Biometrics Powers U.S. VISIT Program

You are your own ID card.

That's the underlying concept of biometrics: Wherever
you go, your fingerprint, your iris or the shape of your
head can be scanned to prove to others that you are who
you say you are.

The Department of Homeland Security (DHS) is putting
the concept to perhaps its biggest test ever with the U.S.
Visitor Immigration Status Indicator Technology system,
or U.S. VISIT, a biometric system that compares the
fingerprints of travelers entering this country. After a
major rollout of IT to support the new system, DHS's
Customs and Border Protection directorate launched U.S.
VISIT on New Year's Day at 115 airports and more than a
dozen seaports across the nation.

U.S. anti-terrorism policy requires that
citizens from all except 27 countries be
photographed and fingerprinted as they
enter the country. The exceptions—mostly
from European nations—may visit the
United States without visas for up to 90 days.

As foreigners holding U.S. visas arrive at
a point of entry and pass through Customs,
the U.S. VISIT system optically scans their
fingerprints and checks them against a
watch list in the Immigration and
Naturalization Service's (INS) fingerprint
database, the Automated Biometric
Identification System, called IDENT.

The system relies on the watch list to
quickly identify suspect travelers instead of
checking against all of the nearly 5 million
entries in the IDENT database, says Scott
Hastings, CIO for the U.S. VISIT program.

"We want security, but we don't want a
system that adds delays," he says. "If we
unduly slow travel, it creates an economic
problem."

It takes 15 seconds for Customs and INS
border agents to photograph a visa-holding
traveler, scan the person's index fingers and
check the fingerprints against a watch list.

Building a Human Backup

Although IDENT has been used for more
than a decade to collect fingerprint data on
illegal immigrants and to combat repeated
unlawful entry into the country, U.S. VISIT
will be its biggest real-time test.

INS agents can check immigrant IDs
against any or all of the three databases in
IDENT: a watch list of 240,000 people who
have either committed felonies or who are
considered a threat; a list of 300,000 people
who pose a possible safety concern; and a list
of more than 4 million people apprehended
by the INS and later allowed to depart the
country. According to a Justice Department
report, a query of all three of the databases
normally takes two minutes.

Aware that commercial travel needs a
swift turnaround for traveler identification,
Hastings says that any delays in the U.S.
VISIT system or suspect data results "will
trigger a secondary, human inspection."

The traveler is taken out of line so border
agents can check the person's ID against
other databases and conduct a more in-depth interview. This strategy helps prevent
lines at Customs and border entries from
backing up, and it also helps ameliorate the
technology's weaknesses.

Nevertheless, even the best biometric
systems have a failure-to-acquire rate, as no
scanner always gets a good read from the
subject, says Anil Jain, a Michigan State
University biometrics professor. Less than
optimum conditions during the scan or
physical characteristics of the fingerprint
account for a failure-to-acquire rate of
about 4 percent for fingerprints, Jain says.
"As you start to process lots of people, that
4 percent can get pretty large," he points
out.

The biometric technology used also can
produce false acceptances and rejections.
"You can trade off between those two errors,
but rarely can you cut back on both at the
same time," Jain says.

To counter vague readings, U.S. VISIT
has a round-the-clock Washington-based
team of human experts who can do more
thorough investigations when necessary.
"We don't want to rely on the technology
alone, so we've built in a human backup,"
Hastings says.

As problematic as biometrics can be, the
IT support for the real-time interface proved
every bit as challenging. New cameras, print
scanners and desktops had to be deployed at
all 115 U.S. airports and 12 seaports that
accept international travelers and use U.S.
VISIT. The devices had to run on a high-speed network, and a secure user directory
had to be established. Yet it was all done
within three months.

"It was a massive logistical effort in a
short amount of time," Hastings reports.

Deployment of U.S. VISIT along the
Canadian border is expected soon, he
says. As the numbers of checkpoints and
database files increase, the hardware and
real-time issues grow exponentially.
"Growing this program will take a lot of IT
support," he says.

Program funding has been boosted from
$328 million in 2004 to $340 million in
2005. By 2006, when the third and final
phase of the program begins, U.S. VISIT will
have been deployed at most of the nation's
seaports and busiest land entry points,
according to a Customs' timetable.

Expect growing pains, warns Anthony
Allan, a London-based consultant at
Gartner, an IT consultancy in Stamford,
Conn. The identification process becomes
more difficult to manage as the database
grows, he says.

"Then you have to start asking if you've
got the people you really need to worry
about on the watch list," Allan says. "It can
get complex and expensive."

The United States and other countries
already use biometric identifiers with smart
card systems to speed border crossings. The
U.S. version, called INS-PASS, uses hand
geometry. Canada's CANPASS system uses
iris scan technology to speed through those
who frequently fly in and out of the country.
A similar system is in use at Schiphol Airport
in Amsterdam.

These systems involve preregistering
individuals and issuing cards that contain
their biometrics, encoded for recognition by a
reader device at the airport. These passes let
travelers bypass many of the immigration
delays for incoming passengers.

About 2,400 people have registered for the
Canadian system, which costs $50 Canadian.
At the airport, instead of waiting in line at
Customs to be checked through, those people
may go to a Customs and Immigration kiosk
and swipe their smart card, which contains
their basic ID information. A camera takes a
picture of their eye, and if the system confirms
their identity, they're free to enter the country.

The service has been running smoothly,
says Katherine de Vos, a spokesperson for
the Canadian Border Services Agency. "We
haven't come across any technical hitches."

Iris scans offer a better acquisition rate
and fewer false positives than fingerprints.
However, "they require a high degree of user
cooperation," Gartner's Allan says. A benefit
of such self-service systems, he adds, is "they
free up the customs officials to pay more time
and more attention to the people who might
be suspects."

The United States may be headed in that
direction, according to U.S. VISIT's Hastings.
He likens the iris-scanning system to the
automated toll-taking systems for highways.
"We'd like to make the current system more
efficient," he says. "That's the goal."

At Baltimore-Washington International
Airport and the Miami Seaport, the U.S. VISIT
team has deployed a pilot version of a finger
scan kiosk for travelers leaving the United
States. "It's just as important to know if people
have left the country and not overstayed their
visas as it is to know that they've entered,"

Hastings points out.

A Big Ball of Wax

The Montreal-based International Civil
Aviation Organization advocates the use of
face recognition biometrics since travelers
must carry photo ID with them at all times.
The drawback, Gartner's Allan says, is that
two-dimensional face recognition "isn't very
effective, though 3-D systems show some
promise for the future."

Although the IDENT database is not
integrated with the FBI's 10-finger, ink-based
Integrated Automated Fingerprint
Identification System, Hastings says that he
doesn't envision any immediate change in
biometric technology for Customs.

"One of the reasons we chose fingerprints
is that there aren't a lot of watch lists that use
iris scans and facial recognition," Hastings
explains. Also, fingerprint biometrics and its
related technologies—such as public key
infrastructure encryption to keep the data
secure—are supported by more mature
international standards.

One option that holds promise, says Jain
of Michigan State, is a multi-modal biometric
system that uses fingerprints and iris scans, or
fingerprints and hand geometry. "If you fail to
acquire one, then you can catch the other. It
makes the system that much harder to fool."

One way to fool the system is what
Gartner's Allan calls the "Day of the Jackal"
approach, creating a completely false identity.

During the next 10 to 20 years, biometric
identification systems will likely become
commonplace, Allan predicts. However,
before that happens, security issues, such as
questions on widespread international use of
the data the systems collect, must be resolved.

Biometric systems, he says, could "create
opportunities for identity theft when shared
with countries with lax security. People
could also insert bogus credentials into the
system, so you have to be careful who you
partner with."

Privacy may be the thorniest issue with
biometrics and identification efforts. Civil
liberties groups in the United States and
abroad have voiced reservations about use of
national ID cards and the cataloging of every
citizen's comings and goings.

Says Hastings, "I probably spend as much
time with privacy and security issues as I do
with the tech issues," he says. "There aren't a
lot of CIO jobs where you can say that.

"This is the most fascinating policy arena
I've ever been in. Other nations are looking
at what we're doing, and that makes it even
more exciting."