You win some, you lose some

[Theophylact]

Biometric passports make things tough for false-cover operatives:

CIA’s Secret Fear: High-Tech Border Checks Will Blow Spies’ Cover

When Tom Cruise had to break into police headquarters in Minority Report, the futuristic crime thriller, he got past the iris scanners with ease: He just swapped out his eyeballs.

CIA agents may find that just a little beyond the call of duty. But meanwhile, they’ve got to come up with something else: The increasing deployment of iris scanners and biometric passports at worldwide airports, hotels and business headquarters, designed to catch terrorists and criminals, are playing havoc with operations that require CIA spies to travel under false identities.

Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a particular name. Likewise, the increasing use of biometric passports, which are embedded with microchips containing a person’s face, sex, fingerprints, date and place of birth, and other personal data, are increasingly replacing the old paper ones. For a clandestine field operative, flying under a false name could be a one-way ticket to a headquarters desk, since they’re irrevocably chained to whatever name and passport they used.

“If you go to one of those countries under an alias, you can’t go again under another name,” explains a career spook, who spoke on condition of anonymity because he remains an agency consultant. ”So it’s a one-time thing — one and done. The biometric data on your passport, and maybe your iris, too, has been linked forever to whatever name was on your passport the first time. You can’t show up again under a different name with the same data.”

The issue is exceedingly sensitive to agency operatives and intelligence officials, past and present. “I think you have finally found a topic I can’t talk about,” said Charles Faddis, a CIA operations officer who retired in 2008.

“I can’t help you with this,” added a former intelligence agency chief. “I do think this is a significant issue with great implications for the safety and security of our people, so I recommend you not publish anything on this. You can do a lot of harm and no good.”

Other former operatives would not even allow their polite refusals to comment to be quoted. The CIA, naturally, refused to comment for this story.

Read the whole thing. (Hat tip to Bruce Schneier.)

[Epidemic]

Wouldn't the US government have access to the database? wouldn't you simply change the database?

[Theophylact]

Wouldn't the US government have access to the database? wouldn't you simply change the database?

The database? How are you going to change, say, China's database? Your irises and fingerprints are in their system, and when you come in with a different name (and perhaps changed appearance) your biometrics will give you away.

[tony_j15]

Something as simple as printed contact lenses might fool an iris scanner. I'm sure some creative genius out there can come up with solutions.

With more and more data ending up online, hacking is replacing some spies, although I'm sure we'll always "need" spies.

[Epidemic]

The database? How are you going to change, say, China's database? Your irises and fingerprints are in their system, and when you come in with a different name (and perhaps changed appearance) your biometrics will give you away.

I kinda envisioned it being like this. They get a passport and they check it against a database in the USA. but I guess they can record the information they receive from the passport and keep it on file.

[Theophylact]

I kinda envisioned it being like this. They get a passport and they check it against a database in the USA. but I guess they can record the information they receive from the passport and keep it on file.

No, they get the biometrics directly from you: "Press finger here, please. Now look into this eyepiece. Thank you. Please wait while we check our database."

[pickel]

Not for me I'm NOT leaving the Good Ole USA or even going west of the Mississippi ( There be Strange Folks in them there Parts !!!!!)

[Epidemic]

No, they get the biometrics directly from you: "Press finger here, please. Now look into this eyepiece. Thank you. Please wait while we check our database."

They collect the biometric data from you and compare it to a database. Where is that database?

I am sure they store it locally after your first vistit. But is the normal process to check the local database or go back to the database where the passport was created?

With spying in mind they may well store it locally. But it also depends on how they use the database.

do they do a comparison based upon the biometrics like a fingerprint analysis... I doubt it because it takes hours to look through the FBI fingerprint database. So my guess is that they search on a name and compare that to the information on file.

There are a heluva lot of Joe Smiths out there.

To do analysis against all of the biometric data of all travelers past and present would not sound like a practical airport check. What do you think?


how would I get busted in the 30 to 40 seconds I am being screened if my country changed my data in the american database and assigned me a new name? I guess you could have a smaller suspect database that you screen against suspect agents.

Or have things progressed to the point where reverse biometric analysis could be done in seconds? To me it sounds a little like Jack Bower's super smart phone and Abby's ability to recover DNA match in seconds.

[MTAtech]

It's easy to sneak into a country, just disguise yourself as cocaine.

[tony_j15]

They collect the biometric data from you and compare it to a database. Where is that database?

In whatever country you visit. Going to China? China has its own database. Going to Israel? Israel has its own database. These things are localized because each country has its own rules about who they let in and who will get flagged. It would be near-impossible to create a centralized database.

I am sure they store it locally after your first vistit. But is the normal process to check the local database or go back to the database where the passport was created?

Of course a country is going to check against their own database! It would be stupid not to. "Hmm. This guy might be a spy. Let's look him up using the US's database. Oh, nope, he's good. Welcome to Iran, sir. Enjoy your tour of our nuclear facilities."

do they do a comparison based upon the biometrics like a fingerprint analysis... I doubt it because it takes hours to look through the FBI fingerprint database. So my guess is that they search on a name and compare that to the information on file.

They don't have to "google" the name. A lot of passports these days have RFID chips with a unique code tied in. Swipe the passport, the information comes up. Just like that bar code or magnetic swipe strip on the back of your driver's license.

Or have things progressed to the point where reverse biometric analysis could be done in seconds? To me it sounds a little like Jack Bower's super smart phone and Abby's ability to recover DNA match in seconds.

Considering business grade laptops often have a fingerprint scanner built in, I'd say the technology is definitely there.

[Epidemic]

In whatever country you visit. Going to China? China has its own database. Going to Israel? Israel has its own database. These things are localized because each country has its own rules about who they let in and who will get flagged. It would be near-impossible to create a centralized database.

the centralize database is already kept in the USA it is used to validate that the person is not using a false passport.

Of course a country is going to check against their own database! It would be stupid not to. "Hmm. This guy might be a spy. Let's look him up using the US's database. Oh, nope, he's good. Welcome to Iran, sir. Enjoy your tour of our nuclear facilities."

I understand that the database can be kept locally but do do a reverse biometric scan. if someone comes in with a new name and false passport with biometric data properly coded. you are going to verify it against the country of origin (I would guess) If you wanted to find a spook, you would have to do a reverse lookup where you would compare individual biometric data against a database you had compiled. From what i have seen it is a somewhat slow process for police to scan the database of fingerprints just to get a match.

They don't have to "google" the name. A lot of passports these days have RFID chips with a unique code tied in. Swipe the passport, the information comes up. Just like that bar code or magnetic swipe strip on the back of your driver's license.

The RFID chip will only provide the information it is encoded with. A spy will have a valid passport with valid information. Again requiring that you reverse look up to see if someone else in the past has come through with a different name. My only reference is the fingerprint database. a slow process when looking for criminals. I would think the volume of travelers would be even larger than the criminal fingerprint database.

Considering business grade laptops often have a fingerprint scanner built in, I'd say the technology is definitely there.

Again I am not talking about the process of collecting the fingerprints. That is not hard at all. But comparing it to every other fingerprint in a growing database that grows with each person who visits your country. Might be a monumental data processing task. Taking hours or days?

IAFIS takes has 70,000,000 criminal prints 27 Minutes not bad.

For the USA that is about 50,000,000 tourists visiting the USA each year. in two years we might collect more data then in all the years IAFIS has been running.

27 minutes might be of a long hold up at customs. would that time double the second year?

[tony_j15]

You keep on saying "the database". There is no singular database. Each country has their own database. Information is not shared between databases. You don't verify against other databases for the reason I explained earlier.

[Epidemic]

I keep saying the database because there is a database in each case.

The Database (China's X million visitors per year) X (the number of years it is in service) X (Scan time per record) = how long a search takes.

Currently IAFIS takes 27 minutes to scan a fingerprint against 70 million records.

They may have better computers or worse ones, efficeint queries or inefficient ones but in the end scanning an X point fingersprint scan and Y point retinal scan will take time.

Being that they have no record of the person the first time means they will assumably verify the passport throught the US database where they will key on the name and personal information and come up with an instant record for verification. If you do an unkeyed search like retinal scan and do a reverse lookup it will take substantially longer.

I don't know if this is a problem but on the surface it would seem as if a person with government falsified papers would take possibly hours to identify if they have a multi million person database.




you say information is not shared? Perhaps but when you come in with a passport containing biometric data you are saying that there is no verification that said passport is valid? No verification that Tom Jones with brown hair, and a 10 point fingerprint record matches Tom jones on file? Well then I obviously am confused as to the process. Quite possible.




I figured it worked like this.

You arrive in China, they scan your passport and it comes back with the correct checksum as verified by US database. China then records the biometric data at the point of entry and keeps a record in their database.

Next time you arrive (some 50 million passports later) with a government issue falsified passport they verify the passports legitimacy, and scan your biometrics and check it against their database year 2, and 27 minutes later it comes back with a record of you visiting before under a different passport/identity. Year 3 the database now contains 100million records year four 150 million records.

it just sounds like a monumental task to take analog fingerprint and retinal scan and parse through a giant and growing databse for a match.

I don't claim to know how it works but that is how I assumed it to work.