Airport Biometrics: A Primer (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

1   Biometrics are among the most powerful yet misunderstood technologies used at airports today. The ability to increase the speed of individual processes, as well as offer a touch-free experience throughout an entire journey, is a revolution that has been decades in the making. Biometrics can be a fundamental building block for key aspects of airport infrastructure. However, like many foundations, it must be built on a range of considerations beyond technology— process, human factors, policies, to name a few. Considering biometrics in airports alone would be inappropriate: the technology must also be understood against the backdrop of the use and misuse of emerging technologies. From unlocking a smartphone to the automated recognition of individuals from a library of personal photos, the power of biometric recognition is widespread in our digital lives. At the same time, abuse of powers and flaws in recognition technologies have been widely publicized. Database breaches that enable the misuse of identity information as well as the limitations of certain technology types have given rise to public anxiety about facial recognition. Oversimplification and misunderstanding of technology uses have created an environment where several public entities have elected to outright ban the use of biometrics. Technology firms have reacted by pausing activities leveraging facial recognition conducted in concert with law enforcement agencies as society at large determines some of the parameters to better manage the potential misuse of biometrics. Biometrics in Aviation So where does this leave aviation and the use of biometrics at airports? ACRP Research Report 233: Airport Biometrics: A Primer was commissioned to encapsulate the range of issues and opportunities associated with the use of different forms of biometric identification. The primer is prepared by experts with a deep understanding of technical issues, but also the range of policy and business case aspects that require consideration by those seeking to introduce the use of biometrics for their operation. Three overarching clarifications regarding the primer should be noted: 1. This study is not about mass surveillance: The word “biometrics” is often conflated with mass surveillance. In other words, some in the media and public conflate the use of biometrics in the context of personal identification for individuals who opt in with a model used typically in law enforcement to use video to surveil individuals contrary to their privacy interests. 2. This report could be adapted into a living primer or could be updated: biometrics technology has accelerated significantly over 25 years at airports in the United States and continues to evolve. The concepts described herein are directional in nature, but a living primer could be considered to incorporate overall trends/changes in the future. This report would benefit greatly from an update in due time. C H A P T E R   1 Introducing Biometrics

2 Airport Biometrics: A Primer 3. There are no absolutes: biometrics are also often misunderstood due to the complexity and the number of choices required for an individual deployment. The overall system architecture requires much consideration before effective deployment, which extends beyond details such as the choice of biometrics technology to be employed (e.g., fingerprint, iris, or hand geometry). Objective of This Primer The objective of this primer is to help aviation stakeholders, especially airport operators, understand the range of issues and choices available when considering and deciding on a scalable and effective set of solutions using biometrics. These solutions may serve as a platform to accommodate growth and to address the near-term focus regarding safe operations during the COVID-19 pandemic. Fundamentals of Biometrics Definition of Biometrics Biometrics are biological and behavioral characteristics that can be used in a system to recog- nize someone or verify someone’s identity. Thus, the main purpose of biometrics is to accurately identify individuals, typically in relation to enabling access to a controlled environment. Types of Biometrics The earliest use of biometrics dates from the 1860s, with unique patterns (i.e., dash and dot signals demonstrating behavioral characteristics) used by telegraph operators to identify senders/ authenticate messages. In the past three decades, with the advent of sensor technologies and computing power, automated devices used to identify a person based on certain unique characteristics have proliferated. Biometric identification consists of verifying the identity of a person. One needs to capture an item of biometric data from a person. It can be a photo of their face, a record of their voice, or an image of their fingerprint. This digital biometric is now in a data format that can be stored for use by algorithms. However, biometric data are often stored as a biometric template, where the biometric data are encoded, for instance, as a random sequence of numbers and letters. There are many different types of biometrics that can be used to create unique templates for each individual. Some of the common types of biometrics are fingerprint, iris, facial, and voiceprint recognition. Many of these can increasingly be found in consumer electronics such as smartphones or laptops and are used to unlock devices or to confirm mobile payments. Emerging forms of biometrics include DNA matching, patterns of walking, and other forms of site-specific applications to capture unique traits/behaviors of individuals. A non-exhaustive selection of biometrics is explained in the following. Iris Recognition Iris recognition is an automated method of biometric identification that uses mathematical pattern-recognition techniques on video images of one or both of an individual’s irises, which have complex patterns that are unique, stable, and can be seen from some distance. Facial Recognition Facial-recognition technology can identify or verify a person from a digital image or a video frame from a video source. There are multiple methods by which facial-recognition systems

Introducing Biometrics 3   work, but in general, they work by comparing selected facial features from given images of faces within a database. Facial-recognition technology is also described as a biometric artificial intelligence–based application that can identify a person by analyzing patterns based on facial textures and shape. 3D Hand and 3D Finger Geometry Three-dimensional (3D) hand and finger geometry exploits discriminatory information provided by the 3D structure of the hand, or more specifically the fingers, as captured by a 3D sensor. The advantages of 3D hand and finger biometrics over traditional two-dimensional (2D) hand and finger geometry (more typically know as fingerprints) are authentication techniques, improved accuracy, the ability to work in a contact-free mode, and the ability to combine this form of authentication with facial recognition using the same sensor. Hand Geometry Hand geometry is a biometric that identifies users by the shape of their hands. Hand geometry readers measure a user’s hand along many dimensions and compare those measurements to measurements stored in a file. Voice Recognition Voice biometric technology works by digitizing a profile of a person’s speech to produce a stored model voiceprint or template. The tones collectively identify the speaker’s unique voice- print. Voiceprints are stored in databases in a manner similar to the storing of fingerprints or other biometric data. DNA Matching DNA matching is a complex technique that can be used to identify someone or verify someone’s identity. DNA matching requires highly specialized laboratory equipment and is not readily (or quickly) achieved. Further, techniques that use DNA may offer much deeper and far-reaching capabilities—with extensive research being done to map the human genome stored in our DNA—because someone’s DNA can provide much more information about that person than they are often comfortable sharing, even on a personal basis. DNA can store information about heritage and physical characteristics but also elements related to one’s health such as elevated risks to diseases. For these reasons, DNA matching is not (yet) applied in the airport environment and is not a candidate for biometric applications that require speed and efficiency. Nonetheless, DNA matching is mentioned here because it is used in other areas, such as (forensic) research applications in criminal justice cases, challenges in paternity cases, and in some other cases where it may be used either as a last resort or because of the high accuracy of identification it can provide. Use of DNA for biometric technologies in aviation would most likely occur only in the distant future, partially because the storage of one’s DNA in a database (in either the private or public sector) would likely be subject to legal challenges. Practically, there are various methods for analyzing DNA to establish if two samples are the same or different. These methods are often referred to as DNA fingerprinting. For example, two sample pieces of DNA can be studied in the laboratory to determine if they have portions in common and thus overlap with one another. Combinations of Biometrics At times, one biometric is insufficient, and a combination of is used. This combination raises the level of security and is sometimes used to control access to high-security buildings or areas such as vaults.

4 Airport Biometrics: A Primer Understanding the Differences Between Detection, Matching, Identification, Verification, and Authentication When dealing with biometrics, there are many ways to describe the expected outcomes of the technology. From detection to authentication, each term used has different connotations, from the concept of operations to the application of law. The following terms are described in relation to their use in biometrics: • “Detection” answers the question, “Is a biometric being sensed?” Often, a specific part of the biometric technology is in place only to process from sensors whether a biometric is presented (i.e., is there a finger on the fingerprint scanner? Is there a face in front of the camera? If so, the biometric can be digitally recorded.) Detection does not specify whether a biometric is scanned, used, stored, or retained. • “Matching” is the step that may follow detection of a biometric. In this case, the biometric is scanned, stored at least temporarily (as a template or not), and used for the purpose of comparing with a second (similar type of) biometric. The second biometric must be present or stored in order to be compared and matched. A positive match is when the two biometrics exhibit sufficient likeness to pass a specific matching threshold. • “Identification” answers the question, “Who are you?” The identification process implies using a process of matching a scanned biometric to a set of stored biometrics, with the intent of discovering the identity of the person to whom the scanned biometric belongs. • “Verification” answers the question, “Are you really who you say you are?” The process also implies the matching of two biometrics, one scanned and the other either on file or presented by the same person in the form of a token (e.g., an e-passport). Because both biometrics are presented, verification only aims to prove a positive match between the two, rather than to discover the identity of the person to whom the biometric belongs. In this case, the actual biographic information does not have to be linked to the biometric or stored with the bio- metric. It should be noted that facial recognition is a common type of biometric verification. The difference between facial recognition and facial verification is exemplified for the facial biometric in the following: – Facial recognition is a software-driven application that looks at facial points and contours to analyze and compare two face biometrics and make an attestation of likeness. – Facial verification is considered a form of biometric verification by definition and looks at unique biological characteristics so one’s identity can be verified. • “Authentication” answers the question, “Is this identity credential/document authentic?” This implies the checking or verifying of the authenticity of an identity document or credential; for example, is the passport fake or real? Passports, much like many currencies, have elements and attributes that allow an expert to prove the authenticity of the document. E-passports also have a digital attribute that allows for automated checking of the document’s authenticity (i.e., whether the document is indeed issued by the right issuing party or government). Biometrics are typically not used in the authentication process. • “Validation” is at times confused with verification (or authentication). A slight distinction is important to clarify here: validation looks at whether the specifications that are evaluated are appropriate to accomplish the goal, while verification checks whether the specifications have been met. For example, in the case where a passport is used to verify identity, one checks if the specifications (e.g., the name printed in the passport) match what the person claims his/her/their name to be. In validation, one may conclude that a passport is an adequate tool to verify one’s identity because the characteristics of the passport (printed name in the document) can be used to accomplish the goal of identity verification.

Introducing Biometrics 5   Using Biometrics: What Is the Purpose or Objective? There are three main modes of using biometrics for matching (see also Figure 1-1): • One-to-one (1:1) matching: verifying a biometric based on a previously registered identifi- cation document (i.e., is this really the same biometric as on the identification document?). • One-to-many (1:N) matching: verifying a biometric or identifying an individual out of a large database of biometrics/people (i.e., in case of verification, is the biometric presented also in the database? In the case of identification, to whom does the biometric presented belong?). • One-to-few (1:few) matching: verifying a biometric or identifying an individual out of a subset of a database of people. There are substantial differences between the three types of matching. One-to-one bio- metrics involves, for example, an individual approaching a door or checkpoint and uses a mechanism such as a previously registered template that is compared to a photograph to verify access rights. On the other hand, one-to-many is exemplified through mass surveillance techniques such as those integrated in closed-circuit television cameras for law enforcement and national security. This mode works through leveraging camera technologies to identify individuals who are in view of a camera, often without their knowledge. One-to-few is different from one-to-many because it uses a subset of a larger database to verify or identify individuals. This database is smaller due to a selection process prior to the comparison. While each type of biometric matching has privacy implications, each is rooted in a different technology type. One-to-many requires a substantial amount of data storage and computation power. India and China’s drive toward a mandatory national biometric system will require large amounts of information to be collected and protected to enable recognition of billions of individuals. One-to-few is less computationally intensive because it uses a subset of a larger database. Instead of comparing an image to the whole database, a selection of profiles can be used when it is known ahead of time who will be expected. At an airport, most passengers have booked their flights well in advance, allowing for the potential comparison to the passenger manifest as the population of the “few.” One-to-one biometrics is the least computationally intensive of the modes and has a range of options for data storage, including databases, smartcards, and the microchip on an e-passport. Figure 1-1. The three types of biometric matching commonly seen today.

6 Airport Biometrics: A Primer How Are Biometrics Collected and Stored? Biometrics are typically captured by a camera, a microphone, a scanner, or some other sens- ing device and turned into a digital signal. This signal is then transmitted to a computer chip that can process the signal with software to create a digital code called the biometric template. The biometric template is not a copy of the biometric scan itself, but rather is converted by an algorithm to a unique data file. The critical issue regarding biometric data security relates to the location of the stored biometric templates (see Figure 1-2). It is considered best practice for actual sensor data to be discarded upon creation of the biometric template. The biometric templates are typically stored in a database or on a mobile device or a token. “Token” is the generic term used to describe an item that one can carry with them on which a biometric template is stored, such as a passport, identity (ID) card, or memory stick. This guidebook discusses four distinct types of storage: 1. Locally on a mobile device, 2. On a portable token such as a chip on an identity pass, 3. Centralized on a database server, and 4. Distributed data storage. A locally stored biometric template can only be used on that device (e.g., using a fingerprint to unlock a phone). Biometric templates can also be stored on a database server in a data center. This method is typical for large corporations using biometrics to grant their employees access in office buildings or secured facilities. Storage on database servers comes with a higher risk since multiple templates are stored in one location. Biometric templates can also be stored on a portable token such as a USB drive, an access card, or an e-passport. Finally, biometric templates can be stored in distributed data storage. This method stores biometric templates on a local device and on a server, both of which must be accessed concurrently for authentica- tion. Because of the split nature of this biometric template storage method, hacking is nearly impossible and, therefore, this method is highly secure. Although encryption of the stored data significantly improves security, determining who has access to the encrypted data and how the data are used is a critical issue. With respect to the privacy retention and sharing of personal information, civil liberties groups and the Electronic Frontier Foundation have challenged the need to collect and use facial information. The legal, policy, and privacy aspects related to the collection, use, and retention of biometrics are discussed in Chapter 3. Current State of Biometrics We are in an era of mass adoption of consumer biometrics, with most common devices providing the option of password-based unlocking mechanisms or the use of facial recognition or other biometrics for unlocking. At the same time, several governments have elected to use Figure 1-2. Where a system stores the biometric data is critical in the design, whether it be on a token, on local storage, on a personal device, or in the cloud.

Introducing Biometrics 7   biometric technologies to enforce social order. For example, in Shenzhen, China, facial recog- nition is used to issue jaywalking citations as well as collect fines—all taking place before the individual reaches the other side of the street. Some entities and individuals seek an outright ban on the use of biometrics, which others consider analogous to banning the use of passwords for computers. Accordingly, it is important for organizations to define the range of biometric use cases, respecting laws, regulations, and best practices for privacy-protected interface with passengers, employees, and consumers to ensure that potential risks are proportional to benefits. The privacy discourse to date has focused, in part, on the retention and sharing of personal information. Chapter 2 explores U.S. use cases, and Chapter 3 addresses the legal, policy, and privacy issues. Vision for Biometrics at Airports With the fundamentals of biometrics described in the previous section, this section narrows the scope to the application of biometrics within the airport environment. The current vision for biometrics at airports dates from the late 1990s and accelerated in different phases centered on e-passport adoption in the 2000s as well as alternate forms of storing biometric information in the 2010s. Through this time period, multiple initiatives advanced common interests across stakeholders, including: • The Simplified Passenger Travel Interest Group initiated a discussion among airlines, airports, and governments to explore mechanisms for the implementation of biometrics. • OneID from the International Air Transport Association (IATA) is aimed at providing passengers with a seamless experience, enhanced security for governments, and reduction of costs for airlines and airport operators. • New Experience Travel Technologies (NEXTT) from IATA and Airport Council International (ACI) extends the biometric vision to other use cases for baggage handling on and off airport as well as to applications of artificial intelligence. • The Digital Travel Credential (DTC) standard from the International Civil Aviation Organi- zation (ICAO) envisions new opportunities from its passport standards documents. • The World Travel and Tourism Council’s Safe and Seamless Traveler Journey initiative aims to enable a seamless, safe, and secure end-to-end traveler journey through systematic, biometric-verified identification at each stage of the journey by replacing manual verifications. Broadly, there are also different visions for biometrics among entities in the United States. The U.S. Chamber of Commerce Facial Recog nition Policy Principles, from December 2019, point to “facial recognition technology as an enormous potential to enhance security and safety and enable innovation across a wide variety of sectors including transportation, retail, hospitality, and financial services” (Furlow 2019). The DHS and Customs and Border Protection (CBP) have also articulated a long-range vision for biometrics, as have individual airlines. This vision has four components: 1. Collection of tools: The use of biometric technologies is not simply one mode of operation; it is a family of different tools/devices/storage mechanisms, each with different implications. 2. Trust in identity: From credit card fraud to intercepting imposters, biometrics can provide more trust. This indirectly connects to improved security and safety in the aviation system. 3. Seamless flows: From the promise of a single form of identification, biometrics can ensure that the amount of document fumbling is minimized (passport, visa, health forms, etc.). To simplify the vision of biometrics specific to aviation, the following vision is offered: Biometric technologies are the collection of tools to establish trust in identity, seamless flows, and a touchless airport experience.

8 Airport Biometrics: A Primer 4. Touchless airport experience: From the status of COVID-19 immunization, to other ways of enabling airport retail to function, biometrics can augment minimized contact with disease- transmission media, surfaces, or staff. Interoperability and Scalability With the overall trend of biometrics moving to multi-stakeholder solutions, “interoperability” means a single biometric system that can be used by airlines, governments, or third parties through an airport environment and the ability for identity verification to be used throughout the journey. Other industries can provide interoperability examples to the aviation industry. In banking, for example, there was a point in the 1980s when every bank had a separate system for every ATM. Over time, interoperability became available so that you could use an ATM card from a U.S. bank at a different bank in France. Biometrics are similar but perhaps more complicated due to the potential for future use cases to be added. For example, if an identity verification system is used for airline check-in, the TSA security check, and flight boarding, this is a deployment that could be in place for several years before adding additional phases. Scalability planning dictates a pathway to enable more modules to be added, for example for rental cars, airport retail, or even other uses outside airports. A private third-party that has demonstrated scalability is CLEAR, which offers identity verification as a service through a paid membership. Related to interoperability is the common use of processes, installed systems, and facilities at airports. Common use is often characterized as passengers being able to use self-service kiosks and check-in desks for all airlines at an airport, but the concept of common use applies to a much broader set of facilities and sets a common standard for the design and operation of these facilities. The benefits of common use are as relevant to biometric technologies and solutions as they are to traditional facilities and include spatial savings, time savings (e.g., leading to shorter minimum connection times), and improved passenger experiences. For more on the design, implementation, and benefits of common-use systems and facilities at airports, refer to the ACRP Report 30: Reference Guide on Understanding Common Use at Airports (Belliotti et al. 2010) and to the forthcoming report from ACRP Project 03-52, “Guidelines for Adapting and Managing Airport Common Use Programs.”