Modern passports can contain up to three biometric modalities.
Faces are used in every passport. In addition to being printed on the biographic page, face images are often embedded in an electronic chip. This chip dissuades fraud by allowing for a comparison of the printed image with the image submitted during the issuance process. The faces contained in passport chips are not protected with any form of encryption – they are freely available through a standard interface accessed through the Machine Readable Zone (MRZ).
Many countries now embed fingerprint images in their passport chips, and a select few use iris as well. Unlike the face images, however, fingerprints and irises are closely guarded through an International Civil Aviation Organization (ICAO) system called Extended Access Control (EAC). In a nutshell, EAC requires a certificate from the issuing country (and in many cases, the specific government agency) to verify the chip before the contents can be unlocked.
There is an ICAO mechanism for countries to share their certificates, yet the reality is that very few countries use it, essentially negating the value of passport biometrics. A select group of European Union countries are tentatively moving in the direction of sharing their certificates with each other, but the political will to do so is fragile. In addition to EAC protections, certain countries even delete the original fingerprint or iris image after personalization so it remains only on the passport and not in a government database.
“Hard” and “soft” biometrics
The (perhaps inevitable) result of this unequal accessibility of biometrics is that face images are commonly matched against passport data at border crossings, while fingerprints and irises are not. (Countries which currently collect fingerprints and irises at their borders are using them to compare against existing holdings and previous encounters, not against the passport itself.)
Up to now, this dichotomy made a certain kind of sense. Faces, it was argued, are not only publicly available by their very nature but also difficult to reliably match. Most civil and criminal databases contained images which were non-standard and not viable for electronic comparisons. Images scanned from passports often contain watermarks which make matching difficult. As a “soft” biometric, there was little concern that a person’s privacy would be violated through a face search.
Fingerprints and irises, however, are collected specifically for matching. Since they are difficult to capture passively and known to be extremely accurate for identification, these biometrics are held to a different privacy standard. By categorizing fingerprints and irises as “hard” biometrics, their usefulness was effectively blunted through restrictive access control measures.
The changing calculus
Emerging technologies and practices are starting to erode the logic behind this separation, however.
On the technology side, face matching technology has advanced considerably in recent years. With a pristine, ICAO-standard passport image as an exemplar, today’s face recognition engines can reliably pick individuals out of a gallery even in sub-optimal conditions. The quality of facial images in criminal and terrorist databases has also improved, increasing match reliability.
Governments are further increasing the reliability of face matching through targeted searches. By narrowing down the gallery to the size of a flight manifest, the known challenges of face matching can be dramatically reduced. Pioneered in Australia, the United States recently announced that it would use this concept of operations for its biometric exit program.
This gradual transformation of face into a “hard” biometric is creating a double standard for face and iris. ICAO continues to protect fingerprints and irises through the EAC mechanism. In the meantime, facial images are made freely available, even though ICAO’s baseline assumptions about the public nature of face images often no longer apply. As the only passport biometric which can be captured passively (or even clandestinely), face now poses a far more significant privacy threat.
As the civil liberty implications of this shift become more apparent, governments and societies will face a difficult choice. Either equally restrictive access controls can be applied to face as a “hard” biometric, or the constraints on fingerprints and irises can be eased. There are strong operational and public benefit reasons to create a level playing field, yet the political impulse to default towards stricter protections will be strong.
Whichever way the consensus ends up leading us, a realignment of policy and practice is increasingly necessary. Technology continues to deliver better match rates for every biometric modality. Fingerprint and iris are becoming easier to read, and may one day be collected almost as passively as faces. In this changing context, governments would be wise to reconsider the “hardness” or “softness” of any biometric.
Article by Ben Ball.