The technology has arrived.
The science of biometrics, the identification of a person through his or her physical characteristics, made great strides in the aftermath of 9/11.
Retina scans, voice imprints, 10-fingerprint readers have all benefited from digital technology, and are being used today, a panel of government experts said.
How to manage this information, protect the privacy of citizens and share information across federal agencies that have different regulations and reasons for collecting this data is the hard part, they
added.
“There is a lot of gray areas and unknown space as we move ahead,” Ben
Riley, director of the Rapid Reaction Technology Office in the Defense
Department, said at a Center for Strategic and International studies
panel discussion.
Biometrics is the science. What to do with all the data is referred to
as “identity management.”
The policies, laws and regulations, however, are lagging.
And it’s a technology that makes some members of the public squeamish.
There are laws on the books regulating what kind of data the government
can collect from its citizens. But the last major piece of legislation
spelling out these rules passed in 1974.
In a foreign battle zone where armed forces encounter non-U.S.
citizens, a soldier may have great leeway in collecting data such as
fingerprints from captured enemies, suspected insurgents or those
seeking employment on a forward operating base. The goal in this
scenario is simple: classify people as “friends,” “enemies” or
“neutrals,” said Tom Dee, director of defense biometrics at the Defense
Department.
“For non-U.S. citizens, it’s really fuzzy on what we have to do,” said
Dee. There is no such thing as a global privacy act. There are only
bilateral agreements.
When a person presents himself at a checkpoint in Afghanistan, for
example, he could be anyone from a “known or suspected terrorist” to a
CIA official with a high level security clearance.
As far as the military is concerned, “the more data you have, the
better off you are” in making the decision to let that person pass the
checkpoint or not, he added.
If someone is classified as an “enemy,” or has potential ties to
terrorism, ideally, the Defense Department should be able to pass the
name of the suspect on to the Department of Homeland Security where
immigration officers can call up his biometric information should he
attempt to enter the United States.
The Defense Department has made the Rapid Reaction Technology Office
the lead in ensuring all the services are on the same page as far as
sharing biometric data within the military community. Since it is a
relatively new technology, officials hope they can avoid the pitfalls
of the past when “stove-piped” information systems were created that
did not allow different users to share critical information in a timely
and efficient manner.
But when and how can the Defense Department share what it knows with
other agencies?
DHS, for example, has strict privacy laws. The department is under no
obligation to extend privacy protection to non-U.S. citizens when it
collects data of passengers traveling between nations, but does so
anyway in the name of smoothing over relations with allies, said
Patricia Cogswell, associate director of DHS’ office of policy.
DHS and the European Union have tussled in the past over what kind of
passenger data can be collected.
The department is on the forefront of the issue because its officers
are often the ones the public interacts with the most, she said.
Dee agreed that the challenges of biometrics are now “less and less
technical and more and more policy.”
There are many presidential directives demanding that agencies share
information seamlessly, said Peter Swire, an Ohio State University law
professor and senior fellow at the Center for American Progress. That’s
easier said than done.
Some liken the solution of linking different biometric databases to a
series of “switches.” When a policeman encounters a U.S. citizen and
wants to run a background check, only a few databases would be
“switched on.” A non-U.S. citizen here on a tourist visa might allow
for more databases to be opened up.
Gerald Epstein, senior fellow for science and security at the Center
for Strategic and International Studies, said federal agencies will
have a hard time employing the “different conditions, different
switches” paradigm.
There are three government communities gathering and using the data:
law enforcement, immigration and spy agencies.
They collect this data from U.S. citizens who are afforded rights under
the U.S. Constitution, those entering the nation from abroad who fall
under DHS’ purview and an intelligence gathering community “that
doesn’t care about the privacy rights of the people it spies on,” he
said.
In the long run, these three categories are going to be incompatible,
he said.
“We will have a system where we will choose our evils and we will live
with them. We are not going to have a system that we’re all going to
think is optimal,” Epstein said.
A federal effort to resolve these issues, nevertheless, is underway.
In June, President Bush signed National Security Presidential Directive
59, which established a framework for federal and executive departments
and agencies to use “mutually compatible methods” to collect, store,
use, analyze and share biometric information of individuals “in a
lawful and appropriate manner, while respecting their information
privacy and other legal rights under United States law.”
Duane Blackburn, the chief White House advisor on the biometrics and
identity management issue, said the directive was the result of several
years of work.
It has five thrusts: the rapid integration of existing technology to
meet critical needs; the advancement of future biometrics technology;
the further development of privacy regulations; and the elimination of
so-called stove-pipes of information that prevents different agencies
from sharing critical information.
The fifth and most important goal in his mind is to educate the
government and U.S. citizens on the capabilities of biometrics
technology and how and when it is appropriate to use.
Until 9/11, biometrics was considered “an interesting little niche
technology,” Blackburn said. The public knew nothing about it other
than what they had seen in highly imaginative movies.
Not only is the public misinformed, those in the industry are as well,
he said.
Technologists working on new devices have little knowledge of privacy
regulations, and the government lawyers and bureaucrats know little
about the technology, he said.
“It’s like one group is speaking French and the other is speaking
Spanish,” he added.
Blackburn unintentionally gave an example of the gray areas when he
referred to those classified as “national security threats” and those
who are “not legally classified as terrorist threats.”
When a reporter pressed him on whether he could provide an example of a
person “not legally classified as terrorist threat,” he declined to
answer.
“That is exactly what the presidential directive tells us to do.” Those
definitions are under discussion, he said.
Janet Boodro, senior analyst at the Department of Justice’s office of
the chief information officer, also mentioned a miscellaneous category
where a citizen could find his biometric data put in a file.
The Justice Department keeps lists of “known or suspected terrorists,”
wanted criminals and “other persons of special interest.”
When she was asked who these “other persons” could be, she also could
not define them.
“When that information is defined, it will be transparent,” she said.
An interagency task force comprising the Justice, State, Defense and
Homeland Security Departments as well as the Office of Director of
National Intelligence will have until June 2009 to complete its work
and define categories beyond “known or suspected terrorists.”
Meanwhile, there are about 56 million entries in the FBI Integrated
Automated Fingerprint Identification System database, which is located
at an underground facility in Clarksburg, W.Va. More than half are not
criminals, but presumably law-abiding citizens who have submitted to
criminal background checks because a job application requires it. Some
in the criminal database are those charged with a crime, but never
convicted.
The FBI last year gave Lockheed Martin a 10-year, $1 billion contract
to expand and update the database.
Despite this large number, six of seven U.S. citizens have never been
fingerprinted, some panelists pointed out. The government collecting
bodily measurements and storing them in an underground facility
understandably makes privacy advocates nervous.
Swire said the numbers of stakeholders in this debate is much larger
than the government agencies.
“It’s 300 million citizens. It’s a how biometrics are going to be used,
or compromised, or used well or badly in a huge range of domestic
functions.”
“What does that mean for voting in the United States, for immigration
in the United States or for how you pay at the bank in the United
States?” he asked.
“Data breaches can happen and fingerprints being compromised is a
problem,” he said.
If collecting fingerprints to verify an identity becomes the norm, what
if someone spoofs them or tampers with the data?
When an identity is stolen, it’s already a bureaucratic nightmare to
obtain a new Social Security number, he noted.
“It’s hard to get a new fingerprint,” he added.