[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                  THE CURRENT AND FUTURE APPLICATIONS

                       OF BIOMETRIC TECHNOLOGIES
=======================================================================



                             JOINT HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON RESEARCH &

                       SUBCOMMITTEE ON TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                         TUESDAY, MAY 21, 2013

                               __________

                           Serial No. 113-29

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov




                  U.S. GOVERNMENT PRINTING OFFICE
81-193                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001




              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              MARK TAKANO, California
KEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS STEWART, Utah
VACANCY
                                 ------                                

                        Subcommittee on Research

                   HON. LARRY BUCSHON, Indiana, Chair
STEVEN M. PALAZZO, Mississippi       DANIEL LIPINSKI, Illinois
MO BROOKS, Alabama                   ZOE LOFGREN, California
STEVE STOCKMAN, Texas                AMI BERA, California
CYNTHIA LUMMIS, Wyoming              ELIZABETH ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------                                

                       Subcommittee on Technology

                  HON. THOMAS MASSIE, Kentucky, Chair
JIM BRIDENSTINE, Oklahoma            FREDERICA S. WILSON, Florida
RANDY HULTGREN, Illinois             SCOTT PETERS, California
DAVID SCHWEIKERT, Arizona            DEREK KILMER, Washington
                                     EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas


                            C O N T E N T S

                         Tuesday, May 21, 2013

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Larry Bucshon, Chairman, Subcommittee 
  on Research, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................     6
    Written Statement............................................     7

Statement by Representative Daniel Lipinski, Ranking Member, 
  Subcommittee on Research, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................     8
    Written Statement............................................     9

                               Witnesses:

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology
    Oral Statement...............................................    11
    Written Statement............................................    14

Mr. John Mears, Board Member, International Biometrics and 
  Identification Association
    Oral Statement...............................................    27
    Written Statement............................................    29

Dr. Stephanie Schuckers, Director, Center for Identification 
  Technology Research
    Oral Statement...............................................    43
    Written Statement............................................    45

Discussion.......................................................    54

             Appendix I: Answers to Post-Hearing Questions

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology.....    64

Mr. John Mears, Board Member, International Biometrics and 
  Identification Association.....................................    66

Dr. Stephanie Schuckers, Director, Center for Identification 
  Technology Research............................................    68

            Appendix II: Additional Material for the Record

Submitted statement of Representative Frederica S. Wilson, 
  Ranking Member, Subcommittee on Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives..    72


                  THE CURRENT AND FUTURE APPLICATIONS



                       OF BIOMETRIC TECHNOLOGIES

                              ----------                              


                         TUESDAY, MAY 21, 2013

                  House of Representatives,
                                 Subcommittee on Research &
                                    Subcommittee Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:06 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Larry 
Bucshon [Chairman of the Subcommittee on Research] presiding.

[GRAPHIC] [TIFF OMITTED] 81193.001

[GRAPHIC] [TIFF OMITTED] 81193.002

[GRAPHIC] [TIFF OMITTED] 81193.003

[GRAPHIC] [TIFF OMITTED] 81193.004

    Chairman Bucshon. Good morning, everyone. This joint 
hearing of the Subcommittee on Research and the Subcommittee on 
Technology will come to order.
    Welcome to today's joint hearing entitled ``The Current and 
Future Applications of Biometric Technologies.'' In front of 
you are packets containing the written testimony, biographies 
and Truth in Testimony disclosures for today's witnesses.
    Before we get started, since this is a joint hearing 
involving two Subcommittees, I want to explain how we will 
operate procedurally so all Members understand how the 
question-and-answer session period will be handled. As always, 
we will alternate rounds of questioning between the majority 
and minority Members. The Chairmen and Ranking Members of the 
Research and Technology Subcommittees will be recognized first. 
Then we will recognize Members present at the gavel in order of 
seniority on the full Committee and those coming in later after 
the gavel will be recognized in order of arrival. I now 
recognize myself for five minutes for an opening statement.
    I would like to welcome everyone to this morning's hearing 
on the current and future applications of biometric 
technologies. I look forward to our witnesses' testimony on how 
this technology is developing and the ways biometrics might 
better the lives of my constituents and every American.
    Many of us have been introduced to biometric technologies 
by way of movies and TV shows, James Bond-style spy thrillers 
and the ever-present mega-vault secured with iris and palm 
scanners. While these examples portray a high-tech, futuristic 
technology that has little application to the average person, 
the reality is that biometric technologies have been utilized 
over the past two decades in many industries and fields. 
Whether being used to enhance security by controlling physical 
access to facilities or preventing fraud by controlling 
electronic access to computer networks, these practical 
applications affect everyone on an individual and collective 
scale. This includes safeguarding our international borders and 
protecting financial transactions, which is essential as 
technology rapidly advances and our world becomes more 
dependent on cyber infrastructure.
    Just last week, the Department of Homeland Security 
released a solicitation seeking information on commercially 
available live scan fingerprint systems for possible use by 
federal, state, and local law enforcement agencies. 
Additionally, they are researching ways for quicker 
identification by developing tablet-based technologies that can 
capture biometrics at the scene of a crime.
    Biometric research done by the National Institute of 
Standards and Technology, known as NIST, dates back to the 
1960s starting with fingerprint identification technology the 
FBI used to support law enforcement. Today, NIST continues 
their research in developing uses and enhancing different types 
of biometric technologies, including fingerprinting, face and 
iris scanning, voice recognition, and DNA testing.
    Biometric technologies are often touted as a democratic 
approach to identity management, because no language, gender, 
age, race, financial status, or literacy rate impedes their 
use. Because of this, many see biometrics playing a major role 
in fixing the so-called ``identity gap'' many developing 
countries face. For example, India has implemented a robust 
biometric identification program with the hopes of reducing 
fraud and corruption, ensuring credible elections, and 
improving national security.
    Additionally, biometric supporters point to the consumer's 
convenience of using biometric technologies. Many ask, why must 
we continue to carry key fobs, reMember passwords, and enter 
personal identification numbers when we can use uniquely 
personal physical patterns in place of additional items. 
Researchers at the University of California-Berkeley are 
developing a biometric security that uses brain waves to 
replace passwords, calling them passthoughts. That is pretty 
interesting.
    But with praise also comes concern such as, how can we 
ensure biometric data is secure and being used appropriately? 
My colleagues and I are looking forward to learning about the 
positive impacts biometric technologies might have in 
increasing convenience in our everyday lives and improving our 
personal and national security, while having an open discussion 
about policy implications and addressing the concerns that some 
might have. We have an excellent panel of witnesses ranging 
across industry, academia and government to lead our 
discussion.
    I would like to extend my appreciation to each of our 
witnesses for taking the time and effort to appear before us 
today. We look forward to your testimony.
    [The prepared statement of Mr. Bucshon follows:]

 Prepared Statement of Subcommittee on Research Chairman Larry Bucshon

    Good morning, I would like to welcome everyone to this morning's 
hearing on the current and future applications of biometric 
technologies. I look forward to our witnesses' testimony on how this 
technology is developing and the ways biometrics might better the lives 
of my constituents and every American.
    Many of us have been introduced to biometric technologies through 
by way of movies and TV shows --James Bond-style spy thrillers and the 
ever-present mega-vault secured with iris and palm scanners. While 
these examples portray a high-tech, futuristic technology that has 
little application to the average person, the reality is that biometric 
technologies have been utilized over the last two decades in many 
industries and fields. Whether being used to enhance security by 
controlling physical access to facilities or preventing fraud by 
controlling electronic access to computer networks, these practical 
applications affect everyone on an individual and collective scale. 
This includes safeguarding our international borders and protecting 
financial transactions, which is essential as technology rapidly 
advances and our world becomes more dependent on cyber infrastructure.
    Just last week, the Department of Homeland Security released a 
solicitation seeking information on commercially available live scan 
fingerprint systems for possible use by federal, state, and local law 
enforcement agencies. Additionally, they are researching ways for 
quicker identification by developing tablet-based technologies that can 
capture biometrics at the scene of a crime.
    Biometric research done by the National Institute of Standards and 
Technology, also known as NIST, dates back to the 1960's--starting with 
fingerprint identification technology the FBI used to support law 
enforcement.
    Today, NIST continues their research in developing uses and 
enhancing different types of biometric technologies, including 
fingerprinting, face and iris scanning, voice recognition and DNA 
testing.
    Biometric technologies are often touted as a democratic approach to 
identity management, because no language, gender, age, race, financial 
status, or literacy rate impedes their use. Because of this, many see 
biometrics playing a major role in fixing the so-called ``identity 
gap'' many developing countries face. For example, India has 
implemented a robust biometric identification program with the hopes of 
reducing fraud and corruption, ensuring credible elections, and 
improving national security.
    Additionally, biometric supporters point to the consumer's 
convenience of using biometric technologies. Many ask, why must we 
continue to carry key fobs, remember passwords, and enter personal 
identification numbers when we can use uniquely personal physical 
patterns in place of additional items? Researchers at the University of 
California-Berkley are developing a biometric security that uses brain 
waves to replace passwords--calling them ``passthoughts.''

    Chairman Bucshon. I now recognize Mr. Lipinski for his 
opening statement.
    Mr. Lipinski. Thank you, Chairman Bucshon. I want to thank 
you and Chairman Massie for holding this joint hearing to 
examine the use of biometric technologies. I also want to thank 
our witnesses for being here. I just want to know first, who is 
James Bond here?
    Right now, biometric technologies are used mostly by 
federal, state and local governments to identify criminals and 
to ensure our national security. Most people equate biometrics 
with fingerprints. This is because fingerprints have been used 
for more than a hundred years and automated recognition systems 
have been commercially available since the 1970s. In fact, the 
FBI has 110 million fingerprint records, the Department of 
Defense has 9.5 million, and the Department of Homeland 
Security has 156 million fingerprints in their database.
    But the landscape for biometric technologies is changing 
and other technologies are being rapidly deployed in other 
countries. For example, India is in the process of collecting 
biometric information for every single resident. They have 
already enrolled more than 300 million people and they are not 
just collecting fingerprints, but also iris scans. Efforts such 
as these could help combat fraud and waste, but also raise 
significant civil liberties concerns. Advances in facial 
recognition are being driven largely by companies such as 
Facebook and Google who are using facial recognition algorithms 
to ``tag'' people on social media.
    All of these technologies have their own advantages and 
disadvantages. For example, a suspect won't leave their iris 
scan behind at the scene of a crime as they would a 
fingerprint, but it appears that the characteristics of the 
iris remain more stable over a person's lifetime.
    The bottom line is there is enormous potential for these 
technologies, but there are also a number of research gaps. 
There are many questions and gaps of a scientific or technical 
nature. For example, as I mentioned earlier, it appears that 
the characteristics of the iris are fairly stable over time, 
but biometric technologies rely on the distinctiveness of an 
individual and there is a need to build up our fundamental 
understanding of how biometric traits vary not only between 
people, but as an individual ages.
    There are also many research questions related to the 
social and cultural aspects of biometrics. As I am sure we will 
hear today, a biometric system is only as good as the quality 
of data it collects. Even when a person is a willing provider 
of their biometric data, there is variation in the quality of 
that information, let alone when a person is noncompliant or 
they are actively trying to deceive the technology. 
Understanding how a person interacts with a biometric sensor 
and what impact social or cultural beliefs have on that 
interaction is key to obtaining quality data. For example, a 
person may be reluctant to touch a sensor out of a fear of 
germs or their religious beliefs may not permit them to show 
their face in public.
    As my colleagues are well aware, I have been passionate 
about the need to secure cyberspace. I often comment on the 
fact that most people use a few passwords for all of their 
online activities from banking to streaming movies. We all know 
that using the same password is not what we should do, but we 
do it anyway because it is just easier. Unfortunately, that 
password can be forgotten, guessed or stolen. Let me just say, 
I don't use the same password. I don't want to suggest that and 
give anyone ideas.
    Biometric technologies hold the potential to significantly 
increase cybersecurity because it is much more difficult to 
steal someone's fingerprint or a scan of their iris and you 
generally don't forget your finger at home, but these 
technologies are not widely deployed in the private sector.
    The National Institute of Standards and Technology is 
trying to address this through the National Strategy for 
Trusted Identities in Cyberspace, but there is a lot of work to 
be done. Part of this is because most biometric systems cost 
too much for commercial applications and there is no compelling 
business case for such an investment. Also, I, like most 
Americans, have some concerns about how the use of biometric 
technologies affects my privacy. I hope to ask the witnesses 
some questions about the security and privacy of biometric 
technologies later this morning. I am especially interested in 
learning more about the sharing of biometric data and the 
potential for secondary uses of these technologies.
    Mr. Chairman, I believe the potential of biometric 
technologies to enhance our security is great and worth 
pursuing, but I also believe we need to make certain that there 
are appropriate safeguards in place so these technologies are 
not abused.
    Thank you again for holding this hearing, and I yield back 
the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]

             Prepared Statement of Subcommittee on Research
                     Ranking Member Daniel Lipinski

    Good morning. I want to thank Chairman Bucshon and Chairman Massie 
for holding this joint hearing to examine the use of biometric 
technologies. I'd also like to thank our witnesses for being here 
today. I'm looking forward to your testimony.
    Right now, biometric technologies are used mostly by federal, 
state, and local governments to identify criminals and to ensure our 
national security. Most people equate biometrics with fingerprints. 
This is because fingerprints have been used for more than a 100 years 
and automated recognition systems have been commercially available 
since the 1970s. In fact, the FBI has 110 million fingerprint records, 
the Department of Defense has 9.5 million, and the Department of 
Homeland Security has 156 million fingerprints in their database.
    But the landscape for biometric technologies is changing and other 
technologies are being rapidly deployed in other countries. For 
example, India is in the process of collecting biometric information 
for every single resident. They have already enrolled more than 300 
million people and they are not just collecting fingerprints, but also 
iris scans. Efforts such as these could help combat fraud and waste, 
but also raise significant civil liberties concerns.
    Advances in facial recognition are being driven largely by 
companies such as Facebook and Google who are using facial recognition 
algorithms to ``tag'' people on social media.
    All of these technologies have their own advantages and 
disadvantages. For example, a suspect won't leave their iris scan 
behind at the scene of a crime as they would a fingerprint, but it 
appears that the characteristics of the iris remain more stable over a 
person's lifetime.
    The bottom line is there is enormous potential for these 
technologies, but there are also a number of research gaps. There are 
many questions and gaps of a scientific or technical nature. For 
example, as I mentioned earlier, it appears that the characteristics of 
the iris are fairly stable over time, but biometric technologies rely 
on the distinctiveness of an individual and there is a need to build up 
our fundamental understanding of how biometric traits vary not only 
between people, but as an individual person ages.
    But there are also many research questions related to the social 
and cultural aspects of biometrics. As I am sure we will hear today, a 
biometric system is only as good as the quality of data it collects. 
Even when a person is a willing provider of their biometric data, there 
is variation in the quality of that information let alone when a person 
is non-compliant or they are actively trying to deceive the technology. 
Understanding how a person interacts with a biometric sensor and what 
impact social or cultural beliefs have on that interaction is key to 
obtaining quality data. For example, a person may be reluctant to touch 
a sensor out of a ``fear of germs'' or their religious beliefs may not 
permit them to show their face in public.
    As my colleagues are well aware, I have been passionate about the 
need to secure cyberspace. I often comment on the fact that most people 
use a few passwords for all of their online activities from banking to 
streaming movies. We all know that using the same password is not what 
we should do, but we do it anyway because it is just easier. 
Unfortunately, that password can be forgotten, guessed or stolen.
    Biometric technologies hold the potential to significantly increase 
cybersecurity because it is much more difficult to steal someone's 
fingerprint or a scan of their iris and you generally don't forget your 
finger at home, but these technologies are not widely deployed in the 
private sector.
    The National Institute of Standards and Technology is trying to 
address this through the National Strategy for Trusted Identities in 
Cyberspace, but there is still a lot of work to be done. Part of this 
is because most biometric systems cost too much for commercial 
applications and there is no compelling business case for such an 
investment.
    Also, I, like most Americans have some concerns about how the use 
of biometric technologies affects my privacy. I hope to ask the 
witnesses some questions about the security and privacy of biometric 
technologies later this morning.
    I am especially interested in learning more about the sharing of 
biometric data and the potential for secondary uses of these 
technologies.
    Mr. Chairman, I believe the potential of biometric technologies to 
enhance our security is great and worth pursuing, but I also believe we 
need to make certain that there are appropriate safeguards in place so 
these technologies are not abused.

    Chairman Bucshon. For the record, I don't use the same 
password for all my things either, partially because of this 
type of stuff. Thank you, Dan, for those comments.
    If there are Members who wish to submit additional opening 
statements, your statements will be added to the record at this 
point.
    Chairman Bucshon. It is now time to introduce our panel of 
witnesses. Our first witness is Dr. Charles Romine, the 
Director of the Information Technology Laboratory at the 
National Institute of Standards and Technology. ITL is one of 
six research laboratories within NIST and conducts research 
addressing measurement challenges and information technology as 
well as issues of information and software quality, integrity 
and usability. ITL is also charged with leading the Nation in 
using existing and emerging IT to help meet national 
priorities. Dr. Romine holds a B.A. in mathematics and a Ph.D. 
in applied mathematics from the University of Virginia. 
Welcome.
    Our second witness is Mr. John Mears, a Board Member of the 
International Biometrics and Identification Association. He is 
currently the Senior Fellow for IT and Security Solutions at 
Lockheed Martin. Mr. Mears has worked on program performance 
segment strategy and technology plans for biometric 
identification and verification applications supporting the 
homeland security, defense and law enforcement communities. He 
holds both bachelor's and master's degrees in electrical 
engineering from the University of Florida. Welcome.
    Our final witness is Dr. Stephanie Schuckers, the Director 
of the Center for Identification Technology Research, or CITeR. 
She is currently Professor in the Department of Electrical 
Engineering, Computing Engineering at Clarkson University. Her 
research focuses on processing and interpreting signals which 
arise from the human body. Dr. Schuckers received her doctorate 
degree in electrical engineering from the University of 
Michigan.
    As our witnesses should know, spoken testimony is limited 
to five minutes after which Members of the Committee have five 
minutes each to ask questions. Your written testimony will be 
included in the record of the hearing.
    I now recognize our first witness, Dr. Romine, for five 
minutes.

          TESIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairman Bucshon, Chairman Massie, Ranking 
Member Lipinski, Ranking Member Wilson and Members of the 
Subcommittees, I am Chuck Romine, Director of the Information 
Technology Lab at NIST, and thank you for the opportunity to 
appear before you today to discuss our role in standards and 
testing for biometrics.
    NIST has nearly five decades of experience in proving human 
identification systems. NIST responds to government and market 
requirements for biometric standards by collaborating with 
Federal agencies, academia and industry to support development 
of biometric standards, conformance testing architectures and 
tools, research advanced biometric technologies, and develop 
metrics for standards and interoperability of electronic 
identities.
    NIST research provides state-of-the-art technology 
benchmarks and guidance to U.S. government and industry. To 
achieve this, NIST actively participates in Federal biometric 
committees and national and international standards-developing 
organizations.
    Biometric technologies can provide a means for recognizing 
individuals based on one or more physical or behavioral 
characteristics. These can be used to establish or verify 
personal identity of enrolled individuals. By statute and 
Administration policy, NIST encourages and coordinates Federal 
agency use of voluntary consensus standards and participation 
in the development of relevant standards and promotes 
coordination between public and private sectors in the 
development of standards and conformity assessment activities. 
NIST collaborates with industry to develop a consensus standard 
that is used around the world to facilitate interoperable 
biometric data exchange. The standard is evolving to support 
law enforcement, homeland security, forensics, and disaster 
victim identification.
    Internationally, NIST leads development of biometric 
standards that have received widespread acceptance. Use of 
these standards is mandatory by large international 
organizations for identification and verification of travelers 
at border crossings.
    In response to the Homeland Security Presidential Directive 
12, NIST developed a standard to improve the identification and 
authentication of Federal employees and contractors for access 
to Federal facilities and IT systems. NIST is updating the 
standards and guidelines for iris and facial images and 
private-enhancing on-card comparison. NIST leads the 
development of conformance test suites for implementations of 
national and international biometric standards.
    At the request of DHS, NIST assisted with conformance 
testing for Transportation Worker Identification Credential 
specifications resulting in TSA issuing a smart card with the 
worker's fingerprint for identity verification. To assist in 
qualifying products to TWIC specifications, three independent 
testing laboratories have been accredited by NIST and card 
reader products from about 20 vendors have passed testing.
    Understanding capabilities and improving performance of 
biometric technologies requires a robust testing 
infrastructure. For more than a decade, NIST has been 
conducting large biometric technology challenge programs to 
motivate the global biometric community, to dramatically 
improve the performance and interoperability of biometric 
systems, foster standards adoption, and support global 
deployment, and achieve an order of magnitude or better 
accuracy gains.
    NIST is also working to advance biometrics through the 
National Strategy for Trusted Identities in Cyberspace, or 
NSTIC, a White House initiative focused on catalyzing the 
private sector to create an identity ecosystem. Two NSTIC 
pilots involve biometrics for authentication, one based on the 
use of a signature, a second based on smartphone voice and 
facial recognition.
    The NSTC National Biometrics Challenge 2011 report included 
a few key challenges to the future application of biometrics 
technologies including research in the privacy and usability of 
biometrics. For privacy, NIST is collaborating to advance 
technical methods to safeguard and control the use of 
biometrics through methods such as liveness detection and 
biometric template protection.
    Usability is a priority for deploying biometric systems 
within the Federal Government. NIST was identified in a recent 
National Academies report as one of only two organizations 
addressing usability in biometric systems. NIST has applied its 
usability expertise to several studies involving biometric 
systems. As a result of one study, all of the fingerprint 
scanners at U.S. ports of entry are now angled to improve the 
collection process.
    In summary, NIST has a diverse portfolio of activities 
supporting our Nation's biometric needs. With NIST's extensive 
experience and broad array of expertise, both in its 
laboratories and in its collaborations with U.S. industry and 
other government agencies, NIST is actively pursuing the 
standards and measurement research necessary to deploy 
interoperable, secure, reliable and usable biometric systems.
    Thank you for the opportunity to testify on NIST's 
activities in biometrics, and I would be happy to answer any 
questions that you may have.
    [The prepared statement of Dr. Romine follows:]
    [GRAPHIC] [TIFF OMITTED] 81193.005
    
    [GRAPHIC] [TIFF OMITTED] 81193.006
    
    [GRAPHIC] [TIFF OMITTED] 81193.007
    
    [GRAPHIC] [TIFF OMITTED] 81193.008
    
    [GRAPHIC] [TIFF OMITTED] 81193.009
    
    [GRAPHIC] [TIFF OMITTED] 81193.010
    
    [GRAPHIC] [TIFF OMITTED] 81193.011
    
    [GRAPHIC] [TIFF OMITTED] 81193.012
    
    [GRAPHIC] [TIFF OMITTED] 81193.013
    
    [GRAPHIC] [TIFF OMITTED] 81193.014
    
    [GRAPHIC] [TIFF OMITTED] 81193.015
    
    [GRAPHIC] [TIFF OMITTED] 81193.016
    
    [GRAPHIC] [TIFF OMITTED] 81193.017
    
    Chairman Bucshon. Thank you for your testimony.
    I now recognize our next witness, Mr. Mears, for five 
minutes.

                  TESIMONY OF MR. JOHN MEARS,

             BOARD MEMBER, INTERNATIONAL BIOMETRICS

                 AND IDENTIFICATION ASSOCIATION

    Mr. Mears. Thank you. Chairman Bucshon, Chairman Massie, 
Ranking Member Lipinski, Members of the Committee, good 
morning, and thank you for inviting the International 
Biometrics and Identification Association to this hearing. The 
IBIA is a nonprofit trade group that advocates and promotes the 
responsible use of technologies for managing human identity.
    As the Committee is well aware, biometrics is not new, 
unproven or radical. People have developed means throughout 
recorded history to uniquely identify themselves starting with 
the first handprint signatures of authors of cave paintings on 
walls 31,000 years ago. In fact, I think it is an injustice 
that the first caveman wasn't given prior art credit by the 
Patent Office for what has evolved into modern hand geometry 
and palm print biometrics. And as a serious aside, I would note 
that in the last week, the FBI has added a national palm print 
capability to its Next-Generation Identification system.
    My written testimony addresses the Committee's questions in 
detail. In my oral comments this morning, I want to highlight 
some key points about biometric identification that do not 
always receive the attention they should. From an industry 
perspective, biometric technology is real and working today. 
There are successful U.S. government programs that prove this; 
for identification, IAFIS, NGI, U.S. VISIT, DOD ABIS; for 
verification, HSPD-12 PIV, DOD CAC, TWIC.
    Biometrics have evolved from custom development to 
integration of commercial components. An example is the 1999 
first implementation of IAFIS versus the 2013 version of Next 
Generation Identification, which in large part uses COTS 
algorithms, commercial off-the-shelf algorithms. Biometric 
systems have improved sharply in accuracy. I can cite IAFIS at 
92 percent versus NGI at 99.6 percent accuracy.
    Biometrics provide greater security and privacy than 
alternate means of identification including IDs and passwords 
which are vulnerable and becoming obsolete, as the Chairman 
observed; and biographics, which are subject to error, spoofing 
and identity theft. New applications will develop in the 
private sector in health care and finance, and perhaps 
significantly, mobility and smart consumer devices will 
probably in large part drive the acceptance and the need for 
the security and convenience that biometrics provide.
    The common thread from 31,000 years ago is that it matters 
who I am. No matter the period of history, identifying 
ourselves is an important function, so much a part of our lives 
that we sometimes take it for granted. In practice, we identify 
ourselves by our biometrics, our biographics and our behaviors 
as illustrated in figure 1 in my written testimony. A biometric 
is a measurable biological or anatomical and physiological or 
behavioral characteristic that can be used for automated 
recognition. The figure shows a sampling of biometric types, 
and we are all familiar with the most common of these since 
they include things like fingerprints, faces, irises, our 
voices and DNA.
    There are in fact a number of others that are shown in the 
figure including some that are emerging in future applications. 
The most useful of these exhibit permanence. They can be easily 
observed, measured and automated, and the best ones are very 
discriminating to the individual and are hard to spoof or 
reproduce.
    Biographics are descriptors that are assigned by others or 
that we attribute to ourselves but can change over time as we 
live our lives. These include things like our names, our 
addresses, our public records, our Social Security numbers. 
Biographics are useful for identification but are generally 
less accurate because they do change over time and can be 
publicly discovered and spoofed, for instance, in the case of 
identity theft, and public records sometimes contain errors 
that are problematic, for instance, name misspellings versus 
watch lists or errors in credit reports, which actually has 
happened to me.
    Behaviors are descriptors of our actions over periods of 
time. Group behavior can be observed, for example, in postings 
on social networking sites, through online transactions, phone 
records, emails and affiliations. Individual behavior includes 
such things as handwriting composition style, keystroke 
dynamics, walking gait and online behavior. Many of these 
individual behaviors can be difficult to capture and analyze at 
present but are potentially very useful, particularly for 
logical and cyber security. In practice, many techniques for 
authentication and identification use a combination of 
descriptors of identity. However, if you have to single out one 
technique, biometrics are the most convenient, reliable and 
secure means available today.
    Biometrics are, by their definition, personal for all of 
us. It matters who we are, both to ourselves and to the people 
with whom we have personal and transactional relationships. 
With the advancement of sensors and computing capability to 
digitally represent and process biometrics, our lives can be 
made more secure and more convenient on an individual level as 
well as for our society. Biometrics are proven and effective 
when managed properly.
    Thank you for your time and consideration today. I look 
forward to your questions.
    [The prepared statement of Mr. Mears follows:]
    [GRAPHIC] [TIFF OMITTED] 81193.018
    
    [GRAPHIC] [TIFF OMITTED] 81193.019
    
    [GRAPHIC] [TIFF OMITTED] 81193.020
    
    [GRAPHIC] [TIFF OMITTED] 81193.021
    
    [GRAPHIC] [TIFF OMITTED] 81193.022
    
    [GRAPHIC] [TIFF OMITTED] 81193.023
    
    [GRAPHIC] [TIFF OMITTED] 81193.024
    
    [GRAPHIC] [TIFF OMITTED] 81193.025
    
    [GRAPHIC] [TIFF OMITTED] 81193.026
    
    [GRAPHIC] [TIFF OMITTED] 81193.027
    
    [GRAPHIC] [TIFF OMITTED] 81193.028
    
    [GRAPHIC] [TIFF OMITTED] 81193.029
    
    [GRAPHIC] [TIFF OMITTED] 81193.030
    
    [GRAPHIC] [TIFF OMITTED] 81193.031
    
    Chairman Bucshon. Thank you.
    I now recognize our final witness, Dr. Schuckers, for five 
minutes.

              TESIMONY OF DR. STEPHANIE SCHUCKERS,

    DIRECTOR, CENTER FOR IDENTIFICATION TECHNOLOGY RESEARCH

    Dr. Schuckers. Thank you very much for the opportunity to 
testify to you today.
    There is a need to establish a trusted relationship between 
individuals and between individuals and organizations in order 
to support e-commerce, worker and employer interactions, 
delivery of benefits, movement of individuals, social 
connections and health care, and as the other testimonies 
pointed out, there are many ways to establish a trusted 
relationship, and they include what you have like credit cards 
and passports; what you know, passwords, PINs, mother's maiden 
name; and who you are, biometrics, the topic today.
    Transactions in the past have primarily rested on what you 
have and what you know. The addition of biometrics adds another 
dimension of security. Emerging is the use of biometrics as 
part of authentication to support transactions over the 
Internet, including mobile payments. With weaknesses in 
passwords alone, combining authentication with a biometric 
reduces the amount of private information that would need to be 
revealed repeatedly in order to reestablish a trusted 
relationship. Depending on the transaction, levels of trust can 
be created by combinations of different forms of 
authentication. This is supported by the National Strategy for 
Trusted Identities in Cyberspace, NSTIC, and is included in my 
recommendations in my written testimony.
    Creating and enabling those trusted relationships makes it 
more difficult for those who seek to destroy that trust through 
cyber crime, terrorism and identity theft. Similarly, in our 
counterterrorism efforts, knowledge of the individual is a 
critical aspect in sorting out those minority of individuals 
who seek to do us harm where biometrics is a critical tool in a 
large toolbox of ways to identify those individuals.
    To support these efforts, I highlight two recommendations 
in my written testimony. The first recommendation: invest in 
fundamental research for enhancement of privacy within 
biometric systems and develop policies which encourage the 
inclusion of privacy-preserving techniques. As with other 
personal information, biometric information must be protected 
and remain confidential. One example of methods in the research 
community and in some of the commercial sectors is something 
called template protection. This is where biometric matching is 
performed in an encrypted domain such that biometric 
information is not disclosed at any point. Another is liveness 
detection. This protects vulnerability when an attacker creates 
and uses an artificial biometric--James Bond. Continuous 
attention is required in order to stay one step ahead of those 
who seek to defeat those security mechanisms. Privacy and 
security are often spoken in terms of tradeoffs, giving up 
privacy in order to achieve security. The research goal is to 
actually change the paradigm where we can look to maximize both 
privacy and security with some of these methods.
    Recommendation two: invest in fundamental research 
challenges in biometrics through the cooperation of government, 
industry and academia. Investment in fundamental research is 
needed to provide the foundation for biometrics in the future. 
It includes such things as studying uniqueness and the 
permanence of biometrics traits that have been mentioned in 
some of the other comments.
    Other related recommendations in my written testimony have 
to do with enhancing data sharing to support research and 
increasing our cybersecurity workforce, including those who 
have expertise in biometric systems.
    As a unique structure for pursuing research, I would like 
to highlight the Center for Identification Technology Research, 
CITeR, of which I am the Director. CITeR is a National Science 
Foundation industry-university cooperative research center, and 
it focuses on biometrics. CITeR functions as a cooperative of 
industry such as system integrators, technology providers, 
small businesses, and government organizations such as the FBI, 
DHS and DOD. Projects are defined by faculty through 
interfacing with that community and integrating their research 
needs. Outcomes include creating workforce trained in the 
industry and government needs but also promoting innovation 
through translation of research to commercial products and 
creating jobs.
    In summary, research, close collaboration between industry, 
government, academia and investment in education will continue 
to make the United States the best in the world. In biometrics, 
this investment can reap benefits for improving our security in 
cyberspace, protecting our national security and stimulating 
our economy as a leader in the technology of the future. Thank 
you very much.
    [The prepared statement of Dr. Schuckers follows:]
    [GRAPHIC] [TIFF OMITTED] 81193.032
    
    [GRAPHIC] [TIFF OMITTED] 81193.033
    
    [GRAPHIC] [TIFF OMITTED] 81193.034
    
    [GRAPHIC] [TIFF OMITTED] 81193.035
    
    [GRAPHIC] [TIFF OMITTED] 81193.036
    
    [GRAPHIC] [TIFF OMITTED] 81193.037
    
    [GRAPHIC] [TIFF OMITTED] 81193.038
    
    [GRAPHIC] [TIFF OMITTED] 81193.039
    
    [GRAPHIC] [TIFF OMITTED] 81193.040
    
    Chairman Bucshon. Thank you, and I thank the witnesses for 
their testimony, reminding Members that Committee rules limit 
questioning to five minutes. The Chair at this point will open 
the round of questioning. I recognize myself for five minutes.
    Just an overriding question for all three of the panelists, 
why isn't biometric technology being more quickly integrated 
into our everyday lives? Is there financial barrier, a security 
barrier, a privacy barrier? And if so, where do you think the 
bottleneck comes from? Does it come from research and 
development or application or deployment, or where? Dr. Romine?
    Dr. Romine. Yes, I would like to take that. I think there 
are a number of possible reasons, and one of the reasons for 
establishing the National Strategy for Trusted Identities in 
Cyberspace is to try to catalyze greater adoption of identify 
management technologies broadly speaking. At NSTIC, some of the 
grant activity goes to trying to explore the use of biometrics 
as part of that ecosystem. I think a lot of it also is sort the 
maturity of the technology. So I think one of the roles that 
NIST has to play with industry is trying to advance the state-
of-the-art in a way that we get greater confidence.
    Mr. Mears. One of the observations that industry would make 
is that we sometimes see quantum advancements in technology as 
a result of what we call a ``killer app.'' That is, there is a 
compelling application that is popular with masses of people, 
perhaps consumers, that drives adoption of a particular 
technology. We think that in the realm of mobility, the 
proliferation of smart devices, the drive for convenience and 
personalization of these devices and the need to hold those 
devices securely will drive adoption of biometrics into 
consumer devices, which will drive volume and in fact drive 
acceptance generationally over time that we think will allow us 
to permeate--allow it to permeate other industries and 
applications.
    Dr. Schuckers. I guess I would agree with the other two. I 
think it is looking to get that perfect storm. As many of us 
have, we have a fingerprint reader on our laptops. It doesn't 
do anything besides get us into the laptop. I think that is 
where the mobile devices come in. As we use our mobile devices 
as a form of payment, now there is a value associated with 
those mobile devices, and that is that killer app that we are 
talking about. And then it comes to the convenience of it. It 
is frustrating, as we talked about, to have to remember long, 
secure passwords, or we use simple passwords that we use in 
multiple places. By making the convenience of a simple swipe or 
a face on your mobile phone, that is where the demand comes 
because you want your phone protected because it pays for 
things. An enabling thing is NSTIC, National Strategy for 
Trusted Identities in Cyberspace. That provides that 
interoperability and standards such that when you do that 
authentication, it goes somewhere, and it gives you that 
process such that you have that secure transaction.
    Chairman Bucshon. Thank you. I am going to make an 
editorial comment and then I will have some other questions. I 
was in health care before this, and I did a lot of my training 
and practice trauma-related-type things, and I can tell you, at 
medical centers, the number of people who come in unidentified 
is fairly significant, and biometric technology used in that 
application would be extremely helpful to identify people for 
family notification or other reasons.
    That said, is there one area that maybe all of you can 
comment on that you think that this could really revolutionize 
how we live our everyday lives? Is there a game-changing area 
that you think potentially that we should focus on first maybe 
or, you know, a few that would really make a revolutionary 
change in the way we live our everyday lives. For example, in 
my view, you know, online purchasing security or some other 
thing, and what ones maybe we are close to being able to apply 
broadly that would change people's lives. Dr. Romine?
    Dr. Romine. Well, I think you have probably hit on one, 
which is that acceptance is going to be driven by providing 
added value to the customer, and the customer in this case is 
going to have to be sort of the American citizen perhaps rather 
than government-only applications. For that, the usability of 
these systems is absolutely crucial. There has to be both value 
added and a good customer experience that adds to the 
efficiency of the transaction, the effectiveness of the 
transaction, and satisfaction for the user.
    Chairman Bucshon. I am running out of time, so if you could 
be brief. Mr. Mears?
    Mr. Mears. Okay. I will just add on what I said before. So 
the rumors in the industry are the Apple 5S iPhone is scheduled 
to come out this summer with a fingerprint reader, and we think 
this is going to be an enabling technology. It allows that 
platform to do a number of different applications, and we think 
it will launch from there once the platform is enabled by 
biometrics.
    Chairman Bucshon. Dr. Schuckers?
    Dr. Schuckers. I agree with what the other two Members have 
said that are testifying today. I think the killer app is the 
mobile payment system, and I think the driver is the customer 
who wants their phone to recognize them when they are holding 
it, essentially.
    Chairman Bucshon. Thank you. I now recognize Mr. Lipinski 
for his questions.
    Mr. Lipinski. Thank you, Mr. Chairman. What you are talking 
about here, I don't know if I should start going down this road 
but I am going to quickly do it.
    Why have we not gotten there yet? I think most people feel 
like they would pay something extra. If I didn't have to 
remember all my passwords, I would pay something extra for that 
if I could use a fingerprint, if I could, you know, go purchase 
something, plug it in the USB port, use my fingerprint. How 
come it hasn't happened yet up to this point, if you can be--if 
anyone has a very brief answer to why to this so we can move 
on. Mr. Mears?
    Mr. Mears. One of the things I would observe is that many 
applications are kind of stovepiped, that is the applications 
that you access on a daily basis, and they don't share 
application data from one to the next, and so there is no real 
uniform way of communicating between those. So it leads to this 
stovepipe approach that doesn't lend itself to what we look for 
what we call unitary logon, the convenience of having one logon 
with security including biometrics that gives you access to 
multiple different types of applications. In government 
services, the migration to the cloud, cloud computing, actually 
helps security and helps that convenience because it puts those 
apps within a cloud community that has a security structure 
that is amenable to unitary logon, and so you are going to see 
advancements as a result of that. But I think in short, that is 
the reason.
    Mr. Lipinski. Okay. When Apple comes out with this 
fingerprint reader on the new iPhone, how does that get past 
that issue?
    Mr. Mears. Well, certainly for the apps that we all know 
and love on our mobile phones, it can be an enabler that will 
be accessed for those apps. My comment was more to the large IT 
systems that reside elsewhere, perhaps in government service, 
but for the app side, it will definitely drive convenience.
    Mr. Lipinski. Okay. I am going to move on. Dr. Schuckers, 
do you want to add something quickly?
    Dr. Schuckers. Well, I was just going to say that NSTIC is 
also creating this independent, private identity broker, and 
through that brokerage, you can be--that can be your interface 
to all of those places where you need to provide that password, 
and so that is an enabler essentially to get at what you want. 
So the phone can provide it but really you also need that 
broker who can to say to this application, yes, that this is 
the right person to get access without giving all the 
information away, right? They--you authenticate with them like 
a PayPal but an expanded sort of PayPal.
    Mr. Lipinski. How far are we away from that?
    Dr. Romine. Well, the NSTIC program is relatively new. The 
grants that have gone out are in their first year of full gear-
up, but I would say we are optimistic that the program, which 
is slated to be essentially a five-year program, will actually 
catalyze a lot of what Dr. Schuckers was talking about with 
regard to establishing that ecosystem that is interoperable 
with the pillars of privacy, transparency, usability and so on 
as a driver.
    Mr. Lipinski. Thank you. Another question, Dr. Schuckers. 
You talked about in your testimony that biometrics provide 
uniqueness and permanence. You also state that much of the 
funding for biometrics is focused on near-term implementation 
challenges, and more research is needed to provide a foundation 
for biometrics. Can you describe the foundational research that 
is needed, and which biometric traits are more stable over 
time, which are more unique? How do you find that balance?
    Dr. Schuckers. Thank you. So we think of biometrics as all 
being equal. You know, you hear people say, look, this is a 
biometric, X is a biometric, and really, biometrics isn't that 
way because it has these two fundamental properties, which you 
highlighted: uniqueness and permanence. And so uniqueness has 
to do with your ability to distinguish an individual in a 
thousand individuals, a million individuals, and so if we talk 
about the uniqueness aspects, we think of DNA as kind of one 
echelon. Then the next echelon would be finger where 10 
fingerprints is better able to distinguish people than one 
fingerprint. Look at iris. An iris would be equivalent to a 
fingerprint--two irises, to multiple fingerprints. And then we 
have other levels of things like voice recognition and face 
recognition and all of the emerging biometrics, and so this is 
where the research is to understand what the capability is and 
how it fits into the application. If you are doing a one-on-one 
transaction on your phone, for the most part your phone only 
sees you on a regular basis and you want to protect--you might 
not need one-in-a-billion kind of accuracy. You may be 
satisfied with one in a thousand because you get more 
convenience.
    The other aspect is the permanence, and the permanence has 
to do with, does the biometric vary over time. We all know our 
face varies over time. So that is the other kind of studies. 
Essentially, the biometrics are changing. We want diversity in 
the biometric market to look at different applications of 
biometrics but we need to understand what its capabilities are 
so we can weigh them, depending on the application.
    Mr. Lipinski. Thank you.
    Chairman Bucshon. Thank you. I now recognize Mr. Massie for 
his line of questioning.
    Mr. Massie. So my first question deals with the possibility 
of mission creep here. When Social Security numbers were 
created, they were ostensibly to tract retirement benefits but 
now you need a Social Security number and you need to provide 
it to purchase even health insurance, and there has been recent 
interest in using biometrics, I think, to curb immigration 
violations. But at some point it seems as if we might need to 
provide proof of self to check out a library book or to rent a 
house or even just to attend a sporting event or log on to the 
Internet. How is industry ameliorating these concerns, these 
privacy concerns, right now? Mr. Mears?
    Mr. Mears. Yes, I will address that. One of the things that 
we believe is that for every application, there must be a 
privacy policy. If there is something related to personally 
identifiable information that is going to facilitate that 
application, it has to be transparent, published, it has got to 
specify what data is taken, when, under what circumstances, 
with whom will it be shared, how long will it be retained, and 
in fact, there have to be sufficient hooks in the application 
such that you can verify the application conforms to the 
policy, and in the best case, an independent ability to audit 
the policies implemented for that particular application. That 
is what we believe constitutes good privacy, and we would like 
to see that across every application that requires the 
provision of personally identifiable information, and certainly 
the government does that now. We would like to see that in 
industry as well.
    Mr. Massie. So my concern becomes when you take a new 
technology and it intersects a new piece of legislation. So for 
instance, in the House we just passed the Cyber Intelligence 
Sharing and Protection Act where companies, private companies, 
are now absolved of any liability in private contracts with 
their consumers if they share that information with the 
government. And so it seems to me as if this biometric 
information once it is ones and zeros would be part of that 
sharable set of data. Dr. Schuckers, do you have any comment on 
that?
    Dr. Schuckers. Yes, I do agree that we need to treat a 
biometric just like we treat the other information about 
ourselves, and I think that we are grappling with this 
explosion of data about ourselves. It is not just biometric 
data, it is all the biographical data we are talking about, but 
it is also our movements, our shopping habits, where we have 
been. There is this explosion of data and there is an explosion 
of data in the commercial sector. The government has 
limitations on what they can do with data and particular 
biometric data. Where is the equivalent on the commercial side? 
And so I think that we are wrestling with this as a society. 
Biometric is one piece of information but it is in the context 
of a lot of other information that is collected about us. And I 
do think that we need to, along the lines of the things you 
said, give the ownership of the data to the person such that 
they know what data is stored about them and where it is stored 
and give them access to be able to pull data and to give them 
control, and that is where NSTIC can come into place, control 
of their own data as best we can.
    Mr. Massie. I appreciate those comments. Speaking of 
control over your own data, outside of criminal investigations, 
we have all heard of DNA being used, are there any industrial 
applications for DNA as an identifier?
    Dr. Schuckers. DNA--well----
    Mr. Massie. It is kind of, as you mentioned, it is the 
upper echelon data that doesn't change about a person over 
their lifespan. It is a little more intrusive to perhaps 
collect than a facial recognition when you walk by a camera, 
but give us an example of a DNA application outside of the 
criminal aspect.
    Dr. Schuckers. I do think there is the positive claim 
aspects of it so if a person wants to emigrate, suppose they 
have a familial relationship, this is an example of making a 
positive claim of a relationship. The DNA can confirm that 
claim in a way that is less hassle than trying to produce 
documents, than interviews, and the other aspects of it. So 
that is not commercial, that is still government, so I was 
trying to struggle a little bit. I think you were asking----
    Mr. Massie. No, that is actually the sort of answer I was 
looking for, so it is a great answer. Thank you very much. I 
yield back my time.
    Chairman Bucshon. And I will recognize Ms. Wilson for 5 
minutes.
    Ms. Wilson. Thank you, Mr. Chair.
    Dr. Schuckers, in your testimony, you mentioned a case 
where a woman from South Korea used a special tape on her 
fingers to spoof or fool a fingerprint recognition system at a 
Japanese airport. I can also imagine a scenario where someone 
else uses a photo or video to convince a camera that they are 
indeed the person associated with an access card. As I 
understand it, research into these vulnerabilities is termed 
``liveness detection.'' Can you please describe how the 
research community is attempting to detect false or fake 
biometric traits, and how can we ensure someone is who they 
claim to be when a biometric system is unattended?
    Dr. Schuckers. Great. Thank you. This is some research that 
I am doing in my laboratory and also being done at the Center 
for Identification Technology Research. So essentially we 
talked about what you know and what you have and that 
biometrics is what you are, this kind of other dimension. But 
as with all these other security mechanisms, it has 
vulnerabilities, and this is the--one of the vulnerabilities we 
need to be aware of. What we have to understand is if we are 
utilizing biometrics in an application, there is a purpose for 
recognizing someone's identity in that application, and so does 
the biometric go towards improving the security that we need 
with the caveats that we talk about. So we need to not throw 
the baby out with the bathwater, essentially. I believe that 
the biometric information can be very useful for some 
applications because it is complimentary to the other ways we 
identify people.
    That being said, we know it is a vulnerability, therefore, 
we need to do research in that vulnerability. That is one of 
the things we do in our laboratory. I have a fake finger here 
if anybody wants to see it afterwards. We are interested in not 
faking but what we are interested in is building those 
technologies that make it difficult for people to fake the 
biometric. The word ``liveness'' is about recognizing that that 
biometric was measured at that time. So even if your face is 
not secret, knowing that I just took a picture of your face and 
that you are physically there at that time, that tells you that 
it is not a fake biometric. So that is the kind of research we 
need to do is to build those.
    You asked about what technologies are in place. There are 
software methods that can recognize when someone is faking a 
biometric. There are hardware methods, things that use light to 
recognize a finger, for example, as a real finger, and so those 
are the things that we need to continue to research and put in 
place.
    Ms. Wilson. Dr. Romine, what is NIST doing? What are their 
efforts in liveness detection?
    Dr. Romine. Well, I am pleased to say that one of the 
efforts that NIST undertook was to provide a grant to Dr. 
Schuckers to do research in this area.
    Ms. Wilson. That is great.
    Dr. Schuckers. Thank you very much.
    Dr. Romine. We are also engaging--NIST is not currently 
conducting internally in our intramural program liveness 
detection research, although we understand, as Dr. Schuckers 
mentioned, this is a vulnerability that we need to pay 
attention to. We are engaging the international community in 
the standards arena around trying to develop standards for this 
kind of liveness detection, or anti-spoofing. So that is the 
extent of our current activities, but we were pleased to be 
able to provide support to a top scientist.
    Ms. Wilson. Thank you. Dr. Romine, as you know, almost 
everyone has a smartphone. They have gone from devices used to 
call friends and family to being used to purchase coffee at 
Starbucks or deposit checks, which raises privacy and security 
concerns. In your testimony, you discuss several challenges 
including compression and limited bandwidth communication 
channels that need to be addressed before biometrics can be 
fully implemented on mobile devices. Can you please speak to 
what you are doing at NIST to help address the use of mobile 
devices and privacy and security concerns?
    Dr. Romine. Certainly. The use of biometrics is a very 
context-dependent thing, and the idea of accepting a certain 
vulnerability with the benefit that you accrue for using the 
biometric is sort of an individual choice. But one of the 
things that I would say that is very important is the idea of 
ensuring encryption is done whenever biometric data or indeed 
any personally identifiable information is transmitted through 
mobile devices. I think without using that kind of encryption 
or some other privacy-preserving technology, I think the 
vulnerability is considerably larger.
    Ms. Wilson. I will give back the balance of my time, which 
is zero.
    Chairman Bucshon. I now recognize Mr. Schweikert for his 
questioning, five minutes.
    Mr. Schweikert. Thank you, Mr. Chairman.
    Have you ever wanted to start to engage in a conversation 
with something like this but you are fearful you have watched 
too much sci-fi in the past? But let us actually jump down the 
line here. First off, fingerprint scanning technology is, what, 
two generations ago? I mean, we may be still working on some of 
the protocols and the security and mechanics but, I mean, we 
were playing around with that in the early 1990s, if I reMember 
one of my classes. So where are we at technology today? How 
good is facial, body, human recognition getting through a 
camera, and why don't we start down the right and work our way 
over. Where are we at right now? What is cutting edge today?
    Dr. Schuckers. Thank you. So I think a lot of the things 
that we have brought up already are important, even 
fingerprint, the issues are the scaling, you know, when you are 
looking at using fingerprints in large-scale applications, 
those are some of the challenges. Certainly, the security and 
privacy side of a fingerprint----
    Mr. Schweikert. But can you cite some of the challenge of 
the box we are in of what is the most cutting-edge thing you 
hear that is on the horizon right now?
    Dr. Schuckers. I think the one area that could be 
interesting is the mobile device knows you, right? So you want 
to say cutting edge, so this isn't available now, but you can 
see it in the near-term future if we do investment and research 
but you don't necessarily have to do something very deliberate 
for the mobile device to know who you are. So I think that 
could be an area that we could invest in and it makes it easy 
for people to authenticate.
    Mr. Schweikert. Mr. Mears?
    Mr. Mears. So if you are looking for cutting-edge 
technology, and I would refer you to figure one of my written 
testimony, there are a number of biometrics that are emerging, 
many of them out of biomedical research. I will give you an 
example of the evolving biometrics. One of them is scent, for 
example. We have all known for years that dogs track us based 
on our scent, which is genetically determined with a dietary 
overlay.
    Mr. Schweikert. That explains a lot of things at home.
    Mr. Mears. Well, wouldn't it be great if you could reduce 
that to a digital format and be able to reacquire that same 
scent in multiple sensors. Dogs can't communicate to each other 
once they communicate a scent. That is an example. Another one 
is standoff technologies in general, being able to acquire 
biometrics at a great distance for face, for iris, for 
fingerprints, for example, but have not normally been done at a 
distance.
    Mr. Schweikert. Well, you are actually hitting to one. Back 
in December, I reMember coming across an article that was 
saying that experiments to enable to read iris at a distance. 
True?
    Mr. Mears. Yes, sir. Some of the commercial technology has 
been on the order of 2 meters standoff that is commonly 
available in our industry.
    Mr. Schweikert. So literally I can be at a grocery store 
register and it would be able to----
    Mr. Mears. Potentially, and that is commercially available 
today. There is research at Carnegie-Mellon, for example, that 
is several tens of meters research, and I am seeing in the 
laboratory more than that, and I can't say more than that. But 
those are types of technologies for standoff iris.
    Mr. Schweikert. Doctor, what is cutting edge out there? 
What is on the horizon?
    Dr. Romine. Well, I would revisit Dr. Schuckers' sort of 
hierarchy of different biometrics, and as you point out, 
fingerprints are widely understood, I think, or largely 
understood, DNA even more so. All of the biometrics 
technologies that range from fingerprints, iris, face 
recognition, even gait, how someone walks, how someone types, 
signatures, all of these things are improving as the technology 
improves, the capabilities of technology and computation 
improve.
    Mr. Schweikert. Now, in the private-sector world, am I 
heading towards a time where I walk into my grocery store and I 
am going to pay with cash because I don't want it on the 
database that I have a small Haagen-Dazs problem, and yet 
somehow my Haagen-Dazs problem gets attached to my file because 
I paid with cash but it picked up my gait, it picked up my 
facial recognition, it picked up my iris, and where are we 
going now in that type of data using biometrics to attach to 
our personal data files that ultimately end up tagging the fact 
I have high cholesterol and my insurance rate. Where are we 
right now in that interlinking?
    Dr. Romine. So I think this is the challenging intersection 
between what the technology makes possible and what the policy 
apparatus makes permissible, and I think from NIST's 
perspective, at least, we focus entirely on the technology 
side, measuring the capability of the technology, providing 
testing infrastructure so that the community can improve its 
technology. The policy apparatus is going to get increasingly 
challenging, I think.
    Mr. Schweikert. Mr. Chairman, I yield back, but, you know, 
there does become sort of that future cascade effect, 
particularly with health care and many of the other things out 
there, these attachments. So thank you, Mr. Chairman.
    Chairman Bucshon. I would agree with that, especially the 
DNA analysis obviously is not an area that you can escape that. 
You might detect that somebody is going to get Huntington's 
chorea, for example, or some other thing that might identify 
them as being not insurable or other issues. So we have got 
challenges but it is a very exciting field.
    At this point I would like to thank the witnesses for their 
valuable testimony and the Members for their questions. The 
Members of the Committee may have additional questions for you, 
and we ask that you just respond to those in writing. The 
record will remain open for two weeks for additional comments 
and written questions from Members.
    The witnesses are excused and the hearing is adjourned. 
Thank you very much.
    [Whereupon, at 11:03 a.m., the Subcommittees were 
adjourned.]
                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions




                   Answers to Post-Hearing Questions
Responses by Dr. Charles H. Romine
[GRAPHIC] [TIFF OMITTED] 81193.041

[GRAPHIC] [TIFF OMITTED] 81193.042

Responses by Mr. John Mears

[GRAPHIC] [TIFF OMITTED] 81193.043

[GRAPHIC] [TIFF OMITTED] 81193.044

Responses by Dr. Stephanie Schuckers

[GRAPHIC] [TIFF OMITTED] 81193.045

[GRAPHIC] [TIFF OMITTED] 81193.046

                              Appendix II

                              ----------                              


                   Additional Material for the Record




       Submitted statement of Representative Frederica S. Wilson,
              Ranking Member, Subcommittee on Technology,
              Committee on Science, Space, and Technology,
                     U.S. House of Representatives

    Thank you, Mr. Chairman for holding this hearing on biometrics and 
thank you to our witnesses for being here this morning.
    Biometric technologies can offer a number of benefits. They can 
increase security here at home by identifying terrorists or they can 
provide those in the developing world with an ``official identity'' 
that will allow them to open a bank account, buy a home, or receive 
public services. But there are also a number of privacy concerns 
surrounding biometrics, especially in the context of facial 
recognition.
    Facial recognition raises special concern because the nature of the 
technology allows it to be used without a person's knowledge or 
consent. To be honest this offers an advantage from a security 
standpoint, but it also raises a number of concerns.
    There is a fear that remote surveillance will happen on a much 
broader scale, not just in the airport, but that individuals will be 
``tracked'' as they run their day to day errands.
    This technology still has its limits. Facial recognition failed to 
identify the two Boston bombers even though both had Massachusetts 
driver's licenses and one was in an FBI database. But surveillance 
cameras did help to ID the bombers. And the use of surveillance 
sensors, both on the street and on-line, is increasing dramatically. As 
biometrics technology improves how it is used will expand dramatically. 
We have already begun to see the increased use of this technology by 
corporations such as Google, Apple, Facebook, and others. In the future 
this technology will not just be used to verify who you are, but who 
you are with, your family and friends, where you shop and what you buy. 
These coming biometric applications present serious privacy concerns 
that have not been well addressed.
    The simple fact is that for many of us our face and name are 
already publically available online and taking that information to re-
identify us in our offline activities is not that big of a step.
    You may recall a 2011 study where researchers at Carnegie Mellon 
University were able to deduce portions of a person's social security 
number from just an online photo.
    The use of facial recognition technology beyond public safety--and 
even how this technology is used in the context of public safety--need 
to be carefully considered. I look forward to hearing from our 
witnesses about the current and future uses of biometric technologies 
and how we can reap the benefits of biometrics while also ensuring our 
privacy.
    Thank you, Mr. Chairman and I yield back the balance of my time.

                                 
