San Francisco Chronicle

Identity Politics:  The science of biometrics - in which your physical traits are the password- is stirring debate from Silicon Valley to Washington, D.C.

March 3, 2002
By Marianne Costantinou

So there you are on the Golden Gate Bridge, heading into the city. Sun's out. All's right with the world. You fork over your $3 toll. Then you flip up your sunglasses and give the tollbooth guy the eye. Right or left, it - doesn't matter. By the time you've slid your glasses back on, a camera has taken a picture of your eyeball, scanned your iris, and compared it to those of terrorists and criminals, known and suspected. If you get a green light, you can go on with your life. If it's red, well, get ready for sirens and a few questions.

It sounds like the stuff of futuristic novels and spy thrillers. But scenes like this are already happening every day, all over the world. Soon, it'll be happening here in the United States and, yes, even in our mellow Bay Area. And since the terrorist attacks of 9-11 - with the nation's obsession with security and ferreting out "the evil ones" among us - the push is in overdrive, with Congress and President Bush jumping on the bandwagon, passing laws and spending millions to make it a reality.

The Summer of Love is yesterday, baby. This is the 21st century, the Age of Biometrics.

It's a geeky name, biometrics. But just like computers, that other geek innovation, biometrics is going to change our daily lives, from opening real doors to opening virtual ones.

In case you have any doubt, just look in our own backyard. Silicon Valley is home to three of the world's biggest biometrics companies: Identix, based in Los Gatos, which does fingerprint scanning; Recognition Systems in Campbell, which measures hands; and Drexler Technology in Mountain View, which makes the optical cards that store the coded images. Since 9-11, company officials say, they've been besieged with calls - and sales. Little wonder the industry expects its revenues to quadruple this year, to $1.95 billion.

"The catalyst for the biometric industry was 9-11," says Prianka Chopra, an industry analyst for the San Jose office of Frost & Sullivan, a research and consulting firm. "Before that, they had no driving force. Each year they'd say 'This is the year when biometrics will become mainstream.' Each year, it didn't happen.

"The common man did not know what biometrics was. Now they see it on TV, read about it in the papers. The attack has done a spectacular PR job for the industry."

Biometrics is the science that uses your body as a password. Not your whole body, just the parts with patterns that are virtually unique: the patterns in your fingerprints and your iris, the geometry of your hand, the topography of your face, the inflection in your voice, the rhythm of your signature.

Proponents say that biometrics provide security and convenience by establishing either verification, also known as authentication ("Are you really who you say you are?"), or identification ("Who are you?"). But critics point out the technology is finicky and makes mistakes. And civil liberties advocates warn that biometrics could be a Pandora's box, threatening our privacy and smacking of Big Brother.

Whether it becomes convenient or oppressive, one thing's for sure: It will be pervasive. Credit cards, drivers licenses, passports, employee Ids... stadiums, shopping malls, airports, government building... computers, ATM machines, your workplace, your office parking lot. Anyplace you need a photo ID or a password, anywhere you go through a metal detector or even a door, any time your identity - and your background - has to be established, a biometric can within seconds prove that you're really you, and whether you're someone to worry about.

With biometrics, the days of taking someone's word, or even their password, will be a quaint memory.

You can't forge, lose or forget a biometric. Or, as folks in the biometrics world like to say: You can't leave home without it.

In fact, biometrics will even be in our homes, checking us out before we unlock our front doors and log on to our personal computers. Panasonic has just come out with an iris reader for desktop computers that does log-ons and videoconferencing, all for $239. Five years ago, it would have cost $5,000, and that's without his company's software, says Bill Voltmer, president and CEO of Iridian Technologies of Moorestown, N.J., which holds the patent on iris recognition. A desktop fingerscanner can be had for less than $50, and is on the mouse or keyboard of some new PC models.

A SHADOW SCIENCE

Biometrics has been around since the 1960s, but it's been a backwater technology, with personal computers and the Internet and digital gadgetry stealing the limelight. While its counterparts revolutionized how people lived, biometrics was seen merely as a niche player in the security business, its chief purpose to control people's physical access in such high-security areas as prisons and bank vaults. It just -wasn't sexy.

But as other technologies became more complex and biometrics' own technology improved, so did its possibilities. In recent years, biometrics began to be peddled as a tool to combat some of the problems endemic to its sexier counterparts, such as computer hacking, credit card fraud, identity theft and password overload.

Yet, even though interest from big companies and government agencies grew, and its revenues increased at a respectable clip, biometrics remained a shadow industry, little known to the public.

Then came the terrorist attacks on the World Trade Center and the Pentagon. Suddenly, biometrics became hot, intertwined with the magic words "homeland security."

"We always knew it would take some major event for biometrics to really become apparent to the world," says Damon Wright, spokesman for Identix.

The timing for biometrics -companies couldn't be better. A New York Times/CBS News poll after the attacks found that 8 in 10 Americans believed that they would need to give up some of their personal freedoms to make the country safe from terrorism.

Within weeks of 9-11, President Bush and Congress announced at least a half- dozen laws and directives to include biometrics at airports and border crossings, and on the passports and visas of foreign visitors. One law even recommends that U.S. citizens who fly be issued Trusted Traveler ID cards with biometrics. And several airports - including Fresno Yosemite International Airport - are experimenting with facial recognition systems, scanning the faces of travelers in hopes of snaring a terrorist.

Public transit systems like BART ordered finger-scanning equipment to check out employees' backgrounds and to monitor access to secure areas. San Francisco International Airport, which has been using hand scanners for a decade to control its 16,000 employees' access to secure areas, also bought the fingerprint devices to double-check backgrounds. In the first 3,000 checks against the FBI's vast criminal database, says airport spokesman Ron Wilson, 29 employees came up with felony records.

Interest has also spread to using biometrics in everyday life. State motor vehicle administrators, citing the universal use of drivers licenses as ID cards, recommend adding a "unique identifier" to them, and then linking state files to a national database. Silicon Valley honchos Larry Ellison of Oracle and Scott McNealy of Sun Microsystems have gone one step further, calling for biometrics to be added to what has been historically viewed as anathema to a democratic society: an official National ID card. Even Wall Street is sold. While the stock market nosedived after the attacks and has stayed gloomy, biometrics stock prices have soared.

So has the industry's cachet, with executives besieged with requests to spearhead conferences, conduct press interviews and even testify before Congress. Joseph Atick, the co-founder and CEO of Visionics, a facial recognition system based in Jersey City, N.J., and the industry's most visible spokesman, hopscotches across the country to spread the gospel of biometrics. He's become such a player that in January he was named one of the year's top seven entrepreneurs by Business Week, and was the subject of a New York Times profile.

GETTING TO KNOW ALL ABOUT YOU

Although still new to the American public, biometrics is widely used - and accepted - abroad. National ID cards with biometrics are carried in many countries, including Italy and Hong Kong. Iris scans are used to check workers commuting across the border between Malaysia and Singapore. Israel uses facial recognition to monitor activities along the Gaza Strip. Frequent air travelers who have had their backgrounds checked by Interpol and their irises photographed get to bypass immigration lines in the Netherlands. In Mexico and Uganda, voter registration cards include biometrics to prevent voter fraud.

In contrast, use in the U.S. has been discrete, relegated mostly to those viewed as marginal or powerless. For example, foreign-born residents have been issued Green Cards with digital photos and fingerprints. Mexican workers crossing the border need ID cards with fingerscan codes to verify their identities. Welfare recipients across the country have ID cards with biometrics to cut back on fraud. Casinos use facial recognition to look for known cheaters before they hit the gambling tables. Biometrics helps keep track of parolees and probationers. Factory workers check in at finger- scanning or hand geometry readers, replacing the old time-punch cards.

But attempts in the U.S. to impose biometrics on the general public have been met with resistance. That is, until 9-11.

At the 2001 Super Bowl in Tampa, stadium spectators had their faces scanned without their knowledge, using facial recognition software developed by Viisage Technology, based in Littleton, Mass. Officials and Viisage company executives later claimed the scans were used to look for terrorists. But the 19 matches were only of ticket-scalpers and pickpockets, proving to critics that the database was filled with more than just terrorists or even felons. Months later, Tampa set up Visionics' faceprint system in its nightlife district as a way to curb crime, becoming the first American city to openly conduct blanket police surveillance on public streets.

Unlike the Super Bowl experiment, the sidewalk surveillance was publicized and visible. But though no arrests were made in either instance, the use of facial technology to monitor ordinary citizens alarmed privacy groups.

To civil liberties experts, biometrics - especially facial recognition, which can be used clandestinely - is a threat to privacy and anonymity, hallmarks of a free society. They believe the technology can lead too easily to the dreaded surveillance society.

"We live in an era when information about us is being sucked up at an alarming rate, and is used in ways we had absolutely no idea… ," says Deirdre Mulligan, director of the Law and Technology Clinic at UC Berkeley.

"We take the ability to walk around with a degree of anonymity for granted. We -don't want everyone to know everything about us. We -don't want to be forced to wear a bar code on our head, so everything about our movements is recorded."

BUT IS IT READY FOR PRIME TIME?

The Tampa experiments also highlighted questions about the technology's accuracy and reliability.

The American Civil Liberties Union reviewed the results of the five-month project in Tampa's nightlife district, says Barry Steinhardt, the ACLU's associate director. They concluded that the system flagged an average of 1 in 500 pedestrians as matching a known or suspected criminal. In each case, says Steinhardt, the match turned out to be a mistake. What's more, the mismatches were often comical, with mature adults identified as juveniles and women mistaken for men. Though no arrests were made, Steinhardt says, "A lot of good people were stopped and hassled" by police following up on the matches.

Of all the biometrics, facial recognition is the most criticized as unreliable. Lab tests by two of the nation's biggest testing centers - the Biometrics Fusion Center in West Virginia, run by the U.S. Department of Defense, and the International Biometric Group, a research and consulting firm in New York City - show that the science is not there yet.

Facial technology is "very promising," says Paul Howe, deputy director of the Biometrics Fusion Center. "But it's not ready for prime time."

Testers at the two facilities concluded that, despite the face-recognition companies' assertions to the contrary, a whole slew of variables - sunglasses, hats, beards, age, the angle of the head, lighting conditions - can create a false positive or a false negative. At the Defense Department, says Howe, one guy with a beard kept getting recognized as a woman who worked there.

But all the biometrics have shortcomings, he adds: "There's no one best biometric."

The iris is accepted within the industry as the most statistically distinct, even more so than fingerprints. And it allows for the fastest comparisons against a database, checking 100,000 records of iris codes in two seconds, compared with 15 minutes for a finger-scan to do the same task.

But iris technology is fussy, says Samir Nanavati of the International Biometric Group. Glasses and colored contact lenses can skew the -results. And you have to stand a certain distance from the camera and hold still for it to get a good fix on your eyeball.

Meanwhile, hand readers can be affected by jewelry and weight gain. Voice recognition is skewed by background noise, and whether an analog or cell phone is used. Finger scans are influenced by the pressure and dryness of the finger on the scanner. And a woman in the Pentagon with long fingernails, says Howe, - couldn't get the machine to read her fingerprint.

Even if the technology were perfect, industry leaders admit biometrics is not a panacea.

"There is no technology in the world that could have prevented September 11, " says Voltmer of Iridian.

Sometimes, common sense, an old-fashioned photo ID, and instincts are enough.

"For a quarter of the customers who come through my door, I -don't recommend biometrics," says Nanavati. To protect his family at home, for example, he -wouldn't choose any of the biometrics.

"The truthful answer," he says, "is that I have a doorman and I happen to think that's very secure."

LEARNING TO LOVE SURVEILLANCE

Given its propensity for mistakes, critics feel the rush to biometrics is premature -- especially with the current absence of government regulations.

Privacy experts worry that linked databases will create dossiers of our personal lives and track our movements. Many also worry that the government might use the fight against terrorism as an excuse to build files on everyone, since anyone could ostensibly be a terrorist.

"Who decides who's a terrorist?" asks James Dempsey, deputy director of the Center for Democracy & Technology in Washington, D.C.

"How about 'suspected' terrorists and people 'suspected' of a crime? Could that be someone who shows up at a protest for peace in the Middle East or against U.S. involvement in Afghanistan?"

Even proponents of biometrics -can't deny its inherent dangers.

"Like any technology, you have the potential for good and for bad," says attorney John Woodward Jr., an analyst for the Rand think tank and a former CIA agent. "I -don't want to treat biometrics as a sort of technology heroin - '-Don't use it. It's bad.' "

Still, he admits, "It can be used for evil, no doubt about it. I think China or Iraq will be very interested in this technology, and not in a benevolent way."

Industry leaders feel the fears are misdirected.

"It's not the technology that's at fault," says Atick of Visionics . "If our government tries to keep track of people who protest against us, it's shame on us. It's our system of government. It's not the technology that makes evil."

Besides, much of the potential power of biometrics is already possible with the information age.

Visit a Web site and invisible "cookies" are left behind, recording your visit. And soon cell phones will include global positioning systems that not only can locate you in an emergency, but can track all your movements.

Commercial databases exist, used daily by journalists, that need only your phone number or birthdate to reveal your name, where you live now and where you have ever lived, the names of all the people who have ever lived with you, the names and phone numbers of your neighbors, what real estate you own and the amount of your mortgage loan, the type of car you drive and whether you own a plane or boat, whether you've been named in a criminal or civil suit, and sometimes even your Social Security number.

Though it might feel private, a biometric code of your iris, hand or fingerprint -can't reveal anything personal about you, says James Wayman, director of the National Biometric Test Center at San Jose State University.

"I'll be happy to send you my iris code. What are you going to do with that?" says Wayman, who has posted his hand-geometry code online. "There's no information in your eyeball. I -can't tell if you're a woman or a man, your age, nothing.

"But I -don't give out my phone number or my Social Security number. I - don't carry a cell phone on me. I keep it in the car and I -don't leave it on.

"People should be worried about privacy," Wayman adds. "But not because of biometrics."

Since starting a facial recognition project at Fresno airport in October, Ron Cadle says he's been besieged by calls from civil liberties groups and the press.

Cadle is a vice president of Pelco, the world's biggest video-surveillance manufacturer, based in Fresno. Name a mall, stadium, casino, government or office building, bank, airport, warehouse or parking lot, he says, and chances are his closed-circuit cameras are there, watching the interior - and the public streets around it. The cameras can zoom in to read a license plate two miles away.

To Cadle, getting all excited about comparing the faces of plane passengers against a database of less than 1,000 terrorists and FBI bad guys is a lot of brouhaha about nothing.

If surveillance and loss of privacy are your fears, it's too late.

"When you walk down the street, when you go into a store, when you go into a mini-mart, you're being videotaped," says Cadle. "Start looking up and you'll be surprised how many cameras you see, on ceilings, on the sides of buildings. Look up, it's all around you, everywhere, looking at you.

"It is a brand new, different way of life - but it's already here."

How you measure up

When you meet someone, you notice their looks. Height. Weight. Hair Color. Eye Color. Build.

Problem is, just describing someone as blonde or muscular or even 6'2" - doesn't always pick 'em out of a crowd. So, you look for distinct features: a scar, a tattoo, a limp, and so on. These help better identify someone.

That's what biometrics does. It picks the body parts and behavioral traits that are distinct to all of us, measures them mathematically, and assigns them a digital code that's put in a database, or on a Smart Card or optical card. So, next time you use your Visa card or try to get into a private office, you're not relying on the cashier to see if your photo ID or signature really match, or if the security guard recognizes you. And since you have to have your fingerprint, say, taken again when you try to get access and have it match the coded image on file, there's no fear that the card is stolen or forged and that you're a fake.

So far, scientists have decided that each person's fingerprints, irises, hands and faces have so many distinct patterns and dimensions - the distance between the nose and lip in facial recognition, for example, or the width of a thumb in hand geometry - that they can be used as a biometric. Irises, for example, have some 400 traits, making each iris so unique it's believed that in the history of mankind no two irises have been identical.

Biometric companies are also studying behavior such as voice recognition, which measures inflections, among other things. In signature recognition, scanners note how fast you write, how hard you press down, how you dot your i's, and when you cross your t's.