Defense Department Under Pressure to Share Biometric Data
Military police in the Middle East who are manning checkpoints or sifting through job applicants for local hires can use the same technology.
Biometrics — the science of identifying a person through his unique body measurements such as fingerprints, iris scans, voice prints or even DNA — has come into its own. Operations in urban areas against enemies who don’t wear uniforms make identifying friends and foes more important than ever.
Technologies that allow investigators to identify suspected terrorists have been sped into the field, but these efforts are not being well coordinated, and that can lead to critical information gaps, and so-called stovepipes, the common term for information and communication systems that cannot link to each other, experts at the Biometrics Consortium conference said.
There are signs that progress is being made, government officials said. A presidential directive that was signed last year will help federal agencies sort out who does what in terms of identity management. The Naval Post Graduate School announced that it will begin a master’s level program in identity management. And Customs and Border Protection is now collecting 10 fingerprints from visitors arriving from foreign countries.
But is all this enough?
“We are still in the throes of a paradigm shift,” said Donald Loren, deputy assistant secretary of defense for homeland security integration.
When he walks into the Pentagon, he still flashes an ID badge with a mug shot.
“That’s identification. That’s not identity management,” he said.
Biometrics is the science behind the larger issue of “identity management.” Collecting a fingerprint is fine, but how should the government store, secure and share — when necessary — the biometric data it collects?
Along with the military services, entities such as the State Department, the Coast Guard, Customs and Border Protection, the Department of Justice and its law enforcement arms such as the FBI — are involved in collecting biometric data.
“The Defense Department is still in the discovery phase of interagency, international and civil support activities” when it comes to biometrics and identity management, said Loren.
“We have to continue to work out the problems,” he added.
The release of National Security Presidential Directive 59 outlined the steps the federal government must take to coordinate all these efforts.
The Defense Department has also set up several working groups and committees to tackle the problem. The National Science and Technology Council subcommittee on biometrics and identity management and the Defense Department’s biometrics readiness group are among them.
“We don’t have a single belly button for biometrics in the Defense Department,” said Tom Dee, who is the point man for the field in the Director of Defense Research and Engineering office. He is charged with keeping an eye on all these programs and ensuring there is a “unity of effort.”
The deputy secretary of defense signed a directive in February defining roles and responsibilities in the Defense Department. The Army remains the executive agent for biometrics, even though that doesn’t mean it is buying systems for the Navy or other services, Dee said.
Two recent Government Accountability Office reports called into question the effectiveness of these Defense Department efforts.
“While [the Defense Department] has stated some general goals for biometrics, such as providing recognized leadership and comprehensive planning policy, it has not articulated specific program objectives, the steps needed to achieve those objectives and the priorities, milestones, and performance measures needed to gauge results,” said the report titled “DoD Needs to Establish Clear Goals and Objectives, Guidance and a Designated Budget to Manage its Biometrics Activities.”
As the title suggests, the Defense Department needs a designated budget for biometrics — a “program of record” — that links resources to specific objectives and provides a consolidated view of the resources devoted to such activities, the report said.
So far, the Pentagon is relying on initiative-by-initiative requests for supplemental funding, the report said.
A second report, “DoD Can Establish More Guidance for Biometric Collection and Explore Broader Data Sharing,” gave a clear example of how the lack of a cohesive strategy for the use of biometrics can undermine military operations.
U.S. forces encountering hostile individuals in Iraq and Afghanistan collect different biometric data. It’s up to the battlefield commanders to decide whether they want to collect fingerprints, iris scans or both. “Allowing for this flexibility results in the collection of different data that are not necessarily comparable to each other,” the October report said.
“Broader national security implications can arise, such as military personnel’s inability to identify someone who has harmed or attempted to harm U.S. or coalition forces,” the report added.
Despite a memo declaring the Defense Department would share all its unclassified biometric information in the spirit of interagency cooperation in the war on terrorism, the Department of Homeland Security complains that it is not receiving regular updates of data it could use, the report said.
Al Miller, a consultant to the office of homeland defense and America’s security affairs, said at the conference that the FBI spent one year trying to track down who in the Defense Department could sign off on a biometrics information sharing agreement.
In written responses to the September GAO report, the Defense Department said it is moving toward making its biometrics efforts programs of record, although not all technologies will neatly fit into one line in the budget. It expects this to happen in the fiscal year 2010 budget request.
As for a lack of data sharing, the Defense Department maintains its own watch list, and said it is sending all the information in it to DHS when the law allows.
Meanwhile, the fight to rid Iraq of roadside bombs is showing how effective biometrics can be in an insurgency, said Konrad Trautman, director of intelligence at Special Operations Command.
Biometric tools, when used on raids on suspected bomb makers’ safe houses, have helped to kill or capture individuals who are involved in the construction of improvised explosive devices at the average rate of two per day for the last two years.
“How many bombs would have been made by those individuals if they were still on the battlefield?” he asked.
The goal is to rapidly exploit the evidence found on a raid site including everything the suspects have touched. There might be five men who claim to be innocent bystanders on the scene. But one might be the operation’s paymaster. All that has to be sorted out as soon as possible, Trautman said.
Collector ID kits are used to gather fingerprints and mugshots. Those records are sent via a small satellite dish to three databases at the Defense Department’s biometrics fusion center, the Army’s national ground intelligence center, and the FBI’s automated fingerprint identification system.
The Defense Department has about 2.2 million files, and the FBI has another 58 million.
Through September, special operations forces have sent 28,000 submissions, with 8,000 matches coming back. And 1,722 of them positively identified the subject as part of an IED cell.
The goal is to receive a response back within 15 minutes. In fact, the usual response time is much quicker — about four and a half minutes, Trautman said.
Other tools, such as link analysis software, can begin to build pictures of a bomb-making network. If intelligence officers can establish a link to another suspect, and they know where he lives, the goal is to launch a second raid within an hour, Trautman said.
This all works great in Iraq where U.S. forces have a free hand, and there isn’t an American Civil Liberties Union lawyer in sight. They can collect biometric data — even their DNA in some cases — from about anyone they encounter from a known or suspected terrorist, a job applicant or a petty thief.
But when operating in other nations, U.S. forces cannot count on having this kind of freedom.
There are no international treaties covering such matters, said Dee.
There are “shady areas” when it comes to collecting biometrics, he admitted. It will depend mostly on bilateral agreements. “It would be up to the host nation for what we’re permitted or not permitted to do,” he said.
Two advocacy groups, Human Rights Watch and Privacy International, wrote a joint letter to Defense Secretary Robert Gates in July 2007 questioning the collection of biometric data from ordinary Iraqi citizens, who aren’t suspected of breaking any laws.
“We recognize the strategic military importance of identifying threats to American military personnel,” the letter said. “However, these tactics also strip away a substantial privacy measure for Iraqi citizens in the midst of a conflict that flows from deep religious and ethnic division.”
The letter questioned what would happen if the data were turned over to Iraqi authorities and then later misused.
“The massive aggregation of secret files on Iraqis, linked to permanent biometric identifiers, creates an unprecedented human rights risk that could easily be exploited by a future government,” the letter said.
William Gravell, special adviser to the secretary of the Navy for identity management, and several other Defense Department officials, acknowledged that if privacy is not protected, then public acceptance for biometrics will evaporate. It will become one of those technologies that works well, but is not acceptable to use.
“Strong identity management does not necessarily mean weak privacy,” he said.
Capt. John Boyd, the Navy’s program manager for identity management capability, said the Navy during the last two years has collected only a few hundred mugshots and fingerprints.
The rules for what the Navy can do when boarding a foreign vessel “are totally different from Iraq or Afghanistan,” he said.
Trautman said that having the right policies, techniques and procedures in place for partner nations will become vital.
“The policy allows us to lash that together, not just for the domestic intelligence concerns but international policy as well or bi-national policy,” he said.
Miller said the United States has bi-lateral agreements to share biometric data with about 25 countries. Every time a foreign leader has visited Washington during the last few years, the State Department has made sure they sign such an agreement.
He expressed some concern that the momentum for identity management within the federal government, and the efforts to sign these agreements, will falter with the change in administration in 2009.
“Today’s policies are stressing the negative — who are the bad guys,” Miller added.
“We have to look at some goodness at what we are doing — protecting those on bases and their families with biometrics.”