NORVIEW 903 CTA-Inmate Identity Management


Feb 23, 2014 (7 years and 5 months ago)




Inmate Identity Management

NOREX has partnered with the Corrections Technology Association to provide periodic
WebForums focusing on issues specific to the corrections industry. This November
2011 session
on inmate identification issues

included a member presentation

retains the original, unedited version in order to facilitate future networking.

your NOREX Member Care Team for assistance.

*Please note that this is a transcript of an audio conference and it may contai
n misspellings and grammatical errors.

The names of participants have been abbreviated, and their organizations have been deleted from this transcript.




Member presentation:



int gathering



Integrating with offender management systems



Biometric devices



Biometric registration



ar scanners vs. Iris readers



Facial recognition



Biometric support considerations



Criminal history access/sharing



Ownership of encryption image




NOREX WebForum Transcript


Inmate Identification

10 November 2011



Welcome to today’s CTA
WebForum on inmate identification management.
First of all, let me mention for those of you
who may not be familiar with NOREX
, we are
a 30 year old consortium of information technology departments

North America.
Some of our members are in the corrections industry, and we have partnered with the
CTA to provide these web conferences

specific to the industry
. If you would like to know
more about
NOREX, please contact myself or anyone here. Our website


Before we get started with the discussion I want to turn it over to the current president of
the CTA, Leisa R.

Leisa R.

I do want to thank you all for taking the time to join us today. I just wanted

take a couple minutes to tell you a little bit about CTA. The Corrections Technology
Association, if you are not familiar with us, is an organization of corrections

and justices, CIOs, and other

decision makers. We work to faci
conversations with each other and with the business

out there that are maybe
providing technical solutions to help us solve our tough correctional business problems,
much like the one we are going to talk about today.

We are having our
Annual Technology

Summit in May, the 20th through the 24th, which
will be at Daytona Beach, Florida, a beautiful location. We would encourage you to
come join us there. If you are

in more about that, our website is We
would be happy to talk more about that. Or, you are
welcome to send me an email, and I will be happy to explain more about that if you
. I just look forward to the participation today, and again, thank you very
much for being a part of it.

Thanks, Leisa. Let’s get ready for our presentation now. I would like to
introduce Bill, who is the

of strategic technolog
y in corporate projects for The
British Columbia Ministry of Public Safety


This presentation given as part of a CTA WebForum is
used with permission from the BC Ministry of Public Safety and Solicitor General. It
describes the impr
ovement of service delivery through identity centric architecture.
5 Pages


Member presentation:

Bill Y.:
e just wanted to describe o
ur little business problem
we have had and
how we are addressing it, because we think it fits with the topic here today. We are a
member of CTA, and we do enjoy the participation in those forums over the years.

in 2009, we began what amounted to a four year project to essential
ly connect our
offenders, both in community and custody settings, to address a number of issues,
most of which you are familiar with, the typical sort

of things, the clients online
grievances, medical requests, you know, various e
services, messaging, et
We have
added a couple of other things.

One that
is slightly different

here in Canada

perhaps down in our jurisdictions down
in the states, we had a significant legal issue where inmates awaiting trial have an
unfettered legal

to the mater
ial that is being prepared by the

to be
used in trial. They have to have access to that.
ost of that evidence is now electronic,
gathered by the RCMP, the Royal Canadian Mounted Police. We have had a

Court of Canada decision that we ha
ve to provide basically unfettered, 24 hour a day
access to that material.

The current mechanism to that is heavily modified laptops. That did not address a
bunch of issues around security of the data. So, we realized we had to connect our
clients to a n
etwork, and while we were doing that, we had to be able to authenticate
them appropriately to be sure that they were who they were. This
, certainly on
the legal side, is high

. There would be other issues related to that. We are
also going to leverage this

in our community setting for probation and
, etc., and conditional sentences in the community up here, where suitable clients
in the community will be able t
o self
report on


So, we have this issue around identity management. You know, we have to have a
solution that protects the data. There was a content

backend to all of this
as well, while we were architecting the solution. W
e are going to use SharePoint 2010
and its content management components, and use the

and biometric
authentication appliance on secure devices to enable access to this content
management space, if you will, that

farm or stack of Share
. This is

would be uploaded by

and/or others, and the client will be
able to access that information.

I am going to give you over in a second here to Alec, who is our chief architect on the
project. Alec will des
cribe some of the other components related to how we are doing all
of this. In
our province
, and the slides sort of indicate it here, if an accused is


the appropriate access to the material that is going to be used against them in
court, to pr
osecute them, it does risk the prosecution. Judges have been known to throw
out trials if the evidence was not provided appropriately.

So, our drivers were both the sort of multiple issues around identification of offenders,
as well as the protection of
the criminal prosecution. We also realized that while we
were doing this, we could reuse this information, the biometric or the authentication of
identify information of the client, obviously, for identification purposes, do our controls,
phone call system
s, and so on.

So, we are trying to do this once and to do it wisely. It is certainly an enterprise solution.
I will flip you over to Alec now and let him carry on with the next slides.



Thanks, Bill. This is just our conceptual architecture of the
ICON2 system. At
its heart, ICON
2 is an intersecting set of custody and community based e
services. We
have got points at the range of these services that we are targeting here. Obviously, for

some of the simpler e
services, it might be acceptable to accept sort of a pseudo
anonymous transaction, consisting of just a user ID and a password, because we are
not giving away any sensitive information. But at the other end of the spectrum, when
we a
re dealing with the e
disclosure material, we really desire a higher level of identity
assurance, when a user comes to the table wanting to request a survey. To that extent,
we were driven towards augmenting our existing identity records, which has histori
been mostly based on physical characteristics, with a biometric identifier attached to it
as well.

As Bill mentioned, we are doing that through standing up a reusable service that could
be not only reused throughout the corrections branch, in somet
hing like the door control
system, but it might also be able to be reused throughout the justice sector or the
broader government, without having the biometric data that was obtained for corrections
purposes associated with it. So, all the services and des
ign patterns could be reused by
individual programs that might onboard later and would have to come up with their own
method for capture. This is our high level architecture of the Icon system.

The custody and community clients access the system through
a Java or Silverlight
based user interface. These interfaces are very lightweight. They do not have a lot of
processing guts to them. Then, they access through a secure device, which is also
hosted on a secure network. The biometric reader that they are go
ing to use to
authenticate to that device is going to depend for the most part on, well, what the device
type is.

Because, we are really looking at targeting a variety of devices, ranging from
sort of public facing kiosks to private laptops. It could be th
at a public facing kiosk would
use a standalone reader that would connect through USB, which would then be
protected through an enclosure. Whereas, the laptop, it makes the most sense to just

reader that ships with the laptop there.

So, it really

the device implementation.

next thing that we have done is;

we have expanded our services layer, which is
written in Software AG Web Method, to allow for information inside our OMS to become
That was all protected through the Layer 7 SecureSpan Gateway that
provides access to all the WS

standards, to ensure that our front end and our
back end are completely protected once it gets through the network and device layers.

Finally, the

addition of the biometric to this architecture has really shifted our

towards identity
centric architecture and design. We have done
that by

a partnership through CA SiteMinder and the WEB
key product
through the BIO
vendor. We are looking at providing sort of a centralized
that is
where we are standing up all of our services. We chose this particular partnership
because it maximized the interoperability between
we could have some more flexibility
around the types of

readers that we hook into our system, and we would not be bound
to a specific vendor as we move forward.


, we are integrating all of the biometric infrastructure with our existing vendor
management system, which is an Oracle Forms system. It is b
eing extended to allow for
fingerprint search on intake, and then if they are not in the system, it will be captured.
We are currently sort of going through the processes of analyzing the cost benefit
versus a single print capture versus a multiple finger
capture. We are trying to figure out
sort of what the sweet spot there is, in terms of cost versus the time saved in speeding
up the intake process.

So, looking forward into the project, we have sort of set significant foundations here by
enabling a

oriented architecture, creating an augmented client identity, and
creating the concept of connected clients. What this really gives us is a standards based
interacted that will allow us to have a more flexible architecture, and leads us towards
and ac
ceptable framework and stronger governance. We are certainly moving towards
enabling externalized authorization and the concept of a federated identify in a G
System (
?) style of architecture. I am not trying to claim that we are completely G
System compli
ant at this point, but it is certainly take the step towards that direction.

Of course, the augmented client identity helps to build out the concept of a justice
participant registry, so that within the sector, we can really identify people. We know
is who with a stronger level of identity assurance,

to more accurate
identification and streamlined authentication process
es. I am just going to pass it back
to Bill to close up on some of the benefits of looking forward on Icon2.

Bill Y.:
Thanks, Alec. In short, we are going to be using the government infrastructure
and corporate services that make sense across the problems here in BC to deliver right
down to the cell level access to devices for inmates in custody. We are close to
ing the pilot. It has been three of the four years so far. So, we do not claim to
have this up and running, but things are looking pretty good. We will be doing that
April/May 2012.

You know, the future, as you can well imagine, is going to change our bu
siness and
how we interact with inmates and clients in the community. We are going to be using
some of these services to connect other professionals, lawyers, government service
providers, and so on, to the clients where it makes sense.
, messagin
g and
potentially sharing of

and so on and so
. A good component of this is,
wherever we can, we are also

this with our inmate call control systems,
where the revenue, of course, is generated by the client or the inmate using t
he phones.
It will pay for a good deal of the front end of this, the device, the networks, and those
kinds of things.
The phone

system will be integrated into the device, as well.

So, cell phone technology, the authentication, the
biometrics, and

the dol
lars and the
clients’ finances behind that will also all be part of the system. So, there you go. Thanks
very much. It was a pleasure having an

to tell you about what we are doing.


Thanks much. We will open it now to questions


Topic: Fingerprint gathering


I will throw a question out there.
Are there any issues when it comes to the
gathering of fingerprints, whether we take one or whether we take ten?

Bill Y.:
Well, there have been questions asked about that. Certainly, th
e privacy folks
think that it is better to take less. But, we are not going to be gathering the
. We
are only going to take the hash or the encrypted logarithm related to the print. We
decided early on that the image of the print is where the risk lie
s. The privacy folks, the
oversight agencies, once they were

with that solution or architecture, where
we could guarantee that that would not be the case, there would be no image to be lost,
the anxiety went away.

The other side of that coin, o
f course, is, from a corrections

perspective, we did
not want to take just one or two fingerprints, and then have the other eight or nine or
whatever be potentially used to create another identity by the inmate or

some later date. So,
by taking all ten, you eliminate the possibility of the others being
used in some other venue or some other agency or some other service into the future.
We think we have balanced that by not keeping the image.


A past
president of the CTA is
on the call on wants to provide some

Ed R.

I know that one state

has done a very similar project and has it up and running.
They have only deployed it out of one of their maximum security facilities at this time.
There were about 136 inmates, I think, involved. It was kiosks in the cells that are
interfaced with their
offender management system. So, as they take the action of the
inmate movement in the offender management system, the kiosk is automatically
logged on or off as needed, giving the inmate access to only those applications that
their classification level per
mits. They have already interfaced their IP television through
this system, IP phone network through this system, as well as your standard
commissary ordering access to the legal library, access to other e
books and that sort of

So, some very exciting stuff that we have seen from
that state

in their identity
management and how they had it tied in with their OMS.

Chris J.

I am going to back to a comment a minute ago,
from Alec. Y
ou are only using
one fingerprint, but you are tak
ing all ten so that the other fingerprints cannot be used. I
think that is what you said. Logistically, h
ow do you do that?

Alec W.:
The service that we are standing up allows for customization around how
many fingerprints you capture versus how many fin
gerprints you authenticate

So, we are going to capture all ten fingerprints, but when it comes to actually
authentication time, we are only going to require one of the ten. We could even set it to
say, you know, it has always got to be the index f
inger of your right hand. Or,

alternatively, it could be configured if that is not working out, you could put any finger
you want at authentication time. Does that answer your question?

Ariel V.

So, are you actually capturing actual images of fingerprints, as opposed to a
hash or just points in the fingerprints?

Alec W.:
No, we capture the image, and it gets translated into a hash. The image is not
stored, just the hash is. We have got an actual

extra layer of privacy protection on this.
On what gets stored back in the offender management is not the hash, it is a reference
to the hash. So, that is what happens sort of at intake time.

Then, when they go to authenticate, they put their finger dow
n, it matches, and then it
comes back to say, does this reference match a reference that you have in your system

Chris J.:
OK, thanks. We are just trying to figure out how that is going to help me. It
uses the index finger one day, and then it goes and tr
ies to use a different finger to
create a different account, you are trying to prevent that, right? That is the idea?

Alec W.:
That is exactly what we are trying to prevent.

Ed R.:

ow will your agency handle inmate account management for these systems?

e have heard
Bill and Alec

introduce how they are addressing it with the biometric.

John D.

I can just say, you know, we are at the early stages as we are looking at this
quite a bit. We are probably looking at fingerprint
. We are

a little bit to see if that might be an
. I am working with one company that is
working with HID cards that are doing that for some type of identification. So, we are
exploring the different option, but right now we are leaning towards biomet

Ariel V.:
We have actually got a network law library up and running. However, because
e inmates are really doing real research in that
, we have chosen not to
really do any sort of authentication. We basically have walk
up kiosks, and

they are not storing any information that is personal to them, we have not seen a need
yet to implement authentication for individual offenders. We also have some services in
our locational computer labs that are doing some digital literacy trainin
g. They are using
biometric authentication. We have got about three labs up and running that have
approximately 40 students in each of them. We have been running a pilot for maybe
about three months.

What we did was, we chose to buy an off
shelf prod
uct that integrates tightly with
Active Directory, and we are creating accounts for offenders.

now, we are taking
class enrollment lists, provided by the instructors, creating accounts for them, and
having instructors do fingerprint enrollment in the

classroom as new student cycle in
and out. So, those are some of the choices we have made.

Steven G.

Our telephone system uses a PIN number, which is not tied in any way to
the law library network or the locational network, so they are not connected in
any way.


Topic: Integrating with offender management systems


Do any of your sites integrate your offender management identification
with the electronic health records?

Ariel V.:
No. We have really chosen to keep any offender management or

would be confidential totally separate. We have built a completely separate secure
network. Any

that needs to go back and forth, we walk across on a USB
stick, and we try to keep that to a minimum wherever possible.

Thomas H.

Just a quick clarification. If I understood the question correctly, it is, is your
offender management system integrating with your medical records system? Is that the

Deborah O.:

No, I am curious about the inmate identification piece only. We
do not

our medical

with our offender management information. We, of
course, keep those

and confidential. But there is really only one ID process.
We currently do not use biometrics, so

at intake is very c
umbersome at
times. But, we are moving toward an electronic health record, and we need to be able to


for healthcare, as well as all of the correctional and
judicial things that go on with them on the

side of the equ

Thomas H.:
Yes, I understand that point. We have an offender

which is a Legacy based system. We also have the

of electronic medical record
and electric health record, which are also on Legacy based systems. While those
systems are

integrated, there is no offender input into any of those systems. We
do not associate the record with the offender by anything

other than his assigned form
and identification number.

Deborah O.:

OK, thank you.


Deborah, you are looking to set up an identity management system that
would work for two different purposes?

Deborah O.:

Right. That is the way we do it now.


office manages all of the
identification issues. Then, once they have the person officially identified, they provide
the healthcare system with the name, the date of birth, and the individual’s booking
number. That becomes his identification

for both correctional

and for medical

So, my point is, if we are going to use biometrics at intake, when the sheriff’s office is
doing their best to properly identify these people, we in healthcare also need to make
sure that

ve the same individual properly identified. I can only imagine that if we
share that official identification piece, we would all be working on it at the right time.

Ed R.:

the question. Here, the

office is doing the same sort of
thing, as far as one way data exchange between the offender management system after

the inmate identification from the
?) system upon booking, that would then be fit to
your electronic medical records.

Is that what I
heard you say?

Deborah O.:
That is the way we do it now, except we do it all manually. So, the sheriff’s
office has to give up the proper identification of the person before we can officially
develop a complete health record for the inmate.

Ed R.:
we do this electronically now. I think that is a little bit different from
that is the question, too, that is really a valid question. Is it any different? When we are
talking about inmate identification, as far as purposes of authenticating them to a

is there some way that we should be leveraging the ID system from booking or from

Deborah O.:
Well, to me, it does not make any sense for the healthcare system to jump
through a whole bunch of additional hoops to do their own identificatio
n process.

Ed R.:
That is very true. Yours should be easily resolved just by one way data
exchange with your offender management system, that a file is sent electronically to
your medical system.

Deborah O.:
Right. That is the way it happens now, althou
gh, we are not currently
using biometrics. So, my real question was, of any of the participants on the call, is
anybody electronically providing the biometric identification information to the medical
side of the house?

Bill Y.:
Just on our end of it, we are enabling the ability for the inmate to send a
message, a healthcare request, if you will, to the nurse. We have a separate health
information system, in which the identities are populated from our offender management
system on

intake. There is a message pushed across, the identity is created over there,
so the identity is the same.

We have not done it in this phase, but shortly after we get it up
and running next year,
we will

provide the ability to nurses, for example, that
the inmate can swipe his finger
and it will pop up the identity information to confirm things, like for the purpose of
medication and so on.

We expect to do that all over the place wherever we have a
requirement, for example on exit or an ID count at a cus
tody center and so on. Once
you have connected a client, once you have

biometric and once you are consuming
and controlling that inside of your sort of custodial or corrections jurisdiction the
application of that biometric is

only limited by t
he number of devices and effort
that you want to put into it.

So where it makes sense you can do it. You can also of course

the biometric to
an inmate identity card as a

piece of information that can be used to
authenticate a fingerprin
t to the card on a door device without going across the network.
So once you gather these things and you have the control and you hang your identity
numbers if you will and all of the aliases that our offenders like to have all off of the

identity number a
s a biometric you are well on the way to managing it any way that you


I am going to jump to this topic from Ed. It seems like this is in the ballpark
of what we have been talking about. He is asking; do
you have

a data exchange
between your offender management system and whatever system inmates are
authenticating on? How are the data exchanges being used? If no current data
exchange or interface are there plans for one? Does this tie into the discussion Ed?

Ed R
It could. Again I was referencing what
one state

is doing in that they certainly are
relying on that interface for their offender management system. I could see from a
medical standpoint it depends on which system they were to interface with.
issue with medical seems like it could be resolved with a two finger ident that is tied into
their AFIS system just to identify who it is in front of them requesting medicine.
may have some sort of biometric component with their electronic medical sys
tem and so
they want to store the same hash that the kiosk system is storing. I think that is what I
was hearing. Those

of data exchanges that are shared with any of the system
that are going to rely on inmate authentication that we are just enrolli
ng inmates one

Deborah O.:

Topic: Biometric devices


Let’s dive into biometrics a little bit more. Who is using biometrics for
? What product suites are you using? What has been your
experience with the methods and provider options that are out there?

Has any
particular method or provider set themselves apart from the rest of the pack?

Ariel V.:
We went with a product from Digi
tal persona. We have

Seaborne integrated readers and their standalone readers and we went with their
keyboard integration product suite. They have

been really great. We are a
version behind their most current version and we have
had to do a little patching with
them and work with them to get the password randomization and Citrix

working the way we wanted but we have been really happy with the way they worked
with those and their turnaround times and with the readers as

well which are their

Steven G.:
The reader is the same whether it is on the keyboard
or separate
. It is the
same reader integrated to the keyboard.

Ariel V.:
Slightly different form factor but they are the same.


Who was the vendor?

Ariel V.:
Digital P


Steven G.:
It is an active directory integrated application. We get to do a lot of things
that we do anyway. Once it is implemented everything works the same way as if you
were logging in with the user nam
e and password. It allows us to randomize the
password so that the offenders no longer know their password, nor
does the staff

the passwords for their user accounts. So the only way to get in is with a password with
your fingerprints at that point whi
ch gives us a lot of security. There are no spots where
you can get in and try to type your password somewhere because you




Which eliminates the need for password management

which was a huge benefit.


So Digital
Persona, there

must be options, who are the other players in
this space?

Steven G.:
From our perspective we looked around and we didn’t find anybody that had
an integrated AD product that you could just buy off the shelf. People have products that
you cou
ld program to work through active directory but we didn’t see one. I imagine
there are some
out there
. We haven’t found them yet.

John D.:
I wanted to
pass on information from the state Ed was telling us about earlier,
since they couldn’t make the call.
They are not using active directory.
They are using
NetWare services and they are using authentication based upon the location of the
person. They are doing some authentication but it is not fingerprint authentication.
are using

Services as th
eir back end.

Topic: Biometric registration


For those that are actively using biometrics, please explain how you are
handling the registration process?

Ariel V.:
Sure, as I mentioned a little bit earlier basically counselors meet with the
offenders about once a week on Wednesdays and in those meetings it is decided what
different classes the offender is going to be participating in. so we

know on
Thursday o
r thereabouts who the new enrolees to the different classes are. Right now
we actually just have vocational supervisors in the facilities sending us lists of their new
students. Our hope is to start utilizing some data feeds from our inmate payroll system
to do that without needing the end users to get involved. We have our support person
basically create the active directory accounts using a script. He runs a script on the
spreadsheet that we get. It creates the active directory passwords.

We also have a
nother product, a typing

that is

used in there that also uses
the active directory. We have another product that we create accounts that does the
digital literacy
. We send those back. By prearrangement with the instructors
the cl
assroom there is a default password that every batch of offenders gets. That is
really only good for use for authenticating
. You can’t login anywhere using your


So every Monday morning basically the instructor takes

their new students and

fingerprints. Instead of using

keyboard integrated reader in those
environments we actually have just a little reader that connects via USB and a long cord
so the instructor is able to put in the password that they

get, take the

having the offender look at the screen or see any of the tools.
It takes reads for two
fingerprints and then the software that we are using, active directory, immediately
randomizes their passwords so now they have got a

very long, I think 16
digit, password
or something like that.
That is their password in active directory and the software
matches that up with their fingerprints from then on.

Bill Y.:
I just wanted to point

somebody had mentioned earlier we are no
t going to
use passwords. That just was too much of a business problem. The authentication will
be the biometric plus their threshold service number, the unique identifier, the eight digit
number that they have. Those are the two things. We don’t want name
s. We don’t want
any of that stuff. It would just be their number and their fingerprint.

The other part of that is we are using the device itself as part of the authentication so
the third factor authentication; we know where they all are and we know wha
t they are.
So that helps us control access as well. The registration process will be done at intake
so that is where you have the kind of photos taken and the biometric will be captured
and it will all be put against the client record or the inmate record

in the offender
management system to work for the biometric. So that is how we intend to

of get it
at the beginning and keep it. We want to just do it once.

Ariel V.:
Just to clarify, we are not actually ever having anybody enter a password

the active directory authentication you sort of have to have a password for
active directory. So that initial password is just basically a token that
is a placeholder
l the fingerprint is taken.


OK, next topic, staying on the print biometrics; who has had extensive
experience using single print biometrics and what products are you using? Does anyone
have a thought on a product for single print biometrics?

Thomas H.:
Bill, what are you using for your


I know
are doing one of
ten but what product suite did you decide upon to gather and validate your biometrics?

Bill Y.:
We are in the process of selecting our biometric reader vendor. We are in an
evaluation process right now. We did pick the BioKey product because it is not bound to
a vendor. They have an extensive product list that they support. So we are running a

right now to determine what product we are going to use based on sort of
the usability and the accuracy and published standards.

Thomas H.:
Did you do an RFI or anything like that to gather any information from
anybody? Did anybody separate themsel
ves in that process for

Bill Y.:
Are you talking about the device or are you talking about middleware?


Thomas H.:

I am talking more about the
middleware right now.

Bill Y.:
Well BioKey kind of separated itself in terms of when we did the review. We

do a review of what was out there. As you probably know they are in with the FBI and
the Department of Justice I think and others so it is well established. Down there in the
states we had conversations with the folks that are leading some of those in

I guess there are two pieces of advice that I will share with you. Make sure that you use
only one reader if possible across your domain. Not many different products. The other
one is, and this one you will enjoy, the people get the readers up
side down. So one
office will have it oriented one way and the other office will have it oriented the other

Thomas H.:
You are right, I do like that.

Bill Y.:
That caused a lot of problems initially but we heard that. BioKey seems to be the
that worked

quite well with us or is apparently working quite well with us. There
are some challenges around taking multiple prints at once and we are working through
that. They have been a good partner so far.

Thomas H.:
Did you look at all at your east
coast Canadian friends from ComNetics or

Bill Y.:
Off the top of my head I am not sure.

Thomas H.

Have you been experimenting with print readers that are built into the

or do you prefer


Bill Y.:
The BioKey is the sof
tware behind it. The device readers I think Alec may have
mentioned earlier we are probably going to have a bit of a multiple of that.

Alec W.:
That is right so for devices that are very similar to a laptop we would just be
purchasing the highest grade i
ntegrated reader that you could get on that device of a
laptop. Then hopefully from the same vendor purchasing a USB connected device is
when we are going to be wrapping our device in an enclosure such as for mounting in a
public area.

Topic: Vascular
scanners vs. I



OK, how about this question from Todd. Vascular scanners verses iris

verses print readers; does anyone have substantial experience with these
technologies and can describe accuracy rates, installation, support or challenges? So
pros and cons verses the three different methods here. What is the difference? A
vascular scanne
r does what Todd?



A vascular scanner scans the subsurface of the back of your hand and reads
your veins. So apparently every individual has a unique system of veins and I guess

they have determined that you could use a

scanner in many areas but the
simplest in on the back of the hand where you reach into the scanner. You grab a bar
so to speak to locate your hand in the right position and it takes a scan of the back of
your hand.

We don’t have any of these technologie
s implemented to date. We were going down the
road of an iris scanner. The product we were looking at the manufacturer discontinued
and it was unsupported. It was a Panasonic product so our integrator recommended
that we go with the vascular scanner and we

are just chewing on what the
recommendation is. We would like to get some alternatives. If there is anybody that has
any experience with these that we can vet what the contractor is telling is good. We
would like to hear from anybody else.


t sounds like we have some people on the call with the print reading
method. Is anybody lese looking at the vascular method? Thoughts on it?

Thomas H.:
We looked briefly at vascular and just didn’t go with it. We went with prints
for a couple of other re
asons. There are also some good iris readers out there. I think
Todd if we take a look at our participants at last years’ CTA conference we can probably
get you some folks to talk to. There is one group, I met with them and

product was
really good. W
e are just not going to use iris scanning
in our state
. They are out of
Massachusetts and their name escapes me right now but if I review last

I should be able to send you something.

Todd W.:
Things that I have heard are that the print and the iris are a little bit
more easily defeated in terms of if you are wearing contacts you can have issues.
course you can remove a thumbprint which defeats a print reader.
With the iris you have

heights. Simple logistics such as where do you set the iris reader and with
inmates having different heights and so on. That can be an issue as well.

The vascular seems to be a good solution. I don’t know what the accuracy rate of that
device rate or if

there are other issues that I am not aware of. This is very initial stages
for us. We are just getting into it. So this was kind of timely that this conference was
being held today. I am a rookie in this area so I am more or less just listening to what
u folks have to say. As I say from what I have heard there are some problems with
both iris and print that maybe you don’t have with vascular.

Thomas H.:
There used to be the center for biometric excellence down in New York
City. It was a NITA funded grou
p but I think the funding got pulled on them. They sent
me some stuff on vascular or iris verses print. Honestly I think it is all pretty accurate
from what the research says. The stuff that you are talking

with respect to iris
scanning about the hei
ght of the readers and stuff like that, I think the industry has
evolved a little bit since when they were having problems initially. They have gotten to
the point now where they can read it from almost proximity like walking up and doing
proximity passing

even. You don’t even need to be at the right height. It can read you

almost 15
20 feet away.


Bill Y.

If you want to get in touch with us we can talk a bit. We did quite a bit of
research. The bottom line though is

the cost. You can buy ten readers for
biometrics to every one of those vascular ones.
Just to sort of reiterate Tom’s point; the
industry has moved on quite a bit.
The accuracy of fingerprints is as good as anything
else out there and perhaps better.

dd W.:
Tom was it BI2 Technologies that you were trying to think of?

Thomas H.:
Yes, I think that is correct. If they are the ones with the

address then that is the chaps.

Todd W.:
They are out of Plymouth
yes. Shawn Mullin
is a contact

Thomas H.:
That is it. You have got it.

Topic: Facial recognition


Very good.

question; is anyone using facial recognition as a means
of biometric authentication?

Rafael S.


were testing that technology for close to two years. We found
that the percentage of identification was closer to 35
45%. Considering that it was not
identifying properly we kind of abandoned the project because it was just not functioning
for us and it w
asn’t meeting our business requirements.

Thomas H.:
Can you tell us which provider or methodology that they were using for
doing the biometric?

Rafael S.:

I can provide that information offline for you guys. We did a successful test
for two years. We actually were doing surveillance with schools and various other areas.
Again as we were doing the testing we just found that it wasn’t properly identifying the


Thomas H.:
Great. I would appreciate it if you could share that with us by way of
. That would be great.


What did you end up going with?



We abandoned the project altogether.


Are you using any kin
d of biometrics?

Rafael S.:

At this time we are kind of listening to what you guys have been discussing.
The company that we are looking at was originally called Secure Metrics. They

got bought out by Visage. Their device was called the Haida4. The Haida actually has
multi levels of biometrics authentication. It does iris scan, it does finger and it also does

the full palm. It is actually technology that was being utilized in the mili
tary. It is currently
also being used on the border.

That is

of the direction that we were going. We didn’t really successfully implement
it. We are still kind of evaluating the technology.

Topic: Biometric support considerations



move on. What has been the impact of introducing biometric
authentication on your infrastructure and your ability to support it under
considerations, server side support,
and storage

and retrieval

Thoughts on
this? Wha
t do you need to plan for regarding support?

Ariel V.:
I don’t think that we have had a lot of support issues revolving around the
biometrics. I don’t think we have seen any bandwidth issues that we have noticed
because of that piece rolling it out. Our s
upport calls on the fingerprint authentication
has actually been very low. We were a little concerned when we put it in that we were
going to have some resistance and that was going to create some support calls. It has

been very easy.

We were ju
st putting some numbers together.
I think we had one person that we had to
delete the fingerprints on and re
enroll them.
Besides a little bit of user education for
some of the instructors making sure that people’s fingers are moisturized and that they

patient and using multiple fingers if one isn’t working it has been pretty quiet. That
means it



Topic: Criminal history access/sharing


I have one other submitt
ed topic. It is from Ralph
. It
is kind of brief
. It is
asking for criminal history.

Ed R.:
I imagine probably what Ralph is referring to is just a lot of

AFIS projects
that I am aware of across the country. It is just for law enforcement purposes as far as
helping them identify offenders on the streets. That I imagine would have applications
for us as well for those who are dealing with or overseeing parol
e. Personally I am not
but someone else out there might have some experience with that.

Then again are those biometrics the ones that are being used for the end custody
applications? At this point they are not but should they be? I don’t think there is j
ust a
common standard out there for those

points for converting an image to a hash.
There is not a common standard that one database can be utilized for multiple software

Thomas H.:
One of the things that we do when an offender gets t
o a correctional facility
is we do a digiscan on them which compares their one to one print against the criminal
history database just to

that they are who we think they are when they walk in
the door. You would be surprised sometimes what you get
. One of the emerging

technologies here is because of the advances in AFIS technology is the idea of having
these mobile print readers available for corrections.

Here is where it comes in handy. If you are emptying the yard after a big fracas and you
e used gas and everything else and you are pulling all of these guys out one of the
advantages of the security staff would be to do an immediate print on everybody so that
you can get them separated into the right places. So if you can get a print reader t
can read your enemy system you can make sure that you are not putting two

or two guys who are known for having problems with each other after a big
fracas like that. That is one idea.

The other one that Ed talked about was

idea of doin
g supervision for both

and parole; arrival reports, check
ins and things like that which could actually help really
push that industry a little bit further along too.


Very good. Any other topics today?

We have been going just about one

Topic: Ownership of encryption image

Bill Y.:
I just wanted to point out the public key issue. If you have got encrypted

or whatever your encrypted store identity information is, make sure that you own

it. One of the issues with not storing the image was how do you recreate the hash or the
encrypted data if you go from vendor to vendor? So if you hold the decryption key if you
will, then you basically own that forever and other products or other vendors

can be
brought in in the future and you don’t need the image. That is the other one. If you don’t
hold that, if you have a proprietary key held by the vendor then you are pretty well
forced to hold the image in order to recreate that data

in the
future if you
switch vendors.

End of session

Copyright 2011, by NOREX, Inc.

5505 Cottonwood Lane

Prior Lake, MN 55372 The opinions expressed in this
NORVIEW are those of NOREX members, not necessarily those of NOREX, Inc.