This is an invitation to take a step back from your usual responsibilities and to follow these personal views and experience of the author, based on his extensive experience in the field of travel documents, migration, crowd control and crisis management. To readers from both industry and government: take the refreshing challenge to break down silos and realise the little addressed business cases.
The rather conventional view of travel documents is to provide well-governed international travel across national borders. Securing borders has always been one of the key responsibilities of Government, involving border police and guards as well as military forces. The latter involves major state budgets, protecting the nation from conventional, armed invaders. Both immigration control and armed forces, however, are facing new challenges, as aggressors don’t necessarily need to cross borders to reach their goals: cyberwar, remote drone-based strikes, major-scale communication surveillance on one hand, sleeper cells and organised crime in multinational, open border environments on the other, just to name a few.
As an example: the border-free Schengen Area guarantees free movement to more than 400 million citizens, as well as to many non-EU nationals, businessmen, tourists and other persons legally present on the territory. In 2011, 13.4 million Schengen C visas were issued, that is roughly 4% of its inhabitants who, once immigrated into the area, potentially are never required to present their governmental ID again. They may never leave again, remaining unrecognised in a territory of 4.2 million km2 and EUR 11.4 billion gross domestic product.
From the guiding document COM 2010:05541 we need to understand that within this defined ecozone, continuing the example of the European Union and in particular the Schengen Treaty Area, no systematic border control-like checks may take place:
“Checks on persons in the exercise of police powers by the competent authorities of the Member States under national law are allowed throughout their territory, including border areas, insofar as the exercise of those powers does not have an effect equivalent to border checks. The Code contains a non-exhaustive list of criteria to assess whether the exercise of police powers is equivalent to border checks or not.
- Accordingly, police measures are not considered to be equivalent to border checks if they:
- Do not have border control as an objective.
- Are based on general police information and experience regarding possible threats to public security and aim, in particular, to combat cross-border crime.
- Are devised and executed in a manner clearly distinct from systematic checks on persons at the external borders.
- Are carried out on the basis of spot-checks.”
In the same document it is assessed: “While it is easy to determine that a check is carried out to enforce traffic law and not as a border check, e.g. when car drivers coming from a discotheque located in the vicinity of the internal border are required to undergo breath tests, which might include the necessity to determine a person’s identity, it is more difficult to assess the nature of checks that aim to enforce immigration law.”
From this we need to understand that law enforcement officers will usually be involved within their regular line of duty, without necessarily intense ID document and profiling training. Furthermore, they may lack the routine in doing so, as this is traditionally not their primary task.
Some sample use cases illustrate the situation:
• Police checking on a person carrying a Schengen visa in his foreign passport.
• Traffic police identifying foreign driving licences.
To make this even more challenging, the above-mentioned document requires: “Security Checks on Persons (Article 21(b))” […] “These checks should only verify the identity of the traveller against a travel document. EU citizens can identify themselves on the basis of their passport or identity card.” Basically, such identification will therefore need to happen offline, by simply matching person and document. For many use cases today this is a severe challenge.
Beyond the typically envisaged use for travel and other governmental use, many other entities depend on government-issued ID and legitimation documents. While reading the following examples, let’s keep in mind the challenge already set in place for the document professionals: Roughly 200 countries x 3 document types x 3 generations = 1800 potentially different security concepts.
Consider for example these situations in which civilian employees need to verify governmental picture IDs, most often lacking sufficient training, tools, documentation and in many cases feedback:
- The bank clerk confronted with a foreign passport presented in order to cash a cheque, tasked to prevent cheque fraud.
- The employer required to identify the jobseeker by his ID card or foreign residents card.
- The mobile phone reseller questioning if the person signing the premium network contract will walk away with the top phone model and commit subscription fraud.
- The bar owner obliged to restrict alcohol serving to minors − even in the environment of commercial and professional over-the-web counterfeiting.
- The pharmacist checking the picture ID health card.
The question in this context is primarily not legal, but systematic: What can the issuing authority do to support these and many other business processes, especially in the context that most likely no civil database access can be granted?
Learning from other, related industries
In setting the boundaries for improvements, there are some additional factors to be considered. One of these aspects is becoming very dominant: budgets are tight. With restrictive budgets the questions from governments as well as prime contractors must be: by introducing a system, process, technology, or feature; what is the cost-benefit ratio? Can other less performing systems be substituted? Are there new costs for verification devices introduced? Can previous investments be upgraded?
To identify opportunities we shall take an excursion into two related fields: brand protection and law enforcement. The protection of brands is a highly dynamic case, impacting very directly monetary and often public safety. The measures and efforts combating counterfeits are in many ways comparable, using national and commercial intelligence, and integrating a multitude of security technologies related or identical to the ID market. Very often looking behind the scenes we will find the same actors from the organised crime arena. With this in common there are many aspects to learn from in the field of governmental IDs.
In the field of commercial security for branded goods the possibility of the ‘Million-Eyes’ concept is strongly considered. This concept involves the general public standing watch for their own benefit and that of the community; it empowers and utilises in a win-win strategy the interests and potential of the consumers. This requires industry to not only develop highly performing technologies such as track-and-trace, OVDs and security inks, but also intuitive, rewarding tools to be easily and rapidly distributed, relying on readily available infrastructure. For brand protection, mobile apps are used more and more. Search your app store with the keyword ‘counterfeit’ and you will get a few dozen hits.
A very popular method these days is the use of smartphones and their respective app stores. Many police forces nowadays use mobile apps for dispatch, in-line reports and ticketing. The police force in Zurich, Switzerland for example has gone close to paperless in the field, using iOS from Apple for their field officers.
The use of mobile apps may be a very viable path for the general public, as figure 1 impressively demonstrates. Over one third of the population of many European countries are already online with smartphones.
In order to validate the feasibility for such undertaking in the law enforcement arena we performed a provisional market research in the field of law enforcement units, related to the use of commercial offtheshelf devices (COTS) such as smartphones within Europe.
The indications received are based on seven countries (Belgium, Germany, Greece, Italy, Poland, The Netherlands and Switzerland)3. The law enforcement units of these countries, such as police, traffic police, SWAT, secret service and border police have Professional Mobile Radio (PMR) at their service, or it is currently being deployed. Their systems are mostly based on the Tetra- and some on the Tetrapolstandard and currently support in many cases only a very limited range of digital communication capacity. Partly due to that reason, a significant portion of forces utilise civilian digital mobile communication infrastructure. The business models vary from using privately procured contracts (for example Belgium, where certain officers receive a contribution of approx. EUR 17 per month) to actually deploying devices. The nonexhaustive use cases covered are voice communication in non-critical situations, attainability of off-duty forces in case of emergency requiring first-responders and digital ‘paperwork’ functions to in some cases biometric and RFID functionality. The number of law enforcement agents comprising the units mentioned above in The Netherlands, Switzerland, Italy Poland, Belgium and Germany are estimated at 783,000 staff who are equipped with up to 225,000 phones − a coverage of approximately 29%.
The platforms used for smartphones differ, as often every unit and potentially every command region might select their own preferred operating system. Whereas in Germany, Apple’s iOS seems to be preferred, Poland uses Windows Mobile and The Netherlands tends to use Blackberry, other countries show no clear national platform strategy.
In many countries the deployment rate of smartphones is over 50% (mostly where private infrastructure is subsidised). For example, Belgium has, due to this model, a close to full deployment within the forces. Large forces such as those in Germany and Italy on the other hand have a general deployment rate of below 10%. Overall the received data indicates that the smaller the forces the higher the deployment rate of civilian communication infrastructure.
Most countries use specialised devices either for in-car biometrical identification or document verification, with the exception of Poland, the coverage seems to be punctual across all forces. Especially the on-man availability seems generally to be rather scarce and where available mostly with border police and secret service.
Illustrating business case responding to above situations
The following cornerstones mark one use case that U-NICA took out of the above situation:
- Following from thesis 1, 2 and 3: empower both general law enforcement personnel and various commercially dependent entities to verify with low threshold the authenticity of the represented data on various ID and legitimation documents.
- Applying thesis 4: operate on devices already deployed, to protect investments and avoid the need to procure additional devices.
- Conform with the applicable guidelines, recommendations and standards.
- Do not occupy the available surface on the documents − especially avoiding the addition of barcodes or dependency of electronic storage.
- Operate offline − independent of any local or remote databases.
- Avoid any deterioration of relevant data, especially the photograph.
The system seeks to establish a reliable link between the holder and a unique identifier on the document, making it robust and reliable rather than focusing on security features of the document.
To illustrate: Taking again the traffic police inspecting a traffic speed violator. He compares the face of the driver to the portrait on the driving licence and then radios the name and ID number to mission guidance for a background check. The questions standing are: is the picture reliable? And is the data untampered? Such a system will create this link of trust of the data represented on the presented document completely offline. Within seconds the user receives a yes / no answer if part of the data has been tampered with, be it physical manipulation, imitation or actual counterfeit. The pillars are strong encryption, selective robustness and its real-life proof verification engine, allowing to reliably identify even dirty, scratched and bent documents.
In the core, key data are encoded and encrypted into the portrait by using a highly developed watermarking technology, virtually invisible to the human eye. This is especially important, as any deterioration of the photo would be counterproductive. It supports printers from 300 dpi, on plastic and paper, printed by dye diffusion, laser engraving, inkjet and toner laser. The system utilises both border control devices as well as smartphone technology to establish this trusted link, completely offline and without a locally stored database. And moreover: without requiring any visual modification or use of document real estate.
The demand both within industry and various governmental ministries for above sketched solution is very encouraging. Both industry and government may conclude that there are many more use cases, even business cases for governmental ID documents than ‘just’ border crossing. Law enforcement has infrastructure that can be used to make their work more efficient and base their decisions on more reliable data. Though budgets are limited − there is much more available infrastructure out there that could be harnessed, than is currently being used.
1 Report from the Commission to the European Parliament and the Council on the application of Title III (Internal Borders) of Regulation (EC) No 562/2006 establishing a Community Code on the rules governing the movement of persons across borders (Schengen Borders Code).
2 Based on data from thinkwithgoogle.com
3 Data indicational and best effort, inofficial and not cross-checked.