05-19-2004

TABLE OF CONTENTS(Click on Section)

PURPOSE

BACKGROUND

WITNESSES

The purpose of this hearing is to discuss the use of biometric technologies to improve aviation security, including the status of efforts to develop operational and technical standards for biometrics.

Currently, each airport is responsible for securing its perimeter against access by unauthorized persons and vehicles. In addition, each airport must control access to both "sterile" areas and "Secure Identification Display Area" (SIDA) areas within the airport. The sterile areas are the areas of the terminal beyond the passenger screening checkpoints where properly screened passengers and properly credentialed employees are allowed to be. The SIDA area is primarily the "airside" of the airport but also includes those areas of the terminal where no passengers are allowed.

Each airport has a badging office that issues "sterile badges" to personnel requiring access to the sterile areas (e.g., employees of businesses located beyond the screening checkpoint) and SIDA badges to personnel requiring access to the SIDA areas (e.g., airline employees and employees of companies that service aircraft). Flight crews typically carry multiple SIDA badges, one for each airport in which they work.

Federal law requires a criminal history record check to be performed before sterile or SIDA badges are issued to an individual. In addition, there are Federal requirements that a security feature, such as a hologram, be incorporated into the sterile and SIDA badges. Local jurisdictions have in some cases chosen to adopt additional security requirements. For example, at least one airport performs a name-to-social security number check before issuing sterile or SIDA badges.

The Federal Aviation Administration's air traffic control facilities are often located within the SIDA area. The FAA is responsible for controlling access to those facilities, and issues an additional badge to its employees to authorize access to the air traffic control tower. Therefore, FAA employees need to carry both a SIDA badge and an FAA badge.

SIDA and sterile badges are often used in conjunction with other security features such as a pin number that must be entered before a controlled access door will open, but typically are not used in conjunction with biometrics.

Biometrics could be used to improve employee identity verification and access authorization, passenger identity verification, and flight crew identity verification. Adding biometrics to existing access control systems and security procedures could potentially protect against unauthorized access using lost, stolen, or forged badges; a terrorist on watch list attempting to obtain a credential using an assumed identity; and impersonation of a pilot, other flight crew member, or air traffic controller, by a terrorist.

There are many different types of biometric systems, including facial recognition, hand geometry, iris recognition, retina recognition, and speaker recognition¹. Each of these systems involve similar processes that can be divided into two stages: (1) enrollment and (2) verification or identification.

Enrollment

In enrollment, the person provides an identification document to prove his or her identity. The biometric will be linked to the identity specified on the identification document. Therefore, if the identification document does not specify the individual's true identity, the reference template will be linked to a false identity. The quality of the identifier presented during the enrollment process is key to the integrity of a biometrics system.

After presenting an identification document, the person then presents the biometric (e.g., fingertips, hand, or iris) to an acquisition device. One or more samples are acquired, encoded and stored as a reference template for future comparisons. How biometric systems encode and store information in the template is based on the system vendor's proprietary algorithms. Templates can be stored remotely in a central database, within a biometric reader device itself, or on smart cards.

Since small changes in positioning, distance, pressure, environment, and other factors influence the generation of a template, each time an individual's biometric data are captured and a new template is generated, that template is likely to be unique. Therefore, a person may need to present biometric data several times in order to enroll. The reference template may then represent an amalgam of the captured data, or several enrollment templates may be stored. In addition, because biometric features can change over time, people may have to reenroll to update their reference template. Some technologies can update the reference template during matching operations.

Verification

In verification systems, the goal is to verify that a person is in fact who he or she claims to be. After a person presents his or her identification document and biometric, the system captures the biometric data and generates a trial template. It then compares the trial template with the person's reference template, which was stored in the system during enrollment, to determine whether or not there is a match.

Verification is often referred to as "one-to-one" matching. Even though the system's database may contain millions of reference templates, only one needs to be compared to the trial template. Nearly all verification systems can render a match/no-match decision in less than a second.

Identification

In identification systems, the goal is to identify who the person is. Unlike verification systems, no identification document is necessary. Instead of locating and comparing the person's reference template against his or her presented biometric, the trial template is compared against the stored reference templates of all individuals enrolled in the system. For this reason, identification systems are referred to as "one-to-many" matching.

There are two types of identification systems - positive and negative. Positive identification systems determine whether a person seeking access can be identified as having been enrolled in the system. Negative identification systems are designed to ensure that a person's biometric information is not present in a database. For example, a negative identification system may be designed to identify people on a watch list.

Biometric systems cannot identify individuals with 100 percent accuracy. No match is ever perfect in either a verification or identification system, because every time a biometric is captured, the template is likely to be unique. In addition, the longer the period of time since the individual enrolled in the system, the less accurate the system may be, since biometric features may change over time.

The key performance metrics related to accuracy are false match rate, false non-match rate, and failure to enroll rate.

False Match

A false match occurs when a system incorrectly matches an identity. In verification and positive identification systems, a false match could result in unauthorized people being granted access they should not be granted. In a negative identification system, a false match could result in an authorized person being denied access that they should be granted. False matches may occur because there is a high degree of similarity between two individuals' characteristics.

False Non-Match

A false non-match occurs when a system rejects a valid identity. In verification and positive identification systems, a false non-match could result in authorized people being denied access they should be granted. In negative identification systems, a false non-match could result in an unauthorized person being granted access that should not be granted. False non-matches occur because there is not a sufficiently strong similarity between an individual's enrollment and trial templates, which could be caused by aging or injury.

Failure to Enroll

The failure to enroll rate (FTER) measures the probability that a person will be unable to enroll in the system. Failure to enroll may be due to an insufficiently distinctive biometric sample. For example, the fingerprints of people who work extensively at manual labor often are too worn to be captured. Alternatively, failure to enroll may be due to a system design that makes it difficult to provide consistent biometric data. For example, a high percentage of people are unable to enroll in retina recognition systems because of the precision such systems require. In addition, between one and three percent of the general public does not have the body part required for using any one biometric system.

Match/No-Match Decision

Since biometric systems are not 100 percent accurate, they are usually set to make a match or no-match decision based on a predefined threshold that establishes the acceptable degree of similarity between the trial template and the enrolled reference template. After the comparison, a score representing the degree of similarity is generated, and this score is compared to the threshold to make a match or no-match decision. Depending on how low the threshold is set, it is possible for several reference templates to be considered matches to the trial template, with the better scores corresponding to better matches.

A trade-off exists between the false match rate and the false non-match rate, which translates into a trade-off between risk and convenience. The greater the risk entailed by a false match, the lower the tolerable FMR is, and the higher the threshold score will be set. Systems that integrate two or more biometrics could allow the false match rate to be lowered without increasing the false non-match rate, and could also lower the number of individuals who fail to enroll.

Exception Processing

Procedures must be developed to handle situations in which there is a failure to enroll, a false match, or a false non-match. Exception processing that is not as good as biometric-based primary processing could be exploited as a security hole.

To fully realize the benefits of biometric technologies, comprehensive technical and operational standards are necessary to ensure that the systems are interoperable, effective, reliable, and secure. Progress in this area is being made, but more work remains to be done.

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) played a significant role in the development of the BioAPI (Application Programming Interface) specification and the approval of this specification as a formal national standard. The development of the BioAPI standard promotes interoperability among applications by defining a generic way of interfacing to a broad range of biometric technologies. In addition, NIST also led, in collaboration with the National Security Agency, the development of a Common Biometric Exchange File Format (CBEFF). The CBEFF is a "technology-blind" common biometric format that facilitates the exchange and interoperability of biometric data from all types of biometrics, independent of the particular vender that generates the biometric data. The development of this single approach for a biometric data structure assured biometrics companies and their potential customers that different biometric devices and applications could exchange information efficiently. This specification is being incorporated into U.S. government and international requirements, such as the technical specifications drafted by ICAO.

International Civil Aviation Organization

The International Civil Aviation Organization (ICAO) has been working for several years to establish international biometric standards for Machine Readable Travel Documents. A Machine Readable Travel Document (MRTD) is an international travel document (e.g., passport or visa) containing eye- and machine-readable data. In June 2002, ICAO's Technical Advisory Group on Machine Readable Travel Documents endorsed the use of face recognition as the globally interoperable biometric for machine assisted identity confirmation with machine-readable travel documents. While digital facial image was endorsed as the primary biometric, the Technical Advisory Group stated that ICAO Member States may elect to use fingerprint and/or iris recognition as additional biometric technologies in support of machine assisted identity confirmation.

In March 2003, the Technical Advisory Group provided three key clarifications to the June 2002 resolution. First, digitally stored images (rather than templates) will be used, and these will be "on-board," i.e., electronically stored in the travel document. Storage of the image, rather than a template created from the biometric feature by a proprietary algorithm, is important to ensure global interoperability. Second, these images are to be standardized. For example, ICAO has issued standards on the degree to which an image may be compressed and/or cropped. Third, high capacity contactless integrated circuit (IC) chips will be used to store identification information in MRTDs. These chips will provide the additional data storage capacity necessary to incorporate compressed images of one or more biometrics into MRTDs.

US VISIT will utilize internationally recognized standards, such as those developed by NIST and ICAO, as provided for in section 303 of the Enhanced Border Security and Visa Entry Reform Act of 2002 (P.L. 107-173).

US-VISIT Program

Biometrics are now being used more extensively for border control through the United States Visitor and Immigrant Status Indication Technology (US-VISIT) Program, which is being implemented by the Department of Homeland Security. The USA Patriot Act of 2001 required the Attorney General and Secretary of State jointly, through NIST, to develop a technology standard that can be used to verify the identity of a person applying for a U.S. visa or seeking to enter the U.S. pursuant to a visa. NIST subsequently recommended the use of face and fingerprints, since they were the only biometrics with available databases large enough for operational testing. Specifically, NIST recommended the use of 10 fingerprints for "identification" functions (e.g., initial background check and enrollment in the system), and a combination of facial image and two fingerprints for "verification" functions. Based on NIST's recommendations, US-VISIT is using a live-capture digital photograph and fingerprints for identity enrollment and verification. However, the exact number of prints required for identity enrollment is still a subject of internal debate within the Administration.

In addition, the Enhanced Border Security Act of 2002 requires that, by October 26, 2004, the visas and other travel and entry documents issued by the U.S. to aliens must be machine-readable and tamper-resistant, and must use biometric identifiers. The Act also requires each visa waiver country to certify, by October 26, 2004, that it has a program to issue to its nationals machine-readable passports that are tamper-resistant and incorporate biometric and document authentication identifiers that comply with ICAO standards. In addition, equipment and software must be installed at all ports of entry to allow the biometric comparison and authentication of all U.S. visas and other travel and entry documents issued to aliens and machine-readable passports. Secretary Ridge recently requested an extension of the certification deadline for visa waiver countries to November 30, 2006, not only to give such countries more time to convert their new passports to ICAO biometric standards, but also because the U.S. will not have the equipment deployed by October 2004 to read the new passports.

Transportation Worker Identification Credential (TWIC)

The Transportation Security Administration (TSA) is developing a system-wide common credential, which will incorporate biometrics, to be used across all transportation modes for personnel requiring unescorted physical and/or logical (i.e., computer) access to secure areas of the national transportation system, such as airports, seaports, and railroad terminals. TWIC is an identity management system, not an access control system. A TWIC card by itself will not grant access to any secure area. The decision to grant or deny access to a secure area would continue to be made by each transportation facility. However, TWIC is a tool that could be used in conjunction with a facility's existing access control system to improve security by providing a uniform background check and a credential that is difficult to forge. In addition, if the facility's access control system incorporates biometric readers, TWIC could further improve security by verifying that the individual seeking access is who they claim to be.

According to TSA, adding biometric identity authentication to an existing access control system is simple. A biometric reader can be added to an existing airport access control system card reader. When the person uses their finger, iris, or other selected biometric technology for a match, the card reader is activated and then used as normal to grant access. The door would not open unless the biometric template on the card matched the biometric presented by the cardholder and the user has been granted access privileges in the airport's access control system.

On May 10, 2004, TSA issued a Request for Proposals to participate in a seven-month prototype evaluation as part of Phase 3 of the TWIC pilot program. Under this RFP, each prototype TWIC system must capture at least fingerprint or iris scan biometric data, and conform to technical standards developed by the National Institute of Standards and Technology. TSA expects to award contracts in July 2004, and conduct prototype operations from August through December 2004. A report evaluating the prototypes will be issued during the prototype phase, after which a decision would be made regarding whether or not to proceed to implementation.

Registered Traveler Program

TSA is also developing the Registered Traveler pilot program, which will test the concept of expediting airport security screening of passengers who meet eligibility criteria and who volunteer to undergo a security assessment, while at the same time maintaining or improving overall system security. The program will use biometrics (either fingerprints or iris scan) to authenticate each Registered Traveler's identity at the screening checkpoint.

Registered Travelers would be eligible to use designated and/or dedicated lanes at screening checkpoints, with the goal being expedited through-put. Registered Travelers would not be subject to random selection for secondary screening under CAPPS, although any alarms of the magnetometer would still be resolved. TSA is also in the early stages of working with airports and airlines to determine what additional benefits might be offered to encourage travelers to participate in the program, including frequent flier miles, access to club lounges, and close-in parking.

Beginning at the end of June 2004, TSA will conduct pilots at up to five airports, involving up to 10,000 travelers. The pilots will run for 90 days. By October 2004, TSA will have data on the extent to which the pilots were successful in expediting through-put while maintaining or improving security.

TSA plans to partner with the private sector for the Registered Traveler (RT) Pilot Program and has issued the first of a two-part Request for Proposals (RFP) to solicit proposals. The RT RFP focuses on four elements of support: program management, biometrics, tactical operations and systems integration. In addition, TSA is working with air carriers to have them "market" the program by inviting frequent travelers to participate in the pilot program.

Law Enforcement Officer Credentials

Part of the Registered Traveler Pilot Program will focus on improving Law Enforcement Officer (LEO) credentials. Currently, Federal LEO's can fly armed at any time, simply by presenting their agency's credential. In addition, LEO's from 18,000 separate State and local law enforcement agencies may fly armed if they present their agency's credential and a letter on their agency's letterhead stating that they have an official, work-related reason to fly armed. The use of so many different types of law enforcement credentials increases the risk that an unauthorized person could use a forged credential to carry a gun on-board. Under the Registered Traveler Pilot Program, LEO's who wish to fly armed at the five pilot airports will be issued a biometric identification card by TSA, which will prove that the individual seeking to carry a gun on-board is in fact authorized to do so by the LEO's parent agency.

Airport Access Control Pilot Program

On April 29, 2004, TSA announced that eight airports have been selected to participate in Phase I of TSA's Access Control Pilot Program, which is being implemented pursuant to section 106 of the Aviation and Transportation Security Act (ATSA). The pilot program will evaluate various off-the-shelf biometric technologies as well as Radio Frequency Identification (RFID) technology, Anti-Piggybacking technology, and advanced video surveillance technology for providing access control for secure areas of the airports. For example, Boise Air Terminal/Gowen Field Airport will test a system that combines fingerprint biometric and RFID technology to control vehicle access. Newark International Airport will test a system that uses fingerprint biometric technology to allow only authorized persons to enter secure areas of the airport. T.F. Green State Airport in Providence, Rhode Island, will control access to a secure area via an iris biometric recognition system.

Attachment A

Facial Recognition - Facial Recognition identifies people by analyzing features of the face not easily altered, such as the upper outlines of the eye sockets, the distance between the inner corners of the eyes, the areas around the cheekbones, and the sides of the mouth. Because facial images can be captured from video cameras, facial recognition is the only biometric that can be used for surveillance purposes. For example, it is used by the gaming industry at entrances to casinos in Las Vegas, Nevada.

Fingerprint Recognition - An image of the fingerprint is captured by a scanner, enhanced, and converted into a template.

Hand Geometry - Hand geometry technology takes 96 measurements of the hand, including the width, height, and length of the fingers; distances between joints; and shapes of the knuckles. Although the basic shape of an individual's hand remains relatively stable over his or her lifetime, natural and environmental factors can cause slight changes. Hand geometry is not highly distinctive and cannot reliably pick out an individual from among many (i.e., one-to-many matching). Therefore, it is most suitable for verification systems, not identification systems.

Iris Recognition - The iris has approximately 266 distinctive characteristics, including the trabecular meshwork, a tissue that gives the appearance of dividing the iris radially, with striations, rings, furrows, and freckles. Iris recognition technology uses about 173 of these distinctive characteristics. These characteristics reportedly remain stable throughout a person's lifetime, except in cases of injury.

Retina Recognition - Retina recognition technology captures and analyzes the patterns of blood vessels on the nerve on the back of the eyeball that processes light entering through the pupil. Retinal patterns are highly distinctive; even the eyes of identical twins are distinct. Although each pattern normally remains stable over a lifetime, it can be affected by disease such as glaucoma, diabetes, high blood pressure, and autoimmune deficiency syndrome. Because the retina is small, internal, and difficult to measure, capturing its image is more difficult than most other biometrics. An individual must position the eye very close to the lens of the retina-scan device, gaze directly into the lens, and remain perfectly still while focusing on a revolving light while a camera scans the retina through the pupil. Any movement can interfere with the process. Enrollment can easily take more than a minute.

Speaker Recognition - During enrollment, speaker recognition systems capture samples of a person's speech by having him or her speak some predetermined information into a microphone a number of times. This information is known as a passphrase. This phrase is converted to digital format, the distinctive vocal characteristics, such as pitch, cadence, and tone, are extracted, and a speaker model is established. A template is then generated and stored for future comparisons.