[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
THE CURRENT AND FUTURE APPLICATIONS
OF BIOMETRIC TECHNOLOGIES
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH &
SUBCOMMITTEE ON TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
TUESDAY, MAY 21, 2013
__________
Serial No. 113-29
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
U.S. GOVERNMENT PRINTING OFFICE
81-193 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR., DANIEL LIPINSKI, Illinois
Wisconsin DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas ERIC SWALWELL, California
PAUL C. BROUN, Georgia DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi ALAN GRAYSON, Florida
MO BROOKS, Alabama JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois SCOTT PETERS, California
LARRY BUCSHON, Indiana DEREK KILMER, Washington
STEVE STOCKMAN, Texas AMI BERA, California
BILL POSEY, Florida ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky MARK TAKANO, California
KEVIN CRAMER, North Dakota ROBIN KELLY, Illinois
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS STEWART, Utah
VACANCY
------
Subcommittee on Research
HON. LARRY BUCSHON, Indiana, Chair
STEVEN M. PALAZZO, Mississippi DANIEL LIPINSKI, Illinois
MO BROOKS, Alabama ZOE LOFGREN, California
STEVE STOCKMAN, Texas AMI BERA, California
CYNTHIA LUMMIS, Wyoming ELIZABETH ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
------
Subcommittee on Technology
HON. THOMAS MASSIE, Kentucky, Chair
JIM BRIDENSTINE, Oklahoma FREDERICA S. WILSON, Florida
RANDY HULTGREN, Illinois SCOTT PETERS, California
DAVID SCHWEIKERT, Arizona DEREK KILMER, Washington
EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
C O N T E N T S
Tuesday, May 21, 2013
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Larry Bucshon, Chairman, Subcommittee
on Research, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 6
Written Statement............................................ 7
Statement by Representative Daniel Lipinski, Ranking Member,
Subcommittee on Research, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 8
Written Statement............................................ 9
Witnesses:
Dr. Charles H. Romine, Director, Information Technology
Laboratory, National Institute of Standards and Technology
Oral Statement............................................... 11
Written Statement............................................ 14
Mr. John Mears, Board Member, International Biometrics and
Identification Association
Oral Statement............................................... 27
Written Statement............................................ 29
Dr. Stephanie Schuckers, Director, Center for Identification
Technology Research
Oral Statement............................................... 43
Written Statement............................................ 45
Discussion....................................................... 54
Appendix I: Answers to Post-Hearing Questions
Dr. Charles H. Romine, Director, Information Technology
Laboratory, National Institute of Standards and Technology..... 64
Mr. John Mears, Board Member, International Biometrics and
Identification Association..................................... 66
Dr. Stephanie Schuckers, Director, Center for Identification
Technology Research............................................ 68
Appendix II: Additional Material for the Record
Submitted statement of Representative Frederica S. Wilson,
Ranking Member, Subcommittee on Technology, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 72
THE CURRENT AND FUTURE APPLICATIONS
OF BIOMETRIC TECHNOLOGIES
----------
TUESDAY, MAY 21, 2013
House of Representatives,
Subcommittee on Research &
Subcommittee Technology
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 10:06 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Larry
Bucshon [Chairman of the Subcommittee on Research] presiding.
[GRAPHIC] [TIFF OMITTED] 81193.001
[GRAPHIC] [TIFF OMITTED] 81193.002
[GRAPHIC] [TIFF OMITTED] 81193.003
[GRAPHIC] [TIFF OMITTED] 81193.004
Chairman Bucshon. Good morning, everyone. This joint
hearing of the Subcommittee on Research and the Subcommittee on
Technology will come to order.
Welcome to today's joint hearing entitled ``The Current and
Future Applications of Biometric Technologies.'' In front of
you are packets containing the written testimony, biographies
and Truth in Testimony disclosures for today's witnesses.
Before we get started, since this is a joint hearing
involving two Subcommittees, I want to explain how we will
operate procedurally so all Members understand how the
question-and-answer session period will be handled. As always,
we will alternate rounds of questioning between the majority
and minority Members. The Chairmen and Ranking Members of the
Research and Technology Subcommittees will be recognized first.
Then we will recognize Members present at the gavel in order of
seniority on the full Committee and those coming in later after
the gavel will be recognized in order of arrival. I now
recognize myself for five minutes for an opening statement.
I would like to welcome everyone to this morning's hearing
on the current and future applications of biometric
technologies. I look forward to our witnesses' testimony on how
this technology is developing and the ways biometrics might
better the lives of my constituents and every American.
Many of us have been introduced to biometric technologies
by way of movies and TV shows, James Bond-style spy thrillers
and the ever-present mega-vault secured with iris and palm
scanners. While these examples portray a high-tech, futuristic
technology that has little application to the average person,
the reality is that biometric technologies have been utilized
over the past two decades in many industries and fields.
Whether being used to enhance security by controlling physical
access to facilities or preventing fraud by controlling
electronic access to computer networks, these practical
applications affect everyone on an individual and collective
scale. This includes safeguarding our international borders and
protecting financial transactions, which is essential as
technology rapidly advances and our world becomes more
dependent on cyber infrastructure.
Just last week, the Department of Homeland Security
released a solicitation seeking information on commercially
available live scan fingerprint systems for possible use by
federal, state, and local law enforcement agencies.
Additionally, they are researching ways for quicker
identification by developing tablet-based technologies that can
capture biometrics at the scene of a crime.
Biometric research done by the National Institute of
Standards and Technology, known as NIST, dates back to the
1960s starting with fingerprint identification technology the
FBI used to support law enforcement. Today, NIST continues
their research in developing uses and enhancing different types
of biometric technologies, including fingerprinting, face and
iris scanning, voice recognition, and DNA testing.
Biometric technologies are often touted as a democratic
approach to identity management, because no language, gender,
age, race, financial status, or literacy rate impedes their
use. Because of this, many see biometrics playing a major role
in fixing the so-called ``identity gap'' many developing
countries face. For example, India has implemented a robust
biometric identification program with the hopes of reducing
fraud and corruption, ensuring credible elections, and
improving national security.
Additionally, biometric supporters point to the consumer's
convenience of using biometric technologies. Many ask, why must
we continue to carry key fobs, reMember passwords, and enter
personal identification numbers when we can use uniquely
personal physical patterns in place of additional items.
Researchers at the University of California-Berkeley are
developing a biometric security that uses brain waves to
replace passwords, calling them passthoughts. That is pretty
interesting.
But with praise also comes concern such as, how can we
ensure biometric data is secure and being used appropriately?
My colleagues and I are looking forward to learning about the
positive impacts biometric technologies might have in
increasing convenience in our everyday lives and improving our
personal and national security, while having an open discussion
about policy implications and addressing the concerns that some
might have. We have an excellent panel of witnesses ranging
across industry, academia and government to lead our
discussion.
I would like to extend my appreciation to each of our
witnesses for taking the time and effort to appear before us
today. We look forward to your testimony.
[The prepared statement of Mr. Bucshon follows:]
Prepared Statement of Subcommittee on Research Chairman Larry Bucshon
Good morning, I would like to welcome everyone to this morning's
hearing on the current and future applications of biometric
technologies. I look forward to our witnesses' testimony on how this
technology is developing and the ways biometrics might better the lives
of my constituents and every American.
Many of us have been introduced to biometric technologies through
by way of movies and TV shows --James Bond-style spy thrillers and the
ever-present mega-vault secured with iris and palm scanners. While
these examples portray a high-tech, futuristic technology that has
little application to the average person, the reality is that biometric
technologies have been utilized over the last two decades in many
industries and fields. Whether being used to enhance security by
controlling physical access to facilities or preventing fraud by
controlling electronic access to computer networks, these practical
applications affect everyone on an individual and collective scale.
This includes safeguarding our international borders and protecting
financial transactions, which is essential as technology rapidly
advances and our world becomes more dependent on cyber infrastructure.
Just last week, the Department of Homeland Security released a
solicitation seeking information on commercially available live scan
fingerprint systems for possible use by federal, state, and local law
enforcement agencies. Additionally, they are researching ways for
quicker identification by developing tablet-based technologies that can
capture biometrics at the scene of a crime.
Biometric research done by the National Institute of Standards and
Technology, also known as NIST, dates back to the 1960's--starting with
fingerprint identification technology the FBI used to support law
enforcement.
Today, NIST continues their research in developing uses and
enhancing different types of biometric technologies, including
fingerprinting, face and iris scanning, voice recognition and DNA
testing.
Biometric technologies are often touted as a democratic approach to
identity management, because no language, gender, age, race, financial
status, or literacy rate impedes their use. Because of this, many see
biometrics playing a major role in fixing the so-called ``identity
gap'' many developing countries face. For example, India has
implemented a robust biometric identification program with the hopes of
reducing fraud and corruption, ensuring credible elections, and
improving national security.
Additionally, biometric supporters point to the consumer's
convenience of using biometric technologies. Many ask, why must we
continue to carry key fobs, remember passwords, and enter personal
identification numbers when we can use uniquely personal physical
patterns in place of additional items? Researchers at the University of
California-Berkley are developing a biometric security that uses brain
waves to replace passwords--calling them ``passthoughts.''
Chairman Bucshon. I now recognize Mr. Lipinski for his
opening statement.
Mr. Lipinski. Thank you, Chairman Bucshon. I want to thank
you and Chairman Massie for holding this joint hearing to
examine the use of biometric technologies. I also want to thank
our witnesses for being here. I just want to know first, who is
James Bond here?
Right now, biometric technologies are used mostly by
federal, state and local governments to identify criminals and
to ensure our national security. Most people equate biometrics
with fingerprints. This is because fingerprints have been used
for more than a hundred years and automated recognition systems
have been commercially available since the 1970s. In fact, the
FBI has 110 million fingerprint records, the Department of
Defense has 9.5 million, and the Department of Homeland
Security has 156 million fingerprints in their database.
But the landscape for biometric technologies is changing
and other technologies are being rapidly deployed in other
countries. For example, India is in the process of collecting
biometric information for every single resident. They have
already enrolled more than 300 million people and they are not
just collecting fingerprints, but also iris scans. Efforts such
as these could help combat fraud and waste, but also raise
significant civil liberties concerns. Advances in facial
recognition are being driven largely by companies such as
Facebook and Google who are using facial recognition algorithms
to ``tag'' people on social media.
All of these technologies have their own advantages and
disadvantages. For example, a suspect won't leave their iris
scan behind at the scene of a crime as they would a
fingerprint, but it appears that the characteristics of the
iris remain more stable over a person's lifetime.
The bottom line is there is enormous potential for these
technologies, but there are also a number of research gaps.
There are many questions and gaps of a scientific or technical
nature. For example, as I mentioned earlier, it appears that
the characteristics of the iris are fairly stable over time,
but biometric technologies rely on the distinctiveness of an
individual and there is a need to build up our fundamental
understanding of how biometric traits vary not only between
people, but as an individual ages.
There are also many research questions related to the
social and cultural aspects of biometrics. As I am sure we will
hear today, a biometric system is only as good as the quality
of data it collects. Even when a person is a willing provider
of their biometric data, there is variation in the quality of
that information, let alone when a person is noncompliant or
they are actively trying to deceive the technology.
Understanding how a person interacts with a biometric sensor
and what impact social or cultural beliefs have on that
interaction is key to obtaining quality data. For example, a
person may be reluctant to touch a sensor out of a fear of
germs or their religious beliefs may not permit them to show
their face in public.
As my colleagues are well aware, I have been passionate
about the need to secure cyberspace. I often comment on the
fact that most people use a few passwords for all of their
online activities from banking to streaming movies. We all know
that using the same password is not what we should do, but we
do it anyway because it is just easier. Unfortunately, that
password can be forgotten, guessed or stolen. Let me just say,
I don't use the same password. I don't want to suggest that and
give anyone ideas.
Biometric technologies hold the potential to significantly
increase cybersecurity because it is much more difficult to
steal someone's fingerprint or a scan of their iris and you
generally don't forget your finger at home, but these
technologies are not widely deployed in the private sector.
The National Institute of Standards and Technology is
trying to address this through the National Strategy for
Trusted Identities in Cyberspace, but there is a lot of work to
be done. Part of this is because most biometric systems cost
too much for commercial applications and there is no compelling
business case for such an investment. Also, I, like most
Americans, have some concerns about how the use of biometric
technologies affects my privacy. I hope to ask the witnesses
some questions about the security and privacy of biometric
technologies later this morning. I am especially interested in
learning more about the sharing of biometric data and the
potential for secondary uses of these technologies.
Mr. Chairman, I believe the potential of biometric
technologies to enhance our security is great and worth
pursuing, but I also believe we need to make certain that there
are appropriate safeguards in place so these technologies are
not abused.
Thank you again for holding this hearing, and I yield back
the balance of my time.
[The prepared statement of Mr. Lipinski follows:]
Prepared Statement of Subcommittee on Research
Ranking Member Daniel Lipinski
Good morning. I want to thank Chairman Bucshon and Chairman Massie
for holding this joint hearing to examine the use of biometric
technologies. I'd also like to thank our witnesses for being here
today. I'm looking forward to your testimony.
Right now, biometric technologies are used mostly by federal,
state, and local governments to identify criminals and to ensure our
national security. Most people equate biometrics with fingerprints.
This is because fingerprints have been used for more than a 100 years
and automated recognition systems have been commercially available
since the 1970s. In fact, the FBI has 110 million fingerprint records,
the Department of Defense has 9.5 million, and the Department of
Homeland Security has 156 million fingerprints in their database.
But the landscape for biometric technologies is changing and other
technologies are being rapidly deployed in other countries. For
example, India is in the process of collecting biometric information
for every single resident. They have already enrolled more than 300
million people and they are not just collecting fingerprints, but also
iris scans. Efforts such as these could help combat fraud and waste,
but also raise significant civil liberties concerns.
Advances in facial recognition are being driven largely by
companies such as Facebook and Google who are using facial recognition
algorithms to ``tag'' people on social media.
All of these technologies have their own advantages and
disadvantages. For example, a suspect won't leave their iris scan
behind at the scene of a crime as they would a fingerprint, but it
appears that the characteristics of the iris remain more stable over a
person's lifetime.
The bottom line is there is enormous potential for these
technologies, but there are also a number of research gaps. There are
many questions and gaps of a scientific or technical nature. For
example, as I mentioned earlier, it appears that the characteristics of
the iris are fairly stable over time, but biometric technologies rely
on the distinctiveness of an individual and there is a need to build up
our fundamental understanding of how biometric traits vary not only
between people, but as an individual person ages.
But there are also many research questions related to the social
and cultural aspects of biometrics. As I am sure we will hear today, a
biometric system is only as good as the quality of data it collects.
Even when a person is a willing provider of their biometric data, there
is variation in the quality of that information let alone when a person
is non-compliant or they are actively trying to deceive the technology.
Understanding how a person interacts with a biometric sensor and what
impact social or cultural beliefs have on that interaction is key to
obtaining quality data. For example, a person may be reluctant to touch
a sensor out of a ``fear of germs'' or their religious beliefs may not
permit them to show their face in public.
As my colleagues are well aware, I have been passionate about the
need to secure cyberspace. I often comment on the fact that most people
use a few passwords for all of their online activities from banking to
streaming movies. We all know that using the same password is not what
we should do, but we do it anyway because it is just easier.
Unfortunately, that password can be forgotten, guessed or stolen.
Biometric technologies hold the potential to significantly increase
cybersecurity because it is much more difficult to steal someone's
fingerprint or a scan of their iris and you generally don't forget your
finger at home, but these technologies are not widely deployed in the
private sector.
The National Institute of Standards and Technology is trying to
address this through the National Strategy for Trusted Identities in
Cyberspace, but there is still a lot of work to be done. Part of this
is because most biometric systems cost too much for commercial
applications and there is no compelling business case for such an
investment.
Also, I, like most Americans have some concerns about how the use
of biometric technologies affects my privacy. I hope to ask the
witnesses some questions about the security and privacy of biometric
technologies later this morning.
I am especially interested in learning more about the sharing of
biometric data and the potential for secondary uses of these
technologies.
Mr. Chairman, I believe the potential of biometric technologies to
enhance our security is great and worth pursuing, but I also believe we
need to make certain that there are appropriate safeguards in place so
these technologies are not abused.
Chairman Bucshon. For the record, I don't use the same
password for all my things either, partially because of this
type of stuff. Thank you, Dan, for those comments.
If there are Members who wish to submit additional opening
statements, your statements will be added to the record at this
point.
Chairman Bucshon. It is now time to introduce our panel of
witnesses. Our first witness is Dr. Charles Romine, the
Director of the Information Technology Laboratory at the
National Institute of Standards and Technology. ITL is one of
six research laboratories within NIST and conducts research
addressing measurement challenges and information technology as
well as issues of information and software quality, integrity
and usability. ITL is also charged with leading the Nation in
using existing and emerging IT to help meet national
priorities. Dr. Romine holds a B.A. in mathematics and a Ph.D.
in applied mathematics from the University of Virginia.
Welcome.
Our second witness is Mr. John Mears, a Board Member of the
International Biometrics and Identification Association. He is
currently the Senior Fellow for IT and Security Solutions at
Lockheed Martin. Mr. Mears has worked on program performance
segment strategy and technology plans for biometric
identification and verification applications supporting the
homeland security, defense and law enforcement communities. He
holds both bachelor's and master's degrees in electrical
engineering from the University of Florida. Welcome.
Our final witness is Dr. Stephanie Schuckers, the Director
of the Center for Identification Technology Research, or CITeR.
She is currently Professor in the Department of Electrical
Engineering, Computing Engineering at Clarkson University. Her
research focuses on processing and interpreting signals which
arise from the human body. Dr. Schuckers received her doctorate
degree in electrical engineering from the University of
Michigan.
As our witnesses should know, spoken testimony is limited
to five minutes after which Members of the Committee have five
minutes each to ask questions. Your written testimony will be
included in the record of the hearing.
I now recognize our first witness, Dr. Romine, for five
minutes.
TESIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,
INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairman Bucshon, Chairman Massie, Ranking
Member Lipinski, Ranking Member Wilson and Members of the
Subcommittees, I am Chuck Romine, Director of the Information
Technology Lab at NIST, and thank you for the opportunity to
appear before you today to discuss our role in standards and
testing for biometrics.
NIST has nearly five decades of experience in proving human
identification systems. NIST responds to government and market
requirements for biometric standards by collaborating with
Federal agencies, academia and industry to support development
of biometric standards, conformance testing architectures and
tools, research advanced biometric technologies, and develop
metrics for standards and interoperability of electronic
identities.
NIST research provides state-of-the-art technology
benchmarks and guidance to U.S. government and industry. To
achieve this, NIST actively participates in Federal biometric
committees and national and international standards-developing
organizations.
Biometric technologies can provide a means for recognizing
individuals based on one or more physical or behavioral
characteristics. These can be used to establish or verify
personal identity of enrolled individuals. By statute and
Administration policy, NIST encourages and coordinates Federal
agency use of voluntary consensus standards and participation
in the development of relevant standards and promotes
coordination between public and private sectors in the
development of standards and conformity assessment activities.
NIST collaborates with industry to develop a consensus standard
that is used around the world to facilitate interoperable
biometric data exchange. The standard is evolving to support
law enforcement, homeland security, forensics, and disaster
victim identification.
Internationally, NIST leads development of biometric
standards that have received widespread acceptance. Use of
these standards is mandatory by large international
organizations for identification and verification of travelers
at border crossings.
In response to the Homeland Security Presidential Directive
12, NIST developed a standard to improve the identification and
authentication of Federal employees and contractors for access
to Federal facilities and IT systems. NIST is updating the
standards and guidelines for iris and facial images and
private-enhancing on-card comparison. NIST leads the
development of conformance test suites for implementations of
national and international biometric standards.
At the request of DHS, NIST assisted with conformance
testing for Transportation Worker Identification Credential
specifications resulting in TSA issuing a smart card with the
worker's fingerprint for identity verification. To assist in
qualifying products to TWIC specifications, three independent
testing laboratories have been accredited by NIST and card
reader products from about 20 vendors have passed testing.
Understanding capabilities and improving performance of
biometric technologies requires a robust testing
infrastructure. For more than a decade, NIST has been
conducting large biometric technology challenge programs to
motivate the global biometric community, to dramatically
improve the performance and interoperability of biometric
systems, foster standards adoption, and support global
deployment, and achieve an order of magnitude or better
accuracy gains.
NIST is also working to advance biometrics through the
National Strategy for Trusted Identities in Cyberspace, or
NSTIC, a White House initiative focused on catalyzing the
private sector to create an identity ecosystem. Two NSTIC
pilots involve biometrics for authentication, one based on the
use of a signature, a second based on smartphone voice and
facial recognition.
The NSTC National Biometrics Challenge 2011 report included
a few key challenges to the future application of biometrics
technologies including research in the privacy and usability of
biometrics. For privacy, NIST is collaborating to advance
technical methods to safeguard and control the use of
biometrics through methods such as liveness detection and
biometric template protection.
Usability is a priority for deploying biometric systems
within the Federal Government. NIST was identified in a recent
National Academies report as one of only two organizations
addressing usability in biometric systems. NIST has applied its
usability expertise to several studies involving biometric
systems. As a result of one study, all of the fingerprint
scanners at U.S. ports of entry are now angled to improve the
collection process.
In summary, NIST has a diverse portfolio of activities
supporting our Nation's biometric needs. With NIST's extensive
experience and broad array of expertise, both in its
laboratories and in its collaborations with U.S. industry and
other government agencies, NIST is actively pursuing the
standards and measurement research necessary to deploy
interoperable, secure, reliable and usable biometric systems.
Thank you for the opportunity to testify on NIST's
activities in biometrics, and I would be happy to answer any
questions that you may have.
[The prepared statement of Dr. Romine follows:]
[GRAPHIC] [TIFF OMITTED] 81193.005
[GRAPHIC] [TIFF OMITTED] 81193.006
[GRAPHIC] [TIFF OMITTED] 81193.007
[GRAPHIC] [TIFF OMITTED] 81193.008
[GRAPHIC] [TIFF OMITTED] 81193.009
[GRAPHIC] [TIFF OMITTED] 81193.010
[GRAPHIC] [TIFF OMITTED] 81193.011
[GRAPHIC] [TIFF OMITTED] 81193.012
[GRAPHIC] [TIFF OMITTED] 81193.013
[GRAPHIC] [TIFF OMITTED] 81193.014
[GRAPHIC] [TIFF OMITTED] 81193.015
[GRAPHIC] [TIFF OMITTED] 81193.016
[GRAPHIC] [TIFF OMITTED] 81193.017
Chairman Bucshon. Thank you for your testimony.
I now recognize our next witness, Mr. Mears, for five
minutes.
TESIMONY OF MR. JOHN MEARS,
BOARD MEMBER, INTERNATIONAL BIOMETRICS
AND IDENTIFICATION ASSOCIATION
Mr. Mears. Thank you. Chairman Bucshon, Chairman Massie,
Ranking Member Lipinski, Members of the Committee, good
morning, and thank you for inviting the International
Biometrics and Identification Association to this hearing. The
IBIA is a nonprofit trade group that advocates and promotes the
responsible use of technologies for managing human identity.
As the Committee is well aware, biometrics is not new,
unproven or radical. People have developed means throughout
recorded history to uniquely identify themselves starting with
the first handprint signatures of authors of cave paintings on
walls 31,000 years ago. In fact, I think it is an injustice
that the first caveman wasn't given prior art credit by the
Patent Office for what has evolved into modern hand geometry
and palm print biometrics. And as a serious aside, I would note
that in the last week, the FBI has added a national palm print
capability to its Next-Generation Identification system.
My written testimony addresses the Committee's questions in
detail. In my oral comments this morning, I want to highlight
some key points about biometric identification that do not
always receive the attention they should. From an industry
perspective, biometric technology is real and working today.
There are successful U.S. government programs that prove this;
for identification, IAFIS, NGI, U.S. VISIT, DOD ABIS; for
verification, HSPD-12 PIV, DOD CAC, TWIC.
Biometrics have evolved from custom development to
integration of commercial components. An example is the 1999
first implementation of IAFIS versus the 2013 version of Next
Generation Identification, which in large part uses COTS
algorithms, commercial off-the-shelf algorithms. Biometric
systems have improved sharply in accuracy. I can cite IAFIS at
92 percent versus NGI at 99.6 percent accuracy.
Biometrics provide greater security and privacy than
alternate means of identification including IDs and passwords
which are vulnerable and becoming obsolete, as the Chairman
observed; and biographics, which are subject to error, spoofing
and identity theft. New applications will develop in the
private sector in health care and finance, and perhaps
significantly, mobility and smart consumer devices will
probably in large part drive the acceptance and the need for
the security and convenience that biometrics provide.
The common thread from 31,000 years ago is that it matters
who I am. No matter the period of history, identifying
ourselves is an important function, so much a part of our lives
that we sometimes take it for granted. In practice, we identify
ourselves by our biometrics, our biographics and our behaviors
as illustrated in figure 1 in my written testimony. A biometric
is a measurable biological or anatomical and physiological or
behavioral characteristic that can be used for automated
recognition. The figure shows a sampling of biometric types,
and we are all familiar with the most common of these since
they include things like fingerprints, faces, irises, our
voices and DNA.
There are in fact a number of others that are shown in the
figure including some that are emerging in future applications.
The most useful of these exhibit permanence. They can be easily
observed, measured and automated, and the best ones are very
discriminating to the individual and are hard to spoof or
reproduce.
Biographics are descriptors that are assigned by others or
that we attribute to ourselves but can change over time as we
live our lives. These include things like our names, our
addresses, our public records, our Social Security numbers.
Biographics are useful for identification but are generally
less accurate because they do change over time and can be
publicly discovered and spoofed, for instance, in the case of
identity theft, and public records sometimes contain errors
that are problematic, for instance, name misspellings versus
watch lists or errors in credit reports, which actually has
happened to me.
Behaviors are descriptors of our actions over periods of
time. Group behavior can be observed, for example, in postings
on social networking sites, through online transactions, phone
records, emails and affiliations. Individual behavior includes
such things as handwriting composition style, keystroke
dynamics, walking gait and online behavior. Many of these
individual behaviors can be difficult to capture and analyze at
present but are potentially very useful, particularly for
logical and cyber security. In practice, many techniques for
authentication and identification use a combination of
descriptors of identity. However, if you have to single out one
technique, biometrics are the most convenient, reliable and
secure means available today.
Biometrics are, by their definition, personal for all of
us. It matters who we are, both to ourselves and to the people
with whom we have personal and transactional relationships.
With the advancement of sensors and computing capability to
digitally represent and process biometrics, our lives can be
made more secure and more convenient on an individual level as
well as for our society. Biometrics are proven and effective
when managed properly.
Thank you for your time and consideration today. I look
forward to your questions.
[The prepared statement of Mr. Mears follows:]
[GRAPHIC] [TIFF OMITTED] 81193.018
[GRAPHIC] [TIFF OMITTED] 81193.019
[GRAPHIC] [TIFF OMITTED] 81193.020
[GRAPHIC] [TIFF OMITTED] 81193.021
[GRAPHIC] [TIFF OMITTED] 81193.022
[GRAPHIC] [TIFF OMITTED] 81193.023
[GRAPHIC] [TIFF OMITTED] 81193.024
[GRAPHIC] [TIFF OMITTED] 81193.025
[GRAPHIC] [TIFF OMITTED] 81193.026
[GRAPHIC] [TIFF OMITTED] 81193.027
[GRAPHIC] [TIFF OMITTED] 81193.028
[GRAPHIC] [TIFF OMITTED] 81193.029
[GRAPHIC] [TIFF OMITTED] 81193.030
[GRAPHIC] [TIFF OMITTED] 81193.031
Chairman Bucshon. Thank you.
I now recognize our final witness, Dr. Schuckers, for five
minutes.
TESIMONY OF DR. STEPHANIE SCHUCKERS,
DIRECTOR, CENTER FOR IDENTIFICATION TECHNOLOGY RESEARCH
Dr. Schuckers. Thank you very much for the opportunity to
testify to you today.
There is a need to establish a trusted relationship between
individuals and between individuals and organizations in order
to support e-commerce, worker and employer interactions,
delivery of benefits, movement of individuals, social
connections and health care, and as the other testimonies
pointed out, there are many ways to establish a trusted
relationship, and they include what you have like credit cards
and passports; what you know, passwords, PINs, mother's maiden
name; and who you are, biometrics, the topic today.
Transactions in the past have primarily rested on what you
have and what you know. The addition of biometrics adds another
dimension of security. Emerging is the use of biometrics as
part of authentication to support transactions over the
Internet, including mobile payments. With weaknesses in
passwords alone, combining authentication with a biometric
reduces the amount of private information that would need to be
revealed repeatedly in order to reestablish a trusted
relationship. Depending on the transaction, levels of trust can
be created by combinations of different forms of
authentication. This is supported by the National Strategy for
Trusted Identities in Cyberspace, NSTIC, and is included in my
recommendations in my written testimony.
Creating and enabling those trusted relationships makes it
more difficult for those who seek to destroy that trust through
cyber crime, terrorism and identity theft. Similarly, in our
counterterrorism efforts, knowledge of the individual is a
critical aspect in sorting out those minority of individuals
who seek to do us harm where biometrics is a critical tool in a
large toolbox of ways to identify those individuals.
To support these efforts, I highlight two recommendations
in my written testimony. The first recommendation: invest in
fundamental research for enhancement of privacy within
biometric systems and develop policies which encourage the
inclusion of privacy-preserving techniques. As with other
personal information, biometric information must be protected
and remain confidential. One example of methods in the research
community and in some of the commercial sectors is something
called template protection. This is where biometric matching is
performed in an encrypted domain such that biometric
information is not disclosed at any point. Another is liveness
detection. This protects vulnerability when an attacker creates
and uses an artificial biometric--James Bond. Continuous
attention is required in order to stay one step ahead of those
who seek to defeat those security mechanisms. Privacy and
security are often spoken in terms of tradeoffs, giving up
privacy in order to achieve security. The research goal is to
actually change the paradigm where we can look to maximize both
privacy and security with some of these methods.
Recommendation two: invest in fundamental research
challenges in biometrics through the cooperation of government,
industry and academia. Investment in fundamental research is
needed to provide the foundation for biometrics in the future.
It includes such things as studying uniqueness and the
permanence of biometrics traits that have been mentioned in
some of the other comments.
Other related recommendations in my written testimony have
to do with enhancing data sharing to support research and
increasing our cybersecurity workforce, including those who
have expertise in biometric systems.
As a unique structure for pursuing research, I would like
to highlight the Center for Identification Technology Research,
CITeR, of which I am the Director. CITeR is a National Science
Foundation industry-university cooperative research center, and
it focuses on biometrics. CITeR functions as a cooperative of
industry such as system integrators, technology providers,
small businesses, and government organizations such as the FBI,
DHS and DOD. Projects are defined by faculty through
interfacing with that community and integrating their research
needs. Outcomes include creating workforce trained in the
industry and government needs but also promoting innovation
through translation of research to commercial products and
creating jobs.
In summary, research, close collaboration between industry,
government, academia and investment in education will continue
to make the United States the best in the world. In biometrics,
this investment can reap benefits for improving our security in
cyberspace, protecting our national security and stimulating
our economy as a leader in the technology of the future. Thank
you very much.
[The prepared statement of Dr. Schuckers follows:]
[GRAPHIC] [TIFF OMITTED] 81193.032
[GRAPHIC] [TIFF OMITTED] 81193.033
[GRAPHIC] [TIFF OMITTED] 81193.034
[GRAPHIC] [TIFF OMITTED] 81193.035
[GRAPHIC] [TIFF OMITTED] 81193.036
[GRAPHIC] [TIFF OMITTED] 81193.037
[GRAPHIC] [TIFF OMITTED] 81193.038
[GRAPHIC] [TIFF OMITTED] 81193.039
[GRAPHIC] [TIFF OMITTED] 81193.040
Chairman Bucshon. Thank you, and I thank the witnesses for
their testimony, reminding Members that Committee rules limit
questioning to five minutes. The Chair at this point will open
the round of questioning. I recognize myself for five minutes.
Just an overriding question for all three of the panelists,
why isn't biometric technology being more quickly integrated
into our everyday lives? Is there financial barrier, a security
barrier, a privacy barrier? And if so, where do you think the
bottleneck comes from? Does it come from research and
development or application or deployment, or where? Dr. Romine?
Dr. Romine. Yes, I would like to take that. I think there
are a number of possible reasons, and one of the reasons for
establishing the National Strategy for Trusted Identities in
Cyberspace is to try to catalyze greater adoption of identify
management technologies broadly speaking. At NSTIC, some of the
grant activity goes to trying to explore the use of biometrics
as part of that ecosystem. I think a lot of it also is sort the
maturity of the technology. So I think one of the roles that
NIST has to play with industry is trying to advance the state-
of-the-art in a way that we get greater confidence.
Mr. Mears. One of the observations that industry would make
is that we sometimes see quantum advancements in technology as
a result of what we call a ``killer app.'' That is, there is a
compelling application that is popular with masses of people,
perhaps consumers, that drives adoption of a particular
technology. We think that in the realm of mobility, the
proliferation of smart devices, the drive for convenience and
personalization of these devices and the need to hold those
devices securely will drive adoption of biometrics into
consumer devices, which will drive volume and in fact drive
acceptance generationally over time that we think will allow us
to permeate--allow it to permeate other industries and
applications.
Dr. Schuckers. I guess I would agree with the other two. I
think it is looking to get that perfect storm. As many of us
have, we have a fingerprint reader on our laptops. It doesn't
do anything besides get us into the laptop. I think that is
where the mobile devices come in. As we use our mobile devices
as a form of payment, now there is a value associated with
those mobile devices, and that is that killer app that we are
talking about. And then it comes to the convenience of it. It
is frustrating, as we talked about, to have to remember long,
secure passwords, or we use simple passwords that we use in
multiple places. By making the convenience of a simple swipe or
a face on your mobile phone, that is where the demand comes
because you want your phone protected because it pays for
things. An enabling thing is NSTIC, National Strategy for
Trusted Identities in Cyberspace. That provides that
interoperability and standards such that when you do that
authentication, it goes somewhere, and it gives you that
process such that you have that secure transaction.
Chairman Bucshon. Thank you. I am going to make an
editorial comment and then I will have some other questions. I
was in health care before this, and I did a lot of my training
and practice trauma-related-type things, and I can tell you, at
medical centers, the number of people who come in unidentified
is fairly significant, and biometric technology used in that
application would be extremely helpful to identify people for
family notification or other reasons.
That said, is there one area that maybe all of you can
comment on that you think that this could really revolutionize
how we live our everyday lives? Is there a game-changing area
that you think potentially that we should focus on first maybe
or, you know, a few that would really make a revolutionary
change in the way we live our everyday lives. For example, in
my view, you know, online purchasing security or some other
thing, and what ones maybe we are close to being able to apply
broadly that would change people's lives. Dr. Romine?
Dr. Romine. Well, I think you have probably hit on one,
which is that acceptance is going to be driven by providing
added value to the customer, and the customer in this case is
going to have to be sort of the American citizen perhaps rather
than government-only applications. For that, the usability of
these systems is absolutely crucial. There has to be both value
added and a good customer experience that adds to the
efficiency of the transaction, the effectiveness of the
transaction, and satisfaction for the user.
Chairman Bucshon. I am running out of time, so if you could
be brief. Mr. Mears?
Mr. Mears. Okay. I will just add on what I said before. So
the rumors in the industry are the Apple 5S iPhone is scheduled
to come out this summer with a fingerprint reader, and we think
this is going to be an enabling technology. It allows that
platform to do a number of different applications, and we think
it will launch from there once the platform is enabled by
biometrics.
Chairman Bucshon. Dr. Schuckers?
Dr. Schuckers. I agree with what the other two Members have
said that are testifying today. I think the killer app is the
mobile payment system, and I think the driver is the customer
who wants their phone to recognize them when they are holding
it, essentially.
Chairman Bucshon. Thank you. I now recognize Mr. Lipinski
for his questions.
Mr. Lipinski. Thank you, Mr. Chairman. What you are talking
about here, I don't know if I should start going down this road
but I am going to quickly do it.
Why have we not gotten there yet? I think most people feel
like they would pay something extra. If I didn't have to
remember all my passwords, I would pay something extra for that
if I could use a fingerprint, if I could, you know, go purchase
something, plug it in the USB port, use my fingerprint. How
come it hasn't happened yet up to this point, if you can be--if
anyone has a very brief answer to why to this so we can move
on. Mr. Mears?
Mr. Mears. One of the things I would observe is that many
applications are kind of stovepiped, that is the applications
that you access on a daily basis, and they don't share
application data from one to the next, and so there is no real
uniform way of communicating between those. So it leads to this
stovepipe approach that doesn't lend itself to what we look for
what we call unitary logon, the convenience of having one logon
with security including biometrics that gives you access to
multiple different types of applications. In government
services, the migration to the cloud, cloud computing, actually
helps security and helps that convenience because it puts those
apps within a cloud community that has a security structure
that is amenable to unitary logon, and so you are going to see
advancements as a result of that. But I think in short, that is
the reason.
Mr. Lipinski. Okay. When Apple comes out with this
fingerprint reader on the new iPhone, how does that get past
that issue?
Mr. Mears. Well, certainly for the apps that we all know
and love on our mobile phones, it can be an enabler that will
be accessed for those apps. My comment was more to the large IT
systems that reside elsewhere, perhaps in government service,
but for the app side, it will definitely drive convenience.
Mr. Lipinski. Okay. I am going to move on. Dr. Schuckers,
do you want to add something quickly?
Dr. Schuckers. Well, I was just going to say that NSTIC is
also creating this independent, private identity broker, and
through that brokerage, you can be--that can be your interface
to all of those places where you need to provide that password,
and so that is an enabler essentially to get at what you want.
So the phone can provide it but really you also need that
broker who can to say to this application, yes, that this is
the right person to get access without giving all the
information away, right? They--you authenticate with them like
a PayPal but an expanded sort of PayPal.
Mr. Lipinski. How far are we away from that?
Dr. Romine. Well, the NSTIC program is relatively new. The
grants that have gone out are in their first year of full gear-
up, but I would say we are optimistic that the program, which
is slated to be essentially a five-year program, will actually
catalyze a lot of what Dr. Schuckers was talking about with
regard to establishing that ecosystem that is interoperable
with the pillars of privacy, transparency, usability and so on
as a driver.
Mr. Lipinski. Thank you. Another question, Dr. Schuckers.
You talked about in your testimony that biometrics provide
uniqueness and permanence. You also state that much of the
funding for biometrics is focused on near-term implementation
challenges, and more research is needed to provide a foundation
for biometrics. Can you describe the foundational research that
is needed, and which biometric traits are more stable over
time, which are more unique? How do you find that balance?
Dr. Schuckers. Thank you. So we think of biometrics as all
being equal. You know, you hear people say, look, this is a
biometric, X is a biometric, and really, biometrics isn't that
way because it has these two fundamental properties, which you
highlighted: uniqueness and permanence. And so uniqueness has
to do with your ability to distinguish an individual in a
thousand individuals, a million individuals, and so if we talk
about the uniqueness aspects, we think of DNA as kind of one
echelon. Then the next echelon would be finger where 10
fingerprints is better able to distinguish people than one
fingerprint. Look at iris. An iris would be equivalent to a
fingerprint--two irises, to multiple fingerprints. And then we
have other levels of things like voice recognition and face
recognition and all of the emerging biometrics, and so this is
where the research is to understand what the capability is and
how it fits into the application. If you are doing a one-on-one
transaction on your phone, for the most part your phone only
sees you on a regular basis and you want to protect--you might
not need one-in-a-billion kind of accuracy. You may be
satisfied with one in a thousand because you get more
convenience.
The other aspect is the permanence, and the permanence has
to do with, does the biometric vary over time. We all know our
face varies over time. So that is the other kind of studies.
Essentially, the biometrics are changing. We want diversity in
the biometric market to look at different applications of
biometrics but we need to understand what its capabilities are
so we can weigh them, depending on the application.
Mr. Lipinski. Thank you.
Chairman Bucshon. Thank you. I now recognize Mr. Massie for
his line of questioning.
Mr. Massie. So my first question deals with the possibility
of mission creep here. When Social Security numbers were
created, they were ostensibly to tract retirement benefits but
now you need a Social Security number and you need to provide
it to purchase even health insurance, and there has been recent
interest in using biometrics, I think, to curb immigration
violations. But at some point it seems as if we might need to
provide proof of self to check out a library book or to rent a
house or even just to attend a sporting event or log on to the
Internet. How is industry ameliorating these concerns, these
privacy concerns, right now? Mr. Mears?
Mr. Mears. Yes, I will address that. One of the things that
we believe is that for every application, there must be a
privacy policy. If there is something related to personally
identifiable information that is going to facilitate that
application, it has to be transparent, published, it has got to
specify what data is taken, when, under what circumstances,
with whom will it be shared, how long will it be retained, and
in fact, there have to be sufficient hooks in the application
such that you can verify the application conforms to the
policy, and in the best case, an independent ability to audit
the policies implemented for that particular application. That
is what we believe constitutes good privacy, and we would like
to see that across every application that requires the
provision of personally identifiable information, and certainly
the government does that now. We would like to see that in
industry as well.
Mr. Massie. So my concern becomes when you take a new
technology and it intersects a new piece of legislation. So for
instance, in the House we just passed the Cyber Intelligence
Sharing and Protection Act where companies, private companies,
are now absolved of any liability in private contracts with
their consumers if they share that information with the
government. And so it seems to me as if this biometric
information once it is ones and zeros would be part of that
sharable set of data. Dr. Schuckers, do you have any comment on
that?
Dr. Schuckers. Yes, I do agree that we need to treat a
biometric just like we treat the other information about
ourselves, and I think that we are grappling with this
explosion of data about ourselves. It is not just biometric
data, it is all the biographical data we are talking about, but
it is also our movements, our shopping habits, where we have
been. There is this explosion of data and there is an explosion
of data in the commercial sector. The government has
limitations on what they can do with data and particular
biometric data. Where is the equivalent on the commercial side?
And so I think that we are wrestling with this as a society.
Biometric is one piece of information but it is in the context
of a lot of other information that is collected about us. And I
do think that we need to, along the lines of the things you
said, give the ownership of the data to the person such that
they know what data is stored about them and where it is stored
and give them access to be able to pull data and to give them
control, and that is where NSTIC can come into place, control
of their own data as best we can.
Mr. Massie. I appreciate those comments. Speaking of
control over your own data, outside of criminal investigations,
we have all heard of DNA being used, are there any industrial
applications for DNA as an identifier?
Dr. Schuckers. DNA--well----
Mr. Massie. It is kind of, as you mentioned, it is the
upper echelon data that doesn't change about a person over
their lifespan. It is a little more intrusive to perhaps
collect than a facial recognition when you walk by a camera,
but give us an example of a DNA application outside of the
criminal aspect.
Dr. Schuckers. I do think there is the positive claim
aspects of it so if a person wants to emigrate, suppose they
have a familial relationship, this is an example of making a
positive claim of a relationship. The DNA can confirm that
claim in a way that is less hassle than trying to produce
documents, than interviews, and the other aspects of it. So
that is not commercial, that is still government, so I was
trying to struggle a little bit. I think you were asking----
Mr. Massie. No, that is actually the sort of answer I was
looking for, so it is a great answer. Thank you very much. I
yield back my time.
Chairman Bucshon. And I will recognize Ms. Wilson for 5
minutes.
Ms. Wilson. Thank you, Mr. Chair.
Dr. Schuckers, in your testimony, you mentioned a case
where a woman from South Korea used a special tape on her
fingers to spoof or fool a fingerprint recognition system at a
Japanese airport. I can also imagine a scenario where someone
else uses a photo or video to convince a camera that they are
indeed the person associated with an access card. As I
understand it, research into these vulnerabilities is termed
``liveness detection.'' Can you please describe how the
research community is attempting to detect false or fake
biometric traits, and how can we ensure someone is who they
claim to be when a biometric system is unattended?
Dr. Schuckers. Great. Thank you. This is some research that
I am doing in my laboratory and also being done at the Center
for Identification Technology Research. So essentially we
talked about what you know and what you have and that
biometrics is what you are, this kind of other dimension. But
as with all these other security mechanisms, it has
vulnerabilities, and this is the--one of the vulnerabilities we
need to be aware of. What we have to understand is if we are
utilizing biometrics in an application, there is a purpose for
recognizing someone's identity in that application, and so does
the biometric go towards improving the security that we need
with the caveats that we talk about. So we need to not throw
the baby out with the bathwater, essentially. I believe that
the biometric information can be very useful for some
applications because it is complimentary to the other ways we
identify people.
That being said, we know it is a vulnerability, therefore,
we need to do research in that vulnerability. That is one of
the things we do in our laboratory. I have a fake finger here
if anybody wants to see it afterwards. We are interested in not
faking but what we are interested in is building those
technologies that make it difficult for people to fake the
biometric. The word ``liveness'' is about recognizing that that
biometric was measured at that time. So even if your face is
not secret, knowing that I just took a picture of your face and
that you are physically there at that time, that tells you that
it is not a fake biometric. So that is the kind of research we
need to do is to build those.
You asked about what technologies are in place. There are
software methods that can recognize when someone is faking a
biometric. There are hardware methods, things that use light to
recognize a finger, for example, as a real finger, and so those
are the things that we need to continue to research and put in
place.
Ms. Wilson. Dr. Romine, what is NIST doing? What are their
efforts in liveness detection?
Dr. Romine. Well, I am pleased to say that one of the
efforts that NIST undertook was to provide a grant to Dr.
Schuckers to do research in this area.
Ms. Wilson. That is great.
Dr. Schuckers. Thank you very much.
Dr. Romine. We are also engaging--NIST is not currently
conducting internally in our intramural program liveness
detection research, although we understand, as Dr. Schuckers
mentioned, this is a vulnerability that we need to pay
attention to. We are engaging the international community in
the standards arena around trying to develop standards for this
kind of liveness detection, or anti-spoofing. So that is the
extent of our current activities, but we were pleased to be
able to provide support to a top scientist.
Ms. Wilson. Thank you. Dr. Romine, as you know, almost
everyone has a smartphone. They have gone from devices used to
call friends and family to being used to purchase coffee at
Starbucks or deposit checks, which raises privacy and security
concerns. In your testimony, you discuss several challenges
including compression and limited bandwidth communication
channels that need to be addressed before biometrics can be
fully implemented on mobile devices. Can you please speak to
what you are doing at NIST to help address the use of mobile
devices and privacy and security concerns?
Dr. Romine. Certainly. The use of biometrics is a very
context-dependent thing, and the idea of accepting a certain
vulnerability with the benefit that you accrue for using the
biometric is sort of an individual choice. But one of the
things that I would say that is very important is the idea of
ensuring encryption is done whenever biometric data or indeed
any personally identifiable information is transmitted through
mobile devices. I think without using that kind of encryption
or some other privacy-preserving technology, I think the
vulnerability is considerably larger.
Ms. Wilson. I will give back the balance of my time, which
is zero.
Chairman Bucshon. I now recognize Mr. Schweikert for his
questioning, five minutes.
Mr. Schweikert. Thank you, Mr. Chairman.
Have you ever wanted to start to engage in a conversation
with something like this but you are fearful you have watched
too much sci-fi in the past? But let us actually jump down the
line here. First off, fingerprint scanning technology is, what,
two generations ago? I mean, we may be still working on some of
the protocols and the security and mechanics but, I mean, we
were playing around with that in the early 1990s, if I reMember
one of my classes. So where are we at technology today? How
good is facial, body, human recognition getting through a
camera, and why don't we start down the right and work our way
over. Where are we at right now? What is cutting edge today?
Dr. Schuckers. Thank you. So I think a lot of the things
that we have brought up already are important, even
fingerprint, the issues are the scaling, you know, when you are
looking at using fingerprints in large-scale applications,
those are some of the challenges. Certainly, the security and
privacy side of a fingerprint----
Mr. Schweikert. But can you cite some of the challenge of
the box we are in of what is the most cutting-edge thing you
hear that is on the horizon right now?
Dr. Schuckers. I think the one area that could be
interesting is the mobile device knows you, right? So you want
to say cutting edge, so this isn't available now, but you can
see it in the near-term future if we do investment and research
but you don't necessarily have to do something very deliberate
for the mobile device to know who you are. So I think that
could be an area that we could invest in and it makes it easy
for people to authenticate.
Mr. Schweikert. Mr. Mears?
Mr. Mears. So if you are looking for cutting-edge
technology, and I would refer you to figure one of my written
testimony, there are a number of biometrics that are emerging,
many of them out of biomedical research. I will give you an
example of the evolving biometrics. One of them is scent, for
example. We have all known for years that dogs track us based
on our scent, which is genetically determined with a dietary
overlay.
Mr. Schweikert. That explains a lot of things at home.
Mr. Mears. Well, wouldn't it be great if you could reduce
that to a digital format and be able to reacquire that same
scent in multiple sensors. Dogs can't communicate to each other
once they communicate a scent. That is an example. Another one
is standoff technologies in general, being able to acquire
biometrics at a great distance for face, for iris, for
fingerprints, for example, but have not normally been done at a
distance.
Mr. Schweikert. Well, you are actually hitting to one. Back
in December, I reMember coming across an article that was
saying that experiments to enable to read iris at a distance.
True?
Mr. Mears. Yes, sir. Some of the commercial technology has
been on the order of 2 meters standoff that is commonly
available in our industry.
Mr. Schweikert. So literally I can be at a grocery store
register and it would be able to----
Mr. Mears. Potentially, and that is commercially available
today. There is research at Carnegie-Mellon, for example, that
is several tens of meters research, and I am seeing in the
laboratory more than that, and I can't say more than that. But
those are types of technologies for standoff iris.
Mr. Schweikert. Doctor, what is cutting edge out there?
What is on the horizon?
Dr. Romine. Well, I would revisit Dr. Schuckers' sort of
hierarchy of different biometrics, and as you point out,
fingerprints are widely understood, I think, or largely
understood, DNA even more so. All of the biometrics
technologies that range from fingerprints, iris, face
recognition, even gait, how someone walks, how someone types,
signatures, all of these things are improving as the technology
improves, the capabilities of technology and computation
improve.
Mr. Schweikert. Now, in the private-sector world, am I
heading towards a time where I walk into my grocery store and I
am going to pay with cash because I don't want it on the
database that I have a small Haagen-Dazs problem, and yet
somehow my Haagen-Dazs problem gets attached to my file because
I paid with cash but it picked up my gait, it picked up my
facial recognition, it picked up my iris, and where are we
going now in that type of data using biometrics to attach to
our personal data files that ultimately end up tagging the fact
I have high cholesterol and my insurance rate. Where are we
right now in that interlinking?
Dr. Romine. So I think this is the challenging intersection
between what the technology makes possible and what the policy
apparatus makes permissible, and I think from NIST's
perspective, at least, we focus entirely on the technology
side, measuring the capability of the technology, providing
testing infrastructure so that the community can improve its
technology. The policy apparatus is going to get increasingly
challenging, I think.
Mr. Schweikert. Mr. Chairman, I yield back, but, you know,
there does become sort of that future cascade effect,
particularly with health care and many of the other things out
there, these attachments. So thank you, Mr. Chairman.
Chairman Bucshon. I would agree with that, especially the
DNA analysis obviously is not an area that you can escape that.
You might detect that somebody is going to get Huntington's
chorea, for example, or some other thing that might identify
them as being not insurable or other issues. So we have got
challenges but it is a very exciting field.
At this point I would like to thank the witnesses for their
valuable testimony and the Members for their questions. The
Members of the Committee may have additional questions for you,
and we ask that you just respond to those in writing. The
record will remain open for two weeks for additional comments
and written questions from Members.
The witnesses are excused and the hearing is adjourned.
Thank you very much.
[Whereupon, at 11:03 a.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Answers to Post-Hearing Questions
Responses by Dr. Charles H. Romine
[GRAPHIC] [TIFF OMITTED] 81193.041
[GRAPHIC] [TIFF OMITTED] 81193.042
Responses by Mr. John Mears
[GRAPHIC] [TIFF OMITTED] 81193.043
[GRAPHIC] [TIFF OMITTED] 81193.044
Responses by Dr. Stephanie Schuckers
[GRAPHIC] [TIFF OMITTED] 81193.045
[GRAPHIC] [TIFF OMITTED] 81193.046
Appendix II
----------
Additional Material for the Record
Submitted statement of Representative Frederica S. Wilson,
Ranking Member, Subcommittee on Technology,
Committee on Science, Space, and Technology,
U.S. House of Representatives
Thank you, Mr. Chairman for holding this hearing on biometrics and
thank you to our witnesses for being here this morning.
Biometric technologies can offer a number of benefits. They can
increase security here at home by identifying terrorists or they can
provide those in the developing world with an ``official identity''
that will allow them to open a bank account, buy a home, or receive
public services. But there are also a number of privacy concerns
surrounding biometrics, especially in the context of facial
recognition.
Facial recognition raises special concern because the nature of the
technology allows it to be used without a person's knowledge or
consent. To be honest this offers an advantage from a security
standpoint, but it also raises a number of concerns.
There is a fear that remote surveillance will happen on a much
broader scale, not just in the airport, but that individuals will be
``tracked'' as they run their day to day errands.
This technology still has its limits. Facial recognition failed to
identify the two Boston bombers even though both had Massachusetts
driver's licenses and one was in an FBI database. But surveillance
cameras did help to ID the bombers. And the use of surveillance
sensors, both on the street and on-line, is increasing dramatically. As
biometrics technology improves how it is used will expand dramatically.
We have already begun to see the increased use of this technology by
corporations such as Google, Apple, Facebook, and others. In the future
this technology will not just be used to verify who you are, but who
you are with, your family and friends, where you shop and what you buy.
These coming biometric applications present serious privacy concerns
that have not been well addressed.
The simple fact is that for many of us our face and name are
already publically available online and taking that information to re-
identify us in our offline activities is not that big of a step.
You may recall a 2011 study where researchers at Carnegie Mellon
University were able to deduce portions of a person's social security
number from just an online photo.
The use of facial recognition technology beyond public safety--and
even how this technology is used in the context of public safety--need
to be carefully considered. I look forward to hearing from our
witnesses about the current and future uses of biometric technologies
and how we can reap the benefits of biometrics while also ensuring our
privacy.
Thank you, Mr. Chairman and I yield back the balance of my time.
�