techniques for anonymization and privacy protection along with authentication, where appropriate, will also be needed. It was suggested that a combination of interfaces, infrastructures, audit trails, metadata, and data formats is needed.
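
The following Python example is an added illustration and is not part of the workshop summary. Using constructed scores, it shows three points from this session: a threshold derived from the impostor score distribution, how discarding poor-quality samples from a test makes the measured false non-match rate look better than it is, and how the same score yields very different posterior probabilities under different priors. The score model, the Gaussian fit, the quality cutoff of 0.3, and every function name are assumptions made for the example.

```python
import math
import random
import statistics


def constructed_scores(seed=7, n_genuine=4000, n_impostor=20000):
    """Constructed similarity scores (not data from any real system).

    Every genuine comparison carries a sample-quality value q in [0, 1];
    poorer presentations score lower on average. Impostor scores ignore q.
    """
    rng = random.Random(seed)
    genuine = []
    for _ in range(n_genuine):
        q = rng.random()
        genuine.append((q, rng.gauss(0.55 + 0.30 * q, 0.08)))
    impostor = [rng.gauss(0.30, 0.08) for _ in range(n_impostor)]
    return genuine, impostor


def threshold_for_fmr(impostor_scores, target_fmr):
    """Pick t so that at most target_fmr of impostor scores lie strictly above t."""
    ranked = sorted(impostor_scores, reverse=True)
    allowed = int(target_fmr * len(ranked))  # number of false matches tolerated
    return ranked[allowed]


def rate(flags):
    """Fraction of True values in a list of error flags."""
    return sum(flags) / len(flags)


def bootstrap_ci(flags, rng, rounds=300, level=0.95):
    """Percentile bootstrap interval for an error rate over 0/1 outcomes."""
    n = len(flags)
    estimates = sorted(rate(rng.choices(flags, k=n)) for _ in range(rounds))
    cut = int((1 - level) / 2 * rounds)
    return estimates[cut], estimates[rounds - 1 - cut]


def posterior_genuine(score, prior, genuine_scores, impostor_scores):
    """P(same identity | score), using Gaussian fits to both score sets (an assumption)."""
    def density(x, sample):
        mu, sigma = statistics.fmean(sample), statistics.stdev(sample)
        return math.exp(-0.5 * ((x - mu) / sigma) ** 2) / (sigma * math.sqrt(2 * math.pi))

    weight_g = density(score, genuine_scores) * prior
    weight_i = density(score, impostor_scores) * (1 - prior)
    return weight_g / (weight_g + weight_i)


def evaluate(target_fmr=0.01, min_quality=0.3, seed=7):
    genuine, impostor = constructed_scores(seed)
    t = threshold_for_fmr(impostor, target_fmr)
    rng = random.Random(seed + 1)
    # A genuine comparison scoring at or below t is a false non-match.
    all_flags = [s <= t for _, s in genuine]
    kept_flags = [s <= t for q, s in genuine if q >= min_quality]
    g_scores = [s for _, s in genuine]
    probe = t + 0.05  # one score that clears the threshold
    return {
        "threshold": t,
        "fmr": rate([s > t for s in impostor]),
        "fnmr_all": rate(all_flags),
        "fnmr_all_ci": bootstrap_ci(all_flags, rng),
        "fnmr_filtered": rate(kept_flags),
        "fnmr_filtered_ci": bootstrap_ci(kept_flags, rng),
        "discarded": 1 - len(kept_flags) / len(all_flags),
        # Same score, two priors: an even prior vs. a search where true matches are rare.
        "posterior_even_prior": posterior_genuine(probe, 0.5, g_scores, impostor),
        "posterior_rare_prior": posterior_genuine(probe, 1e-4, g_scores, impostor),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:>22}: {value}")
```
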
Despite the difficulty of gathering data from subjects, participants were skeptical about the use of synthetic data (created through morphing and other techniques) for testing a system for deployment but allowed that such data might be useful in the early stages of research and development testing. Data distributions also vary by collection characteristics as well as population characteristics. For instance, data compiled by trained collectors in a controlled environment who aim to gather perfect samples from willing participants will likely be less variable than data collected in operational field tests under chaotic conditions by untrained collectors or from uncooperative participants. Additionally, the two kinds of data—controlled versus operational—also have different uses. For purposes of research and development, controlled laboratory data might be more useful—for example, in order to assess the sensitivities of one’s algorithms. However, for testing purposes, operational data are preferable. Quality In some biometric systems, annotations that indicate the quality of a particular sample can be used. For example, some data formats for face, finger, and iris have fields that allow a quality metric to be inserted. This metric can be used to guide what sort of analysis might be needed or, at 7   One example was of a data set collected in an Ohio prison—not only was the collection process very controlled, but the population was homogeneous (primarily young and male) compared with the general population. Another example addressing the issue of collection involved two different populations but used the same fingerprint scanners and the same software: one set of data was collected by the border patrol (primarily from Mexican illegal immigrants) and the other one was collected in an office environment (from people trying to get border-crossing cards). 
These systems were orders of magnitude apart in terms of error rates, presumably because the two populations from which the data were being collected had very different motivations. 8   It was noted that statistical error bars on data will indicate the degree of error only if the data reflect the population. If the data do not reflect the population, then the error bars will not have any bearing on the true magnitude of error.

OCR for page 5
enrollment, to ask that the sample be collected again. It can also be used in aggregate to assess or monitor the overall quality of the collected data. For example, if enrollment is being done at multiple stations, system operators can learn about the average quality on, for instance, Mondays, or in the afternoons. Much of this falls under traditional quality control and analysis.9 How best to use such a quality metric, what standards it might be useful for, and what it actually means are being discussed in the biometrics community.

SESSION 3: LEGISLATIVE, POLICY, HUMAN, AND CULTURAL FACTORS

Panelists: Tora Bikson, David Kaye, Lisa Nelson, and Peter Swire

Moderator: Jeanette Blomberg

In Session 3 panelists were asked to address the legal, policy, social, and cultural aspects of biometric systems, as well as the implications for the collection and use of biometric data in different contexts at both the national and international levels. Five main themes emerged during this session:

  • Three different modes of identification evidence—mitochondrial DNA, facial recognition, and latent fingerprints—were discussed in relation to “general acceptance” and “scientific validity”—two legal standards for the admissibility of evidence in a court of law.

  • Lessons for biometric system security were drawn from the current use of SSNs and the growing incidence of identity fraud. The proposition of a new law restricting the sale and disclosure of biometric identifiers was debated.

  • The meaning of “privacy” in relation to the use of biometrics technologies was discussed in terms of legal principles and some preliminary public opinion survey research.

  • Issues related to the collection and use of data generated by biometric technologies and associated fair information practices were discussed in relation to an earlier study on the use of RFIDs and access cards in the private sector.

  • The international legal and cultural dimensions of privacy were discussed, including their implications for the use of biometrics.

Admissibility of Biometric Identification Evidence

Two standards in common use for the admissibility of evidence in American trial courts,10 typically called “general acceptance” and “scientific validity,” were discussed and later applied to three different biometric identification modes. In practice, which of these standards applies varies by jurisdiction. The first standard, “general acceptance,” originated in Frye v. United States, a District of Columbia Court of Appeals case that upheld a ruling rejecting the admissibility of expert testimony

9   The importance of image quality for biometric systems and the need to evaluate image quality across multiple factors jointly rather than a single factor at a time was also noted. To incorporate a measure for image quality, the possibility of tagging the quality was suggested to account for quality differences (difference in granularity, in lighting, in aging, and so on).

10   As a point of clarification and context, it was noted that before evidence can be put before a jury or, in theory, a court, there may need to be a number of preliminary determinations. Such determinations may include whether the evidence is excludable as hearsay or whether it is relevant, scientific, and sufficiently reliable. Additionally, the debate about admissibility takes place in front of the judge rather than the jury. There may be experts on both sides, and federal judges may appoint their own experts. However, these rules apply only to evidence presented to juries and not to warrant requests.

about a then-new technique that could identify the act of lying by measuring systolic blood pressure.11 The decision recognized, however, that courts would permit expert testimony derived from “a well-recognized scientific principle or discovery, when it is sufficiently established to have gained general acceptance in the particular field in which it belongs.”12 Over the years, the Frye standard became the dominant criterion for admitting scientific evidence. Under Frye, a court would decide if general acceptance had been shown by looking to expert testimony and the existence of publications, by determining that the scientific technique had been put to nonjudicial uses, and by considering other cases that might manifest judicial acceptance.

The second standard, “scientific validity,” emerged in Daubert v. Merrell Dow Pharmaceuticals, a case that involved birth defects from an antinausea drug known as Bendectin.13 In this ruling, the Supreme Court overturned the decision of the lower courts to exclude evidence of toxicological epidemiology on the grounds that there was not general acceptance. Given the difficulty of determining when general acceptance has been reached, the Court deemed the Frye test to be inappropriate, under the Federal Rules of Evidence, for governing admissibility, and determined that the evidence admitted should constitute “scientific knowledge” and “be supported by appropriate validation.”14 The general guidance offered for the admissibility of evidence obtained by new scientific techniques included the following considerations: whether the theory or technique has been or could be tested, with appropriate controlling standards in applying the test; whether it has been subjected to peer review and publication; whether the potential rate of error is known; and, more broadly, whether the theory or technique is generally accepted.15

As an example, in applying these standards to mitochondrial DNA evidence obtainable from a strand of hair, it was noted that this type of evidence has been admissible in courts even in the case of comparatively small or unrepresentative sample sets. In a mitochondrial DNA match, the proposition that it is “almost always” maternally inherited and “usually” remains constant over time is generally accepted. Mitochondrial DNA has also been accurately sequenced in a laboratory, and the frequency of mitochondrial haplotypes can be estimated to determine if two samples being analyzed are similar.16

It was noted that questions pertaining to the theory and appropriateness of the computer algorithms used to perform facial recognition, a relatively new type of biometric identification, would need to be answered to determine the technique’s admissibility in a court of law. It would be important to know if the algorithm has been adequately tested and the results have been published or if it is proprietary and not published; whether there is sufficient research literature demonstrating the validity of the approach; whether conditional error probabilities have been established and, if so, their values; and how the matches are presented (e.g., in a binary form or as the probability that the two signals come from a common source); and, finally, whether it is generally accepted that the algorithm makes correct identifications.

11   This technique has been described as a precursor to the polygraph test.

12   Frye v. United States, 293 F. 1013 (C.A.D.C 1923). The Frye opinion is available online at <http://www.daubertontheweb.com/frye_opinion.htm>.

13   Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

14   The Daubert decision is not binding on the states, but more than half the states have adopted the Daubert standard to determine the admissibility of evidence in state courts.

15   These factors, from a nonexclusive list by Justice Blackmun in Daubert v. Merrell Dow Pharmaceuticals, Inc., have become known as the Daubert factors.

16   An example of the use of DNA evidence in the Scott Peterson case was provided. An FBI analyst testified that a hair found in Scott Peterson’s boat could not have been his, and that it matched Laci Peterson’s mother’s mitochondrial DNA that should have been inherited by Laci, the victim. Furthermore, the analyst testified that this haplotype would be seen in one out of 112 Caucasians, based on an FBI database of several thousand. It was noted that this type of evidence is generally admissible despite the statistically unrepresentative sample population of the database.

With regard to latent fingerprints, the form of biometric identification evidence with the longest use, courts historically have accepted this type of evidence under the Frye standard, and it continues to be accepted. However, the application of analysis, comparison, evaluation, and verification (ACE-V), performed by fingerprint analysts, has recently been challenged under the Daubert standard. The problem surrounding fingerprints lies with ACE-V and the human analysis, which some claim lacks scientific rigor—with respect, for instance, to establishing the known error rates and in the controlling standards used by the examiners. As a result, this identification technique continues to be subject to scrutiny; whether court challenges to it will succeed is an open question.17

It was noted that defense attorneys try to subpoena basic biometric methods information in an attempt to prevent biometric identification data from being introduced in courts; if it is introduced, they try to identify a factor that will compromise the accuracy and/or validity of the biometric method used. In the discussion, it was suggested that a defense based on the Daubert standard is generally a last resort but can be important when fingerprint evidence is critical to the case.

Lessons for Biometric System Security from the Use of Social Security Numbers

Lessons learned from the use and treatment of SSNs and the related problem of identity fraud were applied to understand and strengthen the security of biometric systems. One problem with the expanded use of SSNs in combination with publicly available personal information (e.g., mother’s maiden name) as an identifier, or “key,” to gain access to an individual’s credit records and other authoritative credentials is their lack of secrecy, given the ease with which they can be shared, sold, and compromised.18 In the computer science world, it was noted, keys or passwords are kept secret to prevent access to the system by an unauthorized user.19 While keeping information secret may be a common practice for online and other remote applications, it is common as well in the process of establishing credentials in the physical world, where fake identities can be created by using SSNs and other personal information that is presumed secret or private to acquire so-called “breeder” documents (e.g., driver’s licenses) that can be used to gain access to an individual’s personal or financial information.

To prevent similar problems with new biometric identifiers and the loss of the “keys” that breed fraud, a law was proposed at the workshop that would prohibit the selling or sharing of unencrypted biometric data. Similar to recently proposed legislation to prohibit the “sale or display of social security numbers,”20 the draft law aims to minimize access to high-quality images of biometrics (irises, fingerprints, and so on) to keep the new keys more secure, particularly for their use in legal identification. Such a law would shift onto those who would sell or display biometric identifiers the burden of explaining why that sale or display should be warranted. Among the several biometrics that are excluded by the rule are photographs of faces, which have many nonsecurity uses

17   The lengthiest Daubert hearing on fingerprints that was recently affirmed was U.S. v. Byron Mitchell, Criminal Action No. 96-407, U.S. District Court for the Eastern District of Pennsylvania, July 1999.

18   The personal and financial information for 145,000 people that was recently lost by ChoicePoint was provided as an example of compromised data, as key information that can be used to gain access to an individual’s financial information becomes accessible to others.

19   For more on this approach, see Peter Swire, 2004, “A model for when disclosure helps security: What is different about computer and network security?” Journal on Telecommunications and High Technology Law, Vol. 2. Available online at <http://ssrn.com/abstract=531782>.

20   In an effort to prevent identity theft, the Social Security Number Misuse Prevention Act (S. 29), introduced by Senators Feinstein and Leahy in January 2005, aims to prohibit, among other actions, the sale or display of SSNs to the public without the individual’s consent. For more information, see also Mark Roy, 2005, “Feinstein tightens ID theft proposal.” Internetnews.com, April 12. Available online at <http://www.internetnews.com/security/article.php/3497161>.

example given—an integrated mobile device, a hypothetical commercial application combining the functionality of a mobile phone and a personal data assistant—illustrated some of these characteristics. It could be an individual’s primary device for communication and information access, and the biometric could be used to provide secure access. Other information could be used by the system, including a personal identification number, an equipment-unique identifier, physical location, other biometrics (voice, face, fingerprint), and history of use. It was suggested that user-centered design principles be applied to develop application features and to determine the features’ value and usefulness. Recent findings suggest that the utility and convenience of biometrics may somewhat lessen privacy concerns as individual users begin to explore and weigh the costs and benefits.32

Nontechnical Factors and General System Characteristics

Panelists identified additional nontechnological factors that impact the performance of biometric systems:

  • The type of biometric system will impact user behavior and system performance. For instance, in a system that aims to verify a claim of enrollment, such as in the administration of government benefits, the individual is trying to produce a matching result. By contrast, in a system that aims to verify a claim (sometimes implicit) of nonenrollment, such as screening for inclusion on a watch list, the individual is trying to avoid a match.33

  • Human factors are critical for optimizing the capture performance of biometric techniques. Attention to system ergonomics that automatically adapt to human factors, such as a facial recognition camera that adjusts to differences in height and presentation, can make a system less intimidating and more natural for users and may significantly reduce enrollment error rates. It was suggested that systems that provide useful feedback to users and systems that incorporate touch screen technology rather than a keyboard enhance capture and enrollment performance.

  • Training is useful for system operators to understand system operations but should not be needed for users as the systems should be sufficiently intuitive. Some panelists noted that training did improve sample collection in deployed systems; others stressed that user training could have the opposite effect because it could teach a user who chooses to be noncompliant how to improperly enroll.

Participants noted that successfully deployed biometric applications tend to have the following characteristics:

  • The ability to select out individuals who cannot provide or have difficulty providing a good quality sample for a given modality.

  • Robustness to variation in the false rejection rate, given that some error is to be expected with a biometric system.

32   Findings from BIOVISION, a project sponsored by the European Commission to explore successful biometric deployments from a user and system integrator perspective.

33   Adversarial analysis is a hard problem to solve because real numbers for false reject and accept rates are difficult to obtain from adversaries who have successfully defeated a system. In addition, an adversary may purposely inflict an injury to create a legitimate problem of entering through a biometric system, requiring a secondary entry procedure.

  • Realistic system performance requirements with respect to the application and the technology, offering an effective improvement for the particular application at a reasonable cost.

Standards and Global Interoperability of Biometric Systems

To illustrate the importance of standards setting and the interoperability of systems, panelists highlighted early work in multibiometric standards formation and data collection as well as the results from a recent interoperability test.

For future integration of multibiometric systems, ISO/IEC’s Joint Technical Committee 1 Standards Committee 3734 has focused on defining multibiometric terminology to develop standardized approaches for assessing and improving multibiometric fusion.35 The terminology development process provided the background to break down the problem (see Box 2.4). It was suggested that if designed and implemented effectively, multibiometric approaches have the potential to improve biometric system performance—that is, to reduce the false acceptance rate (FAR), the false rejection rate (FRR), the failure to enroll (FTE) rate, and the failure to acquire (FTA) rate—and can be more resistant to spoofing.

However, participants noted that one challenge to research in multibiometric fusion techniques has been the limited supply of true multibiometric data (i.e., multibiometric data from the same human being). Typical studies have involved tens to several hundreds of individuals. In attempts to achieve large multibiometric data sets, some researchers have assumed that biometric samples from completely different modalities (e.g., face, fingerprint, iris) are fully uncorrelated. Based on this assumption, they may create a chimeric multibiometric data sample by combining a facial image from one individual, a fingerprint from another individual, and an iris image from another individual. To validate this assumption and evaluate multibiometric systems, NIST and TSA, at the time of the workshop, were planning a 2005 deployment of the Multimodal Biometric Accuracy Research Kiosk (MBARK) to collect face, fingerprint, and iris data from the same individuals.

The importance of independent testing was discussed, along with the remaining work to be done in the development of worldwide applications that will rely on biometric technology. A third-party test to evaluate the compliance of several commercial technologies with a secondary standard modeled after the draft ISO standard revealed poor performance and interoperability among the vendors that were tested. The test, conducted on seven different products and using biometric data gathered from volunteers from the intended user population,36 had three components: (1) conformance to the requirements of the standard; (2) performance of the system, consisting of a sensor and an algorithm each from different providers; and (3) the interoperability of the systems. When multiple sensors were tested against one algorithm, there were large (up to 40 percent) differences in performance among the biometric systems. Within the small test sample, only two sets of product combinations (each consisting of a distinct sensor and an algorithm) were interoperable

34   The technical report Multi-modal and Other Multi-biometric Fusion was issued by Working Group 2 of ISO/IEC JTC1 SC37 with support and technical contributions from the International Committee for Information Technology Standards (INCITS) M1 Technical Committee on Biometrics—Ad Hoc Group on Evaluating Multi-biometric Systems (AHGEMS).

35   Fusion has been implemented for many years in large automated fingerprint identification systems (AFISs) using multi-instance and multialgorithmic approaches.

36   The test sample of 125 was smaller than the anticipated 225 participants. Though it did not include any noncooperative users, it was drawn from the user population and was representative of some of the problems users of biometrics systems may confront.

and achieved the target FAR and FRR of 1 percent out of the 125 participants.37 Despite the few technologies that passed this independent evaluation, to be accepted in this arena, all future products must meet or exceed the performance and interoperability levels that have already been set.

BOX 2.4 Multibiometric Systems

Multibiometric systems comprise four distinct subcategories—multimodalities (e.g., finger, iris, face), multi-instances (e.g., right and left index fingers or multiple images of a face or scene), multisensors (e.g., optical, capacitive, and ultrasonic), and/or multialgorithms (different matchers)—that can be fused at four different levels: the decision level, the score level, the signal level, and the feature level. At the feature level, the biometric samples can be combined to create a feature space for processing in the matching (score) and decision levels.

Current fusion approaches occur at the score level, where scores assigned by each biometric channel are combined before the system issues a decision based on the score. To enhance score fusion, prior probabilities that approximate prior beliefs of experts can be taken into account and score normalization between matching algorithms can also be used to provide additional information when implementing a fusion scheme. Other fusion approaches that can be systematically applied to improve fusion accuracy and/or throughput include combination techniques such as summing rules and products or combining different classifiers, the use of layering or cascading logic when gathering and using multiple measures and sources of information, and simultaneous versus sequential sample presentation while capturing information.

SESSION 5: TECHNICAL AND POLICY ASPECTS OF INFORMATION SHARING AND COOPERATION

Panelists: William Casey, Patty Cogswell, Neal Latta, K.A. Taipale, and John Woodward

Moderator: Peter Higgins

In Session 5, panelists were asked to discuss a variety of issues related to biometric data sharing, including technical challenges as they relate to synchronicity and connectivity of data on the one hand and security and privacy of data on the other hand; policy considerations for sharing biometric data between agencies; and practical consideration of standards development and cross-jurisdictional cooperation. The following are some of the topics covered in this session:

  • Newly established and long-standing biometric data-sharing applications at the state, national, and international levels were described in the contexts of military defense, law enforcement, and immigration. Systems discussed included the Automated Biometric Identification System (ABIS), the Criminal Alien Identification System (CAIS), the Integrated Automated Fingerprint Identification System (IAFIS), and the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program.

37   The test involved one-to-one verification between a seafarer’s biometric and the two fingerprints stored on the ID card. A false accept scenario consisted of stealing the issued IDs and being a close enough match to another seafarer’s stored biometric. Problems posed by larger databases, such as the legitimacy of issued IDs and other matching problems, were not part of the test. For more information, see International Labour Organization, 2004, Seafarers Identity Documents Convention (Revised), 2003 (No. 185), ILO Seafarers’ Identity Documents, Biometric Testing Campaign Report. Part I. Geneva. Available online at <http://www.ilo.org/public/english/dialogue/sector/sectors/mariti/sid.pdf>.
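
The score-level fusion described in Box 2.4 (normalize each matcher's scores, combine them with a sum or product rule, then apply a decision threshold) can be made concrete with the Python example below, which is added here and is not part of the workshop summary. The score pairs, the thresholds and all function names are constructed for illustration.

```python
"""Score-level fusion of two biometric matchers on constructed data."""
from math import prod

# Constructed (fingerprint_score, iris_score) pairs, not real measurements.
# Assumption: the fingerprint matcher reports 0-100, the iris matcher 0-1.
GENUINE = [(80, 0.90), (70, 0.80), (30, 0.85), (75, 0.35), (60, 0.70)]
IMPOSTOR = [(20, 0.10), (10, 0.20), (55, 0.15), (25, 0.60), (15, 0.30)]


def minmax_params(samples):
    """Per-matcher (min, max) taken from a calibration set of score tuples."""
    params = []
    for column in zip(*samples):
        lo, hi = min(column), max(column)
        if hi == lo:
            raise ValueError("matcher produced a constant score; cannot normalize")
        params.append((lo, hi))
    return params


def normalize(sample, params):
    """Map each raw score to [0, 1]; clamp scores outside the calibration range."""
    return tuple(
        min(1.0, max(0.0, (score - lo) / (hi - lo)))
        for score, (lo, hi) in zip(sample, params)
    )


def sum_rule(scores):
    """Mean of the normalized scores: one weak channel is averaged out."""
    return sum(scores) / len(scores)


def product_rule(scores):
    """Product of the normalized scores: one weak channel drags the result down."""
    return prod(scores)


def single(index):
    """Baseline 'fusion' that looks at one matcher only."""
    return lambda scores: scores[index]


def error_rates(genuine, impostor, params, fuse, threshold):
    """Return (FAR, FRR), where a fused score >= threshold means 'accept'."""
    def accept(sample):
        return fuse(normalize(sample, params)) >= threshold

    far = sum(accept(s) for s in impostor) / len(impostor)
    frr = sum(not accept(s) for s in genuine) / len(genuine)
    return far, frr


# Simplification: calibrate on the same constructed scores that are evaluated.
# A real evaluation would calibrate on a separate training set.
PARAMS = minmax_params(GENUINE + IMPOSTOR)

if __name__ == "__main__":
    cases = [
        ("fingerprint only", single(0), 0.5),
        ("iris only", single(1), 0.5),
        ("sum rule", sum_rule, 0.5),
        ("product rule", product_rule, 0.5),
        ("product rule", product_rule, 0.2),
    ]
    for name, fuse, threshold in cases:
        far, frr = error_rates(GENUINE, IMPOSTOR, PARAMS, fuse, threshold)
        print(f"{name:17s} thr={threshold:.1f}  FAR={far:.1f}  FRR={frr:.1f}")
```

On this constructed set each single matcher makes one false accept and one false reject at threshold 0.5, while the sum rule separates all ten samples. The product rule needs a lower threshold to do the same, which shows that the decision threshold has to be set for the fusion rule in use.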

  • Technical and policy challenges related to information sharing among large-scale biometrics systems were addressed, including data integrity and procedural analysis, consolidation of biometric information, and integration of databases.

  • Broader policy challenges of biometric information sharing also were discussed, including (1) the importance of evaluating biometric systems based on their context, purpose, and the policies they serve; (2) establishing criteria to determine the usefulness of data for decision making; and (3) instituting careful procedures for maintaining and sharing digital records.

Automated Biometric Identification System

The Automated Biometric Identification System (ABIS), a new biometric identification system designed by the Department of Defense (DOD), was described as a system modeled after the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) (see Box 2.5) for the collection, storage, and sharing of overseas biometric data within the military and with other government organizations for counterterrorism purposes. A guiding concept for the system was described as “identity dominance,” or the use of biometrics to increase the level of confidence in the linkages between individuals and their previous identities, criminal histories, or terrorist activities in the United States and in other countries.38

The conceptual architecture of ABIS, similar to the information architecture of IAFIS, aims to integrate into one database information (in electronically searchable format) from operations and other sources that has been gathered by combatant commands (COCOMs). The collected biometric data would include 10 rolled fingerprints, mug shots, and a DNA sample. The DNA sample, it was noted, would be handled separately; fingerprints and mug shots would be stored in ABIS and searched against the ABIS database for possible matches. The fingerprints also would be shared with the FBI, according to information-sharing policies, and searched against the FBI’s IAFIS database to identify any matches with existing U.S. criminal records.

ABIS was described as a type of “biometric-based identity management service provider” in the situation where DOD determines if any samples match and sends those results to other national security organizations on a need-to-know basis. There is also general interest in developing procedures for sharing information with the Department of Homeland Security (DHS). Since becoming operational in the summer of 2004, ABIS has been used to identify individuals in Iraq as former detainees and as individuals with U.S. criminal histories.

Criminal Alien Identification System

As presented by one of the panelists, the Criminal Alien Identification System (CAIS) is a pilot biometric information-sharing system within the Boston Police Department that was developed to recognize foreign-born individuals illegally residing in the United States and to facilitate access to information about immigration violations.39 The panelist described the process as follows: When an individual is arrested on any charge, 10 rolled fingerprints, mug shots, and information on distinguishing features such as tattoos are entered and stored in CAIS. The same information is entered in the Massachusetts State Police Department’s Automated Fingerprint Identification System (AFIS), the FBI’s IAFIS (see Box 2.5), and, if necessary, shared with Immigration and Customs

38   Identity dominance is analogous in some ways to the concept of identity management discussed in Session 1.

39   Based on a study conducted by the Boston Police Department, 19 percent of its arrestees had immigration issues of varying seriousness.

Enforcement (ICE).40 These data are searched against the FBI’s IAFIS database, with responses generally returning in 15 to 20 minutes.41 If the arrestee was not born in the United States, the information is sent to ICE in Boston, which begins an investigation. For serious crimes, Interpol also has fingerprint search capability across multiple jurisdictions. The panelist also noted that the Boston Police Department audits department practices and issues sanctions for data misuse.

BOX 2.5 Integrated Automated Fingerprint Identification System

As described by several panelists, the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) criminal master file is a criminal law enforcement technical capability with a database consisting of over 48 million electronically searchable sets of fingerprints and corresponding criminal history information on individuals arrested in the United States for a felony or serious misdemeanor charge.1 The panelists highlighted some of the system capabilities that facilitate the linking of past criminal records across jurisdictions and contribute to a high degree of accuracy and effectiveness in biometric identification. IAFIS became operational in July 1999.

The panelists described the information entered into IAFIS during the criminal booking process as including 10 rolled fingerprints and a mug shot. They noted that the FBI receives around 25,000 criminal fingerprint submissions per day from law enforcement at the local, state, and federal level and around 25,000 civil requests from DHS, the Office of Personnel Management, school boards, etc. that are searched against IAFIS to determine if the individual has been involved in any previous criminal activities.2 Unlike the criminal transactions, the majority of the civil search transactions are not entered into the IAFIS repository.

As most information that is entered into the databases, including criminal bookings, investigations, and other operations and information3 comes from state and local police departments,4 the panelists emphasized the importance of the advisory policy process conducted by the FBI’s Criminal Justice Information Services (CJIS). The advisory policy board—consisting of local and state representatives—serves to advise the FBI on data management issues and has worked to develop standards, perform audits of state repositories, and issue sanctions for misuses of data.

1   In addition to storing criminal fingerprints in IAFIS, the panelists noted that military fingerprints are also stored in the database but are not searched routinely in criminal cases. Federal employees’ and police officers’ fingerprints also are enrolled in the database, but not all are in electronic form. Furthermore, IAFIS contains fingerprints for both living and deceased individuals (albeit with conservative criteria by which a set of prints may be marked as belonging to a deceased individual).

2   Law enforcement studies have found that 62 percent of arrestees have a previous criminal history.

3   The FBI is the repository of U.S. criminal data, including fingerprints, the Interstate Identification Index, national files for warrants, sex offenders, etc.

4   The Boston Police Department was the first agency to send fingerprints electronically to the FBI in 1995, an early implementation of an IAFIS function.

40   The information is also shared with the Commonwealth of Massachusetts Probation Department and the Suffolk County District Attorney.

41   The panelist indicated that since 2002, 62,000 arrests had been processed, including 8,153 flagged individuals. Among these were 43 with illegal reentries, 166 with outstanding warrants for removal, 51 with overstayed visa waivers, 207 in removal proceedings, 19 who had been granted relief or whose proceedings had been terminated, and 377 foreign juveniles.

United States Visitor and Immigrant Status Indicator Technology

As discussed in this session, the US-VISIT program42 centers on issues of immigration and border management during preentry, entry, status management, and exit procedures. In contrast to criminal law enforcement applications, US-VISIT aims to collect, maintain, and share information, including biometrics information, on foreign nationals to help determine who should be permitted to enter, who should be removed, and who should be provided special protection, such as refugees.43 One of the largest and busiest deployments,44 US-VISIT captures and stores a digital photograph and two electronically scanned fingerprints for each entrant.

The panelists noted that a core component of US-VISIT45 is the Biometric Identification System (IDENT) database of the Department of Homeland Security (DHS). The IDENT database, separate from the IAFIS database, comprises several databases, including the following:

  • The US-VISIT enrollment database containing biometric information and allowing verification of an individual’s records upon entry and exit.

  • A watch list and lookout database with information related to terrorists, wanted criminals, sexual offenders, immigration violators, and international fugitives, among other categories. This database is populated with information from the FBI, state or local authorities, DHS, the Department of State, and Interpol.

  • A recidivist database46 containing information (for example, the number of illegal border crossings) about previous DHS apprehensions that does not qualify for entry into the IAFIS or watch list databases.

42   The Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) Section 110 created the US-VISIT program in September 1996. Subsequent legislation expanding the program requirements includes the Data Management Improvement Act (DMIA) of 2000, the Visa Waiver Permanent Program Act in 2000, the USA Patriot Act and the Aviation Transportation Security Act in 2001, and the Enhanced Border Security and Visa Entry Reform Act in 2002. More recently, the Intelligence Reform and Terrorism Prevention Act in December 2004 added the requirement to expedite the addition of a biometric to the entry and exit system.

43   The panelists indicated that since the beginning of the US-VISIT program in January 2004, there have been 5,342 watch list hits, with a 1 percent error rate, out of more than 4.2 million visa applications. At entry, for travelers who are not entered in the systems, 2,375 watch list hits have resulted from the 18.9 million travelers processed. As for the identity verification of travelers, among those who had been previously enrolled, there have been 11,622 mismatches out of about 4.4 million one-to-one matches. For status management, 175,234 new watch list records have been generated, with 131 hits against entry records, 86 hits against visa records, 165 cases referred to ICE, and 4 arrests. Identity verification at the border has resulted in 11,600 false matches among the 4,369,569 one-to-one matches performed. The number of travelers processed through exit controls via an automated kiosk was 355,967, resulting in 54 watch list hits, with no stops or arrests. IDENT has made seven identifications. The panelists noted that all watch list matches, based on a threshold level set by NIST guidelines, go to secondary processing, where human examiners determine if the match is true, false, or a mismatch.

44   As of January 2004, US-VISIT was operational at 115 airports and 15 seaports; as of December 2004, coverage included 50 land border ports of entry, with the remaining 115 to be covered by December 2005.

45   US-VISIT includes the interfacing and integration of over 20 existing systems, including, among others, the Arrival Departure Information System (ADIS), storing traveler arrival and departure information; the Advance Passenger Information System (APIS), containing arrival and departure manifest information; Computer Linked Application Information Management System 3 (CLAIMS 3), holding information on foreign nationals who request benefits; the Student Exchange Visitor Information System (SEVIS), containing information on foreign students in the United States; and the Consular Consolidated Database (CCD), containing information about whether an individual holds a valid visa or has previously applied for a visa.

The US-VISIT process was described as follows: During the preentry phase, information on the visa applicant is captured at an overseas consulate and searched against the IDENT and watch list databases. At the point of entry, an individual is enrolled and a search is performed against only the watch list database. The response time for issuance of a visa at a consulate is, on average, approximately 15 minutes; at the point of entry, responses are returned in approximately 10 seconds.47

Other potential program capabilities include generating an exit record of visitors48 based on one-to-one verification and status management and maintaining an accurate record of changes in an individual’s residence eligibility (for example, marriage to a U.S. citizen) or ineligibility (for example, an expired visa or other immigration violation). The panelists explained that status management consisted of checking IAFIS records (including the new criminal records, which are updated every 24 hours) and the 1.8-million-entry watch list database against the 14-million-entry US-VISIT database to identify new watch list records and to pursue investigations.

Requirements for the future evolution of US-VISIT include biometric comparison and travel document authentication for both U.S.-issued travel documents to permanent residents, such as refugees, and visa-waiver program passports issued by other countries.49 A privacy protection program for US-VISIT was also discussed that included information use rules and notification requirements, redress policies to request corrections of errors, and privacy impact and privacy risk assessments. There is ongoing work to develop information-sharing models with other governments, such as the Enhancing International Travel Security program, intended to enable governments to validate “good” people, not just to identify the “bad.”

Policy Challenges Related to Large-Scale Systems

Technical and policy challenges raised by information sharing among large-scale biometrics systems were also discussed. Such challenges include maintaining data integrity, consolidation of biometric information, and integration of databases. Participants also underscored the importance of clearly defining the purpose of a system before adding new requirements to the existing system.

The panelists indicated that ensuring that military and civilian agencies are collecting data to the necessary technical standards would require the development of policy to determine that the data are being collected uniformly and by high-quality, sufficiently trained staff using proper equipment. Panelists also stressed the need to improve the quality of information transmission to facilitate decision making. However, improvements to the analysis procedure also require other organizations to perform intelligence link analysis50 quickly, which is often difficult given the different missions of the different agencies. For instance, the US-VISIT program operates under certain efficiency constraints, given the need to manage the flow of travelers quickly. When individuals are held in custody suspected of wrongdoing, such as occurs in law enforcement and military operations, more time may be available to return results. Participants noted that the Defense Science Board is

46   The recidivist database, which began in 1994, is the original biometric foundation of US-VISIT and has grown with the addition of the biometric enrollment database.

47   Currently, more than 25,000 people a day are biometrically checked as part of the visa process. Since January 2004, there have been more than 4 million visa applications. At entry, approximately 75,000 people a day are run through the US-VISIT system.

48   The panelists noted that the exit record may also be used for identification against watch lists, but it will not be used to enable enrollment.

49   One factor that could delay the implementation of these requirements is the current difficulty most visa waiver countries are experiencing to meet the deadline and the inability of the United States to acquire readers for these passports.

50   Intelligence link analysis refers to the process of associating other pieces of data with the biometric match.

beginning to address improvements in the communication of results from the biometric information captured and stored in different agency databases.

The panelists suggested that the greatest challenges in integrating databases were not only the differences in the number of samples (e.g., prints) collected, the time constraints, and conditions of the facilities51 but also the different contexts in which the information is collected. For instance, IDENT/US-VISIT is generally used in a context where people have incentives to tell the truth and describe their real identities; IAFIS is not. Additionally, individuals in the US-VISIT database are not usually in IAFIS, because they are not likely to have been charged with a crime in the United States.

As the information that a system collects will depend on its intended use, some participants stressed that it is important to clearly identify the problems that the system intends to address before the collection of biometric information is consolidated across government agencies. For instance, the information DHS collects regarding the entry of a foreigner is not necessarily related to the threat that individual poses to a plane, a separate area in which DHS also collects information. Panelists suggested that existing problems should be defined and the best technology should be selected before missions change or are expanded.

Broader Technical and Policy Challenges Related to Biometric Information-Sharing Systems

In examining the broader goals for and challenges of biometrics systems, the importance of evaluating such systems with respect to their purposes and context was stressed, along with the need for policies to establish appropriate error rate goals or thresholds, facilitate the identification of potential sources of error, and promote a better understanding of what improvements biometric systems offer over existing security, access control, and other systems (see Session 3). Furthermore, it was suggested that the scope of the difficult policy problems that should be addressed extends beyond issues of biometric technology and system accuracy to considerations of the usefulness of the data for decision making and to policies for maintaining and sharing digital records.

There was a discussion on the adequate alignment of policy and technological capabilities. Not only is it economically infeasible from a technology and policy perspective to have an error rate of zero, but also such an error rate requirement would imply that no risk assumptions need be considered in designing policy. As both systems and policies must be designed to accommodate failure, it was suggested that redundancies and error handling procedures should be created for both. Additionally, the interaction between the technology—a tool for a particular purpose—and the system must be considered, because the technology choice may also have policy implications. For instance, when liveliness is being screened for (to ensure that the biometric information being detected comes from a living human being), it may be easier for an attacker to emulate liveliness than to defeat or circumvent nonliveliness detection. Given the tight coupling between the technology selection and policy goals, it was suggested that the explicit biometric technology designations in recent legislation might be too specific for Congress to mandate effectively.

In addition to the potential sources of error previously identified in the workshop (see Session 1), it was suggested that human factors should also be considered in addressing insider threats. By some measures, 70 percent of IT system breaches or compromises are reportedly attributable to insider threats. All systems are subject to both intentional and unintentional errors. Participants discussed the

51   It was noted that military field facilities for capturing biometrics differ significantly from those for law enforcement booking and DHS. Currently, the National Institute of Justice has an initiative to design equipment capable of taking 10 high-quality rolled fingerprints accurately in 10 seconds.

trade-offs between secrecy and security: When is openness necessary (for example, in terms of algorithms or error rates) to achieve a robust system, and when is secrecy a better strategy?52

It was emphasized that understanding the intended purpose of a biometric system—be it security, “security theater,” or social control—is necessary to properly appraise the system’s effectiveness. Security theater (for example, requiring display of a driver’s license to enter a building, or removal of shoes before entering an airport boarding area) provides little real security protection but may have social value by allowing people to feel more secure. On the other hand, while improving the document security and issuance processes for driver licenses might be worthwhile, there is a need to clarify the purpose of such measures and to carefully distinguish between measures aimed at increased social control and measures aimed at counterterrorism or national security. For instance, the proposed provision of the Real ID Act that requires states to issue drivers’ licenses only against proof of legal U.S. residence may begin to address issues of illegal immigration. However, it also may exclude a significant portion of the population from the driver’s license system and from any identification systems based on drivers’ licenses, preventing the identification of such individuals after the fact. One consequence of this may be to increase the size of the suspect pool that law enforcement and national security resources must be devoted to.

Several participants emphasized that biometrics may improve identification procedures but are not a panacea. Different types of identification have different characteristics, and determining which type is appropriate will depend on the application. Verification of a claim of enrollment, for instance, stands in contrast to identification of a person without an enrollment claim. The former, verification of an enrollment claim, serves to verify the individual identity, often with the subject retaining control over his or her own information. In the latter, identification without an enrollment claim, additional data are attributed and tied to an individual based on biometric identifiers, with third parties generally controlling data attribution and reputation of the subject.53

With respect to limiting identity theft, it was suggested that claim verification, where individuals have an incentive to control their reputation, might be more useful than a system in which biometrics are aggregated in a database and later sold, which would not be much better than current processes that aggregate and sell SSNs. With respect to security screening, when attempting identification absent a claim, there are concerns not only about the accuracy of the biometric identifier but also about the usefulness of data that are linked to an identity and used by the system for decision making.54 If a watch list is being employed, the integrity and usefulness of the data (and by extension the list itself) will depend on the criteria for inclusion on the watch list, on who has responsibility for different segments of a presumably integrated list, and on policy limits that prevent the inclusion of minor offenses that might dilute the data.55

Various issues related to information sharing were identified, including clarifying the role of privacy and the differences between the rules for preemption and counterterrorism and those for due process in criminal prosecutions. Several principles for information sharing and biometric system use were offered, including these:

52   For a recent take on this issue, see Peter Swire, 2004, “A model for when disclosure helps security: What is different about computer and network security?” Journal on Telecommunications and High Technology Law, Vol. 2. Available online at <http://ssrn.com/abstract=531782>.

53   Participants suggested that clear policy rules and mechanisms are needed for managing reputation elements and more general data in systems, for matching systems to needs, and for addressing data issues such as transience (or how long information should be maintained) and error correction.

54   The panelist suggested that data mining presents the reverse problem, as data are used to try to reveal the legal identity; biometric systems begin with the identity to try to reveal the data.

55   For an overview of problems that can arise with watch lists, see K.A. Taipale, 2004, “Public safety vs. personal privacy: The case for and against secure flight,” presented at the InfoSecurity 2004 conference in New York on December 8. Available online at <http://www.stilwell.org/presentations/CAS-InfoSec2004.pdf>.

  • Make clear the purpose of the system and how potential intrusion on rights is balanced with functional requirements.

  • Identify alternatives and choose less intrusive means to accomplish the objective once the technology has been selected.

  • Ensure the ability to correct errors in the system.

  • Design system policies that appropriately consider the consequences of different system errors (for example, the consequence of someone gaining access to an airplane versus the consequence of someone’s flawed prosecution and wrongful incarceration).

It was emphasized that the lack of clear policies and rules creates problems, particularly because preemptive counterterrorist actions take place in a context that presumes the innocence of foreign travelers and U.S. citizens.

Several principles were offered for biometric system use. First, do no harm. Understand the system design and features that are necessary for the policy purpose. For instance, do not build systems that center on identification rather than security if the rationale for the system is security. Second, limit the harm. Include only those features that are necessary to support the system purpose and process. Third, be aware of unintended consequences (see Session 3). Consider when transaction records are necessary, when they are not, and when records should expire.

Additionally, it was suggested that technical systems should include “policy appliances,” or mechanisms that (1) permit an intervention point for human beings to make a decision to control data sharing and (2) provide a technical means for carrying it out, which can be adjusted depending on the particular application, threat level, etc.
