It’s the showroom of the International Biometric Group, a research and consulting firm, with rows of exotic hardware that read everything from fingerprints and voice patterns to the shape of your face and the way you tap a keyboard. Somewhere among these is probably the device that, in a few years, will identify every citizen of the United States and anyone else in the world who wishes to enter the country. “There are very few technologies that undergo an overnight change,” says Raj Nanavati, one of IBG’s co-founders. “But that’s what happened to biometrics after September 11.”
Specifically what happened was Federal legislation: the Patriot Act, the Enhanced Border & Visa Entry Reform Act, and the Aviation & Transportation Security Act, all of which mandate some kind of biometric identifier to enhance public safety. The Visa Entry Reform, for example, not only requires biometric identifiers on every visa by 2004, but also on the passports of other countries from which the US doesn’t require a visa. That by itself creates the need to identify several hundred million visitors a year. Add legislative mandates for things like a “trusted traveler” identification system and biometric access control for all airport employees-plus vastly heightened security concern in the private sector-and biometrics looks like a business ready to explode.
Yet a few weeks earlier I’d attended a New York trade show called BiometriTech and found it curiously quiet and small-scale, with a few dozen exhibits, some almost Mom-and-Pop level. Even the New York Police Department was there with a folding table, handing out information on preventing identity theft and detecting letter bombs. It seemed remarkably sedate and low-key for an industry at the center of national security. Later, at his downtown offices, Nanavati explained: “There’s no 800-pound gorilla, no Microsoft, in this business yet.”
While venture capitalists are sniffing around, and some big names-Motorola, Fujitsu, Sony, Panasonic-are getting involved, the biometrics market is still in a curious state of anticipation. Groups like IBG, the National Institutes of Standards and Testing, and coalitions of academic institutions are all testing various kinds of hardware and software, as multiple government agencies mull what will work best for everything from passports to drivers’ licenses. At the same time, civil liberties groups and privacy advocates are urging caution. Regardless, at some point in the next year or so, some monster-sized contracts are likely to be awarded.
So what kinds of biometrics will we see in wide use by mid-decade? The most likely options are fingerprint, hand, iris or facial recognition. Fingerprint recognition is by far the most developed technology, with various competing methods for scanning your digit, some of which even work through latex gloves for medical or industrial applications. Fingerprint biometrics are already used to check welfare eligibility in California, Texas and New York, and some governments-the Philippines, Argentina, Hong Kong-are creating national ID programs with the technology. And dozens of Fortune 500 companies already use fingerprint scans for network or PC access.
Hand-shape scans-where you put your whole hand on a flat plate-are newer and while not as accurate as fingerprints, neither do they have the latter’s slightly criminal taint. People who don’t want their fingerprints taken lest it reveal some unsavory personal history are more amenable to hand-scans, although that may not be the best recommendation for the technology. In any event, Israel uses hand-scans in trusted traveler kiosks at Ben Gurion International, and at Disney World your hand identifies you as a season pass holder.
Iris scans are the descendant of retinal scans; the latter looks at the patterns on the inside rear of your eyeball, which means you have to stick your eye right up against a lens-sufficiently daunting that they’re used primarily in extremely high security situations like nuclear power plants. Iris scans, on the other hand, look at the pattern in the colored part of your eye. Thus iris scans can be done from six inches to a foot away; you just look into a camera while a computerized voice gently tells you to move left or right if necessary.
Facial recognition is one of the newest and oldest biometrics. Oldest, because when someone compares the picture on your driver’s license with your face, that’s human-powered biometrics. Newest, because now computers are getting smart enough to do it themselves. Facial scanning, while expensive and new, has one big attraction for some agencies: almost everyone is already “enrolled”-that is, thanks to drivers licenses and passports, almost everyone has a picture on file somewhere that can be scanned into a recognition system. The downside is that it’s more accurate if the machine that’s supposed to recognize you does the scan in the first place.
Of course, none of this new data makes much difference if it’s easily fooled. Toward that end, biometrics manufacturers are now devoting far more resources toward how to defeat frauds and “spoofs.” “It’s hard, but you can still spoof some of these with homemade materials,” says Nanavati. “You don’t need an FBI lab to do it.” In one case, for example, a fingerprint scanner was fooled by a finger made of Gummi bears. The other piece is determining how the biometric information is carried on the ID card itself. Probably the best technologic solution is a smart card, in which an actual memory chip contains the data, making forgery or alteration quite difficult. More likely in the short term are sophisticated bar codes printed on licenses, visas and passports.
The next few years of biometrics progress will unfold within a remarkable stew of legal and social issues. Everyone from the ACLU and Congress to Microsoft, the INS and every drivers’ license bureau in the country has definite thoughts on how all this should proceed. In the end, an even bigger issue than how we are identified is how the information will be used: for example, will all of the states’ driver license bureaus be able to share information, creating what some see as a de facto national ID card?
But that, in some ways, is putting the cart ahead of the horse: at present there aren’t even accepted standards for how biometric data is recorded and transmitted. “Standards haven’t matured as they might naturally in a gradually growing market,” says Nanavati. “The legislation can’t require standards if they don’t exist.” In the meantime, standing amidst his hundreds of biometric devices, Nanavati clearly has his work cut out for him. He ends the discussion in order to go interview a job candidate: in the midst of the tech downturn, his 30-person firm is looking to hire an additional 10 researchers immediately.
