Saturday, January 22, 2005

Booming Biometric Budgets Bane of DPS Boondoggle

If the Texas Department of Public Safety wants to play Big Brother, they have to figure out how to pay for it. The Texas Legislative Budget Board Staff Performance Review (go here to view the massive PDF file) evaluates funding options for the Texas Department of Public Safety push to add biometric identifiers to the information collected by DPS from drivers license and ID card applicants.
The Department of Public Safety has requested funding in fiscal years 2006 and 2007 for five homeland security related Exceptional Items ... an Emergency Vehicle Operations Course, an In-Car Computer Project, the Criminal Intelligence Bureau's Texas Security Alert and Analysis Center, a Driver's License Reengineering Project, and a Driver's License Image Verification System.
That last item, the "image verification system," is the euphemism for the drivers license biometrics proposal that went down in flames on a 111-26 vote during the 78th Texas Legislature. (I need to look into the specifics of this "Texas Security Alert and Analysis Center," too.) In 2003, DPS proposed that Texas drivers and ID card holders should be required to give up facial recognition data plus all ten fingerprints. LBB didn't mention the political controversy around the biometrics proposal, but merely discussed possible funding sources to pay for it.

DPS proposes spending $65.7 million total on these items -- $43.2 million from State Highway Fund 6, and $22.5 million in asset forfeiture funds the feds share from drug cases.

That said, LBB doesn't seem to envision DPS getting money for these "exceptional items" through the next Texas budget. Since 9/11, Texas' policy has been to pass through as much federal homeland security funding as possible to local government, but to fund DPS' proposals, that would probably have to change:
The state may retain up to 20 percent of National Homeland Security Grants for States and Urban Area Security Initiative Grants for its own purposes, as well as 3 percent for administration, for a total estimated amount of $54.6 million for the 2006-07 biennium. In fiscal year 2004, the Texas Engineering Extension Service distributed 98 percent of all National Homeland Security Grants for States to local jurisdictions.

The Department of Public Safety and the Texas Engineering Extension Service should examine whether homeland security related Exceptional Item requests for the 2006-07 biennium could be funded with Federal Funds.
Great Britain right now is debating the substance of how their own biometric ID system will work when they start putting that data on their proposed national ID card. Spy Blog has a fine post that shows how the ambitions of governement data collectors would moot any sensible budgetary limits. Vendor driven proposals are massively driving up costs. A commenter adds that costs for such a system might grow exponentially once it's in place, plus require massive ongoing investment to keep the databases useful and up to date. Bottom line, vendors' lobbyists, not security needs, are driving the train: "Thanks to the extra technical complexity which the Government is piling onto the scheme, Information Technology hardware, software and consultancy suppliers could potentially make a fortune."

Like Texas, the Brits hope to include not just facial recognition technology but all ten fingerprints and a variety of other identifying information in their smart card system. But the government's greed for so much data could doom the project. Here's the functional problem identified by Spy Blog:

You simply cannot fit

  • The digitised image of a "head and shoulders" photograph, to comply with the ICAO machine readable travel document standards
  • The facial recognition reference point "minutiae" maps of such a "head and shoulders" photograph,
  • The digitised fingerprint reference point "minutiae" maps of 10 fingers/thumbs
  • The two iris scan codes
  • The digitised image of a pen and ink handwritten signature
  • The speed/pressure reference point "minutiae" maps of digtal pressure pad and stylus signature
  • Any necessary smart card internal cryptographic checksums, digital signatures, certificate revocation lists etc.

into the standard 16Kb or 32Kb of tamper resistant memory of standard Smart Cards which are on the market from the likes of the market leaders such as Schlumberger/Ataxo or GEMPlus or Giesecke and Devrient (none of which are British companies).

It may not even be possible to do this with 64Kb or 128Kb Smart Cards.

Spy Blog predicts that the insistence on including so much data will create the same workability problems that have plagued the European Union biometric visas, which last month were deemed "not technically feasible."

I'll guarantee DPS hasn't worked out such problems yet -- they have to revamp their entire drivers license system to make it work, and haven't even started -- so the cost figures cited by LBB are almost certainly low-balled.

See more Grits coverage of biometrics issues here.

No comments: