NORVIEW 903 CTA-Inmate Identity Management



NOREX has partnered with the Corrections Technology Association to provide periodic
WebForums focusing on issues specific to the corrections industry. This November
2011 session on inmate identification issues included a member presentation. NOREX
retains the original, unedited version in order to facilitate future networking. Contact
your NOREX Member Care Team for assistance.




*Please note that this is a transcript of an audio conference and it may contain
misspellings and grammatical errors.


The names of participants have been abbreviated, and their organizations have been deleted from this transcript.



Contents:

Introductions
Member presentation
Fingerprint gathering
Integrating with offender management systems
Biometric devices
Biometric registration
Vascular scanners vs. Iris readers
Facial recognition
Biometric support considerations
Criminal history access/sharing
Ownership of encryption image


NOREX WebForum Transcript
CTA - Inmate Identification
10 November 2011


Introductions:


Moderator: Welcome to today’s CTA WebForum on inmate identification management.
First of all, let me mention for those of you who may not be familiar with NOREX, we are
a 30 year old consortium of information technology departments across North America.
Some of our members are in the corrections industry, and we have partnered with the
CTA to provide these web conferences specific to the industry. If you would like to know
more about NOREX, please contact myself or anyone here. Our website is www.norex.net.


Before we get started with the discussion I want to turn it over to the current president of
the CTA, Leisa R.


Leisa R.: I do want to thank you all for taking the time to join us today. I just wanted to
take a couple minutes to tell you a little bit about CTA. The Corrections Technology
Association, if you are not familiar with us, is an organization of corrections
practitioners and justices, CIOs, and other technology decision makers. We work to
facilitate conversations with each other and with the business partners out there that are
maybe providing technical solutions to help us solve our tough correctional business
problems, much like the one we are going to talk about today.



We are having our Annual Technology Summit in May, the 20th through the 24th, which
will be at Daytona Beach, Florida, a beautiful location. We would encourage you to
come join us there. If you are interested in more about that, our website is
CorrectionsTechnology.org. We would be happy to talk more about that. Or, you are
welcome to send me an email, and I will be happy to explain more about that if you
have questions. I just look forward to the participation today, and again, thank you very
much for being a part of it.


Moderator: Thanks, Leisa. Let’s get ready for our presentation now. I would like to
introduce Bill, who is the director of strategic technology in corporate projects for The
British Columbia Ministry of Public Safety.


IDENTITY MANAGEMENT. This presentation given as part of a CTA WebForum is
used with permission from the BC Ministry of Public Safety and Solicitor General. It
describes the improvement of service delivery through identity centric architecture.
5 Pages (10-607)


Member presentation:


Bill Y.: Thanks, we just wanted to describe our little business problem we have had and
how we are addressing it, because we think it fits with the topic here today. We are a
member of CTA, and we do enjoy the participation in those forums over the years. Back
in 2009, we began what amounted to a four year project to essentially connect our
offenders, both in community and custody settings, to address a number of issues,
most of which you are familiar with, the typical sorts of things, the clients online
grievances, medical requests, you know, various e-services, messaging, etc. We have
added a couple of other things.


One that is slightly different here in Canada than perhaps down in our jurisdictions down
in the states, we had a significant legal issue where inmates awaiting trial have an
unfettered legal access to the material that is being prepared by the prosecution to be
used in trial. They have to have access to that. Most of that evidence is now electronic,
gathered by the RCMP, the Royal Canadian Mounted Police. We have had a Supreme
Court of Canada decision that we have to provide basically unfettered, 24 hour a day
access to that material.


The current mechanism to that is heavily modified laptops. That did not address a
bunch of issues around security of the data. So, we realized we had to connect our
clients to a network, and while we were doing that, we had to be able to authenticate
them appropriately to be sure that they were who they were. This material, certainly on
the legal side, is highly confidential. There would be other issues related to that. We are
also going to leverage this connection in our community setting for probation and
parole, etc., and conditional sentences in the community up here, where suitable clients
in the community will be able to self-report on electronic devices.


So, we have this issue around identity management. You know, we have to have a
solution that protects the data. There was a content management backend to all of this
as well, while we were architecting the solution. We are going to use SharePoint 2010
and its content management components, and use the authentication and biometric
authentication appliance on secure devices to enable access to this content
management space, if you will, that client farm or stack of SharePoint. This is where
sensitive material would be uploaded by prosecutors and/or others, and the client will be
able to access that information.



I am going to give you over in a second here to Alec, who is our chief architect on the
project. Alec will describe some of the other components related to how we are doing all
of this. In our province, and the slides sort of indicate it here, if an accused is not
provided the appropriate access to the material that is going to be used against them in
court, to prosecute them, it does risk the prosecution. Judges have been known to throw
out trials if the evidence was not provided appropriately.


So, our drivers were both the sort of multiple issues around identification of offenders,
as well as the protection of the criminal prosecution. We also realized that while we
were doing this, we could reuse this information, the biometric or the authentication of
identity information of the client, obviously, for identification purposes, do our controls,
phone call systems, and so on.


So, we are trying to do this once and to do it wisely. It is certainly an enterprise solution.
I will flip you over to Alec now and let him carry on with the next slides.



Alec W.: Thanks, Bill. This is just our conceptual architecture of the ICON2 system. At
its heart, ICON2 is an intersecting set of custody and community based e-services. We
have got points at the range of these services that we are targeting here. Obviously, for
some of the simpler e-services, it might be acceptable to accept sort of a
pseudo-anonymous transaction, consisting of just a user ID and a password, because we are
not giving away any sensitive information. But at the other end of the spectrum, when
we are dealing with the e-disclosure material, we really desire a higher level of identity
assurance, when a user comes to the table wanting to request a survey. To that extent,
we were driven towards augmenting our existing identity records, which has historically
been mostly based on physical characteristics, with a biometric identifier attached to it
as well.


As Bill mentioned, we are doing that through standing up a reusable service that could
be not only reused throughout the corrections branch, in something like the door control
system, but it might also be able to be reused throughout the justice sector or the
broader government, without having the biometric data that was obtained for corrections
purposes associated with it. So, all the services and design patterns could be reused by
individual programs that might onboard later and would have to come up with their own
method for capture. This is our high level architecture of the Icon system.


The custody and community clients access the system through a Java or Silverlight
based user interface. These interfaces are very lightweight. They do not have a lot of
processing guts to them. Then, they access through a secure device, which is also
hosted on a secure network. The biometric reader that they are going to use to
authenticate to that device is going to depend for the most part on, well, what the device
type is. Because, we are really looking at targeting a variety of devices, ranging from
sort of public facing kiosks to private laptops. It could be that a public facing kiosk would
use a standalone reader that would connect through USB, which would then be
protected through an enclosure. Whereas, the laptop, it makes the most sense to just
an upgraded, integrated reader that ships with the laptop there. So, it really depends on
the device implementation.


The next thing that we have done is, we have expanded our services layer, which is
written in Software AG webMethods, to allow for information inside our OMS to become
available. That was all protected through the Layer 7 SecureSpan Gateway that
provides access to all the WS-* security standards, to ensure that our front end and our
back end are completely protected once it gets through the network and device layers.


Finally, the addition of the biometric to this architecture has really shifted our
architectural patterns towards identity-centric architecture and design. We have done
that by leveraging a partnership through CA SiteMinder and the WEB-key product
through the BIO-key vendor. We are looking at providing sort of a centralized -- that is
where we are standing up all of our services. We chose this particular partnership
because it maximized the interoperability between -- we could have some more flexibility
around the types of readers that we hook into our system, and we would not be bound
to a specific vendor as we move forward.




Finally, we are integrating all of the biometric infrastructure with our existing vendor
management system, which is an Oracle Forms system. It is being extended to allow for
fingerprint search on intake, and then if they are not in the system, it will be captured.
We are currently sort of going through the processes of analyzing the cost benefit
versus a single print capture versus a multiple finger capture. We are trying to figure out
sort of what the sweet spot there is, in terms of cost versus the time saved in speeding
up the intake process.


So, looking forward into the project, we have sort of set significant foundations here by
enabling a service oriented architecture, creating an augmented client identity, and
creating the concept of connected clients. What this really gives us is a standards based
interacted that will allow us to have a more flexible architecture, and leads us towards
an acceptable framework and stronger governance. We are certainly moving towards
enabling externalized authorization and the concept of a federated identity in a G
System (?) style of architecture. I am not trying to claim that we are completely G
System compliant at this point, but it is certainly take the step towards that direction.


Of course, the augmented client identity helps to build out the concept of a justice
participant registry, so that within the sector, we can really identify people. We know
who is who with a stronger level of identity assurance, leading to more accurate
identification and streamlined authentication processes. I am just going to pass it back
to Bill to close up on some of the benefits of looking forward on Icon2.


Bill Y.: Thanks, Alec. In short, we are going to be using the government infrastructure
and corporate services that make sense across the problems here in BC to deliver right
down to the cell level access to devices for inmates in custody. We are close to
implementing the pilot. It has been three of the four years so far. So, we do not claim to
have this up and running, but things are looking pretty good. We will be doing that
April/May 2012.


You know, the future, as you can well imagine, is going to change our business and
how we interact with inmates and clients in the community. We are going to be using
some of these services to connect other professionals, lawyers, government service
providers, and so on, to the clients where it makes sense. Obviously, messaging and
potentially sharing of information and so on and so forth. A good component of this is,
wherever we can, we are also integrating this with our inmate call control systems,
where the revenue, of course, is generated by the client or the inmate using the phones.
It will pay for a good deal of the front end of this, the device, the networks, and those
kinds of things. The phone system will be integrated into the device, as well.


So, cell phone technology, the authentication, the biometrics, and the dollars and the
clients’ finances behind that will also all be part of the system. So, there you go. Thanks
very much. It was a pleasure having an opportunity to tell you about what we are doing.


Moderator: Thanks much. We will open it now to questions.




Topic: Fingerprint gathering


Man: I will throw a question out there. Are there any issues when it comes to the
gathering of fingerprints, whether we take one or whether we take ten?


Bill Y.: Well, there have been questions asked about that. Certainly, the privacy folks
think that it is better to take less. But, we are not going to be gathering the image. We
are only going to take the hash or the encrypted logarithm related to the print. We
decided early on that the image of the print is where the risk lies. The privacy folks, the
oversight agencies, once they were presented with that solution or architecture, where
we could guarantee that that would not be the case, there would be no image to be lost,
the anxiety went away.


The other side of that coin, of course, is, from a corrections security perspective, we did
not want to take just one or two fingerprints, and then have the other eight or nine or
whatever be potentially used to create another identity by the inmate or offender at
some later date. So, by taking all ten, you eliminate the possibility of the others being
used in some other venue or some other agency or some other service into the future.
We think we have balanced that by not keeping the image.


Moderator: A past-president of the CTA is on the call and wants to provide some
information.


Ed R.: I know that one state has done a very similar project and has it up and running.
They have only deployed it out of one of their maximum security facilities at this time.
There were about 136 inmates, I think, involved. It was kiosks in the cells that are
interfaced with their offender management system. So, as they take the action of the
inmate movement in the offender management system, the kiosk is automatically
logged on or off as needed, giving the inmate access to only those applications that
their classification level permits. They have already interfaced their IP television through
this system, IP phone network through this system, as well as your standard
commissary ordering access to the legal library, access to other e-books and that sort of
thing.


So, some very exciting stuff that we have seen from that state in their identity
management and how they had it tied in with their OMS.


Chris J.: I am going to back to a comment a minute ago, from Alec. You are only using
one fingerprint, but you are taking all ten so that the other fingerprints cannot be used. I
think that is what you said. Logistically, how do you do that?


Alec W.: The service that we are standing up allows for customization around how
many fingerprints you capture versus how many fingerprints you authenticate against.
So, we are going to capture all ten fingerprints, but when it comes to actually
authentication time, we are only going to require one of the ten. We could even set it to
say, you know, it has always got to be the index finger of your right hand. Or,
alternatively, it could be configured if that is not working out, you could put any finger
you want at authentication time. Does that answer your question?


Ariel V.: So, are you actually capturing actual images of fingerprints, as opposed to a
hash or just points in the fingerprints?


Alec W.: No, we capture the image, and it gets translated into a hash. The image is not
stored, just the hash is. We have got an actual extra layer of privacy protection on this.
On what gets stored back in the offender management is not the hash, it is a reference
to the hash. So, that is what happens sort of at intake time.


Then, when they go to authenticate, they put their finger down, it matches, and then it
comes back to say, does this reference match a reference that you have in your system?


Chris J.: OK, thanks. We are just trying to figure out how that is going to help me. It
uses the index finger one day, and then it goes and tries to use a different finger to
create a different account, you are trying to prevent that, right? That is the idea?


Alec W.: That is exactly what we are trying to prevent.


Ed R.: How will your agency handle inmate account management for these systems?
We have heard Bill and Alec introduce how they are addressing it with the biometric.


John D.: I can just say, you know, we are at the early stages as we are looking at this
quite a bit. We are probably looking at fingerprint identification. We are examining RFID
a little bit to see if that might be an issue. I am working with one company that is
working with HID cards that are doing that for some type of identification. So, we are
exploring the different option, but right now we are leaning towards biometric.


Ariel V.: We have actually got a network law library up and running. However, because
the inmates are really doing real research in that environment, we have chosen not to
really do any sort of authentication. We basically have walk-up kiosks, and because
they are not storing any information that is personal to them, we have not seen a need
yet to implement authentication for individual offenders. We also have some services in
our locational computer labs that are doing some digital literacy training. They are using
biometric authentication. We have got about three labs up and running that have
approximately 40 students in each of them. We have been running a pilot for maybe
about three months.


What we did was, we chose to buy an off-the-shelf product that integrates tightly with
Active Directory, and we are creating accounts for offenders. Right now, we are taking
class enrollment lists, provided by the instructors, creating accounts for them, and
having instructors do fingerprint enrollment in the classroom as new student cycle in
and out. So, those are some of the choices we have made.


Steven G.: Our telephone system uses a PIN number, which is not tied in any way to
the law library network or the locational network, so they are not connected in any way.



Topic: Integrating with offender management systems


Deborah O.: Do any of your sites integrate your offender management identification
with the electronic health records?


Ariel V.: No. We have really chosen to keep any offender management or records that
would be confidential totally separate. We have built a completely separate secure
network. Any information that needs to go back and forth, we walk across on a USB
stick, and we try to keep that to a minimum wherever possible.


Thomas H.: Just a quick clarification. If I understood the question correctly, it is, is your
offender management system integrating with your medical records system? Is that the
question?


Deborah O.: No, I am curious about the inmate identification piece only. We currently
do not blend our medical information with our offender management information. We, of
course, keep those separate and confidential. But there is really only one ID process.
We currently do not use biometrics, so identification at intake is very cumbersome at
times. But, we are moving toward an electronic health record, and we need to be able to
properly identify those patients for healthcare, as well as all of the correctional and
judicial things that go on with them on the sheriff side of the equation.


Thomas H.: Yes, I understand that point. We have an offender management system
which is a Legacy based system. We also have the element of electronic medical record
and electric health record, which are also on Legacy based systems. While those
systems are tightly integrated, there is no offender input into any of those systems. We
do not associate the record with the offender by anything other than his assigned form
and identification number.


Deborah O.: OK, thank you.


Moderator: Deborah, you are looking to set up an identity management system that
would work for two different purposes?


Deborah O.: Right. That is the way we do it now. The sheriff’s office manages all of the
identification issues. Then, once they have the person officially identified, they provide
the healthcare system with the name, the date of birth, and the individual’s booking
number. That becomes his identification for both correctional activities and for medical
activities.

So, my point is, if we are going to use biometrics at intake, when the sheriff’s office is
doing their best to properly identify these people, we in healthcare also need to make
sure that we have the same individual properly identified. I can only imagine that if we
share that official identification piece, we would all be working on it at the right time.


Ed R.: I understand the question. Here, the sheriff’s office is doing the same sort of
thing, as far as one way data exchange between the offender management system after
the inmate identification from the AFA (?) system upon booking, that would then be fit to
your electronic medical records. Is that what I heard you say?


Deborah O.: That is the way we do it now, except we do it all manually. So, the sheriff’s
office has to give up the proper identification of the person before we can officially
develop a complete health record for the inmate.


Ed R.: Well, we do this electronically now. I think that is a little bit different from -- and
that is the question, too, that is really a valid question. Is it any different? When we are
talking about inmate identification, as far as purposes of authenticating them to a kiosk,
is there some way that we should be leveraging the ID system from booking or from
intake?


Deborah O.: Well, to me, it does not make any sense for the healthcare system to jump
through a whole bunch of additional hoops to do their own identification process.


Ed R.: That is very true. Yours should be easily resolved just by one way data
exchange with your offender management system, that a file is sent electronically to
your medical system.


Deborah O.: Right. That is the way it happens now, although, we are not currently
using biometrics. So, my real question was, of any of the participants on the call, is
anybody electronically providing the biometric identification information to the medical
side of the house?


Bill Y.: Just on our end of it, we are enabling the ability for the inmate to send a
message, a healthcare request, if you will, to the nurse. We have a separate health
information system, in which the identities are populated from our offender management
system on intake. There is a message pushed across, the identity is created over there,
so the identity is the same.


We have not done it in this phase, but shortly after we get it up and running next year,
we will provide the ability to nurses, for example, that the inmate can swipe his finger
and it will pop up the identity information to confirm things, like for the purpose of
medication and so on. We expect to do that all over the place wherever we have a
requirement, for example on exit or an ID count at a custody center and so on. Once
you have connected a client, once you have that biometric and once you are consuming
and controlling that inside of your sort of custodial or corrections jurisdiction the
application of that biometric is really only limited by the number of devices and effort
that you want to put into it.


So where it makes sense you can do it. You can also of course apply the biometric to
an inmate identity card as a stand-alone piece of information that can be used to
authenticate a fingerprint to the card on a door device without going across the network.
So once you gather these things and you have the control and you hang your identity
numbers if you will and all of the aliases that our offenders like to have all off of the
identity number as a biometric you are well on the way to managing it any way that you
like.


Moderator: I am going to jump to this topic from Ed. It seems like this is in the ballpark
of what we have been talking about. He is asking, do you have a data exchange
between your offender management system and whatever system inmates are
authenticating on? How are the data exchanges being used? If no current data
exchange or interface are there plans for one? Does this tie into the discussion, Ed?


Ed R.: It could. Again I was referencing what one state is doing in that they certainly are
relying on that interface for their offender management system. I could see from a
medical standpoint it depends on which system they were to interface with. Deborah’s
issue with medical seems like it could be resolved with a two finger ident that is tied into
their AFIS system just to identify who it is in front of them requesting medicine. They
may have some sort of biometric component with their electronic medical system and so
they want to store the same hash that the kiosk system is storing. I think that is what I
was hearing. Those sorts of data exchanges that are shared with any of the system
that are going to rely on inmate authentication that we are just enrolling inmates one
time.


Deborah O.: Exactly.


Topic: Biometric devices


Moderator: Let’s dive into biometrics a little bit more. Who is using biometrics for
device authentication? What product suites are you using? What has been your
experience with the methods and provider options that are out there? Has any
particular method or provider set themselves apart from the rest of the pack?


Ariel V.: We went with a product from Digital Persona. We have experimented with
Seaborne integrated readers and their standalone readers and we went with their
keyboard integration product suite. They have actually been really great. We are a
version behind their most current version and we have had to do a little patching with
them and work with them to get the password randomization and Citrix integration
working the way we wanted but we have been really happy with the way they worked
with those and their turnaround times and with the readers as well which are their
products.


Steven G.: The reader is the same whether it is on the keyboard or separate. It is the
same reader integrated to the keyboard.


Ariel V.: Slightly different form factor but they are the same.


Moderator: Who was the vendor?


Ariel V.: Digital Persona.




Steven G.: It is an Active Directory integrated application. We get to do a lot of things
that we do anyway. Once it is implemented everything works the same way as if you
were logging in with the user name and password. It allows us to randomize the
password so that the offenders no longer know their password, nor does the staff know
the passwords for their user accounts. So the only way to get in is with a password with
your fingerprints at that point which gives us a lot of security. There are no spots where
you can get in and try to type your password somewhere because you won’t know it
anyway.


Man: Which eliminates the need for password management, which was a huge benefit.


Moderator: So Digital Persona, there must be options, who are the other players in
this space?


Steven G.: From our perspective we looked around and we didn’t find anybody that had
an integrated AD product that you could just buy off the shelf. People have products that
you could program to work through Active Directory but we didn’t see one. I imagine
there are some out there. We haven’t found them yet.


John D.: I wanted to pass on information from the state Ed was telling us about earlier,
since they couldn’t make the call. They are not using Active Directory. They are using
NetWare services and they are using authentication based upon the location of the
person. They are doing some authentication but it is not fingerprint authentication. They
are using NetWare Services as their back end.


Topic: Biometric registration


Moderator: For those that are actively using biometrics, please explain how you are
handling the registration process?


Ariel V.: Sure, as I mentioned a little bit earlier basically counselors meet with the
offenders about once a week on Wednesdays and in those meetings it is decided what
different classes the offender is going to be participating in. So we usually know on
Thursday or thereabouts who the new enrollees to the different classes are. Right now
we actually just have vocational supervisors in the facilities sending us lists of their new
students. Our hope is to start utilizing some data feeds from our inmate payroll system
to do that without needing the end users to get involved. We have our support person
basically create the Active Directory accounts using a script. He runs a script on the
spreadsheet that we get. It creates the Active Directory passwords.


We also have another product, a typing tutor that is actually used in there that also uses
the Active Directory. We have another product that we create accounts that does the
digital literacy training. We send those back. By prearrangement with the instructors in
the classroom there is a default password that every batch of offenders gets. That is
really only good for use for authenticating people. You can’t login anywhere using your
password.


So every Monday morning basically the instructor takes aside their new students and takes their fingerprints. Instead of using their keyboard integrated reader in those environments we actually have just a little reader that connects via USB and a long cord so the instructor is able to put in the password that they get, take the fingerprints without having the offender look at the screen or see any of the tools. It takes reads for two fingerprints and then the software that we are using, Active Directory, immediately randomizes their passwords so now they have got a very long, I think 16-digit, password or something like that. That is their password in Active Directory and the software matches that up with their fingerprints from then on.


Bill Y.: I just wanted to point out; somebody had mentioned earlier we are not going to use passwords. That just was too much of a business problem. The authentication will be the biometric plus their threshold service number, the unique identifier, the eight-digit number that they have. Those are the two things. We don’t want names. We don’t want any of that stuff. It would just be their number and their fingerprint.


The other part of that is we are using the device itself as part of the authentication so the third factor authentication; we know where they all are and we know what they are. So that helps us control access as well. The registration process will be done at intake so that is where you have the kind of photos taken and the biometric will be captured and it will all be put against the client record or the inmate record in the offender management system to work for the biometric. So that is how we intend to kind of get it at the beginning and keep it. We want to just do it once.


Ariel V.: Just to clarify, we are not actually ever having anybody enter a password because of the Active Directory authentication you sort of have to have a password for Active Directory. So that initial password is just basically a token that is a placeholder until the fingerprint is taken.


Moderator: OK, next topic, staying on the print biometrics; who has had extensive experience using single print biometrics and what products are you using? Does anyone have a thought on a product for single print biometrics?


Thomas H.: Bill, what are you using for your biometrics? I know you are doing one of ten but what product suite did you decide upon to gather and validate your biometrics?


Bill Y.: We are in the process of selecting our biometric reader vendor. We are in an evaluation process right now. We did pick the BioKey product because it is not bound to a vendor. They have an extensive product list that they support. So we are running a procurement right now to determine what product we are going to use based on sort of the usability and the accuracy and published standards.


Thomas H.: Did you do an RFI or anything like that to gather any information from anybody? Did anybody separate themselves in that process for you?


Bill Y.: Are you talking about the device or are you talking about middleware?


Thomas H.: I am talking more about the middleware right now.


Bill Y.: Well BioKey kind of separated itself in terms of when we did the review. We did do a review of what was out there. As you probably know they are in with the FBI and the Department of Justice I think and others so it is well established. Down there in the states we had conversations with the folks that are leading some of those initiatives.


I guess there are two pieces of advice that I will share with you. Make sure that you use only one reader if possible across your domain. Not many different products. The other one is, and this one you will enjoy, the people get the readers upside down. So one office will have it oriented one way and the other office will have it oriented the other way.


Thomas H.: You are right, I do like that.


Bill Y.: That caused a lot of problems initially but we heard that. BioKey seems to be the thing that worked quite well with us or is apparently working quite well with us. There are some challenges around taking multiple prints at once and we are working through that. They have been a good partner so far.


Thomas H.: Did you look at all at your east coast Canadian friends from ComNetics or L1?


Bill Y.: Off the top of my head I am not sure.


Thomas H.: Have you been experimenting with print readers that are built into the device or do you prefer stand-alone readers?


Bill Y.: The BioKey is the software behind it. The device readers I think Alec may have mentioned earlier we are probably going to have a bit of a multiple of that.


Alec W.: That is right so for devices that are very similar to a laptop we would just be purchasing the highest grade integrated reader that you could get on that device of a laptop. Then hopefully from the same vendor purchasing a USB connected device is when we are going to be wrapping our device in an enclosure such as for mounting in a public area.


Topic: Vascular scanners vs. Iris readers


Moderator: OK, how about this question from Todd. Vascular scanners versus iris readers versus print readers; does anyone have substantial experience with these technologies and can describe accuracy rates, installation, support or challenges? So pros and cons versus the three different methods here. What is the difference? A vascular scanner does what, Todd?


Todd W.: A vascular scanner scans the subsurface of the back of your hand and reads your veins. So apparently every individual has a unique system of veins and I guess they have determined that you could use a vascular scanner in many areas but the simplest is on the back of the hand where you reach into the scanner. You grab a bar so to speak to locate your hand in the right position and it takes a scan of the back of your hand.


We don’t have any of these technologies implemented to date. We were going down the road of an iris scanner. The product we were looking at the manufacturer discontinued and it was unsupported. It was a Panasonic product so our integrator recommended that we go with the vascular scanner and we are just chewing on what the recommendation is. We would like to get some alternatives. If there is anybody that has any experience with these that we can vet what the contractor is telling is good. We would like to hear from anybody else.


Moderator: It sounds like we have some people on the call with the print reading method. Is anybody else looking at the vascular method? Thoughts on it?


Thomas H.: We looked briefly at vascular and just didn’t go with it. We went with prints for a couple of other reasons. There are also some good iris readers out there. I think Todd if we take a look at our participants at last year’s CTA conference we can probably get you some folks to talk to. There is one group, I met with them and their product was really good. We are just not going to use iris scanning in our state. They are out of Massachusetts and their name escapes me right now but if I review last year’s participants I should be able to send you something.


Todd W.: Excellent. Things that I have heard are that the print and the iris are a little bit more easily defeated in terms of if you are wearing contacts you can have issues. Of course you can remove a thumbprint which defeats a print reader. With the iris you have different heights. Simple logistics such as where do you set the iris reader and with inmates having different heights and so on. That can be an issue as well.


The vascular seems to be a good solution. I don’t know what the accuracy rate of that device rate or if there are other issues that I am not aware of. This is very initial stages for us. We are just getting into it. So this was kind of timely that this conference was being held today. I am a rookie in this area so I am more or less just listening to what you folks have to say. As I say from what I have heard there are some problems with both iris and print that maybe you don’t have with vascular.


Thomas H.: There used to be the center for biometric excellence down in New York City. It was a NITA funded group but I think the funding got pulled on them. They sent me some stuff on vascular or iris versus print. Honestly I think it is all pretty accurate from what the research says. The stuff that you are talking about with respect to iris scanning about the height of the readers and stuff like that, I think the industry has evolved a little bit since when they were having problems initially. They have gotten to the point now where they can read it from almost proximity like walking up and doing proximity passing even. You don’t even need to be at the right height. It can read you from almost 15-20 feet away.


Bill Y.: If you want to get in touch with us we can talk a bit. We did quite a bit of research. The bottom line though is bearing the cost. You can buy ten readers for biometrics to every one of those vascular ones. Just to sort of reiterate Tom’s point; the industry has moved on quite a bit. The accuracy of fingerprints is as good as anything else out there and perhaps better.


Todd W.: Tom was it BI2 Technologies that you were trying to think of?


Thomas H.: Yes, I think that is correct. If they are the ones with the Massachusetts address then that is the chaps.


Todd W.: They are out of Plymouth Massachusetts, yes. Shawn Mullin is a contact there.


Thomas H.: That is it. You have got it.


Topic: Facial recognition


Moderator: Very good. Tom’s question; is anyone using facial recognition as a means of biometric authentication?


Rafael S.: We actually were testing that technology for close to two years. We found that the percentage of identification was closer to 35-45%. Considering that it was not identifying properly we kind of abandoned the project because it was just not functioning for us and it wasn’t meeting our business requirements.


Thomas H.: Can you tell us which provider or methodology that they were using for doing the biometric?


Rafael S.: I can provide that information offline for you guys. We did a successful test for two years. We actually were doing surveillance with schools and various other areas. Again as we were doing the testing we just found that it wasn’t properly identifying the individuals.


Thomas H.: Great. I would appreciate it if you could share that with us by way of NOREX. That would be great.


Moderator: What did you end up going with?


Rafael S.: We abandoned the project altogether.


Moderator: Are you using any kind of biometrics?


Rafael S.: At this time we are kind of listening to what you guys have been discussing. The company that we are looking at was originally called Secure Metrics. They actually got bought out by Visage. Their device was called the Haida4. The Haida actually has multi levels of biometrics authentication. It does iris scan, it does finger and it also does the full palm. It is actually technology that was being utilized in the military. It is currently also being used on the border.


That is kind of the direction that we were going. We didn’t really successfully implement it. We are still kind of evaluating the technology.


Topic: Biometric support considerations


Moderator: Thanks. Let’s move on. What has been the impact of introducing biometric authentication on your infrastructure and your ability to support it under bandwidth considerations, server side support, and storage and retrieval challenges? Thoughts on this? What do you need to plan for regarding support?


Ariel V.: I don’t think that we have had a lot of support issues revolving around the biometrics. I don’t think we have seen any bandwidth issues that we have noticed because of that piece rolling it out. Our support calls on the fingerprint authentication have actually been very low. We were a little concerned when we put it in that we were going to have some resistance and that was going to create some support calls. It has actually been very easy.


We were just putting some numbers together. I think we had one person that we had to delete the fingerprints on and re-enroll them. Besides a little bit of user education for some of the instructors making sure that people’s fingers are moisturized and that they are patient and using multiple fingers if one isn’t working it has been pretty quiet. That means it has been fairly easy.


Topic: Criminal history access/sharing


Moderator: I have one other submitted topic. It is from Ralph. It is kind of brief. It is asking for criminal history.


Ed R.: I imagine probably what Ralph is referring to is just a lot of mobile AFIS projects that I am aware of across the country. It is just for law enforcement purposes as far as helping them identify offenders on the streets. That I imagine would have applications for us as well for those who are dealing with or overseeing parole. Personally I am not but someone else out there might have some experience with that.


Then again are those biometrics the ones that are being used for the end custody applications? At this point they are not but should they be? I don’t think there is just a common standard out there for those minutiae points for converting an image to a hash. There is not a common standard that one database can be utilized for multiple software solutions.


Thomas H.: One of the things that we do when an offender gets to a correctional facility is we do a digiscan on them which compares their one to one print against the criminal history database just to validate that they are who we think they are when they walk in the door. You would be surprised sometimes what you get. One of the emerging technologies here is because of the advances in AFIS technology is the idea of having these mobile print readers available for corrections.


Here is where it comes in handy. If you are emptying the yard after a big fracas and you have used gas and everything else and you are pulling all of these guys out one of the advantages of the security staff would be to do an immediate print on everybody so that you can get them separated into the right places. So if you can get a print reader that can read your enemy system you can make sure that you are not putting two combatants or two guys who are known for having problems with each other after a big fracas like that. That is one idea.


The other one that Ed talked about was the idea of doing supervision for both probation and parole; arrival reports, check-ins and things like that which could actually help really push that industry a little bit further along too.


Moderator: Very good. Any other topics today? We have been going just about one hour.


Topic: Ownership of encryption image


Bill Y.: I just wanted to point out the public key issue. If you have got encrypted hash marks or whatever your encrypted store identity information is, make sure that you own it. One of the issues with not storing the image was how do you recreate the hash or the encrypted data if you go from vendor to vendor? So if you hold the decryption key if you will, then you basically own that forever and other products or other vendors can be brought in in the future and you don’t need the image. That is the other one. If you don’t hold that, if you have a proprietary key held by the vendor then you are pretty well forced to hold the image in order to recreate that data sometime in the future if you switch vendors.



End of session


© Copyright 2011, by NOREX, Inc.
5505 Cottonwood Lane
Prior Lake, MN 55372

The opinions expressed in this NORVIEW are those of NOREX members, not necessarily those of NOREX, Inc.