Biometrics may scan air travelers

SAN FRANCISCO--Before he starts work every morning, Oscar Carranza waves to a guard, swipes a magnetized card through a computer, and places his hand in a biometric scanner that traces the contours of his palm and compares them to digital records in the airport's central office database.

The high-security ritual contrasts starkly with Carranza's low-tech job loading and unloading luggage from United planes at San Francisco International Airport. But Carranza, who has been a baggage service operator for two years, is happy to jump through extra security hoops.

"After September 11, this gives a little more peace of mind--for passengers and for workers," Carranza said as he pulled on his airport-issued neon-green vest and offered his palm to the scanner. "It takes this much security to make me feel secure these days."

Carranza's daily ritual may become a routine for millions of people.

Airlines and industry trade associations have launched a number of high-profile security experiments in recent months, and many are adding secondary security checks such as card readers and biometric devices--on top of security guards, X-ray machines and check-in attendants who require photo identification.

They were originally most bullish about using the new devices for airport workers, but they're considering the programs for business travelers, frequent fliers and other people motivated to speed through security checkpoints.

Although civil libertarians and privacy advocates decry such experiments as invasive, the Federal Aviation Administration, International Air Transport Association (IATA), airlines and other industry groups are carefully monitoring the 10-year-old program in San Francisco and newer experiments with an eye toward expansion. Meanwhile, businesses are rushing to build biometric devices and the vast amounts of microchips, screens and cameras they require.

Security experts say such inspections will be widespread within five years. Offering thumbprints, palm scans or iris checks will become "second nature" for anyone passing through an airport, said Richard Gritta, a professor of transportation and finance at the University of Portland in Oregon.

"This isn't a pipe dream at all," Gritta said. "It's the reality of where we're going. Airlines and passengers want tighter security, and there's less room for human error with biometrics."

Frequent-flier guinea pigs
One of the newest biometric experiments began in November in London's Heathrow Airport, where 2,000 frequent fliers on trans-Atlantic flights on Virgin Atlantic and British Airways agreed to have scans of their irises kept in a database as part of Heathrow's "Simplifying Passenger Travel" program.

Instead of waiting in all of the required security checkpoints, they file past a camera and, if approved, proceed faster to the gate. Officials at Washington's Dulles International Airport hope to launch a similar program in upcoming months, according to the IATA. Boston's Logan International Airport is also conducting a biometric experiment to identify people already in a database of known or suspected criminals or terrorists.

Gartner analyst Laura Behrens says it's unlikely that new identification technologies will result in airport security methods that are universally acceptable or effective. see commentary

Biometrics is the digital analysis using cameras or scanners of biological characteristics such as facial structure, fingerprints and iris patterns to match profiles to databases of people such as suspected terrorists. Some experts say face recognition is perhaps the most promising biometric technique for overcrowded airports because it relies on distant cameras to identify people--not finger scanners or other devices requiring people to click, touch or stand in a particular position.

Several airports adopted face-recognition software in an effort to beef up security after the suicide attacks on the World Trade Center and the Pentagon. In addition to Logan airport, Oakland International Airport in Oakland, Calif.; T.F. Green Airport in Providence, R.I.; and Fresno Yosemite International Airport in California installed identification technology to check passengers.

Earlier this year, the IATA started pushing the federal government to fund "smart cards" that contain embedded microchips for some travelers. The cards would contain an encoded biometric description of the cardholders, so when the card passed through a reader, a machine would verify that the card belonged to the person who presented it. JetBlue Airways already issues smart cards with embedded fingerprint information to employees who require access to airplanes.

But biometrics could gain traction fastest among frequent fliers. By asking people to volunteer for the program, the airlines wouldn't be infringing on privacy concerns of people who objected to biometric inspections. Some advocates say iris-scanning devices would save frequent fliers so much time that airlines could actually charge a fee--say, $50 per year--to customers whose time is extremely valuable.

"It was a matter of picking people who travel a lot and wanted the convenience of the program," said Wanda Warner, assistant director of the IATA's Washington office. "This started as a way to enhance convenience for the most frequent travelers. We used to think enhanced security was a great byproduct. Since September 11, security is the chief reason we're doing it, and convenience has become a great byproduct."

Few airlines would comment on their ongoing discussions about biometrics, but Southwest Airlines spokeswoman Beth Harbin said the low-cost operator might pass off the expense of biometrics or smart cards to customers who volunteer for the service.

"There'd be some small fee for the convenience to pass through the airport quickly," Harbin said. "The hope is that this would limit the field of passengers we'd have to stop for inspection."

The new biometric experiments are part of a larger emphasis on security in the wake of the terrorist attacks and news reports poking holes in national security systems. According to an article in USA Today earlier this week, Transportation Department Inspector General Kenneth Mead reported that human screeners at airports missed knives 70 percent of the time, guns 30 percent of the time and simulated explosives 60 percent of the time. Tests were conducted at 32 airports at the White House's request.

Push for "two-factor security"
Private industry has been quick to exploit the security breach.

One of the hottest buzz phrases has become "two-factor security," a decade-old concept in the intelligence industry that's catching on in corporate America. The idea is that one factor of security, such as password protection or biometric inspection, is not sufficient to protect a system from attack, and that most systems would be safer with a combination of factors.

Alan L. McCann, senior vice president and general manager of corporate marketing at Irvine, Calif.-based software security company Phoenix Technologies, said some industries, including finance and aviation, are even moving toward three-factor security. In addition to passwords and biometric inspection, they're requiring employees to use computers or other hardware that is directly connected to a central security system--so that if they report a computer or cell phone as stolen, a security officer will immediately be able to track the device once it's turned on.

"Three-factor security requires the user to present something he knows, such as a password; something he has, such as a piece of hardware; and something he is, such as a fingerprint or iris scan," McCann said. "It sounds tedious, but the reality is that people have to choose between freedom and security."

Jeff Katz, vice president of marketing worldwide for San Jose, Calif.-based semiconductor company Atmel, said orders have surged for non-volatile chips and secure microprocessors--the chips destined for smart cards and biometric readers.

"One idea popular now with the airlines is to take all of the airlines' frequent-flier clubs and instead of issuing plastic cards with their name on them, issue people smart cards so it will be simpler for those people to bypass security gates and reduce the lines for everybody else," Katz said. "Anybody who wishes to enroll could certainly apply and have their security checked."

But adding another layer of security--either biometrics or smart cards--would not be a panacea. With roughly 65,000 flights a day in the United States, no amount of technology can completely secure travelers from terrorism. Groups ranging from the American Civil Liberties Union to former security officers in private industry have complained that biometrics misidentifies some innocent people as criminals and lets other suspected or convicted criminals slip through security checks.

"It is abundantly clear that the security benefits of (face-recognition surveillance) would be minimal to nonexistent, for a very simple reason: The technology doesn't work," according to a recent report from the ACLU, citing a survey from the Department of Defense on the technology's high margin of error in pinpointing terrorists.

Harvey Burstein, a former FBI agent and security consultant and now the David B. Schulman professor of Security at Northeastern University in Boston, said human error would remain a factor even after the installation of biometric devices or a second factor of security.

"The thing that concerns me with biometrics or anything else is whether the people who are supposed to use the equipment use it properly," Burstein said. "How many times have we heard about people being evacuated from a terminal because the screening device wasn't working, then it turns out some idiot forgot to plug it in? Or someone could enter an error when putting information into a database of suspected criminals. It's a question of supervision and oversight of the people who are supposed to be doing the work."