Reading the Fine Prints
Posted: 08.01.05 - By Arielle Emmet

On the coattails of the U.S.A. Patriot Act, the Enhanced Border Security Act, the Visa Entry Reform Act, the Real ID Act and many other laws and regulations aimed at ferreting out spooks, spies, terrorists, identity thieves and even average citizens who drive cars or use library search tools to cruise the Internet, the United States has entered the era of biometric authentication.

A year ago, many announced systems were in the development stage. Now, large numbers of government and commercial deployments are becoming a reality, including voice verification systems, mobile fingerprint sensors available on IBM/Lenovo and HP laptops, mobile iris and retinal scanners, smartcards, facial recognition surveillance systems, palm prints and even crime databases composed of snippets of DNA code.

“Because of the laws that have been passed, we’re going to biometrically identify all the people who are coming into this country,” explains Melinda Morris, a partner/sales manager at Exton, Pa.–based DataStrip, a producer of standalone mobile biometric authentication devices based on fingerprint identification. “There are major changes in the numbers of actual deployments, the implementations of smartcard systems for authentication and security to campus access, and the adoption of mobile biometrics, either standalone or wirelessly enabled using systems such as GSM or GPRS.”

Beginning in October 2006, all travelers passing through U.S. ports of entry will be required to present biometric passports, complete with digital facial photographs and fingerprints embedded on a passport chip. By 2008, all U.S. drivers will be getting a biometric driver license, the first national ID card regardless of the state in which they live. A federal mandate known as the Real ID Act, passed in May 2005 by Congress without much ballyhoo, will concentrate an unprecedented amount of U.S. citizen biometric identity data, including digitally encoded photographs, into the hands of federal and state law enforcement and intelligence agencies.

Although the avowed purpose of the biometric license mandate is to provide common machine-readable technology that makes it faster and easier for police officers to confirm criminal or terrorist identities, almost certainly electronic snooping and sales of the data into vast commercial databases (i.e., credit checking and private insurance companies) will result, say a number of security experts. “This will, of course, make identity theft easier,” observes Bruce Schneier, an internationally recognized security expert, founder and CTO of Counterpane Internet Security and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World. “Assume that this [biometric] information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom.” ChoicePoint is one of the largest consumer, public record and business credit verification companies in America. Acxiom, a Little Rock, Ark.–based $1 billion provider of consumer data and customer information management systems, had its computers hacked over a two-year period by a 24-year-old data systems administrator, Daniel Bass, who was in possession, Cincinnati detectives discovered, of CDs containing the personal data of millions of Americans. Writes Schneier: “It actually doesn’t matter how well the states and federal government protect the data on driver’s licenses, as there will be parallel commercial databases with the same information.”

Privacy vs. Security

Tim Sparapani, the legislative counsel for privacy rights at the ACLU, argues that the federal collection and storage of local and state biometric information is a dangerous upending of Fourth Amendment privacy rights. “People have the right to be left alone unless the government has a suspicion based on real observation that the person officers are trying to seize is guilty of a crime or has done something for which they could be proven criminally liable,” he says. “Instead, the government is now blanketing the collection of individuals’ most sensitive information and turning the Fourth Amendment on its head. It’s exactly the opposite of what traditional law enforcement has always done and should do.”

To be clear, civil liberty and privacy groups such as the ACLU do not oppose the application of precision biometrics to authenticate identities on a limited basis—for example, retinal or iris scans, which are extremely accurate and less prone to fraud—provided the information is immediately expunged once verification is complete, suggests Sparapani. It’s the relentless pooling of digital fingerprint, iris and DNA data that presents a danger for abuse. “The average American would be shocked to know that [biometric] technology is not only catching up to science fiction, but the government is actively trying to procure it from both government and commercial sources,” he explains. “We do know, for example, that digital fingerprints can be stolen and then duplicated and copied. And so we believe it’s dangerous to rely on [biometric data] as a security mechanism.”

The Eyes Have It

Not all experts agree. A source who wished to remain anonymous says that biometric data make it easier to identify and exonerate the innocent. “A typical example would be the verification of Iraqi election workers,” he says. “People who wanted to work on the day of the election in polling places were enrolled using an iris recognition unit, checked and vetted. On the day of the election, when they showed up for work, security [checked their identities with the iris scan again]. That way you’re positive it’s the right person.” In a high-security environment, he continues, “a rugged handheld device can do enrollments and iris recognition without screening the whole Iraqi population, just a particular portion.”

Do biometrics represent “dark” technology, he asks? “I think of it as technology that exonerates individuals as much as looks for evil aspects of the population. It’s a robust technology that policy makers are deciding how effectively to use or not to use.”

The technology of mobile iris recognition is particularly promising, according to ophthalmic experts in the field. Irises are among the most unique and individuated anatomical structures on the body. Moreover, the differences in irises are not simply a matter of genetics; they result from a haphazard confluence of structural changes after birth (these changes are known as epigenetic). Irises become unique because of “random patterns created by arching ligaments, furrows, ridges, crypts, zigzags, sometimes freckles, coronas and a zigzag collarette,” according to John Daugman, a University of Cambridge professor and inventor in the 1990s of the original mathematical algorithms used to describe iris patterns. Another benefit is that it is comparatively easy for computer vision algorithms to find eyes in faces and track them. Among public field tests involving millions of iris comparisons, Daugman writes, “There has never been a single false match recorded.”

Most iris recognition companies say that the technology has better than 99.99 percent reliability. “Mostly the market has perceived it as being too advanced,” says SecuriMetrics’ Hanson. “The iris is one of those ‘when you absolutely positively need to know that the person is who he claims to be’ technologies.” The commercialization of iris recognition has primarily been for defense, but hospital facilities are also deploying iris recognition to comply with U.S. Health Insurance Portability and Accountability Act regulations to restrict access to medical records, according to officials at Iridian Technologies.

Many standalone systems are being ported to mobile devices, such as laptops and PDAs used at bedside. In addition, says Hanson, ruggedized biometrics are being combined in integrated units to increase accuracy rates. The U.S. Department of Defense initiative known as HIIDE (the Handheld Interagency Identity Detection Equipment), enacted last year, calls for a “single handheld device doing iris, fingerprint and facial recognition using standard algorithms,” Hanson says. “Actually, the device is algorithm agnostic. It’s a handheld device and there’s a computer inside it so the database can be stored on the device or offloaded to a separate host.” The algorithms will be adapted to domestic and international applications for high-security environments.

A Finger on Mobile Biometrics

Many other changes are taking place in biometrics, both mobile and stationary. Among the trends and technologies to watch:

•This year Motorola partnered with DataStrip to produce a radio-enabled mobile biometric standalone unit combining DataStrip’s expertise in fingerprint detection with 802.11 wireless within the vehicle. Up to 5,000 fingerprint records can be stored within the unit, and transmitting digital fingerprints for matching can also be done via standard police radio networks. “We capture an image and extract fingerprint minutiae, including fingerprint ridge endings and bifurcations, then transmit the minutiae in a form 10 times smaller [than the original],” says DataStrip’s Melinda Morris. The Mobile AFIS technology can be 99 percent accurate, depending on how many fingers are used; hardware for AFIS fingerprint sensors ranges from DataStrip’s custom units to standard HP iPAQ hardware.

•IBM/Lenovo and HP have integrated biometric fingerprint sensors in selected laptop and PDA models. Clain Anderson, program director for wireless and security for Lenovo, which acquired IBM’s PC division, says that planning for a biometric fingerprint sensor began more than two and a half years ago, and that prices have dropped sufficiently to where the technology can now be incorporated in laptops for $50. The sensor, initially released for the ThinkPad T-42 last October and now the T-43 and X-41, uses a silicon-based multilayer device that reads the capacitance and electrical properties of subcutaneous skin layers to increase the accuracy of the scan, which he says is statistically one in 10,000 false matches and one in 20 false rejects (in which case the user must swipe the finger again). Streamlining authentication and password protection is the primary motivator for consumer and business purchase, says Anderson, and demand has been tremendous.

•HP has a suite of security tools known as HP ProtectTools, which includes biometric fingerprint sensing from AuthenTec, a leading sensor hardware producer, as well as embedded security chips, smartcards and other wireless and network security protections. In June 2005, the company released the NX 6125 Notebook PC, geared toward small and medium-size businesses, its first notebook with an integrated fingerprint biometric sensor.

•Lexar Media licensed Cogent Systems’ mobile fingerprint sensing algorithms to produce the Lexar Media Touchguard, a secured USB flash drive that protects data with a fingerprint. The model incorporates a swipe sensor and AES encryption for the USB flash drive. Sold by Best Buy, the product won Time magazine’s Best Gadgets of 2004.

•Voice verification systems are being commonly deployed for field service and financial user authentication at companies such as Telus and Bell Canada, AIM Funds and Austar, according to Laura Marino, director of product management and marketing at Nuance, a leading speech technology company. Nuance’s technology provides an accurate algorithmic comparison between original voice print templates recorded for a user and distortions that might occur in a voice signal from any of a number of different phones and signal “channels” (i.e., wireless/wireline). “It doesn’t matter whether you use your own cell phone or your office phone to make a call into the system. Our engine uses acoustic modeling and algorithms to detect channel differences in voice quality and adjust for the fact that you may have enrolled in a different channel,” Marino says. Voice verification is an ideal technology for remote authentication when fingerprinting, iris scans or other physical biometrics are not practical, she adds.


Leisure Publications