An eye for an aye

Australia is keeping pace with governments around the world with its use of biometric technology. But as Simon Sharwood discovers, we are currently operating in a policy vacuum with technology that is far from perfect.




Contents
Why biometric security?
When to use biometrics?
Interest and policy
Sidebar: Loose lips sink ships?

Why do hackers want to know your kids' names? Ask one and they'll tell you it's the quickest route to guessing an office worker's password, with pets, boats, and the street where you live following not too far behind.

"White" hackers -- security consultants paid to test an organisation's security by trying to break it -- have similar tactics. Some walk into the offices they are investigating wearing a boiler suit with "ACME computer removals" emblazoned across it. Few co-workers raise an eyebrow and their activities attract little or no attention, even though they literally carry PCs out of the building. The ease with which it is possible to accomplish such feats highlights the fragility of authentication tools based on simple safeguards such as passwords or ID cards.

Even more sophisticated solutions like proximity cards or magstripe cards used at many public sector installations are failing, according to John Genner, CEO of biometrics specialist BQT Solutions.

"Proximity and magstripe readers do not provide the security that is needed," Genner says. "These technologies have no encryption on the radio frequency link, no security, no purse, no biometric capability, no encrypted output; [and] no personal details can be embedded on the cards. Finally, data can be easily captured by a portable device, an emulator that behaves like a proximity card with a database of numbers stored in the emulator."

In the government sector, that spells trouble. Banks may guard our money and corporations may be charged with safeguarding our privacy, but in the public sector these requirements are more urgent because of the need to avoid the political fallout that comes with failure.

For the many government agencies with homeland security roles, the stakes are even higher as they maintain secret documents or operate facilities that must not be seen or accessed by unauthorised personnel.



Why biometric security?
These requirements add up to a need for impregnable security, and biometrics is often put forward as the technology that can deliver.

The call for the adoption of biometrics is a reasonable one: it is far harder to fake a fingerprint or iris than it is to guess a password, fool a smart card system, or trick a filing clerk into issuing unauthorised documents.

"Biometrics is the only form of identification that positively identifies the user as being the person they say they are," Genner says. "The physical presence of the authorised person is required for authentication; the user of this is the password."

Genner's statements are typical of biometrics supporters' enthusiasm for the technology, but it is also important to realise that while biometrics holds great promise for the public sector, government is already a very heavy user, particularly in scanning photographs with facial recognition software.

"Photos are the biometric you will use to recognise someone," says Terry Hartmann, director for homeland security and secure identification and biometrics within Unisys' public sector group.

"Don't ask for fingerprints, ask for a photo because photos are at the top of the list of acceptance and pervasiveness," says Hartmann, also a director for the Australian Biometrics Institute, member of the International Civil Aviation Organisation's (ICAO) New Technologies Working Group and a technical expert to the ISO on biometrics. Hartmann also chairs the ICAO ePassports Task Force and wrote the Biometrics Deployment Technical Report endorsed by ICAO in May 2004.

Evidence for his position on photography's acceptance and pervasiveness is easy to find in the photo ID drivers' licences and passports deployed to citizens.

This wide acceptance of photos means the public is very comfortable with their use in wider security efforts such as the Department of Foreign Affairs and Trade's (DFAT's) new e-passports. This new system sees passport photographs scanned and compared against databases of persons of interest using facial recognition software. It can reportedly see through substantial changes to an individual's appearance and return positive identifications. The Department of Immigration and Multicultural and Indigenous Affairs (DIMIA) shares some of the infrastructure that supports e-passports, using it to conduct facial recognition tests to find people suspected of falling under its jurisdiction.

While these solutions rely on the advancement of facial recognition software, their use of familiar and accepted photographs means they provoke little community debate or concern.

"When considering a biometric security solution, you need to define a hierarchy of reliability, acceptance, and approval," Hartmann says. It appears that DFAT and DIMIA's extension of the familiar biometric of photographs with facial recognition software meets the last two criteria -- handy in the current security climate.



When to use biometrics?
"If you work in a high-security installation, then the business case is there for biometrics," Hartmann says. "But if you are thinking about taking fingerprints so kids can borrow library books -- that is overblown and raises all sorts of questions about what might happen to those prints and how they might be used."

Few such concerns are apparently evident in the US, where all incoming visitors are now fingerprinted -- a requirement that highlights how differing circumstances permit different biometric uses.

In Australia, meanwhile, only agencies with an apparent need for the improved security biometrics provides use the technology, so the impact on the public is low. Generally it is only used for internal or high-risk situations.

Internally, the Department of Prime Minister and Cabinet uses fingerprint readers to identify ministers and three staff they are allowed to allocate before they can access Cabinet documents under a system dubbed CABNET. Access to all documents with higher security ratings can be restricted according to each staffer's security clearance.

The NSW Department of Corrective Services offers another example of the technology at work. The department is trialling iris scanning at Sydney's Metropolitan Remand and Reception Centre (MRRC).

The MRRC is heralded as the state's most-visited jail because visitation rights are relaxed compared to those in jails for convicted criminals. However, it attracts many guests who attempt to smuggle contraband into the facility -- more than 700 such visitors a year are identified and blacklisted, often for this reason. Many later attempt to return using fake IDs or disguises to visit friends and family at MRRC or other jails.

To prevent blacklisted visitors succeeding in this attempt, all visitors to the MRRC are now subject to an iris scan on first visit. Whenever they return or visit a maximum security jail, their irises are again scanned, which calls up a record containing their personal details. These are shown to prison officers on a concealed monitor. The officers can then identify the visitor and, if he or she is banned, deny them entry to the facility.

The system is currently being trialled and the Department will review the success of the venture later in 2005.



Interest and policy
Hartmann says other departments are actively investigating the technology, but it will likely take a "trigger incident", in which a security breach or obvious potential for failure sparks investigation of a biometric replacement for other methods, before the technology will be considered seriously. "There's a lot of government agencies looking at the rest of the world. Australia is keeping pace and when biometrics is best practice abroad you'll see them adopt it here," he says.

For the time being, however, their assessments of the technology will take place in a policy vacuum. The Australian Government Information Management Office has not been asked to prepare advice on biometrics and their suitability for deployment in the public sector as yet.

Indeed, AGIMO's statements on the subject are few, and can be seen in its draft national authentication framework, which says biometrics are a useful enabling technology.

Privacy laws also do not specify different arrangements for biometric data. Further, agencies fear becoming casualties of hype, as biometrics at the moment are still seen as far from a perfect science. For example, wax imprints of fingerprints have been known to be "appropriated" and printed images of irises have been held up to iris detectors -- and these exploits have succeeded.

To prevent this, Hartmann says: "We might have to look at measuring heat or reflectivity to increase the difficulty of spoofing the system."

"There is always going to be a leapfrogging game between the technologists and the criminals that are out there," he adds.



Sidebar: Loose lips sink ships?
It is hard to evaluate biometrics' penetration into government agencies, because many agencies' reliance on the technology makes them unwilling to divulge or even confirm the details of what they use or how they use it.

The Department of Defence, for example, would only reveal through a spokesperson to IT In Government that: "Defence uses biometrics at some locations as part of a suite of measures such as personal vetting, photographic passes, physical barriers and guards to restrict access to buildings holding particularly sensitive and classified information."

The department also stated that it considers that: "Biometrics offers a unique identifier for individuals and provides a highly effective barrier against unauthorised access," but would not let us know which biometrics it uses, or how.

Some facts that are known about Defence's initiatives include that the Defence Science and Technology Organisation has conducted research into facial recognition techniques.

ASIO also has an eye on the field. The Organisation's "T4" technical branch tests and certifies biometrics and other equipment for the Security Construction and Equipment Committee, an interdepartmental Committee that "selects security equipment to meet the physical security needs of the Australian Government", with findings included in a public annual publication.

This article was first published in IT in Government magazine, a supplement of Technology & Business magazine.