Security News > 2006 > August > Unlocking Fingerprints

Unlocking Fingerprints
2006-08-28 05:04

http://www.washingtonpost.com/wp-dyn/content/article/2006/08/27/AR2006082700511.html By Griff Witte Washington Post Staff Writer August 28, 2006 The technology has been the stuff of movies for years: A secret agent runs his fingertip and an encrypted ID card over a pair of sensors. There's a match, and the door swings open. In the coming months, a wave of government initiatives could start making such high-tech methods of identification commonplace -- beginning with the replacement this fall of federal employee IDs. Similar cards are planned for transportation workers, first responders and visitors to the United States. Packed with biometric data such as fingerprints and containing a computer chip with room to expand the amount of information stored, the new IDs represent a potential boon to technology companies eyeing an estimated $8 billion in identity-related contracts. Firms such as BearingPoint Inc. and Lockheed Martin Corp. have set up showcase identity labs, pulling technology from different companies into turnkey operations. Hundreds of smaller companies, down to manufacturers of plastic cards, are vying for part of the market. The biggest business opportunity still looms: Driver's licenses, which are due for a retooling under new federal laws. "When you're talking about credentialing the federal workforce and contractors, you're talking about maybe 10 million people. When you're talking first responders, you're at 20, 30 or 40 million people," said Thomas Greco, a vice president at Herndon-based Cybertrust Inc. "But when you're talking credentialing all registered drivers in the United States, you're up to hundreds of millions of people. Nobody is losing sight of that." In an era of chronic concern over terrorism and anxiety over immigration, the business of determining who is who has become increasingly urgent. But it is not without controversy. Americans have long resisted the idea of a national ID card, for example. The growing sophistication of computer databases and networks has heightened privacy concerns -- as have data breaches, from the theft or loss of government computers to AOL's online posting of 36 million keyword searches conducted by hundreds of thousands of subscribers. If the pool of government programs using the new identity technology gets large enough and the amount of information collected gets detailed enough, "there will be a lot of pressure for these programs to converge," creating a de facto national identity system, said Barry Steinhardt, director of the technology and liberty project at the American Civil Liberties Union. Use of a new government standard may prompt the private sector to follow. The banking, retailing and health-care industries are monitoring the federal initiatives, ready to apply stricter identity standards when dealing with their employees and customers. In an online world, the technology could also be used to establish that two people who never meet in person really are who they say they are. Federal agencies are supposed to begin issuing their new ID cards in October, complying with a 2004 Bush administration directive requiring more stringent methods for tracking who gets access to federal facilities. The new cards must meet a rigorous federal standard that details -- down to the size of the typeface -- what the new cards look like and how they are used. At a minimum, the IDs will require fingerprints and possibly retinal scans or other forms of biometric identification, depending on the agency. The cards are also likely to incorporate magnetic strips, personal identification numbers and digital photos, as well as holograms and watermarks to deter forgery. Before employees and contractors can get their new credentials, they will have to submit to a thorough background check, if they have not already. By employing multiple methods of checking identity, officials hope to make it as difficult as possible for someone other than a card's owner to use it. Ultimately, the cards will determine not just who gets into buildings but also who receives access to computer applications and files. Because the information needed to verify an individual's identity won't take up much space on the computer chip in each card, plenty more can be added. An employee's skills, work hours, medical history and job evaluations, for example, could all be included -- much to the dismay of civil liberties advocates. Already, other federal programs are borrowing from the new standard for government workers. A program to issue credentials to all transportation workers to monitor who has access to air and seaports, for instance, will subject those workers to much the same process as federal employees. In addition, the Real ID Act, approved by Congress last year, aims to standardize security features on driver's licenses by mid-2008. The Department of Homeland Security has not yet set the standards that states will have to follow. It probably won't include the advanced biometrics the federal government is using for its employees, and states are pushing hard to avoid a complex reengineering of the ubiquitous, low-tech driver's license. Nonetheless, the companies that make the cards, the scanning devices and the software needed to run identity systems are closely watching the driver's license requirements. They say they understand the privacy concerns but also expect that security will remain a top priority -- with ID standards likely to get stricter, the technology more sophisticated, and the business more profitable. "No one's going to want technology that just exposes them to more risk," said Greco, whose company, Cybertrust, focuses on information security. At BearingPoint's McLean offices, the company has set up a room to show off a range of identity systems, including machines for taking fingerprints, scanning irises, recognizing faces or even differentiating between individuals based on the shape of a hand. "We think it's a terrific area of opportunity," said Gordon Hannah, who leads BearingPoint's efforts to win identity contracts. Earlier this month, the General Services Administration awarded BearingPoint a five-year deal worth up to $105 million to supply new IDs to any agency that wants them. Agencies that do not buy their cards through the GSA contract are holding their own competitions. That may be just the beginning. A recent study by the Stanford Washington Research Group and an expert in identity management put the value of the 10 biggest U.S. identity initiatives at $8 billion over the next five years, with an additional $14 billion coming from overseas. From those programs, identity businesses expect other opportunities to emerge. "One of the inhibitors has been the cost of the technology. But with the widespread adoption by the government, the cost of everything is going to come down," said Jon Rambeau, director of credentialing at Bethesda-based Lockheed Martin. State and local governments are considered major potential buyers. Among their needs are credentials for first responders so that officials can verify the identity of people who show up to help in the event of an emergency. On the commercial side, too, boosters of identity technology say the opportunities abound. Banks, for instance, may want secure cards that can guarantee that someone trying to cash a check really is the intended recipient. Hospitals are looking into using the identity systems for a more reliable way of accessing medical records. And retailers have been working on allowing consumers to make purchases with the swipe of a finger, instead of a card. Nor do the opportunities stop at the U.S. border. California-based contractor Computer Sciences Corp. has enrolled 40 million people in identity programs worldwide. But on a planet of 6.5 billion, the company thinks it has only scratched the surface. "Each country has exactly the same issues: How do you facilitate security, facilitate movement across borders and protect privacy all at the same time?" said Tim Ruggles, CSC's director of border and immigration solutions. "That's a tough one." Copyright 2006 The Washington Post Company _________________________________ HITBSecConf2006 - Malaysia The largest network security event in Asia 32 internationally renowned speakers 7 tracks of hands-on technical training sessions. Register now: http://conference.hitb.org/hitbsecconf2006kl/


News URL

http://www.washingtonpost.com/wp-dyn/content/article/2006/08/27/AR2006082700511.html