CHALLENGES AND OPPORTUNITIES
Joseph N. Pato and Lynette I. Millett, Editors
NATIONAL RESEARCH COUNCIL
OF THE NATIONAL ACADEMIES
THE NATIONAL ACADEMIES PRESS
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W.
Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
Support for this project was provided by the Defense Advanced Research Projects Agency (Award No. N00174-03-C-0074) and by the Central Intelligence Agency and the Department of Homeland Security with assistance from the National Science Foundation (Award No. IIS-0344584). Any opinions expressed in this material are those of the authors and do not necessarily reflect the views of the agencies and organizations that provided support for the project.
International Standard Book Number-13: 978-0-309-14207-6
International Standard Book Number-10: 0-309-14207-5
Copies of this report are available from
The National Academies Press
500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 800/624-6242 202/334-3313 (in the Washington metropolitan area) http://www.nap.edu
Copyright 2010 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.
WHITHER BIOMETRICS COMMITTEE
JOSEPH N. PATO,
IBM Almaden Research Center
JOSEPH P. CAMPBELL,
Massachusetts Institute of Technology, Lincoln Laboratory
GEORGE T. DUNCAN,
Carnegie Mellon University
GEORGE R. FISHER,
STEVEN P. GOLDBERG,1
Georgetown University Law Center
PETER T. HIGGINS,
Higgins & Associates, International
PETER B. IMREY,
Cleveland Clinic and Case Western Reserve University
ANIL K. JAIN,
Michigan State University
The Walt Disney World Company
LAWRENCE D. NADEL,
JAMES L. WAYMAN,
San Jose State University
LYNETTE I. MILLETT, Senior Program Officer
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
ROBERT F. SPROULL,
STEVEN M. BELLOVIN,
SEYMOUR E. GOODMAN,
Georgia Institute of Technology
JOHN E. KELLY III,
JON M. KLEINBERG,
Carnegie Mellon University
Radcliffe Institute for Advanced Study
DAVID E. LIDDLE,
US Venture Partners
WILLIAM H. PRESS,
University of Texas, Austin
DAVID E. SHAW,
D.E. Shaw Research
ALFRED Z. SPECTOR,
JOHN A. SWAINSON,
Massachusetts Institute of Technology
PETER J. WEINBERGER,
ERNEST J. WILSON,
University of Southern California
JON EISENBERG, Director
VIRGINIA BACON TALATI, Associate Program Officer
SHENAE BRADLEY, Senior Program Assistant
RENEE HAWKINS, Financial and Administrative Manager
HERBERT S. LIN, Chief Scientist
EMILY ANN MEYER, Program Officer
LYNETTE I. MILLETT, Senior Program Officer
ERIC WHITAKER, Senior Program Assistant
ENITA A. WILLIAMS, Associate Program Officer
For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at firstname.lastname@example.org.
In a variety of government and private domains biometric recognition is being promoted as a technology that can help identify terrorists, provide better control of access to physical facilities and financial accounts, and increase the efficiency of access to services and their utilization. Biometric recognition has been applied to identification of criminals, patient tracking in medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition, as well as the appropriateness and societal impact of their use. Moreover, the general public has been exposed to biometrics largely as high-technology gadgets in spy thrillers or as fear-instilling instruments of state or corporate surveillance in speculative fiction.
Now, at the beginning of the second decade of the twenty-first century, biometric technologies appear poised for broader use. Increased concerns about national security and the tracking of individuals as they cross borders have caused passports, visas, and border-crossing records to be linked to biometric data. A focus on fighting insurgencies and terrorism has led to the military deployment of biometric tools to enable recognition of individuals as friend or foe. Commercially, finger-imaging sensors, whose cost and physical size have been reduced, now appear on many laptop personal computers, handheld devices, mobile phones, and other consumer devices.
In 2001 the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) formed a committee whose 2003 report Who Goes There? Authentication Through the Lens of Privacy, considered several authentication technologies, one of which was biometrics. After the publication of that report, the CSTB held several discussions with various federal agencies interested in biometrics. Jonathon Phillips (then at the Defense Advanced Research Projects Agency (DARPA)), Gary Strong (then at the Department of Homeland Security (DHS)), and Andrew Kirby (of the Central Intelligence Agency (CIA)) actively participated in the discussions and helped to move them forward. The discussions resulted in agreement to undertake this comprehensive assessment of biometrics (see Appendix C for the project’s original statement of task). Funding for the project was obtained from DARPA and from the CIA and the DHS with assistance from the National Science Foundation. The Whither Biometrics Committee was formed to conduct the study.
The Whither Biometrics Committee consisted of 13 members1 from industry and academia who are experts in different aspects of distributed systems, computer security, biometrics (of various flavors), systems engineering, human factors, the law, and statistics, as well as in computer science and engineering (see Appendix A for committee and staff biographies).
Early in the study the committee organized a public workshop. Held on March 15 and 16, 2005, in Washington, D.C., the workshop was attended by members of industry, government, and academia and reported on by the committee in Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems.2 In the course of the study, inputs were gathered on the challenges, capabilities, and requirements of biometric systems as well as related policy and social questions. This report draws on what was learned at the workshop and in subsequent briefings to the committee.
The report makes two main points. First, developers and analysts of biometric recognition systems must bear in mind that such systems are complex and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. The automated recognition of individuals offered by biometric systems must be tempered by an awareness of the uncertainty associated with that recognition. Uncertainty arises in numerous ways in biometric systems, including from poor or incomplete
understanding of the distinctiveness and stability of the traits measured by biometric systems; the difficulty of characterizing the probability that an imposter will attack the system; and even the attitudes of the subjects using the systems—subjects who may have become conditioned by fictional depictions to expect, or even fear, that recognition will be perfect. Consequently, even when the technology and the system it is embedded in are behaving as designed, there is inevitable uncertainty and risk of error. The probabilistic nature of biometric systems also means that the measured characteristics of the population of intended users (those the system is designed to recognize) matter and affect design and implementation choices.
This report elaborates on these themes in detail and is aimed at a broad audience, including policy makers, developers, and researchers. For policy makers, it seeks to provide a comprehensive assessment of biometric recognition that examines current capabilities, future possibilities, and the role of government in technology and system development. For developers and researchers, the report’s goals are to articulate challenges posed by understanding and developing biometric recognition systems and to point out opportunities for research. Building on CSTB’s work on authentication technologies and privacy, it explores the technical and policy challenges associated with the development, evaluation, and use of biometric technologies and systems that incorporate them.
The committee members brought different and complementary perspectives to their efforts as they deliberated and solicited input from a number of other experts. The committee held six plenary meetings, including the workshop. It thanks the many individuals who contributed, including the project sponsors that enabled this activity. The committee also conducted three site visits, one to the Boston Police Department’s Identification Center, one to the U.S. Naval Academy, and another to Walt Disney World. The committee thanks those who came and briefed the committee at those meetings and site visits: Andrew Kirby, Joseph Kielman, John Atkins, Martin Herman, Duane Blackburn, Jean-Christophe Fondeur, James Matey, Sharath Pankanti, Jonathon Phillips, David Scott, George Doddington, Michele Freadman, Patrick Grother, Austin Hicklin, Nell Sedransk, Tora Bikson, David Kaye, Lisa Nelson, Peter Swire, Joseph Atick, Rick Lazarick, Tony Mansfield, Marek Rejman-Greene, Valorie Valencia, Cynthia Musselman, William Casey, Patty Cogswell, Neal Latta, K.A. Taipale, John Woodward, Jim Dempsey, Ari Schwartz, Michael Cherry, Mike Labonge, Richard Nawrot, Diane Ley, John Schmitt, Michael Wong, Vance Bjorn, Betty LaCrois, Ken Fong, Joseph Dahlbeck, Dennis Treece, and Lynne Hare. It appreciates briefers’ willingness to answer the questions they were asked and is grateful for their insights. Additional information was garnered from reviewing the published literature and
obtaining informal input at various conferences and other meetings. Input was also derived from committee members during the course of their professional activities outside the committee’s work.
It is with great sadness that we mourn the passing of our colleague and fellow committee member Steven Goldberg, who died just prior to this report’s publication. He was a valued member of our study team. His insights on science and the law and his collegial and constructive approach to interdisciplinary work are greatly missed.
We thank the sponsors who enabled this project, the reviewers whose constructive criticism improved the report, and the editor Liz Fikre for her help in refining the final draft of the report. The committee is grateful to the CSTB staff members whose work has made this report possible. The committee thanks Jon Eisenberg for his extensive helpful feedback throughout the process, Margaret Huynh for impeccable coordination of logistics, Kristen Batch for her work in assisting with our earlier workshop report, and Ted Schmitt, who helped structure early drafts of the final report. Finally, we thank Lynette Millett, Senior Program Officer, who has ably guided this project as study director from its inception and was essential to completing our work.
Joseph N. Pato, Chair
Whither Biometrics Committee
Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
Michael F. Angelo, Net IQ,
Ming Hsieh, Cogent Systems, Inc.,
Stephen Kent, BBN Technologies,
Sara Kiesler, Carnegie Mellon University,
Herbert Levinson, Transportation Consultant,
Steven Lipner, Microsoft Corporation,
Helen Nissenbaum, New York University,
Louise Ryan, Harvard School of Public Health,
Michael Saks, Arizona State University, and
Valorie Valencia, Authenti-Corp.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclu-
sions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Robert F. Sproull of Oracle Corporation. Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.