[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS: PART II
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JUNE 19, 2013
__________
Serial No. 113-37
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
81-804 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                   ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                   Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee          CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina      ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio                          Columbia
JASON CHAFFETZ, Utah                    JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                   WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma                STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan                  JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona                  GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania            JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee             MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina                Pennsylvania
BLAKE FARENTHOLD, Texas                 MARK POCAN, Wisconsin
DOC HASTINGS, Washington                TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming              ROBIN L. KELLY, Illinois
ROB WOODALL, Georgia                    DANNY K. DAVIS, Illinois
THOMAS MASSIE, Kentucky                 PETER WELCH, Vermont
DOUG COLLINS, Georgia                   TONY CARDENAS, California
MARK MEADOWS, North Carolina            STEVEN A. HORSFORD, Nevada
KERRY L. BENTIVOLIO, Michigan           MICHELLE LUJAN GRISHAM, New Mexico
RON DeSANTIS, Florida
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Government Operations
JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan                   GERALD E. CONNOLLY, Virginia
MICHAEL R. TURNER, Ohio                   Ranking Minority Member
JUSTIN AMASH, Michigan                  JIM COOPER, Tennessee
THOMAS MASSIE, Kentucky                 MARK POCAN, Wisconsin
MARK MEADOWS, North Carolina
C O N T E N T S
----------
Hearing held on June 19, 2013
WITNESSES
Mr. Charles H. Romine, Director of the Information Technology
Laboratory, National Institute of Standards and Technology,
U.S. Department of Commerce
    Oral Statement
    Written Statement
Mr. Steven Martinez, Executive Assistant Director of the Science
and Technology Branch, Federal Bureau of Investigation, U.S.
Department of Justice
    Oral Statement
    Written Statement
Mr. John Allen, Director of the Flight Standards Service, Federal
Aviation Administration
    Oral Statement
    Written Statement
Ms. Colleen Manaher, Executive Director of Planning, Program
Analysis and Evaluation, Office of Field Operations, Customs
and Border Protection, U.S. Department of Homeland Security
    Oral Statement
    Written Statement
Ms. Brenda Sprague, Deputy Assistant Secretary for Passport
Services, Bureau of Consular Affairs, U.S. Department of State
    Oral Statement
    Written Statement
APPENDIX
Biometric IDs for Pilots and Transportation Workers: Diary of
Failures
FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS: PART II
----------
Wednesday, June 19, 2013
House of Representatives
Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 9:30 a.m., in
Room 2154, Rayburn House Office Building, Hon. John Mica
[chairman of the subcommittee] presiding.
Present: Representatives Mica, Meadows, Turner, Massie,
Issa, and Connolly.
Staff Present: Alexia Ardolina, Majority Assistant Clerk;
Molly Boyl, Majority Senior Counsel and Parliamentarian; John
Cuaderes, Majority Deputy Staff Director; Linda Good, Majority
Chief Clerk; Ryan M. Hambleton, Majority Professional Staff
Member; Mitchell S. Kominsky, Majority Counsel; Mark D. Marin,
Majority Director of Oversight; Laura L. Rush, Majority Deputy
Chief Clerk; Scott Schmidt, Majority Deputy Director of Digital
Strategy; Peter Warren, Majority Legislative Policy Director;
Jaron Bourke, Minority Director of Administration; Adam
Koshkin, Minority Research Assistant; Safiya Simmons, Minority
Press Secretary; and Cecelia Thomas, Minority Counsel.
Mr. Mica. Good morning. I would like to call this hearing
to order and welcome everyone to the Subcommittee on Government
Operations. Mr. Connolly and I appreciate your being with us.
The topic of today's subcommittee hearing is Federal
Government Approaches to Issuing Biometric IDs, and this is
actually the second part. We had hoped to get everybody on one
panel and we discussed primarily the TWIC card and its
shortcomings at the last hearing. This hearing focuses on some
of the other Federal agencies that are producing identification
and credentialing, primarily for Federal workers and others in
transportation and others who seek access to what should be
secure areas or facilities.
So, with that being said on our topic today, welcome our
witnesses. We will hear from you in a minute. We will start
today's proceedings and the order of business will be, first,
opening statements by myself and Mr. Connolly and any other
members that join us. I see Mr. Massie has joined us too. Our
subcommittee will then hear from the witnesses. We will hear
from all the witnesses and then we will take some time to do
questions. We will wait until we have heard from all of the
witnesses to do that.
We have an important mission statement. I won't read the
whole thing today, but we have a responsibility to ensure that
the obligations to taxpayers are met; that we carefully review
the performance of various Government programs. You have
authorizers and you have appropriators, and they have their
mission. Early on in our Government they created this committee
and its predecessor to review how agencies and Government
entities were following through with both the intent of the law
and then the manner in which funds have been appropriated, and
that is the purpose of the Government Oversight and Reform
Committee, general purpose.
Again, today, having been involved in this whole process
since 9/11, the good Lord somehow put me in charge of aviation
back in 2001, early in the year, and little did we know what
would happen with 9/11 and all the aftermath of 9/11. I had the
obligation and responsibility to put together some programs and
try to make certain that we put in place mechanisms for the
best security possible.
One of the things that we looked at was credentialing and,
of course, when we started back in 2001, after creating TSA and
looking at some of the other needs, try to make certain that we
had exact identifications of those who were involved in
transportation and accessing secure facilities. We immediately
saw the need for some standards and it was back in 2004 that
President Bush actually issued a directive and set some
standards, and those are still in place today, it was Homeland
Security Presidential Directive 12, and the issuance of that
set standards that are supposed to prevail today.
Unfortunately, many agencies have not made significant progress
in implementing the biometric standards.
We are going to hear from the agency that actually sets
those standards. I am very concerned that time and time again,
and in previous hearings, I have been promised that the
standards are just about to be set, just going to be a matter
of months. In fact, maybe the staff can get me the last
commentary.
Now I am told that the last person that testified and told
me that it was just a matter of months before those standards
are set is now retiring from the Federal workforce, so probably
the first question I will have for her replacement is when do
you plan to retire. But, again, without those standards being
set, sometimes the agencies who are testifying before us are
left in the lurch without a standard set by the Federal
Government.
A dual biometric measure is something we have always sought
after, and that is in the form of both fingerprints and also
iris. If you have those two biometric measures, you can almost
guarantee that the person with the credentialing is that
person.
We will hear also from, I believe, one of the witnesses
about the ability to abuse credentialing and some of the
problems even with using fingerprints as a sole source of
identity.
We looked at the TWIC program, and let me run through some
of the programs that we have pretty quickly. I think Mr.
Connolly may recall some of the testimony. We spent over half a
billion dollars on a TWIC card. We have issued more than 2
million of them. Now we are reissuing some of them. The TWIC
card does not have full biometric dual capability; it has some
fingerprint capability. Unfortunately, it also does not have a
reader.
And most recently we got a request to maybe do away with a
requirement for readers. So we spent half a billion dollars on
a pretty expensive ID program that could have been done at a
fraction of the cost. It almost defies reason that we could go
this long, not produce a card that could be used, and still
don't have a biometric standard or incorporation of that
capability in the TWIC card, and we are on our second set of
issuing these expensive I call them college IDs, as any college
kid could produce probably the same thing off of his computer.
We have gone around and around with the FAA on a pilot's
license. Some of you may recall that in the past, in fact, in
law, we set a pilot's license, which used to be a little folded
piece of paper, we set in law that it had to be durable, it had
to have a biometric capability, and it had to have a photo of
the pilot on it.
Lo and behold, several years ago a pilot approached me and
said, have you seen the new pilot's license? Where is the new
pilot's license? And the pilot's license was durable. I have
one of these here. It was durable. The strip was not really
biometric capable. In fact, anything in your wallet, any credit
card would have better capability than the biometric capability
of the card.
You see the front of the card up there; I have the back of
the card. The only pilot photo on the card were Wilbur and
Orville Wright. This is not a joke; this is what we have for a
pilot's license. So we still don't have a credential for a
pilot, a commercial pilot. This is what we have.
Now, last week, when we did our hearing out in Dayton, you
weren't there, I actually had a chance to go to the Wright
graveyard.
Mr. Connolly. Believe me, I wanted to be in Dayton.
Mr. Mica. Yes. Well, I went to the Wilbur and Orville
Wright graveyard. Their tombs are here. Both of these pilots
are dead; I can confirm it. I have been to the site, quite
interesting, if you ever get out to Dayton. It is in Mr.
Turner's, who is a member of our committee, his district. But
the only pilots on this license produced to this date are
Wilbur and Orville Wright, certifiably dead.
So that is the pilot's license. And when you talk to FAA,
they say, well, DHS has to set the standards and TSA, and then
they point to, again, the National Standards Bureau, who hasn't
set a standard. And, again, that lady is retiring, so we will
talk about that in a few minutes.
We have 924,000 airport workers, all who have various forms
of credentialing; none of it standard, none of it, again, with
full biometric capability, maybe one or two of them may have
incorporated. We don't even know. TSA has started a pre-check
program and I have had an experience with that personally. I
was able to get on, my wife was not able to get on.
I don't want to complain about that, but I guess it is
based on the number of miles that you have. I understand they
have a pre-check lite, which is going to be interesting, so you
don't have to have quite as many miles. But even if you have
that capability, and it is encoded in your boarding pass, you
still do not have any credentialing, and you don't know for
certain who the person is who has the pre-checked clearance. I
could thwart the pre-check in a nanosecond, and anyone who is
intent on imposing a terrorist act could do the same.
Then, again, our own personal experience, and I have to
relay this to the committee, is my wife couldn't get in
pre-check, so they said go Global Entry. So after waiting a long
time and paying the fee, which we did, she finally got her
Global Entry. There are 734,000 people she has joined with
Global Entry.
And she got her card and proudly displayed it, but found
out that the form to apply was not properly crafted to get the
information needed, so her middle name, which is Evelyn, is on
her Global card, but it doesn't match her passport, which has
her maiden name. So, again, she has a card with fingerprints,
with no iris, and you have conflicting documents.
Of course, the passport, and I remember beating years ago
with the passport folks, trying to get them onboard to have
dual identity. They produced that without that capability. So
we have millions of passports issued, again, without dual
biometric capability.
We also have NEXUS with 850,000 people; no bio. We have
FAST; I guess it is a trucker and cargo program; 80,000, no
bio. We have dual bio. We have three quarters of a billion air
travelers to go through with various documents, driver's
license and any kind of public ID, most of which, again, can be
easily forged and used in an improper manner.
There is a little bit of good news. The private sector has
produced a CLEAR card. Do we have a CLEAR card? This actually
has a biometric. Now, it doesn't have a standard. I guess TSA
or somebody must have checked off on a CLEAR card, but it is
not the standard set by the Federal Government or a standards
agency, but it has a dual biometric capability.
One of our subcommittees visited, a year or so ago, Canada,
and since 2007 they have had, it is called RAIC, Restricted
Area ID Card, and all of their airports and airport workers,
personnel across Canada, 28 airports, about one-tenth of what
we have in size, but they all have dual biometric credentialing
and it also has different standards for entry and clearance;
and they have had that in place since 2007.
So that is a little bit of background. We have spent
billions of dollars on these credentialing. I think we have
left ourselves at risk. We don't know who is coming and going,
whether it is passengers, airport workers, transportation
workers, pilots. But we have spent an incredible amount of
money and it is absolutely mind-boggling that we do not have,
at this stage, proper credentialing or anything that even comes
close to complying with the intent of Congress or some of the
standards that were set back in 2004.
So a little bit of a long introduction, but some of the
information and background that I wanted to cover this morning.
Mr. Connolly?
Mr. Connolly. Thank you, Mr. Chairman, and thank you for
your passion on this subject, which is quite evident, and it is
important.
You referenced our first hearing on this subject and I
remember it quite visibly, and this is a topic that demands
much more attention. At our previous hearing we talked about
the failure of the TWIC program and we talked about programs
that worked. The chairman just cited the CLEAR card in the
private sector, but in Afghanistan and Iraq millions of
contractors and civilian personnel have been issued ID cards
that work; very few of the incidents of people being able to
misuse those cards and breach security.
If we can do it in the theater of war, why can we not
replicate that, or at least the best elements of that, here at
home? And the failure to do so is an ongoing source of
distress, I hope for you and certainly for us up here.
So I really want to have a dialogue this morning, Mr.
Chairman, about what can we do to ramp this up and make it
efficacious. Something that doesn't violate people's privacy or
civil liberties but, on the other hand, protects the Country
and is more efficient than the current systems we have of
screening mass members of citizens and transport modes
throughout the Country, including airports.
So I am looking forward to your testimony and I very much
want to hear ideas. I will say, parenthetically, the chairman
noted that we had a witness who made assurances about deadlines
being met and things happening. She had to know she was
retiring. She had to know that she wouldn't be accountable
after that hearing.
And that is disappointing because this is about the
Nation's security and we are all actually on the same team
trying to get at what works and what doesn't, and, frankly,
that kind of behavior is most disappointing, if not
disingenuous, and I would hope it would be avoided in the
future.
Anyway, with that, I look forward to the testimony this
morning and working with our colleagues in the executive branch
to try to resolve this issue for the sake of security of the
Country.
Thank you, Mr. Chairman.
Mr. Mica. Thank you, Mr. Connolly.
All members may have seven days to submit opening
statements for the record.
Now we will go to our first panel. I guess we have two
panels today. Oh, it is all one? Okay. You are the first and
only.
Mr. Charles Romine is the Director of Information
Technology Laboratory with the National Institute of Standards
and Technology; Mr. Steven Martinez is the Executive Director
of the Science and Technology Branch with the Federal Bureau of
Investigation; Mr. John Allen is the Director of the Flight
Standards Service with the Federal Aviation Administration; Ms.
Colleen Manaher is Executive Director of Planning, Program
Analysis, and Evaluation with Customs and Border Patrol; we
have Ms. Brenda Sprague as the Deputy Assistant Secretary for
Passport Services in the Department of State.
Now, part of this committee's work, or most of this
committee's work is investigative. We do, as part of our
procedure, swear in our witnesses, so the first thing we are
going to do is ask you to stand, raise your right hand.
Do you solemnly swear or affirm that the testimony you are
about to give before this subcommittee of Congress is the whole
truth and nothing but the truth?
[Witnesses respond in the affirmative.]
Mr. Mica. All of the witnesses answered, the record will
reflect, in the affirmative.
Well, welcome today. We are going to start with Mr. Charles
Romine, Director of Information Technology Laboratory at the
National Institute of Standards and Technology.
Mr. Connolly, Mr. Romine is the replacement for Ms. Cita
Furlani, and she testified before the House Transportation and
Infrastructure Committee on April 14th, 2011, but by the end of
that year, in fact, there is a question here, it says by the
end of the year she would have the standards available, and she
said, oh, yes, yes. Now, I guess I can't hold her in contempt
since she is retired, but we have Mr. Romine here today to
update the committee on not only this time was I told that
these standards were right around the corner, but several other
times, and we can document that.
This will be made part of the record. Without objection, so
ordered.
Mr. Mica. So we will hear from you first, sir. Welcome and
you are recognized.
STATEMENT OF CHARLES H. ROMINE
Mr. Romine. Chairman Mica, Ranking Member Connolly, and
members of the subcommittee, I am Chuck Romine, Director of the
Information Technology Laboratory at NIST. Thank you for the
opportunity to appear before you today to discuss the NIST role
in standards and testing for biometrics.
NIST has nearly five decades of experience in proving human
identification systems. NIST responds to government and market
requirements for biometric standards by collaborating with
Federal agencies, academia, and industry to support development
of biometric standards, conformance testing architectures and
tools, research advanced biometric technologies, and develop
metrics for standards and interoperability of electronic
identities.
NIST research provides state-of-the-art technology
benchmarks and guidance to U.S. Government and industries. To
achieve this, NIST actively participates in Federal biometric
committees and national and international standards developing
organizations.
Biometric technologies can provide a means for recognizing
individuals based on one or more physical or behavioral
characteristics. These can be used to establish or verify
personal identity of enrolled individuals. By statute and
administrative policy, NIST encourages and coordinates Federal
agency use of voluntary consensus standards and participation
in the development of relevant standards, and promotes
coordination between the public and private sectors in the
development of standards and conformity assessment activities.
NIST collaborates with industry to develop a consensus
standard that is used around the world to facilitate
interoperable biometric data exchange. The standard is evolving
to support law enforcement, homeland security, forensics, and
disaster victim identification.
Internationally, NIST leads development of biometric
standards that have received widespread market acceptance. Use
of these standards is mandatory by large international
organizations for identification and verification of travelers
at border crossings.
In response to Homeland Security Presidential Directive 12,
NIST developed a standard to improve the identification and
authentication of Federal employees and contractors for access
to Federal facilities and IT systems. NIST is updating the
standard and guidelines to include optional use of iris images
for biometric authentication; use of facial images for
issuance, re-issuance, and verification processes; and
privacy-enhancing on-card comparison.
NIST leads the development of conformance tests for
implementations of national and international biometric
standards. In August of 2010, NIST released conformance tests
designed to test implementations of finger image and finger
minutiae biometric data interchange format specified in four
American national standards, and in 2011 we released
conformance tests designed to test implementations of the
international iris image data interchange format standard.
Understanding capabilities and improving performance of
biometric technologies requires a robust testing
infrastructure. For more than a decade, NIST has been
conducting large biometric technology challenge programs to
motivate the global biometric community to dramatically improve
the performance and interoperability of biometric systems,
foster standards of option and support global deployment, and
achieve an order of magnitude that are accuracy gains.
One example is the Iris Exchange, or IREX, testing program
initiated at NIST in support of an expanded marketplace of
iris-based applications based on standardized interoperable
iris imagery. The work is conducted in support of the ISO and
ANSI/NIST standards. The IREX III testing program evaluated
large-scale one-to-many iris identification algorithms.
The NSTC National Biometrics Challenge 2011 report included
key challenges to the future applications of biometrics
technologies, including research in the privacy and usability
of biometrics. For privacy, NIST is collaborating to advance
technical methods to safeguard and control the use of
biometrics through methods such as liveness detection and
biometric template protection.
Usability is a priority for deploying biometric systems
within the Federal Government. NIST was identified in a recent
National Academies report as one of only two organizations
addressing usability in biometric systems. NIST has applied its
usability expertise to several studies involving biometric
systems. As a result of one study, all of the fingerprint
standards at U.S. ports of entry are now angled to improve the
collection process.
In summary, NIST has a diverse portfolio of activities
supporting our Nation's biometric needs. With NIST's extensive
experience and broad array of expertise, both in its
laboratories and in collaboration with U.S. industry and with
other Government agencies, NIST is actively pursuing the
standards and measurement research necessary to deploy
interoperable, secure, reliable, and usable biometric systems.
Thank you for the opportunity to testify on NIST's
activities in biometrics, and I would be happy to answer any
questions that you may have.
[Prepared statement of Mr. Romine follows:]
[GRAPHIC] [TIFF OMITTED] T1804.001 through T1804.012
Mr. Mica. We will hold the questions, as I said.
We will turn next to Mr. Steven Martinez, Executive
Director of the Science and Technology Branch of the FBI.
Welcome, and you are recognized.
STATEMENT OF STEVEN MARTINEZ
Mr. Martinez. Good morning, Chairman Mica, Ranking Member
Connolly, and members of the subcommittee. I want to thank you
for the opportunity to appear before the committee today and
for your continued support of the men and women of the FBI.
I am pleased to describe for you today the FBI's experience
in using fingerprints as an effective identification biometric
so that you may consider it in the context of the issuance of
Government credentials.
While the FBI has developed deep expertise in a variety of
biometric modalities, the production of Government
identification cards beyond our own use for physical and
logical access control is not a primary area of direct FBI
responsibility.
The FBI uses fingerprints in two primary ways: in
conducting background checks and in criminal investigations. A
criminal history record, or rap sheet, is a catalog of
information taken from fingerprint submissions in connection
with arrests. All arrest data, including a criminal history
summary, is obtained from fingerprint submissions, disposition
reports, and other information submitted by agencies having
criminal justice responsibilities. The FBI also maintains a
civil file of fingerprints tied to biographical data collected
and submitted in matters of Federal employment, naturalization,
or military service.
Fingerprints recovered from evidence found at crime scenes
are processed through our Latent Print Operations Unit, or
LPOU, located at the FBI Laboratory in Quantico, Virginia.
These latent prints of unknown individuals are examined and
used to assist in criminal investigations.
The LPOU also uses fingerprints to assist in the
identification of victims from natural disasters and mass
fatalities. Such events include Hurricane Katrina, the Thailand
tsunami, the Oklahoma City bombing, and the attack on the USS
Cole, and, most recently, the 9/11 terrorist attacks and, of
course, it will be applied in the attacks in Boston.
Originally, fingerprint identification and matching were
performed manually by trained fingerprint examiners in a
laboratory. Today, through the use of computer technology, the
practice has evolved into a highly automated and reliable
process. For most of the past 14 years, more than 18,000 local,
State, tribal, Federal, and international partners have been
electronically submitting requests to the FBI's legacy
Integrated Automated Fingerprint Identification System, or
IAFIS, housed and maintained by the FBI's Criminal Justice
Information Services Division.
But with advances in technology, changing customer
requirements, and the growing demand for IAFIS services, the
FBI was compelled to create the Next Generation Identification
Program, or NGI, as we call it. With NGI, the FBI is
dramatically improving all of the major features of IAFIS,
including system flexibility, storage capacity, accuracy and
timeliness of responses, and interoperability with other
systems such as the biometric matching systems of the
Department of Homeland Security and the Department of Defense.
NGI is being developed and deployed incrementally. The
initial increment included the launch of the NGI Advanced
Fingerprint Identification Technology, or AFIT, in February
2011, which replaced less capable technology within IAFIS. This
enhancement provided increased processing capacity for sequence
checking and image comparison. It improved search accuracy,
provided a new validation algorithm for image quality, and it
improved flat print screening.
NGI's system accuracy is currently measured at 99.6 percent.
Prior to IAFIS, the FBI reported false matches to contributors
at a rate of approximately 1 of every 50 million searches.
There have been no known false matches since IAFIS went online,
with nearly one-half billion fingerprint checks conducted.
NGI's second increment, the Repository for Individuals of
Special Concern, or RISC, was completed in August of 2011. RISC
enables mobile access to law enforcement officers nationwide
through handheld devices that capture and submit fingerprints
of high interest individuals and search them against the
repository of wanted criminals, terrorists, and sex offenders.
As part of the third NGI increment, new capabilities in
relation to latent and palm prints, rapid DHS response, and
full infrastructure were completed and rolled out in May of
this year. U.S. Customs and Border Protection officials at some
ports of entry now have access to 10-second search of the
system's full criminal master file of biometric-based criminal
history information.
The fourth increment on schedule for delivery in June 2014
will complete the new system's functionality and will add two
new services: Rap Back and the Interstate Photo System. The Rap
Back Service will provide an ongoing status notification of any
change in criminal history reported to the FBI after an
individual's initial criminal history check and enrollment of
their fingerprints in our files.
The final increments of NGI will include an effort to
provide identification-based iris image checking, scheduled for
pilot deployment in 2013, with a focus on technology
refreshment as well.
Since automation through IAFIS, and now NGI, the FBI has
processed more than 456 million fingerprint submissions. The
current reject rate on these submissions is 3.77 percent, with
most rejections being due to poor image quality or an
inadequate accompanying documentation.
Strict quality control over the data enrolled in NGI, in
concert with state-of-the-art automation, is key to the
system's accuracy and speed. The FBI has long been a leader in
the development and use of biometrics, with much emphasis on
fingerprint technology. While fingerprints may be considered
the most common and widely biometric modality, the FBI is
actively evaluating emerging modalities, researching their
accuracy, reliability, and potential suitability for the use in
the lawful or constitutional performance of our mission.
This concludes my remarks, Chairman Mica, Ranking Member
Connolly. I thank you for this opportunity to discuss the FBI's
fingerprint and biometric programs, and I would be pleased to
answer any questions you might have.
[Prepared statement of Mr. Martinez follows:]
Mr. Mica. Thank you. As we said, we will hear from all the
witnesses.
We will hear from John Allen, who is the Director of Flight
Standards Service with FAA next. You are recognized. Welcome.
STATEMENT OF JOHN ALLEN
Mr. Allen. Good morning, Chairman Mica and Ranking Member
Mr. Connolly. Thank you for the opportunity to appear before
you today on the issue of incorporating biometric data into
pilot certificates.
The FAA has responsibility for issuing 23 different types
of airman certificates. In addition to pilot certificates,
these include certificates for mechanics, dispatchers,
parachute riggers, and air traffic controllers. The agency also
issues certificates for flight attendants. There are
approximately 837,000 active pilot certificate holders.
Historically, the primary function of these pilot
certificates was simply to document that its holder meets the
aeronautical knowledge and experience standards established for
both the certificate level and any associated ratings.
Although pilot certificates have not been intended for
identification verification purposes, the FAA has a long
history of responding to law enforcement interest in enhancing
airman certificates. Pursuant to the Drug Enforcement
Administration Act of 1988, for example, the FAA began the
process of phasing out paper certificates and replacing them
with security-enhanced plastic.
Since April 2010, all pilots have been required to have the
new plastic certificates, and holders of the remaining airman
certificate types, such as mechanics and dispatchers, were
required to have these plastic certificates by March 31st,
2013. These plastic certificates include tamper- and
counterfeit-resistant features such as micro printing, a
hologram, and a UV-sensitive layer.
Additionally, the FAA has taken other steps to meet law
enforcement concerns. Since 2002, the FAA has required pilots
to carry a valid Government issue photo ID, as well as a pilot
certificate, in order to exercise the privileges associated
with the certificate. This allows an FAA inspector or a fixed-
based operator that rents airplanes to confirm both the
individual's identity and his or her pilot credentials.
In 2004, Congress directed the FAA to develop tamper-
resistant pilot certificates that include a photograph of the
pilot and are capable of accommodating a digital photograph, a
biometric identifier, or any other unique identifier the FAA
administrator considers necessary. I want to emphasize the FAA
had already met some of these requirements when we began
issuing the tamper- and counterfeit-resistant certificates in
2003.
To address the remaining requirements, the FAA was required
to initiate a rulemaking. We did so in November 2010, and while
the agency was reviewing the hundreds of comments received on
that notice of proposed rulemaking, the FAA Modernization and
Reform Act of 2012 became law.
Section 321 of that Act requires that pilot certificates
not only contain photographs, but also be smart cards that can
accommodate iris and fingerprint biometrics, and are compliant
with specific standards for processing through security
checkpoints and to airport sterile areas. The FAA's NPRM did not
contemplate these additional features.
Because the Section 321 requirements were not within the
scope of the previous NPRM, the agency was required to initiate
another rulemaking in order to comply with the congressional
directives. Currently, we are developing a notice of proposed
rulemaking to issue smart card pilot certificates that can
accommodate a photograph and other biometric data.
In addition, we are analyzing the costs and benefits of
various alternatives to meet this statutory mandate. To justify
imposing a new cost on pilots, we must carefully consider the
benefits of improved pilot certificates, and if pilot
certificates with embedded biometrics are intended to permit
airport access or increased security, we must coordinate with
the Department of Homeland Security and TSA, who develop
standards for airport access and security.
Further, the FAA must coordinate our efforts with the
National Institute of Standards and Technology, which is in the
process of establishing standards for use of iris biometric
data. It is essential to identify and quantify the benefits of
biometric enhancements and work with other Federal agencies as
we move forward. The FAA must ensure we are not duplicating
effort or imposing an undue burden on the public. We must also
coordinate with airlines, industry trade associations, and
organizations representing individual pilots through the FAA's
aviation rulemaking committee process.
We are working hard to accomplish the goals outlined by
Congress and we are in the final stages of preparing a report
to Congress. We believe this report will assist Congress in
assessing the future use and inclusion of biometric data in
pilot certificates. We look forward to working with you and in
collaboration with other agencies as our efforts progress.
This concludes my prepared remarks. I will be happy to take
questions as you wish. Thank you.
[Prepared statement of Mr. Allen follows:]
Mr. Mica. We will get back to questions.
Ms. Colleen Manaher is the Executive Director of Planning,
Program Analysis, Evaluation with Customs and Border Patrol.
Welcome, and you are recognized.
STATEMENT OF COLLEEN MANAHER
Ms. Manaher. Good morning, Chairman Mica, Ranking Member
Connolly, and distinguished members of the Subcommittee. Thank
you for this opportunity to appear before you on behalf of the
dedicated men and women of the U.S. Customs and Border
Protection to discuss our Trusted Traveler Programs and the use
of biometric information to enhance the security of these
programs.
As the unified border security agency of the United States,
CBP is responsible for securing our Nation's borders, while
facilitating the flow of legitimate trade and travel that is
vital to our Nation's economy. CBP operates at more than 320
ports of entry and processes nearly 1 million travelers every
day as they enter the United States.
From 2009 to 2012, the volume of international air
travelers has increased by 12 percent and is projected to
increase 4 to 5 percent each year for the next five years. CBP
continues to address the security elements of its mission,
while meeting the challenges of increasing volumes of travel in
the land, air, and sea environments. We do this by implementing
multiple layers of security throughout the entire supply chain
of goods and throughout the entire transit sequence for people.
We accomplish our mission of expediting trade and travel by
separating the knowns from the unknowns. This risk-based
segmentation allows us to facilitate the entry of legitimate
trade and travel. Twenty million of these known documents have
been issued by DHS, our partners at the Department of State, by
four of our States, four provinces in Canada, and two U.S.
Native American tribes. By knowing the holder of these 20
million documents, CBP can focus its resources on travelers and
traders that are unknown, with the goal of stopping
illegitimate trade and travel.
I would like to share just a bit more detailed information
with you on DHS's flagship credentialing program, CBP's Trusted
Traveler Program, which had been essential to our risk-based
approach to expedite the flow of travelers into the United
States. It provides expedited processing upon arrival for pre-
approved, low-risk participants through the use of secure and
exclusive dedicated lanes and automated kiosks.
Our Trusted Traveler Program issues secure documents in
accordance with the best practices consistent with
international standards, applies rigorous biographic and
biometric vetting procedures, all of which increases our
confidence in a program that provides a secure service when
time is valuable. We simply know far more about these travelers
than anyone else.
CBP operates four Trusted Traveler Programs: SENTRI for our
land border crossings along the southern border; NEXUS for our
air, land, and marine environments along the northern border;
FAST for low-risk commercial carriers and truckers; and Global
Entry for our international air travelers.
SENTRI, the Secure Electronic Network for Travelers Rapid
Inspection Program was established in 1995 and has grown to
include over 20 vehicle lanes at the 12 largest southern border
crossings along the U.S.-Mexican border. SENTRI pedestrian
crossing is also available at several locations. SENTRI members
currently account for 14 percent of all cross-border traffic.
Approximately 58,000 travelers a day use the SENTRI lanes.
NEXUS is a partnership program between the United States
and Canada, and provides for the expedited travel for air,
land, and the marine environment along the northern border. A
NEXUS applicant also undergoes an interview conducted by
officers by both CBP and the Canada Border Services Agency.
NEXUS is the only CBP Trusted Traveler Program that requires
the collection and use of an iris scan for travelers wishing to
use the program at Canadian pre-clearance locations.
The Free and Secure Trade Program, FAST, is a commercial
clearance program for known motorist shipments entering the
United States from Canada and Mexico. FAST allows for expedited
processing for commercial carriers to include the truck driver.
Participation in FAST requires that every link in the supply
chain, from manufacturer to carrier to driver to importer be
certified under the Customs Trade Partnership Against
Terrorism, or CTPAT, program.
Global Entry is an expedited customs clearance program for
pre-approved, low-risk air travelers entering the United States
without routine CBP questioning, bypassing the regular passport
control queues and, instead, use an automated kiosk at over 34
designated airports, accounting for 98 percent of the arriving
international travelers.
Advanced technology is the critical element of the Trusted
Traveler Programs. In the land border environment, the
implementation of the Western Hemisphere Travel Initiative
involves a substantial technology investment that continues to
provide both facilitation and security benefits. Today, as a
result of that Initiative, more than 20 million RFID-enabled
technology documents have been issued. These documents
represent the ultimate in security feature, as they can be
verified electronically in real-time back to the issuing
authority to establish identity and citizenship. They also
reduce the average vehicle processing time by 20 percent.
RFID technology has also increased CBP's capability to query
national law enforcement databases, including the U.S.
Government's terrorist watch list. Today, CBP is able to
perform law enforcement queries for 97 percent of travelers at
the land border, compared to only 5 percent in 2005.
More than 1.9 million people, including 425,000 new members
this year, have enrolled in the Trusted Traveler Program. Fees
range from $50 to $122 for a five-year membership, which covers
the direct cost affiliated with these programs. The time and
resource savings for CBP are considerable. For example, as of
May 2013, Global Entry kiosks have been used 4.6 million times.
When that many passengers use Global Entry, it frees up the
equivalent of 18 CBP officers to focus on other mission-
critical work. The time savings are extended to travelers as
well. Global Entry has reduced wait times for members more than
70 percent, compared to the general process. More than 75
percent of the travelers using Global Entry are processed in
less than 5 minutes. In fiscal year 2012, the average NEXUS
vehicle processing time was only 20 seconds.
To counter the threat of terrorism, secure our borders,
while expeditiously facilitating travel and trade, CBP relies
on a balanced mix of professional law enforcement personnel,
advanced technologies, and innovative programs. CBP has made
significant progress in securing the borders through a multi-
layered approach using a variety of tools at our disposal.
We will continue to enhance and expand our Trusted Traveler
Program, which expedites the processing of known and low-risk
travelers as we focus our attention on the high-risk travelers.
We will remain vigilant and focus on building our approach to
position CBP's greatest capability to combat the greatest risks
that exist today.
Chairman Mica, Ranking Member Connolly, thank you for this
opportunity to testify about the work of CBP and our efforts.
Thank you.
[Prepared statement of Ms. Manaher follows:]
Mr. Mica. Thank you.
We will hear from our last witness on the panel, Brenda
Sprague, Deputy Assistant Secretary for Passport Services with
the Department of State.
STATEMENT OF BRENDA SPRAGUE
Ms. Sprague. Mr. Chairman, Ranking Member Connolly, and
distinguished members of the subcommittee, thank you for the
opportunity to testify today about the Department of State's
role in the U.S. ePassport and Passport Card programs.
I think we all agree the integrity of the U.S. passport is
essential to our national security and the protection of our
traveling citizens. We believe that issuing secure travel
documents to qualified citizens is a cornerstone of our
national mandate. In pursuit of this mandate, we have spent
years creating a physical passport with security features, a
photo biometric, and enhanced electronics that render a U.S.
passport virtually impossible to counterfeit.
We are proud of this achievement and we are not resting on
our laurels. We are well into the planning and development
process for the next generation passport.
Having a high quality physical document is not enough. It
is only in conjunction with our highly trained passport
adjudicators and fraud prevention managers that access to the
document remains secure.
Their attention to detail, specialized knowledge, and daily
commitment to excellence are central to our ongoing efforts to
ensure that only qualified U.S. citizens ever get the
opportunity to have and use a U.S. passport.
Passport adjudicators spend hours annually in mandated
training to make certain their skills are up to this monumental
task. We conduct systematic audits of our issuance to identify
errors in adjudication. We have also built anti-fraud tools
into the adjudication process to assist them in this endeavor.
Passports are issued based on a review of citizenship and
identity documents issued by Federal, State, and local
jurisdictions. Our ability to verify the accuracy and
authenticity of those documents is greatly enhanced by real-
time information sharing and cooperation with the issuing
agencies.
In the last six months, we have incorporated the FBI's NCIC
Supervised Release files and a real time Social Security check
into our front-end verification process. Additionally, we use
the National Law Enforcement Telecommunications System's
network to verify driver's licenses. We are working with State
vital record bureaus to encourage participation in a national
centralized database of birth and death records.
We believe data-sharing programs like these are essential
tools for verifying the identity and entitlement of passport
applicants, and we continue to pursue opportunities to expand
these efforts among Federal, State, and local agencies.
Biometrics provide for an additional level of security to
ensure that these documents are not fraudulently altered or
used. Using facial recognition, all photos submitted by
passport applicants worldwide are screened against the State
Department's extensive database of facial images to confirm
identity, as well as to detect fraudulent applications.
Since 2006, the ePassport has been in the vanguard of our
effort to improve border security. It is fully compliant with
the recommended specifications for machine-readable travel
documents of the International Civil Aviation Organization,
ICAO. It has printed biographical data protected with secure
laminate and many other security features to protect the
integrity of the document and deter counterfeiting.
The passport also contains an integrated circuit or chip.
The personal data stored on the chip is identical to the data
that is printed visually on the data page, including a digital
photo image of the passport bearer. A unique signature is
written to the chip, completing what we call the Public Key
Infrastructure, PKI, process. The chip is then locked so the
data can never be changed. The Department believes that the
various security features, combined with the use of PKI,
mitigates the risks associated with altering data from the book
or chip.
In July 2008, the Department of State began issuing
passport cards which incorporate vicinity read RFID technology.
These cards are designed to facilitate the frequent travel of
U.S. citizens living in border communities. With this
technology, CBP inspectors at U.S. land and seaports of entry
are able to verify the traveler's identity before the traveler
reaches the inspection station. The card has forensic security
features to guard against tampering and counterfeiting, and to
give CBP officers see and feel cues to verify the card.
To have the world's most secure travel documents requires
that we continually assess the security features and design of
the passport and passport card for potential vulnerabilities
and risks, and to incorporate new measures as technology
advances.
Thank you again for the opportunity to appear before you
today. I am happy to answer any questions you may have.
[Prepared statement of Ms. Sprague follows:]
Mr. Mica. Well, I thank the witnesses for their testimony
and now we will turn to questions.
First, Mr. Romine, welcome. I am sorry to see that your
predecessor has retired, who testified back in April several
years ago, what was it, 2011, that it would just be a matter of
months. You heard that testimony. How do you respond to her
testimony? And we swore her in, too. I think I did. Maybe I
didn't; maybe that was the problem. Ms. Furlani said, oh, yes.
Not one yes, but two yeses, that they would have that standard
for biometric iris.
Mr. Romine. Yes, sir. So thank you for the question. I know
Ms. Furlani very well and I can guarantee she had no intent to
deceive the subcommittee.
Mr. Mica. But that was April 14th, 2011.
Mr. Connolly, is today 2013? Is this June? What is the
date?
Mr. Connolly. June 19th.
Mr. Mica. June 19th.
What has happened?
Mr. Romine. Thank you for asking.
Mr. Mica. Your worst nightmare has come true, I am back and
chairing a committee with broad jurisdiction.
Mr. Romine. What I can tell you is that----
Mr. Mica. How long? What are you going to tell us? Where is
the iris standard?
Mr. Romine. Well, if I can expand a little bit first on the
testimony of Ms. Furlani. It was predicated, as she stated at
the time, on the assumption that no major technical hurdles
would surface.
Mr. Mica. My God, technical hurdles? We asked for this
after 2001, and they were working on it. This is to 2011. We
were promised it was, I mean, at least three times in three
different appearances, it was just around the corner. This is
2013. When? When, when, when can we get--I don't want to harass
the witness. Sir, please tell me when we can get this standard.
These people can't do a damned thing unless you set the
standard. That is what they are going to testify to when I go
after them in a minute.
Mr. Romine. During the public comment there were three
major technical issues.
Mr. Mica. Tell me the when. Is it an estimate? A month? A
week? Two more years? When can you set a standard?
Mr. Romine. We expect to be able to release the special
publication immediately after the workshop that we are holding
in early July. So on July 9th we will hold a workshop on a
camera certification, iris camera certification. Our
expectation is that we will be able to release the second
edition or the second version of Special Publication 876 at
that time, or immediately thereafter.
Mr. Mica. So say by September 1st these agencies should
have some standard to go by?
Mr. Romine. At the risk of repeating the mistake of a
predecessor in your view, I would say I am willing to agree
that that is an appropriate release time.
Mr. Mica. Mr. Connolly, if I die or you guys take over, do
you pledge to follow up on this?
Mr. Connolly. We don't want you to die, Mr. Chairman, but
we certainly want to take over, and I do make that pledge.
[Laughter.]
Mr. Mica. Okay.
Mr. Romine. We certainly want to be responsive to the
subcommittee's concerns.
Mr. Mica. Well, again, you just heard testimony. They are
producing documents to which we don't have dual biometrics. The
Canadians have had a system, I went to see it, since 2007; it
has both. I told Mr. Connolly I went to Amsterdam; I saw they
put the fingerprints, the iris, and they went through the
turnstile. But it is the only way you can absolutely confirm
the identity of that individual, according to the technology
that is available today. Is that pretty much correct?
Mr. Romine. I would not say that necessarily.
Mr. Mica. But, again, unless we have some check.
Now, Mr. Martinez, with the FBI, you do fingerprints.
Fingerprints can be tampered, can they not, sir?
Mr. Martinez. Yes. There are several examples of people who
have attempted to obscure or surgically alter their fingerprints.
Mr. Mica. Okay. So we are finished with you, Mr. Martinez.
You can go. No, just stay.
But, again, our best bet, we were told this after 2001, was
to have iris and fingerprint.
Mr. Allen, welcome. FAA. And we are still producing the
Wilbur and Orville Wright. You saw they are dead; I confirmed
it. And now you come before me and you testify. I just about
went out of the seat and over the podium to get you,
restraining myself, did not contemplate the use. We put it in
law that you would have a durable biometric with a photo of the
pilot. Never said anything about Wilbur and Orville. I never
put it in any law; it wasn't in the most recent 2012 law.
But you did not contemplate. Then you came before us today
and used the excuse of the law that redirected you to do what
we told you in the beginning as an excuse for not performing.
Is that right?
Mr. Allen. Yes, Mr. Chairman.
Mr. Mica. Oh, my God.
Mr. Connolly. Mr. Chairman, could I just clarify what I
just heard?
Mr. Mica. Yes.
Mr. Connolly. Mr. Allen, did you just testify under oath
confirming what the chairman asserted, that you used the law to
not comply?
Mr. Mica. He is using it as an excuse.
Mr. Connolly. But that was his question.
Mr. Mica. We put it in the law because they hadn't done it
in the beginning, and he says, well, and then he says we never
contemplated that this could be used for an ID. What the hell
were they going to use it for?
Mr. Connolly. I know.
Mr. Mica. You used it to get into the Regal theaters on
Friday night with a senior discount?
Mr. Connolly. Mr. Allen, I just wanted to make sure I
understood what you said because that is what you said, and I
want to give you the chance to either expand or clarify.
Mr. Allen. Thank you, Mr. Connolly. What I testified to was
that we already had a rulemaking process in place that was
meeting specific issues from that rulemaking and we received
another legislative requirement, and some aspects of that were
not identified in the earlier legislation.
So when you get into rulemaking and you got that thing
going in process and you are addressing those issues, it wasn't
addressing some of the things that were brought up in the
second legislation. That is what I was saying.
For instance, iris scan. The iris scan was not in the first
one; it is in the second one. So, consequently, the iris scan
was not entertained, was not being addressed in the first
rulemaking process, so now we have iris scan we have to
address.
Mr. Mica. I am taking back my time.
Biometric would include fingerprint and iris. That was in
the original law. Where is the original law? Doesn't the
original law that I passed say that, in fact, you would have to
have biometric capability?
Mr. Allen. Yes, sir, it says accommodating a digital
photograph, a biometric identifier. And there is some debate as
to whether it has to be an iris scan or it can be a fingerprint
or something like that. So, therefore, that first rulemaking
was not entertaining the iris scan.
Mr. Mica. And then you suddenly said you couldn't
contemplate it being used for security. Again, what were they
going to do with it?
Mr. Allen. Sir, as you know, and as my boss testified
earlier, this was originally for a license.
Mr. Mica. Well, again, I don't know how we could make it
any clearer that we are trying to get a pilot, and you don't
have to put the photograph on it, it could be embedded in it.
You would be better off telling me some standards hadn't been
set for that as an excuse.
But I am telling you this is highly frustrating, and I
expect, and we will haul you back in here, that we get a
pilot's license that meets the intent of the law, that can be
used, so a pilot who is going to the airport to get on a plane
to fly a commercial passenger aircraft, we know who that
individual is and we have some certainty of it, okay? We have
been lucky so far. And now they have a known pilot program. If
they get any more lanes at the airport of programs, there won't
be room for the passengers. We have, at least one airport,
probably a dozen different lanes now.
Ms. Manaher, I just described the Global Entry experience.
I don't mean to get personal in these hearings, but I had to
relay my wife's experience of not qualifying for pre-check, so
she goes to Global Entry, and then you produce a card the way
the form is set up that requests her name, and she ends up with
her maiden name on her passport, Ms. Sprague's passport, and
her middle name on the Global Entry card. Is she going to be
accepted by Sprague now?
Ms. Manaher. [Remarks made off microphone.]
Mr. Mica. Yes? Even though it doesn't match? Had anyone
given any thought to having the requirement even in the form
that the passport match the Global Entry?
Ms. Sprague. Colleen, it is your form.
Ms. Manaher. Sir, it is my understanding that is now fixed
for Mrs. Mica.
Mr. Mica. Oh, I don't care about Mrs. Mica.
Ms. Manaher. Oh, oh.
Mr. Mica. Don't tell her I said that.
[Laughter.]
Mr. Mica. I am just talking in general.
Mr. Connolly. I move that be stricken from the record.
[Laughter.]
Mr. Mica. Without objection, that is stricken from the
record.
I am talking about, again, it is a simple thing that your
form should, if you are producing all of these Global Entry
documents, that they should match the passport. Basic? Can we
look at that?
Ms. Manaher. Yes, of course, sir.
Mr. Mica. At least look at the form or something. And you
are very nice people and you are here, but when you get to that
agent that is responsible for checking the documents and they
don't match, I have seen people in tears at TSA lines because
their ticket doesn't match their ID exactly.
Have you given any contemplation to incorporating an iris
in the future, in addition to a fingerprint, on your documents?
Ms. Manaher. Yes, sir. As you know, our NEXUS program with
Canada we do use an iris, and I do believe that both iris and
facial recognition----
Mr. Mica. What standard are you using on the NEXUS for the
iris?
Ms. Manaher. It is the Canadian standard, sir.
Mr. Mica. Yay. How about if we put in law that we just
adopt the Canadian standard? They have had it since 2007. Have
you ever known an instance in which it has been thwarted?
Ms. Manaher. Not to my knowledge, sir.
Mr. Mica. So others have done this.
Is anyone familiar with the CLEAR program? We couldn't get
CLEAR to testify; they are terrified, and I don't blame them,
to come before a panel and actually tell us they have something
that works. Probably they would be stricken from the Federal
qualified vendor list.
Mr. Connolly, I will let you go at it a little while.
Mr. Connolly. Thank you, Mr. Chairman.
I think the frustration being expressed here is that it has
now been 12 years since the tragedy of 9/11 and we seem not to
have resolved this problem. We don't have a uniform standard;
we haven't agreed on whether the appropriate biometric
standards. We have spent a lot of money on an ID card that
doesn't work very well, even though there are examples within
the United States Government of ID cards that do work.
And even listening to all of you, if you flew in here from
some other place and didn't really know much about the subject,
it sounds a lot like stovepipe; well, I don't know what anyone
else is doing, but here is what the FBI is doing.
Ms. Manaher and Ms. Sprague, if there is a program that
ought to be cross-fertilized, it is Global Entry and the
passport. And yet I think they were developed separately. Is
that correct?
Ms. Manaher. We have a very close partnership with
Department of State, but, yes, they were developed separately.
But we used a similar international standard, sir.
Mr. Connolly. And, Ms. Sprague, what is the rationale for
developing these programs separately?
Ms. Sprague. The passport has a different purpose than
Global Entry. But I would note that your passport is the token
you use to activate Global Entry when you enter the United
States, so we are sharing that technology and that is the way
it works. But the Global Entry card is also used for TSA pre-
check.
Mr. Connolly. I understand. But understanding the overlap,
when they were developed, did these two agencies cooperate in
the development of the technology and in the statement of
needs, in the RFP or whatever it was?
Ms. Sprague. I don't know how formal the process was, but I
know in anything we do with the passport we invite Customs and
Border Protection, as well as ICE and the Government Printing
Office and others are involved in the development of all our
standards so that they all work. Our passports have to work
with what CBP is doing at the borders, so that is a constant
interchange daily that we are communicating on those standards
and the interoperability of our documents with their systems.
Mr. Connolly. Mr. Allen, you testified that the FAA hadn't
foreseen the use of iris as a biometric index or standard. Why
not? I mean, isn't this more than what the Congress explicitly
spells out? Isn't this somewhat what the FAA thinks we need to
protect the Country, and did that never come up and was it
rejected? Why wasn't that included?
Mr. Allen. Good question, Mr. Connolly. No, it wasn't
rejected outright, it just was not mature at the time, to meet
the requirement.
Mr. Connolly. I am sorry. You mean the technology was not?
Mr. Allen. Well, the iris scan technology and standards
were mature at the time, but this was back in 2004 for that
initial legislation, so we were looking at biometrics of the
proven fingerprints, a picture, and going down that path, and
then when we got this next legislation that suggested, or
actually required, iris scanning. Now we have to change course
and also find out what that standard is, and to accommodate
that extra biometric into a proposed license or a proposed
certificate.
Mr. Connolly. The chairman pointed out that the picture on
a pilot's license is that of Orville and Wilbur Wright. To vote
these days I need to produce a driver's license with my picture
on it. Not a very good picture in Virginia, I might add, but
that is a different matter. But why wouldn't we have airline
pilots' pictures on their own ID, rather than Orville and
Wilbur Wright?
Mr. Allen. We will get there. We intend to fully get there,
but we want to make sure that you don't come back and complain
about our program like you are complaining about the TWIC
program. There is a foundation we have to set in here and there
is a system behind this that we have to do smartly so that we
don't put or exercise an undue economic burden on pilots and we
do it smartly. We are learning a lot from the Global Entry
program, and as of today they do have to submit a picture ID
with their pilot's license, so there is actual verification--I
have a Virginia driver's license as well--that picture, that
they have----
Mr. Connolly. Did they make you take your glasses off?
Mr. Allen. Yes, sir, they did.
Mr. Connolly. And you couldn't smile?
Mr. Allen. No, I couldn't.
Mr. Connolly. Yes, I know.
Mr. Allen. So you do have that security right now. So we
believe we are going at it smartly and we are working with TSA
so we don't have stovepipe, as you suggested earlier, so that
we don't go out shooting from the hip and doing undue harm on
the public by requiring something that is not in concert with
other Government agencies, so we have some standardization.
I share your frustration as well. I have more cards,
including a military ID card. I understand what you are saying.
We understand the intent and we intend to meet that, but we
have to establish a good foundation now and set the system
behind it so that we don't have the public incur a financial
liability that they will push back on.
Mr. Connolly. Those are all good points. I think, however,
you might concede that I think to the public it will come as a
surprise to learn, 12 years after 9/11, we still don't really
have a photo ID requirement for the license itself. I think
that is somewhat shocking to the public.
Mr. Allen. Yes, sir, I would agree that that would look
shocking.
Mr. Connolly. All your points notwithstanding, because I
think we do want to get it right. But it has been 12 years.
When are we going to get it right?
Mr. Allen. Well, when we do the whole megillah. I mean,
just put a picture on there is one thing, but to put the
picture and biometrics and also to work with other Government
agencies to make sure we are congruent with them, to also work
with the public and the airlines and the pilots to help them
understand what the systems are. And we are not even talking
about the infrastructure out there that would be needed to put
in place for regulating access to secure areas of the airport.
There has to be due diligence.
Mr. Connolly. Well, let me ask you this, Mr. Allen. Even
before we get to the biometrics, your point is let's do it all
at once, and that is a good point. But if I purport to be a
pilot or if I am a pilot, as I am going through the system, am
I ever required, actually to get on the airplane, to show
somebody a photo ID?
Mr. Allen. Yes, sir, you are. You are required to do that.
Mr. Connolly. All right. So it is not like we are totally
ignoring that.
Mr. Allen. No, sir.
Mr. Connolly. The fact that it is not on the pilot's
license, per se, doesn't mean there isn't some sifting and
sorting in terms of verification and validation.
Mr. Allen. Yes.
Mr. Connolly. All right.
Mr. Romine, NIST is charged with trying to set a standard
so we do avoid the stovepipe Mr. Allen and I were just talking
about. Again, what one does not sense is that we, as a unified
Government, are seized with a mission here. Now, absent some
kind of effective biometric ID standard, you ask yourself what
could go wrong with that, the absence of that. And we all know;
we can all speculate on the answers to that.
Frankly, Ms. Furlani, maybe she meant well, maybe she
believed what she said. I am sure she did. But now she is not
accountable. So it is easy to reassure Congress and the public,
through its Congress, when you are on the brink of retirement
and you won't be the one testifying next time, poor Chuck is.
And I don't mean to suggest she did that deliberately, but I
will say to you it is a little troubling.
I mean, where does that end if everybody who comes here and
testifies on behalf of a Federal agency is watching the clock
in terms of I retire in two months, so I won't have to be back
here and explain myself. But why, two years later, two years
and two months later, actually what I gave assurances for did
not happen and we are not even within sight of it happening? So
I think that is the frustration you are hearing.
But are we seized with a mission? And how can we provide
guidance to Federal agencies, including your colleagues at this
table, through a robust, rigorous process and standard setting
by NIST on something so vital?
Mr. Romine. So you have keyed on exactly the right point.
First of all, I am happy to be accountable for this to this
subcommittee. I have told my staff I only have another 23 years
in this job. I have done two; 25 is my limit.
Mr. Connolly. You are not going to retire on us?
Mr. Romine. I will not retire anytime soon.
Mr. Mica. They are only in the second decade; we can get
him into the third.
[Laughter.]
Mr. Romine. But you have hit on it, which is this robust
process that NIST manages that is a process whereby we convene
the best technical experts, nationally and internationally. And
during that process in the iris case we received many comments,
but several of them were sufficiently of concern to us that we
feared that, unless we resolved them, it would derail our
ability to stand behind the iris standard, and those three are
the compression of the iris image and the size of the resulting
image, there were constraints on it, on how large it could be.
We wanted to be sure that that would still give us sufficient
comparability.
The second, the community had expressed some concern about
iris changes with age, and to avoid the potential of frequent
re-enrollment because of iris changes as people age, we wanted
to do the research necessary before we issued the guidelines.
And then the third was the camera certification that I
alluded to earlier, and not putting the Government in a
position of having vendors come in with claims about camera
capabilities that weren't backed up.
Those three things were of sufficient concern to us that we
have spent now, as you point out, a significant fraction of our
time resolving those issues. So we have been very active in
this space and I am pleased to report that in each case we have
had successful resolution. We have determined that the
compression level that we are required to adhere to for
interoperability with some of the identity cards that Federal
agencies are using is not an impediment.
We have done extensive research on a very large collection
of iris images that date as long as a decade with the same
individuals' images over a 10-year period, and we have
determined that change due to aging in iris is not an
impediment. That is a recent finding from our researchers. And
we have now put in place all of the tools that we need for
certification of the quality of iris cameras.
Mr. Connolly. Mr. Chairman, you have been most indulgent.
Just two more questions, if I may.
Mr. Mica. No, go right ahead.
Mr. Connolly. I assume part of the process is you are
looking at best practices, you are benchmarking with other
entities, other countries.
Mr. Romine. That is correct.
Mr. Connolly. The chairman, for example, mentioned
Amsterdam, so presumably you have looked at what they do.
Mr. Romine. We engage with the international community
broadly through the standards development process, yes.
Mr. Connolly. But hopefully we are going to adopt best
practices if we think they are best practices.
Mr. Romine. Absolutely.
Mr. Connolly. For example, Ms. Manaher's organization has
already adopted the Canadian best practices because they work.
Is that correct?
Mr. Romine. I believe that that decision was made as a
result of the fact that they wanted to move forward. Our
concern is we have to do the absolute best standards
development and coordination that we can do on behalf of the
Federal Government in the United States.
Mr. Connolly. I understand. But if you were to look at best
practices and discover, I don't know, the Cote d'Ivoire
standards are the best in the world and there is just no
beating that based on everything we know, why not adopt it?
Mr. Romine. That is our standards development process.
Mr. Connolly. Okay.
Mr. Romine. We engage the international communities.
Mr. Connolly. And the second question is and does NIST look
at what we are doing at Federal agencies to avoid the
stovepiping, to avoid the duplication of effort and to make
sure that in fact we are coordinating so that, for example,
where Global Entry leaves off the passport begins, or vice
versa, so that we are not creating two separate systems that
don't really synchronize?
Mr. Romine. Yes, in the sense that NIST, by statute and by
administration ruling, is the agency that is charged with
coordinating both the development and the adoption of
standards. Those standards are generally, again, by statute and
administration ruling, we engage the private sector. Most of
the standards development activity in the United States, unlike
other countries, is led by the private sector, with NIST as the
coordinating role on behalf of the Federal Government.
Mr. Connolly. But you are not a policeman. You don't have
the authority to tell the State Department you are not going to
issue that kind of passport because of X, Y, and Z.
Mr. Romine. That is correct.
Mr. Connolly. But can you be a clearinghouse to say--I am
just using the State Department as an example--gee, in our
research here is something you may want to look at; you don't
really want to do that, upon reflection, because here are the
problems that have occurred with that and oh, by the way,
country X has great experience you may want to look at because
that is a standard we are probably going to incorporate?
Mr. Romine. We do routinely engage with Federal agencies as
part of our role, and agencies have standards officials that
are attuned to the work that NIST is doing on their behalf and
on behalf of the Federal Government.
Mr. Connolly. But you do play that clearinghouse role?
Mr. Romine. We do play a role in coordination.
Clearinghouse, I am not sure. That conveys a sense in which we
are a gatekeeper, and I don't think we can, as you point out,
we don't have authority in this case.
Mr. Connolly. Well, I don't mean it as a gatekeeper, I mean
it as the compiler of sort of universal information.
Mr. Romine. Yes.
Mr. Connolly. The State Department hasn't got the time or
resources to look at best practices everywhere.
Mr. Romine. Yes.
Mr. Connolly. That is your job.
Mr. Romine. That is our role.
Mr. Connolly. Okay.
Mr. Chairman, thank you.
Mr. Mica. Thank you, Mr. Connolly. And if you want to
excuse yourself for that, I will finish up.
Well, it is interesting today to hear, first of all,
Customs and Border Patrol here actually has implemented the use
of iris and the Canadian standard.
Ms. Sprague, did they consult with you when they did that?
You say you guys work hand-in-glove?
Ms. Sprague. We were aware that they were moving ahead with
that program, but the border is the responsibility of Customs
and Border Protection, and if they choose to accept a document
or go in another direction, they certainly have the authority
to do so.
Mr. Mica. But they did consult with you? You do know they
are using that?
Ms. Sprague. Yes, we do.
Mr. Mica. Okay. Does your passport have the ability to
incorporate a biometric standard, both fingerprint and iris?
Ms. Sprague. Yes, it does.
Mr. Mica. It does? So when they set the standards, you have
the capability and the document could incorporate that?
Ms. Sprague. Yes, it does. But, if I can, the question, the
challenge will be the capture of that data. We have 113 million
passports that do not have a secondary biometric. We are
issuing about 13 million passports a year. We have to find a
way to capture that.
Mr. Mica. It would seem that you would start with renewals.
Now, when they issue a visa, does that have a biometric
capability embedded in the visa document itself?
Ms. Sprague. The visa document, when it is read at the
border, it points to the computer, which does have the match to
the fingerprint. So we have captured the fingerprint overseas.
Mr. Mica. And that can also be incorporated to include iris
in the future?
Ms. Sprague. It can be.
Mr. Mica. Okay. Because, again, if you look at most of the
instances where we are trying to identify folks, whether it is
issuing a visa from Nigeria or Yemen, or wherever, that we know
who is who and we can also track those people.
I did not know, and I asked staff to see if there is any
Federal agency. Mr. Martinez, are you aware of any Federal
agency or do you have any use of dual biometric iris, either
internally, or do you know of any agency that uses it, both
fingerprint and iris?
Mr. Martinez. I am not aware in the context of
credentialing. We have an iris pilot where we are looking at
iris as another identifier or a technology that we can use to
add to our identification file with fingerprints and other
data.
Mr. Mica. We are told the military does use some; I think
they use it for some access, and they have a system they have
agreed on. I think it is in Afghanistan, maybe some other post.
CIA, we didn't call them in, but I am sure they have some
sophisticated credentialing that is available.
Now, Mr. Romine, you had testified that you are getting
close, and I am holding you to maybe some time this summer. In
previous meetings, when we had your predecessor folks in
before, there was a panel or interagency group that met to
discuss these. Does that still exist, the standards?
Mr. Romine. Under the NSTC, the National Science Technology
Council, there was a biometrics and identity management
subcommittee, and I believe that is still active. But I can
double-check that.
Mr. Mica. That worries me, I believe that is still. Now, if
anybody, you should know because Mr. Connolly just talked about
stovepiping, and the only way we are not going to stovepipe it
is for people to be talking, meeting, discussing. When is the
last time the group met? Did you ever meet with them?
Mr. Romine. I have not met with them.
Mr. Mica. Are you in charge of setting the standard or
overseeing it?
Mr. Romine. I manage the laboratory.
Mr. Mica. And have you been at one of these meetings?
Mr. Romine. I haven't personally been.
Mr. Mica. Now I am really getting worried. Has anybody here
been to any of those meetings? No, Mr. Allen? Mr. Martinez, you
are the standards guy with FBI. Have you ever been to a
meeting? The interagency meeting where we sit down and discuss
the credentialing standards.
Mr. Martinez. That would be out of the responsibility of my
particular branch. I would probably have to defer to our
security division.
Mr. Mica. To see if somebody had been.
Ms. Sprague, anyone? Have you guys been to one lately?
Ms. Sprague. We attend a lot of meetings, but I don't know
that we ever attend that specific one.
Mr. Mica. Okay. I guess if I put it in law that they should
attend the meetings, that would be used as an excuse because we
didn't require that before, and it would set us back further.
How about guys getting together, Mr. Romine?
Mr. Romine. I am sorry?
Mr. Mica. Can we see if the subcommittee is activated?
Mr. Romine. Of course.
Mr. Mica. Who is in charge of the subcommittee, does anyone
know?
Mr. Romine. It is managed by the Office of Science and
Technology Policy at the White House.
Mr. Mica. Oh, okay. Just like IRS, it leads to the White
House. I am just kidding.
[Laughter.]
Mr. Connolly. I move that be stricken from the record
again.
Mr. Mica. All right, we will take that one too. We can have
a little humor at these meetings.
Well, we have to get people talking to each other. We have
to get the standards set. We spent billions. I had the staff
starting to count this. TWIC is half a billion by itself. Now,
because they don't have a reader, we haven't incorporated a
dual biometric, they are talking about just using it as an ID.
Pretty expensive ID card for the taxpayers to foot that.
We have 900,000 airport workers, Mr. Allen. No
standardization in identification and credentialing. No
biometric standard, right?
Canada has had it since 2007. Have you been to Canada, Mr.
Allen?
Mr. Allen. Yes, sir. I was in Ottawa about a month ago.
Mr. Mica. And did you see what they are doing?
Mr. Allen. I didn't go up there for that purpose, to see
what they are doing.
Mr. Mica. Well, that is not the question.
Mr. Allen. No, I didn't.
Mr. Mica. Can I talk to whatever his name is, and maybe we
can get you a trip up there to look at it? You should go see.
It is incredible, the credentialing. And they have within the
biometric ID, it has various levels of security clearance, so
airport workers can get in to certain parts; pilots can access
certain things; access to towers is limited within the
credentialing. It goes on and on. And it is replicable and,
obviously, if our good friends here from Customs and Border
Patrol could adopt their iris as a standard, I have never heard
of any thwarting of this system.
Do you ever look at other credentialing, Mr. Romine, in
other countries or systems?
Mr. Romine. We don't look specifically at credentialing so
much as we look at the standards.
Mr. Mica. The standards, right.
Mr. Romine. Yes.
Mr. Mica. You have never looked at the Canadian?
Mr. Romine. I am sure that we have.
Mr. Mica. You have? Okay. And obviously CLEAR, somebody
cleared CLEAR, because they are using iris and fingerprint, and
they are using it for travelers. No one is familiar with that
program? Did they ever come to you on the CLEAR program?
Mr. Romine. I am not aware of a direct engagement, but I
can follow up.
Mr. Mica. Again, Mr. Connolly said this looks like a lot of
stovepiping. But it doesn't appear that the communications are
that good on an interagency basis, and we do need to get a
standard in place. Any standard, too, would have to be
upgradable, wouldn't it, Mr. Romine?
Mr. Romine. That is correct.
Mr. Mica. I mean, since we started this thing in 2012, I
think it was when it first started, the technology has
dramatically changed, so the standard you set now, 2013, pray
to God some time this summer, might need to be upgraded
periodically.
Mr. Romine. That is correct.
Mr. Mica. But I guess the best way is just don't set
anything, so then we don't have to worry about it, and
everybody goes off in different directions. We spend billions
of taxpayer dollars and we leave ourselves at risk with all
kinds of credentialing that doesn't really meet the security
test.
Mr. Martinez, thanks so much for confirming that the one
biometric method that we have can be thwarted, so that makes me
feel good too, that the one biometric measure.
Mr. Allen, he testified to Mr. Connolly that we had three
requirements. The first one was that the document be durable.
Now, they met that one. They had trouble with the next two.
They never got to the bio, and then the photo, of course, that
is very complicated to get a photo of a pilot either embedded
or on the ID. So they are a third of the way there some decade
later. Very encouraging.
Any final remarks, Mr. Connolly?
Mr. Connolly. I look forward to the next hearing, Mr.
Chairman.
Mr. Mica. I think we will schedule it for this fall, just
to make certain that we follow up.
So I want to thank the witnesses for coming. I am hoping we
can make some better progress in the next hearing. We will
follow up. This is the first time I think we have ever brought
at least this many agencies together. We need DHS. We had them
in TWIC last time. Maybe we can get them all back and get a
report later this fall.
There being no further business before the Subcommittee on
Government Operations, this hearing is adjourned.
[Whereupon, at 11:04 a.m., the subcommittee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC] [TIFF OMITTED] T1804.044
[GRAPHIC] [TIFF OMITTED] T1804.045