Appendix: Identifying terrorists before they strike by using Computerized
Knowledge Assessment (CKA)
Steve Kirsch, firstname.lastname@example.org
This document is the Appendix for Identifying terrorists before they strike.
If you are reading a hardcopy of this page, the most recent version of this page
can be found at:
Subjects covered in this document include (though not necessarily in order
and not limited to the following):
- Tables containing common technical and non-technical objections that
people have raised and my response to each objection
- System configuration details (many configurations are possible)
- Why this isn't a violation of civil liberties
- Why this isn't psychological profiling
- Cost estimates for prototypes and deployment for each system component
- CKA advantages
- Iris scan advantages (and why the iris is the ideal biometric identifier)
- Details on how CKA would work in this situation (beyond
the info on Farwell's site) and the potential for additional technological breakthroughs in
- Why the FBI isn't pursuing this now (and why the leadership of the FBI or
FAA must be involved for this to go anywhere)
Advantages of iris identification
- Each iris is absolutely unique.
- The iris is the most personally distinct feature of the human body.
- The iris remains stable and unchanged throughout life.
- Average recognition time is about one(1) second.
- The iris alone is sufficient to uniquely identify a given individual in 1
second (no smart cards or ID cards are required)
- The iris is superior to all other biometric forms of identification (see http://www.eyeticket.com/technology/biometric.html)
- There has never been an error (the chance of an error is 1 in 1072
which means there will never be an error for all time because by this time
the universe has degraded into black holes)
- It's proven in US public airports for both access control as well as
passenger ticketing. It is also in use for ticketing at sporting events.
- It cannot be fooled
- The characteristics of the iris are captured by simply glancing into a
digital camera for a fraction of a second.
- Automatic identity verification is made in a non-intrusive way by matching
patterns found in the iris against enrolled records.
- Eyeglasses and contact lenses are easily accommodated.
- No other biometric technology can rival the combined attributes of
mathematical certainty and non-invasive operation offered by iris
- See http://www.eyeticket.com for
Advantages of CKA
- The underlying brain mechanism that the CKA technique
relies upon is 100% accurate. It cannot be fooled. It has been known for 20
years and has been well studied and is without controversy.
- The CKA technique was first published in 1987.
- The only reason that the technique is typically only 99.9% accurate is due
to a signal to noise issue which varies from person to person. With more
people focused in improving the signal to noise ratio of the detector, we
can both reduce testing time and increase accuracy rates.
- The longer the testing time, the more accurate the results. We can achieve
arbitrarily high confidence levels just by lengthening the testing time.
- A 10 minute scan is sufficient to provide a rough screen against a wide
variety of threats... in fact, fewer than 1 terrorist in 1,000 would escape
detection (that's a worst case; in the typical case, when the system is
fully tuned, only 1 terrorist in a billion might escape detection).
- The computer can automatically probe any suspect areas in more depth that
showed up during the initial screen if necessary
- Most passengers will only need the 10 minute test (this is the security
equivalent of a medical "whole body" scan... you only get
specialized scans if the whole body scan shows that there might be a
- There is no chance of error. Unlike a lie detector, the test is completely
objective and totally automated. Unlike a lie detector, there is no human judgment.
All scores are mathematically quantifiable and calculated automatically by
computer. Confidence levels are also automatically calculated by computer.
- Unlike DNA which requires a sample, with CKA, anything
can be tested.
- The test is not a psychological profile; it cannot measure how you feel
about something. It measures only the presence or absence of information. It
is best equated to an automated version of the yes/no security screening
questions we have today. Essentially, it is nothing more than a sequence of
"Have you seen this item before?" questions. You can choose to
stop the test at any time. You can review all the questions in advance of
the screening (your particular screening will be a random subset of the full
list of words and images).
- It does not discriminate on race, creed, color, sex, religion, or any
other factor. It just tests what you know.
- By varying the testing protocol periodically, it would be impossible for
terrorists to "teach around the test"
- It has already been proven in two areas similar to terrorist
identification. Terrorists are trained agents taught to murder. CKA has already been proven to identify murderers as well as FBI
- In 90 days from a request by the FBI or FAA, a terrorist screen can be put
together and we can compare the results with the results a trained FBI agent
could achieve in the same amount of time. The results are predictable: the
brain fingerprint will identify a terrorist in a crowd every time. The FBI
agent will miss every time. Which system would you rather have protecting
- See http://www.brainwavescience.com
for more info
The answer to the "Super Bowl scenario"
For any major event, such as a sporting event, you treat it no differently than
you do access to the departure gates at an airport, i.e., you require all Super
Bowl attendees over a certain age to get their security profile done at their
leisure at any time in the months before the game at a local airport. So then
each person looks into an iris scanner upon entry and if they pass, they are
admitted. So as long as perimeter security is good (as it usually is in sporting
events since otherwise they'd forfeit profits), the only way in is through the
iris scanning stations, via airdrop from above (which would be very easy to
detect), or by tunneling into the stadium (which would be prohibitively
expensive and virtually impossible to do without arousing attention). Iris
scanning and CKA have never been fooled. Never. So we'll
accurately identify the terrorists, each and every one of them. We didn't have
to know in advance how many there were. We didn't have to get the FBI tip. And
we didn't need to know their organization.
Could a terrorist come up with a new technology to thwart the brain
fingerprint/iris scan? Sure. Is it likely to happen in the next 100 years?
Doubtful since terrorist organizations don't usually have big R&D labs to do
this sort of work. But it's possible! However, if they do, we'll be ready
with effective counter-measures. No solution is perfect and no solution will
cover all cases. If we attack any suggestion by pointing out the cases it won't
cover, we'd never adopt any new ideas. Instead, we have to look at the solutions
available to us, and pick the solutions that provide the greatest amount of
protection at a price (money and convenience) that we are willing to pay.
Selling this to the public
Logically, this system is less invasive, more private, more secure and more
convenient than today's system. Some people won't understand and will fail to
comprehend the arguments in the three tables below. We've done this before with
seat belts where people argued that the government has no right to dictate how
we behave in a car. This system is far less problematic than seat belts! The technology wouldn't
be ready to deploy for 2 years. During that period, it would be important to get
the involvement and endorsement of the ACLU and other civil rights/privacy
groups, as well as support from other influential groups (Teamsters, etc.).
Members of Congress and the President should go through it before anyone else.
We can phase this in for all people arriving into the US. Then expand it
nationwide. We should start with an FBI test. The FBI can put a unknown number
of terrorists in a group of 250 people to be tested. If the system can
repeatedly without error find the terrorists in the group, then we should begin
the next phase of development, e.g., a prototype of what an airport testing
station might look like.
Best way to explain it to people
I've found that if you explain it this way, you minimize objections.
The FBI has discovered that there is 20 question Yes/No test that we can give
air passengers that is 100% accurate in identifying those passengers who have
been trained by terrorist groups who have threatened the US. The questioning
takes 10 minutes and need only be done once every two years. You are given the
choice of two planes to board to your destination: one plane requires the screen
of every passenger, the other does not. Which plane will you board?
Another approach...Suppose we had a new airport security checkpoint that worked like
- You approach a security officer. He does NOT ask you for any form of ID if
you promise to tell the truth. He just asks you 20 yes/no questions. You can
refuse to answer any question, but if you do, he may not let you on the
plane. The test takes 10 minutes.
- At the end of the 20 questions, he decides whether to allow you on the
plane or not. However, the 20 questions are carefully selected so that only
terrorists fail the exam. Everyone else passes. It's an infallible test.
100% accurate. It works even if you lie.
- If you fail, you don't get through the checkpoint (you aren't arrested or
anything). However, since the test is 100% accurate, no one but terrorists
will be turned away.
- If you pass, the security officer offers you a choice. You can look into a
camera that will record what your eyes look like and store it in a federal
database as a "good" set of eyes. No name is associated with that
data. If you do this, any time you enter the airport, you can just look into
the camera and it will lookup your records and pass you through in 1 second.
If you choose not to have your eyes photographed and stored, then you
must take the 20 question test each time you want to pass through
- Is this reasonable so far (if you trust my assumption that it is 100%
- Now suppose that instead of someone asking you questions, we ask you to
wear a baseball cap and have you watch TV for 10 minutes. The security
officer will look at you while you watch TV and make his determination.
Would that be equally acceptable if the security officer is still 100%
accurate in his assessments just by watching you watch TV?
- Because we're concerned about civil rights and possible bias based on
race, and because we want to lower costs, would it be OK to replace our
security officer person with a computer that monitored your reaction while
you watched TV (again, assume the computer program is perfect), i.e., are
you OK with a machine, that is blind to racial and ethnic bias, monitoring
you while you watch TV for 10 minutes?
- Are you OK with the machine monitoring you using the same methods that
hospitals use every day to monitor patients that has been proven to be
medically safe and have no side effects?
Non-technical objections (see table below for Technical Objections )
This page has been viewed by over 20,000 people. Negative e-mails
that have been received were mostly skeptical of future government abuse of the
system, not the system itself. None of
the those critical of the system offered a superior alternative. This
demonstrates that if the concept is properly explained to people, it's not
objectionable. In fact, the more people know about it, the better they like
Even Thomas Greene, the reporter for "The
Register" who wrote a scathing article about the approach admitted on CNET
radio (on October 4) that " if it worked and if it could be confined to the
very strict uses Steve proposes, which I very much doubt, then I'd have no
objection." The biggest downside of the system is it's hard
to explain to some people. The biggest objections are (a) skeptical that it can
really work as described (i.e., sounds "too good to be true") and (b)
fear of government misuse in the future. Here's the table:
|The government will misuse this screening in the future to
find out things they have no right to know.
||This is a bit like arguing "we can't give the
government the right to search us and ask us security questions before
we're allowed to board the plane because if we let them do that, then who
knows what they'll ask for next." So while we have a fear of the
unknown, we should we remember that we elect the government. If the
government oversteps its bounds, vote for someone else.
|Why not just make this test optional?
||Unless we have an equally reliable method of screening
passengers on the plane that has the same accuracy as this technique, I do
not think this should be an option and I would be very suspicious of
traveling on a plane where this were not required. However, here's a way
to accommodate your request: create "safe" planes (100%
passengers are tested) and "unsafe" planes (traditional
screening). This is sort of like non-smoking vs. smoking flights. I'll
book my travel in the "safe" planes 100% of the time. How about
you? Which plane would you ride on? Know anyone who wants to ride with the
|If this tool falls into the hands of a repressive
government, it will be abused.
||If we really have a repressive government, this will be the
least of our problems. Do you really think not using this today for
airport security will stop them? The genie is already out of the bottle.
Secondly, suppose you're right. Exactly how would they abuse the
technology? What would they show you?
|This is just a ruse to get my biodata so that the government
can track me. You may not link the data today, but it's just one step
closer to that. It's just like a social security number. It wasn't
supposed to be a permanent identifier.
||So shall we eliminate social security numbers and driver's
license numbers? Shall we eliminate credit cards because the credit card
company knows what you purchased? Shall we eliminate bank accounts and
move to a Swiss banking system that is identified by number only? If
everyone's lives would be better off this way, why isn't there any
movement at all to eliminate these existing systems? Also, when we banned
AK-47's some argued that was the tip of the iceberg and it would lead to a
total ban on all weapons. It didn't.
There is an alternative which is to sign the brain data/iris data using
the government's secret key and record it on a smart card instead of in a
|Giving up my bio data to the government is too extreme.
||Then you should be in favor of replacing the current system
with this system because it
protects your biometric data better than the system we have now. Today,
when you check-in at the ticket counter and present your driver's
license, your age, height, weight, eye color, and complete facial
biometrics are disclosed to the agent. Wouldn't it be easier and more
private if you only had to present one biometric (which is only useful to
a machine) rather than at least 5?
And wouldn't it be better if you can present that biometric (to check-in
and board) completely anonymously so that no human being or computer can
associate your biometrics with your identify? That's exactly what this
system does. It protects your biometrics from disclosure to anyone. The
computer tracks a list of enabled biometrics, but there isn't an
association of biometrics and identity (your name) kept anywhere. So even
if there were an association with your name, it's no worse than the system
we have now. And today's system is acceptable to people, since we see no
protests about presenting photo ID to check-in. This system is less
intrusive than we have now.
Lastly, you trust the government with your complete financial data now
when you file your taxes. And that data is associated with your identity.
There aren't any protests that this is an invasion of privacy or too
extreme. In the system described here, the government just has a biometric
file with no names. Which database are you more afraid of being made
public or misused? Even if the government could associate your biometrics
with your identity, which is the greater threat to you: the government
disclosing your eye color or your financial data? The point is that even
if the governments bio data database were publicly disclosed, it's
useless. The tax database is another matter. So we should be encouraging
the government to adopt more systems such as this one because it is less
intrusive than systems we have now. The fact that we don't rebel against
the government having our tax data and willingly present our ID and
biometrics upon airport check-in indicates that the system described here
is completely socially acceptable since it is far more protective of
personal privacy than existing systems.
|This invades my privacy too much
||Actually, it doesn't invade your privacy at all. When you
sent your SAT scores into colleges, did you consider that an invasion of
privacy? Most people didn't. Suppose the colleges let you send in your SAT
scores without your name so that nobody but you would know what your SAT
scores were. Wouldn't that totally protect your privacy? Most people would
say "absolutely!" Well, guess what? That's exactly the case
here. After you take the test, since you don't have to present ID, nobody
but you knows whether you passed or failed the test. So if nobody knows
but you knows how you did on the security screen, then how can you be
negatively impacted? In fact, the only people who get negatively impacted
by this are people who are trained terrorists. That's the price we pay...
the trained terrorists get negatively impacted. I'm willing to accept that
tradeoff. Why aren't you?
|This is some kind of trick. This will be used for mass mind
||If it is a trick, then someone will expose how people are
being fooled. And then people will demand that it stop. Of course, this is
based on science known for the last 20 years so it's no trick. And the EEG
sensors are standard sensors that have been used in the medical community
|It's inconvenient to have to take a 10 minute test every 3
||Consider the alternative: long lines everywhere and showing
up to the airport 3 hours before your flight? With this system, security
screening can go back to the way it was before 9/11 because the system is
so effective in identifying terrorists. The only reason for the increased
security was to screen against terrorists. If there is an effective
alternative, we can go back to the old system.
|This won't work. Terrorists will find a way around the
system. For example, they'll just pick someone, get them certified, then
train them and have them execute the plan in under 3 years.
||The configuration described in the paper was just one
possible approach. If we believe a terrorist can be recruited,
brainwashed, and trained in less than 3 years, we can have 10 minute scans
every 3 years and "quick scans" every month. The system need not
be perfect to act as a significant deterrent. We'd expect to have a few
loopholes and close them over time. We've got to start somewhere. Stopping
999 terrorists out of 1,000 is certainly a reasonable starting point.
|If I don't pass the test for some reason, you'll restrict my
freedom to travel.
||Not really. We'll probably just allocate an air marshal to
your flight unless you have a really severe profile in which case you're
right, we will restrict you from traveling and if you are a foreigner, we
won't let you enter the country. That's the price you paid for going to
terrorist training camp for 3 years. Next time, just say, "No."
|What do privacy experts think of this?
||I wish I had a nickel for every time I've heard this. Funny
how people can't seem to make up their own minds as to whether they should
be upset or not... they want to be told by others how they should react.
So see the section above on privacy.
|This can't possibly work. If I haven't committed a crime,
you've got no right to keep me off the plane.
||It's never been fooled. We aren't judging your future
behavior. We are only making an objective determination as to whether you
are a security risk. And if you are, we reserve our right to refuse to
serve you and to to protect our citizens.
|How would we get all of the possible terrorist suspects
already in the U.S. to go to a CKA session? Wouldn't they
simply not show up?
||They probably won't show up because if they do, they will be
caught. So they won't be able to enter the country through any border we
patrol and they won't be able to board planes or enter major sporting
events, etc. If we want to go after the terrorists already here, then we
might require anyone with a driver's license to be tested as well in order
to renew their license. The nice part about this method is you only need
to be tested once overall, not once for the DMV, once for airports, etc.
|If it allowed 1 terrorist in 10,000 terrorists through,
that's enough to do serious damage.
||By that logic, we should only implement a security measure
if it is 100% foolproof. Since nothing is 100% foolproof, we'd do nothing.
The point is that probabilities are everything and this substantially
reduces the threat of terrorism on planes by at least 100 times at minimal
cost and convenience. It's not perfect. But it's a good start.
|This will cost too much. We can't afford it.
||We'll certainly save people's time like the 2 hour long
waits in the security line while they look for nail clippers. What's that
time worth? And hard dollars, we'll probably save those as well. So, for
example, the cost of this single terrorist incident is probably $100B. If
we spent $1B a year in prevention that's cheap insurance. We won't need to
spend anything near that. To monitor 20 machines, maybe you have 1 full
time person at $40K/yr. So maybe the cost is $200M per year labor
costs. That's rounding error compared to the cost of this one incident (or
the other things we are doing such as the air marshal program). Again,
compare the cost of the program to the cost of preventing one disaster and
saving thousands and millions of lives. What price do you put on 5,000
human lives? On 100,000 lost jobs? The bottom line is that we can't afford
not to have this system!
|This violates the 4th and 5th amendments.
||Nobody is forcing you to take the test. You are consenting
to take the test because you want a benefit (air travel). Also, the 4th
says you have a right to personal security and to me that means I have a
right to travel on a plane where people are screened. The 5th applies only
to crimes and seizure of tangible personal property without just
compensation. Again, you are consenting to release information.
|I'm much more worried about losing my Constitutional right
to travel unmolested within the United States, than I am about
||You have no such Constitutional right. You are molested by
having to show your ID (with 5 different biometrics typically) and to risk
those biometrics being associated with your identity. You are scanned with
a metal detector. Your carry-on bags are searched with an x-ray. Your
checked bags probably go through a more sophisticated scanner. They might
also be smelled by dogs. You may have to turn on your computer and cell
phone. Your car is searched when you enter the parking lot. You must
answer security questions. This system is superior to the current system
since it achieves the same ends more reliably and more conveniently.
|If you offer both types of flights (secure and non-secure),
how will you get a flight crew to agree to go on the non-secure flights?
||Just as there are people who would refuse the computer
security screen, there are some people who value their perception of
increased privacy over their personal safety. We should not force or
require a airline employee to be on board an unscreened flight. If there
are not enough of these people, then there will be fewer non-secure
flights offered by the airlines.
|Congress will never vote to support this.
||They don't have to. It can be done via executive order. It
could also be done by a single airline or a group of airlines acting
together. There is substantial market demand for this. In fact, some of
the biggest detractors of the approach fear that the market demand will be
so substantial that there will be no flights available to people who
|The public will never support this... brain probes...it
sounds too invasive.
||People also said nuclear power is completely dead and that
nobody would support it. Then we had a power crisis in California and
suddenly virtually all the public is in favor of it. In this case, we are
offering people an alternative to the 2 hour long security lines that make
sure that honest travelers can't carry as much as a nail clipper (while
leaving terrorists with sharpened credit cards, etc) and to the risks
associated with flying. They don't have to take this option. But as
Americans we must support giving those people who consent to this test the
option to take the test. That's what freedom is all about.
Technical objections/Misconceptions about the technology
|This won't work because...
|Terrorists will easily fool the system by informing the
public of every detail of their internal operations so that every member
of the public looks like a terrorist, rendering the test useless.
||If the terrorists can accomplish such a thorough and mass
education effort, then we should copy their techniques to educate the
general public! If the terrorists did this, (a) it would be super easy to
track where the money is coming from and shut them down, (b) you'd have to
physically enroll in one of their training camps for at least a year for your P300
brain response to look similar to a terrorists brain response. So for
example, looking at a picture of an AK-47 doesn't give you the same
response as having used it to kill people. You'd have to do special drills
as Rosenfeld's students did (see below) to fool the amplitude of the P300
(but not the latency). No honest person would do such preparation since
there is no incentive.
|The New York Times reported
that Japanese researchers couldn't replicate Farwell's research.
||The Japanese researchers had results that were no better than
random chance. It would be difficult to replicate Farwell's system
because, according to Dr. Rosenfeld, Farwell has not disclosed his
methods. If Farwell's system didn't work, how could we possibly
explain how the computer was able to pick out the FBI agents without
error? The odds of that happening by random chance are less than 1 in a
million. So we're left with the inescapable conclusion that either Farwell
is the greatest magician since Houdini (having fooled the FBI, his thesis
advisor, peer reviewers, the experts interviewed for the article, and the rest of the brain science community), or it
really does work.
|The New York Times reported
that Dr. Rosenfeld of Northwestern has been able to train students to
confound p300 lie detection tests and called it "a sound idea that's not ready for prime time yet."
recent research published on his website is on
measuring the P300 response for false memory, not on techniques for erasing true memory.
However, Rosenfeld is preparing a paper for publication next Spring that
describes how he can train students to deceive the P300 response, i.e.,
suppress true memory. But he's not tested it on Farwell's system.
By "not ready for prime time," Rosenfeld said (in an e-mail
to me) that he meant two things:
- no countermeasures studies were tried
- the total lack of real field data
Rosenfeld believes that the FBI wasn't trying hard enough to fool
We are left with (a) the undisputed fact that nobody has ever
demonstrated that they have "fooled" Farwell's system, and (b) that there are some calling
for more data, and (c) that there is at least one researcher who claims he can beat
There is one way to get to the truth and it's ridiculously inexpensive:
have Rosenfeld "prep" a few FBI agents and run the same test
material that Farwell used previously that the FBI was unable to fool and
see who's right. I have asked Rosenfeld whether, if the FBI asked, he
would cooperate, and he said he'd be glad to.
Separately, Rosenfeld said that although he believes that he has
evidence that one form of the P300 recognition paradigm can be beaten, he
said, "I am confident that very sophisticated brain wave tests--not
simple P300-based recognition indicators-- perhaps in combination with
other physiological measures, will one day in the near future give us an
accurate lie-detector which is also hard to defeat."
So our best case is that it's hard to defeat today. The worse case is
that it's in the near future. So it seems worthy to test it out now and
see how difficult it is to fool it.
|The New York Times reported
that Farwell's thesis advisor (Donchin) calls Mermer "business
||Donchin co-authored the paper with Farwell 10 years ago
citing 87% accuracy (it's been improved in the last 10 years to get 99.99%
accuracy) and showing that it works even if subjects are deliberately
trying to fool the system.
Donchin's statement is most likely a
reference to MERMERs; it sounds catchy but has no operational definition.
However, the same article
also quoted Donchin (and others) as endorsing the technology: "Dr.
Donchin and others say that p300 testing may one day be as valuable as Dr.
Farwell currently claims if more research into how to present the right
questions or other stimuli." In our case, the research is in a very
narrow area (terrorism) and this can be accomplished quickly (within a few
months) and refined over time.
|Farwell only produced one peer reviewed paper with Donchin.
||This statement by Rosenfeld is just flat out untrue. For
example, Farwell's 2001
paper on mermers appeared in the Journal
of Forensic Sciences.
|Some scientists in the field think that Farwell has a
reputation of making excessive claims that cannot be substantiated and
that people in the CIA view him as an embarrassment and that he was never
on the faculty of the Harvard Medical School.
||In court, Farwell produced evidence that he was on the
faculty of the Harvard Medical School. Rather than argue each point, we
should separate the science from the scientist and evaluate the
hypothesis. If those claims are true (and I'm not saying that they aren't,
but just trying to present both sides here), then: 1) how do we explain
the undisputed 100% accuracy in the FBI tests (especially significant in
the light of the Japanese getting no better than random chance), and 2)
how do we explain the fact a very knowledgeable and senior FBI insider,
Drew Richardson, recently joined Farwell's company 8 years after first
learning of the technology? You'd think that in 8 years he would have
heard all the pros/cons.
|If this really worked as advertised, the FBI would be all
over this. There must be a catch.
||The New York Times article
noted that Dr. Drew C. Richardson, a psychologist who formerly headed the
FBI.'s research laboratory at Quantico, Va., and its unit overseeing
chemical and biological warfare threats was so impressed by the technology
that he recently left his job at the FBI to join Farwell's company. This
was not a snap judgement. Richardson was first introduced to Farwell's
technology 8 years ago so he had plenty of time to study it himself and
read all the FBI's research on the technique.
reason the FBI hasn't pursued it is because they delegated the evaluation
of the technology to the group that does polygraph examinations. Since Farwell's
technology is 100% automated with no human expertise or interpretation
required, endorsement of this technology would mean that they would be out
of a job. The FBI has no evidence for opposing it that could be presented
in a public forum that would stand up to any scrutiny at all. In fact, if
there were a Senate inquiry into the matter, this would be obvious. There
is a GAO report that is being done now (a report has not been issued), but it's merely a "he said,
she said" type of report. Nobody is asking any tough questions to get
to the facts.
|How can you possibly claim 99.99% accuracy since this
technique hasn't been tested on over 10,000 people?
||The P300 complex is 100% accurate. What's inaccurate is our
ability to measure it. Every measurement in real-life has (gaussian)
"noise." So if I give you an item exactly 1 inch long, and we
used 10 rulers to measure that item, we'll get 10 different measurements.
Statistically, we'd look at the mean and standard deviation of these
points to determine the size and our confidence in our measurement. So
we'd end up with say: it's 1 inch plus or minus .01" with 99%
confidence and 1 inch plus or minus .1" with 99.999% confidence. The
brain data is no different. The 99.99% confidence is calculated using
established statistical formulas. If you want to get to arbitrarily high
confident levels, you lengthen the test or test three different areas as
described in the next row.
|Even with a 99.99% accuracy rate, if you have 200M people
you test, you'll get 20,000 people who are falsely identified. That's too
||20,000 mistakes per year is about 1 per day per airport, and
that could easily be handled with a federal officer. However, the actual
number that would be problems is significantly less than that. This is
because the 99.99% figure is on a single probe, e.g., familiarity with al
Qaeda. So suppose we probed two things that terrorists would know. You'd
have 1 chance in 100M of getting mistakenly nailed on two things. In our
10 minute test we probe at least 3 different areas so for a well
constructed test, if you lead a
relatively normal life, your chance of being rejected if you are not a
terrorist is about 1 in a trillion. The converse is true. A terrorists
chance of escaping detection is the same...so for every 1 trillion terrorists
they try to put on the plane, we'll catch all but one. I can live with
|Once people take the test, they'll have seen the images so
if they take it again, they'll fail, so this won't work.
||Seeing a picture of an AK-47 doesn't elicit the same
response as someone who has used it to kill people. Here's another simple
example...suppose I were to show you pictures of 30 people that you saw
the last time you visited the airport. These would be people you walked by
on your way to the plane. How many of those people would you recognize? If
you asked me, the answer would be zero. The point is that for things we
are familiar with, there is a strong recognition response. For things
we've seen in passing, or not at all, there is a weak response. The test
itself is looking for strong familiarity and the thresholds for each
person are easy to calculate.
|We need more research before we try something like this,
e.g., on uncooperative subjects, etc.
||The approach used by Dr. Farwell can determine whether or
not someone has seen a particular image before. It has been tested on
hundreds of subjects, including the uncooperative, intelligent, and even
those who understand the system's workings. It is 100% accurate. This
technique is based on the Sternberg paradigm, which has been known for
decades. It has been very, very thoroughly peer reviewed. People in the
field of brain wave science would stake their reputations on this. I
encourage you to get an objective view on this from another
|Terrorists will have someone pass, train them, and have them
kill people before that person is re-tested in 3 years
||If we're seriously concerned that this is viable, we can
have people get "mini checkup screens" once every 60 days. Most
people are not "instant terrorists" that are willing to die for
their cause...it happens gradually over a
period of years.
|Terrorists will just find a way to fool the iris scan and
walk right past the scanner, e.g., with a phony contact lens.
||Iris scans have never been fooled, but that doesn't mean it
can't be done in the future. There are many ways to circumvent the people
who try this, e.g., by observing the iris dialation response (being able to
fake that is beyond the expertise of our best medical researchers). Someone
may come up with a way to fool the iris scanners. After all, we know how
big those R&D budgets are for terrorist organizations; we all know
they get the cream-of-the-crop researchers working with all the best grad
students at state-of-the-art facilities. So maybe they will figure out a
way. If they do, we'll close the loophole after they point out the
vulnerability to us.
|Terrorists will come up with some other way to fool the
||Sure, just like terrorists will come up with a way to put a
card into an ATM and draw out money from your bank account. So sure, it's
possible. It just means we need to be careful to design the system right
to minimize this possibility. We probably won't get it right the first
time. And as holes are exposed, we'll close them so that the system gets
more and more effective over time.
|Creating the tests will be tricky so you don't get any false
||That's true. Creating the tests are the key to making it
work as promised. Undoubtedly, we'll get better and better at this over
time. But even if the test is only 90% accurate, it means we'd only have
to screen 10% of passengers rather than 100%. And it's highly likely that
most people will pass with flying colors while terrorists will get nailed
on every image, so in practice, the error rates will be quite small.
|This depends on a connection to the Internet to work. The
terrorists can bring down the Internet.
||Even if the Internet fails this system will still work. The
complete government "OK irises" databank for every person on
earth could be stored on a single hard disk that can be purchased for
$250. So each airport can have it's own local copy of the database that
can be updated daily with new additions/deletions.
|You need an Internet connection to do authentication.
||If we issue people cards with a magnetic stripe (or smart
chip) which has their data signed by the secret key of the US government,
then we can do authentication without needing an Internet connection.
|You need "goop" for the EEG sensors
||Wet sensors work somewhat better than dry ones. So it's a
tradeoff between testing time and convenience. If we find most people are
short on time, we'd use wet sensors. If convenience is a factor, we'd use
dry sensors. The "goop" is non-toxic and water soluble and
cleans up with a paper towel in seconds.
|If the test shows you a question you object to, by the time
you object and stop the test, it's too late.
||The software would be set up to not transmit an incomplete
test into the federal database. This would have to be legislated and
audited to ensure consumer safety. If it did do this, someone would know
and tell everyone about it. Having the code to the machines made public or
given to independent organizations to audit is probably the simplest way
to accomplish this.
Do people actually prefer this approach over the existing solution?
Suppose the government had two different systems to protect air travelers.
Let's call them System A and System B. Which system would you choose based on
the table below?
Time to get past security
|Huge lines to get past security. Best to arrive an extra
hour or two earlier.
||Lines comparable to pre-Sept 11 plus 10 minutes every 3
Terrorists allowed on plane
||Yes. Allows equal access for terrorists to boarding areas
||No. All terrorists are accurately identified. Under no
circumstances will terrorists be permitted on the plane.
Security screener knows your name
||Yes. The screener sees your ID so he knows your name, where
you live, and gets to ask you all sorts of personal questions.
||The security screen is completely private and anonymous.
Nobody but you knows how you answered the questions.
Search all your bags and arrive 2 hrs early. No sharp objects allowed including
nail clippers, screw drivers, pocket knives.
||We ask you 20 Yes/No questions once every 3 years. Small
objects are OK if you passed the 20 question screen. Same x-ray and metal
detectors as before the 9/11 incident.
||Photo ID at gate. Fake IDs are acceptable if they are
||Biometric data must be presented before boarding to
authenticate your identity.
||Assumes everyone is a terrorist.
||Assumes everyone is minimal risk. Only treats people with
terrorist training as a terrorist.
System A is pretty much the system we have now. System B is our proposal. Do you
know anyone who prefers System A? This is the approach we must use to sell this
to the public.
Here are some other questions to ask people:
Is there a better way to reduce the threat of terrorism in the US?
If this system is implemented as described, how would you be worse off or
Does this system require you to give up any freedom or liberty?
What could you not do after the system is in place that you could before?
Ideal equipment configuration
Set up the equipment outside the boarding area since some boarding areas are
relatively small and isolated. These stations are like phone banks. There is one
security officer monitoring the machines at all times. There is a
"check-in" station where you present your iris. If you're cleared to
go, it tells you you're done and enables your biometrics for 2 hours (until used
to board a plane). If you need a "refresh" or a "retest" or
an "initial test" it notifies you. If this is your first test or a
periodic retest, it records your new biometrics. Then you pick a station and sit
down at it, and present one of your biometrics. Since there is a human monitor
at all time, we need not have iris checks at each station. You put on the
headset and watch images. If you pass it will tell you, and enable your
biometrics for the next 2 hours for boarding at this airport. So the whole thing
is anonymous. Also, there is a special fast-pass security checkpoint for people
who cleared the screening machine. You just present a biometric (like your hand)
and a card with an ID number on it (no name). If you pass, then they give you a
simple screen like the "old days" of screening... small objects are
OK. So no long waits in line and no inconvenience of not being able to carry
your razor and nail clipper in your carryon.
Commercializing the computerized security screening stations
The government can allow private industry to create these stations. Either
the consumers can be charged a fee to be profiled, or the airports or airlines
can pay the companies a fee per year for the devices. The federal government can
create the standards, certify the manufacturers, and certify the devices on a
regular basis. By having commercial enterprises create these devices we increase
innovation and lower government costs.
Computerized screening stations: The biometric sensors to record
your brain waves cost $5K in low volume. The computer with keyboard and
Internet connectivity costs about $1,000. The display device and iris scanning
goggles would cost about $4K. The machine to make the ID badges can be shared
for every 10 stations so is a trivial cost. The same is true for multiple
biometric sensors. Since this part is very quick, there can be a single
"biometric measurement" station that you go to after you are done
profiling that, after you put on the goggles again to read your iris, takes
all your biometric data and keys it to your iris. So the cost per station is
about $10K. If we place in a huge number of stations, say 100K stations, we're
looking at a $1B one-time capital investment which can all be funded privately
(see section above on commercializing). 100K stations is huge overkill; it
would allow us to screen every passenger on every flight. So it's probably at
least 10X more machines than we need. So $1B is a conservative estimate.
Security checkpoint stations: These stations would use a system
similar to that used by http://www.eyeticket.com/.
There is nothing to put on and you can be scanned and told your results in
under 1 second. These stations cost $10,000 each. Unlike metal detectors,
there are no false positives (no hassle of emptying your pockets and trying
again). Since there are 3M travelers per day, and since each machine can
handle thousands of passengers per hour, let's be conservative and put in
1,000 machines. That would cost only $10M.
Check-in and boarding gate stations: We'd need a cheap biometric
sensor and in the worst case, the equivalent of a way underpowered laptop PC.
So say $1,000 per station. Assuming there are 30,000 gates, that's $30M.
Federal Computer database: The data used by these devices is small.
If we save all biometric data plus profiling, we're looking at 5K bytes per
passenger. Assuming 1B passengers, that's 5 Terabytes. Amazingly, you can buy
a 100Gb hard disk for $250. We'd need 100 to allow for failure and to provide
a throughput of 10,000 IO/sec. That's about $25,000. We could distribute the
data on 100 PCs for safety and throughput. Each PC is $1,000. So for $125K, we
have all the hardware we need. And Larry Ellison said he'd donate all the
Oracle licenses we need.
Iris enrollment (from Iridian): $4,899 for a single unit! Under 15
seconds per person.
Iris recognition unit (from Iridian): $2,999 for a single unit. You
can be 1 foot away and look at it for a second. Set up for physical security.
Panasonic Authenticam (from Iridian): $239 each (single quantity).
Can be mounted on top of a computer to authenticate user while he is taking
The brain response used by CKA is 100% accurate. The reason
our final accuracy is not that good is due to signal to noise... there is a lot
of things going on in the brain and different people have different signal to
noise ratios. So on any given topic area to probe, the final confidence in the
result (solely because of the signal to noise ratio) is typically 90% to 99.9%.
So if we can reduce the signal to noise of the technique through application of
differential sensors, repetitive tests, etc., we'll get a higher confidence.
Still 90% confidence is orders of magnitude more than what we can get from
manual questioning. In 10 minutes, we can probe about 3 major areas with at
least 90% confidence in each area. So in our worst case scenario, only 1 in
1,000 terrorists would get a clean bill of health. In other words, at a bare
minimum, we've made their job 1,000 times harder. In the more typical case,
each area will have 99.9% confidence. In this case, only 1 in 1 billion
terrorists would escape with a clean bill of health. In other words, in the
most typical case, the terrorists' job just got a billion times harder.
The benefit is huge today, but the potential for improvement is huge as well.
Today, there are only a small number of people focused on the problem. With more
people thinking about the problem, it's likely we'll be able to improve the
signal to noise level dramatically.
Why the FBI isn't pursuing this
The FBI is a big organization. The people who know about the technique
within the FBI, such as Sharon Smith, are not the people involved in the
decision for how to combat terrorism. So unless someone high up in the FBI finds
out about this, it won't happen.
Creating the risk profile
We can create a "security risk profile" for most people in as little
as 10 minutes using a completely automated solution that is 100% automated and
up to 99.9% accurate. In fact, even if this system is only 90% accurate it's
still several orders of magnitude better than what we have now which has close
to zero accuracy in being able to screen out a terrorist. In fact, we couldn't
even stop the terrorists we knew about!
The testing can be completely automated and secure, requiring no human
intervention or training. Machines to do the testing can be built for
approximately $10,000. You just put on a custom headset (much like the new
video headsets from Olympus and Sony)
containing optical imaging to show you various test images, brain-wave sensors
to measure your response, and iris sensors to ensure that you are the person we
are testing. There are also a few biometric sensors at the station to associate
additional biometric data with your identity. A 10- minute screen can tell us whether or not a person has any
"security risk profile" elements at all. Most people will pass the first
screen. A very small percentage of people will require extra testing time in the
areas that showed up in the preliminary screen (the test is adaptive so that it
can probe deeper into any of the areas identified in the initial screen). The few people who fail to
qualify as being risk-free after extra testing time could then volunteer, if they
still want to travel, to be interrogated by trained professionals who
would have face recognition equipment and fingerprint equipment to match these
individuals up with known criminal databases.
We can convince ourselves of the efficacy of CKA over human
security screening very simply. Recall that CKA was able to
correctly identify FBI agents who were posing as "normal" people with
100% accuracy. Do we have any FBI agent in the country who, when given a group
of 20 people, only 1 of whom is an FBI agent, could correctly identify who the
FBI agent is? I don't think so.
We can also convince ourselves of the efficacy of CKA by
looking at the 9/11 attack. We had the knowledge that Osama bin Laden was
planning something big. CKA could have been used to screen for
bin Laden associates. No other technology would have worked for this purpose.
And after the 9/11 attack, we'd like to screen for commercial pilots and
associates of al Qaeda. CKA can do this easily without human interpretation or
intervention. No other technology can.
Because the technique is blind to race, creed, color, sex,
religion, etc. it is not a violation of civil rights. It is, in effect, an
automated way to ask the "security questions" that we are now asking
(and much more) that is cheaper, faster, and 100% accurate. This will actually
increase passenger convenience as well as passenger security because it need
only be done with a 10 minute screen once every two years or more.
The bottom line is that the vast majority of passengers will find this
system both more convenient and more secure than the system we have today! A
tiny percentage of passengers may find the system less convenient (for example,
if they have a strong risk profile, they may be denied access to flights). So we
somewhat inconvenience a tiny percentage of
passengers, and we terrify the terrorists who would have no means of
circumventing the system but would have to rely on having a few orders of
magnitude more people to carry out a task undetected. Is it perfect? No.
Will it make a mistake? Yes. Is it better than anything else we've got?
Here are some key benefits relative to the alternatives (manual security
questioning like El Al):
- It's more secure because 100% of passengers on the plane are
screened by a machine and 100% were biometrically screened before boarding.
It's also more secure since any currently known intelligence risks can be
factored into who gets to board the plane and the number of sky marshals on
the plane can be adjusted to the risk level of the plane. Lastly, it's much
more secure since the computerized security screening is much more accurate
than a human asking the same questions: the computer simply cannot be
fooled. We'd never catch a terrorist with manual screening or by trying to
detect the objects they are carrying. A terrorist's most dangerous weapon is
what's in his head and this system disarms that.
- It's more accurate because everything is done by machine. There is
no possibility of human error. The machines are self-testing as well as
periodically inspected by federal agents. Any tampering would be detected by
the machine and would place the machine offline until a federal agent could
re-certify it (including check-summing the code, etc.). The longer the
testing time, the lower the chance of error (a 10 minute test will catch 999
terrorists out of 1,000).
- It's more convenient because it adds only 1 second to the air
travel process and the 10 minute security screen was done
only once every few years. Most people will be in the no-risk category,
they can enter through the minimum security entrance, while others might have to enter through a high security entrance (e.g., having their items
hand searched, being prohibited carry-ons, or being denied boarding
altogether if the appropriate number of sky marshals are unavailable). The
passenger can be "checked in" at the gate with an inexpensive
biometric sensor so long lines should be a thing of the past. And there is
no more problem with "I forgot my ID" or "I lost my
ticket" because everything is tied to your biometrics. Lastly, those
"arrive at the airport 3 hours early to check-in" can be avoided
since most passengers will be pre-screened (they can do the 10 minute
pre-screen at any time it's convenient).
- It's less expensive because if everyone on the plane is a no-risk,
there is no need for a sky marshal. Also, we'd save the huge cost of
training people to do security screening questions (assuming we were to
implement an El Al-style security screening policy in which each passenger
is individually interrogated). We'd get the equivalent benefit of a 10 hour
FBI grilling with a lie detector on every passenger for a fraction of the
inconvenience and expense. The total system cost for everything is less than
$1B, much of which can be privately financed. Authentication stations can be
set up anywhere at low-cost. Using a wireless PalmPilot, an agent could key
in your ID number, bring up your photo and perform an authentication by
looking at you. In this case, it's done without any biometric sensor at all.
All that is required is an Internet connection. The biometrics are purely
optional for additional speed and accuracy (less likely to make a mistake
than a person doing a visual match).
- It's less intrusive because you don't have to answer any security
questions. You just put on a cap and watch TV for 10 minutes. The profiling
is just a yes/no profile of certain knowledge you have. It is not a
psychological profile and the data gathered cannot be used for psychological
profiling (see more information below)
- It's more private because you can control who accesses your data
and your data is not released to anyone. You just permit your knowledge area
to be judged against the profile of the place you wish to enter. You get to
choose whether or not you want to associate your security screening with
your name, i.e., you can take the test anonymously without providing any
identification. If you are arrested and charged with a crime, the police and
FBI will be allowed to associate a name with your profile (which is not much
different than the fingerprinting they do now when you are arrested). There
are certain benefits to voluntarily associating your name with a profile;
for example, at airport check-in, you wouldn't need to present ID anymore;
you wouldn't need to carry any ID or even remember your ID number. But the
tradeoff of convenience vs. privacy is totally under your control. If you
don't trust the government, don't provide your name when you take the test.
- It's publicly acceptable because the alternative, a 1 hour manual
security screening with an FBI agent with a 2 hour wait is a lot less
palatable than watching TV for 10 minutes, especially if the public has been
educated that it is nothing more than a sequence of "Have you seen this
item before?" questions. Over time, it will become second nature. The
public should love it because most people are legal and would want to be
protected against threats. There is simply no downside to this testing if
you are not a terrorist. You know exactly what questions are being asked
because they are shown to you on the screen. If you don't want to answer,
you can remove the headband. You'd want the government to do this for your
- It could increase your freedom. Today, you cannot carry a pocket
knife on a plane. You can't even carry nail clippers. Even the pilot isn't
trusted with a nail clipper (funny, we let him fly the plane, but we don't
trust him with a nail clipper, isn't is?). Once the FAA is satisfied that
the security screen works, if you have a "no risk" profile (as
most of us will have), we can let you carry the items you used to be able to
carry before 9/11. So your freedoms just got expanded in return for
answering a few questions.
- It's more fair because unlike a human screener, the computer is
completely blind to race, creed, color, sex, religion, etc. The test is
completely objective. There is no human intervention or interpretation. It
is not a psychological profile. The computer cannot determine how you feel
about anything. It is best equated to an automated version of the Yes/No
security screening questions we have today. Essentially, it is nothing more
than a sequence of "Have you seen this item before?" questions.
You may review the questions in advance and you may choose to halt the test
at any time. Your answers cannot be used to incriminate you.
- It would have prevented 9/11 and future 9/11 style incidents. We
knew about bin Laden before the attacks. Had the system been in place, we
could have done a security screen for bin Laden and not allowed more than
one bin Laden knowledgeable person on any flight. Today, we can prohibit
anyone from flying who has any inside knowledge of al Qaeda and specialized
- It aids law enforcement by allowing us to easily capture anyone we want
to talk with or arrest, i.e., it creates a convenient and precise dragnet
for capturing criminals. Suppose the FBI wants to contact someone for
questioning. Or has found a suspect and wants to arrest them. Or maybe they
want to just monitor their movements. Or maybe they have determined that
that person should no longer be allowed to fly or be admitted to sporting
events. This system allows the FBI to do all of this at any place where any
biometric information is used for authentication. Immigration authorities
can use the system to instantly ID whether an individual is a legal
immigrant or not. If all citizens are entered into the database at birth,
proof of US citizenship is no longer subject to fraud. While civil liberties
advocates would argue that this particular application of the system could
be abused by the government, the facts are quite the opposite since the
effectiveness of the system depends upon the cooperation of the
organizations with the scanners, e.g., the ballpark attendant could just
ignore the signal to detain a person. So as long as our society feels that
the balance should be in favor of protecting millions of lives, this will be
an acceptable tradeoff. The system still leaves us in control, not the
- Expanding the use of iris identification can accomplish good things for
good people. The federal iris databank can be used for positive deeds as
well as stamping out terrorism. We could iris scan all infants and parents
at birth making abandoned babies a thing of the past. We could find out of
Chandra Levy really did take a train or a plane from Washington before she
vanished (saving a huge amount of police time spent searching Washington
DC). We could use it to unite children with parents.
- It makes it easier for you to buy tickets to anything. You can buy
tickets to an event at the sports arena over the phone or over the Internet
using your ID number. There is nothing to mail and no ticket to lose. You
then just show up at the "FastPass admission gate," glance into
the lens (or present a biometric associated with your ID) and you're in (it
might then print a ticket for you to show you your seat). Super convenient
and super secure.
- It's extraordinarily difficult for a terrorist organization to "train
around" the test to avoid it. If the test was static, a terrorist
group could avoid detection by ensuring that all of its members had no
knowledge of what was on the test, e.g., if composite weapons were on the
test, the terrorists would just avoid that and teach automatic weapons or
bombs. However, because the content of the video is set by the federal
government and because the specific test given to a person is randomly
selected from a huge list of authorized images, it's impossible for terrorists to
"train around" the test because it keeps changing and is random
and different for each person. In addition, the test can be adaptive,
drilling down in an area that looks questionable. This is exactly like the
El Al security questions (which start general and drill down randomly into
an area). So in order to avoid detection, a terrorist
group would have to avoid teaching any terrorist techniques. And without any
training or knowledge, they won't be very effective.
- It will rarely keep even borderline people from flying if they are
truly innocent. At first, we may end up giving a high risk profile to
people who don't really deserve it, e.g., an FBI agent or SEAL might know
many of the same techniques as a terrorist as well as knowledge of specific
terrorist groups, e.g., training camps, the al Queda motto, the leadership
of al Queda. In these cases, where there might be ambiguity on the standard
screen and where the programmed secondary screen still fails, these people can
go through special screening terminals at the airport that would provide a different and extensive test so that their
profiles would reflect their unique circumstances and backgrounds. The same would be true of
former FBI agents, etc. Still there may be a few cases where people are
given "unfair" security profiles. In this case, they can be
scanned using special programs under selection by specialists.
Another available alternative is that the airline just adjusts the number of
sky marshals that they place on the plane to over power the security risk
profile of the plane. In this way, we minimize the inconvenience of
otherwise innocent travelers while only incurring additional expense when
- It's adaptable to new threats. As new threats are discovered, we
can modify our screening thresholds and/or require people to
"re-certify" on the incremental material. Depending on the
severity of the threat, the re-certification can be required immediately, or
within a 2 month grace window. So any threat, of any level of urgency can be
accommodated using the existing testing infrastructure.
- The timing is good. It will take a couple of years to put all the
pieces in place so that this can be installed in airports. The government
has a wide window in which to "time" the announcement to the
public. In addition, a gradual phase-in period or "test period" at
a single airport will help tremendously. Making travel more convenient with
the new technology should be a major selling point to the public.
- It doesn't have to work perfectly...in fact, may not have to work at
all! Deterrence is based on perception, not reality. It has only to work
well enough to discourage any terrorist from trying to take the test and be
identified. So if the technology doesn't even work at all initially, but
there are "changes" being made "daily" to improve the
system, then how many trained individuals will a terrorist sacrifice to
probe the efficacy of the system? If they get caught a few times, they will
decide to go elsewhere.
Important Note: Instead of just fingerprinting and photographing
people who are arrested, the FBI and local police should also start iris scan
them for rapid identification at airports, etc. Anyone entering the country or
traveling by air would also be entered.
Why most air travelers will find this more secure, more convenient, less
There are many scenarios in which this technology can be deployed to make air
travel both safer and more convenient. The preferred method is that the machines perform an iris scan of
the subject throughout the exam to associate a permanent iris ID to a person.
The iris ID is totally unique, cannot be forged, has a 100% accuracy rate, and
the iris does not change over a person's lifetime. Thus, a person cannot change
his identity. In addition, unlike other biometric techniques, iris data alone
can be used for a positive ID on a person (that means a person doesn't need a
smart card...they just walk up to a terminal, glance into the device for a
fraction of a second, and one second later we know exactly who they are).
Upon completion of the basic 10 minute screen (which tests for all basic
terrorist "risk profiles") or the extended screen, he's issued a card
with his photo, his name, and a 12 digit number (which will call his OneID)
imprinted on the card (this is just a serial number), and the same number is
encoded on the magnetic strip. If he loses the card, the card can be easily
re-issued without an additional test. The card doesn't require a smart chip. No
PIN is needed. No public-key encryption is needed. Of course we can add all
these options and get their associated benefits. The point is that the issued
card is only a convenience to facilitate doing authentication in the field (we
can still do field authentication without the card). We also record other biometric information (fingerprint, hand geometry,
facial features, etc) to associate those measurements with the iris and
"security profile" information. That way, less expensive means can be
deployed to authenticate someone than having to have iris scanners everywhere.
The least expensive would be just the OneID number and pulling up a photo, name
and risk profile on the Internet. The most expensive would be an iris scan. A
midway solution would be to ask for the OneID, verify one or more biometrics
(e.g., hand geometry and photo), and you've got something that's almost as certain (for most practical
applications) as an iris scan for a lot less money per station. If you lose your
card, we just print you a new one; the card itself is completely useless to
anyone but yourself.
We can install an even higher level of security for entrance to the secured
area. At the main security gate we can install iris scanners. These are the same
scanners that were inside our enrollment machines. These are a bit more
expensive, but, unlike most biometric devices, they provide positive ID in 1
second (see other benefits below). So we'll know exactly who went through. We
can only allow passengers who have a flight on that day into the secured area
and only allow non-terrorists through. All in 1 second (since we've already
pre-screened the passengers and we are just authenticating them). The airport
security checkpoint system can also operate totally independently of the airlines
system (just directly accessing the federal database).
How to authenticate people with high confidence using only an Internet
In the previous section, we've described how, once enrolled in the federal
database, we can perform totally flawless authentication with an iris scanner
and nearly flawless authentication with inexpensive biometric devices (some
costing as little as $60). But it gets even better than that. By leveraging our
own ability to do biometric identification (i.e., every person can do "face
recognition"), all we need is an Internet connection to do authentication!
And we can do it all on a device as inexpensive as a wireless PalmPilot (about
For example, if someone applies for a job at my company, I can just ask him
for his OneID number, type it in my web browser, and see that 1) he's registered
in the federal database, 2) his picture matches (i.e., we use humans as
"face recognizers" to provide authentication), 3) his true name
(aliases and name changes are impossible since a given person has only one iris
and thus only one record), 4) whether he is a security risk or not. The latter
is not a privacy violation because (a) we never forced the person to take the
test and (b) the person decided whether to make his terrorist profile public or
private. Of course, if the person hasn't registered, I can choose not to hire
him. And if he chooses not to make his profile known to me, I can choose not to
hire him. We do not force or require anyone to do anything. However, we will
probably make it illegal for a flight school to train anyone with security risk profile above a certain level.
For airport security applications, no OneID card is even required for complete
security! The passenger enrolls in the government database once every two years
(just like you get a driver's license re-test every few years, not every time
you drive). So on a typical airport visit, the passenger shows up at the ticket
counter and tells the agent his "number". The agent enters the number
to view the person's photo. This proves the person is who he says he is to a
degree much stronger than someone presenting fake ID. The airline agent can then
determine, based on the person's risk profile and the risk profile of the other
passengers, whether to allow the person on the plane. If the person is allowed
to travel, their biometric information is "enabled" to board the
plane. Only people which match the biometrics of a cleared passenger can board.
So we can install different types of simple (and cheap... less than $100)
biometric sensors at the gate and scan people when they board (the comparison
job is trivial since your match universe is just the people on the plane). We'll
typically install a few different types of scanners at a gate and randomly
select which one to use.
We can now target our clamp downs to remove high risk people, rather than
shutting everyone out
Another highly desirable property of CKA is that we can
precisely target only those people who are "at risk" without affecting
99% of the traveling public. For example, if the FBI decides there is a
heightened terrorist risk, we just decrease our tolerance so only people with
virtually zero terrorist profiles can board (instead of completely shutting down
airports as we do now). Same is true for crop dusters, etc. (we can enable only
non-terrorist crop duster pilots to fly). We can dynamically tune our "risk
threshold" on a daily basis to react to situations. Even better, since the
profile is done on individual probe areas (such as "knows about composite
weapons", "knows how to pilot a commercial aircraft", "knows
terrorism techniques", "knows about false IDs", "knows
bio-terrorism technology"), if we believe there is a bio-terrorism threat
that is imminent, we can deport/restrict/monitor only those people with a high
If there is a new threat that we haven't pre-screened people for, we can
require them to get their profiles "updated" before they travel again.
For example, if al
Qaeda is just discovered to be a threat, we can tell people to get an
"incremental" security scan to probe for this. They pop into the
booth, their iris is recognized, and they are only tested on the material that
is new since they were last tested, i.e., their association with al Qaeda. While
this is an inconvenience to everyone, the amount of time required per person is
minimal (about 5 minutes for the incremental scan) and it sure beats having to
get to the airport 3 hours early.
The networking, protocols, infrastructure, iris and biometric identification
performance, and so forth are all well established commercially. All of the
identification times cited above are easily doable. For example, Internet search
full text searches of 1 billion documents in a fraction of a second tens of
millions of times a day...the requirements of the system described here are
approximately two orders of magnitude simpler. The only thing that hasn't been shown is
how quickly we can perform our terrorist profiling. Larry estimates 10 minutes
for the first pass. This time may be adjusted to be shorter or a bit longer
depending on how many "risk factors" we want to screen for. Therefore,
we get to decide the balance between terrorist risk and inconvenience. We can
make it short or long.
Is this a violation of civil
We have a curtailed version of the desired security screen in place today:
consent and agree to answer the security questions we are asked when we travel
and the more extensive questions we are asked by customs agents when we enter
the US. So doing a security risk profile on people isn't new. It's accepted here
Some may think this smacks of a huge invasion of privacy to be profiled.
However, it's actually much less an invasion than other things that we've all
done that we never complained about. Note the following:
- Nobody forces you to take the test. It's only required if you want to
travel by air.
- The test does not discriminate on race, creed, color, religion, sex, or
any other attribute. It's totally unbiased.
- You are tested by a machine using an objective test, in areas that are
safety related (it's just an automated, more complete version of those
- It doesn't require knowledge of English. You are just viewing images. So,
unlike written or verbal exams, it is completely non-discriminatory. If we
do show you words, it will be words in your native language (you'll get to
select the language before the test).
- The test results are only available to the general public if you designate
- If you implicitly release your information, by willingly giving out your
OneID number or willingly allow your iris to be scanned, that is totally
Now contrast that with the math exams you were required to take as a kid. You
were given no choice. And those test scores can cause you not to advance a
grade. You were required to submit your SAT scores to the colleges you applied
to. You are required to take a driving test to get a license. You are required
to answer security questions to board an airplane. And how your driving record
is stored in a database and available to peace officers. You are required to
take a civil service exam to become a government employee. You are required to
take a blood test to participate in the Olympics and to get certain jobs. You are required to provide
all sorts of personal information to get a security clearance. Is this any different than
that? We're just saying you need a simple "security clearance" to
board a plane---for everyone's safety, especially yours. People should welcome
this! I know I would feel safer knowing this system were in place. Wouldn't you?
Lastly, associating a name with a profile is strictly optional. Your option.
The system can screen against terrorists just fine even if everyone is
anonymous. It does not depend on knowing your name. Your biometrics can be
completely disassociated with your name. So this system is actually less of a
privacy invasion than having a security officer ask you a bunch of questions
The security officer can associate a name with a profile; the computer need only
associate iris data with a security profile.
Is this psychological profiling in disguise?
No, it's a computerized version of a small number of yes/no security
- Do you have knowledge that only an insider would know about al Queda?
- Do you know how to fly a commercial jet?
- Do you have any skills for taking over a commercial aircraft using force?
So we do NOT ask what knowledge they have. We only ask whether they have
knowledge in certain areas. We don't ask for their opinion. We don't ask how
they feel. We don't ask how they perceive. We don't ask what they like. In fact,
the computer doesn't "ask" them anything at all, but the brain
patterns it looks at are just equivalent to the yes/no questions above. We
cannot tell what they "feel" or their "opinions" about
anything. We only test for the presence or absence of knowledge.
If we get a positive response on any probe areas in our initial screen, the
computer can then automatically tack on an additional screen in that area. We
have to be careful to ask questions that would only be known by terrorists. For
example, if we found that the person knew how to fly a jet, we don't want to
probe whether he works for an airline because a terrorist could be trained on
all that. Instead, we'd probe whether he knew inside details about terrorist
The brain is a one-way storage device. You can "look" like an FBI
agent to the machine by training to acquire everything an FBI agent would know,
but an FBI agent can never "look" like a normal person because he
cannot erase the knowledge that he has (without risk of permanent brain damage).
The system can be designed such that hacking the system is virtually impossible.
For example, all responses from the government database would be signed with the
government's private key and the response would include the request number of
the sender (a 64 bit random number) to guard against a replay attack. Multiple
copies of the database would be available so if one site were attacked, the
government could transmit, via SSL, the IP address of the backup servers so that
service would not be interrupted. In addition, because the cost to replicate the
database is small (we could store 64 bit checksums of iris data instead of the
full data in our backup database), we could replicate the data at each airport
on a local disk. So even if Internet service were disrupted, we could still
authenticate passengers and no unauthorized passenger could sneak through.
Identifying terrorists before they strike
Appendix: (costs, configuration, list of
FAQ on CKA (written by a PhD student at UCSD)
List of endorsers
Response to article