Biometrics and Access Control in the Digital Age

The July 2000 elections in Mexico were historic for more reasons than the defeat of decades-long one-party rule. In a move ostensibly aimed at eliminating duplicate voter registrations and curbing electoral fraud, the country’s Federal Electoral Institute (IFE) contracted with MetaData, a Mexico City–based software integrator, and Visionics Corporation, a leading U.S. vendor of biometric identification technologies, to incorporate the Visionics FaceIt automated facial recognition system into the voter registration process. In their press release to the investor community, Visionics boasted that the IFE’s use of the FaceIt system was the first use of the technology on a national electorate.[1] Since then, other electoral agencies in Latin America and the Caribbean have followed suit, adding biometrics to often-combined voter enrollment and national identity card systems. New adopters of biometrics include federal electoral bodies in the Dominican Republic, Haiti and Panama. These technologies are also being integrated into travel documents and large-scale border and immigration control systems in the United States and a growing number of countries.

But what exactly are “biometrics” and how are they being used in voter registration, border control and other identification systems? And is the increasing use of these technologies by state agencies and other institutional actors cause for concern?

Broadly, biometrics are new digital technologies designed to automate the process of recognizing individual human beings. Biometric systems determine individual identities in part by digitizing unique body parts, such as faces, fingerprints and irises. But digitized body parts alone reveal little about identity. In order to identify an individual, the digitized body must be connected to other information about identity. Biometrics use computer algorithms to translate an image captured of a live person into a smaller amount of information, sometimes called a digital template, which can then be compared against images stored in a database or to information stored on identification documents.

Applications are typically divided into two different types: verification and identification. Verification involves one-to-one comparisons of biometric templates in order to verify the identity of an individual, answering the question, “Is this person who she claims to be?” Identification involves one-to-many searches against a database of images when the identity of an individual is unknown or in question, answering the question, “Who is this person?” The Mexican IFE used the FaceIt system primarily in the latter capacity, to search photographs of new voters against a database of already registered voters, as a means of preventing people from registering to vote under more than one name. Similar techniques are being applied to registration systems for driver’s licenses, national ID cards, visas, passports and other identification documents in Latin America, the United States and elsewhere.
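The two modes, and the duplicate-registration check built on the second, can be made concrete with a short sketch. This is an added example, not code from the article or from the FaceIt system: the templates are constructed random vectors standing in for real face templates, and the template length, threshold, record IDs and the one-in-a-million false match rate are all assumptions.

```python
import math
import random

DIM = 64          # template length (assumed; real systems differ)
THRESHOLD = 0.70  # similarity cut-off (assumed operating point)

def new_person(rng):
    """Constructed stand-in for the stable features of one face."""
    return [rng.gauss(0.0, 1.0) for _ in range(DIM)]

def capture(person, rng, noise=0.2):
    """One capture -> template; no two captures of a person are identical."""
    return [x + rng.gauss(0.0, noise) for x in person]

def similarity(a, b):
    """Cosine similarity between two templates, in [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def verify(probe, claimed_id, registry, threshold=THRESHOLD):
    """1:1 verification: 'Is this person who she claims to be?'"""
    enrolled = registry.get(claimed_id)
    return enrolled is not None and similarity(probe, enrolled) >= threshold

def identify(probe, registry, threshold=THRESHOLD):
    """1:N identification: 'Who is this person?' Returns candidates, best first."""
    hits = [(similarity(probe, t), rid) for rid, t in registry.items()]
    return [(rid, round(s, 3)) for s, rid in sorted(hits, reverse=True) if s >= threshold]

def register(record_id, probe, registry, threshold=THRESHOLD):
    """Enrol only if the 1:N search finds no existing record for this face."""
    candidates = identify(probe, registry, threshold)
    if candidates:
        return ("duplicate", candidates[0][0])
    registry[record_id] = probe
    return ("enrolled", record_id)

def chance_of_false_match(fmr, gallery_size):
    """P(at least one false match) when one probe is searched against N records,
    given a per-comparison false match rate fmr (comparisons assumed independent)."""
    return 1.0 - (1.0 - fmr) ** gallery_size

def demo(seed=7, n_voters=200):
    rng = random.Random(seed)
    # Constructed population and registry; IDs are hypothetical.
    people = {f"voter-{i:04d}": new_person(rng) for i in range(n_voters)}
    registry = {rid: capture(p, rng) for rid, p in people.items()}
    returning = people["voter-0042"]   # already registered
    newcomer = new_person(rng)         # not yet in the registry
    return {
        "verify_genuine": verify(capture(returning, rng), "voter-0042", registry),
        "verify_wrong_claim": verify(capture(returning, rng), "voter-0007", registry),
        "second_registration": register("voter-9999", capture(returning, rng), registry),
        "new_registration": register("voter-0200", capture(newcomer, rng), registry),
        "registry_size": len(registry),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    for n in (1, 10_000, 1_000_000):
        print(n, round(chance_of_false_match(1e-6, n), 4))
```

The last function shows why one-to-many search is the harder problem: at the assumed per-comparison false match rate, a single search against one million records has roughly a 63 percent chance of returning at least one wrong candidate, so large registries need human review of hits or a much stricter threshold.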

The potential uses of biometrics, however, extend beyond preventing duplicate registrations for identification documents. In the case of voter enrollment, for example, biometrics could be used to keep records on how individuals have voted. In fact, electoral authorities in Venezuela recently announced that they would abandon plans to use digital fingerprinting machines at polling sites, after criticism that the machines would allow government officials to do just that.[2] More broadly, the biometrics industry has been touting the great benefits of their newly commercialized products for a wide range of applications. Not only do proponents of biometrics suggest that they can rein in electoral fraud and make the voting process more democratic, they also posit that the technologies are capable of protecting financial transactions, monitoring employee time and attendance, securing borders, safeguarding computer networks and facilities, and identifying criminals and terrorists. Understanding the causes for concern about biometrics requires knowledge of the range of their current and potential applications, as well as the extent to which they represent a new development in identification systems.

Biometrics represent the latest innovation in a long history of technological efforts on the part of states and other social actors to identify and keep consistent records on their constituents, be they citizens, customers or employees. A parallel effort of state and especially law enforcement actors has involved distinguishing between “legitimate” and “problem identities,” with considerable attention directed toward excluding or otherwise targeting criminals, immigrants, political subversives, and other identities deemed threatening or deviant.

Since the latter part of the nineteenth century, several innovations have been applied to identification techniques, including photography, anthropometry, fingerprinting and standardized identification documents. As James Rule explained in his study of five bureaucratic surveillance systems in the late 1960s and early 1970s, the anonymity of large-scale societies, the mobility of persons within such societies and the time lapses in encounters between agencies and clients necessitated the proliferation of documentation, the crucial function of which was to “link people to their pasts.”[3] Indeed, modern societies are characterized to a significant extent by a “culture of identification” in which individuals are assigned official identities and routinely asked to verify those identities in a wide range of everyday transactions.

While the impulse of state agencies and other social actors to apply identification techniques as a means of managing their constituents is not an entirely new development, biometrics can potentially offer significant advancements. The sheer quantity of transaction data and other information about individuals that is generated and stored has increased exponentially in recent years, and biometrics promise to automate the process of binding that data to specific bodies. Whereas conventional identification documents required some measure of expertise and authority on the part of human agents responsible for reading the documents, machine-readable biometric identification documents delegate that authority to computer systems. In addition, conventional identification techniques did not involve real-time access to archives of information beyond identifying data stored on an identification document, and they were not as readily amenable to creating audit trails. The capacity for computers to read an identification document in many cases depends upon access to databases of information collected about individuals. Each time a computer scans a document and compares it to a live person, information about that transaction is created and can be stored in an individual’s record, enabling more meticulous tracking of people’s transactions and movements. Thus biometrics are fundamental components in the increasingly cybernetic quality of bureaucratic surveillance, enabling feedback loops of data collection and record keeping that remain bound to specific embodied identities.

Currently, there are about 400 players in the biometrics industry, including technology companies, resellers, original equipment manufacturers, system integrators and consultants.[4] By one estimate, the industry is poised to bring in $2.08 billion in revenues in 2006 and $3.8 billion in 2008, thanks in large part to massive deployments of biometric systems, such as the U.S.-VISIT entry-exit system and the worldwide move to biometric passports—mainly, at the insistence of the United States. Three types of technologies dominate the market: digital fingerprinting (48% of the market), facial recognition (14%) and iris recognition (10%).[5] Other types of commercially available biometrics include voice recognition, signature recognition and hand geometry. Digital fingerprinting and iris recognition systems have the highest accuracy rates, and facial recognition, while technically challenging, is thought to be more acceptable to subject populations because on the surface it seems to merely render existing, “natural,” and widely accepted techniques of identification—such as the use of photographic portraiture—into a new, more “hi-tech” form. Before the September 11, 2001, terrorist attacks, the U.S. Departments of State, Energy, Justice and Defense had already invested about $50 million in research and development for automated facial recognition technology alone, mainly through grants to universities and private companies. In addition, since 1996, the Defense Advanced Research Projects Agency (DARPA), a research arm of the Department of Defense, has been dispersing funds for an initiative called “Human ID at a Distance,” which aims to fuse multiple biometrics into one system, including voice, face and gait (an individual’s distinctive stride) recognition. The FBI has also had a controlling interest in the development of digital fingerprint technology.

Proponents of biometrics saw a major opportunity to capitalize on the emerging “homeland security” era, and in fact participated in the very construction of the strategies and programs that would define “homeland security.” Moreover, the interests of biometrics industry brokers to push their technologies after 9/11 translated well into the prevailing public policy and press response to the attacks, characterized by the frenzied turn to so-called “security experts” to speculate about the source of security failures and to provide recommendations for “stopping the next one.” The biometrics industry readily answered the call for expert knowledge of security issues and technologies, recommending their identification systems as the solution to the new terrorist threat. The spokespeople of the biometrics industry worked feverishly to promote biometrics as central components in new security systems and to situate themselves and their companies as “moral entrepreneurs” taking charge in a moment of national crisis. Industry brokers issued press releases, appeared in the press on a regular basis and testified before Congress on the benefits of their products. Most impudently, proponents of facial recognition technology repeatedly suggested that such systems could have prevented at least one if not all of the hijackings. But while 9/11 helped fuel deployments of biometric systems, interest in and development of these technologies precedes those events and extends beyond strictly defined state security applications.

Although biometrics have been in development since the 1960s (and in some cases before), they were relatively obscure technologies before 9/11. The U.S. response to the attacks was quickly realized as a boon for the biometrics industry, and the information technology (IT) sector in general. As the enthusiastic response of IT brokers clearly demonstrated, post-9/11 U.S. security provision would involve ventures aimed at maximum profitability, and the business of security would overlap considerably with the business of information technology. In fact, even before 9/11, the information and security sectors were so tightly integrated as to be virtually inseparable. Major players in the IT sector were hard at work developing different types of security systems, and both state and private-sector entities conventionally understood as security providers had long since integrated IT into all manner of security systems, leading an industry observer from Intelligent Enterprise to optimistically predict: “Homeland security spending will help fuel an IT recovery. IT solution providers may some day look back on the War on Terror and be grateful for the opportunities born out of turmoil.”[6] Such pronouncements not only articulated the overlapping dimensions and priorities of security and IT, but also expressed the self-evident logic of privatization that would define “homeland security” and the “War on Terror” in the United States.

Before terrorism became the main motivating force behind state pursuit of biometrics in the United States, immigration and border control vis-à-vis its neighbors to the south played a central role in making a case for the overwhelming need for the technologies. The integration of biometrics into state identification systems for border and immigration control began in the early 1990s with the development of IDENT—the biometric fingerprint system of the U.S. Immigration and Naturalization Service (INS). IDENT was aimed at the so-called revolving door phenomenon of undocumented border crossings by workers from the south. In 1999, U.S. federal authorities began integrating IDENT with the FBI’s Integrated Automated Fingerprint Identification System, the largest criminal identification system in the world, containing approximately 40 million fingerprint records.

The INS also began to institute biometric systems for identifying legal visitors to the U.S. during the 1990s. In 1996, the INS commenced the voluntary INSPASS hand-scan system for frequent business travelers. INSPASS, short for INS Passenger Accelerated Service System, was instituted as a voluntary service available to businesspeople traveling to the United States three or more times per year, with citizenship from Bermuda, Canada, the United States or one of the participating “Visa Waiver” countries—most of them Western European. In contrast, federal legislation made mandatory the use of biometrics with non-immigrant temporary visas issued to Mexican citizens, who have been subject to enrollment in the mandatory Border Crossing Card (BCC) program. In compliance with immigration reform legislation passed in 1996, mandatory temporary visas, or BCCs, are now issued to eligible Mexican citizens for temporary trips to the United States. The new “laser visas,” as they are sometimes called, contain individuals’ biographical data, a facial image, two digital fingerprints and a control number, and have been issued to over four million Mexican citizens. In addition to storing the information and images on the card, the U.S. State Department has developed a database of mug shot images of laser visa holders that was recently used as the test sample in a federally sponsored evaluation—the “Face Recognition Vendor Test 2002”—of state-of-the-art facial recognition systems in “real-world” situations.[7]

After 9/11, of course, the large-scale deployment of biometrics gained unprecedented momentum. Every major piece of post-9/11 U.S. federal “security” legislation included provisions for the adoption of biometrics, including the USA Patriot Act, the Enhanced Border Security and Visa Entry Reform Act, the Aviation and Transportation Security Act and the Homeland Security Act, which officially established the Department of Homeland Security and its duties. The Enhanced Border Security Act, in particular, mandated a number of significant changes to U.S. immigration and border control systems. Major components of the Act included the establishment of an automated entry and exit system for non-U.S. citizens traveling to and from the United States, and the integration of biometrics into border and immigration control systems. The Act also required visitors to the United States—starting with those from the U.S. “Visa Waiver” countries—to begin carrying with them machine-readable, biometric passports by October 2004 (a deadline that has since been deferred).

In response to this and other legislative mandates, the U.S. Department of Homeland Security (DHS) launched U.S.-VISIT in early 2003. Short for “Visitor and Immigrant Status Indication Technology,” U.S.-VISIT is the signature program of the newly established DHS, and is allegedly designed, in the words of then-Secretary Tom Ridge, “to keep terrorists out without compromising the welcoming mat.”[8] This new so-called welcoming mat would involve gathering digital photographs and fingerprints from all incoming non-U.S. citizens. In January 2004, the process of photographing and fingerprinting visitors to the United States began in earnest. Since then, the DHS has moved forward incrementally with the deployment of U.S.-VISIT, at great cost to taxpayers and a great profit to Accenture, the systems integrator that was awarded the contract to build the infrastructure along with a team of subcontractors. The U.S. General Accounting Office projected the U.S.-VISIT program will cost in the range of $10-20 billion over 10 years.[9] In addition to incorporating biometric enrollment and screening at ports of entry, the State Department has begun integrating the technologies into the visa application process at consular offices abroad.

In the most visible international statement of contempt for U.S.-VISIT, a Brazilian court order subjected all U.S. citizens entering Brazil to the same process. The Brazilian judge issuing the order considered the process “absolutely brutal, threatening of human rights, violating human dignity, xenophobic and worthy of the worst horrors committed by the Nazis.”[10] Despite the contempt with which it was ordered, Brazil’s response was an early indicator of the increasingly global adoption of biometrics, driven by U.S. “homeland security” policy. U.S. “Visa Waiver” countries are moving forward to integrate biometrics, including digital fingerprints and facial templates, into new, machine-readable passports, and some countries, like the United Kingdom, are incorporating iris templates in their ePassports as well. The International Civil Aviation Organization has developed the technical standards for ePassports. While the documents themselves look similar to conventional passports, they contain an embedded microchip on which biometric and other data are stored. The chip uses radio frequency identification technology, communicating with passport readers without having to be swiped or directly scanned, although according to the technical standards, the chip has to be within 10 centimeters of the sensor to be read. The State Department insists that the ePassports “will not permit ‘tracking’ of individuals.”[11]

While there are ways to limit the tracking potential of biometric technologies, there is a clear impulse toward the use of these technologies to create ubiquitous surveillance and identification. One biometric application with considerable potential to advance institutionalized forms of social control involves the integration of computerized facial recognition with video surveillance, or closed-circuit television (CCTV). This would enable areas covered by surveillance cameras to be monitored by automated systems for recognizing faces stored in databases. This convergence of technologies, known as “smart surveillance” or “smart CCTV,” is still at a relatively experimental stage. Developers have attempted to deploy “smart CCTV” in a handful of urban centers, airports, casinos, and other privatized and militarized spaces, but with limited or no success. Nonetheless, the vastly growing use of CCTV systems by state security, private sector and law enforcement actors has created a clear need for automated surveillance in the eyes of law enforcement, military and private security actors. Expanding uses of video surveillance systems have created a situation where “the volume of data (in terms of video screens, alarms, tracks, etc.) is far outstripping the number of operators available to monitor the data.”[12] And while “smart surveillance” systems have yet to be proven workable, government agencies, research universities and private interests continue to invest in the research and development of automated image processing techniques.

These efforts to merge biometrics with more complex automated vision technologies, as well as with the increasingly cybernetic quality of administrative surveillance, complicate debates about the social and political implications of these technological transformations. Most discussions of their implications point to the potential of the new technologies to enable more intense infringements on individual privacy, not least because biometrics take aim at the human body. However, biometrics are “privacy-invasive” not so much because they reveal something about the inherent qualities of human bodies; even DNA identification technologies reveal little in this regard. Rather, biometrics are “privacy-invasive” because they are a critical component in larger networks, or assemblages, for the ubiquitous identification of individuals. Identification is always both an individualizing and classifying process, and thus biometrics are at once an individualizing and a classifying technology.

“Privacy” has come to have a central place in virtually every discussion about the deployment of biometric systems, whether for border security, law enforcement, e-commerce or other types of applications. But “privacy” is never an absolute right, nor does it address the question of social classification inherent in identification practices. Corporate Web sites are replete with “privacy guidelines” that ostensibly govern how biometrics systems should be configured and used. The biometrics industry itself has recognized the need to address privacy issues, albeit in their efforts to secure “public acceptance” and to avoid restrictive state regulation. What the biometrics industry does not seem to value, however, beyond its own self-interest, is a fundamental and inviolable right of individuals and groups to be free of the structural inequalities and forms of differential access that biometric systems are largely designed to support. Unfortunately, the value of privacy is deeply tied to liberal tenets of individualism, and thus it is a wholly compromised way of addressing these structural inequalities. It is easily incorporated into the biometrics industry’s own neoliberal framework of self-regulation.

In an interview with ID World, one biometric industry representative was asked why Latin American countries were so readily embracing biometric technologies. He replied, “It has a small population of people who are the ‘haves,’ and a large population who are the ‘have nots.’ The ‘haves’ are willing to pay for security.”[13] As this statement unabashedly reveals, biometric identification systems are being designed to support and maintain existing social inequalities. Facial recognition and other biometric technologies for automatically binding bodies to identities are playing a central role in the effort to expand and govern information networks in the service of global capitalism. They represent the latest attempt to systematize the documentation of individual identity, this time to serve the identification and access control needs of the expanding networks of transnational capital. The aim is to automate the process of connecting bodies to identities and to distribute those identified bodies across computer networks for specific purposes—namely, to control access to the benefits of citizenship, to the national territory, to information, to computer networks themselves, to transportation systems, and to specific spaces of consumption and safety.

The technologies are designed to create greater ease of access for some, and more difficulty of access for others, depending on their location in “the pyramid of entitlement claims” of the information society.[14] The access-privileged classes on the top of the pyramid, including a global elite of business and tourist/consumer citizens, enjoy greater convenience, mobility and security along with the widespread deployment of new surveillance and identification technologies. Those on the bottom—a vastly larger number of people, heavily represented by those from the global south—are further inconvenienced, immobilized and insecure.

Notes
1. “Mexican Government Adopts FaceIt® Face Recognition Technology to Eliminate Duplicate Voter Registrations in Upcoming Presidential Elections,” Identix press release, May 11, 2000. Visionics was renamed Identix after a merger.
2. Juan Forero, “Chávez’s Grip Tightens as Rivals Boycott Vote,” New York Times, December 5, 2005.
3. James Rule, Private Lives and Public Surveillance (London: Allen Lane, 1973), p. 28.
4. “2004 Market Review,” Biometric Technology Today, January 2005, p. 9.
5. International Biometric Group, in “2004 Market Review,” Biometric Technology Today, January 2005, p. 9.
6. Seth Grimes, “Shared Risk, Shared Rewards,” Intelligent Enterprise, September 1, 2003, p. 28.
7. P. Jonathan Phillips, Patrick Grother, et al., “Face Recognition Vendor Test 2002: Overview and Summary,” March 2003. See p. 2, third paragraph: “The images were provided from the U.S. Department of State’s Mexican non-immigrant Visa archive”; and p. 14, under “Acknowledgements”: “The authors extend their thanks to: The Department of State, specifically Travis Farris for allowing NIST to use the Mexican nonimmigrant visa images for FRVT 2002…”
8. Philip Shenon, “New Devices to Recognize Bodily Features on Entry into the U.S.,” New York Times, April 20, 2003.
9. Patience Wait, “GAO Sees Rising Risks in U.S. Visit,” Washington Technology, October 10, 2003.
10. Elaine Sciolino, “World Opinion is Fragmented on Tighter Security for Visitors,” New York Times, January 7, 2004.
11. U.S. Department of State, “Public Notice 5208: Electronic Passport,” October 20, 2005.
12. U.S. Homeland Security Advanced Research Projects Agency, “Broad Agency Announcement 04-05: Automated Scene Understanding, Proposer Information Pamphlet,” April 12, 2004, p. 4.
13. “Latin America Does the Identification Card Tango,” ID World, Vol. 1, No. 8, January 2000, p. 38.
14. James Boyle, Shamans, Software, and Spleens: Law and the Construction of the Information Society (Cambridge, MA: Harvard Univ. Press, 1996), p. xiii.

About the Author
Kelly Gates is an assistant professor in the department of media studies at Queens College of the City University of New York (CUNY).