Some people really love stovepipes…

…otherwise there wouldn’t be so many.

Congress demands progress on advanced ID cards  (FCW)

“We’ve spent billions and we have nothing to show for it,” said Rep. John Mica (R-Fla.) at a June 19 hearing addressing lagging implementation of fingerprint and iris recognition technology. Mica, who chairs the House Oversight and Government Reform Committee’s Subcommittee on Government Operations, noted various examples of flawed federal biometric ID efforts, including the Transportation Workers Identification Credential, or TWIC card, and the Federal Aviation Administration’s new pilot’s license — which does not include a photo of the licensee.

“It’s mind boggling that we have nothing close to meeting with the intent of the 2004 law,” said Mica. “Is there any sense of urgency here?” asked Rep. Gerry Connolly (D-Va.), the subcommittee’s ranking minority member.

Witnesses included managers from the National Institute of Standards and Technology, FAA, Customs and Border Protection and the State Department.

It’s stunning that pilots licenses still don’t have photographs on them. Lots of good information awaits those who click the link.

Perspecitves on ID in earlier- vs. later-developing countries

The Government and the UK’s National Technical Authority on Information Assurance (CESG) have published new guidance on ‘identity proofing’ and verification. (Pinsent Masons)

“Within the UK there is no official or statutory attribute or set of attributes that are used to uniquely identify individuals across Government,” the joint Cabinet Office and CESG guidance document said. “Neither is there a single official or statutory issued document whose primary purpose is that of identifying an individual. Without such attributes or documentation it is difficult for any person to be absolutely certain of the identity of another.”

“This guide is designed to demonstrate how a combination of the breadth of evidence provided, the strength of the evidence itself, the validation and verification processes conducted and a history of activity can provide various levels of assurance around the legitimacy of an identity,” it said.

The whole piece is interesting.

The first quoted sentence above really jumps out, though.

The early industrializers/bureaucratizers typically developed their ID schemes in an ad hoc fashion. The church kept its records for its purposes. The military kept its records for its purposes. Schools, for theirs. Service providers, etc. The system generally works. In the end, error rates and whether or not the costs of the ID errors exceed what it would cost to fix them rule the day. Political and financial considerations factor in.

It is precisely this patchwork ID environment that later-developing countries are choosing to leap-frog with more centralized (United Arab Emirates) or ecosystem (India) approaches involving biometrics. Outside observers from the earlier developing countries are often surprised that their political perspective on government-backed ID isn’t universally shared while observers in later-developing countries may be equally surprised that the most developed countries in the world have such patchwork ID systems.

NIST seeks to refine standards for oral biometric modalities, among others

NIST Biometric Workshop Studies Voice, Dental, Oral Standards (Press Release via Thomas Net)

A working group of international dental and forensic experts has developed a draft dental and oral biometric data record that would ease identification of bodies in disasters such as an airplane crash. For instance, if bodies are burned beyond recognition, photographs or fingerprints might not offer practical means of identification; in such instances, forensic analysts turn next to dental and oral information. Developing this standard was challenging due to the variety of ways dentists around the keep dental records, but could offer an interoperable mechanism to exchange such information in the future.

“Oral” measurements and images include attributes such as lip prints and soft palate impressions. Lip prints can sometimes be linked to specific persons and may be found on objects at crime scenes.

The proposed Dental and Oral Supplement would enable the exchange of images and descriptions of pattern injuries on persons, some of which may resemble bite marks, and to allow transmission of imagery such as X-rays and sonograms.

The workshop also will collect information to develop recommended best practices for identifying disaster victims. A panel will discuss the use of various biometric data in identifying victims, including DNA, facial characteristics, tattoos, dental records and fingerprints. This project is in conjunction with the international Scientific Working Group for Disaster Victim Identification

More at the link above.

More information on the NIST Biometric Conformance Test Software

Are your biometrics up to snuff? Free suite tests for compliance (GCN.com)

The BioCTS suite checks that the record of an iris image or other piece of biometric data being used has the correct data and in the order called for by the standard, so that it can be sent to and received correctly and filed accurately by any user, from the Homeland Security Department to state and local police departments. The conformance testing provides programmers, users and product purchasers with an increased level of confidence in product compliance and increases the probability of successful interoperability.

The tests do not ensure interoperability of different products, however; only that they adhere to common standards, Podio said. “Conformance increases the probability of interoperability, but cannot ensure it because of all the possible implementations that can be included” in a product. Each developer can implement different profiles from the standard, depending on how the product will be used.

More good analysis and links at the GCN link above.

National Strategy for Trusted Identities in Cyberspace (NSTIC) Background and Progress Report

ID management: A matter of trust (Federal Computer Week)

In April 2011, the Obama administration launched a plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC) to encourage the private sector to develop, with federal support and input, online ID and authentication systems that people could use and government agencies, other organizations and commercial players could accept without each needing to create their own vetting systems.

At this point, NSTIC supporters are making headway, though perhaps not in a headline-grabbing way. Earlier this month, the Identity Ecosystem Steering Group, a federally supported committee led by the private sector that will guide creation of NSTIC-style systems, met for the first time in Chicago to hash out plans for addressing privacy, standards, usability, contracts and other key components.

National Strategy for Trusted Identities in Cyberspace (NSTIC) is being run by National Institute of Standards and Technology (NIST) to encourage the development and adoption of standards for ID management. The recent Apple-Amazon hack points to why this is important.

In an environment where everyone has to create their own ID management system, it is inevitable that organizations will create exploitable gaps in the way they emphasize the importance of information. In this case, Amazon (like many other companies, just check your restaurant receipt) treated the last four numbers of a credit card as non-secure information, while Apple used the same information for logical access control.

Initiatives like NSTIC hope to facilitate companies and government agencies to work through ways to make this kind of thing less likely.

Michael D. Kirkpatrick FBI Assistant Director in Charge of Criminal Justice Information Services (Ret.) to Discuss Biometrics & Law Enforcement at July #BiometricChat

When: July 19, 2012 — 11:00 am EDT; 8:00 am PDT; 16:00 pm BST; 17:00 pm CEST; 23:00 pm SGT; 0:00 JST

Where: tweetchat.com (hashtag #biometricchat

What: Tweet chat on Biometrics and Law Enforcement with Michael D. Kirkpatrick (@MDKConsulting)

Topics: The past, present and future of biometric ID management applications in law enforcement, interoperability, modalities.

To send questions for the #BiometricChat:
Email: SecurLinx blog
Twitter: @SecurLinx, hashtag #biometricchat

When John at M2SYS asked me to guest host the July #BiometricChat, I immediately thought of Michael Kirkpatrick. I’m happy to announce that he’s agreed to join us. I offer my sincere thanks to both of them for the opportunity.

Michael Kirkpatrick

Michael D. Kirkpatrick, as the FBI’s Assistant Director in Charge of the Bureau’s Criminal Justice Information Services (CJIS) Division from January 2001 – August 2004, led the Division through profound IT changes especially relating to the application of biometric technologies to the challenges of law enforcement.

Back in the day (i.e. before 1999), fingerprint analysis for law enforcement purposes was a much different ball game. Everything was accomplished with paper, ink, and highly-trained, dedicated  fingerprint analysts. That made law enforcement biometrics pretty much the only biometrics game in town because there weren’t really any commercial applications for that type of set-up. Sure, some professions required criminal background checks, but the fingerprinting part was mostly there to make it easier to catch people in the event they committed crimes at some later date.

Presently, the FBI maintains the world’s largest collection of biometric data and facilitates information sharing between law enforcement organizations and a range of both public and private entities. The CJIS center handles more than 61 million ten-print submissions a year. Average response time for an electronic criminal fingerprint submission is about 27 minutes, Electronic civil submissions are processed within 72 minutes.

The successful transition from a paper system to an Integrated Automated Fingerprint Identification System (IAFIS), presented a range of technical, organizational and managerial challenges such as: What to do with all the paper records; What technical standards to apply to digitization; Determining what confidence level constitutes a match; How to receive input remotely and transmit results;  How to store the information securely; What policies to put in place; Determining whether current international agreements were adequate or forging new ones necessary. The list goes on and on.

Without the hard work sorting out these kinds of questions done by those at CJIS, biometric ID management applications, beginning with fingerprint biometrics, simply would not have nearly the impact in the public and private sectors that they do today. Michael D. Kirkpatrick was one of the many people who helped make it all possible.

Over the course of his career, Michael has done far too many interesting things in law enforcement and biometrics than can be listed here. Thankfully, he has posted a brief overview of some of his experiences at his site, here. He tweets at @MDKConsulting

We hope that you will spread the word among your colleagues and friends and join us Thursday, July 19 at 11am EDT.

Please send questions via:
Email: SecurLinx blog
Twitter: @SecurLinx, hashtag #biometricchat

We’ll publish the chat questions in an update to this post early next week.