Keesing's Journal of Documents

Biometrics in driver's licenses

Improving the security of driver's licenses in the US

January, 2004
By Kush Wadhwa

How to parallel park on a hill? When to yield to another driver on a round-about? Figuring out who has right of way at a 4-way stop? Passing your driver's test and getting your first driver's license is one of the great rites of passage for young people in many Western countries. Daunting though it is, each year hundreds of thousands of new drivers summon the courage to take the test. And now, it is becoming even more complicated.

In the US, where only about 20% of the population holds a passport document, the driver's license has become the de facto national standard of identification. As a consequence, the expectation that a driver's license provides secure and accurate information about the identity of its bearer has grown. In its capacity as a trusted form of identification, airlines use it to verify the identity of travellers bound for for domestic locations, and shopkeepers use it to enforce age-based restrictions on cigarette and liquor sales. The combination of a birth certificate and a US driver's license not only allows individuals to cross the US border from Canada, but also provides sufficient proof of identity in many forms of commercial transactions.

To meet expectations in terms of accuracy, growing attention is being paid to the development of driver's licenses that (i) contain accurate data and (ii) are difficult to counterfeit. As a consequence, the various issuing authorities are focusing on the addition of security features such as laser engraving, holograms, optical variable devices (OVDs), magnetic strips, smart-chip technology, and a growing range of biometric options.

Biometrics in driver's licenses - the lie of the land

In the US, the driver's license (DL) is issued at a state rather than federal level (this is unlike many countries, where one set of traffic laws prevails across the nation). The appearance and content of the license vary from one state to the next, as do the driving test and the license issuance process. It has been estimated that the state and local authorities issue as many as 240 types of driver's licenses, which makes it difficult for law enforcement professional to visually determine the authenticity of a license. The same applies to store clerks who accept payments in the form of personal cheques.

The form of identification required to obtain an initial license and the amount of information gathered about the applicant also vary between states. The majority of states now collect digital photographs and signatures, thus facilitating the future use of facial recognition biometrics, even where such programs are currently not in place. As is the acse for many government entitlement programs, the main reason for using biometrics to license drivers is to limit the possibility of people obtaining multiple licenses using different identities (based on different sets of personal particulars).

While less than half the states currently use biometrics, it is clear that biometrics provides significant value in fraud detection. In states where programs using biometrics have already been implemented, initial reviews of legacy databases have enabled investigators to identify individuals with multiple licenses. To give an example, the State of Illinois has used facial recognition technology to search its database of 13 million license-holders fro evidence of multiple license issuance -- so far, the search has turned up thousands of matching records, and one individual who held no less than eight different drivers licenses.

Legislation under consideration

During the past year, many states that had not previously used biometrics as part of their licensing programs have either considered its deployment, or passed legislation that will require or enable the use of biometrics.

• The State of Maryland recently launched a new USD 40 million licensing process. The new license incorporates several advanced security features, and includes a bar code that is designed to carry the holder's biometric data at a future stage.
• In Illinois, legislation is being considered that will introduce a fingerprint-based driver's license and identification card, which will complement the facial recognition biometrics used to locate fraudulent enrollees already in the system.
• In Oklahoma, the legislature is considering a bill that would make the use of fingerprints mandatory when determining the identity of new drivers and people who renew their license. The new system would detect attempts at duplicate enrolments and help to prevent identity theft.
• Although the Texas Senate is considering a bill that would allow a biometric identifier to be used to eliminate multiple enrolments, privacy concerns have slowed progress.
• New Jersey, one of the sates whose driver's licenses are considered comparatively easy to counterfeit, is rolling out a new program in December. Even though a specific biometric has not yet been identified, the program will require photographs to be collected. The new cards will facilitate the future storage of such information.

As additional state legislatures contemplate adding biometrics, the DL agencies must evaluate how biometrics will work within their own process and technology infrastructures. The figure below shows some of the key considerations that affect the use of biometrics. [Existing Information Systems, Level of Functionality, Privacy, Throughput, Accuracy, Technology Obsolescence, Existing Fraud Levels, Customer-Facing Processes, Security, Back-End Processes, Renewal and Issuance Cycles, and Core Technology]

Many of the state-mandated changes under consideration also look to address general weaknesses in the DL issuance process. This will increase enrolment screening and make counterfeiting more difficult. To give an example, New Jersey drivers will be asked to produce either two or three separate forms of identification when renewing their license. The new license will also include several security measures to prevent counterfeiting. According to a report on the subject of counterfeit identification -- released by the US General Accounting Office (GAO) on 9 September 2003 -- such efforts are long overdue. The GAO report details the ease with which federal investigators were able to obtain licenses, using blatantly fictitious documents. In one case, investigators were able to acquire three license under a single name over the course of two days.

However, there are still broad disparities in the standards applied to information gathering and identity confirmation. California legislators are currently contemplating whether or not to eliminate the need to verify the social security number of its license candidates. Should this requirement be dropped, it will allow the State of California to issue driver's licenses to many of the undocumented aliens who drive without either a license or insurance.

National Standards

The American Association of Motor Administrators (AAMVA) faces the task of eliminating this multitude of disparities. Legislation passed in the mid-80s opened the door to the inclusion of biometrics in driver licensing. Since then, the driver licensing agencies have been waiting for biometric technology to become economically and technically feasible before deploying it on a large scale.

Bearing in mind that a single nationwide database of license holders could grow to as many as 300 million records, AAMVA's Unique Identifier Task Group recently engaged International Biometric Group (IBG) to determine if a biometric can be successfully used to conduct a one-to-many match against a database of that size. Within this context, three of the most commercialised biometric technologies are listed below: face, fingerprint, and iris.

Face -- it would be reasonable to assume that because driver's licenses almost always include a facial image of the holder, facial recognition technology is the best biometric to improve the integrity of the license issuance process. However, it is important to consider the challenges of enrolling millions of license applicants in any biometric system, and the convenience of exploiting existing facial images may prove a compelling response to that challenge.

Iris -- the uniqueness of the pattern of the iris (even in the case of identical twins), makes it another key candidate for a one-to-many search application. To date, insufficient field tests have been conducted to determine the scalability of this technology. Moreover, using the iris would require the enrolment of every license holder (iris data has not been collected in the past). Gathering the requisite data would entail considerable costs.

Fingerprint -- the capture of fingerprint samples from millions of applicants will pose a similar logistical challenge. It could also prove extremely controversial on account of fingerprinting's close association with law enforcement and forensic processes. In addition, the largest fingerprint database contains in the order of 60 million records.

Multi-modal -- the ability of multi-modal biometrics to increase the performance of one-to-many searches of large populations was also evaluated. However, such applications would have to minimise the logistical overhead by, for example, obtaining both a facial and an iris scan during a single enrolment session.

Recent announcements by the AAMVA indicate that they are not yet willing to endorse the deployment of biometrics on the scale needed to implement a single national database (i.e. 300 million enrolled users). As its hesitance is primarily based on anticipated error rates, it is clear that a national initiative must be preceded by improved performance, evidenced by large-scale testing.

Privacy concerns

Not unexpectedly, privacy concerns present the greatest challenge. A challenge that must be overcome before a program can be successfully implemented at a state or national level. Although people want to be protected from unwanted intrusion by government organisations, they also want their government to protect them against identity theft and attacks by anonymous terrorists.

Determining (i) the amount of biometric data to include in/on a license (ii) the format to use (e.g., magnetic strip, bar code, contact chip, non-contact chip) and (iii) who will be able to access this data, will prove a difficult task. In some states, concerns about the use of biometrics have reached a point where the implementation of programs is being stalled. In Florida, where the new license was to include magnetic strip technology, it was discovered that vendors would be able to confirm the identity of the bearer before completing a transaction (making the license compatible with readers already present in commercial environments). Concerns about whether or not vendors would use the personal information on the license for marketing purposes have sent the program back to the drawing board.

Challenges for the future

Technology-based challenges may also impede the widespread adoption of biometrics. Some biometrics not only require a greater degree of interaction with the user, but also higher investments in operator training. As far as programs that instantly issue license via local facilities are concerned, lengthy database searches could present an additional burden, adding to existing queues. With some states issuing licenses for up to 10 years (an extreme example, most states stipulate a renewal period of four years), rapid development in the field of biometrics present another hurdle. after all, biometrics collected for the first driver to enrol may be incompatible with those collected for the last driver to renew his her license. Other public agencies dealing with broad-based civil ID programs (such as visa and passport issuance) face the same types of issues.

The efforts of focused working groups within the key standards boards such as INCITS (ANSI JTC1 / INCITS B10.8) and ISO (ISO JTC1/SC17/WG10) will help to address some of the challenges that pertain to driver's licensing. In addition, national legislation aimed at creating a standard across the states has been introduced during successive Congressional sessions. Little of this legislation has become federal law, and it is expected that the broader adoption of biometric technology in the DL arena will primarily be driven by the state agencies.

To be successful in these endeavors, the agencies must determine the problems that they want the technology to solve. While traditional cost/benefit analyses in public-sector projects such as these are more difficult to quantify, the agencies must determine whether the deployment costs are outweighed by the benefits they expect to reap. In addition to economic and logistical issues, trade-offs between increased security on the one hand and public concerns about privacy on the other must be evaluated. For now, the evolution of biometrics within the licensing arena appears to be driven by the commitment -- at state level -- to eliminate fraud and prevent identity theft.  

Kush Wadhwa is Director Europe Middle East and Asia of International Biometric Group. He has published numerous articles on the subject of biometrics and regularly lectures on related topics. Prior to joining IBG, Kush held various positions in high-technology industries, including product and project management, technology development, business development and corporate venturing. He has expertise in the areas of privacy and internet-based applications, enterprise systems and implementations.