A series of challenges in the new year, hosted by the Homeland Security Department's Science and Technology Directorate, will help measure the accuracy of tools...
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
A series of challenges in the new year, hosted by the Homeland Security Department’s Science and Technology Directorate, will help measure the accuracy of tools meant to test the validity of someone’s identity. The sessions will challenge industry to deliver secure, accurate, and easy-to-use remote identity validation technologies. This so agencies can prevent identity fraud when users apply for government services, open bank accounts, or verify social media accounts. For more, Federal News Network’s Eric White spoke to the head of S&T’s Biometric and Identity Technology Center, Arun Vemury.
Interview transcript:
Arun Vermury
For almost a year now we’ve been planning to announce a new technology challenge. We’ve been seeing this significant adoption of what we call remote identity validation technology. So this is things where people might be applying for financial services or applying for government services, or even just opening or kind of doing stuff with social media accounts where they have to take a photo of their driver’s license, take a selfie, to help prove who they are. Some of the things that we’ve seen, there’s obviously these are not devices that are necessarily designed to scan driver’s licenses, right? How well can you take a visible light photo and figure out whether or not the document’s real or not when maybe some of the security features might not be visible? If you take a selfie, how well can the software tell that it’s really a human being and not a photo of a photo? Or a photo of an iPad screen or something like that? And then how well can we actually match that person back to the reference image on their driver’s license? Right? So while there’s a lot of use of this technology, and there’s a presumption that it works, well, we don’t have hard numbers about how well it works, right. And if you think about the federal agency, and DHS in particular, a lot of our job is about understanding and managing risk. So our goal here really is to help get a better understanding of how much risk is present in this situation. And how do these technologies help buy down or reduce risk for applications and use. The other benefit here that we see is by adopting a model similar to what we do with the biometric technology rallies, our goal is to help provide more actionable feedback to industry so that they can then make technologies better. Because at the end of the day, our goal isn’t to say this technology is good, this technology is bad. It’s to have many technologies available, that are really effective in helping to reduce the risks associated with identity proofing remote identity validation.Eric White
I want to just start out by focusing on the remote part of that when you say remote identity validation, I imagine that means out in the field somewhere where this type of tool will become necessary, such as, you know, identifying somebody that you’ve run into, or somebody applying for something in a field office.Arun Vermury
Oh, well, let me simplify. Yeah, you raise a very good point, the word remote can be confusing sometimes. Right? Some people think it means like, at long distances. Some people think it means, you know, at a distant facility or site. In this case, what we’re talking about is can we do this process using commodity smartphones, right person’s own device, right? So somebody has their own smartphone, they want to open up a bank account, they want to check in, you know, maybe apply for some sort of status change with up with a portion of DHS, can we help verify who they are correctly when they’re using their own device so that they don’t have to come into government spaces, they can do this from the comfort of their own home? Or maybe they’re really far from a government office, and they don’t have the ability to travel. So can we extend our services to people and have confidence that the technology is making sure it’s really that person? Not somebody, you know, pretending to be that person?Eric White
Gotcha. OK. And so, in focusing on identity theft in general, you know, in covering government trends and technology issues, I’ve kind of seen that identity theft has kind of taken a backseat to a lot of these other ideas and focuses of federal agencies. And so bringing it back, what is the issue with identity theft that DHS is running into?Arun Vermury
Sure, I guess it’s a little bit more than just identity theft, right? Like these technologies underpin a lot of potential capabilities, right? It’s not just that someone might steal someone’s else’s identity, there are huge potential benefits if we can really extend government services or application, the ability of people to interact with the government or interact with the private stakeholders at a distance right from their own homes, instead of having to go into different facilities. So basically, one of the reasons why we’re interested in this technology is that it’s foundational to so many different capabilities, right? Not only is it how people interact with the government apply for services or benefits, it’s how people interact with the private sector. So it’s not specific to just identity theft. If anything we see this as identity is foundational to almost all interactions you have with people. I mean, short of going down to your corner store and buying a newspaper. Everything else, you know, require, probably requires some some interaction or engagement of who the person is for fraud or theft or for any number of different things, are we extending the right benefits to somebody who’s applying for, for PreCheck. For somebody who’s applying for a government badge or access to a secure federal facility, for somebody who’s trying to do wire large amounts of money from one bank account to another, there’s a lot of different elements here. So we see this as really cross cutting. So while we actually if anything, the DHS’ niche is relatively small compared to the broader sector. So this is where we see that actually, a DHS S&T investment could actually provide a lot of benefit and value to our DHS stakeholders, our federal interagency partners, as well as to the private sector. Because this risk assessment just really hasn’t been done. And that there’s a good reason for that. It’s hard to test like this. If it was easy, people would have already done it. So we’re looking at doing this kind of more robust, more informed testing based on what kind of real attacks we presume to see? So we can better understand how much we’re actually hopefully weather how well these technologies may address and resolve those problems.Eric White
You provide me a perfect segue into my next question, which is the test sessions themselves? I don’t know if I want to call it a challenge, because it seems like this is just more for research ideas. But can you tell me a little bit about the evaluation process that you will be undertaking for these technologies?Arun Vermury
Yeah, sure. So we’re breaking down the overall effort into into three tracks. Right? The first track will be focusing on how well can software take photos, can software that receive photos, a genuine document and come up with the correct determination that it is genuine? How often can we give it a known fraudulent document, and have it determine that it is correctly a fraudulent document, we may also look at what we call document in the loop testing, where you might actually have a physical document in front of a smartphone camera and flip it around, we expect that there might be some proprietary methods out there that look at you know, the the interaction of the device, not just receiving the photo, the second test will focus in on software that takes an input like a selfie image or imagery, and try to figure out is this a real person or not? And we’ll present it real attacks of not real people. And we’ll see how well the software can actually say that that’s not a real human, or that’s not that person in the photo, right? It might be a photo of a photo, we’ll also give it real people, demographically diverse people and say, how well does the software actually say that this is detected a real person is a real person? And do we see differences across demographics, you know, across male, gender, or race or ethnicity or skin tone, things like that. And then we’ll look at the matching process when you try to, you know, verify a person’s selfie photo back to their, their authoritative document to their driver’s license or other form of ID and see how well does that process work? And do we see any sort of difference in performance based off of demographics?Eric White
Got it. And I have to just ask about the angle of customer experience, it seems to kind of play into this because it almost sounds as if you’re not totally concerned? Well, you obviously are. But it’s not so much the fraudulent part of it. But, you know, making it easier for folks that are trying to work with an agency in you know, everybody’s got to fill out the bureaucratic forms, and everything like that, if you can make that process easier for making sure that you properly identify somebody that’s going to go a long way.Arun Vermury
Yeah, it’s really both of those functions. It’s really how much can we detect fraud on the front end, right? And then when, how often will the systems fail? Right? Either because it makes the incorrect determination, or a legitimate user, for some reason can’t actually use the service, right? Because if you could imagine, let’s say that we deploy, you know, somebody deploys some of these technologies. And it let’s say it detects a fair amount of fraud, but then it incorrectly rejects 90% of legitimate users, that really doesn’t get folks the benefits that they’re looking for. So there’s always there’s going to be this trade off between the ability to detect fraud, but then also get the right, get people through the process correctly. And if I can add to that a little bit, you know, the technologies have to be good enough to defeat really smart and sophisticated attackers, but also easy enough to use, where, you know, my grandfather could use the technology and be able to successfully complete it. It has to be really simple to use and very effective for people who are legitimate users, but then also be sophisticated enough to make it really hard for attackers to defeat it. So there’s a careful careful balance to be had there.Eric White
Anything to make it so I don’t have to dig up my birth certificate anytime. Since I’m always for it.Arun Vermury
Yeah, I think one thing that’s really powerful here is actually what we’re doing here. Are with the federal agencies, some of the federal partners that we’re bringing in to help help us out with this effort, because no one of us have all of the necessary expertise to kind of pull this all together between what we’re seeing with documents with fraudulent documents, with some of the the lack of terminology, there’s going to be this is going to be really interesting, because we’re pulling in so many different stakeholders to help evaluate this, I think it’s gonna be very interesting, because of the potential benefits. This not only has to federal government, but private stakeholders. So in my mind, this is kind of really a story of collaboration. And honestly, all of us working within our limited resources and abilities to make a bigger hole than what we each individually could do so we’re really excited about that, we’re going to learn a lot through the process. One thing we don’t know, to be honest with you is, we know that we’re going to do a lot of testing, and we’re probably going to find some unexpected things. And in some cases, we you know, we want to broadly share, we want to make information available to industry to make technology better. But we might find things that might make it easier for attackers, too. So he might have to apply some sense of, you know, figure out what what information might be sensitive there. So we don’t, you know, help people who are you looking to exploit these systems as well.Eric White
And just one follow up that I want to clarify, you’re talking about these technologies, you mean, both hardware and some software applications, you know, I’m just thinking of an app on your phone or something like that, that can help identify and make sure you’re not sending an old selfie of somebody else, or making sure it’s not a screenshot something like that.Arun Vermury
That’s exactly right. I mean, we I presume that the many of the technologies we might look at might be software, purely software based, some things might incorporate a, you know, some component of hardware, right? Like, you could imagine that, you know, if you have an app or software running on a smartphone that’s meant to help support this remote identity validation. Maybe it’s just taking a photo, but the other ones might be looking for motion, or looking at data from the accelerometer on your phone and making sure that yeah, it looks like it’s being held upright and not you know, pointing it’s like completely still on pointing at the screen. So they might be took looking at different sensors within the device to help figure out if it’s actually appears to be a genuine transaction versus someone who’s kind of set up a more of like a pipeline or a process to just flash different photos on a screen and figure out which one’s going to be beat the system.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED