Mary K. McMunn, former Chief, ICAO Specifications and Guidance Material Section
This article reviews briefly the work ICAO has been doing over the past nine years to specify how to make use of biometric technology to enhance the security of travel documents and to facilitate inspection of international travelers at border control points.
The Convention on International Civil Aviation and Annex 9 (Facilitation) together provide a framework of obligations of member States and Standards and Recommended Practices pertaining to the immigration and customs inspection and clearance of persons in airports. In this context ICAO, since 1980, has been publishing specifications for standard formats for machine readable passports, visas and official travel documents. Document 9303, Machine Readable Travel Documents, is now a suite with three parts. Part 1 (Volume 1 and 2), Machine Readable Passports, was published in its sixth edition in September 2006.
Most readers and administrations are by now very familiar with the basic machine readable passport, which is now being issued by at least 110 States and territories, a number that is steadily increasing. The standardized format comprises two parts – a visual inspection zone or VIZ, containing mandatory and optional data elements in a prescribed layout; and a machine readable zone or MRZ, containing mandatory data elements in a form and position that are absolutely mandatory.
The two machine readable lines of OCR-B typeface, with their standard format, data elements, field lengths, and check digits, comprise the first security measure that ICAO invented for a passport.
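The check digits described above can be verified mechanically. The following is an added example, not part of the original article or of ICAO's own material: it checks every check digit in line 2 of a passport-format (TD3) MRZ using the Doc 9303 rule (repeating weights 7, 3, 1, sum modulo 10). The function names and the sample line are supplied here for illustration.

```python
# Added example: verify the check digits in line 2 of a passport (TD3) MRZ.

def char_value(c: str) -> int:
    """Map an MRZ character to its value: 0-9 as is, A-Z = 10-35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"character not allowed in an MRZ: {c!r}")

def check_digit(field: str) -> str:
    """Weighted sum with repeating weights 7, 3, 1, taken modulo 10."""
    weights = (7, 3, 1)
    total = sum(char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def verify_line2(line: str) -> dict:
    """Return {field name: bool} for each check digit in TD3 line 2."""
    if len(line) != 44:
        raise ValueError("TD3 MRZ line 2 must be exactly 44 characters")
    doc, dob, exp, opt = line[0:9], line[13:19], line[21:27], line[28:42]
    # The composite digit covers positions 1-10, 14-20 and 22-43.
    composite = line[0:10] + line[13:20] + line[21:43]
    # An unused optional field may carry '<' in place of its check digit.
    opt_ok = line[42] == check_digit(opt) or (line[42] == "<" and set(opt) == {"<"})
    return {
        "document_number": line[9] == check_digit(doc),
        "date_of_birth": line[19] == check_digit(dob),
        "date_of_expiry": line[27] == check_digit(exp),
        "optional_data": opt_ok,
        "composite": line[43] == check_digit(composite),
    }

# Sample data for this example (specimen values, not a real traveler's passport).
SAMPLE = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"
# Same line with the expiry year altered and the check digits left unchanged.
TAMPERED = SAMPLE[:21] + "9906236" + SAMPLE[28:]

if __name__ == "__main__":
    print(verify_line2(SAMPLE))
    print(verify_line2(TAMPERED))
```

The altered line fails both the expiry check digit and the composite check digit, while the untouched fields still pass.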
Another security measure inherent in the document and in the inspection procedure is the use of a mandatory photo image to link the holder of the document to the document itself, in order to confirm identity. In recent editions of Doc 9303 ICAO has been tightening up the specifications for the photo, to insist on high-quality images of adequate size, preferably digital images printed directly onto the data page, in order both to prevent photo substitution and to offer more confidence to the inspector or airline agent making a visual comparison between the photo and the person presenting the passport.
But over the years – and well before 9/11 – member States identified the need to confirm the identity of travelers more effectively, due to the myriad cross-border social, political and criminal problems that emanate from identity theft. So in 1997 the ICAO TAG/MRTD asked its New Technologies Working Group (NTWG) to begin a systematic study of biometrics and their potential to enhance identity confirmation with passports and other travel documents.
In search of the “right biometric” for travel documents, the chosen approach was to first identify requirements instead of just reviewing industry-based technology studies. This set ICAO apart from mainstream thinking at the time, and incidentally invited criticism from purveyors and users. But we felt that to choose the “best-performing” biometric based on laboratory tests and then try to adjust our requirements to it would not be the right approach. Instead we chose to evaluate the different biometrics against the unique requirements of travel document issuance and inspection.
And what are these requirements? Briefly, they are: compatibility with travel document issuance and renewal; compatibility with machine-assisted identity verification requirements in the issuance and inspection processes; redundancy; global public perception of the biometric and its capture procedure; storage requirements; and performance. Considering all of these factors and using a quantitative scoring methodology, the group found that face came out on top with an 85% compatibility rating while finger and iris were tied in second place with a 60-65% compatibility rating. Therefore face was recommended as the primary biometric, mandatory for global interoperability, and finger and iris were recommended as secondary biometrics to be used at the discretion of the passport-issuing State.
The face as primary biometric addresses numerous identity-related requirements. It supports lookout identification, as prior enrolment and cooperation of the subject are not required for successful image capture, and facial images are available on virtually every person in the world. Face also permits 100% identity confirmation in the inspection process, as the travel document photo of quality specified by ICAO could be used for machine assisted checks in the absence of an electronically stored image. Moreover, with the photo, facial recognition can be done visually, even when the equipment malfunctions!
After deciding that the face would be the primary biometric the NTWG looked for an appropriate storage medium. The medium chosen would have to offer enough data storage space for images of the face and possibly other biometrics, as the concept of using templates had been abandoned due to the fact that templates and their readers are not internationally standard. The technology had to be non-proprietary, available in the public domain worldwide, in the interests of global interoperability. And of course the technology had to be compatible with book-style (paper and cloth) documents. Ease of use, without a requirement to position or fit the document into a reading device, was also a factor. The technology that met all of these requirements was the contactless integrated circuit, and the NTWG decided that of the two ISO-standard options, the “proximity” type (ISO/IEC 14443) should be specified.
Next, a standardized “logical data structure” for programming the chip was specified to ensure that chips programmed in any country could be read in any other country. And because data written to a chip can be written over, a public key infrastructure (PKI) scheme was required, in order to give the reader of the chip assurance that the data had been placed there by the authorized issuer and that it had not been altered in any way since then. Thus an expert group within the NTWG developed specifications for a specialized PKI for application to travel document issuance and inspection.
Finally, during the testing of chips and readers there arose issues of skimming and eavesdropping. The physical possibility of skimming – the surreptitious reading of the data in the passport chip by means of a concealed device and unnoticed by the holder – is considered to be extremely remote, but nevertheless it is a concern. Eavesdropping – illegally listening in on a communication between the chip and the reader – though unlikely, is feasible. To address these concerns a scheme for “basic access control” (BAC) was developed and recommended for use by issuing States. Under BAC the inspection system uses a “key” derived from numeric data elements in the MRZ to “unlock” the chip so that the system can read it. Thus the passport must be open in order for the chip to be read, and the holder is assured that his data can be read only when he hands over his passport.
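How an inspection system turns the optically read MRZ into the BAC keys can be shown in a few lines. This is an added example, not code from the article or from ICAO: it follows the BAC key derivation published in Doc 9303 (SHA-1 over the document number, date of birth and date of expiry with their check digits, then two 3DES keys), and the function names and sample MRZ line are supplied here for illustration.

```python
# Added example: derive the BAC session-establishment keys from MRZ line 2.
import hashlib

def bac_mrz_information(line2: str) -> bytes:
    """Document number, date of birth and date of expiry, each followed
    by its check digit, concatenated as read from TD3 MRZ line 2."""
    if len(line2) != 44:
        raise ValueError("TD3 MRZ line 2 must be exactly 44 characters")
    return (line2[0:10] + line2[13:20] + line2[21:28]).encode("ascii")

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(out)

def derive_key(k_seed: bytes, counter: int) -> bytes:
    """SHA-1(K_seed || 32-bit counter); first 16 bytes form a two-key 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(line2: str) -> tuple:
    """Return (K_enc, K_mac): counter 1 for encryption, counter 2 for MAC."""
    k_seed = hashlib.sha1(bac_mrz_information(line2)).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

# Sample data for this example (specimen values, not a real traveler's passport).
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

if __name__ == "__main__":
    k_enc, k_mac = bac_keys(SAMPLE_LINE2)
    print("MRZ information:", bac_mrz_information(SAMPLE_LINE2).decode())
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```

Because the keys depend only on data printed on the data page, a reader that has not optically scanned the open passport cannot compute them, which is the property the paragraph above describes.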
So there you have it – what ICAO calls its biometric blueprint, consisting of four parts – the facial image, the contactless proximity chip, the logical data structure, and the ICAO PKI. These “four pillars” are each essential to the ePassport, and are inseparable from one another. Technical details about the blueprint and the ePassport standard and other aspects of ICAO work in MRTDs can be found on our dedicated web site – mrtd.icao.int.
Originally appearing in the ICAO MRTD Report 2006, this article is reprinted with permission.
Doc 9303 Part 1, Volume 1 and 2, was published in September 2006 and can be ordered at http://icaodsu.openface.ca/mainpage.ch2.