National Academies Press: OpenBook

Airport Biometrics: A Primer (2021)

Chapter: Chapter 5 - System Design and Information Technology Architecture

Suggested Citation:"Chapter 5 - System Design and Information Technology Architecture." National Academies of Sciences, Engineering, and Medicine. 2021. Airport Biometrics: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/26180.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

System Design and Information Technology Architecture

Summary

This chapter focuses on the IT architecture related to biometric technologies and solutions. First, the focus is on the variety of types of biometric credentials, choices for storage of biometric data, and different biometric interaction touchpoints such as e-gates, camera-on-a-stick, kiosks, and walk-through tunnels. Thereafter, the chapter identifies and explains five distinct IT architecture models to illustrate how these options tie together, with a real-world example of each to demonstrate its use case.

A secure digital biometric identity credential will bring many possibilities and advantages for passenger processing. Nonetheless, the supporting IT architecture design faces a larger challenge with more stakeholders because interoperability and scalability become more complex. With stakeholders in multiple countries, those countries’ respective privacy laws also have an impact on the design. On the other hand, with ICAO DTC, an international standard is being developed to create common technical specifications that allow technologies to interact smoothly while abiding by multiple nations’ (and states’) laws and being software-, hardware-, and vendor-agnostic.

Although the U.S. market is big enough for the broad application of biometric systems such as the TVS, U.S. stakeholders might want to consider compliance with future global standards. U.S. stakeholders that invest in systems that are or can adapt to interoperable systems now may be challenged to change later when a global standard is adopted. In other words, where there is a development of a range of different systems, country-specific and extraterritorial application are the norms that will need to be contended with in the future.

Introduction

One of the challenges of a biometric implementation is assessing the IT architecture and associated business cases that can drive the ROI equation. Various drivers, such as the existing IT architecture at an airport, meeting performance standards and requirements, and the delivery of the desired objectives, may greatly affect that equation. Many airports are challenged with implementing biometrics because of the scale of the capital investment and the technical know-how required, as well as the complexity of meeting stakeholder requirements and achieving alignment and trust.

This primer is not meant to be an all-encompassing standard guide for technicians; rather, it provides senior management and executives a comprehensive introduction to the most important concepts and acquaints them with the typical issues covering a range of business risks. By business risks in biometric rollouts, the authors mean:

• Will the capital program be right-sized for the objectives?
• Are performance specifications (false-accept/false-reject rates, speed) adequate to meet the desired customer experience?
• Are there risks/vulnerabilities that are introduced by the range of privacy and cybersecurity issues?
• To what extent is scalability built in during the first year versus life-cycle reinvestment in future phases?

For implementation of biometric projects, it is important to pay attention to performance, risks, and scalability issues because of the different types of facilities. Age of existing assets, sunk costs that may form part of the business case, and localized makeup of the travel market can greatly influence the direction of biometric project definition. For instance, airports with a population of a low number of passport holders will require more emphasis in their IT strategy on the enrollment of passengers. Other airports using current technologies such as fiber-optic infrastructure backbones will have an opportunity to leverage existing investments.

This chapter discusses key lessons learned related to technology architecture and airport facilities. Invariably there will be more detailed technical expertise needed, and there will be local program requirements that will need to be addressed. These challenges are best solved by project teams that systematically create technology solutions, detailed designs, implementation programs, and rollouts. Use of this chapter will enable airport management to address some of the most important questions and considerations to evaluate what is required, understand the risks, and evaluate various investment scenarios.

What Is Information Technology Architecture?

At any airport, the IT architecture describes the IT software, IT platform, and IT infrastructure components, as well as how these are designed to work together. The software is the applications, computer programs, and data that drive the airport’s processes, passenger services, and operational systems. The IT platforms are the operating systems and middleware on which the software runs. As for the IT infrastructure, or hardware, these are the actual computers, network cabling, servers, switches, and other physical equipment that are needed for the IT system to function properly.

But in addition to these software, platform, and infrastructure components, the IT architecture describes how these are designed to work together in a framework of principles. The IT architecture principles include, for example, technology standards, policies, and guidelines. In order to have a well-functioning IT system that is able to meet the airport’s needs, the IT architecture must be well-designed, maintained, and upgradable when needed.

With airports developing rapidly over time, especially with more technology solutions being implemented in airport processes, services, and systems, the IT architecture should be aligned with the airport’s business/strategic direction, supporting transitional requirements in support of future technology needs. With every airport being unique due to its demography, size, location, culture, and other factors, IT architectures are designed to best match the airport’s needs.

When it comes to implementing biometric technologies and solutions, existing IT architectures are often redesigned to incorporate these new biometric hardware and software components and updated principles. For new airports, the IT architecture can be designed from the ground up.

Key Takeaway

IT architecture is composed of the IT software, IT platform, and IT infrastructure components, as well as the IT architectural principles that describe how these different components are designed to work together.

Summarizing:

• The IT architecture software is made up of the applications, computer programs, and data that drive the airports’ processes, passenger services, and operational systems. Examples of biometric software are the mobile applications or programs used for access control with a fingerprint and check-in via facial recognition.
• IT architecture platforms include the operating systems and middleware. Operating systems such as Microsoft Windows, Apple OS, and Linux are common examples seen on today’s laptops and personal computers. Larger IT systems might run on cloud-based platforms such as Amazon Web Services or Azure. When platforms host sensitive biometric data, it can be important where the platform is located since it might be in a different country. Middleware is the collection of software that is needed to run certain software or applications.
• IT architecture infrastructure is the hardware components such as computers, network cabling, servers, switches, and other physical equipment that are needed for the IT system to function properly. Biometric IT infrastructure components may be, for example, a fingerprint scanner, a camera that is used for facial recognition, or a self-service kiosk with biometric capabilities.
• IT architectural principles should be defined in a solution-free manner. This means that the principles are not prescribing any technology, software, hardware, or solutions but only act as criteria for the assessment of the different options when choosing specific solutions or technology. Examples of principles are (1) include privacy by design, (2) use modular components instead of monoliths, (3) performance is more important than cost (or vice versa), (4) stability is more important than innovation, and (5) user experience is most important.

Designing Airport IT Architecture for Biometrics

When designing airport IT architecture that incorporates biometric technologies or solutions, several generic architecture models can be chosen as a starting point. In considering the different architecture models, it is good to take note of several factors that influence the architecture model choice.

Governance of the IT Architecture

When designing and implementing IT architecture, the right governance model must be taken into account. A governance model appoints roles and responsibilities to enterprise architects, solutions architects, product managers, product owners, design thinkers, and procurement experts who orchestrate all the developments in line with the design and upgrading of the IT architecture.

Single-Party or Multi-Party Technology Solutions

One of the first main crossroads that the airport/airline/government finds itself at is the choice between two general options:

• A single-party biometric technology solution is typically the best choice when the airport aims to create a system that services only the one airport, thus leading to IT architecture that supports the operations for a smaller user group with fewer stakeholders.
• A multi-party biometric technology solution provides interoperability between multiple stakeholders, often across multiple countries or locations (airports), which thus greatly increases the complexity of the IT architecture. The national Digi Yatra system, which uses the Indian government’s Aadhaar database (see Chapter 2), is such a solution, where all airports and airline stakeholders are to be users of the countrywide solution.

Stakeholders

Stakeholders are important in determining the feasibility of a concept in a real-world environment. Private- and public-sector stakeholders must collaborate to pilot a prototype, apply iterative development methodologies to demonstrate its value, and seek continuous feedback from each other to adapt accordingly. The use of an iterative approach encourages the necessary paradigm shift among stakeholders and establishes an environment for large-scale adoption. Each airport will have a unique mix of stakeholders affecting the IT architecture in a similarly unique way.

Existing IT Architecture

Implementations of biometric technologies and solutions need to align with the existing IT architecture. The existing IT architecture may not be ready to support biometric additions and, thus, should be assessed.

Airport Size

The airport size has a direct impact on the IT architecture and the type of (biometric) services to be considered. Due to some IT infrastructure components having a limited range, large airports will need a different and more extensive network topology to connect hardware over longer distances.

Funding Options

Throughout the world, there are major funding gaps and insufficient budgets to maintain assets and their IT architecture, which can lead to a higher risk to public safety. Therefore, airport operators may need to evaluate their mechanisms to fund capital and maintenance expenditures. Other mechanisms, beyond the traditional methods, include the following:

• Public–private partnerships can be an effective way of transferring life-cycle costs of infrastructure off public-sector budgets while simultaneously creating investable assets for the private sector.
• There should be a regional approach to infrastructure rather than direct funding from a country’s government. This is especially true as urbanization transforms many of our global cities into mega-regions, requiring broad and interconnected infrastructure systems.
• Dynamic pricing is a usage charge policy that can increase revenues and ensure the efficient use of infrastructure assets. This policy can be linked to peak-hour congestion fees and passenger facility fees during peak travel times.

Depending on the funding, the IT architecture design may need to be selective with regard to what is hoped to be achieved, or it should be expandable in its design and incorporate more generous flexibility for future expansion.

Biometric IT Architecture Infrastructure Components

In the implementation of biometric technologies and solutions, there are three design choices that have the largest impact on the actual physical infrastructure components or the hardware of the IT architecture. These are:

1. What biometric credential to use?
2. How to store biometric data?
3. How do we design the interaction of the passenger at biometric touchpoints?

Key Takeaway

There are various IT aspects that need to be considered when implementing biometric technologies and solutions, from the type of credential, how it is stored, and how the interaction at touchpoints is designed. These choices greatly affect the hardware components of the IT architecture.

Often, technology specifications of infrastructure, communication protocols, and other details such as how data are stored are left to the designer of the system, which in many cases is the vendor of the technology solution. Nonetheless, choices that an airport, airline, or government makes related to performance, envisioned use, and interoperability have a significant impact on which infrastructure components should be considered. Also, these choices can have significant capital impacts, such as upgrading existing infrastructure or replacing various components to address legacy issues and new technology standards and performance. For that reason, it is good to be familiar with the following considerations:

• Type of biometric credential: The credential is an object or data structure that authoritatively binds an identity to an authenticator. This can be done via one or multiple authenticators, such as a biometric. Examples of physiological biometrics are one’s face, fingerprints, hands, and irises. Examples of behavioral biometrics are one’s signature, voice, and keystroke. The selection of the biometric affects the choice of the type of credential and inherently affects the IT architecture.
• Type of storage for biometric data: The type of storage, in this case for the storage of the biometric data, opens the discussion of data ownership, location, and protection against data theft or misuse. Biometric data can, for instance, be stored in a database (locally or over the Internet in the cloud) or they can be stored on one’s own smartphone or on an access card or token. The type of storage chosen affects how passengers can use their biometrics in the airport processes, services, and systems, and how the IT architecture is to support those uses.
• Type of interaction with passenger/customer/user at biometric touchpoints: There are several types of touchpoint hardware (e.g., kiosks, e-gates, camera-on-a-stick) that may facilitate the interaction of a passenger/staff member with the biometric technology and solutions. The choice of type of interaction affects which infrastructure components are used and, thus, the IT architecture.

Biometric Credentials

A biometric credential is an object or data structure that authoritatively binds an identity—via an identifier or multiple identifiers—to at least one authenticator owned and controlled by a subscriber (passenger or airport staff). The following credential types are discussed in this section:

• E-passports;
• Cards, tokens, or passes;
• Digital credentials (of three types); and
• Government-issued identity cards.

E-passports

The most evident globally accepted process for verifying a person’s identity is a physical passport that is issued by the passport holder’s home authority. The first standardization of the details on a passport was developed under the auspices of ICAO in 1980. Standardization included the person’s image; a standard-format, machine-readable zone; and the passport holder’s biographical information. The identity of a person can be verified by border officers manually by comparing the person to the image on the passport.

In 1998, the format was upgraded with the introduction of an embedded electronic microprocessor chip (hence e-passport), which could contain both biographic and biometric information. The e-passport uses contactless smart-card technology, including an embedded radio-frequency identification chip. The passport’s critical information is printed on the data page, repeated on the machine-readable lines, and stored on the chip with a country-specific digital signature.

There are now more than 100 countries that issue e-passports (see Figure 5-1). The digital signatures are unique to each country and can be verified by using the originating country’s respective certificates.

A digital signature on an e-passport is authenticated by the issuing state’s security certificates—the Country Signing Certification Authority (CSCA) Certificate and the Document Signer Certificate. Together, the signature and certificates form a trust chain wherein the CSCA certificate is securely anchored in the authority of the issuing state and the Document Signer Certificate is securely stored in the chip of the e-passport as the Document Security Object.

To validate an e-passport at an international border, the border control system retrieves the Document Security Object from the chip. The CSCA certificate can be derived from the ICAO Public Key Directory, which is a database maintained by the ICAO to facilitate the secure, online sharing of information between states. Certificates, however, can also be exchanged through a bilateral exchange process.

The data elements that are contained on the chip of the e-passport are the biographic details of the passport holder and an encoded digital photograph. An e-passport contains additional data fields for fingerprint and iris data. The actual storage of this biometric data on the e-passport is optional and depends on the individual country’s legislation and policies.

Cards, Tokens, or Passes

A token system (portable) uses a smart card or a fob to store biometric data. This means that your fingerprint, once captured, is stored within the token. The benefits of storing biometric data on a portable token are that it need not be transferred over a network for verification purposes, and this reduces the risks that can come with network-related vulnerabilities. When using this method, users need to present their card or fob and then their biometric data as a two-step authentication process.

Digital Credential – Self-Sovereign Identity

The most recent development in biometric passenger processing is the concept of self-sovereign identity (SSI). An SSI is owned by the individual just like a physical passport. As owner, the individual has access to, can refer to, and can share components of this identity at his/her discretion. While certain components of the identity are established by issuing authorities (e.g., passport number, bank details), the individual must consent to the sharing of his/her identity and any related data. This is achieved by individuals securely storing their own identity data on their own mobile devices and providing it on request to those who need to validate it.

Just as with the format of the e-passport, the New Technologies Working Group of ICAO has recently published guidelines for developing these digital travel credentials, titled the “Guiding Core Principles for the Development of a Digital Travel Credential” (ICAO 2020). The ICAO working group defined four basic criteria with which the credential needs to comply:

• It should be produced from a travel document issuing authority;
• It should be capable of being supplied unaltered to verifying entities in advance of the traveler’s journey or arrival;
• It should be globally interoperable to ensure that it can be used for different use cases; and
• It needs to be easy enough to use and provide enough benefits for broad adoption by travelers (ICAO 2020).

The DTC workgroup is opting for a hybrid credential, which is a combination of a virtual credential (biometric template) that is linked to one or more physical credentials (authenticators). The credentials could be stored in a remote system, such as a database or web server, and the authenticator could be an e-passport, smart card, or mobile phone.
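
The validation sequence described in the E-passports section above (trusted CSCA certificate, Document Signer Certificate, signed Document Security Object, chip data), as an added Go example that is not part of the primer. It assumes a simplified security object in place of the CMS SignedData structure real chips carry; every key, certificate, and data group is constructed, and all type and function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SecurityObject is a simplified Document Security Object as read from the chip.
type SecurityObject struct {
	DGHashes             [][]byte // one SHA-256 hash per data group
	Signature, DSCertDER []byte   // Document Signer signature and certificate
}

func check(err error) {
	if err != nil {
		panic(err) // the constructed demo PKI could not be built
	}
}

// hashGroups returns the SHA-256 hash of each data group, in order.
func hashGroups(dgs [][]byte) (hashes [][]byte) {
	for _, dg := range dgs {
		sum := sha256.Sum256(dg)
		hashes = append(hashes, sum[:])
	}
	return hashes
}

// mustIssueCert makes a self-signed CSCA (nil parent) or a Document Signer cert.
func mustIssueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CSCA root
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// mustSign plays the issuing state: hash the data groups, sign the hash list.
func mustSign(dgs [][]byte, ds *x509.Certificate, dsKey *ecdsa.PrivateKey) *SecurityObject {
	hashes := hashGroups(dgs)
	digest := sha256.Sum256(bytes.Join(hashes, nil))
	sig, err := ecdsa.SignASN1(rand.Reader, dsKey, digest[:])
	check(err)
	return &SecurityObject{hashes, sig, ds.Raw}
}

// validate plays border control: CSCA -> Document Signer -> signature -> data.
func validate(so *SecurityObject, dgs [][]byte, trusted *x509.CertPool) error {
	ds, err := x509.ParseCertificate(so.DSCertDER)
	if err != nil {
		return fmt.Errorf("parse document signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ds.Verify(opts); err != nil {
		return fmt.Errorf("document signer not issued by a trusted CSCA: %w", err)
	}
	if err := ds.CheckSignature(x509.ECDSAWithSHA256, bytes.Join(so.DGHashes, nil), so.Signature); err != nil {
		return fmt.Errorf("security object signature invalid: %w", err)
	}
	for i, h := range hashGroups(dgs) {
		if i >= len(so.DGHashes) || !bytes.Equal(h, so.DGHashes[i]) {
			return fmt.Errorf("data group %d does not match its signed hash", i+1)
		}
	}
	return nil
}

// demo validates a genuine chip, an altered photo, and a CSCA missing from the trust store.
func demo() (genuine, tampered, untrusted error) {
	csca, cscaKey := mustIssueCert("Constructed CSCA", nil, nil)
	ds, dsKey := mustIssueCert("Constructed Document Signer", csca, cscaKey)
	dgs := [][]byte{[]byte("DG1 constructed biographic data"), []byte("DG2 constructed photo")}
	so := mustSign(dgs, ds, dsKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(csca)
	return validate(so, dgs, trusted), // genuine chip
		validate(so, [][]byte{dgs[0], []byte("DG2 substituted photo")}, trusted), // altered photo
		validate(so, dgs, x509.NewCertPool()) // trust store lacks this CSCA
}

func main() { fmt.Println(demo()) }
```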

Figure 5-1. Countries that issued biometric e-passports as of mid-2019. Source: ICAO n.d.-c. Note: PKD = public key directory; MRP = machine-readable passport.

Any credential being developed will eventually need to be embraced by governments, industry, and citizens and accepted throughout the world, which is an inherently complex undertaking that will take time. With the recent COVID-19 experience, travel documents may need to incorporate health certificates, and consideration of this is needed in the development of the DTC. This requirement could increase the need to develop a global solution.

Digital Credential on a Mobile Device

Smart mobile devices provide a platform for individuals to carry and provide a digital credential that is trusted with a unique ID number that resides on the device. This allows the individual to provide a digital credential in place of a traditional physical credential. It also offers the same functionality of a physical credential when accessing a secure or controlled area.

Digital Credential in a Blockchain

Distributed ledgers, such as blockchains, are a developing technology that is proving to be adaptable across industries, providing cost-effective and secure real-time (data) transactions between two parties. The data stored are secure and immutable by design because the data transferred are recorded and verified by all the different participants or computers (called nodes) in the system (thus the term “distributed”). This creates a database of data records that offers transparency and traceability.

In many biometric identity solutions that utilize blockchain technology, it is not the actual credential that is stored in the blockchain, but rather a record of successful verification of that identity. These records are called “verified claims of identity” and can be shared as proof of verified and authentic identity.

These solutions often connect through an untrusted medium (e.g., the Internet) and thus require a secure connection and strong authentication (of the device, software, user, environment, and so forth). Due to their complexity, implementation is often achieved with the involvement of specialized technology partners.

Government-Issued Identity Cards

Identity cards are issued in many countries, while some countries are still discussing their implementation. These cards can also contain biometrics, much like the e-passport.

Biometric Data Storage

There are various forms of storage that can be used, and they will work with more than one mechanism to deliver the desired solution. In this chapter, the following storage mechanisms are discussed:

• Centralized server or in a local data center (on premise),
• Secure cloud in a remote data center,
• Mobile devices such as smartphones, and
• Distributed databases and ledgers.

Centralized Server or Data Center

A centralized server is one way to store data and allows biometric technologies and solutions to access data at any location connected to the server. In some cases, the centralized server only offers connections to the systems at the airport, not outside it. In cases where the server is connected to the Internet, it is susceptible to a cyberattack. To reduce the risk of the server being breached and the data stolen or copied, the data must be encrypted when stored or transferred over the network. The issue with encryption is deciding where encryption keys will be stored and who will be trusted with their access. With the implementation of data and privacy protection, there are increased responsibilities for managing and securing data.

Secure Cloud

The use of biometric security systems in cloud computing is progressively increasing. In general, storage in the cloud comes with a separation of responsibilities when it comes to maintenance of the IT systems. The cloud provider, such as Amazon Web Services, Microsoft Azure, or Google Cloud, is responsible for maintaining the underlying hardware, software, and security, and the entire cloud provider’s organization is aimed at reaching the highest levels of security and performance in this. No single organization can reach the same amount of security and quality offered by these providers. The client organization, such as an airport or its supplier, is solely responsible for the configuration of the storage of the data, and the trouble of hardware, software, and network maintenance is taken out of its hands.

Biometric security systems have the potential to take cloud computing to the next level as they guarantee an extremely high level of security and ensure that the rendered services are accessible to only legal and authorized users and no one else.

There is a clear distinction between cloud service providers and the customer. Breaches of data in the cloud are not typically breaches of the underlying cloud provider’s infrastructure. To make a cloud secure, it is vitally important that responsibility be shared. Customers are responsible for securing how they use the cloud services, including properly configuring identity and access management, storage and computation settings, threat analysis and defense, and the security of the application and data processed and stored in the cloud.

Cybersecurity for centralized server solutions and cloud-based services is the protection of IT-connected systems from cyber threats.

Mobile Devices Such as Smartphones

Biometric data can also be stored on the end user’s device. This is most common with smartphones that use touch ID fingerprint sensors. On-device storage can be used to store biometric data through a chip that holds the data separately on the device’s network. When storing the data on the authentication device itself, the organization implementing the biometric verification process does not have control over it or the ability to copy the data and is also not liable for the theft of large databases with personal data.

Distributed Databases or Distributed Ledgers (Blockchain)

Public blockchains are a collaborative creation, with their goal being to create a world that is completely decentralized and where the ownership of digital assets is always protected and transferable. Blockchains can concurrently achieve high security, decentralization, and scalability. The core value of blockchain technology is not to provide rudimentary data services (like the decentralized database) but to build a new system of digitized data assets and automated trust services. The global blockchain updates its state autonomously, and data are traceable to their source. Data contained in a blockchain are immutable, which supports privacy concerns when personal data need to be stored.

In contrast, a distributed database is centrally managed by a service provider. The goal is to create a logical center that can provide efficient, low-cost services with great scalability. The core value of a distributed database is to supply data storage and access services to business systems, focusing on the analysis and retrieval processes.

Biometric Touchpoint Interactions

Travelers are required at various points in their journeys to interact with various customer-facing biometric solutions. Some of these biometric interactions (e.g., e-gates, camera-on-a-stick, kiosks, and walking through gate or tunnel) are already commonplace in many countries. This section describes some system architecture implications related to the operations of these different solutions.

There is a major debate on the optimal technology types to use for flow control. E-gates are the prevailing methodology used outside the United States to control flows. Several U.S. airlines and CBP, on the other hand, prefer the camera-on-a-stick method. Both require staff intervention to some extent, such as when dealing with exceptions when an e-gate does not open and monitoring a successful passage through a visual/audible signal from the camera-on-a-stick model.

E-gates

Automated e-gates at checkpoints with the capability to use biometric technologies for the verification of identity or granting permission for entry by scanning a biometric (credential) are by now common solutions at airports. With an e-passport, the e-gate can be used worldwide at border control checkpoints for customs, immigration, and emigration, allowing for automated self-service border crossing.

The e-gate might use the data stored in the chip of a biometric passport to verify the user’s identity. Travelers undergo biometric verification using face, fingerprint, or iris recognition, or a combination of modalities. In some locations, systems such as Global Entry (in North America) are used for verification. Functionality can be extended so that the e-gate can authenticate the signature on the e-passport against the origin country certificates, read the biometric image, and match it with the person in front of the barrier (1:1 matching). After identification, the person’s details can be digitally vetted according to the national border control checks and procedures.

Typically, e-gate biometric identification and verification will provide a two-gate option, allowing the traveler to cross a border with no ability to return unless following and meeting the entry or exit criteria of the country. Automated e-gates used for boarding usually have a single gate system where a traveler presents a boarding pass to board a flight. This type of e-gate is controlled by the team responsible for managing boarding issues and incorrect boarding procedures.

After positive identification and authentication, there is no need to store the passenger’s data in a database. Since the data are stored on the passport and not in a database, passport bearers are the keepers of their own data.

The advantage of an e-gate is the ability to manage flows with a device that physically obstructs passage if there is no biometric match to confirm identity. In other words, e-gates serve as a mechanism similar to the payment system gates used for mass transit. The disadvantages are that e-gates are bulky and require more planning around wiring and data, as well as the life-cycle wear-and-tear of gates.

Camera-on-a-Stick – Gateless Interaction Point

The point of interaction is where biometric identification or identity verification can take place without the passenger needing to go through an automated gate. Currently, these points are, in many instances, manned by ground agents or airline representatives, but they still offer the opportunity to increase security performance and decrease processing times. Many different applications can be designed to be incorporated in a totem (a contactless interface panel that can use facial recognition and can be either free-standing or integrated into a gate or kiosk), the most common being the camera-on-a-stick method, which refers to the camera being used for facial recognition.

The advantages of the camera-on-a-stick, from the point of view of CBP and some airlines, are that the overall capital cost is low and the biometric processes are integrated with other customer interactions. For CBP officers, it is the questioning of passengers; for airline agents, it is a face-to-face customer-service driver to help with additional services.

There are some clear disadvantages: a camera-on-a-stick model is less bulky physically but negates the full passenger self-service potential. In other words, to truly get hundreds of passengers through without the need for staff time is much harder if the concept of operations is built on front-facing passenger interaction. Moreover, with social distancing measures and reduction of face-to-face time for customer service, there is also a realignment of how to use methodologies that do not require a gate. A hybrid model may be developed that uses a wayfinding approach to direct passengers to Point A if successful and Point B if a biometric match has not been achieved. In so doing, the bunching up of people is minimized, and there are methodologies to ensure that individuals are not routed to the wrong location.

Kiosks

The typical choices available for passenger check-in are via mobile phones, airline desks, and kiosks. Kiosks provide self-service devices that are simple to use and convenient, making it possible for passengers to check in any time on the day of departure. The next generation of kiosks is being tested by various airports and airlines. These kiosks include sensors to help with touchless check-in using touchless infrared technology. Robotic biometric kiosks are also being used to alleviate congestion at check-in areas.

Contactless check-in via a smart device remotely and at the airport may be used to print boarding passes (if necessary) and baggage tags at kiosks. Check-in with a smart device or website may be done to obtain a boarding pass and provide personal details, including passport information. There is an increased focus from airports and airlines on enhancing existing processes with touchless options using passenger smart devices, and the introduction of biometrics through smartphone cameras is also a possibility. Alternatively, using on-device biometrics based on Apple iOS or Android systems to confirm identity is a methodology of SSI that can limit the amount of transmission of information but still validate individual identity.

Walking Through a Gate or Tunnel

This technology is being tested in various airports, allowing passengers after enrollment to clear immigration in seconds by walking through a defined path (e.g., a touchless gate or tunnel). Iris biometric technology is used to authenticate each passenger, ensuring that queuing is eliminated.

IATA OneID or Seamless Flow

The IATA OneID concept envisions an end-to-end travel journey where passengers enroll with their biometric details prior to each journey and are then able to pass several processing steps (e.g., check-in, bag drop, security, border control, boarding, and even airline lounge entry and duty-free purchases) by simply showing their faces. The concept aims to include the departure and arrival processes at both the destination and origin airport. In addition to smooth processing of passengers, the system can also recognize and differentiate passenger personas and provide services tailored to those personas (for example, for priority or disabled passengers).

IATA has been working on this initiative for 15 years, with the aspiration that its solution can be adopted initially in markets struggling with capacity. The rollout of OneID has seen several pilot projects; however, a wider adoption will take time. A more detailed description of the complete system can be found in Appendix M.

IT Architecture Models

Introduction to Five Models

This chapter identifies and compares five different models, focusing on the enrollment, verification, data facilitation, and authentication of the various credentials that were used for the categorization of the case studies of biometric implementations in Chapter 2. Literature often references at least two types of model: a per-trip model and a per-life model, where the differences are obvious. In the first, the system architecture aims not to retain information such as biometric data much longer than necessary past the duration of one completed trip. In the latter, enrollment or the retention of information is for a much longer period, in this case for life.

A distinction added to these two main models, due to the trends of focusing more on privacy protection, data storage, and the governance of the system, is whether the system architecture facilitates biometric data to be governed by the passengers themselves, by a third party, or by an authoritative party such as a local or national government. This results in the following five models (see also Table 5-1):

Model 1: Identity as a service – a centralized, government/authority model
Model 2: Identity as a service – a centralized, third-party model (not bound by national/state borders)
Model 3: Per trip – a semi-federalized model
Model 4: Per life – a federalized model
Model 5: Per life – a federalized model with SSI

Model 1: Identity as a Service – Centralized, Government/Authority Model

The government-driven model is a centralized approach to passenger and data facilitation.
The government establishes and verifies the traveler’s identity and serves as the identity management service provider to other stakeholders within the airport system.

This model does not depend on formal traveler enrollment or adoption because the government uses centralized databases of pre-verified own nationals’ and foreigners’ biometrics (facial) to authenticate travelers. No further data are collected, and no booking information is integrated to create a digital identity.

The core platform is a cloud-based biometric matching service. The government can extend this to private-sector providers as an identity as a service (IDaaS), which provides a scalable, secure, and seamless solution that easily integrates with providers’ systems through web-based application programming interface (API) connections. On arrival at any journey touchpoint, a traveler’s image is captured by facial-recognition technology (e.g., e-gate, stand-alone facial-recognition cameras) and sent to the government verification system for authentication; a match result is then returned to the travel provider.

The government-driven model demonstrates applicability and implementation success at touchpoints across the airport system. Any traveler providing consent to participate experiences a streamlined journey without having to enroll in advance. The core challenge with this model is legislative restrictions that prevent the extension of IDaaS beyond its current mandated realm. As a result, there may be limitations when attempting to integrate car rental services and hotels into a model that was developed and approved for use only in the airport/governmental system.

Key Takeaway

The five IT architecture models discussed here differ predominantly in terms of (1) who owns the biometric data, (2) which entity is responsible for the verification of the passenger’s identity, and (3) how long biometric data are stored.

Table 5-1. Comparison of models.

| | Model 1 Government/Authority | Model 2 Third Party | Model 3 Per Trip | Model 4 Per Life Federalized | Model 5 Per Life SSI |
|---|---|---|---|---|---|
| Example | e-passport* | CLEAR | Happy Flow | Digi Yatra | DTC on blockchain |
| Enrollment | | | | | |
| How to enroll | Every 5–10 years, at a government location outside the airport | Once, at airport | Every trip, prior to check-in at or outside airport | Once, at government location outside airport | Once, on a personal device, verified by a government agency |
| Ability to opt out | Yes | Yes | Yes | Yes | Yes |
| Data (biometrics/biographic) used | Biographic, facial, fingerprint | Biographic, facial (iris) | Biographic, facial, flight information | Biographic, facial (iris) | Biographic, facial |
| Type of hardware used | Government enrollment office or online | Kiosk | Kiosk or on a personal device | Government enrollment office or airport kiosk | On a personal device |
| Type of software and architecture required | Government cloud platform | Cloud-based orchestration platform | Cloud-based orchestration platform | Government cloud platform | Distributed ledger |
| Enrollment process | Apply or renew before expiration | Online plus CLEAR enrollment center or just CLEAR enrollment center | Check-in kiosk or counter | Register with central system, validate ID at start of first trip at registration kiosk | Download app and upload information |
| Retention period | Period of validity | Life of the credential, until one’s membership terminated | Length of a trip, or limited number of hours after departure | Per life | Per life |
| Integration of reservation data | Separate | Integrated | Separate | Integrated | Integrated |
| (Biometric) Verification of Identity | | | | | |
| Where in biometric journey it is required | Check-in, bag drop, security, border, e-gate | Security/border/boarding | Check-in, bag drop, security, border, e-gate | Check-in, bag drop, security, border, e-gate | Check-in, bag drop, security, border, e-gate |
| Verifying party | Airline, airport, government | Third party, government | Airline, airport, government | Airline, airport, government | Airline, airport, government |
| Data (biometrics/biographic) used | Facial | Facial (iris) | Facial | Facial (iris) | Facial |
| Hardware used | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate |
| Software required | Facial recognition on orchestration platform | Facial recognition on cloud platform | Facial recognition on local template database | Facial recognition on cloud platform | Facial recognition on orchestration platform, mobile DTC application |
| Method of verification | Picture of face (live) matched to stored biometric on the physical credential | Picture of face (live) encrypted and sent as photo/template to third party for matching with on-file biometric | Picture of face (live) matched to stored biometric on personal device or temporarily on airport system | Picture of face (live) encrypted and sent as photo/template to government for matching with on-file biometric | Picture of face (live) matched to biometric on personal device (verified by issuer of digital credential) |
| Data facilitation | | | | | |
| Type of platform | Local or cloud-based orchestration platform | Private cloud-based orchestration platform | Local template database and orchestration platform | Cloud-based orchestration platform | Orchestration platform, distributed ledger, and mobile DTC app |
| Storage of data at location | Government, airline, and airport servers (temporary) | Private, airline, and airport servers | Temporary: airline, airport servers; records of immigration, emigration may be kept by authorities | Government server | Blockchain, records of immigration, emigration may be kept by authorities; all stored data are immutable. |
| Connectivity through | Application programming interface (API) | Platform | API | API | Ledger |
| Data and privacy protection | Laws governing government data retention and protection | Laws governing commercial companies’ data retention, use, and protection | Privacy by design integrated | Laws governing government data retention and protection | Privacy by design integrated |
| Authentication of credential | | | | | |
| When in journey? | Check-in, bag drop, security, border, e-gate | Security/border/boarding | Check-in, bag drop, security, border, e-gate | Check-in, bag drop, security, border, e-gate | Check-in, bag drop, security, border, e-gate |
| Authenticating party | Government | Third party | Airline, airport, government | Government | Airline, airport, government |
| Data (biometrics/biographic) used | E-passport, facial | E-passport, facial (iris) | E-passport, facial | E-passport, facial (iris), digital credential | Digital credential (on mobile device), facial |
| Hardware used | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate | Kiosk/e-gate |
| Software required | Orchestration platform connecting to government authentication service | Orchestration platform connecting to government authentication service | Orchestration platform connecting to government authentication service | Orchestration platform connecting to government authentication service | Orchestration platform connecting to blockchain API |
| Method of authentication | Scan of e-passport for check of authenticity of certificate of issuing authority | Third party checks authenticity of identity documentation upon registration | Authenticity of identity documentation (e-passport) checked upon enrollment | Government is issuer of digital identity and checks the authenticity of identity upon enrollment. | Identity documentation authenticity checked upon enrollment, stored on blockchain as verifiable claim |

*Specific requirements may differ slightly by country.

Example: Border Control Authorities

Various border control authorities across the world use an e-gate or kiosk that supports biometric microchip passports:

• France: Charles De Gaulle Airport allows citizens from the European Economic Area (EEA), Andorra, Monaco, San Marino, and Switzerland to use the PARAFE gates. These gates can only be used by citizens aged 18 or over and holding a valid biometric passport.
• United Kingdom (UK): E-gates are in place at 15 air and rail ports across the UK. Users must be 12 and over and a British citizen or a national of the EU, Australia, Canada, Iceland, Japan, Liechtenstein, New Zealand, Norway, Singapore, South Korea, Switzerland, or the United States.
• The Netherlands: E-gates can be used by those 16 years or older and holding a valid EU passport.
• United States: At the time of writing, CBP was in the midst of rolling out the Simplified Arrival program to speed clearance for international arrivals. Simplified Arrival uses facial biometrics to automate document checks and provide travelers with a touchless process.

Model 2: Identity as a Service – Centralized, Third-Party Model (not Bound by National or State Borders)

The European Commission is implementing a central biometric matching system (BMS) that will serve the biometric identity requirements of multiple applications that are essential to European security.
This system is groundbreaking in terms of scale, transactional support, and strategic approach, offering many valuable lessons in the use and adoption of biometric identity capabilities. At the time of writing, the system was in development and was expected to be live during 2022. The system aims to instantiate a new entry/exit system (EES), creating a unified information system for recording data on the entry and exit movements of short-stay third-country nationals crossing the external borders of the EU.

The key body of the EES is EU-LISA, the European agency for the operational management of large-scale IT systems, which is headquartered in Tallinn, Estonia, with an operational site in Strasbourg and a backup site in St. Johann Im Pongau (Austria). The agency is responsible for the following tasks:

• Development of the central system,
• Implementation of a national uniform interface in each member state,
• Secure communication between EES and Visitor Information System (VIS) central systems, and
• Communication infrastructure between the central system and the national uniform interface.

Each member state is responsible for the organization, management, operation, and maintenance of its existing national border infrastructure and its connection to the EES.

The EES will be a centralized system through which the member states cooperate, hence the need for a common architecture and operating rules. Secure Internet access to a web service hosted by EU-LISA will allow third-country nationals to check their remaining authorized length of stay at any time. Airlines will also be able to use this function to check whether their passengers are authorized to enter the EU.

Example: Traveler Verification Service

A digital ID verification service in the United States is the TVS. This service, which is provided by CBP, is based on the concept of IDaaS. CBP uses a biometric matching service. The system compares a new photo taken at the time of departure with a DHS-stored subset of a larger DOS dataset (based on the flight manifest) that includes images from photographs taken by CBP during the entry inspection; photographs from U.S. passports, U.S. visas, and other travel documents; and photographs from previous DHS encounters.

The TVS can be applied at all entry/exit locations (air as well as sea) in the United States. For air travel, instead of the airline conducting a manual passport verification and a registration of the boarding card of the passenger in the flight manifest, the process can be automated by means of facial biometrics.

The TVS can be applied at security, check-in, bag drop, or the boarding gate and uses facial-recognition software; a live-captured image is matched with the person’s identity credentials that are stored in the TVS database. On a match, the system returns the biographic data of the person together with a unique identifier that the airline can use to link the passenger to its DCS and allow access or passage through the touchpoint.

Model 3: Per Trip – Semi-Federalized Model

The per-trip model is a semi-federalized approach to traveler and data facilitation throughout the traveler journey. Unlike the government-driven model, the traveler has the choice to opt in to participate in per-trip travel experiences at the time of enrollment.

The enrollment process for per-trip travel experiences typically begins on arrival at the airport. Using a biometric check-in kiosk, passengers verify their identity with an e-passport, biographic information, and facial image (biometric token).
The data orchestration platform creates a digital identity that lasts only for the duration of the journey.

In this model, data is stored, managed, and facilitated by an orchestration platform, which all stakeholders trust to supply verified traveler data. Connections between the orchestration platform and travel provider or government agency systems normally only require API integrations. These platforms are built to adhere to privacy-by-design principles and securely store and send encrypted traveler data to stakeholders on a need-to-know and authorized-to-know basis. A traveler’s identity is verified on arrival at a touchpoint using facial-recognition technology that captures the traveler’s image, which is transmitted to the orchestration platform in order to generate an authenticated status; any other data required to complete the process is transmitted as well.

The per-trip model has emerged as one of the most prevalent models to be tested and implemented worldwide. This model is widely accessible to a broad set of travelers, including occasional travelers and non-nationals of the country using the technology. It is also relatively easy to implement from a technical perspective and easy to use from a customer experience perspective. Challenges to designing an end-to-end model will be extrapolation beyond the airport environment and ensuring that different parts of the journey (e.g., connecting flight at another airport) are included without the need for passengers to re-enroll.

Example: Happy Flow

The Happy Flow model is based on collaboration among public and private stakeholders, including the government of Aruba, the Aruba Airport Authority, the Netherlands, KLM, and the Schiphol Group. In the past 4 years leading up to 2020, this group piloted a streamlined, user-friendly, end-to-end experience at Aruba International Airport.

Enrollment after opting in creates a single biometric token that is only kept for 24 hours. When the biometric token is created, the passenger’s e-passport is used for authentication, after which the holder’s identity is verified at each touchpoint using facial recognition.

Model 4: Per Life – Federalized Model

The per-life model takes a federalized approach to traveler and data facilitation throughout the traveler’s journey. Travelers have full discretion over how much of their data are shared, to whom, and at what point. Travelers also keep data integrity by storing their digital identity on their mobile device.

The per-life travel experience typically begins with the creation of a digital identity on a traveler’s mobile device using a digital identity management app. This initial enrollment allows travelers to upload and verify core pieces of their identity (e.g., passport biographic information, facial image) using the app’s built-in e-verification capabilities, and also allows verification by government. On completion, the digital identity resides on the traveler’s mobile device for life. The traveler may add as much additional information as desired and can perform one-time verification of this information with relevant, trusted stakeholders (which may be but are not required to be government agencies). Finally, the traveler easily integrates bookings into the digital identity to allow for seamless data management and sharing.

Pre-journey, a traveler’s mobile device pushes minimum required data to relevant travel providers or government officials. Data facilitation is managed by distributed-ledger technology and cryptography, which ensures the secure transfer of data.
On receiving traveler data, stakeholders can perform a host of activities (for example, government officials can perform risk-based assessments to streamline security processes, and travel providers can leverage shared data to enhance the traveler experience). At touchpoint arrival, a traveler is authenticated via facial-recognition technology, which captures the traveler’s image, authenticates it against received data, and receives an authentication status.

This per-life model offers numerous opportunities for secure, seamless travel experiences across a multitude of use cases. The key challenge for end-to-end model consideration will be ensuring stakeholder acceptance and trust in this level of federalized digital identity.

Example: Digi Yatra

Digi Yatra is an industry-led initiative overseen by the Indian government, which uses the link to the Aadhaar system (12-digit unique identity number of all Indian citizens) in partnership with airlines and other system players during the booking process, facilitating faster airport entry and automated check-in without the need for any paper-based interventions.

Dubai International Airport recently introduced a pilot where enrolled travelers walk through a biometric tunnel without stopping due to the advanced biometric security solutions. The biometric tunnel uses iris and facial biometrics for identification and verification.

Once the traveler has successfully cleared the tunnel, the traveler can receive real-time notifications about congestion and delays, as well as obtain greater visibility on the next step of the journey, which includes navigation through the airport using a smartphone or via an interactive kiosk and various augmented reality applications. Returning passengers can receive alerts about their luggage and its arrival on the baggage belt, submit baggage claims, and provide customer feedback.
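The Model 4 description says the traveler's device pushes only the minimum required data to each stakeholder. The following is an added example, not code from the primer or from any system it names, of one common way to do that: the issuer attests to salted digests of every attribute, and the wallet reveals salt and value only for what a stakeholder needs. The stakeholder names, attribute sets and key are assumptions, and an HMAC stands in for the issuer's signature so the code runs on the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the government issuer's signature;
# a real issuer would sign with a private key and verifiers would hold only
# the matching public key.
ISSUER_KEY = b"constructed-demo-issuer-key"

# Hypothetical minimum data sets per stakeholder (assumed for illustration).
MINIMUM_DATA = {
    "lounge": {"name"},
    "airline": {"name", "passport_number"},
    "border_control": {"name", "passport_number", "nationality", "date_of_birth"},
}


def _digest(salt, name, value):
    """Commit to one attribute. The random salt prevents a verifier from
    guessing undisclosed values by hashing candidate values."""
    payload = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def _attest(digests):
    """Issuer attestation over the full, ordered digest list."""
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()


def issue(attributes):
    """Issuer side. Returns (credential, wallet).

    credential: digests plus attestation, reveals no attribute values.
    wallet: per-attribute (salt, value), kept on the traveler's device.
    """
    wallet = {name: (secrets.token_hex(16), value) for name, value in attributes.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in wallet.items())
    return {"digests": digests, "attestation": _attest(digests)}, wallet


def present(credential, wallet, stakeholder):
    """Traveler side. Disclose only what this stakeholder is entitled to."""
    wanted = MINIMUM_DATA[stakeholder]
    missing = wanted - set(wallet)
    if missing:
        raise KeyError(f"wallet lacks required attributes: {sorted(missing)}")
    disclosures = [[wallet[n][0], n, wallet[n][1]] for n in sorted(wanted)]
    return {"credential": credential, "disclosures": disclosures}


def verify(presentation, stakeholder):
    """Verifier side. Returns the verified attributes or raises ValueError."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_attest(cred["digests"]), cred["attestation"]):
        raise ValueError("issuer attestation does not match the digest list")
    attested = set(cred["digests"])
    verified = {}
    for salt, name, value in presentation["disclosures"]:
        if _digest(salt, name, value) not in attested:
            raise ValueError(f"attribute {name!r} was not attested by the issuer")
        verified[name] = value
    # Enforce minimization on the receiving side as well: reject a
    # presentation that carries more or less than the agreed data set.
    if set(verified) != MINIMUM_DATA[stakeholder]:
        raise ValueError("disclosed attributes differ from the agreed minimum set")
    return verified


if __name__ == "__main__":
    # Constructed sample identity, not real data.
    identity = {
        "name": "A. Traveler",
        "passport_number": "X0000000",
        "nationality": "NL",
        "date_of_birth": "1990-01-01",
        "face_template_id": "tmpl-001",
    }
    credential, wallet = issue(identity)
    for party in ("lounge", "airline", "border_control"):
        print(party, verify(present(credential, wallet, party), party))
```

The presentation proves what the issuer attested, not who is holding the phone; in the model described above that binding comes from the facial match at the touchpoint.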

Model 5: Per Life – Federalized Model with SSI

An SSI is owned by the individual. As owner, individuals have access to and can refer to and share components of this identity at their discretion. While certain components of the identity are set up by issuing authorities (e.g., passport number, bank details), individuals must consent to the sharing of their identities and any related data. This is achieved by individuals securely storing their own identity data on their own personal devices and providing it efficiently to those who need to confirm it, without relying on a central repository of identity data.

Example: Known Traveller Digital Identity

WEF has published a white paper describing in detail its proposed biometrics-backed paperless international travel concept, the KTDI, a limited pilot project involving travel between Canada and the Netherlands (World Economic Forum 2020b).

A KTDI would be an international traveler’s digital profile—one that is detailed, secure, and shareable (at a traveler’s discretion). The new profile model would be decentralized and facilitated by blockchain processes, biometrics, mobile devices, and cryptography.

The KTDI concept is a public–private endeavor that the pilot consortium launched midway through 2019. The pilot is being run by the WEF, government agencies of Canada and the Netherlands, KLM Royal Dutch Airlines, Air Canada, Amsterdam Airport Schiphol, the Greater Toronto Airport Authority, Aéroports de Montreal, and Accenture Plc.

An open-source blockchain called “Hyperledger Indy” has been chosen as the decentralized identity platform. Hyperledger is a global enterprise blockchain project that offers the necessary framework, standards, guidelines, and tools to build open-source blockchains and related applications for use across various industries.
For the Hyperledger platform, a person’s digital identity, authenticated by a national government, would be linked to the person through biometrics. The identity would be encrypted and stored on the traveler’s phone. The KTDI application would keep an ongoing list of attestations, beginning with the government authentication and continuing with a running travel history that includes border crossings and transactions with trusted vendors. Information shared by the traveler is verified by checking trusted databases.

Evaluation of Architecture Models

Table 5-2 provides an evaluation of the five architectural models as well as their differentiators, benefits, and challenges. Each model needs to be carefully evaluated based on one’s circumstances since one may be more appropriate than another. One consideration is the type of air services offered (domestic, regional, or international, or a combination of all). Other considerations include the airport type, airport size, and types of airlines providing services.

Table 5-2. Evaluation of five architecture models.

| Metric | Notes | Model 1: Government/Authority | Model 2: Third Party | Model 3: Per Trip | Model 4: Per Life Federalized | Model 5: Per Life SSI |
|---|---|---|---|---|---|---|
| Example | | e-passport | CLEAR | Happy Flow | Digi Yatra | DTC on blockchain |
| Enrollment | | | | | | |
| Pre-journey enrollment is possible. | | No | Yes | Yes | Yes | Yes |
| Accessibility for all passengers | Passengers with reduced mobility, families with children, the elderly, requirement for a passport? | Low | Low | Medium | High | Medium |
| Speed of enrollment | | Low | High | High | Medium | Medium |
| Integration of booking data is possible. | | No | Yes | Yes | Yes | Yes |
| Authentication/Verification | | | | | | |
| Level of acceptance (quality of authentication) | Authentication of an identity; is the identity (digital) credential authentic and accepted by government/country/authority? | High | Medium | Low | High | High |
| Quality of verification (confluence of verifiers) | In case of facial recognition | High | High | Low | High | High |
| Potential for U.S. preclearance | U.S. preclearance: some models allow for data sharing that is required by United States. | Yes | If third party is a trusted partner of CBP | No | Yes | Yes |
| Government acceptance (likelihood) | | High | Low | Medium | Low | Low |
| Data and Privacy | | | | | | |
| Traveler ownership of data, ID | Does the traveler own the data? | No | No | ? | No | Yes |
| Privacy protection | | Low | Low | High | Medium | High |
| Data security (of the platform) from external manipulation | Difference between distributed ledger and central database | Medium | Medium | Medium | Medium | High |
| Operational Efficiencies | | | | | | |
| Time savings (speed at checkpoints) | | Medium | Medium | High | High | Medium |
| Customer experience improvement | Assuming a faster, relaxed journey is delivered, disregarding preference for data ownership (considered in a different metric) | Medium | High | Low | High | High |
| Space and resource savings | | Low | Medium | Medium | High | High |
| Applicability outside airport system | The passenger journey outside the airport (ride share/taxi) | No | Yes | No | Yes | Yes |
| Other considerations | | | | | | |
| Availability of technology (now) | | Yes | Yes | Yes | Pilot | Pilot |
| Sharing data with stakeholders | Airport, airline, government authorities | Yes | Yes | Yes | Yes | No |
| Sharing data with third parties (anonymized) | Retail, food and beverage, hotels, etc. | Yes | If third party shares with airport | Yes | Yes | No |
| Operational big data applications (passenger flow tracking, prediction) | | Medium | If third party shares with airport | High | High | High |

Stakeholder Challenges: Interoperability, Scalability, and Privacy Protection

Key Takeaway
The IT architecture design faces a larger challenge with more stakeholders as interoperability and scalability become more complex. With stakeholders in multiple countries, the privacy laws of those countries also affect the design.

There are multiple challenges to the design of an IT architecture, which often merits careful collaboration between the airport, airline, government, and the stakeholders to achieve the desired interoperability. IT architectures must be increasingly capable and scalable to incorporate the new technology needs of airports. Many are also dependent on local or national laws, especially when it comes to the protection of privacy and biometric data. On top of that, the designer will want to implement best practices and make the architecture secure and user friendly. With more stakeholders, this becomes increasingly complex.

On the other hand, global standards, although typically 2 to 3 years behind technology development, aim to create common technical specifications, allowing technologies to interact smoothly while abiding by multiple nations’ (and states’) laws and being software-, hardware-, and vendor-agnostic. More specific to biometrics, the ICAO DTC development is an example of an emerging global standard and is explained at the end of this section.

Single-Party Biometric Solution

In this scenario, every airport/airline/government has designed a system for themselves that applies to local conditions. This is a technology solution that can be implemented more quickly, easily, and with less capital investment than the multi-party biometric technology solution. A few models exist, and a broader range of possibilities exist for choosing infrastructure components because these generally do not have to be agreed on by multiple stakeholders. This option also has the advantage of offering more opportunities for a stricter set of guidelines and allows for more transparency and broader privacy-protection guidelines.

Around the world, governments, airlines, and airports have rolled out or are testing passenger processing systems based on, for example, biometric recognition systems. Many of those platforms and systems have been developed based on national law, international border agreements, stakeholder interests, and limitations of existing facilities, which leads to a varied implementation of solutions. Stakeholders focus on individual interests and not the interests of others, and thus, data sharing across borders and to other stakeholders is not realized.

Multi-Party Biometric Solution

Multi-party biometric solutions comprise all other systems using biometric technology; aim to allow functionality across multiple stakeholders, parties, and countries, or even aim to allow global implementation; and are to a certain extent interoperable and scalable. Technology solutions are typically much more complex in design to allow for interoperability. Ideally, infrastructure components are made compatible and are not vendor specific, although operational requirements need to be specified to guarantee functionality across different infrastructures. Technology guidelines are the greatest hurdle, with many stakeholders having to agree on issues like privacy protection, data sharing, data protection, and data retention.

Stakeholders

As highlighted previously, the direction taken for a single-party or multi-party biometric solution affects the number of stakeholders at the table. The list that follows presents an overview of the main stakeholders, each of which will have a different effect on addressing the challenges of interoperability, scalability, and privacy protection.
• Border control authority (CBP) is responsible for carrying out customs, immigration, and emigration procedures on airport premises and has multiple biometric-ready implementations linked to the use of the TVS.
• Security screening (TSA) screens passengers at the airport as part of the layered approach to security to get travelers safely to their destinations. TSA’s screening procedures are intended to prevent prohibited items and other threats to transportation security from entering the sterile area of the airport and being introduced onto the aircraft; are developed in response to information on threats to transportation security; and provide expertise and specialist processes to protect passengers, staff, aircraft, and airport property from accidental/malicious harm, crime, terrorism, and other threats. Aviation security is a combination of human and material resources to safeguard civil aviation against unlawful interference. Unlawful interference could be acts of terrorism, sabotage, threat to life and property, communication of a false threat, bombing, and so forth.
• Airlines are responsible for the verification of valid travel documents of passengers for entry to the destination country. They are concerned about delivering an optimum passenger experience and are therefore a stakeholder in the entire passenger journey at all touchpoints.
• The airport (operator) is responsible for verifying that passengers carry a valid boarding pass on entering the security checkpoint and facilitates the passenger process in its terminal. In addition, airports have a special interest in improved efficiencies in space usage and improving the passenger experience.
• Technology providers are responsible for the development, delivery, and installation of the biometric systems applied at the airports.
• IATA, as representative of the airlines and initiator of the OneID concept, is responsible for guidance and facilitation of the biometric passenger processing developments. IATA advocates striving for efficiencies for all airlines and their passengers.
• ACI is a representative of the airport industry responsible for guidance and facilitation of biometric passenger processing developments. ACI strives for efficiencies in the entire industry.
• ICAO is the collective body of member state representatives with the role of setting global aviation standards and any rules for aviation safety, security, efficiency, capacity, and environmental protection. ICAO strives for efficiencies in the entire industry, notably resulting in, for example, Doc 9303 (ICAO 2015). ICAO also has the Facilitation Panel established in 1995 that plays a critical role in the accomplishment of priorities and helps to ensure that ICAO Annex 9 (ICAO n.d.-b) is kept current.
• The passenger requires a seamless travel journey without the need to continuously present the same documents at each point. The passenger seeks travel safety and security and an easier process to facilitate entry to a country (visa, supporting documentation, validation).

ICAO Digital Travel Credential

A global standard that has been under development under ICAO is the DTC. Its policy paper “Guiding Core Principles for the Development of Digital Travel Credential (DTC)” was published in October 2020 and sets out a clear set of principles that lay the foundation for a digital credential standard, which would also apply to biometric credentials stored on tokens, on a mobile device, or in a database (ICAO 2020). The policy paper relates much of the technical specifications to current standards for e-passports, which are an example of an electronic machine-readable travel document (eMRTD). Following the current security of the eMRTD, which results in the verification and consistency of data between physical and electronic documents, the intent is to validate to the DTC at the same level of the eMRTD process. More on the DTC specifications can be found in Appendix N.
For airport management considering implementing biometric technologies and solutions, it is important to track the DTC standard developments and make decisions that guarantee the IT architecture is able to incorporate or adapt to such emerging global standards.

Lessons Learned

Key Takeaway
Supporting your biometric solution and taking into consideration your existing architecture and systems ensures the efficiency of existing and future investments and best practices. By learning from prior completed biometric implementations, much risk can be prevented going forward.

Large facilities such as airports may have existing IT installations that are not necessarily designed to support biometrics due to their current architecture, ability to scale, or inability to meet privacy-protection requirements. There are elements that need to be considered to support biometrics, such as network cabling, managing processing loads, balancing network traffic, and applying network standards that address communication between a large number of devices connected to the network. If these are not addressed in planning, network bottlenecks can lead to passengers waiting an unusually long time for a response from the system, leading to the creation of unnecessary queuing.

Cabling, Local Area Network

The main artery to the IT network in a large facility is the cabling, which will link all devices connected to the network. This needs to be maintained and managed at all times. Existing IT installations may not necessarily be designed to support biometric requirements. The network must have the ability to scale as well as to meet privacy-protection requirements. Before starting the biometric journey, the present network architecture needs to be evaluated, not only to ensure the best use of existing assets but, more importantly, to identify limitations and the required best practices to provide the relevant biometrics foundation.

Network Processing Loads and Network Switching

Network processing loads and network switching refer to the concept of ensuring that the network is efficiently designed and properly balanced and that no item in the network is doing all the work, leading to reduced performance. All the devices that are connected should be sharing the required workloads to make sure that there are no delays, bottlenecks, or slow response times. A vital part of a biometric network design is what is known as “data packet switching” (transfer of small pieces of data across various networks). For example, when at least three biometric devices are connected or when a biometric device is connected to three or more central servers, different network routes may be used to reach the destination biometric device.

Network Protocols

A network protocol can be defined as the format and the order of messages exchanged between two or more communicating entities (e.g., computers), including any actions taken in transmission or receipt of a message. Biometric devices connected with each other must use certain network protocols to transmit their data packets back and forth.

A biometric enrollment kiosk includes, in most cases, a passport reader to verify the person’s identity based on the image in the passport. Such a kiosk can also have full common-use self-service (CUSS) functionality to guide a passenger through the airline’s boarding process and obtain a boarding card for the passenger in the same step.

Facial Recognition: Liveness Detection

Facial-recognition technology uses a biometric reference database to compare an individual’s identity with a verified credential—the biometric template.
Facial-recognition software performs a series of tasks before it stores a person’s biometric template, and at a later time, when an image is captured at a biometric touchpoint, conducts a similar series of tasks to perform the facial-recognition operation.

An important element to these operations that should be performed in parallel is liveness detection. This detects people spoofing or bypassing the system by showing photos, videos, masks, or artifacts to the camera. There are many different techniques available to check the liveness of the person, and these have variable accuracies and response times. Which technique is needed may depend on the scale of the threat that can be expected and the actual location and layout of the touchpoint. Supervision of the touchpoint during operating hours may deter certain threats.

Facial Recognition: Lighting

Facial biometrics supply an easy-to-use method of verifying an individual’s identity. However, the accuracy of the verification is significantly less than that of other biometric methods. One of the shortcomings is that many facial biometric algorithms are sensitive to even minor changes in lighting and thus require standardized lighting. This can prove to be challenging as facial biometric kiosks are incorporated into existing buildings.

Modulated light sources synchronized with video cameras can be used to supply images that are lighting independent for these situations. The amount of modulated light needed is minimally obtrusive. The lighting arrangement should be appropriate for the application. It should also be remembered that good lighting can suppress the background in closed and open spaces.

Facial Recognition: Face Capturing Hardware

The equipment used for capturing images of passengers’ faces has developed over the years and no longer shows large variations in performance, but the hardware and physical layout of a touchpoint can influence the match results. With a high-quality image and the right composition, the face-match system will be more accurate. First, the quality of the camera (light sensitivity, number of pixels, and encoding type) can influence the performance. In addition, the enrollment station and verification touchpoint can be designed in such a way that every person is lined up in front of the camera in the same way, thereby leading to the same composition. Accuracy can be further improved by ensuring that faces receive enough and equal lighting conditions at every touchpoint.

Decent quality images will require less processing by the facial-recognition software for detection and normalization, which in turn will lead to better-quality biometric templates. Equal conditions for images taken at enrollment stations and images at verification touchpoints will lead to more reliable match results. The following features can be provided at biometric touchpoints to improve the quality of face capturing:

• Stickers of feet on the ground that show the position for the passenger,
• A camera on a moveable stick that is manually pointed at the target person,
• A speed gate with barriers to position a person in front of a camera,
• A camera that can move vertically,
• A dynamic indicator or an avatar to attract attention, and
• Illumination of faces.

Facial Recognition: Accuracy

With the application of facial-recognition systems in aviation, it is important that all stakeholders be aware of how accurate these systems are.
Inaccurate capturing equipment or facial-recognition technology leading to a false positive match must not result in a passenger gaining illegal passage at a border checkpoint or entering a secure area or a plane. On the other hand, the algorithm should not be too strict, causing a high number of falsely rejected passengers (false negatives). Finally, the time to render the facial recognition and matching must not take too long. A balance between accuracy and speed of computation needs to exist, as well as the need to abide by national, state, and local laws and security and facilitation. More detail on this subject is included in Appendix O.

Technology Will Fail and an Opt Out Will Need to Be Ever Present

Technology has revolutionized consumer experiences for the past 30 years; however, as airlines and the infrastructure that serve them become increasingly reliant on technology, vulnerabilities become clearer, and minor technical failures can cause catastrophic outcomes. Insufficient investment in technology infrastructure in the past can result in many technical outages that can cripple airport and airline operations for days on end.

As exposure to technology increases, so do the risks of an IT failure. Measures can be introduced to try to limit the risk, but it is obvious that air travel of the future will be prone to the risk of IT failure. Using legacy systems that are already overstretched will increase the likelihood of an IT failure.
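The trade-off described under "Facial Recognition: Accuracy" above, between false positive matches and falsely rejected passengers, comes down to where the match threshold is set. The following is an added example, not part of the primer: the similarity scores are constructed, and the function names and the "accept if score >= threshold" rule are assumptions made for illustration.

```python
"""Choosing a match threshold for 1:1 face verification (added example).

All scores are constructed sample data, not measurements of any real system.
Assumption: a comparison is accepted when its similarity score >= threshold.
"""

# GENUINE: live capture compared with the same traveler's enrolled template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.62, 0.90, 0.68, 0.93]
# IMPOSTOR: live capture compared with a different traveler's template.
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.19, 0.66, 0.30, 0.47, 0.22,
            0.38, 0.71, 0.15, 0.33, 0.44, 0.26, 0.51, 0.09, 0.58, 0.36]


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Share of impostor comparisons wrongly accepted (false positive matches)."""
    if not impostor:
        raise ValueError("need at least one impostor score")
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(threshold, genuine=GENUINE):
    """Share of genuine comparisons wrongly rejected (false negatives)."""
    if not genuine:
        raise ValueError("need at least one genuine score")
    return sum(s < threshold for s in genuine) / len(genuine)


def pick_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Return the lowest threshold whose false-accept rate is <= max_far.

    Raising the threshold can only lower false accepts and raise false
    rejects, so the lowest qualifying threshold also rejects the fewest
    genuine travelers. The infinite sentinel covers the case where even the
    highest observed score still lets an impostor through: the gate then
    accepts nobody and every traveler goes to the manual fallback.
    """
    if not 0.0 <= max_far <= 1.0:
        raise ValueError("max_far must be between 0 and 1")
    candidates = sorted(set(genuine) | set(impostor)) + [float("inf")]
    for threshold in candidates:
        if false_accept_rate(threshold, impostor) <= max_far:
            return threshold
    raise AssertionError("unreachable: the sentinel always qualifies")


def operating_point(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Summarise the gate's behaviour at the threshold chosen for max_far."""
    threshold = pick_threshold(max_far, genuine, impostor)
    frr = false_reject_rate(threshold, genuine)
    return {
        "threshold": threshold,
        "false_accept_rate": false_accept_rate(threshold, impostor),
        "false_reject_rate": frr,
        # Genuine travelers per 1,000 who would need the manual fallback.
        "manual_checks_per_1000": round(frr * 1000),
    }


if __name__ == "__main__":
    for target in (0.0, 0.05, 0.10):
        print(target, operating_point(target))
```

On this constructed data, tightening the false-accept target from 10% to 0% moves the threshold from 0.62 to 0.79 and sends 200 rather than 0 genuine travelers per 1,000 to the manual fallback, which is the balance the section asks stakeholders to weigh.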

It is important to plan for the inevitable because the biggest risk areas are the loss of landside or airside activity and the loss of baggage systems that work between landside and airside, leading to major impacts on airports, airlines, and passengers. Contingency plans with a recognized structure and model need to be developed to address what happens when things go wrong.

The very nature of IT, seamlessly working in the background, means that it is often not obvious that a problem is just around the corner. The next best thing to preventing a problem is being ready when one occurs.

Findings

Implementing Biometrics

Biometric technology takes the role and the benefits of passenger automation in airports a significant step forward. With the innovations that are taking place, passengers will be able to move through the airport with limited human contact using technology to create their own seamless journey at their own pace. Airports are already using automation to improve the passenger experience, which allows the flexibility to scale up and down their activities due to seasonal changes, passenger growth, and major disruptions to the industry.

The introduction of biometric technology needs to be implemented carefully and without major interruptions to present operations or disruption to passengers, and needs to be integrated into present systems and technologies. Planning is important because the replacement of assets is intrusive and is linked to current technologies and the introduction of a multitude of solution providers and contractors as well as existing infrastructure that is operating in different types of building and terminal designs.

One of the challenges is to develop an interoperable identity management system that can be used worldwide rather than having countries and stakeholders invest in localized solutions that are not interoperable or accepted by different authorities.
Biometric systems should be designed to anticipate development and easily adopt new technological advancements, and components that are likely to become obsolete, such as biometric sensors and matching systems, should be modularized. A life-cycle approach is needed that considers the capabilities and limitations of the technology and devices. This approach must also be flexible enough to manage the unexpected reactions of users, operators, and other stakeholders.

Cloud Data Security, Ownership, and Technology

Key Takeaway
Three areas derive value from a biometric implementation: the use of cloud security, data ownership, and the opportunities of digital travel credentials.

Data security has consistently been a major issue in information technology. Biometrics use cloud computing environments primarily because the data can be stored in different locations across the globe. Data security and privacy protection are the two main user concerns about cloud technology. Data security and privacy-protection issues are relevant to both hardware and software in a cloud architecture.

Cloud computing allows processing on demand and convenient, ubiquitous network access to shared configurable computing resources such as storage, networks, servers, services, and applications. This type of solution is suitable for biometrics. Biometric identification management systems are multimodal, and they generate large amounts of data. Processing petabytes of data cannot single-handedly be addressed by sheer central processing unit (CPU) power and needs flexible and economical infrastructure that can manage variable processing and data requirements.

Data ownership in any environment relates to both the possession of and responsibility for information. In other forms of control of information, cloud services not only provide the ability to access, create, modify, package, derive benefit from, sell, and remove data, but also protect by applying rules relating to the assignment of privileges to others.

In a cloud environment, the use of blockchain technology is beneficial when low processing volumes are expected and the transactional records are located in a distributed-ledger database that links to numerous stakeholder databases. The records are unchangeable and signed cryptographically with a consensus protocol to confirm that the data are correct (or are not). In order to deliver a biometric solution across different geographies, the distributed-ledger database, linked to other stakeholder databases, will need to be applied.

Digital Travel Credential and Self-Sovereign Identity

When booking or checking in, travelers could potentially send their virtual credential in advance from their mobile phone to the border authority or to an airline for advanced passenger information/passenger name record (PNR) purposes. As ICAO’s DTC standard is implemented by different countries, it could simplify biometric enrollment or potentially augment legacy systems such as the Electronic System for Travel Authorization (ESTA).

For the DTC, ICAO has the role of coordinating and establishing the digital identity format between all nations. Border authorities are the direct stakeholders charged with the responsibility of ensuring that border processes comply with national legislation. Airports and airlines are indirect stakeholders that may benefit from more efficient passenger processes. Technology providers have an interest in developing systems that they can sell on a global scale.
The DTC can be used as part of the credential-issuing stage of a biometric process. This stage can be performed from a passenger’s mobile phone, and the credentials can be sent to any system or database. Related to the DTC, where no specific facilities are required, this will depend on the use case that is to be applied at the airport. Theoretically, all passengers could be able to prove their identity, store their biometric details digitally, and have them certified with an identity verifier. A secure digital biometric system will bring many opportunities and advantages for passenger processing and can be adopted internationally. A similar time frame to the adoption of e-passport standards could be foreseen. Due to individual countries developing and adopting their own biometric solutions, a wide range of different systems per country and on an extraterritorial basis could be the norm in the future.


Biometrics is one of the most powerful, but misunderstood technologies used at airports today. The ability to increase the speed of individual processes, as well as offer a touch-free experience throughout an entire journey is a revolution that is decades in the making.

The TRB Airport Cooperative Research Program's ACRP Research Report 233: Airport Biometrics: A Primer is designed to help aviation stakeholders, especially airport operators, to understand the range of issues and choices available when considering, and deciding on, a scalable and effective set of solutions using biometrics. These solutions may serve as a platform to accommodate growth as well as addressing the near-term focus regarding safe operations during the COVID-19 pandemic.
