Electronic passports prepare for check-in

Electronic passports prepare for check-in
PARIS — A groundswell that has combined international efforts, technology breakthroughs and political momentum is clearing the way for the creation of electronic visas and passports. Implementation could start as early as next year in some countries.

But as technical work toward next-generation travel documentation coalesces on a global scale, the technology's political, social and economic ramifications are becoming fodder for public discourse. Debates are arising over such hot-button issues as privacy and data protection. Perhaps the central issue is one of trust-or the lack of it-between institutions and the constituencies they serve.

The transition from contact to contactless technologies, the electronic storage of biometric data and the integration of cryptographic engines will converge to define the next generation of travel documentation systems, predicts Detlef Houdeau , senior director for business development ID projects at Infineon Technologies' Secure Mobile Solutions business group (Munich). The German semiconductor company is involved in projects in five countries. In each, Infineon, collaborating with a secure printing company authorized by the country in question, is developing chips that can be reliably woven into a page of a machine-readable passport.

Once the stuff of fiction, biometric data mechanisms that can scan and record facial features, fingerprints and iris prints are destined soon to become part of standard travel documentation systems. A technical subcommittee of International Civil Aviation Organization (ICAO), a specialized agency of the United Nations setting international standards and regulations for air transport and services, published a report last month on machine-readable travel documents. It proposes use of contactless chips embedded in passports books, with the chip storing a facial image of the document holder. ICAO's final decision is expected shortly.

Separately, various technical subgroups within International Organization for Standardization (ISO) are hard at work standardizing biometrics' logical data structure. The groups have said they do not expect to complete their work until next year at the earliest, but reportedly they are under great pressure from various quarters to pick up the pace.

From a market perspective, large-scale deployment of biometrics in travel documents is destined to create winners and losers among the developers and suppliers of relevant technologies. Today's small biometrics industry is already feeling some pain. Dominated by many small companies and startups spun out of university programs, the industry "needs to become a big business" whose players can afford the rising R&D costs said Marcel Yon, CEO of ZN Vision Technologies, which specializes in facial-recognition systems (Bochum, Germany).

As the [biometrics] market expands at a projected annual growth rate of 100 percent, Yon predicted, "there will be fewer survivors, with many disappearing. After all, travel documents are an international business that needs a global solution."

ZN itself recently agreed to be acquired by Viisage Technology (Littleton, Mass.), a provider of secure ID technologies.

Superimposed on the face, an elastic grid calculates information at every node in the graph. Comparisons are made based on 1,700 facial features.

Aside from the companies that stand to profit from the new technology, government officials have perhaps been the most vocal proponents of electronic travel documents. In the name of the fight against terrorism, the use of biometric techniques to prevent forgery of passports and other travel documents was high on the agenda of topics discussed in Paris last month by the justice and interior ministers of the G8 countries.

The United States, armed an aggressive biometrics-ID plan for border crossings, has been a leader in the push toward technology definition and deployment. Under the U.S. Enhanced Border Security and Visa Entry Reform Act, passed two years ago in response to the Sept. 11 attacks, visitors from non-visa-waiver countries must provide biometric data in order to secure entry to the United States effective October 2004. The act also requires citizens from the 26 visa-waiver countries to have machine-readable biometrics information embedded in their passports. The short timetable mandated in the legislation effectively puts the United States in the technology driver's seat.

Further, as a showcase of progress made in its first 100 days, the U.S. Department of Homeland Security has just rolled out a program-called US Visit-that requires biometrics equipment to be installed at seaports and airports before the end of this year and that requires travelers from 25 countries to provide their biometrics information when they enter and exit the United States. If the plans proceed as scheduled by Homeland Security Secretary Tom Ridge, the United States would become one of the earliest adopters of biometric technology.

ZN Vision Technologies' 'elastic graph matching' procedure calculates facial patterns using an algorithm that is said to ensure robustness against variations.

Some see the biometric border-crossing labyrinth touted by the administration as too ambitious, too costly and a little too Orwellian. But, despite the aggressive timetable, the United States has set no firm decisions on the basic architecture for machine-readable documents, pending the final ICAO recommendations.

Similarly, the United Kingdom, which tested an iris-scan system at London's Heathrow Airport last year, plans to embed contactless smart card chips bearing at least one biometric technology in passports by 2005 but is waiting for the ICAO recommendations.

It is thus unclear how soon the talk about machine-readable travel documents will translate into contracts and markets for technology suppliers.

"After 9/11, everyone thought the market would start using RFID chips, smart cards and biometric technologies in a heartbeat," said Edward Rerisi, director of research at Allied Business Intelligence Inc. But "that didn't happen," he said, largely because of the perception that "the political and privacy issues are far greater than the security benefits" and because "there is a huge issue of cost in terms of who is going to pay for all this."

Some U.S. government officials are stumping for the use of not one but a combination of two or three types of biometric data-fingerprint, iris print and facial-feature recognition-in passports. The U.S. Department of Commerce's National Institute of Standards and Technology (NIST), which spearheaded the biometrics evaluations, issued a report earlier this year advising that both fingerprints and facial recognition would be needed to protect U.S. borders adequately.

Many point out that new biometric data can be always added once the basic structure is put in place and the various technologies mature. But even after the technological logistics are hammered out, a key question-raised by privacy protection advocates and others-will be whether implementation and, later, expansion of the system is justifiable, ZN's Yon noted. To some privacy advocates, he said, adding a new form of biometric-data logging to an existing system raises "the risk of data abuse."

Another headache for implementers is "the interoperability problem," said Patrick Bouju, worldwide sales and marketing consultant for biometrics at STMicroelectronics. Biometric "templates"—mathematical representations of physical features-may not be portable among readers because thus far the algorithms have not been standardized. But "the U.S. government has been repeatedly telling the industry that it would not wish to be locked into a particular system or technology" because of interoperability problems, Bouju said.

Templates lag other elements of biometric systems in that regard; standards already exist for the communication interface between RFID chips and RFID-enabled readers and for the security engine (based on the Public Key Infrastructure) to protect the stored data. Another area found wanting is the technical specification for the basic logical data structure of each biometric technique.

Some argue that the contributions of disparate standardization activities are moving toward harmonization, as evidenced in the latest report by ICAO's technical advisory group. Various ISO technical subgroups are developing biometric application-programming interfaces, exchange formats and test algorithms.

But others fear that those have gotten caught up in such detailed levels of standardization on biometric templates may be missing the point.

ZN's Yon is a big proponent of the use of original biometric prints-such as a plain passport picture-rather than a biometric template. "It allows the system to be vendor-independent. It's much easier to update technologies, because your technology does not need to be frozen by the use of certain biometric templates," said Yon. But perhaps the biggest argument favoring facial-recognition technology is that a mug shot is already present in every passport; it's not based on new biometric data.

Further, the use of biometric original prints, rather than templates, can ease the privacy issue, according to Yon. For both privacy protection and data protection, the most important thing is transparency [of information], he said. "Users must be able to look at what has been stored. If a template is stored, you need to depend on a machine to read it."

And you need to launch a campaign to convince citizens to supply it. If Germany's government were to tell its citizens to report to their town centers to supply fingerprints and iris images, "a revolution would start," Yon quipped.

Indeed, the successful rollout of biometrics-embedded travel documents in democratic nations could rely on enabling legislation that assures privacy protection. "Privacy law in the storage and usage of [other types of] data should apply to biometric data as well," Yon said. Germany passed a law in 2002 allowing the inclusion of biometric data in identity documents, but its parliament has yet to vote on implementation of the law.

Setting aside the need to choose among biometric platforms and algorithms, the technical details of implementing the technologies in travel documents have been largely sorted out. The trend is to embed passport booklets with chips of the type now used in ID cards, said Infineon's Houdeau.The major external element required to make the transition is the addition of a passport "holder page" for the chip.

Regulations vary from country to country, but generally passports are valid for five to 10 years, and those held by frequent travelers could take a beating over that time. To ensure the embedded biometric devices will hold up, chip companies and secure-printing companies have been working on new materials for the holder page and have been tinkering with the depth of the chip and its packaging. Other choices to be made are the process technology and equipment used to produce the chip.

The chip must have "an attack-free crypto controller" to protect the stored data and must manage low-voltage power, drawn from the reader, to start the controller, said Houdeau. The chip would run an operating system, such as Java, to allow information to be written to the device. Ample memory space must be provided on the die to store the biometric data. Houdeau estimated that it takes 200 bytes to store one fingerprint, while storing one face takes 3,500 bytes at minimum.

Much of the chip development work for Infineon's take on the technology has been completed, and the company is in the process of "stabilizing the product," Houdeau said. He said that Infineon will be able to produce the chip in volume starting in the second half.

See related chart