Bureaucratic Battles Bog Down Biometrics

Biometrics may be the wave of the future, but it's off to a slow start.

w

atching Tom Cruise slowly descend by his ankles into a secure area at CIA headquarters could take anyone's breath away. But true technophiles appreciate the bits of Hollywood spectacle in the 1996 movie Mission: Impossible not for their portrayals of aerial acrobatics and cunning espionage, but for their showcase of cutting-edge biometric technology.

A scene in the film depicts Cruise and his crack spy team outsmarting a series of biometric security devices that limit access to a top secret computer-machines that read palm prints, eye shapes and voice patterns. The adventure is pure fiction, but the technology it depicts is real and, in fact, is used by some federal agencies to restrict access to information or to secure the nation's borders. Agencies have used biometric devices for several years, but before the Sept. 11 terrorist attacks, the technology was considered too expensive and remained largely in the pilot phase. Now, some agencies are asking whether using biometrics might be one way to tighten domestic defenses. But while the technology they want is the stuff of reality, they're finding that making it do what they want it to do is nearly an impossible mission.

The Great Disconnect

A few agencies have experimented with biometrics, but political turf wars and technological inefficiencies have hampered any development of a governmentwide biometric security strategy. The attacks on the World Trade Center and the Pentagon have spurred lawmakers and the administration to call for a broad homeland security plan that requires agencies to start sharing their giant databases. However, as agencies turn to biometrics to fortify security, they're finding that old habits die hard.

Testing at the State Department's Bureau of Consular Affairs and the Defense Department has yet to yield tangible proof that biometrics are effective in the bureaucratic morass in which they must operate.

The State Department has tested facial recognition technology to read photographs on visa applications, but so far only at posts in India and Nigeria because bureaucracy and the debate over the need for the technology have stymied its wider implementation. The Defense Department has made inroads with the technology, but its biometrics program is limited to controlling entry doors and access to Web portals. Defense has plans to test biometrics for its common access card, which is used for in-person and online identification. Biometrics could serve as a pillar for the Immigration and Naturalization Service's role in homeland security. Since 1998, the INS has issued 5 million border-crossing cards encoded with biometric information to Mexican citizens. Bearers may travel for no more than three days and no more than 25 miles into the United States, usually to visit family or to shop.

Unfortunately, the biometric features of the cards are useless because the agency has never installed the systems to read them. Rather, INS officials at the Mexican border still visually match a card to a face. INS spokeswoman Kimberly Weissman says "the card readers have not been deployed to the ports of entry." Weissman says Congress denied the agency's fiscal 2001 budget request to fund the readers. However, some close to the project are skeptical about INS' commitment to biometrics. The government has missed a critical opportunity by not installing the card readers, says Paul Collier, executive director of the Biometric Foundation in Washington, which sponsors research on biometric technology. "The use of biometrics in the border entry application process would significantly augment security when compared to current lookout list systems," he told the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information in October.

Several agencies maintain such lists, which contain the names of terrorist suspects. "Databases such as fingerprints and photographs already exist worldwide. And coding biometric data in passports, visas, identification cards and other travel documents can provide positive identification of the bearer and speed the entry process," Collier told the senators.

That's where the stumbling block to biometric security lies, experts say. Unless databases that contain tremendous amounts biometric information are linked together and connected to biometric readers, the nationwide net is just a leaky sieve.

Knowledge may equal power, but in the government, databases equal budget. Agencies are more inclined to protect their valuable information than share it. "If you give up control of your database, you lose part of your budget," former National Security Adviser Samuel R. "Sandy" Berger said at an October e-government conference in Washington. True to his roots, Berger is cautious about the benefit of agencies swapping sensitive information. "How much data can the CIA really share?" he said, adding that too much sharing can often jeopardize ongoing criminal investigations.

Perhaps no existing biometric database is as large and perhaps as valuable as the Federal Bureau of Investigation's Criminal Master File, which contains more than 43 million sets of fingerprints. The bureau uses the Integrated Automated Fingerprint Identification System to run checks on 42,000 prints each day on behalf of more than 18,000 state and local law enforcement agencies, as well as the Defense Department, the Office of Personnel Management and the INS, says Mike Kirkpatrick, assistant director in charge of the criminal justice information services division.

Many point out that cross-checking databases such as INS' IDENT system, which contains more than 400,000 records of immigrants with criminal and deportation histories, against the FBI's master files would be a good way to tighten security and share information across agencies. But that capability isn't in place today. Kirkpatrick says the FBI has been planning for a year to link its fingerprints database with IDENT, although it remains unclear which agency would control the data.

The Bureau of Consular Affairs has tried for years to gain access to the FBI's master file to view criminal records on foreigners applying for nonimmigrant visas. But it has met with resistance, according to Mary Ryan, assistant secretary of state for consular affairs. She testified along with Collier at the Senate hearing in October.

Kirkpatrick says agencies mistakenly believe that the FBI's database contains more useful information than it actually does. For example, he says, if someone has never traveled to the United States, chances are that the person wouldn't have a fingerprint record in the system.

The type of investigation determines how much access an agency has to the Criminal Master File and the fingerprint identification process, Kirkpatrick explains. The FBI reveals more information for criminal inquiries than for those that are noncriminal. The routine issuance of visas hasn't justified a criminal inquiry in the past, Kirkpatrick says.

Industry experts say reliable biometric products are on the market today, but that technological and political barriers have left the government ill-prepared to use them on a wide scale.

The Defense Department issued an open call to technology companies and inventors in late October to suggest new counter-terrorism technology, even if the products haven't been manufactured. But with its plea, the agency has shown its cards, vendors say. "It tells me that they don't have anything," says Jon Clements, a national accounts representative at Stromberg LLC, a Lake Mary, Fla., company that sells fingerprint readers for use in employee time clocks. "They don't have an answer for this problem."

Many vendors question the value of biometric devices to prevent terrorist attacks. Unless someone was listed in a government database as a suspect or a convicted criminal, biometrics would give no indication that the person should be stopped from entering the country or boarding an aircraft. If foreign visitors enter the United States on valid visas, as the State Department says was the case with 15 of the 19 Sept. 11 terrorists, "you're just going to have a record that they've come through," says Eric Zidenberg, vice president of Orion Scientific Systems, a Newport Beach, Calif., defense contractor that manufactures intelligence-gathering software for use with biometric readers.

Biometrics does have promising attributes, Zidenberg says. If a warning were issued to detain a person using a particular name attached to a unique feature such as a fingerprint, the technology could prevent that person from slipping through security.

However, manufacturers and government officials note that to do that, multiple databases must be tied together. So far, that hasn't happened.

A New Market

Manufacturers are quick to point out the holes in the nation's underdeveloped biometric security scheme. But those very shortcomings have caused vendors to flock to the government market.

The Sept. 11 attacks have let loose a flood of firms seeking to sell biometric devices to security-hungry agencies. Vendors that don't traditionally do business with the government report they've had a high volume of calls from agencies, primarily the State and Defense departments and the INS. Clements says Stromberg has received more inquiries from all levels of government-federal, state and local-than ever before.

Vendors were given even more incentive to speed up development of biometric technology and sign contracts with the government when President Bush signed the Aviation Security Act in mid-November. The law requires the Federal Aviation Administration to consider using biometric security devices in at least 20 airports and to set up pilot programs to test the technology.

The new biometrics market affects the strategies of longtime government contractors, as well. Long before Sept. 11, says Edward Hogan, vice president of global public sector at systems integration firm Unisys Corp., the company decided to leave the biometrics business to an eager band of upstarts in the market. Unisys would put the products in place on behalf of its wide stable of government clients and leave costly research, development and manufacturing to the specialists.

Unisys tested that strategy in October when it formed a partnership with facial recognition device manufacturer Viisage, headquartered in Littleton, Mass. Piggybacking on the business of an established and trusted government contractor is the ticket into the booming federal technology market for newcomers like Viisage, many market watchers say. Those companies are eager to get in on the government's spending spree, especially as the commercial technology market collapses.

Viisage's chief executive officer, Thomas Colatosti, didn't respond to requests for an interview, but Hogan says Unisys will strike similar deals with other biometrics manufacturers. He believes that pilot biometric programs, still largely in the research and development phase, have been moved to the front burner at several agencies. "There's a very quickly unfolding marketplace," he says. Database software manufacturer Oracle, which counts the federal government as its premier customer, has made a bold move to drum up new business in the biometrics and information security market. In mid-November, it launched an information assurance lab to test and demonstrate new security products to its customers.

Biometric device manufacturers can build and demonstrate their products, but they're not connected to a database, says Tim Hoechst, senior vice president of technology for Oracle Service Industries. Oracle will provide manufacturers with access to its database products to show potential agency buyers how a biometric security system might work.

The move is one of a series in Oracle's post-Sept. 11 push to take the company to the forefront of the information and identity security market. In October, Chief Executive Officer Larry Ellison said he pitched a new national identification card that would contain biometric information to Attorney General John Ashcroft and officials at the CIA and FBI in Washington.

NEXT STORY: Disaster and Recovery