Airport Biometrics: A Primer (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

172 Case Study: Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada Summary To respond to the increasing demand for a more efficient and streamlined passenger process, the WEF and several airport and industry partners launched the KTDI program for the devel- opment of a trusted digital identity based on biometric technology. The goal of this initiative is to make it possible for all industry partners to use the digital identity securely and easily while protecting the passenger’s privacy. The KTDI program is still in the early development phases and relies on the self-sovereign concept, where passengers are the owners of their personal data and can elect to share them (or not) with different parties (e.g., airport, airlines, border authority). In its current design, the program identifies that the digital identity should be created by an identity-issuing authority, either a third party or a government authority. This authority would create a biometric template of the passenger as well as a unique security feature. With the use of distributed-ledger tech- nology on a blockchain, the immutability of the digital identity can be secured. The KTDI concept would use the distributed ledger to register every successful identity claim at various authentication touchpoints in order to build up trust through verifiable claims, which is a type of smart contract in the blockchain. In 2018, the governments of Canada and the Netherlands established a pilot group to drive the KTDI efforts. After the successful pilot, efforts for implementation were, at the time of writing, stalled due to the COVID-19 pandemic. See Table F-1 for more information on KTDI. Introduction After evaluation of the Cathay pacific trial, it was concluded by AMS that the passenger process could be further optimized. Biometric enrollment with the use of an e-passport is still a time- consuming procedure. If it would be possible to enroll once and then be able to fly every time regardless of airline without additional enrollment at the airport, this would save a processing step and create a more seamless passenger experience. A potential solution for such a process was initiated by the WEF: the KTDI (Known Traveller Digital Identity 2020). The KTDI concept (Accenture 2018b) shifts from conventional travel documentation verification to a digital format. The concept is piloted by cross-border collaboration between Canadian and Dutch public and private partners. In 2018, the governments of Canada and the Netherlands established a pilot group to drive the KTDI efforts and determine the potential of the concept for international connections. The pilot group includes the public authorities of both countries, the airports A P P E N D I X F

Case Study: Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada 173   What biometric technique is used? ● Facial recognition ● 1:1 and 1:few matching of biometrics Where? ● Initial pilot at three international airports: – Aéroport International Montreal–Pierre Elliott Trudeau (YUL) – Toronto Pearson International Airport (YYZ) – Amsterdam Airport Schiphol (AMS) Passenger process steps ● Enrollment first, prior to booking a flight – KTDI enrollment with a third party or a government authority ● Departure at airport – Passenger and bag check-in follow the conventional check-in process – Enrollment by forwarding passenger flight details to the KTDI app on a mobile device or by enrolling at biometric kiosk in the departure hall – Entry to security filter with biometric lane for enrolled passengers – Border control emigration checkpoint with biometric lane – Boarding gate with biometric lane ● Arrivals – Enrollment by forwarding passenger details through mobile phone (prior to departure or from the plane) or by enrolling at biometric kiosk in the arrival hall – Border control immigration checkpoint with biometric lane Who? ● The KTDI facilitation was developed by the governments of Canada and the Netherlands, in partnership with WEF and several other partnering organizations. The complete pilot group consists of: – WEF – Government of Canada (Transport Canada) – Government of the Netherlands – YUL – Toronto Pearson International Airport – Amsterdam Airport Schiphol – KLM Royal Dutch Airlines – Air Canada – Accenture (Accenture 2018a) – Vision-Box – Idemia – Customs and Border Service Authority CBSA (Canada) – Immigration Refugees and Citizenship Canada (IRCC) – Koninklijke Marechaussee (Dutch Border Police) – Rijksdienst voor identiteitsgegevens (Dutch Identity authority) ● The workgroup was initiated in 2018; pilot implementation in terminal was originally planned for 2020 but was postponed and is expected to commence in the near future. Why? ● The KTDI program is based on a platform that enables a traveler- managed digital identity for international paperless travel to create a seamless passenger flow that is faster and more enjoyable. KTDI protects the passengers’ privacy by giving them control over their data and who they share that with. How? Technology used? ● KTDI is based on an interoperable digital identity, linked directly to government-issued identity documents (e.g., e-passports) of which the verifiable claim is stored on a blockchain. The platform allows for identity verification to airports, airlines, and border authorities using cryptography, distributed-ledger technology, and biometrics (facial recognition). Table F-1. Key facts of case study on KTDI. (continued on next page)

174 Airport Biometrics: A Primer Enrollment/digital identity creation and verification ● During the pilot, a one-time enrollment in the KTDI program was achieved, as follows: – Airline invites a select group of passengers to participate – Passenger creates and certifies digital ID with appropriate official issuing authority: local government digital identity-issuing office hosted at Schiphol airport or the Canada Border Services Agency (CBSA) in Canada – Passenger downloads mobile phone application and creates KTDI profile – The local identity-issuing authority makes a photograph of the passenger with the passenger’s capturing device in a controlled environment. The passenger stores the image on the KTDI app, where it is encrypted, which the authority then verifies. – The passenger then tests this verified digital ID by making a selfie, which is compared to the digital ID, and if a positive match is made, it is verified by the local authority and becomes the first verifiable claim of a traveler’s identity data stored on the KTDI blockchain. The photos are not stored anywhere other than on the passenger’s own device. The blockchain only stores the verifiable claim. – In the mobile phone application, the passenger can then add information regarding upcoming flight, such as digital boarding cards. ● Per-trip online check-in for each flight: – Prior to a flight, the passenger can push biometric details, passport details, and boarding card to the seamless system of the airport, where they are temporarily stored (maximum 24 hours) in a passenger data envelope (PDE). This can be repeated for each flight without having to enroll again. Note: The exact method of enrollment may be subject to change due to the fact the project is still in development. Verification of identity how? ● The Digital ID and other details of the passenger are temporarily stored in the PDE. Directly after forwarding the data to the airport of departure or arrival, the system can perform all checks of whether the passenger is authorized to pass each touchpoint. At the airport on arrival at each biometric lane of the seamless process, the passenger’s face is matched with the template stored in the system and processed according to the authorizations. For which user groups? ● Pilot group of passengers between the Netherlands and Canada with a Dutch or Canadian Passport traveling with KLM or Air Canada between AMS and YUL and AMS and YYZ in either direction. The system could potentially be used for any nationality (with an e-passport) as long as the respective authority of the country provides the required digital ID verification and KTDI support. Table F-1. (Continued). and airlines offering a direct connection, and the technology companies involved with KTDI’s development. As part of the initiative, the concept is planned to be implemented at AMS for KLM and Air Canada flights from and to Montreal and Toronto. Note that as the pilot has not started, this case study description is limited to the main concept of operation, functions, and technical aspects. How Does It Work? Before the Passenger Journey The KTDI system relies on two main platforms. The first platform is the KTDI-supported airport system hosted by an airport; the other is the KTDI app on the mobile device of the passenger, which holds the passenger’s digital ID and flight information.

Case Study: Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada 175   The airport’s orchestration platform that supports KTDI can accept passenger data when shared via the app prior to departure or arrival. The orchestration platform creates a passenger data envelope (PDE) for those data and will store it for the duration of the trip. The platform is typically hosted locally or on a cloud dedicated to the airport systems. The KTDI app on a passenger’s mobile device stores the passenger’s biographic data (passport data) as well as the passenger’s biometric data: the photographs of the passenger’s face. These data are stored only locally on the mobile device and can be shared with airport platforms and country authorities if the passenger chooses to do so. The touchpoints at the airports operate on a system provided by Vision-Box and are based on IATA’s OneID concept. The system is made up of the following components for departures: • KTDI enrollment kiosk for post check-in, • Biometric lane with digital ID verification at security filter access, • Biometric lane with digital ID verification at border control filter, and • Biometric lane with digital ID verification at boarding gate. The following components are installed for arrivals: • KTDI enrollment kiosk at the arrival gate, and • Biometric lane with digital ID verification at border control filter. The Passenger Journey Passengers that travel with the KLM or Air Canada flight from AMS to Aéroport Inter- national Montreal–Pierre Elliott Trudeau (YUL) or Toronto Pearson International Airport (YYZ) and vice versa can be invited to participate in the pilot. During the pilot, participation is for invitees only. KTDI Enrollment and Preparation The KTDI concept relies on a KTDI profile and a verified digital ID that is kept in a digital wallet on the mobile device of the passenger in the KTDI app. The digital ID contains biometric and biographic details of the passenger. These details are verified by an identity-issuing authority and are encrypted by a security certificate. In the Netherlands, the verification of the KTDI profile on the mobile device takes place in the municipality office near the place of residence. The municipality office is designated as the orga- nization to issue identification documents on behalf of the Rijksdienst voor Identiteitsgegevens (translates as National Office for Identity Data). Verification is done at the desk of the municipality office with the passenger being present. In Canada, passports are issued by Immigration, Refugees, and Citizenship Canada (IRCC) at dedicated passport offices. Application for a digital ID and verification of the KTDI profile takes place at these IRCC offices and takes a few processing days as the Canada Border Services Agency (CBSA) checks the application. Passengers enroll at a kiosk, after which the passenger data are vetted by the office authorities. Once set up and verified, the KTDI profile is ready for use with the mobile device and includes the first verifiable claim of a traveler’s identity data. The digital identity, being from a trusted traveler (verifiable digital identity), is on the mobile device and can be expanded with travel data (e.g., boarding card) but also immigration data such as visas or electronic traveler authorization. The passenger has self-sovereignty over the data and can push data to the seamless

176 Airport Biometrics: A Primer airport/airline platform. The data remain with the passenger on the mobile device and are not centrally stored. Airline Check-In and Airport Enrollment Per Trip To prepare for a trip, the passenger can check in online or at the airport to receive a mobile boarding card. The boarding card can be added to the digital KTDI app, after which the passenger can forward all the relevant data to the seamless platform of the airport. This includes passport details, a biometric template, and boarding card details for the airline. The seamless platform then creates a PDE that contains all the data required for the journey of the passenger by the airport, airline, and border control authorities, being either the Koninklijke Marechaussee (Dutch border police) or the CBSA. The platform provides the interfaces with the systems of the stakeholders and organizes the data flows. It also manages the business rules and organizes the authorizations that are received from the stakeholders. The data that are provided by the passenger are pre-staged in the seamless platform. No passenger data are exchanged or stored at the blockchain; only transactions with pointers are provided. As long as all transactions (i.e., the verifiable claims) are without complication, the required level of trust is present, and the passenger’s credibility is established. Arrivals with the KTDI App On arrival at the destination airport, a dedicated area with registration kiosks is present at the gate for the invited and enrolled passengers. These kiosks register the passengers’ ID as well as their biometrics to create a PDE in the same way as is done at the departure airport. Again, the passenger’s details will be verified against the systems of the border control agency. At immigration, dedicated lanes for KTDI with a mantrap layout are equipped with a camera to recognize and confirm the passengers’ ID and are also equipped with a near-field com- munication reader for the mobile phone with the digital ID or the e-passport, when required (for redundancy). When the passenger is authorized to proceed, the exit barrier opens. Retention and Storage Although the process at the airport is based on a per-trip model, enrollment in KTDI can be considered a for-life model. The digital identity that can be stored on the passenger’s mobile phone is created for the lifetime of the passenger’s e-passport and can be used for multiple journeys unless the passenger decides to opt out by deleting the KTDI app and its data from his/her mobile device. The passenger’s identity data are not stored on the blockchain. The blockchain holds the pointer to the verifiable claims (interactions) of a traveler’s identity data with trusted entities. The record is expanded with every claim from every time the traveler uses the profile and thereby re-establishes the credibility of its identity. As the record expands, the credibility increases. The mobile phone application can contain additional data related to the passenger. Prior to a trip, the passenger can push this information to the seamless flow system of the airport. The passenger manages the KTDI profile and digital ID with self-control over the permissions and data pushed to the respective airport, airline, and authority per trip. The identity data itself stay with the passenger and are not saved centrally at the airport or authority. The data that are made available by the passenger to the airport, airline, and authorities are encrypted and stored in the local databases for 24 hours and are only available for the trip (World Economic Forum 2020b).

Case Study: Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada 177   System Architecture Flow Diagram The flow diagram of this case study can be found in the Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada, case study in Chapter 2. System Specifications – Digital ID and Self-Sovereign Identity Instead of simply replacing the hardcopy ID with a softcopy digital ID derivative or alter- native, the concept uses verifiable claims (interactions) of a traveler’s identity data with trusted entities. The use of such claims ensures that the credibility of the traveler and his/her identity are established and authenticated. Blockchain technology is used to provide information for these verifiable claims as they are essentially transactions between the digital ID of the passenger and verifying entity. The use of a digital format enables optimization of the passenger process and improves risk management. Stakeholders and Responsibilities The KTDI program was brought together under the WEF (World Economic Forum 2020a) with many partners. The three airports, the two national governments, Accenture, and WEF led the program through its initial forming, setting its direction with innovation and the drive to organize pilot programs. Stakeholders The main stakeholders of the KTDI program were the YUL, YYZ, and AMS airports, together with the two airlines, KLM Royal Dutch Airlines and Air Canada. Also, three private companies were involved: Accenture, Vision-Box, and Idemia. As partners during the devel- opment of the KTDI program and thus stakeholders, the governments of Canada (Transport Canada, CBSA) and the Netherlands [the Koninklijke Marechaussee (Dutch border police)] were closely involved to facilitate the program’s first pilot. Most importantly, the stakeholder group most affected by the program was the passengers who were selected flying KLM or Air Canada to take part in the pilot. Responsibilities and Governance The consortium between the stakeholders led, at the start of the project, to the formation of multiple working groups, all made up of members of the different stakeholders to maximize working together on multiple fronts. The working groups were guided by a project manage- ment committee and a steering committee, which oversaw the progress as well as guarded the project goals and timelines. Working groups were formed for tasks related to legal topics, communications, the system architecture and technology, implementation and performance measurement, and the delivery of pilot projects leading up to larger implementation. In this format, responsibilities among the different stakeholders were divided equally, with experts in each of the groups taking the lead and informing the other members. Case Study Review Benefits Benefits from the implementation of KTDI are numerous and are different for each stake- holder. The main benefits relate to the passenger experience. KTDI allows for faster touchpoint processing, better privacy protection, and a touchless journey through the airport, which in

178 Airport Biometrics: A Primer the COVID-19 period is a key focus. The complete process allows passengers to only use their mobile device, relieving them of having to fumble with a passport and boarding pass. Faster processing through touchpoints at the airport will smoothen the journey and make it less stressful, allowing the passengers to spend more time relaxing, visiting retail shops, or selecting offerings such as food and beverages. Furthermore, for government agencies/subcontractors, such as border protection, immigra- tion, and airside security, the digitized process allows for a more efficient resource allocation, a smaller footprint in the airport, and, notably, a safer and more secure airport operation. Airlines will benefit from efficiency increases as automation makes room for more personal service, where needed, and more streamlined processes. Passengers will predominantly interact with the airline through the application on their phones. For airports, the biometric solutions provide means to increase automation, decrease the necessary footprint of touchpoints, decrease staff numbers, and process more passengers in less space. Especially with regard to COVID-19, the focus lies on creating a touchless and seamless travel experience, which KTDI paired with the right infrastructure offers. Another benefit for airlines, airports, and passengers is the forward verification and country entry eligibility that is possible with the system, which prevents passengers being rejected at the country of destination and having to fly back. Arriving at the destination, passengers present their KTDI digital identity and, being vetted prior to arrival, they only have to wait for a positive match of the picture made at the e-gate. Because the system architecture includes a blockchain component that aims to store the veri- fiable claims of confirmed identity rather than the digital identity itself, passengers can choose exactly what data they share with which stakeholders in the passenger journey (Kelleher 2019). The complete identity document or credential is only stored on the passenger’s mobile device. KTDI is designed to comply with Canadian and European privacy-protection rules and is designed according to privacy-by-design principles. Responses from Passengers At the time of writing, with the biometric solution still being under development, no passenger feedback had been collected. Internal feedback by members of the working group and employees of the consortium had been used in the development of the mobile application, which had progressed to a second beta phase. Trials in a laboratory environment will aim to test all components together and link the systems of all the different stakeholders. Fall-Back Options The KTDI program is designed to replace the current touchpoint infrastructure at the airport, but a non-biometric, non-KTDI option will still be required for the near future for passengers that wish to opt out. The initial pilot program that was successfully rolled out only included a limited number of selected passengers per flight; thus, the standard processes were still available for passengers wishing not to use the KTDI system. Concerns Two points that were a concern for the consortium were (1) who would host the mobile application, and (2) the legal frameworks that would need to be agreed on. On the first concern, discussion was ongoing on whether the WEF would host the application or if a separate

Case Study: Known Traveller Digital Identity at Aéroport International Montreal–Pierre Elliot Trudeau, Montreal, Canada 179   entity would need to be created. Development of the application by Transport Canada or CBSA (with experience in application development) or the Dutch government authority would not necessarily mean that party would host the application. On the second concern, the consortium had knowledge of multiple industry providers of technology and hardware infrastructure that demonstrated the individual use and capabilities of the components; much more difficult would be the drafting of legal agreements between the multiple stakeholders regarding their roles in data processing, data control, data exchange, and how these legal agreements would be affected by privacy impact assessments that several stakeholders would go through. Lessons Learned One of the main lessons learned by the working groups of the consortium was that the creation of the legal framework was underestimated at first (Gendreau 2020). Expertise needed on a wide range of matters, from privacy protection for the two countries as well as the European GDPR, to data management, matters of intellectual property, and legal arrangements, is typical for collaborations between public and private companies. The drafting of these legal frame- works started slowly, and expertise had to be drawn from outside the consortium, affecting budgets and project timelines. A second lesson learned related to the switching from a detailed project approach descrip- tion and plan to a more flexible, phase-by-phase approach. This dynamic approach provided clearer short-term goals and deliverables that were easier to manage and attain by the project working group. Findings and Trends Findings • There was ongoing development of the digital credential, with international standards devel- oping simultaneously, with the ultimate goal of being interoperable with other (biometric) systems. • The multi-stakeholder (multi-country) system proves a much more complex project, although the potential benefits in the long term (interoperability and scalability) can only be attained through this route. • Lessons were learned on privacy of information and transmission and collaboration with foreign governments, especially regarding legal frameworks between public and private project partners. Future Situation and Broader Implementation The goals are to implement the KTDI system at all airports that offer flights between the Netherlands and Canada and to offer the seamless flow option to all passengers flying with the project stakeholder airlines (Air Canada and KLM). Proof of concept might attract more interested countries, airlines, and airports. Until that time, a pilot in a lab environment aims to test the complete system for a small number of simulated passengers. Pilots at actual airports with actual passengers would follow before further implementation at the partner airports. Scalability is another major focus for future implementation, especially as the blockchain component needs to be well designed to handle larger amounts of data traffic. Similarly, the

180 Airport Biometrics: A Primer hosting of the application on the passengers’ mobile devices needs to be able to handle the data load as well as the interoperability and integration with multiple (new) airlines. As many digital and biometric solutions are being developed around the world, the consortium is in constant contact with IATA and ICAO so as to follow developments in DTC and OneID. The consortium aims to align the KTDI system with these international standards and devel- opments to increase the likelihood of successful interoperability with other systems. Trends Identified For this specific case study, all five trends identified in the second chapter make their appear- ance. Key in this biometric solution for passengers is the use of a mobile device (smartphone) for storage of their digital identity and biometrics. Looking at the system architecture design shows a trend toward a complex, multi-stakeholder system that aims to maximize long-term benefits of interoperability and scalability by aligning to global standards for digital identity credentials as well as standards for biometrics with regard to privacy, security, and ethical concerns. It is no surprise that the consortium in this case study has applied the design prin- ciples of privacy by design and is taking significant time preparing legal frameworks to mitigate potential risks. Finally, this case study provides another example of a solution that leans heavily on biometric technologies for identity verification and takes care to distinguish itself from systems that might be used for mass surveillance.