Patriot law puts federal eye on biometric use

Although the U.S. Patriot Act encourages agencies to spend IT funds for authentication security, they should avoid using these new technologies too quickly, both industry and federal officials warn.'We have an ethical obligation not to use technology that may in fact not stop the bad guy or may in fact bias and discriminate against innocent people,' said Larry Ponemon, head of the Privacy Council Inc. of Richardson, Texas.Biometric technology, a popular choice among agencies trying to boost security since the Sept. 11 attacks, is in its infancy, Ponemon said, and 'the risk we run is false comfort.'The privacy and technical issues also make the General Accounting Office's David McClure uncomfortable with agencies buying into biometrics too quickly. McClure, GAO's director of IT management issues, cautioned agencies that the Patriot Act 'doesn't give you carte blanche to just start applying technologies.'Ponemon and McClure suggested agencies conduct more research, study the nuances of the technology and figure out how they're going to use it.For every 1 million people in an airport's facial recognition biometric database, 40,000 or 50,000 might have to be 'wrestled to the ground, treated poorly' because of a technical error, Ponemon said.'By the time you got to the bad guy, he or she would have slipped away,' he said.David Temoshok, the General Services Administration's senior public-key infrastructure policy analyst and spokesman for the Federal Bridge Certification Authority, said the 2001 law gives agencies a reason to re-examine existing IT contracts and acquire strong authentication.The act calls for the attorney general, the secretaries of State and Treasury, the National Institute of Standards and Technology, and other federal law enforcement and intelligence agencies to certify a surveillance technology standard that can 'confirm the identity of a person applying for a United States visa or seeking to enter the United States pursuant to a visa.'No such system exists, but the law lets Congress appropriate $2 million toward its development.The State Department had put out a formal request for information before Sept. 11 for IT that would eliminate passport and visa fraud and digitize existing photographs. The agency has not yet issued a request for proposals.Some makers of the latest tools, along with government officials developing and testing the new technologies, are less critical of biometrics than Ponemon and McClure. They said how agencies adopt the tools affects their reliability as much as any other factor.Helena Wisniewski, chairwoman and chief executive officer of Aurora Biometrics of Rockville, Md., said she is keeping her eye on State's efforts and will submit a proposal to the Transportation Security Administration, which plans to issue its own RFP to implement biometrics on smart cards.'I believe that the biometrics are ready, and it's a matter of getting the procurements out,' Wisniewski said.Late last month, President Bush told Congress he would reallocate $760 million from the Federal Emergency Management Agency to TSA, according to information from the Office of Management and Budget.Wisniewski, a former researcher for the Defense Advanced Research Projects Agency, received an $8 million federal grant in 1997 to build an integrated system using facial recognition and intelligent software agents.'The Patriot Act has caused agencies to start focusing on securing biometrics,' Wisniewski said.That's a good thing, she added, because the technology is ready, although agencies aren't.'One way to show the effectiveness is to implement pilots within agencies,' she said. 'An operational setting is very different from laboratory testing.'Wisniewski suggested agencies track the work of the Defense Department's Biometrics Fusion Center, which is testing several devices, including her company's facial recognition technology.The center plans to move testing from its lab to field locations, said Linda Dean, chief of DOD's Biometrics Management Office. The center tests devices for physical and logistical access requirements and helps DOD's offices integrate biometrics into existing systems.Dean said the greatest threat to any integration effort is the failure to define a final objective.'Hasty adoption of any technology will result in substandard performance and lack of interoperability,' she said. 'This will dramatically increase costs and limit the capability of any technology.'That's the problem, McClure said. Biometrics is an emerging area, he said.DOD is ahead of all other agencies in its testing of biometric devices and making sure its offices know how to store, retrieve and use biometric data, McClure said. Other agencies need to figure out the best uses for biometrics in their respective programs, he said.Wisniewski said a key factor is how an agency plans to use a biometric tool. Facial recognition technology, for instance, is not good for surveying crowds, she said, because the success rate is 50 percent. But, it's great for access control, she said.DOD's Dean said the Patriot Act has raised the visibility of biometrics to a greater audience across government. 'As biometrics continues to increase in acceptance as a viable identification technology it will better serve the intentions of the Patriot Act,' she said.McClure also encouraged agencies to think about how their systems might be evaded. He cited a cryptographer who created a fingerprint out of a gelatin mold that fooled fingerprint readers 80 percent of the time. Agencies must pay attention to vulnerabilities in the use of even fingerprints, which many consider a tried and tested biometric, he said.Dean noted that methods exist to guard against such evasion.The primary answer is so-called live-ness testing, she said. Agencies need to test systems to prevent, for instance, someone being able to use a snapshot to foil a facial recognition application, Dean said. Likewise, a fingerprint reader can incorporate a heat sensitivity mechanism to gauge the presence of a real finger versus a gelatin one.Agencies also will need to consider layering technologies, mixing the use of biometrics tools with tokens, personal identification numbers and pass codes, Dean said. Finally, any biometrics approach demands corresponding implementation policies and guidance, she said.Ponemon said it's not just a technology issue. Agencies must also reduce human error; 'we have to be there behind those machines.'The biometrics tools will be aids not replacements for security personnel. 'The human factor will never be diminished,' he said. The people using the systems still need to have the skills to 'smell, feel or sense the bad guy.'