E
The Biometrics Standards Landscape

Since September 11, 2001, there has been increased interest in using biometrics for national security purposes, some of which have been codified in legislation, including the Enhanced Border Security and Visa Entry Reform Act of 20021 and the PATRIOT Act of 2001.2 As a result, biometric standards activities, previously largely limited to the forensics community, have been accelerated through national and international standards bodies. To speed up development of standards, NIST helped to establish a national standards body and requested the formation of an international standards body, both of which aim to increase the development and deployment of national and international biometrics standards for a variety of applications.

The following sections outline the main biometrics standards bodies, discuss some specific standards, and describe some of the challenges facing the processes. As with standards in other technologies, biometric standards face tension between being flexible enough to enable innovation while sufficiently prescriptive and detailed to allow interoperability and useful comparison of technologies and their capabilities.

1

PL 107-173.

2

PL 107-56.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 159
E The Biometrics Standards Landscape Since September 11, 2001, there has been increased interest in using biometrics for national security purposes, some of which have been codi - fied in legislation, including the Enhanced Border Security and Visa Entry Reform Act of 20021 and the PATRIOT Act of 2001.2 As a result, biometric standards activities, previously largely limited to the forensics commu- nity, have been accelerated through national and international standards bodies. To speed up development of standards, NIST helped to establish a national standards body and requested the formation of an interna- tional standards body, both of which aim to increase the development and deployment of national and international biometrics standards for a variety of applications. The following sections outline the main biometrics standards bod - ies, discuss some specific standards, and describe some of the challenges facing the processes. As with standards in other technologies, biometric standards face tension between being flexible enough to enable innova - tion while sufficiently prescriptive and detailed to allow interoperability and useful comparison of technologies and their capabilities. 1 PL 107-173. 2 PL 107-56. 

OCR for page 159
0 BIOMETRIC RECOGNITION STANDARDS BODIES To facilitate standards work at the international level, ISO/IEU JTC 1/SC 37 was established in June 2002 at the request of the United States, which is represented within SC37 by the International Committee for Information Technology Standards, M1 technical committee on biomet - rics (INCITS M1). This body coordinates the development of biometric standards based on consensus development with the industrial, academic, and government communities. Within SC 37, there are six areas of focus: (1) vocabulary and concept harmonization; (2) biometrics data transfer; (3) data format standards for interoperability; (4) standard specific appli - cation profiles; (5) performance testing and reporting; and (6) cross-juris - dictional (legal and social) aspects for nongovernmental applications of biometrics.3 INCITS M1 participates in five of these six working groups. Development of security standards for biometrics is specifically outside the remit of SC37 but is included in the work of SC27. Other international standards bodies include the International Telecommunication Union (ITU-T) and the International Civil Aviation Organization (ICAO). Spe- cific work is also being carried out by specialized international groups including OASIS and the Open Group. Nationally, the American National Standards Institute (ANSI) coor- dinates voluntary standardization and conformity assessments in the United States, approves the creation of all national and international stan- dards, and may also implement any changes to the standards as well. MAJOR STANDARDS Standards aim to establish generic sets of rules for different products and to facilitate interoperability, data exchange, consistency of use, and other desirable features. One outcome of standards development is to achieve stability and consistency of biometric technologies and products that benefit consumers and investors. In the past decade, over 20 major international standards have been developed and approved, including the following: • BioAPI, to enable hardware interoperability while retaining previ- ous data, • Fingerprint minutiae 19794-2, • Fingerprint image 19794-4, • Face image 19794-5, 3 The work of WG6 was limited to nongovernmental applications at the request of INCITS M1.

OCR for page 159
 APPENDIX E • Iris image 19794-6, • Hand geometry image 19794-10, and • Testing and reporting fundamentals 19795-1. ANSI has approved multiple national standards for the exchange of biometric data, two biometric application profiles, two biometric inter- face standards, and the Common Biometric Exchange Formats Frame- work. These standards are generally closely related to corresponding international standards, either serving as input to the creation of the corresponding international standard or simply repeating an established international standard. Application tensions can arise when the ANSI standard and the corresponding international standard have significant differences. The National Science and Technology Council Subcommittee on Biometrics and Identity Management released the report “Registry of USG-Recommended Biometric Standards Version 1.0” on June 5, 2008, clarifying which parts of which standards should be used for U.S. govern- ment applications. Two other standards are described below as examples of the challenges and complexities that can arise in the development of biometric standards. Standard for the Interchange of Biometric Data For the past 25 years the FBI and NIST have successfully developed and updated a standard for the exchange of fingerprint information. This standard is officially titled Information Technology: American National Stan- dard for Information Systems—Data Format for the Interchange of Fingerprint, Facial, & Other Biometric Information—Part  NIST Special Publication 00-  ANSI/NIST-ITL -00. That standard has recently been updated to XML format to reflect the emerging needs of the defense and intelligence communities and defines about 20 record types for use in exchanging biometric information (faces, fingers, palms, latent prints, and irises) and related biographic and event data (e.g., date and time of enrollment). It has been one of the most successful and widely used biometrics stan - dards. Criminal justice, border control, national identity, and social ben - efits programs all over the world have adopted the ANSI/NIST standard for the exchange of fingerprint images for their electronic fingerprint- based transactions. This standard permits communities of interest, known as domains, to implement those portions of the standard that are relevant to their needs. For instance, the FBI’s implementation, known as the Electronic Biometric Transmissions Specification, or EBTS, permits local, state, and federal agencies and departments to electronically exchange biometric and biographic information across various criminal-justice-oriented net -

OCR for page 159
 BIOMETRIC RECOGNITION works, independent of the source (vendor) of the equipment used. When the FBI first issued the EFTS4 in 1994, it selected Type 4 high-resolution gray-scale images and stated that they would not accept Types 3, 5, or 6 fingerprint images. As a result, those record types are not used in any large-scale fingerprint automation projects. After producing the EFTS the FBI next focused on image quality stan- dards. Fingerprint image quality is the dominant factor in the AFIS ability to match fingerprints. The FBI added an Appendix F to the EFTS to specify image quality specifications (IQS) for capture devices and printers. This IQS standard is also used worldwide in procurement of live scan devices, fingerprint card scanners, and printers. Each domain (e.g., Interpol) has its own implementation document that specifies which records and which demographic data fields it will accept. These implementation documents normally show their relationship to the FBI’s EFTS to include the IQS. NIST developed an automated tool to rate the quality of fingerprint images. In October 2004 NIST released an updated version of this suite of tools for handling digital fingerprint images. NIST Fingerprint Image Software 2 was developed by NIST’s Image Group for the FBI and DHS and is available free to U.S. law enforcement agencies as well as to manu - facturers and researchers of biometric systems. New to this release is a tool that evaluates the quality of a fingerprint scan at the time it is made. Problems such as dry skin, the size of the fingers, and the quality and condition of the equipment used can affect the quality of a print and its ability to be matched with other prints. The tool rates each scan on a scale from 1 for a high-quality print to 5 for an unusable one. NIST also worked with the FBI to develop fingerprint data compres - sion standards acceptable to the latent print examination community. This compression standard, known as Wavelet Scalar Quantization (WSQ), is widely used in both forensic and civil AFIS systems, although newer systems seem to be migrating to use of JPEG-2000 for the compression of fingerprints. It is important to note that the 10-fingerprint images are compressed for transmission and storage while the latent print images are never compressed. The FBI works with industry to permit vendors to self-assess prod - ucts in order to place the products on the FBI certified products list. The self-certification reports are evaluated by FBI personnel supported by MITRE Corporation experts. Products on the list are typically certified as meeting Appendix F IQS with specific software drivers and operating system releases. This is a case of a particular project or system, IAFIS, requiring a stan - 4 Electronic fingerprint transmission specification (EFTS) is the predecessor of the current EBTS. The EBTS expands upon the EFTS to include additional biometric modalities.

OCR for page 159
 APPENDIX E dard and driving the development and implementation. Most of the other standards activity in the biometrics arena is driven not by a project but by a more general sense of a need for interoperability and a level playing field for technology providers. Fingerprint Minutiae Exchange Standard One area where there is a big push to develop and implement an extension to the ANSI/NIST standard for fingerprint exchange is the exchange of certain types of minutiae (or features) records rather than images. While the standard as written permits the exchange of minutiae in lieu of images, the minutiae defined in the standard are not as useful for processing across different vendor environments, from an algorithmic perspective, as permitting a vendor to receive an image and extract their proprietary minutiae set.5 The ANSI/NIST standard currently supports at least eight vendor minutiae sets, per Table 15 of the standard. The reasons for the push in this direction are twofold. First, when agencies exchange fingerprints for searching rather than retention, fin - gerprint minutiae can be transmitted and searched much more rapidly than fingerprint images. Second, when verifying the identity of a person presenting a personal identity verification (PIV) card, it would be time- consuming to extract the fingerprint image from the PIV card’s chip and extract the features each time the card is used. Storing a common, interop- erable set of minutiae on the card was selected to reduce transaction time considerably. The standard selected for storing templates on PIV cards is ANSI/INCITS 378. Benchmarking is a form of testing often used in large-scale AFIS and Automated Biometric Identification Systems (ABIS)6 source selection. In the 1980s there was an ANSI/IAI standard for Benchmarking AFIS Sys- tems,7 but when the time came to update the standard a decision was made to not update it; as a result, in conformance with ANSI process rules, the standard was allowed to fade away. 5A new standard for fingerprints that includes extended features is available at http:// fingerprint.nist.gov/standard/cdeffs/Docs/CDEFFS_DraftStd_v03_Final.pdf. A recent paper shows there is a strong performance gain in using extended features for latent finger- print matching. See Anil K. Jain and Jianjiang Feng, Latent fingerprint matching, IEEE Transactions on Pattern Analysis and Machine Intelligence, February 25 (2010). IEEE Computer Society Digital Library, IEEE Computer Society, available at http://doi.ieeecomputersociety. org/10.1109/TPAMI.2010.59. 6Automated Biometric Identification Systems are modeled on the function of AFIS systems but are not tied to finger imaging modalities and are often multimodal. 7American National Standard for forensic identification—automated fingerprint identifica- tion systems—benchmark tests of relative performance [ANSI/IAI 1-1988].

OCR for page 159
 BIOMETRIC RECOGNITION One trend in large-scale AFIS benchmarking is to perform three sets of tests that are described below. This approach is becoming an ad hoc standard for large-scale AFIS benchmarking: • Operational demonstrations, • Lights-out performance, and • Best practices performance. Operational demonstrations are intended to evaluate user interfaces, compression rates, scanner flexibility, end-to-end workflows, report gen - eration, and administrative tasks. Lights-out testing measures the perfor- mance of the underlying biometric matchers for fingerprints, palm prints, and latent impressions with no human intervention other than feeding scanners and “lassoing” latent impressions within an image. Best prac- tices performance testing measures the performance of the underlying biometric matchers for fingerprints, palm prints, and latent impressions, with fingerprint personnel permitted to perform quality control steps such as sequence correction and editing of low-quality images. Another trend in benchmarking large-scale matcher systems that will be servicing larger systems is to bring the algorithms in house and run them under very controlled conditions against millions of records. CHALLENGES IN THE BIOMETRIC STANDARDS ARENA Despite the growing interest in and increasing approval of adopting biometric standards, a variety of challenges remain. So-called patent ambush is one such challenge. It involves embed - ding a company’s proprietary information in a standard and revealing the information only after the standard has been approved by a standards body, with the intention to exclude some companies from using the stan - dard or to extract higher royalties from other companies that use the stan- dard. Although proprietary information may become part of the standard, companies are required to formally disclose such information. However, the standards process should also uncover instances of patented tech - nology as a proposed standard proceeds through review and approval phases. Instances of patent ambush have occurred in other technology industries8 and are the subject of litigation in the area of biometrics. As the standards process is designed to enhance the competitive- ness of biometrics markets, many biometrics companies want to develop 8 See,for instance, a discussion of patent ambush in telecommunications standards, avail - able at http://www.lawdit.co.uk/reading_room/room/view_article.asp?name=../articles/ EC%20Closes.htm.

OCR for page 159
 APPENDIX E their own standard rather than pay royalties to use another company’s approved standard. This is not unique to biometrics by any means but often results in international standards bodies granting standards to the companies that propose them. A related challenge is that standards inevitably involve compromises and thus end up as a lowest common denominator among the various companies offering competing commer- cial biometric products. Evaluation and testing might then require more than mere standards compliance. NIST, for example, has conducted per- formance tests at a level that surpasses the standards that have been estab - lished by the international standards body. Two tests that have included additional criteria by NIST include the facial recognition challenge 2006 test and the MINEX 2006 test, which aim to enable interoperability of fingerprints at the minutiae level. Interoperability presents its own problem in the standards arena. What is an appropriate or useful level of interoperability? How can we arrive at a shared definition? These issues have been addressed by the international standards community,9 but work remains to be done. A related problem of interoperability is the tendency to decrease overall performance as the standard seeks the lowest common factors among the interoperating technologies. Multimodal biometrics fusion (MBF) can add more complexity to the standards process. MBF is the combining of more than one biometric modality, such as combining a fingerprint with an iris scan. (See Chapter 2 for more details.) Establishing standards for multimodal biometrics presents additional challenges, given the difficul - ties of establishing interoperability among unimodal biometrics. Many of these issues have been discussed in ISO/IEC documents.10 9 Information technology—Biometric performance testing and reporting—Part 4: Inter- operability performance testing, ISO/IEC 19795-4:2008. 10 Information technology—Biometrics—Multimodal and other multibiometric fusion, ISO/IEC Technical Report 24722:2007.

OCR for page 159