The Private Sector Tackles Public Access Control
Who in that long line at the airport should not be allowed to get on the plane? Looking for that person has cost all of us countless hours since the Sept. 11 attacks. Isn’t there a better way?
Private and public office buildings that require access control security have done a reasonably good job managing employee access. But what about screening the vendors and contractors that deliver packages, pizzas, furniture and other services to buildings? Many local, state and federal facilities, especially, need a tough, consistent system for vendor access control.
The recent controversy over the sale of port operations to an Arab company has raised the public profile of port security. How can a sprawling, busy port manage access to its critical facilities and help prevent terrorist attacks?
These three challenges illustrate the need for better access control in facilities that move hundreds, if not thousands, of employees, vendors and visitors in and out every day. The access control solutions to these challenges have key components in common: thorough background checks and biometric authentication of identification badge ownership.
REGISTERED TRAVELER AND VERIFIED ID PASS
Three years ago, entrepreneur and Court TV founder Steven Brill wrote a column for Newsweek and identifying a security problem with access control to venues where large numbers of people congregate, such as sports arenas, downtown office buildings and transportation centers, for example. He suggested developing “some kind of credible but voluntary nationally accepted identification card. The card need not be a government program. It could be issued by private companies licensed by the federal government, which would strictly regulate the card’s standards and use.”
Cardholders would undergo background checks against criminal databases and watch lists. The card would also contain a biometric identifier to ensure that the person presenting it was the real owner.
The key to the idea was that people would give up some privacy — voluntarily — for access control privileges. Brill liked the idea so much that he decided to build a business around it. In 2003, he founded Verified Identity Pass Inc. (VIP) in Orlando.
About the same time, the Transportation Security Administration (TSA), an arm of the Department of Homeland Security (DHS), was wrapping up a series of five pilot tests for a Registered Traveler program designed to reduce time spent in airport security lines. TSA issued a request for proposal that asked private companies to describe how they might create and manage an economically practical Registered Traveler program at the Orlando Airport. VIP and its equity partner, Lockheed Martin Corp. submitted a proposal. So did a competing team composed of Unisys and EDS.
VIP and Lockheed won the award and opened for business in Orlando on June 21, 2005. Within a week, 2,000 people had signed up for the service, which costs $79.95 per year. By February of this year, 15,000 frequent travelers had signed up to use Orlando’s ClearLanes, as the service is called. Tens of thousands more memberships had been purchased by Hyatt Hotels and Resorts, which intends to use them as perks for their most loyal guests.
VIP had also announced plans to set up ClearLanes in San Jose, Indianapolis and Sacramento airports upon receiving TSA approval.
VIP members sign up by stopping at a ClearSpace kiosk in the airport, completing a form using the kiosk’s computer and providing two biometric identifiers: prints from two fingers or a fingerprint and an iris pattern. Registration takes less than 10 minutes.
The kiosk sends the information to TSA, which conducts background checks. If the check does not find anything, Verified Identity Pass issues a smart card to provide access to a ClearLane security lane anywhere in the country. A cardholder presents a card to a scanner at the head of the lane and provides a fingerprint or iris scan to prove that he or she is the actual card owner. Upon authentication, the cardholder moves through the security lane.
A ClearLane looks like other security lanes, except it is not as crowded. It has X-ray machines for carry-on luggage, metal detectors to screen out weapons, and security guards to run the show. TSA pays for all of that.
What is the benefit? Cardholders will move faster because there are fewer people in line. In addition, the company plans to install new technology, at its own expense, to speed cardholders on their way. “GE has developed a shoe scanner that we’re going to put into our lanes at our expense,” Brill says. “So our members won’t have to take their shoes off.”
General Electric must like Brill’s idea. In mid-February, the company made a $16 million investment in VIP, offering support for Brill’s contention that the idea is not just for frequent travelers. “We’re talking to ferry operators, office buildings and sports arenas,” he says. “But first, we will have to get a critical mass in given cities. If, for example, we had the airports in New York City, then lots of people would have cards. Then we could use that when talking to other markets.”
WHAT TO DO ABOUT VENDORS
Last year, Wayne Truax got fed up. Chief of physical security and safety at the U.S. Coast Guard headquarters building in downtown Washington, D.C., Truax suspected that vendors entering his building were not screening their employees properly. Often they used inexpensive online services that could not provide the level of detailed screening Truax wanted. “Several times last year someone failed a background check for being a sex offender,” he says. “Each time, the person would say ‘that is not me.’ And when we checked, it wasn’t. If they were identifying people as criminals who were not, I wondered how many criminals they were missing.”
Truax asked around about vendor access control systems and traveled to nearby Fort Lewis to look at one called RAPIDGate, which is provided by Eid Passport Inc., Portland, Ore. He liked the system and wrote a request for quotation around its features.
He wanted a system with a standalone registration station that would not burden his security officers with taking photographs, collecting biometrics and producing badges. He also wanted a supplier that could solve the problem of background checks.
Controlling vendor access control is complicated by the fact that many vendors get contracts and then outsource the work. “Government may not know the vendors performing the work,” says Steve Larson, chairman and CEO of Eid Passport. “An agency may sign a contract with a company, and then the company will sub out to a company that subs out the work and so on. Eventually, you have no idea whether or not you are doing business with a legitimate company or one with a line to terrorism.”
Eid’s vendor program begins with vetting companies and principals, including the companies actually performing the work. Next, Eid screens the employees that will provide the services: truck drivers, delivery people and construction crews, who are usually subcontracting that work. To Truax’s complaint about slipshod background checks, Larson responds: “All companies have access to the same data, because it is public information. A few companies do a better job than others of acquiring the data and warehousing it. Those are the companies you must deal with for reliable background checks.”
The Eid background check for the Coast Guard includes a 10-year felony background screen and other criminal screens, including a check against terrorist and sexual offender watch lists.
If the company checks out and if the employee background checks are acceptable, RAPIDGate issues an identification badge to the vendor’s employee. In general, the system works this way: Guards at participating RAPIDGate facilities scan the badges using wireless handheld units to retrieve the employee information. The guards evaluate the information and grant or deny access. The process requires only a few seconds to complete. The handheld units can also verify fingerprints during periods of elevated security.
At the Coast Guard facility, Truax has integrated the RAPIDGate database into the building’s access control database, allowing vendors entering through the lobbies to scan their cards at turnstile readers. To date, the program has enrolled 73 vendor companies and 249 of their employees. According to Eid, RAPIDGate’s benefits include providing vendors with the ability to move more efficiently in and out of customer facilities.
How has the system worked for the Coast Guard? “I know that in the past, our contractors were hiring people off the street,” Truax says. “RAPIDGate has stopped that. In addition, the quality of workers we were getting then is not nearly as good as now. I have stood in our lobby and watched people come in to register at the kiosk we have set up in the lobby. They will come to certain questions and get up and leave without hitting submit.”
ACCESS CONTROL FOR FLORIDA’S PORTS
Since last May, Bellevue, Wash.-based Saflink Corp. has been constructing the Florida Seaport Gate Control System, which is to be installed at each of Florida’s 12 deepwater seaports.
The half-million-dollar project will eventually install up to 1,035 access control readers that would manage physical access by way of identification badges and biometric fingerprints.
Florida’s specifications for the work were developed in concert with TSA’s Transportation Workers Identification Credential (TWIC) program. TWIC has not been finalized, according to Michael Frederickson, senior director of hardware development with Saflink. A series of pilot programs officially ended last summer, and TSA was expected to submit a final ruling on what TWIC would be. But that has been delayed.
“Meanwhile, ports have a lot of security concerns and want to move forward,” Frederickson says. “Florida has passed legislation saying we will move forward.”
The access control problem at a port facility includes dealing with terminal employees that come to work every day, while also accommodating populations of truck drivers and vendors that may show up every day, a few days a week, or a few days a month at several different ports.
“Right now, many port facilities check drivers’ licenses and perhaps a paper document,” Frederickson says. “It’s a time-consuming manual process, and you cannot really be sure if the individual coming onto the site is who he or she says and that they do not present a terrorist threat.”
Like other public access systems, the Saflink plan will enroll companies and people, include background checks carried out by state personnel and issue smart card credentials with photographs and biometrics.
A key feature of this system is that Saflink is designing it to work at all 12 Florida ports. When an individual receives a card, he or she must then register at each of the facilities. Once registered, an individual can move quickly in and out of the facility.
But when a driver leaves Florida and goes to Georgia, the old manual system will prevail. The driver will have wait in line to show a driver’s license and paper documents and receive clearance to enter.
The TWIC concept aims at solving this problem. “And that has been a problem,” Frederickson says. “Who pays for the enrollment? Who pays for the supporting infrastructure for the nationwide system? Florida is buying our system. But that may be unusual. In other states, it might be the terminal managers or the individual ports. This is what has to be worked out.”
As biometric authentication has matured, it is delivering a technical solution to the problem of controlling access of hundreds and thousands of people to large numbers of public or quasi-public facilities.
Granted, financial questions remain. So do questions about privacy. It also remains unclear whether any of these ideas can scale up to a national level. Nevertheless, the need for public access control solutions has given rise to a host of innovative solutions. The final answer may be some combination of these emerging ideas. Or another concept that no one has thought of yet.