How to solve the INS problem of letting the wrong people into the US

Steve Kirsch
stk@propel.com
408-571-6317

I hear government officials talk about using technology from Silicon Valley to prevent a 9/11 repeat. But the single most important technology for stopping known terrorists isn't from Silicon Valley at all.

I'd like to suggest a very important problem that we should put a high priority on solving, because we have the technology available to solve it completely and immediately. In fact, Canada has committed to using iris scans for its immigration (see the Computerworld story about the 8 largest airports in Canada using iris scans), and iris recognition is in use at some US airports today (see www.iridiantech.com).

Here are a few problems that we have that we can solve today:

Suppose the FBI has just determined that whoever presented a California driver's license with the name "Steven T Kirsch" on it 3 months ago at the San Jose airport is a terrorist. We want to stop this person from getting on another plane even if he presents a different phony ID next time. How can we do that with 100% accuracy?

We want to ensure that anyone who has been convicted of a felony after Jan 1, 2003 can't work as a security officer in a US airport, even if they change their name. How can we do an instant check for this when it takes as long as 6 months to get a fingerprint match back from the FBI?

How can a regular employer (including private security firms!) who wants to hire people they can trust do a background check when it takes 6 months to get fingerprints back from the FBI?

It may surprise you to learn that we can do all of this without requiring a "national ID" or a new form of ID card. We can use existing driver's licenses or passports or even a major credit card (any ID where the number is machine readable). Even if you forgot your ID card and left it at home, the system is still just as accurate. In fact, we can stop our wanted suspect with 100% accuracy without requiring that person to present an ID card of any type at the airport. It even works if the person presents a phony ID. He's still caught. But how?

60 Minutes on March 10 aired a story which pointed out that:

  • the INS systems are often down
  • we don't stop the people who should be stopped

In addition we know that:

  • people can enter with phony passports to escape detection/capture
  • a large number of workers at our local Bay Area airports had criminal backgrounds
  • it takes up to 6 months to get a fingerprint check back from the FBI

We have the technology today to solve all of these problems. We can create a system that

  • NEVER goes down (dual redundancy with cold standby)
  • it cannot be fooled; stops anyone we want to stop guaranteed 100%, even if they are using any form of phony ID or traveling under an alias. The only restriction is that we know just one of the IDs the person used in the past. So someone cannot change their identity to escape detection.
  • the ID check is made in a fraction of 1 second
  • does not require the use of smart cards, cards with fingerprints, etc.
  • does not require the creation of a new ID card
  • it works with existing forms of ID including driver's licenses, credit cards, passports; it works with any ID card that has a number that can be read by machine; you can even ID someone if they forgot their ID
  • it is not subject to human error
  • the more ID cards a person uses to identify themselves, the more we know about them (since our system will realize these are all the same person whereas existing systems are more likely to treat each ID as distinct, e.g., most systems can't tell that my driver's license and my credit card are from the same person)

How it works

The core of the idea is to tie iris code information to an existing ID at an "enrollment station." This is done once. Then, for authentication, a user presents his ID and his iris. The match takes less than 1/1000 of a second and is completely foolproof. 

Here are the details:

  • Traveler walks up to enrollment station to enroll his ID and iris. Acceptable IDs are US driver's license or Passport. In fact, we can choose to allow a wide variety of IDs because any existing machine readable ID will do. We can even accept a major credit card as the registered ID! The traveler can enroll as many ID cards as he wants just by inserting them in the machine (just like swiping your card in the ATM slot). His iris information is scanned at the same time and stored in a database along with the ID card. We do not require that we store the person's name in the database.
  • The enrollment machine has two very important functions:
    • It is connected to the Internet at 28.8 dialup or better
    • It has specialized hardware to scan the person's iris
  • We now have a bunch of ID cards that are all tied to the same iris code. This is critically important because the iris code is the only practical biometric that prevents duplicate registrations: using a modification of the matching algorithm that I invented, we can do an iris match against a database of billions of irises in less than a second and determine whether that iris has been entered into the system before with no chance of a false match. This is because iris codes have approximately 255 degrees of freedom; they are more unique than a DNA match. No two people will ever have the same iris until the end of time. Unlike with any other biometric, there has never been a false positive iris identification.
  • Unlike with any other biometric, by using iris codes, we can resolve any "aliases" to the same person. For example, if I register with a MasterCard with "john doe" today and then come back and enroll a Visa card from "steve kirsch" and tell the system I am a new user, the system will spot the deception and link up the two cards because I presented the same iris code. The unique feature that iris code technology enables is that a single person cannot have more than one entry in the database.
  • In order to pass through airport security, you choose any one of the enrolled cards and insert it in a reader and look into the iris scanner for under 1 second. We use this card to lookup the enrolled iris code and compare it with the current person. If they match, and there is no "detain this person" noted on the record, the person is allowed to pass. 
  • So now if we wanted to arrest every person that traveled on United Airlines flight 813 on May 12, 2000, we could do that with 100% certainty if they ever tried to travel again, regardless of whether they enrolled a new or fraudulent ID.
  • If police want to stop someone, they would enter the information from any one of the enrolled cards (such as my driver's license number) into the system, and the person would be flagged to be detained. This is data that would be entered into the airline's system, for example, to identify the passenger. But the airline does NOT have a database of iris codes.
  • Personal privacy is maintained because the database that is used consists of iris codes and driver's license or passport numbers. That's useless to anyone. It has no names and cannot be used for identity theft, etc. However, if a person voluntarily chooses to enter a second piece of ID, then the database would have an association between the two numbers which might be semi-useful to someone, e.g., if they knew your passport #, they could find out your driver's license or vice versa.
  • A person may choose to "register" all of his ID cards. To do this, he doesn't need to have his iris scanned again. He just swipes any previously registered card (such as his driver's license), and then swipes every credit card and ID card he has. These cards will then all be linked to the same iris information as the registered card. Thereafter, all of these cards will be useless to anyone but the real owner for confirming ID. 
  • A simpler version of the above method is just to use a "federal stop list" of iris codes. So when people are arrested or convicted, we enter their iris code in a federal database. If we want to prevent them from boarding a plane, we just put their iris in the "stop list". Each passenger is then scanned to see if their iris code matches the stop list. This keeps the database size very small and there is no privacy issue whatsoever. No cards or enrollments are required, just iris scanners at airports. This might be a nice way to start.
  • For blind people with no iris who travel, you require a passport and an alternate biometric such as facial geometry. This is subject to duplicate enrollment, so if there is a match on enrollment, a human would have to resolve the ambiguity. This is a much smaller database, so the problem is more manageable.
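
The enrollment, alias linking and checkpoint lookup described in the list above, as an added Python example that is not code from the original page. The linear scan, the fractional Hamming-distance comparison and the 0.32 threshold are assumptions standing in for the faster matching technique the page mentions; the class and function names, the card numbers and the iris codes are constructed for illustration.

```python
import random

THRESHOLD = 0.32  # assumed cut-off on the fraction of differing bits

def same_eye(a: bytes, b: bytes) -> bool:
    # Fractional Hamming distance between two equal-length iris codes.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a)) < THRESHOLD

class IrisRegistry:
    def __init__(self):
        self.people = []   # one record per iris: {"iris": bytes, "detain": bool}
        self.by_card = {}  # card number -> index into self.people

    def _find(self, iris):
        # Assumed linear scan, standing in for the page's fast lookup.
        matches = (i for i, p in enumerate(self.people) if same_eye(p["iris"], iris))
        return next(matches, None)

    def enroll(self, card, iris):
        """Tie a card to an iris; one iris never gets a second record."""
        i, owner = self._find(iris), self.by_card.get(card)
        if owner is not None and owner != i:
            raise ValueError("card already enrolled to a different iris")
        if i is None:
            self.people.append({"iris": iris, "detain": False})
            i = len(self.people) - 1
        self.by_card[card] = i
        return i

    def flag(self, card):  # police know only one of the person's cards
        self.people[self.by_card[card]]["detain"] = True

    def check(self, card, iris):  # checkpoint: presented card plus live scan
        i = self.by_card.get(card)
        if i is None:
            return "unknown card"
        if not same_eye(self.people[i]["iris"], iris):
            return "mismatch"
        return "detain" if self.people[i]["detain"] else "pass"

def demo():
    rng = random.Random(7)  # constructed sample iris codes, 512 bytes each
    alice, bob = (bytes(rng.getrandbits(8) for _ in range(512)) for _ in range(2))
    rescan = bytes(b ^ 1 for b in alice[:64]) + alice[64:]  # noisy second capture
    reg = IrisRegistry()
    same = reg.enroll("DL-0001", alice) == reg.enroll("CARD-0002", rescan)
    reg.enroll("PP-0003", bob)
    reg.flag("DL-0001")
    return (same, reg.check("CARD-0002", rescan),
            reg.check("PP-0003", bob), reg.check("PP-0003", alice))
```

Flagging the driver's license causes the second card, enrolled later as if by a new user, to return "detain", because both cards resolve to the same iris record.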

There are three key technologies you need to be able to do this cost effectively (under $10M one time investment in hardware). All three are available to us (or can be made available) immediately:

  • Technique to do an iris match in a database of 200M iris codes in under 1 second and do at least 1,000 matches per second. I've disclosed this technique to Iridian who verified it would work. This is 1,000 times faster than today's methods.
  • High speed client-server communications to millions of nodes. This is pretty widely available, but Propel has an extremely high performance server that makes this very easy to program.
  • The basic hardware and software to do iris coding, enrollment, and matching has been around for years. Canada will be using this for their immigration.

Costs

Cheap iris scanners are under $200 in single unit quantities. However, for high volume, I'd recommend the LuckyGoldstar scanners available from Iridian Technologies which cost $2K for the camera plus video card in volumes of 10,000. The total cost here depends on the total number of scanning stations installed. You'd want one at security and at each gate.

The computers housing the iris codes for lookup can be just a few machines running Netscape LDAP server (which supports multi-mastering). Price is very negotiable. If they charge you more than $2M, it would be cheaper to use OpenLDAP and write your own multi-mastering.

The computers doing the iris lookup for enrollment are where the expense is. You can put 1M iris codes on each computer (with 2G of RAM). The iris codes are 512 bytes each; the rest of RAM is filled with fast lookup hash tables to enable the ultrafast comparisons. So 100M unique registered travelers would require only 100 computers or $200K in computer expense. You'd want double redundancy in case a machine crashed, so you'd need $400K in computer expense (plus a few cold standby spares). 

Magnetic stripe readers are very cheap.

Computers to hook the iris scanner and mag stripe scanner to are $1K.

To develop all the software to do this would cost $4M.

More details

San Jose blue ribbon - iris ID
A different variation on the same idea.

Presentation for San Jose blue ribbon committee
PowerPoint presentation of this web page; a slightly different variation of it.

Steve Kirsch Political Home Page
