The Washington Post
Navigation Bar
Navigation Bar

Partners:
The Eyes Have It: Body Scans at the ATM

By Guy Gugliotta
Washington Post Staff Writer
Monday, June 21, 1999; Page A1

Bar code for the body HOUSTON Jordan Pearce stood before the Bank United cash machine, stared at a blinking light for perhaps three seconds, waiting quietly while a hidden camera scanned his eyeball. The machine's television screen spasmed once and opened for business.

Moments later Pearce pocketed $40 and departed, just like millions of other Americans who stop at their local ATM to get money every day. Except that Pearce, 18, a rising freshman at nearby Rice University, didn't have an ATM card.

Instead, he simply allowed the camera mounted in the top of the cash machine to examine his iris the colored part of the eye and check its characteristics against an earlier scan stored in Bank United's iris database. Once the match was made, Pearce was free to use the machine. He needed neither ATM card nor identification number: "They told me about it when I was making a deposit," Pearce said. "It sounded pretty cool."

The cash machines at Bank United, Texas's largest financial institution, have pushed the science of biometrics identifying people by their unique physical characteristics to a new frontier, transforming what began as a James Bond fantasy into everyday commerce. Bank United's use of iris scanning, which is harmless to the eye, represents the first time a large private company has attempted to use biometrics as a consumer tool.

Whether it's iris scanning, fingerprints, voice prints, hand geometry, face geometry or signature authentication, biometrics are rapidly becoming a cheaper, easier and more secure way to conduct business.

What consumers think about it is not yet clear. A customer poll by Nationwide Building Society, a British savings and loan that began using iris scanning last year, found that 94 percent of customers were comfortable with the system and that 91 percent preferred it to PINs or signatures.

But efforts in 1997 to put a biometric on Alabama driver's licenses had to be abandoned when outraged motorists refused to surrender their fingerprints. And while young techno-zealots like Pearce are easy sells on iris scanning, older customers tend to hang back: "They think it's great, but there's a lag time to get used to it," said Bank United assistant branch manager Gabriel Q. Ngo.."

Then there are depositors like Steven J. Tutt, 42, a chiropractor who likes the convenience of iris scanning at his Bank United branch in Dallas but confessed that "there was a little bit of fear about who can have my iris pattern."

An uneasiness toward yielding information about one's body has prompted outright rejection of biometrics among some, but libertarians of all ideological stripes have questioned biometrics' potential danger to citizens' Fourth Amendment right to privacy.

"Who's entitled to gather this information?" asked Barry Steinhardt, an associate director of the American Civil Liberties Union. "Can there be a secondary use? What is the form of consent, and is it truly voluntary? What security is there against theft?

"The paramount problem is that the technology has been developing at light speed," Steinhardt said, "while the law has developed not at all."

The biometrics industry is concerned enough about what it calls the "Big Brother Factor" to have designed a set of principles for companies to follow to avoid the misuse of biometric information. Their association has also urged adoption of legal standards to restrict public institutions' use of the data.

"When new technologies become available, you want to ensure they are not going to be proliferated in the wrong way," said Rob Van Naarden, president of Sensar, the company that builds the iris-scanning machines.

But the association's other main task is to point out that biometrics promote, rather than compromise, privacy. Van Naarden contrasts the data surrendered during an iris scan with the information contained on a standard driver's license, "something you willingly give up to almost anyone who asks."

Still, Van Naarden said, the real judgment on the future of biometrics "is whether people use them," and Bank United's cash machines are the vanguard test case. At the end of the summer, the bank plans to poll its iris scan customers at three pilot program ATMs in Houston, Dallas and Fort Worth and decide then whether to install the system at 60 ATMs in Kroger supermarkets across Texas.

"Banks are not known for being creative innovators," said Bank United Senior Vice President Ron Coben, who was instantly captivated by iris scanning when he saw it demonstrated at a 1997 trade fair. "So instead of pontificating about it for five years, why not get out and do it?"

A few years ago, the use of biometrics was limited to those government agencies and security firms that distrusted photo IDs and that had enough money to buy something else. "I sold my first device in 1978," said Paul Collier, director of operations for Identicator Technology, the leading manufacturer in fingerprint biometrics. "It must have had 100 moving parts."

Collier said that the technology was used then for the most part in government applications, such as driver's licenses, high-end security and military applications, but that "as the cost has come down, we are looking at wide-scale deployment. That is just starting now."

Different biometrics use different body characteristics, but the principle is fundamentally the same in all cases. Using a camera, sensor or other device, a person's physical trait is digitized, encrypted and filed away in a database, somewhat like a bar code.

Done properly, such a system is virtually fail-safe, the industry contends. None of the technologies can be reverse engineered because of encryption and because biometric sensors are geared to expect subtle differences caused by dirty hands, widened pupils or greasy thumbprints. Industry specialists say the machines would immediately flag a fabricated biometric that exactly matched the database template.

And identification is foolproof. Identicator uses nine fingerprint measurements. PenOp, Inc. has more than 30 ways to authenticate signatures, including unforgeable characteristics like acceleration, deceleration, pen pressure, total elapsed time and pen angle.

IriScan, the Marlton, N.J., firm that patented Bank United's iris technology, uses 266 different measurable characteristics of a person's iris, a membrane that has muscles with distinctive ridges, freckles and stretch marks that are formed in childhood and never change. Color has nothing to do with it, and glasses and contact lenses present no obstacle. The company is fond of saying that IriScan is "better than DNA" because it can distinguish between identical twins of the same sex. Their irises are different, even though their DNA is the same.

The IriScan technology was developed in the early 1980s and demonstrated for the first time in 1989. Company President and CEO John Siedlarz said it took 10 years to translate the science into a "usable product."

But not one that everybody could use. Profitability for IriScan, like many other biometrics companies, has depended on its ability to translate yesterday's technological exotica into an everyday tool.

"That train has now left the station," said Sensar's Van Naarden. "We have had a couple of generations of products that are showing a reasonable cost structure and convenience. We've crossed the barrier from science to engineering."

Sensar, an IriScan licensee that built the cameras used at Bank United and at England's Nationwide Building Society, has 12 bank projects under way in nine different countries.

Besides ATMs, Sensar is installing IriScan at teller stations and safety deposit vaults, Van Naarden said. It also has "back room" projects that involve check clearing, wire transfers and other kinds of cash management.

"Today when you're calling into your bank to get account information, you're talking to somebody that has access to all the bank's databases, each one with its own password," Van Naarden said. "Since no one can memorize the passwords, the staff has them written on post-its stuck on their computer screens." With IriScan, the person performing the transaction uses his or her iris instead of passwords, and there's no need to write anything down.

The uses for biometrics, either as security or authentication mechanisms, are virtually limitless. Law enforcement can make an electronic "mug book" from a face geometry database, with a hidden camera beeping the police station whenever a wanted fugitive steps in front of the camera at a known drug hangout.

Factories can eliminate "buddy punching" by using iris recognition or hand geometry to check employees as they come and go from work. Recognition Systems, the most established of the biometric firms, sees a growing market for hand geometry to get into health clubs. "People don't want to carry cards with them when they're coming to work out," said company President Lou Tilton.

Using a small plug-in device, consumers can already gain exclusive biometric access to their computer files, but in the near future, companies believe users will also be able to authenticate their identities in Internet transactions with banks, stockbrokers, auctioneers and anyone else who maintains an online biometrics database.

"That's the second level," said Identicator's Collier, and "down the road, you'll see biometrics in everything from home alarms to safes, automobiles, gun cabinets and cable television channels biometrics lends itself very well to parental controls."

John Woodward, a privacy attorney and adviser to the Biometric Industry Association, acknowledges that the use of biometrics contributes "to the feeling we have no privacy," that "the government could call up the central computer, punch in your name and find out where you've been today."

There need to be safeguards, he said, including laws restricting the movement of biometric databases. "If you think of them as mailing lists, you don't want them to be sold to other companies," Woodward said.

Also to be avoided, Woodward said, is "function creep," the idea that if the city welfare agency is using biometrics to keep track of its caseload, it should not be letting the city tax assessor or the state supreme court track people using it.

But now, the ACLU's Steinhardt said, "we enter the brave new world without any rules. There are no legal controls over how biometrics can be used whether the information can be sold, whether it can be turned over to law enforcement without a warrant."

Steinhardt believes the biometrics industry will have to be regulated, because "in the absence of any regulation, we're in a position where industry says 'trust us.'"

© 1999 The Washington Post Company

Back to the top
Navigation Bar
Navigation Bar