Sector organisation IATA predicts flight movements will grow by 30% by the end of 2016 (an increase of 800 million travellers). All these travellers will face passport checks on arrival at the airport and the majority on departure as well. Traditionally, these checks are performed manually, but to be able to deal with the growing stream of travellers as efficiently and effectively as possible in future, the search has been on for some time to find automated solutions without endangering the primary objectives of border control: to combat unwanted (illegal) immigration, international crime and terrorism. In this article, Alex van Duuren discusses the current limitations and possible future of automated border control.
As can be seen in figure 1, there are quite a number of processes that affect not just the effectiveness and safety, but also the acceptance of automated border control. This article deals with three control processes involved in border control: automated authentication, biometric verification and biographic identification.
Border control processes
The border control process depends on the type of traveller and the proffered travel document. The travel document is used to check whether the document and the traveller go together (verification). In addition, the travel document is checked for various physical and electronic security features, which are used to determine the authenticity of the travel document (authentication). Checks are also performed to ascertain whether the person meets all the criteria for admission (authorisation).
Beside the checks on the travel document, the traveller’s personal data are also checked. This involves using the personal data in the travel document to check whether a traveller has a police record (identification). Additionally, border control uses various types of selection or profiling, for example when checking for drugs traffickers, whereby certain criteria will prompt an additional check on members of the target group.
Accepted risks
Checking an identity document’s security features is specialised work that requires thorough prior training. Border guards have to deal with forgeries that in many cases are of good quality. Verifying the bearer of the identity document against the image in the passport is perhaps even more complex, and in many cases the border guard will struggle to establish an effective check. There is no doubt that border guards overlook things that they should notice, something that is inevitable wherever humans are at work.
However, automated border controls are not foolproof either, given that the technology is (as yet) unable to perform a 100% accurate check. A threshold value is used to determine the balance between correct and incorrect, thus establishing the accepted margin of error. This means that automated border controls involve a margin of error that is known in advance to the purchaser of the system. Setting up a system in such a way as to minimise the number of people who are wrongly let through (false negatives) means a great many people get wrongly rejected by the system (false positives). We could say that the vertical line shifts to the left (see figure 2). This makes the system less user-friendly, which in turn has a huge impact on its overall acceptance by both the travellers and the airport. This means that a balance will have to be found in automated border control between the accepted level of risk and user-friendliness.
Automated authentication
Whereas manual control involves the travel document being checked by a border guard, with automated border control the travel document is checked by an electronic passport reader. Electronic passport readers are able to check both the electronic features of the travel document and some of its physical security features.
Checking electronic security features
When checking the electronic security features, it is important that not only the RFID chip itself is authenticated but also that the data on the chip are checked in accordance with the ICAO protocol. So far the RFID chip has proved itself very reliable; to date there are no known examples of fraud involving the data on an original RFID chip being altered.
Checking physical security features
As well as checking the electronic security features the electronic passport reader’s optical functions also check the physical security features. Most electronic passport readers perform a check on the check digits of the machine readable zone (MRZ), as well as a standard check of the ink used in the MRZ (B900) and the UV dullness of the substrate. Moreover most electronic passport readers can be hooked up to a (template) database containing templates of the various security features used in identity documents. Pattern or image recognition is used to check the security features of the proffered document against these templates. This comparison produces a match whose score can be interpreted as positive (security feature is genuine) or negative (security feature is false/forged). It goes without saying that it is the threshold value that determines how the score is interpreted. Various studies have been conducted into the reliability of these (template) databases and show that there is room for further improvement in the future with regard to the reliability of this authentication process using (template) databases.
Biometric verification
In most cases the biometrics incorporated in the e-ID document are used for verification. At present, mainly facial (DG2) and fingerprint recognition are available, but in future other biometric features may be added such as eye (iris or retina recognition) and vein recognition. Some automated border control systems use biometric features captured during an advance registration procedure. A membership pass or just the biometrics are often used as tokens for this advance-registration border passage. Such systems tend to be far more effective because the identity document is often checked both manually and by machines during the registration process, and the biometrics are stored in a much higher resolution or in a biometric template. This means that it contains far more information than the biometrics on an e-ID document (with the size of the photograph being 15kB-20kB, the fingerprint around 10kB and the iris, if included, around 30kB).
A much-used phrase in connection with software applications is ‘garbage in is garbage out’. The same applies to biometrics. If the registered biometrics of, for instance, an identity document are of poor quality, then the biometric verification will be unreliable. A low-res biometric image contains less information than a hi-res image, and will therefore produce a poorer result than can be achieved with biometric verification or identification.
A biometric template requires a prior registration process. This registration process is structured in such a way that the software will produce a good template, which the software can retrieve at any time. In other words, a biometric template is a software file of the captured biometrics, which contains all the information that the biometric algorithm needs to achieve good results. These templates are often only several kBs in size, but tend to be a software abstraction of a hi-res image (several MBs in size). However, each algorithm has its own software for making templates, meaning that the template of algorithm A cannot be used by algorithm B; in other words, the templates are not interoperable. Conversely, that is precisely what an image is, which is why it has been included in e-ID documents. Nevertheless the ICAO would prefer to switch to templates in the future, as set out in ICAO Doc 9303, which defines the standards for identity documents.
Biographic identification
The MRZ includes biographical data such as surname, first name or names and date of birth. These biographical data are checked against available police databases and sent there digitally. Police databases often do not contain fully accurate data, and include minor spelling errors and phonetic spelling of personal details. In many cases they are old and slow, and the search request tends only to produce a match if the data are identical. To increase the likelihood of a hit a different way of requesting information from the databases is needed. The databases will need to use smart search engines, enabling them to provide border guards with a list of potential matches which they can then search to see if they have a match.
Selection or profiling
Border guards subject passengers to extra checks based on a certain route, behaviour or a certain style of dress. With automated border control this selection also called profiling often does not take place, whilst it is considered a very valuable part of the manual control as it often leads to the discovery of forgeries or aids other border processes. In some cases with automated border control this is solved by having a border guard positioned close to the automated gates as a supervisor.
Future of automated border control
In the context of automated border control the three processes authentication, verification and identification are essential to effective control. Each of these processes entail its own risks, as described briefly above, and a successful completion of one process has no bearing whatsoever on the greater or lesser effectiveness of the other. The aim should therefore be to optimise all of these processes. In addition, the following aspects have a part to play in the future of automated border control:
• The increase in the number of travellers in the coming years will partly determine the pace at which automated border control systems are rolled out. However, many countries are adopting a wait-and-see attitude, possibly due to doubts about and/or a lack of confidence in RFID technology, in the possibilities – or lack of them – of biometrics or in the checks performed by electronic passport readers.
• RFID technology will need to undergo further development if it is to remain reliable in the future. The author believes that RFID technology in identity documents has proven itself sufficiently over the past years and can be considered reliable, subject to the proper checks being performed as set out in the ICAO protocol.
• In future, identity documents will have to be made suitable for both manual and automated checks. At present, most identity documents contain mainly physical security features and hardly any security features that are suited to automated authentication. This must and certainly will change going forward.
• The existing technology, the electronic passport reader, has not yet proven itself sufficiently in terms of automated authentication. This is set to improve greatly in the future, aided by the introduction of security features specially designed for automated authentication.
• With the current rise in the number of automated gates in use, the number of bearers of fake and forged identity documents and people travelling on another person’s identity document (imposters) using these gates will also increase. Given that it is relatively easy to purchase an electronic passport reader, a fraudster can use this technology to test his forgery until it is accepted by the technology. Licences for and – even more easily – test versions of biometric algorithms are also freely available on the market, allowing the fraudster to compare his face against the face pictured in the identity document for likeness and so increase his chances of success at the border.
• Both the quality of the biometric data in identity documents and the biometric algorithms will require further improvement. It is possible that the increase in usage will even mean that the existing biometric identifiers – facial recognition and fingerprint recognition – will be replaced by other biometric identifiers such as iris recognition and vein recognition. These algorithms are currently getting better results and could possibly be used to speed up the process and make it more user-friendly and effective.
Conclusion
If the current automated border control technology continues to advance in the coming years then this development will certainly be an irreversible trend, but if the industry fails to embrace further innovation then automated border control will die a silent death. The way in which governments go about connecting people and the people-linked processes of recognition and profiling to automated border control in the future will be crucial, as this will mean humans once again have an important part to play in the ‘new’ automated border control process.
Alex van Duuren is owner of AVDSolutions, which provides consulting services in ID management and ID solutions. He started his career at the Royal Netherlands Marechaussee, where he worked for the Expertise Centre Identity Fraud and Documents for over 11 years. Alex has been a consultant and policy employee for projects such as ABC Schiphol (No-Q), Registered Travellers Programme FLUX and the current national passport of The Netherlands. He (co-) authored the paper The Limits of Electronic Passport Readers (2009) and has been a speaker on several international podia.