automated border control: problem...
TRANSCRIPT
Automated Border Control: Problem Formalization
Prepared by: Dmitry O. GorodnichyCanada Border Services Agency 14 Colonnade Road, 2nd Floor Ottawa, Ontario
S. Yanushkevich V. Shmerko University of Calgary 2500 University Dr. NW Calgary, Alberta
Scientific Authority: Paul Hubbard DRDC Centre for Security Science 613-992-0595
Contract#CSSP-2013-CP-1020
The scientific or technical validity of this Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.
Defence Research and Development Canada DRDC-RDDC-2015-January 2015
IMPORTANT INFORMATIVE STATEMENTS
Risk analysis of face and iris biometrics in automated border control applications CSSP-2013-CP-1020 was supported by the Canadian Safety and Security Program which is led by Defence Research and Development Canada’s Centre for Security Science, in partnership with Public Safety Canada. The project was led by Canada Border Services Agency in partnership with University of Calgary.
Canadian Safety and Security Program is a federally-funded program to strengthen Canada’s ability to anticipate, prevent/mitigate, prepare for, respond to, and recover from natural disasters, serious accidents, crime and terrorism through the convergence of science and technology with policy, operations and intelligence.
© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 201
© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 201
1
Automated Border Control: Problem FormalizationD. O. Gorodnichy, S. N. Yanushkevich, and V. P. Shmerko
Abstract—This paper introduces a formalization of the Au-tomated Border Control (ABC) machines deployed worldwideas part of the eBorder infrastructure for automated travellerclearance. Proposed formalization includes classification of theeBorder technologies, definition of the basic components of theABC machines, identification of their key properties, estab-lishment of metrics for their evaluation and comparison, aswell as development of a dedicated architecture based on theassistant-based concept. Specifically, three generations of theABC machines are identified: Gen-1 ABC machines which arebiometric enabled kiosks, such as Canada’s NEXUS or UK IRIS,to process low-risk pre-enrolled travellers; Gen-2 ABC machineswhich are eGate systems to serve travellers with biometric eID/ ePassports; and Gen-3 ABC machines that will be working tosupport the eBorder process of the future. These ABC machinesare compared in this paper based on certain criteria, such asavailability of the dedicated architectural components, and interms of the life-cycle performance metrics. This paper addressesthe related problems of deployment and evaluation of the ABCtechnologies and machines, including the vulnerability analysisand strategic planning of the eBorder infrastructure.
I. INTRODUCTION
The International Air Transport Association (IATA) esti-mates that the volume of international air travel passengers willgrow at around 6% per year. It will result in nearly 1.4 billionpassengers in 2015 [25]. The entire traveler screening systemparadigm should be changed to provide a solution that balancesthe trade-off between maximizing security while minimizingthe border processing time. The key challenges in the borderdomain are migration pressure, increased security threat, andpredicted increase of the travellers’ flow.
The human factor has also been regarded as a highly vul-nerable element of the border screening system. In 2009, therewere about 30,000 personnel members performing passengercheckpoint screening at all USA airports [10]. As mentionedin the above report, many factors contribute to human per-formance limitations, including inadequate training, lack ofmotivation and job satisfaction, fatigue, and workplace con-ditions, as well as general human perception and performancelimitations.
To address these challenges, many governments are in theprocess of developing the strategies for border moderniza-tion [11], [10], [14]. Their key component is seen in theautomation and improvement of the traveler authenticationand clearance process. The cost of modernization have beenreported in many documents, in particular, the costs of USAborder modernization are given in [28]. According to the
D.O. Gorodnichy is with Science and Engineering Directorate, CanadaBorder Service Agency. S. N. Yanushkevich and V. P. Shmerko are withBiometric Technology Laboratory, Department of Electrical and ComputerEngineering, University of Calgary, Canada, http://www.ucalgary.ca/btlab.
eBorders roadmap, created by the International Civil AviationOrganization (ICAO) for the short-term perspective (2017),e-gates and e-passport/ID will be deployed in most airports.From long-term perspective (2020+), the eBorder machineswill be able to communicate globally [25].
This paper extends on the presentation in [19] and presents aformalization of the Automated Border Control (ABC) systemas part of the larger eBorder infrastructure that is beingdeveloped in many countries for automated traveller clearance.The issues with the existing ABC systems are summarized(Section II), the evolution of ABC over time is analyzed(Section III), three generations of ABC are defined (SectionIV) followed by the presentation of the ABC machine withinthe Air Traveller Continuum (Section V), classification of alleBorder technology components (Section VI), analysis of toolsfor ABC machine performance assessment (Section VII) andfuture work (Section VIII).
II. ISSUES WITH EXISTING SYSTEMS
By examining the issues with the deployed biometric-enabled automated border control systems, including those thatled to closing of the UK IRIS program [4] and those thatcontribute to deviating performance of eGates in Europe, thefollowing conclusions can be made.
First of all, a substantial percentage of failure observed inthose systems is due to sources of risks other than those relatedto the biometric recognition performance. For example, EUeGate systems send approximately one in eight (10) travellersto manual control, with rejection rate varying drastically fromone country to another. This indicates that there are manyother factors in addition to biometric recognition quality thatinfluence the performance of the system [29], [35]–[37]. Someof these factors can be controlled, such as machine-humaninterfaces, ergonomic of man-traps, airport logistics and borderofficer training. Other factors, including traveller’s fatigue, or(non)familiarity with system, cannot be controlled.
Furthermore, the ABC system is one of many componentsin a complex semi-automated border crossing process, whichdeals with granting travellers an entry to a country. Therefore,any failure or risk related to the deficiency of the biometricrecognition can be mitigated by other non-biometric means. Itis, therefore, important to understand what a general eBordercrossing process is and what role a biometric-enabled technol-ogy/component plays there.
A. Lessons from UK IRIS systemIris Recognition Immigration system (IRIS) is UK Home
Office led program. It aimed at providing expedited automatedclearance at the UK immigration for certain low-risk pre-enrolled frequent travellers of low risk through the use of iris
2
Fig. 1. Conceptual diagram of the evolution of the ABC systems in time.
biometrics [22], [26]. The system worked by comparing liveiris images, captured by the system, against the iris imagesstored in the database. It was eventually dismantled in 2013in favour of using the e-Passport-based gates [4]. Key factorsleading to the closing of the IRIS program for trusted travelersare identified in [40].
B. Lessons from EU eGatesThe ePassport-based automated border control systems
(eGates) are currently the fastest growing development projectin the eBorder business. Recent analysis of these systems [29],[35]–[37] shows the following. Whilst the German Federalpolice is generally satisfied with the EasyPASS systems, theOperational Reject Rate (ORR), which is defined as an overallratio of people sent to manual examination, is still too high.Based on the current statistics, the target objective for futureoperation of EasyPASS systems is set to reach ORR < 10%.Within this number, a fraction of the ORR from biometrics is< 5% (first goal), the fraction of the ORR contributed by thewatch list and document checks is < 5% (second goal). Theoverall optimization goal for the user guidance/protocol is toavoid rejects due to travelers behavior (third goal).
The statistics from [6] provides additional highlights onthe variation of the ABC performance for various groups oftravellers. — The best facial False Reject Rate (FRR) hasbeen achieved with Portugese citizens (FRR= 1.36%), and theworst performance (FRR= 18.18%) was achieved for Danishcitizens. In total, one in 10 traveller was directed to manualcontrol, because of facial verification failure (FRR= 9.30%,among 18,884 travellers who used the ABC systems over thetested period).
III. EVOLUTION OF ABC SYSTEMS
Biometrics, as a technology for automated authentication ofhumans based on their measurable biological traits, has beenoriginally applied to access control. It has been often utilizedto allow the entry to protected areas for enrolled individuals.Physical and logical access control, enabled by the biometricssuch as fingerprints and iris, has become a one of the most used
real-time application of biometrics. While occasionally someissues related to those systems still occur, they have becomean essential part of the security and identity managementinfrastructure in many organizations. Several guidelines andstandards have been developed to support these systems andevaluate their performance [27], [30].
Following the success of biometric-enabled access controlsystems, it appeared natural to extend the application of bio-metric systems from access control to border control. In early2000s, several countries introduced the Registered (or Trusted)Traveller Programs (RTP/TTP) to allow the pre-cleared pre-enrolled travellers to cross the border by using biometrics.This was done by reusing the biometric framework for accesscontrol in the application to border control. In some cases, thesame biometric components were deployed for both borderand access control. An example is NEXUS iris recognitionprogram, which used the same iris biometric device as inCATSA RAIC access control system [7].
It took several years to appreciate the fact that, while seem-ingly very similar to access control systems, border controlsystems are critically different from their earlier predecessor.These differences are characterized by the following shifts:
1) From habituated to non-habituated users,2) From a close set to an open set of users,3) From low-risk to unknown-risk users,4) Toward higher number of supporting technologies,5) Toward semi-automated operation and need for auto-
mated personnel training,6) From optional to critical infrastructure, and7) From controlled to semi-controlled environment.In addition, the users of the ABC machine are referred to as
attended users of the biometric devices. The latter are observedand guided by the ABC management, as opposed to unattendedusers, such as in the unsupervised access control systems[47]. It can also be noted that the ABC systems operate inpublic spaces controlled by separate parties (airport authorities,transportation security, customs/border control), which havedifferent and sometimes conflicting objectives when operatingthe systems.
Finally, unlike the earlier generations of the ABC machines,which usage was voluntary albeit recommended, the ABCmachines deployed today are deemed to be a mandatorycomponent of the eBorder. The ABC machine shall processthe majority of on-going traveller traffic. Therefore, it shallwork 24/7, becoming a critical infrastructure that needs tobe constantly monitored and supported. In some cases, thissupport may have to be done by the border officers who haveother critical duties, related to their border control mission-critical functions.
The evolution of the biometric systems is conceptualizedin Fig. 1. Following the deployment of biometric-based accesscontrol systems, the first known ABC systems, embodied in theform of biometric-enabled Registered Traveller Program (RTP)kiosks, provided expedited passage to a small percentage ofpre-cleared registered travellers (Gen-1 ABC). Next milestone,eGates installed at checkpoints in various airports, are capableof processing all travellers carrying an ePassport and eIDbiometric documents (Gen-2 ABC). Finally, the future systems
3
State 1: Initialization of the ABC machine byproviding personal data when buying a ticket.State 2: Initial risk-factor estimation using theclearance technologies; information about thetraveler is searched and analyzed starting fromthe moment of the ticket purchase.State 3: Risk factor correction using the riskassessment technologies based on local surveil-lance facilities; information about the traveler’sactivity in the airport (logistics) is collected andanalyzed.State 4: Risk factor correction using verifi-cation technologies (e-passport) and additionalrisk assessment techniques (watchlists for the e-passport and its holder). Any decisions are madeby default.State 5: Risk factor correction by manual riskassessment (by border officer), if needed. Thefinal decision is made.
Fig. 2. Air Traveller Continuum: Schematic of the border process for a traveler wishing to cross the border by plane.
will process the entire flow of travellers arriving by air, withthe information about them collected through their entiretravel within the Air Traveller Continuum (Gen-3 ABC). Thefigure illustrates how the number of supporting technologies,including both biometric and non-biometric technologies, andthe number of factors influencing the performance of thesystem, changes with every ABC generation.
IV. THREE GENERATIONS OF ABC MACHINES
The rigorous division of the ABC machines into threegenerations reflects the needs, requirements, and trends. Itaddresses the technical point of view (all phases of the systemlife-cycle), technological one (gathering and processing ofinformation), and the system-level one (collaboration of large-scale distributed machines, their risks and vulnerability). It iscoherent with the vision by the IATA and ICAO, and theirunderstanding of 2020+ horizons [25].
The 1st generation (Gen-1 ABC machines): These ABCmachines serve only the registered travelers. Example of suchmachines are NEXUS’s clearance kiosks [9] based on irisverification (Canada/U.S. border) and IRIS machines in UKdemounted in 2012 [18].
The 2nd generation (Gen-2 ABC machines): These machinesare used worldwide. They are based on the e-passport/e-ID technology. They serve all travelers, including registeredtravelers, via a simplified checking procedure. The definitionsand analysis of such systems are best developed by Frontex[14], [17], [18], [36], [37].
The 3rd generation (Gen-3 ABC machines): They representa concept of the next-generation system that is being developedby many countries in support of the eBorder process ofthe future. Gen-3 ABC system extends the border controlfrom a Checkpoint solution to an Air Traveller Continuumsolution. It makes use of the entire eBorder traveller screeninginfrastructure.
By incorporating the knowledge of the ABC evolutionand trends presented above, we provide the following formaldefinition of an ABC machine.
Definition: A Gen-3 ABC machine is a future system definedby the following properties:
Property 1: It makes use of the entire airport infrastructureand related processes.
Property 2: It is a large-scale system.Property 3: It performs authentication of travelers.Property 4: It is a semi-automated system that operates
under supervision of a border officer.Property 5: It is a risk differentiation (profiling) system that
analyzes available information about each travelers and assignshim/her a risk factor.
Property 6: It is a machine that automatically communicatesacross the data network with other ABC machines and eBordercomponents.
Property 7: It is a machine that can be used in both anoperation mode and a training mode (automated short-termintensive training of personnel).
Such a formalization provides means for the analysis ofthe ABC system performance and risks through modeling andanalysis, which can be used for developing recommendationson the feasibility and costs of the ABC systems.
V. THE ABC MACHINE AS EVIDENCE ACCUMULATING
MACHINE OF THE AIR TRAVELLER CONTINUUM
According to its formalized definition, an ABC system isseen as an evidence-accumulating machine, which accumulatesinformation about travellers as they advance in their travelthrough the Air Traveller Continuum, and which makes thefinal admissibility decision based on the obtained evidence.
A schematic picture of a typical Air Traveller Continuumprocess is shown in Figure 2. Air traveller continuum isdivided into four main stages: PreBorder (prior to departure),PreBorder (en route), At border (entry), and At border (exit),which are divided into smaller distinctive stages. Pre-screeningtechnologies are engaged at PreBorder (prior to departure)stage. It is aimed at assigning a risk level (or risk factor)Rt(0) to a traveller prior to his arrival to an airport, basedon all surveillance information available about the traveller atthe time of buying a ticket. The rest of the technologies are
4
engaged at later stages, aimed at further refinement of the trav-eller’s risk factor Rt(s) as a traveller progresses through dif-ferent stages of the air continuum process and the information(evidence) about the traveller is accumulated. The process ofevidence accumulation continues until the final At border (exit)stage, at which the final clearance (admissibility) decision ismade, based on the decision rule and the final traveller’s riskfactor Rt(final). Additionally, a separate risk value associatedwith the traveller goods Rgoods(final) can be also establishedand tracked, and then used for the admissibility decision.
Following a typical eBorder process as shown in Figure 2,ABC machine is initialized at the moment the traveler providedhis/her personal data (Advanced Passenger Information) whenbuying the ticket or applying for visa. From this moment,the risk assessment and screening tool starts collecting andanalyzing the information about this traveler. This processis the first stage of the security clearance procedure. In theairport, a traveler is a subject to the local security surveillance,screening, and clearance. This constitutes the second stageof screening and includes data about the traveler’s activityin the airport (parking, taxi, baggage, accompanying people,calls, contacts, etc.) as well as the information about the goodshe/she is bringing (custom declaration). As a traveler boardsthe plane, arrives to a Port of Entry, picks up his/her luggage,proceeds to the Primary Inspection Lane, waits in the line, andis finally processed by an Officer and/or an ABC gate/kiosk,the information about him/her is constantly collected, until thefinal decision is made at the final stage allowing or denyinghim/her an entry to the country.
Fig. 3. Architecture of the ABC machine consists of (a) the supervisionfacilities, and (b) the decision support assistant which includes both theverification assistant and the clearance assistant.
A. Architecture of the ABC machine
Conceptually, the ABC machine can be viewed as a de-cision support assistant (Fig. 3). It includes a recognitionassistant tasked with identity verification using the biometric
modalities specified by the e-passport, and a risk assessmentassistant which performs the risk assessment function using allavailable sources. The reports, provided by these assistants,are processed using the principles of consolidated clearanceand decision-making. The output is a recommendation, whichis final by default. This corresponds to the semi-automatedprinciple of the border control. If a traveler has been directedto a manual check, the officer uses an interviewing techniquewhich can be supported by a behavioral assistant [48]. Themulti-gate ABC machine is an accelerated ABC machine thatuses multiple gates for processing travelers in a parallel mode.
VI. COMPONENTS OF EBORDER
The eBorder concept is recognized as an infrastructurefor automated border control and management. Through thesurvey of the border clearance technologies used in the lasttwo decades, five (5) key eBorder technology components areidentified as presented in Table I. These traveller screeningeBorder components rely on a number of supporting tech-nologies, such as RFID, MRTD, ePassports and traveller pre-screening programs. Specifically, pre-screening (also knownas statistical surveillance) of travellers is assumed by defaultin all eBorder screening technologies and is a separate andcritical component of the eBorder. Pre-screening programs(such as CAPPS [20], EUROSUR [24], SEMAPHORE [21],FLUX [13]) assign each traveller a perceived risk level (risk-factor), based on information involving personal background,prior travel history, social network etc. The initial data isprovided by the traveller when s/he is applying for visa orbuying the ticket. The obtained pre-screening risk factor ofthe traveler provides the initial basis for admissibility decision.This risk factor is updated during the travel, as more evidenceis collected about the traveller while s/he advances throughthe Air Traveller Continuum. When the traveller reaches theborder entry, the final admissibility decision is made, eitherby a border officer or an ABC machine, based on all evidencethat has been accumulated.
It is important to note that the ABC machine (Component Vin Table I), as the final component of the eBorder that makesthe admission decision recommendation, relies on all othercomponents of the eBorder deployed at earlier stages of theabove process. This principle is vital when the performance ofan ABC machine is analyzed.
VII. ABC MACHINE PERFORMANCE ASSESSMENT
A. Performance evaluation: brief overviewThere are various approaches to the ABC machine perfor-
mance evaluation. They have been developed for assessingthe systems such as a biometric-enabled system [5], [30],verification machine and supported technologies [14], [15],[16], or a particular case of authentication machine [38].Performance is measured in different metrics, for example,operational reject rate [35], and/or throughput rate [14], [15].These performance evaluation techniques cover the basic op-erational and deployment scenarios of the ABC machines. Theperformance in particular scenarios can be measured using theappropriate modeling techniques [1], [32]. In the abundance of
5
TABLE I. TAXONOMY OF TECHNOLOGIES FOR EBORDER SCREENING.
# Technology Key Principle Implementations Basic assumption and limitation
I.“Three-lane” risk-based processing
It divides travelers into the defined riskcategories: fast clearance for low-risktravellers, most attention to travellersof high or unknown risk. Division into“lanes” can be topological or logisti-cal, either accelerated by the travellerinvolvement or not.
As two-lane technology for regular andtrusted travelers, using one or two lo-gistical lanes; TSA Diamond (by trav-ellers choice) – three logistical lanes;APC/ABC kiosks (by travellers choice,according to citizenship) – two logisticallanes.
There is a mechanism for distinguishingthe travelers with respect to their risk-factor. Travellers cooperate when pro-vided with an acceleration technology.
II.Non-automated be-haviour screening
Trained officers observe the travelers us-ing airport surveillance facilities in orderto detect behavior abnormalities. It isbased on human skills only.
Typical mass behavioral profiling pro-grams (U.S.) The SPOT, CAPPS, SecureFlight are [12], [42].
Humans can be trained to identify ab-normalities. Trained personnel cannot bereplaced by any behavioral profiling ma-chine. Low use of technology. Humanabilities are limited.
III.
Automatedbehaviourscreeningtechnology
Detect hidden human intentions throughfusion of multi-modal and multi-bandbiometrics (voice, eye movement, pupildilation, etc. ) combined with ArtificialIntelligence tools.
The FAST project (U.S.) [11].Interview supporting machines:AVATAR systems [3].
Machines can better discern abnormali-ties and hidden intentions, better handlehigh volume of travellers, be unbiased.
IV.Automatedqueuingtechnology
Delegate the upstream border control(less intelligent tasks such as documentscanning) to machines, and the down-stream control (more intelligent tasks) toborder officers.
Self-service automated passport / borderclearance (APC/ABC) kiosks deployedin Vancouver, Montreal, Toronto, andChicago International Airports [2], [8].
Separate border crossing operations withrespect to the required level of in-telligence (human vs. machines). Donot perform authentication of documentholders. May have video cameras. Maypotentially capture travellers’ biometricdata.
V.
Biometric-enabledAutomated BorderControl (ABC)traveller clearancesystems
Person-interaction system with decisionmaking mechanism that assists trav-eller clearance through automation oftwo tasks: 1) traveller authentication(through biometrics) and 2) traveller riskassessment (through risk assessment)
Gen-1 ABC: RTP-based (since 2002,examples: UK: IRIS. Netherland: PRE-VIUM. Canada: NEXUS.[9]).Gen-2 ABC: eID/ ePassport based (since2006, examples: EU, Australia [14],[17], [18]).Gen-3 ABC: future eBorder machines(2020)
Combination of biometric and risk as-sessment technologies, supported byspecial purpose infrastructure (both localand global), makes border control moreefficient and secure.
approaches to performance evaluation, more general, combinedmetrics are often needed. An example of border managementapplication that requires a combined biometric performancemetric along with a risk/cost metric is introduced in [44].
In addition, the performance evaluation task must accountfor a well-known phenomenon such that the real operationalperformance of an ABC system is significantly less thenperformance of a particular biometric recognition componentor software [35], [36], [37]. To observe the effects of suchperformance degradation, a combined metric is needed. Moti-vated by this challenge, this paper proposes a combined metriccalled a life-cycle performance assessment.
B. Technical and non-technical factors
Developed as a technical system with a targeted perfor-mance, the deployed ABC machine shows the characteristicswhich are often different from the desired one. Technicaland non-technical factors influence its performance. Techni-cal factors can be efficiently controlled. For example, theperformance of the deployed recognition algorithms can beimproved, the machine-human and human-machine interfacescan be designed with the abilities to adapt to the user, er-gonomic of man-traps and e-gates can be improved, humanand machine operations can be better balanced, airport logistics
can be modernized, and border officers can be better trainedto deal with abnormal situations.
Non-technical factors include social, psychological, ethnic,cultural, religious, and geographical factors. They are usuallyhard or impossible to control, and they can significantlyinfluence the system performance. For example, it follows fromthe statistics reported in [37], [29], [36] that every 1 out of 8-10 travelers is directed by the ABC machine to the manualcontrol. Such performance is significantly worse than thedesired performance of biometric enabled system [33], [34].This is due to both the technical and non-technical factors, allof which that contribute to the performance degradation of theABC machines.
C. Life-cycle combined performance assessmentPerformance degradation with respect to non-technical fac-
tors is a particular feature of the ABC machine. The targeted,or desired, characteristics of the designed ABC machine cansignificantly differ from the ones of the machine being de-ployed and functioning under the pressure of non-technicaland uncontrollable factors. We suggest that this particularfeature of the ABC machine shall be evaluated using combinedperformance metric.
The combined performance metric is a way to evaluateperformance using two or more techniques. For example, (a)
6
evaluation of a system using notion of probability of thebest and the worth scenario is useful in analysis of risks ofdeployment scenarios [49]; (b) evaluation of the matcher in arecognition algorithm, using the false match/non-match metricand cost curves addresses the early phases of the ABC machinedesign [44]. In this paper, a combined metric is proposed forperformance assessment at three phases of the ABC life-cycle.
Definition 7.1: Life-cycle combined performance assess-ment of the ABC machine is defined by three measuring pointsof the ABC life cycle:(a) Design phase: Theoretical or algorithmic limit of per-formance; it is a performance of the biometric recognitionalgorithm tested on the database of biometric samples,(b) Prototyping phase: Predicted or vendor-reported perfor-mance; this is a performance of the integrated biometricalgorithm in the ABC machine, and(c) Deployment phase: Operational or real performance of thedeployed ABC machine, which defines the ratio of travelersfor whom the ABC machine cannot confirm the verification(they have to be sent to the manual control). It is expressed bythe clause “one in M travelers is directed to manual control”.
It follows from the above that (a) the real performanceis always lower than the desired one, or its predicted limit;(b) there are certain factors that influence the performancedegradation; and (c) it is difficult or impossible to estimatethe contribution of these factors to the system operationalperformance.
Life-cycle combined performance assessment includes twometrics: (a) the False Reject Rate (FRR) [5] for measuringtheoretical and predicted performance, and (b) OperationalReject Rate (ORR) for measuring operational performance[35].
The life-cycle combined performance assessment metric isuseful due to the following reasons:
1. It carries the notion of a potential, or available resource,which can be achieved. This resource corresponds to theperformance of the best recognition algorithms reported inliterature [33], [34].
2. It carries the notion of the efficiency of utilization of apotentially available resource, which represents the degree ofthe performance improvement.
3. It distinguishes the system performance and the biometricrecognition performance expressed by the clause (a) “1 in Mcustomers is wrongly recognized” and (b) “1 in N customersis wrongly directed to manual control”.
In addition, the proposed life-cycle combined performanceassessment metric provides the means to distinguish the con-trolled and uncontrolled factors. An example of such metric isgiven in Fig. 4, where the potential resource is estimated byratio 10/25.
D. Performance comparison of the deployed ABC machinesThe life-cycle combined performance assessment reported
for some known ABC machines is summarized in Table II. Thefirst three columns contain the country of deployment, year ofthe reported results, and sources of information, respectively.Next four columns contain a type of biometric modality,
Fig. 4. Example of the ABC machine life-cycle combined performanceassessment in terms of 1:M (1 in M ) metric. Theoretical performance, thatis, the performance of the biometric recognition algorithm tested on thedatabase benchmarks is 1:40. The predicted (vendor-reported) performanceof the integrated biometric algorithm in the ABC machine is 1:25, and theABC operational (real) performance of the deployed ABC machine is 1:10.
operational (real) performance, predicted (claimed by ven-dor) performance, and theoretical (algorithmic) performancein terms of 1 : M (1 person in M is falsely unauthorized).For simplification, the data in the last column correspondsto the following algorithmic FRRs of the recognition algo-rithms: iris – FFR = 0.1%, fingerprints – FFR = 0.1%,face – FRR = 1%, and fusion of face and fingerprint –FFR = 0.1% [33], [34]. Because of the limited availablestatistics, we assume that “the number of persons who arefalsely directed to manual control” and “the number of personswho are directed to manual control” are the same. The tablepresents the “pessimistic” low-bound reported values for theFRR.
TABLE II. LIFE-CYCLE COMBINED PERFORMANCE ASSESSMENT
METRIC FOR THE ABC MACHINES DEPLOYED IN EU.
ABC machine, Operational Predicted TheoreticalUK[22], [4] 1:10 1:50 (2%) 1:1,000Germany [36] 1:8 1:20 (5%) 1:100Germany [29] 1:7 1:20 (5%) 1:100Spain [6] 1:8 1:20 (5%) 1:100Spain [6] 1:10 1:25 (4%) 1:1,000
The following conclusions can be drawn upon the data fromTable II.
1. Best practice: Contemporary ABC machines operate atPerformance ORR = 1 in 10 travelers (1 : 10) . That is,1 in 10 travelers is directed to the manual control.
2. Resources: All deployed ABC machines have a goodresource for performance improvement. For example, the UK’sABC machine, based on iris recognition, utilized only 1/100 ofits resource (this machine was of the first generation, accord-ingly to our classification; the system was dismantled in 2012).The face-based ABC machines, deployed in Germany andSpain, utilize 1/10 of their potential resource. It is estimatedthat Spain’s ABC machines, based on fusion of face andfingerprint modalities, have a hundred times more resource.
7
3. Controllable factors: A lot of effort was undertaken byvarious institutions such as NIST and ISO to improve thedesign and performance of the biometric recognition algo-rithms. However, one can observe that increasing the powerof the recognition algorithms does not necessarily result inthe performance improvement. For example, Spain’s ABC ma-chine that combines power of facial and fingerprint biometricmodalities, performs just slightly better than the one with asingle modality.
4. Uncontrollable factors: International community, in par-ticular, the IATA and ICAO [25], and FRONTEX (EU) [14],[15] demonstrated the effort to reduce the dimensions ofthe uncontrollable factors. Additional study in various non-technical fields is needed in order to shift the weight of thenon-technical factors contributing to the performance degra-dation into the technical factors that can be controlled mucheasier than the other ones.
E. Evaluation via modelingModeling is the methodology for providing a predictive
measuring at any point/state of interest of eBorder infras-tructure, including the ABC machine and supporting tech-nologies. Three levels of the ABC modeling techniques aredistinguished:
The 1st level of modeling includes simulators, which offera general view of the eBorder crossing process, includingsimulation of illustrative examples/scenarios, aiming at ex-plaining the general bottlenecks of the eBorder technology,such as ARENA [43] and other modeling tools [32]. Thesetools are useful for this purpose and enable some numericalestimations, but they cannot provide all the necessary detailsfor the decision making.
The 2nd level of modeling corresponds to the needs ofa more complex ABC machine of the 2nd generation andsupporting infrastructure. To the best of our knowledge, thesetools are not developed yet.
The 3rd level of modeling involves powerful virtual simula-tors of global eBorders; this level is envisioned to be reachedby year 2020+, accordingly to the ICAO roadmap [25].
VIII. CONCLUSIONS AND FUTURE WORK
This paper attempts to formalize the concept of the ABCmachines and supporting technologies, thus differentiatingit from the particularized descriptions in terms of identitymanagement [38], [39] or deployment scenarios [14], [15].The framework of the proposed formalization is based onpostulating that the ABC machine is a (a) large-scale, (b)biometric enabled, (c) semi-automated, and (d) distributed au-thentication system. This machine is deemed to be embeddedinto social infrastructure in various ways and can operate onlyin a specific environment supported by intended technologies.The proposed formalization framework offers:
1) A classification of the ABC machines into three gener-ations,
2) Life-cycle combined performance assessment metric:three measuring points of the ABC life cycle reflect
performance degradation and potential resources forimprovement, and
3) A dedicated architecture: the principles of the assistant-based concept adopted from decision support or recom-mender systems are suitable for the ABC technologies.
The proposed formalization bridges the gap between thepractice of utilizing the deployment scenarios [14], [15], [25]and the concept of the generalized authentication machines[38], [39], [40]. These joint methodologies and techniquescan be useful in various emerging tasks. The latter includeevaluation and comparison of various ABC technologies, theirvulnerability analysis, application in other border crossingtechnologies such as immigration entry-exit systems, personneltraining, and strategic planning and development of the ABCtechnologies.
The key challenge of the ABC machine deployment is evalu-ation and prediction of the related risks. Modeling, quantitativeand qualitative prediction of such risks are recognized as ahigh-priority task of the future ABC technologies. This isidentified in this paper by the notion of three levels of modelingavailable to the researchers to analyze various risks of the ABCsystem within the larger eBorder process.
Disclaimer– The opinions presented in this paper are only that ofthe paper authors and do not represent the opinion of the CanadaBorder Services Agency (CBSA). The term ABC used in this paperdoes not refer to and does not have any association with the CBSAAutomated Border Clearance program and is used solely in referenceto a general system that performs automated clearance of travelersat the border.
Acknowledgment – This work was supported by the DefenceResearch and Development Canada (DRDC) Canadian Safety andSecurity Program (CSSP-2012-CP-1180). The authors are grateful toIgnacio Zozaya (Frontex) for provided valuable feedback.
REFERENCES
[1] Anderson, D. N., S. E. Thompson, C. E. Wilhelm, and N. A. Wogman,Integrating Intelligence for Border Security, J. of Homeland Security,Jan., 2004, Online: http://www.homelandsecurity.org
[2] Automated Passport control technology tolaunch at Chicago Midway International. Online:http://www.passengerterminaltoday.com/viewnews.php?NewsID=53566
[3] AVATAR: Border patrol kiosk detects liars trying to enterU.S. Homeland Security News Wire, August 21, 2012. On-line: http://www.homelandsecuritynewswire.com/dr20120821-border-patrol-kiosk-detects-liars-trying-to-enter-u-s
[4] Best, J., £9 m cost of eye scanning “would have been better spent onimmigration staff”, Government Computing, April 11, 2012, Online :http://central-government.governmentcor
[5] Bolle, R., Connell, J., Pankanti, S., Ratha, N. and Senior, A. Guideto Biometrics, Springer, 2004.
[6] Cantarero, D. C., D. A. P. Herrero, and F. M. Mendez, A multi-modal biometric fusion implementation for ABC Systems, Proc. IEEEEuropean Intelligence and Security Informatics Conf., 2013, pp.277–280.
[7] CATSA (Canadian Air Transport Security Authority): Restricted areaidentity card (RAIC). http://www.catsa.gc.ca/restricted-area-identity-card-raic
8
[8] CBSA (Canada Border Services Agency): Automated Border Clear-ance. http://www.cbsa-asfc.gc.ca/travel-voyage/abc-paf-eng.html
[9] CBSA (Canada Border Services Agency): NEXUS. http://www.cbsa-asfc.gc.ca/prog/nexus/menu-eng.html
[10] Elias, B., Airport passenger screening: Background andissues for Congress, Congressional research service, 7-570, www.crs.gov, R40543, April 23, 2009. Online:http://www.fas.org/sgp/crs/homesec/R40543.pdf
[11] DHS (Department of Homeland Security): Future Attribute Screen-ing Technology (FAST) Project, Science and Technology Di-rectorate, Department of Homeland Security, 2008. Online:www.dhs.gov/xlibrary/assets/privacy/privacy pia st fast
[12] Florence, J., and R. Friedman, Profiles in terror: Alegal framework for the behavioral profiling paradigm,George Mason Law Review, vol. 17:2, 2010, pp. 423–481. Online: http://www.georgemasonlawreview.org/doc/17-2 FlorenceandFriedman.pdf
[13] FLUX (Fast Low Risk Universal Crossing) is a governmental partner-ship that uses biometric data from passengers of participating countriesfor identification: http://en.wikipedia.org/wiki/FLUX Alliance.
[14] Frontex: Best practice technical guidelines for automated border con-trol (ABC) systems, Research and Development Unit, Warsaw, 2012.
[15] Frontex: Best practice operational guidelines for automated bordercontrol (ABC) systems, Research and Development Unit, Warsaw,2012.
[16] Frontex: Operational and technical security of electronic passports,Research and Development Unit, Warsaw, 2011.
[17] Frontex: BIOPASS II Automated biometric border crossing systemsbased on electronic passports and facial recognition: RAPID andSmartGate, Warsaw, 2010.
[18] Frontex: Study on automated biometric border crossing systems forregistered passenger at four European airports, Warsaw, 2007.
[19] D.O. Gorodnichy, V. P. Shmerko, and S. N. Yanushkevich, AutomatedBorder Control systems as part of e-border crossing process, NISTInternational Biometric Performance Conference. April 1-3, 2014.Online: http://www.nist.gov/itl/iad/ig/ibpc2014.cfm.
[20] Harris, D., How to Really Improve Airport Security, Ergonomics inDesign, Winter, 2002, pp. 1–6.
[21] Home Office (UK): eBorders programme review of the code ofpractice on data sharing, version 1.1, 19 December 2008. Online:http://www.ukba.homeoffice.gov.uk/sitecontent/documents/managingourborders/eborders/codeofpractice/review-code-of-practice?view=Binary
[22] Home Office (UK): Project IRIS (Iris Recognition ImmigrationSystem), Pilot Review Report, Annex A Pilot Success Cri-teria. Annex B Performance against Pilot Acceptance Crite-ria. V3.0, 30th November 2006. Online: http://www.ukba.home-office.gov.uk/managingborders/technology/iris/
[23] IRIS Project, Pilot review report, V3.0, Home Office, UK, 2006.Online: www.statewatch.org/news/2007/mar/bio-iris-project-review-pilot.pdf
[24] Hayes, B., and M. Vermeulen, Borderline the EU’s new bordersurveillance initiatives, Heinrich Boll Foundation, 2012.
[25] IATA: Checkpoint of the future. Executive summary.4th Proof. 2014. Online: http://www.bing.com/search?q=iata%3A+Checkpoint+of+the+future.+ Executive+summary
[26] IRIS Project, Pilot review report, V3.0, Home Office, UK, 2006.Online: http://www.statewatch.org/news/2007/ma
[27] ISO/IEC SC 37 FCD 19795, Information Technology – BiometricPerformance Testing and Reporting.
[28] Kephart, J., Biometric exit tracking. A feasible and cost-effectivesolution for foreign visitors traveling by air and sea, Centre forimmigration study, 2013.
[29] Marzahn, B., E-gate case study: The German EasyPASS Project,Federal Office for Information Security, www.bsi.de, Technical Ad-visory Group on Machine Readable Travel Documents (TAG/MRTD),International Civil Aviation Organization, 12th Meeting Montreal,Sept. 2011.
[30] Mansfield, A. and Wayman, J. Best Practice Standards for Testingand Reporting on Biometric Device Performance, National PhysicalLaboratory of UK, 2002.
[31] McLay, L. A., A. J. Lee, and S. H. Jacobson. Risk-Based Policiesfor Airport Security Checkpoint Screening. Journal TransportationScience, Vol. 44 Issue 3, 2010, pp. 333–349.
[32] Nie, X., R. Batta, C. G. Drury, and L. Lin. Passenger Groupingwith Risk Levels in an Airport Security System. European Journalof Operational Research, Vol. 194, No. 2, 2009, pp. 574–584.
[33] P. Grother and M. Ngan, Face Recognition Vendor Test (FRVT)Performance of Face Identification Algorithms, NISTIR 8009, 2014
[34] IREX III: Performance of Iris Identification Algorithms, NISTIR 7836,2012. http://www.nist.gov/itl/iad/ig/irexiii.cfm
[35] Nuppeney, M., Automated Border Control – state of play and latestdevelopments, NIST International Biometric Performance Conference.April 1-3, 2014 Online: http://www.nist.gov/itl/iad/ig/ibpc2014.cfm.
[36] Nuppeney, M., Automated Border Control based on (ICAO compli-ant) eMRTDs, NIST International Biometric Performance Conference,2012. Online: http://www.nist.gov/itl/iad/ig/ibpc2012.cfm.
[37] Nuppeney, M., M. Breitenstein, and M. Niesing, EasyPASS – Eval-uation of face recognition performance in an operational automatedborder control system, Federal Office for Information Security, 2010,Online: http://www.bsi.de
[38] Palmer, A. J., Criteria to evaluate automated personal identificationmechanism, Computers and Security, vol. 27, 2008, pp. 260–284.
[39] Palmer, A. J., Approach for selecting the most suitable AutomatedPersonal Identification Mechanism (ASMSA), Computers and Secu-rity, vol. 29, 2010, pp. 785–806.
[40] Palmer, A. J., and C. Hurrey, Ten reasons why IRIS needed 20:20foresight: Some lessons for introducing biometric border controlsystems. Proc. European Intelligence and Security Information Conf.,2012, pp. 311–316.
[41] PARAFE e-gates ease passenger flow at bor-der control, 2014. Online: http://www.safran-group.com/videos/video.php?sig=47dad33e0d3s&lang=en
[42] Poole, R. W. Jr. and G. Passantino, A risk-based airport security policy,Reason Foundation, Policy study No. 308, 2003.
[43] Rossetti, M. D., Simulation Modeling with ARENA, John Wiley, 2010.
[44] Sacanamboy, M., and B. Cukic, Combined performance and riskanalysis for border management applications, Proc. IEEE/IFIP Conf.Dependable Systems and Networks (DSN), 2010, pp. 403–412.
[45] SITA: A unique promise: Biometrics & border management, Air Trans-port IT Review, issue 2, 2012. Online: http://www. sita.aero/content/a-unique-promise
[46] TSA: Black Diamond Self Select Lanes. April 27, 2009. Online:http://www.tsa.dhs.gov/approach/black diamond.shtm.
[47] Wayman, J. L., National Biometric Test Center Collected Works.,National Biometric Test Center, San Jose, CA, 2000.
[48] Yanushkevich, S. N., O. Boulanov, A. Stoica, and V. P. Shmerko, Sup-port of interviewing techniques in physical access control system, In:S.N. Srihari and K. Franke (Eds), Computational Forensics, Springer,2008, pp. 147–158.
[49] Yanushkevich, S. N., V. P. Shmerko, O. Boulanov, and A. Stoica,Decision-making support in biometric-based physical access controlsystems: Design concept, architecture, and applications. In: N. V. Boul-gouris, K.N. Plataniotis, and E. Micheli-Tzanakou (Eds), Biometrics:Theory, Methods, and Applications, IEEE Press, Wiley, 2010, pp. 599–631.