Biometrics Need a Measure of Security

n 2002, moviegoers were treated to a stark vision of the future. In the science fiction thriller Minority Report, filmmakers depicted a world in which human identity had been boiled down to the shape of an eye. In the most mundane places-the subway, the market-computers scanned people's retinas, staying constantly aware of their movements and habits by linking people's identities to their unique pair of eyes.

Every person has a distinct retina, fingerprint and voice pattern, and collectively those forms of identification are known as biometrics. Today, biometrics are being used primarily as a means of controlling access to buildings or computer systems. The technology required to electronically verify biological signatures has become cheaper and easier to use.

The government is among the front-runners in adopting biometric authentication for a variety of purposes, and several agencies plan to rely on biometrics even more as they roll out homeland security initiatives. By the end of this year, for instance, the Homeland Security Department plans to launch a sweeping border control program that will collect biometric readings from visitors to the United States whenever they cross the border. The State Department plans to place biometrics on identification cards issued to some foreign visitors.

The Defense Department has embraced biometrics to control access to restricted facilities and computers. The Pentagon's Biometrics Management Office is working with a biometrics research and development organization, as well as industry, government and academia to form international standards for reading the human identifiers. The management office handles all biometrics-related policy, planning, budget and acquisition matters for Defense.

Biometrics could hold great promise for security, but there's also a dark side, exemplified in a particularly hair-raising scene of Minority Report: The protagonist tries to conceal his true identity from the police by having his eyes surgically removed and replaced with someone else's.

While the act of pilfering biometrics in real life may not be as gruesome as in the movie, the possible theft of fingerprint, retinal or voice print data isn't fiction. And as federal agencies expand their use of biometrics, they'll have to ensure that a Hollywood vision doesn't become a nightmarish reality.

SECURING SECURITY

A March report by the Computer Science and Telecommunications Board of the National Academies of Science grapples with the complex and unnerving issues surrounding protection of biometric data, both in terms of ensuing personal privacy and also security.

The report notes that the biggest reason biometrics are vulnerable to misuse is that, unlike computer passwords or bankcard PIN numbers, they're not secret. Biometrics are unique human qualities that anyone can see and even steal, given the proper tools. For example, a modestly industrious wrongdoer could lift someone's fingerprint off a glass or window, much the same way crime scene analysts do, and use the print to gain access to a facility or proprietary information.

The financial services industry has considered the major security threat and the vulnerability posed by biometric banditry. Ted Claypoole, an attorney who has counseled Internet service providers and banks, says he addressed the risk in a meeting with executives of a large bank who toyed with the idea of installing fingerprint readers at cash machines.

In order to ensure thieves can't use biometrics, whether in replicated or real form, the sensitivity of the device reading the biometric data must be increased, Claypoole explains. In the case of a fingerprint scanner at a cash machine, that might mean requiring the human digit bearing the print to be presented at a certain temperature-specifically, 98.6 degrees Fahrenheit. Claypoole had already envisioned how to foil such a security stopgap, and painted a grim picture of the outcome for the bank executives. "I said . . . the day some guy shows up at an ATM with a little old lady's thumb that he's kept warm on the dashboard of his car, we have a major publicity problem," Claypoole says.

The National Academies of Science report noted that various biometrics are verified differently, complicating the security issue. Passwords or magnetic stripes on access cards are easily validated, because the encoded information they contain matches a master record kept in a central database. But biometrics can produce false readings. For example, says Claypoole, if someone is running a fever, a fingerprint reader sensitive to temperature might be thrown off. Also, if someone were suffering from a cold or laryngitis, it's conceivable a voice reader would have trouble recognizing that person.

False readings could trigger frustration, even outright hostility, among those being scanned. Using the example of the Homeland Security Department's foreign visitor tracking program, someone mistaken for a wanted criminal when trying to cross the U.S. border might not respond well to the mix-up.

Despite these pitfalls, biometrics have some innate security features. For starters, guessing a biometric code isn't as easy as guessing someone's password or using a computer program to randomly generate PIN numbers until the right one has been found. In order to use someone's biometric information, a thief would need the original or an exact copy.

That's why, in addition to the risk posed by someone swiping a fingerprint, there's also a security trapdoor lying in the databases that hold the copies used to validate the real identifiers. If those massive caches were ever compromised, it wouldn't take a Hollywood screenwriter to imagine the great liability an agency would have on its hands.

LOCK THE KEYS

Gaining access to a repository of biometric data is not only possible, it's conceivably not that hard to do. The best way to keep a database from being hacked is to keep it separated from an electronic network that could be easily accessed. However, again using the foreigner tracking plan as an example, if agencies intend to use biometrics at border crossings, points of entry where scans are performed would have to be linked to each other or to a central data repository. The more locations are added to the biometric network, the more vulnerable that network becomes. Hacking a biometric database isn't a major threat right now, because the technology isn't that widely used. But as biometrics systems become more prevalent, the risk will grow.

The National Academies of Science study recommended that biometrics should not be used for remote authentication; in other words, scans should not be sent over a network and to a central location for validation. That would mitigate the risk of the biometric code being captured in transit.

Claypoole says it would be far more damaging to compromise a database of biometrics than, for instance, a cache of PIN numbers. If PIN numbers are confiscated, they can be canceled, and their owners can choose new ones. But "once someone has stolen your biometric signature, we can't just ask you to change it," Claypoole says. Anyone who steals the electronic version of a fingerprint or retina has "a digital derivative of your actual, physical being," he says. It can't be replaced.

The other great obstacle to wider use of biometrics is society's acceptance of being tracked in an intimate way that might result in losing a degree of individuality by being summed up in an electronic scan.

Stephen Kent, the chairman of the committee that wrote the National Academies of Science report, touched on the broad implications of identity protection when he connected privacy to the proper functioning of government. "The ability to remain anonymous and have a choice about when and to whom one's identity is disclosed is an essential aspect of a democracy," he said when the report was released.

Kent also connected the importance of security to privacy protection. "The technology a system uses, whether scanning a face or using [an identification card], is less important in maintaining privacy than the way the system is designed and the scope of the system," he said. He added that these considerations were "particularly relevant to ongoing policy debates such as those about national identity cards and frequent traveler cards" to monitor airline passengers, two controversial proposals that were floated in reaction to the Sept. 11 terrorist attacks as ways to enhance security.

Ultimately, the wide use of biometrics may depend less on technical issues than personal comfort level. Until people can "get over some of the societal taboos" associated with monitoring or inspecting people, biometrics aren't likely to become commonplace, Claypoole says.