December,
1997
James
L. Wayman
Biometric Identification Research Director
College of Engineering
San Jose State University
Prepared under FHWA CONTRACT DTFH61-95-C-00165
0.
EXECUTIVE SUMMARY
0.1
Introduction
In
October, 1995, the Federal Highway Administration (FHWA) contracted
with San Jose State University to develop biometric identification
standards for possible use with the Commercial Driver's Licensing
Information System (CDLIS). This project was in response to the 1988
Congressional mandate of the Truck and Bus Safety and Regulatory
Reform Act (TBSRRA) (Public Law 100-690, Section 9105) for the
development of "minimum uniform standards for a biometric
identification system to ensure identification of operators of
commercial motor vehicles." It follows significant earlier FHWA
studies of biometrics, including a 1990 project by the California
Department of Motor Vehicles and the Orkand Corporation which
investigated the use of fingerprinting and retinal scanning for
identifying commercial drivers. The intent of the 1988 legislation was
to promote enforcement of the "one-driver, one-license,
one-record" provision of the 1986 Commercial Motor Vehicle Safety
Act (CMVSA). It is our intent that the acceptance of this report will
place the Secretary of Transportation in immediate compliance with the
1988 TBSRRA legislation mandating biometric standards development for
the identification of commercial drivers. It is not the role of this
study to advocate the creation of a biometric system implementing
these standards for use in the identification of commercial drivers.
0.2 The Purpose
of the System
Based
on our analysis of the House Committee on Surface Transportation
Hearings (September, 1987) which lead to the introduction and passage
of P.L. 100-690, Section 9105, we believe that the primary intent of
Congress was to provide a method of enforcement of the provision in
the CMVSA prohibiting the holding of multiple commercial licenses by a
single driver. We believe that a secondary intent may have been the
detection of counterfeit licenses. In the 9 years since the passage of
the TBSRRA, a new problem, that of the fraudulent issuance of a single
license to multiple drivers, has surfaced. We believe that a biometric
system for the identification of commercial drivers could be an
effective means of addressing all of these problems.
We
do not believe that Section 9105 limits the development of standards
to a predetermined biometric technology, nor do we believe Section
9105 extends to any application beyond commercial drivers licensing.
Consequently, this study considered all commercially available
biometric technologies for application only to the identification of
commercial motor vehicle operators.
0.3 Work Plan
The work plan
consisted of the following:
-
Review the
legislative and research history of this project;
-
Review all
currently available biometric identification methods;
-
Review and
revise, as necessary, the 1988 Multi-State Steering Committee
functional requirements;
-
Establish a
methodology for selecting a technology;
-
Select
candidate technologies;
-
Determine,
for candidate technologies, which standards exist and which need
to be developed;
-
Propose
standards for the candidate technologies;
-
Outline a
biometric identification system for use with commercial drivers;
-
Perform a
rudimentary benefit-cost analysis on the proposed system.
0.4 Technology
Selection
We determined
that any candidate technology must meet three criteria:
1) be claimed
by vendors to support all of the required applications.
2) have been
used previously in a similar large-scale application for which an
independent performance/cost audit is available indicating that the
revised functional requirements can be met.
3) be
available from multiple vendors supporting a single image
collection, compression and storage standard.
We
found that the only technology currently meeting all three of these
requirements is electronic fingerprinting. We anticipate no change in
this situation over the next decade. We believe electronic
fingerprinting to be a fully mature technology, capable of meeting the
revised AAMVA functional requirements. Further , we find no technical
justification for combining fingerprinting with any other biometric
technology
0.5 Standards
Development
Standards
are required if a biometric identification system is to operate
between states or on a national level. Three standards developed by
the Federal Bureau of Investigation (FBI), the American National
Standards Institute (ANSI) and the National Institute of Standards and
Technology (NIST) currently apply to the use of fingerprinting in
large-scale identification applications: the ANSI/NIST Data Format for
the Interchange of Fingerprint Information; the FBI's Integrated
Automatic Fingerprint Identification System (IAFIS) Image Quality
Specification for Scanners; and the FBI's Wavelet Scalar Quantization
(WSQ) Gray-scale Fingerprint Image Compression Specification.
These
standards were created for "forensic" (criminal
investigation) Automatic Fingerprint Identification Systems (AFIS)
and, although forming an extremely useful point of departure, cannot
be adopted for our use with commercial drivers without extensive
review. The primary purpose of forensic systems is to allow the
matching of partial "latent" prints, as left at a crime
scene, with previously sampled prints from a criminal population,
usually rolled onto inked "ten-print" cards. The emphasis is
toward identifying every possible candidate print, even if
intervention by human experts is required.
In
"civilian" (non-forensic) applications, the emphasis is on
identifying matches without human intervention and only when the
evidence is conclusive, even at the cost of occasionally missing a
possible candidate. Only full prints acquired from one or two fingers
placed directly on an electronic imaging scanner, not latents, are
used, and human intervention occurs only when the computer match on
all prints is so conclusive as to constitute evidence of willful
fraud.
There
are at least four standards required for the application of
fingerprinting to commercial drivers:
-
Finger
selection
-
Image quality
-
Compression
method and ratio
-
Data format
If
one application of the biometric system is to be "roadside"
identification of the commercial driver, the fingerprint must either
be placed on the driver's licensing document or be available using
"real-time" electronic transfer from a centralized database.
We believe that the placement of the biometric on the licensing
document is not secure against professional counterfeiting, even if
encryption is used. Consequently, "roadside" applications
will require "roadside" data transmission capability.
Interstate applications of "roadside" identification will
require the development of a fifth standard, one for "feature
extraction."
This
report only proposes to the Federal Highway Administration reasonable
standards such that the Secretary of Transportation will be in
compliance with Section 9105 of the TBSRRA. We suggest that the
adoption of such standards be done by the American Association of
Motor Vehicle Administrators (AAMVA) through their "best
practices" procedures, with any modifications as required.
0.5.1 Finger
Selection
In
May of 1997, seven states collected fingerprints for actual or
possible use in their driver's licensing programs. California, Alabama
and Hawaii collected right thumbprints. Florida collected left
thumbprints. Texas collected both thumbs. Colorado used the right
forefinger. Georgia collected both forefingers. As of this writing
(October, 1997), both Florida and Alabama have suspended their
fingerprint collection efforts.
While
it is clear from our study that large-scale identification systems
require two fingers, there is no clear choice of which fingers should
be used. Thumbs are larger and contain more information. Forefingers
are easier to present (ergonomically) and are slightly more varied
across the population. We have no scientifically-based information
regarding error rate differences among fingers.
Some
people, those in social service work for instance, have suggested that
the act of fingerprinting a thumb carries a connotation of
criminality. For this reason, social service systems universally use
forefingers. For technical reasons related to expected false match
error rate as discussed in this report, the CDLIS application will
require two prints to avoid "candidate lists" (false
matches) when matching fingerprints across the current database of 8.5
million licensed commercial drivers. Such candidate lists require
human intervention in the decision process and can severely impact the
throughput rate of an identification system. Our recommendation is
that AAMVA should determine, based on current state use, whether the
standard should be for both thumbs or both forefingers.
0.5.2
Image Quality
The
Criminal Justice Information Services "Interim IAFIS Fingerprint
Image Quality Specifications for Scanners," CJIS-RS-0010v4,
Appendix G, (included in this report as Appendix G) specifies
requirements for signal-to-noise ratio, gray scale resolution and
histogram, modulation transfer function and geometric distortion for
fingerprint images scanned into an AFIS. Notably missing from Appendix
G are standards for image resolution and size. The resolution standard
of 500 pixels per inch is actually included in the ANSI/NIST
"Data Format for the Interchange of Fingerprint Information"
standard, included in this report as Appendix I. There is no size
standard.
These
standards were adopted by the FBI after qualitative testing and
careful consultation with forensic fingerprint examiners. The goal was
to establish the loosest standards compatible with the accurate
identification of latent prints by human experts. Several fingerprint
companies manufacture scanners to these specifications. The FBI has,
in the past, certified scanner performance to Appendix G requirements.
Such certified scanners cost around $1000 per unit. The civilian AFIS
community has argued that the standards are much stricter than
required for non-forensic use, and that cheaper, non-Appendix G
compliant scanners can be successfully used for civilian
identification. As part of this study, we are proposing a reduced
standard, included as Appendix H. Unfortunately, no research data
exists on the relationship between image quality and AFIS performance,
so we are "guess-timating" when proposing requirements for
image quality. We are suggesting that AAMVA develop, based upon this
reduced standard, "best practices" for scanner image quality
for use in commercial driver identification.
0.5.3
Compression Method and Ratio
In
1992, owing to the pressing problem of large-scale IAFIS data transfer
and the noted degradation in expert and computer matching performance
when using JPEG-compressed fingerprint images, FBI adopted the Wavelet
Scalar Quantization (WSQ) method of compression as the standard,
included in this report as Appendix J. WSQ allows for a variable
compression ratio for transmission and storage. After qualitative
tests with human "latent" examiners, the compression ratio
of 15:1 was adopted as the standard. The civilian community believes
that higher ratios can be used without catastrophic AFIS performance
degradation, but there has been no scientific research in this area.
We are proposing that AAMVA adopt WSQ at 20:1 compression as the
standard compression method, pending additional scientific studies
regarding compression ratio and performance.
0.5.4
Data Format Standard
We
propose that the ANSI/NIST "Data Format for the Interchange of
Fingerprint Information," included in this report as Appendix I,
be adopted, without changes, for use in the commercial drivers
licensing project.
0.5.5
Minutiae Extraction
Even
fully-compressed fingerprint images are too large to be stored on a
licensing document. Almost all commercially available fingerprint
systems extract "minutiae" from the fingerprints. Minutiae
are, roughly speaking, the location of the ridge endings and ridge
"bifurcations" (splits) in the fingerprint. Beyond this,
however, there is no agreement among AFIS contractors as to what other
information should be contained in the minutiae record. Most
contractors differentiate between ridges and bifurcations, and add the
angle of the ridge at the minutiae point. The amount of additional
information that can be added is virtually endless, and minutiae
records can be from 26 to 1000 bytes long. The fingerprint image
cannot
be reconstructed from the minutiae record. Matching is done by
comparing the minutiae points to those extracted from previously
stored prints. There is no scientific research available regarding
AFIS performance and minutiae record size or content.
There
are no government standards for defining minutiae records or their
extraction or storage. This means that minutiae records stored on a
licensing document will not be usable across system contractors.
Unless every state contracts with the same contractor, inter-state
"roadside" driver identification is not feasible with
records stored on the document. Early in 1997, NIST held informal
meetings with the AFIS industry on this issue, but no immediate
progress was been made. Owing to vendor pride and
"proprietary" approaches, minutiae standardization is
proving to be a very difficult and daunting problem. We recommend that
AAMVA attend any minutiae standards meetings held by NIST. We do not
recommend that FHWA or AAMVA directly attempt to establish such
standards.
0.6
Three System Designs
There
are three ways of approaching the creation of a nationwide biometric
system for identifying commercial drivers. The general nature of this
system is independent of the choice of fingerprinting as the candidate
biometric technology, but is highly dependent upon funding, politics
and the Federal prerogatives/states' rights debate.
0.6.1
The Centralized System
The
most straightforward and cheapest approach to the identification of
commercial drivers would be a national system, much like CDLIS, which
electronically holds the minutiae records of all licensed commercial
drivers. The minutiae would be "pointers" by which the
database could be accessed. Recalling that fingerprint images cannot
be reconstructed from the minutiae records, the original images would
remain stored in the states which collected them and accessed only if
a prosecution for drivers licensing fraud was indicated. However,
because each state might be using different fingerprinting contractors
with incompatible minutiae record formats, the fingerprint images,
collected during the licensing procedure using scanners of
standardized image quality, would need to be transmitted in compressed
form to the central site for minutiae extraction. The states would
archive the images, while the central site would extract the minutiae,
then discard its copy of the original images. States objecting to the
transmission of compressed images could send the minutiae only, but
would be required to use the contractor-specific minutiae extraction
software mandated by the national system manager.
A
commercial driver applying for a new license or a renewal would have
copies of his/her images sent to the central site, converted to
minutiae and scanned against the existing database. The transmitted
copies of the images would then be destroyed. In the case of a new
license, if no match was found, the license could be issued and the
minutiae stored in the database. In the case of the issuance of a
duplicate or a renewal, a match should only be found against the
registered license holder. Any other matches would indicate multiple
license fraud. This approach to scanning the entire database for both
new licenses and renewals provides a "double check" against
multiple issuances. To be effective, all states would be required to
participate. A non-match during the renewal or duplicate issuance
process might indicate single license/multiple driver fraud.
Could
such a large centralized system be built and would it work? Scientific
information on large-scale system performance has recently come
available from an international AFIS contractor benchmark test
conducted by the Philippine government. An important feature of
large-scale AFIS systems is that of print classification to decrease
the required scope of the search. Stored prints are classified as to
"arch," "whorl," etc. (or into some other groups).
When a sample print is received for comparison, it is likewise
classified, then compared only to those prints with the same
classification. Two-print systems can, on average, match prints by
comparison with only about 10% of the stored prints in the total
database. The measure of this efficiency increase is known as the
"penetration rate." Assuming 8.5 million commercial drivers
(some of whom may be inactive and not seeking renewal), with
approximately 3 million renewal, state transfer and new licenses
annually, 240 20-hour work days annually at the central site,
two-finger matching and a 25% penetration rate, about 400,000
comparisons per second would be required. Although no system of this
size currently exists, it is within the capability of current
contractor designs.
Compressed
images are about 15 Kbytes in size. This data can be transmitted over
standard modems in two or three seconds and could be sent to the
central site over AAMVANet or internet lines. The data arrival rate at
the central site (over an 11-hour national work day) would be about
one 15 Kbyte image (plus data format header and overhead) every 3
seconds, requiring trivial input bandwidth.
Current
system performance appears to be highly contractor dependent, false
match errors occurring perhaps once in every 10 million comparisons.
Assuming independence of errors, two finger false matches would occur
about once every 10
14
matches. Using the same numbers as in
the paragraph above, this would equate to a false match every few
decades.
False
non-matches occur at a rate of 2% to 10% per single finger comparison.
Again assuming independence of errors, two finger false non-matches
would be less than 1%. This number has to be interpreted carefully. It
means that less than 1% of all persons attempting fraud through random
means will be successful, while 99% will be caught.
0.6.2
The Distributed System with Centralized Communication
A
second approach would be to have each state maintain and control its
own commercial driver AFIS system. Each state could have a different
contractor and different minutiae extraction protocols, but each would
collect data at the nationally-mandated image quality standard.
Duplicate or replacement licenses would be issued only upon the
verification against the state's own database of the applicant's
fingerprint. Single license/multiple driver or driver substitution
fraud could be detected with no interstate transfer of data.
When
a driver applies for a new license, the compressed fingerprint image
would be sent by AAMVANet, NLETS or internet to a centralized
communication site for distribution to the independent systems in all
the other jurisdictions. Any jurisdiction finding a match would report
the find directly to the originating state.
The
centralized communication site would have to transmit each image 50
times, leading to a centralized output of several hundred Kbytes per
second, a trivial load for a large server. Input data rate at the
state and central sites would be at the average rate of one image
every 3 seconds. California, the largest state with about 600,000
commercial driver's licenses (CDLs), would be conducting about 50,000
comparisons per second (considering a 25% penetration rate), requiring
a mid-sized system.
The
political advantage of this system is that states would only release
images for immediate search, not for storage in any form outside the
state. Each state would maintain complete control of all its images
and derived minutiae. The disadvantage would be the total cost of the
system, with loss of the economies of scale of the centralized system.
The effectiveness of this system would be identical to the centralized
system, provided that all states participated.
0.6.3
The Distributed System with Direct Communication
The
third approach is identical to the second, except that compressed
fingerprint images would be sent directly by the collecting state only
to selected, participating states for search. Receiving states could
charge a fee for searching of an image against their database. This
would require no generalized transmission of fingerprint images,
giving each state tight control over which images would be sent to
which states for search. Further, states could participate or not in
this system as local politics required. This system would be effective
against renewal and single-license/multiple-driver fraud.
Effectiveness against multiple license fraud would be limited,
however, if not all states participated.
0.7
Legal Considerations
We
have determined that there are several Constitutional principles
potentially linked to a government requirement for the submission of a
biometric measure as a prerequisite for the issuance of a driver's
license. These are: due process, search and seizure, and
self-incrimination, as well as the implicit right to privacy. Our
survey of legal challenges to government-required submission of a
biometric identifier revealed several pertinent court rulings, nearly
all of which upheld the practice when justifiable on grounds of public
safety.
The
most directly applicable case was
Christopher Ann Perkey v.
Department of Motor Vehicles,
decided by the California Supreme
Court. California instituted a requirement that each applicant for a
driver's license submit a fingerprint to the Department of Motor
Vehicles. Ms. Perkey refused to be fingerprinted and was denied a
license solely on the basis of this refusal. She took legal action,
claiming that the fingerprint requirement violated substantive due
process because there was no relationship linking it with the state's
stated interest in promoting highway safety.
The
California Department of Motor Vehicles asserted that fingerprint
technology was the only reliable way to ensure the integrity of its
drivers licensing records and that the interception of applications
from those who pose a serious danger to public safety constituted a
proper legislative objective. The California Supreme Court agreed that
the fingerprint requirement bore a rational relationship to the
legitimate goal of furthering highway safety by giving the state a
reliable method of checking the identity of driver's license
applicants and upheld the requirement for fingerprinting.
Although
this finding only applies in California, government required
physiological sampling has been upheld by several U.S. Supreme Court
rulings against several challenges. In the case of
Breithraupt v.
Abram
, decided in 1957, police took a small blood sample from an
unconscious person involved in a fatal car accident. The Supreme Court
ruled this extraction was constitutionally permissible, stressing that
clinical blood extraction was not significantly intrusive and had
become both commonplace and accepted by society. Nine years later, the
Court reiterated this point in
Schmerber v. California
, by
recognizing that both federal and state courts have held that the
right against forced self incrimination does not extend to forced
subjection to fingerprinting, photographing, or physical measurements,
nor to forced writing, speaking, standing, walking or gesturing for
identification purposes.
Our
research indicates that a requirement for fingerprinting as a
prerequisite for the issuance of a commercial driver's license would
most likely be upheld in a court challenge.
The
greatest legal challenge to such a system will be from the states
themselves. Of the four states currently collecting fingerprints
electronically, one (Georgia) would be unable to release those prints
to other states under current state law. One (California) would be
unwilling to release their prints to a federal system without
mandating federal legislation. Most states not currently collecting
fingerprints would require modifications to state law, or a federal
mandate, to begin collection.
0.8
Benefit-Cost Analysis
Our
study includes a procedure for a detailed benefit-cost analysis.
Estimating the financial costs of any of the three designs given above
is not difficult. Industry sources indicate that the centralized
system could be built for under $15 million. Total cost of the
distributed system would be greater, owing to the loss of economies of
scale, but capital expenditures of each state would be at most a few
million dollars.
The
primary problem we face is in estimating the financial benefits of the
system, particularly in the absence of any conclusive evidence that
the current system for enforcing the "one-driver, one-license,
one-record" is ineffective. In November, 1996, the New York State
Department of Motor Vehicles completed the "Multiple CDL
Study" for the Federal Highway Administration. According to this
study, "the multiple CDL problem has decreased to the point that
it appears to be virtually non-existent." Further, the study
states, "Although potential duplicates (CDLs) surfaced in our
records comparison results, the numbers were statistically
insignificant."
We
know of no documented, post-CMVSA case of a commercial driver actually
having two commercial licenses. On the other hand, anecdotal evidence
has recently emerged from the Alabama Department of Public Safety that
a problem may exist with multiple drivers sharing a single license.
This issue was not addressed by the "Multiple CDL Study"
and, consequently, we have no estimates of the size of this related
problem. The use of biometric identification with the CDL,
specifically the on-line availablilty of the biometric record with the
driver data in the CDLIS database, could eliminate the problem of
multiple drivers on a single license.
Pending
the completion of current, on-going studies, it is difficult to
estimate traffic safety benefits to be accrued from the deployment of
a biometric identification system for commercial drivers owing to the
lack of hard data on the size of the commercial driver authentication
problem. Nonetheless, we have included in our study a detailed
analysis of what types of data would be necessary to support this
project from a benefit-cost perspective.
0.9
Conclusions
This
study recommends that fingerprinting be established as the biometric
for identifying drivers pursuant to Section 9105 of the "Truck
and Bus Safety and Regulatory Reform Act." This study further
defines the minimum required scope of the system and recommends
specific "minimum uniform standards" for the biometric
identification of commercial drivers using fingerprinting. We have
included results of a recent large-scale fingerprinting test showing
the feasibility of two-finger systems at a scale comparable to the
current CDLIS enrollment.
We
suggest several standards (scanner image quality, compression, data
transmission format) for adoption by AAMVA as "best
practices" and outline several system approaches for using
biometric fingerprint technology to enforce the "one-driver,
one-license, one-record" mandate of the Commercial Motor Vehicle
Safety Act. In the absence of hard information supporting the
existence of a problem with multiple licenses or single licenses with
multiple drivers, we have difficulty in computing the benefit-cost
feasibility of such a system, but have included a computational
methodology for use as such data becomes available.
We
recommend that the FHWA cooperate with AAMVA to establish "Best
Practices" for biometric identification using the fingerprint,
including standards for finger selection, scanner image quality,
compression technique and data transmission format, based on the
specific recommendations of this report in these areas. We further
recommend that AAMVA create model fingerprint collection and
protection legislation to serve as a guide for states wishing to begin
the fingerprint identification of commercial drivers.
Top
Zip files may be downloaded using WinZip
|