Newsweek

'Very, Very Accurate'

A biometrics consultant argues in favor of the technology used to fingerprint and photograph visitors to the United States

January 7, 2004
By Brian Braiker

Visa-toting visitors to the United States were greeted this week with a new kind of a welcome: a demand for fingerprints and photographs. With little fanfare, the U.S. Department of Homeland Security kicked off its United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program to track the millions of people who come to the country every year on business, student and tourist visas--and to cull information in the fight against terrorism. The program is a direct result of federal legislation implemented in the aftermath of September 11: The Patriot Act, the Enhanced Border and Visa Entry Reform Act and the Aviation and Transportation Security Act all mandated some kind of biometric identifier to enhance public safety. The Visa Entry Reform, for example, will not only require biometric identifiers on every visa, but also on the passports of other countries from which the United States doesn't require a visa.

NEWSWEEK: You're a consultant in this field.

Raj Nanavati: As an organization, we provide biometric consulting and technical integration services as it pertains to the U.S. border-crossing project and US-VISIT. Because we have been working on behalf of the government, we cannot deploy the system. So on this particular project we are working on behalf of the government to help them evaluate the technology.

How reliable is this technology? Do these fingerprinting screens get smudged or difficult to read over time?
The reliability and accuracy issue can be fairly complex and encompasses a lot of different factors. At a high level, the fingerprint device themselves are very accurate. There is some degree of variance within the industry of different products. The better fingerprint devices are using the better algorithms [that] perform with error rates that are substantially less than 1 percent. They're very, very accurate in terms of making sure the correct person is who they say they are and not falsely identifying people.

But people are operating this technology, so there must be a component of human error.
In any kind of technology deployment there are secondary issues. For example: do they clean the [screens that read the fingerprints]; do people understand how to place their fingers correctly. And all those vary from application to application. Here you have a controlled usage, you have someone supervising the person placing their finger--they're not doing it at an unmanned kiosk. If the [screen] is obviously dirty, it can be cleaned very simply. For example, in New York City the people who get welfare benefits are fingerprinted and between its uses, they just wipe it off once. It takes half a second. No big deal. The devices have been designed specifically to accommodate for that, so they have certain materials on the surfaces themselves that don't attract dirt and debris building up on it and they work very, very well.

Do you know what the rate of false positives is on this recognition technology?
For better or worse I can't quote you one number, because I don't know that's it's been established exactly what's going on with these fingerprints once they're captured. And secondly, the rates can be modified. Given the business requirements of the application, I can set the false acceptance rate higher and the false rejection rate might drop a little bit and vice versa. Or I could say, I don't need as good an enrollment image because I want to make sure I capture everyone's fingerprint knowing that I might get more false matches later on, but everyone's enrolled into the system. So there are all those factors and then other quality checks and ancillary factors we talked about--how do people place their fingers and those kinds of things. But generally speaking, with the good quality fingerprint scanners and with systems that are monitored and used appropriately, you can get error rates below 1 percent for false matches and false acceptance. Substantially less than 1 percent.

What about facial recognition technology?
Facial-recognition technology is not as accurate as fingerprint. It works with standard photographs, so you don't necessarily need new hardware that's customized for the application. And in some people's eyes it has less of a privacy concern because it's not possible to tie in with any law enforcement databases. But as a counter to that, it's not as accurate for reasons that are somewhat intuitive. Your facial features change. Your fingerprint pattern doesn't really change. But if you grow a beard or you completely change your hairstyle or you're wearing glasses or you gained 50 pounds or the camera doesn't capture at the right angle ... If you place your finger correctly on the fingerprint device and you've got a decent fingerprint, it's probably going to capture a good print. With facial recognition, if you're looking at an angle of 15 degrees, the camera may not capture a good image, or there's a shadow on half of your face. And those things complicate the process.

Once they record your fingerprints and take a picture of your face, what are these devices searching for?
I'm not sure myself, and I'm not sure they've released it. Based upon what I've read, they're comparing it against a watch list of nondesirables. Whether that watch list specifically is terrorists or felons or whatever the case may be, I'm not certain. By way of example, the FBI has a database of 40-plus million images in it. If the police go to a crime scene and lift images, they can set it against the FBI database. It's not instantaneous, but it comes back within a relatively short time frame [allowing them to say] "OK, there is a match or it isn't a match against people in the database." So there is the ability of fingerprint technology to work in very large databases, but that factors into the time and the cost of the system. If it were to take, for example, even five minutes to respond, then it would slow down travel. So they're not matching it to the full 40 million-person FBI database, but maybe they have a database of felons--the top most-wanted, people who have outstanding warrants and terrorists they've captured in the past--and maybe it's a few thousand that are in that database and they're matching that quickly.

How vulnerable is the system to crashing or getting hacked into?
In terms of the technology, it's very simple to draw an analysis to any IT infrastructure out there. There's nothing unique with fingerprint technology or the camera face-recognition system in terms of how technology operates. If there's a power failure and they don't have backup, it's not going to work. But the same thing would have to happen at the reservation desk or the ticketing counter at an airport. It's no more or less likely to fail than those are. In terms of being able to hack into it, a similar rationale applies there also. I would imagine that they deployed appropriate standard IT protocols and firewalls and use encryption and make sure there isn't the raw images being processed through the Internet and things like that. The information is secured in a way that it is perfectly reasonable to be sending biometric data through their network. When you communicate with your bank, you are sending your account number and your password and all that stuff is going through the Internet and people seem to be very comfortable with that because precautions are in place. The same things are happening here.

Brazil has bristled at this policy and is retaliating by implementing their own fingerprint system.
I think the idea or reciprocity is understandable and acceptable. If we're requiring people from non-visa-waiver countries to be fingerprinted when they come into the United States, then requiring that U.S. citizens are to be fingerprinted when they come through their country in my eyes seems reasonable. They're not going through any unduly invasive process--you're placing your finger on a piece of glass for a second. Who cares? I think people have a knee-jerk reaction to this technology and perhaps may not be as familiar with exactly how it operates and the motivation and impetus for utilizing that system. We're not doing it to make life more difficult for Brazilians. We're doing because there is a very clear and understandable security concern that everyone in the world recognizes.

Is the technology they will be using in Brazil comparable to and on the same level as the technology used in airports here?
There are a variety of different fingerprint technologies. We have consultants for perhaps a dozen different countries who are considering using fingerprint or iris or facial recognition also, and generally they would operate in a similar fashion. Maybe instead of doing two fingers it would be four fingers, maybe it would be one finger. They general overall process would be somewhat similar, I imagine.

As part of the facial-recognition process, Muslim women are being asked to remove their veils in public. Is there a fuzzy line between respecting people's privacy, religious or otherwise, and national security? 
There is a balancing that has to go on between security and privacy concerns. I think the officials that are deploying the system took a careful look at specifically the issue of veils because obviously that touches upon parts of the world that have been associated with terrorism. They probably looked at the factor and said, "Well, they simply have to remove the veil for a few moments in order to be verified." Practically speaking, when the official looks at your passport, he needs to verify you manually that you're the right person holding that passport. You need to look at that person's face--there's no other way of doing it. It applies to everybody.

What will airports look like in 20 years time?
I still see there being a variety of technology because of different cultural and political attitudes in different countries, if you're talking in a global sense. For example in the United States, people get fingerprinted when they take the bar exam, if you work in the securities industry, if you're a teacher, if you're a hairdresser in some states you have to be fingerprinted. In Australia, you're essentially only fingerprinted if you're a criminal. So using fingerprint technology by the government there at airports for a civilian application is probably not going to be acceptable. In fact, they're focusing more on facial recognition. So different countries will pick different technologies that are more in tune with their own cultural values and norms. In terms of the process at any one given airport, I think biometrics will be part of the long-term permanent process as people become more familiar with the technology as part of being authenticated at airports. It's not a panacea and it's not designed for every single deployment in the world. But at airports [where] you need high security [and] where there's an infrastructure to support the use of this technology, it is a very good idea.