It is important to note that the operative term in the definition of the ePassport is “biometric identification”. Biometric technology involves a measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity of a person.
by Dr. Ruwantissa Abeyratne
( August 8, 2017, Montreal, Sri Lanka Guardian) It is heartening to learn that the Cabinet of Ministers of Sri Lanka has approved the development and use of the ePassport. The ePassport is an integral part of the Traveller Identification Programme (ICAO TRIP) initiated by the International Civil Aviation Organization (ICAO) – the specialized agency of the United Nations handling issues of international civil aviation. Member States of ICAO, at ICAO’s 38th Session of the Assembly (24 September – 4 October 2013), adopted the ICAO Strategy, which aims to establish the goal and objectives of traveller identification management, to lead and reinforce a global approach, and to provide direction for action by ICAO, States and the many international, regional and industry partners in identification management.
The ePassport is the culmination of a sustained process of development of technical specifications for machine readable travel documents (MRTD). It introduces a new dimension to aviation security in that, within the conventional machine readable passport with its machine readable zone, an additional layer of verification of information contained in an electronic chip is placed, which verifies the information in the passport’s machine readable zone by the use of a special reader. Much research has gone into the areas of the technology and verification in the development of the ePassport. At a Symposium held at the International Civil Aviation Organization in early October 2012, the ePassport was subjected to much discussion by the various experts gathered from across the globe.
The additional feature that the ePassport carries in the conventional machine readable passport is a chip containing biometric and biographic information which have to be validated accurately, efficiently and quickly while retaining the security and integrity of the information. Ideally, an ePassport should be issued in accordance with the technical specifications approved by ICAO. However, this does not happen in all cases of issuance of ePassports. This lapse could seriously compromise global security.
The ePassport, which is defined by ICAO as a passport which has a contactless integrated circuit (IC) chip within which is stored data from the machine readable passport page, a biometric measure of the passport and a security object to protect the public key infrastructure (PKI) cryptographic technology, and which conforms to the ICAO specifications. The ICAO Facilitation Manual defines the ePassport as a machine readable passport that has a contactless integrated circuit embedded in it and the capability of being used for biometric identification of the machine readable passport holder in accordance with the Standrds specified in the relevant part of ICAO document 9303 (Machine Readable Travel Documents). ePassports are easily recognised by the international ePassport symbol on the front cover.
It is important to note that the operative term in the definition of the ePassport is “biometric identification”. Biometric technology involves a measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity of a person. Biometric identification has been defined as “a generic term used to describe automated means of recognizing a living person through the measurement of distinguishing physiological or behavioural traits”.
Biometrics target the distinguishing physiological or behavioral traits of the individual by measuring them and placing them in an automated repository such as machine encoded representations created by computer software algorithms that could make comparisons with the actual features. Physiological biometrics that have been found to successfully accommodate this scientific process are facial recognition, fingerprinting and irisrecognition which have been selected by ICAO as being the most appropriate. The biometric identification process is fourfold: firstly involving the capture or acquisition of the biometric sample; secondly extracting or converting the raw biometric sample obtained into an intermediate form; and thirdly creating templates of the intermediate data is converted into a template for storage; and finally the comparison stage where the information offered by the travel document with that which is stored in the reference template.
Biometric identification gets into gear each time an MRTD holder (traveler) enters or exists the territory of a State and when the State verifies his identity against the images or templates created at the time his travel document was issued. This measure not only ensures that the holder of the document is the legitimate claimant to that document and to whom it was issued, but also enhances the efficacy of any advance passenger information (API) system used by the State to pre-determine the arrivals to its territory. Furthermore, matching biometric data presented in the form of the traveler with the data contained in the template accurately ascertains as to whether the travel document has been tampered with or not. A three way check, which matches the traveler’s biometrics with those stored in the template carried in the document and a central database, is an even more efficacious way of determining the genuineness of a travel document. The final and most efficient biometric check is when a four way determine is effected, were the digitized photograph is visually matched (non electronically) with the three way check described above. In this context, it is always recommended that the traveler’s facial image (conventional photograph) should be incorporated in the travel document along with the biometric templates in order to ensure that his identity could be verified at locations where there is no direct access to a central database or where the biometric identification process has not entered into the legal process of that location.
The story of the passport- the precursor of the ePassport – starts with the birth of an individual and his birth certificate, which records the event of birth and time and place thereof. The Civil Registry is able, with this document to primarily establish the identity of the person at birth and inform his country of his details for purposes of maintaining census and vital statistics. The passport, which uses this information, gives a person a name and natonality that is required for him to travel internationally. The passport is a basic document in the transport by air of persons. Its use therefore is of fundamental importance as a travel document, not only because it reflects the importance of the sovereignty of a State and the nationality of its citizens but also because it stands for the inviolability of relations between States that are linked through air transport.
The key consideration of an ePassport is Global Interoperability — the crucial need to specify a system for biometrics deployment that is universally interoperable. A Logical Data Structure (LDS) for ePassports required is for global interoperability. It defines the specifications for the standardized organization of data recorded to a contactless integrated circuit capacity expansion technology of an MRP when selected by an issuing State or organization so that the data is accessible by receiving States. This requires the identification of all mandatory and optional Data Elements and a prescriptive ordering and/or grouping of Data Elements that must be followed to achieve global interoperability for reading of details (Data Elements) recorded in the capacity expansion technology optionally included on an ePassport. The other considerations are Uniformity — the need to minimize via specific standard setting, to the extent practical, the different solution variations that may potentially be deployed by member States; Technical reliability — the need to provide guidelines and parameters to ensure member States deploy technologies that have been proven to provide a high level of confidence from an identity confirmation viewpoint; and that States reading data encoded by other States can be sure that the data supplied to them is of sufficient quality and integrity to enable accurate verification in their own systems; Practicality — the need to ensure that specifications can be operationalized and implemented by States without their having to introduce a plethora of disparate systems and equipment to ensure they meet all possible variations and interpretations of the standards; and Durability — the requirement that the systems introduced will last the maximum 10-year life of a travel document, and that future updates will be backward compatible.
The major components of a biometric system are: Capture — acquisition of a raw biometric sample; Extract — conversion of the raw biometric sample data to an intermediate form; Create template — conversion of the intermediate data into a template for storage; and Compare — comparison with the information in a stored reference template.
In terms of security and privacy of the stored data, both the issuing and any receiving States need to be satisfied that the data stored on the passport has not been altered since it was recorded at the time of issue of the document. In addition, the privacy laws or practice of the issuing State may require that the data cannot be accessed except by an authorized person or organization. Accordingly, ICAO has developed specifications regarding the application and usage of modern encryption techniques, to be used by States with their machine readable travel documents as made in accordance with the specifications set out in ICAO documentation. The intent is primarily to augment security through automated means of authentication of MRPs and their legitimate holders internationally. In addition, ways and means are recommended to implement international ePassport authentication and to provide a path to the use of ePassports to facilitate biometric or e-commerce applications.
The decision of Sri Lanka goes to recognize that the foremost necessity is to establish a strong security culture in the country. For this, there must be a clear definition of State responsibility and accountability brought to bear by a close and unbreakable link between government and industry stakeholders. A security culture would make States aware of their rights and duties, and, more importantly, enable States to assert them. Those who belong to a security culture also know which conduct would compromise security and they are quick to educate and caution those who, out of ignorance, forgetfulness, or personal weakness, partake in insecure conduct. An ePassport must necessarily be the result of efficient and fail-safe organizational arrangements. It should be tested at border control by trained professionals. eGovernment and eID are the bare essentials for State security. The digital economy has also brought much facilitation that helps the world move to paperless processes which result in greater economy and streamlined processes. However, there must essentially be global harmonization in this process. In this regard ICAO has made remarkable progress in advancing its TRIP programme to the level it is at now. If harmonization means ensuring consistency between global practices, standardization means compliance with international Standards. There is no room for doubt that both harmonization and globalization are needed in this context.
The author is former Senior Legal Officer at the International Civil Aviation Organization