image: Mark Stroud

Terrorism and the Biometrics Hustle

Will biometrics really keep us “safe”?

Hours after a bomb went off in a dumpster in the Chelsea neighborhood of New York City on September 17, another threat was found nearby. It was a pressure-cooker, packed with explosives. In short order, according to news reports, police disabled the homemade bomb, found a fingerprint on it, and also retrieved surveillance video featuring a man who’d been near the Chelsea site before the dumpster bomb went off. By Monday morning—less than 48 hours after the first explosion—police had caught up with their suspect, 28-year-old Ahmad Khan Rahami. They arrested him after a shoot-out in Linden, N.J.

Was it routine police work that brought Rahami down? For public relations consultant David Menzies, it was more than that. Just after Rahami’s arrest, Menzies wrote a guest post on the industry website BiometricUpdate.com, noting the significance of that fingerprint and video surveillance image. Menzies’s LinkedIn profile indicates he has worked on behalf of Integrated Biometrics, which makes mobile fingerprint sensors that police departments throughout the country can use to tap into the FBI’s large archive of biometric identifiers, which includes not just fingerprints but also face images and DNA profiles. How, Menzies wondered in his blog post, might public attitudes toward the emerging biometric technology industry be shaped by news of foiled plots like the one in New York?

News reports didn’t reveal—nor did Menzies—exactly what facial-recognition methodology law enforcement used to zero in on Rahami. Still, Menzies, a former newspaper editor, took it as a given that “nobody in the general public is going to argue against using fingerprint, voice, iris, or facial recognition to catch bad guys.” His question for the industry is broader: How might people begin to appreciate “the many other things biometrics can do to make our lives easier and safer when you start talking about sharing biometric data”? Privacy is a legitimate concern, Menzies conceded. But the biometric sector could find ways to “pitch the concept of the public being in control of its biometrics, with an industry wanting to work with them, not against them.”

A lot of the forecasts in science fiction have proven to be off the mark; not so with the use of biometric identifiers. For example, we are at a point where the government wants to—and can—map the unique vascular composition of our hands. Aware that public opinion is against innovative intrusions, the biometrics industry is waging a campaign to soften the reputation of its new technologies. This summer, for example, the International Biometrics Industry Association (IBIA) summarized eleven surveys on public perception of biometric technology. They found that people were more willing to share their information if the technology was framed as a matter of convenience—using fingerprint scanners or voice recognition instead of passwords at the bank, for example—or as a one-time security measure, like submitting to biometric identification before boarding an international flight.

Yet the lax privacy standards and secrecy about how biometric information is stored should be part of the discussion, too. Earlier this year, an agency in the Department of Commerce that oversees national telecommunications and information services convened a meeting with the IBIA to establish a set of “best practices” for how companies should maintain transparency. The non-binding document they came up with suggests that companies inform subjects of when biometric data is being collected and of how long that information is archived. And, according to a disclaimer in the document, even these loose guidelines don’t apply when law enforcement is using biometric technologies. That matters because lucrative government contracts are the jewels of the security industry: Congress budgeted $282 million for the Office of Biometric Identity Management—a division within the Department of Homeland Security—for the 2016 fiscal year.

Among the surveys the IBIA analyzed, some may be skewed by self-interested parties. The corporate consultancy firm Accenture purported to have found that “the majority of citizens surveyed . . . in six countries” were willing to share their biometric information at border crossings. The IBIA also quotes Accenture technology architect Mark Crego, who marveled at the “huge change in public opinion” about engaging with biometric technology. But Crego and Accenture are far from neutral observers. In 2004 Accenture won a $10 billion contract from the Department of Homeland Security to build the US-VISIT program, a biometric initiative to track all non-citizens entering and leaving the country—and Crego was the program’s chief architect. The company was rewarded with another contract in 2011 to expand US-VISIT into the Office of Biometric Identity Management. And in 2012 it was assigned the task of creating a pilot program for detecting national health emergencies by monitoring social media analytics.

A true public education campaign would need to convey the vast scale on which biometric technology initiatives must operate in order to succeed. Even the Government Accountability Office was concerned after it investigated the FBI’s Next Generation (NGI) system, which includes a two-year-old database that holds hundreds of millions of biometric records. In May, the GAO criticized the FBI for not publicly disclosing details about the system, including the fact that it contained driver’s license photos from registries in 16 states. This alone puts the FBI in possession of 173 million photos.

While the NGI registry is the largest domestic repository for citizens’ biometric information, non-citizens have had their information kept on file since the creation of US-VISIT in 2004. The program initially captured and stored fingerprints only from visiting foreign nationals, but by 2009 it was expanded to include all lawful permanent residents as well. Now the Office of Biometric Identity Management (OBIM) captures the facial data of all foreign nationals entering and leaving the country. This year, Customs and Border Patrol began to pilot iris scanners at the busy Otay Mesa port of entry, the border checkpoint connecting San Diego and Tijuana, where non-citizens’ ocular data is captured and stored in the OBIM’s database for cross-comparison with the records of other federal, state, and local law enforcement agencies. This information, like all information stored in the OBIM, is easily accessible by agencies throughout the country. The power to match records across agencies—known internally as “interoperability”—is where the government sees the true potential of biometrics; thus the drive for ever-larger volumes of data.

Did such records play a role in the capture of Ahmad Khan Rahami? Law enforcement officials acknowledged to CBS News that Rahami’s identity was confirmed with a photo culled from an “immigration photo database,” which could possibly mean from the OBIM—though Rahami, as a naturalized citizen who wasn’t on the terror watch list, shouldn’t have been in that database. But if proponents of enhanced security have their way in the near future, it may be impossible to avoid the long reach of an ever-expanding national dragnet.

Aaron Cantú is a journalist based in New York City and a contributor to the forthcoming book Who Do You Serve, Who Do You Protect? Police Violence and Resistance in the United States (Haymarket, 2016).