Up to Standard

Bob Carter of De La Rue described international efforts to create worldwide biometrics standards in advance of a specific US deadline for implementing this identification technology. "9/11 has changed the world forever," said Carter, "and will soon impinge on all travellers."

By 26 October 2004, domestic American legislation now means that all countries within the US visa waiver programme – including the UK – must have procedures in place to enable the issue of all new passports containing biometric data for reading at US border control points (eg airports). The measures are contained within the USA Patriot Act and the Enhanced Border Security and Visa Reform Act 2002.

That said, this strengthening of US Homeland security in the wake of the September 11 2001 attacks is but one move involving biometrics.

A global biometrics standard
As chair of the British Standards Institution Committee IST 44 – a UK group that 'shadows' the work of International Standards Organisation Committee SC37 – Bob Carter revealed that current efforts towards the creation of global biometrics standards are "at an advanced stage". Indeed, it's hoped that several such standards will be introduced as early as next Spring.

Describing the scope of work involved, Carter stressed that efforts are focused on aspects such as the "standardisation of generic biometric technologies pertaining to human beings in order to support interoperability and data interchange among applications and systems."

Generic human biometric standards include common file frameworks, biometric application programming interfaces, the application of evaluation criteria to biometric technologies, methodologies for performance testing and reporting and biometric data interchange formats.

The latter of these is a brand new area of study being addressed by a Working Group that's looking into the likely practical use of finger patterns and images, facial recognition and iris recognition (the latter is already in use at Schiphol Airport to speed up the through passage of frequent flyers, regarded as 'low risk' passengers by immigration authorities).

In the UK, the British Airports Authority has conducted similar trials using iris recognition at Heathrow. Back in 2002 the SPT trial was operated in conjunction with BA and Virgin Atlantic.

Carter told the assembled hordes that the US wants to work towards the international standards currently being formulated, but if these aren't ready by October 2004 then in the meantime it's likely to adopt recommendations issued by the International Civil Aviation Organisation (ICAO) and NIST, the US technical standards body. US authorities may adopt fingerprint verification methods for visitors arriving as visa waiver country passport holders.

Outlining the timetable towards the global biometrics standard, Carter suggested that the next full meeting of ISO Committee SC37 will take place in September. Items on the agenda include two draft ISO standards: one is an interface standard, the other a file format standard.

"As an analogy," Carter told SMT after the conference session, "these are the railway tracks and stations infrastructure on which the actual trains, the biometrics themselves, will operate. Other ISO standards will also be produced, and they'll eventually all run in tandem as the overall biometrics standard."

Operating alongside ISO Committee SC37 are two other ISO Committees. SC17 is working on applying biometric technologies to cards and personal identification, such as credit and smart cards and machine-readable travel documents. It liaises in these efforts with bodies such as the ICAO. Meantime, Committee SC27 is examining how generic types of biometric technology might be protected using encryption or digital protection methods to prevent them from being 'hacked'.

Gerry Gardner – immediate past-chairman of the Association for Biometrics, a 50-member strong collaboration of users, suppliers, researchers, integrators, consultants and Government agencies – chaired the biometrics session. Asked by one delegate to name the best biometrics method, and the most accurate type of equipment, Gardner's response was interesting. He urged end users to initially define both what they are trying to achieve with the technology, and the problems they wish to resolve.

"A key issue is the performance of the biometric system," opined Gardner. "A 50% accuracy rate in terms of reading capability by the technology may actually be a viable business case if the system is user friendly within the operating environment involved. Don't miss certain solutions until you've considered all the variables, though."

Offering biometric assurances
Other session speakers included CESG biometrics programme manager Philip Statham, who examined the UK Government's approach to biometric security assurance.

When specifying biometrics for security, Statham pinpointed several central issues. "End users need to determine how biometric identification/verification can provide security for their applications," he stated. "How good does the identification/verification performance of the biometric system need to be to meet your security needs? End users must also assess how the security functionality could be undermined by an attacker, and provide appropriate counter-measures."

Professor Mike Fairhurst of the University of Kent – who chairs the Association for Biometrics' sub-committee on education – followed Statham with his paper on educating the public. Opinions on biometrics polarise at both ends of the spectrum, suggested Fairhurst, before stating that there's currently a "credibility gap" between public expectations and tangible, practical achievements for the technology.

How we bridge that gap lies partly in the level of knowledge among the general public as a path towards increased practical usage of biometrics-based systems.

"The public needs to know what biometrics can and can't do so that we might progress towards the wider, practical use of such systems," stressed Fairhurst.