
Biometric Technology Application Manual

Volume 2: Applying Biometrics [Draft Version]


Compiled and Published by:
National Biometric Security Project
Winter 2008

4/7/2008 1
Biometric Technology Application Manual (BTAM)

VOLUME 2: Applying Biometrics

About the National Biometric Security Project
Abstract
FOREWORD

Section 9 – Biometrics Applications
Section 10 – System Requirements and Selection
Section 11 – System Engineering, Integration, and Implementation
Section 12 – Operations and Management
Section 13 – Maintenance, Services, and Warranties
Section 14 – Training

Case Studies
Case Study A – India: Ration Card Program
Case Study B – State of Illinois: Driver Licensing
Case Study E – University of Georgia: Student ID/Access Control
Case Study F – St. Vincent Hospital: Desktop Computer Access
Case Study G – Beaumont Hospital: Medical Records Security
Case Study H – Pinellas County Sheriff’s Office: Arrestee Identification
Case Study I – U.A.E.: Iris Expellees Tracking and Border Control System

Appendix A – Biometric Selection/Application Checklist
Appendix B – Miscellaneous Resources
Appendix C – Biometric Publications
Appendix D – Education/Training Resources

Bibliography and References

Acknowledgements

About the National Biometric Security Project

The National Biometric Security Project (NBSP) is a tax exempt, nonprofit 501(c)(3)
organization incorporated and headquartered in Washington, DC. Its mission is to
enhance the practice and effectiveness of identity assurance in government and the
private sector, through the application of biometrics, for the purpose of deterring and
detecting terrorist and criminal attacks on the national infrastructure. NBSP was formed
in the immediate aftermath of 9/11 and has been consistently supported by the Congress
to enhance government-wide use of biometrics and improve the capability of the
industrial base.
To reflect its expanded biometric application services, NBSP recently re-established its
Test, Research and Data Center under the new name Biometric Services International,
LLC (BSI). Located in Morgantown, West Virginia, BSI is a wholly owned, non-profit
subsidiary of NBSP and is the only laboratory, exclusively focused on biometrics, to
achieve the coveted ISO/IEC 17025:2005 accreditation for testing. BSI’s biometric
application services have been expanded to address biometric deployment considerations
such as requirements definition, articulation of program goals and objectives,
vulnerability assessments, application impact studies, life-cycle cost analyses and privacy
impact assessments, just to name a few.
BSI adds dimension to its biometric application services with robust Testing, Training
and Research capabilities. Performance Testing assures that biometric products under
consideration for an application will meet manufacturers’ claims and meet or exceed
published biometric performance metrics. Conformance Testing evaluates a biometric
product’s conformance to applicable, published ISO/IEC standards. Products that pass
the performance and the applicable conformance tests become part of BSI’s “Qualified
Products List”, which provides potential users with an independent source of evaluation.
Custom Testing includes, for example, vulnerability assessments, comparative testing,
algorithm testing, sensor testing, product development tests, and interoperability testing.

Our Introduction to Biometrics Course, Biometric Operations Course and Biometric
Technical Training Course provide a unique three-course curriculum. Additionally, all
students are eligible for Continuing Education Units (CEU) upon completion of any BSI
training course. BSI conducts research into the social impacts of biometrics, including
detailed analyses of U.S. and international privacy laws and their effect on the use of
biometrics. A semi-annual update of all published and emerging biometric standards is
also available as a resource to anyone interested in learning more about standards
progress.

NBSP’s permanent staff is efficiently supplemented, as required, by external
organizations contracted to perform substantive research and technical work, highly
specialized and experienced consultants, and research organizations focused on
biometrics or identity matters. These include West Virginia University and other
academic institutions associated with the Center for Identification Research (CITeR), as
well as other reputable U.S. and international sources.

Abstract

About the Biometric Technology Application Manual (BTAM)

Published by the National Biometric Security Project (NBSP), the Biometric Technology
Application Manual (BTAM) is a comprehensive reference manual on biometric
technology applications. This reference book, in two volumes, has been compiled for
biometric technology users and for those who are evaluating biometrics as an enabling
technology within an integrated system or program for security and identification
assurance. The BTAM is intended to be a rational and practical tool for those who
specify, buy, integrate, operate, and manage biometric technology-based systems.

The experienced biometric practitioner will see much that is familiar in the BTAM. The
publication is not intended to provide all new (never before published) scientific
information. Rather, it is a compilation of published and experience-based information
designed to inform the rapidly growing community of new users, integrators, and
designers, and assist them in their search for practical application solutions. Hopefully, it
will prove to be the standard desktop reference on the subject of biometrics for all levels
of interest and experience.

Generally, this manual has been compiled and is intended for individuals and
organizations that have responsibility for protection of the civil infrastructure and related
applications. These include, but are not limited to:

• Civil infrastructure agencies
• Other government agencies
• Private sector organizations and businesses
• Academic institutions
• International organizations, businesses, groups, and governments
• Consultants and practitioners in biometrics
• Security and identity management administrators

There is a significant volume of valuable work on the subject of biometrics by many
authors. The BTAM was not published to replace that body of work, but rather to
compile some of the best of that content in an organized and focused product with
emphasis on the user. Equally important, the objective of the BTAM is to help solve the
issue of short shelf-life of biometrics publications in a rapidly evolving technology base
by including a process for regular updating of each volume.

In researching and compiling the BTAM, the authors relied heavily on secondary
research from published, public sources. For a list of the reference materials, authors,
publications, and other sources used and referenced in this compilation, please see
appropriate footnotes as well as the Bibliography.

Purpose and Objectives

The BTAM is intended to assist the reader in:

• Comparing how various biometric technologies perform and have performed in
real-world applications (both successfully and unsuccessfully), and why.

• Providing a means to evaluate various biometric solutions based on specific
application parameters and requirements.

• Determining where, when, and why a biometric-based solution is a good fit, or
not.

• Supporting technology evaluation by defining the questions to ask, identifying
other considerations that may exist, and understanding the issues generated by the
need for interoperability.

• Answering such questions as: How do I write a requirement? How do I evaluate
various systems? How do I integrate/apply the technology? How do I use the
technology? What is the best technology for my application?

Summary Volume 1 – Biometrics Basics

Although the overriding purpose and objectives of the two-volume set are similar,
Volume 1 was developed to be more of a primer on biometrics as it presents and defines
biometrics on a fundamental level, including:

• Fundamentals of Biometrics. An entire Section of Volume 1 provides an
introduction to biometrics so the reader has a basic foundation and generic
understanding of the science behind the technology. Beginning with the origins
of biometrics, and taking the reader through explanations of the terminology,
elements, and performance criteria, this Section provides a solid foundation for
those who are just learning about these technologies.

• Types of Biometric Technologies. Some biometric technologies (or modalities)
are better known than others, but this Section presents information about how 11
different technologies work. Presented both in text and easy reference matrix
format, it is an important Section intended to help readers understand why one
technology might fit their needs more than another.

• Biometric System Design. This Section presents guidance and insight as to how
system requirements should be defined and the appropriate performance
specifications documented. Issues such as technical requirements, operational
capabilities, performance expectations, architectural aspects, and other related
concepts are presented in this Section.

• Biometrics Standards and Best Practices. This Section provides an overview on biometrics
standards development. The development and adoption of standards is important
for the biometrics industry to become mainstream and more fully integrated into
our critical infrastructure. This Section provides the reader with information as
to the current state of standards development, enabling insight into the various
types of biometric technologies and their vendors – where they are in terms of
complying with industry-approved standards – and explaining why biometrics
standards are critical to integrating full-solution systems.

• Testing and Evaluation. Insight regarding testing protocols and system
evaluation is presented in this Section. Issues such as understanding system
performance, scalability, and usability, standards compliance, performance
measurement and comparison, and evaluations are discussed, providing the
reader with a very practical guide for evaluating various biometric solutions.

• Biometric Social and Cultural Implications. This Section presents
considerations on three key societal issues: legality, privacy, and user acceptance.
An appreciation for these issues is critical to successfully implementing a
biometric-based security and identification management solution. From the
legal perspective, an understanding of U.S. law and how it applies to the
application is just as important as understanding the laws of foreign countries,
particularly if the application will cross international lines. Privacy is a central
and current issue in the deployment of biometrics. Users and detractors are
rightly concerned about “big brother” and identity theft, and need to be certain
their personal information is adequately protected within the systems that purport
to safeguard it from external sources. Lastly, user acceptance is an often
overlooked, but extremely important factor in the success or failure of a
biometric system. If users do not accept and understand the system, they will not
use it. User education and the development of a work-around for those who
cannot or will not use a biometric are imperative for success.

• Trends and Implications. The final Section of Volume 1 presents some key
trends and implications for biometrics in general, and sets the stage for follow-on
information and additional detail in Volume 2.

Disclaimer

The National Biometric Security Project (NBSP) and the Biometric Technology
Application Manual (BTAM) do not and cannot provide any legal advice nor is the
BTAM a substitute for professional engineering design support. The information in this
publication is for general information purposes only. None of the information contained
in this manual, Volume 1 or Volume 2, is intended to be or should be relied upon as
specific or definitive to the design of a particular program, or system, or process, or legal
policy. The reader should obtain the advice of a suitably qualified engineer, attorney, or
experienced practitioner before taking any action in the application and use of any of the
information contained in this publication.

Updates and Errata

NBSP intends to regularly update the BTAM with new and revised material from all
relevant sources. NBSP is also very interested in the comments and feedback of its
readers. Readers are encouraged to share their thoughts and impressions on the BTAM –
either Volume 1 or Volume 2 – as well as any suggestions for content corrections, typos,
or errors of omission. Please send feedback to:

National Biometric Security Project
Attention: BTAM Editor
601 Thirteenth Street, NW, Suite 390 South
Washington, DC 20005
btam@nationalbiometric.org

Every effort has been made to contact copyright holders for content and images used in
this manual. The publisher apologizes in advance for any unintentional omissions and
will insert appropriate acknowledgements in subsequent editions of this publication when
so advised.

FOREWORD

This Volume 2 of the BTAM continues the mission to provide a complete set of reference
tools that are readily available to the biometric community regardless of the reader’s
specialty or level of activity in the technology. Here, we examine “best practices” and
even “not so best” practices, recognizing therein that the deployment and operation of
biometrics systems is still a work in progress.

Lessons learned in earlier deployment of new security technology apply to biometrics as
well. One of the primary principles involves the “rising expectations” syndrome treated
partially in Volume 1. This relates to the fact that some prospective users of biometrics
will expect, even demand, that the technology perform to a level of accuracy or reliability
that was impossible to achieve with the identity management systems it replaced. While
this degree of confidence in new technology is admirable, it may not be realistic given the
unlimited capability of the human mind to thwart even the best technical design by
deliberate or accidental misuse. Statements such as “biometrics are not perfect” or “not
yet ready for prime time” or even that they can be “easily spoofed” are strong indicators
that the person quoted does not truly understand the practical realities of the technology
deployment process, the vulnerabilities introduced by improper human intervention or
use, the inevitable evolution of technical countermeasures arising from wider deployment
and improved practice, and the serious and incurable deficiencies that exist in all identity
management techniques that do not employ biometrics. A strong dose of reasoned and
practical understanding will do much to help the user/operator and practitioner more
effectively exploit the capabilities of biometric technology. Hopefully, this Volume 2 of
the BTAM will assist in reaching that level of understanding.

Finally, the reader is strongly encouraged to help make the BTAM a living and current
tool by recommending changes and improvements in any area. All such
recommendations will be carefully reviewed by NBSP Editors, and by an independent
review Board constituted as required to address controversial proposals for change.

Section 9 – Biometrics Applications

A biometric device can be applied in virtually any scenario in which one might otherwise
use keys, identification cards, security cards, personal identification numbers (PINs), or
passwords to gain access to a physical facility, a virtual domain (information system), or
a process, or to determine eligibility for a privilege. The real value of biometrics is the
potential for use in applications where keys, ID cards, and passwords would be of no
value whatsoever: the “negative identification” applications. The application of
biometric technologies is increasing over a wide array of industries as organizations and
individuals look for higher levels of security and identity assurance. Advances in
biometric devices have made the technology more affordable and less intimidating for
applications where high security, which was a compelling reason initially, is not the
primary objective. More routine applications, such as access to school dining halls, are
now joining the traditional high security applications such as access to military resources
and nuclear power plants. In addition, with the advent of credible identification systems
(the one-to-many process of comparing a submitted biometric sample against all of the
biometric templates on file to determine whether it matches any of the templates), the
breadth of applications which can be achieved has expanded greatly. Today we are not
limited to applications where a claimant must provide a claim of identity such as a user
name, PIN, or password to facilitate the recognition process. Thus a new class of
applications such as refugee processing/control, watch lists, benefits eligibility
determination, duplicate checks, repudiation prevention, forensic identification, and
others not yet conceived or applied are available.

9.1. OVERVIEW OF APPLICATIONS

We have provided a classification of applications below. However, in the process, we
have concluded that such categorizations are largely arbitrary, and in the evolving field of
biometrics, subject to debate, dispute, and revision. We do not hold our classifications
out as the model, or the only logical way to classify applications. Indeed, Volume 1 of
this manual pointed out Dr. James Wayman’s classification system as a useful way to
analyze and better understand the functioning of biometric systems. Recall that
applications were categorized as overt or covert systems, voluntary or involuntary
systems, attended or non-attended systems, standard or non-standard operating
environments, public or private systems, physical security and access control, cyber and
computer/network security, and identification.

Nonetheless, it is easier and perhaps more meaningful to persons new to the science to
have some sort of organized structure with which to get an overview of the field – and so
a classification system has been developed that covers most of what is being fielded
today. It is important to point out that this classification is categorized by functional
application, and is not organized on the basis of whom or what entity initiates them. It
seems that categorizing applications as Federal, State, Local and Municipal government;
Commercial, Private, or Transportation Sectors; Financial Sector; Manufacturing Sector;
Healthcare Sector; Schools and Education; etc. was not particularly useful for persons
interested in exploring how biometrics can help them. It is certainly true that all of these
entities and sectors provide the settings in which biometrics may and must be applied.
But it serves no useful purpose beyond identifying the policy, funding, and contractual
hoops and wickets that implementers must pass through on their journey to implementing
a biometric system. The important issue is how one functionally applies biometrics to
solve a problem, or improve an existing operation that requires positive human
identification.

Further clouding the issue of biometric classification is the opportunity to implement
multiple, different functional applications within the same “biometric system”. For
example, a biometric implementation in a facility may be categorized as a Physical
Access Control application if biometric readers are located at or near the perimeter of the
facility. It may also be an integrated system which uses the same server(s) for logical
(virtual), access to work stations or partitioned and controlled segments of proprietary
digital information. In a corrections environment as well, where the most important
objective is to positively identify inmates before movement or release, an integrated
system could be used to physically control access to spaces, cellblocks, etc. Likewise in
a Drivers License application, applicants may have their biometric feature compared to
the entire existing database of drivers in a 1:N search to determine their eligibility for the
benefit of license issuance before they can be enrolled. That is a combination of a watch
list and a benefits eligibility determination. Further, once issued a biometrically enabled
license, when the driver uses it as a proof of age for buying tobacco or alcohol it becomes
a Point Of Sale (POS) authenticator and may be used in a 1:1 application. The point is
that trying to categorize a biometric system as a single, simple application is not always
practical or realistic.

Table 9-1: A Functional Classification of Applications (with generic examples)

| Application Type | Sub-Type | Examples |
|---|---|---|
| Access Control | Physical Access Control | National (border control); Area (campus control); Facility; Room; Container |
| Access Control | Logical (Virtual) Access Control | Distributed information sys.; Local Area Network (LAN); Stand-alone systems; Other computer-based sys.; Records: Medical (HIPAA), Human resources, Educational |
| Identity Management | Watch Lists | |
| Identity Management | Corrections/Law Enforcement | |
| Identity Management | Emergency/Disaster Response | |
| Identity Management | Benefits Eligibility and Fraud Mitigation | Driver licensing; Social Security benefits; Welfare benefits; Refugees |
| Identity Management | Non-repudiation | Classified documents; Contracts; Credit card fraud; Check cashing |
| Identity Management | Forensics | |
| Transactions | Credit cards | |
| Transactions | Point of Sale (POS) | |
| Other | Credentialing systems | PIV; TWIC |
| Other | Time and attendance | Collecting employee time; Preparing payroll |
Following are selected examples of biometric technologies in use today. This section is
not meant to be all-inclusive, but rather to present various biometric technologies in
different usage applications. These examples are further supplemented by more detailed
examples in the Case Studies section of this volume.

9.1.1. Access Control - Physical Access Control

Yeager Airport in Charleston, West Virginia, is using hand geometry, specifically
Recognition Systems’ HandReaders®, to control access to the control tower and sensitive
equipment. The control tower is accessed (on average) every five minutes around the
clock with hand readers that are networked to the airport's central security system
computer. Yeager Airport's tower previously required 24-hour police protection for
access control. This cost the airport $1,200 per day. The hand readers have eliminated
the need for guards, saving the airport a substantial sum on access control.

San Francisco International Airport, the nation’s fifth busiest, uses hand geometry readers
to verify TSA employees' identities to ensure only authorized individuals access sensitive
and secured areas. These hand readers are in addition to those previously employed at
SFO. Since 1991, San Francisco International Airport has employed biometric hand
geometry readers to secure its air operations area (AOA), allowing access to authorized
individuals only.

Additionally, in January 2006, a live test of e-passports that contain contactless chips
with biographic and biometric information, and of the readers capable of reading
these e-passports, began at Terminal G at SFO. This test was a collaborative effort
between the United States, Australia, New Zealand, and Singapore that ran through April
2006. The test was successful. A total of 1,398 e-passports were interrogated and the
systems’ performance pointed to significant progress in readability since the government
first started testing e-passports in 2004. The U.S. Department of Homeland Security used
the results of that test to determine which inlays (chips) to use in the e-passports issued to
U.S. citizens.

University of Georgia: see Case Studies section

Rotterdam Seaport has included biometric access control as part of a modernization
program. The seaport, the central hub for European commerce, handles more than 300
million tons of freight each year, accounting for 40% of all European cargo. Not
surprisingly, more than 40% of all European Union trucking companies originate in The
Netherlands. In 1999, a hand geometry system was deployed to control truck driver
access to the port. It has proven effective in expediting the movement of cargo from
marine vessels to the trucks, verifying the identities of “known” or trusted drivers and
providing a detailed electronic audit trail for cargo. Drivers access the system’s hand
recognition reader via their vehicle windows before they pass through the facility control
gate. Their identities are verified if their live hand geometry matches the enrollment
template stored on a radio frequency-activated smart card. The system serves more than
6,000 truck drivers and has successfully completed millions of transactions.

A nuclear power plant in Japan has adopted a facial recognition system known as
FaceVACS (Cognitec Systems) to replace an older, manual system of access control. The
advanced functionality allows employees to access high security areas in nuclear power
plants faster, at lower cost, and with greater accuracy. At the access point, the face of
every person is captured by a video camera, and the facial features are extracted and
translated into a mathematical representation on a template. That template is then
compared in a 1:1 verification application with the enrolled template registered to the
person the entrant claims to be.

9.1.2. Logical (Virtual) Access Control

City of Glendale, California: See Case Studies section

HealthTransaction Network(R) is creating the first-ever nationwide health care provider
network to connect health care providers and consumers using an electronic transaction
network system that quickly, securely and efficiently facilitates and processes
transactions between the parties. The Network includes a shared processing
infrastructure, consumer cards and a new electronic transaction terminal device located at
participating provider sites.
The cards incorporate biometric technologies to ensure patient identification (e.g.,
fingerprint and signature verification), and may also be used as a stored value card. The
types of services that will be available to consumers that subscribe to the Network
include preventive, wellness and routine services such as physicals, dental cleanings, eye
exams, mammograms and x-rays. As of this writing, two health systems in Western New
York have signed on as the Network's first provider participants. TLC Health Network
and Brooks Memorial Hospital will install Network transaction terminals at their many
locations and will offer routine medical services beginning in the second quarter of 2008.
HealthTransaction Network has plans to expand their electronic health care network in
the northeast and ultimately throughout the United States.

St. Vincent Hospital: See Case Studies section

The U.S. Office of Legislative Counsel, which is the legislative drafting service of the
U.S. House of Representatives, has deployed the SAF2000 enterprise biometric
authentication software (by SAFLINK Corporation) on its computers. SAF2000 supports
authentication through iris recognition, finger image identification, speaker verification,
and facial recognition. It offers an event log for recording enrollment, changes to user
profiles, workstation updates, and account deletions. The system supports multiple
databases and directory service protocols for secure storage of user profiles, and offers
encrypted biometric algorithms designed to use the maximum number of available bits
from the operating system. The biometric-based system was deployed to help protect the
files and working documents the Office of Legislative Counsel is working on for the U.S.
House of Representatives.

9.1.3. Identification

UAE and Dubai: See Case Studies section

State of Illinois: See Case Studies section

The Port of Palm Beach, the 4th busiest container port in Florida and the 8th busiest in
the continental U.S., has implemented a biometrically based visitor management
program. The system uses fingerprints and photographs, captured with Cross Match
Technologies' VisTrak(TM) and MV 100(TM) digital fingerprinting systems, to log the
entry and exit of 200-300 truck drivers as they bring goods in and out of the port, and of
others visiting the port each day. The port uses a hand-held fingerprint and photograph capture
system, with a built-in PDA, to log the data and transmit it wirelessly to a central database. It
also captures biometric and biographic information from visitors and checks it against a
banned visitor list. The system enables the port to have an accurate audit trail of visitors,
including fingerprints, photos, time and date of arrival and departure, demographic
information, company, purpose and more, and provides visitors with temporary badges.

The State of Florida has a rule allowing visitors to enter the port a maximum of five times
within a 90-day period. The fingerprinting system automatically keeps track of frequency
and flags any violators.

Lancaster County, PA: See Case Studies section

Sarasota County, Florida, demonstrates the capabilities of a 1:N iris recognition system
that can identify individuals in a large population without prior claim of identity. While
this specific example features a corrections-law enforcement application, it demonstrates
biometric use outside typical standard access control or information security applications.

Typical of many county jails, the maximum security Sarasota County Detention Center in
Sarasota, Florida, is the processing agent for more than 19,000 arrestees each year. The
facility processes criminals for every police station in the county and provides a
temporary holding place for people arrested for everything from open alcohol containers
to homicide. Once they reach the jail, inmates are segregated according to the severity of
the charges and are transported to the appropriate facilities. The facility itself is capable
of housing 750 inmates.

Under the old system, arrestees were escorted to the booking area where they gave their
name and other personal information and were fingerprinted and photographed. Though
the ID system was computerized, the fingerprints were taken manually, and physically
filed away. When inmates were released on work detail or on parole, prison personnel
relied on the inmate's ID badge and his or her personal knowledge, such as a Social
Security number or birthday, for identification. Comparing fingerprints was inefficient
because positively matching inked fingerprints required calling in a forensic specialist.

With the new biometric system, arrestees are enrolled using iris recognition technology at
a central enrollment station. The active database of persons currently incarcerated at the
detention center is automatically searched in real time (1–2 seconds), and as processing
continues, the archived database of former inmates or arrestees is searched off-line. The
technology has the capacity and capability to search a 50-year history in seconds
(although iris records have only been available for the past several years). Once an
enrollment is in place, the system confirms the identity of all inmates who leave the
facility, whether for court appearances, work crews, or at the time of their release.

As a result, in the first year of operation alone, the detention center detected seven escape
attempts, most cases being inmates trading IDs to assume the identity of an inmate
legally scheduled for release. In one case, Sarasota discovered an arrestee attempting to
pretend to be his identical twin brother on commitment. He had been an inmate at the
detention center sometime earlier in the year and was enrolled in the iris recognition
system. After he was released, he went on a crime spree but was subsequently arrested
on a minor charge. Realizing that there were warrants for his arrest on some very serious
crimes, he attempted to pass himself off as his law-abiding brother. The system’s
automatic archival search identified him out of several thousand former inmates under his
true identity and he was prosecuted accordingly.

Such a recognition system also helps resolve disputes when released inmates are arrested
for a violation of their parole. When individuals are brought in on warrants, they often
claim there has been a case of mistaken identity. Names and Social Security numbers are
sometimes jumbled on warrants, which further confuses the issue. The iris recognition
system tracks the true identity of the individual, in one case establishing that police had
indeed detained the wrong person.

9.1.4. Benefits Eligibility and Fraud Mitigation

After the Afghan war, the United Nations High Commissioner for Refugees (UNHCR)
used a biometric recognition system capable of high speed search of large databases (up
to 1.5 million) to recognize returning refugees in Peshawar, Pakistan. The staff of the
Takhta Baig Voluntary Repatriation Centre (VRC) performed a check on Afghan
refugees who wished to return to their homeland. These refugees were entitled to a one-
time assistance package, provided they had not been processed through the program
before. The anonymous enrollment process in the iris recognition biometric system
ensured that returnees were making their first visit to the VRC and that they were therefore
legitimately entitled to the aid, by performing a near-instantaneous exhaustive search of
the enrolled database. No PINs were required in the recognition system and the process
was essentially a one-time procedure. Additionally, the system maintained the privacy of
the Afghan refugees, as the only data recorded was the digitized template record.

India Ration Card Program: See Case Studies section

9.1.5. Commercial Transactions

A retail solutions manufacturer is using hand geometry to track the time and attendance
for 400 hourly employees at its facility in Austin, Texas. The readers eliminate the need
for an employee to carry a badge, thus eliminating the problem of lost or forgotten
badges. Biometric time clocks also eliminate “buddy punching,” the practice of
employees clocking in and out for each other. They provide more accurate information
about who is working at any given moment and help companies eliminate mistakes or
intentional fraud. Additionally, not requiring hourly employees to manually fill in their
time card each pay period results in cumulative cost savings. Before installing the
biometric solution, hourly employees completed paper timesheets, signing in and out
each day. At the end of the pay period, employees had to complete paperwork and give it
to their team leaders for verification prior to entering it into the payroll system. This
process took about 15 minutes per worker—time that could be better spent on the
manufacturing process.

Manufacturing costs are directly affected by the productivity of employees. With its 400
workers spread across four buildings at the Austin facility, the company needed a more
efficient method of collecting time and attendance records and readying the information
for payroll.

The biometric handreader system easily implemented the rules for labor collection and
supported rules that allow the company to allocate time for 15 minutes in the morning
and afternoon for breaks that could be charged directly to overhead, not to a product.
This enables tracking of labor efficiency accurately and developing efficiency reports for
accounting. The system can compare the amount of labor used to manufacture a product
against the forecasted costs, providing management with up-to-the-minute data on their
manufacturing process. This information helps the company plan its hiring, track
overtime usage, and determine the output per person in each area.

The final benefit of the handreader-based system is that it works over the company’s
existing Ethernet network, which eliminated the expense of having to install new wire.

The following tables provide partial listings of selected usage examples in various
application groups.

Table 9-2: Driver License Programs
Table 9-3: State Benefit Programs
Table 9-4: Law Enforcement
Table 9-5: Schools
Table 9-6: Government Operations
Table 9-7: Casinos

Section 10 – System Requirements and Selection

If the need for positive identification is, or will be, a part of an organization’s normal
operations, then the basic requirement to define, design, and build a biometric component
or subsystem for integration into that operation may be established. Section 10 focuses
on development of a detailed requirements statement as a prelude to design of the
subsystem, as well as the primary issues that should be considered in that design process.
Section 11 and those that follow address the implementation process and long-term
management of the biometric component.

The BTAM is intended to provide guidelines for the design and build process, but will
obviously not, in itself, provide adequate training or resources to prepare an untrained
person to be a qualified practitioner/designer, electrical engineer or systems integrator.
Sections 10 and 11 are intended to help a qualified engineer, security systems designer, or
technology practitioner include biometrics in program design and implementation.

10.1. DEFINING SECURITY NEEDS and PROGRAM OBJECTIVES

Operational/Program Requirements

When evaluating the use of biometric technology to meet operational needs for positive
identification, it is first necessary to determine which functions are most appropriate for a
particular operational need. It is important to look closely at what operating goals the
technology is designed to achieve or what problem(s) the technology is supposed to
solve, and then determine who will be using it, what interface the system will have with
other components, what the interoperability requirements are, and what the anticipated
scope and lifespan of the system are. Examples of basic operational/program
requirements, as described in previous sections, are:

• Security program component;
• Eligibility program component;
• Administrative (work force management) program component;
• Hybrid Application (designed for more than one function/application).

Risk/Vulnerability Assessment

Fundamental to defining one’s security needs and program objectives is performing a
comprehensive risk and vulnerability assessment. A good starting point is to describe the
“current operational concept” as discussed in BTAM Volume 1, Section 4. When
describing how the current security system/practices/procedures are structured, it is
useful to ask why the current system is the way it is. What asset is being protected?
People? Classified information? Customer personal information? Company proprietary
information? High value resources? Hazardous or toxic materials? Other?

If eligibility validation is the primary application or part of a hybrid operating
requirement, similar threat issues must be considered. These include: nature and volume
of fraudulent attempts; denial of service issues; process vulnerabilities in the current
operation; and so on.

It is also necessary to consider what or who threatens these assets and eligibility
programs. Is the operation subject to terrorist threat, competitors seeking knowledge of
intellectual property, recipes, simple theft from outsiders, employee theft, fraudulent
claims from authorized persons or non-authorized, etc.?

Another useful tool in a risk/vulnerability assessment is a consequence evaluation. What
are the consequences if an employee steals something? What are the consequences if
someone sabotages a manufacturing process, or steals a batch of material that will be sold
for subsequent construction? What are the consequences if an explosive device is
introduced into the work operation? What is the impact if someone hacks into the
network and gleans proprietary information?

The answers to these questions, condensed in a clear Risk Assessment Summary, will
help determine whether biometrics are only part of a solution, or are of critical
importance to that solution. Coupled with scope issues (e.g., how many biometric
readers will be necessary, how many persons will be enrolled in a biometric system),
these answers will also provide insight into the performance characteristics of a biometric
system and how much it may cost to integrate biometrics into an overall security or
eligibility program. The Risk Summary will also be helpful in doing periodic re-
evaluations of risks and threats to be sure that system performance is consistent with
changing situations and conditions, as well as calculating a cost/benefit ratio.

10.2. SYSTEM DESIGN CONSIDERATIONS

A. Design Goals

Seldom is a “biometric system” designed as a stand-alone objective. Normally, if one is
using biometric tools, one is designing or updating a specified security, risk
management, or eligibility system with biometric aspects or enhancements. Whether the
intent is for a physical access control system in which only biometric devices are used to
determine authority to enter a protected space, or one is designing a system using cards,
keys, cipher codes, armed guards, mantraps, and some biometrics, biometrics remain a
component of the larger system. Likewise, a welfare benefits program that uses
biometrics to distinguish authorized beneficiaries from those attempting fraud is still a benefits
system, not a “biometric system.”

B. Design Considerations

Regardless of the specific application to which one is applying biometric technologies,
the design approach should consider the implications of at least the following issues:

1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business and Economic

At this stage of analysis, none of these is more important than any other. In each specific
case, however, it will often develop that one or another of these becomes the driving
force affecting the ultimate system design. The following discusses the key aspects of
these six issues.

B.1. Functional Issues

This aspect of system design asks a basic question regarding the overall purpose or
purposes of the system, a question often best answered by the journalistic questions:
who, what, when, where, and why. Who is going to be using the system for what purpose
at what time/day and at what location? What are the application considerations?

B.1.a. Physical Security Systems

At the simplest level, as noted above, one does not design a biometric security system,
but a security system with biometric components principally designed to improve access
control by enhancing the assurance of identity of and convenience for the persons
requesting entry. In access control applications, the biometric device augments or
replaces more traditional door control devices such as a cipher keypad or proximity card
reader. Electrically, the function of the biometric device is identical to other control
devices: Upon presentation of an approved credential, the device activates or causes the
activation of a relay that releases the door strike.

Referring to the following figure, in some system architectures, the biometric device
itself energizes the door strike (see Figure 10-1) while, in other designs, the biometric
device sends a captured biometric template to a central processor. If the template
matches that of an enrolled person, the central processor activates or energizes the strike
relay. A third variation is one in which an identity verification takes place at a remote
door control mechanism. An option for integrating biometrics into existing access
control systems is for the biometric device to communicate with an access control panel,
using the same communications protocol as non-biometric devices, such as card readers
or keypads.

4/7/2008 25
Secure Access

Fig. 10-B

Secure Access Secure Access

Security Control

Fig.10-C Fig. 10-A

Figure 10-1

4/7/2008 26
Which of these basic design approaches is most appropriate depends upon the overall
system design and architecture, reliability and performance expectations, and budget and
legacy system constraints.

Examples of System Requirement statements that are typical of physical access control
functional issues include:

• I need to move 450 employees into my facility through three portals between the
hours of 0730 and 0830 each weekday morning. 80% of those employees use
Portal A, 15% use Portal B, and 5% use Portal C.

• Given the size of my workforce, and the ongoing cost and operational disruption
of maintaining our current card-based security system, I want to eliminate cards.

• Given the potential for a 30% expansion of the facility and employee population, I
want to be able to upgrade any biometric solution as circumstances dictate in the
future. This could include designation of additional secure areas within my
facilities with higher security requirements demanding different types of
biometric systems.

• I have to protect my critical resources whose loss would adversely affect my
ability to provide needed equipment to the U.S. Federal Government for national
security, so I cannot afford to have employees delayed getting to their work at a
greater rate than currently experienced with our card system (8%).

Design Implications of Physical Access Control Systems

In physical access control systems, the biometric device typically replaces a lock set,
cipher lock, card reader, human controller or some other device controlling one or more
doors. Architecturally, the primary security system design remains mostly unchanged
with just the symbols designating a biometric device being inserted for the previous
access control technology. There are issues that need to be resolved before the design
can be completed, however. Some questions include:

• Will the biometric device of choice operate in a stand-alone mode in which all
users are enrolled at the device? In this instance:

o Does the device control the door via a relay or does it send a signal to a
separate door control mechanism?
o Does the device record each entry for subsequent downloading?
o Does the device have a mechanism for backing up the enrollment database?

• If enrollment is centralized and new enrollments are distributed through a
network:

o Does the data flow into the primary security system or directly to a
proprietary door control?
o If biometric matching is performed at a central server, what happens when
the network crashes?

• Should biometric enrollment data be stored on a card carried by the employee,
such that the need for storing biometric data in a door reader or central biometric
database can be avoided?

• What are the power requirements and where are the power sources?

• What alarm reporting and response provisions does the system offer?

• Will the biometric be used in conjunction with a physical token/credential?

B.1.b. Logical Access Systems

The use of biometrics to control access to logical systems is not new, but it is not nearly as
mature as their use for physical access control. Most implementations are at the workstation
level, in which the biometric control is integrated into the physical case and electronics of the
workstation, whether a “desktop” system or a “laptop.” Other systems use a plug-in
biometric device, typically a fingerprint peripheral connected to a USB port, or
embed the fingerprint sensor directly in a laptop housing. Some time ago, a
manufacturer marketed a plug-in, table-top device using iris recognition as the biometric
of choice. Either integrated devices or USB plug-ins should be sufficient for most applications,
but it is suspected that the plug-in devices would not be able to satisfy the higher levels of
government secure computing protocols. Testing of the built-in or integrated devices by
a Common Criteria Testing Laboratory (CCTL) would be required to verify the
acceptability of these devices for high security computing.

In virtually all cases, the biometric device authenticates the person touching (or looking
at) it, and enables operation of the workstation. The computing system and anyone at a
remote terminal communicating with the “secured” workstation assume (and this is a
very profound assumption to be aware of) that the keystrokes generated or the files
accessed following authentication are the actions of the authenticated person. Some
computing systems include a keystroke recognition sub-routine that purports to verify the
user as he/she types by measuring typing rhythm and style as a form of behavioral
biometric, once access is granted to the keyboard. In principle, this approach would
establish continuing authentication of the user, but this implies a consistent matching
accuracy level for keystroke dynamics that has yet to be independently validated. Another
approach to continuous presence monitoring would be to use a constant video assessment
confirming the presence of one person at the keyboard and that the person’s face or eye is
recognized by a facial or iris recognition biometric, respectively.

B.1.c. Authentication Systems

Authentication systems can also verify or recognize the identity of an individual for some
useful purpose other than granting access to a physical or virtual asset. These include
three main uses:

• Communications
• Authorizations
• Non-repudiation

Communications
Biometric systems can be used in communications as part of the data encryption process
(a matter beyond the scope of this manual) and to authenticate users. As noted above, it
is one thing to successfully activate the biometric device by an enrolled user, but quite
another to ensure that the originally authenticated person is still operating the keyboard
and not an unauthorized person sending or receiving sensitive data. Biometric
identification alone, in this context, might not be sufficient for a truly secure system. At
the same time, non-biometric subsystems, including encryption products such as public
key infrastructure (PKI) [1], are not a complete substitute for biometrics in identity
validation of the actual user.

Authorizations
The number of specific uses of biometrics for an authorization function is extensive.
Some examples currently using biometrics include processing and distribution of welfare
benefits, issuing and examination of drivers licenses, access to medical records (under
HIPAA), and validation of various government and private industry identification cards
and credentials. It is important to note the difference between “authentication” and
“authorization”. The role of biometrics is to support the latter by performing the former.

Non-Repudiation
In the areas of classified document production and control, financial transactions, and
legal contracts, it is important to be able to affirm that a certain person did, in fact, sign
for or generate a particular document or transaction, thus providing a strong basis for
non-repudiation, barring the individual from denying they signed the contract, published
the document, removed it from secure storage, or participated in the transaction.

Design Implications of Authentication Systems

There are many different applications where biometrics may be used for authentication
systems, each with their own peculiar design requirements that amply illustrate the
guiding principle of design following function: much depends upon the specific purpose
or application. Consequently, the primary implication is that the designer needs to
understand very well the purposes for which the technology will be applied and to select
the technology best suited for that application, being sensitive to the context of the
application and the impact of its use. From past experience, for example, the
participation rate in an essential welfare program was much lower than expected when a
new biometric system was adopted. On analysis, it was determined that the use of a
fingerprint system had deterred many eligible participants who feared the data would be
sent to law enforcement officials. In this case, a decision was made to use a hand
geometry device instead. Participation immediately and dramatically increased. One
positive explanation for part of the reduced participation is that the biometric-based system
reduced the number of double- and triple-dippers, thereby eliminating duplicate or triplicate
applications from a single person.

[1] A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet
to securely and privately exchange data and money through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a
digital certificate that can identify an individual or an organization and directory services that can store and,
when necessary, revoke the certificates.

B.1.d. Other Functional Issues

To ensure most aspects of system design are addressed, it is worthwhile to return to the
basic questions regarding the overall design and purpose of the system mentioned earlier:
who, what, when, where, and why. Who is going to be using the system for what purpose
at what time/day and at what location?

A brief description of the ultimate system to be installed, addressing and including the
answers to those questions is fundamental to developing a clear view of what remaining
functional requirements one’s biometric system/component must perform.

Who? (Community Involved)
It is critical to identify who will be involved with the system, both as users and operators.
How knowledgeable will these people be? This leads to the question of how much training and
supervision needs to be planned and implemented. The demographics of the user
population can affect many areas, for example cultural issues and even how well a
given modality might work.

How many?
How many people will be using the system? The answer to this question will affect
which technologies should be used or considered. If only a few people are going to use
the system, then almost any biometric—all other issues being equal—will do. On the
other hand, if there will be a very large number of users, then there will be a number of
subsequent issues (see “Throughput”).

Age?
Age of the user population may be an important consideration depending on the type of
biometric equipment that will be used. Age can impact the incidence of Failure to Enroll
as well as cause training issues. The ability of some biometrics to function well is
sometimes a function of the age of the subject. For example, the skin on the hands of
older people tends to become very smooth and fine, making it very difficult for some
fingerprint sensors to acquire a well-defined image of the fingerprint ridge pattern, thus
making it difficult to enroll the subject into the system. Arthritis can also cause problems
for those using hand geometry readers. If this is a major concern, other biometric
technologies that feature easier enrollment and use (such as facial or iris recognition
systems) may be an appropriate alternative. Other technologies may require users,
relatively speaking, to pay greater attention to detail and process (such as some
fingerprint and hand geometry systems) that involve precision in both finger or hand
placement and the entry of a PIN, a requirement that may overly tax persons with
declining physical and mental acuity.

Race and Gender?
As with age, race and gender may affect a person’s ability to enroll in some biometric
systems. Some technologies are sensitive to features or characteristics that are more
prevalent in one racial group than another. One example occurs in iris recognition in
which very dark irises or those occluded (covered) by the eyelid may be difficult to enroll
and authenticate. While these issues can usually be resolved, they should be considered.
Similarly, in some populations, there is some evidence that Asian females have
fingerprints that are very fine in their definition and may be difficult to acquire in some
low-resolution fingerprint sensors.

In all cases in defining Who, the issue is not whether the user group includes some
persons who may challenge the system, but whether the group includes a majority of
users who may challenge the system. It is important to understand that even if a majority
of a user group can use a system, a significant minority with usage difficulties can bring
the entire system down. An industrial plant may be assumed to provide shelter and work
for a wide range of ages and races, as well as an even split on gender. On the other hand,
a nursing home may comprise a number of users who will, unfortunately, challenge
certain technologies, suggesting that, in such instances, some other biometric technology
should be considered. If workplace protocol requires staff to always wear protective
clothing, such as latex gloves, then fingerprint technology might not be an appropriate
choice for routine authentication.

What?
What is the proposed technological solution of which the biometric device(s) are
expected to be a part, and what is the problem the solution is designed to address?
Additional “what” questions include:

Technology
In what sort of technical environment will the biometric devices be employed? Will the
biometric be the technical highlight of the system—such as in a benefits distribution
center—or will it be overshadowed by a significant application of other technologies for
identification, security, and other purposes?

The level of training is most likely to be a function of the technical aptitude and
experience of the operators and users, coupled with the complexity of the biometric
technology. Adequate training for biometric use must be provided regardless of the
overall complexity of the system, i.e. do not short-change biometric training simply
because it may be a relatively minor component of the total system.

Process
In general, what is the system doing? Is it counting votes, distributing benefits, providing
public vehicular law enforcement, processing information, or performing some other
definable function?

Specifically, to what use will the biometric device be put in the context of the operating
system? Will it open doors? Will it allow access to information technology and/or
activate software applications? Will it permit access to or activation of a machine?

Even more specifically, what will the process be for the following biometric-related
functions:

Enrollment
How will users be enrolled? In one large group? Individually as users are registered into
the larger process? Will the enrollment function be distributed to geographic locations
close to the users? Will the users self-enroll or will the enrollment process be attended
by a trusted agent? How much time can be dedicated to pre-enrollment instruction on the
enrollment process and the subsequent everyday use of the technology? How much time
can be dedicated per person for the actual enrollment process? What is the expected
allowable Failure to Enroll rate for this technology and this population? What work-
arounds are to be provided for those who cannot be enrolled for one reason or another?
How does this work-around satisfy security requirements on a par with the biometrically
based solution? Just the logistics of enrollment can be daunting. It is important to
determine whether enrollment will be supervised, self-enrollment, remote enrollment, etc.

User Training
What amount of user training will be provided? What is the purpose or intent of the
training? How often is this training to be offered?

Anticipated Problems
In addition to enrollment failures, what other problems or anomalies might be
encountered while using the biometric technology?

Termination of a User
What are the rules for how a user’s access privilege is to be removed from the system?
How does this process ensure a permanent removal and prevent the terminated user from
subsequently gaining access?

When?
What are the periods of operation and how often is the biometric to be employed? At
what week(s) of the month or day(s) of the week shall enrolled persons be required to use
the system? Is the use of the biometric component only required during periods of
elevated threat levels? At what time of day do permissions begin and end? The answers
to these questions relate to identifying biometric technologies that are appropriate to the
internal or external environment they must tolerate, an approximation of the level of use
required, and what sort of interaction with the control system is required.

Time/Day
The time of day of expected use will determine whether consideration must be made for
the effects of ambient light or other environmental factors related to time. Many
biometric systems are basically imaging devices that can and will be adversely affected
by sunlight or bright overhead light shining on the image collection device. This is also
related to the more general issue of environmental conditions in which the device may be
installed outdoors. The day(s) of the week the device will be used also has an influence
on the determination of appropriate technologies. A system in which the device is used
only one or two days a week can be more fragile or less demanding than an application in
which the device is expected to function every day, 24 hours a day.

Excluded Period(s)/Location(s)
Often, access control systems will be programmable to enable the exclusion of otherwise
enrolled persons as a function of the time of day and/or the day of the week, month, or
year. Such a system may exclude persons on holidays, evenings, and/or weekends. For
example, certain employees may have access on Monday through Friday from 8:00 a.m.
to 5:00 p.m., but should not be in the facility during the weekend.

The system should be configured or configurable to not only pass identification codes to
the processor – whether centralized or localized – where the final pass/reject decision will
be made, but also time and date information.
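
One way to implement the pass/reject decision described above, in which the processor receives time and date information along with the identification code, is sketched below as an added example (it is not code from the BTAM or from any vendor's product). The class names, user IDs, sample dates, reason strings and the choice to treat 5:00 p.m. as an exclusive end of the window are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time


@dataclass(frozen=True)
class Window:
    """A permitted period: weekdays (Monday=0 ... Sunday=6) plus start/end times."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        # Assumption: start is inclusive and end is exclusive, so a presentation
        # at exactly 5:00 p.m. falls outside an 8:00 a.m. to 5:00 p.m. window.
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class AccessPolicy:
    """Hypothetical policy held by the processor that makes the final decision."""
    windows: dict                                       # user_id -> list of Window
    excluded_dates: set = field(default_factory=set)    # e.g. holidays
    revoked: set = field(default_factory=set)           # terminated users
    audit: list = field(default_factory=list)           # (when, user_id, granted, reason)

    def decide(self, user_id: str, matched: bool, when: datetime):
        """Return (granted, reason). Anything not explicitly permitted is rejected."""
        if not matched:
            result = (False, "no_match")
        elif user_id in self.revoked:
            # Checked before enrollment so a leftover template cannot re-admit
            # a terminated user.
            result = (False, "revoked")
        elif user_id not in self.windows:
            result = (False, "not_enrolled")
        elif when.date() in self.excluded_dates:
            result = (False, "excluded_date")
        elif any(w.contains(when) for w in self.windows[user_id]):
            result = (True, "granted")
        else:
            result = (False, "outside_window")
        self.audit.append((when, user_id) + result)
        return result


# Monday through Friday, 8:00 a.m. to 5:00 p.m., as in the example in the text.
OFFICE_HOURS = Window(frozenset(range(5)), time(8, 0), time(17, 0))


def build_sample_policy() -> AccessPolicy:
    """Constructed sample data: two enrolled users, one of them terminated."""
    return AccessPolicy(
        windows={"E1001": [OFFICE_HOURS], "E1002": [OFFICE_HOURS]},
        excluded_dates={date(2008, 5, 26)},   # constructed holiday (a Monday)
        revoked={"E1002"},
    )


# Constructed reader events: (claimed user, biometric matched?, time of presentation)
SAMPLE_EVENTS = [
    ("E1001", True, datetime(2008, 4, 7, 8, 0)),     # Monday, window opens
    ("E1001", True, datetime(2008, 4, 7, 17, 0)),    # Monday, window just closed
    ("E1001", True, datetime(2008, 4, 12, 10, 0)),   # Saturday
    ("E1001", True, datetime(2008, 5, 26, 9, 0)),    # weekday holiday
    ("E1002", True, datetime(2008, 4, 7, 9, 0)),     # terminated user, still enrolled
    ("E1001", False, datetime(2008, 4, 7, 9, 5)),    # biometric did not match
    ("E9999", True, datetime(2008, 4, 7, 9, 10)),    # identifier unknown to policy
]


def replay(policy: AccessPolicy, events) -> list:
    """Run events through the policy and return the reason for each decision."""
    return [policy.decide(user, matched, when)[1] for user, matched, when in events]


if __name__ == "__main__":
    reasons = replay(build_sample_policy(), SAMPLE_EVENTS)
    for (user, _, when), reason in zip(SAMPLE_EVENTS, reasons):
        print(user, when.isoformat(), reason)
```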

Where?
Environment: The system description should give the designer a meaningful sense of the
climate and weather conditions for the more challenging venues where the system will be
employed. It should also indicate whether the device(s) are to be mounted outdoors or
indoors as each of these factors affects the choice of technology. There are, of course,
other environmental factors besides weather, including the degree of ruggedization
required (i.e., shock and vibration) and sources of interference (background noise, etc.).

Scope: Scope is essentially a very straightforward, but necessary, issue, the answer to
which defines the size and impact of the installed system. Where, specifically, will the
system be deployed and how extensively? In one city at one location or multiple cities
and/or multiple locations? What is the total expected enrollment capacity? Is the system
scalable across multiple locations and can it grow as additional users are added? The
answers determine the capacities and communications requirements for the devices.
Some products are good for small standalone applications, but falter in large, distributed
systems. Other products are not effectively used unless they have thousands of enrolled
templates and operate in complex communications environments.

Why?
The answer to this question was addressed partially in applications issues above, but is
worthy of a revisit to ensure that all purposes intended for the system as a whole are
included in their varied form(s).

• To prevent welfare fraud
• To prevent unauthorized entry to a facility(ies) or area(s)
• To ensure only authorized drivers are on the streets
• To ensure known or suspected terrorists do not pass a border control point without
further screening
• To ensure only ticketed persons board the aircraft

… and so on.

This is a key question looking for an essential answer. Until the designer knows this
answer, it is not possible to determine whether a given design approach is correct or “off
the mark.” With this in hand, it is possible to evaluate a given design and determine
whether that design will satisfy its primary function in an optimum manner.

B.2. Operational Issues

There are, in this category, four main operational considerations:

a. Performance
b. Reliability
c. Facility
d. Training.

B.2.a. Performance
Performance includes several measures (metrics) of biometric systems. The end-user
needs to understand these metrics, be able to determine what they need to be given the
organization’s security policies, and articulate them to the designer.

B.2.a.1 Accuracy.

The most commonly quoted performance rates in entry/access control applications
(physical or virtual) are False Accept and False Reject. In these applications they equate
to False Match Rate (FMR) and False Non-Match Rate (FNMR) and can be used
interchangeably.

False Accept Rate (FAR)


A False Accept occurs in an entry/access control application, when the biometric sample
from an unauthorized person erroneously (or falsely) matches the template of an enrolled
and authorized person, and the biometric system falsely accepts his premise that he is
authorized. Obviously, this is the most critical error, and precisely the error that
biometrics are intended to prevent. Acceptance of an imposter, whether by deliberate
attempt or accidental occurrence, is a critical failure of the biometric and should be a very
rare incident, and almost never repeatable.

In modern biometric access control systems, it is rare (but possible) that the right
combination of ambient light, humidity, temperature, feature or image position, etc., can
combine to send an image to the processor that resembles an enrolled template closely
enough to produce a False Accept. Normally, however, that event and combination of
factors is virtually impossible to recreate closely enough to make it repeatable. For this
reason, those who would attempt to bypass a biometric system do not rely on False
Accepts for access but on a more deliberate attack, such as “spoofing.” It is difficult, if not
impossible, to accurately measure the number of False Accepts in an operational setting
(because, of course, the successful imposter is unlikely to report it), but it is possible to
estimate the statistical probability of False Accepts during a pre-operations scenario test
or technology test.

False Reject Rate (FRR)


A False Rejection Rate (FRR) is the measure of the likelihood that a biometric security
system will not match the template of an authorized user and thus falsely rejects an
entry/access attempt. A system’s FRR typically is stated as the ratio of the number of
false rejections divided by the number of identification attempts.

False Rejects are an administrative and operational nuisance in physical or virtual access
control applications, and do not directly cause or represent a security hazard. False
Rejections contribute to weakened security, however, if the rate of False Rejects is so
high that regular users start trying to find ways to circumvent the control—like leaving
the door propped open. High FRRs also weaken security if the users’ objections
influence the security manager to move an adjustable threshold to reduce the incidence of
False Rejects, thus increasing the likelihood of a False Accept.

The objective of the designer and the security manager is to select and use biometric
devices that minimize False Accepts to an optimum level without increasing False
Rejects to an unacceptable level.2

False Accept and False Reject rates are more fully discussed in Volume 1 of the
Biometric Technology Application Manual.

B.2.a.2 Spoof Resistance

While managers often worry about the FAR, they often do so more than they should. For
example, presume that the statistical probability of an imposter being able to randomly
match the biometric of a legitimate identity purely by coincidence is 1 in 100 (1% FAR).
Looked at from the other perspective, an imposter would have a 99% chance of being
thwarted - not very attractive odds. Thus a biometric system acts as an effective deterrent
to all but the most sophisticated and determined. As biometrics become more and more
sophisticated, the likelihood of hostile forces successfully exploiting a device’s implicit
FAR is very low. Managers should focus on direct attacks on the system, such as the
device’s vulnerability to spoofing.

2
FAR and FRR are inversely related. That is, an adjustment in the sensitivity of the device that decreases
the probability of a False Accept increases the probability of a False Reject. However, the relationship is
not necessarily linear (that is, a 5% increase in one factor does not necessarily result in a 5% decrease in
the other), but it is a performance factor that needs to be understood.

There is a real and significant difference between a False Accept and an effective spoof.
A true False Accept occurs when, during the matching process, the characteristic or
feature that has just been presented and which is a faithful representation of that
unauthorized person’s real biometric characteristics so closely resembles an enrolled
person’s template that the system declares a match. It is an honest mistake properly
anticipated by the device’s computed FAR. It is a statistic that tells the technology buyer
what the chances are of the door being opened by a casual passerby (i.e., a zero effort
attack). As noted above, such events can happen but are not likely to be routinely
repeated, even seconds apart. A one-time accident/error does not constitute a useful tool
for those with bad intentions.

Spoofing, on the other hand, is a systematic and concerted attempt to fashion some sort of
disguise, artifact, or fake biometric (a mask, a fake finger, a rubber hand, etc.) in a willful
attempt to circumvent the biometric safeguards. It relates to the FAR in the sense that
both events result, if the spoof is successful, in the device being sufficiently convinced of
the similarity between the presented object and the enrolled template that it declares a
match and allows entry to an unauthorized person. What the security manager really
wants to know is to what extreme would a person have to go to purposefully fool or spoof
the technology and thereby routinely gain unauthorized (and even repeatable) access.
Theoretically, any system can be spoofed, provided enough time, labor, and money are
contributed to the attack method. The security manager wants to know how much time,
labor, and money is required to compromise the technology. If there were a convenient
way to characterize this “spoofability” into a simple number like a FAR or FRR, it would
readily become a key factor in product selection. At this time, we have no such magic
bullet, but work is underway to produce a useful estimator of “spoofability”. It should
also be noted that the biometric industry fully recognizes the exposure to spoofing
techniques and sensor manufacturers are continually developing sophisticated
countermeasures that would render many of the less sophisticated spoofing attacks ineffective.

B.2.a.3 Throughput rate

Throughput is the number of people who can be successfully processed and permitted to
proceed beyond the biometric checkpoint in a given period of time (e.g., six people per
minute). Throughput and False Rejects will often battle for the lead in user irritation in
operating biometric systems and are a major source of system failure. A biometric
screening device that works without errors of any type, but only allows 1 or 2 individuals
to pass the checkpoint per hour (or even per minute) would not be accepted and installed
in most applications. Consider also a user-sign-on application for a company with 10,000
employees who are logging on to their server system in the morning as they report to
work. The system must be able to handle thousands of access requests that come in
around the same time, otherwise there will be significant delays and False Rejects due to
inability to process.

Ultimately, however, throughput, like False Reject Rates, is an administrative or
management issue. A low throughput rate or high reject rate is not, in and of itself, a
security breach. It is an institutional nuisance that, in the worst case, motivates people to
try to find ways to circumvent the irritant, such as propping the controlled door open all
day, a practice that would allow unauthorized persons into the protected space. The
“correct” value for throughput is subjectively established as a rate at least equal to one
more person per unit of time than the minimum rate that management finds acceptable.
The best achievable throughput is one in which there is no discernable delay in the
movement of people passing a biometric checkpoint regardless of the number of people
attempting simultaneous entry. A couple of factors will also impact throughput. These
include population and flow pattern.

Population Size
A major factor affecting the assessment of throughput is the total number of people who
must pass a biometric checkpoint in a specified period of time in a single file. If there are
five doors into a facility and 1,500 people need to enter the facility, then each checkpoint
device needs to process at least 300 people in the unit of time available for personnel
entry. If that limit is 30 minutes, then the throughput needs to be at least 10 people per
minute per portal. This example assumes that all 1,500 people will spontaneously
distribute themselves so that exactly 300 arrive at each of the five separate doors at the
same time – not a likely scenario. Therefore, when developing requirements that will
guide the design of a biometric system, it’s important to observe and know the real-world
flow pattern. For example, if only one of the doors is directly facing the primary parking
lot and the other four are administrative doors allowing access from other interior spaces,
then a primary door with a 10 person per minute throughput will only get 1/3 of the
workforce into the facility in the allotted time. A system designer must either find a
biometric device that processes 50 people per minute, or provide perhaps five biometric
devices servicing that one primary door.

Surge vs. Even Flow


There are two ways a given population can routinely approach a controlled facility: in a
surge of demand (often early in the morning), or in a constant flow throughout the day
and night. Naturally, the minimum acceptable throughput is the one calculated on the
normal or average number of entries at times other than “rush hour,” but a higher
standard is set by the magnitude of entry demand at peak usage times. Therefore, it is
important to understand the load distribution over time.
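
The sizing argument in Population Size and Surge vs. Even Flow, worked as an added example (not part of the manual). The 1,500 people, 30-minute window and 10 per minute device rate are the manual's figures; the two arrival profiles and the one-minute queue model are constructed assumptions.

```python
import math


def required_rate(population, portals, window_min):
    """People per minute each portal must pass if arrivals split evenly."""
    return population / portals / window_min


def simulate_portal(arrivals_per_min, devices, rate_per_device):
    """Step a single-file queue at one door through one-minute ticks.

    arrivals_per_min: people reaching the door in each minute of the window.
    devices * rate_per_device: people the door can clear per minute.
    """
    capacity = devices * rate_per_device
    queue = peak_queue = processed = 0
    for arriving in arrivals_per_min:
        queue += arriving
        served = min(queue, capacity)
        queue -= served
        processed += served
        peak_queue = max(peak_queue, queue)
    return {
        "processed_in_window": processed,
        "peak_queue": peak_queue,        # longest line left standing after a tick
        "left_at_end": queue,            # still outside when the window closes
        "overrun_min": math.ceil(queue / capacity),  # extra minutes to clear them
    }


def devices_needed(arrivals_per_min, rate_per_device, max_queue=0):
    """Smallest device count that keeps the standing queue at or below max_queue."""
    devices = 1
    while simulate_portal(arrivals_per_min, devices, rate_per_device)["peak_queue"] > max_queue:
        devices += 1
    return devices


# Constructed arrival profiles for one primary door, 1,500 people in 30 minutes.
EVEN_FLOW = [50] * 30                           # steady 50 per minute
SURGE = [25] * 10 + [100] * 10 + [25] * 10      # same total, bunched in the middle

if __name__ == "__main__":
    print("even split over 5 doors:", required_rate(1500, 5, 30), "per minute per door")
    print("one 10/min device, even flow:", simulate_portal(EVEN_FLOW, 1, 10))
    print("five devices, even flow:     ", simulate_portal(EVEN_FLOW, 5, 10))
    print("five devices, surge:         ", simulate_portal(SURGE, 5, 10))
    print("devices for no standing queue, surge:", devices_needed(SURGE, 10))
```

Five devices that keep up with an even flow leave a standing queue under the surge profile, which is why peak demand rather than the average sets the requirement.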

B.2.a.4 Other Related {Performance} Issues

Failure to Enroll (FTE)


Failure to Enroll is a problem common to all biometric technologies and it refers to the
fact that, for every technology there are at least a few individuals who lack sufficient
unique, stable, measurable features to be recognized by that technology. The problem is
compounded by the fact that many technologies impose higher quality criteria for
enrollment samples than for authentication samples to assure acceptable False Reject
performance. For example, a person without a voice cannot be registered or enrolled in a
voice recognition biometric system. Likewise, a person with no hands cannot be enrolled
into a fingerprint-based biometric system. At a more subtle level, fingerprints may be
difficult to enroll from the elderly or from persons in certain racial, occupational, or
geographical populations whose fingers may be too dry, too fine, or too smooth, thus
offering poor input data. Individuals whose fingerprints are subject to extraordinary
occupational wear and tear (e.g., brick layers, chemical workers, etc.) are often hard to
enroll. Persons who simply cannot be enrolled in a given technology, however, may be
quite able to be enrolled in another. There will also be instances where a person cannot
interact with the device properly (e.g., a blind person is unable to focus his/her eye
properly in front of an iris recognition reader). Even in the event a marginal quality
enrollment is achieved, such an individual will experience more Failure to Acquire errors
and often be rejected from entry. In these cases, an appropriate work-around or
alternative identification mechanism should be provided.

Failure to Acquire (FTA)


There is a subtle, but very important, difference between a False Reject and a Failure to
Acquire. A false reject occurs when there are insufficient corresponding data points between a
reasonably clear and accurate live sample of a biometric and the enrolled template of the
same individual. This happens, most often, when an individual has biometric features
that are, for a given biometric technology, only marginally sufficient to be well-measured
and enrolled. For example, a person with very fine and smooth skin may be difficult to
enroll or capture accurately by a fingerprint system. A Failure to Acquire occurs when a
person who has been successfully enrolled, with a clear and useful enrollment record,
cannot be recognized due to some temporary data acquisition difficulty. This very
common error happens when the finger, for example, is moved on the platen during
imaging or there is contamination on the platen obscuring or blurring too much of the
current (presented) fingerprint. Another example is when a well-enrolled voice pattern
cannot be matched when that individual attempts identification in an environment with
disruptive background noise.

Another significant difference between False Rejects and FTA is that, with a
good re-enrollment, user re-training and re-orientation, and appropriate
reader device servicing and cleaning, the FTA rate may drop significantly,
almost completely eliminating rejection errors. Little, however, can be
achieved by using these techniques to reduce true False Rejects.
In theory, if the sensitivity of a device is set to its “equal error point” or
“Crossover Error Point,” (CEP) the FRR should equal the FAR. So, if the
system is set at a CEP equal to 0.01%, yet demonstrates a FRR of 5.00%, the
fair assumption is that FTA rate = 4.99% and FRR = 0.01%. As re-
enrollments are made, re-training is given, and devices are better serviced,
the remaining difference between theoretical FRR and observed rejection
rates should be the measure of the continuing FTA rate.
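
The threshold trade-off from B.2.a.1 and the FTA estimate above, as an added example (not part of the manual). The similarity scores are constructed from two normal distributions, and the convention that a sample is accepted when its score is at or above the threshold is an assumption; real devices differ.

```python
from statistics import NormalDist


def constructed_scores(mu, sigma, n=2000):
    """n evenly spaced quantiles of a normal distribution, clamped to [0, 1].

    Constructed data standing in for match scores; not measurements of any device.
    """
    dist = NormalDist(mu, sigma)
    return [min(1.0, max(0.0, dist.inv_cdf((i + 0.5) / n))) for i in range(n)]


GENUINE = constructed_scores(0.75, 0.10)    # enrolled users against their own template
IMPOSTOR = constructed_scores(0.35, 0.10)   # zero-effort impostors against that template


def far_frr(genuine, impostor, threshold):
    """FAR = impostor attempts accepted; FRR = genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(t / steps, *far_frr(genuine, impostor, t / steps)) for t in range(steps + 1)]


def crossover(curve):
    """Row where FAR and FRR are closest: the Crossover Error Point."""
    return min(curve, key=lambda row: abs(row[1] - row[2]))


def relax_for_frr(curve, target_frr):
    """Strictest threshold whose FRR is at or below target_frr.

    Models a manager loosening the threshold because users complain about rejections.
    """
    acceptable = [row for row in curve if row[2] <= target_frr]
    return max(acceptable, key=lambda row: row[0])


def estimate_fta(observed_rejection_rate, theoretical_frr):
    """The manual's rule: rejections beyond the theoretical FRR are attributed to FTA."""
    return max(0.0, observed_rejection_rate - theoretical_frr)


if __name__ == "__main__":
    curve = sweep(GENUINE, IMPOSTOR)
    t, far, frr = crossover(curve)
    print(f"crossover: threshold={t:.2f} FAR={far:.2%} FRR={frr:.2%}")
    rt, rfar, rfrr = relax_for_frr(curve, 0.001)
    print(f"relaxed:   threshold={rt:.2f} FAR={rfar:.2%} FRR={rfrr:.2%}")
    # The manual's figures: CEP of 0.01%, observed rejection rate of 5.00%.
    print(f"estimated FTA rate: {estimate_fta(0.05, 0.0001):.2%}")
```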

B.2.b. Biometric System Reliability, Availability and Survivability

End users in operational environments sometimes contend that reliability is an issue of
greater importance than performance. They argue legitimately that reliability more often
determines the success or failure of a biometric installation than a few percentage points
difference in FAR and FRR discussed in the foregoing section. With equal validity, they
point out that FAR and FRR are measures of the population behavior in a particular
application environment, and thresholds can be set by the device administrator. Further,
performance factors are negatively affected by the improper use of the biometric
subsystem through poor quality enrollment, inadequate user training, environmental
interference (e.g., variation in lighting), and poor maintenance. Reliability, in contrast, is
largely inherent in the equipment, system design, and technology (modality), and thus
deserves as much if not more attention and care during the design process. The overall
term for this consideration is System Availability (SA). SA is a function of two main
values: Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR). In
more recent literature, discussions of System Availability have begun to include
references to System Survivability, referring to the ability of a system to recover from an
extraordinary event (such as a power outage) and continue functioning.

B.2.b.1 MTBF

The oldest, most familiar, and best-quantified measure of reliability is Mean Time
Between Failures (MTBF). Through testing, failure rates of individual sensors,
transmission means, servers, processors, human interfaces, and other components can be
documented and validated. System MTBF is another matter: biometric vendors are
seldom willing to make claims or commitments as to the system MTBF, and
historically the biometrics industry has not done so. In addition, it may be nearly
impossible to quantify biometric system MTBF because of the mix of general-purpose
equipment and components in a typical system over which the vendor has no control.
Anecdotal research of existing systems may be the most practical way to derive data on
which to make decisions in the design and selection process.

B.2.b.2 MTTR

MTTR refers to the mean time to repair or recover from an outage or failure. This value
is even less frequently published, even if the manufacturer knows what it is. Biometric
devices are normally part of a larger system comprising several different,
unrelated components, each with its own MTBF and MTTR. Often, it is much easier to
swap out a defective biometric reader or device than to shut that part of the system down.
Consequently, the effective MTTR is measured in just a few minutes, a trivial length of
time in most circumstances. Often, there is little an end user can do to repair the device,
requiring a return to the factory for repairs. With the availability of express courier
services, effective MTTR becomes, at worst, 24 hours, more or less, from the time the
device is determined to be defective and a replacement unit ordered from the vendor.

B.2.b.3 System Availability


Provided that we know both MTBF and MTTR, we can prepare an estimate of SA from:

SA = MTBF / (MTBF + MTTR)

If MTBF = 1000 hours and MTTR = 10 minutes (.167 hours), then:

SA = 1000 / (1000 + .167) = 1000/1000.167 = 99.983%

In more complex systems, management may elect to perform periodic maintenance (M)
on the system, requiring the system to be taken out of service. This value is expressed as
a percent of the total operational time. If, for example, the system is to be shut down for
one hour every six months, then the value of M is 0.0002%. This value is added to the
foregoing equation that becomes:

SAm = MTBF /((1+M) x (MTBF + MTTR))

In the foregoing case, availability becomes:

SAm = 1000 / ((1+.0002) x (1000 + 0.167)) = 1000 / (1.0002 x 1000.167) = 1000 / 1000.3670334 = 99.963%

Sophisticated buyers of biometric systems will often specify an SA of 95.0 to 99.9%. As
just demonstrated, these values may be difficult to attain and it is important to determine
just what level of availability is being sought, simple or one including periodic
maintenance.
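
The SA and SAm formulas above applied to a specification check, as an added example (not part of the manual). It goes beyond the manual's single-device case in two labelled ways: it multiplies component availabilities for a chain in which every component is needed (assuming independent failures), and it inverts the SA formula to get the repair time a target allows. The controller and server figures are constructed; M is taken as 0.0002, the value substituted in the worked calculation above.

```python
from math import prod

HOURS_PER_YEAR = 8760


def availability(mtbf_h, mttr_h):
    """SA = MTBF / (MTBF + MTTR), both in hours."""
    return mtbf_h / (mtbf_h + mttr_h)


def availability_with_maintenance(mtbf_h, mttr_h, m):
    """SAm = MTBF / ((1 + M) x (MTBF + MTTR)), M as a fraction of operating time."""
    return mtbf_h / ((1 + m) * (mtbf_h + mttr_h))


def series_availability(components):
    """Availability of a chain of (mtbf_h, mttr_h) components that must all work.

    Assumption added here: failures are independent, so availabilities multiply.
    """
    return prod(availability(mtbf, mttr) for mtbf, mttr in components)


def max_mttr_for_target(mtbf_h, target_sa):
    """Longest mean repair time that still meets target_sa (SA formula solved for MTTR)."""
    return mtbf_h * (1 - target_sa) / target_sa


def annual_downtime_hours(sa):
    """Expected hours out of service per year of continuous operation."""
    return (1 - sa) * HOURS_PER_YEAR


# The manual's reader figures: MTBF 1000 h, MTTR 10 minutes when a spare is swapped in,
# or about 24 h when a replacement has to be shipped.
READER_SWAP = (1000, 10 / 60)
READER_SHIPPED = (1000, 24)
# Constructed figures for the rest of an access control chain.
DOOR_CONTROLLER = (20000, 2)
SERVER = (5000, 4)

if __name__ == "__main__":
    print(f"reader, on-site spare:   {availability(*READER_SWAP):.3%}")
    print(f"with maintenance M:      {availability_with_maintenance(*READER_SWAP, 0.0002):.3%}")
    print(f"reader, shipped spare:   {availability(*READER_SHIPPED):.3%}")
    chain = series_availability([READER_SWAP, DOOR_CONTROLLER, SERVER])
    print(f"reader+controller+server: {chain:.3%}")
    print(f"downtime per year:        {annual_downtime_hours(chain):.1f} h")
    print(f"MTTR budget for 99.9%:    {max_mttr_for_target(1000, 0.999):.2f} h")
```

With a 1000-hour MTBF, a 99.9% target leaves about one hour of mean repair time, so the 24-hour shipped replacement cannot meet it while the on-site swap can.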

B.2.b.4 Survivability3
Survivability has been defined as “the capability of a system to fulfill its mission in a
timely manner, in the presence of attacks, failures, or accidents.” Survivability analysis
is influenced by several important principles:

• Containment. Systems should be designed to minimize mission impact by
containing the failure geographically or logically.
• Reconstitution. System designers should consider the time, effort, and skills
required to restore an essential mission-critical infrastructure after a catastrophic
event.
• Diversity. Systems that are based on multiple technologies, vendors, locations, or
modes of operation could provide a degree of immunity to attacks, especially
those targeted at only one aspect of the system.
• Continuity. It is the mission-critical business functions that must
continue in the event of a catastrophe, not any specific aspect of the
system’s infrastructure.

3
Ellison, R.J., et al. “Survivable Network Systems, an Emerging Discipline.” Technical Report CMU/SEI-97-TR-013, 1997.

B.2.c. Facilities and Systems

Consideration needs to be given to the physical and virtual environment in which the
biometric components will be expected to function. This will be done in the
context of either a new or an existing system.

New System
New systems offer opportunity to prepare a well-considered design using the most
current and cost-effective components and procedures available. The downside to a new
system is that there is no baseline of performance for comparison and new systems often
fail to work the first time they are activated, resulting in considerable troubleshooting
activity before realizing success. One way to avoid unnecessary problems is to minimize
the level of innovation throughout the system and avoid reliance on new, unproven, or
untested equipment and technologies without a sound and rational reason. However, if
the need for new technology is compelling, implementation can be staged to test each
component of the technology in installation increments, or in phased pilot tests to
determine that each subsystem is functioning properly before moving on to another new
component or space.

Legacy System
As often as not, the addition of a new biometric component to an access control system
will be an integration into a well-established legacy system. This manual is not intended
to be a comprehensive tutorial on systems integration, but it is essential to have a
comprehensive understanding of the system into which the biometric technology will be
introduced. Most often, compromises will be required and it will be the new, biometric
addition that is expected to bend the most.

As an example, there was an assignment to integrate an advanced biometric technology
into a standard access control system providing protection to a new federal building
under construction. From the documentation prepared by the general contractor, every
element was considered and the conclusion was reached that the biometric technology
would work, especially since the head end control software was to be a state-of-the-art
access control system. However, the installer/integrator found two surprises.

1. The customer expected a combination proximity card/biometric solution and,

2. even later it was discovered, that the same customer had exercised its bargaining
power to acquire a control system that used a proprietary code approach.

In short order, there was a challenge to determine a way to configure the chosen
biometric technology to work with a proximity card. Fortunately, the manufacturer had
anticipated this possibility in applications and had included the necessary capability to
read proximity cards. The software, however, could not read the proximity card and
forward the appropriate information through the system. The manufacturer was so
committed to customer service and satisfaction that its lead software engineer spent 40-50
hours over a weekend rewriting the code to accommodate the proximity card information
and to perform the ‘AND’ function for access control.

Later, after the new, combined solution was demonstrated, the customer announced its
credentials would no longer work since the code transmitted from its cards used a
proprietary code format, instead of the format common to most access control systems.
Fortunately, another software-adjustable feature allowed this latest surprise to be
accommodated.

The point here is that the system designer should not depend on the foresight and
willingness of the manufacturer (whether hardware or software) to provide such prompt
and face-saving solutions to even one problem, let alone several. Rather, sufficient
information must be collected from the owner regarding the existing system (as well as
any side procurements) so as to anticipate these problems and to engineer an appropriate
solution prior to committing the design to specification and order.

B.2.d. Complexity of User Interface as it Impacts Training

One factor having a significant impact on the selection and performance of a particular
biometric system is the quantity and quality of training the using agency is able to
provide to both security system operators and system users in the proper method of
enrollment and daily use of the biometric. As discussed above, rejection, whether it is a
False Reject or a Failure to Acquire, along with the throughput rates, is one of the most
disconcerting negative aspects of the application of a biometric technology, but is subject
to significant improvement through effective operator and user training. Design of an
effective biometric system should include a discussion of the training appropriate to the
selected biometric technology and the proposed user population. Emphasis should be
placed on the description of operator responsibilities to ensure that enthusiastic, well-
trained operators conduct effective enrollments and user training to minimize poor
quality enrollments and the likelihood of Failure to Acquire errors.

See Section 14 of this manual for further information on training.

B.3. Legal Issues

Several legal aspects of the introduction of any security system must be anticipated and
considered in the final design. These include privacy issues, especially those related to
biometric systems, legislative issues and requirements, liability questions created by
security systems, and compliance with the ADA regulations.

Privacy Rights
Probably the most contentious aspect of biometric technologies is the question of whether
the biometric chosen for a particular application will somehow compromise an
individual’s privacy rights.

For most biometric solutions today, the answer to the privacy question in the United
States is that neither personal privacy compromise nor personal injury is a likely
consequence of using a given biometric technology. This is true not only because few
biometric technologies readily compromise personal information or represent a health
threat, but because manufacturers have gone the extra step to build into their systems
safeguards that prevent any compromise of physical safety or privacy. It is essential,
safeguards that prevent any compromise of physical safety or privacy. It is essential,
however, that security staff be trained in the technology, its operation, and the applicable
law, so they can explain to agency personnel and visitors the nature of the biometric
being used and why it should not compromise privacy and/or threaten personal health.
Some organizations may have a policy that requires a comprehensive privacy impact
assessment (PIA) for any proposed new system. Such an assessment should describe
how biometric data is collected, stored, shared, and protected as well as how errors are
addressed.

Regardless of the current state of privacy laws of the United States or other countries, the
general philosophy of NBSP and the biometric industry at large is to take the proactive
view that a person’s biometric information is “personal” because it is personally
identifiable information or unique to a person. Therefore, it is recommended that
“biometric information” be treated “as if” it were entitled to privacy protection regardless
of the applicable laws, which will vary from jurisdiction to jurisdiction. This approach
circumvents the issue of whether or not an individual’s privacy has been violated.
Similarly, even if the law of one jurisdiction does not treat a person’s biometric as private
today, social standards are likely to dictate changes in privacy laws, including new
legislation that could later mandate treating biometrics as private personal information
entitled to privacy protection. In conclusion, it is recommended that biometric systems
developed today be designed and engineered to safeguard biometric information privacy
so that they are in compliance with developing privacy laws and regulations.

Accordingly, it is recommended that companies managing biometric identification
systems adopt policies and procedures for the proper use and safeguarding of biometric
identification. Such privacy policies should include such basic privacy principles as:

• notice to the individual about how their biometric information will be used,
• separation of the biometric information from other personally identifiable
information to prevent linkage,
• restrictions on access to biometric information,
• transfer or sharing of the biometric information only with the individual’s
consent,
• enforcement measures to ensure compliance with the foregoing, and
• possibly, an individual’s choice to opt out of the system.

Health Insurance Portability and Accountability Act (HIPAA)


HIPAA is a federal statute requiring that medical records be carefully protected and that
only authorized persons, having a need to know, be given access to personal medical
information. Biometrics have been especially useful in implementing and maintaining
compliance with HIPAA in that they can allow only authorized persons at authorized
times and dates to gain access to biometrically controlled healthcare information and
data. The control system can also record the date and time of access, thereby providing
non-repudiation evidence of the accessing person’s identity. Other regulatory
requirements such as Sarbanes-Oxley, Gramm-Leach-Bliley Bank Modernization Act,
Fair Credit and Reporting Act (FCRA), Federal Information Systems Security Act
(FISMA), 21 CFR Part 11 Regulations for Pharmaceutical Electronic Record Keeping,
etc. all have similar language to HIPAA that requires that system operators/owners take
appropriate steps to insure against unauthorized access to sensitive data. Any of the
organizations that fall under these regulatory controls should consider the benefits of
biometric authentication to control user access.

Liability – Duty to Care


Senior company or agency managers, as well as security managers, have a legal “duty to
care” for the personnel and assets under their control and supervision. Biometric access
control is an effective way to implement a security system and demonstrates recognition
of this duty. In a number of cases, this duty can be quantified in this equation:

I = Ploss x Asset Value

[I = Insurance and Ploss = Probability of Loss]

That is, a sufficient recognition of the duty to care is more or less equal to an appropriate
investment in insurance or security systems equal to the probability of a loss of an asset
times the value of that asset. The goal of the security manager or executive manager is to
minimize both the likelihood of any threat and the value of the protected assets that might
be lost. The compromise of essential, classified national security information or
corporate intellectual property (e.g., the formula for Coca-Cola®), cannot normally be
covered by conventional insurance, so the difference is often covered by one or more
layers of manned and automated security solutions.

Implied Security
In some ways, the existence of a security system is a double-edged sword. On one side, a
security system is evidence of management’s recognition of its duty to care. The other
side of the issue is that employees may construe the existence of various security
products—access controls, video surveillance, entry controls—as absolute guarantees that
they are safe from criminal attack or other illegal behaviors, and ignore common
precautions.

ADA Compliance
The Americans with Disabilities Act (ADA) requires that most public buildings,
regardless of ownership, comply with an extensive list of rules governing building design
and equipment used, especially for doors and access control. For example, although new
biometric fingerprint readers are wall mounted more or less in the same location as
proximity card readers, they are ergonomically difficult for wheelchair-bound individuals
to reach and use properly. To be fair, those responsible for developing ADA standards
are not especially well-trained or experienced in modern biometric technologies and are
lagging along with the industry in promulgating meaningful standards outlining
appropriate expectations for system designs.

Section 508 Compliance
Section 508, an amendment to the U.S. Workforce Rehabilitation Act of 1973, is a
federal law mandating that all electronic and information technology developed,
procured, maintained, or used by the federal government be accessible to people with
disabilities. The scope of Section 508 is limited to the federal sector, and includes
binding, enforceable standards, as well as compliance reporting requirements and a
complaint procedure. Section 508 does not apply to the private sector, nor does it
impose requirements on the recipients of federal funding. However, the U.S. Department
of Education requires states funded by the Assistive Technology Act State Grant program
(a grant program that supports consumer-driven state projects to improve access to
assistive technology devices and services) to comply with Section 508.

According to Section 508 criteria (1194.26 Desktop and portable computers), when
biometric forms of user identification or control are used, an alternative form of
identification or activation, which does not require the user to possess particular
biological [biometric] characteristics, shall also be provided.

Accessibility policies like Section 508 vary from country to country, but most countries,
including the European Union, have adopted standards based on the Web Content
Accessibility Guidelines of the World Wide Web Consortium.

The SAFETY Act


Homeland Security Subtitle G of Title VIII of the Homeland Security Act of 2002 – The
Support of Anti-Terrorism by Fostering Effective Technologies Act of 2002, Public Law
107-296

As part of the Homeland Security Act of 2002, Congress enacted the SAFETY Act to
provide risk management and litigation management protections for sellers of qualified
anti-terrorism technologies and others in the supply and distribution chain. The aim of
the Act is to encourage the development and deployment of anti-terrorism technologies
that will substantially enhance the protection of the nation.

Specifically, the SAFETY Act creates certain liability limitations for “claims arising out
of, relating to, or resulting from an act of terrorism” where qualified anti-terrorism
technologies have been deployed. The Act reflects the intent of Congress to ensure that
the threat of liability does not deter potential sellers from developing and
commercializing technologies that could significantly reduce the risk of, or mitigate the
effect of, acts of terrorism.

The SAFETY Act “Designation” and “Certification” protection classifications are
designed to support effective technologies aimed at preventing, detecting, identifying, or
deterring acts of terrorism, or limiting the harm that such acts might otherwise cause. All
forms of technology, including products, software, services, and various forms of
intellectual property, may qualify for SAFETY Act protection.

If a technology has received a “Designation” as a Qualified Anti-Terrorism Technology
(QATT), the following legal protections are available in relation to claims arising out of,
relating to, or resulting from an act of terrorism:

• The manufacturer can be sued only in federal court
• Liability will be limited to the amount of insurance coverage required by the
Department of Homeland Security (DHS)
• No punitive damages will be allowed

If a technology has also received a “Certification” (described below), the following legal
protections for such types of claims are also available.

• A broad government contractor’s defense will be available, as a rebuttable
presumption
• Only a showing of fraud can defeat the government contractor’s defense

Designation. In determining whether to grant a Designation, DHS exercises discretion
and judgment in interpreting, weighing, and determining the overall significance of
certain criteria, which include but are not limited to:

• Prior U.S. Government use or demonstrated substantial utility and effectiveness
• Availability of the technology for immediate deployment in public and private
settings
• Existence of extraordinarily large or un-quantifiable potential third-party liability
risk exposure to the seller (or other provider of the technology)
• Substantial likelihood that the technology will not be deployed unless SAFETY
Act protections are extended
• Magnitude of risk exposure to the public if the technology is not deployed
• Evaluation of all scientific studies that can be feasibly conducted to assess the
capability of the technology to substantially reduce risks of harm
• Whether the technology would be effective in facilitating the defense against acts
of terrorism

A Designation is valid for five to eight years and automatically terminates if the Qualified
Anti-Terrorism Technology (QATT) is significantly changed.

Certification. Receipt of a Designation is a pre-requisite for Certification. Sellers may
apply for a Certification either in conjunction with or subsequent to an application for
Designation. In determining whether a QATT qualifies for a Certification, there are three
additional criteria against which the QATT is evaluated:

• It must perform as intended
• It must conform to the seller’s specifications
• It must be safe for use as intended

The Department of Homeland Security, specifically the Under Secretary for Science and
Technology, is responsible for review and approval of applications for Designation and
Certification of QATTs. Companies wishing to be awarded SAFETY Act protections
must apply to the DHS using the forms provided by DHS, furnish all of the requisite
supporting data and information, and successfully demonstrate compliance with the Act’s
specific criteria. DHS will perform a comprehensive evaluation to determine eligibility
for SAFETY Act Designation or Certification. The evaluation process typically takes
about 120 days to complete.

As of the time of BTAM publication, over 100 technologies are covered under SAFETY
Act protection.

For questions or help with submission of an application under the SAFETY Act, contact
the Office of SAFETY Act Implementation at 1-866-788-9318 or email:
helpdesk@safetyact.com.

B.4. Environmental Issues

Biometric devices are not immune from weather conditions such as rain, snow, heat,
cold, and light. They are also subject to wear and tear in interior environments. The
following paragraphs examine a number of relevant environmental issues.

Indoor
Interior environment concerns are generally based on the wear and tear to which
biometric devices are subjected. Generally, the amount of direct contact with the device
will increase the “wear” factor. These concerns will also vary from installation to
installation.

Office
The most benign interior environment is the common office setting. Generally speaking,
this environment is reasonably (or, at least relatively) clean and quiet. For physical
access applications, the major issue is the volume of traffic through controlled
checkpoints; this is a key factor in determining throughput demand. Expected throughput
rate depends on the number of portals and employees, as well as the distribution of arrival
and departure times. With greater traffic volume there is an inevitable increase in
breakage and failures. Almost any biometric device manufactured should work well in
this environment, although it is important to note that some people who handle a lot of
paper can sometimes have issues with some fingerprint readers. Overhead or back
lighting can also sometimes be an issue.

Industrial
In manufacturing environments, there is a concern not only for devices that can provide
the throughput rate desired (a function of the number of people on staff) but also for the
consistent and reliable acquisition of the biometric characteristic by the sensor device.
The hands and fingers are especially vulnerable to dirt, grease, injury, and loss, thus
rendering fingerprint systems more difficult to employ effectively and efficiently than
some other technologies. Also, manufacturing floors can often be noisy, and sometimes
there is dust and other airborne particles in such environments.

Educational
School systems are beginning to adopt biometric access control for both the front door of
the school[4] and the dining room or cafeteria[5]. The controls at the front door provide
security for both students and staff by admitting only those persons known to and trusted
by the school system. The cafeteria controls are designed to streamline the process by
which the students identify themselves as entitled to eat lunch and to access accounts
from which the meal is paid.

Hand geometry technology has been in use for food service applications at the University
of Georgia for more than 30 years. [See University of Georgia Case Study in this
BTAM.] The environment of a school is similar to a busy office building with many of
the same issues. Due to the relatively large numbers of people using the system daily, the
device of choice needs to be durable, quick, and reliable—the emphasis, perhaps, on the
quick and durable at the expense of reliable. There are also occasional parental privacy
concerns, most of which can be offset with a good parental orientation program on
biometrics. Fingerprint technology is also gaining popularity in elementary and
secondary school lunch programs. A number of school districts have implemented
fingerprint technology for school lunch programs. Because it is impractical to expect
young students to remember PINs or to carry ID cards, these fingerprint systems have
been implemented as ‘identification’ applications rather than one-to-one verification
applications. Each child presents their finger to the sensor and the system searches the
entire population of enrolled fingerprints to find a match candidate rather than indexing
to a specific enrolled record through a prior claim of identity as would be provided by an
ID card or PIN entry.

Recreational
Iris recognition has been in use by the military at the Pentagon to control entry not only
to highly classified briefings and restricted spaces, but to the gym, as well. Use is
reported in commercial gyms as well. By using a biometric, gym users do not need to
carry personal identification cards on them when they are dressed in their exercise
clothing. One advantage of iris technology is its extraordinary accuracy and its database
search-match speed. This means that a large database can be searched to determine
identity rather than requiring a prior claim of identity for a match against a single known
record.
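The difference between one-to-one verification and the one-to-many identification described in the Educational and Recreational paragraphs above can be shown in a short sketch. This is an added example, not part of the BTAM: the 256-bit templates, the Hamming-distance matcher, the threshold, the function names, and the enrolled population are all constructed assumptions. It goes one step beyond the text by including the standard relation between a single-comparison false match rate and the chance of at least one false match across N comparisons, which is why matcher accuracy matters for database searches.

```python
import random

TEMPLATE_BITS = 256      # assumed template length for this sketch
MATCH_THRESHOLD = 0.32   # assumed: largest fraction of differing bits accepted


def build_population(n, seed=2008):
    """Constructed enrollment database: user id -> random bit template."""
    rng = random.Random(seed)
    return {f"student-{i:04d}": rng.getrandbits(TEMPLATE_BITS) for i in range(n)}


def fresh_capture(template, rng, flip_rate=0.10):
    """Simulate a new sensor reading of the same person (about 10% of bits differ)."""
    noise = 0
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_rate:
            noise |= 1 << bit
    return template ^ noise


def distance(a, b):
    """Fractional Hamming distance between two templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(enrolled, claimed_id, sample):
    """1:1 verification: the claimed identity (ID card or PIN) indexes ONE record.

    Returns (accepted, comparisons_made).
    """
    record = enrolled.get(claimed_id)
    if record is None:
        return False, 0          # unknown claim: nothing to compare against
    return distance(record, sample) <= MATCH_THRESHOLD, 1


def identify(enrolled, sample):
    """1:N identification: no claim is made, so every record is searched.

    Returns (best matching id or None, comparisons_made).
    """
    best_id, best_distance = None, 1.0
    for user_id, record in enrolled.items():
        d = distance(record, sample)
        if d < best_distance:
            best_id, best_distance = user_id, d
    if best_distance > MATCH_THRESHOLD:
        best_id = None           # closest record is still too far: reject
    return best_id, len(enrolled)


def false_match_rate_1_to_n(fmr_single, n):
    """Chance that a non-enrolled person falsely matches at least one of n
    records, assuming independent comparisons at rate fmr_single each."""
    return 1.0 - (1.0 - fmr_single) ** n


if __name__ == "__main__":
    db = build_population(500)
    rng = random.Random(7)
    sample = fresh_capture(db["student-0137"], rng)

    print("verify with claim :", verify(db, "student-0137", sample))
    print("verify wrong claim:", verify(db, "student-0400", sample))
    print("identify, no claim:", identify(db, sample))

    # Same matcher quality, growing database: the search gets riskier.
    for n in (1, 500, 5000):
        print(f"N={n:5d}  P(at least one false match) = "
              f"{false_match_rate_1_to_n(0.001, n):.3f}")
```

Verification does one comparison no matter how many people are enrolled, while identification does one per enrolled record, so the false match rate a system can tolerate shrinks as the enrolled population grows.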

[4] Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb. www.techweb.com January 23,
2006.
[5] Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December 10, 2005.

Correctional
Biometrics have been used in correctional facilities for some time,[6][7] but not without
resistance. Wardens and jailers tend to be technologically conservative. Few, if any,
wardens have been promoted based on their innovative adoption of state-of-the-art
technology, but many have been relieved of duty for jail escapes. Hand geometry was
one of the first technologies to be used in jails and prisons. More recently, fingerprint
and iris recognition systems have been successfully employed. Due to its effectiveness
in performing 1:N searches for individual recognition, iris recognition is often used in
jails to prevent inadvertent and premature release of inmates exploiting identity confusion
and theft.

In one instance[8], an arrestee with outstanding warrants was caught during booking
attempting to use his identical but law-abiding twin brother’s name. [See Lancaster
County Prison Case Study in this BTAM.]

The foregoing example notwithstanding, the principal applications of biometrics in a
correctional facility are to prevent escapes, control the movement of inmates within their
facilities from one area to another, and to access controlled documents or medications.

Despite the utility of biometrics in prison, the environment includes several unusual
hazards. In most environments protected by biometrics, the users are willing participants
and cooperate with the technology as a condition of employment and as a means to
safeguard themselves and their work. Consequently, they treat the equipment with a
reasonable amount of respect and care. In jails, inmates are constantly challenging
anything that complicates their desire to be anywhere but in jail. A major East Coast
correctional facility using fingerprint technology investigated iris recognition technology
when they discovered inmates were using their fingernails to scrape away at the bar code
on their wrist bands that contained their biometric template. If the technology could not
read the bar code, then the staff had to use some other means to verify their identity prior
to the inmate being allowed to pass certain check points. This resulted in excessive staff
time and materials costs. Any lens-type surface, whether a fingerprint platen or an iris
imaging lens, will be subject to repeated efforts to scratch and obscure it, rendering
the device useless until repaired.

Outdoor
Biometric technologies are often challenged when employed in outdoor environments,
normally the exterior door to protected buildings.

[6] Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An Experiment in a
Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253. January 2006.
[7] Biometrics in Corrections. National Law Enforcement and Corrections Technology Center. TechBeat.
Fall 2000.
[8] Anderson, Teresa. The Eyes Have It. Security Management magazine.

Climate
There are few climate zones free from challenges to biometrics. At some time of the
year, almost all regions are subject to extremes in temperature and humidity. The
performance of electromechanical devices begins to deteriorate significantly in extreme
cold or heat. When cold, moving parts tend to slow down and critical timings are often
affected. In extreme heat, electrical circuits begin to fail. Likewise, although biometrics
are usually not affected by the extremely low humidity in desert environments, blowing
sand that often accompanies such conditions will prematurely age devices left exposed,
as well as impair reader performance.

Likewise, biometric devices are no different than other electromechanical systems when
exposed to the elements. Prolonged exposure to sunshine will result in the degradation
and ultimate disintegration of plastic cases and keypads. Exposure to any sort of
moisture, especially wind-blown seawater, accelerates the corrosion of metal
components. Melting snow is another source of moisture contamination. As mentioned
above, blowing sand will eventually degrade exposed devices. For biometric technology
to function adequately in outdoor weather-exposed environments, it must be housed and
protected from the elements in accordance with appropriate standards for such use.

Neighborhood Environment
Whenever biometric equipment is installed outdoors, the history of criminal activity in
the surrounding neighborhood should be examined. Is it a location with a high crime rate,
including vandalism and other petty property crimes, or is it a relatively benign area?

B.5. Social Issues

Biometric technologies have been and continue to be ‘hot topics’ of discussion
throughout society with the emphasis on religious, financial, and legal implications.

Religious Concerns
Some fundamentalist groups continue to challenge technology in general and biometrics
in particular with references to the “mark of the beast”, as found in the Book of
Revelation in the Bible, and the assignment of record numbers in access control
databases. Why these groups do not realize that any type of access control system
(biometric-based or not) does the same kind of database assignment is not clear. Perhaps
it is just the relative novelty of biometrics.

Another concern affecting the use of biometrics is the issue of the proscription of making
“graven images.” In such cases, facial recognition systems or any other imaging system
recording a recognizable image of the individual would be challenged. Whether imaging
only portions of the individual, such as the fingerprints, eyes, ears, etc., constitutes
graven images or not is a matter of local practice and culture and defies generalization. It
is a question, however, the designer must address before proceeding with a particular
biometric technology.

Financial
There is occasional resistance to the use of biometrics in financial applications, and it can
be extremely strong, if not widespread. Identity theft in a financial context is different
than in an access control context. In access control, if someone steals my identity, it’s not
so personal. Sure, they can get access to my workplace, gym, or medical records, but 1)
they then have to engage in some second tier, undefined skullduggery, 2) it may only
affect my employer’s assets, or someone else and not me personally, and 3) the impact
may be minimal such as a tightening of security procedures, or re-enrolling or getting
another PIN. Stealing my identity in a financial context, however, could have an
immediate and devastating impact on my entire financial well-being.

There is often a basic misconception of how biometrics work as well, and thus unrealistic
fears for identity theft. A persistent concern is the inherent, intrinsic nature of one’s own
biometric(s) and the inability of an individual to revoke, change, or re-issue his/her
biometric feature (10 fingers give the fingerprint modality an edge here).

In truth, the use of biometrics can be a substantial deterrent or countermeasure to identity
theft. For example, even though the biometric data cannot be easily revoked like a PIN,
the two situations are not completely equivalent. The threat posed by the compromise of
a PIN or stolen ID card is significantly greater than the compromise of a biometric simply
because it is so easy to exploit. All the criminal has to do is enter the PIN and/or swipe
the card in the reader and he has all the privileges of the rightful owner. If the criminal
obtains the biometric data, however, he still has the non-trivial problem of how to exploit
it. In other words, the biometric sensor does not have the equivalent risk of the PIN pad
or card reader. The biometric sensor is built to capture a specific type of information
directly from the human body or based on the unique behavior of the individual. The
compromised biometric data is, by definition, not in a form that can be entered into the
system through the normal operation of the biometric sensor. In order for the situation
with the stolen biometric data to result in equivalent vulnerability for the protected
system, the criminal would have to have a way to submit the compromised data into the
biometric processing path. This is much more difficult than entering a stolen PIN or
presenting a stolen ID card to a reader.

Additionally, the potential for someone to “hack” into a system and obtain a biometric
template has been overblown – not impossible, but simply overemphasized as both a
threat and potential consequence. There are a multitude of IT security tools and practices
available such as hashing, encryption, and even third-party anonymous authentication,
that a properly-designed biometric system should possess. More fundamental is the
irreversible nature of the mathematical representation of the biometric inherent in the
template that prevents creation of an image from a template.

Thus, a properly designed, constructed, and protected biometric system poses no greater
threat in the financial context than in any other, and indeed, a much reduced threat when
compared to the more traditional and pervasive PIN, card, and password systems in use
today.

Implications of Technology
Biometric systems do not travel without some ‘baggage’ that needs to be recognized and
accommodated. These generally have historical, criminal, or privacy issues associated
with them.

Historical Context
A difficult aspect of designing and installing any new technology, including biometrics,
is the experience and expectation users bring with them to meet the new technology.
Prior to the introduction and use of retina scanning technologies, the public had been
sensitized to the existence and perceived use of lasers for industrial applications. They
were also sensitized to the potentially harmful effects of lasers on eyes. With the arrival
of retina scanning, which did not use lasers, there was considerable user pushback based
on an unfounded concern that using retina scanning would somehow place the user’s eye
in jeopardy. The fact that the technology used a very low power infrared LED (light
emitting diode) technology to illuminate and scan the retina blood vessel pattern was not
well understood by the public and concerns about the safety to the eye became a major
factor in the failure of the technology to become a successful, mainstream biometric
technology.

For years following the introduction of iris recognition, even these products met with
considerable mistrust and apprehension out of concern for the potential risk to the organ
of sight. A part of this was enormous confusion between the retina and iris (the colored
area around the pupil), which still persists today. Slowly, the public has come to
understand that iris recognition technology is based on a very benign video image of the
iris illuminated, but not scanned, by unfocused infrared light.

The lesson of all this, for the designer, is to be mindful of the historical path any product
may have followed and to anticipate any concerns users may raise.

Criminal
Because of their long forensic association with crime and criminals, fingerprint-based systems
often raise user concerns that submitting their fingerprint images to a system will
somehow subject them to identification or investigation by law enforcement officials.
This is a real and serious issue. From a technical perspective, it is entirely feasible that a
law enforcement official could acquire a company’s fingerprint database and examine the
enrolled templates in a search for fugitives. The employee’s safeguards are not technical,
but procedural. It is company policy, practice, and legal due process that stand between
this exposure and a third-party search of the database. Persons designing applications
that rely upon fingerprint technology should recognize this concern and develop
meaningful policy safeguards and procedures to ensure that such searches can only take
place in a lawful and strictly controlled manner (e.g., under subpoena).

This user concern has contributed to the adoption of alternative non-fingerprint systems,
such as iris, or hand geometry-based technologies, since these technologies do not
currently relate to traditional law enforcement investigative tools like fingerprints.
Other than face, none of the non-fingerprint technologies is used in large, central,
criminally-oriented databases.

Perceptual Concerns
There are a variety of concerns that people raise in opposition to the use of biometrics.
The extent to which these are true beliefs of the objecting persons or simply excuses for
avoiding something new is indeterminable, and not necessarily germane when
implementing a biometric system. The issue is to be prepared to address these concerns
in a positive and sincere way to elicit a cooperative, rather than forced support of an
impending biometric system. Some of these concerns and appropriate responses are
itemized[9][10] in the following table:

[9] Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality. Reprinted from the
December 2002 issue of Corrections Today, Vol. 64, No. 7
[10] Misplaced Fears Impede Biometric Adoption. www.findbiometrics.com

Table 10-2

Each entry below gives the Technology, the Concern, and the Reality.

Technology: Biometrics in general

• Concern: Biometrics work in real-life just like they do in spy novels and movies.
Reality: Not usually, since the bad guy is often able to beat the biometric system in the
movies; this task is far more difficult – if not impossible – in reality.

• Concern: Biometric technologies will work for everyone.
Reality: Not every biometric technology will work for every person. Some people are
missing hands and fingers, for example. Or their fingerprints are difficult to read.

• Concern: Companies and organizations store biometric images.
Reality: Not true. Biometric templates are not “images”, but binary code that cannot be
reverse-engineered. And, not all biometrics are image-based.

• Concern: My movements can be tracked through my biometrics.
Reality: Not true. Biometrics track only the access of a person, who is knowingly
enrolled, in a system or facility.

Technology: Fingerprint

• Concern: Fingerprints can be used to access personal law enforcement information.
Reality: True, but only with an appropriate authorization and link to local or federal
records.

• Concern: Fingerprints are used in law enforcement to find criminals.
Reality: True, but there are many non-law enforcement applications in use today.

• Concern: Fake fingers can fool a fingerprint authentication system.
Reality: Not generally true. Today’s technology uses algorithms that can detect 3-D
structures so photocopies, transparencies, or latent images are not accepted. Mature
technologies are adding various tests for liveness detection that are increasing the
technologies’ protection against artifacts.

Technology: Iris Recognition

• Concern: An examination of the iris will reveal health-related information.
Reality: Not true. Despite iridologists’ claims to the contrary, iris recognition does not
reflect current health conditions or diseases. No current iris biometric device has any
integrated diagnostic capability.

• Concern: The laser beams that go into my eyes will cause damage.
Reality: No lasers are used for illumination in any iris biometric system. Illumination is
provided by extremely low-level, unfocused near IR, proven safe in scientific studies.

Technology: Hand Geometry

• Concern: I don’t want to touch a surface touched by others.
Reality: A hand geometry platen is no different than touching doorknobs, escalator
handrails, countertops, or keyboards. We are all exposed to these risks hundreds of
times daily.

• Concern: Hands are not distinct enough to provide high security.
Reality: The PIN required to claim identity is another layer of security that makes hand
geometry suitable for most medium security applications.

Technology: Facial Recognition

• Concern: I don’t want my face to be made available for law enforcement or other legal
purposes.
Reality: This concern is focused on general and unannounced capture of facial images.
This is an issue that should be carefully addressed before a covert application is
approved.

Technology: Signature Dynamics

• Concern: I don’t want my signature to be on file because it might be stolen and misused
by someone.
Reality: Signatures are not on file. The technology records dynamic movements and
stores them in mathematical form. It does not store images of signatures that would be
usable.

B.6. Business Issues

It is sometimes difficult to make an effective business case for the use of biometrics in
security applications on the basis of traditional business criteria such as cost trade-offs or
Return on Investment (ROI). Biometric systems may cost more than conventional card-
based systems, although some savings may be realized through avoiding card
replacement and (in user authentication systems) resetting passwords and PINs. In
biometric time and attendance applications, the cost difference can be rapidly made up
through increased payroll accuracy. The use of biometrics in eligibility applications may,
however, be a very different matter.

A case for the adoption of biometrics is better made on the basis of increasing security to
protect people and assets, avoid property loss, and improve business operations. An
intangible benefit is the degree to which management has fulfilled its responsibility to
stakeholders by introducing security improvements. There is no guarantee that
implementation of a biometrically based access control system can or will prevent all
incidents, accidents, and losses. There is, however, a presumption that doing something
positive is evidence that management is forward-thinking and has the good of the
employees and stakeholders as a high priority.

Additionally, the economic aspects of biometrics are and will be constantly changing;
consequently, it is not possible to state definitively and forever that a given biometric
technology is or is not cost-effectively suited for a particular application. The best we
can do is outline an approach for evaluating the cost-effectiveness and investment returns
as the result of adopting a biometric solution for access control.

Not many years ago, the application of a biometric solution to an access control problem
was not generally cost-effective due to the acquisition and installation cost of biometric
equipment. Conventional access control equipment, as recently as 5-10 years ago, would
normally cost about $2,000 per door in a large facility. To add biometric devices at these
doors would often add $5,000 to $15,000 to each door, depending on the technology
adopted. To justify such an expense, security managers would often have to demonstrate
that the cost to the company or the nation, should security be compromised, was far
greater than the cost of the security equipment and that this difference was not just
marginally greater, but greater by orders of magnitude.

When people would elect not to install a reliable biometric door control at their personal
homes, they would often say that it would be “technical overkill” to do so. In fact, the
real reason was more likely to be an economic one. At a point in time where a common
but quality door lock and key solution is $50-75/door, there is little justification for an
automatic system costing $5,000 to $15,000 to implement. With the passage of time,
however, the cost of reliable biometric solutions has fallen to a point where an effective
front door lock and integrated biometric control is now less than $500-800 at retail.
Within a few years, it is quite likely this solution will be available at a price comparable
to the old key and lock solution. At this point, solution selection criteria cease to be
either technical or economic and become a question of relative reliability and aesthetics.

Cost/Benefits
The decision to install and use biometric technologies is both a security and investment
decision and one complicated with many facets. It is one thing to collect the cost data
and do a comparative analysis with an existing solution for a snapshot in time. It is far
more difficult to factor in and account for the rapid decline in biometric prices, an
increase in product reliability, and the fundamentally vague nature of the value of assets,
especially intellectual property assets or the value of living assets such as rare animals or
distinguished human personalities.

For example, it is relatively easy to determine the appropriate duty to care if the protected
asset is a valuable piece of jewelry: duty to care is satisfied if the cost of the protective
actions (e.g., insurance, physical security, etc.) is some function of the value of the
jewelry times the likelihood of a theft. The former is a matter of professional appraisal
and the latter might be an estimate based on the historical crime rate in the vicinity of the
jewelry.

It is quite something else, however, to determine the proper level of the duty to care if the
asset is the life of the President of the United States, the president of a university, or the
manager of a day care center. Of course, we would not expect the investment for
personal safeguards for the day care center operator to be the same as for the President of
the United States. First, the likelihood of a serious personal attack is normally far greater
for the latter. Second, the level of national disruption in the event of a successful attack
on the day care operator is likely to be far less than a similar attack on the President.
Nevertheless, by how much are the two scenarios different? Intuitively, it is understood
and accepted that there is a difference and that it is not insignificant, but to quantify that
is subjective, and nearly impossible.

The valuation issues notwithstanding, the purpose of this section is to examine the
various aspects involved in performing a meaningful return on investment (ROI) analysis.

Analysis
One approach to cost and ROI analysis is to start with known values and actual current
data points. Once a baseline has been established, several alternative solutions should be
modeled to help analyze the more difficult assumptions. The analysis then considers
these factors in several biometric applications.

Life-cycle Cost Analysis


There are several costs for doing nothing. The first is the original cost to acquire and
install the existing security solution [A]. (Do not forget the cost of labor in the
installation component.) Next, there is a replacement cost of existing equipment as it
ends its useful economic life [R]. Even good padlocks need to be replaced from time to
time. This cost may be the same as the original equipment, it may be some appreciated
amount recognizing inflation and product enhancements, or it may be a lesser cost
recognizing competitive pressures in the market and/or the lower cost of production.

The life-cycle period in years [P] will be somewhere between the manufacturer’s
warranty period and the length of time the IRS will impose for a useful life-cycle.
Typically, the warranty period will be short (this protects the manufacturer from having
to pay for normal wear and tear) and the IRS depreciation period will normally be long
and the device will likely be ready for replacement before that time. For the purposes of
this analysis, it is suggested that the sanctioned depreciation period be used.

The third cost is the annual cost to maintain the device(s) throughout its life cycle [M].
This may be as simple as an annual dusting and lubrication, or it may involve a more
frequent visit from a locksmith for disassembly, cleaning, and reassembly. Finally, there
is the cost or value of the asset [V] if lost or compromised, times the likelihood or
probability of loss or compromise [L]. This value says that, if custody of an asset is
retained for a sufficient time, it will be stolen or compromised. Given the previous
discussion, the life-cycle cost [LCC] to install and maintain a particular safeguard may be
calculated from:

LCC = A + R + PM + VL and the annualized value is = LCC/P.

(In this model, the legal ‘duty to care’ is more or less equal to VL and the remaining
values represent steps taken to discharge that responsibility. So, it follows that VL will,
in theory, at least, be less than or equal to A + R + PM, so LCC could be approximated
by 2VL. But as the value of V becomes more and more subjective, the 2VL relationship
becomes more speculative and loses its utility.)

Cost/Benefits Trade-Off Analysis


The financial argument for adopting a new (presumably biometric), security solution
(LCCnew) is that in the long run, it will be less expensive than the current solution
(LCCold), including the cost to remove the old system and to install the new system [N].
The security rationale is that, regardless of cost, due to the increased probability to detect
and thwart an attack, the likelihood of the successful theft or destruction of the asset (VL)
becomes smaller and smaller. Algebraically:

LCCnew <= LCCold + N

In the case where LCCnew >= LCCold + N, the decision to upgrade to the new system
nonetheless would be rationalized by an expectation of a significant increase in M (the
cost to maintain the old), and/or a likelihood that L (probability of loss) is, for some
reason, expected to increase significantly in the near future.

Factors Affecting Analysis


A key factor that will affect this analysis is the falling cost of existing biometrics. Due to
advances in manufacturing technology, increased demand for many biometric products,
and increasing competitive pressures, the costs to acquire many biometric technologies
are also falling. Along with the falling prices of equipment, there is also an increase in
the reliability of these devices.

ROI Analysis [11]
The computation of the return on investment (ROI) of security products is complicated
by the absence of a direct revenue stream resulting from the investment. For this reason,
middle management often views these investments as operating costs to be minimized, an
approach which leads to a false sense of economy. One perspective is that middle
management is preoccupied with the income statement portion of the corporate books
that concentrates on revenues and expenses, the cost to acquire security equipment being
one of the many costs to be managed. The benefits of investments in security, however,
do not appear on the income statement.

Senior management and the shareholders, however, are more involved with the balance
sheet portion of the corporate books and it is here that upward changes or growth in net
worth reflects the benefits of investments in security. It is on this part of the financial
report that the company will see its return for investing in security technology, in the growth
of net assets because of reduced theft or pilferage.

[11] “The biometric technologies business case: a systematic approach,” Richard A. Riley Jr, Virginia Franke
Kleist, Information Management & Computer Security, Apr 2005 Volume: 13 Issue: 2 Page: 89 – 105.

The second problem with assessing the return aspect of investments in security, in
ordinary industrial security applications, is to isolate that portion of increased net worth
that can be attributed to security and not some other corporate action. Likewise, in a
company with falling net assets due to non-security activities, it will be difficult to
identify the loss diversion benefits without which the net worth losses would be even
greater.

In other applications, such as welfare fraud prevention, it may be possible to credit the
application of new, biometrically based security with the reduction in the incidence of
duplicate claims. Even in this case, though, there is an implicit assumption, not
necessarily well-defended, that what is being measured is based only on what has been
detected.

ROI can be forecast to some degree with assumptions identifying current loss levels and
the degree of security enhancement afforded by the new technology. These projections
should be validated post-facto, however, to ensure expectations are being met. The
analysis required to do this validation is useful not only for the peace of mind of the
designer, but to identify any anomalies in the new system. Significant negative
deviations from expected results will signify either a serious misstatement of the
assumptions or an incorrect installation of the new system.

Integration of the Issues

The art and science of designing effective applications with biometric components
requires the ability to skillfully integrate the six major issues that were explained
previously in this Section:

1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business

Ultimately, compromises may need to be made, but the goal is to specify a system that
equitably recognizes owner’s security expectations; users’ physical limitations, legal
concerns and social expectations; the operational environment; and the system’s
interoperability requirements.

Once designed, the system should be reviewed, briefly, as many as seven times in a
complex design. During each of the initial reviews, the organization and the
designer/integrator should ‘walk through’ the design from the perspective of each of the
six main design factors. The first review, for example, should consider each design
decision in the context of “Does this recognize the functional requirements of the
system?” The second review should just concern itself with the question “Does this
recognize the operational requirements of the system?” Etc., etc. The seventh review
considers the system as an integrated whole. (See Design Process that follows.)

10.3. DEVELOPMENT OF THE STATEMENT OF WORK (SOW) AND SYSTEM SPECIFICATION

A. Technical Specifications

Once the operational/functional requirements are sound and complete, technical
requirements should be defined for the SOW as a specification for vendors/integrators
who may bid on the project. To the extent possible, these technical requirements should
be specified in combination with technically oriented staff, the system designer and/or the
system integrator (often the same entity). Technical requirements are nothing more than
quantifiable expressions of the previously developed operational/functional requirements.
Examples of technical requirements that correspond to the operational/functional
requirements hypothesized previously are:

• The biometric system/device provided shall have a minimum throughput rate of 6
persons per minute (80% of 450 divided by 60 minutes – the throughput rate for
the most demanding portal).

• The biometric system/device provided shall be an identification (1:N) system, and
not require card, PIN, password, or token for entry.

• The biometric system, including servers, sensors, and remote units shall be sized
to accommodate an expansion to a minimum of 585 persons and meet the
previous throughput requirements without purchase of new equipment.
Additionally, the biometric system shall be BioAPI [12] and CBEFF [13] compliant and
meet the following criteria for interoperability:

The biometric system shall not exceed a .01% FAR while
maintaining a FRR of ≤ 5%. [an example, not a standard]

B. Vendor/Supplier Evaluation and Selection as it Impacts the SOW

By the time one has completed the foregoing tasks and the preparation of procurement
documents is underway, one should have a reasonably good idea which technologies and
systems will meet the described functional and technical requirements. Technology and
product performance analyses should be a fundamental and parallel part of the processes
described above. In some cases, enough information will have been analyzed to specify
the biometric technology (modality) that will meet the stated functional and technical
requirements. In other cases, more than one technology might be suitable, or
procurement policy may dictate that procurements must be open to all technologies. In
the latter case, the SOW and specification(s) should be written broadly enough to
accommodate a variety of technologies and systems. In those cases a formal technology
and product performance analysis can proceed when proposals have been received.

[12] See BioAPI Consortium for more information. www.bioapi.org
[13] Common Biometric Exchange File Format. See CBEFF (NISTIR 6529-A).

Unfortunately, the biometric industry has not evolved to the point where this is a simple
and straightforward process. There are test data available from a variety of sources;
however, they vary in credibility and reliability. Vendor claims are prone to be overly
optimistic, not solely because of a profit motive, but also because the tests are generally
conducted in optimal conditions, by the most knowledgeable people. Other
testing, as mentioned in BTAM Volume 1, Section 6, Testing and Evaluation, is more
rigorous, but is often conducted for a specific application which may be (but probably
will not be) exactly the same as any other given implementation of a biometric program.
(Please refer to Section 6 for more detailed information.)

Should a technology and product performance analysis be conducted, the results should
be provided to an independent system designer or integrator that has no formal affiliation
with any particular technology or vendor to be assessed and evaluated.

C. Need for Periodic and Final System Design Parameters/Reviews

Throughout the foregoing processes the professional services of the referenced system
designer or integrator should be sought, coupled with frequent formal reviews as the
functional requirements are translated to technical requirements and system
specifications. The primary purpose of these frequent reviews is to ensure the system
design parameters accurately and adequately reflect the initial functional requirements.

When including, making, or refining cost estimates in the SOW, there is value in
understanding all the cost components of a biometric system and making some
reasonably accurate estimates of the costs in order to facilitate trade-off decisions and
budgeting. Potential designers, consultants, vendors, and suppliers should be aware of
both direct and indirect costs associated with a biometric system.

Direct costs:

• Biometric capture hardware and software
• Back-end processing power to maintain the database
• System design costs
• Infrastructure modification and upgrades
• Installation costs, including current system integration costs
• Costs associated with collecting user identification data (enrollment)
• System maintenance costs, including ongoing enrollment and training
• Licensing (site or per-seat) costs

Indirect or less obvious costs:

• Research, planning, system evaluation, and selection costs
• Implementation planning costs
• IT staff training costs
• User education and training costs
• Cost of lost productivity during implementation learning curve.
• Security administration, including exception processing (“work-arounds” for
persons unable to use the chosen biometric.)
• Implementation of new exception handling procedures for false rejects
• Revocation costs incurred should the system have to be shut down due to
inadequate planning.

D. Specifying Assistance in the SOW for Training Program Development and Implementation

End-User training

The end-user population (employees, contractors, temporarily assigned personnel) must
be trained sufficiently to enable them to use the biometric equipment effectively once the
system is activated. Time between training and actual use of the system (or some portion
thereof) should not exceed a week. This may be challenging when end-user populations
are very large and may require multiple trainers and training sessions, or other innovative
schemes such as operating the biometric system in parallel with a current existing system,
staggering activation of the system, and/or setting up multiple scanners near entry points
to enable end-users to practice authentication upon entry.

Such training should include expectations for and limitations of the system/devices and
provision of documentation regarding the system itself. Such documentation includes,
but is not limited to:

• User’s manual
• Policies governing the use of the technology
• Policies governing the use of biometric templates

Manuals should be short, simple, and to the point. User acceptance, and with it the
success of the system, improves the more confident and secure users are in their
knowledge of how the biometric-based system works and why it was deployed.

Adverse reactions and resistance to a new biometric system can often be traced to lack of
knowledge and even embarrassment because of poor initial performance on the devices.
Supervised walkthroughs and trial-runs will help increase the comfort levels of users and
decrease the pressure placed on them. Such simulations will also help decrease the error
rates in the future when the users will not have someone with them while using the
system.

Proper training and education should always be part of the implementation plan for any
new installation or modification of an existing biometric system. Users will prove
cooperative and supportive of system use if they:

• Receive proper and comprehensive training in the use of the system.
• Are guided carefully and unhurriedly through the enrollment procedure.
• Are invited to ask questions about the system in general.
• Have received some reference documentation with help/inquiry line details
included.
• Are trained within a comfortable, unchallenging environment.

Please see Section 14: Training for more comprehensive information regarding training.

Section 11 – System Engineering, Integration, and Implementation

Having examined in some detail in Section 10 the various considerations and issues that
drive the design process, we now turn our attention to the system engineering process that
implements that design and the important steps that should be addressed.

This section addresses System Engineering from two fundamental perspectives: the
issues that arise in developing a detailed system architectural design, and the process that
will result in a detailed system architecture design. The Engineering and Integration
Issues portion identifies and discusses issues peculiar to biometric technologies, while the
Engineering Process portion focuses on procedures common to biometric sub-systems,
including integration.

The implementation portion of this section addresses procurement and installation. While
the biometric application discussed in this section is physical access control, it should be
recognized that the processes and design issues described are applicable to other types of
biometric installations as well, such as workstation access or network access. In addition,
physical access is not limited to access to a building or room, but may include access to
other physical areas or objects, such as a drug cabinet, bank safety deposit box, etc.

11.1 ENGINEERING AND INTEGRATION ISSUES AFFECTING THE SYSTEM ARCHITECTURE PROCESS

A. General
In general, the System Engineering and Integration of the biometric components of an
access control system are shaped by three main factors. The first is the definition of
security needs and program objectives developed in Section 10.

The second is the design of the overall control system, not just the biometric sub-systems.
As noted elsewhere in this Section, there is really no such thing as a ‘biometric system’,
per se. Rather, there are a wide variety of primary systems that rely upon biometric
devices for identity assurance. These range from physical security access control
systems to welfare fraud prevention systems. It is the function of the primary application
that will define the physical and logical boundaries within which the biometric must
function. Consequently, many of the system’s architectural and functional design
decisions have often been made by the time the biometric sub-system design engineer sits
down to work.

The third factor is whether the design is for a new system or improvements to a legacy
or existing system. A completely new system offers the opportunity to make correct
design decisions throughout the whole system for optimum performance. On the
downside, a new system is subject to design error at all places within the system, not just
the points where new biometric components are added to an existing, but otherwise
functional, system. This complicates the commissioning process and prolongs the
achievement of operational readiness. While a legacy system offers the advantage of a
working system in which the existing components are likely to be working as designed,
the choice of new biometric components may be constrained by the existing technical
configuration.

B. Specific Issues

System Design and Architecture


The overall system design will play a major role in the selection of biometric products to
be employed. A small system not requiring central enrollment or management may
require only a low-cost stand-alone biometric device. One such device is an electric door
handle and latch arrangement with a low cost fingerprint device integrated into the
handle. Capable of storing fewer than 500 templates, the door control costs about
$500-800 and is subject to a fair degree of error. On the other hand, a distributed security
system controlling access to facilities on a regional or national level (and perhaps
globally distributed) and requiring very low error performance will limit the product
selection to a few technologies and expensive devices and communications systems.
Other constraints that must be addressed at the beginning of the design process include
processing distribution, expansion, database design, and the overall security system IT
design components.

Distributed vs. Centralized Processing


Figures 10-A through 10-C illustrated the three main alternatives for decision venues: at
the portal, at a central control point, or at some intermediate location. In the first,
stand-alone scenario, authorized personnel are enrolled at the portal. In some technologies,
there is a nominal database that records who has activated the device and at what time
and date. This data is downloaded periodically by a wire or wireless link between the
device and a portable data collection platform; however, in less expensive products, there
may be no enduring record of transactions.

In a central control process, enrollment information is collected and stored at a central
location. Massive databases for the entire enterprise can be maintained at the central
location. Biometric templates collected at portals are transmitted to this location for
processing, image comparison, and decision-making. This mode offers an improved
degree of security and significant system oversight and overall awareness of activity in
the facility. System efficiency, however, is dependent upon sustained network
communications. In the event of a power or communications failure, no portal activity
can continue, effectively locking employees out of their offices or labs and, in some
special security applications requiring a biometric request to exit, locking these
employees in their work space. Fire and safety codes normally require security systems
to fail safe (but not secure) in the event of a power interruption, which may pose an
additional security peril to operations, even if power has not been lost at the local level.

These functional concerns led to the development of remote door control units (DCU).
DCUs function much the same as a central control in that they have capacity for a large
number of enrolled templates, but are not affected by loss of power at the central control.
When a person is enrolled in the enterprise system, necessary template and administrative
information is transmitted to each door in the enterprise through which that person is
authorized to pass. The main design consideration is the location of the DCU so that it is
protected from outside attack and tampering. For ease of installation, unfortunately,
many DCUs are placed directly in the plenum just above the protected door. This fact
can and has been exploited by informed adversaries to by-pass the system’s safeguards.

Expansion Requirements
The choice of technology for a security system is influenced in part by the population of
authorized persons it has to monitor and accommodate. While the current population
value must be known at the start of the design process, it is even more important to know
what the projection is for future population expansion over the next 5-6 years [14] of the
enterprise’s life. The resulting system design must account for this expansion to avoid
costly retrofitting 2-3 years (or even 3-4 months in the case of rapidly growing offices) in
the future.

Secure and Privacy-compliant Database Design and Accessibility


The nature of the enterprise operations and functions may have a significant impact on
system design. A health organization with a substantial employee base and hundreds of
clients will be confronted with difficult HIPAA access control issues and requirements.
A public school system employing biometrics at its doors will need to examine local,
state, and federal laws affecting the collection and storage of biometric information.

System IT Security Design (Physical, Electronic, Encryption)


Just as the security system secures the enterprise, security planning must be applied to the
security system itself, which, for the most part, is the security communications network.
Indeed the language for IT security is often the same as for physical security applications:
intruder detection, intrusion detection, deterrence, entry denial, and so on. As in the
physical world, biometrics can play a significant role in safeguarding IT systems,
providing protection of both the physical space (entry control to rooms containing vital
IT technology) and the information system itself. Biometrics can also be incorporated
with and contribute to effective encryption techniques.

Reliability and Performance Expectations


Regardless of end-user expectations, no control system solution is absolutely perfect in
achieving zero false accepts, false rejects, no failures to enroll, and no delays affecting
throughput. All control systems have some degree of error. Further, the technologies are
normally subject to adjustment so that false accepts or false rejects can be modified to
force the system to adjust to the using agency’s operational preferences.

Design Presumptions
Underlying the decision to establish a new security system or to renovate a legacy
security system with biometrics is an assumption that the biometric technology will
afford a higher level of personal identification useful for a more efficient and reliable
satisfaction of security objectives. It helps in the assessment and validation of this
assumption if there is a current and actual or anticipated level of security compromise in
the existing system that can be quantified. For example: “Today, we experienced a loss
to pilferage from our storerooms greater than $10,000 per month as the result of the theft
or misuse of keys issued to certain employees. By installing some form of biometric
identification, we can reduce this loss to nearly zero.”

[14] This horizon is appropriate considering the pace of new technology development and the expected
obsolescence of the current design. Considering the impact of Moore’s law (estimating the rate of
microchip capacity enhancement), a 6-year application life ends with the current system 3-4 generations of
chip technology behind.

Budget constraints
Naturally, all system designs are subject to budget constraints and these will often limit
the choice of biometric system to be employed. A biometric device may satisfy
performance expectations, but not within the project budget constraints. An affordable
device may not be able to satisfy performance expectations. Ultimately, this impasse
requires a management/owner design decision relaxing performance expectations,
increasing the project budget, or both. In any event, this is a management issue, not a
design question.

Integration
Integration is the process by which two or more sub-systems are brought together for
physical, electrical, and logical interfacing with other components. It is also a process in
which the logical processes and activities of the various components are introduced to the
larger system for proper functioning. In some cases, the manufacturer has anticipated
these requirements, but, in other cases, the integration is the responsibility of the system
integrator. There are at least three main systems with which a new biometric sub-system
will have to work: security, power, and building management.

C. Integration with Prime Systems

Security or Authentication Systems


Sub-systems designed to work with access control or authentication systems need to be
integrated seamlessly with the prime system in a manner consistent with the design
philosophy of that system. In many cases, the biometric sub-system will be expected to
provide the same services as the existing system, such as proximity card tools, while
delivering improved performance in terms of accuracy and durability.

Power
The biometric sub-system needs to be compatible with the facility’s power system in
terms of voltage type, current, frequency, and distribution plan. Experience has proven
the value of a robust back-up power solution such as heavy duty uninterruptible power
source (UPS) devices at critical nodes.

Building Management
In a number of applications, the biometric system will provide useful inputs not only to
the security system, but also to the facility’s building management system, turning on lights,
activating elevators, and performing other identity-specific tasks.

Multi-modal Design Considerations
Underlying the concept of multi-mode applications is the thought that, if one biometric is
good, two (or more) biometrics would be better. There is a certain truth to this, but a
multi-modal solution is not without its problems. Essentially, if the probability of a false
accept in one system is PFAR1 = 0.001% and the probability of a false accept in a second
system is PFAR2 = 0.01%, then the PFAR1+2 = PFAR1 x PFAR2 = 0.001 x 0.01 = 0.00001%.

The offside of this relationship is that the improvement in false accept is paid for by an
increase in false rejects. The calculation for this side of the issue is:

P(FR) = 1-[1-PFRR1][1-PFRR2]
= PFRR1 + PFRR2 - PFRR1 PFRR2

in which case, for example P(FR) = 0.001 + 0.01 – (0.001 x 0.01)


= 0.011 - 0.00001 = 0.01099

where both devices are set at their equal error rate.

Dr. John Daugman (The Computer Laboratory, Cambridge University) has examined this
issue in a brief paper entitled “Combining Multiple Biometrics.” [15] In it, he says:

“…There is a common and intuitive assumption that the combination of different tests
must improve performance, because "surely more information is better than less
information." On the other hand, a different intuition suggests that if a strong test is
combined with a weaker test, the resulting decision environment is in a sense
averaged, and the combined performance will lie somewhere between that of the two
tests conducted individually (and hence will be degraded from the performance that
would be obtained by relying solely on the stronger test).

“There is truth in both intuitions. The key to resolving the apparent paradox is that
when two tests are combined, one of the resulting error rates (False Accept or False
Reject rate) becomes better than that of the stronger of the two tests, while the other
error rate becomes worse even than that of the weaker of the tests. If the two
biometric tests differ significantly in their power, and each operates at its own
cross-over point, then combining them gives significantly worse performance than relying
solely on the stronger biometric.” [Emphasis added.]

He concludes:

“…A strong biometric is better alone than in combination with a weaker one...when
both are operating at their cross-over points. To reap benefits from decision
combination, the equations above show that the operating point of the weaker
biometric must be shifted to satisfy the following criteria: If the "OR" Rule is to be
used, the False Accept rate of the weaker test must be made smaller than twice the
cross-over error rate of the stronger test. If the "AND" Rule is to be used, the False
Reject rate of the weaker test must be made smaller than twice the cross-over error
rate of the stronger test.”

15 Daugman, John. Combining Multiple Biometrics. The Computer Laboratory, Cambridge University.
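
The AND/OR arithmetic above and the criterion quoted from Daugman can be checked numerically. The following Python sketch is an added example, not part of the manual or of Daugman's paper; it assumes error rates expressed as probabilities, statistically independent tests, and FAR + FRR as the figure of merit, and the re-tuned operating point for the weaker test is a constructed value.

```python
"""Decision-level fusion of two biometric tests under the AND and OR rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatingPoint:
    """Error rates of one test at one threshold, as probabilities in [0, 1]."""
    far: float  # false accept rate
    frr: float  # false reject rate

    def __post_init__(self):
        for name in ("far", "frr"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be a probability, got {value}")

    @property
    def total_error(self) -> float:
        # Figure of merit assumed for this example: FAR + FRR.
        return self.far + self.frr


def fuse_and(a: OperatingPoint, b: OperatingPoint) -> OperatingPoint:
    """Accept only if BOTH tests accept (independent errors assumed)."""
    return OperatingPoint(
        far=a.far * b.far,                    # an impostor must fool both tests
        frr=a.frr + b.frr - a.frr * b.frr,    # a genuine user fails if either rejects
    )


def fuse_or(a: OperatingPoint, b: OperatingPoint) -> OperatingPoint:
    """Accept if EITHER test accepts (independent errors assumed)."""
    return OperatingPoint(
        far=a.far + b.far - a.far * b.far,    # an impostor needs only one false accept
        frr=a.frr * b.frr,                    # a genuine user fails only if both reject
    )


def meets_daugman_criterion(strong_eer: float, weak: OperatingPoint, rule: str) -> bool:
    """Criterion quoted above: the relevant error rate of the weaker test must be
    smaller than twice the cross-over error rate of the stronger test."""
    limit = 2.0 * strong_eer
    if rule == "OR":
        return weak.far < limit
    if rule == "AND":
        return weak.frr < limit
    raise ValueError("rule must be 'AND' or 'OR'")


def compare(strong: OperatingPoint, weak: OperatingPoint) -> dict:
    """Return the operating points of the stronger test alone and of both fusions."""
    return {
        "strong alone": strong,
        "AND": fuse_and(strong, weak),
        "OR": fuse_or(strong, weak),
    }


if __name__ == "__main__":
    # Both tests at their cross-over points, using the manual's 0.001 and 0.01.
    strong = OperatingPoint(far=0.001, frr=0.001)
    weak_at_eer = OperatingPoint(far=0.01, frr=0.01)
    # Constructed re-tuning of the weaker test for the AND rule: its FRR is
    # pushed below 2 x 0.001 at the price of a much higher FAR.
    weak_retuned = OperatingPoint(far=0.2, frr=0.0005)

    for label, weak in (("weak at EER", weak_at_eer), ("weak re-tuned", weak_retuned)):
        print(f"--- {label}: FAR={weak.far} FRR={weak.frr}")
        print("    AND criterion met:",
              meets_daugman_criterion(strong.far, weak, "AND"))
        for name, point in compare(strong, weak).items():
            print(f"    {name:12s} FAR={point.far:.7f} FRR={point.frr:.7f} "
                  f"total={point.total_error:.7f}")
```

With both tests at their cross-over points, each fused total is about 0.011 against 0.002 for the stronger test alone; only the re-tuned weaker test brings the AND combination below 0.002.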

The second issue is the relatively prosaic question of the increased cost of a system using
two or more components instead of just one. One biometric system with outstanding
performance values costs about $8,000-10,000 for an initial installation of 1-2 doors. Its
operational performance is approximately FAR ≈ 0.000001 and FRR (+FTA) ≈ 0.05%.
Another technology offers comparable performance features, but adds another $4,000-
6,000 to the cost of the integrated system for only a questionable improvement in overall
performance. In an operating environment where there are, for example, 250 people
enrolled, it is not clear what real or practical value has been gained by improving FAR
fractions of errors in the 1:1,000,000 range and nearly doubling the cost. From a
fiduciary perspective, multi-mode combinations seem to make more sense in applications
where two or more relatively inexpensive devices can be combined, or in those instances
in which the quality of input templates may not be high.

To be sure, there are instances or operating environments in which a combined multi-mode
biometric system makes good sense and enhances the overall operational security.
Multiple biometric technologies are often required to accommodate persons with high
FTE rates with specific technologies. Multi-mode biometrics should not be presumed to
be the design of choice, but is a solution best arrived at by careful evaluation of the
various factors that need to be addressed and satisfied. For further reference there has
been extensive work done by experts, such as Anil Jain and Rick Lazarick, on fusion of
multiple biometrics.

Biometric Fusion16
The use of multi-biometric fusion techniques offers a potential solution to some of the
inherent issues associated with the implementation of biometric technology for access
control. One difficulty with single-modality biometric access control is that even a low
failure to enroll or failure to acquire rate can correspond to large numbers of people in
very large deployments. An alternate method of access security then needs to be
implemented for these exception users. Multi-biometric fusion is one such alternate
approach. It entails additional system components and/or complexities, so careful
analysis of the costs and benefits is essential to effective implementation of such an
approach.

The techniques surrounding the use of multiple biometrics have been the subject of
significant academic research to develop the concepts and to quantify the benefits.
Experts in this field communicate these ideas and results, sometimes developing new
expressions and terms needed to convey the findings.

In an attempt to promote clarity and understanding of the advances in multiple biometric
systems, the following material provides a basis in the form of terminology, description
of computational aspects, and a framework for describing the processing. Hypothetical
examples are provided to illustrate the use of the terminology and concept in
recognizable airport access control situations.

16 Content on Biometric Fusion provided by Rick Lazarick of CSC.

Multi-biometric Terminology
The first challenge is to establish an agreeable set of terms and definitions to assist in the
accurate and efficient discussion of the field of multi-biometrics. The initial motivation
for addressing terminology is the inconsistent and therefore misleading use of the term
“multi-modal” in the literature. Biometrics specialists came to realize that the term multi-
modal should only be used to describe combinations of two different biometric
modalities, such as face and fingerprint. A new definition established “multi-biometric”
as the broadest term, encompassing any operation that utilized two different biometric
captures or computations, and fused the information in some way to make a single
identity decision.

Within multi-biometric, a distinction was drawn about the differences between systems
using multiple modalities, multiple algorithms, multiple sensors (for the same modality)
and multiple instances of a biometric trait. Thus the agreed upon set of terms for multi-
biometric and its components are:

• Multi-biometric - the use of multiple biometric modalities, instances within a
modality, sensors and/or algorithms prior to making a specific
verification/identification or enrollment decision.
• Multi-modal - the use of multiple different biometric modalities. (Example: face
and hand geometry).
• Multi-algorithmic - the use of two or more distinct algorithms for processing the
same biometric sample. (Example: facial geometric structure and skin texture)
• Multi-instance - the use of two or more instances within one modality for an
individual. (Examples: Iris (left) + Iris (right), Fingerprint (left index) +
Fingerprint (right index))
• Multi-sensorial - the use of two or more distinct sensors for sampling the same
biometric instance. (Examples: for face: infrared spectrum, visible spectrum, 2-D
image, and 3-D image; for fingerprint: optical, electrostatic, multi-spectral
subsurface imaging, and acoustic or ultrasound sensors)

Additional terminology useful to explain and understand the concepts of multi-biometrics
is included here as well.

• Modality - the human body part, body part characteristic, or behavioral
characteristic that can be sensed and used for human identification/verification.
Example: iris, fingerprint, or walking gait
• Simultaneous - the subject perceives that all biometric samples are captured
during a single event
• Sequential - the subject perceives different biometric samples being captured as
separate events

• Cascaded - pass/fail thresholds of individual biometric captures are used to
determine if additional biometric data is required to be processed to reach an
overall decision
• Layered - individual biometric scores are used to determine the pass/fail
thresholds of other biometric data processing
• Hybrid - indicates the combination of more than one multi-biometric concept in a
particular application.

Multi-biometric techniques can be applied at different “levels”, typically defined as
decision, score, feature and sample level fusion. For usage with airport access control
systems, the discussion is limited to the more popular and simpler decision and
score levels.

D. Normalization and Fusion

The following sections pertain primarily to score level fusion approaches. The concepts
of score normalization and score level fusion are summarized at a high level.

Score normalization
Different biometric devices generate their matching statistic in different (and proprietary)
ways. Some may produce a similarity score (high being a good match) or a dissimilarity
score (such as a Hamming distance). There is also no uniformity in the range or scale of
these scores, hence the need for normalization prior to combining the scores.

Score normalization maps scores into a domain (for example 0.0 to 1.0) where they
possess a common meaning in terms of biometric performance. Thus score normalization
adapts the parameters of the matching score distributions to the outputs of the individual
matchers, such that the normalized matching score distributions exist in a common
domain. Score normalization is closely related to score level fusion since it affects how
scores are combined and interpreted in terms of biometric performance. For these
reasons, scores are generally normalized into a common domain prior to fusion. (Note
that some fusion methods use probability density functions (PDFs) directly and do not
require normalization methods.)

Score fusion methods


When individual biometric matchers output a set of possible matches along with the
accuracy (quality) of each match (match score), integration can be done at the match
score level. This is also known as fusion at the measurement level or confidence level.
The match score output by a matcher contains the richest information about the input
biometric sample in the absence of feature level or sensor level information. Furthermore,
it is relatively easy to access and combine the scores generated by several different
matchers. Consequently, integration of information at the match score level is the most
common approach in multi-biometric systems. In the context of verification, there are
two approaches for consolidating the scores obtained from different matchers: (a) the
classification approach, and (b) the combination approach. The more common
combination approach takes on several forms, such as simple sum, maximum score,
weighted matchers, and user weighting along with many other more complex approaches.
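
The normalization step and three of the combination rules named above (simple sum, maximum score, weighted matchers) are shown below as an added Python example, not code from the manual or from any vendor. The matcher names, raw score ranges, weights and threshold are constructed, and min-max scaling is one common normalization method chosen here as an assumption.

```python
"""Score normalization followed by score-level fusion for two matchers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Matcher:
    """Calibration data for one matcher (all values here are constructed)."""
    name: str
    lo: float               # lowest raw score the matcher emits
    hi: float               # highest raw score the matcher emits
    higher_is_better: bool  # False for dissimilarity scores such as a Hamming distance

    def normalize(self, raw: float) -> float:
        """Min-max map a raw score onto [0.0, 1.0], where 1.0 is the best match."""
        if self.hi <= self.lo:
            raise ValueError(f"{self.name}: invalid calibration range")
        clipped = min(max(raw, self.lo), self.hi)   # out-of-range scores are clipped
        scaled = (clipped - self.lo) / (self.hi - self.lo)
        return scaled if self.higher_is_better else 1.0 - scaled


# Hypothetical matchers: a fingerprint similarity score on 0..500 and an iris
# Hamming distance on 0.0..0.5 (lower distance = better match).
MATCHERS = (
    Matcher("fingerprint", 0.0, 500.0, higher_is_better=True),
    Matcher("iris", 0.0, 0.5, higher_is_better=False),
)


def normalized_scores(raw: dict, matchers=MATCHERS) -> list:
    """Normalize each matcher's raw score. A matcher with no sample contributes
    0.0, so withholding a sample can never raise a sum-based fused score."""
    return [m.normalize(raw[m.name]) if m.name in raw else 0.0 for m in matchers]


def fuse(raw: dict, rule: str = "sum", weights=None, matchers=MATCHERS) -> float:
    """Combine normalized scores into one fused score in [0.0, 1.0]."""
    scores = normalized_scores(raw, matchers)
    if rule == "sum":        # simple sum, divided by the count to stay in [0, 1]
        return sum(scores) / len(scores)
    if rule == "max":        # maximum score: the best single matcher decides
        return max(scores)
    if rule == "weighted":   # weighted matchers: trust some matchers more
        if (weights is None or len(weights) != len(scores)
                or min(weights) < 0 or sum(weights) <= 0):
            raise ValueError("weights must be non-negative, one per matcher")
        return sum(w * s for w, s in zip(weights, scores)) / sum(weights)
    raise ValueError(f"unknown fusion rule: {rule}")


def verify(raw: dict, threshold: float, rule: str = "sum", weights=None) -> bool:
    """Single-threshold accept/reject decision on the fused score."""
    return fuse(raw, rule, weights) >= threshold


if __name__ == "__main__":
    samples = {  # constructed raw scores
        "genuine user": {"fingerprint": 410.0, "iris": 0.12},
        "impostor": {"fingerprint": 120.0, "iris": 0.44},
        "matchers disagree": {"fingerprint": 480.0, "iris": 0.45},
        "iris not acquired": {"fingerprint": 410.0},
    }
    for label, raw in samples.items():
        print(f"{label:18s} sum={fuse(raw, 'sum'):.3f} max={fuse(raw, 'max'):.3f} "
              f"weighted={fuse(raw, 'weighted', weights=(1, 3)):.3f} "
              f"accept(sum, 0.6)={verify(raw, 0.6)}")
```

The "matchers disagree" sample is rejected by the sum rule at a threshold of 0.6 but accepted by the maximum-score rule, which behaves like decision-level "OR" logic.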

E. Hypothetical Examples

The following examples are provided to assist in understanding the concepts of multi-
biometrics, described using the terminology introduced above. These are not intended to
represent any specific known application, but are rather theoretical designs that may be
recognizable as suitable for airport access control applications. Each example outlines
the application, describes the technical approach, and then reflects on the strengths
(advantages) and weaknesses (disadvantages) anticipated for such a system.

Example 1: Multi-modal, decision level fusion with sequential sampling

Application: Attended Physical Access Control. Typical of an airport access control for
identity verification of cooperative, enrolled end users at intended points of entry,
monitored by a security agent or guard.

Technical Description: Fingerprint and Iris Recognition modalities. All end users are
processed for enrollment in both modalities, attempting to enroll one or two fingers and
one or two irises per person. Airport enrollment policy permits either iris or any finger
that can be successfully enrolled, both modalities if possible. Identity verification is
performed using the individual pass/fail decisions of each modality in the “OR” logic
form of decision level fusion. The order of biometric presentation is fingerprint first
(because it is faster and easier to use). If the fingerprint verification passes, then no iris
sample is required.

Advantages: This system design is well suited to accepting a very high percentage of
users for enrollment based on the liberal enrollment policy and the multi-modal nature of
the design. Using the “OR” logic promotes a potentially very low false rejection rate.
Employing the sequential sampling technique along with the “OR” logic, and choosing
the fingerprint first as the faster sampling modality, provides for a very low transaction
time (or high throughput) which is highly desirable in many airport high volume
applications.

Disadvantages: The design calls for both fingerprint and iris sensors at all access points,
which incurs additional acquisition, installation, enrollment, license and maintenance
costs. The use of “OR” logic, while minimizing the false rejection rate, does amplify the
potential for false acceptance. (This can be mitigated by proper selection of the
individual decision thresholds for each modality.) Depending on the level of anti-
spoofing countermeasures provided by the vendor, “OR” logic is subject to attack with
device “spoofing” techniques (such as “fake fingers” or iris-replicating contact lenses)
since only one modality is needed to pass. In this scenario, obvious and elaborate
spoofing techniques are impractical since the access point is attended by a security agent.

Example 2: Multi-instance, score level fusion with sequential sampling

Application: Low-cost Unattended Logical/Physical Access Control. This application is
suitable for a moderate to large scale deployment with distributed access points that
requires a relatively high degree of security for logical (e.g. computer network) and/or
physical access. Because of the number and geographic distribution of the access points,
this application is not attended by a security agent.

Technical Description: Multiple Fingerprints. To achieve the low-cost objective, the
fingerprint sensor is a single-digit variety. All users must enroll multiple fingerprint
instances (different fingers) with the minimum number set as an enrollment policy
(minimum 2, prefer 4 or more). Identity verification requires the user to present multiple
different enrolled fingers for sampling, along with identification of the specific finger for
each sample to allow 1-to-1 comparisons. (The number of fingers is determined by the
application’s verification policy.) Each sample produces a similarity score based on the
1-to-1 matching processing. These scores are fused using the “Sum Rule” and a
verification decision is based on a single threshold for acceptable similarity. Note that
for higher security applications, a query-response variation could be incorporated to
prompt the user to present specific fingers at the time of attempted access, with
randomness used across attempts to deter spoofing.

Advantages: This design stresses the low-cost, high security combination for a
distributed access application. Employing score level fusion of multiple instances of a
user’s fingerprints promotes potential for lower false rejection rates at a given acceptable
level of false acceptance rate. The sensor and license costs could be very low.

Disadvantages: Due to the requirement for multiple sequential samples, this design may
incur higher transaction times, and so may not be well suited to high volume access points.
Because the system employs only the fingerprint modality, there typically is a fraction of
the user population who will not be able to enroll (due to fingerprint quality or wear
factors). More generally, because the approach uses multiple samples of only one
modality, if an enrollment problem occurs in one sample, then compared to the multi-
modal approach there is a higher likelihood that a problem will also occur in additional
samples.

Example 3: Multi-sensorial, multi-algorithmic hybrid fusion with simultaneous sampling

Application: Token-less Identification for Privileged Access. Suitable for VIP facility
access or other high volume applications geared to user satisfaction. The users are not
required to identify themselves to the access system after enrollment, and are also not
highly restricted with regard to positioning relative to the sensors.

Technical Description: Face Recognition using distinct sensors. This design employs
conventional video imagery for 2-D face image capture as well as stereoscopic (or other
technique) face imagery for 3-D face modeling. Each user is enrolled with both sensors
(not necessarily simultaneously) at several pose angles (and possibly variation in
lighting). At the time of verification, the video imagery from each sensor is processed
through multiple matching algorithms (as dissimilar in approach as possible). This
stream of processing generates ranked lists of candidates (one list for each sensor-
algorithm pair), or best matching scores when compared with the enrollment database.
The decision logic is based on the “Weighted Sum Rule” with personalized thresholds,
combined with a “Voting Scheme”. Ideally, the user will be correctly identified, and
their identity will appear near or at the top of each candidate list. It is also possible that
the same identity will appear several times on the candidate list due to matches at
different pose angles or lighting variations. This situation is conducive to very accurate
voting scheme logic.

Advantages: The user convenience/acceptability aspects of this design are maximized,
with no demand for a claim of identity (no tokens to remember or present), no physical
contact (good hygiene perceptions), tolerance to pose and lighting variations, and no
rigorous training requirements. Few if any users would be expected to fail enrollment.
This design is conducive to high throughput, possibly even allowing the user to not even
stop for biometric sampling. Matching decisions are potentially very accurate, based on
the wealth of information provided to the fusion process (relative to uni-biometric face
recognition).

Disadvantages: The enrollment time needed to enroll in both sensors and at the required
range of conditions could be high. The processing logic is still developmental, is
complex and will require careful attention and tuning. Also, the system may use rather
costly sensors and significantly powerful processors, so hardware costs will be high.

11.2 ENGINEERING PROCESS

A. Pilot Design

It is in the context of these various considerations and issues that the pilot design can
start. The objective of this phase is to provide an inventory of components to be
procured, a preliminary graphic illustration of the relationship of the various components,
and an assessment of the time required to integrate, install, and commission the system.

Based on Operational Requirements as Expressed in SOW


The initial design begins with the receipt and analysis of the customer’s statement of
work (SOW). This document will outline the customer’s expectations for the delivered
system. It is toward these objectives that the system will be designed. As in most
projects of this type, however, unless the customer has retained the services of a
professional engineering firm experienced in these systems, the customer is likely to be
the least qualified to know what the optimum design solution should be. He/she may not
know what to expect from modern technology and, consequently, the initial SOW may
not be complete or accurate in its description of the solution to the customer’s real
objectives. It is the function of the professional designer to communicate effectively with
the customer to learn what these primary objectives are and to ensure the SOW is
modified to reflect these points.

Conceptual System Design
The initial engineering architectural design is prepared in pilot form following a detailed
analysis of the SOW and an analysis of the current operational environment. If a
Conceptual Design was prepared as part of the detailed analysis recommended in Section
10, that conceptual design should not be accepted blindly as a mandate for further
engineering without detailed analysis of the SOW and operational environment.

New System
New systems have the advantage of being unencumbered by existing components and
architecture. They offer the easiest way to ensure the application of state-of-the-art
technology and products. The disadvantage is the element of risk new technology might
introduce into an otherwise sound design.

Legacy System
Legacy system modifications require attention to existing architectures and processes,
some of which may conflict with a sound application of the new technologies. The initial
design needs to attend to these considerations in detail:

♦ Develop an inventory of components to be procured.

♦ Prepare a preliminary graphic illustration of the relationship of the various
components (system architecture).

♦ Prepare an assessment of the time required to integrate, install, and
commission the system.

♦ Develop an Initial Operational Capability (IOC) Planning and
Implementation Schedule. With the completion of the Pilot Design, an
implementation schedule can be developed and IOC date can be estimated.
The details of the implementation schedule are beyond the scope of this
manual.

♦ Perform the focused reviews listed in the paragraph “Integration of the
Factors” in Section 10. These reviews should establish the proposed
engineering design’s ability to comply with the security needs, program
objectives, and design issues of Section 10.

♦ Complete the Initial Detailed System Design.

♦ Perform a seventh and final review considering the system as an integrated
whole.

B. Final Engineering Design

The final design is achieved after a review process in which all responsible offices
involved with the funding, installation, and use of the new or modified system have
evaluated relevant sections of the design. After the first review, non-trivial changes to
the design will require a second and, perhaps, a third round of design reviews before the
system design is finalized.

11.3. IMPLEMENTATION

The most technically challenging part of a biometric project is the Engineering Design
phase. This is not to suggest that the implementation of biometric devices is trivial, but
careful attention to the design issues of Section 10 and the engineering/integration issues
just discussed will go a long way toward simplifying the implementation. This Section
assumes the reader has available the trained and qualified service technicians required to
integrate and install the system in a professional manner. No effort is made to instruct on
these techniques in any great detail in this manual.

There are five components that remain:

Procurement
Installation
Training
System Support
Final Deployment and Roll-out

11.3.1. Procurement
Often neglected in design planning, procurement is an essential activity requiring
attention to detail to ensure the right components arrive at the appropriate location in a
timely manner. Some items need to be delivered to the eventual job site, but not until
security is in place to prevent pilferage. Other components need to be delivered to the
contractor’s staging site for pre-integration into larger sub-systems.

11.3.2. Installation
Although the BTAM is not a technical manual designed to provide instructions for
terminations, cable routing, or other aspects of installation work, it can illustrate the
utility and significance of sound installation practices. The installation process is a key
element in establishing and maintaining effective customer relations. Foremost among
the essential aspects of professional installation work are adherence to schedule, budget,
and workmanship. The customer expects the system to arrive and be operational
according to the agreed-upon schedule. The customer expects there will be no surprises
either in schedule or cost. In terms of workmanship, the typical customer expects that the
system will work when it is powered up, the installation will appear neat and tidy, and
that the trash and debris associated with the installation will be carried away.

What the customer does not normally expect, but what makes a great impression, are the
installations where the technician doing the wiring and terminations takes a few extra
moments to minimize slack or surplus wiring and to lay out the cables and wires in neat,
angular turns or curves and arrangements. It suggests to the customer that the installing
company—as well as the design company—has really paid attention to detail and that
they have received a quality system. As a customer, the reader should expect this level
of service. As an installer, the reader should be prepared to deliver this standard of
service.

Pre-Commissioning
Prior to transferring ownership of the new system to the customer, all primary features
and functions must be demonstrated in a satisfactory manner and the owner’s staff
trained in its operation.

Acceptance Testing
Typically, the formal demonstration takes the form of an acceptance test. Presumably,
the system design was based on a customer-prepared statement of work and performance
objectives. The acceptance test should be organized to reflect the structure and content of
the statement of work. Copies of the test protocol are distributed. Each step provides a
place for the customer and lead or commissioning engineer to place their initials
indicating that step was demonstrated satisfactorily, or annotated to indicate what
problems or shortfalls were observed. Any problems should be documented in an issues
list that describes each problem, categorizes its severity, and documents its final
resolution and retesting.

When all items have been properly demonstrated, both parties sign off on the test
document and the owner assumes responsibility and control of the installed system.
Also, this is an appropriate moment for the system warranty to begin, although, on some
projects, title and warranty transfer upon delivery of goods at the job site. This point
should be made clear in the basic work contract.

11.3.3. Training
Training is such a vital part of implementation of any biometric system that we have
devoted an entire section (Section 14) to it. For our purposes in these earlier sections, it
is important to note that provisions for training management, system operators, and
especially end users should be an integral part of the system design, integration and
implementation phase. It must be defined, scheduled and completed by the time of
system acceptance so as to be ready for application as the acceptance testing is completed
and the system comes on line. Just as the time and resources expended providing after-sale
warranty services are inversely proportional to the quality of the design and installation,
so too are they inversely proportional to the quality of the training provided to the new
operators and end users. The more
informed and better prepared they are to assume responsibility for effective
implementation of the new system, the fewer phone calls and requests there will be for
service. Please refer to Section 14 for more detail.

11.3.4. System Support

Whether provided by the installing sub-contractor, the systems integrator, or another
contractor, on-going support will be required to provide periodic preventive maintenance,
and emergency system restoration. In very large systems, the owner will often have
sufficient staff and resources to provide in-house (proprietary) maintenance, but, often, it
will be more cost-effective to retain the system integrator or installer to provide these
services.

11.3.5. Final Deployment and Roll-out


A phase of the implementation process that is often ignored (and usually with disastrous
results) is the deployment phase. Deployment and roll-out of the biometric-based system
is a critically important component of the overall implementation plan. In fact, it should
be part of the first rough outline of the implementation plan and should become more and
more prominent as decisions on the other phases of implementation are made. The major
conceptual features of the implementation plan should be included with the contract
documents that go to potential bidders on the installation contract. The plan should be
thoroughly fleshed out very soon after contract award to re-emphasize its importance to
the vendor/installer/integrator.

Components of the final deployment and roll-out plan should include:

• Provisions for continuing operations during the installation phase of the project.
• Provisions for comprehensive system testing and validation prior to turnover.
• Provisions for “Training the trainers”, including specifics such as the vendor or
integrator-provided trainers monitoring the in-house trainers as they begin to train
end users.
• Provisions for training end users and keeping them practiced and current pending
initialization of the system.
• Provisions for exception processing or “work-arounds” during the transition
period.
• If feasible, provisions for operating an existing system in parallel with the
biometric system during the transition period.
• Schedules for all phases of the deployment and roll-out.
• Provisions for alerting the work force to changes in schedule and other
information critical to deployment.

Section 12 – Operations and Management

12.1. OPERATING PLANS

This section moves the focus of the BTAM from the requirements, design, and
engineering functions to initial and long-term operation of the biometric system or
subsystem. One of the primary concerns of any management team implementing a new
system or policy is that the new concept or system be fully functional, have employee
support, resolve a problem that affects company performance, and minimize conflict
with the remnants of the prior program (if any) that remain in place. Once again, there is
no real substitute for a plan that assumes responsibility for operations at turnover and
fully exploits the advantages offered by the new technology.

People, by nature, tend to be wary of something they do not understand or that is foreign
to the day-to-day processes with which they are familiar. Planning, documented in the
form of an Operating Plan, defines the process from initial introduction into the facility
to the eventual steady-state process of day-to-day functionality. If an Operating Plan for
the facility already exists in the form of a security plan or some other document, then the
operating management entity needs to consider and address the impact of the biometric
subsystem on that existing operating document. If such a plan is not in place, then a new
one that covers the issues to be considered for biometric usage should be prepared. In
such cases, it may be an opportunity to more fully address the overall integrated system
as well as the biometric component.

When it comes to developing an Operations Plan for both routine and non-routine
operations of a biometric identification system, there are no fixed definitions as to what
must be included. The security manager for the organization or his/her equivalent, with a
modicum of training, can define all of the operating issues that will need to be addressed.
As an alternative, an experienced practitioner can be engaged to develop the Operations
Plan for the organization, with the significant input and participation of the manager who
will live with the final product. For the most part, a logical Operations Plan would
consist, as a minimum, of the following elements. These should be addressed in as much
detail as possible to ensure that all stakeholders in the system have a reference for what is
expected of the biometric component, and how it is intended to support the overall goals
of the organization.

Mission, Organization, and Roles of Key Personnel
System description and its functional role in overall operations
    Enrollment requirements/schedule
        Initial
        Long-term
    User orientation
    Dis-enrollment procedures
Description of the normal/routine operating environment
    Equipment and performance
    Personnel performance, response, and problem resolution
    Support and supply requirements
Description of operations and procedures (planned or emergency) in a non-normal or non-operating environment
    Catastrophic failure
    Partial failure
    Work-around procedures
    Exception handling
Testing the system
Organizational/Corporate Support
Interface with external organizations
    Security/police
    State and local government
Training
Maintenance and Service
    Routine and Preventive
    Emergency and response
Resources and Budgeting

While this is not an attempt to cover all of the details that should be addressed in each of
these suggested areas, the following comments are offered for focused consideration.

12.1.1. Mission, Organization, and Roles of Key Personnel


Since the biometric identification system will have an impact on all segments of an
organization, expected impact and desired responses for all involved need to be defined,
as well as possible, in a Statement of Mission, Organization, and Roles. This need not be
complex. The mission or purpose of integrating the technology in the organization should
be clearly defined, and expectations should be reasonably stated as to what results are
anticipated. Any changes to the organization structure necessary to manage the new
resource should be identified, and the roles and key assignments related to those changes
should be explained as well. Personnel who will play an important role in start-up as
well as long-term operations should be comfortable with their responsibilities and
assignments, and additional training should be provided when necessary.

When developing the roles or functions for each identified person involved in the
operating system, nothing should be assumed. It is extremely important to the success of
the mission and the overall effectiveness of the operation that everyone perceives their
function clearly. All plans need to be flexible, adjusting to results as they occur during
the action phase of implementation.

12.1.2. System Description and Its Functional Role


Describe how the system will work and when and how it will be initiated in the
organization. Describe the enrollment process (supported by the manufacturer's/integrator's
information), the schedule, and how users will be oriented in its use. Explain the reasons for
dis-enrollment.

12.1.3. Description of the Normal Operating Environment
Speak to how the system fits in the organization’s security or other application program,
describing the process and the normal encounter that each user can expect. Describe the
function of operating personnel and their interface with both the system and the users.
Cover operation of the equipment to the extent that user and operator intervention or
contact is involved. Discuss issues that could occur and how they will be resolved.
Address supply or operating maintenance issues (like cleaning).

12.1.4. Description of Procedures in Other than Normal Operations


Describe planned downtime and the procedures for work-arounds when the system is not
available. Cover unplanned system failure in both partial and large-scale incidents and
the procedures that operating personnel and users are expected to follow. The procedure
for how routine exceptions will be handled (e.g., false rejections, lost card, etc.) should
also be described.

12.1.5. Testing
Discuss plans for testing the system on a scheduled and unscheduled basis to periodically
evaluate performance (machine and personnel) and to maintain confidence in system
operations.

One of the major functions of a biometric identification system is to perform a required
task on a sustained basis at levels well above those that can be attained with a manual or
human-based system. However, even though the acquired system may have met
performance requirements at the time of installation and turnover, there is no assurance
that the system will continue to perform at those levels throughout its lifetime. As with
most electronic or electro-mechanical systems designed to perform a security function, a
biometric technology-based application should be the target of routine audits to ensure
continued performance at the required levels. The audit should be accomplished by a
third party so as to preclude cover-up of system problems that have been ignored or
operator performance that is less than required. This function is normally accomplished
by the technical staff, if one exists in-house, or by an outside contractor who is both
competent and professional in performing such functions. Certainly, this is one situation
where the “lowest bidder” is not always the best or even an acceptable alternate solution
because of the potential for increased risk to the company.

Operating audits need to be accomplished on a regular, non-scheduled basis to ensure
valid data collection and system assessment. Audits, in a sense, are the determination of
system performance, including the human element, after the fact. Audits, per se, are not
designed to determine hardware failures, but instead to review the resultant effect of a
hardware failure on the ability of the system to provide the desired functionality and the
cost of doing so.

As with all audits, there is a sense of one group of individuals (the auditors) being cast in the
role of the “black hats” while those being audited are perceived to be the “white hats”
who are targeted to determine performance shortfalls. In reality, both groups, the
auditors and those being audited, should be working toward the common goal of
identifying system abnormalities and identifying corrective actions to ensure required
system performance. Audits tend to have a major impact on company operations: they
disrupt the daily routine and are normally performed during operating hours so that
those responsible for performing a function are available to respond to auditors'
requests for data. For that reason, audits should not be performed more than once a year
unless problems dictate otherwise.

Similarly, system tests are intended to determine performance of the biometric system
against operational requirements, but on a real-time basis. The system level testing
should be designed to evaluate and determine performance of both the hardware and
personnel, both the user and the operator. A system level technical test, if designed
properly, would include not only an evaluation of the hardware performance but also the
ability of the maintenance personnel to restore the system to required operational levels
in the event of a failure.

This being said, there are many levels of testing that can be developed in order to
determine the status of the system. Testing can be designed to evaluate and document
only the human component of the system, only the hardware element, or both. Test and
evaluation of the human element should include such functions as:

• Competency of the operator(s) to perform enrollments
• Ability to develop reports using the data produced by the system as the result of
daily operation
• Ability to react to system problems and failures.

Hardware testing should be accomplished to determine if reliability specifications are
maintained and maintainability requirements are confirmed. The implementation of
emergency plans by all designated personnel involved should be tested on a routine basis
to determine the adequacy of response in the event of system degradation, be it a
catastrophic failure or merely a component degradation wherein the system does not
perform to the required specification.

System hardware elements can be designed to execute required equipment tests either
manually or automatically, with the results documented in a report to management.
Ideally, all elements of the system – operator, user, hardware, and maintainer – should be
subjected to combined testing on a routine basis with a report to management of the test
results and recommendations for correction of deficiencies in system performance. To do
otherwise is to create a situation of false security where security is assumed to be
adequate but, in reality, the facility is highly vulnerable.

12.1.6. Organizational and Corporate Support


The backing and support of corporate management, including participation on the
individual level, is absolutely required for successful operation of the system. Procedures
or deviations that allow corporate managers to bypass the system for their personal
convenience will destroy the purpose and value of the installation.

Legal Department/Advisor
For the reasons described in Volume 1 as well as earlier in this volume, it is important to
have legal assistance available in reviewing the Operating Plan. Employees concerned
with their personal rights related to system use or concerned about personal identity
issues should have recourse to advice and have the procedure covered in the Operating
Plan. Also, a redress procedure should be defined to ensure prompt correction of any
incorrect information or data that has been entered into the system.

Personnel or Human Resources


Participation by the Personnel or Human Resources department in the operational
planning process is considered a very important requirement. They need to be aware of
the impact of operational planning on resources, to prepare documentation that is
required to inform employees of their rights and obligations in the use of the system, and
to assist the employees in transitioning to the new operation. In large organizations,
Personnel/Human Resources will most likely be expected to perform the following
functions during the implementation:

• Develop informational brochures to inform existing and new employees about the
technology.

• Establish and schedule an employee training program, in conjunction with the
Security Department to ensure employees receive adequate information about the
system.

• Follow-on assessment of user acceptance needs to be met by the Personnel
Department, with the support of the technical staff, either the in-house
organization or the system integrator/vendor responsible for installation of the
system.

Facilities Manager/Maintenance Organization


In most instances, the Facilities Manager or equivalent individual/organization will play a
major role in the acquisition, installation, and maintenance of the new system. This will
carry over to long-term operations as well.

Primary functions that can be addressed in the Operating Plan and are usually within the
purview of this organization/corporate area are:

1. identifying necessary modifications to the physical structure; and

2. providing for the availability of power, lighting, ingress/egress features,
troubleshooting services, routine preventative maintenance and corrective
maintenance functions to ensure the system maintains specified performance
throughout its life.

If the resources are not inherent in the company organization, the Facilities Manager will
be required to provide the necessary support using contracted services for the duration of
the system operation.

See also Section 13 for more detail on this matter.

12.1.7. Interface with External Organizations


The Operations Plan should identify the critical relationships with outside agencies such
as local police, fire, and other emergency response agencies and specify clearly when
they are notified and to what purpose.

12.1.8. Training
One of the key functions that the implementing organization must perform in the
introduction of the biometric technology into the organization is development and
execution of a well-structured training program for users. The training sessions should
include the following:

• A basic description of the technology involved, how it works (and does not work)
• Benefits being provided to the company and the individual employee through the
implementation of the biometric system
• Expected impact on everyone’s daily routine
• Address the expected concerns and fears the employees may have about the
technology such as: privacy issues, health issues (is there any possible damage to
their body), etc.
• Ensure the collected data will be protected, will not be provided outside of the
company, and will be limited to the intended application (security, time and
attendance, payroll, etc.)
• Address the process for enrollment and identification
• Address any religious concerns (use of facial images, iris images, etc.)
• Process for data integrity—will it be destroyed should the employee terminate
employment?
• Accommodation of individuals with disabilities and alternative solutions if
required by the employee demographics.

The training program should be structured to address not only the technical aspects of the
planned system, but also the personal concerns that employees may have.

For a more in-depth discussion about training, see Section 14: Training.

12.1.9. Maintenance and Services


See Section 13 for information on Maintenance, Services, and Warranties.

12.1.10. Resources and Budgeting


The Plan should be specific in spelling out the annual costs for operating and maintaining
the biometric system, as well as the overall system, addressing all of the categories
described in this section.

Section 13 – Maintenance, Services, and Warranties

13.1. MAINTENANCE SERVICES

The biometric portion of a system, like any other electromechanical system, requires
periodic maintenance to minimize failure (and/or disruption of service) for the want of
cleaning, lubricating, or adjusting. This is especially true with, but not limited to, moving
parts and components, such as door-strikes and sensor alignment mechanisms. Any
surface routinely touched by persons using the biometrics, such as fingerprint platens,
hand geometry platens, etc., requires periodic cleaning not only for continuing high
performance, but for the sake of good hygiene as well. Such surfaces are normally no
more a health threat to individuals than doorknobs, but a device that is routinely cleaned
encourages continued use and lowers user resistance to such technologies.

Vendors should be required to provide documented maintenance and calibration
procedures, a recommended spare parts list, and other appropriate maintenance
documentation.

13.2. PRODUCT WARRANTIES

Manufacturers are often required by law to offer product warranties. Additionally,
certain warranties may be deemed to exist unless expressly disclaimed. The information
contained in this chapter should not be construed or relied upon as legal advice. It is
provided for general informational purposes only and applies only to products sold in the
United States. Legal counsel should be consulted regarding product warranties to
determine how the law specifically applies to various applications and to particular
products.

General Requirements
The following is a list of some matters typically addressed by a written warranty.

• What the warranty covers or does not cover. The manufacturer should
disclose what the warranty covers and, if necessary, what it does not cover. For
example, if there are certain components or aspects of the device or system not
covered, then the manufacturer has to describe in detail what those exceptions are.
The warranty should also disclose to whom the warranty is extended and if it is
limited to the original purchaser.

• Period of coverage. The manufacturer should disclose for what period of time
the warranty is active. This part of the warranty should also indicate when the
warranty commences (e.g., on purchase, upon installation, etc.) and under what
circumstances, other than the defined period of coverage, the warranty may
become void (e.g., sale of product to a third party, failure to maintain, etc.).

• What the manufacturer will do to correct problems covered by the warranty.
The manufacturer should describe what it will do in the event of a problem with
the product (e.g., repair, replace, refund, etc.). The warranty should also tell
customers where to obtain warranty service and how to reach those persons or
companies. Additionally, the warranty should provide information on the
availability of any informal dispute resolution. The manufacturer should also
explain what it will not do under the warranty program. This explanation may set
forth expenses it will not cover, such as labor, and provide limitations on damages
for defective products, such as an exclusion for consequential damages, etc.
Some states do not allow such exclusions. This is the reason many exclusions are
accompanied by the following statement: “Some states do not allow the exclusion
of or limitations on relief such as incidental or consequential damages, so the
above limitation or exclusion may not apply to you.” Each organization should
determine its own limitations or exclusions as they apply in specific states.

• Limitations on Duration. The manufacturer may include a disclosure of any
limitations on the duration of implied warranties. This is the reason many
warranties are accompanied by the following statement: “Some states do not
allow limitations on how long an implied warranty lasts, so the above limitation
may not apply to you.”

• How state law may affect customer's rights under the warranty. The warranty
should answer this question because implied warranty rights and certain other
warranty rights vary from state to state. Thus, the following statement should be
included: “This warranty gives you specific legal rights, and you may also have
other rights which vary from state to state.”

13.3. IMPLIED WARRANTIES

In the absence of a written disclaimer of warranties, the manufacturer may be bound to
respect the terms of an “implied warranty.” Implied warranties are created by state law
and all states have them. These implied warranties generally have several common
features. Among them:

• A warranty of merchantability. This means the product will do what it was
advertised and put forward to do. A potato peeler will peel potatoes, a pen will
write, etc.

• A warranty of fitness for a particular purpose. If the kitchen appliance
salesperson knows that you are going to be using the peeler in a large commercial
kitchen, then the peeler he/she recommends should be suitable for that
environment.

• Period of coverage. The period of coverage under an implied warranty may vary
considerably from state to state.

• As is. A number of states permit manufacturers to avoid the “implied warranty”
provisions by marking products as to be sold “as-is.” Several states do not permit
“as-is” sales.

13.4. COMMON INDUSTRY PRACTICES

The NBSP surveyed 65 manufacturing and integrating companies within the biometric
industry to determine common industry practices with regard to warranties. While the
length of warranties offered ranged from three to 120 months, all but two offered a
standard 12-month warranty on parts and labor. Eighty-three percent (83%) of
respondents indicated they offer extended warranties for an additional fee. All but one of
the companies require a Product Return Authorization (PRA) before they will accept a
package submitted for repair service.

Section 14 – Training

14.1. ORGANIZATIONAL TRAINING PLAN

A training program should be established, implemented, and managed to assure that
adequate training is provided for all internal and external personnel who require or
request biometric training. The training plan can be a component of the Operating Plan
described in Section 12, or a separate document if managed by another part of the
organization.

14.2. NEEDS ASSESSMENT

A needs assessment is an essential element in determining an organization’s training
requirements. It is important to understand that training needs should be periodically
assessed as technology, processes, procedures, legal requirements, etc. change. Training
needs should be reviewed annually, at a minimum, by both the security and personnel
departments.

Needs assessments can be conducted in various ways. Some suggestions are:

• Interviews/conversations with key groups and organizations (i.e., managers and
key staff)
• Organizational surveys
• Analysis of metrics related to training, such as what the trainee must demonstrate,
or the level of performance required to be trained
• Review of current training completed in comparison to current required job tasks
• Brainstorming sessions
• Analysis of events that illustrate a need for training
• Study of trends

14.3. EXTERNAL TRAINING SOURCES

Introductory Level Courses


Limited training in biometrics is available in several forms to those contemplating use of
biometrics (see Appendix). For those exploring the possibility who have not yet
committed to a biometric system there are symposia, conferences, and short courses
available to give a broad overview of biometrics, highlighting different technologies (or
“modalities”), applications, and the pros and cons of each. These courses are often
attended by functional managers, senior managers, and decision makers.

The National Biometric Security Project offers a variable length (1-hour to 1-day)
Introduction to Biometrics course. This course is open to anyone and can be tailored to
fit organizational need.

Suggested Course Content – Introductory Level

History of Biometrics: First uses – Industrial Age – Early Forensics – Modern Biometrics

Foundations of Biometrics: Definitions – Properties of a Good Biometric – Templates – How Biometrics Work – Biometric Errors

Biometric Modalities: Fingerprint – Hand Geometry – Iris Recognition – Facial Recognition – Emerging Technology – Other Technologies

Biometric Applications: Access Control – Authorizations – Other Applications

Technology Adoption: Needs Analysis – Constraints – Considerations – Life-cycle Cost Analysis – Biometrics Life-cycle – Compatibility

Spoofing: Attacks – Countermeasures – Fingerprint – Iris – Hand – Face – Data Integrity

Biometrics Standards: Definition – Purpose and Goal – Benefits – Standards Bodies – Development Groups – NBSP Role

Other Issues/Concerns: Privacy – Legal – Societal Issues

Future View: Trends

Intermediate Level Courses


For those organizations that have decided to implement biometrics or that want more
detail, there are longer and more in-depth courses available to provide more detail
relative to technology selection, pros and cons, and implementation and deployment.
These courses are typically attended by middle managers, project officers, members of
the IT staff, and, in some cases, IT or biometric technicians. Such courses are designed
to run for three to five days. The National Biometric Security Project is currently
developing a course to fill this need. A sample course curriculum follows.

Suggested Course Content – Intermediate Level

History of Biometrics: First uses – Industrial Age – Early Forensics – Modern Biometrics

Foundations of Biometrics: Definitions – Properties of a Good Biometric – Templates – How Biometrics Work – Biometric Errors

Biometric Modalities: Fingerprint – Hand Geometry – Iris Recognition – Facial Recognition – Emerging Technology – Other Technologies

Biometric Applications: Access Control – Authorizations – Other Applications

Technology Adoption: Needs Analysis – Constraints – Considerations – Life-cycle Cost Analysis – Biometrics Life-cycle – Compatibility

Spoofing: Attacks – Countermeasures – Fingerprint – Iris – Hand – Face – Data Integrity

Biometrics Standards: Definition – Purpose and Goal – Benefits – Standards Bodies – Development Groups – NBSP Role

Other Issues and Concerns: Privacy – Legal – Societal Issues

Future View: Trends

Application Strengths and Vulnerabilities: Fingerprints – Iris – Facial – Hand

Installation Requirements: Technical Specs for Each Type of Application

Time Required to Install: Installation Time and Equipment Speeds – Testing Time – System Down-time

System Testing: How to Test – Basic Troubleshooting

System Work-arounds: Installation Issues – Putting the System Together

Lessons from the Field: Case Studies and Examples

Testing and Evaluation of the System: Accuracy – Enrollment – User Acceptance – Perceived Invasiveness – Ease of Use – Deployability – Scalability – Speed – Technology Maturity – Technology Performance Comparison

Deployment and Roll-out: Cost Comparison – Time to Implement – Staff Training Required – Training and Operational Tips

System Maintenance: Vendor Contracts – Typical or Scheduled Maintenance – History of Existing Systems

End-user Training: Training Programs and Best Practices

Role of Program Managers: Operational Personnel – Biometric Technicians

Advanced Courses
For academics and those who want to know details of algorithms, the matching process,
statistical basis for matching, and testing and evaluation, the NBSP is developing an
extended length course (5-10 day). Currently, there is one pre-eminent specialized short
course of five days offered through the UCLA extension system. A growing number of
universities are also offering one or two semester courses. A sample curriculum for a
multi-day advanced level biometrics course follows.

Suggested Course Content – Advanced Level

Day One: Introduction to Biometrics

Day Two: Science, Mathematical Basis, Theories, and Algorithms of Various Biometric Technologies; How and Why Various Biometric Technologies Work – Data Collection, Storage, and Usage Issues

Day Three: Testing Results and Protocols – Large-Scale System Performance – Legal/Sociological Issues – Vulnerability Assessment

Day Four: Introduction to Fingerprinting – Traditional Identification Processes – Legal Issues

Day Five: Applying Biometrics in Homeland Defense – Biometrics Standards – Large-scale System Acquisition Issues

14.4. INTERNAL TRAINING

Gaining user acceptance with efficient and correct operation of the biometric security
system is paramount to its success. Successful implementation, initialization, and
operation of a biometric system require managers to understand user concerns and
societal implications of biometrics. Such understanding provides the means to treat and
deal with important privacy issues that can smooth a transition to a new process and gain
user acceptance.

Initial Pre-activation Training


Training programs should focus on general orientation, operator/user training, and offer
certified technician training for IT staff. The training program should also include
reference materials in hard copy, hands-on activities, and possibly web-based versions of
materials to maintain ongoing support and provide updates to current information
regarding the biometric system.

Proper and continued training is of equal importance for all users, including program
managers, IT specialists, and end users. Users of a biometric system must be taught
proper procedure for the system to perform optimally. Users of a biometric system must
also have access to documentation regarding the system itself. Such documentation
includes, but is not limited to:

• User’s or student manuals, which should be clear and concise
• Procedures for using the technology in the form of walkthroughs and trial runs,
which will help users gain confidence in their knowledge of and ability to use a
system
• Policies protecting users and the organization
• Policies governing system use
• Policies governing the use of biometric templates
• Procedures for what to do in case of system error, failure, or building emergencies

When training program managers and IT specialists, keep the following in mind:

• These users need the same information as end users, targeted appropriately to
their level of knowledge
• The field of biometric identification is changing rapidly, so advanced users of
such systems need continued training on technological developments, security
issues, and changes in social/legal issues

Manuals should be short, simple, and to the point. The acceptance rate of the users will
be higher because they feel confident and secure in the knowledge of the biometric-based
system. Walk-throughs and trial-runs will help increase the comfort levels of users and
decrease the pressure placed on them. Such simulations will also help decrease the error
rates in the future when the users will not have someone with them while using the
system.

Proper training and education should always be part of the implementation plan for any
new installation or modification of an existing biometric system. Personnel who receive
proper and comprehensive training in the use of the system will prove cooperative and
supportive of system use. They should be guided carefully and unhurriedly through the
enrollment procedure and should be invited to ask questions about the system in general.
As mentioned, they should receive some reference documentation with help/inquiry line
details included as well. These things should be provided in a comfortable, non-
challenging environment.

The three basic levels of training include:

1. End User – Knowledge-based training: “What is biometrics?” Instructional
training: “How do I enroll and use the system in my daily activities? What
happens if the system doesn’t allow my access?” First-level troubleshooting.
Actions when that fails.
2. Administration – Instructional training: technical installation, system
management, and maintenance issues
3. Organization – Knowledge-based training: “Why Biometrics is our best
solution”, “Will my fingerprints be stored?”

This particular training program focuses on the end users.

End Users
The end-user population (employees, contractors, temporarily assigned personnel) must
be trained sufficiently to enable them to use the biometric equipment effectively once the
system is activated. Time between training and actual use of the system (or some portion
thereof) should not exceed a week. This may be challenging when end-user populations
are very large and may require multiple trainers and training sessions or other innovative
schemes, such as operating the biometric system in parallel with a current existing
system, staggering activation of the system, and/or setting up multiple readers near entry
points to enable end-users to practice authentication upon entry.

Initial user training should include the following:

• Introduction and general overview of biometrics (what they are, how they work)
• Overview of privacy issues, how biometric information will be controlled, end-
user options, and completion of informed-consent forms where deemed
appropriate.
• Detail on the technology (modality) of the specific system to be deployed.
• Demonstration of equipment use and the enrollment process.
• Actual enrollment of each end-user.
• Practice by each end-user on actual equipment.
• Overview of how the system will be implemented, including need for
daily/weekly practice between training and system activation, dates and structure
of staggered implementation, and/or dates and structure of overlap schemes.
• Sources of potential problems with the biometric system and things to avoid (use
of hand cream before using fingerprint platen, use of reflective sunglasses,
expressions in facial systems, etc.)
• Initial actions or troubleshooting by end-users when first encountering a problem
(wiping the platen, taking glasses off, speaking in normal voice, etc.).
• Work-arounds and actions of end-users when troubleshooting fails.
• Actions if system experiences catastrophic failure.
• End-user practice opportunities between training and system activation.
• A repeat of earlier student practice with instructor observation of each end-user.

Continuing Training after Deployment


An initial training capability will have to be maintained for new employees, contractors,
etc. Depending on the volume of new end-users, initial courses may have to be
conducted daily, weekly, monthly, or on an ad hoc basis. Refresher training, usually the
result of continuing problems encountered by specific end-users, can often be given
simply by a trainer observing the person and offering corrective advice or suggestions.
Where this is not a long-lasting solution, end-users may be integrated into the periodic
initial training for a second time.

A how-to guide for instructors helps ensure uniformity and consistency with the format
used to teach the course using various trainers. Because biometrics are technical in
nature, the organization may adopt policies for use of the technology.

Users tend to be more cooperative and supportive of a security system being adopted if
they:

• Receive proper and comprehensive training in the use of the system.
• Are guided carefully and unhurriedly through the enrollment procedure.
• Are invited to ask questions about the system in general.
• Have received some reference documentation with help/inquiry line details
included.
• Are trained within a comfortable, unchallenging environment.

14.5. PRACTICE USING THE BIOMETRIC TECHNOLOGY

Immediately following a comprehensive training program that introduces users and
administrators to the biometric technology, ample time should be provided for practice.
The more users engage with system functionality, the more comfortable they will begin
to feel performing the techniques.

As part of the overall system deployment plan, calculate the number of persons to be
trained, the length of time that will be required, and the length of time between classroom
training and system implementation. Based on that, write into the vendor or system
statement of work (SOW) the requirement to provide some number of sample sensors to
install at entry control points to allow end users the opportunity for “no-penalty” practice
on a daily basis. Ensure that such sample sensors provide pass/fail or go/no-go feedback
to end users. Stress in the classroom training the need to practice and become familiar
with the approaching biometric equipment/system before the implementation date.
Encourage end users to report problems immediately and take steps to re-enroll if re-
training is not adequate to get them thoroughly familiar with the system.

14.6. RESOURCE MATERIALS FOR TRAINERS

The following content provides a detailed explanation of the more popular biometric
methods, why each is useful for security, and how-to steps and techniques for users to
apply to a given situation where the technology is in use.

Train only the modality (or biometric technology) that has been selected for the particular
installation and augment that material with material provided by the specific vendor of
the equipment to be installed in the facility or facilities. This may require a provision
spelled out in the SOW.

A variety of biometric technologies are available, including those used for facial
recognition, fingerprint identification, hand geometry, iris recognition, and
voice recognition. Some examples of these technologies are described in the chart that
follows.

Table 14-1

| Name of System | Website | Weight (lbs) | Applications |
|---|---|---|---|
| HandPunch 4000 | http://www.compumatictime.com/biometric/index_hp4000.html | 6 | Time and Attendance |
| HandKey II | http://www.safe-mart.com/hk2.html | 6 | Physical Access Control |
| LG IrisAccess 3000 | http://www.quicksitemaker.com/members/fephila2/iris.html | 8 | Transportation Security, Laboratory Security, Infrastructure Security, Public Safety and Justice, Border Control, Data Center Security, Time and Attendance |
| OKI IrisPass-WG | http://www.oki.com/jp/FSC/iris/en/iriswg.html | 13.2 | Transportation Security, Laboratory Security, Infrastructure Security, Public Safety and Justice, Border Control, Data Center Security, Time and Attendance |
| MorphoAccess MA300 | http://www.bioservice.ch/english/physical.html# | 1.6 | Physical Access Control; Multi-layer Verification for Low-to-High Security |
| FINGER007/P | http://kor.idteck.com/product/product_list.php?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1 | 1.20 | Time and Attendance Access Controller |
| FACE007/P | http://kor.idteck.com/product/product_list.php?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1 | 1.25 | Physical Access Control |
| ActiveID | http://www.geometrix.com/products/biocamera.html | 1.5 | "Face in a Crowd" Surveillance; Enables 2D and 3D Measurements for Forensic Criminology Applications |
| Access Control System | www.magen.ca/.../photos/ | N/A | Physical Access |
| Mercedes voice control - Linguatronic | www.whnet.com/4x4/vrm.html | N/A | Controls different aspects of the car |
Case Studies

Case Study A – India: Ration Card Program

Problem

The government of Andhra Pradesh, India, needed a program to control and manage the
distribution of nearly 80 million state-issued food ration cards. These ration cards
provide citizens with necessities – ranging from electricity to petrol to food – and the
program, historically, has been laden with fraud. The Government of Andhra Pradesh
wanted a solution to eliminate fraudulent cards and theft of goods and services, and to
reduce costs and ensure its citizens are receiving the entitlements they are qualified to
receive. Andhra Pradesh is the fourth largest state by area, and the fifth largest by
population.

In addition to providing access to goods and services, the ration card is also a pseudo
national ID card for the citizens of Andhra Pradesh. These cards help citizens get
passports, admission into college, and other privileges. All families of the state receive
ration cards. White cards represent those in or near poverty who need assistance; pink
cards are given to those who can afford to buy what they need, whereby the card is used
primarily for identification.

Source: Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006

The identification solution was also envisioned to be the foundation for an extensive e-
government program. Long-term plans are for using the identification solution as a
means of proving citizenship, as well as for other authentication/identification
applications in the future. The government intends to provide electronic communication
access in every village, including PCs and broadband connectivity, and believes
automated ID authentication is a cornerstone to a successful and pervasive e-government
platform.

The government of Andhra Pradesh also provides a hostel-education program to the
needy children of the state. The identification solution selected for the ration card
program would also be used to confirm the identities and populations of the nearly 4,000
child hostels across the state to reduce fraud and skimming perpetrated by unscrupulous
hostel managers (one might claim, for example, that he has 150 children in the hostel
when, in fact, he has only 50, keeping the extra supplies for himself or selling them on
the black market).

Access to low-income houses and housing subsidy programs for 28,000 families who
apply for housing assistance will also be integrated into the chosen identification
solution. The biometric-based solution will be used to identify citizens to make sure
those who are entitled to such support receive it, and that those who are trying to defraud
the system do not. Historically, the government has learned of citizens who have
fraudulently applied and reapplied for low-income housing support, and of others who have
applied to receive more than one house.

The government was in need of a solution for administrative control in the allocation of
approximately 9,000 affordable homes in the Guntur District, Andhra Pradesh. Under the
Rajiv Gruha Kapla – affordable housing program for the urban poor – initiated by the
Department of Housing in the State of Andhra Pradesh, an initial stock of affordable
homes in Guntur District would be made available, with an enrollment process that
incorporates iris recognition of applicant couples to prevent duplicate housing
applications.

Before the iris code-based ration card program was implemented, most ration cards
had been issued to Andhra Pradesh households up to 20 years earlier. Since that time, many
more new families have been added to the ration card system, so the new program must
be flexible and scalable to account for an ever-expanding population.

Process

The state of Andhra Pradesh sought a biometric-based identification solution to help
eliminate fraud in its various benefits and citizen support programs. Several different
biometric technologies were tested. It was determined that iris recognition was the ideal
biometric technology for this application since other technologies did not provide the
results they required.

After testing both iris recognition and fingerprint technologies, the state of Andhra
Pradesh issued an RFP in June 2005 for the use of iris recognition technology in the
ration card program. Key challenges faced by the implementation team were a
widely dispersed population – a combination of small villages, several large cities, and a
broad spectrum of people – and varying degrees of education among the citizens; the
solution therefore had to be very easy to use. Additionally, the government needed to integrate the
biometric solution into its existing legacy system, while also enhancing the state’s ability
to add additional capabilities and programs in the future.

The other technology that was considered – fingerprints – caused difficulties for many
citizens due to the ubiquity of farmers, trades-people, and others who labor with their
hands and rub off their fingerprints or render them difficult to read.

After significant testing, the government selected iris recognition technology as the best
solution for its current and future needs. They found enrollment to be easy and very fast,
and the technology to be highly accurate in a one-to-many search mode.

In discussing the selection of the technology in a press release initiated by LG Electronics
dated September 8, 2005, the Managing Director of Andhra Pradesh Technology Services
commented, “We looked at several different technology options. While enrollment ease
and recognition speed and accuracy all count, there are many other reasons iris
recognition and the robustness of the platform made it impossible in the end to choose
anything else. That the technology works equally well on adults of all ages as well as on
children – who as household members are also being enrolled in the ration card program
– it requires only a single enrollment in a lifetime (barring trauma). This makes iris
recognition ideal for our long-term needs as the government plans to follow this program
with a variety of new service offerings that will be based around the ability to use the
new ration card as a valid government-issued identity credential.”

Solution

The iris recognition technology provider (LG Electronics – Iris Recognition Division)
worked closely with an India-based integrator (Andhra Pradesh Technology Services), a
technical services arm of the state government. The development of the RFP, design,
integration, and deployment of the system were all managed in-country by APTS.

It took approximately three weeks for the iris recognition-based solution to become fully
integrated and functional, and incorporated into the citizens’ daily lives. It is anticipated
that, by the end of 2006, the entire 80 million population of Andhra Pradesh will be
enrolled and actively using the iris recognition-based ration cards.

In basic terms, iris recognition-based ration card enrollment is accomplished as
follows: the family members participating in the ration card program go to one
of the several hundred enrollment stations across the state, provide their demographic and
biographical information to the enrollment officer, and look into the iris recognition
imager to have their iris patterns recorded. This iris pattern is linked with the person’s
biographical information and stored in a central database, as well as embedded into the
ration card.

The initial cost of the solution was certainly a concern for the Andhra Pradesh
government, but they viewed the overall long-term savings and efficiencies offered by
the iris recognition-based solution to be higher. Long-term plans for an e-government
platform and identification authentication were key issues in the decision about which
technology and solution to deploy.

The government of Andhra Pradesh would not disclose the budget or cost for this system.

Results

To date, there has been no push-back from the Andhra Pradesh citizens regarding the use
and implementation of the iris recognition-based solution. In fact, indications are that the
citizens are willing to participate, since they cannot receive their benefits if they do not.
As of October 2006, over 20 million ration cards were distributed in a 16-month
timeframe[17] with bogus cards being eliminated in tandem.

Enrollment. The state turned over the running of over 600 enrollment sites to private
entities who charge a fee (40 rupees per ration card) for enrollment into the ration card
program. The Andhra Pradesh government provides limited support to these enrollment
stations, as they are privately managed and run. The manager/owner of the enrollment
station keeps the profits and shares a portion of the ration card fee with the government.
As of October 2006, enrollments are 85% complete.[18]

Training. A centralized training program was developed prior to the deployment of the
system. The owners of the enrollment stations were trained in how to enroll and use the
iris recognition system and they, in turn, trained their personnel (train-the-trainer
concept). The training process took a matter of weeks and both LG Electronics and the
local integrator partner assisted in the program.

Cost Savings. Although there are no hard numbers available to calculate the cost savings
the iris recognition-based ration card program has provided to the government of Andhra
Pradesh, the state anticipates that 60%-70% of fraud will be eliminated merely by
deploying the technology, since potential fraudsters will be discouraged from attempting fraud
with the accurate identification technology now being used.

Initial calculations in some Andhra Pradesh districts indicate the government has already
benefited from substantial savings by deploying the technology, in terms of reduced fraud
and subsidies, which extends beyond the primary ration card application into district
stores, youth hostels, and low-income housing. Helping the government save money by
reducing or eliminating fraud provides a real service to the Indian citizens who are in
need.

As of March 2006, this deployment in India is the largest known deployment of iris
recognition technology in the world. Between initial implementation in July of 2005
and February 2006, approximately 8 million people had been enrolled in the iris
recognition-based ration card program. As of October 2006, over 20 million ration
cards were distributed in a 16-month timeframe[19] with bogus cards being eliminated in
tandem, and 80 million individuals have been enrolled in the iris ration card program.

[17] Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006
[18] Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006

Within weeks of deployment in the Guntur District, the iris recognition-based affordable
housing application program uncovered at least two known cases of ineligible
applications.

In a press release initiated by LG Electronics dated September 8, 2005, a senior Andhra
Pradesh government official commented “ . . . is envisioned as the technology foundation
for a variety of social services initiatives the government has planned and believes are
important. There are, of course, financial benefits realized simply by ensuring that
services and subsidies are delivered properly to those people entitled to receive them and
who need them most. But there are numerous consumer benefits including enhanced
convenience that are part of the ration card management program and these represent just
the beginning of things we can do to make things better for the people of this state who
deserve help and improved services from their government.”

What would they do differently next time? Lessons learned . . .

One of the most important things for those making biometric-based technology
implementation decisions is to look at each technology on its own merit and not let
cost alone drive the decision. Look at the utility and functionality of the biometric
technology, disengage from pricing and from legacy system issues, and determine the
true usefulness of the technology on its own merit.

It is also important to involve the various technology vendors before the RFP process.
Engage them in a consultative process and leverage their knowledge. Use vendors as
partners in the RFP, review, selection, and deployment process, rather than just as
providers of hardware or technology.

Sources and resources for this case study:

- Interview with Mohammad Murad, Director, Sales and Business Development, LG
Electronics USA – Iris Technology Division – February 23, 2006
- “LG Electronics lands huge iris scan program in India.” Government Security News.
September 2005.
- “Iridian Technologies facilitates affordable housing program in Andhra Pradesh,
India; Iris Recognition system validates identification to ensure equal opportunity.”
www.zdnetindia.com/news July 13, 2005
- “LGE Iris Tech Win in India Redefines Biometric Scalability.” LG Electronics press
release dated September 8, 2005.
- “India eyes Iridian.” Optics Report. July 12, 2005
- “Indian housing plan uses local technology.” Passage to India Business Weekly.
July 2005.

- Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra
Pradesh State. Presentation by LG Iris at the Biometrics 2006 Conference, October
2006

[19] Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006

Case Study B – State of Illinois: Driver Licensing

Problem

Identity theft is a fast-growing crime that has become a major problem for both law
enforcement and victims. A survey conducted by the U.S. Department of Justice (DOJ)
found that the costs associated with identity theft are greater than $6 billion annually
and that it has affected millions of individuals and families. Driver’s licenses and
identification cards are by far the most common form of identification used in the U.S.
Agencies that issue credentials like driver’s licenses and passports are a prime target
of would-be identity thieves. Maintaining the integrity of these forms of identification is extremely
important. Once an identity thief has obtained a license or identification falsely, it is
relatively easy to assume another’s identity and gain access to their finances.

Each year, the Secretary of State for the State of Illinois is responsible for issuing driver’s
licenses and identification cards to residents of Illinois. The Office has issued over 8.6
million driver’s licenses and 3.2 million identification cards at over 130 different motor
vehicle facilities within the state of Illinois in the last year. The cards are issued in an
over-the-counter manner where the cards are distributed to the individual at the time of
the visit. Eight thousand to 12,000 images are captured on any given day.

Prior to 1998, the Illinois Secretary of State would rely on its employees to review
documentation (typically a primary and secondary form of identification) and
demographic information provided by an individual seeking a driver’s license or
identification card to verify the identity of the individual. If the demographic information
and documentation matched, as verified by an employee, the applicant would then have a
film picture taken and a license and/or identification card would be issued on the spot.
One of the issues faced by the agency was that not all of the primary and secondary forms
of identification included a photograph of the individual. This made it challenging at
times for the employees to validate the applicant’s identity, which left opportunity for
error. The other issue with the film system was that the Office did not retain copies of all
the photographs taken. This was not possible with film photography.

Upholding the integrity of the identification system in Illinois is the responsibility of the
Secretary of State. In 1997, the Illinois Secretary of State was in the process of
transitioning the film-based photograph system used for taking driver’s license pictures to
a digital-based photo system. This created an opportunity to improve their current system
with added tools. There were two initial objectives in evaluating potential systems:

• The cards issued could not be easily altered or forged
• To ensure that the person holding the card is authorized to have it, is uniquely tied
to it, and is who the card says he or she is

If the system could decrease the potential for card tampering and increase the accuracy in
the identification system, there would be the potential to reduce the incidence of identity
theft and fraud and increase public safety. All this needed to be done without
compromising the privacy of the individual cardholder.

Process

The state of Illinois sent out a request for proposal for a digitally based photograph
driver’s license/identification card (DL/ID) system for the Secretary of State’s driver’s
license photos. The original proposal did not require a face recognition system, but
included it as an option for inclusion as part of an image system that could accommodate
the large number of photos in a database. Only one vendor submitted a proposal that
included the option, and they were the overall successful bidder. The biometric system
would be a component of the larger system. Soon after the contract for the larger system
was executed, the Secretary of State’s Office decided to pursue this option.

Facial recognition seemed like a logical conclusion for this application. Facial
recognition requires a digital photo of the individual, something that was already part of
the DMV process. This allowed for passive, non-intrusive data gathering that had
minimal effect on the customers and minimal effect on facility operations. The customers
expected to get their picture taken when acquiring or renewing a driver’s license and
there were no additional requirements of the DMV employees. Facial recognition
technology could be applied to a piece of data that DMV was already using: The photo.
In addition, no new legislation would be needed to implement the system. The facial
recognition system was compatible with imported photos from other states so that it
could potentially be used for law enforcement.

An important component of the biometric system was that it could handle a one-to-many
(1:N) environment versus a one-to-one (1:1) environment. A one-to-one match is where
an individual presents his/her biometric sample and it is compared to the one he/she
presented at enrollment in the system, to ensure he/she is the same person. A one-to-
many matching environment is one where the individual’s identity is verified by
presenting his/her biometric sample and comparing it to many others in the database. In
the case of the Illinois Secretary of State, the system would be required to determine if
the person is known to the system (with or without a claimed identity) by comparing the
presented biometric sample and resultant template with all other known references in the
database for the purpose of finding any cases where the same person was enrolled more
than once, and had established multiple identities using different demographic data. This
type of system screens driver’s license applicants to make sure that the person is not in
the system under a different identity. Because of the large number of photos that would be
captured, it was critical that the system could be scalable to a very large database.

On a daily basis, the system works as follows. An individual comes into the Secretary
of State office to obtain or renew a driver’s license or identification card. The individual
provides his/her name and a primary and secondary form of identification to the
employee. The information is input into the database. The individual then has a digital
photograph taken to be used as input into the facial recognition technology, as well as for
use on the actual driver’s license or identification card. Unless there are discrepancies in
the primary and secondary data sources provided, suspicious documents presented, or in
the other verification systems used (such as Social Security On-Line Verification), the
individual is printed a driver’s license or identification card on the spot.

Results using the facial recognition technology are not immediate. The digital image is
sent to the central database each evening and is then compared against the more than 20
million images in the system, scanning for any duplicate entries. The facial recognition
technology does this by placing a grid or graph over the individual’s face identifying
specific nodal locations. The nodal points identify local feature information and this is
compared to other samples using a weighted sum of node similarities. To put this in
layman’s terms, the face is broken down into specific features and those features are
compared to all the other digital photos in the central database.
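
The following Python sketch is an added example, not code from this manual or from the vendor's system. It contrasts a 1:1 check with the nightly 1:N duplicate screen described above, scoring templates by a weighted sum of node similarities; the node names, weights, cosine measure, thresholds, and records are all constructed assumptions.

```python
from dataclasses import dataclass
from math import sqrt

# Assumed values for illustration; a real deployment tunes these on its own data.
NODE_WEIGHTS = {"left_eye": 0.3, "right_eye": 0.3, "nose": 0.2, "mouth": 0.2}
MATCH_THRESHOLD = 0.95   # a score at or above this is a candidate match
MIN_COVERAGE = 0.5       # minimum total weight of located nodes needed to score


@dataclass
class Record:
    record_id: str   # constructed record number
    name: str        # demographic data supplied by the applicant
    nodes: dict      # node name -> local feature vector


def cosine(a, b):
    """Similarity of two local feature vectors (assumed measure)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def coverage(nodes):
    """Total weight of the nodes that were located in an image."""
    return sum(w for n, w in NODE_WEIGHTS.items() if n in nodes)


def similarity(a, b):
    """Weighted sum of node similarities over nodes present in both templates."""
    shared = [n for n in NODE_WEIGHTS if n in a and n in b]
    total = sum(NODE_WEIGHTS[n] for n in shared)
    if total < MIN_COVERAGE:
        return 0.0   # too little of the face in common to compare
    return sum(NODE_WEIGHTS[n] * cosine(a[n], b[n]) for n in shared) / total


def verify(probe_nodes, enrolled):
    """1:1: compare a fresh sample with the one record of the claimed identity."""
    return similarity(probe_nodes, enrolled.nodes) >= MATCH_THRESHOLD


def nightly_screen(batch, gallery):
    """1:N: compare each new record with every known record, whatever name it claims.

    Returns (candidates, unscreened). Candidates go to a human reviewer; a
    poor-quality image is reported instead of silently passing the screen.
    """
    candidates, unscreened = [], []
    known = list(gallery)
    for rec in batch:
        if coverage(rec.nodes) < MIN_COVERAGE:
            unscreened.append(rec.record_id)
            continue
        for other in known:
            score = similarity(rec.nodes, other.nodes)
            if score >= MATCH_THRESHOLD:
                # Same name may be a legitimate second record; a different
                # name is a possible multiple identity. Staff decide either way.
                kind = "same_name" if rec.name == other.name else "different_name"
                candidates.append((rec.record_id, other.record_id, kind, round(score, 3)))
        known.append(rec)   # later records in the batch are checked against it too
    return candidates, unscreened


# Constructed sample data (not real records).
GALLERY = [
    Record("IL-001", "A. Smith", {"left_eye": (0.9, 0.1, 0.2), "right_eye": (0.2, 0.8, 0.1),
                                  "nose": (0.1, 0.3, 0.9), "mouth": (0.5, 0.5, 0.1)}),
    Record("IL-002", "C. Lee", {"left_eye": (0.1, 0.9, 0.3), "right_eye": (0.8, 0.1, 0.4),
                                "nose": (0.7, 0.6, 0.1), "mouth": (0.1, 0.2, 0.9)}),
]
BATCH = [
    # Same face as IL-001, enrolled under different demographic data.
    Record("IL-900", "B. Jones", {"left_eye": (0.88, 0.12, 0.22), "right_eye": (0.22, 0.79, 0.12),
                                  "nose": (0.12, 0.28, 0.91), "mouth": (0.48, 0.52, 0.12)}),
    # Same face and same name as IL-002, e.g. a licence plus an ID card.
    Record("IL-901", "C. Lee", {"left_eye": (0.12, 0.88, 0.3), "right_eye": (0.79, 0.12, 0.41),
                                "nose": (0.69, 0.61, 0.12), "mouth": (0.12, 0.2, 0.89)}),
    # Poor image: only one node located, so the record cannot be screened.
    Record("IL-902", "D. Patel", {"mouth": (0.3, 0.3, 0.3)}),
]

if __name__ == "__main__":
    found, skipped = nightly_screen(BATCH, GALLERY)
    for new_id, old_id, kind, score in found:
        print(f"review: {new_id} vs {old_id} ({kind}, score {score})")
    print("recapture needed:", skipped)
```

Because the screen runs after the card has been issued, its output is a review queue for trained staff, not an automatic rejection.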

Solution

The State of Illinois decided to implement the facial recognition technology into its
overall system because it had significant advantages and would work effectively with the
new digital photo system that was being installed.

There were several issues that needed to be addressed in implementing the new system.
First and foremost was how the State would pay for the system and what infrastructure
was needed to support the system. The State recognized it would need some assistance in
funding the project; the cost was too high. The State was proactive in soliciting other
agencies to help bear the burden of the cost. The State focused on agencies that would
benefit from the technology and data that could be provided. The Illinois State Police
chose to assist in funding. This created a new challenge in how to design a system that
would be compatible with two agencies and determining what it would take to meet both
organizations’ needs. The system actually was quite compatible and did ultimately
interface well within the organizations although, as with any new system, it had its
growing pains.

Although the system seemed to fit quite well for this application, there were still many
unknowns. Since the Secretary of State’s office was the first to use the technology in a
high volume, one-to-many environment, there was nowhere to go for guidance. The
impact on operations was largely unknown. The technology was relatively new and there
were questions on how well it would perform. Sending a large number of photos across a
network also prompted security and privacy concerns.

It took the State of Illinois close to three years from the original RFP to design and
implement the entire new and improved overall system. The biometric component was
the last part of the overall system to be installed.

Results

The facial recognition technology has been an overwhelming success for the State of
Illinois. When the system was implemented by the State, there were no other benchmark
systems that could be used to gain insight. Facial recognition technology was being used,
but typically on a much smaller scale. The technology has enabled the State of Illinois to
accomplish its objective of improving the integrity of driver’s licenses and identification
cards.

Although there were certainly some growing pains in the process, the implementation
was relatively easy because it dovetailed into the current operating system; the challenge
was more on the back-end than the front-end. The gathering of the data was very
consistent with what typically occurred; however, the processing of the data was complex,
and developing the procedures to follow if a fraud case was identified through this mechanism was
something new to the office. The State now had to deal with new tasks like daily review
of potential multiple identity cases, increased number of fraud cases to investigate, and
use of a new technology as part of the evidence used in the criminal justice system when
cases were pursued. It was a major change in how the organization operated. One of the
results of its use was establishment of an ID Crimes Unit to focus resources on this new
technology and the growing rate of identity crimes it could help uncover.

“Both the use of face recognition and the use of stored images in the proofing process
have resulted in early detection and prevention of fraud that would have otherwise gone
unnoticed, maybe for years,” stated Beth Langen from the Illinois Office of the Secretary
of State. To date, the facial recognition technology has identified over 3,100 cases of
fraud. This included over 2,700 individuals with two identities and over 300 cases with three
or more identities. As a result, the DMV has cancelled over 9,700 licenses.

What would you do differently next time? Lessons learned . . .

The Illinois Secretary of State’s office began the process of implementing the facial
recognition system in 1997. The original Request for Proposal (RFP) was to upgrade the
DMV film photography system to a digital based system. The original RFP included the
option for face recognition and it was exercised. This system best fit their application.
Other biometric technologies were not considered or evaluated. The Secretary of State
chose the facial recognition system and was successful; however, there were many
lessons learned.

The first lesson learned was to ensure the integration of the system was in line with
current business practices. When adopting the facial recognition biometric, the existing
business processes needed to be re-evaluated to make sure that the processes would
adequately support the biometric and determine if there were process changes required.
One example of the importance of re-examining business processes involved the timing of
the issuance of identification cards or licenses. Cards are issued at the time the individual
visits the office. However, the facial recognition process currently requires sending the
photo image to a central database where it is processed overnight. If multiple identities
are detected, the individual has already been issued a card and would need to be located.
As part of a business processes review, the office will soon be evaluating many business
processes, and that will include processes for face recognition and card issuance.

It is also important to consider the human factor – even though a biometric is being used
for determining if there are multiple identities in the system, it is still the responsibility of
an employee of the Secretary of State’s office to make the final decision if there is fraud.
A trained staff with the appropriate skill set is critical. There are instances of false
positive matches that are not fraud, but occur because an individual has more than one
legitimate record in the system or may look a great deal like another person, in the case of
identical twins, for example.

Another important lesson learned was that the system selection, design, testing, and
evaluation take a significant amount of time and effort. Having the resources that can
devote the appropriate amount of time is important. It is also very difficult to test a
system outside of the anticipated production environment and see the shortfalls. Only
when a system is up and running in the actual environment can shortcomings or
performance issues be accurately identified. Therefore, it is important to continue to
evaluate the performance of the system on an on-going basis after it has been installed.
Upgrades can be made and have the potential to significantly improve the overall
performance.

Managing expectations is extremely crucial. There is the belief that a biometric is
foolproof; that it can detect any type of fraud. This is not the case and people are still
ultimately responsible for the success of the system.

When installing a biometric system, it is vital to consider how the public and customers
will react. The reaction to facial biometrics in Illinois was positive. This was primarily
due to the fact that it was a non-invasive method for the purpose of preventing identity
theft and fraud and associated crimes, not a system of surveillance that is typically
associated with privacy concerns. In this respect, it is protecting identities. The system is
only accessible by Secretary of State employees and law enforcement personnel.

The environment that the system is operating in should also be considered. For a facial
recognition system, proper lighting, camera locations, etc. can affect the overall quality of
the image and thus affect the performance of the system. If the image taken is not of a
reasonable quality, the accuracy of the system has the potential to be reduced.

Sources and resources for this study

- Interview with Beth Langen, Illinois Office of the Secretary of State
- Biometric Summit Winter 2006 Proceedings
- Viisage press release “Illinois Secretary of State Partnering with Viisage to
Prevent Identity Theft – Digital Driver’s License with Face Recognition”
www.viisage.com

Case Study C – The City of Glendale, California: Desktop Computer Access

Problem

The City of Glendale is the third largest in Los Angeles County. In 2001, the city was
under pressure from auditors to maintain high security standards for sensitive
information. At the same time, the Federal Privacy Act was requiring higher access
security. Passwords that were easy for users to remember were not secure enough. The
city needed to use randomly generated eight-digit alpha-numeric passwords that were
changed every 60 days. As a result, the city’s 2,000 employees were writing their
passwords down on or near their workstations. Ninety-five percent (95%) of users failed
to change their passwords within the time allotted, and became locked out. Forty-five
percent (45%) of help desk calls were from locked out users, costing the city roughly
$50,000 per year just in password administration costs.

Glendale’s municipal employees are located all across the city in 300-400 different
offices working for diverse agencies including public works, power, finance, and
administrative services.

The city implemented a single password for multiple uses, which proved to be of little
use when 1,900 users were locked out of their systems every 90 days, requiring at least
two hours of work per day from the help desk staff. Because most of the calls came in
clusters, employees experienced significant unproductive time as well.

Process

A member of the City Council saw a demonstration of biometric keyboard authentication
at a city fair and requested an investigation. Multiple options were considered by the IT
department, and a Digital Persona fingerprint reader was selected. The price, then roughly
$150 per unit, was a factor, but because the vendor allowed small numbers of units to be
purchased at a time, the city was able to test a few stations without a significant initial
financial commitment. The units were popular. Over time, additional departments
enrolled and received fingerprint readers as funds became available.

Solution

The device was a UareU® 2000 Pro Workstation Package with sensor and software. The
initial installation required having the software installed on each participating machine.
The USB device is smaller than a mouse and contains a sensor. Most users primarily use
their thumb, though multiple fingers and the entire thumb are initially registered into the
database.

The system generates a computer password and synchronizes it with the user’s
fingerprint. Users do not have to remember anything. Scott Harmon, the City’s Assistant
Director of Information Services, says, “Just bring your finger.” There are exceptions
though. For example, temporary workstations do not yet employ the fingerprint reader
biometric.

The city has since upgraded to the 2004 version of the software, where it can be installed
and upgraded centrally. Other new options and newer versions are server-based, allowing
users to log into any networked computer and access their own files. Glendale would like
to upgrade to this system in the future, though it would increase the costs.

Results

User Acceptance. To date, there has been no push-back from any employee. Generally,
users are very pleased at the ease of use of the system compared to the past. There have
been no civil liberties issues that have come to the attention of the IT staff.

User Rejection. Glendale has one employee whose fingerprints do not register. Other
than this, there have been no documented cases of false acceptances. Rejections are rare.
Subsequent to contact with swimming pool chemicals at his home, one employee
experienced a temporary change in his fingerprints. Other employees have had cuts on
their fingers or slammed fingers in a car door, causing temporary changes. As a
precaution, the city registers multiple fingerprints and the entire thumb.

Enrollment. The systems are incorporated into daily activity immediately since there is
no learning required of the end user. “All they have to do is put their finger on there and
go,” says Harmon. Most employees are comfortable with the concept, which they have
experienced at the local Department of Motor Vehicles. Registering a new fingerprint
and setting up a new account is not difficult and has become easier over the last few
years.

Maintenance and Training. To date, all maintenance for the systems has been handled by
the in-house IT staff, which spends considerably less time on the fingerprint access
system than they did with forgotten passwords. Newer reader models that have come
along in the last few years are slimmer and easier to work with. Harmon considers
Digital Persona’s field technicians to be quite competent. His staff calls with questions,
and most issues are resolved over the phone.

Cost Savings. Glendale has not tracked the cost savings of the fingerprint keyboard
access systems in terms of increased employee productivity and fewer required help desk
resources. In 2001, the cost per workstation was roughly $150. Today, that cost is
reduced to approximately $100 per workstation. For a city the size of Glendale to roll out
a new system today would cost approximately $200,000.

What would they do differently next time? Lessons learned . . .

The only drawback to the system, according to Harmon, is that it does not accommodate
remote users. RSA’s portable, key-sized devices are better for people who work in the
field, telecommute, or want to check-in over the weekend. When employees want remote
access, they must call the help desk for a remote reset, which must be re-synchronized
when the employee returns to the office.

Anyone rolling out a new system today would have easier maintenance than Glendale
had during its system launch. For example, Active Directory is a new feature that allows
uploads to the domain controller that houses a central repository of all fingerprints and
passwords. “It would be much easier to maintain. At the time a few years ago that wasn’t
in place. That’s why we are in stand alone mode now,” comments Harmon.

In the future, Glendale also wants to enable employees to access their files
from any workstation.

Sources and resources for this case study:

- Interview with Scott Harmon, Assistant Director, Information Services, and Steve
Richmond, Security Analyst, City of Glendale, CA, March 8, 2006.
- “Glendale, CA Goes with Biometrics”, Biometrics in Human Services, User Group
Newsletter number 27, Volume 6, March 2, 2002. State of Connecticut, by David
Mintie
- “Glendale Locks Down PCs with Digital Persona Biometrics”, by Lynn Haber,
October 18, 2001, Ziff Davis http://techupdate.zdnet.com
- City of Glendale, Case Study Digital Persona. Digital Persona
http://www.digitalpersona.com/docrequest/pdf1?pdf=18

Case Study D – Lancaster County Prison: Inmate Identification

Problem

Although the mistaken release of prisoners was not a common occurrence at the
Lancaster County Prison, one high profile incident in 1993 resulted in an unprecedented
innovation. An accused murderer walked out of the front door by impersonating another
inmate. The prisoner was subsequently caught and convicted of the murder.

At the time, the prison employed a standard release protocol that consisted of human-
based facial recognition (i.e., the guards looking at the prisoner’s face) and a series of
specific questions relating to the inmate’s incarceration experience and pre-prison life.
“There were checks and balances and everything had to go wrong for this to happen and
everything went wrong,” says Luther Schwartz, Training Officer and Department
Network Administrator for the prison.

Process

In the wake of the incident, Moorestown, New Jersey-based Iridian Technologies
arranged a demonstration of its IriScan iris recognition device with Warden Vincent A.
Guarini. Later that day, Guarini saw a program about the new technology on cable
television’s Discovery Channel, which convinced him it was something that would be
useful for the prison. “The price seemed reasonable so I thought we’d give it a shot,”
commented Guarini. The Lancaster County commissioners approved a grant application
with the state Commission on Crime and Delinquency for $7,712 to fund the purchase of
an IriScan® iris recognition reader, which was subsequently approved by the state
commission.[20]

Solution

The first application was a DOS version, which was upgraded to Windows after roughly
24 months. Hardware currently consists of one server and two clients. The server is in an
office near the systems administrator. Clients are located in the commitment and
visitation areas where they are used by 30 or more staff members on a regular basis.

There are two processing phases in the prison system: enrollment and verification. In the
former, the eye is digitally photographed. Over 400 points are mapped into a 512-byte
code. The iris map is stored in the database along with other information about the
inmate, which is taken from identification documents. Lancaster County Prison uses
fingerprints in conjunction with iris scanning for all inmates.

The iris recognition software is used primarily in the facility commitment area. By using
the iris technology on its 1,180 prisoners, the prison feels it can definitely determine that
the same person with the same name who was committed is released under the same
name.

[20] http://www.naco.org/cnews/1996/96-06-24/17eye.htm Lancaster County Prison uses new ID to keep eye
on prisoners

A secondary use is in the visitation area. As of March 2006, Lancaster County Prison
processed hundreds of visitors per day, amounting to tens of thousands of visits each
year. First-time visitors must produce multiple forms of positive identification, which are
entered into the system along with the iris scan. Return visitors may be admitted with
just an iris scan. Upon discharge, inmates are not allowed to return as visitors for six
months. Within a few seconds, the system can tell if the visitor has been incarcerated at
the Lancaster County facility.

Results

Errors. While the technology itself is very exact, human errors can be made in data
processing. Incorrect categorization of inmates has resulted in false identification.
Administrator Schwartz safeguards against this problem by occasionally looking through
the database for possible input errors, which he feels a trained individual can easily
recognize.

Cooperation. Lancaster County Prison has not experienced any compliance issues.
Because most people are used to having their pictures taken, the process is natural and
comfortable. It is also considered very safe and sanitary, since no direct contact is
necessary between the subject and the guard or the equipment. The scan takes just a few
seconds. When inmates and visitors express reluctance to participate, reminders that
visitation and release are contingent upon compliance have made the program
effective.

Support. Third-party vendors provide hardware and support. Support requirements have
been minimal and routine. Most incidents are handled over the telephone. Repairs have
been handled by shipping extra parts. Installation is straightforward.

Training. All of the prison employees in both commitment and visitation use the iris
recognition-based system. More than 30 officers use it on a
regular basis. Training has been conducted by colleague observation, which is estimated
by Officer Schwartz to take roughly 15 minutes.

What would they do differently next time? Lessons learned . . .

Overall Satisfaction. Officer Schwartz states that Lancaster County is pleased with the
system’s ease of use and precision. Lancaster County Prison would go the same route if
they had to revisit their decision today. Regarding the cost, he replied, “How do you put a
price on the safety of the community?”

Software Licensing Costs. Criticisms center on software licensing fees. “Because the
technology is so limited, the fewer suppliers there are, the higher the price.” Mainstream
software, such as that used in fingerprint recognition, can be less expensive.

Database Integration. Because iris scans are a fairly new technology, there is not a large
iris database in existence to leverage or integrate with other law enforcement authorities.
Fingerprints, which have been introduced at Lancaster County Prison for other
applications, can be checked against the FBI and National Crime Information Center, whose
databases include years and years of input. “The AFIS system goes out and gathers
information and brings back a criminal history on the individual… with the iris, you
don’t have that kind of resource available,” says Schwartz. Lancaster County Prison’s iris
database is maintained at the prison and is not shared with other entities.

Sources and resources for this case study:

- Interview with Luther Schwartz, Training Officer and Department Network
Administrator, March 30, 2006
- Interview with Frank Fitzsimmons, President and Chief Executive Officer, Iridian
Technologies, April 6, 2006
- http://www.naco.org/cnews/1996/96-06-24/17eye.htm Lancaster County Prison uses
new ID to keep eye on prisoners
- “Body Language: Using biometric Technology” March 1, 2002, American City &
County, http:/www.printthis.clickability.com/pt/cpt
- “IriScan’s Leader Looks Secure”, Business Week Online, July 5, 2005, Olga Kharif
- New York Times Technology Review, April 5, 2006,
http://tech2.nytimes.com/mem/technology/techreview.html?res=9B04E1DA163CF931A3575BC0A9679C8B63

Case Study E – University of Georgia: Student ID/Access Control

Problem

The first hand geometry system that was installed in the University of Georgia dining hall
in 1972 to verify meal plan participants has since grown to a fully integrated solution that
secures three different types of facilities on the school’s extensive campus. In addition to
the continued use of hand geometry in the dining hall, the system was expanded to
include student housing – to verify a student lives in the building – and to the student
recreational center – to verify membership in the sports facility.

With a student population of 32,000, the University needed an access control system that
was fast, easy to use, and foolproof. To provide a safe, secure campus, the school
wanted to identify students entering residential halls and athletic facilities and to limit
dining hall access to those students who had paid for a meal plan.

A fourth application for hand geometry that is currently being considered by the
University is to identify students prior to exams, to be sure the right student is taking the
test.

Process

The University of Georgia has been a pioneer in adopting biometrics, implementing one
of the first wide-scale applications of hand geometry in the U.S. When it was time to
upgrade the school’s old (1972) hand readers in 1990, the administration evaluated
various biometric technologies, such as facial, hand, fingerprint, iris, and signature
devices.

With a large, diverse, and active student population, the University needed a solution that
did not require cards (students lose, forget, or loan them) or a typed passcode (students
forget or loan them). Biometrics offered a token-less solution, and hand geometry
technology met the school’s requirements for ease of use, functionality, and cost. A
signature-based biometric was evaluated, as well as other technologies, but was found to
be too time consuming for students accessing the dining hall and housing facilities.

Initially, the University relied on outside consultants and integrators to assist with
evaluation, selection, and integration. As the system grew over the years, the University
brought this function in-house and is now self-managing the hand geometry system
through two fulltime employees.

Solution

Initially, the 1972 systems were two-dimensional hand geometry readers placed at dining
hall entrances to verify that students who paid for meal plans were the same students that
actually entered at mealtime. Students who require a work-around (i.e., students without
a right hand) can type in a passcode for access.

The 1972-1990 system required a card to be inserted with no other option. The
1990-1994 system required a card to be swiped. All of the data was held on the card until first
use, then stored in reader memory. The current system allows for either a card swipe or
the number from the card to be entered into the HandKey reader. In order to do a
one-to-one match, the University requires that the unique number be entered. This versatility is
one reason the system has a high level of acceptance among students.

In the dining hall, the system averages 1,700 attempts per day per reader (with two
installed readers), translating to over 3 million valid accesses per year during the school
year.

Based on the system’s success in the food service area, the university installed a similar
system to control access to the Ramsey Center, a recreational sports facility. The
Ramsey Center includes six readers, averaging 2,500 authentication attempts per day
(translating into 870,000 accesses per year). The University controls its false rejection
rate to about 1.5-2%.

Next, the school added the biometric security solution in the housing facilities, replacing
magnetic stripe-only readers with hand geometry readers. Across the dorms, there are
450 access attempts per reader per day, translating to over 2 million accesses per school
year. (In September 2005 alone, there were 300,675 valid accesses.) The hand readers
for the housing system are unmanned, but there are security cameras at each entry point
for additional safety.

Today, the 70-reader system controls access for 32,000 users to select facilities all over
the campus, from dining halls to recreational centers, dormitories to testing rooms.
According to Donald Smith, coordinator of the University of Georgia (UGA) Card
Services department, “The number of cards typically lost in a year is a good reason for
not utilizing a card-based system, so biometrics just made more sense.”

Enrollment into the hand geometry system happens when a student initially gets his/her
campus ID. The University enrolls the right hand of every student and the process
typically takes about 1-1.5 minutes. During the enrollment process, the students are also
trained in how to use the system for access to the various locations where it is used.
Currently, the University is storing about 90,000 hand images on its central server.
Identification time through the various turnstiles averages 1-2 seconds.

Results

Since 1972, use of the hand geometry technology for student identification and access has
saved hundreds-of-thousands of dollars in terms of personnel time and materials for
replacing lost student access cards. This initiative was important to reduce the number of
IDs the students had to manage.

In total, the University of Georgia has spent over $250,000 on its biometrics program
spread out over a 5-year period – approximately $2,000 for each of the indoor models and
approximately $3,000 for every outdoor model. Costs are greater for the outdoor readers
because they require steel enclosures to protect them from weather. From initial
deployment, it took approximately four years for the system to become fully integrated
into students’ daily use across campus.

The vast majority of students are enthusiastic about the hand geometry systems. “They
think it’s cool,” commented Donald Smith. “It is future technology. We don’t get many
complaints from students.” Occasionally the University receives objections based on
religious beliefs. There are workarounds for these students, as well as for handicapped
persons or those missing a finger or hand. There are about 84 students requiring
workarounds (out of a 32,000 population).

What would they do differently next time? Lessons learned . . .

The initial deployment of hand geometry back in 1972 still relied on cards, which housed
the students’ biometric data and passcode for the one-to-one verification. Transitioning
the biometric data to a centralized server not only reduced the number of cards processed
each year, but also reduced the total number of servers required to operate the
campus-wide system, saving the University a significant amount of money. Additionally,
authentications are done in real time and are much more efficient.

It is important for those considering a biometric-based identification system to study how
other organizations similar to yours are using such technology. There is no single
biometric technology that is right for every application. Make sure the solution that is
chosen is the best one for your application. Look at all the various options.

Lastly, remember to get the users involved, as best you can. Introduce them to the
concept, allow them to be part of the decision-making, and explain the reasons for
transitioning to a biometric-based solution. Most importantly, explain how the system
will benefit them in the long run. Users will tend to be more cooperative if they
understand how the system works and why it is needed.

Sources and resources for this case study:

- Interview with Donald Smith, University of Georgia – March 16, 2006
- “University of Georgia Secures Campus with RSI HandReaders” press release from
IR Recognition Systems
- Floyd, J. Michael. “Biometrics-The Future Competitive Edge” FE&S. January 2003
- “University of Georgia Migrates Recognition Systems HandReaders Campus-wide”
press release from IR Recognition Systems. July 30, 1999
- Kiernan, Vincent. “Show Your Hand, Not Your ID” The Chronicle of Higher
Education-Information Technology. December 2, 2005

Case Study F – St. Vincent Hospital: Desktop Computer Access

Problem

St. Vincent Health is an Indiana-based healthcare provider with a network of 16 hospitals
and a number of health services locations. St. Vincent is a member of Ascension Health,
which includes more than 70 healthcare facilities. Although St. Vincent is one of the
largest healthcare providers in the Indianapolis region, attracting and retaining physicians
is extremely competitive and the hospital must continually seek ways to enhance its
attractiveness to area physicians and surgeons by ensuring its facilities are state-of-the-art
and easy to work in.

In 2000, looking to gain a competitive advantage in the Indianapolis region, the
management of St. Vincent Health embarked on a program to improve physician
satisfaction with the hospital, improving their overall experiences with referring their
patients to and working in St. Vincent hospital over other healthcare options in the area.

One part of the overall “physician satisfaction program” included the need for improved
and more efficient access to the hospital’s electronic patient information, health records,
and other computer-based systems used by the hospital’s physicians and nursing staff.
The goal was to increase ease-of-access to information while also improving data
protection. The hospital’s computer network serves 8,000+ users and operates 24 hours
per day, seven days per week, so a solution that is fast, secure, easy to use, and extremely
reliable was required.

Part of the problem was that, as the hospital’s information and computer system grew, in
conjunction with a growing number of physicians, surgeons, nurses, and other medical
staff working at the facility, St. Vincent experienced problems with multiple physician
passwords. Up to 500 active St. Vincent doctors were accessing four to 10 different
applications every day, all with different passwords. “Physician access to our systems
had always been a problem and it was becoming more of a problem as we added
advanced systems and additional required passwords,” commented Bruce Peck,
Information Security Officer at St. Vincent. “Patient records are completely electronic
and physicians were having difficulty accessing charts and signing off on medical
records, causing more administrative work than was necessary.”

Time-crunched physicians were having to request password resets, which delayed patient
record access and frustrated the doctor, the hospital IT department, and the nursing staff.

Process

St. Vincent needed an efficient and highly secure system for healthcare workers to access
patients’ electronic medical records, while complying with the government’s Health
Insurance Portability and Accountability Act (HIPAA) privacy rules that became
effective in 2003.

After extensive research and review of various biometric technologies, St. Vincent’s IT
team determined that a single sign-on (SSO) solution in combination with biometric
authentication would enable them to eliminate the most critical log-in challenge –
forgotten passwords. They conducted a competitive pilot program to fully test a variety
of available solutions. The hospital determined it needed to replace the one single
sign-on password with a fingerprint authentication solution.

Solution

In the decision-making process, system support for multiple biometrics was a key
decision factor. The system had to be “biometric agnostic.” Although St. Vincent is
currently using fingerprint technology, iris recognition is being considered for system
access where users may be gloved and masked. Problems are anticipated in
implementing a biometric solution in clean rooms, such as surgical areas, where
protective clothing is required. Surgical personnel cannot use fingerprint scanners while
wearing latex gloves. The design of certain intensive care areas required the hospital to
install special wall-mounted PCs, which posed an additional challenge.

The sterile environment of a hospital also presented a unique challenge in that nursing
stations, for example, are wiped down with cleaning products that are not normally
compatible with computer keyboards and fingerprint scanners. As a result, a special
silicon seal was developed for the fingerprint reader to prevent liquid from seeping inside
the casing, and the hardware OEM ensured its chip coatings would stand up to cleaning
solvents used in a hospital setting.

A very small number of users have difficulty with a fingerprint reader. For these
individuals, a password work-around is in place.

Currently, St. Vincent uses 1,500 workstations with one fingerprint reader at each.

Results

The fingerprint-based single sign-on solution implemented by St. Vincent allows many
clinical users to quickly share workstations without the time consuming requirements of
logging in to the network operating systems (Novell and Windows NT). “With the
biometric-based SSO, we have the assurance that a person logging into the system is
really that person, for increased accountability that didn’t previously exist,” commented
Bruce Peck.

With the government’s HIPAA privacy rules, it is an added bonus that biometric
authentication solutions provide St. Vincent’s healthcare staff and doctors with a more
efficient and more highly secure system for accessing patient electronic medical records,
ultimately combining St. Vincent’s “physician satisfaction” objectives with HIPAA
compliance.

When the fingerprint-based SSO system was first initiated, the hospital was fortunate to
have strong support from the nursing director. Once the rollout was underway and other
clinical areas saw the benefits of biometric authentication, the hospital’s IT department
had difficulty keeping up with the inquiries.

Enrollment into the fingerprint-based system was simplified and streamlined to
accommodate the hectic and time-crunched schedules of the doctors. Enrollment had to
be flexible and adapted to the people as nurses cannot be absent from the floor and
physicians come and go depending on patient rounds and surgery schedules.

Rather than hosting set times for enrollment during a conventional 9 to 5 workday, the
enrollment program was multi-phased and capitalized on the places within the hospital
that staff and physicians tended to frequent, such as the cafeteria and lounges.
One-on-one enrollments were held at a variety of times to catch healthcare workers on swing and
night shifts. The personal interaction between an IT staff member and the physician or
healthcare worker helped advance the project because they could immediately address
questions on privacy and safety, as well as train the doctors and nurses in system use.

To manage the entire enrollment process, St. Vincent hired two fulltime staff people for
eight months. After five years of deployment, the fingerprint-based SSO system
identifies over 3,000 individuals with 1,500 fingerprint readers.

What would they do differently next time? Lessons learned . . .

The cost and time required for enrollment were not thought through at the beginning. The
multi-phase approach and addition of two fulltime staff who concentrated only on
enrolling healthcare workers and doctors into the biometric system was necessary, but
unanticipated. The “catch as catch can” enrollments made it difficult to predict how long
it would take from initial deployment to full enrollment and participation.

The cost for future upgrades of hardware and software should also be considered in any
biometric deployment, as technology is continually advancing. Technology flexibility
was a critical requirement for St. Vincent so that various fingerprint reading devices from
different vendors can be used, if needed. The hospital wanted to avoid getting locked in
to using only one vendor.

St. Vincent realized after a few months of deployment that they should have forced
people to use the fingerprint-based SSO system at the onset, rather than allow users to
continue with the password-based system. Stragglers and late adopters were slow to
enroll (due to their demanding and non-conventional schedules) so the hospital
eventually had to lock down the systems to force users to enroll in the biometric-based
solution.

The healthcare environment at St. Vincent causes dry skin because users constantly wash
their hands. It was important to experiment with fingerprint readers from various vendors
to identify which could best accommodate a dry skin environment. Those looking to
implement a biometric-based system, particularly one that requires touch, should closely
examine the users’ environment to identify such factors and take them into account at the
onset.

Sources and resources for this case study:

- Interview with Bruce Peck, Information Security Officer for St. Vincent Health
- “Biometrics and SSO: Helping in Healthcare” Powerpoint presentation from St.
Vincent Health
- “Hospital Adopts Biometric Security Solution for Workstations”.
www.findbiometrics.com
- Peck, Bruce. “Rx for Password Headaches” Health Management Technology
magazine. January 2003
- “St. Vincent’s Hospital and Healthcare Center” client profile from Saflink
Corporation
- “St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client
profile from Computer Associates
- Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld.
October 2001.

Case Study G – Beaumont Hospital: Medical Records Security

Problem

William Beaumont was a surgeon in the U.S. Army and was renowned as “The Father
of Gastric Physiology” based on his research performed on the human digestive system.
In 1956, the William Beaumont Hospital was opened in Royal Oak, Michigan in honor
of Dr. Beaumont. Today, Beaumont Hospital is a corporation that consists of two
locations, Royal Oak and Troy, Michigan. Both hospitals are community hospitals with
full in-patient and out-patient services. The Royal Oak facility currently has 1,061 beds,
8,500 employees, and 1,760 physicians. The Beaumont Hospital in Troy was opened in
1977 and is considerably smaller than the Royal Oak facility with 254 beds, 2,800
employees, and 900 physicians on staff. The Troy emergency room saw over 60,000
patients in 2005.

In 1994, Chris Hengstebeck was in charge of the hospital security system for the Troy
facility. The security for any hospital includes the protection of in-patients, out-patients,
employees, and visitors. This is extremely challenging because of the sheer number of
individuals (employees, inpatients, outpatients, emergency room patients, and visitors)
that enter the facility every day, 365 days a year. The other challenge in hospital security
is the transient nature of the individuals who visit due to the continuous patient turnover.

There are different levels of security for different hospital areas. The areas in Beaumont
that required higher levels of security were the narcotic storage areas and the
OB/Maternal Child Health area.

The objective was to improve the accountability in the distribution of controlled
substances and better control access to the OB/Maternal Child Health wing of the
hospital. At the time, card access was the method used by employees to access restricted
areas in the hospital. This provided a level of security, but it did have its problems.

Theft of narcotics in hospitals is a significant problem. With distribution of controlled
substances, the current hospital system was able to identify individuals entering the room
where the narcotics were stored; however, there was no method to determine the actual
narcotic that was taken from the cabinet. Also, magnetic identification cards can be
shared, stolen, or lost. That meant that although there was a record of the card used to
access the area, there was no guarantee the appropriate person actually used the card to
gain access.

In addition to attempting to improve access to certain areas, there were also issues with
employees carrying their identification card on a consistent basis. Doctors were the
primary source of the problem because many would forget or misplace their identification
cards.

The goal of Mr. Hengstebeck was to improve the overall security in the hospital. Cost
was an important consideration. The magnetic system’s average cost per card reader was
$225. The hospital employees were very comfortable with this system, and changing it
had the potential to meet resistance and to require a significant level of effort.

Biometrics was initially considered purely out of Mr. Hengstebeck’s curiosity.
Biometrics was not widely used and there was concern about whether the technology was advanced
enough to use in this type of application. It was even difficult to determine if there were
any hospitals utilizing a biometric technology. Hand geometry was the biometric system
most widely used at the time. A typical hand geometry scanning unit was $1800. This
was significantly higher than the magnetic system the hospital currently employed.

Process

The hospital sent out a request for proposal for a hand geometry-based biometric system
to determine if it was a feasible, cost-effective solution for the hospital. Hand geometry
seemed like the natural solution since it would utilize the same equipment that their
existing magnetic card reader system utilized. The requirements for a hand geometry
system (wiring, door hardware, etc.) were consistent with their existing system and the
units could be placed exactly where the card reader units were and they were similar in
size.

The hand geometry system would need to be user friendly and able to accommodate
typical scenarios experienced in hospitals. An initial concern was whether the system
would be usable if someone was wearing surgical gloves. In addition, hand washing is a
common practice in hospitals. Hands can become extremely dry and many hospital
employees use lotion to combat the dry skin. Would the system be affected if someone
had lotion on his/her hands? Although it was important to limit access to restricted areas,
there needed to be an override mechanism in case of emergency.

The price per unit of $1800 was a deterrent to installing a biometric system throughout
the hospital. The hospital contemplated installing three hand geometry units in the
narcotics storage area. This is where the hospital believed it would yield the greatest
benefits and would be more willing to incur the cost. The units, if installed, would be a
trial case to validate the effectiveness of such a system in a hospital setting.

Solution

Beaumont Hospital decided to implement a hand geometry system, from Recognition
Systems, in the narcotics storage area. Three units were installed initially by Electronic
Security Systems. The hand geometry system measures the length, width,
thickness, and surface areas of an individual’s fingers and hands. The data is then sent to
a central security database where it is monitored. An employee identifies
himself/herself to the system by entering an identification (ID) number and then placing
his/her hand on the reader; the system then verifies that the employee is who he/she claims
to be. Initially, there was a concern regarding the usability of the system with surgical
gloves. This did not become an issue because surgical gloves are typically
removed after each procedure and are not required in the narcotics area.

The added benefits of the hand geometry system were that the hospital would be able to
identify who entered the controlled access areas. For the narcotics storage area there
would be complete accountability. The hospital would know who entered the room and
the specific narcotic that was taken. This was a substantial improvement over their
current system. On a daily basis, hundreds of employees access the narcotics storage
room, and the drugs stored in this area are highly desirable and could be sold for a
significant amount of money on the black market if they fell into the wrong hands, with
potentially deadly consequences.

Results

The hand geometry unit was an overwhelming success at Beaumont Hospital in Troy.
Currently, there are over 60 readers in the hospital. The readers are located in nursing
areas of the hospital that include medical-surgical and critical care. The readers were
phased in over a 12-year period and were typically installed in areas that were undergoing
redesign or renovations. All the readers are supplied by the same manufacturer. This
allows for ease of compatibility.

Enrolling employees in the system is relatively straightforward and consists of assigning
an ID number to the employee and scanning the employee’s hand in the hand reader. The
ID number is used for both the card access areas as well as the biometric access.

In order for an employee to gain access using the biometric system, the assigned ID
number needs to be input into the reader. The employee then places his/her hand on the
scanner three times. The system either verifies the individual’s identity or rejects the
individual.

The error rate in the system is extremely low, and errors are typically the result of inputting
an incorrect identification number, poor hand placement, or not following the instructions
on the prompter. Another issue that may affect system use is how frequently an individual
utilizes the system. If someone has not used the system in a considerable amount of time,
the system, at its sensitivity level, may not recognize the user. Significant changes in hand size may
cause the system to yield a false identification match. This could be from swelling from
some type of hand injury. Bandages may also affect the ability of the equipment to
identify the individual. These occurrences are rare and require the individual to re-enroll
to re-establish his/her identity. There is only one individual to date who is not compatible
with the system.

The actual readers are very similar in appearance to the magnetic card readers. The
maintenance of the actual hand readers is minimal. Occasional re-calibration and/or
cleaning are the extent of the maintenance. Feedback from the employees notes that the
hand readers are very user friendly.

For the narcotics storage area, there is a hand reader to gain access to the area as well as a
hand reader to access the storage cabinet. In addition, there is a software system called
Pyxis that is used to identify the specific medication and amount that is being dispensed.
The Pyxis system is standard in most hospitals for use in dispensing narcotics. Each
employee has to enter a unique user name and password in addition to a thumbprint
biometric in order to access the system. The type of narcotic as well as the dosing
information is input into the Pyxis software system. Even with all of these security
measures, there is the potential for employees to input false information into the Pyxis
system or to not dispense the narcotic to the patient; however, with frequent audits these
types of breaches are kept to a minimum and are extremely traceable.

The system has also been used to assist in theft investigations and time fraud
investigations.
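The audits mentioned above depend on reconciling the three records this section describes: verification at the room reader, verification at the cabinet reader, and the dispensing entry. The following Python code is an added example, not code from Beaumont Hospital, Recognition Systems, or Pyxis; the record layouts, employee IDs, sample events, and the 10-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=10)  # assumed audit window, not from the case study

# Constructed sample data (hypothetical layout, not a real export format).
# Access event: (timestamp, employee ID, reader location, verification result)
ACCESS_EVENTS = [
    ("2006-03-01 08:00:05", "1001", "room", "verified"),
    ("2006-03-01 08:00:40", "1001", "cabinet", "verified"),
    ("2006-03-01 09:15:10", "1002", "room", "verified"),
    ("2006-03-01 09:15:55", "1002", "cabinet", "verified"),
    ("2006-03-01 10:30:00", "1003", "room", "rejected"),
    ("2006-03-01 11:00:00", "1004", "room", "verified"),
]
# Dispensing entry: (timestamp, employee ID, medication, amount)
DISPENSE_EVENTS = [
    ("2006-03-01 08:01:30", "1001", "morphine 10 mg", 1),
    ("2006-03-01 10:31:00", "1003", "fentanyl 50 mcg", 2),
    ("2006-03-01 11:02:00", "1004", "oxycodone 5 mg", 1),
]


def _within(earlier, later, window):
    """True if `later` falls no more than `window` after `earlier`."""
    return timedelta(0) <= later - earlier <= window


def reconcile(access_events, dispense_events, window=WINDOW):
    """Cross-check reader verifications against dispensing entries.

    Returns a list of (finding, employee_id, timestamp) tuples:
      dispense_without_<reader(s)>    - an entry was recorded for an ID that
                                        was not verified at that reader
                                        shortly beforehand
      cabinet_access_without_dispense - the cabinet reader verified an ID
                                        but no entry followed
    """
    # Only successful verifications count as evidence of presence.
    verified = {}
    for ts, emp, reader, result in access_events:
        if result == "verified":
            verified.setdefault(reader, []).append(
                (datetime.strptime(ts, FMT), emp))
    dispenses = [(datetime.strptime(ts, FMT), emp)
                 for ts, emp, _med, _amount in dispense_events]

    findings = []
    # Pass 1: every dispensing entry needs both readers in the window before it.
    for when, emp in dispenses:
        missing = [
            reader for reader in ("room", "cabinet")
            if not any(e == emp and _within(t, when, window)
                       for t, e in verified.get(reader, []))
        ]
        if missing:
            findings.append(("dispense_without_" + "_and_".join(missing),
                             emp, when.strftime(FMT)))
    # Pass 2: every cabinet verification should be followed by an entry.
    for opened, emp in verified.get("cabinet", []):
        if not any(e == emp and _within(opened, d, window)
                   for d, e in dispenses):
            findings.append(("cabinet_access_without_dispense",
                             emp, opened.strftime(FMT)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ACCESS_EVENTS, DISPENSE_EVENTS):
        print(finding)
```

Each finding is a lead for a human audit rather than proof of diversion: a rejected scan followed by a dispensing entry, or a cabinet opening with no entry, is exactly the kind of discrepancy that card-only access could not surface.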

What would you do differently next time? Lessons learned . . .

This system works extremely well for the Troy facility, but the Royal Oak facility has
not yet installed any biometric technology. The initial investment in a biometric system in
such a large facility would be millions of dollars and the Royal Oak hospital at this time
cannot justify the expense.

It is important to investigate all types of biometrics before deciding on one type. There is
the potential that there are other biometric technologies that are much more affordable
when considering the overall system cost. Facial recognition is supposed to be less
expensive and could have worked well in the hospital. At this point, however, the high
cost of switching from hand geometry to a different biometric technology would be
prohibitive.

It is also important to verify that the organization gets the greatest value from its use of the
biometric. There are many applications for biometrics in a hospital setting. Currently,
hospitals are utilizing biometrics to manage access to patient health records (HIPAA
compliance), identify patients, control access to controlled/restricted areas, and assist in
employee time management.

Although a biometric system has a high upfront cost, it has the potential to save money for
many organizations in the long run. When implementing a system, it is important to think
through the ways that it can save the organization money. One example at Beaumont is
the reduced cost of theft investigations due to the improved access control and
identification accuracy.

Recent Developments

There has been an industry shift from the use of hand gels for hand cleaning to foam hand
washes due to the longevity and fire retardant properties. There is preliminary evidence
that the use of these foam hand washes inhibits the performance of the hand scanners. Most
employees wash their hands before and after entering the nursing areas. Residue
from the foam hand wash may still be on the employee’s hand and is then left on the hand
scanner, leaving an impression on the device. The employees most affected are the ones
with smaller hands. This is still under investigation and no conclusions have been
reached.

Sources and resources for this study

- Interview with Chris Hengstebeck, Director of Security, Parking and Safety at
William Beaumont Hospital, Troy, Michigan
- Biometric Summit Winter 2006 Proceedings

Case Study H – Pinellas County Sheriff’s Office: Arrestee Identification

Problem

Like other law enforcement agencies around the country, the Pinellas County Sheriff’s
Office (PCSO) found it was burdened with a cumbersome manual booking, release, and
criminal investigation (identification) process. During the arrest process, it is common
for law enforcement officials to be confronted with people who lack proper identification,
such as a driver’s license, or who may present an alias ID to avoid identification.
Sometimes, the individual is incapable of telling officers his/her name.

The manual process that was used by the PCSO caused delays in information collection
and analysis, sometimes letting suspects get away with providing false identification,
hampering law enforcement, or sidetracking investigations. With annual bookings
exceeding 60,000 and a 60%-70% recidivism rate, the Pinellas County Sheriff’s
Office needed a more automated and reliable way to identify suspects, convicted persons,
and others coming into and out of the jail system. Additionally, the technological
solution that was to be selected had to be user friendly and straightforward enough for the
3,300 PCSO personnel who would be interacting with it on a daily basis.

Process

In 2000, Sheriff Everett Rice looked into various technology alternatives for the PCSO
and was awarded a federal grant from the Office of Community Oriented Policing
Services (COPS) at the U.S. Department of Justice to implement biometric technology.
The goal of the funding was to demonstrate the use of facial recognition technology for
Florida law enforcement.

A major portion of project scoping included the integration of nearly 12 years of photos
and images of people who had been through the PCSO system, as well as data and
images from many other Florida law enforcement agencies who would cross-share image
and data information.

This was a huge application for facial recognition technology, with many moving parts in
a complex system. For project and system design, there was more to consider beyond a
basic plug and play application. For example: How would the solution be integrated
across other operations and departments? How should users interact with the system? To
help address these and other issues, PCSO encouraged end-user involvement in the
decision process by engaging a cross-section of personnel from various departments –
patrol, intake, operations, release, etc. – garnered input from the very people who would
be using the system on a daily basis, and provided guidance to the technology vendor
who could tailor system design to PCSO’s specifications. For a system this complex that
would eventually extend across the state, the vendor needed to fully understand and
appreciate the processes and business flow of the organization.

With the project scope defined, PCSO selected Viisage facial recognition technology
since it planned to build a large state-wide database with potentially millions of images
that would be shared among multiple law enforcement agencies. Viisage’s prior success
with driver license applications also provided credibility for both the company and this
particular facial recognition algorithm.

The timeframe from initial system design to implementation was about 6-8 months, with
a review session held after about 4 months to recommend any additional changes before
the final system was delivered, installed, and deployed. Total cost for the complete
system was approximately $10 million, which included design, deployment, training, and
other elements.

Solution

Since this is a law enforcement application, fingerprint technology was considered and
reviewed. Because it can be difficult or impossible to get readable fingerprint images
from uncooperative suspects, the facial recognition technology was selected. Although
the department has kept a digital fingerprint file since 1995, it has also maintained images
of arrestees for over 12 years. Ultimately, the facial recognition system does not replace
the use of fingerprints, but it is an important complement to fingerprints, which are still
used and required by the court system. In 2000, when the PCSO’s 7-year-old proprietary
mug shot system was due for replacement, officials decided to try facial recognition to
identify prisoners at booking.

The full facial recognition system that was designed and deployed for PCSO is a multi-
faceted solution, comprising intake and booking at the jail, mobile identification in patrol
cars, watch list identification at the airport, visitor identification at the jail and
courthouse, and cross-jurisdictional sharing of facial images and data amongst the
Florida-based law enforcement community. Facial recognition has allowed the sheriff’s
office to quickly access important identity information and retrieve records, allowing
officers to correctly identify even the most uncooperative suspects and to conduct more
efficient investigations.

Mobile System. The technology allows deputies in patrol cars to capture a person’s
facial image with a digital camera, place the camera into a docking station in the patrol
car, and via wireless communication to the image databases of the PCSO and other
jurisdictions, conduct a facial recognition search to determine if the individual has been
previously arrested. By using the facial recognition technology, patrol officers can know
immediately if the individual in question has a PCSO criminal record, including previous
offenses. Officers who encounter suspects on the street who have no or unverifiable
identity information can, within 20-30 seconds, have a gallery of photos presented in the
patrol car and use these to make a positive identification.

As directed by the Department of Justice grant, the PCSO has partnered with other state
and local agencies in Florida to maximize the effectiveness of the system. Agencies
participating in the facial recognition program include: Florida Department of
Corrections, Florida Department of Law Enforcement (FDLE), seven Florida Regional
Terrorism Task Forces, Hillsborough County Sheriff’s Office, Orange County Sheriff’s
Office, and Miami-Dade, Broward, Leon, and Duval counties.

Intake and Booking. When a suspect enters the PCSO facility, his/her photograph is
taken and compared against the database of images to determine if he/she has been
through the system before. With more than 60% of those arrested being repeat offenders,
the PCSO identifies hundreds of people each year using only their faces. With
information about the arrestee’s criminal history, the officer can handle each case with
appropriate care and caution. When a match is made, the suspect’s basic demographic
data is automatically entered, regardless of any alias name he/she may have given, and
the new record is linked to previous bookings, creating a more efficient and thorough
process.

Release. Before an individual is released from the Pinellas County jail, facial recognition is used
again to confirm his/her identity. This additional check compares a photograph
taken at the time of release with the formal booking image, providing a side-by-side
comparison of the two photos for the officer to review, along with a green, yellow, or red
rating based on the facial recognition results, helping to ensure release of the right
inmate. Since the facial recognition system was installed in 2002, PCSO has not had a
single incorrect release.

Airport System/Watch List. Through a partnership among the PCSO, St. Petersburg-Clearwater
International Airport, and American Trans Air (ATA) Airlines, facial recognition
technology was implemented to improve passenger security. Facial images of ticketed
passengers are checked against a 5,000-record database of Federal, State, and local
violent and wanted criminals as part of regular security procedures. The facial
comparisons are done in real-time and compare a passenger’s face to a select universe of
wanted persons’ images.

This system, which was provided by the PCSO with funding from the U.S. Department of
Justice, is located at two departure security checkpoints in the airport. Since the PCSO
was implementing the same facial recognition technology for its own use in suspect
identification and inmate booking, law enforcement felt it necessary to deploy the same
technology at the airport for a watch list application.

Results

The PCSO’s application is believed to be the largest facial recognition-enabled law
enforcement tool in the U.S., with nearly 4.5 million records in the database.

“Since implementing Viisage’s fused face recognition technology, we have noted marked
increases in the accuracy and speed of identifying and verifying arrestees,” commented
Lt. Jim Main of Pinellas County Sheriff’s Office.

Commenting on the value derived from the mobile system alone, Lt. Main said, “The
deployment of the Mobile Identification System has added an entirely new dimension to
law enforcement practices of our field deputies. Many of our daily encounters involved
individuals who lack acceptable identification or provide false information. This system
has provided our deputies with a tool that complements their training and judgment and
reduces costly delays that can occur when attempting to ascertain an individual’s true
identity. Furthermore, this solution helps improve deputy safety and public safety by
providing instant information on the suspect in question and ultimately taking criminals
off the streets.”

Training

Intake and Booking. Prior to installation of the final system, a “test and training”
environment was created, in which the old legacy system was kept online to assure
continuity and provide two levels of verification during the transition period.
Approximately 800 people participated in the initial training program, each receiving a
minimum of 4 hours of training on the new facial recognition-based booking system.
Every station was emulated and scenarios were run – from intake and receiving to
booking to release. All personnel learned what facial recognition was and what it was
not, and popular myths were dispelled. Education and training were key components in
combating any negative perceptions about the use of biometric technology in general or
facial recognition technology in particular.

The PCSO followed a framework for training that revolved around both classroom
learning and in-use training. After installation, typically 8-20 people were included in a
training session, complete with handouts and bound copies of the system user manual.
Scenarios were used to build system proficiency and comfort in using it. Time was
allotted after formal training for personnel to practice, review, and apply what they had
learned.

Users ran through the various components to familiarize themselves with the system.
They were taught how to pick out key elements of a person’s face, and learned how and
why the facial image gallery could be completely different than what they might initially
expect. For example, race and gender are not considered by the algorithms.

Next, the operational components of the facial recognition system were taken into
account. Personnel were placed into different groups and taken through the various
operational components – in 4-hour shifts for about one month. Supervisors were
included in this training program to “train the trainers” and took the lead in training the
PCSO staff and answering questions.

Once all personnel were trained in using the facial recognition system, a live switch over
from the legacy system to the new biometric-based system was completed. It was noted
that this transition from the old procedures to the new process was the smoothest one ever
for the PCSO.

Continuing support and training for PCSO personnel in use of the facial recognition
system include training materials and handouts, users’ manuals, email contact and
technical support, online support, and a “cheat sheet” that resides at each station.

Airport System/Watch List. The investigative component of the facial recognition
system is in use at the St. Petersburg/Clearwater Airport, jail visitation center, and
courthouse. During personnel training, PCSO had to address up front why and how to
use the system since this application is different from the jail application. In this usage
scenario, screeners are only concerned with persons who are actively “wanted” with
outstanding warrants.

The investigative screening training required 4-hour blocks of time for in-lab or
classroom training, which included an overview of facial recognition (what it is and
what it is not) to dispel popular myths about biometrics. Users were allowed to bring in
various photos and images they wanted to test on the system. The I-Browser
(investigative browser) Challenge became a critical component in the training program.
This involved a test of 10 different images of people known to be “in the system” in
which the user had to identify them based on the gallery of images returned.

Mobile. Fifty out of 550 marked patrol cars are equipped with the mobile facial
recognition capability. When first deployed, several groups, each containing 6-8 officers,
were trained about facial recognition technology and system usage. The I-Browser
Challenge was used, as well as scenario-based training that comprised a beta car with the
facial recognition system installed for practice.

New users receive about 4 hours of one-on-one training with sessions held monthly.

User acceptance. The in-depth training program for all aspects of the facial recognition
system along with inclusion in the initial design process were critical to overall user
acceptance and buy-in. There is a broad spectrum of personnel associated with the PCSO
– some more technically savvy than others, and some more open to new processes and
ways of doing things. The system was tailored to meet the needs of those who had been
with the organization the longest so they would be comfortable with it. Multiple methods
of working with the system were designed in to meet the varying comfort levels, styles,
and preferences of the users. Personnel can navigate and interact with the system based
on their own styles.

What would they do differently next time? Lessons learned . . .

Due to careful and thoughtful planning of the system at the outset, there were really no
surprises or hidden costs associated with the deployment of the facial recognition system.
The system was well-designed from the beginning thanks to close collaboration among
the vendor, system end users, and PCSO decision makers.

Looking back on the training program and continual turnover of personnel, more “train
the trainers” would have been prepared initially. As personnel advanced into new
positions or left the PCSO, many of the initial “train the trainers” moved on, so there
became a critical need for additional people able to take this role. PCSO would have
increased the ratio of trainers in training vs. end users in training during the initial
training cycle.

Additionally, a closer look would have been taken at the actual people being trained.
Ultimately, everyone was trained on system usage, but not everyone perhaps should have
been. From a cost perspective (both time and money), PCSO could have saved some
overtime costs by excluding those individuals who would not interact with the facial
recognition system. Other personnel could perhaps have been trained less intensively.

Ultimately, the facial recognition system deployed by PCSO has changed law
enforcement in Florida for the better. Advice for another law enforcement agency
looking to deploy a biometrics-based system is: be sure to look at the various
technologies that are available and do your homework on the vendors. One reason the
PCSO implementation was so smooth was because the vendor was willing to listen
carefully and create real solutions. Be sure to work directly with the vendor and
integrator to define exactly what the need is and how the biometric-based system will be
used, and fully understand the scope of the project and the timing, based on precise needs
and goals.

Sources and resources for this case study:

- Interview with Scott McCallum, PCSO – May 25, 2006
- Facial Recognition: The Pinellas County Sheriff’s Office Experience.
Presentation provided by Scott McCallum
- “Facial Recognition in Action.” Government Security. August 1, 2004.
- “Who’s Who: Piece by puzzle piece, FL county checks suspects’ identities.”
Government Computer News. August 2, 2004.
- “Pinellas County Invests in Face-Recognition Technology.” Tampa Bay Business
Journal. October 8, 2002
- “St. Petersburg-Clearwater International Airport Deploys Viisage Technology
Facial Recognition Security”. Viisage press release. January 22, 2002.
- “An Arresting Case for Biometrics.” Biometric Technology Today. May 2005
- “Viisage Awarded $2.4 Million Facial Recognition Contract from Pinellas
County.” Viisage press release. October 8, 2002.
- “Pinellas County Sheriff’s Office Deploys New Mobile Identification Solution.”
Government Technology. June 18, 2004.

Case Study I – United Arab Emirates: Iris Expellees Tracking and Border Control
System

Problem

Combined, the seven emirates that make up the United Arab Emirates amount
geographically to the size of the U.S. state of Maine, but what the country lacks in territory, it
makes up for in wealth and unprecedented population growth.

Because the UAE depends heavily on an outside workforce, a steady influx of expatriates
has boosted the population in recent years to more than four million, of whom only
20% are UAE citizens. Foreign workers pour in from the region, as well as from every
other continent. Having to deal with a daily onslaught of immigrants and visitors, the
UAE adopted advanced technology to strengthen its border control and identify potential
terrorists.

The UAE is one of the first countries to use an iris recognition system at most points of
entry.

Process

The biometric technology selected for the border-crossing and expellee identification
solution was required to:

• Identify a single person from a large population of people
• Rely on a biometric feature that does not change over time
• Use biometric features that can be acquired quickly
• Be easy to use
• Respond in real-time for mass transit applications (i.e., airports)
• Be safe and non-invasive
• Scale into the millions and maintain top performance
• Be affordable

Solution

The project began in 2000, when iris recognition systems were installed at three major jails across the
country. The project was expanded to ports and airports in 2002. For example, at the
Dubai airport, one of the busiest in the world, all arriving passengers have to wait in line
to have their eyes scanned.

In the UAE application, the information obtained from the iris scan is sent via a distributed
communications network to the Central IrisCode® Repository located at the Abu Dhabi
Police General Headquarters. After an offender has his irises enrolled, the iris templates
are placed in the database. Subsequently, the offender simply looks at the iris recognition
reader that checks the iris in just over one second. With the strong support of H.R.H.
Sheikh Saif Bin Zayed, Minister of Interior, the UAE acquired the technology and license
for the iris recognition system from Iridian Technologies, which custom-developed a
system that suited the country’s requirements.

The UAE iris recognition system is a synthesis of three core components: iris cameras
with autofocus and autozoom, developed by LG Iris; iris recognition algorithms; and a
networked distributed server and communications architecture called “IrisFarm”,
developed by IrisGuard. It allows simultaneous enrollments into the central database
without interrupting parallel searching queries from multiple distributed stations, and
offers almost unlimited scalability to national populations of registered persons and
travelers without reduction in execution speed.

Iris enrollment stations consisting of 49 cameras are located in 22 deportation centers
around the country. A total of 81 cameras are installed in “Iris Finder Workstations” at
35 points across the UAE, including Abu Dhabi International Airport, Al Ain
International Airport, the two terminals of Dubai International Airport, Sharjah
International Airport, Fujairah Airport, Ras Al Khaimah International Airport, residency
departments and sea ports nationwide, and a number of police stations, prisons, and
deportation centers.

This figure shows the distributed and fully networked “IrisFarm” architecture
(IFA®) used for the UAE border crossing and expellee tracking system.

Results

As of December 2006, iris recognition systems installed at checkpoints nationwide had
detected around 107,000 deportees attempting to re-enter the country over the last four
years. “These illegals attempted to return to the country after they changed their names,
passports, and obtained job or visit visas,” commented Colonel Ahmad Nasser Al Raisi,
Director of the Central Operations at Abu Dhabi Police. In the first quarter of 2006,
11,360 deportees were detected, including 3,277 in Abu Dhabi, 3,977 in Dubai, 3,882 in
Sharjah, 168 in Fujairah, 29 in Umm Al Quwain, and eight in Ras Al Khaimah. This
averages out to about 126 people caught per day, which is more than last year’s daily
average of 90-95 people. The system supports approximately 1,000 new enrollments
each day. The central database contains approximately 1,050,000 enrollments, and can
be searched at the rate of 650,000 templates per second.

In this application, it is claimed that about 2 trillion random comparisons between images
of irises from people of various nationalities have been made over the past three years.
Colonel Al Raisi comments that the system “is absolutely accurate in detecting forgery and
impersonation attempts.” “It also helps prevent expelled foreigners from returning and
prevents wanted criminals from leaving the country, regardless of the identification
documents they use. The system also tracks movements of prison inmates.”

Although the iris recognition system was designed to prevent illegal immigrants and
former expellees from entering a country using fraudulent travel documents, by
comparing the iris biometric of all arriving passengers against a “negative watch list” of
detainees, all aspects of the IrisFarm architecture, cameras, and the core iris recognition
algorithms are equally suited for “positive” applications in which the main goal is to
enhance the convenience, speed, and efficiency of border-crossing formalities for
legitimate travelers.

The General Headquarters of Abu Dhabi Police has begun deploying new iris cameras
developed by IrisGuard, which offer higher resolution and smaller size than the cameras
originally acquired. Eventually, all existing cameras will be replaced with
newer-generation models.

A future initiative involves installing “e-gates” at all airports, which would speed up
entry and exit procedures. This system is already in place at the Dubai airport. For about
US$40, passengers can have their passports scanned, fingerprints and photo taken, and
have all this information stored on a card no bigger than a U.S. driver’s license. The card
is valid for two years. As of November 2005, approximately 200,000 e-cards had been
issued, which has also spawned commercial tie-ins. For example, travelers can combine
the e-card with an Emirates Airlines Skywards frequent-flyer card. Global banking group
ABN AMRO lets users get an e-card for about US$36 when they obtain a credit card
from the bank.

Cardholders do not have to wait in the long passport control lines and can have cards
scanned by turnstile machines similar to those at any U.S. subway station.

Additionally, the UAE is working on an identification card project that will serve the
“same purpose as the U.S. social security number.” The smart card will hold all of a person’s
information, including date of birth, fingerprints, driver’s license, health card,
employment authorization, picture, and passport information. Readers currently exist for
these cards, using fingerprint recognition. Eventually, this system will be expanded to
iris recognition.

Some statistics from the UAE application include:

• The UAE’s database holds over 1,050,000 iris codes
• There are:
  - 3.3 million searches per year
  - 2 trillion comparisons
  - 9,000 average searches per day
  - about 125 people caught per day
• Speed of search: 2 seconds
• 30 million people traveled to the UAE in 2005

What would they do differently next time? Lessons learned . . .

UAE officials had to adopt new security methods to detect if an iris has been dilated with
eye drops before scanning. Expatriates who were banned from the UAE started using eye
drops in an effort to fool the government’s iris recognition system when they tried to
re-enter the country. A new algorithm and a computerized step-by-step procedure have been
adopted to help officials determine whether an iris is in normal condition or an eye-dilating drop
has been used.

People are typically the weakest link in any security system.

Those considering adoption of a biometric-based identification system must remember to
consider system scalability, performance, vendor reliability and track record, and
interoperability of the biometric system with legacy systems and procedures.

It is imperative that the end-user organization, vendors and suppliers, integrators, and all
involved with the design and deployment of a biometric-based system fully understand
the problem(s) to be solved, analyze it thoroughly from different points of view, assess
the situation and need(s), do a pilot test of the new technology, make changes, and then
proceed to full deployment.

Sources and resources for this case study:

- Presentation by Lt. Mohammed Almualla, Head of Security, Abu Dhabi Police
General Headquarters to U.S. Biometric Consortium 2005 regarding UAE Iris
Expellee Tracking System. September 2005
- Kanellos, Michael. “Passports passé in United Arab Emirates”. CNET News.com
November 17, 2005
- Daugman, John; Malhas, Imad. Iris Recognition Border-crossing System in the UAE.
International Airport Review, Issue 2, 2004
- Hilotin, Jay B. Deportees caught with eyes wide open. Gulfnews.com April 2, 2006
- Tiron, Roxana. “Biometrics Systems Help Strengthen Border Security in Persian
Gulf Nation” National Defense magazine. June 2005
- “Iris scanner blocks 62,000 illegals”. Gulfnews.com May 3, 2006
- Malhas, Imad. Personal communication, December 2006.

Appendices

Appendix A – Biometric Selection/Application Checklist

Item | Target Date | Start Date | End Date | Other
Develop concept plan
Risk/vulnerability assessment
Current operational concept
Vulnerable resources
Threat sources
Threat scenarios
Consequence analysis
Proposed concept or action
Rough Order of Magnitude costs
Business case, ROI assessment
Develop Implementation plan
Operational/Functional requirements
Develop Statement Of Work (SOW)
Develop technical requirements
Evaluate potential providers
Provide for system design reviews
Identify direct costs
H/W & S/W
Processing power
System design
Modifications & upgrades
Installation cost
Licensing cost
Identify indirect or less obvious costs
Research, planning, selection costs
Implementation planning costs
IT staff training costs
End user education & training costs
Collecting data costs
Lost productivity costs
Security administration costs
System maintenance costs
Define & develop training program
Develop deployment & roll-out plan
Continue operations during installation
Train the trainers
Training end users
Exception processing during transition
Parallel access control systems
Schedule
Alerting workforce

Appendix B – Miscellaneous Resources

Advanced Biometric Research Center (ABRC)
Website: http://bmsildb.snu.ac.kr/sub.htm
Description: The ABRC works in collaboration with the Seoul National University,
Seoul, Biomedical Signal and Information Laboratory (BMSIL). The primary focus of
the research with BMSIL is on applications of biological signals and information for the
diagnosis of diseases and monitoring of individuals’ health status.

AIM Global
Website: www.aimglobal.org
Description: AIM is a global trade association comprising providers of components,
networks, systems, and services that manage the collection and integration of data with
information management systems. Serving more than 900 members in 43 countries, AIM
is dedicated to accelerating the growth and use of Automatic Identification and Data
Collection (AIDC) technologies and services around the world.

American Society for Industrial Security (ASIS)
Website: http://www.asisonline.org
Description: ASIS International is the largest international organization for professionals
responsible for security, including managers and directors of security.

Australian Biotechnology Association (Aus Biotech, Ltd.)
Website: http://www.ausbiotech.org
Description: The Australian Biotechnology Association is a hybrid organization with a
mixture of a traditional scientific society and an industry trade association. One of its
major aims is to link technical people in companies with public sector researchers.

AVIOS Inc.
Website: www.avios.com
Description: AVIOS, which stands for Applied Voice Input/Output Society, is a
23-year-old, not-for-profit professional membership organization founded as the American Voice
Input/Output Society, with the name later changed to reflect growing international
participation. Their goals are to provide resources to the speech community that will help
create quality applications of advanced speech technology, including applications of
speech recognition, speech synthesis and speaker authentication.

BioAPI Consortium
Website: http://www.bioapi.org/
Description: The BioAPI Consortium was formed to develop a widely available and
widely accepted API that will serve for various biometric technologies. The intent is to
work with industry biometric solution developers, software developers, and system
integrators to leverage existing standards to facilitate easy adoption and implementation,
develop an OS-independent standard, and make the API biometric-independent. Version
1.1 of the BioAPI specification has been published as ANSI/INCITS 358-2002. BioAPI
Version 2.0 has been published as ISO/IEC 19784-1:2006.

The Biometric Consortium
Website: http://www.biometrics.org/
Description: The Biometric Consortium serves as a focal point for research, development,
testing, evaluation, and application of biometric-based personal identification/verification
technology.

Biometric Digest
Website: http://www.biodigest.com/
Description: Offers a variety of biometric and related e-newsletters.

The Biometrics Catalog
Website: http://www.biometricscatalog.org/ or www.biometrics.gov
Description: The Biometrics Catalog is a U.S. Government-sponsored database of
information about biometric technologies, including research and evaluation reports,
government documents, legislative text, news articles, conference presentations, and
vendors/consultants.

Biometrics EnAbled Mobile Commerce (BEAM) Consortium
Description: BEAM Consortium is focused on developing biometrics-based technological
solutions to the security problem faced by the users of future mobile commerce. The
purpose is to bring together interested parties in both industry and academia, to jointly
develop solutions that are capable of providing a personalized, easy-to-use and secured
transaction method.

Biometric Foundation
Website: www.biometricfoundation.org
Description: The Biometric Foundation, founded in August 2000, is dedicated to a
systematic program of research and education to reduce impediments to wide adoption
and use of all biometric technologies. The Foundation will address technical, societal,
and legal aspects of biometric technologies and their applications. Accordingly, the
Foundation's agenda will include studies of public attitudes toward uses of biometrics;
demonstration and evaluation of alternative biometric technologies; inquiry into
biometric standards issues; development of formal educational curricula that encourage
students to enter the field of biometrics as a professional career choice; and conferences
and seminars about the most effective uses of biometrics in key applications.

Biometrics Institute Ltd
Website: www.biometricsinstitute.org
Description: The Biometrics Institute is an independent not-for-profit membership
organization based in Australia and founded in July 2001. Its primary members are
government and business users of biometric services and products, with other
membership categories for vendors. Initial members are from Australia; however, members
are welcome from the wider Asia Pacific region.

Biometrics in Human Services User Group – Connecticut Department of Social Services
Website: http://www.dss.state.ct.us/digital.htm
Description: The focus of BHSUG is providing a platform for sharing ideas and
innovations, distributing findings, identifying best practices, recommending and creating
useful standards for both human services users and technology developers for this
market.

The Biometric Interoperability, Performance and Assurance Working Group
Website: http://www.nist.gov/bcwg
Description: This organization supports the advancement of technically efficient and
compatible biometric technology solutions on a national and international basis. It
consists of over 90 organizations representing biometric vendors, system developers,
information assurance organizations, commercial end users, universities, government
agencies, national labs and industry organizations.

Biometric Security Consortium (BSC)
Website: http://www.bsc-japan.com/en/
Description: The BSC promotes the formation of a coalition among industry,
government, and academia, whose main objective is to propose effective business models,
enhance the growth of biometrics technologies for the next generation industrial
infrastructure and improve global competition.

Biometric Testing Services (BIOTEST)
Description: A European project aimed at developing standard metrics for
measuring/comparing performance of biometric devices and establishing testing services.

Biometric Watch Newsletter
Website: http://www.biometricwatch.com
Description: A 10-issue-per-year, subscription-based biometric industry newsletter that is
e-mailed to subscribers.

BioPrivacy Initiative
Website: http://ww.bioprivacy.org
Description: Recognizing that biometric technologies are seeing increased usage in the
public and private sectors, International Biometric Group’s BioPrivacy Initiative defines
best practices as well as deployment and technology guidelines for maintenance of
personal and informational privacy in biometric deployments.

BioSec Biometric Security
Website: http://www.biosec.org
Description: BioSec is an Integrated Project (IP) where Biometrics and security play
together to leverage the trust and confidence in a wide spectrum of everyday applications.
Partners from nine countries constitute a critical mass in the Biometric area including
large companies, biometric HW/SW producers, prestigious universities and subject
matter experts.

Canadian Advanced Technology Alliance (CATA) Biometrics Group
Website: www1.cata.ca/biometrics/
Description: The Canadian Advanced Technology Alliance formed the CATA Biometrics
Group (CBG) to ensure that Canadian companies – those within the sector and those
using the technology – are equipped to thrive from an expanding market for biometric
technologies. It is a partnership of manufacturers, developers, and customers, and a focused
advocacy initiative backed by Canada's largest technology association. CATA
Biometrics Group works to create public acceptance of biometric technologies and to
speed the adoption of biometric solutions.

Center for Identification Technology Research
Website: http://www.citer.wvu.edu/about/mission.php
Description: CITeR is dedicated to serving the needs of their members by advancing the
performance of biometric systems through cross-cutting research for new enabling
technologies, interdisciplinary training of scientists and engineers through its biometrics
research, and the facilitation of the transfer of new biometrics technology to the private
and government sectors through its membership.

Communications-Electronics Security Group (CESG)
Website: http://www.cesg.gov.uk/
Description: CESG is the Information Assurance (IA) arm of the UK Government
Communications Headquarters (GCHQ) and is based in Cheltenham, Gloucestershire,
UK. The organization is the UK Government’s National Technical Authority for IA,
responsible for enabling secure and trusted knowledge sharing to help their customers
achieve their business aims.

COST 275
Website: http://www.fub.it/cost275/pages/_home_main/index.htm
Description: COST means Cooperation in the Scientific and Technological research,
focusing in part on biometrics-based recognition of people over the Internet.

DoD Biometric Management Office
Website: www.biometrics.dod.mil
Description: In December of 2000, DoD established the Biometrics Management Office
and the Biometrics Fusion Center and directed the Secretary of the Army, as DoD
Executive Agent, to "ensure that biometric technologies are integrated effectively into
information assurance systems, physical access control systems, best business practices,
and other DoD applications."

European Biometrics Forum (EBF)
Website: www.eubiometricforum.com
Description: The Forum is composed of some of Europe’s leading privacy, technology
and usability experts who are focused on establishing a realistic vision for the future of
the biometric industry in Europe in the context of a fast developing international market.
The objectives of this organization are to formally establish a roadmap for the EU
Commission which will investigate and advise on the likely commercial application of
biometrics over the forthcoming 10 years and to carry out clearly focused research into
key biometric areas.

Financial Services Technology Consortium (FSTC) (biometric fraud prevention)
Website: http://www.fstc.org
Description: Formed in 1993, FSTC is a consortium of leading North American-based
financial institutions, technology vendors, independent research organizations, and
government agencies. It brings forward, tests, proves, and validates the next generation of
critical financial services technologies.

ID Newswire
Website: http://www.cardtechnology.com/idnewswire.html
Description: A bi-weekly, four-page, electronic newsletter focused on developments and
trends in personal identification and biometric technologies.

International Association for Biometrics (iAfB)
Website: http://www.iafb.org.uk
Description: The iAfB, formerly the Association for Biometrics, provides a forum for the
European and wider International Biometrics Community to promote the development
and implementation of Biometric technologies, standards and applications through
education and awareness programs and the gathering and dissemination of best practices.

International Association for Identification (IAI)
Website: http://www.theiai.org
Description: The oldest and largest forensic organization in the world, providing a forum
where forensic specialists can interact.

International Biometric Industry Association (IBIA)
Website: www.ibia.org
Description: The International Biometric Industry Association (IBIA) is a trade
association founded in 1998 in Washington, D.C. to advance, advocate, defend and
support the collective international interests of the biometric industry. IBIA is governed
by and for biometric developers, manufacturers and integrators, and is impartially
dedicated to serve all biometric technologies in all applications.

International Center for Disability Resources on the Internet (ICDRI)
Website: http://www.icdri.org/biometrics/biometrics.htm
Description: Site includes papers and guidance for adapting biometric-based systems to
accommodate special needs users.

International Biometric Society (IBS)
Website: www.tibs.org
Description: The IBS is an international society promoting the development and
application of statistical and mathematical theory and methods in biosciences, including
agriculture, biomedical science and public health. Biologists, mathematicians,
statisticians, and others interested in its objectives are invited to become members.

International Civil Aviation Organization
Website: http://www.icao.int/
Description: Six strategic objectives of the Organization have been developed. They are:
Safety, Security, Environmental Protection, Efficiency and Regularity, Legal Framework
and Effectiveness. The strategic objectives are action oriented and present a range of
activities which include development, implementation and technical support.

Korea Biometric Association (KBA)
Website: http://www.biometrics.or.kr/eng/default.htm
Description: With the increase of information-oriented e-business, the necessity for strong user
authentication was brought out as an important issue. The Association is required to
activate the domestic biometric industry, present a vision of the biometrics field through exchange
between biometrics-related industry-university research institute and promote various
cooperative activities.

National Biometric Security Project (NBSP)
Website: http://nationalbiometric.org
Description: The NBSP is designed to perform an independent public service in support
of anti-terrorist and homeland security objectives. That service provides unbiased support
regarding application of biometric technology, from development of standards to focused
testing, research, training, and education for all levels of government and the private
sector that have responsibility for security of the civilian national infrastructure.

National Biometric Test Center
Website: http://www.biometrics.org/html/testcenter.html
Description: Although no longer active, the National Biometric Test Center was
established at San Jose University in the spring of 1997 by the Biometric Consortium to
establish a set of standards against which the performance of biometric technologies
could be evaluated and ranked.

Office of Law Enforcement Technology Commercialization
Website: http://www.oletc.org
Description: The Office of Law Enforcement Technology Commercialization (OLETC)
is a program of the National Institute of Justice (NIJ). OLETC assists in the
commercialization of innovative technology for use in law enforcement and corrections.
Their many successes are a direct result of OLETC’s ongoing commitment to assisting in
providing law enforcement, corrections and public safety professionals a safer and more
effective environment in which to conduct their daily operations.

Security Industry Association
Website: http://www.securitygateway.com
Description: Formed in 1969, the Security Industry Association (SIA) provides its
members with a full-service, international trade association promoting growth, expansion,
and professionalism within the security industry by providing education, research,
technical standards, representation, and defense of their members. SIA has over 300
member companies representing manufacturers, distributors, service providers,
integrators and others. SIA members are involved in several market segments such as
CCTV, access control, biometrics, computer security, fire/burglar alarms, and home
automation, just to name a few. Members work together to address issues facing the
industry and develop programs to enhance the environment in which they sell products
and services.

Swedish National Biometric Association (SNBA)
Website: http://biometricassociation.org
Description: SNBA has as its goal to strengthen the national knowledge about biometrics
in Sweden and be a focal point for knowledge transfer about biometric news, research
and commercial applications.

UK Biometrics Working Group
Website: www.cesg.gov.uk/technology/biometrics
Description: The UK Biometrics Working Group (BWG) co-ordinates the Office of the
e-Envoy (OeE) Biometrics Programme, the goal of which is to enable the use of biometric
authentication technology to support the OeE e-government aims and to facilitate the
adoption of biometrics in support of wider government business.

Appendix C – Biometric Publications

Books

Access Control and Personal Identification Systems
Author: Dan Bowers
Publisher: Butterworth-Heinemann, 1998

Advances in Fingerprint Technology
Author: Henry C. Lee, et al
Publisher: CRC Press, 1994

A renowned group of leading forensic, identification, and criminology experts present, in
this valuable work, exciting progress in fingerprint technology. Advances in Fingerprint
Technology covers major developments in latent fingerprint processing, including
physical, chemical, instrumental, and combination techniques. In addition to an
explanation of numerous methods and procedures of fingerprint technology, a renowned
group of leading forensic, identification, and criminology experts provides a concise
history of fingerprinting and briefly discusses Live-Scan and Image Transmission
networks. The book also includes an essential chapter on effective presentation of
fingerprint evidence in court.

Audio- and Video-based Biometric Person Authentication
First International Conference, AVBPA ’97, Crans-Montana, Switzerland
March 12-14, 1997
(Lecture notes in Computer Science, Vol. 1206)
Author: Gerard Chollet, et al
Publisher: Springer Verlag

This book constitutes the refereed proceedings of the First International Conference on
Audio- and Video-based Biometric Person Authentication, AVBPA'97, held in Crans-
Montana, Switzerland, in March 1997. The 49 revised papers presented were carefully
reviewed and selected by the program committee for inclusion in the book; also included
are four invited contributions. The papers are organized in sections on facial features
localization, lip and facial motion, visual non-face biometrics, face-based authentication,
text-dependent speaker authentication, text-independent authentication, audio-video
features and fusion, and systems and applications.

Audio- and Video-based Biometric Person Authentication
Third International Conference, AVBPA ’01, Halmstad, Sweden
June 6-8, 2001
Author: Josef Bigun, et al
Publisher: Springer Verlag

This book constitutes the refereed proceedings of the First International Conference on
Audio- and Video-based Biometric Person Authentication, AVBPA'01, held in Halmstad,
Sweden, in June 2001.

Authentication: From Passwords to Public Keys
Author: Richard E. Smith
Publisher: Addison-Wesley, 2001

Gives readers a clear understanding of what an organization needs to reliably identify its
users and how the different techniques for verifying identity are executed.

The Auto ID Book
Author: Glenn Lee
Publisher: Informatics, Ltd.

This comprehensive, but straightforward book wipes away the myth that bar codes are
complicated and difficult to implement. It begins by explaining how bar codes can help
improve productivity, accuracy, and timeliness of information in different environments.
To illustrate how bar codes have now become a universal practice, the book covers a
wide range of applications such as inventory, work in progress, point of sale, accounts
receivable, time and attendance, marketing and many others. You will find how these and
other applications relate to your work environment, and how they can easily be
implemented to increase productivity.

Automated Biometrics: Technologies and Systems
(The Kluwer International Series on Asian Studies in Computer and Information Science)
Author: David D. Zhang
Publisher: Kluwer Academic Publishers, 2000

Introduces the relative biometric technologies and explores how to design the
corresponding systems with in-depth discussion. Engineering applications of biometrics
to personal authentication and Chinese medicine are covered. The issues addressed in
this book are highly relevant to many fundamental concerns of both researchers and
practitioners of automated biometrics in computer and system security.

Automatic Fingerprint Recognition Systems
Author: Nalini Ratha, et al.
Published 2003

For intermediate to expert biometrics professionals and developers. It contains an
excellent collection of technical chapters written by authors who are experts on the
chapter's topic. Contrary to perhaps common belief, even after several decades of
research, automatic fingerprint recognition is not a solved problem. New fingerprint
sensing technologies, algorithmic advances, and abundant computing power continue to
drive advances in this area and to open up new realms of possibility.

Bantam User Guide: Biometric and Token Technology Application Modeling Language
Author: Julian Ashbourn
Publisher: Springer Verlag, 2002

Basic Latent Print Development
Author: James P. Mock
Publisher: Lightning Powder Company, 1993

This book can be used as a training text for new employees or can be read by beginners.
Many instructors use it as a primer for basic latent print development college classes.
Sections cover: How latent prints are deposited, Investigating the Crime Scene, Which
powders to use, How to lift and preserve the latent prints. There are simple-to-follow
sketches on how to powder a surface and how to tear and lift with tape.

Biometrics
Author: Nanavati
Publisher: John Wiley & Sons

Biometrics
Author: John D. Woodward, Jr., et al
Publisher: McGraw-Hill Osborne, 2002

Discover how to make biometrics -- the technology involving scanning and analyzing
unique body characteristics and matching them against information stored in a database --
a part of your overall security plan with this hands-on guide. Includes deployment
scenarios, cost analysis, privacy issues, and much more.

Biometrics: Advanced Identity Verification: The Complete Guide
Author: Julian D.M. Ashbourn
Publisher: Springer Verlag, 2000

An in-depth grounding in biometrics, specifically those applied to individual identity
verification. Serves as a reference for the academic researcher or student of biometrics,
and even has something to offer the non-technical reader. The CD-ROM contains
interesting utilities for Microsoft Windows environments.

Biometrics and Network Security
Author: Paul Reid
Publisher: Prentice Hall PTR, 2003

Covers a variety of biometric options, ranging from fingerprint identification to voice
verification to hand, face, and eye scanning. Approaching the subject from a practitioner's
point of view, Reid describes guidelines, applications, and procedures for implementing
biometric solutions for your network security systems.

Biometric Authentication: International ECCV 2002 Workshop
Author: Massimo Tistarelli, et al
Publisher: Springer Verlag, 2002

Biometric Authentication: A Machine Learning Approach
Author: S.Y. Kung
Publisher: Prentice Hall, 2004

As they improve, biometric authentication systems are becoming increasingly
indispensable for protecting life and property. This book introduces powerful machine
learning techniques that significantly improve biometric performance in a broad spectrum
of application domains. Three leading researchers bridge the gap between research,
design, and deployment, introducing key algorithms as well as practical implementation
techniques. They demonstrate how to construct robust information processing systems for
biometric authentication in both face and voice recognition systems, and to support data
fusion in multimodal systems.

Biometrics: Identity Verification in a Networked World
Author: Samir Nanavati, et al
Publisher: John Wiley & Sons, 2002

An in-depth look at biometrics, focused on critical issues such as accuracy, privacy,
technology capabilities, and cost-effective deployment. Written by leading industry
authorities.

Biometrics for Network Security
Author: Paul Reid
Publisher: Prentice Hall, 2003

Network security has become the latter-day equivalent of oxymoronic terms like "jumbo
shrimp" and "exact estimate." Newspaper headlines are routinely peppered with incidents
of hackers thwarting the security put forth by the government and the private sector. As
with any new technology, the next evolution of network security has long languished in
the realm of science fiction and spy novels. It is now ready to step into the reality of
practical application. The book covers a variety of biometric options, ranging from
fingerprint identification to voice verification to hand, face, and eye scanning.
Approaching the subject from a practitioner's point of view, the author describes
guidelines, applications, and procedures for implementing biometric solutions for
network security systems.

Biometric Inverse Problems
Author: Svetlan Yanushkevich
Publisher: Taylor & Francis Group, 2005

Biometrics in Agricultural Science
Author: Shu Geng, et al
Publisher: Kendall/Hunt Publishing Company, 1997

Biometrics: Personal Identification in Networked Society
Author: Anil Jain, et al
Publisher: Kluwer Academic Publishers, 1999

General principles and ideas of designing biometric-based systems and their underlying
tradeoffs. Identification of important issues in the evaluation of biometrics-based
systems. Integration of biometric cues, and the integration of biometrics with other
existing technologies. Assessment of the capabilities and limitations of different
biometrics. The comprehensive examination of biometric methods in commercial use
and in research development. Exploration of some of the numerous privacy and security
implications of biometrics. Also included are chapters on face and eye identification,
speaker recognition, networking, and other timely technology-related issues.

Biometric Solutions for Authentication in an E-World
Author: David Zhang, et al
Publisher: Kluwer Academic Publishers, 2002

Biometric Solutions for Authentication in an E-World provides a collection of sixteen
chapters containing tutorial articles and new material in a unified manner. This includes
the basic concepts, theories, and characteristic features of integrating/formulating
different facets of biometric solutions for authentication, with recent developments and
significant applications in an E-world. This book provides the reader with a basic concept
of biometrics, an in-depth discussion exploring biometric technologies in various
applications in an E-world. It also includes a detailed description of typical biometric-
based security systems and up-to-date coverage of how these issues are developed.
Experts from all over the world demonstrate the various ways this integration can be
made to efficiently design methodologies, algorithms, architectures, and implementations
for biometric-based applications in an E-world. Biometric Solutions for Authentication
in an E-World meets the needs of a professional audience composed of researchers and
practitioners in industry and graduate-level students in computer science and engineering.
Researchers and practitioners in research and development laboratories working in fields
of security systems design, biometrics, immigration, law enforcement, control, pattern
recognition, and the Internet will benefit from this book.

Biometric Systems: Technology, Design, and Performance
Author: James Wayman, et al
Publisher: Springer Verlag, 2004

Focuses on the technologies of fingerprint, iris, face, and speaker recognition, how they
have evolved, how they work, and how well they work. Examines the challenges of
designing and deploying biometrics in people-centered systems, and concludes with
discussions on the legal and privacy issues of biometric deployments from both European
and US perspectives.

Computational Algorithms for Fingerprint Recognition
Author: Bir Bhanu, et al
Publisher: Kluwer Academic Publishers, 2003

Cutaneous Biometrics
Author: Doris A. Schwindt, et al
Publisher: Plenum PR, 2001

Department of Homeland Security
Author: Michael Kerrigan, et al
Publisher: Mason Crest Publishers, 2003

Dynamic Vision: From Images to Face Recognition
Author: Shaogang Gong, et al
Publisher: Imperial College Press, 2000

This book describes the latest models and algorithms that are capable of performing face
recognition in a dynamic setting. The key question is how to design computer vision and
machine learning algorithms that can operate robustly and quickly under poorly
controlled and changing conditions. Consideration of face recognition as a problem in
dynamic vision is perhaps both novel and important. The algorithms described have
numerous potential applications in areas such as visual surveillance, verification, access
control, video-conferencing, multimedia and visually mediated interaction.

Enhanced Methods in Computer Security, Biometric, and Artificial Intelligence Systems
Author: Jerzy Pejas
Publisher: Springer, 2004

This book contains over 30 contributions from leading European researchers showing the
present state and future directions of computer science research. In addition to other
topics, the book covers three important areas of security engineering in information
systems: software security, public key infrastructure, and the design of new cryptographic
protocols and algorithms.

Fingerprint Detection with Lasers
Author: E. Ronald Menzel
Publisher: Marcel Dekker, 1999

Discusses laser fingerprint detection, which is, in its essence, the general application of
photoluminescence methodology to physical evidence examination, representing a new
paradigm in criminalistics.

Fingerprint Science: How to Roll, Classify, File, and Use Fingerprints
Author: Clarence Gerald Collins
Publisher: Cooperhouse Publishing, 1994

This work covers almost all areas of fingerprinting and identification.

Guide to Biometrics
Author: Ruud Bolle, et al
Publisher: Springer Verlag, 2004

This is a complete technical guide aimed at presenting the core ideas that underlie the
area of biometrics. It explains the definition and measurement of performance and
examines the factors involved in choosing between different biometrics. It also delves
into practical applications and covers a number of topics critical for successful system
integration. These include recognition accuracy, total cost of ownership, acquisition and
processing speed, intrinsic and system security, privacy and legal requirements, and user
acceptance.

Handbook of Fingerprint Recognition
Author: David Maltoni, et al.
Publisher: Springer Professional Computing, 2003

Reference on automatic fingerprint recognition providing in-depth coverage of the most
recent advances and practices, including sensing, feature extraction and matching,
synthetic fingerprint image generation, indexing, and multi-modal systems. For biometric
security professionals, researchers, developers, and systems administrators.

Handbook of Information Security Management
Author/Publisher: International Information Security Systems Certification Consortium,
1993

Homeland Security Law Handbook
Publisher: Government Law Institutes, 2003

Homeland Security Statutes 2003
Publisher: Government Institutes Research Group

Homeland Security Office
Author: Edward Lipton
Publisher: Nova Science Publishers, 2002

Homeland Security v. Constitutional Rights
Author: Ted Gottfried
Publisher: 21st Century Books

In this time of increased terrorism, how can we balance civil liberties with the risk to
American lives and property? Is criticism of the president unpatriotic? Can torture ever
be morally justified? Beginning with a detailed account of the 9/11 attack and its
aftermath, Gottfried addresses these questions as he discusses the recent history of
American war and defense, including the controversial Patriot Act.

How to Prove Yourself. Practical Solutions to Identification and Signature Problems
Advances in Cryptology—Crypto ’86, Volume 263
Author: A. Fiat, et al
Publisher: Springer Verlag, 1987

Human Identification: The Use of DNA Markers
Author: Bruce S. Weir
Publisher: Kluwer Academic Publishers

The ongoing debate on the use of DNA profiles to identify perpetrators in criminal
investigations or fathers in paternity disputes has too often been conducted with no regard
to sound statistical, genetic or legal reasoning. The contributors to Human Identification:
The Use of DNA Markers all have considerable experience in forensic science, statistical
genetics or jurimetrics, and many of them have had to explain the scientific issues
involved in using DNA profiles to judges and juries. Although the authors hold differing
views on some of the issues, they have all produced accounts which pay due attention to
the, sometimes troubling, issues of independence of components of the profiles and of
population substructures. The book presents the considerable evolution of ideas that has
occurred since the 1992 Report of the National Research Council of the U.S.

Implementing Biometric Security
Author: John Chirillo, et al
Publisher: John Wiley & Sons, 2003

Guide provides explanations and hands-on examples needed to understand, implement,
and apply security authentication methods that rely on fingerprints, retinal scans, speech
patterns, and facial thermography. Provides the basics and real-world uses for setting up
and maintaining a biometric security system in a LAN, WAN, or wireless infrastructure.

Implementing Homeland Security for Enterprise IT
Author: Michel Erbschloe
Publisher: Digital Press, 2003

This book shows what IT in organizations needs to accomplish to implement The National
Strategy for the Physical Protection of Critical Infrastructures and Key Assets and The
National Strategy to Secure Cyberspace, which were developed by the Department of
Homeland Security after the terrorist attacks of September 2001.

Intelligent Biometric Techniques in Fingerprint and Face Recognition
Author: L.C. Jain, et al
Publisher: CRC Press, 1999

A wide range of experts have contributed to this collection of articles discussing
established and emerging applications and techniques for face and fingerprint recognition
systems. The book includes literature reviews, discussions of neural network approaches,
methods of recognizing human faces, and intelligent fingerprint processing for minutia
and pore feature extraction and matching. This book would be most useful to researchers
and engineers interested in developing fingerprint and face recognition systems for a
variety of applications.

Multimodal Biometrics: Human Recognition Systems
Author: Arun A. Ross
Publisher: Springer, 2005

Consistent advances in biometrics help to address problems that plague traditional human
recognition methods and offer significant promise for applications in security as well as
general convenience. This book provides an accessible, focused examination of the
science and technology behind multimodal human recognition systems, as well as their
ramifications for security systems and other areas of application. It also describes the
various scenarios possible when consolidating evidence from multiple biometric systems
and examines multimodal system design and methods for computing user-specific
parameters.

The Myth of Homeland Security
Author: Marcus Ranum
Publisher: John Wiley & Sons, 2003

Text reveals the truth about 'feel-good' security policies and spending programs that mask
real threats and do nothing tangible to improve public safety.

Nondestructive Detection and Measurement for Homeland Security
Author: Steven R. Doctor
Publisher: SPIE – The International Society for Optical Engineering, 2003

Practical Biometrics: From Aspiration to Implementation
Author: Julian Ashbourn
Publisher: Springer Verlag, 2003

Containing a wealth of real world advice and written from an operational rather than
purely academic perspective, "Practical Biometrics" examines the many issues raised by
the application of biometric technologies to practical situations. This book concentrates
on the practical implementation of biometric verification techniques, with specific regard
to wide scale public applications. It acts as a practical guide to implementation,
identifying the associated issues around scalability, interoperability, ethnicity,
failure to enroll, user psychology, and features and benefits. Highlights
non-device-specific issues such as human factors, environment, privacy and data
protection. Focuses on the practical aspects of managing large-scale systems. Provides an
invaluable resource to program managers, application developers and consultants working
in this area.

Preparing the U.S. Army for Homeland Security: Concepts, Issues, and Options
Author: Eric Larson, et al
Publisher: Rand

Homeland security encompasses five distinct missions: domestic preparedness and civil
support in case of attacks on civilians, continuity of government, continuity of military
operations, border and coastal defense, and national missile defense. This report
extensively details four of those mission areas (national missile defense having been
covered in great detail elsewhere). The authors define homeland security and its mission
areas, provide a methodology for assessing homeland security response options, and
review relevant trend data for each mission area. They also assess the adequacy of the
doctrine, organizations, training, leadership, materiel, and soldier systems and provide
illustrative scenarios to help clarify Army planning priorities. The report concludes with
options and recommendations for developing more cost-effective programs and
recommends a planning framework that can facilitate planning to meet homeland security
needs.

Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier
Publisher: John Wiley & Sons, 2000

Internationally recognized computer security expert Bruce Schneier offers a practical,
straightforward guide to achieving security throughout computer networks. Schneier uses
his extensive field experience with his own clients to dispel the myths that often mislead
IT managers as they try to build secure systems. This practical guide provides readers
with a better understanding of why protecting information is harder in the digital world,
what they need to know to protect digital information, how to assess business and
corporate security needs, and much more.

The Practical Intrusion Detection Handbook
Author: Paul E. Proctor
Publisher: Prentice-Hall, 2001

Security, ID Systems, and Locks: The Book on Electronic Access Control
Author: Joel Konicek
Publisher: Butterworth-Heinemann, 1997

Written by the President of a leading manufacturer of access control systems. However, it
is not biased towards his own company at all. It is an excellent introduction to Electronic
Access Control and the only worthwhile book on the subject. If your business needs, or
might need, an electronic access control system, this book will tell you everything you
need to know to buy and manage one.

U.S. Department of Homeland Security Handbook
Author: USA International Business Publications, 2003

Voice and Speech Processing
Author: Thomas Parsons
Publisher: McGraw-Hill, 1987

Voice Recognition
Author: Richard Klevans
Publisher: Artech House, 1995

This revised scholarly work on voice recognition technology outlines cutting-edge
research in this exciting area of computer science. The book begins with a readable
historical introduction to speech synthesis, speech recognition, and speaker classification.
(According to the authors, Alexander Graham Bell was actually working on the problem
of speech synthesis when he invented the telephone.)

When To Use Biometrics
Author: Hagai Bar-El, 2003

Biometrics systems have become common over the years. Their ease of use for the end
user and their perceived security make them seem to be the best solution to any problem
involving user authentication. Although biometric systems can provide fast and secure
user authentication with minimal user intervention, they have several inherent limitations
making them inappropriate for most environments where authentication is used. The
focus of this paper is not the possible use-cases of biometry, but rather it is those
limitations that are neither biometry type-specific nor implementation-specific and that
make biometric measures limited in their scope of possible users.

Who Are You? The Encyclopedia of Personal Identification
Author: Scott French
Publisher: Biblio Distribution

Market and Technology Reports

The 2003-2004 Directory of Homeland Security
Author: Northern Virginia Technology Council
Publisher: Tech Wire Media Group

Comprehensive organizational chart for the new Department of Homeland Security;
detailed descriptions of offices and initiatives associated with the new Department of
Homeland Security; list of homeland security responsibilities for federal departments and
agencies; FY2004 budget information for federal departments and agencies; listings for
national organizations working on homeland security; and helpful resources on selling
products to the federal government.

Army Biometric Applications: Identifying and Addressing Sociocultural Concerns
Author: John D. Woodward
Publisher: RAND, 2002

With concern about its information assurance systems and physical access control
increasing, the Army has undertaken an assessment of how it can use biometrics to
improve security, efficiency, and convenience. This report examines the sociocultural
concerns that arise among soldiers, civilian employees, and the general public when the
military mandates widespread use of biometrics. The authors see no significant legal
obstacles to Army use of biometrics but recommend that the Army go beyond the
provisions of the Privacy Act of 1974 to allay concerns related to this emerging
technology. This report should be of interest to those responsible for access control as
well as anyone concerned about privacy and technology issues.

The Army and Homeland Security: A Strategic Perspective
Author: Antulio Joseph Echevarria
Publisher: Strategic Studies Institute, U.S. Army War Co., 2001

Biometrics and Smart Cards
Author/Publisher: International Biometric Group, 2003

Smart cards and biometrics are strongly synergistic technologies whose acceptance in the
U.S. market is being driven by the desire in many applications for token-based as
opposed to centralized biometric functionality. Increased opportunities are present for
large-scale biometrics and smart card usage in public sector ID applications. However,
various competing and proprietary technologies in both the biometric and smart card
markets pose problems for institutions interested in large-scale deployment, as there is
risk of technology obsolescence or over-reliance on a single vendor. This report identifies
challenges that deployers and vendors face in adopting and developing this technology.
Exclusive analysis in this report leverages years of hands-on experience testing and
deploying biometrics and smart card technologies, years of interaction with leading
vendors, and extensive evaluation of the technology for large-scale applications.

The Biometrics Industry Report: Forecasts and Analysis to 2006
2nd Edition
Author: Mark Lockie
Publisher: Elsevier Advanced Technology

The second edition of The Biometrics Industry Report - Forecasts and Analysis to 2006
examines the current use and future growth of biometrics. It analyses the trends in
markets, technologies and industry structure and profiles the major players. The report
provides key market statistics and forecasts essential for companies to plot their future
growth strategies.

Biometrics: A Look at Facial Recognition
Author: John D. Woodward, et al
Publisher: RAND, 2003

During the 2002 Virginia General Assembly, Delegate H. Morgan Griffith sponsored
legislation setting legal parameters for public sector use of facial recognition technology
in Virginia. The Virginia State Crime Commission, a standing legislative commission of
the Virginia General Assembly, is statutorily mandated to make recommendations on all
areas of public safety in the Commonwealth of Virginia. RAND analyst John D.
Woodward, Jr. presented this briefing to the Virginia State Crime Commission Facial
Recognition Sub-committee in September 2002. It does not make specific policy
recommendations, rather defines biometrics and discusses examples of the technology,
explaining how biometrics may be used for authentication and surveillance purposes.
Facial recognition is examined in depth, to include technical, operational, and testing
considerations. It concludes with a discussion of the legal status quo with respect to
public sector use of facial recognition.

Biometric Market Report: 2003-2007
Author/Publisher: International Biometric Group

The industry’s most comprehensive, extensive, and authoritative analysis of biometric
technologies, applications, and global markets. The report provides post-9/11 market
data and real-world guidance to biometric technology deployers, developers, investors,
and researchers.

Biometrics and Privacy: Assessing Deployment and Technology Risks
Author/Publisher: International Biometric Group, 2003

For organizations not yet prepared to execute a full privacy impact assessment of a
biometric deployment or technology, this report provides a framework for understanding
privacy issues in biometric technologies. With a review of framing legislation, discussion
of information and personal privacy issues, and detailed evaluation of the application-
specific and technology-specific risks posed by biometric technology, this report is
essential due diligence for any biometric deployer in the commercial, civil, or
employment sector.

Biometric Systems: Worldwide Deployments, Market Drivers, and Major Players
December 2002
Author: John Chang
Publisher: Allied Business Intelligence

"Numerous industries will accelerate their biometric deployments as the advantages of
deploying biometrics outweigh the capital expenditures in the technology. Furthermore,
biometric vendors will establish operational support systems necessary to offer an
efficient and scalable network by the third quarter of 2003", said John W. Chang, ABI
Senior Analyst and author of the report. "All the major airports within North America,
Europe, and Asia will have multiple biometric technologies implemented within the
airports, including facial recognition for criminal surveillance, iris recognition for
frequent traveler check-in, hand geometry for time and attendance verification of airport
employees, and fingerprint scanning for secured physical access."

Biometric Technology Standards for Iris Technology
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Fingerprint Technology
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Border Entry and MRTDs
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Performance Testing
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Facial Recognition Technology
Author/Publisher: International Biometric Group, 2003

Face Recognition: Cognitive and Computational Processes
Author: Sam S. Rakover, et al
Publisher: University of Haifa/Oakland University, Michigan, 2001

Provides an original approach to criminological applications. The book discusses
original ideas on conceptualizing face perception and recognition in tasks of facial
cognition, developing the schema theory and the catch model, and introducing a
discovery of the proposed law of face recognition by similarity.

Homeland Security: State of the Industry Assessment 2002
Author: Acclaro Growth Partners
Publisher: MarketResearch.com, 2002

The objective of this report is to analyze the market opportunity for homeland defense-
related products and services. It is intended to help interested investors make timely
investment decisions; assist current market participants in devising expansion plans, and
advise potential participants in evaluating market opportunities. The assessment is based
on the perspective of a variety of industry executives, including manufacturers,
distributors, end-users, and a wealth of third party and secondary research sources. This
report includes fact and opinion-based information and is presented with charts,
discussion, and analysis that describes and assesses the raw data. The information in this
study pertains to the US market for homeland defense-related products and services.

Homeland Security: Best Practices for Local Government
Author: Roger L. Kemp
Publisher: Intl City/County Mgt. Association, 2003

Homeland Security: Biometrics
October 2003
Author/Publisher: Foster Bryan Ltd.

A comprehensive analysis of how biometrics, including iris recognition, fingerprint
analysis, and eight other technologies, may be used in homeland security applications.

Industry Insight: President Gives Homeland Security the Green Light but Vendors
Should Proceed with Caution
Author/Publisher: IDC

This IDC Flash analyzes the newly approved Department of Homeland Security's impact
on IT spending.

Market Opportunities in Homeland Security
Author: Richard K. Miller & Associates
Publisher: MarketResearch.com, 2003

This is a comprehensive analysis of public- and private-sector business opportunities in
the rapidly expanding $100 billion homeland security marketplace. Topics include
critical infrastructure, first responders, public health preparedness, corporate programs,
risk and vulnerability assessments, physical security and detection technology. Market
opportunities are assessed for each market sector, including aviation, banking, border
protection, chemical processing, energy, food, ports, postal, surface transportation, and
water utilities. Included in the handbook are profiles of 170 companies involved in the
homeland security market place which will introduce you to potential new partners for
business ventures and provide you with a competitor analysis. The reference sections of
the handbook provide a complete guidebook to federal agencies, programs of all 50
states, periodicals, trade associations, academic programs and other market research
sources.

Multimodal Biometrics
Author/Publisher: International Biometric Group, 2003

International Biometric Group is at the forefront of multimodal biometrics (or multiple
biometrics) research. As part of IBG's involvement in the Information Technology
Standards (INCITS) Technical Committee M1, Biometrics, IBG is actively involved in
multimodal biometrics research. Multimodal biometric systems are those that utilize
more than one physiological or behavioral characteristic for enrollment, verification, or
identification. This report defines the basic variables and categories of variables involved
in multimodal biometric systems, addresses the current body of knowledge regarding
these systems, and surveys the market for current and emerging multimodal biometric
solutions.

National Strategy for Homeland Security
Author: George W. Bush
Publisher: Diane Publishing Co., 2003

Review and Evaluation of Biometric Techniques for Identification and Authentication:
Final Report
May 1999
Author: Dr. Despina Polemi

Includes an appraisal of the areas where various biometrics are most applicable.

Use of Biometric Technologies in MRTD Issuance and Border Entry/Exit Systems
Author/Publisher: International Biometric Group, 2003

This report provides essential material gathered from a number of IBG deliverables, and
is the culmination of IBG’s work to date on the complex topic of biometrics in border
control, immigration, and MRTD (machine readable travel document)/visa issuance. It is
designed to help agencies mitigate risks and gain an up-to-the-minute understanding of
performance, technology, policy, privacy, and standards issues involved in the use of
biometrics in MRTD and border entry applications.

Secure Human Identification Protocols
Author: Nicholas J. Hopper, et al
Publisher: Computer Science Dept., Carnegie Mellon University

An important challenge is providing secure authentication and identification for
unassisted humans. There are a range of protocols for secure identification that require
various forms of trusted hardware or software, aimed at protecting privacy and financial
assets. But how do we verify our identity, securely, when we don’t have or don’t trust
our smart card, palmtop, or laptop?

Science and Technology for Army Homeland Security: Report 1
Author: Committee on Army Service and Technology for Homeland Defense
Publisher: National Academy Press, 2003

State of Biometric Technology Standards
Author/Publisher: International Biometric Group, 2003

Designed for vendors, integrators, and deployers, the "State of Biometric Technology
Standards" report provides critical information on standards relevant to biometric
products, applications, and deployments. Standards addressed include BioAPI, BAPI,
CDSA/HRS, CBEFF, X9.84, M1 activities and SC37 activities (including interoperable
template formats, interoperable data formats, biometric performance testing, biometric
security evaluations), ANSI/NIST ITL 2000, ANSI B10.8, ICAO (SC17), biometrics and
card technologies, and biometrics and cryptographic systems (x.509). This report is
absolutely essential for organizations looking to use biometrics in government or
financial services applications.

State of Fingerprint Technology
Author/Publisher: International Biometric Group, 2003

This report provides a detailed assessment of fingerprint recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying fingerprint technology, years of interaction with leading fingerprint recognition
vendors, and extensive evaluation of the technology for large-scale applications.

State of Facial Recognition Technology
Author/Publisher: International Biometric Group, 2003

This report provides a detailed assessment of facial recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying facial recognition technology, years of interaction with leading facial
recognition vendors, and extensive evaluation of the technology for large-scale
applications. The report profiles key facial recognition vendors, including Identix,
Viisage and Cognitec, and provides facial recognition market projections through 2007. It
also examines significant facial recognition deployments and the impact of facial
recognition’s incorporation in machine readable travel document applications. The report
offers an in-depth analysis of facial recognition performance tests such as FRVT 2002,
discusses the use of facial recognition in multimodal biometric applications, and details
relevant facial recognition standards. The report also examines the emergence of 3D
facial recognition technology and details the landscape of the 3D facial recognition
marketplace, profiling vendors such as 3Dbiometrics, A4Vision, Geometrix,
Neurodynamics and Genex Technologies.

State of Iris Recognition Technology
Author/Publisher: International Biometric Group, 2003

This report provides a detailed assessment of iris recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying iris technology, years of interaction with leading iris recognition vendors, and
extensive evaluation of the technology for large-scale applications.

Appendix D – Education/Training Resources

Introductory Level Biometrics Courses

For those exploring the possibility who have not yet committed to a biometric system,
there are symposia, conferences, and short courses available that give a broad overview of
biometrics, highlighting the different technologies (“modalities”), their applications, and
the pros and cons of each.

• Biometric Technology: Web-based training course available for anyone, sponsored
  by the American Society for Industrial Security (ASIS) at
  http://www.stamhost.com/asis/

• Biometrics Technology: Web-based training course available for anyone,
  sponsored by Security Products Online at
  http://www.stamweb.com/spo/Biometrics.html

Medium Level Biometric Courses

For organizations that have decided to implement biometrics, or that want more
detail, there are longer courses available that cover technology selection, pros and
cons, and implementation details in greater depth. These courses can be attended by
middle managers, project officers, members of the IT staff and, in some cases, IT or
biometric technicians.

• The Biometric Knowledge Center (BKnC) at West Virginia University
• Biometric Systems Laboratory (University of Bologna, Italy)
• Center for Identification Technology Research (CITeR)
• Clarkson University Biomedical Signal Analysis Laboratory [21]
• Michigan State University Biometrics Research Homepage
• Purdue University Biometrics Standards, Performance and Assurance Laboratory
• San Jose State University's Biometric Identification Research Effort
• St. Lawrence University SABER
• Student Society for Advancement of Biometrics (SSAB) at West Virginia University
• National Biometric Test Center Collected Works 1997-2000, San Jose State
University, Edited by: James L. Wayman, Director, Version 1.3, August 2000
• The Biometrics Institute [22]

[21] Center for Identification Technology Research (CITeR). www.citer.wvu.edu/links.php
[22] http://www.itl.nist.gov/div893/biometrics/

• The Center for Automatic Identification, Ohio University
• The Speech Recognition Group, Rutgers University [23]
• University at Buffalo Center for Unified Biometrics and Sensors (CUBS)
• West Virginia University/FBI Forensic Identification Degree Program

Advanced Biometric Courses and Biometric Certificate Programs [24]

For academics and those who want to know the details of algorithms, the matching process,
the statistical basis for matching, and testing and evaluation, or for individuals
interested in earning a certificate in biometrics.

Consultants and Systems Integrators [25]

Consultants and systems integrators can provide needed guidance when evaluating the
need for, and the implementation of, biometric systems. The following is a list of
selected providers, according to The Biometric Consortium.

• Acuity Market Intelligence
• Biometric Technology, Inc.
• East Shore Technologies
• EyeIT.com, Inc.
• FingerPrint USA
• Fulcrum Strategic Partners, Inc.
• Higgins & Associates, International
• ID Technology Partners
• IDynta Systems, Inc.
• Info Data, Inc.
• Integrated Biometrics
• International Biometric Group (IBG)
• J. Markowitz, Consultants
• Justice Technology Information Network (JUSTNET)
• National Information Assurance Partnership (NIAP)
• Metrics Group
• MITRE
• Mitretek Systems - Biometric Identification
• NIST's Computer Security Resource Center (CSRC)
• Romsey Associates, Ltd.
• SyntheSys Secure Technologies, Inc.
• The Extranet for Security Professional (ESP)

[23] http://www.itl.nist.gov/div893/biometrics/
[24] Biometric Consortium, http://www.biometrics.org/html/links_to.html
[25] From The Biometric Consortium

• Trans Biometric Technologies
• Transecure, Inc.

Bibliography and References

In researching and compiling the BTAM, the authors relied heavily on secondary
research from already-published, public sources. The following sources and resources
represent works from which information and knowledge were used and referenced; their
authors are acknowledged and thanked for sharing this knowledge.

Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December
10, 2005.

“An Arresting Case for Biometrics.” Biometric Technology Today. May 2005

Anderson, Teresa. The Eyes Have It. Security Management magazine.

Biometric Information Directory. Grey House Publishing. www.greyhouse.com

Biometric Summit Winter 2006 Proceedings

“Biometrics and SSO: Helping in Healthcare” PowerPoint presentation from St.
Vincent Health

Biometrics in Corrections. National Law Enforcement and Corrections Technology
Center. TechBeat. Fall 2000.

Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality.
Reprinted from the December 2002 issue of Corrections Today, Vol. 64, No. 7

“Body Language: Using biometric Technology” March 1, 2002, American City &
County.

City of Glendale, Case Study Digital Persona. Digital Persona
http://www.digitalpersona.com

Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An
Experiment in a Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253.
January 2006.

Daugman, John. Combining Multiple Biometrics. The Computer Laboratory, Cambridge
University.

Facial Recognition: The Pinellas County Sheriff’s Office Experience. Presentation
provided by Scott McCallum

“Facial Recognition in Action.” Government Security. August 1, 2004.

Floyd, J. Michael. “Biometrics-The Future Competitive Edge” FE&S. January 2003

“University of Georgia Migrates Recognition Systems HandReaders Campus-wide” press
release from IR Recognition Systems. July 30, 1999

Haber, Lynn. “Glendale Locks Down PCs with Digital Persona Biometrics”, October
18, 2001, Ziff Davis http://techupdate.zdnet.com

“Hospital Adopts Biometric Security Solution for Workstations”.
www.findbiometrics.com

Immigration and Naturalization Service Passenger Accelerated Service System Pilot
Program. Audit Report 95-8, (3/95). Prepared by the Office of the Inspector General,
Audit Division.

“India eyes Iridian.” Optics Report. July 12, 2005

“Indian housing plan uses local technology.” Passage to India Business Weekly. July
2005.

“Iridian Technologies facilitates affordable housing program in Andhra Pradesh, India;
Iris Recognition system validates identification to ensure equal opportunity.”
www.zdnetindia.com/news July 13, 2005

Kiernan, Vincent. “Show Your Hand, Not Your ID” The Chronicle of Higher
Education-Information Technology. December 2, 2005

Kharif, Olga. “IriScan’s Leader Looks Secure” Business Week Online. July 5, 2005

“Lancaster County Prison uses new ID to keep eye on prisoners.”
http://www.naco.org/cnews/1996/96-06-24/17eye.htm

“LG Electronics lands huge iris scan program in India.” Government Security News.
September 2005.

“LGE Iris Tech Win in India Redefines Biometric Scalability.” LG Electronics press
release dated September 8, 2005.

Mintie, David. “Glendale, CA Goes with Biometrics”, Biometrics in Human Services
User Group Newsletter number 27, Volume 6, March 2, 2002. State of Connecticut

Misplaced Fears Impede Biometric Adoption. www.findbiometrics.com

New York Times Technology Review. April 5, 2006

“Partnering with Viisage to Prevent Identity Theft”

Peck, Bruce. “Rx for Password Headaches” Health Management Technology magazine.
January 2003

“Pinellas County Invests in Face-Recognition Technology.” Tampa Bay Business
Journal. October 8, 2002

“Pinellas County Sheriff’s Office Deploys New Mobile Identification Solution.”
Government Technology. June 18, 2004.

Riley, Jr., Richard A.; Kleist, Virginia Franke. “The biometric technologies business
case: a systematic approach” Information Management & Computer Security, Apr 2005
Volume: 13 Issue: 2 Page: 89 – 105.

Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb.
www.techweb.com January 23, 2006.

“St. Petersburg-Clearwater International Airport Deploys Viisage Technology Facial
Recognition Security”. Viisage press release. January 22, 2002.

“St. Vincent’s Hospital and Healthcare Center” client profile from Saflink Corporation

“St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client profile
from Computer Associates

“The National Biometrics Challenge” National Science and Technology Council (NSTC)
Subcommittee on Biometrics. August 2006

“University of Georgia Secures Campus with RSI HandReaders” press release from IR
Recognition Systems

Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld. October
2001.

“Viisage Awarded $2.4 Million Facial Recognition Contract from Pinellas County.”
Viisage press release. October 8, 2002.

“Who’s Who: Piece by puzzle piece, FL county checks suspects’ identities.”
Government Computer News. August 2, 2004.

Acknowledgements
A special thank you to the following individuals and organizations that contributed their
time and expertise to the development of this volume.

James Cambier
Valerie Evanoff
Eizen, Fineburg, and McCarthy, LP
Gates and Company
Walter Hamilton
Scott Harmon
Chris Hengensten
C.B. Boots Kuhla
Beth Langen
Scott McCallum
Mohammad Murad
Bruce Peck
Russ Ryan
John Siedlarz
Donald Smith
Samir Tamer
Cathy Tilton
Dr. James L. Wayman
Jerry Williams
Bill Wilson
