
Share and Protect June 18th, 2009

Share and Protect


Biometric Information in the Information Sharing Environment
By Richard D. Newbold, JD, MBA, CIPP/G [1]

The Information Age

As the global storehouse of information grows, confusion arises regarding the positive role of
biometrics in information assurance and identity management. The Information Age is a term
often used to refer to the present era and the global shift away from the production of physical
goods, as exemplified by the Industrial Age, toward the collection and use of information. Due in
part to the efforts of the Defense Advanced Research Projects Agency (DARPA) which led to the
creation of the Internet and, in 1989, the World Wide Web, there is more information available
today than at any time in history.

Many tend to think of the Information Age in terms of cell phones, digital music, high definition
television, digital cameras, email, computer games, and other relatively new products and
services that have come into widespread use. The pace of change brought on by such
technology has indeed been very rapid. However, information and information sharing have been
used by governments to help protect citizens since the creation of the nation-state.

Whether in digital form or hard copy, the government’s role of protecting the nation as outlined in
the Constitution [2] and subsequent authorities means that federal agencies have a responsibility
and a mandate to share information within the appropriate legal parameters in order to protect
and defend the nation.

Personally Identifiable Information

Of all the information available in all formats, a subset is referred to as personally identifiable
information, or PII. This is information that can be used to locate or identify an individual, and
includes names, aliases, social security numbers, biometric records, and other personal
information that is linked or linkable to an individual. The federal government routinely collects,
stores, shares, and protects PII for many purposes, often in the context of receipt of a public
service or government benefit. For example, to receive a passport to travel abroad, individuals
are required to prove they are who they claim to be for the safety of the US, the host nation, and
fellow air travelers.

As the Government Accountability Office (GAO) rightly noted in a recent report to Congress [3], the
loss or misuse of such information could lead to identity theft or other fraudulent use of the
information—resulting in substantial harm, embarrassment, and inconvenience to victims. For this
reason, there are well-established policies to protect PII. Like all Americans, members of
Congress were concerned and acted to protect PII collected and handled across the federal
government. State and local law may provide additional protections.

Two primary laws, the Privacy Act of 1974 (as amended) and the E-Government Act of 2002, give
federal agencies responsibilities for protecting PII and ensuring its security. Additionally, the
Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop,
document, and implement agency-wide programs to provide security for their information and
information systems, which include PII and the systems on which it resides. The Act also requires
the National Institute of Standards and Technology (NIST) to develop technical guidance in
specific areas, including minimum information security requirements for information and
information systems.

[1] Rick Newbold is a policy analyst supporting the Department of Defense Biometrics Task Force (www.biometrics.dod.mil)
and can be contacted at richard.newbold@us.army.mil. His views do not necessarily reflect those of the BTF.
[2] The preamble references “domestic tranquility,” providing for the “common defense,” and promoting the “general
welfare” of the citizenry. These basic government mandates are reflected in statutes, federal court decisions,
administrative codes, etc., and are often mirrored at the state and local levels.
[3] http://www.gao.gov/new.items/d08343.pdf

The Office of Management and Budget (OMB) issued guidance in 2006 and 2007 reiterating
agency responsibilities under these laws, drawing particular attention to the requirements
associated with PII. In this guidance, OMB directed, among other things, that agencies encrypt
data on mobile computers or devices and follow NIST security guidelines regarding PII that is
accessed outside an agency’s physical perimeter [4].

PII comes in a variety of forms, and for purposes of secure authentication at a federal site or
network (to include remote login), the federal government often uses multi-factor authentication to
verify a person’s identity. Biometrics is one factor that is often used in multi-factor authentication.
Users biometrically authenticate via their fingerprint to a card or token and then enter a PIN or
password in order to open the credential vault.

Several federally sponsored programs exist, including the First Responder Authentication
Credential (FRAC), Transportation Worker Identity Credential (TWIC), and Airport Credential
Interoperability Solution (ACIS). Many other programs are in development with the same desired
goal of being technically interoperable and trustworthy in the Federal government Personal
Identity Verification (PIV) environment.

Homeland Security Presidential Directive 12 “Policy for a Common Identification Standard for
Federal Employees and Contractors,” mandated new standards for secure and reliable personal
identification for all federal employees and contractors. The Department of Defense (DoD) began
issuing the Common Access Card in October 2006. The Transportation Security Administration
(TSA) began issuing the Transportation Worker Identification Credential (TWIC) in October 2007.
Similar to other credentials, to obtain a TWIC an individual must provide biographic and biometric
information, such as fingerprints and a digital photograph, and successfully pass a security threat
assessment (in this case conducted by TSA). The tamper-resistant credential contains the
worker's biometric (fingerprint template) to allow for a positive link between the card and the
individual.

Biometric Information

Biometric information, as a subset of PII and information generally, is used throughout the federal
sector to help manage the identities of individuals who interact with the federal government.
These individuals may be federal workers, contract support staff, servicemembers, etc. The
benefits they receive include access to a safe workplace (physical access) and access to
government networks (logical access) to enable efficient and effective performance of their work
on behalf of the taxpayer.

Neither biometrics nor the use of biometrics by the state is a recent development. There are
notable early examples of biometric employment. European explorer Joao de Barros recorded the
first known example of fingerprinting in China during the 14th century. In 1890, Alphonse
Bertillon, a Parisian police officer, studied body mechanics and measurements to help identify
criminals.

Regarding public sector usage by the US federal government, the Army began using fingerprints
in 1905. Two years later the Navy started, and was joined the next year by the Marine Corps. In
1924, an act of Congress established the Identification Division of the FBI and, by 1946, the FBI
had processed 100 million fingerprint cards in manually maintained files, although many were
duplicates and contained both civil and criminal files.

There are several biometric modalities, some more effective than others depending on the
collection purpose and goals, equipment reliability in a given environment, collection time
constraints, agency budget, analytical capacity, and cultural sensitivity [5]. Biometrics as a tool for
identification has grown into the field known as biometrics identity management (BIdM). The
technology implemented is new, but modalities like face, voice pattern, and gait (the way a
person walks) have always been used for human identification.

The Information Sharing Environment

With all the information available throughout the federal sector, there have historically been
problems sharing information among federal agencies. Reasons include legal restrictions [6],
personality conflicts, budget constraints, and a lack of standards for data and/or information
exchange.

In response to the 9/11 Commission's recommendations [7], Congress enacted the Intelligence
Reform and Terrorism Prevention Act of 2004 [8], which called for the creation of an Information
Sharing Environment [9], defined as “an approach that facilitates the sharing of terrorism
information.” The law required the President to designate a Program Manager and establish an
advisory Information Sharing Council.

ISE, or the “Environment,” is a combination of policies, procedures, and technologies linking, as
appropriate, the resources (e.g., people, systems, databases, and information) of Federal, State,
local, and tribal governments, the private sector and, potentially, foreign allies to facilitate
information sharing, access, and collaboration among users to combat terrorism more effectively.
The Environment supports sharing and access to terrorism information, including information from
the intelligence, law enforcement, military, homeland security, and other communities.

The ISE Implementation Plan [10] envisions a trusted partnership among all levels of government in
the United States, throughout the private sector, and among foreign partners in order to detect,
prevent, disrupt, preempt, and mitigate the effects of terrorism against the territory, people, and
interests of the United States by the effective and efficient sharing of terrorism and homeland
security information. It aligns and leverages existing information sharing policies, business
processes, technologies, and systems and promotes a culture of information sharing through
increased collaboration.

One of the stated goals of the ISE is to enable the federal government to speak with one voice on
terrorism-related matters and to promote more rapid and effective interchange and coordination
among departments and agencies as well as state, local, and tribal governments, the private
sector, and foreign partners, thus ensuring effective multi-directional sharing of information while
ensuring that procedures and policies in place protect information privacy and civil liberties.

[5] Collection of some modalities is more intrusive (e.g., blood drawn with needles) or culturally unacceptable than others.
For example, stand-off iris collection has been more widely accepted in the Muslim world than other modalities.
Fingerprints are often associated with criminal behavior as a consequence of their early association with law enforcement.
[6] The National Counterterrorism Center (NCTC) integrates and analyzes all intelligence pertaining to international
counterterrorism, while exclusively domestic terrorist activity is under the purview of the FBI.
[7] http://www.9-11commission.gov
[8] Section 1016 of IRTPA supplements section 892 of the Homeland Security Act of 2002 (Public Law 107-296), Executive
Order 13311 of July 29, 2003, and other Presidential guidance, which address various aspects of information access.
[9] http://www.ise.gov
[10] http://www.ise.gov/docs/ISE-impplan-200611.pdf

Sharing Biometric Information

Biometric information such as a fingerprint card in a filing cabinet in the corner of a warehouse
has more limited utility than a searchable interoperable system for the purpose of identifying
those individuals meaning to do harm to the nation. To facilitate sharing and exchange of
biometric data, various repositories are in use across the federal space to include the DoD
Automated Biometrics Identification System (ABIS) [11] and the Terrorist Identities Datamart
Environment (TIDE) [12].

Legal authority for the sharing of biometric information with a nexus to terrorism information was
established in the Homeland Security Act of 2002 [13] and Section 1016 of the Intelligence Reform
and Terrorism Prevention Act of 2004 (IRTPA) [14]. Prior to these statutes, the USA PATRIOT Act [15]
required the federal government to devise a method to verify the identity of anyone entering the
US to confirm their identities and facilitate background checks [16]. Additional authority [17] exists with
the combined effect of directing federal agencies to implement comprehensive and coordinated
procedures for collecting and integrating information (including biometric information) on terrorists
and to use that information to the full extent permitted by law [18].

Protecting Biometric Information

Biometric information is protected in a manner similar to other pieces of PII within the information
assurance context of a biometric template stored on a government hard drive, for example.
However, unlike a social security number or bank account number written on a napkin and left
behind by a restaurant patron, individuals leave a veritable bread crumb trail of biometrics
wherever they go, thus making this particular type of PII more accessible in the physical sense
than other types of PII.

After leaving the same previously referenced restaurant, fingerprints can be lifted from the glass,
DNA can be recovered from the silverware, and hair strands may also be recovered. In other
words, it is impossible to protect biometrics in the traditional sense of securing it and locking it
away to make it accessible to only those with a privilege or need to know. An individual’s
biometrics automatically reveal themselves similar to our restaurant patron wearing a name tag
while announcing his or her social security number to a table full of guests.

A digital biometric template should be securely stored within a system for comparison with a live
sample of a fingerprint, palm print, etc. The power of biometrics lies in the fact that they are freely
exuded as a function of nature and cannot be “controlled” in the traditional sense. This has also
been a criticism of their use—especially in the context of privacy.

[11] Next Generation ABIS was officially launched by the DoD Biometrics Task Force on February 24, 2009. Now referred
to as DoD ABIS externally to the BTF, it is the central, authoritative, multi-modal biometric data repository for DoD. The
system operates and enhances associated search and retrieval services and interfaces with existing DoD and interagency
biometrics systems. The repository interfaces with collection systems, intelligence systems, and other deployed biometric
repositories across the federal government.
[12] The Terrorist Identities Datamart Environment (TIDE) is the federal government’s central repository of information on
international terrorist identities. For more information, see http://www.nctc.gov/docs/Tide_Fact_Sheet.pdf.
[13] 6 U.S.C. § 122, Pub. L. No. 107-296, 116 Stat. 2135 (2002).
[14] 6 U.S.C. § 485, Pub. L. No. 108-458, 118 Stat. 3638, 3825-3832 (2004).
[15] For more on the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (Public Law 107-56), see http://www.lifeandliberty.gov/highlights.htm.
[17] These authorities include Homeland Security Presidential Directive-6 (HSPD-6) “Integration and Use of Screening
Information” (September 16, 2003) and HSPD-11 “Comprehensive Terrorist-Related Screening Procedures” (August 27,
2004).
[18] Caddell, Jeffrey L., The Bureau of National Affairs Privacy and Security Law Report “DoD Biometrics in the Age of
Terrorism” (2008).

Thus, a distinction should be highlighted between a biometric template in digital form stored on a
secure government server versus a live biometric (often in conjunction with breeder documents [19])
collected at time of enrollment against which one repeatedly confirms his or her identity (e.g.,
accessing an installation daily) through comparison against a previously created template. There
is much confusion regarding live biometrics and how securely stored templates are compared
and matched. This is due in part to the often proprietary nature of matching algorithms and the
“science” behind the matching. Such a lack of transparency has only served to fuel the rhetoric of
those who oppose the use of some if not all biometrics in the context of federal prosecutions.

Fingerprint template (courtesy of ERCIM News)

The capability exists to spoof a biometric using a gummy finger or pre-recorded voice message,
but a given individual is still the very same individual when attempting to access a network or
enter a building. No one can replicate us in carbon form and thereby present a live iris,
fingerprint, vein pattern, etc., for comparison against a trusted stored template. An effective
government must have the ability to manage the identity of the population to perform a variety of
legitimate functions easily tied to federal requirements to include distribution of benefits to the
appropriate individual without the possibility of fraud, identifying terrorists at airports and border
crossings, and screening individuals for criminal backgrounds for positions of public trust within
the government. For purposes of identity verification for any of these reasons, the “something you
are” (i.e., the biometric) should usually be used in combination with “something you know” like a
PIN or password and/or “something you have” like a key or USB dongle.

If an identity verification scale existed, a fingerprint reader at an unmanned checkpoint would rank
low on the scale because of the known possibility of spoofing the reader. A higher rating would
involve not only presenting a legitimate fingerprint, but adding cameras or live personnel at the
gate or requiring the individual to enter a PIN and present a badge or be escorted by a trusted
traveler. Generally, the greater the risk of potential harm, the more resources an agency devotes
to ensuring that only those individuals who should have access actually gain access. Some would
argue that this scenario might violate the privacy rights of those seeking access. However, on the
expectation of privacy scale, access to a military installation would fall just above access to a
nuclear facility, meaning that there is a very low expectation of privacy for those seeking access
to DoD facilities, installations, and networks. Access for purposes of employment, for example, is
a privilege and not a right.

So if biometric information is plentiful, easily collected, subject to spoofing, and is not necessarily
secure without use in combination with passwords and tokens, why bother spending money to
collect, store, or use biometrics? There are several reasons. Compared to a flash badge, for
example, biometrics can and do effectively aid in the screening and capture of those intent on
destroying the country and are useful as one of several elements of identity verification within a
comprehensive identity management system. Biometrics in its many forms (modalities) is
something that everyone has the ability to produce at point of encounter and is an effective thread
that runs throughout a well managed identity management system to bind an identity and seal it.
After that, it is a matter of verifying the identity at subsequent points of encounter.

[19] The Social Security Administration defines breeder documents as those used to obtain other documents used for
identity (e.g., a birth certificate is used to obtain a driver's license, which is then used as an identity document).

Better than Standalone Alternatives

There are many ways to identify individuals, but consideration should be given to scalability.
When attempting to rapidly verify the identity of 1000 (or 100,000) individuals, it is more efficient
to have a biometric-based identity management system in place than to require two forms of
identification, a friend to vouch for you, and a note from your mother.

Consider systems currently in place with a thread running throughout. Perhaps an account is
accessible by means of an assigned account number, as in the case of a water bill. Tax records
are accessed by means of a social security number. Pizza delivery is often associated with an
address.

Social security numbers, account numbers, passwords, and PINs can all be used to link an
individual to an account. But comparing a live biometric to a securely stored biometric template is
an attractive alternative or complement to an existing identity management system, especially in
the face of rising identity theft related to misuse of the SSN and other pieces of PII. Within DoD,
for example, there are initiatives to reduce reliance on the SSN [20], but passwords are often written
down and “hidden” under the keyboard, thereby making the environment significantly less secure.

While PINs can be compromised through brute force attacks or random guessing, they
are often ascertained by shoulder surfing or by informed guessing (e.g., date and month of birth,
favorite pet). Since biometrics cannot be shared or lost, they are much less susceptible to
compromise than a four-digit PIN code, for example. As part of a comprehensive identity
management system, then, legally and properly sharing trusted biometric templates for
comparison with real live individuals seeking access to federal installations and networks is
mandated, works effectively for a variety of appropriate purposes, and just makes common
sense.

[20] On March 28, 2008, the Under Secretary of Defense for Personnel and Readiness issued Directive-Type Memo 07-015
“DoD Social Security Number (SSN) Reduction Plan” that established guidance for reducing the unnecessary use of the
SSN.
