
Vol. 3, No 3

Also in this issue: Rethinking identity in the digital age • Before and after ePassports • Operating systems for ID documents • Automated border control • State feedback: The Portuguese viewpoint

ICAO MRTD REPORT

INTERNATIONAL CIVIL AVIATION ORGANIZATION

The New 9303
The addition of a globally interoperable biometric standard to Part 3 of ICAO Doc 9303 expands and enhances the world’s guiding MRTD document to help States develop a new generation of ID card implementations

Contents

Editorial: Mauricio Siciliano, ICAO (p. 3)

COVER STORY
Tailoring Standards for States: The new Doc 9303, Part 3
The third edition of ICAO Doc 9303, Part 3, updates and replaces the specifications for machine-readable official documents of identity published in the second edition (2002) and represents a substantial modernization of the material contained in previous editions (p. 4)

Automated border control
Sjef Broekhaar of the International Organization for Migration, and Julian Ashbourn of the International Biometric Forum, on how automation can relieve the ever increasing burden of manual border checks (p. 7)

Discipline in issuance
John Mercer, Senior Associate, Kelly-Anderson & Associates, discusses the steps that States must take in order to create sound systems of issuance, production and distribution (p. 12)

Making the most of chip technology
A G&D white paper analysis of the operating system options for eMRTD chips highlighting the Native, Java and Multos options (p. 21)

Identity fraud and the digital age
Clemens Willemsen, of the Dutch Department of Justice, discusses how States may choose to take advantage of new digital capabilities and paradigms as eMRTD programmes advance based on projected capabilities (p. 26)

State perspective: Portugal
Dr. José Magalhães, Secretary of State for Portugal, provides a testament to the importance of the new ICAO standards in the development of his country’s impressive ePassport and passenger facilitation systems (p. 30)

Glossary: MRTD terms and concepts (p. 32)

ICAO MRTD REPORT
VOLUME 3, NUMBER 3, 2008

Editorial
Managing Editor: Mauricio Siciliano
MRTD Programme—Aviation Security and Facilitation Policy Section
Tel: +1 (514) 954-8219 ext. 7068
E-mail: [email protected]

Anthony Philbin Communications
Senior Editor: Anthony Philbin
Tel: +01 (514) 886-7746
E-mail: [email protected]
Web site: www.philbin.ca

Production and Design
Bang Marketing
Stéphanie Kennan
Tel: +01 (514) 849-2264
E-mail: [email protected]
Web site: www.bang-marketing.com

Advertising
FCM Communications Inc.
Yves Allard
Tel: +01 (450) 677-3535
Fax: +01 (450) 677-4445
E-mail: [email protected]

Submissions
The MRTD Report encourages submissions from interested individuals, organizations and States wishing to share updates, perspectives or analysis related to global civil aviation. For further information on submission deadlines and planned issue topics for future editions of the MRTD Report, please contact Mauricio Siciliano, managing editor, at: [email protected]

Opinions expressed in signed articles or in advertisements appearing in the ICAO MRTD Report represent the author’s or advertiser’s opinion and do not necessarily reflect the views of ICAO. The mention of specific companies or products in articles or advertisements does not imply that they are endorsed or recommended by ICAO in preference to others of a similar nature which are not mentioned or advertised.

The publishers extend their thanks to the companies, organizations and photographers who graciously supplied photographs for this issue.

Published by
International Civil Aviation Organization (ICAO)
999 University Street
Montréal, Québec
Canada H3C 5H7

The objective of the ICAO MRTD Report is to provide a comprehensive account of new developments, trends, innovations and applications in the field of MRTDs to the Contracting States of ICAO and the international aeronautical and security communities.

Copyright © 2008 International Civil Aviation Organization

PRINTED BY ICAO


Bringing States the globally-interoperable tools they require

MESSAGE FROM THE EDITOR

Dear readers,

With this issue of the MRTD Report, we are proud to announce the publication of the third edition of Doc 9303, Part 3, Machine Readable Official Travel Documents. We have included an overview of this document in this issue.

The specifications in this document are not intended to be a standard for national identity documents; however any State which participates in bilateral agreement(s) with one or more additional States, and which allows its identity document to be used to cross the border(s) between them, should design its identity document to conform to the specifications of Doc 9303, Part 3.

As with Doc 9303, Part 1, this third edition consists of two volumes: Volume 1, which is an updated version of the second edition containing all the specifications required for a State wishing to issue a machine readable official travel document without the incorporation of machine-assisted biometric identification. The second volume contains the specifications for enhancing the machine-readable official travel document with the globally interoperable system of biometric identification and its associated data storage utilizing a contactless integrated circuit.

With the publication of this document any additional biometric identification methods and data storage media, as included and described in the second edition (e.g. bar codes), are no longer to be regarded as ICAO-endorsed options within the new globally interoperable standard. However, States may use the non-standardized identification methods and media as they deem appropriate for their exclusive or agreed bilateral purposes.

One concept highlighted by the ICAO MRTD Programme is that of ‘global interoperability.’ In this context, the term is understood as the capability of inspection systems (either manual or automated) in different States throughout the world to exchange data, to process data received from systems in other States, and to utilize that data in inspection operations in their respective States.

Global interoperability is a major objective of the standardized specifications for placement of both human readable and machine readable data in all Machine Readable Travel Documents (MRTDs). Therefore, it is important to highlight that any international organization promoting the issuance of official documents of identity, or States wishing to issue such official documents of identity designed to facilitate cross-border travel with enhanced security by incorporating the globally interoperable, machine assisted biometric identification/data storage system, should comply with both Volumes of Doc 9303 Part 3.

Enjoy your reading.

Mauricio Siciliano
Editor

MRTD Report – Number 3 – 2008

Doc 9303, Part 3: An essential global standard

SUPPORTING STATES


The specifications in Doc 9303 are not intended to be a standard for national identity documents; however any State which participates in bilateral agreement(s) with one or more additional States, and which allows its identity document to be used to cross the border(s) between them, should design its identity document to conform to the specifications of Doc 9303, Part 3.

This third edition incorporates the new globally interoperable optional standard covering biometric identification of the holder and storage of the associated data on a contactless integrated circuit. Consequently, additional biometric identification methods and data storage media, as included and described in the second edition, are no longer to be regarded as ICAO-endorsed options within the new globally interoperable standard. States may, however, use the non-standardized identification methods and media as they deem appropriate for their exclusive or agreed bilateral purposes.

“For those States either planning to introduce an identity card or upgrade an existing document the new ICAO Doc 9303, Part 3 standards provide a proven foundation for this work with the added benefit of a card that can be used for international travel on a bilateral or multilateral basis,” commented Annette Offenberger, General Manager, Identity Services, New Zealand Department of Internal Affairs, and Chair of the ICAO TAG MRTD.

“While New Zealand has no current plans to introduce an identity card, I appreciate that a form of identity document is commonplace in many ICAO member States. The fact that the data storage medium together with the associated PKI security infrastructure has been proven operationally in ePassports will give States confidence that the standard can be applied in both national and international settings.”

The magnitude of the specification for the new globally interoperable biometric identification system and the data storage using a contactless integrated circuit is such that Doc 9303, Part 3, is now divided into two volumes. The first volume is an updated version of the second edition—containing all the specifications required for a State to issue a machine readable official document of identity where said State does not wish to incorporate the global facilitation option for its citizens that will be available with machine assisted biometric identification.

The second volume contains the additional specifications for the globally interoperable system of biometric identification and associated data storage utilising a contactless integrated circuit.

It is important to note that any State, when wishing to issue an official document of identity designed to facilitate cross-border travel with enhanced security by incorporating the globally interoperable, machine assisted biometric identification/data storage system, will therefore need to comply with both Volumes of Part 3.

“Part 3 now benefits from the comprehensive experience that has been developed based on implementations of the ePassport,” began Eckart Brauer, TAG MRTD member and specialist in this area from Germany’s Federal Ministry of the Interior.

“In Germany, the development of an electronic national ID card is now underway with issuance currently planned for the end of 2010,” Brauer continued, “however, the new German ID card is more than a travel document—it also comprises e-government as well as e-business functionality. These modern concepts needed to be reflected in appropriate standards to safely secure identity and other personal information stored on the card, and Doc 9303, Part 3 will prove invaluable in helping States to manage and take advantage of this ever-widening distribution of biometrically-secured identity cards that are now being used more and more worldwide for simplified border crossing. Germany is therefore very supportive of every effort extended to keep Part 3 updated and a living, evolving document.”

Certain specifications within Volume 1, particularly in relation to the portrait and other identification features, have been amended to ensure that when a State decides to upgrade to a globally interoperable biometric document only a minimum amount of change to the document will be required.


The third edition of ICAO Doc 9303, Part 3, updates and replaces the specifications for machine readable official documents of identity published in the second edition (2002) and represents a substantial modernization of the material contained in previous editions. As with all improvements to this essential global standard, this new round of improvements and enhancements is the result of an extensive and very cooperative process participated in by the world’s foremost experts in this area, most notably from the ISO and the various Member States that have played instrumental roles as this process has continued.

The expanded specifications and guidance material on matters such as naming conventions, transliteration of national characters in the machine readable zone, as well as the calculation of check digits, have been retained in this first volume of Part 3. The options for the inclusion and placement of an integrated circuit with contacts, a bar code, a magnetic or an optical memory stripe on the document remain, as does the option to use biometric identifiers other than facial recognition supported by fingerprint and/or iris data. It is to be emphasized, however, that the inclusion of these storage media and the data thereon is solely for use by the issuing State or by other States by bilateral agreement—they are not globally interoperable.

The emphasis on the security of the document against fraud by alteration or counterfeit is given greater prominence in this third edition, as is the need for security of the premises in which a travel document is made, personalised and issued. New emphasis has also been added on the need for carefully vetting staff employed in these activities.

One concept highlighted in the second edition was that of ‘global interoperability.’ In this context, the term is understood as the capability of inspection systems (either manual or automated) in different States throughout the world to exchange data, to process data received from systems in other States, and to utilize that data in inspection operations in their respective States. Global interoperability is a major objective of the standardized specifications for placement of both human readable and machine readable data in all Machine Readable Travel Documents (MRTDs).

In our increasingly security-conscious world, the need for machine assisted global interoperability has become a pressing concern. This has necessitated the standardisation of one primary biometric identification method and of one method of data storage.

The New Technologies Working Group (NTWG), established by the ICAO TAG in the mid-1990s, commenced an evaluation in 1998 of the various options and, in early 2001, selected and recommended facial recognition as the primary biometric to be employed along with a contactless, integrated circuit as the approved data storage technology. The recommendation was made specifically in response to the needs of passport issuing and immigration authorities to ensure accurate identification of a travel document applicant or holder—while minimising facilitation problems for the traveller. This recommendation was endorsed by the ICAO TAG and by the ICAO Air Transport Committee in 2003.

As before, provision has been made for issuing a passport as a wallet-size card in accordance with the specifications for the Size-1 machine readable official travel document as set forth herein, provided that the issuing State makes appropriate provision for other States to associate visas with it.

Automated Border Control

eMRTDs & FACILITATION

Among the many potential benefits of the eMRTD is the promise of automation and the possibility of either fully- or semi-automated border control points. Such a model might serve to relieve the ever-increasing burden of manual border checks, allowing immigration and border control personnel to be more effectively deployed in handling exceptions and further refining their own internal processes. Sjef Broekhaar and Julian Ashbourn explain.

By Sjef Broekhaar, International Organization for Migration, and Julian Ashbourn, International Biometric Forum

The introduction of eMRTDs represents a significant change in the quality of travel-related documentation. We now have a document which is not only considerably enhanced with respect to the physical security features of the document itself, but which also introduces valuable operational features in the form of the integral electronic chip and the provision of biometric identity verification.

Considering the relatively short gestation period of the new documents, the emergence of the eMRTD represents a solid achievement of international collaboration, spearheaded by the New Technologies Working Group (NTWG) of ICAO. Furthermore, an associated NTWG working group has produced a comprehensive set of guidelines regarding “eMRTDs & Passenger Facilitation,” that offers advice and best practices with respect to maximizing the potential of the eMRTD in passenger processing systems.

The combination of coordinated processes and the eMRTD itself provide an interesting framework for future border control operations. Legitimate travellers would also benefit from such automated processes, providing the physical implementation is thoughtfully considered and properly scaled in relation to the wider operations of the port or entry point in question.


Since the mid-80s, immigration services worldwide have been looking for new solutions to process the ever increasing number of travellers. As an illustration of this fact, Airports Council International (ACI) reports that, in 2006, 1,100 airports processed approximately 4.4 billion passengers. Not all of these passengers were processed by immigration or border control authorities, since this number also contains passengers on domestic flights. However, this figure places the sheer scale of travel transactions in context and the information in Figure 1 (below) provides a further illustration of the volume and growth in passenger movements using four large international airports as a test sample.

The processes and metrics used by immigration services and border control authorities have also progressed in recent decades. In the 80s the Immigration and Naturalization Service of the United States developed a system whereby passports of incoming passengers were scanned by airlines at check-in and details of the Passenger Name Record (PNR) were transferred to the US immigration authorities in order to execute an initial name check within their databases. The aim was to accelerate the border control process for those who had been pre-checked. Other processes were subsequently introduced, like Advance Passenger Information, APP and Pre-Clearance programmes in several countries.

Currently, passengers departing for the United States from a number of airports are cleared for entrance into the US by immigration officials and, upon arrival, can go straight to the baggage area to clear customs. Other countries have followed suit, some with more comprehensive entry systems like that introduced in Australia, in order to reduce the process time at the border.

Today, at many airports, seaports and border crossing points at train stations, automated border control systems are used in order to process large numbers of passengers. These systems have earned their place within the broader border control environment. Increasingly, countries, airport authorities and border control authorities are considering the use of such systems as part of their passenger handling process.

For these authorities the aforementioned guidelines on “eMRTDs & Passenger Facilitation” provide a better understanding of how to implement such systems successfully.

FIGURE 1: PASSENGER THROUGHPUT INCREASE AT MAJOR HUBS: 2002-2007

Airport               2002         2007         Growth       Growth %
London Heathrow       63,338,641   68,068,554    4,729,913    7.47
Tokyo Narita          61,079,478   66,671,435    5,591,957    9.16
New York JFK          29,943,084   47,810,630   17,867,546   59.67
Amsterdam Schiphol    40,736,009   47,793,602    7,057,593   17.33

One variation, which was first implemented at Schiphol Airport in Amsterdam, was an automated border control system. Frequent travellers had the opportunity to enroll into a voluntary registration system and were provided with a separate token containing an electronic chip. On this contact chip, the traveller’s fingerprint was stored in addition to applicable biographical data. The token could be used by the traveller to cross the border by verifying the live fingerprint against the stored fingerprint, and the transaction was always undertaken under the surveillance of an immigration officer.

A limitation with this idea at the time was that the token could only be used at one port. However, with the introduction of the ePassport, similar (automated identity verification) benefits may be realised at all ports due to the universality of the document. The “eMRTDs & Passenger Facilitation” guidelines promote the use of the eMRTD as a possible token for this process. However it must be remembered that the document is simply the physical result of a much wider process that includes issuance, renewal, revocation, as well as identity verification from a security perspective. The combination of the eMRTD and these wider processes together provide an operational framework for ethical, responsible and sustainable border control. The framework, however, is only as strong as its weakest link and, with the introduction of a properly implemented eMRTD, the weakest link is now unlikely to be the travel document itself.

We must also turn our attention to the systems and processes which operate in tandem with the eMRTD in order to provide the broader operational framework, while respecting the individual and, especially, those with special requirements, such as the disabled and elderly.

Given the extra confidence that eMRTDs are likely to inspire, it is especially important to review our issuance processes, including the use of breeder documents and mechanisms for initial identity verification. The supporting systems are equally important because, if these are compromised, data associated with a legitimate eMRTD may easily be falsified, leading to inappropriate actions including admissions and denials of service.

The security of every link in the system must receive attention, including root-level access control, administrator rights, activity logs, data encryption, secure communications, the proper use of firewalls and regular audits. We must also respect privacy and ensure that personal data is not misused. In addition, contemporary compliance issues, including PCI DSS (Payment Card Industry Data Security Standard), must be observed. The whole area of systems security and associated responsibilities may be further complicated if government agencies elect to outsource the provision and maintenance of such systems. This is an area for careful consideration.

In conclusion, the design and introduction of the eMRTD has undoubtedly been a notable success story for ICAO and its Member States. We might now consider this achievement as a distinguished first step towards a broader accomplishment: a harmonised and globally interoperable immigration and border control framework which may be operated fairly and efficiently for the common good.

The guidelines discussed in this article are published on the ICAO website and may be accessed via: http://www.icao.int/mrtd.

Before and after ePassports

By John Mercer, Senior Associate, Kelly-Anderson & Associates

The discipline required to operate a MRP issuance system is good training for the much higher level of technical performance that is possible with the ePassport. John Mercer provides background and insight into the steps that States must take in order to create sound systems of issuance, production and distribution.

States that have long issued machine readable passports are upgrading their production to ePassports to provide better identification for their citizens, to react to security concerns because of perceived threats to national and international security, to meet requirements of regional associations of States, most notably the European Union, and in the hopes that having an ePassport will be the ticket to getting Visa Waiver status.

States that do not yet issue machine readable passports share the same concerns as the present MRP-issuing States, but they have the added challenges of establishing a basic passport issuance system built on good citizenship data and accurate national records. In some cases, States may go directly from a non-MRP status to the ePassport.

The purpose of this article is to describe the process of transitioning from the present passport to an ePassport. Regardless of what the present national conditions are, major changes have to be made in how the passport is issued.

Background

A passport is a government document that identifies the holder and facilitates travel by providing bearer information in a uniform way, and a place for visas and other entrance and exit records. ICAO Document 9303, Part 1, describes the structural and security features of the modern Machine Readable Passport (MRP). In 2006, ICAO issued a revised version of Doc 9303, Part 1, in two volumes, one describing the traditional passport with machine readable data stored in Optical Character Reading (OCR) format, and the second volume describing the procedures for the electronic storage of data.


GUIDELINES FOR STATES


Being a government document, there are laws, regulations and procedures that are established by each issuing State or Organization that describe how their passports are to be issued, and used. Not surprisingly, these various issuance and usage laws differ between the States. In some cases, a passport is a right of citizens, and in other cases, citizens must justify their need to travel in order to be issued a passport.

ICAO provides standards and recommended procedures for passport and visa issuance in Facilitation Annex 9 to the Convention on International Civil Aviation. However, this guidance consists of only 25 points, and is less than two pages. Consequently there is much room for different interpretation and practice. There’s an old saying that applies here: “In theory, there is no difference between theory and reality, but in reality, there is.”

Nonetheless, there are a number of steps to the issuance of a passport through which all passports are issued. This paper is to provide an overview of these common steps, and the ways in which the addition of the biometric information, stored in an Integrated Circuit (IC) chip contained in the passport, has changed the procedures. In many cases, collateral advantages may be realized in the automation of the application process.

In speaking about upgrading passports to the ePassport standard, there are several initial points that should be considered.

States should ensure that they have adequate funding for the development and systems cost for the ePassport programme. This funding may be self-funded by user fees, or from government appropriated funds, or there may be donor nations or organizations involved. In any event, funding is first.

States should consider the reasons for introducing the ePassport. Visa Waiver States have dates certain for compliance. Members of international communities, such as the European Union, have deadlines for ePassport introduction.

While non-MRP States may wish to proceed directly to the electronic passport, there is value in ensuring that their passport is first brought up to the MRP standard in Doc 9303, Part 1. The passport should be correctly formatted, contain the recommended security features as cited in the Security Annex to Section 3 of any Doc 9303 MRTD standard, and must have a data page in compliance with Doc 9303 Part 1 on MRPs, including a fully readable, correctly formatted, and properly printed machine readable zone.

Not only is this the operating norm for international travel, but for States contemplating use of the Basic Access Control feature in their MRPs, having a correct MRZ is mandatory for allowing electronic access to the data stored on the ePassport. In many cases, the ePassport will be inspected visually, and it is important to maintain the traditional physical security features, so that in the case of electronic compromise or broken electronics, the passport can still serve as a trusted credential for border crossing. An ePassport with a broken or malfunctioning chip is still a valid passport.
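Why a correctly printed MRZ is a precondition for Basic Access Control, rather than a cosmetic detail, is easiest to see in code. The following Python is an added example, not code from the article or from ICAO: it implements the Doc 9303 check-digit rule (weights 7, 3, 1 cycling over the field; digits count as their value, letters A to Z as 10 to 35, the filler '<' as 0; the weighted sum modulo 10), validates each protected field of a TD3 passport second line plus the composite digit, and derives the BAC key seed the way Doc 9303 defines it (SHA-1 over document number, date of birth and date of expiry, each with its check digit, truncated to 16 bytes). The two 44-character MRZ lines are constructed sample inputs laid out in the TD3 format; one has a single mistyped digit in the date of birth.

```python
import hashlib

# Doc 9303 check-digit weights, applied cyclically left to right over a field.
WEIGHTS = (7, 3, 1)

# Constructed samples: a second MRZ line in the TD3 (passport) layout, and a
# copy with one digit of the date of birth mistyped (740812 -> 740813).
SAMPLE_LINE = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
MISPRINTED_LINE = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"

# Fixed positions in a TD3 second line: (start, end, position of its check digit).
FIELDS = {
    "document_number": (0, 9, 9),
    "date_of_birth": (13, 19, 19),
    "date_of_expiry": (21, 27, 27),
    "optional_data": (28, 42, 42),
}


def char_value(ch):
    """Map one MRZ character to its Doc 9303 numeric value."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character not permitted in an MRZ: {ch!r}")


def check_digit(field):
    """Doc 9303 check digit: weighted sum of character values, modulo 10."""
    return sum(char_value(ch) * WEIGHTS[i % 3] for i, ch in enumerate(field)) % 10


def printed_digit(ch):
    """A check digit as printed; a filler '<' in that position reads as zero."""
    return 0 if ch == "<" else int(ch)


def validate_td3_line2(line):
    """Check every protected field of a TD3 second line and the composite digit.

    Returns a dict mapping field name to True (check digit matches) or False.
    """
    if len(line) != 44:
        raise ValueError("a TD3 MRZ line is exactly 44 characters")
    results = {
        name: check_digit(line[start:end]) == printed_digit(line[cd_pos])
        for name, (start, end, cd_pos) in FIELDS.items()
    }
    # The composite check digit (position 43) covers document number, date of
    # birth, date of expiry and optional data together with their own check digits.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = check_digit(composite) == printed_digit(line[43])
    return results


def bac_key_seed(line):
    """BAC key seed per Doc 9303: SHA-1 over document number, date of birth and
    date of expiry, each followed by its check digit, truncated to 16 bytes.
    A single misread MRZ character yields an unrelated seed, so the inspection
    system cannot authenticate to the chip."""
    mrz_information = line[0:10] + line[13:20] + line[21:28]
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


if __name__ == "__main__":
    for label, line in (("sample", SAMPLE_LINE), ("misprinted", MISPRINTED_LINE)):
        print(label, validate_td3_line2(line), bac_key_seed(line).hex())
```

Run on the two constructed lines, the intact line passes every check, while the line with the mistyped date of birth fails that field's own check digit and the composite digit and produces a different key seed. An inspection system would therefore reject the MRZ before attempting to open the chip, which is exactly the dependency the paragraph above describes: the printed MRZ has to be fully readable and correct before BAC can do anything at all.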

Steps to passport issuance

Application

The person decides to apply for a passport. This usually requires filling out a form, either in paper or online. In addition to personal information, the applicant has to provide photos and the proper fees. All first-time applicants require a personal appearance before an authorized government official to check the veracity and completeness of information provided.

ePassports require biometric information to be captured for inclusion in the electronic chip contained in each passport. The mandatory biometric is the face image. This image must meet uniform standards for clarity and size, as defined in ISO/IEC 19794-5. Illustrative guidelines for portrait quality, style and lighting, glasses and head covers, and expressions are included in Doc 9303, Part 1, Appendix 11.

In moving to electronic scanning of forms, considerable efficiencies can be obtained by having a scannable-friendly form: all data on one side of the page, clear layout of data fields that may be machine scanned, and print fonts that are easy for the applicant to read, and to fill in correctly.

Optional biometric measures are the fingerprint and iris. The quality of the biometric images is critical to the success of the identity comparison process. While 10 print cards have often been used for fingerprints, the quality of the images varies, so electronic live-capture and quality assessment is becoming more prevalent. Certainly live capture assures that the fingerprints belong to the applicant, and electronic image quality checks ensure that the fingerprint is clear enough to store and obtain the minutiae required to do machine comparison of fingerprints.

Application review and processing

The application file is established, and information on the application is used to determine the eligibility of the applicant to receive a passport. Is the person a citizen? Are there any reasons why the person should be denied a passport or have limited validity? Checks may be made against any pertinent private or governmental record that bears on the applicant’s eligibility. Fees must be tracked and deposited.

Existing passport systems records must be modified to accommodate the additional biometric information associated with each applicant, and in a way that is retrievable for use by the government. Pertinent information may be stored in a variety of branches of government, and problems of interoperability have to be resolved in order for thorough and timely checks to be made. These interoperability problems are often significant, difficult to resolve, and expensive to fix. Ideally, improvements in passport data could be used to leverage improvements throughout the national data storage systems.

ePassports require the biometric characterization of the applicant. This adds complexity to the process because there is more applicant data to be checked. However, the addition of fingerprint data allows checking against existing national fingerprint databases, and thus a better chance of detecting an imposter or fraudulent applicant prior to document issuance.


Decision to issue

With all available data at hand, the passport adjudicator or examiner will make the decision to issue the passport. The only thing different between present practice for a State that already issues a MRP and issuance of an ePassport is that there is more data to be evaluated and more certainty of the identity of the applicant.

Data capture for passport printing

In present operations, data may be entered into the system early in the application review and receipt process or later, after the decision to issue has been made. In either method, it is important to ensure that the images are reproduced with the highest fidelity. Assuming digital printing of the portrait, the resolution of the scan should be as high as the resolution of the printer; otherwise the printed image may be degraded by pixelation or other print-related problems.

Typing the data from the application is the most common method of data acquisition. This has to be double checked for accuracy, and often double entry of data is the best method. Electronic scanning of data is difficult, given the differences in the handwriting of people.

States whose primary language uses a non-Latin script will face the problem of transliteration of their data in the Visual Inspection Zone as well as the MRZ. This is a basic requirement and applies to both MRPs and ePassports.

It is important that there be a method of correction of errors, so that only correct data is used to print a passport. If caught internally, then book spoilage is reduced, and the system corrects itself. If a bad book enters circulation then the traveler will be inconvenienced or prevented from traveling. Error correction methods are vital in increasingly automated systems, where the system is the arbiter, and if the system is wrong, then there is no recourse for the citizen to make corrections or seek relief.

Electronic passports add the need to match the electronic data with the visual data on the passport. Facial biometrics at least allow the border officer to make a visual comparison between the holder and the book as well as the electronically stored image. Fingerprint readers are common enough that a similar comparison could be made, but given the time involved, such a comparison will most often be made in a secondary examination, where time of examination is less of an issue. Getting the stored fingerprints right is especially important, since a difference in prints between the holder and the book will automatically be considered fraud, and the holder will be guilty until proven innocent.

Book printing

ICAO has mandated (Annex 9, paragraph 3.10) that all passports issued on or after April 1, 2010, be machine readable. This refers to the presence of the two lines of machine readable code on the bottom of the data page. Printers and systems must be in place to accomplish compliance by that date. A further policy compliance requirement is that member States shall have only MRP books in circulation after November 24, 2015. This has the practical effect that a State with a 10-year validity document is required to either plan on replacing such non-MRP books issued before November 24, 2005, or shorten the validity term of their non-MRPs so that they expire in 2015.

Of course books must be made with the printer in mind. All ICAO-compliant passports should be formatted and constructed according to the Doc 9303 standard. But there are a myriad of methods of making ICAO-compliant data pages and passport books, and the books have to possess the physical structure to accept, retain and protect the entered data.

Some States find it appropriate to move to a centralized issuance system with the advent of the ePassport. Other States may continue with a distributed application and biometric live capture system, and centralized production.

Fingerprint and iris biometrics are particularly suited to live capture.

ICAO provides guidance on the security features to be employed in the passport (Informative Appendix 1 to Section 3, Doc 9303) as well as issuance procedures (Informative Appendix 3 to Section 3, Doc 9303). There is enough latitude in the guidance to allow for national preferences to be respected, and for a robust competition to exist in the security document industry. Arbitrary restrictions on passport constructions limit competition, and should be avoided if best value is to be obtained.

Some security features are substrate based, others ink based, while some are related to the personalization process. An often repeated request from border inspectors is for more features that can help the first line inspector. Features added in personalization, such as steganographic features, offer such help, especially if the country is using a full-page reader that has been electronically programmed to look for the steganography present in the facial image. Such features can usually also be worked into the image stored on the IC chip, if desired by the State in question.

Conversion to an electronic passport requires significant changes to the book structure, accountability and security. The passport must contain the electronic IC chip and associated antenna in order to store the biometric information in a standard way so that the passport may be interrogated by authorized readers. This latter is accomplished by conformance to both volumes of Doc 9303. The data must be stored in its proper data groups within the electronic record, so that it can be read. This electronic writing and reading is a significant change, as none of that has existed before.

ePassport books are required to have the ePassport logo appear on the front cover of the book.

The chips are numbered, so an additional accountable item is added. The structure of the book must be modified to protect the chip. Presently there are three locations for IC chips in ePassports: in a hard thick plastic card, usually the data page; in between the center pages of the book; or in the cover, usually the non-foil-stamped cover. Protection against unauthorized electronic access may also be included. This may take the form of a metallic foil or screen which disrupts electronic access to the IC chip.

The process control of ePassports involves reading the IC chip for viability during and after the production at the book printer, and also reading on receipt by the government prior to personalization. This is especially important since the addition of the IC chip usually adds a significant increase to the price of the base passport. Thus in-process monitoring and reduction of spoilage attains an importance that may have previously been overlooked. Spoiling a $3 book is different than spoiling a book costing $30 or more.

To ensure data integrity, ICAO has chosen to use a Public Key/Private Key system, in which the data is written (signed) with a Private Key and read (verified) using a Public Key. In order to use the Public Key Infrastructure (PKI), it is necessary to establish Country Signing and Document Signing Certificate Authorities (CA) and the Document Security Object (SOD). This issue is very complex, and must be done exactly right in order to have international interoperability of the electronic data. ICAO is the nexus for this authority.
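The Document Security Object named above is what lets an inspection system check that the data groups it reads are the ones the issuer signed. The Python below is an added example, not code from the ICAO MRTD Report or from any issuing State or inspection system: it builds a simplified SOD from constructed data groups and then performs the hash-comparison step of Passive Authentication, catching a data group altered after signing. The Document Signer signature is modelled with an HMAC under a constructed key as a stand-in so the example runs offline; a real SOD is a CMS SignedData structure whose signature is verified against the Document Signer certificate chained to the CSCA.

```python
"""Checking LDS data groups against a (simplified) Document Security Object.

Added example: the data-group contents, the SOD layout and the Document
Signer key are all constructed for this example, and the HMAC stands in for
the real CMS signature over the SOD.
"""
import hashlib
import hmac
import json

# Constructed Document Signer key (stand-in for a DS private/public key pair).
DS_KEY = b"constructed-document-signer-key"


def build_sod(data_groups: dict[int, bytes]) -> bytes:
    """Issuer side: hash every data group, list the hashes, 'sign' the list."""
    hashes = {str(dg): hashlib.sha256(content).hexdigest()
              for dg, content in sorted(data_groups.items())}
    body = json.dumps({"hashAlgorithm": "SHA-256", "dataGroupHashes": hashes},
                      sort_keys=True).encode()
    tag = hmac.new(DS_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "signature": tag}).encode()


def passive_authentication(sod: bytes, data_groups: dict[int, bytes]) -> tuple[bool, list[str]]:
    """Inspection side: verify the SOD signature, then compare the hash of each
    data group read from the chip with the signed value. Returns (ok, problems)."""
    problems: list[str] = []
    outer = json.loads(sod)
    body = outer["body"].encode()
    expected = hmac.new(DS_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["signature"]):
        return False, ["SOD signature does not verify"]
    signed = json.loads(body)["dataGroupHashes"]
    for dg, content in sorted(data_groups.items()):
        want = signed.get(str(dg))
        if want is None:
            problems.append(f"DG{dg} present on chip but not listed in SOD")
            continue
        if hashlib.sha256(content).hexdigest() != want:
            problems.append(f"DG{dg} hash mismatch")
    for dg in signed:
        if int(dg) not in data_groups:
            problems.append(f"DG{dg} listed in SOD but missing from chip")
    return not problems, problems


def demo() -> tuple[bool, bool, list[str]]:
    """Sign two constructed data groups, then detect a portrait swapped after signing."""
    # Constructed data groups: DG1 holds MRZ text, DG2 a stand-in for the face image.
    chip = {1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
            2: b"\x00\x01FACE-IMAGE-BYTES"}
    sod = build_sod(chip)
    ok_good, _ = passive_authentication(sod, chip)
    tampered = dict(chip)
    tampered[2] = b"\x00\x01DIFFERENT-FACE"   # portrait replaced after signing
    ok_bad, why = passive_authentication(sod, tampered)
    return ok_good, ok_bad, why


if __name__ == "__main__":
    print(demo())
```

The check is deliberately two-stage: a bad signature stops the comparison immediately, while hash mismatches, unsigned extra data groups and signed-but-missing data groups are all reported together so a quality-check station sees every defect in one read.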

The data has to be written to the IC chip in a way that fits within the Data Groups prescribed by ICAO in Volume 2 of Doc 9303, Part 1. Furthermore, legitimate access to the IC chip can be controlled by several levels of electronic security, starting with Passive Authentication, Basic Access Control and Active Access Control. These possibilities were first explained in ICAO Technical Reports and then later added to Doc 9303 in Volume 2 of Part 1, MRPs.
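Basic Access Control, named above, derives the keys that protect the reader-to-chip channel from the MRZ fields of the document, and each of those MRZ fields carries a check digit that the printer's MRZ verification relies on. The Python below is an added example, not code from the article or from Doc 9303 itself: it computes the 7-3-1 check digit and derives the BAC encryption and MAC keys (SHA-1 of the MRZ information, then SHA-1 with a counter, truncated and parity-adjusted) as Doc 9303 specifies. The document number, date of birth and expiry date used are constructed sample values.

```python
"""MRZ check digits and BAC key derivation in the Doc 9303 style.

Added example: not code from the ICAO MRTD Report or from any issuing State's
system. The sample MRZ fields in the demo are constructed test values.
"""
import hashlib


def _char_value(c: str) -> int:
    """MRZ character weights: digits as themselves, '<' = 0, A..Z = 10..35."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> int:
    """Doc 9303 check digit: weighted sum with weights 7,3,1 repeating, mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three MRZ fields, each followed by its check digit.
    The document number is padded with '<' to 9 characters as in the MRZ."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth}{check_digit(birth)}"
            f"{expiry}{check_digit(expiry)}")


def _adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (the DES key convention used by BAC)."""
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, birth: str, expiry: str) -> tuple[bytes, bytes]:
    """Derive the BAC keys (K_enc, K_mac) from MRZ data:
    K_seed = SHA-1(MRZ_information)[:16]
    K_enc  = parity(SHA-1(K_seed || 00000001)[:16])
    K_mac  = parity(SHA-1(K_seed || 00000002)[:16])"""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    k_enc = _adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = _adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_enc, k_mac


if __name__ == "__main__":
    # Constructed sample MRZ fields (not a real document).
    print("MRZ_information:", mrz_information("L898902C", "690806", "940623"))
    k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```

Because the only inputs are the document number, date of birth and expiry date, the derived keys are exactly as unpredictable as those printed fields; that is why Basic Access Control is an access-control measure keyed to physical possession of the open data page rather than a secrecy mechanism in its own right.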

But there is more, in that the physical structure, and particularly the thickness, of an ePassport is different and often personalization printers have to be changed to adapt to the new thickness. Thicker books also may mean changes in shipping boxes, as fewer ePassport books will fit into a given box, compared to non-ePassports. Vault space may also have to be increased. In many cases, multiple changes are made to the passport, with new designs, changes in numbering schemes and location of the data page within the book, so that these physical changes are not trivial, and once made, are not readily adjustable back to the original settings. Going to the ePassport is a one-way commitment.

Quality check and return to holder

Once printed, the modern MRP passport is usually visually inspected for obvious defects, and the MRZ is read to ensure that it is correctly printed. After that, the book is returned by whatever means is customary in the particular State.

The electronic passport has more information to check and has to be read electronically as well as by MRZ readers. This is not only to assure viability of the IC chip, but to ensure that data has been entered correctly into the various Data Groups.

Summary

In summary, this article is a fast and relatively high-level comparison of passport issuance before and after the advent of ePassports. It is not intended as definitive, as each point in the process requires great attention to detail in order to get it right.

States need to communicate to their citizens about the advantages of the ePassport, enable citizens to check the operation and content of their ePassport (to eliminate surprise malfunctions on departure, and for privacy reasons), and communicate information about their new passport to neighboring States and other States in the world in illustrated brochures or other communications tools appropriate to the audience (i.e. border control agencies or the general public).

There are significant reasons to make the transition to ePassports as soon as possible, but the success of any ePassport system is based on the proper functioning of the basic MRP platform. The readers of these words will have to judge where their States are in relation to a strong and secure system of identity management. Suffice it to say that experience with the discipline required to operate an MRP passport issuance system is good training for the much higher level of technical performance that is possible with the ePassport.

Operating systems for secure ID documents

G&D WHITE PAPER

A G&D White Paper comparative analysis of the Native, Java and Multos options

The chip in modern electronic identification documents consists of the microprocessor (hardware), the Chip Operating System (COS) and the card applications (software). ICAO specifications define the software (Logical Data Structure) for e-passports, and while some recommendations exist for the memory of the microprocessor there is presently no specification for the COS.

The result is that State officials have a choice between several chip operating system options, and the following paper seeks to explain these in more detail.

Currently, three different types of smart card operating systems are being employed in the segment of national high-security documents:

• Native COS (also called file-based or ISO cards)
• Java Cards
• MULTOS cards

Unlike a PC operating system, chip operating systems are restricted in size and processing capabilities but need to be highly optimized for security. Because the security of any smart card is defined by the interaction of its hardware, COS, and LDS, COS evaluations need to consider interrelated factors relating to performance, security, interoperability, reliability, cost, etc.

States may wish to note that Native COS implementations currently dominate in ePassports worldwide, possibly due to performance requirements for the reading process. There is no clear trend as concerns national ID cards, with most current systems being based either on Java or on Native, depending on the geographic region (Europe is primarily Native-oriented while Asia and the Middle East have seen a number of Java implementations). Only a very small number of MULTOS projects have been deployed internationally.

Native systems

In the early days of smart card technology, Native operating systems didn't follow any common standards and the functionality supported was mainly proprietary. Modern Native systems support file systems based on the ISO 7816 smart card standards, although they may still contain vendor-specific commands as well as proprietary functions. The reason for this is that while Native systems overcome memory and performance constraints, they also provide additional functions beyond the standard, which is a benefit.

Native cards have a pre-defined command set which allows developers to dynamically create their own applications based on the pre-established card functionality. The pre-defined command set is the interface to the outside world. The application and its data are completely separate, although they use the same basic card functions. The functions are executed directly by the microprocessor and there is no interpretation of byte code as is the case in a Java Card.

Java systems

Java Card technology adapts the Java platform for use in smart cards and other devices whose environments are highly specialized, and whose memory and processing constraints are typically stricter than those of a regular PC.

A Java Card implementation is supposed to follow two sets of specifications:

• The Java Card specifications, initially defined by Sun Microsystems and now by the Java Card Forum.
• The GlobalPlatform specifications, defined by the GlobalPlatform organization.

Sun Microsystems realized the potential of smart cards and similar resource-constrained devices many years ago. It defined a set of specifications for a subset of Java technology and proceeded to create applications for them—the so-called Java Card applets. A device that supports these specifications is referred to as a Java Card platform.

The Java Card technology specification is in three parts:

• The Java Card Virtual Machine (VM) specification, which defines a subset of the Java programming language.
• The Java Card Runtime Environment (JCRE) specification, which further defines the runtime behavior of Java-based smart cards.
• The Java Card API specification.

The Java Card platform is a secure multi-application environment—many different applets from different vendors can safely coexist in the same card. Each applet is assigned to an execution context—the security area assigned to the applet. The boundary between one execution context and another is often called an applet firewall. This firewall ensures that one applet cannot access the code and data objects of another applet. If necessary, the Java Card platform can support mechanisms for secure data sharing across firewalls, although for security reasons this is not recommended in routine use.

The Java Card specifications define the general behavior and architecture of a Java Card, but they do not describe a specific solution for the card or the application lifecycle management in detail. By contrast, the GlobalPlatform card specification defines a concrete implementation of card components, command sets, transaction sequences and interfaces that are hardware-neutral, operating system-neutral, vendor-neutral and application-independent.

One of the main differences between Java Cards and Native and MULTOS operating systems is the organization of the "file system structure." Java Cards do not have any similar ISO 7816-4 compliant file-system structure, nor do they support the ISO 7816 commands and their security mechanisms. It is therefore up to the applet developer to define their own file system organization and supported commands, which can be either compliant or non-compliant with ISO specifications.

MULTOS systems

MULTOS is a smart card operating system that provides the underlying communications, the memory management, and an Application Abstract Machine (AAM) for multi-application smart cards. Operating system or platform services are available to application programmes in the form of an AAM.

The MULTOS COS handles the loading and deleting of applications and the sending/receiving and dispatching of commands to (and responses from) the card. Like Java Cards, the core of the MULTOS operating system is an interpreter that allows the applications to be developed independently of the underlying card hardware. Applications written with the MULTOS API could be run anywhere on any MULTOS platform.

The MULTOS AAM provides every application stored on the card with its own memory space. Each application resides in a rigorously enforced application space, which consists of the application code and data segments. The memory and file system is organized as an ISO 7816-4 compliant file system structure.

Application loading and deletion is done using certificates. While an application is being loaded onto the smart card, MULTOS checks its validity and allocates a memory area protected by a firewall. Each application is stored strictly separated from the other applications and it is not possible for them to interfere with each other. This means that an application has full access rights to its own code and data, but cannot directly access the code of another application. Like Java Cards, MULTOS allows applications to be loaded onto the smart card even when it is already in the cardholder's possession.
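The ISO 7816-4 file system and command set that the Native and MULTOS descriptions above rely on, and that a Java Card applet must provide for itself, can be made concrete with a short reader-side exchange. The Python below is an added example, not code from the G&D white paper or from any vendor toolkit: it encodes SELECT-by-file-identifier and READ BINARY command APDUs, parses response APDUs into data and status word, and exercises them against a constructed simulated card holding a few LDS elementary files. The EF.COM, EF.SOD and EF.DG1 identifiers are the ICAO LDS values; the simulated card, its file contents and the chunked-read loop are this example's own, and secure messaging (BAC) is not applied.

```python
"""Building and parsing ISO 7816-4 APDUs against a file-based (Native-style) chip.

Added example: the SimCard below is a constructed stand-in, not a vendor
product; only the three LDS file identifiers are taken from the ICAO LDS.
"""
from typing import Optional

# LDS elementary file identifiers (ICAO Doc 9303 LDS).
EF_COM, EF_SOD, EF_DG1 = 0x011E, 0x011D, 0x0101


def select_by_fid(fid: int) -> bytes:
    """SELECT (INS A4): P1=02 select EF by file identifier, P2=0C no response data."""
    return bytes([0x00, 0xA4, 0x02, 0x0C, 0x02]) + fid.to_bytes(2, "big")


def read_binary(offset: int, length: int) -> bytes:
    """READ BINARY (INS B0): P1P2 = 15-bit offset, Le = bytes requested (0 means 256)."""
    if not 0 <= offset < 0x8000:
        raise ValueError("offset must fit in 15 bits")
    if not 1 <= length <= 256:
        raise ValueError("length must be 1..256")
    return bytes([0x00, 0xB0]) + offset.to_bytes(2, "big") + bytes([length % 256])


def parse_response(resp: bytes) -> tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


class SimCard:
    """Constructed stand-in for a file-based chip: a few EFs and the two
    commands above. Unknown files and commands get ISO 7816-4 status words."""

    def __init__(self, files: dict[int, bytes]):
        self.files = files
        self.selected: Optional[int] = None

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        if ins == 0xA4 and p1 == 0x02:
            fid = int.from_bytes(apdu[5:7], "big")
            if fid not in self.files:
                return b"\x6A\x82"           # file not found
            self.selected = fid
            return b"\x90\x00"
        if ins == 0xB0:
            if self.selected is None:
                return b"\x69\x86"           # command not allowed: no EF selected
            offset = (p1 << 8) | p2
            le = apdu[4] or 256
            data = self.files[self.selected]
            if offset >= len(data):
                return b"\x6B\x00"           # wrong P1P2: offset outside the file
            return data[offset:offset + le] + b"\x90\x00"
        return b"\x6D\x00"                   # INS not supported


def read_file(card: SimCard, fid: int, chunk: int = 8) -> bytes:
    """Select an EF and read it in chunks until the card reports the end."""
    _, sw = parse_response(card.transmit(select_by_fid(fid)))
    if sw != 0x9000:
        raise IOError(f"SELECT {fid:04X} failed: SW={sw:04X}")
    out = b""
    while True:
        data, sw = parse_response(card.transmit(read_binary(len(out), chunk)))
        if sw != 0x9000:
            break
        out += data
        if len(data) < chunk:
            break
    return out


if __name__ == "__main__":
    card = SimCard({EF_COM: b"COM-CONSTRUCTED", EF_DG1: b"DG1-CONSTRUCTED-MRZ-BYTES"})
    print(read_file(card, EF_DG1))
```

The status words are the point of the exercise: a reader that checks SW1SW2 after every command, rather than assuming success, is what turns the card's pre-defined command set into a dependable interface, and the same loop structure is what a quality-check station uses to confirm that every LDS file is present and readable before a book is released.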

Choosing a Chip Operating System (COS)

Dynamic Application Management and Flexibility

MULTOS and Java Cards have always been considered highly flexible operating systems. This is due to the option of adding post-issuance functionality to issued cards through highly standardized, secure processes. But modern Native cards are now also capable of adding new functions and applications to cards in the field. Their processes and mechanisms are also based on standards (ISO 7816), although they can include some vendor-specific features.

Native and Java Cards offer dynamic memory management, whereas MULTOS offers static memory management only, which can lead to memory fragmentation. In the latter case this is caused by the static memory allocation for applications residing in their own, dedicated physical area.

Another aspect is the flexibility for adding new functionality and applications to the card quickly and cost-efficiently before issuance. On a Native operating system, the functionality required for this could exceed the existing core operating system functionality (e.g. security protocols) and might require the basic functionality to be extended. It is likely that new functionality could be integrated in the existing card (as a so-called patch in EEPROM). If not, a new COS development, resulting in higher costs and longer lead times, will be required.

Security

Any smart card platform used for identification purposes needs to meet very high security standards. In many cases the issuer of an identification document will ask for certifications from an independent and accredited evaluation authority. In most cases, the certification of a Native card consists of composite certification of the operating system and one or more dedicated applications. The certification of Java Card and MULTOS platforms can be done for the operating system alone, or as a composite evaluation for both the operating system and the card applications. In terms of genuine security, only the latter certification guarantees a highly secure end-product that is comparable to a Native composite end-product. This should be the certification to aim for.

Each platform has its own security-related benefits and drawbacks: the fact that a Java Card applet can be developed by the governmental agency itself could be seen as a benefit. However, this could also be a big security risk, since applications should always be designed by experienced architects and there are complex security guidelines that must be considered.

The mechanisms implemented for MULTOS—the necessary application load and delete certificates and dedicated memory addressing—are a benefit, but this comes at a high administrative cost. This type of security is important if a single smart card offers services from more than one organization. However, the vast majority of smart cards today offer a single application from a single issuer.

In general, all three COS architectures can be judged as secure, but the security of a concrete implementation needs to be verified by undergoing rigid tests and evaluations.

Performance

It has already been mentioned above that MULTOS and Java Cards are operating systems in which the functions are interpreted and not directly executed by the microprocessor. This is the crucial argument in favor of Native platforms when it comes to performance. Java Card performance has always been a contentious issue. The topic is sensitive, because it is a commercial argument, which has been used (and misused) over the years.

Generally, COS implementers have to make trade-offs between some important parameters:

• Speed: Many factors influence the speed of the platform, which can be an important differentiation factor.
• Security: Security often implies redundancy (e.g. double-checks), which in many cases contradicts performance.
• Compliance: Compliance with all specifications and recommendations can be costly, and little "cheats" can ease both speed and security. This can be tempting, especially in niche cases, although it does create problems for application portability.
• Flexibility: Flexibility means supporting a wide range of functionalities in order to cover use cases in the future. In doing so it may result in more overheads while executing functions.

Any platform can be optimized in any way and, as stated above, it is a trade-off between certain parameters. However, in the case of MULTOS and Java Cards you are tied to standardized processes, especially during the production phase—the initialization and personalization of the card.

If you have a highly stable and properly defined use case supporting specific mechanisms—for example the electronic passport—then Native platforms will always be a very good choice.

Implementation levels

ISO standards as well as MULTOS and Java Card/GlobalPlatform specifications are mainly driven by the industry, although the number of bodies involved in the definition and implementation of these specifications varies.

Java Card platforms are more widespread on the market than MULTOS platforms—there are also many more vendors who have implemented and/or who offer Java Card rather than MULTOS platforms. However, the majority of smart cards used for identification purposes are still Native. In the case of single-purpose cards with no post-issuance intention, open systems like Java Card and MULTOS are not necessary.

Application development toolkits

As a rule, all card vendors offer an accompanying software toolkit that allows skilled software programmers to develop their own applications for the specific card. All these development kits are vendor-proprietary and naturally vary considerably in terms of functionality and user-friendliness. They range from provision of the basic core functionality, such as definition of the ISO 7816-compliant file system structures (for Native and MULTOS), through support for whole sets of cryptographic functionality, to debugging at byte-code level and support for TCP/IP interfaces for direct connections between the simulation or debugger and external (third party) programmes or live environments.

Whereas toolkits for Native operating systems may be used only in conjunction with the corresponding Native platform of the particular supplier, the toolkits for MULTOS and Java Cards can in theory be used with the platform of a third-party vendor, thanks to the write-once-run-anywhere principle of these platforms. In reality, this is not the case, since those platforms have their own specific characteristics due to their different interpretation of the MULTOS and Java Card specifications. Thus it could be the case, though it is not guaranteed, that an application which has been developed with a specific development kit from vendor A will run on a platform of vendor B. As mentioned above, toolkits for Native platforms cannot be used by third parties to develop applications for any other platform than the given COS, since the implementations are always vendor-specific.

Comparison summary

From a functional point of view, all the operating systems described offer the full spectrum of functionality and security for the implementation of secure ID documents.

In summarizing the various aspects speaking for or against a dedicated smart card operating system, we can say that in general all have some strengths in certain areas, and none has any major weakness. States will have to consider all of the factors noted above in the context of their particular need in order to ascertain which COS will be right for their electronic document.

Identity fraud and digital capability

BEYOND THE PASSPORT


Identity fraud is a worldwide problem, with criminals and terrorists currently traveling between States using non-existent, fabricated identities or identities that have been stolen from a legitimate citizen. Government and law enforcement personnel tend to this problem through a wide range of measures—including improvements in the security of the travel document itself—but Clemens Willemsen of the Dutch Department of Justice argues that in the digital age we may wish to begin considering eliminating ID documents altogether.


Though some of the solutions being presented in the following article may appear straightforward, they also require that those of us involved in the areas of passport issuance and border control change our way of thinking about the very nature of identity documents. The three basic steps that I propose are required for States to diminish identity fraud are:

1. Using identity documents published by official authorities only.

2. Distinguishing between establishing identification with a document and granting rights to the owner of a document.

3. Replacing the physical document by a virtual document.

1. Using identity documents published by official authorities only

Identity documents can be categorized as:

• Primary (published by an official authority).
• Secondary (published by a public or private organization such as a hospital, public transportation service, company, etc).

A Primary ID document (PID) is handed over by an official authority, such as a State passport office or a regional license bureau branch, after a thorough check on a citizen's administrative and/or biometric identity—making use of, for example, a birth certificate or an expired passport. There are strict procedures surrounding identity establishment and document issuance that are employed by PID sources (editor's note: see the 'Issuance and Identity' section in MRTD Report Issue 01 2008 for more on this topic).

A Secondary ID document (SID) is based upon the PID. A hospital, for example, will admit you as a patient and requires you to show a PID. After verifying it is you, you will be registered and handed a hospital card to serve as a SID. This card identifies you only for hospital purposes and grants you certain rights to specific hospital procedures. This type of SID document is generally significantly less secure than a PID and therefore easier to copy or forge.

It is more advisable, then, to use the PID for each visit to organizations that currently distribute SIDs for their own use. In the past, this might have been a problem, but in more and more countries citizens are now required both to carry and to show their PID for official purposes. Therefore they are much more likely today to have it with them at all times.

Under this type of regulated PID environment, States and other organizations or more localized government entities would no longer need to concern themselves with the infrastructure, staffing and costs inherent in their SID programmes. Overall citizen privacy would furthermore be augmented by the fact that there would be fewer cards in circulation containing private information that could possibly be lost or stolen.

2. Distinguishing between establishing identification with a document and granting rights to the owner of a document

Traditionally, PIDs not only identify the bearer and authenticate him or her for national or international authorities, but also grant certain rights to the bearer, such as:

1. Passport—identifies and grants the bearer the right to cross certain borders.

2. Driver's license—identifies and grants the bearer the right to drive a motor vehicle.

3. Social security card—identifies and grants the bearer the right to use social services.

In other words, identity establishment and user rights are combined in the current PIDs. Many SIDs operate in the same fashion:

1. Library card—identifies and grants the bearer the right to borrow books.

2. Credit card—identifies and grants the bearer the right to spend money.


This combining of ID establishment with bearer rights and permissions was required in the past when physical ID tools and systems (cards and/or other documents) were distinct and separate from the administrative systems that tracked and recorded the bearer's associated permissions. It obviously wasn't practical using paper-based systems to re-verify the bearer's rights at each presenting of their ID, and so the ID itself needed to clearly indicate what rights the bearer was entitled to and when these could be exercised, but when viewed in light of current digital capabilities this requirement is no longer necessary.

[Figure: identification versus authorization. Identify: birth certificate, official authority, primary identity document (ID card, passport, driver's license). Authorize: authorization system (services, granted rights, access), secondary identity document (hospital patient's card).]

When all State infrastructures become more developed in this regard it would be advantageous to move away from the current requirements (even with the newer ePassports, bearer rights are still reflected on the ID itself as per the needs of older administrative structures) and instead simply use the PID to enable border and customs officials to access real-time indications of the bearer's completely up-to-date rights and permissions.

The advantages of separating identity establishment from rights establishment with PIDs are therefore numerous:

1. Your specific identity card can be stolen but not your granted rights.

2. Granted rights can be checked online and are no longer restrained to the time of issue and the expiration date of the card. They are always up to date.

3. A bearer would only require one PID.

4. There would no longer be a need for SIDs that are less secure than PIDs.

5. When stolen, you only need to report/reapply for one card instead of numerous cards.

6. The real-time and continuous verification of bearer rights would facilitate the identification and removal from circulation of stolen or fraudulent PIDs.

One of the few disadvantages would be that digital systems would need to be available and accessible to officials at all times. System down-time could result in significant impacts to travel and other activities that will always require PID verification. These disadvantages could be dealt with, however, through established procedures now in place to create independent power backups, information redundancy and mirrored access for essential digital networks—such as those that currently exist in defense and banking systems or other properly secured corporate networks.

An additional hesitancy could also be envisaged by those who might be reluctant to have all their ID establishment reflected in just a single card (especially for suppliers who currently furnish the global population with multiple PIDs and SIDs). For the bearer, however, the separation of rights from ID establishment would minimize the implications of a lost or stolen PID, which brings to mind how a bearer's ID could be established if they were no longer in possession of their only form of physical ID, and where this line of thought would take us if carried to its logical conclusion.

3. Replacing the physical document by a virtual document

The ultimate step in this process would be to eliminate the physical document altogether and replace it with a ‘virtual document’ (basically the rights information alone that would be displayed electronically when an official queried an individual’s rights). Biometric information is currently being employed in the newest ePassports and visas to assist officials in establishing a PID bearer’s identity, but why not simply have the traveler submit to biometric scans at point of entry and forego the need for a physical document completely? This would be the next step in the evolution of our ability to ascertain the identification and rights of all citizens in a fully digital age.

Clemens Willemsen works for the Dutch Department of Justice where he is involved in identity management and biometrics. This article is his personal view only and does not necessarily reflect the point of view of his government or its respective departments.

Portugal: capitalising on the full ePassport potential

With over 50 percent of the world’s annual total of new passports now conforming to ICAO’s ePassport specifications, and with the number of countries still using non-Machine Readable Travel Documents (non-MRTDs) growing smaller year by year toward ICAO’s 2010 MRTD implementation deadline, the MRTD Report will be devoting its attention in coming issues to highlighting the work of specific countries in the efforts they’ve extended in adapting to and implementing new MRTD standards.

In this second instalment of the Report’s national profiles, Dr. José Magalhães, Secretary of State for Portugal, provides a testament to the importance of the new ICAO standards in the development of his country’s impressive ePassport and passenger facilitation systems.

ICAO MRTD Report: How did ICAO's work in developing MRTD standards and specifications assist Portugal in its own efforts to modernize its passport?

Dr. José Magalhães: Working closely with ICAO has played a decisive role in our efforts to fight against time constraints and limit the huge risks in project management that can detrimentally affect this type of large-scale infrastructure effort. As we were latecomers at the time (our project was launched in April 2005), not only did we carefully consider ICAO standards and documents as we finalized our planning, but we also requested to participate in the related MRTD working groups.

Portugal wanted to benefit from the knowledge of a worldwide network of experts who were capable of helping us solve concrete problems. That very practical support was provided in a very timely manner with the assistance of ICAO and we learned the lessons we needed to very quickly. We could, of course, be proud of the fact that we were such fast learners, but the excellent assistance and guidance we received was probably what really made the difference.

Has Portugal also developed new visas or ID cards as part of its recent work in this area and, if so, have ICAO specifications been helpful in this regard as well?


The new single European residence permit model takes ICAO’s standards and specifications strictly into consideration. Before the end of this year these new biometric cards will begin to be issued by our Border Control Service in association with the Portuguese Government Printing House (IN-CM). With respect to ID cards, as of yet no mandatory standards have been established at the European Union level, but despite this an effort has been made by Portugal to incorporate ICAO’s standards into our Citizen Card project, which is now being gradually expanded.

Lessons will be learned during the first months of service for the new card, which is presently replacing four separate low-security cards that had been previously issued (ID cards, health cards, social security cards and taxpayer's cards).

To get back to travel-related matters for a moment, Portugal's passenger facilitation system (RAPID) is now one of the most advanced in the world. Could this type of system have been developed without the hard work that has been done to make the new generation of MRTDs as globally interoperable as they are?

Definitely not. The key point that led to RAPID was this basic question: now that more and more electronic passports are being issued, how can we make passengers feel that besides being secure the new documents can make travelling easier and faster? The answer to this question always came back to the manned checkpoints and whether or not we could devise a system to replace them. Obviously, security was one of our primary considerations as we considered the various options before us. We concluded that if we could compare the picture inside the passport chip with an image obtained in real-time at the checkpoint, and then augment that verification with as many queries as possible in the available security databases, then we just might be able to achieve the desired result.

The first feedback generated by our original pilot project in Algarve was overwhelmingly positive in every regard. The final result is that RAPID is now fully installed in most of our airports and on certain days some machines are processing up to 3,000 passengers!

What countries’ travel documents are currently capable of being read with the RAPID system?

Any holders of the 27 ePassports compliant with the EU regulations are capable of taking advantage of the RAPID system. Norwegian and Icelandic ePassports are also now compliant.

What is the scope of Portugal's current MRTD program? In other words, how many passports does your country have in circulation, what percentage now conforms to MRTD or ePassport (biometric) specifications, and how many documents are issued on an annual basis?

Of the 3 million passports currently in circulation approximately 670,000 of these are now ePassports (we began to issue our electronic document as of August 28, 2006). I should note that the Portuguese ePassport has become very popular. Citizens admire the fact that no paper forms or photographs are used. We established rigorous processes as concerned issuance and delivery, but, in all, Portugal’s citizens enjoy almost zero bureaucracy, zero narrow-mindedness and very short delays in delivery.

Moreover, facts have confirmed that by decentralizing the enrolment of data and centralizing the issuance of passports (delivered to any part of the world by a leading distribution network) we can achieve a win-win solution. Once and for all Portugal has said adieu to stolen or lost blank booklets.

MRTD GLOSSARY


Anti-scan pattern An image usually constructed of fine lines at varying angular displacement and embedded in the security background design. When viewed normally, the image cannot be distinguished from the remainder of the background security print, but when the original is scanned or photocopied the embedded image becomes visible.

Biographical data (biodata) The personalized details of the bearer of the document appearing as text in the visual and machine readable zones on the biographical data page of a passport book, or on a travel card or visa.

Biometric A measurable, physical characteristic or personal behavioural trait used to recognize the identity, or verify the claimed identity, of an enrollee.

Biometric data The information extracted from the biometric sample and used either to build a reference template (template data) or to compare against a previously created reference template (comparison data).

Biometric sample Raw data captured as a discrete unambiguous, unique and linguistically neutral value representing a biometric characteristic of an enrollee as captured by a biometric system (for example, biometric samples can include the image of a fingerprint as well as its derivative for authentication purposes).

Biometric system An automated system capable of:

1. capturing a biometric sample from an end user for a MRP;

2. extracting biometric data from that biometric sample;

3. comparing that specific biometric data value(s) with that contained in one or more reference templates;

4. deciding how well the data match, i.e. executing a rule-based matching process specific to the requirements of the unambiguous identification and person authentication of the enrollee with respect to the transaction involved; and

5. indicating whether or not an identification or verification of identity has been achieved.

Black-line/white-line design A design made up of fine lines often in the form of a guilloche pattern and sometimes used as a border to a security document. The pattern migrates from a positive to a negative image as it progresses across the page.

Capture The method of taking a biometric sample from the end user.

Certificating authority A body that issues a biometric document and certifies that the data stored on the document are genuine in a way which will enable detection of fraudulent alteration.

Chemical sensitizers Security reagents to guard against attempts at tampering by chemical erasure, such that irreversible colours develop when bleach and solvents come into contact with the document.

Comparison The process of comparing a biometric sample with a previously stored reference template or templates. See also “One-to-many” and “One-to-one.”

Contactless integrated circuit An electronic microchip coupled to an aerial (antenna) which allows data to be communicated between the chip and an encoding/reading device without the need for a direct electrical connection.

Counterfeit An unauthorized copy or reproduction of a genuine security document made by whatever means.

Database Any storage of biometric templates and related end user information.

Data storage (Storage) A means of storing data on a document such as a MRP. Doc. 9303, Part 1, Volume 2 specifies that the data storage on an ePassport will be on a contactless integrated circuit.

Digital signature A method of securing and validating information by electronic means.

Document blanks A document blank is a travel document that does not contain the biographical data and personalized details of a document holder. Typically, document blanks are the base stock from which personalized travel documents are created.

Duplex design A design made up of an interlocking pattern of small irregular shapes, printed in two or more colours and requiring very close register printing in order to preserve the integrity of the image.

Embedded image An image or information encoded or concealed within a primary visual image.

End user A person who interacts with a biometric system to enroll or have their identity checked.

This glossary is included to assist the reader with terms that may appear within articles in the ICAO MRTD Report. This glossary is not intended to be authoritative or definitive.


Enrollment The process of collecting biometric samples from a person and the subsequent preparation and storage of biometric reference templates representing that person’s identity.

Enrollee A human being, i.e. natural person, assigned an MRTD by an issuing State or organization.

ePassport A Machine Readable Passport (MRP) containing a contactless integrated circuit (IC) chip within which is stored data from the MRP data page, a biometric measure of the passport holder and a security object to protect the data with Public Key Infrastructure (PKI) cryptographic technology, and which conforms to the specifications of Doc. 9303, Part 1.

Extraction The process of converting a captured biometric sample into biometric data so that it can be compared to a reference template.

Failure to acquire The failure of a biometric system to obtain the necessary biometric to enroll a person.

Failure to enroll The failure of a biometric system to enroll a person.

False acceptance When a biometric system incorrectly identifies an individual or incorrectly verifies an impostor against a claimed identity.

False Acceptance Rate (FAR) The probability that a biometric system will incorrectly identify an individual or will fail to reject an impostor. The rate given normally assumes passive impostor attempts. The false acceptance rate may be estimated as FAR = NFA / NIIA or FAR = NFA / NIVA where FAR is the false acceptance rate, NFA is the number of false acceptances, NIIA is the number of impostor identification attempts, and NIVA is the number of impostor verification attempts.

False match rate Alternative to “false acceptance rate;” used to avoid confusion in applications that reject the claimant if their biometric data matches that of an enrollee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of “false acceptance” and “false rejection.”

False non-match rate Alternative to “false rejection rate;” used to avoid confusion in applications that reject the claimant if their biometric data matches that of an enrollee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of “false acceptance” and “false rejection.”

False rejection When a biometric system fails to identify an enrollee or fails to verify the legitimate claimed identity of an enrollee.

False Rejection Rate (FRR) The probability that a biometric system will fail to identify an enrollee or verify the legitimate claimed identity of an enrollee. The false rejection rate may be estimated as follows: FRR = NFR / NEIA or FRR = NFR / NEVA where FRR is the false rejection rate, NFR is the number of false rejections, NEIA is the number of enrollee identification attempts, and NEVA is the number of enrollee verification attempts. This estimate assumes that the enrollee identification/verification attempts are representative of those for the whole population of enrollees. The false rejection rate normally excludes “failure to acquire” errors.
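Worked example, added here and not ICAO's or any vendor's code: a toy matcher that carries out the compare/decide/indicate steps listed under "Biometric system" for both one-to-one verification and one-to-many identification, then estimates FAR and FRR from a constructed batch of attempts with the formulas in the two entries above, leaving failure-to-acquire attempts out of the FRR denominators as the FRR entry specifies. The two-value feature vectors, the similarity metric, the threshold, the gallery and the passport-number-style identifiers are all constructed assumptions.

```python
"""Toy biometric matcher: the glossary's biometric-system steps (compare,
decide, indicate) for one-to-one and one-to-many use, plus FAR/FRR estimated
with the glossary formulas.  Added example; all data below is constructed."""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional, Tuple

Template = Tuple[float, ...]   # "biometric data" extracted from a sample

def score(sample: Template, template: Template) -> float:
    """Similarity in [0, 1]; constructed metric (1 - Euclidean distance)
    standing in for a real matcher's score."""
    dist = sqrt(sum((a - b) ** 2 for a, b in zip(sample, template)))
    return max(0.0, 1.0 - dist)

def verify(gallery: Dict[str, Template], claimed_id: str,
           sample: Template, threshold: float) -> bool:
    """One-to-one ("Verification"): compare only with the claimed enrollee's
    template; a score at or above the threshold is an acceptance (the page
    leaves equality open).  An identifier that is not enrolled is a rejection."""
    template = gallery.get(claimed_id)
    return template is not None and score(sample, template) >= threshold

def identify(gallery: Dict[str, Template], sample: Template,
             threshold: float) -> Optional[str]:
    """One-to-many ("Identification"): search the whole gallery and return the
    best-scoring identifier if it reaches the threshold, otherwise None."""
    best_id, best = None, -1.0
    for ident, template in gallery.items():
        s = score(sample, template)
        if s > best:
            best_id, best = ident, s
    return best_id if best >= threshold else None

@dataclass
class Attempt:
    """claimed_id=None: identification attempt, else verification against that
    identifier.  true_id: who really presented (None = not enrolled).
    sample=None: a "failure to acquire"."""
    true_id: Optional[str]
    claimed_id: Optional[str]
    sample: Optional[Template]

def estimate_rates(gallery: Dict[str, Template], attempts: List[Attempt],
                   threshold: float) -> Dict[str, float]:
    """FAR = NFA/NIVA or NFA/NIIA; FRR = NFR/NEVA or NFR/NEIA.  As the FRR
    entry says, failure-to-acquire attempts are excluded from the enrollee
    counts; the FAR entry is silent, so an impostor failure to acquire counts
    as an attempt that was not accepted."""
    nfa_v = niva = nfr_v = neva = nfa_i = niia = nfr_i = neia = 0
    for a in attempts:
        if a.claimed_id is not None:                       # verification
            if a.true_id != a.claimed_id:                  # impostor
                niva += 1
                if a.sample is not None and verify(gallery, a.claimed_id, a.sample, threshold):
                    nfa_v += 1
            elif a.sample is not None:                     # enrollee
                neva += 1
                if not verify(gallery, a.claimed_id, a.sample, threshold):
                    nfr_v += 1
        else:                                              # identification
            if a.true_id not in gallery:                   # impostor
                niia += 1
                if a.sample is not None and identify(gallery, a.sample, threshold) is not None:
                    nfa_i += 1
            elif a.sample is not None:                     # enrollee
                neia += 1
                if identify(gallery, a.sample, threshold) != a.true_id:
                    nfr_i += 1   # not found, or found as someone else
    rate = lambda num, den: num / den if den else 0.0
    return {"FAR_verification": rate(nfa_v, niva),
            "FRR_verification": rate(nfr_v, neva),
            "FAR_identification": rate(nfa_i, niia),
            "FRR_identification": rate(nfr_i, neia)}

# Constructed gallery (placeholder passport-number identifiers) and attempts.
GALLERY: Dict[str, Template] = {"P123456": (0.10, 0.20), "P654321": (0.80, 0.90)}
THRESHOLD = 0.8
ATTEMPTS = [
    Attempt("P123456", "P123456", (0.12, 0.21)),  # enrollee, good capture
    Attempt("P654321", "P654321", (0.80, 0.65)),  # enrollee, poor capture: false rejection
    Attempt("P123456", "P123456", None),          # enrollee, failure to acquire (excluded)
    Attempt("P654321", "P123456", (0.80, 0.90)),  # enrollee claiming another identity
    Attempt(None, "P654321", (0.75, 0.95)),       # unenrolled lookalike: false acceptance
    Attempt("P654321", None, (0.82, 0.88)),       # identification of an enrollee: found
    Attempt(None, None, (0.50, 0.50)),            # identification of a stranger: not found
]

if __name__ == "__main__":
    print(estimate_rates(GALLERY, ATTEMPTS, THRESHOLD))
```

With the constructed batch the verification FAR and FRR both come out at 0.5 (one false acceptance in two impostor attempts, one false rejection in the two enrollee attempts that were acquired), and both identification rates are 0.0.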


Fibres Small, thread-like particles embedded in a substrate during manufacture.

Fluorescent ink Ink containing material that glows when exposed to light at a specific wavelength (usually UV) and that, unlike phosphorescent material, ceases to glow immediately after the illuminating light source has been extinguished.

Forgery Fraudulent alteration of any part of the genuine document, e.g. changes to the biographical data or the portrait.

Front-to-back (see-through) register A design printed on both sides of the document or an inner page of the document which, when the page is viewed by transmitted light, forms an interlocking image.

Full frontal (facial) image A portrait of the holder of the MRP produced in accordance with the specifications established in Doc. 9303, Part 1, Volume 1, Section IV, 7.

Gallery The database of biometric templates of persons previously enrolled, which may be searched to find a probe.

Global interoperability The capability of inspection systems (either manual or automated) in different States throughout the world to obtain and exchange data, to process data received from systems in other States, and to utilize that data in inspection operations in their respective States. Global interoperability is a major objective of the standardized specifications for placement of both eye readable and machine readable data in all ePassports.

Guilloche design A pattern of continuous fine lines, usually computer generated, and forming a unique image that can only be accurately re-originated by access to the equipment, software and parameters used in creating the original design.

Heat-sealed laminate A laminate designed to be bonded to the biographical data page of a passport book, or to a travel card or visa, by the application of heat and pressure.

Holder A person possessing an ePassport, submitting a biometric sample for verification or identification while claiming a legitimate or false identity. A person who interacts with a biometric system to enroll or have their identity checked.

Identifier A unique data string used as a key in the biometric system to name a person’s identity and its associated attributes. An example of an identifier would be a passport number.

Identity The collective set of distinct personal and physical features, data and qualities that enable a person to be definitively identified from others. In a biometric system, identity is typically established when the person is registered in the system through the use of so-called “breeder documents” such as birth certificate and citizenship certificate.

Identification/Identify The one-to-many process of comparing a submitted biometric sample against all of the biometric reference templates on file to determine whether it matches any of the templates and, if so, the identity of the ePassport holder whose template was matched. The biometric system using the one-to-many approach is seeking to find an identity amongst a database rather than verify a claimed identity. Contrast with “Verification.”

Image A representation of a biometric as typically captured via a video, camera or scanning device. For biometric purposes this is stored in digital form.

Impostor A person who applies for and obtains a document by assuming a false name and identity, or a person who alters his physical appearance to represent himself as another person for the purpose of using that person's document.

Infrared drop-out ink An ink which forms a visible image when illuminated with light in the visible part of the spectrum and which cannot be detected in the infrared region.

Inspection The act of a State examining an ePassport presented to it by a traveler (the ePassport holder) and verifying its authenticity.

Intaglio A printing process used in the production of security documents in which high printing pressure and special inks are used to create a relief image with tactile feel on the surface of the document.

Issuing State The country writing the biometric to enable a receiving State (which could also be itself) to verify it.

JPEG and JPEG 2000 Standards for the data compression of images, used particularly in the storage of facial images.

Laminate A clear material, which may have security features such as optically variable properties, designed to be securely bonded to the biographical data or other page of the document.

Laser engraving A process whereby images (usually personalized images) are created by “burning” them into the substrate with a laser. The images may consist of both text, portraits and other security features and are of machine readable quality.

Laser-perforation A process whereby images (usually personalized images) are created by perforating the substrate with a laser. The images may consist of both text and portrait images and appear as positive images when viewed in reflected light and as negative images when viewed in transmitted light.

Latent image A hidden image formed within a relief image which is composed of line structures which vary in direction and profile resulting in the hidden image appearing at predetermined viewing angles, most commonly achieved by intaglio printing.

LDS The Logical Data Structure describing how biometric data is to be written to and formatted in ePassports.

Live capture The process of capturing a biometric sample by an interaction between an ePassport holder and a biometric system.

Machine-verifiable biometric feature A unique physical personal identification feature (e.g. an iris pattern, fingerprint or facial characteristics) stored on a travel document in a form that can be read and verified by machine.

Match/Matching The process of comparing a biometric sample against a previously stored template and scoring the level of similarity. A decision to accept or reject is then based upon whether this score exceeds the given threshold.

Metallic ink Ink exhibiting a metallic-like appearance.

Metameric inks A pair of inks formulated to appear to be the same colour when viewed under specified conditions, normally daylight illumination, but which are a mismatch at other wavelengths.

Microprinted text Very small text printed in positive and/or negative form, which can only be read with the aid of a magnifying glass.

MRTD Machine Readable Travel Document, e.g. passport, visa or official document of identity accepted for travel purposes.

Multiple biometric The use of more than one biometric.

One-to-a-few A hybrid of one-to-many identification and one-to-one verification. Typically the one-to-a-few process involves comparing a submitted biometric sample against a small number of biometric reference templates on file. It is commonly referred to when matching against a “watch list” of persons who warrant detailed identity investigation or are known criminals, terrorists, etc.

One-to-many Synonym for “Identification.”

One-to-one Synonym for “Verification.”

Operating system A programme which manages the various application programmes used by a computer.

Optically Variable Feature (OVF) An image or feature whose appearance in colour and/or design changes dependent upon the angle of viewing or illumination. Examples are features including diffraction structures with high resolution (Diffractive Optically Variable Image Device (DOVID)), holograms, colour-shifting inks (e.g. ink with optically variable properties) and other diffractive or reflective materials.

Optional data capacity expansion technologies Data storage devices (e.g. integrated circuit chips) that may be added to a travel document to increase the amount of machine readable data stored in the document. See Doc. 9303, Part 1, Volume 2, for guidance on the use of these technologies.

Overlay An ultra-thin film or protective coating that may be applied to the surface of a biographical data or other page of a document in place of a laminate.

Penetrating numbering ink Ink containing a component that penetrates deep into a substrate.

Personalization The process by which the portrait, signature and biographical data are applied to the document.

Phosphorescent ink Ink containing a pigment that glows when exposed to light of a specific wavelength, the reactive glow remaining visible and then decaying after the light source is removed.

Photochromic ink An ink that undergoes a reversible colour change when exposed to UV light.

Photo substitution A type of forgery in which the portrait in a document is substituted for a different one after the document has been issued.

Physical security The range of security measures applied within the production environment to prevent theft and unauthorized access to the process.

PKI The Public Key Infrastructure methodology of enabling detection as to whether data in an ePassport has been tampered with.

Planchettes Small visible (fluorescent) or invisible fluorescent platelets incorporated into a document material at the time of its manufacture.

Probe The biometric template of the enrollee whose identity is sought to be established.


Rainbow (split-duct) printing A technique whereby two or more colours of ink are printed simultaneously by the same unit on a press to create a controlled merging of the colours similar to the effect seen in a rainbow.

Random access A means of storing data whereby specific items of data can be retrieved without the need to sequence through all the stored data.

Reactive inks Inks that contain security reagents to guard against attempts at tampering by chemical erasure (deletion), such that a detectable reaction occurs when bleach and solvents come into contact with the document.

Read range The maximum practical distance between the contactless IC with its antenna and the reading device.

Relief (3-D) design (Medallion) A security background design incorporating an image generated in such a way as to create the illusion that it is embossed or debossed on the substrate surface.

Receiving State The country reading the biometric and wanting to verify it.

Registration The process of making a person’s identity known to a biometric system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.

Score A number on a scale from low to high, measuring the success that a biometric probe record (the person being searched for) matches a particular gallery record (a person previously enrolled).

Secondary image A repeat image of the holder's portrait reproduced elsewhere in the document by whatever means.

Security thread A thin strip of plastic or other material embedded or partially embedded in the substrate during the paper manufacturing process. The strip may be metallized or partially de-metallized.

Tactile feature A surface feature giving a distinctive “feel” to the document.

Tagged ink Inks containing compounds that are not naturally occurring substances and which can be detected using special equipment.

Template/Reference template Data which represent the biometric measurement of an enrollee used by a biometric system for comparison against subsequently submitted biometric samples.

Template size The amount of computer memory taken up by the biometric data.

Thermochromic ink An ink which undergoes a reversible colour change when the printed image is exposed to heat (e.g. body heat).

Threshold A “benchmark” score above which the match between the stored biometric and the person is considered acceptable or below which it is considered unacceptable.

Token image A portrait of the holder of the MRP, typically a full frontal image, which has been adjusted in size to ensure a fixed distance between the eyes. It may also have been slightly rotated to ensure that an imaginary horizontal line drawn between the centers of the eyes is parallel to the top edge of the portrait rectangle if this has not been achieved when the original portrait was taken or captured (see Section 2, 13 in this volume of Doc. 9303, Part 1).

UV Ultraviolet light.

UV dull substrate A substrate that exhibits no visibly detectable fluorescence when illuminated with UV light.

Validation The process of demonstrating that the system under consideration meets in all respects the specification of that system.

Variable laser image A feature generated by laser engraving or laser perforation displaying changing information or images dependent upon the viewing angle.

Verification/Verify The process of comparing a submitted biometric sample against the biometric reference template of a single enrollee whose identity is being claimed, to determine whether it matches the enrollee’s template. Contrast with “Identification”.

Watermark A custom design, typically containing tonal gradation, formed in the paper or other substrate during its manufacture, created by the displacement of materials therein, and traditionally viewable by transmitted light.

Wavelet Scalar Quantization A means of compressing data used particularly in relation to the storage of fingerprint images.