Unwrapping the Biometric Present
Congressional funding for a biometric system to track potential terrorists isn’t likely to have much impact on the bad guys. But it will likely help the government keep track of you.
Congress gave a sizable Christmas present to the nations biometrics industry last month.
The word biometrics appears 35 times throughout the National Intelligence Reform Act of 2004, and it establishes the use of biometrics for aviation security, creates a biometric center of excellence, expands an FBI biometric system for criminal background checks, requires friendly visa waiver countries to add a biometric to their passports, and mandates the collection of biometric exit data for people leaving the United States.
Signed into law by President George W. Bush on December 17, the legislation also allocates $20 million to the Transportation Security Administration for research and development of an advanced biometric system that has applications to aviation security, including mass identification technology. That includes a requirement that airports adopt biometrics in their access control systems, and it requires that the Attorney General create a law enforcement officer travel credential with a biometric identifier for all federal, state, local, tribal, and territorial government law enforcement agencies.
Biometrics refers to a range of technologies that use physical measurements of the human body to identify individuals. Fingerprints are one of the best known biometrics, but they are by no means the only. Foot and palm prints have been used throughout the years as well.
Todays interest in biometrics, though, is driven by efforts to fight terrorism and secure the nations borders. According to the report of the 9/11 Commission, a standard technique used by Islamic terrorists to defeat so-called watchlists is for the person on the list to lose or destroy their passport, then to obtain a new passport with a slightly different English spelling of their name.
The current lack of a single convention for transliterating Arabic names enabled the 19 hijackers to vary the spelling of their names to defeat name-based watchlist systems and confuse any potential efforts to locate them, notes the report.
But the real future in counter-terrorism identification technology is not standardized spelling, the Commission noted, but a unified national system that uses biometric technology to detect and weed out the terrorists when they try to enter the United States or gain access to a secure facility. Travelers are repeatedly screened.
Each of these checkpoints or portals is a screening – a chance to establish that people are who they say they are and are seeking access for their stated purpose, to intercept identifiable suspects, and to take effective action,” the Commission states in the report.
Hence the interest in biometrics.
The theory is simple: if the fingerprints of every known terrorist are recorded in some databank, then all we need to do is to fingerprint every person as they enter the United States, walk through the front door of a court house, or try to pick up radiological waste at a medical facility. Since people cant change their fingerprints, sooner or later this massive identification procedure will catch all of the terrorists, and then the war on terrorism will be over.
This is, of course, a caricature of the governments position. But it nevertheless represents the hopes of those who authored the Intelligence Reform Act.
The nations identification system is in shambles. Although there is a single national identification document – the U.S. passport – fewer than seven million Americans are issued passports each year, and those who do have them rarely carry it on a daily basis.
Instead, the ubiquitous identification document that Americans carry is the state-issued drivers license. While the American Association of Motor Vehicle Administrators has adopted nationwide standards for what information should be on each license, it is still very difficult to pick up an out-of-state license and discern from looking at it if the license is legitimate or an outright fake.
Policymakers in Washington know that its going to be a huge battle to get Americans to accept a national identification card. In the meantime, theyre systematically increasing the use of biometrics at home and abroad.
One could charitably argue that this is a way of testing out the technology on increasingly larger populations in increasingly diverse conditions. On the other hand, one could argue that our government is pushing an unpopular surveillance technology on people who cant fight back — with the hope that the technology will eventually slide down the slippery slope into the general population.
The U.S. forces in Iraq have deployed a biometric identification system in Fallujah designed to identify all Arab males of gun-toting, suicide-bombing age. Each male will have their finger printed and their iris scanned. They will then be given an ID card. To enter or leave the city, theyll need to present the card and be scanned again. In theory, the terrorists wont be issued ID cards, and biometrics will prevent them from borrowing a card from a friend who looks the same.
Here in the United States, the government has started fingerprinting foreigners entering the country as part of the US-VISIT program. Travelers applying for a visa at a U.S. embassy or consulate have a digital photograph snapped (a biometric) and both index fingers electronically scanned (two more biometrics). When the traveler shows up to enter the United States, they are scanned again and if the fingerprints dont match, then entrance is denied.
In the future, the State Department will be able to search databanks using these biometrics to discover if, for example, the person who is now seeking a visa under one name was denied a visa when they applied three years ago using a different name.
Other countries are moving to biometrics as well — frequently thanks to prodding from the United States. Canadian Customs, for instance, has adopted a system called CANPASS. Truck drivers can be fingerprinted so that they can travel between the the United States and Canada quickly. In major airports, frequent flyers can have their iris scanned so that they can quickly travel through customs and immigration.
Privacy activists are usually quite suspect about biometrics. In part, this is because totalitarian states use strong identification techniques as a way of identifying and singling out the trouble makers who are interested in things like petty reforms, democracy, and freedom. A system properly designed to ensure the security of the borders should not provide the basis for routine identification within the United States, notes the Electronic Privacy Information Center in its report on the 9/11 Commission.
Biometric technology is inherently individuating and interfaces easily to database technology, making privacy violations easier and more damaging, echos the Electronic Frontier Foundation on its report on biometrics.
There is a distinction, though between the uses of biometrics to verify identity from those that are designed for primary identification.
It’s a good idea to add fingerprints and digitally-signed photographs to passports and visa applications. Nobodys interest is served by having weak identification schemes on our passports: such systems actually increase the chances that passports will be stolen, altered, and fraudulently used. Indeed, the 9/11 Commissions report details a factory that Al Qaeda had created in Afghanistan for doing just that with captured passports.
At the same time, it’s a bad idea to start using biometrics to pick individuals out of a crowd — that is, to use them for primary identification – since it’s notoriously inaccurate and far more subject to abuse.
There also needs to be clear rules about what uses of this information is appropriate and what uses are not. For example, bars in Boston are prohibited from serving alcohol to people under the age of 21, so its entirely appropriate to demand to see a drivers license or identification card before letting in a potential patron. On the other hand, its inappropriate for the bar to swipe the patrons drivers license through a card reader and capture the patrons name – as some bars around the country have started doing. This can happen when technology is deployed by the government without regulations that governs the technologys use.
But there are bigger dangers in our deployment of biometrics – dangers that arise from the very nature of identification technology and the theories that underpin it.
The accuracy and reliability of biometrics is frequently viewed in terms of the biometric recording itself, rather than the entire process. Fingerprints and iris scans may be exceedingly accurate and hard-to-fake, but entries in the databank themselves may nevertheless be vulnerable. If the system really does provide foolproof identification, then it will be that much more rewarding to the bad guys to get fake entries inserted. And it will be that much harder for a person, falsely identified as a terrorist, to prove that they arent one.
Such mistakes are likely to be compounded if biometric information is shared with other countries.
Another problem is this notion that the government can identify all of the terrorists — or at least a subset of them. Although some of the 9/11 terrorists were on watch lists, many others were not. There are people who are not terrorists today but who may turn to terrorism tomorrow.
This is the fundamental problem with watch lists, whether they are biometric or not: the people that you really need to worry about are not the known terrorists, but the unknowns.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today