Irisrecognition technology relies on the distinctly colored ring thatsurrounds the pupil of the eye. Irises have approximately 266distinctive characteristics, including a trabecular meshwork,striations, rings, furrows, a corona, and freckles. Typically,about 173 of these distinctive characteristics are used in creatingthe template. Irises form during the eighth month of pregnancy andare thought to remain stable throughout an individual's life,barring injury.
These systems usually use a small camerato take a black-and-white, high-resolution image of the iris.Algorithms then define the boundaries of the iris and create acoordinate grid over the image. All the selected characteristicswithin the zones are then stored in a database as the individual'sbiometric template.
Irisrecognition units -- typically used to authorize physical access to aplace -- cost about $2,000 per unit. Putting together a comprehensiveiris recognition system would cost far more, and involves hardware,software, and licensing costs.
Irisrecognition technology is relatively easy to use and can processlarge numbers of people quickly. It is also only minimallyintrusive. However, colored or bifocal contact lenses may hinderthe effectiveness of the iris recognition system, as may strongeyeglasses. Glare or reflections can also be problematic for thecameras. In addition, people with poor eyesight occasionally havedifficulty aligning their eyes correctly with the camera. Finally,people who have glaucoma or cataracts may not be able to reliablyuse iris recognition technology.
TheUnited Arab Emirates (UAE) has found iris recognition to be aneffective overt security means for preventing expelled foreignersfrom re-entering the country. The UAE faced a situation in which anexpelled foreigner would return to his or her home country andlegally change his/her name, date of birth, and address -- alldescriptors traditionally used to screen individuals entering thecountry. Since the new identity would not be on any of thetraditionally maintained, name-dependent lists, government agentswould admit the banned individual to the UAE.
Tocounter this problem, the UAE began developing a biometric systemthat could be used to scan all individuals arriving in the countryand determine whether the person is banned from entering. The UAE'sspecifications for the system included using a biometric that didnot change over time; could be quickly acquired; was easy to use;could be used in real time; is safe and non-invasive; and whichcould be scaled in the millions. The UAE determined that irisrecognition technology was the only technology that produced asingle-person match in a sufficiently short period of time to meetits needs.
Asof March 4, 2004, the UAE had enrolled 355,000 irises. It enrollsapproximately 600 new irises per day. Over 6,220 expelledforeigners have been caught trying to re-enter the UAE, whichaverages to about 30 individuals caught per day. There have beenover 1,613,000 searches of the database so far, with no falsematches. A statistical analysis of the program suggests that thelikelihood of a false positive match is less than 1 in 80billion -- in other words, effectively impossible.
TheUAE has found iris recognition technology easy to use. There havebeen no failures to acquire an iris scan; the system is regularlyused by people unfamiliar with or unskilled in the technology, andin transit areas. The UAE is now considering creating a unifiedArab list. The country is also considering a similar system toidentify all individuals. Currently, the UAE identity cards aresmart cards that contain fingerprints, and the UAE is consideringincluding a person's iris code in the near future. Iris codes mayalso be placed on passports. The UAE's experience with irisrecognition technology is that biometrics enhance the nation'ssecurity.
Handgeometry relies on measurements of the width, height, and length ofthe fingers, distances between joints, and the shape of knuckles.Using optical cameras and light-emitting diodes that have mirrorsand reflectors, two orthogonal, two-dimension images of the backand the sides of the hand are taken. Based on these images, 96measurements are then calculated and a template created. Most handreaders have pins to help position the hand properly. These pinshelp with consistent hand placement and template repeatability, sothere is a low false positive rate and a low failure to matchrate.
Handgeometry readers usually cost between $2,000 and $4,000. Handgeometry is a mature technology primarily used for high-volumetime-and-attendance and access control. For instance, both KrispyKreme and McDonald's rely on hand geometry to record staff time andattendance. Hand geometry works well when many people need to beprocessed in a short period of time, so long as it is one-to-onematching. Although people's hands differ, they are not individuallydistinct. As a result, hand geometry technology cannot be used forone-to-many matching.
Handgeometry is perceived as very accurate and has been used in avariety of industries to regulate access control for more than 30years. It is useful in identifying who is permitted somewhere or todo something and who is not. It is very difficult to spoofsomeone's hand shadow without the person's cooperation. Thenecessary information is not left behind physically (as, bycontrast, a fingerprint often is), so that it is quite difficult tocreate a fake hand that would work on the unit without the enrolledperson's knowledge. The technology is relatively stable -- unitsplaced in the field in 1991 are still working. The main change overthe years has been in cost reduction. A wide variety of places relyon hand geometry for access. The San Francisco airport uses it foraccess to the tarmac; the port of Rotterdam, Scott Air Force Base,and a sorority at the University of Oklahoma also rely on it.
Mostpeople are comfortable using the technology. Since it is an imageof a hand as opposed to something more intrusive, most peopleconsent to enrollment in the program. In addition, it is no lesshygienic than touching a doorknob. (Indeed, acceptance of thetechnology by users has been made relatively easy by describing thehand geometry reader as a funny-looking doorknob.) Furthermore,people's unwillingness to accept hand geometry technology can beovercome if the individuals can see that they will get something inreturn. For instance, Gold's Gym uses the units for access, whichallows its members to avoid the hassle of carrying keys or cards;the University of Georgia employs the technology for tracking mealplans. In the near future, Sea World annual pass holders will usehand geometry to enter the park. It is also used in approximately15,000 banking applications.
Fingerprint recognition technology isprobably the most widely used and well-known biometric. Fingerprintrecognition relies on features found in the impressions made bydistinct ridges on the fingertips. There are two types offingerprints: flat or rolled. Flat prints are an impression of onlythe central area of the finger pad while rolled prints captureridges on the sides of the finger as well as the central portionbetween the tip and first knuckle.
Fingerprint images are scanned, enhanced,and then converted into templates. These templates are saved in adatabase for future comparisons using optical, silicon, orultrasound scanners. Ultrasound appears to be the most accurate,but is rarely used. Optical scanners are the most commonlyused.
According to a report by the U.S. GeneralAccounting Office, fingerprint readers for physical access controlcost approximately $1,000 to $3,000. There are also additionalsoftware licensing expenses of about $4/user. Smaller fingerprintscanners also have maintenance costs of 15 to 18 percent of theirpurchase price. The larger live-scan, 10-print readers run about$25,000 and have upkeep costs of about 14 percent of the reader'scost.
Onlya small percentage of people cannot be enrolled because theirfinger ridges have become dry, worn with age, or worn from usingcorrosive chemicals. There are, in addition, some people who areuncomfortable with this technology because of its relationship toforensic fingerprinting -- certain cultures, for example, equate thetaking of a fingerprint with identification as a criminal andresist its use as a biometric. There is also concern thatfingerprints collected for one purpose could be used to track anindividual's activities elsewhere. people occasionally complainabout touching a scanner that many other people have touched,thinking it unhygienic. In addition, fingerprint biometric systemsdo not work everywhere; they are inappropriate, for example, ingloved environments like operating rooms in hospitals.
Onearea where fingerprint biometrics has been used is for identity andaccess management in health care (e.g., VA and teaching hospitals).The biometric technology is used to solve the challenge of howhospitals can give access to users and yet maintain security levelsthat provide confidence and comfort. This is a critical challenge,since greater security usually decreases access. There have beenvery few complaints about the technology in hospitals. peopleseemed comfortable with having their fingerprints stored in adatabase, since it was stored as a string of numbers rather thanthe actual digital image.
Facerecognition technology identifies individuals by analyzing certainfacial features such as the upper outlines of the eye sockets orsides of the mouth. Typically, facial recognition compares a liveperson with a stored template, but it has also been used forcomparison between static images and templates. This technologyworks for both verification and identification. In addition, it isthe only biometric system that can routinely be used in a covertmanner, for surveillance, since a person's face is easily capturedby video technology.
Facial recognition technology usually hasa very low failure to enroll rate. However, reports the GAO, "theperformance of facial recognition technology appears to depend onthe operational setting and specific application. Pilots of facialrecognition surveillance at airports have resulted in [failure tomatch rates] between 0.3 percent and 5 percent and [failure to notmatch rates] between 5 percent and 45 percent." Environmental factors have a greatimpact on these rates because variations in camera performance,facial position, expression, or features may hinder the algorithmswhen trying to match the presented face to a template. The age ofthe template can further degrade the ability for a correctmatch.
Facial recognition technologies can bevery expensive. "A facial recognition server controlling access ata facility with up to 30,000 persons would cost about $15,000.Depending on the number of entrances installed with facialrecognition devices, the cost of software licenses would range fromabout $650 to $4,500." As the database size and number ofattempted matches increases, so does the system's cost. In caseswhere closed-circuit television (CCTV) surveillance is used inconjunction with the facial recognition software, the costs for theCCTV range between $10,000 and $200,000 depending on the entrancesize and the type of monitoring required. Additional CCTV camerasrun between $125 and $500, reaching up to $2,300 for cameras withadvanced features.
Voice recognition technology identifiespeople based on the differences in the voice resulting fromphysiological differences and learned speaking habits. When anindividual is enrolled, the system captures samples of the person'sspeech as the individual says certain scripted information into amicrophone or telephone multiple times. This information is knownas a "pass phrase." (There are also biometric systems availablethat can distinguish between people's voices without requiring apredefined phrase.) The pass phrase is then converted to a digitalformat and distinctive characteristics (e.g., pitch, cadence, tone)are extracted to create a template for the speaker. Voicerecognition templates require the most data space of all thebiometric templates. Voice recognition technology can be used forboth identification and verification.
Voice recognition technology requiresminimal training for those involved. It is also fairly inexpensiveand is very non-intrusive. The biggest disadvantage with thetechnology is that it can be unreliable and does not work well innoisy environments (like points of entry).
Oneexample of where voice recognition systems might be used is theUS-VISIT program. As one company has conceived in its proposal, anindividual would be enrolled in a U.S.-managed database whenapplying for a visa at a U.S. consulate. The person would recordhis or her name and pass phrase then. Later, in the United States,local, state, or federal employees could use a telephone, cellphone, or the Web to verify if the individual is who he or sheclaims to be. Since visa holders would have gone through theprocess once when they received their visas, it should not be toodifficult for them to repeat the process in the United States, evenif they are not English speakers.
Biometric Match-on-Card technology
Match-on-card technology can be used withvirtually any biometric and usually takes the form of a smart card.The card has a biometric template (for example, a digitized andencoded fingerprint) stored in a computer chip. A live version ofthe fingerprint is then compared with the stored template forverification purposes. The technology's advantage is that it can beused as part of a network where the presented biometric is comparedto a centralized database (e.g., the US-VISIT program), forcomparison with local databases, or for an offline comparisonbetween the presented biometric and the stored template on the carditself. Smart cards essentially act as the "issuer's security agentin the hands of the user." In addition, the security levelsavailable are scalable. One could use the card and biometric, cardscombined with PINs, cards with biometric templates used inconjunction with PINs. The proposed E-passport system now underdevelopment worldwide is a form of match-on-card technology.
Biometrics for Securing Hazardous MaterialTransportation
TheDepartment of Transportation has sponsored a project to examinecommercially available technologies to protect transportedhazardous materials from terrorist attack. The test involves 100 trucks outfittedwith an assortment of technologies, including biometric ones. Theproject will test whether these technologies can verify drivers;track vehicles and loads; alert the appropriate organizations andindividuals about off-route or stolen vehicles, cargo tampering,and driver distress; and provide remote vehicle disabling in theevent that terrorists successfully capture the vehicle.
Thisproject uses biometric technologies for driver authentication.Smart cards and biometrics are used to confirm drivers' identitiesto shippers, consignees, and the drivers' vehicles. Smart cardsholding predetermined, driver-specific information will be used inconjunction with fingerprint scanners to validate drivers'identities. These technologies will also record drop-off, pickup,and truck start-up events. This bio-login in the truck alertsdispatchers if an unauthorized person tries to operate the truck.Biometric and smart card technologies are also used to secure theshipping manifest system so that only authorized users can createor view the documentation for shipping the hazardous cargo or toaccess the loads themselves.
There have been only two device failuresthus far. The biggest problem has been with driver impatience withsome of the authentication procedures relying on information passedthrough satellites, which can be slow during heavy loadperiods.
Inaddition to the mature technologies discussed above, researchersare also looking for other useful biometrics. Some of theseemerging technologies include vein scans, facial thermography, DNAmatching, odor sensing, blood pulse measurements, skin patternrecognition, nailbed identification, gait recognition, and earshape recognition. Some of these biometrics, like vein scanning,are just becoming commercially available, while others, such as earshape recognition, are recently started research projects.
Anyorganization interested in biometric safeguards must look carefullyat its requirements and then choose the biometric and the relevantsafeguards that meet those requirements. The organization mustchoose the level of security based on the threat. The more securityused to prevent people from fooling the system, the greater thepotential for false positives. For instance, if an organizationwants to use a biometric for time and attendance, it is unlikely tocare about whether the sample is alive. The threat is too minor forsuch security guards.
legal and Political Implications
Asthe foregoing review suggests, the use of biometric technologiesposes a host of interrelated policy questions, some of which are ofgeneral applicability to all biometric systems and others of whichare technology- or use-specific. Among the questions one might askare: Can the biometric system be narrowly tailored to its task? Whowill oversee the program? What alternatives are there to biometrictechnologies? What information will be stored and in what form? Towhat facility/location will the biometric give access? Will theoriginal biometric material be retained? Will biometric data bekept separately from other identifying personal information? Whowill have access to the information? How will access to theinformation be controlled? How will the system ensure accuracy?Will data be aggregated across databases? If information is storedin a database, how will it be protected? Who will make sure thatprogram administrators are responsive to privacy concerns? Canpeople remove themselves from a database voluntarily -- in effect,can they "unenroll"? How will consistency between data collected atmultiple sites be maintained? If there is a choice, will people beinformed of optional versus mandatory enrollment alternatives?
These are difficult questions -- ones that apaper of this nature cannot comprehensively answer. We offer,however, the following preliminary thoughts as a framework foranswering these questions.
First, and foremost, we are convinced ofthe utility of biometric identification as a general matter.Biometric technologies have substantial potential to improvenational security by providing a means to identify and verifypeople in many contexts. In many circumstances they will provide asubstantially higher level of security beyond current means ofidentification. This will be of especial utility in controllingaccess to areas where security risks are especially high -- airporttarmacs, critical infrastructure facilities, and the like.
Atthe same time, however, as with any other new technology, there isthe potential for abuse. Thus, there is legitimate public concernthat biometric technology can be misused to invade or violatepersonal privacy or other civil liberties. Some of the fearssurrounding biometric information include that it will be gatheredwithout permission, knowledge, or clearly defined reasons; used fora multitude of purposes other than the one for which it wasinitially gathered (function creep); disseminated without explicitpermission; used to help to create a complete picture about peoplefor surveillance or social control purposes. There are alsoconcerns about tracking, which is real-time or near-real-timesurveillance of an individual, and profiling, where a person's pastactivities are reconstructed; both of these would destroy aperson's anonymity.There are also concerns about identity fraud.
Inlight of these and other similar fears, some conclude that thetechnology should not be developed at all. But given the veryserious terrorist threat that we face, if biometric technology isproved to enhance security in a particular context and appropriatesafeguards can be put in place, we believe it is worthpursuing.
Somecritics of biometrics believe that liberty derives fromanonymity, whilesupporters are of the view that proper security is dependent oncomplete identification and that liberty would in no way be put atrisk. Yet, insteadof depending solely on anonymity or full identification, Americanswould be better served by a range of authentication solutions thatfit the context of the interaction between government andindividual.
Anonymous political speech remains animportant ideal for maintaining liberty, yet -- outside of thisspecific realm -- anonymity is a different, and possibly weaker, formof liberty. The American understanding of liberty interestsnecessarily acknowledges that the personal data of those who havenot committed any criminal offense (such as biometric data) can becollected for legitimate governmental purposes. On the otherextreme, liberty could be put at risk if biometric data wererequired for even the smallest interaction with the government,such as using a government public Web site.
Itis important to note that between complete anonymity and fullidentity there are gradations. Many transactions with governmentcan be accomplished without requiring detailed personalinformation, though they would not be completely anonymous. Infact, we already have the beginning of a graduated understanding ofidentification; there is a spectrum of authentication and personalidentification solutions available to the government. In a transactionwhere no identifying information about the individual is necessary,but actual authentication is needed -- for example, for use in anongoing government research study -- a lower level of authenticationwill be required. By contrast, in cases where the actual identityis not important, but identifying information is necessary -- forexample, in accepting online regulatory compliance filings from acompany -- a higher level will be needed.
Whatthese examples demonstrate is not so much that our conception ofliberty is based upon absolute privacy expectations, but rather that anygovernment impingement on our liberty will occur only with goodcause. We must be able to voice controversial political viewpointswith the expectation that the government will only investigatethose that truly may threaten national interests. When a criminalor terror investigation is underway, we must be able to expect thatthe spotlight of scrutiny will not turn upon us individuallywithout some good reason. However, most interactions with thegovernment fall somewhere in between expectations of completeanonymity and a detailed investigation. We must be able to continueto expect that government will ensure that any possible impingementon liberty is commensurate to the interaction with the individualand that the government has the technological tools to achievethis. If there is no true spectrum of authentication choices (fromanonymity to pseudonymity to full identity) for use, allexpectations of privacy will erode simply because government willbe forced to treat every interaction as investigative.
Inmany ways, the implementation of new laws and systems to combatterror are not an unalloyed diminution of privacy. Rather, the lawsand practices can substitute one privacy intrusion (for example, asearch of electronic biometric data about an individual) foranother privacy intrusion (the physical intrusiveness of bodysearches before entry into a facility). But this means that legalanalysts cannot make broad value judgments -- each person weighs theutility of their own privacy by a different metric. For manyAmericans, the price of a little less biometric privacy might notbe too great if it resulted in a little more physical privacy incertain circumstances; for others, the opposite result might holdin that same instance. Reasonable people can disagree about whenbiometric technology should be used, but taking a position that anyuse of biometric technology is privacy invasive is like suggestingthat biometrics should be used in every transaction. The truepolicy challenge is in finding the most effective uses of thespecific biometric technology -- both for liberty and security -- notin labeling it as universally good or evil.
Inproperly determining how best to enhance both liberty and security,it is useful, therefore, to have some basic principles forassessing a particular biometric technology. Such a code ofprinciples ought to include the following:
Enrollment in biometric systems should beovert instead of covert. Before one is "enrolled" in a biometricprogram one should be made aware of that enrollment. Thus, we areskeptical of biometric programs, such as public facial recognition,that permit the surreptitious capture of biometric data.
Biometric systems are better used forverification rather than identification. In general, that is, theyare better suited for a one-to-one match assuring that theindividual in question is who he says he is and has the requisiteauthorization to engage in the activity in question. Biometrics areboth less practically useful, and more problematic as a matter ofpolicy, when they are used in a one-to-many fashion to pierce anindividual's anonymity without the justification inherent in, forexample, seeking access to a particular location.
Biometric systems should be designed tooperate with local storage of the data (e.g., on-card templates)rather than with central storage. Centralized storage of biometricdata raises privacy concerns and also tends to permit more readymission creep.Clearly for some technologies and applications local storage willnot be feasible -- but to the extent it is practicable, local storageshould be preferred.
Similarly, we should prefer biometricsystems that are "opt in" and require a person to consent, ratherthan those that are mandatory. By this we do not mean thatrequiring one to opt in cannot be made a condition of participation(e.g., if you want to enter the United States you must provide abiometric) since participation is ultimately voluntary. And we alsorecognize that certain biometric applications (e.g., DNA forconvicted terrorists) may need to be mandatory. Again, however,this should be an exception to the general rule ofvoluntariness.
For privacy and security reasons, oneshould prefer biometric systems that reduce the biometric to atemplate, rather than maintaining a stored image. Generically,templates are harder to falsify. Images, however, may be somewhateasier to encrypt. In the end, the choice will very much depend onthe application.
Similarly, where feasible, biometricsystems should consider the use of forms of verified pseudonymity,where the authorization for use by the identified individual isconveyed while the identity is concealed unless and until suitableauthorization for piercing the veil of anonymity is received.
Any biometric system should have strongaudit and oversight programs to prevent misuse. The Privacy Act of1974 addresses some of these concerns since it limits the abilityof federal agencies to collect, use, or disclose personalinformation like biometric data. There are, however, exceptions fornational security and law enforcement purposes. Recourse to thoseexceptions should be well-documented and subject to periodicreview.
Any biometric system is only as strong asthe initial enrollment system. An ideal way to evade biometricdetection is to be improperly registered as a legitimate user.Thus, in conjunction with the deployment of any new biometricsystem, one must take care to monitor, audit, and periodically testthe enrollment process. Enrolled data should also be subject toroutine secondary review to identify those mistakenly enrolled inthe first instance.
Similarly, a biometric system is only asstrong as its back-up alternative. The principle of layeredsecurity requires that those implementing biometric identificationsystems have in place a suitable secondary identification systemfor use when the primary biometric system fails or provides aninconclusive result, It will not do, for example, for the back-upto a biometric system to be a simple, insecure, signatureverification.
Inthe end, biometric technologies can be privacy-neutral. They canand should be designed with appropriate protocols to ensure privacybefore they are implemented. Those protocols can both be part ofthe hardware (and thus designed into the system) and enhancedthrough operational guidelines and systems oversight that addressprivacy concerns.
Advanced technology is a competitiveadvantage for the United States, and it must be used if the countryis to win its war on terrorism. Indeed, resistance to newtechnology poses practical dangers. As the Congressional JointInquiry into the events of September 11 pointed out in notingsystemic failures that played a role in the inability to preventthe terrorist attacks:
4. Finding: While technology remains oneof this nation's greatest advantages, it has not been fully andmost effectively applied in support of U.S. counterterrorismefforts. Persistent problems in this area included a lack ofcollaboration between Intelligence Community agencies [and] areluctance to develop and implement new technical capabilitiesaggressively ....
Thedevelopment and implementation of biometric systems withappropriate safeguards will help avoid repeating this mistake.
Theimplementation of biometric technologies for increasing national security raises numerous practical and policy questions. It iscritical that the right type of technology is chosen to meet thepurpose and privacy requirements of a specific use. In order forbiometric systems to provide security, it is necessary that peoplenot have a false sense of security about them. The weaknesses andflaws of the technologies must be acknowledged and countermeasuresneed to be considered. The systems cannot be seen as the ultimatesecurity tool, and thus the perfect solution. Rather biometrics (inone layer, or many) are simply another tool in a layered approachto security. They are not a panacea -- but they can play an importantrole in protecting America and should not be demonized asunacceptable technology.
Paul Rosenzweig is Senior Legal ResearchFellow in the Center for Legal and Judicial Studies at The HeritageFoundation and Adjunct Professor of Law at George Mason UniversitySchool of Law. Alane Kochems is an independent researcheraffiliated with The Heritage Foundation. Ari Schwartz is AssociateDirector of the Center for Democracy and Technology.