US: Office of Personnel Management raises assessment of biometric hack to 5.6 million individuals

OPM: Stolen biometric data list grows by 4.5 million (Fedscoop)

The Office of Personnel Management underestimated the number of people who had their biometric data stolen in this year’s high-profile hack, with an additional 4.5 million people being affected.

In a Wednesday press release, an OPM spokesman said the subset of individuals whose fingerprints have been stolen has increased from approximately 1.1 million to 5.6 million. That number, according to the agency, comes after OPM and the Defense Department identified archived records containing additional fingerprint data that were not previously analyzed.

Assessing the damage related to fingerprints in hacked government database

How Much Damage Can OPM Hackers Do With a Million Fingerprints? (Nextgov)

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood’s panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn’t even know yet specifically which personnel have had their prints compromised.

The linked article is really good in that it spends a great deal of analysis of the unknowns, and there are many.

While a collection of images of the fingerprints of US government employees — if that is an accurate description of that was taken — certainly has its uses, not all potential uses are equal or equally likely.

In terms of identity fraud, the 1.1 million government employees who had their fingerprints stolen may not be a whole lot worse off than the 20 million or so other government employees who had their personal information stolen minus the fingerprints, though that is cold comfort indeed to the victims. If the individuals whose information was stolen are given the precise details of the personal information that is now “out there” they will be able to make informed decisions about how they wish to manage their affairs going forward. That includes how they might interact with biometric ID management technologies in the future both in and outside of government applications.

The intelligence value of the fingerprints of government employees is different story. With time, money, and pictures of a million fingerprints, it is possible to build a fingerprint watch-list. Probably, not all of the pictures of fingerprints will be of a high enough quality to be enrolled in an automated system today but more time and more money could help. From there, the new watch-list could be accessed by a new or existing biometric ID technology deployment such as a checkpoint serving whatever purposes its owner has for it.

There is probably a lot the government still doesn’t know about what was stolen, and even more that hasn’t been shared with the public and more importantly with the individuals whose information has been compromised. It will also take some time for the stolen information to be put to use. The Office of Personnel Management has a lot of work ahead of it.

FBI’s Rap Back program will use biometrics to alert government agencies of felony arrests of their employees

D/FW Airport to be among first users of FBI criminal history tracking effort (Dallas Morning News)

D/FW Airport and Boston’s Logan International Airport were the two selected by the Transportation Security Administration to pilot the FBI’s Rap Back program. The program allows the TSA to continuously track employees for felony-level arrests, rather than relying on individuals to self-report their crimes.

Australia gearing up for huge biometrics tender

CrimTrac to extend national biometric identification database (The Financial Review)

CrimTrac, the federal biometric information repository, wants more freedom to flexibly access other databases, such as national location data, as the national broadband program gradually progresses towards a fully functional, nationally available high-speed data network.

It is looking for a specialist information technology supplier to tool up a more flexible, versatile operating installation which can incorporate a range of new techniques as they become available, and can cope with the ever-spreading list of mobile devices being deployed in the field by policing agencies.

US: Face recognition code of conduct confab loses privacy advocates

The National Telecommunications and Information Administration (NTIA) has convened a privacy multistakeholder process regarding the commercial use of facial recognition technology. On December 3, 2013, the NTIA announced that the goal of the second multistakeholder process is to develop a voluntary, enforceable code of conduct that specifies how the Consumer Privacy Bill of Rights applies to facial recognition technology in the commercial context.

Privacy Advocates Walk Out in Protest Over U.S. Facial-Recognition Code of Conduct (The Intercept)

“At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement — and identifying them by name – using facial recognition technology,” the privacy advocates wrote in a joint statement.

The quoted article is full of links to NTIA online resources.

An “open letter” of resignation on the part of the named privacy advocates lists their concerns here.
Concluding paragraph:

We hope that our withdrawal signals the need to reevaluate the effectiveness of multistakeholder processes in developing effective rules of the road that protect consumer privacy – and that companies will support and implement.

Ultimately, of course, these are political questions rather than technological ones, but the focus on one type of technology (facial recognition) is a little difficult to understand. If it’s wrong for a private corporation to track an unsuspecting individual’s every movement, identifying them by name, why single out facial recognition (the means) rather than the tracking (the end)?

The privacy advocates, however, have a point in their favor. The effectiveness of confabs of privacy advocates, sub-cabinet-level administrators, and corporate executives in defining a society’s scope for privacy in public should be questioned.

Also mentioned in the article is the fact that the states of Texas and Illinois have passed laws limiting the use of facial recognition technology to identify individuals in public without their affirmative consent.

Forecast: Global Government Biometric Systems Market

The Global Government Biometric Systems Market 2015-2025 (Market Reports Store)

Key Findings
◾The global biometric systems market is estimated to value US$4.4 billion in 2015 and increase at a CAGR of 8.70% during the forecast period, to reach a peak of US$10.2 billion by 2025.

◾The market is expected to be dominated by North America, followed by Asia-Pacific and Europe.

◾Fingerprint recognition is expected to account for the largest share of expenditure in the global Government Biometric Systems market going forward, followed by facial recognition and Iris.

That Compounded Annual Growth Rate (CAGR) is probably one of the lowest I’ve ever seen in the biometrics sector. It, however, doesn’t come as much as a surprise. The number of government customers is pretty much capped at around 200. Governments were some of the earliest adopters of biometric solutions, so most of the 200 potential customers are already in the market. Prices paid by these customers, generally, should be falling or stable. So, there are a whole host of reasons for this low estimate for growth in the government biometrics sector.

Better late than never

US customs allocated funding to test biometric exit app (Security Document World)

A Department of Homeland Security (DHS) appropriations bill released on 9 January allocates US$3 million in funding for testing of a biometric exit app that would be used by Customs and Border Protection (CBP).

The funding will be used for a biometric exit mobile application demonstration at two airports, according to an explanatory note added to the bill.

The idea of implementing an exit system at all US ports of entry was first touted in 1996 as part of the “Illegal Immigration Reform and Immigrant Responsibility Act”.

Ghana streamlines payments to employees

GhIPSS hails National Service e-zwich agreement (Ghana Web)

The National Service Scheme announced a change in the mode of payment of allowances last week, saying from January 2015 payment of allowances to all national service personnel at post shall be effected through the biometric e-zwich platform.

This is to ensure that payments are made directly to national service personnel by cutting down on the existing long chain of effecting payments.

Large company CTO’s should read the DHS biometrics RFI

The Office of Biometric Identity Management (OBIM) of the Department of Homeland Security (DHS) stores and analyzes biometric data, digital fingerprints and photographs, and links that data with biographic information to identify/enroll identities and subsequently match or verify the established identities. OBIM is proactively addressing its next-generation architecture and capabilities for replacing the current biometric system. The vision for this activity represents a major investment to ensure that OBIM can continue to accommodate the expected growth of populations and new applications of multimodal biometric identity screening based on OBIM mission and our customers’ identity service needs.

Below are some of the things the government is interested in learning more about [warning: link downloads a .pdf file]. Reading through the items below, scalability, interoperability, accuracy and integration with other systems seem to be real priorities for DHS.

It’s also worth noting that while these issues have become pressing for this early adopter of large-scale biometric technologies, all large-scale biometrics deployments will have to meet some or all of these challenges eventually. Strategic planners in some of the larger organizations contemplating biometric solutions would be wise to consider the following as early in their development process as possible and to plan for the future.

A. Identity Deconfliction:
OBIM desires a system that has the ability to determine a person’s unique identity based on a combination of biometric and biographic traits and contextual data. Respondents should also detail the best approach to determine a level of confidence based on the combination of traits used in the identification, and should provide methods for continuous identity management, including enrollment of identities, splitting/merging of identities, and updating identity confidence levels based on new information.

B. Advanced Biometric Matching:
OBIM is requesting information on a system through the application of state- of-the-art techniques that can improve the accuracy and efficiency of its biometric services. Specifically, OBIM is interested in learning about:

1. Approaches and architectures for leveraging multiple biometric modalities in very large-scale systems to improve accuracy and identity assurance and to decrease failure-to-enroll rates. The provided information must address multimodal fusion techniques and include the known benefits and architectural limitations of such approaches.
2. Methods to reduce the computational requirements of biometric matching without decreasing accuracy. Examples of such techniques could include ways to decrease the need for full gallery searches (1:N), decrease the penetration rate of 1:N searches, and leverage multiple modalities to reduce computational intensity.
3. Approaches and architectures for decreasing operations and maintenance (O&M) costs for large-scale systems, including system virtualization, footprint, energy usage, and licensing costs.

C. Advanced Biographic Searching:
OBIM is requesting information on a system through the application of state- of-the-art techniques that can improve the accuracy and efficiency of its biographic pre-verify services. OBIM is interested in various approaches for using biographic information to assist in the deconfliction and disambiguation of identity information. The biographic information would typically contain various elements and combinations of biographic information, including name, birth date and location, gender, and citizenship. In particular, OBIM is interested in performance in terms of accuracy, speed, and other performance profiles and products in production or currently in technical readiness testing and evaluation to facilitate more 1:1 transactions.

D. High-Performance Transaction Processing:
OBIM requests information on the status, trends, and direction of large-scale biometric and biographic transaction processing systems and related technologies, including processing speeds and high-volume, high-reliability, and high- availability systems and architectures. Information should also be provided on demonstrated scalability and managing a high volume of transactions with varying response requirements.

E. Business Intelligence Capabilities:
Respondents should provide information on business intelligence architectures, techniques, and software where these capabilities provide better historical, current, and predictive analysis of available biometric and biographic information, including the analysis of both operational and content data.

F. Storage:
Respondents should provide information on current capabilities, trends and alternatives to store, index, and correlate structured and unstructured data in all formats regardless of type or size. In addition respondents should present their ability for organizing and retrieving large quantities of data and/or images (>109). This should also include hardware specifications. The Government is interested in industry’s experience and offerings for tiered and/or distributed storage and in minimizing processing and storage overhead, while maximizing input/output performance, the retrieval of data, application independence, portability, and data integrity.

G. Information Linking:
OBIM seeks information on the best methods and techniques to link data items to unique identities, and to maintain the linkage on an ongoing basis, including capturing additional links, removing links, and providing linkage information to stakeholders as permitted according to a predefined set of business rules. Linked information could be made available in a variety of ways, including publish/subscribe methods. It is assumed that the actual data would still reside in separate systems/databases within and outside DHS.

H. International Biometrics:
Respondents should provide information on developing an architecture capable of supporting and managing a federated international biometric and identity- verification schema with multiple stakeholders worldwide that ensures responsiveness while tailoring privacy, security, and person-centric data to individual stakeholder needs. An analogous business and technical construct might be the topology for international automated teller machines, banking, clearinghouses, and credit/debit cards.

More on India’s public employees time-and-attendance portal

Big Brother Modi is watching bureaucrats (Reuters)

“This is Big Brother stuff but very effective. It’s not just the central government. The state governments are trying to emulate this.”

The Prime Minister’s Office will also take part in the scheme, said Dash, although it was not clear whether Modi would be enrolled.

Project mastermind Sharma, who holds the rank of secretary at the government’s Department of Electronics and Information Technology, could not immediately be reached for comment. The Biometric Attendance System showed he had signed in at work at 13:55:16 p.m. on Thursday.

Screen grab: attendance.gov.in

Meet the man who built the awesome online attendance system for India’s government officials (Quartz India)

Now, 59-year old Sharma is building an attendance system for India’s central government employees that is inexpensive, publicly available on the internet—and potentially, a simple tool that could revolutionise governance in the country.

The entire system is searchable, down to the names of individual central government employees, and all the data is available for download. And with that single step—making the entire platform publicly accessible—the government has introduced a level of accountability and transparency that India’s sprawling bureaucracy is unaccustomed to.

India: Biometric time-and-attendance with a web portal

Indian government launches website to track attendance of government employees (Economic Times)

Using UIDAI, Prime Minister Narendra Modi-led NDA government has launched a Biometric Attendance System (BAS) for government employees. Attendance.gov.in has been launched to keep a track on the attendance records of employees.

Under the system, an organisation needs to register on the website. According to the website, “A back-end administrator will check the details of the organisation submitted and make the organisation active by assigning it a unique sub-domain which will be the first name of the website.”

This is similar to a system we designed for a customer serving an education ministry in West Africa, only much bigger.

Also, from Business Insider:

In a bid to ensure improved work culture in central government offices, the NDA government has taken a revolutionary step. It has introduced Aadhaar-based biometric attendance systems to monitor and track the work of Central Government employees. The attendance system is now up and running; and you know the best part is that it is accessible even to general public on attendance.gov.in.

Kenya government time-and-attendance

Biometric registration of public servants kicks off (Standard Digital News)

The Transition Authority has assured public servants that the Capacity Assessment and Rationalisation of Public Service exercise under the national and county governments would not lead to retrenchment.

Speaking yesterday when the exercise kicked off in Nakuru County, TA Commissioner Simon Pkiyach said the exercise would facilitate the transformation of public service for efficient service delivery.

India government time-and-attendance

Aadhar-Based Biometric Attendance For Employees of Central Government by September End (The Indian Republic)

The biometric attendance systems for employees of the central government, based on Aadhar cards, is set to be fully functional by the end of September.

Ram Sevak Sharma, the Information Technology Secretary, has told reporters that the biometric system of attendance will be fully functional by the end of the month.

Passwords vs. biometrics (GCN)

The password by itself actually is a pretty good tool. It is simple to use, easy to implement and can be reasonably strong. The problem is one of scale. For a user juggling passwords for multiple accounts and for administrators juggling many users, the system quickly becomes unwieldy, and strong security begins to break down. In addition, the steady growth in computing power erodes password security by making dictionary and brute force attacks more practical.

Biometrics – the use of physical traits such as fingerprints, irises, faces or voices to identify persons – is more complex, but is becoming more practical. It offers the promise of better security based on the premise that there is only one you.

Yet it has its drawbacks…

See also:
January 17, 2012 More on the Awesomeness of Passwords

FBI switches criminal ID information systems

FBI: Full Operational Capability of the Next Generation Identification System (FBI Press Release)

The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division announced today the achievement of full operational capability of the Next Generation Identification (NGI) System. The FBI’s NGI System was developed to expand the Bureau’s biometric identification capabilities, ultimately replacing the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) in addition to adding new services and capabilities.

The IPS [Interstate Photo System] facial recognition service will provide the nation’s law enforcement community with an investigative tool that provides an image-searching capability of photographs associated with criminal identities.

The transition appears not to have been completely smooth, but it also looks like normal service is being restored to those who rely upon the FBI’s ID infrastrusture.

National Instant Criminal Background Check System (NICS) reports problem-free weekend after a week of issues (Guns.com)

The system started experiencing problems Sept. 6, when the FBI implemented the Next Generation Identification system — a $1.2 billion biometric system that recognizes facial features, scans irises, and reads palm and fingerprints to identify criminals — to replace the single sourced Integrated Automated Fingerprint Identification System.