Tag: biometrics

Stingray: A New Frontier in Police Surveillance

I’ve written previously on this blog regarding stingray devices: powerful surveillance tools which allow law enforcement agents to spy on the cell phones of unsuspecting Americans, often without judicial or legislative oversight.

For a deeper dive into the subject, I’ve put together a policy analysis detailing the past history, present issues, and future prospects of stingray devices and police surveillance more generally.

From the executive summary:

Police agencies around the United States are using a powerful surveillance tool to mimic cell phone signals to tap into the cellular phones of unsuspecting citizens, track the physical locations of those phones, and perhaps even intercept the content of their communications.

The device is known as a stingray, and it is being used in at least 23 states and the District of Columbia. Originally designed for use on the foreign battlefields of the War on Terror, “cell-site simulator” devices have found a home in the arsenals of dozens of federal, state, and local law enforcement agencies.

Technology Takes On the Big Problems

Take a look at how markets and technology are taking on some of society’s biggest problems and revolutionizing the way we live. 

Nanotech and clean drinking water 

The World Economic Forum recently reflected on nanotechnology’s potential to improve people’s lives by providing smaller yet more powerful batteries, and by speeding up the purification process for air and water, among other things. Nanotechnology could deliver clean drinking water to millions of people who currently lack it, furthering the current positive trend. Around 10 percent of the global population lacks clean drinking water, down from around 20 percent in 1990.

Biometrics—-and the Curious Relevance of Occupational Licensing

Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.

I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.

Unfortunately, the bill is not callibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.

I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.

There are a number of things Alaska and other states could do to help society callibrate the use of biometrics. They could ensure that biometrics collectors are liable and subject to jurisdiction in the state of collection when contract violations and harms arise from the use or misuse of biometric data.

Alaska could also establish that there is no “third-party doctrine” under its state constitution. A person sharing data under contractual or regulatory protections should maintain his or her search-and-seizure rights in that data. The government should not be able to access such data—though shared—without proper suspicion, warrants, and subpoenas.

Alaska has rejected the REAL ID Act, and it could do more to prevent the emergence of national identity systems by rejecting any E-Verify mandate. I encouraged the Alaskans to follow the lead of New Hampshire and bar state identity data from being shared with any national ID system.

The root of the problem in Alaska, though, may be the accountancy cartel. This is an area I know precious little about, but it appears that you must take the CPA exam to act as an accountant in the state. This positions the administrators of the CPA exam to make unreasonable, privacy-invasive demands for biometric data on a take-it-or-leave-it basis.

Oh what a tangled web we weave, when first we practise to … restrict the right to earn a living!

My testimony starts with a primer on biometrics. We have much to learn yet about biometric technologies, their uses, and their consequences. Banning them would deny the public many benefits. Using them promiscuously would have many costs.

Congress Pushes Biometrics

The Federal Trade Commission has no jurisdiction over government entities so when it looks with concern at the use of facial recognition technology, it’s looking at the private sector.

Facial recognition is only one of many biometric technologies, of course, and Congress is pushing hard for biometrics that can help track and control us for various purposes. If anyone should be looking with concern, it should be us looking at the federal government.

There are legitimate uses for biometrics, of course, and well-designed implementations will undoubtedly benefit us all. But biometrics programs implemented for the government will tend to prioritize hoovering up federal cash over striking delicate balances among cost, effectiveness, privacy, and civil liberties.

So let’s look at how Congress is pressing—and in one case insufficiently restraining—the rapid advance of biometrics.

H.R. 658, the FAA Reauthorization and Reform Act of 2011, has passed the House and awaits action in the Senate. It says that “improved pilot licenses” must be capable “of accommodating a digital photograph, a biometric identifier, and any other unique identifier that the Administrator considers necessary.”

H.R. 1690, the MODERN Security Credentials Act, establishes that air carriers, airport operators, and governments may not employ or contract for the services of a person who has been denied a TWIC card. “TWIC” stands for “Transportation Worker Identity Card,” the vain post-9/11 effort to secure transportation facilities from bad people. TWIC cards use biometrics.

The Army deploys biometrics. Public Law 112-10, the Department of Defense and Full-Year Continuing Appropriations Act, 2011 (cost per U.S. family: $13,500+) allowed spending on Army field operating agencies “established to improve the effectiveness and efficiencies of biometric activities and to integrate common biometric technologies throughout the Department of Defense.”

There are lots of biometrics plans in the immigration area. H.R. 1842 is an immigration bill called the Development, Relief, and Education for Alien Minors Act of 2011. (Senate version: S. 952) It would allow an otherwise qualified immigrant to get conditional permanent resident status only after submitting biometric and biographic data for use in security and law enforcement background checks. (Alternative procedures would be available for applicants unable to provide such data because of a physical impairment.)

S. 1258 does roughly the same thing with regard to any lawful immigration status. This bill is called the Comprehensive Immigration Reform Act of 2011, one of many attempts at comprehensive reform. In addition to requiring immigrants to submit biometrics, it also requires the government to issue “documentary evidence of lawful prospective immigrant status” that includes a digitized photograph and at least one other biometric identifier. The bill would also reinforce the use of biometrics in employer background checks and at the border.

H.R. 2463, the Border Security Technology Innovation Act of 2011, calls for continued study of mobile biometric technologies at the border. The Under Secretary for Science and Technology of the Department of Homeland Security would coordinate this research with other biometric identification programs within DHS.

H.R. 2895, the Legal Agricultural Workforce Act, would create a nonimmigrant agricultural worker program. In the program each nonimmigrant agricultural worker would get an identification card that contains biometric identifiers, including fingerprints and a digital photograph.

S. 1384, The HARVEST Act of 2011, is similar. In providing for the temporary employment of foreign agricultural workers, it calls for “a single machine-readable, tamper-resistant, and counterfeit-resistant document” that verifies the identity of the alien through the use of at least one biometric identifier.

There’s more than just immigration. Pursuing waste, fraud, and abuse, H.R. 3735, the Medicare Fraud Enforcement and Prevention Act of 2011, would establish a biometric technology pilot program. The five-year pilot program would use biometric technology seeking to ensure that Medicare beneficiaries “are physically present” when receiving items and services reimbursable under Medicare. How many biometric scanners would have to be out there for that to work?

S. 744, the Passport Identity Verification Act, calls on the Secretary of State to conduct a study into whether people applying for or renewing passports should provide biometric information, including photographs that facilitate the use of facial recognition technology. I bet the answer they get back is “Yes!” That’s how you build programs in the federal government: do a study, then a pilot program, and then—bingo—you’ve got a full-fledged, permanent drain on the public fisc.

Speaking of money, S. 1604, the Emergency Port of Entry Personnel and Infrastructure Funding Act of 2011, establishes a grant program in which the Department of Homeland Security would give cash out to state and local law enforcement for the purchase of various technologies including “biometric devices.”

I mentioned that there is a bill that would restrain biometrics insufficiently. H.R. 654 is the Do Not Track Me Online Act. It would direct the Federal Trade Commission to prescribe regulations regarding the collection and use of information obtained by tracking the Internet activity of an individual. The bill would treat unique biometric data, including fingerprints and retina scans, as “sensitive information” while allowing the FTC to modify its definitions.

And the FTC would have to modify the definitions because one’s face is unique biometric data, meaning that anyone who stores photographs online would be subject to regulation under the bill—oh, except the government.

The bill specifically excludes “the Federal Government or any instrumentality of the Federal Government, nor the government of any State or political subdivision of a State.” Too bad biometric sensors don’t pick up hypocrisy.

So there you have it. The Congress is quite engaged in pushing biometrics, including facial recognition. The one bill I found to restrain their use doesn’t apply to the federal government or the states. I’ll be keeping an eye on all this, while the government uses lasers and infra-red scanners to watch all of us….

Biometrics Collection = Risk Creation

Why shouldn’t the government collect biometric data unless absolutely necessary? Things like this can happen to it:

The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis—including children—and detailed health information on individual citizens.

It’s a good, short write-up from Fast Company. Read the whole thing and pass it along.

Does Risk Management Counsel in Favor of a Biometric Traveler Identity System?

Writing on Reason’s Hit & Run blog, Robert Poole argues that the Transportation Security Administration should use a risk-based approach to security. As I noted in my recent “’Strip-or-Grope’ vs. Risk Management” post, the Department of Homeland Security often talks about risk but fails to actually do risk management. Poole and I agree—everyone agrees—that DHS should use risk management. They just don’t.

With the pleasure of remembering our excellent 2005 Reason debate, “Transportation Security Aggravation,” I must again differ with Poole’s prescription, however.

Poole says TSA should separate travelers into three basic groups (quoting at length):

  1. Trusted Travelers, who have passed a background check and are issued a biometric ID card that proves (when they arrive at the security checkpoint) that they are the person who was cleared. This group would include cockpit crews, anyone holding a government security clearance, anyone already a member of the Department of Homeland Security’s Global Entry, Sentri, and Nexus, and anyone who applied and was accepted into a new Trusted Traveler program. These people would get to bypass regular security lanes  upon having their biometric card checked at the airport, subject only to random screening of a small fraction.
  2. High-risk travelers, either those about whom no information is known or who are flagged by the various Department of Homeland Security (DHS) intelligence lists as warranting “Selectee” status. They would be the only ones facing body-scanners or pat-downs as mandatory, routine screening.
  3. Ordinary travelers—basically everyone else, who would go through metal detector and put carry-ons through 2-D X-ray machines. They would not have to remove shoes or jackets, and could travel with liquids. A small fraction of this group would be subject to random “Selectee”-type screening.

He believes, and has argued for years, that dividing ”good guys” from “bad guys” will effectively secure. It’s certainly intuitive. Poole’s a good guy. I’m a good guy. You’re a good guy (in a non-gender-specific sense).

Knowing who people are works for us in every day life: Because we can find people who borrow our stuff, for example—and because we know that we can be found—we husband our behavior and generally don’t steal things from each other, we, the decent people with a stake in society.

Poole’s thinking takes our common experience and scales it up to a national program. Capture people’s identities, link enough biography to those identities, and—voila!—we know who the good guys are and who are the (potential) bad.

But precisely what biographical information assures that a person is “good”? (The proposal is for government action: it would be a violation of due process to keep the criteria secret and an equal protection violation to unfairly divide good and bad.) How do we know a person hasn’t gone bad from the time that their goodness was established?

The attacker we face with air security measures is not among the decent cohort whose behavior is channeled by identification. That attacker’s path to mischief is nicely mapped out by Poole’s proposal: Get into the Trusted Traveler group, or find someone who can get in it. (It’s easy to know if you’re a part of it. They give you a card! You can also test the system to see if you’ve been designated “high-risk” or “ordinary.”)

With a Trusted Traveler positioned to do wrong, chances are good that he or she won’t be subjected to screening and can carry whatever dangerous articles onto a plane. The end result? Predictable gnashing of teeth and wailing about a “failure to connect the dots.”

All this is not to say that Poole’s plan should not be adopted. If he can convince an airline of its merits, and the airline can convince its shareholders, insurers, airports, and their customers, they should implement the program to their heart’s content. They should reap the economic gain, too, when they prove that they have found a way to better serve the public’s safety, convenience, privacy, and transportation needs.

It is the TSA that should not implement this program. Along with what are significant security defects, it is the creation of a program that the government might use to control access to other goods, services, and infrastructure throughout society. The TSA would migrate toward conditioning all travel on having a government-issued biometric identity card. Fundamentally, the government should not be making these decisions or operating airline security systems.

A very interesting paper surfaced by recent public attention to this issue predicts that annual highway deaths will increase (from an already significant number) by between 11 and 275 because of people’s avoidance of privacy-invasive airport procedures. But what caught my eye in it were the following numbers:

During the past decade, terrorist attacks, with respect to air travel in the United States, have occurred three times involving six aircraft. Four planes were hijacked on 9/11, the shoe bomber incident occurred in December 2001, and, most recently, the Christmas Day underwear bomber attempted an attack in 2009. In that same span of time, over 99 million planes took off and landed within the United States, carrying over 7 billion passengers.

Especially because 9/11’s ”commandeering” attack on air travel has been essentially foreclosed by hardened cockpit doors and passenger/crew awareness, these numbers suggest the smallness of the chance that somone can elude worldwide investigatory pressure, prepare an explosive and detonator that actually work, smuggle both through conventional security, and successfully use them to take down a plane. It hasn’t happened in nearly 100 million flights.

This is not an argument to “let up” on security or to stop searching for measures that will cost-effectively drive the chance of attacker success even closer to zero.  But more thorough risk management analysis than mine or Bob Poole’s would probably show that accepting the above risk is preferable to either delaying and invading the bodily privacy of travelers or creating a biometric identity and background-check system.

National Research Council Takes Biometrics Down a Notch

Late last month, the National Research Council released a book entitled Biometric Recognition: Challenges and Opportunities that exposes the many difficulties with biometric identification systems. Popular culture has portrayed biometrics as nearly infallible, but it’s just not so, the report emphasizes. Especially at scale, biometrics will encounter a lot of challenges, from engineering problems to social and legal considerations.

“[N]o biometric characteristic, including DNA, is known to be capable of reliably correct individualization over the size of the world’s population,” the report says (page 30). As with analog, in-person identification, biometrics produces a probabilistic identification (or exclusion), but not a certain one. Many biometrics change with time. Due to injury, illness, and other causes, a significant number of people do not have biometric characteristics like fingerprints and irises, requiring special accommodation.

At the scale often imagined for biometric systems, even a small number of false positives or false negatives (referred to in the report as false matches and false nonmatches) will produce considerable difficulties. “[F]alse alarms may consume large amounts of resources in situations where very few impostors exist in the system’s target population.” (page 45)

Consider a system that produces a false negative, excluding someone from access to a building, one time in a thousand. If there aren’t impostors attempting to defeat the biometric system on a regular basis, the managers of the system will quickly come to assume that the system is always mistaken when it produces a “nonmatch” and they will habituate to overruling the biometric system, rendering it impotent.

Context is everything. Biometric systems have to be engineered for particular usages, keeping the interests of the users and operators in mind, then tested and reviewed thoroughly to see if they are serving the purpose for which they’re intended. The report debunks the “magic wand” capability that has been imputed to biometrics: “[S]tating that a system is a biometric system or uses ‘biometrics’ does not provide much information about what the system is for or how difficult it is to successfully implement.” (page 60)

Biometric Recognition: Challenges and Opportunities” is a follow-on to the 2003 National Research Council report, “Who Goes There?: Authentication Through the Lens of Privacy.” That was one of few resources on identification processes and policy when I was researching my book, Identity Crisis: How Identification is Overused and Misunderstood. (Mine is quite a bit more accessible than this new book, so if you’re interested in the field, you might want to start there.)

There is nothing inherently wrong with biometrics. They will have their place, and they will make their way into use. But the dream of a security silver bullet in biometrics is not to be. Identity-based security—using the knowledge of who people are for protection—is valuable and useful in day-to-day life, but it does not scale. National or world ID systems would not secure, but they would carry large costs denominated in both dollars and privacy.