Community Research and Development Information Service - CORDIS

FP7

FIDELITY Report Summary

Project ID: 284862
Funded under: FP7-SECURITY
Country: France

Final Report Summary - FIDELITY (Fast and trustworthy Identity Delivery and check with ePassports leveraging Traveler privacy)

Executive Summary:
FIDELITY is a multi-disciplinary initiative which analyses shortcomings and vulnerabilities in the whole ePassport life cycle and develops technical solutions and recommendations to overcome them. FIDELITY demonstrates privacy enhanced solutions to:

• Secure issuing processes: authentication of documents, preventing impersonation fraud
• Improve ePassport security and usability: authentication processes, ID check speed, accuracy of biometrics, management of certificates, access to remote data bases, convenience of biometric sensors and inspection devices
• Better manage lost and stolen passports
• Strengthen privacy: privacy-by-design applied to all phases of the ePassport life cycle, systematic anonymisation of data and separation of data streams, using novel privacy-enhancing technologies

FIDELITY strengthens trust and confidence of stakeholders and citizens in ePassports, provides more reliable ID checks, hence hinders criminal movements, and eases implementation of Entry/Exit (E/E) records, providing better analysis of migration flows.

Significant efforts have been invested to strengthen border identity (ID) checks with biometric travel documents embedding electronic chips (the "ePassport"). However, problems appeared regarding fraud in the ePassport issuing process, citizens losing control over their personal data, difficulties in certificate management, and shortcomings in the convenience, speed, and efficiency of ID checks, including the access to various remote data bases containing important data for border ID checks.

FIDELITY solutions were designed with backwards compatibility to be deployed progressively in the existing infrastructure. The FIDELITY consortium is composed of market-leading companies, innovative SME, renowned academia, ethical-sociological-legal experts, and end-users, which help to define requirements and recommendations and assess results. They, together with the other partners, actively promoted the project results towards stakeholders and international working groups that elaborate future ePassport standards.

Project Context and Objectives:
FIDELITY aimed at improving the security and usability of biometric travel documents, whilst at the same time protecting privacy of travel document holders by a privacy-by-design approach. The project focused on ePassports with a holistic approach addressing its complete life cycle from issuance to expiry or revocation, during identity checks, and the management of certificates. FIDELITY developed technical solutions and demonstrated how to overcome current limitations, and studied privacy/legal/ethical and sociological aspects of biometric travel documents. It provided technical demonstrators and recommendations indicating how to increase convenience and trust in ePassports for end-users (immigration inspector, overseas consulate officer, border guards, etc.) and for the citizen (the passport holders) by combining strong security, better usability and privacy by design.

For 10 years, and especially after September 11, significant efforts have been invested to make travel documents more secure by issuing passports with biometric data and embedded electronic chips (the “ePassport”). On both sides of the Atlantic, aggressive time-lines have pushed for the adoption of ePassports: the PATRIOT Act in USA, the regulation 2252/2004 in the EU. This regulation requested the Schengen Member States (MS) to deliver ePassports with facial biometric data from August 2006 onwards. Later, to strengthen security and trust, the EU introduced fingerprint biometrics as mandatory feature for Schengen MS since end of June 2009. In the meantime about 250 million ePassports had been issued in 89 countries around the world.

The aim to create an almost impossible to forge travel document has been achieved. The ePassport is a travel document with a higher security than ever before. However, after a couple of years of use and exposure in real world conditions, some weaknesses appeared. In view of the important role of the ePassport to hinder criminal and terrorist movements and hence contribute to protect society, there was an urgent need for a multi-disciplinary research and development initiative, integrating innovation capacities and expertise on ePassports and related processes and infrastructures.
Unlike the formerly proposed partial technical improvements, there was the need to address not only a specific identified weakness of the ePassport, but rather the complete architecture and ePassport life cycle.

The overall objective of FIDELITY was to develop and demonstrate solutions that enable faster and more secure and efficient real-time authentication of individuals at border crossing, whilst at the same time protecting privacy of the travel document holders with a privacy-by-design approach. FIDELITY also proposed solutions to dramatically improve the issuance process of breeder documents.

Improved ePassports, integrating leading edge ICT technology, have potentially a very strong impact on the citizen’s everyday life and on the society as a whole. This initiative was therefore led by a consortium of market-leading industrial companies, renowned scientists in the security domain from public research institutes and universities, experts in the study of legal, ethical, societal aspects, ePassport manufacturers and end-users, represented by public administrations responsible for the issuance of ePassports and for border ID checks.

The FIDELITY project in particular had the following specific technical objectives:
• To study potential vulnerabilities of the current ePassport, as well as limitations regarding its usability, functionalities and performances, considering the whole life cycle from issuance, use for ID checks, until revocation.
• To develop technical solutions based on existing technologies, and where needed to develop new technologies to address the identified security or privacy gaps and to enable better and faster secure real-time authentication of individuals.
• To study related ethical, legal and societal aspects in order to guide in this respect the technical developments to ensure that the proposed technical solutions are viable and acceptable, and to identify if associated socio-political measures (such as regulations, laws) would be required for their adoption and deployment.
• To study a future ePassport architecture based on a privacy-by-design approach and allowing to radically overcome all identified security and privacy weaknesses and operational limitations, addressing needs that cannot be implemented in the current architecture.
• To demonstrate how FIDELITY solutions can be integrated into the existing ePassport infrastructure and how they improve ePassports security and usability, and how they enforce privacy.
• To validate robust technical solutions and provide recommendations for securing breeder documents and travel documents issuing processes, to prevent identity theft and fraud in the ePassport applications.
• To assess the achievements of the FIDELITY project through a set of demonstrators representing the typical ePassport use cases, with the direct involvement of end-users (government agencies responsible for travel documents issuing and checking).
• To elaborate recommendations for the improvement of the ePassport, taking into account existing standards, and legal, ethical and societal requirements, and the European privacy culture, and to prepare technical proposals for introduction in the standardisation process at the ISO and ICAO level.

FIDELITY focused on ePassports, but the solutions developed in FIDELITY are also relevant for other related electronic travel documents, such as e.g. electronic resident permits which use the same, or closely related, technologies and standards and have similar requirements as regards security and privacy.

For all developments FIDELITY applied the following principles:
• The proposed technical solutions took into account the already deployed infrastructures and millions of passports and hence are backwards compatible, so that already deployed ePassport can be used with no usability impacts.
• They are proposed as multiple bricks for the construction of a solid wall, enabling the stakeholders to select and adopt parts of it and a timing best suitable for their implementation.
• They are based on sound “privacy by design” approaches.

FIDELITY implemented a proactive privacy-by-design approach by systematically embedding citizen-centric privacy enhancing mechanisms in all steps of the ePassport lifecycle. ePassport security is combined with ID data protection and security is not affected by the respect of privacy.
FIDELITY anticipated and prevented invasive identity scrutiny. Data related to identity has been systematically anonymised before automatic processing. This approach has been applied on the whole ePassport life cycle, from issuing stage, during ID checks processes until ePassport revocation (including denied access mechanisms). This approach makes sense in ePassport ID checks because the huge majority concern “bona fide” travellers. With FIDELITY, citizens do not expose more personal data than necessary, and operators get accurate feedback. Depending on the feedback, further security investigation may then be decided by the operator.

Project Results:
The FIDELITY workplan is structured into seven sub-projects (SP), shown hereafter together with their periods of activity.

SP1 : Transversal activities (M1 – M48)
SP2 : Requirements analysis (M1 – M9)
SP3 : Safe travel document issuance (M7 – M38)
SP4 : Chain of trust for current ePassport (M7 – M36)
SP5 : One stop check (M7 – M38)
SP6 : Travel document of the future (M4 – M48)
SP7 : Assessment (M32 – M48)

SP1 contains all transversal activities, lasting the entire project duration, i.e. tasks that are linked to many (or all) other WPs. It includes consortium management (WP1), study of ethical, legal and societal aspects (WP2) and dissemination actions targeting stakeholders, exploitation planning, external cooperation, and training (WP3). WP2 is closely linked to all WPs that specify requirements, develop technologies and produce recommendations and will study and provide guidance on sociological, ethical and legal aspects to be taken into account in the development of FIDELITY solutions and recommendations.

SP2 is the technical start point of FIDELITY. It is composed of two WPs and focuses on security and usability of ePassports and issuance processes. SP2 will analyse shortcomings and specify requirements that will guide the development and assessment of FIDELITY solutions. It prepares recommendations for stakeholders on how to address shortcomings in ePassports, updated with the outcome of FIDELITY results assessment.

Three SPs cover the RTD work, grouped in related ePassport lifecycle domains:
• SP3 handles all research and development work related to safer travel document issuance. It is composed of three WPs (WP6 to WP8) and provides as main outcome recommendations and technical solutions enabling trust for a claimed identity (WP6), trust in the identity claimant (WP7), and trust in protection of private data (WP7-WP8).
• SP4 focuses on the chain of trust for ePassports, i.e. all issues related to the security and privacy of ePassports, from issuance, during ID checks until revocation. Fast, protected, and reliable security schemes for “trustable” verification is the main objective. SP4 includes innovative architectures (WP 9), different protocol configurations (WP 10), and the security of ID check devices, which process personal data (WP11). SP4 also provides innovative alternatives to the current certificate chain.
• SP5 develops a one-stop check concept, i.e. technical solutions to overcome current usability limitations of ID checks using ePassports. This concept covers biographic (WP13) and biometric data (WP14), packaged for protected and non-traceable queries in multiple databases. ID inspection terminals are developed (WP12) based on privacy-by- design principles, to implement this secure and reliable one-stop ID check concept.

SP6 “Travel document of the future” studies advanced ePassport improvements that would be possible only under condition to revise the current Logical Data Structure (LDS), access protocols to the ePassport, and chip requirements for ePassports and readers.

SP7 “Assessment” covers the development of demonstrators of FIDELITY solutions and their assessment. WP17 develops a set of demonstrators corresponding to the typical ePassport use cases. WP18 assesses, on the one hand, the components developed in SP3-SP5, and on the other hand, the integrated demonstrator. End-users are directly involved in the evaluation of the demonstrators and support dissemination to stakeholders.

After the first project year project performances and S/T results were as follows:

SP2 was the first sub-project to kick-off the project RTD activities since it elaborated the specifications for enhanced passports. Draft versions of the main deliverables D4.1 and D5.1 which specify the FIDELITY requirements for security and usability were prepared and presented to the FIDELITY Advisory Board (FAB) in September 2012. These documents were then finalised taking into account the feedback received from the FAB members.

SP3 started its work in M7 and was active only for the second half of the first project year. This sub-project progressed as planned. Procedural and technological developments were launched for evidence of identity trust enhancement, travel document issuance, and biometric data protection. From WP6 a survey on evidence of identity and recommendations were recorded in D6.1 and presented to the ICAO community. Work in WP7 and WP8 for travel document issuance and data protection was under development as planned. Some preliminary research results for duplicate enrolment checking and template protection were envisioned in the following project year.

Starting in M7, SP4 was active only for the second half of the first project year. The work carried out during this period allowed the partners to get distinctly closer to its overall goal of achieving reliable security schemes for “trustable” verification, as expressed by the more specific objectives above. This assessment was based on the observation that:
(a) the current system with its weaknesses was now better understood by partners,
(b) ongoing tasks were focussed on addressing some of these weaknesses in a way that avoids duplication of effort,
(c) initial results shared on the website were promising and interactions showed a good degree of collaboration.

SP5: In the first project period, two of the work packages composing SP5 were active: WP13 "ID claim verification" progressed on the study of anonymisation concepts and mechanisms and in the design of an architectural solution for collection of data from heterogeneous data sources. Regarding the data mining developments, the partners had to work on problems with getting access to information about the relevant data bases and ethical concerns. WP14 "Secure and fast data exchange mechanisms for border crossing ID checks" was progressing as planned in schedule and targets. A first draft of deliverable D14.1 "Fuzzy and secure indexing algorithms for alphanumeric data" was elaborated and data collection activities were prepared in terms of modality and data capturing system.

SP6 started its work in M4. It provided a first version of the deliverable on “Data formats and application interface”. It contains a detailed requirement analysis for the generation of travel documents, targeting a solid balance between optical and electronic requirements. Special focus had been given to the definition of tables of mandatory and optional document security, material and chip features. Based on the analysis of current documents and infrastructure, the partners also made a first preliminary proposal for the next generation e-Pass architecture.

During the second year of the project the following achievements were made:

SP2: As a follow-up of deliverables D4.1 and D5.1, a priority ranking of the requirements was realized by estimating, by consensus between SP2 partners and WPs leaders, the cost to achieve the requirements and the link with the planned tasks in the different WPs. This ranking underlined which requirements were planned to be addressed within the FIDELITY project.

SP3: Suitability of security features for evidence of identity (breeder document) was further investigated and refined based on the recommendation in D6.1 done in the first project year. New processes of life cycle management of evidence of identity were under development. A white paper for standardizing birth certificate as EU’s public document was also under development. Work in WP7 and WP8 for travel document issuance and data protection was progressing. D7.1 was generated for face sample compliance checking to ISO/ICAO standards. A duplicate enrolment check platform was being developed. Multi-modal biometric databases for testing were established. Several biometric data protection methods were developed and their performance tested.

SP4 delivered several important building blocks to ensure a chain of trust for ePassports i.e. all issues related to the security and privacy of ePassports, from issuance, during ID checks until revocation. Starting from the requirements as laid down in SP2, firstly, a new ePassport certificate distribution architecture was developed, which is more efficient than the current system and provides flexible optimisation mechanisms and certificate revocation support. Secondly, several efficient authentication protocols were proposed including a protocol for the eMRTD chip to check the revocation status of the terminal; an enhancement of PACE to include biometrics; and a new lightweight private (mutual) authentication protocol between the eMRTD and the terminal that can replace EAC and PACE. Thirdly, the partners described state-of-the-art security features to be embedded into the design of the inspection devices, prioritizing these based on a cost-benefit analysis.

SP5: During the second work period, all work packages were active: WP12 (“ID Inspection Terminals”) started its activities during the second work period, while WP13 and WP14 were already active. In WP12, relevant requirements from WP4 and WP5 were identified, and other requirements from real world use cases were documented. A high-level architecture of the ID Inspection Terminals was defined, and work was started on both the fixed and mobile terminals. WP13 "ID claim verification" progressed on the study of anonymisation concepts and mechanisms and in the design of an architectural solution for collection, fusion and anonymisation of data from heterogeneous data sources. In cooperation with WP2, the partners had to work on problems about how to technically cope with legal and ethical concerns raised when getting access to information about the relevant identity-related data bases. WP14 progressed as planned in the second project year. Numerous on-the-fly biometric sensing methods were proposed and tested for fingerprint and face recognition, and fuzzy indexing methods were also proposed and tested. Algorithm innovation in fast indexing for both plain and protected biometric data had started.

SP6: SP6 contains two work packages, WP15, “Next generation ePassport architecture” and WP16, “Next generation ePassport chip and terminals design”, but during the second year there were only activities in WP15. The objectives of the second year were to continue analysing the requirements of eMRTDs and to imply backward compatibility with current infrastructure and documents. In addition, the results of other WPs, especially WP4, 5, 9 and 10, were integrated.

SP7 starts much later, but discussions regarding the practical organisation of the demonstrators are underway.

During the third project year the consortium partners made considerable efforts to achieve the planned intermediate results and milestones.

SP2: In the 2nd project year, a priority ranking of the requirements had been realized. This ranking underlined which requirements were planned to be addressed within FIDELITY project. In the 3rd project year this ranking was completed, at the beginning of the period.

SP3 addressed the challenges to the issuance phase of a travel document in terms of trust of evidence of identity, eligibility of the applicant, duplicate enrolment checking, and secure and privacy enhanced identity checking technologies. SP3 took the requirements from SP2 as input and delivered procedural and technological solutions on travel document aspects to SP4 and SP5. The objectives of SP3 in the second project year were to:
• investigate the feasibility of the recommended security feature in D6.1 in practical application and survey the evidence of identity’s life cycle management process.
• complete the development of the duplicate enrolment checking solution and prepare the multi-modal biometric database for performance testing
• generate biometric data protection algorithms for security analysis and performance testing

SP4 focused on the chain of trust for ePassports, i.e. all issues related to the security and privacy of ePassports, from issuance, during ID checks until revocation.
Its main objective for the period was to provide fast, protected, and reliable security schemes for “trustable” verification. SP4 achieved this overarching objective by defining
• innovative architectures,
• innovative alternatives to the current certificate chain,
• different protocol configurations, by analysing and taking into account the security of ID check devices, which process personal data.
SP4 continued until the end of the third year with the objective to:
• implement the certificate management architecture and revocation mechanism, which results in a significantly smaller quantity of certificates.
• develop protocols for ePassport verification and owner verification without a PKI, ensuring privacy and security
• implement several of the protocols for ePassport and owner verification, assessing the efficiency (communication and processing speeds)
• propose a state-of-the-art architecture for a trusted and secure inspection system

SP5 had the objective to develop technical solutions (hardware and software) to implement a fast and efficient identity check, taking into account the requirements expressed in other work packages (especially WP5) and the legal, ethical and privacy issues analysed in WP2.
In the third period, SP5 (WP12) had the objective of completing the development of the prototype of the Fixed ID Inspection Terminal and to continue the development of the prototype of the Mobile ID Inspection Terminal started in the second period.

Because of the impossibility of getting access to institutional data sources for collecting real data, the WP13 objective of realizing a complete data mining solution for ID ranking has been partially abandoned. However, remaining and new objectives were still valid for WP13: (i) the implementation of mechanisms aimed at validating the identity of the person wishing to pass the one stop checkpoint by applying data anonymization and fusion techniques, until the point the data are ready to be further elaborated by a decision support tool (possibly a data mining tool, in the future) in order to assess the quality of the ID element used to identify the traveler; (ii) a data generation activity in order to design and implement a reusable solution to generate realistic synthetic ID-related data from institutional data sources, able to feed anonymisation and fusion tools; (iii) a strong focus on the legal, ethical and societal (privacy) impacts of a full data mining solution for validating the identity of travelers at checkpoint (objective addressed by adding LEP experts to WP13 partners, when WP13 was redefined).

In the third project year, SP5 (WP14) also aimed at finalizing the studies (started in the previous years) on compact biometric templates and the studies on fast indexing algorithms for alphanumeric data and plaintext and encrypted biometric data. All these activities aimed at improving the speed and efficiency of the identity verification at the borders, while preserving the protection of personal information.

SP6 contains two work packages, WP15, “Next generation ePassport architecture” and WP16, “Next generation ePassport chip and terminals design”. During the third year there were only activities on WP15 except the WP16 kick off meeting in January 2015.

The work carried out during this period covered the tasks 15.2, 15.3 and 15.4. As main outcome of this work the deliverable D15.3 “Next generation travel document architecture” was prepared.

In task 15.2 “Next generation EU passport architecture”, the findings presented in the intermediate report D15.2 were worked out in more detail. Therefore, authentication and communication protocols for the next passport generation presented in WP9 and WP10 were integrated. Main findings were the introduction of two new ePassport profiles. These profiles provide full backward compatibility and new access control mechanisms.

The work carried out in task 15.3 “Data formats and application interfaces for interoperable operation and integration” focused on how interoperability and integration of the two presented profiles can be achieved. Furthermore the aspects of integration into the existing infrastructure were investigated as well as the issue of keeping privacy and backward compatibility. Main result of this task was a table displaying chip security features versus requirements. It can be used for checking a set of requirements versus their feasibility.

Results of both tasks 15.2 and 15.3 have been integrated into deliverable D15.3.

Task 15.4 “Requirements for document inspection” was started. Its aim was to figure out requirements for the new security features presented in deliverables D15.2 and D15.3. Furthermore the different inspection methods were investigated. As a result a metric comparing all inspection methods and defining a set of inspection requirements were presented.

SP7 was started at the end of the third period (M32). In the third year, the following objectives were achieved:
• organization of the SP7 kick-off meeting, where the work to be done in the different tasks has been defined and scheduled;
• integration of the software to evaluate the compliancy of face images to ISO/ICAO standard into the Enrollment Station;
• definition of the integration details of a fingerprint recognition algorithm in the Mobile Verification Station;
• initial integration of the passport check module into the Fixed Verification Station;
• definition of a series of statistics to compare real and synthetic fingerprint DBs;
• development of a software tool for computing the above statistics;
• generation of a first synthetic fingerprint database.

During the final year of the project:
SP2 was finished during the previous period.
SP3 progressed as planned in the third project year. Suitability of security features for evidence of identity (breeder document) was further investigated and refined based on the recommendation in D6.1 done from the first project year. New processes of life cycle management of evidence of identity were under development. A white paper for standardizing birth certificate as EU’s public document was under development. Work in WP7 and WP8 for travel document issuance and data protection was progressing. D7.1 was generated for face sample compliance checking to ISO/ICAO standards. A duplicate enrolment check platform was developed. Multi-modal biometric databases for testing were established. Several biometric data protection methods have been developed and are under performance testing.
SP4 finished at the end of the third project year.

SP5: During the fourth work period all work packages were active. In WP12, the prototypes of the fixed and mobile ID Inspection terminals were completed and made available to the integration and evaluation work packages.
In WP13, the implementation of tools for data generation, able to adequately substitute the real data records from institutional data sources (not made available to the project) has been completed and documented. The generated data can be used by the anonymization mechanisms developed in the WP. The analysis of the LEP (legal, ethical and privacy) aspects related to the technical and theoretical work in the WP has been completed. Several use cases on the application of the proposed ID Claim verification architecture in border control scenarios have been defined and documented.
In WP14, the implementation of the services to manage remote identification queries (in alphanumeric and biometric databases) has been completed, with minimized transmission time. The implemented services and interfaces were made available to the demonstrator work package and the related deliverable (D14.4) was completed and submitted.

SP6 contains two work packages, WP15, “Next generation ePassport architecture” and WP16, “Next generation ePassport chip and terminals design”. In the fourth year the work of WP15 was focused on two topics. The first one was the analysis and definition of requirements for document inspection. The aim was to integrate the results and findings from the specification of the new generation passport architecture which had been submitted in the deliverable D15.3 as well as the outcome of WP11 and WP12. Results were covered by the deliverable D15.4 “Document inspection requirements”. Main achievements were the presentation of a document inspection “eco system” with best practice guidelines, recommendations and metrics for document inspection. Furthermore work was carried out on the specification and definition of future travel applications. Those applications are the electronic travel record and the electronic visa. For both recommendations and specifications based on the current ICAO specifications were made. Results were integrated in the deliverable D15.5 “Access controlled eVisa”.
Besides the WP15 activities, the work as defined in the DOW was carried out for WP16. A chip manufacturer survey and the integration of its outcome was one of the key tasks. Unfortunately, the response from many chip manufacturers was late. However, the deliverable D16.1 “Security features for future chips & terminals” was delivered at the end of this period. Another activity of WP16 was the definition of new security evaluation methods for new chips. The requirements were based mainly on our findings in WP10, 11, 12, and 15 as well as on the results of the manufacturer survey. Results were presented in D16.2 “Security evaluation methodologies for new chips”.

SP7 contains two work packages: WP17 (“Proof of concept demonstrators”) and WP18 (“Evaluation”). During the fourth year, the three demonstrators were developed in WP17 and presented at the FIDELITY public workshop (Brussels – December 2015).
Regarding WP18, the overall evaluation of the project outcomes was executed through a series of tests focused on:
• Biometric accuracy,
• Efficiency,
• Security,
• Usability,
• Acceptability,
• Standard compliancy.
Moreover, the study aimed at verifying the possibility to predict fingerprint recognition accuracy in very large databases with synthetic data was completed.
Finally, two extra activities were carried out: i) study of the feasibility of creating fingerprint images by “mixing” the features (i.e., local orientations, frequencies and minutiae) from two users, and ii) analysing the potential advantages and obstacles of live facial enrolment when issuing passports.

After 4 years, FIDELITY delivered the following main results for:

ePassport issuance:

• Recommendations for reliable breeder document management processes, standards and technical solutions for implementing easily authenticable breeder documents
• Recommendations for secure ePassport application processes and technical solutions to
1. prevent duplicate identities and function creep,
2. ensure biometrics data quality (face, fingerprint and iris) in conformity with ICAO requirements,
3. support high-speed and high accuracy distributed multi-modality biometric databases, with secure protocols and crypto-biometrics technology to enforce privacy and protect biometric data.

ID controls at borders:

• Secure, highly integrated, and user-friendly fixed and mobile terminals, supporting fast and reliable ID checks at borders and other security check points, enforcing privacy protection and preventing function creep of ID data,
• User-friendly ID check solutions with advanced “on-the-fly” biometric sensors, optimised protocols and compact biometric templates,
• Privacy-by-design based solutions for the generation of “ID elements ranking” indicators, based on secured data mining techniques of relevant remote data bases (VIS, PNR, etc.),
• Recommendations and concepts for next generation travel documents, including requirement specifications for enhanced ePassport chips supporting faster transactions, eVisa applications, enhanced revocation mechanisms, privacy enhancing technologies, improved management of lost and stolen travel documents, etc.
• Recommendations on how to improve (end-to-end) security and the usability of ePassports for ID checks and how to deploy the proposed solutions taking into account ethical, legal, and sociological factors

Management of certificates:

• An architecture and protocols for a secure management of certificates, with and without PKI, attesting the authenticity of ePassports and trustworthiness of passport readers, enabling rapid update/exchange of certificates issued by the MS.

Ethical, legal and sociological aspects:

• Studies, guidelines and recommendations for the implementation of privacy-by-design principles, and ethical, legal and sociological requirements in the developments of ePassport solutions within the FIDELITY project and beyond

Demonstrators for the assessment of solutions developed in FIDELITY based on a set of use cases:

• A reliable ePassport issuance process with authenticable breeder documents, prevention of duplicate enrolment, and control of biometrics data quality / conformity,
• One-stop-check solution for ID checks at borders and other security checks based on a secure fixed ID check terminal,
• ID check solution with a secure mobile inspection terminal,
• Generation of ID elements ranking indicators, thanks to a secure privacy-protected real-time access to and data mining in relevant remote data bases (VIS, PNR, etc.)

The demonstrators were assessed with the direct involvement of end-users. The assessment results used to update the above mentioned recommendations were prepared and widely disseminated by FIDELITY.

The consortium actively disseminated the outcomes of FIDELITY by targeting in particular stakeholders of electronic travel documents. The partners planned to present their developments in professional meetings or events such as the ICAO, “Article 6 group” and FRONTEX workshops, and to promote actively the project results to be taken up by relevant organizations, such as ICAO/NTWG and standardization working groups such as SC17/WG3, SC27/WG5 and SC37/WG5.

The direct involvement of end-users from different countries in the consortium and in the Advisory Board provided an efficient support for the dissemination and up-take of the proposed solutions and their fit to real world requirements.

Potential Impact:
ePassports represent an enormous step forward over previously used paper-based travel documents, increasing the reliability of ID checks and therefore enhancing border security:

• The embedded electronic security mechanisms make forgery of travel documents extremely difficult, and
• Biometric verification links the document to the authorised owner and hinders the misuse of authentic travel documents

However, as ePassports are being used in millions of units in real world conditions, some weaknesses have been recognised as described in previous chapters. Addressing these weaknesses will have a major impact on the political, societal and economic level:

• At the political and societal levels, it is important that stakeholders and users of the ePassport can trust the efficiency of ePassport for ID checks, the security of the processed data, and the respect of privacy principles.
• At the economic level, the impact can be measured considering, on one hand, the reduction of criminal acts based on identity fraud and hence the decrease of fraud management costs (in particular the currently undetected fraud) and, on the other hand, the strong business potential created for European companies providing identity security solutions.

The major impact of FIDELITY solutions is to establish trust and confidence in ePassports by demonstrating solutions that overcome the identified security and usability limitations whilst protecting the privacy of the ePassport holder more strongly than ever. This is not only important to enable the further deployment of ePassports, but also of other electronic ID documents: as a matter of fact, other travel documents with embedded electronic ID, such as electronic residence permits, rely on the ePassport specification (or part of it).

FIDELITY solutions will also have an impact on ePassport usability / ID check efficiency by demonstrating solutions to extract ID elements ranking indicators from information available in various existing remote databases (such as PNR, SIS, VIS), hence solutions that can make border ID checks much more reliable and powerful by real-time analysis of relevant remote data.

The project was timely as can be seen from publications, such as:

• the working paper TAG-MRTD/19-WP/3 from ICAO about problems identified in the ePassport issuing process (3) issued in November 2009,
• a press release from the European Commission on 21 October 2010 announcing the adoption of an external strategy on Passenger Name Record (PNR) data bases (16)
• the questioning in the British House of Commons on the further deployment of ePassports corresponding to the EU standard in the UK in May 2010 (17).

FIDELITY solutions will hence have a significant impact for all stakeholders concerned by secure travel documents as summarised hereafter:

Stakeholder Impact:
• European Union
• MS

FIDELITY helps MS to strengthen the security of the entire ePassport life cycle, increase reliability of ID checks at borders, and be a potential reference for other documents requiring user identification. Project results have been transmitted via the Committee on a Uniform Visa Format (“Article 6 group”) to stakeholders of MS.

• The citizen

More secure border checks will contribute to hinder criminal and terrorist movements and hence contribute to protecting the society. Secure electronic ID documents will also better protect the citizen against the consequences of identity theft.

Convenient and powerful border ID check solutions will speed up ID checks and hence reduce queuing time, e.g. at airports.

A highly important impact for the citizen is the strong attention put on privacy requirements: FIDELITY applies privacy-by-design approaches in general for all solutions developed in the project, and implements PET (privacy enhancement technologies) for ePassports and the application processes.

• Standard making bodies
Organisations that elaborate travel document specifications or recommendations, such as ICAO NTWG and the associated ISO/SC17/WG3 benefit from the technical developments, demonstrators, and recommendations prepared by FIDELITY, which they can then assess and take up.

• Border control authorities, the police

The impact for authorities responsible for border security and law enforcement will be the availability of more reliable ID check solutions, and improved interoperability with existing traveller information related data bases (such as the frequent traveller FLUX system), through seamless and fast exploitation of electronics and biometrics, introducing a technology basis for an Entry/Exit system, which will allow them to better control migration flows on the one hand, and criminal movements across borders on the other hand.
Also, other owners of control processes such as the national police authorities will benefit from trustworthy documents.

• National ePassport issuing institutions

FIDELITY proposes solutions to make the ePassport (and potentially other ID document) issuing process more secure and efficient, by proposing solutions to rely on authentic breeder documents in a standardised format, and solutions to prevent duplicate enrolment of applicants.

Improvement of ePassport security

FIDELITY thoroughly studied the weaknesses of the existing ePassport and demonstrated solutions to address those throughout its entire life cycle:

• The ePassport issuance process
• The use of ePassport for ID checks at borders
• The revocation of lost and stolen ePassports.

FIDELITY project results will hence have an important impact on the ePassport security and integrity, which is recognised as a key issue: “The integrity of passports and other travel documents is a key component of national and international anti-crime and anti-terrorism strategies. Because travel documents can be powerful tools in the hands of criminals or terrorists, controlling the security of a country’s travel document and its issuance processes directly impacts not only national and international security but also international respect for the integrity of the document.”

Furthermore, ePassports are not only used for traveling but are often also used for other operations that require identification of the holder, such as opening bank accounts, supporting financial transactions, or accessing governmental services and benefits. A more secure ePassport will hence also have an impact in various other public and private applications, in which fake identities can generate important financial losses.

A secure and trusted ePassport is also a certificate for EU citizens abroad. The February 2010 events in Dubai demonstrated to the whole world that authentic European passports could be issued based on fake breeder documents. Improvement of the full ePassport cycle is a must to offer EU citizens the expected consideration around the world.

Improvement of ePassport usability

• More efficient ID checks at borders

FIDELITY provided technical solutions that increase speed and reliability of ID checks. The impact for ID checks at borders will be a more fluid treatment of passengers, especially at airports. Today’s technical solutions leave the border guard the choice, based on subjective observations, between more thorough but time-consuming ID checks, or fast but limited ones. FIDELITY will allow processing the “standard” traveller rapidly, and provide ID elements ranking indicators as advice to the border guard for checks that require a more rigorous control. FIDELITY will hence render the ID checks more fluid whilst leaving the border guard more time for ID checks that merit special attention.

Furthermore, FIDELITY demonstrated advanced mobile terminals, i.e. solutions for ePassport based ID checks with capabilities similar to those of the permanent border control devices, for mobile border ID controls.

• Better analysis of migration flows across borders

Passports are used by border and immigration authorities “...to help determine admissibility and legitimacy of travellers who wish to cross international borders and enter another country’s territory. They are also used by the issuing nation to grant re-entry into the country. The passport enables the holder to apply for a visa for those countries that require it upon entry, and allows the authority to annotate the passport, and record entry and exit dates.”

The impact of more reliable ID checks at borders, and enhanced interactivity with travellers’ information related data bases provided by FIDELITY, will be that the immigration authorities will obtain more reliable information about movements of immigrants and therefore will be in position for a better analysis of migration flows.

FIDELITY integrated query mechanisms on alpha numerical data as well as on biometrics data. These queries were designed to provide fast and accurate feedback to welcome travellers in a convenient process. Visa applicants will benefit from previous data recording for facilitating “bona fide” considerations. Also, smooth, accurate and reliable entry systems will promote deployment of the mirror “exit” system.

Indeed, by providing technical solutions that allow establishing fast and reliable ID checks at borders, FIDELITY made an important contribution towards the implementation of systems such as E/E records, and solutions to generate representative figures that enable analysis of migration flows.

• Better analysis of criminal and terrorist movements across borders
FIDELITY innovative ePassport solutions will contribute to hinder criminal and terrorist operations across borders. Organised crime and terrorists require fake travel documents - the more secure travel documents are the more difficult it is for them to operate:
“In criminal hands, travel documents can be misused in an organized way to fund illicit activities, facilitate illegal migration, people smuggling and trafficking of humans, goods, or narcotics. A fraudulent passport can be used for espionage, financial crimes, flight to avoid prosecution or to facilitate other crimes. Such documents can also enable terrorists to travel - to recruit, network, mobilize, finance and organize internationally. Without the ability to travel freely that a travel document allows, terrorists can be impeded, localized, have their finances minimized and possibly even ‘quarantined.’ Consequently, their reach and impact is impaired. In effect, a passport, or other travel document, may be the security measure that prevents terrorists from reaching their target.”

Impact on the European citizen and the society

• Contribute to protecting society against crime and terrorism

As mentioned above, more efficient border ID checks will hinder movements of criminals and terrorists and hence contribute to reduce the potential exposure of the citizen. But another type of crime is steadily increasing that has a potentially very bad impact for a citizen and increasing cost for the society: identity theft. According to the “CREDOC”, identity theft has become the most frequent crime in France (210,000 cases in 2008) before robbery (153,000 cases) and car theft (130,000). (18)

FIDELITY increases the reliability of electronic identity documents and thereby contributes to hindering terrorist and criminal acts based on impersonated identities.

• Improvement of ePassport holder’s privacy

Europe has a very strong privacy culture. “The respect of privacy and civil liberties is a guiding principle throughout the theme. All individual projects must meet the requirements of fundamental rights, including the protection of personal data, and comply with EU law in that regard”.

FIDELITY enables more efficient ePassport solutions, and at the same time a stronger respect of the privacy of the ePassport holder. On one hand, FIDELITY will address weaknesses of the current ePassport implementation that can present security threats. On the other hand, FIDELITY will apply privacy by design principles for the developed alternative technical solutions and demonstrate how privacy enhancing technologies (PET) can be implemented in the ePassport domain.

FIDELITY addresses the protection of citizens’ biometric data from issuing to verification stage. Indeed, this important ID component must be protected to establish trusted identity.

Mechanisms are considered at the issuing (or re-issuing) stage, at the verification stage and also at the revocation stage (either at the end of validity or before in case of unattended access). For a proper understanding of the ethical and fundamental rights at stake, being refined in regulations and case law, FIDELITY brings in relevant legal, ethical and societal expertise to guarantee the coherence and dialogue between technical developments and privacy and data protection rights of the citizens.

• More user-friendly ID checks at borders

FIDELITY opens the way to more efficient and faster border check solutions, which will have an impact on the quality of life for the traveller, who will be able to spend less time queuing up at borders and especially at airports. Biometrics “on the fly” sensors enable the implementation of ABC (Automatic Border Control) solutions in which ID of travellers can be checked on the move.

FIDELITY proposes innovative trusted architectures to speed up access to ePassport biometrics data and at the same time to reinforce the security of the overall process. Travellers will therefore no longer be victims of discrepancies of the system, which currently is supposed to benefit from a harmonised distribution of keys under a unified infrastructure.

Strengthen the competitiveness of the European security

The Security work programme 2011 mentions that one of the objectives of the programme is to “improve the competitiveness of the European security industry”. The ePassport market provides huge international business opportunities corresponding to hundreds of millions of ePassport units and tens of thousands of ID inspection equipment. Innovation in this field is key for market players as regards the expansion of their business activity. A market study published in “Biometric Technology Today” shows that the developments proposed in the FIDELITY project meet precisely the forecasted market trends:

"As adoption rates indicate, ePassport deployment will reach a sustainable level of maturity over the next few years [...] With these documents in place, the focus shifts to developing a highly secure, truly interoperable international border infrastructure that incorporates fast and reliable ePassport authentication and biometric verification driving continued growth of the ePassport market ecosystem. [...] In addition ePassports and associated enrolment, verification, and authentication equipment will be continually updated and upgraded [...] Given the speed of technology innovation, the need to engineer ahead of security breaches, and the wear and tear on these human interfacing technologies, accelerated replacement cycles will provide on-going market opportunities".

European companies and researchers are renowned at the international level for their knowhow in the IT security field, in biometrics, and eID management solutions. Also, the European Union is recognised as the most innovative region in the world as regards biometric ePassports and associated implementation of strong secured rules which enforce privacy rights. FIDELITY helped the European security industry and security research community to strengthen their competitive position.

FIDELITY also helped to strengthen the influence of Europe in organisations like ICAO by providing a strong innovation proposal force, and by demonstrating an alternative approach for the introduction of mass deployed ICT solutions: in the past, the introduction of electronic and biometrics features in travel documents was carried out with too little consideration of privacy issues and usability. FIDELITY included thorough studies of legal, ethical and sociological aspects related to the introduction of new ePassport features, and promotes solutions that respect sound ethical rules and acceptability for the users.

Steps to bring about this impact

FIDELITY delivered demonstrators, related legal, ethical and sociological studies and recommendations for the implementation of the proposed solutions. The adoption of these results will now depend on the organisations that are in charge of providing recommendations for the implementation of ePassport standards and border control processes, and of course, ultimately, on the European Union institutions and the MS governments.
FIDELITY will facilitate the adoption of the developed results by:

• A modular approach for the various developments: The main developments and recommendations have been conceived as self-standing modules, each addressing identified shortcomings in the security and usability of eTravel documents. This modular approach allows stakeholders to adopt all or parts of the solutions proposed by FIDELITY. For example, FIDELITY developed two solutions for rendering the ePassport issuance process more secure: authenticable breeder documents and duplicate enrolment check. It will be possible to adopt only one or both of the proposed solutions, or both, but with a different time frame. The other developments rely on the same principle.
• Early cooperation with organisations like ICAO: the consortium partners are active members of the ICAO NTWG and these experts of outstanding reputation have promoted and will continue to promote FIDELITY technical solutions and recommendations in these bodies.
• Active dissemination of information

A typical scenario for the steps from project results to deployment could be as follows:

• For the ePassport at the international level: adoption of technical improvements by ICAO
• For the European ePassport: adoption of more efficient trusted architectures by European inter-governmental groups (e.g. “Article 6 group” with the support of BIG)
• For the ePassport issuance: the decisions are taken at the MS level to implement improved ePassport issuance processes
• For the inspection devices, including biometric sensors: commercial solutions are developed and proposed to the target markets / applications / users.

List of Websites:
FIDELITY project partners
MORPHO, Safran Group (MPH), FR
Gjøvik University College (GUC), NO
Bundeskriminalamt (BKA), DE
Ministère de l'Intérieur, de l’Outre-Mer et des Collectivités Territoriales (FMI), FR
Hochschule Darmstadt (HDA), DE
Fraunhofer Gesellschaft zur Förderung der angewandten Forschung e.V (IGD), DE
Alma Mater Studiorum – Università di Bologna (UBO), IT
Thales Communications & Security (TCS), FR
Finmeccanica/Leonardo, IT
Central Directorate for Immigration and Border Police (INT), IT
Katholieke Universiteit Leuven (KUL), BE
Bundesdruckerei GmbH (BDR), DE
Swedish Defence Research Agency (FOI), SE
Biometrika (BIO), IT
Institute of Baltic Studies (IBS), EE
Centre for Applied Ethics – Linköping University (LiU), SE
ARTTIC (ART), FR
The Dutch Ministry of Security and Justice (IND), NL
Contact details

11, Boulevard Gallieni
92130 Issy-les-Moulineaux, France
Sébastien BRANGOULO, PhD
Programme Manager, DTS
Office: + 33 (0)1 58 11 87 29
Fax: + 33 (0)1 58 11 87 01
Email: sebastien.brangoulo@safrangroup.com

FIDELITY project public website
The FIDELITY public website is located at the URL: http://www.fidelity-project.eu/

Contact

Sandra CANTON, (Programme Manager)
Tel.: +33 1 30 20 30 53

Subjects

Security
Record Number: 196925 / Last updated on: 2017-04-06