CIO — Early in the morning on Jan. 5, 2004, Gloria Quevedo, who had just flown all night from Chile to Atlanta, walked up to Customs and Border Protection (CBP) and became one of the first foreign visitors to the United States to undergo biometric screening. Newspaper and television reporters—as well as Department of Homeland Security Secretary Tom Ridge—witnessed the historic event. Quevedo’s fingerprints were scanned, her identity verified, and her name checked against numerous databases to make sure she wasn’t a suspected terrorist or criminal. Foreign visitors at 114 other airports and 14 seaports would undergo the same kind of screening that day.
More than 600 miles away in Washington, D.C., the man who helped guide the development and implementation of the new system was sitting nervously at his desk, in constant communication with the help desk and other IT staffers in the field. Scott Hastings, CIO of the US-Visit program, knew that a major glitch in the system (which had been fielded in less than six months) could give the department a black eye. US-Visit, which stands for the United States Visitor and Immigrant Status Indicator Technology system, was one of the primary measures Congress had identified after 9/11 to protect the nation against terrorists.
If the system failed, it would be a public relations disaster. Biometrics had never before been used on such a large scale, and US-Visit needed to prove not only that it could identify miscreants but also that it could protect the privacy of innocent travelers and process them in a reasonable amount of time. Otherwise, the program risked doing serious damage to tourism and international relations.
But on Jan. 5, all went well. An agent greeted Quevedo and swiped her visa through a magnetic reader, accessing her biographical data and a photo from a State Department database. Then the agent took her picture and Quevedo placed her left and then right index fingers on an inkless glass plate, which scanned her fingers. To confirm her identity, the system matched that scan with those collected when she was issued her visa. Her biographical data and fingerprint scans were also checked against watch lists that include suspected or known terrorists. Within seconds, the answer came back: No match. After answering some routine questions, Quevedo was allowed to enter the United States. As were 35,000 other visitors that day.
"The sense of relief was palpable," says Hastings, recalling the mood of his team at the time. "It was a ’cross the fingers every single day’ job." The US-Visit team had met its first deadline with no hiccups. And within its $380 million budget.
Hastings and his team would also meet the next deadline as they deployed the entry screening system to the nation’s 50 busiest land border crossings in January 2005. And later this year, Hastings says, the program office expects to meet yet another deadline by deploying the entry screening system to the remaining 115 border crossings. Of course, as Hastings and others acknowledge, the true measure of success for US-Visit will be keeping terrorists out of the country. In addition, the US-Visit team has yet to develop that portion of the system that verifies that a foreign visitor has left the country when he’s supposed to. As a result, CBP still doesn’t know whether visitors from other countries are overstaying their visas, as some of the 9/11 hijackers did.
While some officials have hailed US-Visit as a rare government IT success story, others are not so charitable. In February, a DHS inspector general report concluded that US-Visit met "only the bare minimum" for checking foreign visitors. The report noted that the system checked only about 3 percent of all foreign travelers to the United States, because many travelers (primarily Mexicans with Border Crossing Cards and Canadians, who don’t need visas) are not required to be screened by US-Visit. In essence, US-Visit seems to be fulfilling its initial mandate, but critics say it needs to do more.
Another internal report, which the Justice Department released in June, found that almost 32,000 individuals on the government’s terrorist watch list had been erroneously classified by US-Visit at the lowest level of security handling, which means CBP officers who encounter these individuals are not required to detain them. And the program recently came under criticism for mistakenly detaining 35 crew members from foreign airlines arriving in the United States. In addition, the Government Accountability Office, the independent watchdog agency for Congress, has repeatedly criticized US-Visit for not following standard program management disciplines, such as developing a strategic plan and tracking costs and benefits.
"Success depends how you measure it," says Randy Hite, the GAO’s director for IT architecture and systems issues, who conducts oversight on the US-Visit program. "If you don’t commit to what you are going to do and how you will measure it, you can declare success on whatever you choose to measure."
Hastings acknowledges that getting a workable screening system in place on time meant making trade-offs in standard project management practices, in documenting what was done and in measuring the ROI. He says he didn’t have time to do the kind of strategic plan that might have enabled the US-Visit team to build the most comprehensive solution possible. He also didn’t have time to build a new system using the latest technologies. Instead, to meet its deadline, the US-Visit staff was forced to cobble together a bunch of legacy applications and networks. The system will need repeated code changes as new requirements are added. In short, the US-Visit program is currently the sum total of all the compromises that deadline pressure made necessary.
"This violated every rule in how you do systems development," Hastings acknowledges. "But you’ve gotta compromise, and you’ve gotta break rules."
No Time to Lose
In the weeks after the 9/11 attacks, Americans looked to their government to respond quickly. In October 2001, Congress passed the USA Patriot Act, which called for (among other things) the creation of a system for checking the identities of foreign travelers entering the United States and for verifying when they left, a so-called entry-exit system. The Patriot Act also set a strict timetable for delivery: By Dec. 31, 2003, the government was to deploy such a system to 115 airports and 14 major seaports. By Dec. 31, 2004, the system had to be expanded to the 50 busiest land border crossings, which process nearly 90 percent of the 240 million people who cross the U.S. border from Canada and Mexico every year.
But before an entry-exit system could be built, let alone deployed, Congress had to create the Department of Homeland Security, a merger of 22 federal agencies. Government executives had to be hired, and security clearances had to be conducted. Consequently, work on the entry-exit system did not begin until the summer of 2003, by which time DHS had just six months to meet its first deadline.
In July 2003, Asa Hutchinson, then deputy secretary for DHS’s Border and Transportation Directorate, hired Jim Williams as director of the US-Visit program. And he hired Hastings, the former CIO of the Immigration and Naturalization Service (INS), as the program’s CIO. Williams and Hastings quickly met with Ridge and Hutchinson. Hastings recalls that they discussed the program’s goals, including making sure the system did not impede commerce (no long lines in customs), and that it protected travelers’ privacy while keeping the terrorists out. One of the only requirements that was not negotiable was the deadline, five months away. Hastings and Williams assured Ridge the project was doable.
After meeting again with Ridge a few weeks later, Williams informed Hastings and the US-Visit team that the secretary wanted the system to rely on biometrics to check identities, removing the opportunity to forge documents. Biometrics had yet to be successfully deployed in a major government-run system, and the privacy concerns were huge, especially in foreign countries where (like the United States) fingerprinting was seen as a practice reserved only for booking criminals.
In late summer 2003, Williams and Hastings set up a war room on the 17th floor of US-Visit headquarters in Arlington, Va., where the staff, consisting of no more than a dozen people, could meet. The team concluded that it needed a working prototype to test by mid-November.
One thing was immediately apparent: The staff would not be able to follow typical program management practices. Some steps would have to be done in tandem rather than sequentially, such as testing the system while conducting system design and development. According to the GAO, some processes were left out completely, such as documenting the system ROI.
"Given the deadline and resources, this was the only way to do it and still meet the letter of the law," Hastings says.
Hastings knew the team would catch heat for not following proven project management disciplines as, indeed, it did. "We thought the criticism was fair," Hastings says, "but we had no choice, and we knew we would have time later to correct some of the shortcomings."
The team also realized that it could not develop a lot of new systems. Certainly, the outdated infrastructure in U.S. ports would have to be replaced, including installing more than 3,000 new desktops (the old ones had Windows 95 operating systems) or replacing the CBP officers’ green-screen monitors. New biometric readers and digital cameras also had to be installed. The networks at the ports, running on aging cables and routers, had to be consolidated and upgraded. But new technologies such as Web services (which would remove the need to code individual links to multiple databases) were out of the question. The looming deadline forced Hastings to cobble together a system by integrating applications from four independent agencies.
Fortunately, Hastings already had intimate knowledge of the systems the INS used to fingerprint immigration violators and to store travelers’ arrival and departure information. And he had already tapped a small Department of Justice team that had been working on an older entry-exit system required by a 1996 law. (That project was languishing due to lack of funding and attention.) The eight people working on that system were transferred to US-Visit. The staff eventually absorbed program managers and IT staff from around DHS and from other departments, such as the State Department, involved in international travel and commerce.
The group mapped out what it would call a federation of systems—a network formed of legacy INS, customs and State Department IT systems. The team looked for systems that were embedded in existing business processes. (The team knew that the deadline would not allow for reengineering those processes, which would require retraining agents.) The systems had to be scalable so that they could be expanded to hundreds of ports. Ease of integration was a requirement as well, as there was no time for a lot of new programming. The systems also needed to be fast (so that travelers could be cleared quickly).
Seven applications were identified as the core of the new system, including the Advance Passenger Information System, a decade-old mainframe system operated by the U.S. Customs Service that contains arrival and departure manifest data, and the Consular Consolidated Database, a State Department system that stores information on visitors who hold or have applied for a U.S. visa. (See "US-Visit Components" for a complete list of the seven networks.)
Hastings knew he could not afford the time to develop configuration management processes or traceability matrices for software development to determine if in fact every business requirement had been delivered. He had to trust that systems managers were applying the proper procedures to make sure the systems stayed operable and that the data was protected and not corrupted.
"We felt [Secretary Ridge] expected us to deliver immediate capability," Hastings says. "We had to get it right" the first time.
Two Versus 10 Fingerprints
One of the biggest problems still hadn’t been solved. How was the team going to satisfy Ridge’s requirement to use biometrics without bogging down the immigration inspections process?
Hastings felt he had one alternative, and it again required relying on a legacy system. For more than a decade, border patrol agents along the U.S.-Mexican border had been using a system known as Ident to collect fingerprints, digital photos and biographical data from people they encountered during enforcement activities. INS had begun to make the system interoperable with an even larger FBI fingerprint database containing 47 million fingerprint records of suspected and known felons.
The knock against Ident, however, was that it used only two fingerprints for identification, the right and left index fingers. Critics argued that using only two fingerprints makes matching less accurate. It also allows criminals (and terrorists) to foil the system by altering those two fingerprints. Lawrence Wein, a Stanford University professor, testified before Congress that by using the two-fingerprint method, US-Visit would be able to identify terrorists only 53 percent of the time.
But Hastings again had to make a choice. There was no time to develop a system based on 10 fingerprints and also meet the 15-second turnaround time the team believed it needed to keep the inspections process moving expeditiously.
The team also knew that even before visitors are issued a visa to come to the United States, the State Department searches a fingerprint database of suspected and known terrorists and felons. All the US-Visit team needed to do was make a one-to-one match with the State Department database of issued visas, people known to have passed the initial screening.
Hastings acknowledges that if US-Visit had had the time, it would have developed a 10-fingerprint system so that the program could more easily integrate with the FBI database. In July, DHS Secretary Michael Chertoff announced that US-Visit would begin collecting 10 fingerprints from visitors when they enroll in the program, which occurs before the State Department approves an application for a visa. CBP agents will continue to use two fingerprints to match against the State Department database to verify visitors’ identities when they arrive in the United States. But Hastings says if biometric technology improves, CBP agents could begin making 10-fingerprint matches in the future.
Privacy Iceberg Dead Ahead
Technological challenges aside, Hastings and Williams knew the whole program could be brought down if they failed in the privacy area. A public outcry in 2003 killed the Total Information Awareness system, a network the Defense Department had begun working on after 9/11 to identify possible terrorist activity by sifting through Americans’ personal information—e-mails, telephone records and credit card transactions. (See "Poindexter Comes in from the Cold") And Congress, responding to public pressure, also delayed the Transportation Security Administration’s Computer Assisted Passenger Prescreening System II (Capps II), which would have used an airline passenger’s name, address, phone number and date of birth to retrieve his credit and banking history and conduct a criminal background check.
Americans were clearly on guard about their personal information. But would foreign visitors trust the U.S. government to protect the privacy of their biographical and biometric data?
Hastings and Williams knew they had to do something dramatic, and so they decided to give international travelers the same protections granted U.S. citizens under the Privacy Act. The act permits only certain agencies to access the data and forbids them from sharing it with other agencies without posting public notices. Ari Schwartz, associate director of the Center for Democracy and Technology, a privacy advocacy group, says extending Privacy Act protections to international travelers was a decisive move because the law is among the most protective in the world. Invoking it "helped ease a lot of concerns," he says.
That didn’t go over well. The Brazilian foreign minister said his country would begin fingerprinting and photographing U.S. citizens traveling to Brazil if the United States implemented biometric screening of Brazilian citizens. Japan asked the United States to delete Japanese visitors’ fingerprints and photos once travelers have left the United States. And China demanded that the United States stop fingerprinting its citizens, calling the action discriminatory and a violation of human rights.
But, all in all, the outcry has been relatively muted, and the screening program seems to have had no impact on tourism. The total number of people arriving in the United States increased 12.7 percent in the first quarter of 2005 over the same period the previous year, according to monthly statistics collected by the Office of Travel and Tourism Industries.
US-Visit’s reliance on existing technology has worked for the entry portion of the system. But the exit portion has yet to progress past the pilot stage. That’s because there is no formal process, and no IT system, for tracking when a foreign visitor leaves the country. DHS estimates that as many as 40 percent of all illegal immigrants to the United States arrive here carrying a legitimate visa but end up overstaying.
Congress had mandated that a fully functioning entry-exit system be in operation by each of the stated deadlines. But Hastings says it would have been impossible to fully develop the exit portion of the system given the program’s deadlines.
To figure out what to do, US-Visit has developed a pilot project. Since last summer, 13 airports, including Chicago’s O’Hare International and New Jersey’s Newark International, and one seaport, Miami’s International Cruise Line Terminal, have provided checkout kiosks for departing foreign visitors. Much like the entry system, the exit process requires that a visitor swipe his travel documents in a magnetic reader in the kiosk, place his index fingers on the biometric reader and have a photograph taken. The kiosk sends the information to the US-Visit database to verify that the visa holder and the individual’s biometrics match. A receipt is printed informing the visitor that he has been processed for departure, which the visitor keeps for his records. But the system is voluntary, and Hastings, who declines to say what percentage of foreign travelers to the United States use it when departing, will only say the "compliance rate is lower than we would like."
One solution US-Visit is considering is based on the ultimate legacy system—paper. Every foreign visitor carrying a visa has to fill out an I-94 form, also called the arrival-departure record. On this single sheet, visitors must disclose how long they plan to stay in the country, the purpose of their visit and their temporary address in the United States. The form is affixed to their passport, and is returned to an airline or ship representative or to a Canadian or Mexican immigration inspector upon departure. While most visitors return their I-94 forms when they leave, officials have no record of departure for some 20 percent of visitors who enter the United States each year. To better track when and if a visitor has left the country, the US-Visit team plans to test the idea of embedding RFID tags in the I-94 form. (See "Tag, You’re Leaving")
Hastings hopes that US-Visit will eventually enlist the help of the airlines in checking identities as passengers are processed for departure. But given the airline industry’s financial straits, that will be difficult to do. In addition, an effective exit system would require new international passenger and transportation agreements to allow domestic and foreign airlines to exchange information with foreign governments.
"This is an area in which there is not much to build on," Hastings says.
The US-Visit program has its work cut out for it for the foreseeable future. Hastings would like to give his team a well-deserved breather. But they have another deadline to meet in less than four months.