[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
               ENSURING THE SECURITY OF AMERICA'S BORDERS
                 THROUGH THE USE OF BIOMETRIC PASSPORTS
                      AND OTHER IDENTITY DOCUMENTS

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 22, 2005

                               __________

                           Serial No. 109-24

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                    U.S. GOVERNMENT PRINTING OFFICE
26-515                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½0900012005


                     COMMITTEE ON HOMELAND SECURITY

                 Christopher Cox, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania            Edward J. Markey, Massachusetts
Christopher Shays, Connecticut       Norman D. Dicks, Washington
Peter T. King, New York              Jane Harman, California
John Linder, Georgia                 Peter A. DeFazio, Oregon
Mark E. Souder, Indiana              Nita M. Lowey, New York
Tom Davis, Virginia                  Eleanor Holmes Norton, District of 
Daniel E. Lungren, California        Columbia
Jim Gibbons, Nevada                  Zoe Lofgren, California
Rob Simmons, Connecticut             Sheila Jackson-Lee, Texas
Mike Rogers, Alabama                 Bill Pascrell, Jr., New Jersey
Stevan Pearce, New Mexico            Donna M. Christensen, U.S. Virgin 
Katherine Harris, Florida            Islands
Bobby Jindal, Louisiana              Bob Etheridge, North Carolina
Dave G. Reichert, Washington         James R. Langevin, Rhode Island
Michael McCaul, Texas                Kendrick B. Meek, Florida
Charlie Dent, Pennsylvania

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Christopher Cox, California (Ex      (Ex Officio)
Officio)

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Economic Security, Infrastructure Protection, and 
  Cybersecurity:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Economic Security, Infrastructure Protection, and Cybersecurity     3
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, and Chairman, Committee on Homeland 
  Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................     8
The Honorable Donna M. Christensen, a Delegate in Congress From 
  the U.S. Virgin Islands........................................    32
The Honorable Norman D. Dicks, a Representative in Congress From 
  the State of Washington........................................    27
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island.................................    31
The Honorable John Linder, a Representative in Congress From the 
  State of Georgia...............................................    26
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California............................................    19
The Honorable Stevan Pearce, a Representative in Congress From 
  the State of New Mexico........................................    29

                               WITNESSES
                                Panel I

Ms. Elaine Dezenski, Acting Assistant Secretary, Director for 
  Border and Transportation Security, Department of Homeland 
  Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Mr. Frank Moss, Deputy Assistant Secretary, Consular Affairs, 
  Department of State:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14

                                Panel II

Dr. Martin Herman, Information Access Division Chief, National 
  Institute of Standards and Technology:
  Oral Statement.................................................    42
  Prepared Statement.............................................    43
Mr. C. Stewart Verdery, Jr. Principal, Mehlman, Vogel, and 
  Castagnetti, Inc.:
  Oral Statement.................................................    46
  Prepared Statement.............................................    48
Mr. Gregory Wilshusen, Director of Information Security Issues, 
  Government Accountability Office:
  Oral Statement.................................................    55
  Prepared Statement.............................................    57


                   ENSURING THE SECURITY OF AMERICA'S
                  BORDERS THROUGH THE USE OF BIOMETRIC
                PASSPORTS AND OTHER INDENTITY DOCUMENTS

                              ----------                              


                        Wednesday, June 22, 2005

                          House of Representatives,
                 Subcommittee on Economic Security,
               Infrastructure Protection, and Cybersecurity
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:04 a.m., in 
Room 2257, Rayburn House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Cox, Linder, Souder, 
Pearce, Sanchez, Thompson, Dicks, Christensen, Lofgren, and 
Langevin.
    Mr. Lungren. [Presiding.] The Committee on Homeland 
Security, Subcommittee on Economic Security, Infrastructure 
Protection and Cybersecurity will come to order.
    The subcommittee is meeting today to hear testimony on 
ensuring the security of America's borders through the use of 
biometric passports and other identity documents.
    I would like to start by thanking the witnesses on both 
panels for being with us today and on relatively short notice.
    The purpose of today's hearing is to examine the current 
and future use of biometric technology in travel documents. The 
issues of document integrity and identity verification are key 
to our national efforts to enhance border security and combat 
terrorist travel.
    Today's hearing provides an opportunity to examine progress 
made in this area by reviewing two recent announcements by the 
Department of Homeland Security: Number one, the changes in the 
passport requirements for Visa Waiver Program travelers and, 
two, the pilot program to test the use of contact with chips in 
passports.
    On June 15, 2005, the Department of Homeland Security 
announced that Visa Waiver Program countries would be required 
to producer tamper-resistance digital photographs on newly 
issued passports, beginning on October 26, 2005. Within another 
year their passports would be required to have an integrated 
chip capable of storing biographic and biometric information.
    The announcement grew out of requirements enacted into law 
as part of the Enhanced Border Security and Visa Entry Reform 
Act of 2002, which required that each visa waiver country 
government certify by October 26, 2004 that it had established 
a program to issue tamper-resistance, machine-readable 
passports that incorporate a biometric identifier matching 
standards established by the International Civil Aviation 
Organization.
    Faced with the certainty that very few countries would meet 
the original deadline, last year Congress approved an extension 
of the deadline by an additional year to October of 2005. The 
announcement last week represents the Department's proposed 
compromise between the administration, the Congress and the VWP 
countries, many of whom would have still failed to meet the 
deadline had the Department of Homeland Security insisted that 
the Visa Waiver Program country passports actually contain a 
biometric chip as of the date, October 2005.
    I look forward to hearing from our witnesses about the 
rationale behind these decisions, how these new requirements 
will strengthen security and actually be implemented in the 
field and how they will be integrated with existing security 
programs, particularly US-VISIT.
    I also look forward to exploring the security limits of our 
strategy, as outlined to date, particularly with respect to the 
use of biometrics to actually help us confirm traveler identity 
and screen for potential terrorists, criminals and immigration 
law violators.
    With over 15 million Visa Waiver Program travelers entering 
the United States each year, travel facilitation is essential, 
as is ensuring that this program will not become an avenue for 
terrorists to gain entry into the U.S.
    The 9/11 Commission report released last year highlighted 
the issue of terrorist travel and terrorist exploitation of 
travel documents. The Commission report stated, in part, 
``Terrorists must travel clandestinely to meet, train, plan, 
case target and gain access to attack.'' In their travels, 
terrorists use evasive methods, such as altered and counterfeit 
passports and visas, specific travel methods and routes, 
liaisons with corrupt government officials, human smuggling 
networks, supportive travel agencies and immigration identity 
fraud.
    Strengthening document security and our ability to verify 
travelers' identity is essential if we are to prevent 
terrorists easy access to America. Information sharing between 
governments is thus a critical layer in our security system. 
The Department's announcement last week also contained new 
requirements for the Visa Waiver Program countries concerning 
lost and stolen passports, and that is extremely important.
    Having access to a list of potentially compromised 
passports will enable inspectors and consular officers overseas 
to have a greater ability to judge legitimate documents.
    Finally, this hearing will provide the subcommittee with an 
opportunity to examine where the field of biometrics is headed 
and how with proper privacy safeguards this technology can be 
used to strengthen our capabilities to intercept, disrupt and 
prevent terrorists from entering the U.S.
    Again, I thank the witnesses for being here and for the 
effort that went into their testimony.
    Again, I thank our witnesses for being here, and for the 
effort that went into their testimony.
    I now recognize the ranking member, the gentlelady from 
California, for any opening statement she may wish to make at 
this time.

        Prepared Opening Statement of the Hon. Daniel E. Lungren

    I would like to start by thanking the witnesses on both panels for 
being with us today, and on relatively short notice. The purpose of 
today's hearing is to examine the current and future use of biometric 
technology in travel documents. The issues of document integrity and 
identity verification are key to our national efforts to enhance border 
security and combat terrorist travel.
    Today's hearing provides an opportunity to examine progress made in 
this area by reviewing two recent announcements by the Department of 
Homeland Security (DHS):
        1. changes in the passport requirements for Visa Waiver Program 
        (VWP) travelers, and
        2. a pilot program to test the use of contactless chips in 
        passports.
        On June 15, 2005, the Department of Homeland Security announced 
        that Visa Waiver Program countries would be required to produce 
        tamper-resistant digital photographs on newly-issued passports 
        starting on October 26, 2005. Within another year, their 
        passports would be required to have a integrated chip capable 
        of storing biographic and biometric information.
    This announcement grew out of requirements enacted into law as part 
of the Enhanced Border Security and Visa Entry Reform Act of 2002, 
which required that each Visa Waiver Country government certify by 
October 26, 2004, that it had established a program to issue tamper-
resistant, machine-readable passports that incorporate a biometric 
identifier matching standards established by the International Civil 
Aviation Organization (ICAO). Faced with the certainty that very few 
countries would meet that original deadline, last year Congress 
approved an extension of the deadline by one additional year, to 
October of 2005.
    The announcement last week represents the Department's proposed 
compromise between the Administration, Congress, and the VWP countries, 
many of whom would have still failed to meet the deadline had DHS 
insisted that the VWP country passports actually contain a biometric 
chip as of October 2005.
    I look forward to hearing from our witnesses about the rationale 
behind these decisions, how these new requirements will strengthen 
security and actually be implemented in the field, and how they will be 
integrated with existing security programs, such as US-VISIT. I also 
look forward to exploring the security limits of our strategy as 
outlined to date, particularly with respect to the use of biometrics to 
actually help us confirm traveler identity and screen for potential 
terrorists, criminals, and immigration law violators.
    With over 15 million VWP travelers entering the United States each 
year, travel facilitation is essential--as is ensuring this program is 
not an avenue for terrorists to gain entry to the U.S. The 9/11 
Commission report, released last year, highlighted the issue of 
terrorist travel and terrorist exploitation of travel documents. The 
Commission report stated: ``Terrorists must travel clandestinely to 
meet, train, plan, case targets, and gain access to attack. . .In their 
travels, terrorists use evasive methods, such as altered and 
counterfeit passports and visas, specific travel methods and routes, 
liaisons with corrupt government officials, human smuggling networks, 
supportive travel agencies, and immigration and identity fraud.''
    Strengthening document security and our ability to verify 
travelers' identity is essential to preventing terrorists easy access 
to America. Information sharing between governments is thus a crucial 
layer in our security system. The Department's announcement last week 
also contained new requirements for VWP countries concerning lost and 
stolen passports. Having access to a list of potentially compromised 
passports will enable inspectors and consular officers overseas to have 
greater ability to judge legitimate documents.
    Finally, this hearing will provide the Subcommittee with an 
opportunity to examine where the field of biometrics is headed and how, 
with proper privacy safeguards, this technology can be used to 
strengthen our capabilities to intercept, disrupt, and prevent 
terrorists from entering the United States.

    Mr. Lungren. I now recognize the Ranking Member, the 
gentlelady from California, for any opening she may wish to 
make.
    Ms. Sanchez. Thank you, Mr. Chairman. First of all, let me 
thank you for holding this hearing. I think it is a very 
important hearing.
    And thank the witnesses for presenting for us today.
    I am pleased that we are holding this on biometric 
passports and other identity documents. I think these are two 
very specific passport initiatives. There are two very specific 
passport initiatives that I hope that our witnesses will 
address today. The first is the elimination of the Western 
Hemisphere passport exemption in the 9/11 bill, and the second 
is the Visa Waiver Program.
    I represent a district in California. It is based on a lot 
of tourism. We have Disneyland, we have Los Angeles Airport not 
too far from us, the port is the third largest entry port of 
cargo coming in. We have a border to the south of us, about an 
hour and a half drive from where we are. And if there is a 
threat to our country, California would be one of the first 
places that we would look at and some of the other border 
states. So this is a very important issue to us about how 
people get in to our country.
    I think we need to do everything we can to secure borders, 
but we have also got to understand that there is a lot of 
commerce that happens through the port, through the airport and 
across our land borders, and there is a lot of movement of 
goods and people. And it is critical for our economy, for our 
prosperity that we sort of get a handle on how we are moving 
things and how we are checking things come in.
    So I am interested in hearing what the Department of 
Homeland Security and the State Department are doing to ensure 
that the implementation of the Western Hemisphere travel 
initiative goes smoothly.
    And I would specifically to have you talk a little bit 
about what is happening or what you intend to happen at the 
security entry of travelers. We have SENTRI, we have NEXUS, we 
have FAST, which are all pre-enrollment programs, basically 
allowing expedited inspection in return for more information 
from the traveler.
    Now we have the passport initiative, and now I hear that 
the Department of Homeland Security may allow the TSA's 
registered traveler card to be used as an alternate document to 
the passport.
    So I want to know what impact all of these new initiatives, 
if any, will have on NEXIS, on SENTRI, on FAST. I have a lot of 
people in my area who have gone through extensive background 
checks, paid their money. I even know of some who have been 
denied because we have been looking at all of this. How is that 
going to affect the people who are already doing some of this?
    And, finally, with regards to the Visa Waiver Program, I 
think that the biometric passports are important and they are 
part of the solution, but I do not know that they are entirely 
the solution. I mean, first of all, what control do we have 
over an issuing country's vetting process for how it makes its 
passport decisions, for example? And perhaps an even greater 
concern is the fact that the Visa Waiver Program traveler can 
still get on a plane to the United States without first being 
checked against our watch list.
    So I think there are a lot of things here we need to get 
the details on, and there are some things we need to fix, Mr. 
Chairman, and I am looking forward to the testimony of our 
experts.
    Mr. Lungren. I thank the gentlelady.
    The Chair would now recognize the chairman of the full 
committee, the gentleman from California, Mr. Cox, for his 
statement.
    Mr. Cox. Thank you very much, Mr. Chairman. This is a very 
important hearing. I regret that we are in such a small room, 
because there is a long line of people outside who also want to 
be in here to observe these proceedings. So that is a 
testament, I think, to the importance of the topic that you put 
before the committee today.
    The impetus for today's hearing, of course, is the recent 
policy announcement by DHS, as you described, Mr. Chairman, 
regarding implementation of the biometric passports 
requirements in the Visa Waiver Program. But I hope that this 
hearing will quickly move us beyond this specific decision to a 
broader discussion of how our nation can, working with other 
countries around the world, develop a system that is fast, 
reliable and affordable, and protective of personal privacy 
that will instantly establish a genuine biometric link between 
individuals and documents in order to confirm traveler 
identity.
    At the same time, while we are making admirable progress in 
developing tamperproof IDs, we have got to focus renewed and 
redoubled attention on keeping official travel documents that 
are nicely tamperproof out of the hands of terrorists and other 
criminals. In this vein, we will discuss today the choice of 
facial recognition by the Department of Homeland Security in 
the form of a digitized photograph as the qualifying biometric 
for visa waiver country passports to meet the statutorily 
imposed deadline of October 26 of this year.
    I want first to begin by commending the Department of 
Homeland Security and the Department of State for exercising 
flexibility and good judgment and not insisting on a 
biometrically encoded chip for visa waiver country passports by 
this October, since doing so would have caused severe 
disruption to legitimate trade and travel with little security 
benefit in return.
    Now, I want to emphasize the importance of that connection. 
I think disrupting commercial activity if there is some 
security payback is at least worth discussing. But disrupting 
commercial activity without any appreciable security payback is 
not a wise decision.
    The digitized photograph requirement will, in the short 
term, provide some additional security benefits in terms of 
tamper resistance. But even when we move to encoding the 
digital photographs into the passport chip, as ultimately 
called for under the Department's policy and the biometric 
standards established by ICAO, we will still be relying on a 
Customs and Border Protection officer to perform a visual 
comparison of the person's digital photograph against the 
actual person presenting himself or herself at the port of 
entry.
    In other words, the use of digital photos on these visa 
waiver passports will only undergo a manual human verification 
of the passport holder's identity. It will not undergo a 
computerized check or any digital or authentically biometric 
check against either a database of photographs or a single 
photograph of the passport holder that was taken at the time of 
entry.
    So the biometric requirement under current law is, in 
essence, a tool to help reduce tampering and fraudulent 
alteration of passports. That in itself is of course useful. 
But as currently designed, this biometric encoding of passports 
simply will not help us to confirm travelers' identities 
through the use of technology, such as matching digitized 
photographs or, better yet, fingerprints stored in travel 
documents and national and international databases against 
those of the traveler seeking entry at our ports.
    We also need to focus on how terrorists can circumvent this 
biometric passport system through the use of false breeder 
documents, through the acquisition of lost and stolen passports 
or other ways and how we can make better use of all available 
information from our databases about known or suspected 
terrorists.
    In short, we need to clarify what the goal is that we are 
trying to achieve. Are we merely trying to verify that the 
person to whom the official travel document was issued is the 
same person who is using the document to gain entry into the 
United States or are we seeking to deploy a comprehensive 
border security system, which begins at the time the travel 
document is created and issued?
    I believe we should be moving toward an international 
system based on biometrics that screens people before they 
obtain travel documents so that we verify people are who they 
say they are and ensure that they are not suspected terrorists 
or criminals. The object, after all, is not to give terrorists 
or criminals tamperproof fake IDs.
    I am pleased to hear that the Department of Homeland 
Security recognizes that this biometric requirement for visa 
waiver country passports is a starting point and not the ending 
point of this important discussion on how to combat terrorist 
travel. Both these passports and our own U.S. passports will be 
equipped with computerized chips that are able to accommodate 
additional biometric identifiers such as fingerprints.
    I look forward to hearing from the Department of Homeland 
Security about its vision of border security through the use of 
biometric technology and how these passport requirements can 
ultimately be integrated with other programs aiming to achieve 
the same goal of ensuring secure and efficient travel, both 
within and across the U.S. borders, programs such as NEXIS, 
FAST, SENTRI, TWIC and Registered Traveler.
    I am also pleased the Department does not intend to change 
its policy that visa waiver travelers must enroll in US-VISIT 
when they arrive at U.S. ports of entry. This program affords 
us the opportunity to check travelers' fingerprints against 
available databases to help determine if the person has a 
terrorist connection or otherwise has violated U.S. criminal or 
immigration laws. If visa waiver passports were encoded with 
fingerprints, we would also be able to match with much greater 
precision the identity of the passport holder to the person to 
whom the travel document was originally issued. I hope we can 
explore this and other issues during today's hearing.
    I want again to thank our witnesses, I want to thank the 
chairman for scheduling this important hearing and the Ranking 
Member, and I of course yield back the balance of my time.

             Prepared Statement of the Hon. Christopher Cox

    Thank you, Chairman Lungren for holding this hearing today on the 
very important issue of combating terrorist travel through the use of 
biometrics. And I, too, would like to welcome and thank all of our 
witnesses for their testimony today.
    The impetus for today's hearing is, as Chairman Lungren described, 
the recent policy announcement by the Department of Homeland Security 
(DHS) regarding implementation of the biometric passport requirement 
for countries in the Visa Waiver Program--or VWP. But I hope that this 
hearing will quickly move us beyond this specific decision to a broader 
discussion of how our Nation can, working with other countries around 
the world, develop a truly secure system for confirming traveler 
identity and keeping official travel documents out of the hands of 
terrorists and other criminals.
    In this vein, we will discuss today the choice of DHS to use facial 
recognition, in the form of a digitized photograph, as the qualifying 
biometric identifier for VWP country passports to meet the statutorily 
imposed deadline of October 26, 2005. I want to first begin by 
commending the Department of Homeland Security and the Department of 
State for exercising flexibility and good judgment in not insisting on 
a biometrically-encoded chip for VWP country passports by this October, 
since doing so would have caused severe disruption to legitimate trade 
and travel--with little security benefit in return.
    The digitized photograph requirement will, in the short term, 
provide some additional security benefit in terms of tamper resistancy. 
But even when we move to encoding the digital photograph into the 
passport chip--as ultimately called for under the Department's policy 
and the biometric standard established by ICAO--we will still be 
relying on a CBP officer to perform a visual comparison of the person's 
digital photograph against the actual person presenting themselves at 
the port of entry. In other words, the use of digital photos VWP 
passports will only undergo a manual human verification of the passport 
holder's identity, but will not undergo a computerized check against 
either a data base of photographs or a single photograph of the 
passport holder taken at the time of entry.
    The biometric requirement under current law is, in essence, a tool 
to help reduce tampering and fraudulent alteration of passports. That 
is, in itself, important and useful. But as currently designed, this 
biometric encoding of passports will not help us confirm traveler's 
identities through the use of technology--such as matching digitized 
photographs or, better yet, fingerprints stored in travel documents and 
national and international databases against those of the traveler 
seeking entry at our port.
    We also need to focus on how terrorists can circumvent this 
biometric passport system through the use of false breeder document or 
through acquisition of lost and stolen passports, and how we can better 
make use of all available information from our databases about known or 
suspected terrorists.
    In short, we need to clarify what the goal is that we are trying to 
achieve: Are we merely trying to verify that the person to whom the 
official travel document was issued is the same person who is using the 
document to gain entry into the United States? Or are we seeking to 
deploy a comprehensive border security system, which begins at the time 
the travel document is created and issued? I believe that we should be 
moving towards an international system, based on biometrics, that 
screens people before they obtain travel documents, so that we verify 
people are who they say they are, and ensure that they are not 
suspected terrorists or criminals.
    I am pleased to hear that the Department of Homeland Security 
recognizes that this biometric requirement for VWP country passports is 
the starting point, and not the ending point, of this important 
discussion on how to combat terrorist travel. Both these passports and 
our own U.S. passports will be equipped with computerized ``chips'' 
that are able to accommodate additional biometric identifiers, such as 
fingerprints. I look forward to hearing from the Department of Homeland 
Security about its vision of border security through the use of 
biometric technology, and how these passport requirements can 
ultimately be integrated with other programs aiming to achieve the 
similar goal of ensuring secure and efficient travel both within and 
across U.S. borders--programs such as NEXUS, FAST, SENTRI, TWIC, and 
Registered Traveler.
    I also am pleased that the Department does not intend to change its 
policy that VWP travelers must enroll in US-VISIT when they arrive at 
U.S. ports of entry. This program affords us the opportunity to check 
travelers' fingerprints against available databases to help determine 
if the person has a terrorist connection, or otherwise has violated 
U.S. criminal or immigration laws. If VWP passports were encoded with 
fingerprints, we also would be able to match, with much greater 
precision, the identity of such passport holders to the person to whom 
the travel document was originally issued. I hope we can explore this 
and other issues during today's hearing.
    I again want to thank our witnesses and I yield back the balance of 
my time.

    Mr. Lungren. The Chair would now recognize the ranking 
member of the full committee, the gentleman from Mississippi, 
Mr. Thompson, for any statement he might make.
    Mr. Thompson. Thank you very much, Mr. Chairman and Ranking 
Member.
    I would like to also welcome our witnesses for this hearing 
today and associate myself with the chairman of the full 
committee's comments apologizing for the size of the room. I am 
sure we will work on that at some point.
    Mr. Lungren. We will. And I just might say we looked 
diligently to find a room that Mr. Dicks had never seen since 
he came with the building and we did find it.
    [Laughter.]
    Mr. Thompson. Thank you very much. I am pleased that the 
Department of Homeland Security is here to brief us on the 
status of the biometric passport requirements for the Visa 
Waiver Program.
    Congress has directed the Homeland Security Department to 
work with the State Department to ensure that visa waiver 
countries add biometric identifiers to their passport system. 
Last week, however, DHS announced that it would give the 27 
countries participating in the Visa Waiver Program another year 
to fully implement biometrics. I am concerned about this 
deadline extension and am hopeful that the witnesses today can 
explain in more detail why it was necessary.
    I ask this because in my experience when you keep pushing 
out deadlines, it is harder to be taken seriously. When I start 
to think about all the deadlines the Department has missed or 
moved, I feel like I am waiting for the cable guy to install my 
cable between the hours of noon and 5.
    [Laughter.]
    You do not know when he is coming, if he is coming or how 
many times you are going to have to call to get service. It is 
hard to tell when deadlines legitimately need to be extended 
and when the Department is just dropping the ball.
    I look forward to hearing any clarification as to how this 
extension may be different. At the same time, I understand that 
we need to make sure that we get biometric passports right.
    Last year, the DHS Inspector General issued a report that 
concluded that aliens applying for admission to the U.S. using 
stolen passports have little reason to fear being caught and 
are usually admitted into the country. This is simply 
unacceptable in the post-9/11 environment.
    There are a number of basic questions I look forward to 
having answered here today. Namely, on the resource side, do we 
have adequate infrastructure to implement a machine-readable 
biometric passport system?
    On the technology side, do we have a plan to make the 
various machines readable and biometric tools interoperable?
    On the privacy and security side, can we ensure that 
passengers' biometric information stored on a chip in a 
passport cannot be improperly scanned by terrorists or other 
criminals. There is enough identity theft issues we are dealing 
with these days in the U.S. The U.S. government should not be 
increasing the odds on this.
    On the big picture side, how much more security are we 
getting with the biometric passports if we are not checking 
passengers until they are already in flight to the U.S.?
    That is a real question, Mr. Chairman. It has been raised 
in a couple of statements by others, and I look forward to the 
answer, and I look forward to the testimony.
    Mr. Lungren. Thank you, Mr. Thompson.
    Other members of the committee are reminded that their 
statements may be submitted for the record.
    I ask unanimous consent that the gentlelady from the Virgin 
Islands, Dr. Christensen, who is not a member of this 
subcommittee but a member of the full committee, be able to 
participate in today's hearing, without objection.
    We are pleased to have two distinguished panels of 
witnesses before us today on this important topic.
    Let me just remind the witnesses that your entire written 
statement will appear in the record. We ask that due to the 
number of witnesses on our panels today, you strive to limit 
your oral testimony to no more than 5 minutes. We will also 
allow each panel to testify before questioning any of the 
witnesses.
    I would like to now call the first panel and recognize Ms. 
Elaine Dezenski, the Acting Assistant Secretary of the Border 
and Transportation Security Directorate for the Department of 
Homeland Security to testify.

STATEMENT OF ELAINE DEZENSKI, ACTING ASSISTANT SECRETARY OF THE 
                      BORDER AND TRANSPORT

    Ms. Dezenski. Thank you very much.
    Chairman Lungren, Ranking Member Sanchez, other 
distinguished members of the committee and subcommittee, I am 
very pleased to be here today to talk about the Visa Waiver 
Program biometric requirements and the broader vision within 
the Department for the use of biometrics.
    As you know, DHS is charged with the responsibility of 
securing our travel infrastructure and preserving the integrity 
of our borders. While at the same time, we need to keep the 
flow of legitimate travel and trade moving as efficiently as 
possible.
    In executing this mandate, we are always mindful to keep an 
appropriate balance between these two goals.
    Biometrics in particular play a critical role in managing 
this process. Within DHS, we are using biometrics to strengthen 
the integrity of travel documents, to verify identity as part 
of our entry and exit process and to assist with access, 
control and ID as part of our Transportation Worker Identity 
Program. These are but a few examples of how we are using 
biometrics.
    Today, I would like to talk just a bit more about our 
commitment to requiring biometrics in passports and 
specifically within the context of the VWP program.
    Last week, Secretary Chertoff announced a policy directive 
that clarifies the passport requirements for countries 
participating in the VWP. VWP allows for visa-free travel for 
citizens of 27 countries around the world. The policy ensures 
that the standards for biometric requirements, as set forth in 
the Enhanced Border Security Act of 2002, are clearly 
understood and adhered to by all countries in this program and 
that our security goals are met as quickly as possible.
    Under the policy, VWP countries will be required to adopt 
specific security and biometric standards. First, VWP travelers 
must be in possession of passports that are machine-readable. 
This requirement goes into full effect this coming Sunday, June 
26. A machine-readable strip on a passport is absolutely 
critical to ensuring that the biographic data in the passport 
can be confirmed as legitimate.
    The second requirement is the incorporation of a digital 
photograph into the data page of passports issued by VWP 
countries on or after October 26, 2005. Now, why is this 
important? It is important because a digital photo incorporated 
into the data page greatly reduces the likelihood of tampering 
with that photo.
    Our announcement last week also called on VWP countries to 
present a plan by October of this year outlining how they will 
produce what we refer to as the e-passport, one that contains 
an embedded, contactless, integrated circuit chip that stores 
both biographic information as well as biometric information, 
in this case which would be the digital photo. The chip allows 
us to electronically authenticate both biometric and biographic 
data associated with the travel document. VWP countries must 
achieve full implementation of these e-passport requirements no 
later than October of 2006.
    Now, in addition to these enhancements, we are also 
requiring VWP countries to help us tackle the important problem 
of lost and stolen passports. Many of these make their way to 
the black market and could end up in the hands of terrorists, 
and, certainly, this is something we need to stop.
    A condition of membership in VWP includes the reporting of 
lost and stolen passports to INTERPOL and to DHS no later than 
10 days after discovery. Most times it happens much sooner than 
that. Also, we are requiring countries to share with us any 
information they have on trends related to lost and stolen 
passports.
    One of the byproducts of the development of this e-passport 
policy is a unique international collaboration that continues 
to grow. Through ICAO, the International Civil Aviation 
Organization, we have been working with VWP countries over the 
last couple years to test and perfect technical requirements 
that will ultimately make it possible for e-passports to be 
interoperable with our readers at ports of entry.
    As Secretary Chertoff announced last week, we anticipate 
full deployment of our readers by October 2006, which is 
consistent with the full implementation of the e-passport 
requirements for VWP countries. As part of this development 
process, DHS will host a technical conference this summer with 
all VWP countries and ICAO to address technical and 
interoperability issues that remain.
    Beyond VWP, DHS is pursing biometrics on many fronts. One 
of the most important efforts is the expansion of the so-called 
Registered Traveler concept that I think was mentioned a bit 
earlier by the chairman. We believe there is significant 
opportunity to develop a RT-type card that could be used in 
multiple ports of entry and would serve in lieu of a passport 
at land borders where we are facing implementation of the 
Western Hemisphere travel requirements.
    We envision this card as being the same size as a driver's 
license, linked to a background check and with biometric 
capabilities, such as the contactless chip. I brought with me a 
sample of our Registered Traveler card which is currently being 
piloted in the U.S. It gives you an idea of what this card 
could look like and what we are already producing as part of 
that pilot.
    Again, thank you for the opportunity to be here today, and 
I look forward to addressing your questions on this important 
topic. Thank you.
    [The statement of Ms. Dezenski follows:]

                 Prepared Statement of Elaine Dezenski

    Chairman Lungren, Ranking Member Sanchez and other distinguished 
Members of the Subcommittee, it is a pleasure to appear before you 
today to discuss the approach that the Department of Homeland Security 
(DHS) is taking in our efforts to improve the security of the United 
States by the use of biometrics in travel documents.
    DHS is committed to secure travel and our recent decision to 
clarify the deadline for Visa Waiver Program (VWP) countries to produce 
``e-passports'' is emblematic of how the Department and the State 
Department (DOS) are working to keep our borders safe but open for 
legitimate travelers.
    Programs such as the VWP advance our shared goals of protecting 
travel and preserving the integrity of our borders--while stopping 
terrorists and those who mean us harm. DHS is committed to continuing 
the VWP while strengthening it by closing down vulnerabilities such as 
fraudulent passport use. One means to do this is through the 
requirement that biometric information be incorporated into travel 
documents.
    Biometrics are the way forward in enhancing security by helping us 
to deprive potential terrorists of a tool they use to threaten our 
country and other countries around the world: the ability to cross our 
borders using false documents and violate our immigration laws without 
detection. Biometric identifiers protect our visitors by making it 
extremely difficult for anyone else to assume their identities should 
their travel documents be stolen or duplicated. The use of biometric 
identifiers gives governments an increased security capability and a 
foundation it can build on over time. Properly used, biometrics have 
been shown to be highly effective in verifying identity.
    The U.S. Congress mandated in the Enhanced Border Security and Visa 
Entry Reform Act of 2002, as amended, that any passport issued on or 
after October 26, 2005, and used for VWP travel to the United States, 
must incorporate biometric identifiers that meet internationally 
accepted standards established by ICAO. The Administration's recently 
announced policy furthers the intent of the statute by providing for 
the adoption of biometrics and strengthening the overall management of 
this important program.
    More specifically, we, in consultation with Congress and the 
Department of State, have established policy that requires VWP 
countries to begin producing machine-readable passports with digital 
photographs on the passport's data page by October 26, 2005. Digital 
photographs provide more security against counterfeiting than 
traditional photographs. Digital photos can be electronically stored 
and accessed, making it easier to verify whether the individual 
currently presenting the passport is the same person to whom the 
passport was issued. In addition, DHS has established a policy 
requiring all VWP countries to produce passports with an integrated 
circuit chip, known as ``e-passports,'' capable of storing biographic 
information from the data page of a passport, a digitized photograph, 
and other biometric information no later than October 26, 2006. This 
information will allow us to achieve a new level of identity 
authentication.
    The effect of this policy is that VWP countries will be required to 
issue passports that have at a minimum a digital photo by this October 
and that a VWP traveler to the United States must present a machine-
readable passport which includes a digital photograph to enter the 
United States. These requirements apply only to passports issued on or 
after October 26, 2005. Valid passports issued before October 26, 2005, 
will still be valid for travel under the VWP, provided that they are 
machine-readable. We believe the vast majority of the VWP nations will 
be in compliance with the digital photo requirement by October.
    The Department recognizes that some countries are very close or 
have even launched their production of ``e-passports. Obviously, those 
countries will also be in compliance with the upcoming deadline. In 
order to facilitate compliance with e-passport requirements, we will 
work with each country on a bi-lateral basis with regard to biometrics 
as well as other security provisions required of VWP countries. 
Further, DHS will create a validation process for VWP countries to test 
their biometric passports prior to issuance. In support of this effort, 
DHS will host a technical conference this summer to address 
interoperability issues with reader technology and with U.S. passport 
technology. DOS is leading the U.S. effort in production of e-passport 
for our own citizens.
    In further steps forward on ``e-passports,'' DHS and DOS are 
conducting a ``live test'' with the governments of Australia and New 
Zealand. The ``live test'' began last week at Los Angeles International 
Airport and at the Sydney Airport in Australia, and will continue 
throughout the summer. Airline crew and officials from United Airlines, 
Air New Zealand and Qantas Airlines have volunteered to use the e-
passport when arriving at either airport. Their participation will 
enable DHS to further test operations, equipment and software needed to 
read and verify the information contained in an e-passport.
    Finally, VWP countries will be held to several measures concerning 
lost and stolen passports such as--reporting all lost and stolen 
passports to INTERPOL and DHS, as quickly as possible; sharing 
information on trends and analysis of lost and stolen passports; and 
providing detailed information on passport security features.
    The progress made toward the ``e-passport'' is a milestone in our 
global path to secure and streamlined travel for VWP nationals. We 
appreciate the cooperation of our international partners and the effort 
they have put forth in this very serious matter.
    Mr. Chairman and Members of the Subcommittee, I want to thank you 
for the opportunity to present this testimony today. I would be pleased 
to respond to any questions that you might have at this time.

    Mr. Lungren. Thank you, Ms. Dezenski.
    The Chair would now recognize Mr. Frank Moss, Deputy 
Assistant Secretary of Consular Affairs for the Department of 
State, for his testimony.

STATEMENT OF FRANK MOSS, DEPUTY ASSISTANT SECURITY OF CONSULAR 
                  AFFAIRS, DEPARTMENT OF STATE

    Mr. Moss. Good morning, Chairman Cox, Chairman Lungren, 
Ranking Member Sanchez, distinguished members of the committee.
    Good morning. I am pleased to be here today to discuss the 
efforts of the Department of State to introduce biometric 
elements into the U.S. passport, arguably the most valuable 
identity and citizenship document in the world. Without 
question, biometrics will strengthen U.S. border security by 
ensuring that the person carrying a U.S. passport is the person 
to whom the passport was issued.
    The United States adopted the facial image as the first 
generation of passport biometric identifiers. Our new passport 
includes a contactless chip in the rear cover that will contain 
the same data as that found on the biographic data page, 
including a digital image of the photograph. Looking to the 
future, we decided to require 64 kilobytes of writable memory 
on the contactless chip in the event that we subsequently 
decide to include additional biometrics. Should we decide to 
change the biometric requirements, we will, of course, vet this 
change through the Federal Register process.
    We are aware of concerns that data written to the 
contactless chip may be susceptible to unauthorized reading. 
Several members of the subcommittee have mentioned that this 
morning. To help reduce this risk, we will include anti-
skimming materials that prevent the chip from being read when 
the passport is closed or mostly closed. We are also engaged 
with technical experts in the private sector and our colleagues 
from the National Institute of Standards and Technology, both 
to assess the risk of unauthorized reading, and to evaluate the 
efficacy of our countermeasures.
    Finally, we are seriously considering adopting a technical 
process called Basic Access Control, to strengthen further the 
defenses of the U.S. passport against unauthorized reading.
    The bottom line is that the State Department will not issue 
biometric passports to the general public until we have 
successfully addressed these concerns.
    In addition to biometrics, two other aspects of the 
Department of State's passport program enhance U.S. national 
security: The adjudication process itself and the security 
features of the passport. By making certain that U.S. passports 
are only issued to American citizens, that they are more 
difficult to counterfeit, and that the bearer of the passport 
is the same person to whom the passport was issued, we are 
actively enhancing the security of this nation.
    Increased information sharing is one of the most effective 
ways of securing the adjudication process. We have long-
standing and effective data share programs with federal law 
enforcement agencies that target passport applicants of 
particular concern. Currently, there are nearly 50,000 names of 
fugitives or other individuals of interest to law enforcement 
in the passport lookout system. We are working to add to our 
lookout system an extract of FBI fugitive warrants from the 
NCIC wanted persons file.
    We also have an agreement with INTERPOL that allows us to 
share information about approximately 620,000 lost and stolen 
U.S. passport with INTERPOL member states. We have also 
implemented a cooperative relationship with the National 
Counterterrorism Center, NCTC, to provide that agency with 
direct online access to our database that includes images of 
the passport application for all valid passports. And we will 
also sign in the very near future an agreement with the 
Terrorist Screening Center that will add to our database 
information on American citizens who may have a nexus to 
terrorism.
    We have also undertaken a comprehensive review of our fraud 
prevention efforts to strengthen that aspect of the 
adjudication process. We have implemented a number of 
initiatives, including organizational improvements, enhanced 
training, regulatory changes, new tools and new programmatic 
activities with domestic and international partners.
    We enjoy excellent cooperation and support from the Bureau 
of Diplomatic Security at the Department of State, which has 
the responsibility for criminal investigations involving 
passport fraud, and our focus on fraud prevention is already 
paying dividends. So far in fiscal year 2005, Diplomatic 
Security has opened over 2,400 passport investigations and made 
nearly 400 arrests, a significant increase over prior years.
    We have recently completed the first cover-to-cover 
redesign of the United States passport in more than a decade in 
order to combat counterfeiting or the fraudulent use of lost or 
stolen passports. The passport includes a host of advance 
security features, including sophisticated new artwork, 
printing techniques used in the current generation of U.S. 
currency, and utilizing a variety of other techniques, many of 
which are visible only under ultraviolet light.
    I am happy to share with members of the committee samples 
of the new passport, and my written testimony includes 
additional elements about the enhanced technology we used to 
create it.
    To put the scope of our efforts in context, during the last 
fiscal year, the Department of State processed a record-setting 
8.8 million U.S. passport applications. Passport demand 
continues to rise and we are track to adjudicate more than 10 
million passports by the end of this fiscal year.
    Taking into account recent legislation concerning the 
documentary requirements for travel within the Western 
Hemisphere, we anticipate that passport applications will total 
about 12 million in fiscal year 2006. Projections beyond that 
date are admittedly less precise, but we are currently planning 
that U.S. passport demand will reach about 14 million in fiscal 
year 2007 and an estimated 17 million by 2008.
    Security must always be our first priority, but we must 
also recognize our responsibility to adjudicate passport 
applications in a timely and efficient manner to facilitate the 
travel of U.S. citizens. The free movement of people and goods 
is essential to U.S. national security, as is our international 
engagements through personal, commercial, educational and 
research activities with other nations.
    Mr. Chairman, integrating biometrics into U.S. passports 
will further protect the integrity of the world's most 
respected travel document. Together with our improvements to 
the adjudication process and the physical security of the 
passport itself, the Department's comprehensive passport 
program serves to enhance U.S. border security.
    At this time, I am happy to answer your questions. Thank 
you very much.
    [The statement of Mr. Moss follows:]

                  Prepared Statement of Frank E. Moss

    Chairman Lungren, Ranking Member Sanchez, Distinguished Members of 
the Subcommittee:
    I am pleased to have this opportunity to discuss with you the 
progress that the Department of State has made in introducing biometric 
elements to the U.S. passport. This innovation represents a significant 
enhancement to the security of our borders and international travel. In 
addition to the inclusion of biometrics in U.S. passports, two other 
aspects of the Department of State's passport program are critical to 
enhancing U.S. national security: the adjudication process, and the 
security features of the passport itself. Taken together, these 
elements constitute a comprehensive approach to passport security. By 
making sure that U.S. passports are only issued to American citizens, 
that they are more difficult to counterfeit and that the bearer of the 
passport is the same person to whom the passport was issued, the 
Department of State actively enhances the security of this nation.
    Today I would like to describe the many ways that the Department of 
State demonstrates its commitment to the important responsibility for 
providing passport services. The U.S. passport is arguably the most 
valuable identity and citizenship document in the world. We at the 
Department of State are certainly aware of how sought after this 
document is, not only by American citizens with legitimate travel plans 
but by illegal immigrants, as well as terrorists and others who would 
do this nation harm. As portable proof of identity and nationality, the 
U.S. passport literally opens doors around the world to American 
citizens who travel or reside abroad or may require assistance from an 
American Embassy or Consulate. The U.S. passport is also essential for 
many American citizens to enter the United States upon returning from 
international travel.
    During the last fiscal year the Department of State processed 8.8 
million U.S. passport applications. This set a record, exceeding the 
total from the previous year by more than one million applications and 
representing a workload increase of some 22 percent. This year, the 
Department of State forecast a 9 percent increase in passport demand, 
but is experiencing a 14 percent rise. As of today, the Department has 
already processed close to 7 million passport applications during this 
fiscal year and we are on track to adjudicate more than 10 million 
passports by the end of fiscal year 2005.
    The Intelligence Reform and Terrorism Prevention Act of 2004 also 
contains a provision addressing the documentary requirements for travel 
within the Western Hemisphere, referred to as the Western Hemisphere 
Travel Initiative (WHTI). The legislation requires that the Secretary 
of Homeland Security, in consultation with the Secretary of State, 
develop and implement by January 1, 2008 a plan to require U.S. 
citizens and non-U.S. citizens currently exempt from presenting a 
passport for travel within the Western Hemisphere to present a passport 
or other authorized documentation that denotes identity and citizenship 
when entering the United States. The Department of State, after 
analyzing the scope of WHTI and other projected growth in passport 
demand, expects that applications for passports will total about 12 
million in FY-2006, about 14 million in FY-2007 and reach a potentially 
sustainable annual demand of 17 million by FY-2008.
    As the Department of State develops plans to address the increase 
in demand for U.S. passports resulting from normal growth in 
international travel and the WHTI, we are dedicated to ensuring that 
security vulnerabilities are not inadvertently created by our efforts 
to address the increase in workload. While keeping security imperatives 
in mind, the Department of State also recognizes its responsibility to 
adjudicate passport applications in a timely and efficient manner to 
facilitate the travel of U.S. citizens. The free movement of people and 
goods is essential to U.S. national security, as is our international 
engagement through personal, commercial, educational and research 
activities with other nations. We are actively pursuing initiatives to 
improve the U.S. passport program designed to support both of these 
objectives.

Strengthening the Adjudicatory Process
    A key objective of the Department of State's Office of Passport 
Services in the Bureau of Consular Affairs is to ensure that U.S. 
passports are issued only to persons who are legitimately entitled to 
them. This is particularly important in an era when terrorists, 
transnational criminals and others seeking to enter the U.S. illegally 
view travel documents as valuable tools, and when improvements to the 
physical security of the U.S. passport, such as the use of a digital 
photograph of the bearer, make it increasingly difficult to 
counterfeit.
    One of the most effective ways to ensure that only those entitled 
to U.S. citizenship receive a passport is increased information 
sharing, both within the United States Government and beyond. The 
Department of State has actively worked to establish data exchange 
programs with other agencies in a manner that is mutually beneficial 
and that will keep U.S. passports out of the hands of those who are not 
eligible to receive them. For example, the Department has a partnership 
with the Department of Health and Human Services (HHS) that ensures 
that parents with child support arrearages, who are ineligible to 
receive passports, do not receive them. The incorporation of over 3 
million names in the HHS database into the Department's passport 
lookout system has also resulted in the recovery of more than $50 
million in delinquent child support.
    In April 2004, the Department signed a memorandum of understanding 
with the Social Security Administration (SSA) that would permit the 
Department to verify the SSNs of U.S. passport applicants with 
information in SSA's SSN database. This measure provides another 
verification tool for passport specialists and consular officials 
adjudicating passport applications by allowing them to correlate the 
data provided by a passport applicant with information in SSA's system 
and use this information to support decisions about an applicant's 
identity.
    The Department has a long-standing and effective working 
relationship with federal law enforcement agencies that targets 
passport applicants of particular concern. Today, we have nearly 50,000 
names of fugitives or other individuals of interest to law enforcement 
in the passport lookout system. Half of these were entered individually 
as a result of our outreach efforts. The other half of these entries 
are based on U.S. Marshals Service (USMS) federal fugitive warrants, a 
process that the Department took the initiative to obtain.
    To complement the USMS information, work is well underway to add to 
the passport lookout system an extract of FBI fugitive warrants from 
the NCIC Wanted Person File. To encourage information exchange with law 
enforcement officials at the state and local levels, the Assistant 
Secretary of State for Consular Affairs wrote to all the states' 
attorneys general.
    In 2004, the Department reached an agreement with INTERPOL to 
provide the Department's lost and stolen passport database to the U.S. 
National Central Bureau (NCB). The NCB shares the data with INTERPOL, 
which in turn makes this information available to all INTERPOL member 
states. The U.S. lost and stolen passport database currently contains 
the passport numbers of over 620,000 passports.
    The Department's Office of Passport Services is also currently 
working on an agreement with the Terrorist Screening Center that would 
provide information on American citizens who are either subject to a 
federal felony arrest warrant or who are considered persons of concern 
due to a nexus to terrorism or an ongoing investigation. This datashare 
program will enable the Terrorist Screening Center to learn of the 
passport application of an individual of interest and, under 
appropriate circumstances, take law enforcement action.
    In addition, the Department's Bureau of Consular Affairs has 
implemented a cooperative relationship with the National Counter 
Terrorism Center (NCTC) to provide that organization with direct online 
access to the Passport Records Imaging System Management (PRISM). This 
database includes images of the passport applications for all valid 
passports. The NCTC utilizes this information as a verification tool to 
support its terrorist watch list responsibilities.
    Another important element in safeguarding the adjudicatory process 
is maintaining an aggressive fraud prevention program. In that regard, 
the Department of State has undertaken a comprehensive review of its 
fraud prevention efforts and implemented a number of initiatives, 
including organizational improvements, enhanced training, regulatory 
changes, new tools, and new programmatic activities with domestic and 
international partners. All senior passport specialists now rotate 
through the fraud prevention office at domestic passport facilities to 
give them specialized experience in fraud detection. Regulatory changes 
have been implemented, for example, to require that both parents 
consent to the issuance of a passport for a child, and to require the 
presence of children under the age of 14 when passport applications are 
executed on their behalf, in order to combat fraud and international 
parental child abduction. We are making greater use, with the 
appropriate respect for privacy concerns, of commercial databases to 
assure that persons applying for passports are who they claim to be.
    The focus on fraud prevention is already paying dividends. 
Statistics for this fiscal year show an increase in referrals to fraud 
prevention offices, as well as an increase in the referral of 
presumptive fraud cases to the Department's Bureau of Diplomatic 
Security (DS) for further investigation. The Bureau of Consular Affairs 
enjoys excellent cooperation and support from DS, which has the 
responsibility for criminal investigations involving passport fraud. 
The statistics about the efficacy of joint Consular Affairs-Diplomatic 
Security efforts are compelling: so far in fiscal year 2005, DS opened 
2401 passport investigations and made 375 arrests, a significant 
increase over previous years.

Redesigning the Passport
    Efforts to strengthen the adjudication process and augment fraud 
prevention efforts would be less effective if we did not attend to the 
other key elements of passport security with equal fervor. Turning to 
the passport itself, the Department recently completed the first cover-
to-cover redesign of the document in more than a decade. The new 
passport includes a host of new security features, including 
sophisticated new artwork, adopting printing techniques used in the 
current generation of U.S. currency, and utilizing a variety of other 
techniques, many of which are only visible under ultraviolet light.
    Our objective in designing the new passport is to raise further the 
bar against counterfeiting or the fraudulent use of lost or stolen 
passports. Advances including color shifting ink, microprinting, latent 
image lettering and a security laminate over the biographic data page 
that includes optical variations, all serve to deter counterfeiters and 
forgers. The biographic data page has been relocated from the inside of 
the front cover to the first inside page for added security. The 
inventory control number for each book is now the same as the passport 
number. Imagery on the inside pages of the passport incorporates more 
colors, stylized depictions of iconic American scenes, and includes 
famous quotations from American history. The new passport, combined 
with security enhancements in the adjudication process, helps to ensure 
that only qualified applicants receive U.S. passports.
    I am happy to share with the members of the Subcommittee samples of 
the new passport.
    Beyond the physical content of the book itself, we scrutinize each 
step in the production and delivery process to eliminate 
vulnerabilities. In addition to improving the quality of the U.S. 
passport, the Department of State, building on an already excellent 
collaboration with the Government Printing Office (GPO), is working to 
secure further the delivery of blank passport books to domestic 
passport facilities by engaging armored truck service. This mode of 
delivery service is used by the Department of Treasury to move currency 
and other valuable documents around the country.

Biometrics
    This next generation of U.S. passport, the e-passport, includes 
biometric technology that will further support the Department's border 
security goals. Without question, biometrics will strengthen U.S. 
border security by ensuring that the person carrying a U.S. passport is 
the person to whom the Department of State issued that passport.
    Consistent with globally interoperable biometric specifications 
adopted by the International Civil Aviation Organization (ICAO) in May 
2003, the United States has adopted the facial image as the first 
generation of biometric identifiers. The new U.S. passport includes a 
contactless chip in the rear cover of the passport that will contain 
the same data as that found on the biographic data page of the 
passport, including a digital image of the bearer's photograph. This 
data includes the following information about the bearer: the 
photograph, the name, the date and place of birth, as well as the 
passport number and the date of issuance and expiration. Looking to the 
future, the Department decided to require 64 KB of writeable memory on 
the contactless chip in the event that we subsequently decide to 
introduce additional biometrics. Should the United States Government 
decide to change the biometric requirements, this change will be 
subject to vetting through the Federal Register process.
    On June 15, the Department, partnering with the Department of 
Homeland Security and in collaboration with Australia and New Zealand, 
launched an operational field test to measure the overall performance 
of the e-passport, issuing approximately 250 U.S. e-passports to select 
airline personnel employed by United Air Lines and who fly from Los 
Angeles to Australia and New Zealand. The Department of Homeland 
Security has developed separate lanes and installed e-passport readers 
to test their efficiency. Later this year we will expand this pilot 
program to include diplomatic and official passports, with national 
deployment of the e-passport scheduled for 2006.
    The Department of State is well aware of concerns that data written 
to the contactless chip in the e-passport may be susceptible to 
unauthorized reading. To help reduce this risk, anti-skimming materials 
that prevent the chip from being read when the passport book is closed 
or mostly closed will be placed in the passport.
    The Department is also seriously considering the adoption of Basic 
Access Control (BAC) technology to further strengthen the privacy of 
the data contained on the chip. ICAO recently identified BAC technology 
as a ``best practice'' for passport security. BAC technology will 
prevent the chip from being read until the passport is opened and its 
machine-readable zone is read electronically. This will serve to 
``unlock'' the chip and permit the chip and reader to communicate 
through an encrypted session. We are engaged with technical experts 
from the private sector and the National Institute of Standards and 
Technology both to assess the risk of unauthorized reading and to 
evaluate the efficacy of countermeasures. The bottom line is that we 
will not issue biometric passports to the general public until we have 
successfully addressed these concerns.
    The Department is confident that the new e-passport, including 
biometrics and other improvements, will take security and travel 
facilitation to a new level. Naturally, the Department will test 
comprehensively the operation and durability of the e-passport and work 
to resolve any issues as they occur. In fact, the Department of State 
is engaged in a continuous product improvement effort with regard to 
the U.S. passport. We will continue to monitor technical developments 
and help conduct research to ensure that we produce a passport that is 
highly secure, tamper resistant and globally interoperable.
    Mr. Chairman, I am grateful for the opportunity today to share with 
you the Department of State's comprehensive approach to enhancing U.S. 
border security by augmenting the security of all aspects of the U.S. 
passport program. The introduction of biometrics is an important 
advance in continuing to protect the integrity of the world's most 
respected travel document. At this time I am happy to answer any 
questions you, the Ranking Member and the other distinguished members 
of the Subcommittee might have about the Department's biometric 
passport program or the other facets of the U.S. passport program that 
I have discussed.

    Mr. Lungren. Thank you both for your testimony, and I will 
recognize myself for 5 minutes to begin the questions.
    Mr. Moss, what was the number you gave of lost and stolen 
U.S. passports?
    Mr. Moss. We have provided INTERPOL information on about 
620,000 lost U.S. or stolen passports. This is several years' 
worth of data, and that has to be compared, I would suggest, to 
the fact that we have roughly 63 million U.S. passports in 
circulation.
    Mr. Lungren. I guess I should know this but I do not. Is 
there any legal obligation on the bearer of the passport to 
report within a period of time if it is stolen or lost?
    Mr. Moss. There is no legal obligation. When we find out 
that most people have reported their passport stolen, it is 
either they realize it and tell us promptly or they go to use 
it, realize it is lost and then come to us. The other aspect, 
of course, is that people do lose their passports while 
traveling abroad, and we have processes to replace those rather 
quickly.
    Mr. Lungren. Do we have any estimate of how many are stolen 
or lost that we do not know about? I mean, is there any idea, 
estimate or study?
    Mr. Moss. I think we are dealing with one of the 
intangibles, what we do not know, we do not know.
    Mr. Lungren. Right.
    Mr. Moss. I would not even want to hazard a guess, really, 
sir.
    Mr. Lungren. Given that the fingerprint technology and 
fingerprint databases are much more readily available, that 
they are the cornerstone of our main border screening system, 
the US-VISIT Program, and that many other countries have that 
biometric, can each of you describe why the U.S. and ICAO chose 
facial recognition rather than fingerprint as the biometric 
standard for official travel documents?
    Ms. Dezenski. Sure. There are a couple key reasons. The 
first is that from a cultural and even from somewhat of a 
political perspective, the facial image is something that most 
people do not have privacy concerns over. It is much easier to 
obtain across the board when we are looking at documents like 
passports and visas.
    But it is important to keep in mind that even though the 
passport may not have fingerprints, we are using fingerprints 
as part of the enrollment process for both US-VISIT and of 
course to obtain a visa. So there is a visa biometric that 
involves fingerprints and utilizes those databases in the 
process of admitting foreigners to the U.S.
    Mr. Lungren. But the fingerprints are not part of the 
passport document itself.
    Ms. Dezenski. That is correct.
    Mr. Lungren. And you suggest that that is, I do not want to 
put words in your mouth, but my understanding of what you just 
said is that it is culturally difficult or politically 
difficult for us to get acceptance of fingerprints. Yet 9/11 
changed the world.
    And if we are serious about the terrorist threat, it seems 
to me we ought to be moving in the direction of that biometric 
which is going to most protect us. Perhaps what we ought to be 
doing is explaining that this is a superior biometric to at 
least any other that I am aware of, both because of the 
accuracy with which it conveys information and the universality 
of fingerprints as the identifier for various databases, 
particularly those that would, I assume, be the basis for watch 
lists of all sorts.
    How do both of you, or your departments, view the essential 
difference in degree of efficacy in the facial recognition 
versus the fingerprint identification?
    Ms. Dezenski. We do think there is value in the use of the 
digital image. I think it is important to put into context that 
when we talk about the biometrics features of the passport, it 
is going to an ICAO requirement or an ICAO recommended process, 
if you will, which has gone through a process via the 
international community. So there was actually a tremendous 
amount of discussion about what could be adopted in the short 
term, what would be the most efficient and what would allow us 
to get to the standard with the biometrics that many countries 
could work with.
    I think I would again emphasize that when it comes to our 
own processes, US-VISIT, for example, we are in fact using the 
biometric fingerprint process, and we feel that that is very 
important to ensure that we can check against relevant 
databases. The use of the biometric digital image in the 
passport, as part of the data page, which is what I defined as 
one of the requirements in the VWP Program, is, first and 
foremost, about being able to detect tampering with that 
document. If the digital photo is part of the data page, which 
is in fact our requirement, it is much more difficult to carve 
out that picture, affix a new picture, or otherwise tamper with 
the document.
    Ms. Lofgren. So goes the tamperproof nature of the document 
as opposed to me really knowing whether the person in front of 
me is the person he or she says he or she is.
    Ms. Dezenski. Well, that is the first point. The second 
point is that we need to link up that digital photo to the 
integrated circuit chip. Through the integrated circuit chip, 
we are actually able to write that biometric information within 
the passport along with the biograph data in the cover page, on 
data pages of the passport, and we can do a check to ensure 
that the person standing in front of us is in fact the same 
person whose image is coming up now on the screen in front of 
the inspector.
    So there is that link, and we do think that that gives us 
an added layer of security.
    Mr. Lungren. I have got a lot more questions, but my time 
is expired.
    The gentlelady is recognized.
    Ms. Sanchez. Thanks, Mr. Chairman, although you are the 
chairman, so if you--
    Mr. Lungren. We are going to have a lot questions here.
    Ms. Sanchez. We all have a lot of questions.
    I am looking at the passport you are passing around. Do you 
have chips in these or are we just pretending?
    Mr. Moss. No, Congresswoman, those passports have a chip 
embedded in the rear cover, and in fact the data that has been 
written to the data page has been copied to that chip. The chip 
is very small. Look at the passport you are holding, and turn 
to the passport's to the rear cover, it is in the upper left--I 
have got to think my own geography here--it is in the upper 
left corner.
    It is very, very small. It is approximately an eighth of an 
inch, [perhaps an eighth of an inch] square plus the antenna. 
It is designed to be small even though it contains a great deal 
of data so that it is not obvious to the individual.
    Ms. Sanchez. Okay. We just wondered.
    Mr. Lungren. Now it is.
    [Laughter.]
    Mr. Moss. Sir, we are not making it secret. We just do not 
want it to be bulging out of the back, if you would.
    Ms. Sanchez. That technology, do you think it will last for 
the 10 years of the issuance of the passport? Because, I mean, 
my passport goes in the back of my jeans, through the washing 
machine and God knows what else.
    Mr. Moss. I guess the first point I would make is that 
passports and water do not mix well, nor do electronic 
passports, water and chips mix well. The point, though, about 
overall durability, is that we have actually contacted with our 
colleagues at the National Institute of Standards and 
Technology to do extensive testing on the new passport, 
including looking at the issue of chip durability. That is one 
of the key factors as we assess proposals from vendors. We are 
certainly looking for a 10-year chip and the industry assures 
us that the chips will last for 10 years. We believe in ``trust 
but verify''. That is why we have hired NIST to help us do 
that.
    Ms. Sanchez. I have several other questions. The last one I 
have for you is these 600,000 passports that are missing in 
action. Are those invalidated? Do we keep a list? Can I come 
use my--
    Mr. Moss. We have actually changed our regulatory practice 
so that once you report a passport as being lost or stolen, it 
is invalid for international travel. We report it to INTERPOL, 
we share that data with our colleagues at the Department of 
Homeland Security, and I strongly urge anyone who loses a 
passport and then finds it and has reported it to the State 
Department, not to travel on it. It may not be a pleasant 
experience.
    But, yes, it is an invalid travel document.
    Ms. Sanchez. And to the Department of Homeland Security, 
this subcommittee has held on the Registered Traveler Program, 
and the estimate from the Department put the potential 
membership in that program might be up to 4 million United 
States travelers. TSA has yet to decide whether it is going to 
continue the program or what it is really going to look like. 
We just spent some time with them these past 2 weeks.
    However, it is my understanding that the Department is 
considering using the biometric registered travel card as an 
alternative to passports required under the Western Hemisphere 
travel initiative; is that correct?
    Ms. Dezenski. No. Actually, that is not the case. We are 
looking at a RT-type concept as part of the solution to meet 
the Western Hemisphere travel requirements, but we have not 
made a decision that the current RT pilot programs and the card 
that we are issuing as part of those pilot programs would be an 
acceptable form of identification and citizenship validation to 
meet the Western Hemisphere requirements. So I think we just 
need to make that distinction here.
    We think there are opportunities to take the RT-type 
concept and expand it to a border management process.
    And, Ranking Member Sanchez, you mentioned the SENTRI 
Program, the NEXUS Program and other programs that we have 
already that serve somewhat in that capacity, and it is our 
goal to take those programs and combine them as part of a 
global enrollment system within the Department.
    We want to get a handle on all of our registered travel 
type programs and link them into a system that is much more 
uniform and that allows for much more consistency in terms of 
background checks and requirements and what the card would look 
like and all those details that are associated with these type 
of programs.
    So when I mentioned that the Registered Traveler-type 
concept might be applicable, that is the vision that we have.
    Ms. Sanchez. So you are talking to the other pieces of the 
Department to make sure that as they are going along on theirs 
you might have interoperability between everything?
    Ms. Dezenski. Absolutely. And that is already happening. We 
have a tremendous amount of activity within the Department 
mainly involving US-VISIT, Customs and Border Protection and 
TSA. Those are the three entities that have some piece of the 
Registered Traveler issue, if you will, and we are already 
looking at those issues of interoperability.
    Ms. Sanchez. And then I have a question for both of you. 
How many places does the State Department currently issue 
passports? And how many places does DHS currently issue NEXUS, 
FAST, SENTRI cards, et cetera?
    Mr. Moss. The State Department has over 7,000 passport 
acceptance facilities around the United States. I should make 
it clear: They are not our offices but they are post offices, 
they are clerks of court, offices like this where people can 
apply for a U.S. passport. We also have 16, soon to be 17, 
passport agencies that handle essentially walk-in traffic. But 
the big issue is, we do have these 7,000 agencies. I can 
actually share with you a list of those in California. I think 
there are over 600 in California alone.
    Mr. Lungren. The gentleman from California, Mr. Cox, is 
recognized for 5 minutes.
    Mr. Cox. I want to thank you very much, both of you, for 
your testimony.
    We have been passing around up here on the dais some of the 
sample passports and this Registered Traveler pilot program 
card, which is also embedded with a chip. And I am struck in 
the case of the passports in this card and virtually everything 
else that we have been discussing here this morning with the, 
in my view, misuse of the term, ``biometric,'' to describe a 
photograph.
    In my view, biometric must include some measurement, that 
is the whole point. But the way that we are using the digital 
photograph, at least in the near term, is simply to have a 
human being, a government employee look at the picture, 
visually inspect the person who is presenting themselves and 
try and match the individual with the photograph. That is not a 
biometric identification, in my view. This is really no 
different than the Matthew Brady technology of the U.S. civil 
war. It is a picture, that is all it is.
    The chip, which may serve to frighten people across the 
country concerned about privacy, is really nothing more than 
information that could be written out inside the passport. It 
is data, which is information about the individual, place of 
birth, presumably, a whole lot of other things that you might 
seek to include, but there is no mysticism to it. It could be 
written out and enhanced as well as put on this chip.
    So talking about it as a biometric, we are talking about 
the length between the chip and the picture in a computer. I 
think masks the fact that there is no biometric identifier that 
is being used to connect the person to the document. We have to 
remember why we are here and what the point of all of this is, 
because it is supposed to be security. The purpose is to 
connect intelligence about terrorists to terrorist travel. So 
if a known terrorist were traveling under an unknown alias, we 
want to be able to stop him anyway.
    I am very concerned, Ms. Dezenski, about what you said, it 
is the first time I have heard the U.S. government say this in 
an official forum about fingerprints, that somehow facial 
recognition technology, which measures the bridge of my nose, 
the distance between my irises or an iris scan, which I have 
already subjected myself to as part of the Registered Traveler 
Program, is somehow less intrusive than getting a fingerprint.
    I do not think the U.S. government has any information that 
establishes that, that people believe that it is more intrusive 
to take a fingerprint than these other kinds of biometric 
measurements. But if you have data to support what you said, I 
would certainly like to know about it. Can you tell me what you 
are relying upon to make that statement?
    Ms. Dezenski. Certainly. The comments that I made earlier 
reflected the outcome of the ICAO process. As I mentioned, we 
have been working very closely with visa waiver countries and 
with ICAO to move toward the adoption of biometric 
requirements. And although I was not part of those discussions 
with ICAO, it is my understanding that in the process of this 
international collaboration, the decision was made that a 
biometric digitized photo would in fact meet the requirement of 
a biometric within the travel document and that that was the 
preferred biometric.
    Mr. Cox. That I understand, but you made a different 
statement which is that in your view there is cultural 
resistance to the use of a fingerprint as a biometric. What is 
the basis for stating that?
    Ms. Dezenski. Again, that is a reflection of the ICAO 
discussion where many countries came to the table and although 
in our country we may not have the same concerns about using 
fingerprints, obtaining fingerprints, providing those 
fingerprints, it is not necessarily shared with the rest of the 
world. And oftentimes there is the perception that if you are 
fingerprinting travelers, it is akin to booking someone on a 
criminal charge, for example. I mean, these are the kinds of 
perceptions that are out there in the international 
environment. I am not saying that that is necessarily what we 
believe here in the U.S.
    Mr. Cox. I think you need to be rather methodical about the 
way we go forward and not say that we simply cannot use 
biometrics. We are instead going to have a human being look at 
a picture, the same old rough justice form of identification 
that has been in use for years. What we do not want is for 
terrorists to be able to get good government documents because 
they have got fake breeder documents and they have got ways to 
essentially secrete themselves in the form of somebody else 
whose picture looks exactly like them, at least to the naked 
eye.
    If you will indulge me, Mr. Chairman, I will just remind 
our colleagues of a question that Eleanor Holmes-Norton asked 
at one of our hearings a few years ago. We were talking about 
Canadian truck travel across the northern border, and the 
Canadians had a card like this with a biometric, and we were 
all excited about the fact that this was going to much more 
rigorously identify who was coming across the border.
    And she asked during the hearing, ``At what point do we 
check the biometric? How does that work? When does the person 
slide this card through something or whatever to check the 
biometric?'' And the answer came back that only happens if the 
person in the booth thinks that the driver looks suspicious.
    So it was very clear that the lack of a biometric, the 
human interface, the judgment, the rough justice part of it 
introduced civil liberties concerns itself so that the crime of 
driving while looking suspicious turns out to be the way that 
we drill down into individual suspects rather than just knowing 
who we are dealing with.
    It would actually, in my view, it would be a big 
improvement from a civil rights, civil liberties standpoint to 
be able to say, ``You are you, we know that,'' reduce the size 
of the haystack. A lot of voluntary programs like Registered 
Traveler can help us do that.
    There is ubiquitous technology right now. You can touch 
your finger to open your laptop. I do not believe there is any 
cultural resistance to this whatsoever, and I also believe that 
the ubiquitousness of the fingerprint as an identifier with 
criminal detective work around the world means that we are 
going to be able to tap into a lot more useful information if 
we do that than if we take the fanciest technology that 
somebody tries to sell us in the form of facial recognition 
software, what have you.
    Thank you for allowing me that extra time, but, Mr. 
Chairman, I do think that the Department is making the right 
decision here, but I think that is because I think there is so 
little security payback from this whole system, even if we get 
to the intended destination.
    Mr. Lungren. I thank the gentleman for his comments.
    The gentleman from Mississippi, the Ranking Member 
Thompson, is recognized for 5 minutes.
    Mr. Thompson. Thank you very much. And I want to take off 
from the chairman's comments. What if someone steals the chip 
and puts it on the passport, and have we not altered the 
biometrics?
    Mr. Moss. Sir, in fact you have not. The technology that is 
being used is a technology that once the data is written to the 
chip by the United States or Germany or any other government, 
that data is effectively locked down. It can be read thousands 
of times, it can only be written to the chip once.
    And if the data is changed on the chip, we use a technology 
called [a version of] Public Key Infrastructure, which serves 
to authenticate that data. Literally, if one bit of data on the 
chip is changed, it will throw off a mathematical calculation 
and help to point out to the well-trained border inspector or 
consular officer at a post abroad looking at the same passport 
that something had been done to this passport. So just stealing 
the chip really does not do someone a lot of good.
    Mr. Thompson. Mr. Dezenski, in May of this year, we had two 
airlines diverted to Bangor, Maine, and it was said that en 
route the match on the name list indicated some problem. Why 
can't we do the match before the plane leaves?
    Ms. Dezenski. Well, that is exactly where we are heading. 
You may be familiar with what is called APIS data, Advance 
Passenger Information, data that we now receive from air 
carriers about 15 minutes after a flight takes off. It is 
essentially a manifest that is equivalent to the information on 
the data page of your passport. So the biographic information 
that is captured in the passport is generally the same as what 
is collected by the air carrier and what we call APIS data.
    We actually have two rulemakings that are related to this 
topic. The first was a rule that came out in early April 
requiring some additional data elements that fall under this 
category of APIS data. The second rule, which has not yet been 
released but is in the final coordination period within the 
Department and with OMB, is our APIS plus rule, which 
essentially will move that process back so that we are no 
longer receiving that information 15 minutes after the flight 
takes off.
    Because the rule is not final, I am not at liberty to talk 
about exactly what the timeframe will be, but I can tell you 
that we have had pretty intense discussions with the air 
carriers and other parts of the aviation community about how to 
get through the technical and operational challenges to 
receiving that information. Because we are working in pretty 
much a just-in-time environment within the airport, it is 
sometimes difficult to get that information well in advance.
    We are often asked the question, ``Well, what about the 
information that we receive or could be received at the point 
of purchase, for example, as a person buys their ticket, is it 
possible that we could get some of the data from that point 
onward? And it is very, very difficult to obtain that 
information from numerous sources if you think about how people 
buy their tickets these days. So we are really dependent upon 
the air carrier and when that person is checking in for their 
flight to get the full complement of APIS data that we need.
    Now, sometimes we have passengers that are transferring 
from other flights. Sometimes we have folks that are diverted, 
their flight is canceled, whatever the case may be. And so 
there will always be instances where we do not have all of the 
APIS data at the point where we would like to. So we are trying 
to come up with a solution that allows us to get as much of 
that data as possible, and our intent is to run those checks 
before that flight leaves so that we can deal with those 
potential threats before that flight takes off, and that will 
obviously help with reducing the number of diversions.
    Mr. Thompson. So are you now going to put an additional 
burden on the carriers to get additional information?
    Ms. Dezenski. There are two pieces. We asked for two or 
three additional data elements. That regulation already went 
into effect in April. We think that is fairly straightforward. 
We have not had a lot of major concerns coming up. The more 
problematic piece is the timeframe in which we asked for that 
information, and that is where we have had a lot of 
negotiations, a lot of discussions with affected parties about 
the viability of getting that information.
    And then, of course, we have to run our checks on that 
data. So it has to be early enough in the process that we can 
run it through our system and get the information back to, in 
this case, the carriers if in fact we do not want to have a 
particular person board the aircraft.

                  Supplemental Material for the Record


    Question: Can you tell me, what kind of extra data do you ask for? 
(Page 45, line 1034)
    Answer: We ask for the following information: country of residence; 
passport expiration date, if a passport is required; and address while 
in the United States (number and street, city, state, and zip code), 
except that this information is not required for U.S. citizens, lawful 
permanent residents, crew members, or persons who are in transit to a 
location outside the United States.

    Mr. Thompson. Can you tell me, what kind of extra data do 
you ask for?
    Ms. Dezenski. I cannot remember all of the elements. One 
was the destination address in the U.S. That was something we 
were not collecting beforehand, and we wanted to have a sense 
for where people were going. There were, I think, two other 
elements which I would be happy to get for you.
    Mr. Thompson. How can you prove where somebody is going?
    Ms. Dezenski. There is no 100 percent guarantee. It is 
another piece of information that we can add into our equation, 
but there is never a guarantee.
    Mr. Thompson. Well, I guess if you are putting the burden 
on the carrier to give you information that cannot be verified, 
it just looks like you are putting an additional burden on the 
carrier.
    Ms. Dezenski. Well, we believe that the additional data 
elements will in fact help us make a better risk assessment 
decision. Again, there is never 100 percent guarantee, but we 
do need to work with the carriers to get this type of 
information.
    Mr. Thompson. If I say I am going to Washington, D.C., and 
I am staying at the Hyatt on Capitol Hill, how can you verify 
that? If you are requiring the carrier to give you this 
information, are you now making the carrier policemen too?
    Ms. Dezenski. No. In fact, our goal with this APIS process 
is to take the process of checking information against our 
watch list in house. Right now, we are asking carriers to do a 
check against the no-fly list, for example. We want that 
process within the government. We want to own that process, we 
need to own that process.
    Mr. Thompson. Well, I think all of us want the process to 
be the best possible, but I cannot see the rationale for asking 
for information that cannot be verified.
    Well, lastly, what is the timeline on the rule for APIS 
Plus?
    Ms. Dezenski. We are looking probably over the next couple 
months to get that issued. It is difficult for me to predict 
with 100 percent certainty, given that we must complete OMB 
review and go through the final review process. But we are 
working as quickly as we can to get that out.
    Mr. Lungren. Thank you.
    The gentleman from Georgia, Mr. Linder, is recognized for 5 
minutes.
    Mr. Linder. Thank you, Mr. Chairman.
    How many other nations use digitized photos on their 
passports?
    Ms. Dezenski. Well, certainly, within the VWP Program, the 
vast majority do. I think about 25 of the 27 countries use 
digitized photos. Beyond the VWP group of countries, I am not 
sure.
    Mr. Moss. Digitized photos are widely used around the 
world. They are utilized by many countries. China uses them, 
Russia uses them, many others, because they have a tremendous 
security advantage over physical photographs. They have really 
eliminated the problem of photo substitution--of literally 
changing the photograph in the passport.
    Mr. Linder. Are you having a problem with people putting on 
makeup to make themselves look like the photo in the passport, 
have you?
    Mr. Moss. No, we have not, but that is of course one of the 
issues that having the data written to the chip and having the 
image there will help us with.
    Mr. Linder. How many visitors to our country that do not 
live here come with a passport from, say, Saudi Arabia with the 
fingerprints or a digitized photo?
    Mr. Moss. Any visitor from Saudi Arabia will of course 
require a U.S. visa. They will have been subjected to a 
thorough screening, including the collection in almost all 
cases of two fingerprints as part of the visa application 
process. The State Department then shares that data with our 
colleagues at the Department of Homeland Security and that data 
populates the US-VISIT database. And then when that traveler 
arrives with their Saudi Arabia travel documents, they are 
verified as being the same person who applied previously for 
the visa in Jeddah or Riyadh.
    Mr. Linder. By fingerprint.
    Mr. Moss. By fingerprint, yes.
    Mr. Linder. Why don't you do that for everybody?
    Mr. Moss. Well, sir, we in fact do that for all travelers 
who arrive here using a visa.
    Mr. Linder. But not for American passports.
    Mr. Moss. We do not include finger scans as part of the 
U.S. passport process.
    Mr. Linder. Why?
    Mr. Moss. The international community has focused on the 
issue of facial recognition as a globally interoperable 
biometric. That is what we have selected, I would emphasize,as 
our first generation biometrics. As we see what happens in 
terms of biometric standards and in terms of efficacy, we may 
make additional decisions. But right now we are looking at 
facial recognition as our first generation biometric.
    Mr. Linder. Do you disagree with Chairman Cox's definition 
of biometric?
    Mr. Moss. I never disagree with committee chairmen.
    [Laughter.]
    I would say, however, that in our experience in other 
aspects of the visa process where we have actually used facial 
recognition software in what are called, ``One to Many 
Applications,'' we have found some very, very impressive 
results from facial recognition software and its ability to 
match visa applicants against the same person applying 
literally using disguises or applying multiple times for the 
same benefit.
    Mr. Linder. This picture we saw is going to be judged by an 
individual standing there looking at it, not facial recognition 
software; is that correct?
    Mr. Moss. I think it is fair to say in the first generation 
of applications, even at the ports of entry, it will probably 
be producing on the inspector's screen, first of all, a much 
larger image. They will no longer be comparing a traveler to a 
one and a half-inch square photograph. It will be coming up as 
a large-size photograph. I think it is also fair to say that 
the Department of Homeland Security, in addition to its 
reliance on finger scans for US-VISIT, continues to have 
interest in the possible reliance on facial recognition 
software. That technology, though, is still evolving, and we 
will see where it goes over the next couple of years.
    Mr. Linder. Ms. Dezenski, did you see The Washington Post 
this morning on the US-VISIT Program?
    Ms. Dezenski. Yes, I did.
    Mr. Linder. Would you care to comment on the name matching
    Ms. Dezenski. Well, I think it is important to put that 
article into context. When we talk about 150 crew members that 
may have had some issues moving through the US-VISIT process, 
that is a very, very small fraction of the number of people 
that move through that program on a daily, weekly, yearly 
basis. We are talking about a very small fraction.
    Of the 150, I think, who were identified as having 
problems, only about half of those had a specific redress issue 
with the VISIT system. The others were hits on our IBIS 
database and were referred to secondary for additional 
screening and clearing, as needed.
    Mr. Linder. With fingerprints?
    Ms. Dezenski. Some of them were, yes. I do not know the 
specifics of any other cases.
    Mr. Lungren. Mr. Dicks is recognized for 5 minutes.
    Mr. Dicks. Our committee has been concerned that we made a 
mistake with the 2-finger system versus using 10 fingers, and 
it is 10 fingers. Now, I understand, obviously, that does cause 
a cultural concern. I mean, I think we have to recognize that 
other countries may not think that is--they feel that they are 
being treated like criminals. And so it does present a problem. 
So maybe the facial digital picture is something that was done 
through ICAO, which is our UN, United Nations, group of experts 
on travel. This may not be a bad outcome.
    The only other thing I would say is, I do not see anything 
wrong with having a person to have to put down where they are 
going to be. I think one of the questions we have had over the 
years is that people got into the country and we had no idea 
where they were. At least you have some place to start, and 
assuming that some people put legitimate information and I 
think most people would about where they are going to stay or 
what hotel they are going to be at, et cetera. I mean, it 
cannot be verified, but at least it is a start of collecting 
information about where these people are in the country. We 
need to get them out of here or find them. At least we have 
some place to start. So I feel that that ought to be 
considered.
    Again, I am having a real hard time understanding why we 
ever got ourselves into a system that allows a person to get on 
the airplane, fly to Maine for eight hours and then take them 
off the airplane. To me, that just does not make any sense. I 
am to glad to hear you are trying to go in a different 
direction, but why did we do this in the first place? I mean, 
it is so ridiculous on the face of it, I cannot understand why 
we ever got ourselves into this.
    Ms. Dezenski. We are living in the post-9/11 environment, 
and the parameters under which we operate are aviation systems, 
the parameters that we use to collect data, to accept risk and 
deal with that risk is much different than it was pre-9/11. And 
so I think what we are seeing here is the use of legacy systems 
and legacy approaches that now have to be updated based on how 
we want to manage our system, how we want to deal with our 
threats and vulnerabilities now.
    And it is not uncommon that we run into scenarios like this 
where we may have access to some data but not all data. We may 
get some data at the time we need it but maybe not all of it. 
And so as we go through the systematic review process and we 
respond to mandates like we have in the Intelligence Reform 
Act, for example, to get the safest data sooner in the process. 
We are going to make those course corrections, but I think we 
would fully agree with you that the old way of doing things and 
getting that data late in the game is not where we want to be 
to identify those threats and deal with those threats as 
quickly as possible.
    Mr. Dicks. Why didn't we set it up so you could check 
before the flight leaves rather than 15 minutes after it 
leaves? I mean, that is not that much of a time difference. Why 
was it done that way?
    Ms. Dezenski. I cannot speak to--
    Mr. Dicks. Isn't there a way it can be done technically? Is 
that what you were saying?
    Ms. Dezenski. Well, there are most certainly technical 
limitations to when we can get all the data. I think it is 
mostly a reflection, though, of the fact that in previous times 
perhaps the threat and vulnerabilities did not necessitate that 
that information be received any sooner in the process. And now 
we know that is not the case. We need to get it sooner, we need 
to deal with those issues.
    Mr. Dicks. Did you say this would be resolved?
    Ms. Dezenski. We are trying to get the rule out as quickly 
as we can. Now, it will go through a notice and comment period.
    Mr. Dicks. It does have a great record of keeping its 
commitments on reports or getting information back or doing 
things in a certain timeframe. How solid is this 2 months?
    Ms. Dezenski. Well, we are doing the best we can to get 
this one out. Again, I think I have alluded to a lot of the 
concerns that we have been dealing with in trying to come up 
with a timeframe that is reasonable and does not have a 
negative impact on the operations for air carriers. We have a 
lot of things to consider in this process, and the last thing 
we want to do is put a requirement out there that leads to an 
effect that is worst than what we started with. So we really 
need to do this right.
    Mr. Dicks. I can understand there might be a few last 
minute changes of people getting on this airplane that would 
then necessitate doing a check after the plane left. But there 
has got to be at least 95 percent of the people on that plane 
we know are going to be on that plane well before the plane 
takes off. So why couldn't they check it before it takes off, 
and then if they have to update it, update it. But at least do 
a check before the plane takes off.
    Ms. Dezenski. You are absolutely right, some of that data 
is available. Some people come to the airport three hours in 
advance of their international flight. That data is available. 
We could start to do those checks. But it is not the case for 
every passenger that we are dealing with, so we have got to 
figure out what is the shortest window in which we can operate 
where we can get the vast majority of that data and perform our 
check and be able to get back to the air carrier with that 
board or no-board decision for that list of passengers. And of 
course this happens thousands and thousands of times, every 
time a flight takes off. So there are a tremendous number of 
operational issues and technical issues to take a look at on 
implementation of this requirement.
    Mr. Lungren. The gentleman from Washington's time has 
expired. I just might say that I am constantly refreshed by the 
enthusiasm and intensity of your feelings on this, and I 
appreciate it. Now I know why you went to the Rose Bowl.
    Gentleman, Mr. Pearce, is recognized.
    Mr. Pearce. Thank you, Mr. Chairman.
    There seems to be questions whether or not fingerprints 
should be involved in a biometric passport. Briefly, do you all 
have an opinion?
    Mr. Moss. I think you have to recognize that any 
requirement that we would attempt to impose on other 
governments would then expect us to meet the same requirement. 
I think it is fair to say the administration has no position on 
the issue of fingerprinting American citizens as part of the 
passport process.
    Ms. Dezenski. I can tell you that we are looking very 
closely at the enrollment process for US-VISIT and our 
biometric standards across the board to determine whether we 
want to move, for example, from a 2-print enrollment process to 
a 10-print enrollment process. There is a lot of discussion 
about how to get to the best use of fingerprints. We would 
certainly defer to the State Department on any thoughts with 
regard to using fingerprints, catching fingerprints as part of 
the U.S. passport issuance process.
    I can tell you that some European countries are looking at 
adopting fingerprints, although I do not believe that any final 
decisions have been made, and they are looking at the use of 
those fingerprints within the E.U., not, for example, 
information that we could access.
    Mr. Pearce. Thank you. I think I am the only member in the 
committee with a border along the Mexican border, so I am very 
familiar with the WHTI and how it is supposed to aid in 
security along the border. I am also concerned that many 
residents in our district need to travel back and forth 
frequently, and so we worry about having a friendly border at 
the same time having a secure border, and that is a difficult 
balance.
    As far as the efforts to implement WHTI, what efforts to 
date have been made to implement the processes of that, and is 
it going to be implemented by December 2007?
    Mr. Moss. Thank you very much for the question. The first 
point I would bring up is that we have still not published the 
Advance Notice of Proposed Rulemaking. It is very close to that 
publication. It should happen in the next, I would say, couple 
of weeks.
    Elaine and I have traveled thousands of miles, literally, 
doing outreach. In fact, I was just last week in Arizona doing 
the same thing. We are trying to educate people, we are trying 
to make people understand that there is more than one phase to 
this program, that it does not all go into effect at one point.
    Both State and the Department of Homeland Security 
recognize that different travel documents work better for 
different uses. For example, if someone is getting on an 
airplane or getting on a cruise ship and going abroad, that 
really is travel for which almost exclusively the passport is 
the appropriate document. We all recognize that the land border 
is a huge challenge.
    In this regard, during the month of July, the State 
Department is contracting to have surveys done at 16 border 
crossing areas to help us get our handle on perhaps our key 
unknown piece of--
    Mr. Pearce. Will it be ready to go by 2007?
    Mr. Moss. That is what the law says, sir. [We are--]
    Mr. Pearce. Are the RT cards going to be allowed to be one 
of the documents used?
    Ms. Dezenski. We are looking again at the RT concept. We 
have a couple of frequent traveler type programs that are in 
existence, which we have referenced as part of our outreach on 
this. We are going to move toward global enrollment in uniform 
Registered Traveler type programs to facilitate at the land 
borders--
    Mr. Pearce. Are we going to have the program kickoff to 
make sure that we can sustain it?
    Ms. Dezenski. Absolutely.
    Mr. Pearce. Mr. Moss, what efforts is the State Department 
making to ensure that if we want to require passports to cross, 
that you can actually keep up with the load in a timely 
fashion? Again, these are my constituents who are going to be 
calling me asking me to call you, and I would like your home 
phone number as well if you have it.
    [Laughter.]
    Mr. Moss. I will provide it, sir. The reality is that we 
are making major investments in cooperation with the Congress, 
and we will be talking to you about certain aspects of that, 
because we do need to increase capacity. Right now, this year, 
we are already issuing 10 million passports a year, some of 
them are probably to WHTI-related travelers. But as we look out 
a couple of years, we think that number could get up into the 
range of 15 to 17 million a year. That is a big challenge for 
us, we have lots of initiatives underway, but we are going to 
need help from Congress as well.
    Mr. Pearce. Thank you, Mr. Chairman.
    Mr. Lungren. The gentleman, Mr. Langevin, is recognized for 
5 minutes.
    Mr. Langevin. Thank you, Chairman.
    I want to thank you both for being here testifying today.
    I wanted to turn my attention back to the durability 
lifespan of the biometric chip. I know the company that you are 
working with has assured us that it will last for the 10 years 
that it is expected to, according to what you just testified 
to, but one of the problems that I see is with a passport that 
has been somehow physically damaged, you can obviously see it, 
but if a chip has been damaged or we have all been in the 
situation where you are too close a magnetic source and the 
data on your credit card gets wiped off. And that is not going 
to be very obvious until the traveler gets to the airport.
    So what are you going to do in that case when a traveler 
gets to the airport and his or her passport is damaged, the 
data is gone off the chip and they are about to get on a plane?
    The second thing is if I am a potential terrorist and I 
know that they are going to look the other way or when I get to 
the airport they are going to let me on the plane, then they 
are going to do something to physically damage, intentionally 
damage the passport and the data chip and hopefully try to get 
on the plane without proper biometric screening. So can you 
address those questions for me?
    Mr. Moss. Certainly. I think the first point I would like 
to reassure you and others is that if the chip is damaged, as 
we say in our own rulemaking we will replace a passport with a 
damaged chip at no cost to the bearer. But the other point is, 
just as is the case right now, at the end of the day the 
default, if you will, security mechanism in the chip is 
actually the data page itself. As long as the data page is 
intact, you as a legitimate traveler will be able to board that 
aircraft.
    You may, I would add, be subjected to some additional 
scrutiny, either entering the United States or entering another 
country without an operational chip, but I think you will be 
able to travel. [You will be able to travel, there is no 
``think'' about it.]
    I think on the point of deliberately damaging the chip and 
things of this nature, it is another issue. Clearly, I think 
part of the answer to that is data share. I talked a little bit 
about that before, about trying to identify [mollified] 
terrorist travelers before they travel.
    I also think it is important to note in that regard that in 
some cases the only biometric we ever have on a truly dangerous 
traveler is in fact a photograph that has been acquired in some 
cases, getting back again to the value of a photograph.
    Damaged chip, admittedly, they could do that, but we think 
that the chip is going to be very durable unless it really is 
deliberately attacked, and that will probably leave some 
evidence which would make an inspector or an airline official 
somewhat suspicious about the traveler.
    Mr. Langevin. Now, on that point, with respect to a chip 
potentially being damaged or if technology changes so quickly, 
have you thought about the issue of reducing the timeframe from 
10 years down to 5 years, both to allow us to incorporate new 
technology or to ensure that the information is current or the 
chip is not damaged?
    And within that, have you also factored in, even if you 
leave it over 10 years, you factored in data migration issues? 
As a former Secretary of State, we were always grappling with 
the issue of the new machines being able to read the old 
technology, and that is something that I would like you to 
address?
    And can the State Department handle the additional 
production costs and associated activities that would go into 
reducing that timeframe?
    Mr. Moss. [Okay.] Let me see if I can deal, first of all, 
with the validity period, because I think that deals with two 
or three of the other issues. We have looked at the validity 
period issue, sir, and if we were to take our projected demand 
of 12, 15 million passports a year and go from a 10-year book 
to a 5-year book, it would not exactly double but it would 
probably go up by about two-thirds.
    So now we would be back here with Congress looking for 
resources to build a passport system that could sustain 25 
million passport adjudications or replacements a year. That 
would be a daunting challenge, I think. It certainly would be 
for State. [I think DHS would agree with me, the same way.]
    In terms of technology, what we have tried to do is two 
things. One is, as I said in my earlier testimony, we have 
considerable unused capacity on the chip, so we are trying to, 
in one case, future-proof the technology so that if we decide, 
for example, to go with iris scans as a second biometric, 
additional photographs, finger scans, something of this nature, 
we do not have to change our technology.
    The third point is, as technology evolves, one of our 
baseline objectives will be that it is always backwardly 
compatible so that the DHS passport reader in 2012 will be able 
to read passports issued in 2012 as well as in 2006. That is 
why the State Department is paying a lot of very bright people 
in the private sector, at NIST and at the Government Printing 
Office to help ensure that we can do that.
    Mr. Lungren. The gentleman's time has expired.
    The gentlelady from Virgin Islands, Dr. Christensen, is 
recognized for 5 minutes.
    Mrs. Christensen. Thank you, Mr. Chairman.
    I am sure you know we are heavily dependent on tourism for 
our economic livelihood. Because so many of our visitors come 
from the U.S. mainland, I am going to be extremely concerned. 
Just yesterday I answered one question to the press on that, 
and I want your assurance today that my constituents and myself 
will not have the requirement imposed on us as it has been 
posed on the other countries in the Western Hemisphere.
    Mr. Moss. I would certainly invite you to make that comment 
as part of our advance notice of proposed rulemaking process, 
but I can assure you on both the State Department and DHS' 
side, we both recognize your constituents are U.S. citizens and 
people traveling to the Virgin Islands or Puerto Rico from the 
United States are also U.S. citizens. We have no concept 
whatsoever, no thought whatsoever of imposing essentially an 
internal passport requirement on travel between U.S. 
territories and the United States, the main ones, I should say.
    Mrs. Christensen. Music to my ears.
    [Laughter.]
    I am also concerned about the rest of the Caribbean as well 
and the impact of the initiative on my neighboring Caribbean 
islands. And in December of this year, the passport or other 
executive document, as you will determine, will be required for 
all travelers to or from the Caribbean, Bermuda, Central 
America and South America.
    You have just extended the time on the Visa Waiver Program, 
and there is a lot of concern in the Caribbean. What is the 
possibility that you would extend the time on the Western 
Hemisphere another year as well?
    Ms. Dezenski. As I think we mentioned earlier, the advance 
notice of proposed rulemaking on the Western Hemisphere 
Initiative is still in the process of being cleared by the 
Department, both State and DHS, and ultimately OMB. We have 
most certainly taken into consideration the concerns that have 
come up about travel to and from the Caribbean, and we do 
understand that there are potential implications. We have 
looked at a couple different ways to phase in these options.
    One of the reasons why we are doing this as an advance 
notice of proposed rulemaking is precisely because of some of 
these concerns and that we need to consider them as early in 
the process as possible. So although we have not issued 
specifics on what the proposed implementation date may be, we 
are certainly looking at some flexible requirements.
    Mrs. Christensen. What is in place for the visa waiver 
countries to prevent someone from fraudulently obtaining a 
passport overseas in another country, who is not on a watch 
list or in our databases, and entering the U.S. under the 
assumed identity based on their biometrics?
    Mr. Moss. I think I actually have some rather good news for 
you in that regard. The countries that are in the Visa Waiver 
Program have to meet a variety of requirements, but one of the 
things we also look at is the integrity of their passport 
system. These are all very sophisticated countries. Quite 
honestly, many of them have database access, for example, 
national registries of births and deaths and things of this 
nature, which do not exist in the United States.
    I am very confident in the integrity of the way the U.S. 
passport is adjudicated. I certainly share that feeling about 
the way passports are adjudicated in the other visa waiver 
program countries as well.
    Mr. Lungren. Thank you. There has been a request to have a 
short second round before we go to the next panel.
    Let me just ask this, and we may be beating this to death, 
but it is very important for us in terms of a homeland security 
perspective, to make sure that the person standing before us is 
the person he or she purports to be. And some of us got excited 
about the terminology, ``biometrics,'' but I share the 
chairman's concern that what we are really doing is looking at 
a picture. The picture may be embedded in the chip so that you 
can see it come up in a comparison, but that is recalls you all 
are doing. It is not any sort of software analysis of the face.
    Fingerprints are ubiquitous, and I understand the E.U. is 
more than thinking about it, I understand the decision is made 
that they are going to put fingerprints in their passports. But 
is the problem that if they put fingerprints in their passport, 
we cannot read them technically or that we will not be granted 
permission to utilize that against any database that they have?
    Ms. Dezenski. My understanding at this point is that they 
would only be considering the use of those fingerprints within 
the E.U. proper. So, for example, if they are stored on the 
biometric chip, we would not be able to access that information 
when we scan that passport at the U.S. port of entry.
    Mr. Lungren. Does that mean we would not be able to read it 
or we would not be able to read it and then access their 
database for identification purposes?
    Ms. Dezenski. Well, actually, both. We would not be able to 
read that information on the chip, and there would be no link 
back to an E.U. or a member country database for any type of 
check.
    Mr. Lungren. I understand the concerns you are expressing. 
My thought is, and I do not know if it is shared by other 
members of the panel, but that we ought to be in the vanguard 
of creating identifiers which will really answer the question, 
who is it in front of me, to the greatest extent possible.
    For the life of me, I do not see anything better than 
fingerprints. I share Mr. Dicks' thoughts that if we are going 
to do that, we ought to go to 10 prints rather than 2. We ought 
to be in advance of that and then work our way in the 
diplomatic circles to try and get others to understand why it 
is important for us to have access. It is in their interest, it 
is in our interest if we are in a worldwide battle against 
terrorism.
    That is why I understand what you are saying. I am not 
trying to harp on you, but my feeling is we ought to be in the 
vanguard, we ought be presenting it, we ought to be making the 
case for why this is the way to make sense. As the chairman has 
said many times, we are looking for needles in a haystack, and 
right now we are looking at the largest haystack possible, 
whether it has gone through passports or whether it is forcing 
people to go through checks.
    And I have always thought, in terms of law enforcement and 
everything else that the idea is to limit the scope of the 
suspects that you are looking for. And to the extent we do not 
do that or give ourselves the tools to do that, we are making 
it more difficult for ourselves and we are making it far more 
expensive for ourselves.
    So just sort of an expression of frustration that I have.
    The gentlelady from California, if she has any more 
questions.
    Ms. Sanchez. I would agree with the chairman. I am just 
amazed that we would require another country to put a chip in 
their passports and then when they come to our country we do 
not really use that. I mean, why are we putting those 
requirements on them if we are really not going to have any 
access to it?
    Ms. Dezenski, I want to go back to the last question you 
did not get to answer. Could you answer that question for me, 
how many places currently issue NEXUS cards, how many issue 
FAST cards, how many issue SENTRI cards? And how many places do 
you believe your Department is going to plan to issue 
Registered Traveler cards?

                  Supplemental Material for the Record

    Question: Could you answer that question for me, how many places 
currently issue NEXUS cards, how many issue FAST cards, how many issue 
SENTRI cards? And how many places do you believe your Department is 
going to plan to issue Registered Traveler cards? (Page 68, line 1613)
    Answer: Cards for NEXAS, FAST and SENTRI are issued by CBP at local 
(port of entry) enrollment center. The Current totals for each are as 
follows:




NEXUS--5 (Plus NEXUS Air Pilot)
        Enrollment Centers                            Crossings
                Blaine, WA                           Peace Arch
                                                Pacific Highway
                                                  Point Roberts
               Buffalo, NY                         Peace Bridge
                                                 Rainbow Bridge
                                     Whirlpool Bridge (NEXUS-only)
               Detroit, MI                    Ambassador Bridge
                                         Windsor/Detroit Tunnel
            Port Huron, MI                    Blue Water Bridge
             Champlain, NY                            Champlain
                                          Highgate Springs (VT)



NEXUS Air Pilot is operational at Vancouver International Airport, BC.

FAST--17




         Southwest Border Locations:           Northern Border Locations:
           Brownsville, TX           Belleville, New Brunswick (Houlton
                                                            ME)
              Calexico, CA                         South Derby Line, Vermont
               El Paso, TX                        Champlain, NY
                          Laredo, TX Fort Erie, Ontario (Buffalo, New
                                                          York)
             Otay Mesa, CA           Windsor, Ontario (Detroit,
                                                      Michigan)
                 Pharr, TX                       Port Huron, MI
               Nogales, AZ                Pembina, North Dakota
                                           Portal, North Dakota
                                            Sweetgrass, Montana
                                                     Blaine, WA






                     SENTRI--2
            Enrollment Centers                         Crossings
                 Ca--Otay Mesa                         Otay Mesa
                                                      San Ysidro
TX--El Paso--Ysletta Port of Entry      El Paso--Stanton Street Bridge


    With regard to the Registered Travel (RT) program, TSA's RT pilot 
tests are operating at five airports across the country: Minneapolis 
St. Paul (MSP); Los Angeles Internation (LAX); Houston George Bush 
Intercontinental (IAH); Boston Logan (BOS); and Reagon National (DCA). 
A new pilot at Orlando has been launched to assess the feasiblity and 
effectiveness of using a public/private sector business model to 
implement RT.

    Ms. Dezenski. I do not have the specific numbers with me, 
but I can certainly follow up for the record to get those 
enrollment sites for you.
    I can tell you that it is fairly limited. I think it is 
important to keep in mind that NEXUS and FAST and SENTRI were 
never envisioned as alternatives to passports. We think they 
are tools that can be useful in meeting Western Hemisphere 
requirements, but the way that the enrollment process is set up 
for these types of programs, it is normally at our busiest 
crossings and caters to those folks who cross very frequently. 
So we, again, have focused on those ports of entry where we 
have the highest volume.
    Now, we are expanding all of those programs over the next 
couple years, but I think it is important to get back to this 
idea of the Registered Traveler concept, because we need to 
look more broadly at how to encompass into some type of global 
process that would facilitate some type of card, particularly 
at the land borders.
    As far as the RT Program goes, we are in of course the 
pilot phase. We have agreed to extend that pilot I believe 
through September, and then we will make some determinations at 
the Department level about how we continue that program.
    So decisions about the number of enrollment centers, for 
example, will be linked into the broader discussion within the 
Department about where we want that program to go. So there is 
no specific decision on that right now.
    Ms. Sanchez. And then, Mr. Moss, when I was younger I used 
to live in Italy and I had an American passport, and during my 
stay there, during one of the years my passport expired and I 
went down to the embassy and I redid it. Compared to what was 
issued here, it was pretty much hand-done, it seemed to me, at 
the embassy.
    My question for you is two-pronged. When you lose your 
passport in a place like Italy and you go to the embassy, do 
you get a temporary passport to go back or do you get issued a 
new passport?
    At that time, I had a new passport issued within 3 days, 
for example, which was a re-up of another 7 years or 10 years 
or whatever the time was at the time.
    So under the two cases, if I lost it or if I was living in 
a different country and I needed to go and get it renewed, 
would I even get the same kind of passport that I had issued 
with the embedded chip and everything from an outpost like 
Rome, Italy, versus if I am in Uzbekistan or some other place?
    A load of questions there, but I am trying to understand 
what do we really have in hand?
    Mr. Moss. Let me deal with the case of someone who is 
living in Italy or living in Uzbekistan and their passport is 
about to expire. They live there, they contact our embassy, 
they turn in their old passport, we do data entry, scan the 
photograph and that data then moves electronically back to one 
of our production facilities in the United States. They make 
the passport the same day, and it comes FedEx, as of July 5, 
back to the embassy abroad. In a place like Rome, Italy, you 
will usually have it within 3 or 4 days after you walk in the 
embassy.
    In the case of someone who is traveling abroad and may be 
in Italy today and in Germany tomorrow, we will issue a 1-year 
temporary passport. When you return to the United States after 
your trip, you turn that into us and you then get a full 10-
year validity passport, paying for it only once.
    We went to the decision, by the way, of repatriating the 
production back to the United States because it gave us the 
security system. We make the same passport that is available in 
Rome as is available in New York or Washington. More 
importantly, it was also a good use of money.
    Placing this highly sophisticated passport production and 
personalization equipment overseas [just] simply is not a good 
use of the taxpayers' money.
    Ms. Sanchez. What is the difficulty having 120 different 
countries that--
    Mr. Moss. Actually, I think you can get a passport at I 
think it is 240 different posts around the world.
    Ms. Sanchez. There are only 120--okay. Thank you.
    Mr. Lungren. The chairman of the full committee, Mr. Cox, 
is recognized for 5 minutes.
    Mr. Cox. Thank you, Mr. Chairman.
    I want to begin by again thanking our witnesses. You are 
working on some very important matters here.
    I also want to see if I can peel down a little bit further 
on this question of where we are going, why and what is the 
purpose of all of this. I hope that our purpose is data 
security to the extent that we are imposing new requirements on 
travelers, our allies and other countries around the world, and 
that it is not an exercise, it is not something for its own 
sake. So I think it is a fair question to always ask, `what is 
the security payback'?
    My judgment is that there is little to no security payback 
in the so-called biometrics that is the subject of the 
Department's recent decision, and that is why I think it is 
fine to put if off. Because, quite honestly, when it is all in 
place, there is still no real additional security or at least 
it is of marginal value.
    I do agree, for example, that looking at a bigger picture 
on the screen instead of looking at a little picture is a 
marginal improvement. It has been commented on several times 
during this hearing that we are still just looking at a 
picture. That is all we are doing.
    I am struck that the mandatory biometric of facial 
recognition is essentially useless in finding known terrorists 
because there is no existing database. The same is true for 
iris scans or all the other fancy things that we might, as 
Americans, subject ourselves to.
    As Chairman Lungren was pointing out, there are 
international databases of criminals' fingerprints that someday 
we might reach some international understanding to share a 
little bit more broadly.
    I have to say that putting the chip on the card, linking 
the chip to the photo, with all of its shortcomings, sent me 
down a path that I am even less comfortable with than the 
fingerprints. I do not know what is going to go on the chip. It 
is a rather elaborate undertaking to avoid doing the obvious, 
which is checking a real biometric, such as a fingerprint, for 
a passenger, a traveler through the airport just by touching 
something.
    But to be very explicit about it, my privacy interest in 
the distance between the ridges on my fingertips compared to my 
privacy interest in my tax records, my credit card usage, the 
library books I read, my medical history, my employment history 
and so on, all of which I think we would all agree in this room 
ought not to find its way into the chip on this card, is 
negligible.
    I do not want the government to know what I am reading, I 
do not want the government to know anymore than it needs to 
know about my medical history or all the other things that make 
me Chris Cox. I do think that something that establishes that I 
am Chris Cox and not Tom or somebody else around here so that I 
can go through the airport and proceed on my way is a help to 
me.
    So the point that we are trying to establish here is what 
is it going to take to find these terrorists? And if the iris 
scan that I have subjected myself to as a participant in the 
Registered Traveler Program is not going to produce a database 
that has terrorists in it, it is of relatively less value. I do 
think the chairman's right that we can reduce the size of the 
haystack that way, so it is a voluntary program, the Registered 
Traveler is, and maybe that is fine.
    But for most people who may not want to participate in such 
a voluntary program, the question is, how are we going to not 
focus on them in the most efficient, cheap, fastest way if they 
are not terrorists? And it seems to me that that question is 
put very neatly by your predecessor who is going to testify on 
the next panel, Stewart Verdery, and I just want to quote from 
his testimony and ask you to react.
    He says, ``I recommend that the United States match the 
bold steps of the European Union to include fingerprints in 
passports. The U.S. should advocate for fingerprints as a 
mandatory biometric in passports at ICAO,'' and of course that 
underscores the fact that that is not the U.S. position.
    And, Mr. Moss, you said there is no administration position 
on this one way or the other, I believe, a moment ago. So we 
are not leaving it in ICAO, we are just simply saying that they 
have adopted fingerprints as a secondary way to do this after 
facial recognition, and we are just going along with the flow.
    Quoting from Mr. Verdery, ``At a time when we are going to 
great lengths to build antiterrorism and law enforcement 
systems based on fingerprints, we will never be able to fully 
engage other countries if we decline, ourselves, to do what is 
needed.''
    So I would just ask for your reaction to that?
    Ms. Dezenski. I think my former colleague makes some good 
points. I want to go back to something Frank Moss said a while 
ago, which is we are at the beginning stages of using 
biometrics. We are really just starting, and I think we are 
going to see the evolution of the use of biometrics, we are 
going to see more interoperability between databases, we are 
going to see more cooperation on the international front.
    But we have got to start somewhere, and I think if I want 
to leave you with one message it is not to think that we are 
somehow not utilizing fingerprints. It seems to be the focus of 
where you want to go, and the use of fingerprints starts very 
early in the process.
    If you need to obtain a visa, if you are outside of the 
Visa Waiver Program countries, when you apply to the U.S. 
consulate, you are required to give 10 fingerprints. It is used 
to run a check against what is called IDENT and IAFIS, which 
contains extracts of criminal records and what not. So that 
process happened when we are issued a visa.
    If you are in a Visa Waiver Program country, not only do 
you have the biometric requirements that we talked about in the 
past, but you are also enrolling on your first time entering 
the U.S. End of the program using your fingerprints. Right now 
it is two. We may at some future time look to expand to a 10-
print, but those fingerprints are captured and when you come 
back for your subsequent visits you are checked against that 
fingerprint database.
    Again, we are at the beginning stages but there are 
multiple layers in this process that utilize biometrics in 
different types of ways. And there are two issues: One is 
verifying you are who you say you are, and the second piece is 
being able to run a test to ensure that you are clean. So we 
use biometrics to achieve both of those objectives.
    Mr. Cox. I am glad that that is where we were headed. I 
think it is manifest that we are not there now, and I hope we 
will increasingly see our way clear to doing these things.
    Mr. Lungren. The gentleman from Washington, Mr. Dicks?
    Mr. Dicks. I want to make sure I got this straight. You 
said that for visa waiver countries, countries that are in the 
Visa Waiver Program, you check two fingerprints, right? Why 
can't you, if the person who has got the passport, can that 
same person check the--if this person says he is this person 
and he is from a Visa Waiver Program, can he check the 
fingerprints at the same time?
    Ms. Dezenski. Can the inspector check the fingerprints?
    Mr. Dicks. Yes.
    Ms. Dezenski. Yes. Let me walk you through the process of 
someone traveling from a VWP country, enters the U.S., and 
let's assume that they have e-passport, so it has the digital 
photo and the biometric chip. When that person enters at the 
U.S. port of entry, their passport would be scanned in and read 
by our reader.
    It would look at the biographic data and would compare that 
to what is in the passport, and this chip would be unlocked, if 
you will, to display the picture that is encoded, which should 
match with the person standing in front of them and with the 
digital photo embedded in the actual passport.
    The second part of this process is the use of fingerprints 
for that VWP traveler. If it is their first time into the 
country under the US-VISIT requirement, we do an enrollment 
process which checks their fingerprint against numerous 
databases and ensures that they do not have some terrorist 
link. And as they come in for subsequent visits, they are again 
asked for their fingerprint. We also take a photo, by the way, 
but they are asked for their fingerprint, and we do another 
check to make sure that the fingerprint in fact matches the 
record that we have on file for that person. So it is a two-
part process.
    Mr. Dicks. And that is done right there when the person 
comes through.
    Ms. Dezenski. At primary.
    Mr. Dicks. But it is not part of the passport. You have to 
go into the U.S.?
    Ms. Dezenski. The fingerprint is not encoded on the 
passport.
    Mr. Dicks. Right. We know that.
    Ms. Dezenski. Right. That is right.
    Mr. Dicks. But you have to use the US-VISIT system in order 
to use it.
    Ms. Dezenski. That is right, but it is all integrated into 
the reader.
    Mr. Dicks. On non-visa waiver countries, you use 10 
fingerprints. Now, in the testimony it says if you get into the 
question of quality of fingerprints, you are much better off to 
have 10. Why did we not do 10? I know there was a big rush to 
get something deployed, but the 10 is so much more effective. 
And if we did it for the non-Visa Waiver Program countries, why 
didn't we do it for visa waiver countries?
    Ms. Dezenski. There are a couple of reasons. One, of 
course, is the facilitation piece. When you apply for a visa, 
there is more time in the process. You can take 10 prints, you 
could run that check if it takes 20 minutes or 30 minutes, 
usually you are still in the consular office.
    Mr. Dicks. That is whether it is a visa country or a non-
visa country, right?
    Ms. Dezenski. Well, you are only applying for a visa if you 
are outside of the VWP. So this would affect travelers coming 
from--right. So that is a different scenario than when you are 
at the port of entry standing in line along with thousands of 
other people, and we need to facilitate you through US-VISIT. 
There is no doubt, a 2-print process is much quicker, but I 
will tell you that there has been a lot of discussion about 
whether we move to a 10-print enrollment versus a 2-print. The 
initial decision was made to use a two-print process. We will 
be looking at that as we move forward to determine whether or 
not we need to revise that policy.
    Mr. Moss. Mr. Dicks, I would just like to clarify just so 
that we do not leave you with a misunderstanding. At this 
point, though, even in the visa waiver traveler situation, we 
are still only collecting two fingerprints from the traveler at 
this time. Our goal over the next couple of years, as not only 
State and DHS ramp up, but so do the agencies that have to read 
these prints ramp up their capacity, is to migrate towards 10. 
But right now, if you are applying, as someone asked me in 
Saudi Arabia, we are taking your two index fingers at this 
point in time.
    Ms. Dezenski. I stand corrected.
    Mr. Dicks. Well, okay. That is important to know because 
you would wonder why if you are doing 10 there, why wouldn't 
you do 10 in the other situation? That is the only question I 
had.
    Thank you, Mr. Chairman.
    Mr. Lungren. Before we let you go, let me just ask one last 
question here. You say in this program not only do you have 
your embedded passport and you run it through the scanner or 
reader once we have the readers in place, but then a separate 
action is to capture the two fingerprints. And on the first 
occasion the person comes in you run those fingerprints against 
our watch list database, correct? But, obviously, we are not 
running them against any European database.
    Ms. Dezenski. We are not, but we do receive information 
from INTERPOL, for example, that is routinely put into our 
system and used for those types of checks. So although we do 
not have a real-time link to INTERPOL, we do get information 
from those sources and put that into our system.
    Mr. Lungren. So even if the E.U. passport had embedded in 
it fingerprints, we could not read that, so there would be no 
way for us to check the fingerprint of the person who is 
actually presenting themselves with the fingerprint that is 
embedded in the European passport at some time when they have 
that as captured.
    Ms. Dezenski. We would only be able to read it if they 
allowed us to do so. So they would have to put the information 
on the chip and give us permission to read it.
    Mr. Lungren. I understand. I understand. What you are 
saying is when we check it against our watch list, if they are 
not on our watch list, they get a pass on that. And then you 
are saying when they come back, we match their prints with the 
previous prints given so that we just make sure they are using 
the same alias they used before.
    Ms. Dezenski. That is correct, but there is also a 
continual vetting process. So as we get new information--
    Mr. Lungren. No, I understand that.
    Ms. Dezenski. --we are checking our files.
    Mr. Lungren. It just strikes me that in the law enforcement 
and in the criminal justice community, we know how many 
mistakes are made with facial identification. Eyewitness 
testimonies are often times thrown out or are wrong and so 
forth. I know we are going to have trained people looking at it 
and they have got the one picture and the other picture. But 
you have got someone with fingerprints, you have got them dead 
to right. That is why I am just saying our whole experience has 
been that fingerprints are the way to go.
    I appreciate it, and I just want to thank you for your 
testimony. It has been very, very helpful for us. We appreciate 
the work that you are doing.
    Other members may have other questions they might submit in 
writing to you, and we would ask if you would respond to that 
in a timely fashion.
    And we appreciate the work you are doing. Thanks.
    Ms. Dezenski. Thank you.
    Mr. Lungren. I now call the second panel.
    I would tell the other members that are here, we are 
expecting a vote around 1 o'clock. We are supposed to have a 
15-minute vote, followed by a 10-minute debate, followed by a 
15-minute vote, followed by a 5-minute vote. It would be my 
thinking that when we have the first vote called, go back and 
vote then and then come back here because we have about a 30-
minute period of time if you look at the two 15-minute votes 
and the 10-minute debate, and resume.
    I appreciate the indulgence of the second panel, having sat 
through the first bit of testimony. As I explained, we will 
have a vote momentarily. My expectation is that we will go over 
there and vote, come back for perhaps a half hour, then go back 
for the last two votes and then return.
    I recognize at this time Dr. Martin Herman, the information 
access division chief for the National Institute of Standards 
and Technology, to testify.
    And, again, I would just mention that your full written 
testimony will be placed in the record in its entirety, and we 
would ask you to try and limit your opening remarks to 5 
minutes. Thank you.

  STATEMENT OF DR. MARTIN HERMAN, INFORMATION ACCESS DIVISION 
     CHIEF, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Mr. Herman. Thank you, Chairman Lungren, Ranking Member 
Sanchez and members of the subcommittee. And thank you for the 
opportunity to testify today about the biometric activities at 
the National Institute of Standards and Technology, which will 
help secure Americas' borders.
    Under the USA Patriot Act and the Enhanced Border Security 
and Visa Entry Reform Act, the Attorney General and the 
Secretary of State, through NIST, were directed to make 
recommendations for means of verifying the identity of 
travelers entering the United States with visas.
    These recommendations were made in a joint report to 
Congress dated February 2003. Since this report was issued, 
NIST has continued to conduct an extensive biometric research 
and evaluation program.
    NIST, in close collaboration with the Department of 
Homeland Security, Justice, Defense and State, has performed 
many tests of fingerprint and face recognition systems in 
support of its statutory mandates. Fingerprint tests have been 
performed at NIST on the FBI's Integrated Automated Fingerprint 
Identification System, or IAFIS, on DHS' IDENT system, which is 
of course part of the US-VISIT system, and we have also done 
tests on many commercial vendor systems.
    In the face recognition area, we have done tests on many 
commercial as well academic systems.
    To support these tests, NIST has acquired very large sets 
of data, including 128 million fingerprint images taken from 18 
million subjects by several federal, state and county agencies.
    NIST Patriot Act recommendations are as follows: For one-
to-one verification matching, NIST recommends the use of one 
face image and two index fingerprints, and all three biometrics 
should be stored in image form.
    For one-to-many identification matching, NIST recommends 
the use of 10-slap fingerprint images, and these 10 would be 
used for enrollment and checking of large databases.
    For both recommendations, the fingerprint images should 
conform to the ANSI/NIST 2000 standard. This standard, is also 
used in law enforcement for the electronic exchange of 
fingerprint images and is used to exchange fingerprints between 
the FBI and INTERPOL as well as with FBI and United Kingdom's 
home office.
    Face images are not recommended by NIST for large-scale 
identification applications if fingerprints can be used.
    For verification matching, NIST tests have shown that 
contemporary fingerprint systems are substantially more 
accurate than face recognition systems in operational 
environments. However, this should be qualified by the fact 
that any advances in face recognition technology since the last 
NIST face test, which occurred in the year 2002, any advances 
in technology have yet to be evaluated. And we do believe there 
have been improvements in face recognition since then.
    The two fingerprint accuracy for the US-VISIT two 
fingerprint matching system is 99.6 percent with a one in 1,000 
false positive rate. This means that one in 1,000 imposters 
will falsely be permitted to pass the checkpoint. The best 2002 
face recognition accuracy using a single-face image with 
controlled illumination was only 90 percent when one in 100 
imposters are allowed through.
    When outdoor illumination, which of course is totally 
uncontrolled, was used in 2002, the best accuracy was 54 
percent.
    Currently, in the US-VISIT system, illumination is 
uncontrolled when face images are obtained using the US-VISIT 
cameras. Clearly, for the current US-VISIT implementation, two 
fingerprints are a much better solution than a single 
uncontrolled face image.
    For identification matching, expensive testing by NIST of 
commercial fingerprint systems has confirmed the requirement of 
10-slap fingerprints. For all systems tested, the accuracy 
increases as the number of fingers increase. So the accuracy of 
searches using four or more fingers was higher than the 
accuracy of two finger searches, which is higher than the 
accuracy of single finger searches.
    For the US-VISIT fingerprint matching system, the overall 
accuracy using index finger pairs is 96 percent. For low-
quality fingerprint data, the accuracy falls to 53.6 percent, 
while for high-quality data, the accuracy is 99.6 percent.
    The only tested method for improving matching accuracy for 
databases with lower image quality, or lower fingerprint 
quality, is to increase the number of fingers used. When 10 
fingers are used, the accuracy for the most accurate commercial 
system tested exceeded 99.95 percent.
    Iris recognition is a potentially valuable technology that 
needs considerably more testing to determine its accuracy in 
operational environments. NIST is planning an iris data 
collection effort using 10,000 individuals over the next year 
and will perform iris tests over the next 2 years.
    Thanks for the opportunity to testify, and I would be happy 
to answer any questions.
    [The statement of Mr. Herman follows:]

                Prepared Statement of Dr. Martin Herman

    Chairman Lungren, Ranking Member Sanchez, and members of the 
Subcommittee, thank you for the opportunity to testify today about the 
biometric activities of the National Institute of Standards and 
Technology (NIST) that will help secure America's boarders.
    Under the USA Patriot Act (Public Law 107-56) and the Enhanced 
Border Security and Visa Entry Reform Act (Public Law 107-173), the 
Attorney General, and the Secretary of State, in consultation with NIST 
were directed to make recommendations for means of verifying the 
identity of travelers entering the United States with visas. These 
recommendations were made in the joint report to Congress entitled 
``Use of Technology Standards and Interoperable Databases with Machine-
Readable, Tamper-Resistant Travel Documents,'' dated February 2003.
    Since this report was issued NIST has continued to conduct an 
extensive biometric research and evaluation program. In particular, 
NIST is studying three types of biometric technologies: fingerprints, 
facial recognition, and iris recognition. These three biometrics were 
specified for international travel documents by the International Civil 
Aviation Organization (ICAO). ICAO has specified face biometrics as 
required for such documents, while fingerprints and iris are optional.
    NIST, in close collaboration with the Departments of Homeland 
Security, Justice, Defense, and State has performed many tests of 
fingerprint and face recognition systems to support its statutory 
mandates. Fingerprint tests have been performed on the FBI's Integrated 
Automated Fingerprint Identification System (IAFIS), used to perform 
criminal background checks; DHS's Automated Biometric Identification 
System (IDENT), used as part of the US-VISIT system; and many 
commercial vendor systems. Face recognition tests have been performed 
on many commercial and academic systems.
    To support these tests, NIST has acquired very large sets of data. 
For example, NIST has obtained 128 million fingerprint images taken 
from 18 million subjects by several Federal, State and County agencies. 
This data includes rolled, slap, and flat fingerprints captured either 
from paper using ink or from live-scan readers. A rolled fingerprint 
involves capturing the full finger image as it is rolled from one edge 
of the fingernail to the other. Slap fingerprints involve capturing the 
four fingers of a hand placed together on a flat surface, followed by a 
separate capture of the thumb. A flat fingerprint captures the image of 
only a single finger placed on the surface.
    NIST has performed tests of both verification matching and 
identification. Verification is a one-to-one comparison in which the 
biometric system attempts to confirm an individual's claimed identity. 
The individual's biometric information is submitted and compared to an 
existing template. In US-VISIT, this occurs during the time of border 
crossing when the system determines whether the person holding the 
travel document is the same person to whom the document was issued.
    Identification is a one-to-many comparison where the biometric 
system attempts to determine the identity of an individual. An 
individual's biometric information is collected and compared to all the 
templates in a database. In US-VISIT, this occurs during the time of 
enrollment when a person is checked against a watchlist derived in part 
from the FBI criminal database as well as the IDENT databases. First a 
database is checked to determine whether the person is on the 
watchlist. Second a database is checked to ensure that the person has 
not been previously enrolled in the database under a different name.
    NIST's activities require substantial financial and logistical 
support from external agencies, whom we are fortunate to collaborate 
with. For example, research and evaluation activities are coordinated 
through the National Science & Technology Council's Subcommittee on 
Biometrics. NIST has also been actively working with several standards 
development organizations in development of fingerprint, face, and iris 
standards. These organizations include the International Organization 
for Standardization (ISO), the International Committee for Information 
Technology Standards (INCITS), and the American National Standards 
Institute (ANSI).

PATRIOT ACT RECOMMENDATIONS
    For one-to-one verification matching, NIST's Patriot Act 
recommendation is to use one face image and two index finger prints. 
All three biometrics should be stored in image form. The face image 
should conform to the ANSI/INCITS 385-2004 standard. The fingerprint 
images should conform to the ANSI/NIST-ITL 1-2000 standard with 500 
dots per inch (dpi) scan resolution.
    For one-to-many identification matching, NIST recommends the use of 
ten slap fingerprint images stored in type 14 ANSI/NIST-ITL 1-2000 
formatted records. These 10 fingerprints could be used for enrollment 
and checking of large databases. This ANSI/NIST standard, entitled 
``Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & 
Tattoo (SMT) Information,'' is also used for the electronic exchange of 
fingerprint images, and is currently used for law enforcement purposes 
to exchange fingerprints between the FBI and Interpol as well as with 
the United Kingdom's Home Office.
    Face images are not recommended by NIST for large scale 
applications.
    It is important to note that NIST's process for arriving at these 
recommendations and therefore the recommendations themselves, do not 
take into account likely impacts of implementing these recommendations 
on the U.S. economy, international reaction or contemplate the 
resources necessary to implement.
    Again these recommendations were issued in a joint report to 
Congress. Since this report was issued, NIST has conducted extensive 
testing of biometric systems that continue to support these 
recommendations.

VERIFICATION
    To verify a person's identity, NIST tests have shown that 
contemporary fingerprint systems are more accurate than face 
recognition systems in operational environments. However, this should 
be qualified by the fact that NIST has not tested facial recognition 
since the 2002 Face Recognition Vendor Test (FRVT). We believe there 
have been improvements in facial recognition since then. Department of 
State, for example, reports having success with facial recognition, 
both in one-to-one and one-to-many verification, with its Diversity 
Visa Program and in certain nonimmigrant visa applications. Also the 
Face Recognition Grand Challenge, a development effort funded by 
multiple federal agencies and managed by NIST, aims to reduce the error 
rate by and order of magnitude over these levels. Preliminary results 
show that the community has met this goal in laboratory environments, 
but a definitive answer will not be available until completion of FRVT 
2005.
    Based on what we found in 2002, the two-fingerprint probability of 
verification (or true accept rate, TAR) for the US-VISIT two-
fingerprint matching system is 99.6 while the best 2002 face 
recognition probability of verification was 90 percent using a single 
face image with controlled illumination. (Controlled illumination 
involves controlled light sources that illuminate the face while taking 
the picture). Additional FRVT 2002 results show that face recognition 
performance decreases significantly under uncontrolled conditions; the 
best probability of verification was 54 percent when using outdoor 
illumination. Currently in the US-VISIT system, illumination is 
uncontrolled when face images are obtained. Based on the 2002 data, 
even under controlled illumination, the error rate of face recognition 
is 25 times higher than the two-fingerprint results. Clearly, for the 
current US-Visit implementation, two fingerprints are much better 
solution than a single uncontrolled face image.

IDENTIFICATION
    For identification applications, extensive testing by NIST of 
commercial fingerprint systems has confirmed the requirement for ten 
slap fingerprints. During the Fingerprint Vendor Technology Evaluation, 
2003, again funded by multiple federal agencies and managed by NIST, 
eighteen different companies? products were tested, and thirty-four 
systems were evaluated. Different data subtests measured accuracy for 
various numbers and types of fingerprints, using operational 
fingerprint data from a variety of U.S. Government sources. 48,105 sets 
of fingerprints (393,370 distinct fingerprint images) from 25,309 
individuals were used for analysis.
    For all systems tested, the accuracy increases as the number of 
fingers increase. The improvement is both large and consistent. 
Although the actual benefits were found to vary by dataset and by 
system, the general trend was quite consistent. The accuracy of 
searches using four or more fingers was higher than the accuracy of 
two-finger searches, which was higher than the accuracy of single-
finger searches.
    These results are strongly dependent on fingerprint image quality. 
For the US-VISIT fingerprint matching system, using Department of State 
(DOS) Mexican visa Border Crossing Card (BCC) data, the probability of 
identification (or true accept rate, TAR) using index finger pairs is 
independent of background database size over the range from 100,000 
entries to 6,000,000 entries. Using the operational thresholds, the 
probability of identification is 96 percent. If, however, fingerprint 
quality rather that database size is the controlling factor, then for 
low-quality data, the probability of identification falls to 53.6 
percent. With high quality fingerprint images, the probability of 
identification is 99.6 percent. Image quality is important since the 
fingerprint quality of most archival law enforcement databases is lower 
than the quality of the data presently being collected by US-VISIT and 
will remain so for some time into the future. The only tested method 
for improving matching accuracy for databases with lower image quality 
is to increase the number of fingers used. When 10-fingers are used, 
the probability of identification for the most accurate commercial 
system tested exceeded 99.95 percent, with a false accept rate (FAR) of 
0.01 percent.
    Details for all the results described here can be obtained at 
http://www.itl.nist.gov/iad/894.03/pact/pact.html.

IRIS
    Iris recognition is a potentially valuable technology that needs 
considerably more testing to determine its accuracy in operational 
environments. A recent non-NIST study of iris recognition has shown 
failure-to-enroll rates of about 2 percent. This means that 2 percent 
of the time, the system cannot perform an iris match. Fingerprints have 
close to zero failure-to-enroll rates. NIST is planning an iris data 
collection effort using 10,000 individuals over the next year to obtain 
a vendor-neutral data set in operational environments. This plus other 
large-scale data sets will then be used to perform iris recognition 
tests over the next two years.

CONCLUSION
    As the Committee can see, NIST, in close partnership with federal 
sponsors and partners, has a vibrant biometrics program in the areas of 
fingerprint and facial recognition, and is also planning activities in 
the area of iris recognition. NIST tests have demonstrated that 
fingerprints are significantly more accurate than facial recognition 
for current US-VISIT applications, while iris recognition needs further 
assessment.
    Thank you for the opportunity to testify. I would be happy to 
answer any questions the Committee might have.

    Mr. Lungren. Thank you very much, Dr. Herman, for your 
testimony.
    Now, the Chair would recognize Mr. Stewart Verdery, Jr., 
principal at Mehlman, Vogel and Castagnetti, to testify.

 STATEMENT OF STEWART VERDERY, PRINCIPAL, MEHLMAN, VOGEL, AND 
                       CASTAGNETTI, INC.

    Mr. Verdery. Thank you, Mr. Chairman and Ranking Member 
Sanchez, members of the committee. Thank you for the 
opportunity to return to your committee to talk about how we 
should be using biometrically enhanced documents to secure our 
borders.
    As you mentioned, I am at Mehlman, Vogel, Castagnetti. I am 
also Adjunct Fellow at the Center for Strategic and 
International Studies.
    As was mentioned by Chairman Cox during the prior round, I 
was Assistant Secretary for Border and Transportation Policy 
the first few years of the Department, and I am excited to have 
the chance to be here, along with my former colleagues, Frank 
Moss and Elaine Dezenski. We had a great relationship with 
State, you can see all these programs are working together, and 
Elaine is doing a great job of following in our footsteps and 
moving the ball forward on a number of these key issues.
    During my time at DHS, the Department deployed 
revolutionary uses of biometrics to secure our borders and 
transportation systems, and the most famous of these was US-
VISIT and it seems it is now getting a lot of, I believe, 
misplaced criticism for not yet encompassing 100 percent entry-
exit systems.
    Secretary Ridge took the bold step of being willing to 
build a system in increments, because for many, many years 
before nobody could figure out how to do it all at once, 
essentially, and so nothing happened. And so he took the steps 
that we are going to airports and seaports, we are going to do 
exits, we are going to land borders in stages, in increments. 
And because of that decision, we now have 100 percent biometric 
review of all foreign visitors at air and seaports, of all visa 
holders at certain land ports of entry and of certain visitors 
departing the country at designated air and seaports.
    And I might just mention the 9/11 Commission took a very 
hard look at US-VISIT and basically said that DHS was on the 
right track, just to do it faster and better.
    The announcement last week by Secretary Chertoff concerning 
the Visa Waiver Program I believe was an appropriate one. As 
has been mentioned today, the original and worth goal of the 
Enhanced Border Security and Visa Entry Reform Act of 2002 was 
to bring biometrics to the border and to leverage ICAO to make 
that happen. The decision by ICAO to mandate a digital facial 
image, which could be compared to the person presenting the 
passport, could represent a marginal increase in security by 
detecting persons with forged or stolen passports.
    However, as my colleague just mentioned, the software that 
would allow effective comparisons in actual field environments 
without generating unacceptable numbers of false positives is 
still under development. Allowing an additional year until 
October of next year to ensure interoperability of documents 
and document readers and enhancements to the facial recognition 
software is a wise one.
    As Mr. Moss outlined, biometrics will soon play a key role 
in the security of passports issued to U.S. citizens. It is 
clear that a well-designed U.S. passport program is essential 
to securing our own borders to detect foreign imposters and 
perhaps even those entitled to a U.S. passport with ties to 
terrorism or serious criminal behavior.
    It is more important to deploy an effective program, 
utilizing the best technology and procedures and privacy 
protections than to rush pilot projects out the door.
    Moving forward, biometrics can provide significantly 
greater benefits to securing our borders and facilitating 
international travel, and my testimony goes into a number of 
these, I will mention a couple here briefly.
    I do agree that DHS needs to go move to an 8-or 10-print 
solution as opposed to 2-print. This was in our original 
proposal that when it was announced that we would migrate to 
this because of the reasons mentioned of the overload of the 
IDENT and the possibility that some latent prints might not be 
picked up under the two-print system but no one should think 
that that means we should get rid of IDENT. The IAFIS system is 
incapable of operating as a real-time system, so the system has 
to built on 10 prints in IDENT, not IAFIS.
    Second, as Chairman Cox mentioned, the United States has 
never advocated mandatory collection of fingerprint information 
in foreign passports, in part, because we have never required 
our own citizens to provide fingerprints in our passport 
applications. And the United States the larger world community 
then are essentially building out two elaborate but somewhat 
conflicting border management systems.
    In one, governments are going to great lengths to collect 
fingerprints, to share those amongst their own agencies, to 
share them internationally through INTERPOL and other 
mechanisms. In the second system, we are building out elaborate 
systems of tamper-resistance passports and travel documents and 
readers of those documents capable of doing biometric 
comparisons. However, the mandatory biometric of facial 
recognition cannot be utilized to find a known terrorist or 
criminal from the database because there is no such database.
    And I agree with the chairmen, both Chairman Lungren and 
Chairman Cox, and others, the historical resistance of 
government to fingerprint law-abiding citizens, not only in the 
U.S. but in Japan and Australia and other places, is weakening. 
The collective weight of 28 million successful enrollments in 
US-VISIT without privacy violations, without slowing down 
commerce, without horror stories is huge.
    People are now becoming more willing to put aside 
nervousness about fingerprints aside to cut off the lifeblood 
of terrorists and that is mobility across borders. I recommend 
that the U.S. match the bold step of the European Union to 
include fingerprints in passports and that we should go back to 
ICAO and advocate it as a mandatory biometric.
    Talk for just a second about how biometrics can help on the 
land border, an issue that came up earlier. It is absolutely 
critical that Congress aggressively fund US-VISIT, that land 
border implementation is not delayed. Travel documents have to 
be retrofitted or reissued to include information capable of 
being read wirelessly. Travel lanes have to be constructed or 
altered to allow that connectivity.
    The exit feature is no less daunting. A reasonable goal 
over the next couple of years is construction of a system that 
would tell us when people have left, whether or not they have 
abided by the terms of their visa. The air side is also tricky. 
I think they are now ready to make decisions on how the air 
component is going to work with biometrics.
    Recently, I had a great example in Texas of finding a 
sexual predator trying to get on a plane, went to check out, 
US-VISIT caught him, law enforcement officials got him before 
he got on the plane, and he is now in jail.
    In my prepared testimony, I talk for a bit about what a 
guest worker program should look like, the use of biometrics to 
secure that. Just three quick recommendations: Any new 
applicant for a guest worker program should be required to 
submit 10 fingerprints for an IDENT/IAFIS review for terrorism 
and criminal activity; any new entrant should have a unique 
biometrically enhanced identification card that can serve as a 
travel document and an employer verification document. I will 
skip over the part about international registered traveler; 
absolutely critical to have that done.
    The last thing I would mention, it is very important that 
DHS and the rest of the government, the State Department 
increase their engagement with the international community. 
That means bilateral negotiations on fingerprint sharing and 
other biometric and biographic information sharing to make 
those checkpoints useful. We only can do what we do, and 
sharing information is absolutely critical.
    It is absolutely imperative to begin negotiations now with 
the European Union to make interoperability between US-VISIT 
and our bio-visa program, on one hand, and their visa 
information system that is being developed, on the other hand, 
interoperable. People are not going to accept the fact that 
they know something we do not and vise-versa, and we have to go 
back and work with them.
    With that, I will be happy to answer any questions, and I 
thank you for the opportunity to be here today.
    [The statement of Mr. Verdery follows:]

             Prepared Statement of C. Stewart Verdery, Jr.

INTRODUCTION
    Chairman Lungren and Ranking Member Sanchez, I thank you for the 
opportunity to return to your committee to discuss the use of 
biometrically-enhanced documents to secure our country's borders. I am 
currently a principal at the consulting firm Mehlman Vogel Castagnetti, 
Inc. I also serve as an Adjunct Fellow at the Center for Strategic and 
International Studies, although the views in this testimony are my own 
and do not represent CSIS which does not take policy positions.
    As you know, following confirmation by the Senate in 2003, I served 
as Assistant Secretary for Border and Transportation Security Policy 
and Planning until my resignation from the Department of Homeland 
Security in March of this year. In this capacity, I was responsible for 
policy development within the Border and Transportation Security 
Directorate, reporting to Under Secretary Asa Hutchinson and Secretary 
Tom Ridge. BTS coordinated policy development and operational 
activities in the fields of immigration and visas, transportation 
security, law enforcement, and cargo security which largely were 
carried out in the field by BTS agencies--U.S. Customs and Border 
Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and 
the Transportation Security Administration (TSA).
    I am excited to have the opportunity to appear after the Committee 
has heard from the Department of State's Deputy Assistant Secretary for 
Passport Services Frank Moss and Acting Assistant Secretary for BTS 
Policy Elaine Dezenski. I am proud of the extremely productive 
relationship DHS formed with the State Department during my tenure and 
especially of the many initiatives I was privileged to pursue with Mr. 
Moss. And both as my former deputy and as my successor as Assistant 
Secretary, Ms. Dezenski has demonstrated great skill in tackling 
difficult public policy issues such as those being discussed today.

BACKGROUND
    During my time at DHS, the Department deployed revolutionary uses 
of biometrics to better secure our borders and domestic transportation 
systems. Most famous of these success stories was the US-VISIT program. 
This initiative, discussed in full below, has come under criticism in 
recent months for not yet encompassing a 100% entry-exit system. These 
criticisms fail to recognize the necessity of deploying US-VISIT in 
manageable stages to ensure success. Before Secretary Ridge took the 
bold step of allowing an entry-exit system to be built in increments, 
year after year went by with no deployment because nobody could figure 
out how to deploy a universal system that would actually find unwanted 
criminals and terrorists without crippling international trade and 
sparking outrage among the business persons, students, and tourists we 
need to attract to our country. Under the incremental system, we now 
have biometric review of all foreign visitors except diplomats, 
children, and the elderly at our air and sea ports, all visa holders at 
our busiest land ports of entry, and certain visitors departing the 
country at designated air and sea ports.
    In addition to US-VISIT, DHS has utilized biometrics to facilitate 
secure travel across our northern and southern borders with the NEXUS 
and SENTRI programs. An even more ambitious international registered 
traveler program was announced by Secretary Ridge in January of this 
year to expedite known international travelers through immigration and 
customs processing.
    An important and overdue integration of biometric systems occurred 
over the past year when CBP reached full integration of its Border 
Patrol facilities utilizing the IDENT fingerprint booking system with 
the FBI's IAFIS fingerprint system. This capability, reached ahead of 
schedule, means that CBP will be aware of any undocumented immigrants 
detained by the Border Patrol whose fingerprints reside in the IAFIS 
system because they have a prior criminal conviction or outstanding 
warrant, or left a latent fingerprint at a crime scene. CBP can thus 
make more informed decisions as to whether to detain such an individual 
or allow him or her to accept voluntary departure due to overcrowding 
in ICE detention space.
    While these programs are aimed at foreign visitors, biometrics will 
soon play a key role in the security of passports issued to American 
citizens. Under the electronic passport program being developed by the 
Department of State and the Government Printing Office, U.S. passports 
will include a biometric facial image and biographic information which 
will be read via a contactless chip by passport readers deployed by 
DHS. The United States, like many countries around the world developing 
biometric passports, has seen deployment of this round of e-passports 
delayed while technical issues have been ironed out in international 
organizations and privacy concerns have been addressed. It is clear, 
however, that a well-designed U.S. passport program is essential to 
securing our own borders to detect foreign imposters and perhaps even 
those entitled to a U.S. passport with ties to terrorism or serious 
criminal behavior. It is more important to deploy an effective program 
utilizing the best technology and procedures available than to rush 
pilot portions of the program out the door. I have great faith in the 
Department of State team to navigate these difficult issues and produce 
this necessary result.
    Also, while not the subject of this hearing, TSA has been building 
our biometrically-based systems to support the Registered Traveler 
program, to conduct background checks of HAZMAT drivers and foreign 
flight crews, and to secure access to sterile areas of transportation 
facilities through the Airport Access Control program and the 
Transportation Worker Identification Card. And, of course, numerous 
agencies have been improving their use of biometrically enhanced 
identification documents for employees and contractors, a process that 
will improve significantly with the full implementation of Homeland 
Security Presidential Directive 12 issued by the President in August of 
2004.

    US-VISIT
    For many years after it was technologically possible, the United 
States lacked an automated entry and exit system that would allow us to 
know when foreign visitors arrive and when they depart. Following the 
bombing of the first World Trade Center in 1993, Congress demanded that 
an entry and exit system be installed at our ports of entry, but it did 
not happen, and none was in place on 9/11. Remarkably, on that date INS 
continued to rely on a paper system, and employees literally hand-keyed 
in departure information into a database weeks after the fact. With no 
exit system, and only a minimal, unreliable entry system, our entry and 
exit data was spotty at best, and criminals were able to come and go 
across our border, some of them dozens of times under different 
aliases, without detection.
    But in 2004, DHS rolled out the entry-exit system known as ``US-
VISIT''. We improved on the Congressional plan by adding a biometric 
requirement to the system. To capture biometrics, US-VISIT 
electronically scans a visitor's index fingers and takes a digital 
photograph at a kiosk--all in the space of seconds. The biometrics 
captured by US-VISIT allow consular and immigration officials to 
confidently tie travelers to the visas and passports they are carrying, 
and permit the development of an internationally uniform standard for 
identifying travelers.
    As of May 31, 2005, DHS has enrolled 28,169,895 travelers in US-
VISIT, with each watchlist check taking an average of 6 seconds. US-
VISIT has allowed DHS to unravel the assumed identities of hundreds of 
foreign nationals attempting to unlawfully enter the United States. For 
example, an individual sought admission after flying into Newark 
International Airport. Everything appeared normal until his 
fingerprints were scanned. It turns out that the man was traveling 
under an alias and was in fact a convicted rapist. He had previously 
been deported from the United States, and had a traveled here before, 
using 9 different aliases and 4 dates of birth. US-VISIT has helped us 
to identify and to reject over 600 other undesirable individuals. These 
cases have utilized information originally collected in many different 
settings: by DOS during visa applications into the Consolidated 
Consular Database; by FBI during crime investigations into the IAFIS 
database; by foreign governments into Interpol; and by intelligence 
services. It is not possible to know how many terrorists or criminals 
have been frightened away from attempting to enter our country because 
of US-VISIT, but I have no doubt that the number is substantial.
    However, certain analyses of the program, most notably a major 
piece in May 23's Washington Post, have misunderstood the program and 
the decisions that led to its staged deployment.
    The article insinuates that key decisions made concerning US-VISIT 
were made by a handful of program officials and government contractors. 
Nothing could be further from the truth. Nearly all aspects of the 
program have undergone exacting scrutiny from the White House Office of 
Management and Budget and the Homeland Security Council, following 
robust debate and interaction with other key departments including 
Justice, State, and Commerce. During my tenure at DHS, Secretary Tom 
Ridge, Under Secretary Asa Hutchinson, Customs and Border Protection 
Commissioner Robert Bonner, and many others were intimately involved in 
developing policy guidance, interacting with other federal agencies and 
foreign governments, and supervising operations. The US-VISIT program 
team, led by Director Jim Williams, deserves great credit for 
effectively managing the program but they have done so under tight 
direction from the DHS leadership.
    The 9/11 Commission took a hard look at the US-VISIT and basically 
said that DHS was on the right track, just to deploy the system more 
quickly. As the program tackles difficult increments ahead, the public 
should know that its public servants have, despite immense 
technological and political challenges, deployed a system that truly 
has enhanced our security without destroying the attractiveness of the 
United States as a place to study, conduct research or business, or see 
friends or family. In short, US-VISIT is a government program that 
actually works.

    VISA WAIVER PROGRAM
    As it is the most recent development in this area, the announcement 
last week by DHS Secretary Chertoff concerning the application of the 
statute requiring biometric identifiers established by the 
International Civil Aviation Organization for travelers utilizing 
passports issued after October 26, 2005 for travel to the U.S. under 
the Visa Waiver Program merits discussion. I believe the outcome 
announced by DHS is an appropriate one. The original, and worthy, goal 
of the Enhanced Border Security and Visa Entry Reform Act of 2002 was 
to leverage the international nature of ICAO to bring biometrics to the 
border. The decision by ICAO to mandate a digital facial image which 
could be compared to the person presenting the passport could represent 
a marginal increase in security by detecting persons with forged or 
stolen passports. However, the software that will allow such effective 
comparisons in actual field environments without generating 
unacceptable numbers of false positives is still under development. 
Allowing an additional year until October of 2006 to ensure 
interoperability of documents and document readers and enhancements to 
the facial recognition software is a wise decision. In addition, the 
damage to our economic relations and to the willingness of VWP 
countries and the European Union to work cooperatively on border 
management issues that enforcement of this year's deadline would have 
caused hardly would have been worth the marginal improvements in 
security possible this year. It is also very important to remember that 
when the EBSVERA was enacted, there was no US-VISIT program to find 
terrorists or criminals about whom we have biometric information. Thus 
a reinterpretation of a somewhat vague statute to reflect changed 
circumstances is a reasonable resolution of a looming crisis.

NEXT STEPS FOR USING BIOMETRICS TO SECURE OUR BORDERS
    However, while the programs described above represent effective use 
of biometrics, this technology can and should provide significantly 
greater benefits to securing our borders and facilitating legitimate 
travel. Among the key recommendations I would like to provide the 
Committee to best put biometric technology to work include:

 Transition to 10-Fingerprint Collection
    It appears to have been somewhat forgotten amid the success of the 
2-fingerprint system utilized by US-VISIT, but DHS promised from the 
beginning that a transition to 8 or 10 prints would be necessary at 
some point to address two separate weaknesses with the 2-print program. 
First, leading scientists at NIST and elsewhere have long believed that 
an IDENT database populated by millions of 2-print records would 
eventually begin to generate unacceptable levels of false matches. 
While I am not aware that this scenario has begun to occur, it must be 
tackled ahead of a crisis. Second, I understand that a small but 
potentially important number of latent fingerprints collected from 
crime scenes or terrorist investigations may elude matching in IDENT if 
they come from different digits, such as from thumbs, than are 
collected under US-VISIT. Deploying 10-print readers to consular posts 
abroad and U.S. ports of entry is a necessary transition over the next 
several years.
    While many have discussed this issue in the context of the relative 
merits of the IDENT and the FBI's IAFIS fingerprint databases, the need 
for DHS and DOS to capture 10 fingerprints should not lead one to 
conclude that our border management systems could be based on the IAFIS 
system. IAFIS was not designed to run on a real-time basis, meaning it 
is an unlikely candidate to serve as the platform for an entry-exit 
system. DHS requested fingerprints held in IAFIS to load into IDENT and 
has received increasing cooperation from DOJ in this regard, but it is 
critical to remember that the overwhelming majority of IAFIS prints are 
of U.S. citizens who do not register with US-VISIT. The linkages 
between the systems need continued improvement but it would take a 
major overhaul of IAFIS to even consider utilizing it for real-time 
entry-exit purposes.

 Collection of Fingerprints in U.S. Passports
    The United States has never advocated mandatory collection of 
fingerprint information in foreign passports, in part because it has 
never required that U.S. citizens provide fingerprints in their own 
passport applications. This decision needs to be reexamined. In part 
due to this decision, the United States and the larger world community 
are building out two elaborate but conflicting border management 
systems. In the first, governments are going to great lengths to 
collect terrorist fingerprints along with biographic information, to 
share such information with other governments, and to ensure that 
agencies within their government are sharing relevant fingerprints. 
Within the U.S. government alone, massive efforts have been expended to 
ensure sharing of relevant biometric information between agencies. In 
the second system, countries are building elaborate systems of tamper-
resistant passports and passport readers capable of doing biometric 
comparisons; however, neither the mandatory biometric of facial 
recognition nor one of the optional biometrics, iris scan, can be 
utilized to find a known terrorist or criminal from a database, because 
such databases do not exist.
    The historical resistance of governments to fingerprint law-abiding 
citizens, not only in the U.S. but in Japan, Australia, and numerous 
other nations, is weakening. The collective weight of the 28 million 
enrollments in US-VISIT is huge. The program applies to all 
nationalities and races, has generated no privacy complaints, and has 
not impacted the speed of border crossings. At a time when terrorists 
have killed large numbers of people in Asia, Europe, Africa, and other 
areas of the globe, in addition to North America, people are 
understandably willing to put aside nervousness about fingerprinting in 
order to cut off the lifeblood of terrorists--mobility across borders.
    Thus I recommend that the U.S. match the bold step of the European 
Union to include fingerprints in passports and that the U.S. should 
advocate for fingerprints as a mandatory biometric in passports at 
ICAO. At a time when we are going to great lengths to build anti-
terrorism and law enforcement systems based on fingerprints, we will 
never be able to fully engage other countries if we decline ourselves 
to do what is needed. Taking this step for U.S. citizens who travel 
internationally might also allow us to avoid a national identification 
card that many believe is appropriate for border security purposes.
    Of course the U.S. government could attempt to build a regime to 
allow one-to-one biometric check between the person who applied for a 
passport and the person appearing for reentry to the U.S. based on an 
iris, hand geometry or facial recognition match. Such a system, 
however, leaves extensive fingerprint information unutilized and denies 
us the ``bully pulpit'' to ask ICAO and other governments to march down 
the fingerprint path. It is also worth noting that current policy does 
not allow U.S. applicants to be vetted biometrically against criminal 
or terrorist databases before they are issued passports, meaning we may 
miss potential imposters or home-grown terrorists or criminals. Nor are 
we in a strong position to ask other countries to vet their applicants 
against watchlists they maintain or have rights to access. I am 
encouraged by the strong efforts of DOS to vet applicants against name-
based databases such as the Terrorist Screening Center and certain 
lists of persons with outstanding warrants, but a fingerprint 
capability would augment those efforts considerably.

 Biometrics Are The Solution at Our Land Ports of Entry
    The next handful of years will see a convergence of major 
initiatives affecting how traffic flows across our land borders with 
Mexico and Canada: the deployment of US-VISIT to primary lanes of our 
land ports of entry and exit; the requirement that U.S. citizens, 
Canadians, and residents of certain Caribbean nations present a secure 
travel document to enter or reenter the U.S.; and the possibility of a 
new guest worker program to ensure that foreign workers able to pass a 
security check are allowed to work for willing employers in the U.S. 
These three issues need to be considered in conjunction as border 
management systems are developed.
    First, it is absolutely critical that the Congress aggressively 
fund US-VISIT so that land border implementation is not delayed. This 
project is extremely difficult but essential. Travel documents for 
Mexican nationals, most significantly Border Crossing Cards used for 
millions of trips a year, must be retrofitted or reissued to include 
information capable of being read wirelessly at land ports of entry. 
Entry traffic lanes must be constructed or altered to allow for 
wireless connectivity to identify watchlist or criminal hits in time 
for an inspector to refer a potential entrant to secondary processing. 
While it may not be feasible to conduct a one-to-one check on all 
applicants (i.e., is the person holding the identification card the 
same person to whom it was issued), a one-to-many check (i.e. does the 
information on the card indicate a watchlist hit) should be feasible.
    The exit feature of the land borders is no less daunting as we 
currently have no exit infrastructure at all. A reasonable goal over 
the next several years is construction of a system that will inform DHS 
whether persons departing the U.S. have complied with the terms of 
their entry, with relationships built with Mexican and Canadian 
authorities to assist with the very rare case of a departing individual 
who needs to be apprehended immediately.
    In addition, I understand that maintaining current levels of 
funding for US-VISIT may delay full implementation of the exit 
component at air and sea ports. DHS has had enough pilot testing done 
on a variety of biometric exit models involving kiosks, departure 
receipts, and gate confirmation to make decisions on the best system to 
deploy. It is time to round out that aspect of our entry-exit system to 
identify those who violate the terms of their visa and the occasional 
but important instances where a known terrorist or violent criminal is 
attempting to depart the country. US-VISIT's recent identification of a 
sexual predator seeking to leave the country in Texas is a great 
example of an exit enforcement capability. I also believe that having a 
robust exit system may allow the country to consider changes to the 
current statutory standard that visa applicants prove that they are 
unlikely to overstay their visas.
    Lastly, US-VISIT's end state will include a ``person-centric'' 
inventory of all relevant enforcement and immigration services 
information. When fully-funded and implemented, the program should put 
an end to the unwieldy and confusing system of records maintained 
regarding travel and immigration and will result into better service to 
legitimate travelers and students, and better enforcement tools as 
well.
    Second, the passage of the Western Hemisphere Travel Initiative 
last year as part of the intelligence bill means that millions of U.S. 
citizens returning the U.S. and many Canadians and nationals of certain 
Caribbean nations will be required to produce a secure travel document 
such as a passport or SENTRI or NEXUS card beginning in 2008. I 
congratulate the Congress for this important security enhancement, but 
recognize that the law will create immense workload challenges for DOS 
and lifestyle changes for border residents. This increased workload 
makes the challenges to deploy US-VISIT and next generation passports 
all the more important.
    Third, discussion about a temporary worker program has intensified 
since President Bush's 2004 request that Congress enact such a program 
in line with his immigration principles. Some commentators have 
presented the issue as a choice between a new worker program and 
enhanced border security. Such analysis is wrong. It is the passage of 
a properly developed guest worker program that will bring massive 
improvements in border security and thus homeland security. Millions of 
undocumented aliens have crossed the border illegally in search of work 
who present no risk of terrorism or organized criminal activity. Border 
Patrol agents in the field, however, have no way to differentiate 
between the individuals that make up this flood of human migration and 
the small but crucial number of potential terrorists or criminals that 
attempt to blend into the masses. Providing those who want to work and 
have no prior criminal or terrorist record a means to enter the country 
legally through ports of entry will make it much more likely that the 
Border Patrol will be able to locate and arrest the criminals and 
terrorists who will lose their cloak of invisibility that the current 
situation offers.
    However, those who are skeptical of this argument have 
understandable reasons for this view. For decades, enforcement tools to 
combat illegal immigration went underutilized, underfunded, or 
unsupported by the employer community. While DHS has made substantial 
progress in enforcing the current regime, deploying a new guest worker 
program will require significant new resources for border and employer 
enforcement and for port of entry operations and facilities, 
development and issuance of tamper-proof identification documents, 
streamlining of the legal regimes that adjudicate the status of border 
crossers and undocumented aliens, and new avenues of cooperation 
between the U.S. and Mexican government.
    All of these enhancements to our current enforcement posture should 
support a basic motto of any new legislation: ``deter and reward.'' 
Those who are seeking to enter our country to work must be faced with a 
reality that crossing our borders illegally or attempting to work 
without proper certifications will be detected and punished with long-
term consequences for violations. In contrast, those that follow the 
rules on applying for work, passing a security check, and crossing the 
border legally should be able to work and receive retirement and travel 
privileges.
    Among the specific recommendations I would like to provide the 
Committee concerning the proposed temporary worker program related to 
biometrics are the following:
                 Interview and Criminal History Background 
                Checks: Any new applicant should be required to submit 
                ten fingerprints for a IDENT and IAFIS review to 
                demonstrate, in addition to any employment criteria 
                designed to ensure that the entrant's employment is not 
                likely to be filled by a U.S. worker, that he or she 
                has no ties to terrorism or history of prior criminal 
                behavior other than non-violent illegal entry to the 
                U.S.;
                 Use of Biometrically-Enhanced Identification 
                Documents: Any new entrant should be required to obtain 
                a unique, biometrically-enhanced identification 
                document that can serve as a document for entry under 
                US-VISIT at a port of entry and as an employment 
                verification document;
                 Employment ``Insta-check'': Employers should 
                only be able to hire new temporary workers from outside 
                the U.S. after DHS and fellow agencies have developed 
                and deployed a ``insta-check'' system pulling biometric 
                information off travel documents to verify eligibility 
                for employment and reviewing Social Security and 
                driver's license numbers from new workers asserting 
                U.S. citizenship;
    These proposals address the machinery by which new entrants, legal 
and illegal, should be handled. Of course, any new temporary worker 
program also must be structured to allow existing undocumented workers 
to apply for employment. The security imperative for this class of 
aliens is that they undergo a vetting for ties to terrorism and 
criminal behavior before they are authorized for further employment in 
the U.S. Understanding that a principal reason for the program is to 
continue an adequate supply of workers for current jobs, there is no 
reason that this security review cannot be conducted while the worker 
remains in the U.S. However, just as one of our bedrock principals of 
our overseas visa process is collection of biometrics by a trained U.S. 
government official to ensure that the applicant is not an imposter, 
consideration should be given to requiring provision of biometrics by 
this population to a U.S. government official, especially if the 
resulting document will be utilized for international travel.

 International Registered Traveler Programs
    A key component of continuing to attract foreign travelers to the 
U.S. should be an international registered traveler program. This 
program would build on the existing CBP NEXUS and SENTRI programs for 
land and air travel between the U.S., Canada, and Mexico and bring to 
life the vision of Secretary Ridge's January 2005 announcement of such 
a pilot operating between the Netherlands and the U.S. While it would 
be beneficial to travelers who undergo enhanced vetting to receive 
preferential treatment at a foreign departure airport, the main use of 
biometrics would be to exempt IRT enrollees from normal immigration and 
customs processing at U.S. ports of entry. Enrollees would simply have 
their travel documents scanned at a kiosk, provide fingerprints to 
ensure a match to the documents, and proceed to pick up their luggage. 
This system will require construction of real-time connectivity to the 
IRT kiosks. On the front end, enrollees would need to be vetted for any 
connection to inadmissible behavior, including terrorism, criminal 
behavior or prior immigration violations. Especially for Visa Waiver 
Program travelers who have not been required to undergo a terrorism 
check because they did not apply for a visa, such a scrub will need to 
be thorough and include an interview by a trained U.S. inspector. If 
done correctly, the program would be an excellent example of risk 
management to enable CBP to focus on riskier visitors. It would also 
send a strong signal to the customers, clients, and coworkers of the 
world, whose travel we need to be able to expedite, that the U.S. is 
open for business.

 International Cooperation
    By definition, border management systems involve international 
cooperation, and the effectiveness of our use of biometrics will depend 
greatly on our ability to operate effectively in the bilateral and 
multilateral environments. Negotiating information-sharing agreements 
or playing a leading role in international standards-setting bodies may 
not be as sexy as deploying new high-tech biometric equipment but both 
are crucial to our success.
    Developing information-sharing agreements with foreign partners is 
a laborious process that has to deal with varying privacy regimes, 
technical challenges, and concerns about revealing sources and methods 
of intelligence. However, we know that terrorists and other criminals 
must use international travel to develop their plots and the 
development of robust sharing agreements of biometric and biographic 
watchlist information should be a high priority. Especially with allies 
like the United Kingdom and Canada, these types of agreements 
dramatically increases the odds of using travel checkpoints to find 
those who need to be detected.
    I would make a special mention of the European Union's Visa 
Information System due to come on-line in the next several years. 
Having negotiated the treaty on airline passenger data with the EU last 
year, I know how difficult it may be to build interoperability between 
the VIS and our BioVisa/US-VISIT program. Now is the time to begin to 
tackle that challenge as our citizenries should expect these systems to 
share valuable intelligence when they are both operational.
    In addition, DHS needs to increase dramatically its engagement with 
foreign governments and international standards setting bodies such as 
ICAO. The proposed merging of the BTS Policy office, the DHS Office of 
International Affairs, and other policy entities in DHS into a robust 
policy office is a necessary first step. DHS needs to develop a cadre 
of country specialists and DHS attaches to represent the department in 
key international locations and to ensure that DHS policymaking does 
not stop at the water's edge.

CONCLUSION
    I congratulate the Committee and Subcommittee for its continued 
cooperation with and oversight of DHS and its component agencies. I 
thank you for the opportunity to appear before you today and look 
forward to your questions.

    Mr. Lungren. Thank you very much, Mr. Verdery, for your 
testimony.
    The Chair will now recognize Mr. Gregory Wilshusen, the 
director of information security issues for the Government 
Accountability Office.
    And at the end of the testimony of our entire panel, I 
would suggest we go over and vote and then come back. We will 
have about a half-hour period before the next vote.

  STATEMENT  OF  GREGORY  WILSHUSEN,  DIRECTOR OF INFORMATION 
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY  OFFICE

    Mr. Wilshusen. Thank you, Mr. Chairman, Ranking Member 
Sanchez and members of the subcommittee. I am pleased to be 
here today to present a summary of GAO's work on radio 
frequency identification, or RFID, technology. As requested, I 
will present a brief overview of RFID technology and discuss 
the security, privacy and other considerations associated with 
its implementation. My testimony today is based upon GAO's 
recently issued report on this topic.
    RFID is an automated data capture technology that can be 
used to electronically identify, track and store information 
contained on electronic chip or tag. A radio frequency reader 
scans the tag for stored information and transmits the 
information to a database or display device using wireless 
communications.
    Several federal agencies have already begun testing and 
using this technology, including the State Department, which 
plans to use it in its electronic passport. The proposed U.S. 
electronic passport is to have an embedded contactless chip. 
The chip is to store the same information printed on the data 
page of the passport and will include a digital photograph.
    Several security issues are associated with federal and 
commercial use of RFID technology. These issues relate to 
protecting the confidentiality, integrity and availability of 
the information on the tags and in the databases.
    In particular, key security considerations include ensuring 
that only authorized readers or personnel can access or read 
the information on the tags and in the databases, maintaining 
the integrity of that information, ensuring that critical data 
is fully available when needed and protecting against attacks 
such as skimming, which is the surreptitious reading of 
electronic information without the holder's knowledge, and 
eavesdropping, the interception of information from the tag 
while it is being read by another reader.
    Without effective security controls, data on the tag can be 
read by any compliant reader, data transmitted through the air 
can be intercepted and read by unauthorized devices, and data 
stored in the databases can be accessed by unauthorized users.
    Information security tools and practices are available to 
address these issues. Complying with a risk-based framework 
mandated by the Federal Information Security Management Act of 
2002, or FISMA, and employing encryption and authentication 
technologies can help agencies achieve a stronger security 
posture.
    Among the key privacy issues are using the technology to 
obtain or process information about an individual without that 
individual's knowledge or consent, tracking an individual's 
movements and profiling an individual's habits, tastes or 
predilections.
    The Privacy Act of 1974 limits federal agencies' use and 
disclosure of personal information, and the privacy impact 
assessments required by the E-Government Act of 2002 provide a 
framework for agencies to follow in assessing the impact on 
privacy when implementing RFID technology.
    Additional controls are proposed to mitigate privacy 
issues, such as using as the deactivation mechanism on the tag 
and incorporating blocking technology to disrupt transmission 
are in progress.
    In addition to security and privacy, there are other issues 
to consider when implementing this technology. These include 
the interoperability and reliability of the tags and readers, 
the placement and orientation of the tags and the cost and 
benefits associated with implementation.
    To summarize, the use of RFID technology can provide many 
benefits; however, security, privacy and other considerations 
need to be adequately addressed in any implementation of this 
technology.
    Mr. Chairman, this concludes my statement. I look forward 
to your questions.
    [The statement of Mr. Wilshusen follows:]

    [GRAPHIC] [TIFF OMITTED] T6515.001
    
    [GRAPHIC] [TIFF OMITTED] T6515.002
    
    [GRAPHIC] [TIFF OMITTED] T6515.003
    
    [GRAPHIC] [TIFF OMITTED] T6515.004
    
    [GRAPHIC] [TIFF OMITTED] T6515.005
    
    [GRAPHIC] [TIFF OMITTED] T6515.006
    
    [GRAPHIC] [TIFF OMITTED] T6515.007
    
    [GRAPHIC] [TIFF OMITTED] T6515.008
    
    [GRAPHIC] [TIFF OMITTED] T6515.009
    
    [GRAPHIC] [TIFF OMITTED] T6515.010
    
    [GRAPHIC] [TIFF OMITTED] T6515.011
    
    [GRAPHIC] [TIFF OMITTED] T6515.012
    
    [GRAPHIC] [TIFF OMITTED] T6515.013
    
    [GRAPHIC] [TIFF OMITTED] T6515.014
    
    [GRAPHIC] [TIFF OMITTED] T6515.015
    
    [GRAPHIC] [TIFF OMITTED] T6515.016
    
    [GRAPHIC] [TIFF OMITTED] T6515.017
    
    [GRAPHIC] [TIFF OMITTED] T6515.018
    
    [GRAPHIC] [TIFF OMITTED] T6515.019
    
    [GRAPHIC] [TIFF OMITTED] T6515.020
    
    [GRAPHIC] [TIFF OMITTED] T6515.021
    
    [GRAPHIC] [TIFF OMITTED] T6515.022
    
    Mr. Lungren. I thank the panel for their statements.
    We are going to recess now to go over and vote. I am coming 
back. I hope some other members can come back. It is one vote. 
Well, it is one vote, then a 10-minute debate, then 15-minute 
vote--oh, they changed it now.
    Well, if the gentlemen would like to start, I will let him 
start then.
    Mr. Dicks. Let me ask you, Mr. Herman and Mr. Verdery, one 
of the things I was concerned about was when the decision was 
made by DHS to use in the US-VISIT Program 2 fingerprints 
versus 10 fingerprints. Now, NIST did a big study on this, and 
one of the concerns they had was that here you have got the FBI 
system that is built on 10 fingerprints and it would be much 
better if we had a consistent system.
    And everybody on Capitol Hill was trying to tell this to 
the administration. We had Asa Hutchinson up here for a private 
meeting to explain to him that the technology with 10 is much 
better, and the only answer we got back was, ``Well, we have to 
do this incrementally.'' This is Mr. Verdery's position. But if 
it is wrong and it is less effective and it is going to have to 
be redone, why do it? Why didn't we do it right the first time?
    Dr. Herman, do you have any wisdom on this?
    Mr. Herman. Well, this is certainly what we recommended in 
that 2003 report.
    Mr. Dicks. Mr. Verdery, why did the administration against 
all of this advice go the opposite direction, which could be 
extremely costly if we have to redo this system?
    Mr. Verdery. A couple of things. One, it is not costly. The 
amount of money that went out for the readers is a pittance 
compared to the overall cost of the program. To deploy the 
little small fingerprint readers is a drop in the bucket 
compared to the budget of this program, much less the rest of 
the Department.
    Second, we would have no program if we had waited to do a 
10-print deployment because it would require retrofitting 
overseas of all the consular posts at the little windows. There 
is no way to put a 10-print reader there without retrofitting 
those offices. And also the connectivity required to build out 
10-print.
    Now, the things is I think people will get confused 
sometimes. The 10 prints has nothing to do with the fact the 
FBI has a 10-print system. It is more data that reduces the 
chance of making a mistake. But it is not because the FBI has 
10, it is because you have more data.
    Mr. Dicks. Yes, but you get that database, right. If you 
had 10 fingerprints, you would get--
    Mr. Verdery. You cannot, because IAFIS cannot work on a 
real-time basis. It can only work when they give us prints 
ahead of time and we load them into IDENT. And that is what 
they have been giving DHS is prints that are built into IDENT. 
There is no real-time connectivity at IAFIS because it does not 
work that way. It takes days to get an answer from IAFIS.
    Mr. Dicks. Mr. Herman, do you have any comments on this?
    Mr. Herman. Well, just that if IAFIS were to be used for 
background checks, there is certainly the real-time issue, I 
agree, but if it were to be used for background checks, it 
would have to be 10 fingers because IAFIS will not accept two 
fingers. The only way to use the FBI criminal database for 
background checks is to use 10 fingers.
    Mr. Dicks. So by going with two fingerprints, we, in 
essence, eliminated the ability to use IAFIS.
    Mr. Verdery. No, no, because we requested and got 
cooperation slowly from the FBI to build in the prints of 
foreign-born criminals and people with outstanding warrants and 
a number of other classes into IDENT so you get that 
capability. It does not check on a real-time basis against all 
43 million IAFIS prints, most of which are U.S. citizens 
because that is just not possible. If we were trying to run it 
as a real-time system against IAFIS, people who landed at 
Dulles--
    Mr. Dicks. All these experts who said it was possible, all 
kinds of companies said it could be done, that this was a major 
mistake.
    Mr. Verdery. I have never seen--sorry.
    Mr. Dicks. Well, we have got SAGEM Morpho, a French company 
who has done a number of countries, said this could have been 
done, 10 fingers was the right way to go, and this was a major 
mistake that would wind up costing a lot of money to fix later.
    Now, maybe you are wrong on this but this was certainly 
called to the Department's attention, and to me I am still--I 
am glad to hear all these different views. I am still trying to 
find out just exactly why the Department did what it did.
    Mr. Verdery. There are separate questions. There is the 2 
versus 10, which I agree, we should move to 10, but we would 
still be waiting to do 10 now. We would have had no system the 
last 2 years, this town over 600 people. We would be just doing 
nothing.
    So that is the question, do you want the 2-print system 
that has a great record or nothing while you are building out 
the 10-print system is the first question? And the second 
question is, can IAFIS work as a backbone of a 10-print system, 
and the answer I have never seen anyone say anything but no. 
But I agree with you, we do need to go over 10 prints over 
time, as it is feasibly possible. Otherwise, you have nothing.
    And just in terms of how this happened, under the law, the 
Attorney General, the DHS Secretary and the Secretary of State 
all had to agree on the two-print system and that was agreed to 
by Attorney General Ashcroft--
    Mr. Dicks. They did not go a very good job of explaining 
back up here on the Hill why they felt--the effort was pretty 
minimal in terms of trying to explain it to us about all these 
facts. I am glad you explained it better.
    [Recess.]
    Mr. Lungren. I will just reconvene the subcommittee.
    I am sorry, we have had some unexpected votes that are of a 
procedural matter, and we do not know how long that is going to 
go on, so rather than have you just sit here, I thought I would 
come back and at least get one round of questions in before I 
have to go back for the next vote.
    Dr. Herman, according to studies by the NIST and others, 
various biometrics show promise in identification capabilities, 
the iris biometrics versus the fingerprint one; however, as far 
as I know, there is no existing repository of data on irises. 
So what is the utility of that for which we are investing in 
those kinds of technologies?
    Mr. Herman. Well, iris could be used for the on-to-one 
match. So you mentioned some programs, Registered Traveler. It 
can be used where checking against the terrorist database is 
one thing, checking to see whether you are the same person 
issued a travel document is different. And iris can certainly 
be used in that. Those are the kinds of applications that most 
people are think gin about for iris.
    Mr. Lungren. Mr. Verdery, what do you say about the 
application of iris? Because in the back of my mind on all of 
this is how practical are these things, how do we make them 
work effectively and efficiently? It just seems to me 
fingerprints seem to be the most capable of being utilized for 
various different identification and matching purposes.
    Mr. Verdery. Well, a couple things. And you always have to 
think of what is the point of what you are trying to do, and, 
usually, this means trying to conduct a one-to-one match, as 
was just mentioned. Is the person standing in front of you the 
person that they claim they are? And also a one-to-many match 
is the person standing in front of you, no matter who they 
claim to be, are they a problem based on the terrorist database 
or other database? And in some cases, you are not quite as 
worried about the second one, access to a facility where you 
have got other layers of security, where you might not be as 
worried about a one-to-many check every time. So an iris could 
work in those circumstances.
    But also as a good backup there are a small but when you 
load up the numbers a decent amount of people whose 
fingerprints cannot be read due to historical factors and the 
like, and so having a backup is very good in those kinds of 
cases. That is why it was done during the Registered Traveler 
pilot as a backup in some cases.
    So, no, it is not good for finding a terrorist out of the 
group, but it can be used in certain specialized situations.
    Mr. Lungren. Do you have any sense or have you seen any 
surveys or was there any research done on whether there is some 
cultural reluctance for American citizens to submit to 
fingerprint as opposed to iris identification?
    Mr. Verdery. I am not aware of any scientific research. I 
am sure there is some, but I am not privy to it. Again, I felt 
a little bad for my colleague, Ms. Dezenski, sitting here 
answering these questions when, in all actuality, the decision 
to go to ICAO and advocate for facial recognition as a 
biometric standard in documents was not DHS, it was the rest of 
the government. It actually occurred just before DHS came into 
existence in early 2003, and the State Department carried that 
message, but it was a U.S. government decision. It was not DHS' 
decision.
    The question is now should we go back and try to reverse 
that position, and I think, again, as I testified, I think it 
would be a wise move, although I would not want to lead anyone 
into thinking that it would be met with easy success.
    Mr. Lungren. Mr. Wilshusen, what are the privacy concerns 
considering RFID technology? And what has been done to improve 
the security of these chips?
    Mr. Wilshusen. Well, there are several privacy issues, and 
these include using the technology to obtain or process 
information from an individual without that individual's 
knowledge or consent. That could be, for example, done by 
skimming. Also, just--
    Mr. Lungren. How do you do that? I mean, practically, if I 
have got a card myself, what would--
    Mr. Wilshusen. Well, one would need for an individual, or 
unauthorized user, if you will, would need to have a reader 
pick up the radio frequency emitted by that particular chip or 
tag and be able to access the data on that tag.
    Mr. Lungren. Is that difficult technologically?
    WILSHUSEN; No, not necessarily, no. It would be the same 
type of readers and available that are used for legitimate 
purposes, but it would have to be compliant and meet the same 
standards that are set up for that application.
    Mr. Lungren. Do you have to be in close proximity, physical 
proximity?
    Mr. Wilshusen. Generally, so, yes. How close is a matter or 
function of what type of chip and what radiorequency is being 
used in that application.
    Mr. Lungren. So, obviously, it is whatever information is 
there. The information is merely the name. Okay. So name, 
address, birth date, which could just be as easily printed on 
there and someone could read it themselves.
    Mr. Wilshusen. That is correct.
    Mr. Lungren. What is the durability of these devices? Do we 
have to be concerned about how readily they can be interfered 
with or destroyed or through accidental exposure to water or 
something that renders them inoperable?
    Mr. Wilshusen. In terms on the e-passports?
    Mr. Lungren. Yes.
    Mr. Wilshusen. Well, our particular review was at a 
government-wide level where we looked at and identified 
initiatives across the different agencies. We did not do an in-
depth review of e-passports specifically but how long the chips 
can last, depends upon, their use. I will actually defer to the 
gentleman from NIST on how long they may last. I think there 
might have been a question earlier.
    Mr. Herman. That is outside of my area of expertise. There 
is a different part of NIST, and I guess it needs to be 
explained. We do the work in the biometrics area. There is a 
different part of NIST that does work on RFID chips. And we 
could certainly get information for you if you want, but that 
is just outside my area of expertise.
    Mr. Lungren. My thought is that we ought to know that. I 
mean, I do not know. I do not have any idea. I would hope that 
whatever we move to is going to last as long as the passports 
we have or if there is a need for us to update--I am trying to 
think whether there would be a need for us to update 
information on a regular basis, probably not.
    This is just basic information, Mr. Verdery; is that 
correct?
    Mr. Verdery. That is right. That is right. And also, I 
mean, it is worth pointing out that even outside the 
government's fears, as important as it is, the topic of today's 
hearing, the commercial sector is exploding with uses of RFID, 
your EZ Pass and your Smart Tag at the gas station and a 
zillion other uses. So they are going to lead the way in the 
technology standards and durability for purposes outside the 
government perspective, and it is a huge industry, domestic 
suppliers, foreign suppliers, and that is going to lead the 
agenda here on durability and other factors.
    Mr. Lungren. Can you tell me why it takes so long for us to 
develop these things? I mean, if in fact you are talking about 
how the private sector takes the lead on this and we have these 
technology changes and so forth, they seem to come with such 
rapidity, is it because of the privacy concerns that we have 
that it takes us such a long time to really kind of put these 
things in train and start them moving?
    Mr. Verdery. Well, I think there are a lot of different 
factors. I mean, when Congress passed the law in late 2002 
asking for ICAO to come up with the standard, they began the 
motions to do that. ICAO is your typical international 
organization. It moves as quickly as it can but it is bringing, 
whatever, 187 countries into general consensus with difficult 
technical standards. They were moving as quickly as they can. I 
think the program, if Frank Moss was still here, has now been 
held up for some period of time due to the privacy concerns 
outside of kind of the ICAO process.
    Mr. Lungren. Were you involved in the ICAO process before?
    Mr. Verdery. Tangentially. The US-VISIT staff that was 
within our directorate led our efforts kind of on the technical 
level in Montreal and other places to try to build up that 
technical level.
    Mr. Lungren. Do you have any insight into why the E.U. has 
reluctance to share their fingerprints with us?
    Mr. Verdery. Well, I think it is a very fair question. My 
guess is if they were here, they would say, ``Well, what are 
you going to share with us?'' We have nothing to share with 
them, we do not take fingerprints. And so they have taken the 
step of--
    Mr. Lungren. But we have--
    Mr. Verdery. Not in passports.
    Mr. Lungren. Not in passports.
    Mr. Verdery. So they are building out fingerprints in their 
internal documents for the E.U. purposes.
    Mr. Lungren. Right.
    Mr. Verdery. And they have said that they are currently 
planning on keeping that E.U.-only system a closed system. But 
that is all the more reason for us to be bold in doing it 
ourselves so we have something to negotiate with. Right now it 
would be a one-way trade.
    Mr. Lungren. The suggestion I thought I got from the 
previous panel was that we were not doing it because the 
European countries would not share with us but we do not have 
anything, as you suggest, to share with them.
    Mr. Verdery. We can share US-VISIT.
    Mr. Lungren. Right, I understand that, but in terms of our 
passport.
    Mr. Verdery. That is right. If you travel overseas, there 
is nothing for them to access in our passport fingerprint-wise 
because it is not there.
    Mr. Lungren. Well, let me just ask you this then: What 
security benefits would you see coming out of us putting 
fingerprints on our passports beyond the US-VISIT Program?
    Mr. Verdery. Well, the benefits for us doing it on our own 
are a couple. One, if we ran checks of people at the time of 
application, you might be able to find imposters or other 
criminals or terrorists at the time of application and State is 
doing a lot now on the biographic side, as Frank testified to, 
but that does not catch the biometric hits that would come up.
    Second, we could run those people through US-VISIT when 
they travel back and forth. That currently is not done. So that 
would again find those types of imposters or criminals if we 
wanted to do that.
    And, third, is I think the point I was getting at before, 
it would allow us to offer other countries who are worried 
about Americans, legitimately or not, coming into their shores, 
allow us to build out an international system of 
interoperability built on travel documents.
    Mr. Lungren. The compatibility of the fingerprint system 
with most of these countries around the world is not repeated 
with any other mechanism of identification. I mean, we have our 
fingerprint system for our criminal justice programs, they have 
their fingerprint system. I mean, fingerprint system started in 
England, for goodness sake.
    Mr. Verdery. You have INTERPOL as a kind of repository of 
that trade. But, again, that is of criminals, not of just your 
average tourist who has not shown up on a terrorist database.
    LUNGREN; We have another vote going on there. I think I am 
finished with all my questions, but if you can stick around a 
little bit longer, I have got to find out whether my Ranking 
Member is coming back. Do we know? Maybe we can check. 
Otherwise, I might be able to let you go.
    Mr. Verdery. Sir, if I could, while we have open mike day.
    Mr. Lungren. Open mike, right here, open mike Friday, but 
it is on Wednesday.
    Mr. Verdery. It does not happen very often, but I am not 
sure I actually responded to your question about kind of the 
cultural issues.
    Mr. Lungren. Yes.
    Mr. Verdery. Again, I think the experience of world 
travelers coming to US-VISIT, travelers or all nations, all 
races, all everything, except for kids and old people and 
diplomats, basically having no problem with the system, takes 6 
seconds. Some people think it is actually kind of cool, it is 
kind of neat. I think it is producing a sea change around the 
world as to, ``Hey, look, this is no big deal.''
    And the other thing is that fingerprints can differentiate 
people who otherwise might get caught up in some kind of 
biographic confusion. John Smith, the terrorist, causing all 
the other John Smiths traveling some travel problems. The 
biometrics would clear that person, essentially.
    And, so, again, I think there is a sea change underway. We 
have been leading that, I think we need to continue to lead 
that. But this is the first worldwide use of biometrics, and I 
think it has been a great experience and hopefully has 
convinced travelers and governments around the world that that 
is the way to go.
    Mr. Lungren. And who are excepted from that? You say 
children and--
    Mr. Verdery. Under 14, I think over 79 or maybe it is 69 
and diplomats.
    Mr. Lungren. And the reason for the first two being 
exempted from that?
    Mr. Verdery. Initially, it was a workload issue. We did not 
want to overload the system, and the odds of these folks being 
terrorists, I think, were considered to be low or visa 
overstayers. And so I think that was the reason. And diplomats 
obviously for reciprocity concerns.
    Mr. Lungren. That is what I keep telling TSA about 
secondary checks of my 2-year-old granddaughter. I do not think 
there is much chance of her being a terrorist.
    I want to thank the witnesses for appearing. I understand 
no one else is coming back. And I would just say for the record 
that some members may want to submit some written questions to 
you, and if they do, if you could respond in a timely fashion.
    I thank you for your testimony.
    And this subcommittee hearing stands adjourned.
    [Whereupon, at 2:06 p.m., the subcommittee was adjourned.]

                                 
