Challenges in Using Biometric Technologies
GAO-04-785T, May 19, 2004
One of the primary functions of any security system is the control of people moving into or out of protected areas, such as physical buildings, information systems, and our national border. Technologies called biometrics can automate the identification of people by one or more of their distinct physical or behavioral characteristics. The term biometrics covers a wide range of technologies that can be used to verify identity by measuring and analyzing human characteristics--relying on attributes of the individual instead of things the individual may have or know. Since the September 11, 2001, terrorist attacks, laws have been passed that require a more extensive use of biometric technologies in the federal government. In 2002, GAO conducted a technology assessment on the use of biometrics for border security. GAO was asked to testify about the issues that it raised in the report, the current state of the technology, and the application of biometrics to aviation security.
Biometric technologies are available today that can be used for aviation security. Biometric technologies vary in complexity, capabilities, and performance, and can be used to verify or establish a person's identity. Leading biometric technologies include facial recognition, fingerprint recognition, hand geometry, and iris recognition. The Federal Aviation Administration (FAA), and subsequently the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA), have been examining the use of biometrics for aviation security for several years. TSA has three current pilot projects that will study the use of biometrics to enhance aviation security: the Transportation Worker Identification Credential (TWIC), registered traveler, and an access control pilot program designed to secure sensitive areas of an airport.
It is important to bear in mind that effective security cannot be achieved by relying on technology alone. Technology and people must work together as part of an overall security process. Weaknesses in any of these areas diminish the effectiveness of the security process. The security process needs to account for limitations in biometric technology. For example, some people cannot enroll in a biometrics system because they lack the appropriate body part. Similarly, errors sometimes occur during matching operations. Exception processing that is not as good as biometric-based primary processing could be exploited as a security hole. Further, non-technological processes for enrollment are critical to the success of a biometrics-based identity management system. Before a person is granted a biometric credential, the issuing authority needs to assure itself that the person is eligible to receive such a credential.
We have found that three key considerations need to be addressed before a decision is made to design, develop, and implement biometrics into a security system: (1) decisions must be made on how the technology will be used; (2) a detailed cost-benefit analysis must be conducted to determine that the benefits gained from a system outweigh the costs; and (3) a trade-off analysis must be conducted between the increased security, which the use of biometrics would provide, and the effect on areas such as privacy and convenience. Security concerns need to be balanced with practical cost and operational considerations as well as political and economic interests. A risk management approach can help federal agencies identify and address security concerns. To develop security systems with biometrics, the high-level goals of these systems need to be defined, and the concept of operations that will embody the people, process, and technologies required to achieve these goals needs to be developed. With these answers, the proper role of biometric technologies in aviation security can be determined.