Editor at Large

Many of the challenges the U.S. government will encounter in implementing a new biometrics identity system are the same ones that banks face. Both would be wise to study what other countries are already doing.

In the executive order temporarily banning travelers from seven countries, President Trump told the Department of Homeland Security to expedite the completion and implementation of a biometric entry-exit tracking system for all travelers to the U.S.

The U.S. already fingerprints foreign visitors with a system that has been in place since 1994. The upgrade is being handled by DHS's Office of Biometric Identity Management, which did not respond to multiple requests for interviews.

Fingerprint in a glass sphere.
Adobe Stock

The Canadian Border Services Agency's NEXUS program, which has been using iris recognition to identify people for about a decade, is one place DHS could look for guidance.

"It has collected a lot of data, seems generally well run, has made adjustments over time, and seems user-oriented," said Kevin W. Bowyer, chair of the Department of Computer Science and Engineering at the University of Notre Dame, who has studied reams of NEXUS data.

Canada's program is used by frequent travelers who register to have their irises scanned and undergo a background check in the hopes of a quicker border crossing. Hundreds of thousands of people use it.

One lesson learned from the Canadians is the effect of light on iris scans. Bowyer found that the systems were less accurate at matching scans in December than they were in September.

"We puzzled at this, then we figured out that it was because some of kiosks get a substantial amount of natural light," he said. Natural light is lower in winter. "Your pupil is more dilated, so there's less iris to see," he said.

There's also India's Aadhaar program, which has identified 1.2 billion citizens with iris and fingerprint scans. Though it's a national ID program, rather than a border-crossing program, it's another role model for the U.S., especially because of its large scale.

"They've figured out how to store and manage ten fingerprints and two irises from a billion people," Bowyer noted.

India should also serve as a role model to the U.S. because it has reached people in rural villages with low connectivity and incentivize them to participate with things like "no-frills" bank accounts, said Dakota Gruener, executive director of ID2020.

ID2020 is a United Nations initiative that aims to provide digital identities to everyone, especially the 1.5 billion people who don't have any form of identification, by 2030. It's also making biometrics part of its program.

The organization hasn't committed to a type of biometric -- it wants its platform to be flexible enough to support multiple solutions and to be future proof, so if a better technology emerges 10 years from now, they could switch to it.

Another country with a digital identity system worth watching is Estonia, Gruener said.

"They have done an incredible job of providing real utility to their citizens on the back of this digital identity system," Gruener said. "The first thing that happens to a child born in an Estonian hospital is they're issued their unique ID." All data is encrypted and stored in a system similar to a blockchain and consumers decide which entities may access their records.

In yet another program, BanQu provides digital identities to refugees in Africa and the Middle East using facial recognition. The company plans to sell its technology to banks, to help people get access to credit and other banking services.

Here are some of the problems that the government and banks will have to solve as they adopt biometrics:

Picking the right marker: Like banks, countries have had to test different forms of biometrics to see which ones work best for their constituencies. Of late, iris scans seem to be the chosen method, for their speed and accuracy.

You'd have to scan all ten fingers to approach the accuracy of an iris scan, Bowyer said. And comparing all ten fingerprints against full sets of fingerprints in a database takes a prohibitively long time.

Retina scans, another option floated by some ID programs, are more intrusive than iris scans.

"You have to get a light source and camera up close to the eye so you can shine light through the pupil and take a picture of the retina on the back of the eyeball," Bowyer said. "Most people don't want to do that. When you have to stare at a really strong light, it's inconvenient and awkward." While some vendors claim retina scans provide the most powerful method of recognition, Bowyer said the data to support that is lacking.

The threat of theft: Some people worry that a biometric could be stolen and used for ill purposes.

"Once your fingerprint has been stolen, you can't change it" the way you can change a password, said Joseph Carson, director of global strategic alliances at security software firm Thycotic.

There's the famous "gummy bear hack," in which cryptographers lifted a fingerprint off a surface using a gummy bear, pressed the candy to their finger, and opened an iPhone. There's also the story of the enterprising blogger who proved he could unlock his iPhone with a cat's paw.

In science fiction books and movies, characters have had eyes cut out and fingers cut off so their biometric identity could be used.

Such hacks are unlikely to work with border control agents and cameras watching. And most biometric systems have built-in "liveness" tests that ensure this wouldn't work and discourage criminals from trying.

But capturing biometrics of all travelers is sure to motivate people to find ways to steal in new ways no one has thought of before.

Making blots on records permanent: At the nonprofit Humanitarian Blockchain, CEO Julio Alejandro worries about something completely different: permanently linking people's identities to a biometric in a way that could harm them.

For instance, a teenager arrested for drug possession could have trouble getting a job, a mortgage, or even an apartment for the rest of their lives.

"They cannot reinsert themselves in a peaceful way in society, because government says, 'Beware of hiring this person, he has a criminal record,' " Alejandro said.

The same could be true, under the new regime, of someone who expressed extremist views online or who visited a Muslim country.

"If we use biometrics or a nation-state system to tie them to the body, it's more likely people would reassert into extremist views," he said. With a mutable, digital and reputation-based identity, a person could change and start a new life.

The baby problem: For babies, fingerprints might work best, but it is not necessarily the best method.

"If you fingerprint an infant, the fingerprints morph too much as they grow for that to be a useful thing," Gruener said.

Although fingers grow, the fingerprint pattern should stay constant, Bowyer said.

"The difficulty with a baby is the finger is tiny," Bowyer said. "The same number of ridges are there, but getting a usable picture on the same sensor you would use for adults can be an issue."

And they can't keep their eyes open long enough to do an iris scan, Gruener said. Newborns also can't look at a camera and focus on one point, Bowyer pointed out. And the iris can change during the first year of life.

"Biometrics for babies hasn't been cracked," Gruener said.

Slowdowns: Some fear that stopping all travelers at all borders will create tie-ups, especially at bridges and other land entry points. This parallels banks' challenge of wanting strong biometric-based authentication, but not wanting customers to get frustrated at the extra time and effort.

"I think the biggest concern with the program as proposed is that it requires biometric authentication of all travelers at exit as well as entry," said Julie Conroy, research director at Aite Group. "That has the potential for huge logistical issues. Think of the land-based border crossings between the U.S. and Canada and Mexico. This would be a traffic nightmare and would significantly impede the commerce between these countries, which could be part of the goal here as well, given this administration's protectionist leanings."

While banks might be able to provide the DHS with some guidance, they shouldn't expect to be able tap into the new biometrics system once it is done to better identify their customers.

"If you look at the existing databases held by the federal government, data and privacy protections have been key concerns that have prevented easy access to this kind of source data at an affordable cost, and at scale -- think Social Security data, for example -- or the existing set of biometric data that is held by the customs and immigration department," Conroy noted. "I don't think these hurdles will ease, especially in the current political climate."

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.