State Department seeks info on biometric solution for ID vetting overseas
A “Multimodal Biometric Solution” to perform multimodal biometric collection and identification using fingerprints, iris, and facial recognition in support of enhanced security at Department of State facilities overseas, is being explored by the Office of the Chief Technology Officer (CTO) of the department’s Bureau of Diplomatic Security (DS).
Currently, DS utilizes an application called DS Tactical High-Threat Operation Response, or, DS-THOR, which had been used to collect and maintain data only on foreign nationals, and authorized to operate through May 30, 2019. Meanwhile, though, the State Department decided to use the system to collect and maintain Personally Identifiable Information (PII) on US “persons” inside and outside the United States.
Described by the department as “a derivative of the Biometric Automated Toolset (BAT),” DS-THOR is currently being used to carry out DS’s multimodal biometric collection and identification processes at overseas facilities.
BAT was developed by the US Army at its Battle Command Battle Laboratory in 1999 for US Forces in Kosovo who lacked the ability to positively identify Local National Hires (LNH). It was fielded in Kosovo in 2001 to provide a concrete identification capability.
The Handheld Interagency Identity Detection Equipment (HIIDE) system was subsequently developed to be the tactical extension of BAT by way of untethered, portable biometric collection and identification devices.
Today, DS-THOR is a client-server application that’s used to acquire, collect, and maintain identification, criminal identification, crime, and other records which are shared internally within the Department of State to facilitate base access, for established vetting processes, and in support of existing law enforcement and investigative efforts. DS-THOR is also used to record information for fingerprint matching, iris matching, and other searches to verify the identity of individuals in a civil or criminal investigation.
The information collected within DS-THOR is shared externally with various law enforcement and intelligence agencies to establish and verify an individual’s identity.
“Once the information is shared, it is matched against data repositories to establish or verify the identity of the individual processed in THOR,” according to a State Department Privacy Impact Assessment (PIA) regarding DS-THOR issued earlier this year. “Law enforcement and intelligence agencies return results to authorized users. Data can be retrieved in DS THOR by keyword searches, such as applicant name, global unique identifier, [and] transaction control number.”
Further, authorized DS agents, investigators, and analysts — presumably in the State Department’s Bureau of Intelligence and Research — are also able to use DS-THOR to retrieve data based on text queries. According to the PIA, “Internally, DS THOR may share information with Department of State systems and offices with criminal, investigative, and intelligence responsibilities. All related data from such use, according to the PIA, is maintained in DS-THOR in order to provide a centrally indexed repository. Analysis can result in new information about a queried individual based upon the results that are returned by external agencies. An individual’s records can be updated to reflect the findings of the investigation.
Externally, information may be shared with federal, state, and local agencies and other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 or any successor order, applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives.
This includes, but is not limited to:
• Department of Homeland Security;
• Department of Defense;
• Department of Justice; and
• Other agencies and entities involved in national security; US border security, official government business, or federal law enforcement.
The purpose of the Request for Information (RFI) is to conduct “market research on current and near-term multimodal biometric systems capable of collecting and receiving biometric and biographic information,” and to identify those businesses that are capable of performing the functions described in the RFI.
The “market research will be incorporated into CTO’s ongoing process to provide DS with innovative solutions, industry leading capabilities, and opportunities to reduce maintenance expenses,” the State Department said.
According to the State Department, “A major component of THOR is the Enrollment Interface, which is an application locally installed on a user’s Department of State owned computer and used to enroll individuals into the system. Enrollment consists of collecting biographic information, fingerprints (slaps and rolls), iris images, and facial images. The Enrollment Interface also drives the fingerprint scanner and the iris/facial image peripherals via a USB connection.”
The problem with the THOR system, though, the State Department explained, “is … updates to the locally installed Enrollment Interface requires each computer to be manually updated, which is a resource intense endeavor that limits [the] ability to deploy new capabilities.”
The department’s CTO said, “One potential solution is to re-write the Enrollment Interface as a web application so updates would only require changes to a centrally managed server.”
However, the CTO stated, “biometric collection devices typically utilize SDKs, which to our knowledge, would still require an application to be locally installed on an end-user’s computer to serve as the interface between the web application and the biometric collection devices.”
Addressing this challenge is the primary purpose of the RFI and “should be the focus of any response” by interested businesses to the RFI, the State Department stressed.
The following are the “additional constraints” interested parties “should [take] into consideration when responding:
• All software components must adhere to the federal government’s network and software security standards;
• Suggested solution will be required to work within the Department of State’s OpenNet environment;
• Biometric collection peripherals must be FBI certified;
• The application must support Single-sign-on; and
• The application must have configurable role based access controls
The notice of the RFI does not constitute a Request for Proposal (RFP) or a commitment by the State Department to issue a solicitation. “Responders are advised that the government will not pay for information submitted in response to this RFI, nor will it compensate interested parties for any costs incurred in the development/furnishing of a response,” the department said in boiler plate language typically accompanying an RFI.