National Academies Press: OpenBook

Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems (2006)

Chapter: 2 Summary of Panel Sessions and Presentations

« Previous: 1 Overview of Workshop Discussions
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

2
Summary of Panel Sessions and Presentations

SESSION 1: SCIENTIFIC AND TECHNICAL CHALLENGES FOR BIOMETRIC TECHNOLOGIES AND SYSTEMS, INCLUDING SYSTEM INTEGRATION, ARCHITECTURE, AND CONTEXTS OF USE

Panelists: Jean-Christophe Fondeur, James Matey, Sharath Pankanti, Jonathon Phillips, and David Scott

Moderator: Anil Jain

In Session 1, participants from industry, government, and academic research centers discussed the state of the art of biometric systems, the current bottlenecks, and areas where performance could be improved. Among the different types of biometrics, three were highlighted by the panelists—fingerprint, iris, and face—as being those accepted by the International Civil Aviation Organization for use in border-crossing documents.1 All panelists agreed that biometric systems cannot be made perfect—that is, the focus should be on how to evaluate and reduce, rather than eliminate, error rates. The challenges relevant in varying degrees to all biometric systems were grouped in three categories by the panelists, with primary emphasis during this discussion given to the first category of challenges.

  • Improving the accuracy of biometric technologies and related performance evaluations through research on sensor resolution and ergonomics, algorithms and techniques for biometric fusion, characteristics of biometric feature spaces, and scientific methods to better quantify biometric systems’ performance under realistic conditions.

  • Systematically and thoughtfully integrating biometric systems with other security systems.

  • Promoting interoperability of biometric systems, especially internationally, through a framework of standards, test methodologies, and independent evaluations.

Underlying many of the scientific and technical challenges for biometric technologies and systems is the need to reduce the error and variability that can be introduced at various stages. The

1  

While these particular types of biometrics were highlighted by these panelists, there are scientific and technical challenges across a range of biometrics, including non-image-based measures such as voice recognition. The committee’s final report will aim to incorporate and extend the discussions at this workshop and to include biometric measures and systems that were not specifically mentioned at this event.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

sources of error begin with insufficient distinguishing detail in the biometric identifiers themselves (such as faint fingerprint ridges) and extend to variability in their presentations to a sensing instrument (which, depending on what is being measured and how, may result from injury, changing lighting conditions, or the aging process). The capture of the biometric identifiers by the sensors is affected both by the human interaction with the sensor (such as assisted vs. nonassisted sample capture and cooperative vs. noncooperative system users) and by the precision of the acquisition device itself. The quality of the information extracted from the sensor and used in the subsequent matching process can vary as well. The metric used in the matching process to measure similarities may be faulty or lack sufficient information to determine a match or a mismatch. Furthermore, to understand how the various stages of the data acquisition and processing sequence affect the end performance of the biometric system and how they can be improved, each stage needs to be modeled independently as well as in different system architectures.

Biometrics and Accuracy

To increase the information captured by the biometric system and to facilitate matching, including the ability to discriminate between genuine and imposter matches, participants suggested that sensor improvements could involve higher resolution and a higher signal-to-noise ratio (SNR). In addition, sensors that collect multiple biometrics within one device or system may offer improvements with respect to a range of characteristics such as accuracy and efficiency and accommodation of a broader population. Current research in this area aims to make multiple low-resolution images from video surveillance systems usable for facial recognition. An example was given of a system that uses several different cameras to track the location of a person in a room, with one of the cameras controlled by the location of the person’s head. Such a system can log all the people who have been in a room and capture the frontal images that are best suited to facial recognition at higher resolution.

Given that users of biometric systems may not be familiar with the technology, the ergonomics of the sensor and associated data capture hardware may affect the biometric information that is collected. To improve results, some participants suggested that user interaction must be either intuitive or minimized to the point that there is little, or no, interaction with the acquisition device. The prototype discussed at the workshop for on-the-move iris recognition allows iris images to be captured while the individual is walking past the sensor. This approach aims to minimize the acquisition constraints by expanding the standoff distance, or the distance of the acquisition system and the camera illumination from the subject, and the capture volume, or the area in which the biometric may be captured within a particular length of time.2 However, additional improvements in algorithms will be required to further minimize these constraints as well as reduce orientation requirements that currently require a direct gaze into the camera.

Continued algorithm development and better fusion of biometrics will generate more information to aid in the matching process. Though algorithms are continuing to improve and to process more information, additional research will be needed in coping with the variability of information over time—a consequence of the human aging process—especially for the processing of children and particularly for new biometric modes, such as three-dimensional facial recognition. For biometric fusion, panelists suggested potentially good combinations, such as face and finger, finger

2  

The performance of the off-the-shelf iris recognition system described at the workshop, the LG-3000, includes a standoff of 10 cm, a capture volume of 0.04 liters, or 2 cm * 2 cm * 10 cm, within 3-10 seconds, and requires stationary use. In contrast, the on-the-move iris recognition prototype increases the camera standoff to 3 m and illumination by 1 m, capture volume expands to 10 liters, or 60 cm * 30 cm * 5 cm, within 0.05 seconds, and permits a walking speed of 1 m per second.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

and iris, and face and iris. Research in this area also includes mosaicking templates3 that allow for the integration of multiple acquisitions of a biometric to enhance its representation.

In addition to improving the collection, processing, and integration of biometric information, panelists also underscored the importance of understanding more about biometrics feature spaces, including determining how many independent dimensions there are for each unimodal biometric, how many are required to determine distinctness, and variation in feature space dimensionality across different biometric modes. Biostatistical tools and processes could also be helpful in determining the effectiveness of dimensions in creating and using representative but smaller test populations and in understanding changes in biometric identifiers over time.

Biometrics and Performance

Though many panelists believed that the performance issues surrounding biometric technologies are tractable, they agreed that resolving these issues will require a systems approach rather than a focus on individual sensors and recognition algorithms. This approach calls for collaboration by those involved with different stages of a biometric application and the integration of modalities, sensors, and application subcontexts—for example, the integration of liveliness detection with signal quality assessment—to promote better system decisions. In general, effective system integration was considered to be necessary for improving accuracy and performance.

To evaluate and to compare the current accuracy and improvements in accuracy of biometric systems, a more scientific approach to biometric performance research was suggested. Participants recognized the progression of biometric research, from the early approach of selective performance tests to the recent use of more robust approaches to technology evaluation, which can aid in organizing and comparing the results of the system under evaluation.4 But some panelists stressed the importance of more systematic research. Additional progress could be made by the more systematic use of control groups (for example, testing a new algorithm against a control algorithm), by establishing confidence intervals to indicate statistical significance to achieve better consistency across studies,5 and by aiming for repeatability of studies to verify performance improvements through independent evaluations. Various suggestions that were offered to develop a research agenda are described in Box 2.1.

Biometrics and Security

The panelists agreed that biometrics should not stand alone in security practices but should be systematically and thoughtfully integrated with other security features. Noting that a biometric (for example, a fingerprint or an iris pattern) itself is not secret, panelists observed that it is necessary to consider its integration with other security mechanisms such as encryption and/or smart cards. Integrity mechanisms employing encryption, for example, are required to provide continuity of authentication for the duration of a session, something that biometrics alone cannot provide for this sort of application. One suggestion was to pursue a holistic approach for integrating biometrics into a

3  

Anil K. Jain and Arun Ross, 2002, “Fingerprint mosaicking,” Proceedings of IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), Orlando, Fla., May 13-17.

4  

Some formal technology evaluations conducted by the National Institute of Standards and Technology (NIST), for example, include the Face Recognition Grand Challenge (FRGC), the Iris Challenge Evaluation (ICE), the Speaker Recognition Evaluation (SRE), and the Minutiae Operability Exchange Test (MINEX04).

5  

This would be helpful when replicating experiments with different data sets and to verify the correctness of testing methodologies.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

BOX 2.1
Suggestions for Improving Biometrics Research Endeavors

Various suggestions were offered to improve biometrics research:

  • Improve the consistency of review policies by using a peer-review process (such as is used for journals) to facilitate repeatability, documentation of experiments, and executability.

  • Provide access to large data sets and different types of data, such as multimodal data, to measure performance improvements and find ways to increase the amount of data used in biometric performance studies.1

  • Develop challenge problems to guide academic research and to create a baseline for comparisons and independent evaluations.

  • Increase the documentation of government-funded and -proposed research (see Session 2 for additional discussion).

1  

It was also noted that studies outlining new performance techniques may not require data for testing until later stages.

security system and to consider employing techniques like the Common Criteria certification approach. 6

Biometrics and Interoperability

An international framework to support the worldwide interoperability of biometrics requires the creation of standards, test methodologies, and independent evaluations. Interoperability challenges described during the workshop include identity documents issued in one country using the system of a particular vendor, which must be accessible in other countries using different systems of different vendors. Standards are needed to facilitate this interchangeability, but it was noted that they will not solve all the problems, because they often involve compromises among the different and sometimes competing interest groups that are involved in any given standards process. Incompatibilities in the interpretation of standards require evaluation tests to be conducted. In addition, it was suggested that many operational pilot programs should also include interoperability testing in multiple countries to verify that systems will be compatible (see Session 4 for more discussion).

SESSION 2: MEASUREMENT, STATISTICS, TESTING, AND EVALUATION

Panelists: George Doddington, Michele Freadman, Patrick Grother, Austin Hicklin, and Nell Sedransk

Moderator: Joseph Campbell

Session 2 explored issues surrounding the measurement, statistics, testing, and evaluation of biometrics and biometric systems. It should be noted that statistical analysis in the context of biometric systems is employed for a range of purposes, including assessments of the underlying

6  

For more information, see <http://csrc.nist.gov/cc/>.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

technology, analysis of user behavior, data mining, and so on. Indeed, such issues were discussed throughout the workshop in several different contexts. Questions raised for this panel included these: Do biometric systems work? What is meant by “work” in the context of a biometrics system? What is being measured, tested, and evaluated, and how can confidence in the experiments be created? The panelists presented a range of perspectives on these issues, from broad explorations of the nature of experimentation and representative populations to discussions of specific evaluation regimens and real-world deployment at a major international airport (see Box 2.2). Several overarching themes arose:

  • Evaluating biometric systems serves three purposes: to guide and support research and development, to assess the readiness of a system for deployment, and to monitor performance of a system in the field.

  • As in many other domains, appropriate experimental design and solid statistical underpinnings are needed to produce effective testing and evaluation regimes. There is no one-size-fits-all solution, given the range of types of systems that are deployed.

  • Data and data selection choices, which include understanding the reference and expected user populations, can have a large impact on the accuracy and effectiveness of testing and evaluation.

BOX 2.2
Early Biometrics System Deployment at an Airport

One panelist described the evaluation of different biometric technologies for several operational deployments, as well as the design of a future biometric system for controlling access to Boston’s air transportation system. At the time of this workshop the biometric systems deployed by Massport, the responsible government agency, included an ultrasonic fingerprint reader at the regional airport and hand geometry readers in the administration building. The planned system for Logan airport, soon to be deployed, takes a layered approach, following Secure Identification Display Area (SIDA) procedures, and uses a proximity card, a personal identification number (PIN), and a fingerprint reader. The panelist emphasized the importance of examining an organization’s expectations of a biometric system and what such a system could accomplish, in particular recognizing that biometrics alone would not solve security concerns, and stressed the importance of initial enrollments and the need to educate both enrollment administrators and system users to acquire high-quality enrollments. Educating employees was also critical to gaining acceptance for the technology. To promote the success of the Massport system, the importance of addressing concerns about the technology as they arose was noted. A general plan was also proactively put in place, increasing administrative staff to assist with any problems or issues that might arise during the initial deployment period.

Purpose and Goals of Evaluation

Biometric technologies and systems are commonly used for security purposes and for the sake of convenience. One application of biometrics is to gain a privilege (for example, access to buildings or other resources). Another class of biometric applications is forensics and intelligence gathering—specifically, the use of biometrics to validate the identity of a person who does not want to be identified. Both classes of applications should be kept in mind when exploring testing and

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

evaluation approaches. For both, the major challenge is obtaining a biometric trait sufficiently distinctive to determine differences between people in the face of measurement variability across multiple presentations of the user to the system, which may vary greatly in time and circumstances (including degree of user cooperation), and in the face of possible attempts to manipulate and/or circumvent the system by imposters.

There are many types of biometrics that might be used in a system. Some biometrics are based on physical characteristics, such as fingerprints, hand geometry, facial features, and so on, whereas others are based more on performance or behavior, such as signatures and speech. Biometric measurements have a range of variabilities, including physical variabilities (due, for example, to aging or trauma) and physiological variabilities, such as emotional or metabolic changes. Additional variability may be due to idiosyncrasies of the population (see Box 2.3). All of these types of variability, and others, pose challenges for collecting a corpus (training set) representing the problem space and for ensuring that quantitative indices of performance are sufficiently precise. They also can be sources of error when considering a distribution of subjects for enrollment and verification. The challenges associated with data and data selection are described further in a later section.

BOX 2.3
Sheep and Goats

The performance challenges to biometric systems due to variability, particularly in the recognition of different speakers within a population, are a well-recognized problem within the speaker recognition community. Variability among speakers has led some researchers to class them as “sheep,” “goats,” “lambs,” and “wolves.” Sheep represent the largest portion of the population—their performance is both predictable and reliably recognized by the system. Goats are fewer in number—their performance in the system is unpredictable and not reliably recognized, often resulting in detection errors. Lambs and wolves are easily confused with others and can result in false matches. The characteristics of lambs are easy to imitate. Wolves, on the other hand, can imitate others easily.

1  

For more, see George Doddington, Walter Liggett, Alvin Martin, Mark Przybocki, and Douglas Reynolds, 1998, “Sheep, goats, lambs and wolves: A statistical analysis of speaker performance in the NIST 1998 speaker recognition evaluation,” Proceedings of the 5th International Conference on Spoken Language Processing, November.

Why Evaluate?

What is the reason for evaluation and testing of a biometric system? At a high level, it was suggested, evaluation serves three purposes: (1) to guide and support research and development by, among other things, identifying important dimensions of variability and providing feedback on what works and what does not; (2) to assess the readiness of a system for deployment and to provide a framework for characterizing performance as a function of variability in a given system; and (3) to monitor performance of a system in the field, which includes characterizing system performance in terms of the failure mechanisms and identifying technical challenges that can feed back to research and development.

Over time, tension may result between research and applications. For research, the requirement is to represent core technical challenges in a very distilled way that separates the

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

technical issues from numerous application/operational issues. As application and operational issues arise, they may complicate and obscure the core research challenges. At the same time, if evaluation is needed to assess readiness, then the prediction of a system’s performance in the field may be based on what the system achieved on a corpus of evaluation data. Accurate predictions can be a challenge.

The Role of Technology

Regardless of the specific reasons for evaluating a given system, ultimately the role of technology—in this case of a biometric system—is to enable accurate and responsible decision making. At heart, a panelist suggested, all practical biometric applications are “detection” applications: The application seeks to assert that an identity is known or is not known. It was suggested that this assertion can be formulated in terms of a probability—namely, is the probability of the identity hypothesis, given the data, above a certain threshold? Participants acknowledged that answering this question is not solely a technical matter. Policy matters as well. What are the criteria on which this judgment is based? What are the prior probabilities—that is, Is anything known about the probabilities associated with the population using the technology? How will the answer that the technology is attempting to provide weigh into the ultimate decision making? Policy and adjudication mechanisms are needed in addition to what the technologists and technological systems can offer. Participants observed that the technical and policy components of decision making must inform and provide feedback to each other.

Experimental Design

Participants noted that good experimental design is important in evaluating systems and selecting evaluation data and that many of the issues that arise are not specific to biometrics. Data selection issues need to be acknowledged up front rather than being hidden or elided in the evaluation of systems. Issues of proper data use were also raised, such as including all data in the test evaluation. Removal of poor quality data from the test could have the effect of filtering out problems that would occur with real data and might produce overoptimistic assessments of system performance. Additionally, the operational and evaluation data need to be kept separate to prevent developers from tuning their systems to known evaluation data sets in preparation for testing.

Some challenges specific to evaluating biometric systems are specific to each of the many types of systems that are deployed. As one panelist noted, evaluating “operational fingerprint identification systems on a large scale” is a specific challenge—changing any of the characteristics mentioned in that phrase changes the evaluation process. Another challenge relates to what is known as ground truth and the process of determining whether there is a matching error. Fingerprint identification may involve working with latent fingerprint examiners, who, as is well known, can make errors. Testing also needs to be done for system vulnerabilities, and distinctions should be made between active and passive imposters. Additionally, it was noted that a one-size-fits-all approach to testing might not be feasible, because the intended use for the system and the type of application might have an impact on the referent population and on the types of data necessary to evaluate the system. It was suggested that layering the overall problem into general problems, biometric-related problems, specific biometric modalities issues, and so on would generally be helpful. One suggestion was to layer the problem so as to address all the generic problems first (such as defining the general-purpose evaluation and data selection and corpus) and then to address problems relating to the specific biometric technologies and modalities in use. Of course, the generic and the specific may not always be easily separable.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

Impact of Data Selection on Testing and Evaluation

Data selection is central to effective evaluation approaches. That which can be learned from a data set that is not representative of the population of interest is of limited, if any, value.7 The degree of similarity among different elements in a population is a related concern and must be considered when establishing a representative population sample and incorporating appropriate gradation and other challenges into test scenarios. Biometric tests are almost universally based on “opportunity” samples, testing whatever volunteers happen to be available. It might be possible to develop “judgment” samples chosen in some systematic way to represent population variation. The application of statistical methods to evaluations in the biometrics domain would seem viable, provided that the methods are well designed and the samples are representative.8

One panelist argued that large quantities of operational data are needed for testing. While most systems do not archive all of their data, much could be learned from the analysis of data that are routinely discarded if they are collected and stored (for example, retaining the information that a person had to make three attempts before the system recognized him or her, and the biometric images or signals associated with those repeated attempts). Data also drive how thresholds are set for biometric systems. Thresholds are predicated on what is known about the distributions of imposters and genuine subjects. Developing an infrastructure to extract operational data from devices may be helpful, but techniques for anonymization and privacy protection along with authentication, where appropriate, will also be needed. It was suggested that a combination of interfaces, infrastructures, audit trails, metadata, and data formats is needed. Despite the difficulty of gathering data from subjects, participants were skeptical about the use of synthetic data (created through morphing and other techniques) for testing a system for deployment but allowed that such data might be useful in the early stages of research and development testing.

Data distributions also vary by collection characteristics as well as population characteristics. For instance, data compiled by trained collectors in a controlled environment who aim to gather perfect samples from willing participants will likely be less variable than data collected in operational field tests under chaotic conditions by untrained collectors or from uncooperative participants. Additionally, the two kinds of data—controlled versus operational—also have different uses. For purposes of research and development, controlled laboratory data might be more useful—for example, in order to assess the sensitivities of one’s algorithms. However, for testing purposes, operational data are preferable.

Quality

In some biometric systems, annotations that indicate the quality of a particular sample can be used. For example, some data formats for face, finger, and iris have fields that allow a quality metric to be inserted. This metric can be used to guide what sort of analysis might be needed or, at

7  

One example was of a data set collected in an Ohio prison—not only was the collection process very controlled, but the population was homogeneous (primarily young and male) compared with the general population. Another example addressing the issue of collection involved two different populations but used the same fingerprint scanners and the same software: one set of data was collected by the border patrol (primarily from Mexican illegal immigrants) and the other one was collected in an office environment (from people trying to get border-crossing cards). These systems were orders of magnitude apart in terms of error rates, presumably because the two populations from which the data were being collected had very different motivations.

8  

It was noted that statistical error bars on data will indicate the degree of error only if the data reflect the population. If the data do not reflect the population, then the error bars will not have any bearing on the true magnitude of error.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

enrollment, to ask that the sample be collected again. It can also be used in aggregate to assess or monitor the overall quality of the collected data. For example, if enrollment is being done at multiple stations, system operators can learn about the average quality on, for instance, Mondays, or in the afternoons. Much of this falls under traditional quality control and analysis.9 How best to use such a quality metric, what standards it might be useful for, and what it actually means are being discussed in the biometrics community.

SESSION 3: LEGISLATIVE, POLICY, HUMAN, AND CULTURAL FACTORS

Panelists: Tora Bikson, David Kaye, Lisa Nelson, and Peter Swire

Moderator: Jeanette Blomberg

In Session 3 panelists were asked to address the legal, policy, social, and cultural aspects of biometric systems, as well as the implications for the collection and use of biometric data in different contexts at both the national and international levels. Five main themes emerged during this session:

  • Three different modes of identification evidence—mitochondrial DNA, facial recognition, and latent fingerprints—were discussed in relation to “general acceptance” and “scientific validity”—two legal standards for the admissibility of evidence in a court of law.

  • Lessons for biometric system security were drawn from the current use of SSNs and the growing incidence of identity fraud. The proposition of a new law restricting the sale and disclosure of biometric identifiers was debated.

  • The meaning of “privacy” in relation to the use of biometrics technologies was discussed in terms of legal principles and some preliminary public opinion survey research.

  • Issues related to the collection and use of data generated by biometric technologies and associated fair information practices were discussed in relation to an earlier study on the use of RFIDs and access cards in the private sector.

  • The international legal and cultural dimensions of privacy were discussed, including their implications for the use of biometrics.

Admissibility of Biometric Identification Evidence

Two standards in common use for the admissibility of evidence in American trial courts,10 typically called “general acceptance” and “scientific validity,” were discussed and later applied to three different biometric identification modes. In practice, which of these standards applies varies by jurisdiction. The first standard, “general acceptance,” originated in Frye v. United States, a District of Columbia Court of Appeals case that upheld a ruling rejecting the admissibility of expert testimony

9  

The importance of image quality for biometric systems and the need to evaluate image quality across multiple factors jointly rather than a single factor at a time was also noted. To incorporate a measure for image quality, the possibility of tagging the quality was suggested to account for quality differences (difference in granularity, in lighting, in aging, and so on).

10  

As a point of clarification and context, it was noted that before evidence can be put before a jury or, in theory, a court, there may need to be a number of preliminary determinations. Such determinations may include whether the evidence is excludable as hearsay or whether it is relevant, scientific, and sufficiently reliable. Additionally, the debate about admissibility takes place in front of the judge rather than the jury. There may be experts on both sides, and federal judges may appoint their own experts. However, these rules apply only to evidence presented to juries and not to warrant requests.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

about a then-new technique that could identify the act of lying by measuring systolic blood pressure.11 The decision recognized, however, that courts would permit expert testimony derived from “a well-recognized scientific principle or discovery, when it is sufficiently established to have gained general acceptance in the particular field in which it belongs.”12 Over the years, the Frye standard became the dominant criterion for admitting scientific evidence. Under Frye, a court would decide if general acceptance had been shown by looking to expert testimony and the existence of publications, by determining that the scientific technique had been put to nonjudicial uses, and by considering other cases that might manifest judicial acceptance.

The second standard, “scientific validity,” emerged in Daubert v. Merrell Dow Pharmaceuticals, a case that involved birth defects from an antinausea drug known as Bendectin.13 In this ruling, the Supreme Court overturned the decision of the lower courts to exclude evidence of toxicological epidemiology on the grounds that there was not general acceptance. Given the difficulty of determining when general acceptance has been reached, the Court deemed the Frye test to be inappropriate, under the Federal Rules of Evidence, for governing admissibility, and determined that the evidence admitted should constitute “scientific knowledge” and “be supported by appropriate validation.”14 The general guidance offered for the admissibility of evidence obtained by new scientific techniques included the following considerations: whether the theory or technique has been or could be tested, with appropriate controlling standards in applying the test; whether it has been subjected to peer review and publication; whether the potential rate of error is known; and, more broadly, whether the theory or technique is generally accepted.15

As an example, in applying these standards to mitochondrial DNA evidence obtainable from a strand of hair, it was noted that this type of evidence has been admissible in courts even in the case of comparatively small or unrepresentative sample sets. In a mitochondrial DNA match, the proposition that it is “almost always” maternally inherited and “usually” remains constant over time is generally accepted. Mitochondrial DNA has also been accurately sequenced in a laboratory, and the frequency of mitochondrial haplotypes can be estimated to determine if two samples being analyzed are similar.16

It was noted that questions pertaining to the theory and appropriateness of the computer algorithms used to perform facial recognition, a relatively new type of biometric identification, would need to be answered to determine the technique’s admissibility in a court of law. It would be important to know if the algorithm has been adequately tested and the results have been published or if it is proprietary and not published; whether there is sufficient research literature demonstrating the validity of the approach; whether conditional error probabilities have been established and, if so, their values; and how the matches are presented (e.g., in a binary form or as the probability that the two signals come from a common source); and, finally, whether it is generally accepted that the algorithm makes correct identifications.

11  

This technique has been described as a precursor to the polygraph test.

12  

Frye v. United States, 293 F. 1013 (C.A.D.C 1923). The Frye opinion is available online at <http://www.daubertontheweb.com/frye_opinion.htm>.

13  

Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

14  

The Daubert decision is not binding on the states, but more than half the states have adopted the Daubert standard to determine the admissibility of evidence in state courts.

15  

These factors, from a nonexclusive list by Justice Blackmun in Daubert v. Merrell Dow Pharmaceuticals, Inc., have become known as the Daubert factors.

16  

An example of the use of DNA evidence in the Scott Peterson case was provided. An FBI analyst testified that a hair found in Scott Peterson’s boat could not have been his, and that it matched Lacey Peterson’s mother’s mitochondrial DNA that should have been inherited by Lacey, the victim. Furthermore, the analyst testified that this haplotype would be seen in one out of 112 Caucasians, based on an FBI database of several thousand. It was noted that this type of evidence is generally admissible despite the statistically unrepresentative sample population of the database.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

With regard to latent fingerprints, the form of biometric identification evidence with the longest use, courts historically have accepted this type of evidence under the Frye standard, and it continues to be accepted. However, the application of analysis, comparison, evaluation, and verification (ACE-V), performed by fingerprint analysts, has recently been challenged under the Daubert standard. The problem surrounding fingerprints lies with ACE-V and the human analysis, which some claim lacks scientific rigor—with respect, for instance, to establishing the known error rates and in the controlling standards used by the examiners. As a result, this identification technique continues to be subject to scrutiny; whether court challenges to it will succeed is an open question.17

It was noted that defense attorneys try to subpoena basic biometric methods information in an attempt to prevent biometric identification data from being introduced in courts; if it is introduced, they try to identify a factor that will compromise the accuracy and/or validity of the biometric method used. In the discussion, it was suggested that a defense based on the Daubert standard is generally a last resort but can be important when fingerprint evidence is critical to the case.

Lessons for Biometric System Security from the Use of Social Security Numbers

Lessons learned from the use and treatment of SSNs and the related problem of identity fraud were applied to understand and strengthen the security of biometric systems. One problem with the expanded use of SSNs in combination with publicly available personal information (e.g., mother’s maiden name) as an identifier, or “key,” to gain access to an individual’s credit records and other authoritative credentials is their lack of secrecy, given the ease with which they can be shared, sold, and compromised.18 In the computer science world, it was noted, keys or passwords are kept secret to prevent access to the system by an unauthorized user.19 While keeping information secret may be a common practice for online and other remote applications, it is common as well in the process of establishing credentials in the physical world, where fake identities can be created by using SSNs and other personal information that is presumed secret or private to acquire so-called “breeder” documents (e.g., driver’s licenses) that can be used to gain access to an individual’s personal or financial information.

To prevent similar problems with new biometric identifiers and the loss of the “keys” that breed fraud, a law was proposed at the workshop that would prohibit the selling or sharing of unencrypted biometric data. Similar to recently proposed legislation to prohibit the “sale or display of social security numbers,”20 the draft law aims to minimize access to high-quality images of biometrics (irises, fingerprints, and so on) to keep the new keys more secure, particularly for their use in legal identification. Such a law would shift onto those who would sell or display biometric identifiers the burden of explaining why that sale or display should be warranted. Among the several biometrics that are excluded by the rule are photographs of faces, which have many nonsecurity uses

17  

The lengthiest Daubert hearing on fingerprints that was recently affirmed was U.S. v. Byron Mitchell, Criminal Action No. 96-407, U.S. District Court for the Eastern District of Pennsylvania, July 1999.

18  

The personal and financial information for 145,000 people that was recently lost by ChoicePoint was provided as an example of compromised data, as key information that can be used to gain access to an individual’s financial information becomes accessible to others.

19  

For more on this approach, see Peter Swire, 2004, “A model for when disclosure helps security: What is different about computer and network security?” Journal on Telecommunications and High Technology Law, Vol. 2. Available online at <http://ssrn.com/abstract=531782>.

20  

In an effort to prevent identity theft, the Social Security Number Misuse Prevention Act (S. 29), introduced by Senators Feinstein and Leahy in January 2005, aims to prohibit, among other actions, the sale or display of SSNs to the public without the individual’s consent. For more information, see also Mark Roy, 2005, “Feinstein tightens ID theft proposal.” Internetnews.com, April 12. Available online at <http://www.internetnews.com/security/article.php/3497161>.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

and are generally not secret, as well as DNA used for medical treatment and research. Additionally, it was suggested that encryption should be encouraged as a best practice in the transmission and storage of biometric identifiers. The recent loss of unencrypted backup tapes storing financial and credit card purchase data for 1.2 million federal employees and U.S. senators by the Bank of America was cited to illustrate the need for such practices.21 Without encryption, a database of biometric identifiers is as vulnerable to unauthorized release as other kinds of personal data. Notwithstanding the challenges in acquiring a new SSN, it is certainly more difficult to replace a compromised fingerprint, for instance, than an SSN. It was argued that without such a law and without encryption, biometric approaches to security, particularly their use as presumably private keys, could fail just as applications using SSNs for secure authentication have failed already.

During the discussion, several questions were raised about the proposed biometric legislation, including how to distinguish which biometrics are worthy of protection and how they could be defined. For instance, it was noted that it may be possible to obtain iris information from a high-resolution photograph. However, there was some agreement by the participants that even though biometrics such as fingerprints are not secret and can be obtained by anyone determined to collect them, it may be useful to restrict the release of fingerprint information online. It was noted that a fingerprint that can be collected from a surface may not have adequate detail to be used in an attack on a system. It was also suggested that such a practice would keep the cost of attack high, as obtaining fingerprints individually is much more expensive than obtaining them in a fingerprint database.

Legal and Societal Issues of Biometric Technologies

To assess what “privacy” means in relation to the use of biometrics technologies, a few ongoing research efforts were discussed, beginning with an overview of the legal doctrine and normative expectations of privacy and its potential applicability to biometrics technology and followed by a brief presentation of preliminary findings of some early survey research designed to elicit public opinion about privacy concerns related to the use of biometrics technology.22 A distinction was made between the factual parameters of privacy—constitutional, statutory, and common law protections—and the normative perceptions of privacy. It was suggested that although factual legal doctrine does not directly relate to biometric technology, principles from constitutional cases defining protections against searches and seizures and in the realms of informational privacy and intimate decision making were applicable for the development of biometric technology policy. Furthermore, normative expectations of privacy also must be taken into consideration and might well be decisive for the acceptance of the broader use of biometric technologies.

It was noted that although the constitutional doctrine of informational privacy is not fully developed, it provides general guidance for the balance that should be struck between the use of biometric identifiers to enhance security and/or to increase convenience and the individual right to privacy. In Whalen v. Roe (1973), a foundational case, the Supreme Court was asked to consider if the accumulation of statistical information as part of the “war on drugs” encroached on a reasonable expectation of privacy regarding an individual’s arrest and drug rehabilitation records. The Court ruled that in such situations an individual’s interest in informational privacy always has to be weighed against the societal objective. It was suggested that this constitutional case provides some principles

21  

See Paul Shread, 2005, “Bank’s tape loss puts spotlight on backup practices,” Internetnews.com, February 28. Available online at <http://www.internetnews.com/storage/article.php/3486036>.

22  

Part of a larger project being funded by the National Science Foundation and the Department of Homeland Security to explore obstacles to the maturity of biometric technology, this research aims to provide a sociolegal assessment through the use of various surveys that would gauge the public’s privacy concerns and social perceptions of biometric technology.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

to consider, particularly in terms of the interest in storing and sharing biometrics information and the need to also protect privacy.

It was suggested that several cases within the realm of intimate decision making, though only tangentially related, may indicate some potential concerns about and barriers to the collection of biometric information. Griswold v. Connecticut (1965) established a realm of intimate decision making around contraceptive usage. In a more recent federal case, Planned Parenthood Federation of America v. Ashcroft (2004), the Court was asked to consider whether or not individual privacy rights precluded the Justice Department from gathering information on how many abortions had been performed at a particular clinic. The Court found that the privacy rights in that information were a barrier, and it prohibited the gathering of the statistical information because it intruded on the intimate decision making of the individuals served by the clinic. It was suggested that principles illustrated by this case might inform the limits to using biometric identifiers to access information on the intimate decision making processes of individuals.

In addition to the overview of the legal doctrine of privacy, the initial results from a limited 100-person survey on privacy were discussed, and the designs of proposed surveys following on the initial survey were described.23 The preliminary results from the small survey sample as described to workshop participants include the following:

  • Privacy was by far the greatest concern among the various concerns expressed.

  • Concerns about technological fallibilities and procedures to rectify technological failures were also raised.

  • Acceptance of biometric technology will increase as technology reliability improves.

  • Two of the lesser concerns were inappropriate information sharing, in either government or private sector settings, and the theft of biometric identifiers. The low ranking of these concerns was a surprising survey result.

  • Perceptions of biometric technology varied depending on the context of use. For instance, inconvenience was a concern with the use of biometric identifiers at automated teller machines (ATMs) or banks, but there was general support for biometric identifiers when boarding an airplane.

A preliminary suggestion from the survey data was that the public may generally accept the need for give-and-take between expectations of privacy and societal objectives. The public seemed willing to weigh privacy concerns against the purpose of biometrics usage. Relative to this finding, the importance of contextualizing the use of biometrics was also stressed so that polices could be constructed to address different privacy concerns.

During the discussion, a participant suggested that legislation intended to control the use of biometrics technology and protect privacy through the creation of consent provisions is not a panacea, as it would not sufficiently address other issues, such as technological and administrative safeguards and information-sharing rules, that might arise with the use of biometrics technology and that are often not well understood by the public. It was suggested that a broader policy perspective would help to address related issues that will have impacts on privacy. Such concerns were echoed by other

23  

The proposed research surveys that will be conducted include (1) a 2,000-person end user survey of those who have been exposed to biometric technology, to understand users’ perceptions and acceptance of biometric technology after having been exposed to it as well as existing concerns and problems with the technology; (2) a 1,000-person national random digit dialing survey to compare the perceptions of biometric users with those of nonusers; and (3) a 2,000-person international end user survey to explore and compare different societal notions of privacy, needed since biometrics technologies such as those that are part of US-VISIT (see summary of Session 5) will increasingly involve cross-jurisdictional issues.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

participants, who suggested that privacy issues and fair information practices should be proactively addressed rather than relying on the courts, which may not be effective in developing coherent policy.

Issues Related to Policies on Biometrics Data Collection and Use in the Workplace

Several issues emerging from a study recently conducted on RFID tags in the workplace24 were discussed and related to those that might arise with the use of biometric technologies. The study gathered data from six large private corporations in the United States that required employees to swipe access cards embedded with an RFID chip to gain access to buildings. Four findings from the study were these:

  • The data generated by the access cards were sometimes used for much more than controlling building access, including for monitoring adherence to workplace norms and rules, investigating inappropriate activities such as asset thefts, and accessing medical health information in emergencies.

  • Appropriate uses of data tended to be determined by security units rather than by executive management, without policies or guidelines for data sharing having been established.

  • Data in all surveyed organizations were kept indefinitely, with no retention schedule, and were never independently audited.

  • Employees using the swipe cards had not been informed about data retention and alternative data uses.

It was noted that the study—given that it explores issues related to access control and identification, and given that there are proposed applications that would combine biometrics and RFID tags—raised concerns about the use of biometric technologies in the workplace, including these:

  • Were the practices seen in the gathering and use of RFID data likely to be precedents for similar practices with data generated by biometric technologies, or will explicit policies be developed comparable to policies for computers, networks, and e-mail?

  • Because individuals may not be cognizant of the collection of biometric data, especially for remote-sensing applications, how should, or could, they be notified, and how could their consent be solicited?

  • As biometric data will probably be linked to other databases, either directly or through association with an RFID code, identifying individuals by matching newly collected data sets against extant data sets will become more feasible. How will concerns about this new capability be addressed? How long should the collected data be retained?25

  • Will individuals be given the opportunity to inspect and to correct biometric information collected about them? How will this be done?

24  

Edward Balkovich, Tora K. Bikson, and Gordon Bitko, 2005, “9 to 5: Do you know if your boss knows where you are? Case studies of radio frequency identification usage in the workplace,” Research brief and report available online at <http://www.rand.org/publications/RB/RB9107/>.

25  

Several models include the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available online at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html, and the European Union privacy directive, which limits retention to a period appropriate to the purpose for which the data were collected (more information can be found at <http://www.epic.org/privacy/intl/data_retention.html>).

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
  • Who should be entitled to access the collected data, and what will be this entity’s responsibilities for data integrity, protection, and notification?

International Perspectives

Participants also raised several international legal and normative concerns that have implications for the use of biometrics. Different privacy and data collection laws and regulations may have an impact on what technological capabilities will be permitted. Often, cultural and legal differences can affect monitoring rules in the workplace. While it is commonly understood in the United States that the employer runs the computer system and can monitor the network for security purposes, employees in France and Germany have the right to confidential communications while they are sitting at their office desks, and employers are required to obtain a wiretap to read an employee’s e-mails that go through the employer’s system. This could present difficulties, particularly for a global company that is trying to implement standard procedures across the organization. In addition, there is a broader view of personal information under European law, which uses the term “identifiable” rather than the more narrowly conceived term “personally identified information” under American law—the former suggesting that the connection between the information and the person is determinable even if no explicit connection is immediately accessible.

During the discussion, a participant alluded to the current attempt of the International Organization for Standardization/International Electrotelecommunications Commission (ISO/IEC’s) Joint Technical Committee 1 Standards Committee 37 to develop voluntary best practices for the international use of biometric technology in private corporations by 2006. The international working group aims to bring together different cultural and legal perspectives into a common framework of principles based on fair information practices. The effort is intended to help companies recognize the importance of keeping their workforces informed about the use and implications of biometric technologies.

SESSION 4: SCENARIOS AND APPLICATIONS

Panelists: Joseph Atick, Rick Lazarick, Tony Mansfield, Cynthia Musselman, and Marek Rejman-Greene

Moderator: Gordon Levin

Session 4 participants were asked to discuss the impact of different application contexts on the performance of biometric systems and to describe the general characteristics of successfully deployed biometric systems. Other topics covered in this session included approaches to the fusion of multiple biometric techniques and methods for integrating biometrics into particular systems and environments. Some of the themes that emerged during the discussion were the following:

  • The challenges identified for biometric identity management applications will vary depending on the application requirements, system scale, and the security environment.

  • Nontechnical factors such as human factors and user training can have significant impacts on biometric system performance.

  • Standards and interoperability are important for better system performance and the global use of biometric systems.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

Identity, Identity Management, and Biometrics

For identity management applications, one panelist referred to biometrics as the glue that can bind four elements: authorized actions, trust, reputation, and identity.26 In the identity management process being described, the decision to authorize an action, from logging into a network to entering a country, is operationally based on a level of trust that relies on an individual’s reputation, which is linked to an identity. By matching an individual’s live biometric against the enrolled or reference sample of that individual, the system can associate actions with an identity based on levels of trust and reputation established for the individual.27 “Risky” identities can also be flagged by comparing the biometric in question to biometrics in other databases to determine, for example, if an individual’s biometric matches that of someone who has been placed on a watch list.

Though biometrics can be used to link these four elements, the panelists stressed that establishing a human identity involves more than capturing a biometric. An individual’s identity can be established initially in a number of ways, depending on the application needs and context. For instance, the identity can be linked to a unique enrollment that tracks information from day one forward but does not reveal the individual’s legal name (the approach used by eBay, albeit not with biometrics). Alternatively, a legal identity can be established by linking historical and document-based information such as that contained on a driver’s license or passport. One account was given of a remote village chief vouching for an individual’s proper name when no paper documents existed.

An underlying problem with large-scale biometric identity management applications that rely on paper-based documents to establish a legal identity lies not so much in capturing the biometrics, it was suggested, but in creating and trusting the linkages.28 A panelist called the mapping of a traditional, paper-based identity to a biometrics-based identity the Achilles’ heel of biometric identity management applications. This mapping process creates an opportunity for identity laundering (the legitimizing of a “bad” identity) when documents can be falsified and used to bypass the reputation discovery processes to obtain a “clean” identity. A panelist also noted that tying a biometrics-based identity to multiple paper-based documents is a time-intensive process that would require traditional investigations to determine if the documents are authentic. In discussion this problem was illustrated by national ID card applications, which would presumably entail a gradual linking of an initial ID to more assets and information (e.g., mortgage and credit history) after initial establishment of the linkage between an individual and his/her national ID. However, national ID cards would probably not adequately deter identity theft or identity laundering, presumably an intended purpose of such an application. In addition to the challenges of linking identity information to a biometric, it was suggested that other applications—such as an e-passport intended for the global recognition or assignment of a legal identity for an individual—would require open interoperability standards to enable the exchange of information across governments. Such cards would likely require the creation of a federated identity system, or silos of identity, rather than a single, centralized identity.29

26  

There was not time for in-depth discussions of the meanings of these terms and their interrelationship at the workshop.

27  

Dynamic knowledge discovery was also briefly touched on as a mechanism to reassess and update an individual’s reputation (based, for example, on periodic reinvestigations vs. a one-time investigation) in order to adjust levels of trust used to authorize or revoke access rights on a timely basis.

28  

One participant cautioned that the biometrics themselves, used to create and fix the linkages to identity, are not secret.

29  

A previous NRC report explored the question of a nationwide identity system at length: see S. Kent and L. Millett, eds., IDs—Not That Easy: Questions About Nationwide Identity Systems. National Research Council. Washington, D.C., 2002.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

Application Contexts and Security Environments

Panelists discussed some of the characteristics of and challenges for biometrics systems in relation to different application contexts (e.g., large versus small deployments) and security environments (in the case discussed, government versus commercial). Some of the challenges particular to a large-scale, government (rather than commercial) biometric identification application were discussed, and some solutions were presented.

The national ID card30 being developed by the United Kingdom was described. The central challenge identified at the workshop was the need to establish realistic policy and performance requirements for the biometric technologies in light of the system scale and the diverse enrollment population. The system scale of 60 million users introduces significant challenges for achieving the required performance metrics (a false nonmatch rate of less than 1 percent, or 1 in 100, and a false match rate of less than 0.1 percent, or 1 in 1,000), as these rates are not directly measurable without an operational system or a large database for testing. The system scale and related costs of enrollment also raise questions about the age requirement for initial enrollment and the frequency of reenrollment in the system. A second distinct and critical requirement for a national biometric system is the need for universal enrollment across all sectors of society. It is not known if biometrics can be inclusive of all sectors, as few tests have been conducted that represent society as a whole. However, it is known that a small fraction of the population will not be capable of providing an adequate sample, as a consequence of inherited biology or temporary or permanent conditions—for example, fingerprint damage in the form of a cut, burn, or scarring; arthritic fingers for hand geometry, and some eye injuries or conditions for iris recognition. Furthermore, a policy requirement for a mandatory and universally deployed national system in the United Kingdom is that it must be nondiscriminatory, both in perception and in actuality, to individuals with disabilities or specific cultural or ethnic backgrounds. The system must also accommodate those who are not familiar with the biometric technology and process as well as those who intend to be uncooperative.

The potential solutions offered by the panelists for the false nonmatch rate and enrollment problems include the improvement of sensors and system ergonomics in order to acquire higher quality biometrics. To further minimize enrollment problems, it was suggested that users be permitted to choose a second biometric modality for enrollment. If multibiometric fusion is involved, multi-instance rather than multimodal fusion would simplify user training.

Panelists drew clear distinctions between the purposes and functions of commercial vs. government biometric applications. Commercial applications aim to provide convenience and assistance to voluntary users in targeted sectors. Two possible applications are the personalization of services and the facilitation of individual accountability; in the latter, an individual’s name, reputation, and biometric accompany a transaction to allow for tracking over time. To be operationally viable, commercial applications must be able to tolerate some error in enrollment rates among the user population.31 Additionally, performance should degrade gracefully, and operations should include redundancy. Some hypothesize that to achieve widespread acceptance among a voluntary user population, the technology should facilitate clever, personally useful applications that are reasonably routine, transparent, and, as one participant called for, “cool.” The use of the technology should be intuitive, and its purpose should be clear and understandable to the user. The

30  

The national ID card aims to reduce the registration of multiple identities and establish a single, verifiable identity per individual that will be linked to a previously established (document-based) identity and used for national identification purposes when an individual appears to receive government services.

31  

A panelist noted that in some cases an extra measure of security (performance) might not be worth the reduction in throughput. It was suggested that rather than always striving for 100 percent accuracy, the target error rate should depend on the type of application: In other words, it should be “good enough” for the application.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

example given—an integrated mobile device, a hypothetical commercial application combining the functionality of a mobile phone and a personal data assistant—illustrated some of these characteristics. It could be an individual’s primary device for communication and information access, and the biometric could be used to provide secure access. Other information could be used by the system, including a personal identification number, an equipment-unique identifier, physical location, other biometrics (voice, face, fingerprint), and history of use.

It was suggested that user-centered design principles be applied to develop application features and to determine the features’ value and usefulness. Recent findings suggest that the utility and convenience of biometrics may somewhat lessen privacy concerns as individual users begin to explore and weigh the costs and benefits.32

Nontechnical Factors and General System Characteristics

Panelists identified additional nontechnological factors that impact the performance of biometric systems:

  • The type of biometric system will impact user behavior and system performance. For instance, in a system that aims to verify a claim of enrollment, such as in the administration of government benefits, the individual is trying to produce a matching result. By contrast, in a system that aims to verify a claim (sometimes implicit) of nonenrollment, such as screening for inclusion on a watch list, the individual is trying to avoid a match.33

  • Human factors are critical for optimizing the capture performance of biometric techniques. Attention to system ergonomics that automatically adapt to human factors, such as a facial recognition camera that adjusts to differences in height and presentation, can make a system less intimidating and more natural for users and may significantly reduce enrollment error rates. It was suggested that systems that provide useful feedback to users and systems that incorporate touch screen technology rather than a keyboard enhance capture and enrollment performance.

  • Training is useful for system operators to understand system operations but should not be needed for users as the systems should be sufficiently intuitive. Some panelists noted that training did improve sample collection in deployed systems; others stressed that user training could have the opposite effect because it could teach a user who chooses to be noncompliant how to improperly enroll.

Participants noted that successfully deployed biometric applications tend to have the following characteristics:

  • The ability to select out individuals who cannot provide or have difficulty providing a good quality sample for a given modality.

  • Robustness to variation in the false rejection rate, given that some error is to be expected with a biometric system.

32  

Findings from BIOVISION, a project sponsored by the European Commission to explore successful biometric deployments from a user and system integrator perspective.

33  

Adversarial analysis is a hard problem to solve because real numbers for false reject and accept rates are difficult to obtain from adversaries who have successfully defeated a system. In addition, an adversary may purposely inflict an injury to create a legitimate problem of entering through a biometric system, requiring a secondary entry procedure.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
  • Realistic system performance requirements with respect to the application and the technology, offering an effective improvement for the particular application at a reasonable cost.

Standards and Global Interoperability of Biometric Systems

To illustrate the importance of standards setting and the interoperability of systems, panelists highlighted early work in multibiometric standards formation and data collection as well as the results from a recent interoperability test. For future integration of multibiometric systems, ISO/IEC’s Joint Technical Committee 1 Standards Committee 3734 has focused on defining multibiometric terminology to develop standardized approaches for assessing and improving multibiometric fusion.35 The terminology development process provided the background to break down the problem (see Box 2.4).

It was suggested that if designed and implemented effectively, multibiometric approaches have the potential to improve biometric system performance—that is, to reduce the false acceptance rate (FAR), the false rejection rate (FRR), the failure to enroll (FTE) rate, and the failure to acquire (FTA) rate—and can be more resistant to spoofing.

However, participants noted that one challenge to research in multibiometric fusion techniques has been the limited supply of true multibiometric data (i.e., multibiometric data from the same human being). Typical studies have involved tens to several hundreds of individuals. In attempts to achieve large multibiometric data sets, some researchers have assumed that biometric samples from completely different modalities (e.g., face, fingerprint, iris) are fully uncorrelated. Based on this assumption, they may create a chimeric multibiometric data sample by combining a facial image from one individual, a fingerprint from another individual, and an iris image from another individual. To validate this assumption and evaluate multibiometric systems, NIST and TSA, at the time of the workshop, were planning a 2005 deployment of the Multimodal Biometric Accuracy Research Kiosk (MBARK) to collect face, fingerprint, and iris data from the same individuals. The importance of independent testing was discussed, along with the remaining work to be done in the development of worldwide applications that will rely on biometric technology. A third-party test to evaluate the compliance of several commercial technologies with a secondary standard modeled after the draft ISO standard revealed poor performance and interoperability among the vendors that were tested. The test, conducted on seven different products and using biometric data gathered from volunteers from the intended user population,36 had three components: (1) conformance to the requirements of the standard; (2) performance of the system, consisting of a sensor and an algorithm each from different providers; and (3) the interoperability of the systems. When multiple sensors were tested against one algorithm, there were large (up to 40 percent) differences in performance among the biometric systems. Within the small test sample, only two sets of product combinations (each consisting of a distinct sensor and an algorithm) were interoperable

34  

The technical report Multi-modal and Other Multi-biometric Fusion was issued by Working Group 2 of ISO/IEC JTC1 SC37 with support and technical contributions from the International Committee for Information Technology Standards (INCITS) M1 Technical Committee on Biometrics—Ad Hoc Group on Evaluating Multi-biometric Systems (AHGEMS).

35  

Fusion has been implemented for many years in large automated fingerprint identification systems (AFISs) using multi-instance and multialgorithmic approaches.

36  

The test sample of 125 was smaller than the anticipated 225 participants. Though it did not include any noncooperative users, it was drawn from the user population and was representative of some of the problems users of biometrics systems may confront.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

and achieved the target FAR and FRR of 1 percent out of the 125 participants.37 Despite the few technologies that passed this independent evaluation, to be accepted in this arena, all future products must meet or exceed the performance and interoperability levels that have already been set.

BOX 2.4
Multibiometric Systems

Multibiometric systems comprise four distinct subcategories—multimodalities (e.g., finger, iris, face), multi-instances (e.g., right and left index fingers or multiple images of a face or scene), multisensors (e.g., optical, capacitive, and ultrasonic), and/or multialgorithms (different matchers)—that can be fused at four different levels: the decision level, the score level, the signal level, and the feature level. At the feature level, the biometric samples can be combined to create a feature space for processing in the matching (score) and decision levels. Current fusion approaches occur at the score level, where scores assigned by each biometric channel are combined before the system issues a decision based on the score. To enhance score fusion, prior probabilities that approximate prior beliefs of experts can be taken into account and score normalization between matching algorithms can also be used to provide additional information when implementing a fusion scheme. Other fusion approaches that can be systematically applied to improve fusion accuracy and/or throughput include combination techniques such as summing rules and products or combining different classifiers, the use of layering or cascading logic when gathering and using multiple measures and sources of information, and simultaneous versus sequential sample presentation while capturing information.

SESSION 5: TECHNICAL AND POLICY ASPECTS OF INFORMATION SHARING AND COOPERATION

Panelists: William Casey, Patty Cogswell, Neal Latta, K.A. Taipale, and John Woodward

Moderator: Peter Higgins

In Session 5, panelists were asked to discuss a variety of issues related to biometric data sharing, including technical challenges as they relate to synchronicity and connectivity of data on the one hand and security and privacy of data on the other hand; policy considerations for sharing biometric data between agencies; and practical consideration of standards development and cross-jurisdictional cooperation. The following are some of the topics covered in this session:

  • Newly established and long-standing biometric data-sharing applications at the state, national, and international levels were described in the contexts of military defense, law enforcement, and immigration. Systems discussed included the Automated Biometric Identification System (ABIS), the Criminal Alien Identification System (CAIS), the Integrated Automated Fingerprint Identification System (IAFIS), and the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program.

37  

The test involved one-to-one verification between a seafarer’s biometric and the two fingerprints stored on the ID card. A false accept scenario consisted of stealing the issued IDs and being a close enough match to another seafarer’s stored biometric. Problems posed by larger databases, such as the legitimacy of issued IDs and other matching problems, were not part of the test. For more information, see International Labour Organization, 2004, Seafarers Identity Documents Convention (Revised), 2003 (No. 185), ILO Seafarers’ Identity Documents, Biometric Testing Campaign Report. Part I. Geneva. Available online at <http://www.ilo.org/public/english/dialogue/sector/sectors/mariti/sid.pdf>.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
  • Technical and policy challenges related to information sharing among large-scale biometrics systems were addressed, including data integrity and procedural analysis, consolidation of biometric information, and integration of databases.

  • Broader policy challenges of biometric information sharing also were discussed, including (1) the importance of evaluating biometric systems based on their context, purpose, and the policies they serve; (2) establishing criteria to determine the usefulness of data for decision making; and (3) instituting careful procedures for maintaining and sharing digital records.

Automated Biometric Identification System

The Automated Biometric Identification System (ABIS), a new biometric identification system designed by the Department of Defense (DOD), was described as a system modeled after the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) (see Box 2.5) for the collection, storage, and sharing of overseas biometric data within the military and with other government organizations for counterterrorism purposes. A guiding concept for the system was described as “identity dominance,” or the use of biometrics to increase the level of confidence in the linkages between individuals and their previous identities, criminal histories, or terrorist activities in the United States and in other countries.38

The conceptual architecture of ABIS, similar to the information architecture of IAFIS, aims to integrate into one database information (in electronically searchable format) from operations and other sources that has been gathered by combatant commands (COCOMs). The collected biometric data would include 10 rolled fingerprints, mug shots, and a DNA sample. The DNA sample, it was noted, would be handled separately; fingerprints and mug shots would be stored in ABIS and searched against the ABIS database for possible matches. The fingerprints also would be shared with the FBI, according to information-sharing policies, and searched against the FBI’s IAFIS database to identify any matches with existing U.S. criminal records.

ABIS was described as a type of “biometric-based identity management service provider” in the situation where DOD determines if any samples match and sends those results to other national security organizations on a need-to-know basis. There is also general interest in developing procedures for sharing information with the Department of Homeland Security (DHS). Since becoming operational in the summer of 2004, ABIS has been used to identify individuals in Iraq as former detainees and as individuals with U.S. criminal histories.

Criminal Alien Identification System

As presented by one of the panelists, the Criminal Alien Identification System (CAIS) is a pilot biometric information-sharing system within the Boston Police Department that was developed to recognize foreign-born individuals illegally residing in the United States and to facilitate access to information about immigration violations.39 The panelist described the process as follows: When an individual is arrested on any charge, 10 rolled fingerprints, mug shots, and information on distinguishing features such as tattoos are entered and stored in CAIS. The same information is entered in the Massachusetts State Police Department’s Automated Fingerprint Identification System (AFIS), the FBI’s IAFIS (see Box 2.5), and, if necessary, shared with Immigration and Customs

38  

Identity dominance is analogous in some ways to the concept of identity management discussed in Session 1.

39  

Based on a study conducted by the Boston Police Department, 19 percent of its arrestees had immigration issues of varying seriousness.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

Enforcement (ICE).40 These data are searched against the FBI’s IAFIS database, with responses generally returning in 15 to 20 minutes.41 If the arrestee was not born in the United States, the information is sent to ICE in Boston, which begins an investigation. For serious crimes, Interpol also has fingerprint search capability across multiple jurisdictions. The panelist also noted that the Boston Police Department audits department practices and issues sanctions for data misuse.

BOX 2.5
Integrated Automated Fingerprint Identification System

As described by several panelists, the FBI’s Integrated Automatic Fingerprint Identification System (IAFIS) criminal master file is a criminal law enforcement technical capability with a database consisting of over 48 million electronically searchable sets of fingerprints and corresponding criminal history information on individuals arrested in the United States for a felony or serious misdemeanor charge.1 The panelists highlighted some of the system capabilities that facilitate the linking of past criminal records across jurisdictions and contribute to a high degree of accuracy and effectiveness in biometric identification. IAFIS became operational in July 1999.

The panelists described the information entered into IAFIS during the criminal booking process as including 10 rolled fingerprints and a mug shot. They noted that the FBI receives around 25,000 criminal fingerprint submissions per day from law enforcement at the local, state, and federal level and around 25,000 civil requests from DHS, the Office of Personnel Management, school boards, etc. that are searched against IAFIS to determine if the individual has been involved in any previous criminal activities.2 Unlike the criminal transactions, the majority of the civil search transactions are not entered into the IAFIS repository. As most information that is entered into the databases, including criminal bookings, investigations, and other operations and information3 comes from state and local police departments,4 the panelists emphasized the importance of the advisory policy process conducted by the FBI’s Criminal Justice Information Services (CJIS). The advisory policy board—consisting of local and state representatives—serves to advise the FBI on data management issues and has worked to develop standards, perform audits of state repositories, and issue sanctions for misuses of data.

1  

In addition to storing criminal fingerprints in IAFIS, the panelists noted that military fingerprints are also stored in the database but are not searched routinely in criminal cases. Federal employees’ and police officers’ fingerprints also are enrolled in the database, but not all are in electronic form. Furthermore, IAFIS contains fingerprints for both living and deceased individuals (albeit with conservative criteria by which a set of prints may be marked as belonging to a deceased individual).

2  

Law enforcement studies have found that 62 percent of arrestees have a previous criminal history.

3  

The FBI is the repository of U.S. criminal data, including fingerprints, the Interstate Identification Index, national files for warrants, sex offenders, etc.

4  

The Boston Police Department was the first agency to send fingerprints electronically to the FBI in 1995, an early implementation of an IAFIS function.

40  

The information is also shared with the Commonwealth of Massachusetts Probation Department and the Suffolk County District Attorney.

41  

The panelist indicated that since 2002, 62,000 arrests had been processed, including 8,153 flagged individuals. Among these were 43 with illegal reentries, 166 with outstanding warrants for removal, 51 with overstayed visa waivers, 207 in removal proceedings, 19 who had been granted relief or whose proceedings had been terminated, and 377 foreign juveniles.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

United States Visitor and Immigrant Status Indicator Technology

As discussed in this session, the US-VISIT program42 centers on issues of immigration and border management during preentry, entry, status management, and exit procedures. In contrast to criminal law enforcement applications, US-VISIT aims to collect, maintain, and share information, including biometrics information, on foreign nationals to help determine who should be permitted to enter, who should be removed, and who should be provided special protection, such as refugees.43 One of the largest and busiest deployments,44 US-VISIT captures and stores a digital photograph and two electronically scanned fingerprints for each entrant.

The panelists noted that a core component of US-VISIT45 is the Biometric Identification System (IDENT) database of the Department of Homeland Security (DHS). The IDENT database, separate from the IAFIS database, comprises several databases, including the following:

  • The US-VISIT enrollment database containing biometric information and allowing verification of an individual’s records upon entry and exit.

  • A watch list and lookout database with information related to terrorists, wanted criminals, sexual offenders, immigration violators, and international fugitives, among other categories. This database is populated with information from the FBI, state or local authorities, DHS, the Department of State, and Interpol.

  • A recidivist database46 containing information (for example, the number of illegal border crossings) about previous DHS apprehensions that does not qualify for entry into the IAFIS or watch list databases.

42  

The Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) Section 110 created the US-VISIT program in September 1996. Subsequent legislation expanding the program requirements includes the Data Management Improvement Act (DMIA) of 2000; the Visa Waiver Permanent Program Act in 2000, the USA Patriot Act and the Aviation Transportation Security Act in 2001, and the Enhanced Border Security and Visa Entry Reform Act in 2002. More recently, the Intelligence Reform and Terrorism Prevention Act in December 2004 added the requirement to expedite the addition of a biometric to the entry and exit system.

43  

The panelists indicated that since the beginning of the US-VISIT program in January 2004, there have been 5,342 watch list hits, with a 1 percent error rate, out of more than 4.2 million visa applications. At entry, for travelers who are not entered in the systems, 2,375 watch list hits have resulted from the 18.9 million travelers processed. As for the identity verification of travelers, among those who had been previously enrolled, there have been 11,622 mismatches out of about 4.4 million one-to-one matches. For status management, 175,234 new watch list records have been generated, with 131 hits against entry records, 86 hits against visa records, 165 cases referred to ICE, and 4 arrests. Identity verification at the border has resulted in 11,600 false matches among the 4,369,569 one-to-one matches performed. The number of travelers processed through exit controls via an automated kiosk was 355,967, resulting in 54 watch list hits, with no stops or arrests. IDENT has made seven identifications. The panelists noted that all watch list matches, based on a threshold level set by NIST guidelines, go to secondary processing, where human examiners determine if the match is true, false, or a mismatch.

44  

As of January 2004, US-VISIT was operational at 115 airports and 15 seaports; as of December 2004, coverage included 50 land border ports of entry, with the remaining 115 to be covered by December 2005.

45  

US-VISIT includes the interfacing and integration of over 20 existing systems, including, among others, the Arrival Departure Information System (ADIS), storing traveler arrival and departure information; the Advance Passenger Information System (APIS), containing arrival and departure manifest information; Computer Linked Application Information Management System 3 (CLAIMS 3), holding information on foreign nationals who request benefits; the Student Exchange Visitor Information System (SEVIS), containing information on foreign students in the United States; and the Consular Consolidated Database (CCD), containing information about whether an individual holds a valid visa or has previously applied for a visa.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

The US-VISIT process was described as follows: During the preentry phase, information on the visa applicant is captured at an overseas consulate and searched against the IDENT and watch list databases. At the point of entry, an individual is enrolled and a search is performed against only the watch list database. The response time for issuance of a visa at a consulate is, on average, approximately 15 minutes; at the point of entry, responses are returned in approximately 10 seconds.47 Other potential program capabilities include generating an exit record of visitors48 based on one-to-one verification and status management and maintaining an accurate record of changes in an individual’s residence eligibility (for example, marriage to a U.S. citizen) or ineligibility (for example, an expired visa or other immigration violation). The panelists explained that status management consisted of checking IAFIS records (including the new criminal records, which are updated every 24 hours) and the 1.8-million-entry watch list database against the 14-million-entry US-VISIT database to identify new watch list records and to pursue investigations. Requirements for the future evolution of US-VISIT include biometric comparison and travel document authentication for both U.S.-issued travel documents to permanent residents, such as refugees, and visa-waiver program passports issued by other countries.49 A privacy protection program for US-VISIT was also discussed that included information use rules and notification requirements, redress policies to request corrections of errors, and privacy impact and privacy risk assessments. There is ongoing work to develop information-sharing models with other governments, such as the Enhancing International Travel Security program, intended to enable governments to validate “good” people, not just to identify the “bad.”

Policy Challenges Related to Large-Scale Systems

Technical and policy challenges raised by information sharing among large-scale biometrics systems were also discussed. Such challenges include maintaining data integrity, consolidation of biometric information, and integration of databases. Participants also underscored the importance of clearly defining the purpose of a system before adding new requirements to the existing system.

The panelists indicated that to ensure military and civilian agencies are collecting data to the necessary technical standards would require the development of policy to determine that the data are being collected uniformly and by high-quality, sufficiently-trained staff using proper equipment. Panelists also stressed the need to improve the quality of information transmission to facilitate decision making. However, improvements to the analysis procedure also require other organizations to perform intelligence link analysis50 quickly, which is often difficult given the different missions of the different agencies. For instance, the US-VISIT program operates under certain efficiency constraints, given the need to manage the flow of travelers quickly. When individuals are held in custody suspected of wrongdoing, such as occurs in law enforcement and military operations, more time may be available to return results. Participants noted that the Defense Science Board is

46  

The recidivist database, which began in 1994, is the original biometric foundation of US-VISIT and has grown with the addition of the biometric enrollment database.

47  

Currently, more then 25,000 people a day are biometrically checked as part of the visa process. Since January 2004, there have been more than 4 million visa applications. At entry, approximately 75,000 people a day are run through the US-VISIT system.

48  

The panelists noted that the exit record may also be used for identification against watch lists, but it will not be used to enable enrollment.

49  

One factor that could delay the implementation of these requirements is the current difficultly most visa waiver countries are experiencing to meet the deadline and the inability of the United States to acquire readers for these passports.

50  

Intelligence link analysis refers to the process of associating other pieces of data with the biometric match.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

beginning to address improvements in the communication of results from the biometric information captured and stored in different agency databases.

The panelists suggested that the greatest challenges in integrating databases were not only the differences in the number of samples (e.g., prints) collected, the time constraints, and conditions of the facilities51 but also the different contexts in which the information is collected. For instance, IDENT/US-VISIT is generally used in a context where people have incentives to tell the truth and describe their real identities; IAFIS is not. Additionally, individuals in the US-VISIT database are not usually in IAFIS, because they are not likely to have been charged with a crime in the United States.

As the information that a system collects will depend on its intended use, some participants stressed that it is important to clearly identify the problems that the system intends to address before the collection of biometric information is consolidated across government agencies. For instance, the information DHS collects regarding the entry of a foreigner is not necessarily related to the threat that individual poses to a plane, a separate area in which DHS also collects information. Panelists suggested that existing problems should be defined and the best technology should be selected before missions change or are expanded.

Broader Technical and Policy Challenges Related to Biometric Information-Sharing Systems

In examining the broader goals for and challenges of biometrics systems, the importance of evaluating such systems with respect to their purposes and context was stressed, along with the need for policies to establish appropriate error rate goals or thresholds, facilitate the identification of potential sources of error, and promote a better understanding of what improvements biometric systems offer over existing security, access control, and other systems (see Session 3). Furthermore, it was suggested that the scope of the difficult policy problems that should be addressed extends beyond issues of biometric technology and system accuracy to considerations of the usefulness of the data for decision making and to policies for maintaining and sharing digital records.

There was a discussion on the adequate alignment of policy and technological capabilities. Not only is it economically infeasible from a technology and policy perspective to have an error rate of zero, but also such an error rate requirement would imply that no risk assumptions need be considered in designing policy. As both systems and policies must be designed to accommodate failure, it was suggested that redundancies and error handling procedures should be created for both. Additionally, the interaction between the technology—a tool for a particular purpose—and the system must be considered, because the technology choice may also have policy implications. For instance, when liveliness is being screened for (to ensure that the biometric information being detected comes from a living human being), it may be easier for an attacker to emulate liveliness than to defeat or circumvent nonliveliness detection. Given the tight coupling between the technology selection and policy goals, it was suggested that the explicit biometric technology designations in recent legislation might be too specific for Congress to mandate effectively.

In addition to the potential sources of error previously identified in the workshop (see Session 1), it was suggested that human factors should also be considered in addressing insider threats. By some measures, 70 percent of IT system breaches or compromises are reportedly attributable to insider threats. All systems are subject to both intentional and unintentional errors. Participants discussed the

51  

It was noted that military field facilities for capturing biometrics differ significantly from those for law enforcement booking and DHS. Currently, the National Institute of Justice has an initiative to design equipment capable of taking 10 high-quality rolled fingerprints accurately in 10 seconds.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

trade-offs between secrecy and security: When is openness necessary (for example, in terms of algorithms or error rates) to achieve a robust system, and when is secrecy a better strategy?52

It was emphasized that understanding the intended purpose of a biometric system—be it security, “security theater,” or social control—is necessary to properly appraise the system’s effectiveness. Security theater (for example, requiring display of a driver’s license to enter a building, or removal of shoes before entering an airport boarding area—provides little real security protection but may have social value by allowing people to feel more secure. On the other hand, while improving the document security and issuance processes for driver licenses might be worthwhile, there is a need to clarify the purpose of such measures and to carefully distinguish between measures aimed at increased social control and measures aimed at counterterrorism or national security. For instance, the proposed provision of the Real ID Act that requires states to issue drivers’ licenses only against proof of legal U.S. residence may begin to address issues of illegal immigration. However, it also may exclude a significant portion of the population from the driver’s license system and from any identification systems based on drivers’ licenses, preventing the identification of such individuals after the fact. One consequence of this may be to increase the size of the suspect pool that law enforcement and national security resources must be devoted to.

Several participants emphasized that biometrics may improve identification procedures but are not a panacea. Different types of identification have different characteristics, and determining which type is appropriate will depend on the application. Verification of a claim of enrollment, for instance, stands in contrast to identification of a person without an enrollment claim. The former, verification of an enrollment claim, serves to verify the individual identity, often with the subject retaining control over his or her own information. In the latter, identification without an enrollment claim, additional data are attributed and tied to an individual based on biometric identifiers, with third parties generally controlling data attribution and reputation of the subject.53

With respect to limiting identity theft, it was suggested that claim verification, where individuals have an incentive to control their reputation, might be more useful than a system in which biometrics are aggregated in a database and later sold, which would not be much better than current processes that aggregate and sell SSNs. With respect to security screening, when attempting identification absent a claim, there are concerns not only about the accuracy of the biometric identifier but also about the usefulness of data that are linked to an identity and used by the system for decision making.54 If a watch list is being employed, the integrity and usefulness of the data (and by extension the list itself) will depend on the criteria for inclusion on the watch list, on who has responsibility for different segments of a presumably integrated list, and on policy limits that prevent the inclusion of minor offenses that might dilute the data.55

Various issues related to information sharing were identified, including clarifying the role of privacy and the differences between the rules for preemption and counterterrorism and those for due process in criminal prosecutions. Several principles for information sharing and biometric system use were offered, including these:

52  

For a recent take on this issue, see Peter Swire, 2004, “A model for when disclosure helps security: What is different about computer and network security?” Journal on Telecommunications and High Technology Law, Vol. 2. Available online at <http://ssrn.com/abstract=531782>.

53  

Participants suggested that clear policy rules and mechanisms are needed for managing reputation elements and more general data in systems, for matching systems to needs, and for addressing data issues such as transience (or how long information should be maintained) and error correction.

54  

The panelist suggested that data mining presents the reverse problem, as data are used to try to reveal the legal identity; biometric systems begin with the identity to try to reveal the data.

55  

For an overview of problems that can arise with watch lists see, K.A. Taipale, 2004, “Public safety vs. personal privacy: The case for and against secure flight,” presented at the InfoSecurity 2004 conference in New York on December 8. Available online at <http://www.stilwell.org/presentations/CAS-InfoSec2004.pdf>.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
  • Make clear the purpose of the system and how potential intrusion on rights is balanced with functional requirements.

  • Identify alternatives and choose less intrusive means to accomplish the objective once the technology has been selected.

  • Ensure the ability to correct errors in the system.

  • Design system policies that appropriately consider the consequences of different system errors (for example, the consequence of someone gaining access to an airplane versus the consequence of someone’s flawed prosecution and wrongful incarceration).

It was emphasized that the lack of clear policies and rules creates problems, particularly because preemptive counterterrorist actions take place in a context that presumes the innocence of foreign travelers and U.S. citizens.

Several principles were offered for biometric system use. First, do no harm. Understand the system design and features that are necessary for the policy purpose. For instance, do not build systems that center on identification rather than security if the rationale for the system is security. Second, limit the harm. Include only those features that are necessary to support the system purpose and process. Third, be aware of unintended consequences (see Session 3). Consider when transaction records are necessary, when they are not, and when records should expire. Additionally, it was suggested that technical systems should include “policy appliances,” or mechanisms that (1) permit an intervention point for human beings to make a decision to control data sharing and (2) provide a technical means for carrying it out, which can be adjusted depending on the particular application, threat level, etc.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×

This page intentionally left blank.

Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 5
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 6
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 7
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 8
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 9
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 10
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 11
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 12
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 13
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 14
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 15
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 16
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 17
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 18
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 19
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 20
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 21
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 22
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 23
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 24
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 25
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 26
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 27
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 28
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 29
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 30
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 31
Suggested Citation:"2 Summary of Panel Sessions and Presentations." National Research Council. 2006. Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems. Washington, DC: The National Academies Press. doi: 10.17226/11573.
×
Page 32
Next: Appendix A Workshop Agenda »
Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems Get This Book
×
Buy Paperback | $29.00 Buy Ebook | $23.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Biometrics—the use of physiological and behavioral characteristics for identification purposes—has been promoted as a way to enhance security and identification efficiency. There are questions, however, about, among other issues, the effectiveness of biometric security measures, usability, and the social impacts of biometric technologies. To address these and other important questions, the NRC was asked by DARPA, the DHS, and the CIA to undertake a comprehensive assessment of biometrics that examines current capabilities, future possibilities, and the role of the government in their developments. As a first step, a workshop was held at which a variety of views about biometric technologies and systems were presented. This report presents a summary of the workshop’s five panels: scientific and technical challenges; measurement, statistics, testing, and evaluation; legislative, policy, human, and cultural factors; scenarios and applications; and technical and policy aspects of information sharing. The results of this workshop coupled with other information will form the basis of the study’s final report.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!