The opening line of Hamlet — “Who’s there?” — establishes the play’s theme of the uncertainty of identity, who and what anyone really is at any given point in time. Something was rotten in Shakespeare’s Denmark, but the challenge of authenticating identity is no less urgent, and complicated, for the security industry today.
Late last month, for example, a 95-year-old woman suffering from leukemia and flying to Detroit to die was forced by Transportation Security Administration agents to remove her urine-soaked diaper so they could inspect it. The incident provoked a storm of outrage against the putative insensitivity of the TSA agents and their apparent inability to recognize who and what this person was.
While examining an old woman’s diaper in a public space certainly seems both cruel and stupid, on Christmas Day 2009 a man did, in fact, hide explosives in his underwear and attempt to set them off on a flight to Detroit. The diaper incident highlights both the public’s sensitivity to invasions of privacy and the challenges currently faced by security professionals.
Determining who you are, or if you are who and what you say you are, is a critical issue in both the physical and digital worlds. Identity can be authenticated via three means: something a person carries, such as a driver’s license, the default U.S. identity card; something a person knows, such as a password, which is the way most computing systems are accessed; and individual biometrics, such as iris scans, fingerprints, or facial-recognition software.
Unfortunately, technology is helping bad guys forge the things people carry (licenses) and steal the stuff they know (passwords). “As technology becomes more pervasive,” says Peter Mundy, CFO of Intellicheck Mobilisa, a provider of access-control security systems, “it gives more people the ability to do improper things. It increases the ability of bad guys to get into systems. They can steal major bank logos [to enable phishing], and they look pretty real.”
At the same time, technologies to defeat the bad guys are ramping up. Many airports and other facilities have signed on with Intellicheck Mobilisa for its Defense ID Security System, which scans ID cards, including driver’s licenses, reading the encrypted strip or bar code on the back and matching it with more than 100 databases to determine whether it’s fake, whether it’s been reported lost or stolen, or if the person carrying it is listed somewhere as a bad guy.
“What should have happened in the diaper case,” says Mundy, “is the driver’s license should have been scanned and checked against a database of terrorists or the no-fly list. Then you’ve screened the person and you don’t have to check the diapers. Without the technology, all the agent is doing is checking to see that the person is the same person in the picture ID, not who they actually are.”
J.W. Pierron, COO of Workspeed, a real estate management firm focusing on operations, has used Intellicheck bar-code readers and its Defense ID system for the past three months to check IDs in the lobbies of the buildings Workspeed manages. “When you’re coming into a building, the first thing the guard at the desk does is ask for your ID,” says Pierron. “Intellicheck tells him if it’s valid or not: if it’s the correct format, and if the information on the front is the same as on the back.”
According to Pierron, along with providing enhanced security, the Intellicheck system, configured for Workspeed and accessed as a service through a browser, increases the efficiency of lobby operations in buildings with thousands of daily visitors — although, he says, it’s too soon to determine the system’s ROI.
Privacy and civil-liberties advocates are understandably concerned about technologies that work to reveal and authenticate identities. This fall, for example, dozens of police departments across the country will be deploying a device, attached to an iPhone, that will connect the phone’s camera to databases to check for matches with known criminals. The question of whether this will constitute a warrantless search has yet to be determined.
John Sviolka, principal in PricewaterhouseCoopers’s Diamond Advisory Services and a former professor at Harvard Business School, describes himself as a “big believer in strong ID systems” to facilitate security (and thereby commerce) on and off the Internet, but believes the individual should have a great deal to say in how they’re employed. “We need due process around disclosure of who you are,” says Sviolka. “I don’t think we should force people to be naked. Unfortunately, we oscillate between going naked and going dark.
“In a civil society, neither works.”
Until those due processes are established, and until we develop security systems that protect both society and individual rights, we could end up as Hamlet does: a stage strewn with corpses, both metaphoric and all too real.