Biometrics use human traits, such as the unique characteristics of an iris, to identify a person rather than easier to forge credentials like usernames and passwords. (Sgt. Michael J. MacLeod)
The stuff of science-fiction already is a reality at some agencies, where the use of biometrics — think iris scans, palm prints, voice identification — is either in place or under development. But are biometrics the answer to the identity management problems the government is struggling to solve?
Identity theft plagues the American public, most commonly through stolen fraudulently acquired credit or debit cards. But fraud and theft aren’t just commercial problems: At the Internal Revenue Service alone, more than $5.2 billion in erroneous tax refunds are sent out because of identity theft, according to an IRS official.
The pressure is on the federal government to find identity management solutions as citizens increasingly demand the same easy-to-consume, online services from agencies that they get from their banks or credit card companies. That pressure forces federal officials to strike a balance between opening themselves up to risk by putting sensitive information online and meeting citizen demand for access.
“If somebody steals your identity and then they file your tax return using that identity, that tax return is going to go to them. Identity theft is not the same for the IRS as it is for other agencies,” said Alan Duncan, assistant inspector general for security and IT services with the Treasury Inspector General for Tax Administration. “Identity management is really key if you’re talking about trying to [connect] every citizen who has an interest in talking to the IRS. If you want to check your payments, get a transcript to support your mortgage ... you should be able to do that just like you do with your bank account, when you look at your account and reconcile it and make sure everything is in order. That’s not possible today.”
Some say with biometrics that kind of access could be possible. Paul Hunter, deputy chief of the biometrics division of the Homeland Security Department’s Citizen and Immigration Services, points to DHS’ National Strategy for Trusted Identities in Cyberspace and Office of Biometric Identity Management, formerly US-VISIT, as prime examples of federal use of biometrics for citizen services.
“If you go back to where we used to be, pre-9/11 … the immigration process, naturalization process, you used to see lines around buildings of people trying to get their benefits. You don’t see that, and one of the reasons for that is we’ve really taken a look at and kind of segmented the establishment of identity, compartmentalized that out and made it a federal responsibility,” Hunter said. “You used to have to go to a kind of mom-and-pop store. Now we have across the country 137 application support centers that are really biometric enrollment stations. We service about 3.4 million people a year and we’re in every state. And basically we establish identity. That’s the answer: It’s biometrics.”
The need for identity management solutions goes beyond just making services easy and convenient for consumers. With billions in losses to identity theft continuing to mount, the IRS is actively looking for ways around the cumbersome processes required to get basic but sensitive information, such as when a tax refund was issued or financial transcripts required for mortgages.
“You can get [that information] now through the website if you provide all kinds of personal things: name, Social Security number, date of birth, filing status, street address from most recent return,” Duncan said. “All this personal information you have to communicate — there has to be a better way. So we’re continuing to look at that.”
Other agencies are pressing forward with biometrics initiatives. The FBI continues to build out its controversial Next Generation Identification program, a biometric database that will “will offer state-of-the-art biometric identification services and provide a flexible framework of core capabilities that will serve as a platform for multimodal functionality,” according to the FBI website. The program targets terrorism and criminal activities, as well as privacy and data protection. It’s also set to be used for both law enforcement and non-law enforcement purposes, and available to a variety of agencies and companies, according to the Electronic Privacy Information Center.
But the FBI’s NGI program — and the government’s use of biometrics writ large — raises serious concerns, particularly over privacy. Many of the biggest NGI worries center on the FBI’s use of facial recognition technology, but any biometric data can present an issue, especially if compromised — defeating the intended goals of agencies like the IRS.
“Biometric data is personally identifiable information that cannot be changed if it is compromised. Improper collection, storage and use of this information can result in identity theft, inaccurate identifications, and infringement on constitutional rights,” EPIC privacy advocates wrote on the organization’s website spotlighting NGI. “The increased centralization of biometric data through NGI and the increased standardization of biometric data collection increases the risk of security breaches and mission creep.”
Duncan admits public hesitance to hand over individual biometric data is a major hurdle — and citizens aren’t the only ones worried about having personal information put online.
“This all starts to make a question mark, and it’s on two sides: on the population and their acceptance of something like biometrics or some other type of identification, and on the agencies’ willingness” to take on the responsibility of biometric data, Duncan said. “On the security side there’s a reluctance on agencies’ part to [provide] this level of security if we’re going to open up your accounts to the Internet. That really becomes the question: How do we do that in a secure manner?”
It’s not just the IRS that must grapple with these issues. Across the government, many agencies are working to figure out if biometrics holds the key to their own identity management challenges; perhaps the biggest obstacle is finding a uniform approach.
“I do believe that we’re going to have to come together as a whole, maybe the CIO community coming up with a standard and agreed-upon way of moving forward. Maybe that’s biometrics; maybe that’s one-factor, two-factor, three-factor authentication; maybe that’s [personal identification number] codes; maybe it’s [information] that only I would know and that changes around ... maybe it’s things like that in combination together,” said Jim Jackson, deputy assistant inspector general for investigations at U.S. Treasury Inspector General for Tax Administration. “Every agency has their own fiefdom where the CIOs know how they want things to run and they think they have a good handle on things ... coming up with a standard mechanism is tough.”