US-Visit, On Time and On Budget

In July 2003, Asa Hutchinson, then deputy secretary for DHS's Border and Transportation Directorate, hired Jim Williams as director of the US-Visit program. He in turn, hired Scott Hastings, the former CIO of the Immigration and Naturalization Service (INS), as the program's CIO.

Their mission: to create the U.S. Visitor and Immigrant Status Indicator Technology system, or US-Visit, an entry-exit system for foreign visitors to the United States. And to do so in six months, under the mandates of the USA Patriot Act.

Williams and Hastings set out to meet these goals: Make sure the US-Visit system did not impede commerce (no long lines in customs), and that it protected travelers' privacy while keeping the terrorists out. Meet the deadline. And use biometrics (a first for a major federal system) to check identities, removing the opportunity to forge documents.

How was the team going to satisfy all these requirements? Hastings' answer: Link existing systems to create the new entry-exit system on time, making trade-offs on some details in order to meet the deadline.

They picked up capabilities from seven existing government applications. Among them are fingerprint databases of suspected and known terrorists used at the State Department when issuing visas to visitors; and Ident, a system used by border patrol agents at the U.S.-Mexican border to collect fingerprints of left and right index fingers, digital photos and biographical data. (In July, DHS said that US-Visit would collect 10 fingerprints from visa applicants at the State Department, while customs agents use the two-fingerprint method.)

As for the privacy of visitors' personal data, Hastings and Williams decided to give international travelers the same protections granted U.S. citizens under the Privacy Act. The act permits only certain agencies to access the data and forbids them from sharing it with other agencies without posting public notices. While Brazil, Japan and China raised concerns when the privacy policy was posted, the outcry was relatively muted.

US-Visit's reliance on existing technology has worked for the entry portion of the system. But the exit portion is still in the pilot stage. Since last summer, 13 airports, including Chicago's O'Hare International and New Jersey's Newark International, and one seaport, Miami's International Cruise Line Terminal, have provided checkout kiosks for departing foreign visitors. Much like the entry system, the exit process requires that a visitor swipe his travel documents in a magnetic reader in the kiosk, place his index fingers on the biometric reader and have a photograph taken. The kiosk links to the US-Visit database to verify that the visa holder and the individual's biometrics match. Visitors get a printed receipt for departure.

The system is voluntary, and Hastings, who declines to cite statistics, will say only that the "compliance rate is lower than we would like."

One solution US-Visit is considering is based on the ultimate legacy systemthe paper I-94 form. On this single sheet, visitors must disclose how long they plan to stay in the country, the purpose of their visit and where they are staying. The form is affixed to their passport, and is returned to an airline or ship representative or to a Canadian or Mexican immigration inspector upon departure. Officials have no departure record for some 20 percent of visitors to the United States. The US-Visit team plans to test the embedding of RFID tags in the I-94 form to better track when visitors leave.

Hastings says he hopes that US-Visit will eventually enlist the help of the airlines in checking identities as departing passengers are processed. But aside from the airlines' financial straits, that will be difficult. An exit system would require new agreements to allow domestic and foreign airlines to exchange information with foreign governments.

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful cybersecurity companies