Analysis of Risks and Trends in Automated Border Control Executive Summary

Dmitry O. Gorodnichy Canada Border Services Agency

Prepared By: Canada Border Services Agency Science and Engineering Directorate Suite 210, 14 Colonnade Rd Ottawa, ON K1A 0L8

DRDC Project Number: CSSP-2013-CP-1020 Technical Authority: Paul Hubbard

Disclaimer: The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.

Contract Report DRDC-RDDC-2016-C143 August 2015

© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015

© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015

Science and Engineering Directorate Border Technology Division Division Report 2015 – 17 (TR) August 2015 ART in ABC: Analysis of Risks and Trends in Automated Border Control CSSP-2013-CP-1020 study Executive Summary Dmitry O. Gorodnichy

2

Version #: 1.0 Action Name Date Prepared By Dmitry Gorodnichy 2015-07-22 Reviewed By Phil Lightfoot 2015-07-30 Revised By Dmitry Gorodnichy 2015-08-10 Reviewed By Phil Lightfoot 2015-08-18 Final Version Dmitry Gorodnichy 2015-09-17 © Her Majesty the Queen in Right of Canada, as represented by the Minister of Public Safety, 2015 © Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Sécurité publique Canada, 2015

3

Abstract

This report presents the executive summary of the Border Technology Division Report 2015-11 “ART in ABC: Analysis of Risks and Trends in Automated Border Control", which was prepared for the “Risk analysis of face and iris biometrics in border/access control applications" (CSSP-2013-CP-1020) study conducted by the Canada Border Services Agency in partnership with the University of Calgary through support from the Defence Research and Development Canada, Canadian Safety and Security Program (CSSP). This study relates directly to the technologies that apply to e-passport-based gate systems and iris-recognition-based registered traveller programs such as NEXUS. It also contributes to the development of a new generation of automated border control (ABC) systems and processes that are currently being developed by many countries, including Canada. The summarized outcomes include: establishing the terminology, metrics and tools for describing and analyzing ABC systems, analysis of issues with currently deployed systems, and investigation into further development of ABC and other traveller screening technologies within a larger e-border process that deals with automation of traveller clearance at the border.

4

Acknowledgments This work was done under the funding from the Canadian Safety and Security Program (CSSP) managed by the Defence Research and Development Canada, Centre for Security Science (DRDC-CSS), in partnership with the Biometric Technologies Laboratory of the University of Calgary and with the feedback from the Research and Development Unit of the European Agency for the Management of Operational Cooperation at the External Borders (Frontex).

Disclaimer

In no way do the results presented in this paper imply recommendation or endorsement by the Canada Border Services Agency (CBSA), nor do they imply that the products and equipment identified are necessarily the best available for the purpose. For the purpose of this study, the term ABC does not refer to the CBSA's Automated Border Clearance program and is used solely in reference to a general automated border control system that performs automated clearance of travellers at the border.

5

Study overview

In 2013 the Canada Border Services Agency (CBSA), through support from the Defence Research and Development Canada (DRDC) Canadian Safety and Security Program (CSSP) and partnership with the Biometric Technology Laboratory of the University of Calgary, established the “Risk analysis of face and iris biometrics in border/access control applications" (CSSP-2013-CP-1020) study, later re-named the “ART in ABC" study.

This study is directly related to automated border control (ABC) technologies that enable seamless and fully automated authentication, screening and clearance of travellers at the border, in particular, the technologies that apply to e-passport-based gate systems and iris-based registered traveller programs such as NEXUS.

The study also contributes to the development of a new generation of ABC systems and processes that are currently being developed by many countries, including Canada. The study name (“ART in ABC") is thus crafted to signify both the state of art and analysis of risks in trends in ABC.

Scope and objectives

The work is structured along three complementary dimensions that define the use of biometric-enabled ABC systems:

Technology performance issues; Technology deployment (compatibility, implementation, post-deployment issues); and CELP (Cultural, Ethical, Legal, Privacy) issues.

with the objective to generate critical knowledge for the Government of Canada (GoC) related to the use of iris and face biometrics for ABC applications. Specific tasks included:

Performing subject-based analysis of iris and face biometric recognition performance; Identifying applicable techniques related to the use of the biometrics in ABC applications; Conducting benefit-risk analysis for existing e-gate systems; Developing taxonomies and recommendations that can be used by GoC stakeholders in

decision making related to the deployment of ABC systems in Canada; Developing protocols, recommendations and metrics for testing and deploying ABC systems; Developing recommendations on the usage of face and iris biometrics to mitigate risks to

security; Addressing the programs/policy/standards/recommendations component related to use of

biometrics by the GoC, through leveraging the GoC inter-departmental network, and Contributing to the development of the International Standards Organization (ISO) standards

related to the vulnerabilities of biometrics systems and ABC.

The results of the analysis conducted within the study are summarized in the current report. It is built on earlier study publications, as well as additional Contractor Reports from the University of Calgary, and presents the final outcomes of the study.

6

Key outcomes

In the following the key outcomes of the study are summarized, according to the structure of the full report (Border Technology Division Report 2015-11).

Chapter 1: Border control context.

Analysis of the international and Canadian context with respect to the use of current and future traveller clearance technologies clearly demonstrates a high interest in and need for ABC technologies on a global and local scale. In an effort to leverage different types of border clearance technologies for more efficient and secure processing of travellers, many countries and international organizations, including the International Air Transport Association (IATA), the International Civil Aviation Organization (ICAO) and the European Agency for the Management of Operational Cooperation at the External Borders (Frontex), are in process of developing visions and strategies related to the border of the future. A scan of international border programs and initiatives, including Entry-Exit programs, and the Border of the Future roadmap developed by IATA, is presented.

Biometric-capable technologies in Canada. By examining current infrastructure used in Canadian airports to process air travellers, it is recognized that, in addition to manual processing of travellers by border officers, six technologies that are using or capable of using biometric authentication of travellers are currently available in airports:

1. Nexus Trusted Traveller Program (TTP) 2. Temporary Resident Biometrics Program (TRBP) 3. Automated Border Clearance self-service kiosks 4. Biometric-enabled e-passports 5. Airline self-service check-in kiosks 6. Video surveillance technology

These technologies have overlapping functions, all employing (or able to employ) traveller biometric

data. This provides opportunities for optimization and enhancement of the overall traveller experience and clearance process.

Schematics of the Air Traveller Continuum. The development of automated border solutions is most recognized for the air mode of transportation or within so-called Air Traveller Continuum. The schematic of the Air Traveller Continuum has been introduced, within which eight distinct stages are recognized, each with its own layout and capacity for traveller screening and risk assessment. This schematic, shown in Figure 1, becomes the starting point for the discussion and analysis of the study.

Critical Observation Many countries, including Canada, are actively working on modernizing their borders through the use of automated border control and other e-border traveller screening technologies. To assist countries in these efforts, IATA, ICAO and Frontex have developed a strategic vision for border crossing automation, the rationality of which is confirmed and leveraged in this study. For agencies seeking knowledge-driven decisions related to border modernization, partnership with Frontex’s Research and Development Unit is recommended.

7

Figure 1: The schematics of the Air Traveller Continuum developed by the CBSA within the study: Eight zones are defined, each with its own layout and capacity for deploying e-border technologies, aimed at accumulating information about a traveller related to two main traveller clearance tasks (traveller authentication and risk assessment), as he or she moves along the continuum. Presently deployed e-border technologies are shown in red: self-service APC/ABC kiosks in Zone (5), biometric-enabled gates in Zone (6), and Entry-Exit kiosks in Zone (2). It is only after Zone (6) that travellers' identity is considered to be known.

Chapter 2: Definitions and terminology.

The study has identified five technical domains of expertise that are required for the analysis of ABC systems. They are:

1. E-border technologies (components of e-border, e-passport, e-gate, databases, logistics, etc.), 2. Biometrics (face / iris recognition, biometric performance metrics, biometric standards, etc.), 3. Traveller risk assessment (statistical surveillance, risk-based processing, data-mining, etc.), 4. Complex systems management (large-scale systems, cost and benefit analysis, system

modeling, etc.), 5. Training of personnel (training facilities, training automation, training scenarios, etc.).

The key concepts from these domains are summarized in the full report. Of a particular importance to this study are the concepts of “authentication" and “biometrics", which are extended from the traditional use of these terms, as defined by ISO and currently used by industry, to include incremental evidence-based authentication of travellers in scenarios when a person's identity and trust is established through the entire travel process.

The very concept of ABC, Automated Border Control, is re-examined to highlight the fact that it refers not only to (1) automation in traveller authentication (as in e-gates in the EU or NEXUS iris kiosks) and (2) automation in customs declaration tasks (as in self-service APC kiosks), but also to (3) automation in traveller screening and risk assessment. Furthermore, it is indicated that these automated tasks can (and ideally, should) be done at the same time, at the same location and at the

8

same kiosk/gate, provided that the kiosk/gate is equipped with proper sensors and algorithms. In doing so, the same biometric sensors, such as video, audio, weight / temperature / heat sensors, can be used to perform two types of biometric recognition: a) for traveller authentication - by matching his/her biometric measurements to those corresponding to a particular person (classic definition of biometrics), and b) for traveller risk assessment - by matching his/her biometric measurements to those normally expressed by stressed individuals (extended definition of biometrics, considered in this study).

Critical Observation The term “e-border" refers to the infrastructure for automated border control and management, specifically for the air mode of transportation, or within the so called Air Traveller Continuum (Figure 1). The key task of the e-border is to expedite the traveller's passage and improve border security through automation of the traveller clearance process, which includes the automation of two traveller clearance functions:

Traveller authentication (answers the question “Who are you?"), and Traveller risk assessment (answers the question “What is your risk factor?")

Additionally, the e-border may also deal with automation of other border control processes, such as data collection, luggage screening, customs declaration and duty/tax payments.

Critical Observation Biometric terms were originally developed for applications such as physical security and forensics, where the number of processed subjects is limited and controlled. When applied to more complex applications, such as automated border control or video-surveillance, where a flow of subjects is very high and subjects are not known in advance, these terms are found to be insufficient. - "Authentication" is no longer a single checkpoint act, but rather a process of accumulating the evidence over the entire traveller continuum. “Biometric recognition" also includes recognition of person's state (emotion, stress, health condition) and type (gender, age, race). Recognition of a traveller in a traveller continuum is always coupled with his/her risk assessment and trust. In addition, besides biometrics, cybermetric* is becoming very important for authentication of travellers. * Cybermetric is technology to identify a person from his/her interactions and circle of friends in social networks, such as Facebook or Google+ (adopted from N. Melnikov et al. “Cybermetrics: User Identification through Network Flow Analysis". 2010)

Critical Observation In the context of this study, Automated Border Clearance (ABC) kiosks used by the CBSA, also known as Automated Passport Control (APC) kiosks in the USA, are not called ABC machines, since they do not perform authentication of travellers. Instead they are classified as automated queuing and self-service technology (e-border Component IV). They however are critical to the e-border infrastructure, as they provide the foundation for further build-up of automated technology, including: interview supporting and behaviour screening technology (e-border Component III) and biometric-based traveller authentication and clearance, thus becoming a true ABC machine (e-border Component V).

9

Figure 2: Conceptual diagram of the evolution of biometric-enabled ABC systems in the technology-vs-human factors space. The number of technology factors, related to biometrics (blue) and especially related to non-biometrics (yellow), grows with every ABC generation. The number of human factors grows similarly: controlled factors (green) and especially uncontrolled factors (red).The need for different performance metrics and evaluation tools for each new generation of ABC is highlighted.

Chapter 3: Evolution and categorization of ABC.

Even though biometric-enabled border control came as a result and a natural extension of the success of biometric-enabled access control, these two applications are critically different from each other. It is important to highlight these differences so that better methodologies and practices can be developed for ABC, while making use of the already existing ones already developed for access control applications. These differences, described in terms of shifts in their functionality and the human-machine interaction procedures, include (see Figure 2):

Shift from habituated to non-habituated users, many of whom will not know or may forget how to use the system, because they use it infrequently (only when travel), and the system may look different in each airport;

Shift towards additional human factors, when travellers are preoccupied by many other travel-related tasks and challenges (finding the way in an unknown place, under time pressure, jet-lag, etc.) and are therefore under additional stress and fatigue;

Shift from a limited set of known users to a potentially unlimited flow of unknown users, some of whom may be high risk travellers who will intentionally attempt to defeat the system (non-zero effort attack), and some may cause the system to malfunction due to misunderstanding or a physiological condition (zero-effort attack);

10

Shift from biometric component only to a higher number of components and supporting technologies, each of which may malfunction with certain degree of probability;

Shift from fully-automated to semi-automated operation, when the final admissibility decision is made by an officer based on the recommendations provided by the machine, which highlights the need for developing ABC personnel training;

Shift from controlled to semi-controlled environment, controlled by separate parties (airport authorities, transportation security, customs/border control), which have different and sometimes conflicting objectives of operating the ABC system and which may result in sub-optimal configuration of ABC systems (e.g., poor light or location);

Shift from non-attended to attended users, who are observed and guided by border officers, as opposed to unattended users in access control applications.

Besides highlighting the increase in the number of factors affecting the system performance, this list of shifts in evolution of ABC from access control to multi-component e-border systems allows one to define three distinct ABC generations:

Gen-1 ABC (RTP-based): The first generation of ABC are biometrics-enabled kiosk systems deployed for Registered Traveller Programs (RTP), such as Canada's NEXUS and the UK's IRIS, which process pre-cleared RTP members. The definitions and analysis of such systems were introduced by IATA1.

Gen-2 ABC (ePassport-based): The second generation of ABC are biometrics-enabled e-gate systems that process travellers with biometric e-ID / e-passports. The definitions and analysis of such systems have been best developed by Frontex2. Gen-3 ABC (eBorder-based): The third generation of ABC is the concept of the next-generation system that is being developed by many countries in support of the e-border process of the future. The development and analysis of Gen-3 ABC systems requires understanding of the entire e-border process and all traveller screening, authentication and supporting technologies that can be deployed at the border.

It is noted that there exists an alternative ABC categorization developed by Acuity Market

Intelligence3, which classifies ABC systems by design, rather than according to the technology evolution. Such categorization however is shown to be suboptimal as it may lead to erroneous interpretations and forecasting related to ABC deployment. In contrast, the categorization of ABC

1 IATA: Recommended Practice 1701 I, 2011, page 4. 2 Frontex: Best practice technical guidelines for automated border control (ABC) systems, Research and Development Unit, Warsaw, 2012. 3 Acuity Market Intelligence, The Global Automated Border Control Industry Report: Airport eGates and Kiosks, 2014.

Critical Observation In contrast to earlier generations, which were checkpoint solutions, Gen-3 ABC systems are continuum solutions. That is, they accumulate information about travellers as they advance through the Air Traveller Continuum, making the final admissibility decision based on all gathered intelligence. D. Gorodnichy et al., “Automated Border Control systems as part of e-Border crossing process". Proc. NIST International Biometrics Performance Conference (IBPC 2014), April, 2014.

11

systems developed in this study, as belonging to one of three generations, the third generation of which makes use the entire e-border infrastructure, not only provides a holistic evolutionary point of view of the border modernization process, but is consistent with the visions and roadmaps developed by Frontex4, ICAO5 and IATA6.

By examining the issues with the two earlier generations of ABC systems and establishing the key technological components, or Pillars, of e-border, the study puts forward the vision for the next-generation ABC.

Chapter 4: Analysis of issues with deployed systems.

The study examined the issues with deployed ABC systems, such as those that led to closing of the iris-recognition-based IRIS program in UK7 (Gen-1 ABC systems) and those that contributed to varying performance of face-recognition-based gates in EU (Gen-2 ABC systems). Historical data from the CBSA’s Nexus iris-recognition-based kiosks (Gen-1 ABC systems) were also analyzed. Related scientific literature was reviewed. Key “take-away” findings and conclusions from this analysis are summarized below.

High-level conclusions: By examining the performance of Gen-1 and Gen-2 ABC systems deployed in Europe, two critical conclusions are made:

1. A substantial percentage of rejects observed in those systems are due to factors other than those related to biometrics. For example, in the UK IRIS program, one out of ten travellers is reportedly sent to manual control (i.e., an Operational Reject Rate (ORR) equal to 10%), while the biometric False Reject Rate (FRR) is much lower than that (less than 2%). Similarly, EU e-gate systems based on face verification send to manual control approximately one in eight (ORR=%12), while the biometric FRR is close to 5%.

2. Because an ABC system is just one of many components in a complex semi-automated border crossing process, which deals with granting or denying the entry of a traveller to a country, any failure or risk related to the deficiency of the biometric recognition can be mitigated by other non-biometric means. It is therefore important to understand what a general e-border crossing process is and what role a biometric-enabled component plays there.

4 Frontex: ”Futures of Borders. A Forward Study of European Border Checks”, Research and Development Unit, Warsaw, December 2011. 5 ICAO: “Driving technology developments and innovation: Next generation screening. High level component research roadmap. Working paper”, Proc. High-Level Conf. on Aviation Security, Montreal, Sept, 2012. 6 IATA: Reveals checkpoint of the future, International Air Transport Association (IATA) 7 A. Palmer and C. Hurrey, “Ten reasons why IRIS needed 20:20 foresight: Some lessons for introducing biometric border control systems”. Proc. IEEE European Intelligence and Security Information Conf., 2012.

Critical Observation In UK IRIS kiosks, 1 in 10 travellers were reportedly rejected by the system. In Germany's EasyPASS e-gate systems, 1 in 8 travellers were rejected. More than half of these rejects were due to non-biometric reasons. Markus Nuppeney, BSI, ``Automated Border Control - state of play and latest developments''. Proc. NIST International Biometrics Performance Conference (IBPC 2014), April, 2014.

12

Factors affecting ABC performance: For developing ABC deployment strategies and performing cost-benefit analysis of ABC systems, which can be done using simulation tools, it is important to know all factors that influence ABC performance. The list of these factors is produced, taxonomized by two categories: human-related factors vs. machine-related factors, and controlled vs. uncontrolled. Some factors can be measured using quantitative metrics, whereas the others may only be described qualitatively.

Machine-related factors include: limitations of capture devices, matching algorithms, machine-human interfaces, ergonomics of the kiosk or e-gate, airport logistics and process flow, which can be controlled and potentially improved, as well as system component or supporting technology failure due to intentional or unintentional attack, which is not controlled.

Human-related factors include: those related to guidance and decision-making of border officers, which can be controlled, and those related to travellers such as traveller fatigue and other social, psychological, ethnic, cultural, religious, and geographical factors, which may not be controlled.

The factors that cannot be controlled can be predicted, and all of them should be taken into account when designing the system.

Subject-based performance analysis to address usability issues: The biometric FRR for both iris and face modalities is shown to vary drastically from one group of travellers to another. In order to improve the overall system performance, it is important to focus the system performance analysis on those travellers who experience problems with the system. This can be done using subject-based performance analysis.

Analysis of Nexus performance: Using historical anonymized iris data recorded by the CBSA from 2003 till 2014, the Science and Engineering Directorate has conducted subject-based performance analysis of the Nexus system. A result from this analysis is shown Table 1, which presents the statistics related to the number of travellers who experience difficulty using the system. In particular, it is shown that there existed a small percentage of travellers (

13

Another important observation made from this analysis is that the percentage of travellers who experience the difficulty is considerable smaller among those who used the system many times, compared to those who used it only a few times. This is an indication that many travellers may stop using the system, once experiencing the problem.

Table 1: The results from the subject-based performance analysis of the Nexus iris recognition system showing the percentage of travellers who experienced difficulty with the system. Key question remaining: do travellers become more experienced or do they stop using the system once experiencing a problem?

Times used the system >2 >4 >8 >16 >32 >64 >128 Number of travellers 383,463 287,472 196,573 119,538 61,332 24,383 6,530

Percentage who experienced difficulty 4.2% 2.4% 1.3% 0.8% 0.6% 0.3% 0.2%

The table shows the data only for those travellers who were recognized by the kiosks. The data about those travellers who were not recognized by the kiosks were not logged and therefore could only be estimated based on the other data. See full report for more details.

Sources of biometric recognition failure: Four key sources of risks related to the biometrics performance are: i) overall recognition limits of the modality, ii) robustness to spoofing, iii) stability over time (aging), iv) degradation related to travellers health / physiology conditions. Investigation into these risks for iris and face modalities has been conducted, with results summarized below.

Biometric recognition limits: Compared to iris, the face biometric has a worse False Accept Rate (FAR) by several orders of magnitude. Iris systems generally operate at a FAR of 1 in 100,000 (or 0.001%), while face systems operate at a FAR of 1 in 1000 (or 0.1%). At the above-stated FAR, the False Reject Rate (FRR) for face systems is also worse, compared to iris, and varies significantly from one group of travellers to another: ranging from 5% for the best-performing travellers to almost 20% for the worst-performing ones. The full report provides more analysis on the performance characteristics of both modalities.

Spoofing of faces and iris: Successful efforts in defeating face recognition systems in live ABC settings have been reported, including using face masks, make-ups8 and synthetically morphed images9. In contrast, iris systems are shown to be much harder to defeat, due to the dynamic nature of pupil (as it moves and dilates with light changes), which allows one to develop efficient techniques for liveness detection. At the same time, the use of specially designed lenses, which are printed with the iris pattern of another person, is still considered a threat for the iris system, even though no successful attack of this nature has been reported yet.

8Tabula Rasa (Trusted Biometrics under Spoofing Attacks) Spoofing Challenge 2013. 9 Matteo Ferrara, et al. ``The Magic Passport'', Proc. Int’l Joint Conf.on Biometrics (IJCB 2014), October 2014.

Critical Observation False Accept Rates that are reported for ABC systems refer to the likelihood that a system will accidentally recognize a traveller as someone else (so called “zero-effort attack”, as in a 1-to-N match against a watch-list database). They do not refer to the ability of the system to resist an intentional effort to defeat the system (so called “non-zero effort attack”, as in spoofing by using a make-up or a face mask).

14

Multi-modal fusion: Because of the inferior recognition capability of the face modality, the use of iris and fingerprint, which are two other modalities allowed by ICAO in e-passports, is actively considered. The combined use of these modalities is shown to considerably reduce false reject rates.

Aging of faces and iris: By analyzing the results obtained by NIST researchers on the CBSA Nexus iris scores, who claim that iris does not age10, the counterarguments from the researchers of the University of Notre Dame, who claim the opposite11, and our own results obtained on the same dataset12, the conclusion is made that iris does age, however significantly less than face13. Most importantly, iris aging, which is displayed in a weaker ability of pupils to dilate, can be efficiently rectified algorithmically by iris recognition software. This is in contrast to faces, for which no age-rectifying face recognition algorithm exists at the moment. As a result, face images need to be re-enrolled every 10 years (some countries do it every 5 years), whereas iris has been accepted as the best modality for breeder documents, i.e., the modality that can be used the longest throughout the life-time of a person.

Future of iris: Overall, iris modality is demonstrated to have the highest capacity for further recognition improvement, to be least affected by a person’s life/work conditions and less vulnerable to spoofing. It is also the easiest to analyze and implement, thanks to expired patents that were previously hindering research and development in iris recognition. At the same time, iris images are not used in social media and forensic infrastructure, where faces and fingerprints are used. For this reason, the iris modality has not been actively considered for future ABC applications so far. However, as underscored by this study, due to facts that: a) iris is being chosen as a preferred modality for national ID programs in several countries, b) it can be captured at the same time as faces, and c) multi-modal fusion will reduce

10 P. Grother, J. R. Matey, E. Tabassi, G. W. Quinn, M. Chumakov, “IREX VI: Temporal Stability of Iris Recognition Accuracy”, NIST Interagency Report 7948, Information Access Division National Institute of Standards and Technology (NIST), Jul 2013. 11 K. Bowyer and E. Ortiz, Making Sense of the IREX VI Report, Computer Vision Research Lab Technical Report, Dec 2013. 12 The data that was provided to NIST in 2012 for iris aging analysis is a subset of a larger dataset that has been collected by the CBSA from 2003 to 2014. 13 D. Gorodnichy and M. Chumakov, “Subject-based performance analysis of Nexus iris recognition system", CBSA Science and Engineering Division Report, in preparation, 2015.

Critical Observation The study has confirmed that the effect of travellers’ aging on iris recognition performance is practically not observed using contemporary iris recognition algorithms, which supports earlier findings from NIST. At the same time, it has been also highlighted that there other factors that affect iris performance such as the location of the kiosk and the time of the day of its operation.

Critical Observation The biometric false reject rate (FRR) of e-gates varies significantly: from 5% (for best-performing countries) to almost 20% (for worst-performing countries). Applying multi-modal biometrics (such as performing fingerprint recognition, when face recognition fails) improves FRR significantly. In a pilot conducted in Spain, multi-modal fusion reduced FRR from 12.23% to 3.72%. D. Cantarero, et al., “A multi-modal biometric fusion implementation for ABC Systems”, Proc. IEEE European Intelligence and Security Informatics Conf., 2013.

15

the FRR considerably, iris should still be considered as having high long-term potential for future ABC systems.

Policy-related issues: One of key challenges in ABC concerns optimizing and harmonizing the policies related to the use of ABC systems by people of different nationalities, ages and races. A number of projects have been launched in EU for this purpose, a survey of which is provided in the full report.

Chapter 5: Components of e-border.

Through a survey of the border clearance technologies used in the last two decades, the study has established five key e-border traveller screening components, or Pillars, that make automated border control possible and efficient. They are briefly described below, with more analysis of each of them provided in the report.

Critical Observation ICAO-compliant quality of facial images in e-passports (showing no smile or deviation from frontal view) is an important condition for successful operation of e-gates. However, enforcing it on young children and infants, who are not eligible to use e-gates anyway*, not only causes discontent among travellers (who may not be able to force the required expression/orientation from their young children), but also -- contrary to the original intent -- complicates the task of border officers (who will have to visually match a child to the picture that was taken under conditions that were not typical/convenient for the child). * Most countries require travellers to be of 18 years or older to use the e-gate, except for Australia and New Zealand, where the age requirement for using e-gate has been recently lowered to 12 years.

16

I: “Three-lane" risk-based processing: Divides travellers into the three risk categories: known high risk, known low risk and unknown risk. Division into “lanes" can be topological (i.e., separate lanes are for different risk categories) or logistical (when all travellers use the same physical lane, however are processed differently). It can also be accelerated by the traveller (when a traveller has a choice of using a special lane). Efficient implementation of the “three-lane" risk-based processing remains one of the unresolved and highly demanded problems of border control. At the same time, it is widely used in a simplified “two-lane” configuration with trusted/registered travellers programs.

II: Non-automated behavior screening and interviewing: Border officers attempt to recognize terrorists and persons with malicious intentions among travellers through observation and interviews. The assumption is that people convey emotions through unconscious gestures and facial expressions which can be detected by trained officers.

III: Automated behavior screening and interviewing technologies: Automates the interview process and analysis of travellers risk factor through a combination of 1) a computerized expert dialog system, which generates questions and processes responses from travellers, and 2) remote biometric multi-modal sensors capable of inconspicuously analyzing the traveller's emotion and level of stress during the interview through his/her facial expression, voice, body/eye movement, pupil dilation, temperature, heart rate, etc. A critical example of this component is the AVATAR technology, developed by the University of Arizona under the funding from BORDERS (US National Center for Border Security and Immigration) and CITeR (Center for Identification Technology Research, National Science Foundation (NSF) Industry/University Cooperative Research Center). One of recommendations of the study is to further investigate this technology in partnership with CITeR, University of Arizona, and Frontex, in order to introduce it to the Canadian border control context. It is suggested that automatically generated interview questions for ABC be researched in the following order of increasing complexity:

Static: based solely on the traveller’s perceived risk factor, Dynamic: based on the traveller’s responses to the questions, Dynamic with traditional biometric characteristics: based on biometric characteristics

currently collectable in ABC (namely, static and video facial and iris images), and finally, Dynamic with non-traditional biometric characteristics: based on other biometric

characteristics that can be measured at distance with additional sensors (such as heat, pulse rate, etc.).

Critical Observation The efficiency of manual behavior screening is sometimes put in question, as it may often lead to wrong decisions, in particular due to human error with respect to individuals who have anxiety or other mental health conditions, the percentage of which is estimated at 5%-20% of the household population (according to Canadian Mental Health Association) and particularly when applied to travellers from unfamiliar cultural backgrounds and who are already under stress due to travel-related challenges. Computerized recognition of traveller behaviour indicators may i) reduce the percentage of false alarms, ii) alleviate the “human bias”, and iii) allow affordable scalability of screening solutions.

17

In doing that, questions related to a person’s hidden intentions (behavior screening) can be integrated with those related to medical screening and language interpretation, which are two other control functions that need to be done at the border.

IV: Automated queuing and self-service technology: Delegates the upstream low-intelligence border control functions (such as collection of customs declaration and passport data, performing name check against databases) to machines, while leaving the downstream control high-intelligence functions (such as authentication and risk assessment) to border officers, who make decisions based on collected data. The key examples are the self-service APC/ABC kiosks deployed in major US airports and three Canadian airports (Vancouver, Toronto, Montreal). Another example is the advance self-reporting systems used in EU for land crossing.

V: Biometric-enabled authentication and clearance of travellers, commonly referred to as Automated Border Control (ABC) systems: Perform automated authentication of travellers followed by automated clearance decision. Includes RTP-based Gen-1 ABC system (such as NEXUS), eID/e-passport-based Gen-2 ABC system (such as SmartGates in Australia, EasyGates in EU etc), and next-generation Gen-3 ABC systems, which will rely on the entire Air Traveller Continuum e-border infrastructure. This is the top component of the e-border functional hierarchy, which potentially may include other e-border components.

It is highlighted that ABC technology will only be efficient if it is a part of the e-border infrastructure and integrates the following supporting technologies: Radio Frequency Identification (RFID), Machine Readable Travel Documents (MRTD) and Optical Character Recognition (OCR), e-passports/e-IDs, video-surveillance (CCTV) and traveller pre-screening programs. Pre-screening (or also known as statistical surveillance) of travellers is assumed by default in all e-border screening technologies and is one of the most critical supporting components of e-border. An overview of pre-screening programs is provided.

Chapter 6: Metrics and tools.

A part of the study was dedicated to researching and establishing the tools for further analysis and deployment of ABC systems. These are summarized below.

Performance metrics. Performance of a biometric-enabled access control system can be evaluated using biometric performance metrics defined by the ISO Special Committee on Biometrics (SC-37), such as False/True Match Rates. However, the use of such metrics for biometric-enabled ABC systems is shown to be insufficient. As a complex multi-component system working within a larger e-border infrastructure, ABC systems need to be evaluated by means of the concepts used in evaluation and management of complex systems, which take into account all system components and factors and their relationship with each other.

Critical Observation It is envisaged that Automated Border Control (ABC) systems will converge to a single all-in-one multi-component globally-connected user-centred system (in the form of a kiosk, e-gate or a combination of both) that will automate all traveller clearance tasks: lower intelligence tasks such as those performed by APC kiosks (Component IV) and higher intelligence tasks such as traveller authentication via biometric authentication (Component V) and traveller risk assessment with automated behavior screening and interviewing technologies (Component IV).

18

There are three key top-level metrics that are used for describing ABC systems: Border Wait Time (BWT), Throughput Rate, and Operational Rejection Rate (ORR). Using the above metrics the performance of the system needs to be defined and optimized along three performance dimensions: Facilitation, Security and Cost. In addition, following the IEC 60300 standards for complex system dependability management, the performance of the ABC system is defined in terms of the ability of the system to perform its intended border clearance functions along three key performance categories: Reliability Performance, Maintainability Performance, and Maintenance Support Performance. The relationship between needs and metrics constitutes a key part in ABC deployment planning and procurement decisions.

The ultimate task for an agency interested in deploying an ABC system is to be able to develop technology specifications that would meet the agency business requirements. To assist with this task, the study has developed the list of operational requirements that should be consulted when developing the ABC specifications, based on the analysis of the ABC performance metrics presented above.

Technology Readiness Assessment of e-border components and supporting technologies. Any technological component, whether it is face / iris recognition on the move, AVATAR-like behaviour screening or border wait time estimation using video cameras, needs to be assessed for its deployment readiness prior to being considered for inclusion into a production ABC solution. The concept of Technology Readiness Level (TRL) has been adopted by many agencies for this purpose. Proper TRL assessment however may not be suitable for a wide community of users who may not have capacity or capability to conduct comprehensive TRL assessment. A light-weight alternative to the nine-point TRL assessment has been developed by the CBSA. Called PROVE-IT(x), where x is the name of the component, it uses a semaphore-like three-point scale to provide a practical means for preparing the recommendations related to the technology deployment and best investment opportunities. Using the PROVE-IT(x) assessment framework, the readiness of face recognition in video and video analytic technologies has been assessed. Similar assessment for other technologies is recommended.

Analysis via observation: Degraded performance metric. In addition to the performance metrics listed above that can be used for developing system specifications, a combined life-cycle system performance metric is introduced in this study called Degraded performance metric. It is motivated by the fact that the real operational performance of an ABC system is always and sometimes significantly less than its theoretical or expected performance. This phenomenon is attributed to the fact that, in such a large-scale, open-traffic applications as ABC, there are always factors that are not accounted for and that will degrade the performance of the system below the expected level. It is defined by three measuring points of the ABC life cycle: (a) Design phase (Theoretical or algorithmic limit of performance), (b) Prototyping phase (Predicted or lab-tested performance), and (c) Deployment phase (Operational or real performance of the deployed ABC machine), and is useful for both comparing the ABC systems and examining their potential, or capacity, for further improvement. Using a degraded performance metric, the ABC systems deployed in the EU are compared and it is shown that iris-based systems have the largest capacity for improvement.

Critical Observation A particular feature of the ABC system is that its real observed performance can be significantly worse than the one specified by operational requirements, because of the presence of the factors that are not accounted for. This needs to be taken in account when developing ABC specifications.

19

Analysis via modeling: simulation tools. Modeling is the methodology for providing a predictive measuring at any point/state of interest of e-border infrastructure, including the ABC machine and supporting technologies. Three levels of the ABC modeling tools are distinguished: 1st level tools such as Arena and Simio simulation software, which offer a general view of the border crossing process at a particular point and are used for resource allocation tasks. 2nd level tools such as the ExtendSim simulation software used by Frontex for cost-benefit analysis of ABC solutions in EU members, which allow one to incorporate probabilistic and qualitative factors into the model. Finally, 3rd level tools that allow one to model the entire Air Traveller Continuum process, based on all factors and e-border components and supporting technology that are employed throughout the continuum. Such tools are not developed yet, but the need for such tools is high. As a potential solution to this need, the University of Calgary researchers have proposed a tool called the e-Border Profiler, which is a modeling technique and software aimed at modeling (or profiling) the risks of any e-border solution at any of its states using various scientific techniques such as Bayesian networks, game theory, evidential theory, multi-agent simulation, etc. The PROVE-IT(x) technical readiness of this tool for operational needs at the present moment is estimated as “red” or not suitable for testing with real data. Categories for defining ABC deployment taxonomies. Another tool that has been proposed by the University of Calgary researchers relates to the description and analysis of ABC deployment scenarios. It is based on the work of Palmer14, which established over 200 generalized categories for the designing and evaluating automated personal identification mechanisms grouped according to the exhaustive list of notions that need to be consulted when deploying such mechanisms. The main of these are risk assessment and security architecture category groups. Other category groups include: cost forecasting, political considerations, regulatory constraints, legal imperatives and others. Using these generalized categories, one can define any ABC deployment scenario in a language that is understood by both system developers and border control stakeholders. An example of applying Palmer-developed quality categories specifications to the ABC context is shown using the requirements and recommendations for the ABC quality control developed by Frontex. Each defined ABC category identifies a vulnerability that can be exploited by terrorists to impose the damage to the ABC and e-border infrastructure. A summary of the ABC deployment categories that are vulnerable to cyber and hardware attacks is provided.

Chapter 7: Future outlook. The “ART in ABC” study put forward a vision for future ABC and a number of recommendations related to the above, which are summarized below. Implications of moving border control from a checkpoint to an air traveller continuum. The following consequences of expanding border control are identified:

Implications for the ABC concept (multi-function nature of ABC within the e-border): ABC will use the entire e-border infrastructure along the air traveller continuum; In addition to automation of traveller authentication, ABC will also include automation of traveller

risk assessment, Several border control functions will be combined in a single ABC unit, defining the final end-user

design of the system. These functions are:

14 A. Palmer, “Approach for selecting the most suitable most suitable Automated Personal Identification Mechanism (ASMSA)”, Computers and Security, vol. 10, 2010.

20

I. Identifying a persons’ identity (from iris, fingerprint and facial images), II. Validating whether he or she is in criminal databases, III. Performing customs declaration tasks (asking customs declaration questions and processing

travellers answers), IV. Behavior screening (detection of stress and hidden intentions) V. Medical screening (detection of disease symptoms, e.g., those of Ebola), VI. Language interpretation, and VII. Overall risk assessment, based on all the information obtained in mentioned above tasks.

The first three of these functions are already performed by the present ABC systems. The last four

are sought for future ABC systems.

Implications for the meaning and implementation of authentication (continuum-based identification): Traveller identification becomes an evidence accumulation process, rather than a single biometric

recognition act; all information gathered through different components and stages of e-border are used for traveller identification;

Traveller identification is always coupled with trust and risk assessment; Non-biometric-based identification, such as via cybermetrics, play increasingly large role in

identifying travellers before they arrive at a primary inspection line at the border. Implications for the meaning and implementation of biometrics: Biometrics characteristics, which a traveller provides to a border control system, may no longer be

used just for identity recognition, but also for establishing trust and risk assessment; In a border control context, the biometric characteristics of a traveller become important for

additional border control functions, such as recognition of travellers’ emotion, stress and heath condition.

Tools for developing and analyzing ABC systems. The following tools are recommended for consideration: List of ABC performance metrics for complex systems dependability management, including

Degraded performance metrics for measuring false reject rates; Simulation software, specifically high-level simulators capable of incorporating probabilistic models

of processes happening over a continuum; Light-weight PROVE-IT(x) technology readiness assessment framework for assessing the

readiness of e-border components and supporting technology; Palmer’s generalized categories for personal identification mechanisms.

Impact areas. The following areas are identified that are believed to produce the largest impact on the development of ABC technologies: Development of tools and policies for analyzing human factors and ergonomic issues. Development of tools and policies for automated risk assessment of travellers. Development of automated interview supporting and behaviour screening systems. Development of tools and policies for training ABC machine personnel. Development of tools for system risks prediction and mitigation. Development of additional standards to support ABC design and analysis.

21

Development of privacy preserving biometrically secured electronic documents. Development of tools for video-surveillance data mining and real-time alerting in airports.

Recommendations for deployment. The following two key practical recommendations for designing biometric-enabled ABC kiosks are made:

1. Eliminate or minimize as many as possible sources of risks (number of factors) affecting the performance of the system. Specifically:

Develop user-centred designs, e.g., automated adjustment of camera; Develop designs with users in the loop, e.g., use of mirror to allow users to improve the

performance of the system; Auto-illumination, auto-detection of possible process states: detection of motion, left luggage,

etc.

2. Perform biometric fusion, whenever possible:

Face and fingerprint: Travellers from several countries (France, Spain) have fingerprints in their e-passports in addition to the primary face modality. Allowing these travellers to scan their fingers in cases when their face recognition fails, will significantly decrease the operational reject rate of ABC systems;

Face and iris: Several countries (Brazil, UAE, India) have started using iris images for national ID programs. Iris can also be captured at the same time as face, and its recognition is much higher than that of faces. Travellers who will have their iris stored in e-passports /e-IDs will benefit from much better performance of ABC systems, should such systems be designed to allow capture and matching of both iris and face images.

In conclusion of the study, two main types of risks in border crossing automation are highlighted: i) the risk of over-simplification of the e-border concept, and ii) the risk of over-relying on the abilities of the ABC systems. It is recommended that critical decisions related to the future of e-border be made in partnership with researchers and organizations knowledgeable in all technical matters identified in this study, the list of which is provided in the full report.

Appendices Additional outcomes of the study are presented in the Appendices of the full report. These include:

A comprehensive bibliography categorized by the topics discussed in this report; A list of additional online resources; A summary of related projects funded by the European Commission and border modernization

efforts worldwide, including a future checkpoint roadmap developed by IATA.

They also include a number of technical supplements related to: Developing ISO standards for ABC technologies, including a glossary of new recommended

terms related to biometric-enabled ABC ; Subject-based performance analysis of the NEXUS iris biometric system; Analysis of recognition limitations of biometric modalities; and An overview of the light-weight TRL assessment framework that can be used for assessing the

readiness of various technological components of e-border and the updated TRL assessment results related to the use of video cameras in airports.

22

Presentation to Frontex

The outcomes of this study have been presented and discussed at the Global Conference on the Future of Border Checks (FoBC) organized by Frontex in Warsaw, Poland, on 17-18 June 2015. This presentation and the webcast of the discussion are available from the Frontex websites: http://btn.frontex.europa.eu/events/global-conference-future-border-checks-2015 and http://streamonline.biz/pages/frontex. The extended version of this presentation is included in the full report.

The Table of Content, List of Figures and Tables of the full report are provided below.

The “ART in ABC" study in numbers

240,000: ($) Funding provided by DRDC-CSS over two years. Over 200,000: ($) In-kind contribution in term of additional labour hours from all project

partners. Over 500: Publications reviewed. Over 50 terms reviewed and revised. 16: Publications produced, including 7 memos for internal clients. 9: Advantages of iris modality identified. 8: Distinct zones established in the Air Traveller Continuum recognized for deploying

traveller screening technologies. 7: Differences between biometric-enabled access control and border control recognized. 6: Biometric-capable technologies and programs used in Canada identified. 6: Key properties of the ABC machine of the future (Gen-3 ABC) defined. 5: Pillars (key traveller screening technologies) of e-border defined. 5: Potential development roadmaps suggested - on APC kiosks, AVATAR-like

technologies, ABC systems, iris biometrics ABC Standards. 4: Types of tools recommended for ABC analysis - life-cycle degraded performance

metric, simulation/modeling tools generic criteria for automated personal identification mechanisms, PROVE-IT(x) TRL assessment framework .

3: Generations of biometric-enabled ABC defined - RTP-based, eID-based, eBorder-based. 3: Levels of ABC modeling defined - basic illustrative, complex point models, complex

continuum models. 3: Packages of standards for ABC proposed - on lifecycle of general large-scale systems,

biometric components of ABC, and lifecycle of ABC systems

Contents

Front matter iiiAbstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iiiDisclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iiiAcknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ivRelease Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv

Table of contents ix

List of figures xi

List of tables xiii

Abbreviations xiv

Study overview 1Study reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Linkages with previous studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Study in numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Border control context 41.1 Global context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Biometric-capable technologies in Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.3 Schematic of Air Traveller Continuum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.3.1 Pre-border (prior to departure)” stage . . . . . . . . . . . . . . . . . . . . . . . . . . 71.3.2 “Pre-border (en route)” stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.3.3 “At border (entry)” stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.3.4 “At border (exit)”stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.3.5 Use of ABC technologies along the Air Traveller Continuum . . . . . . . . . . . . . . . 9

1.4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Concepts and definitions 112.1 Concepts related to e-border technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.1.1 Supporting technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2 Concepts related to traveller risk assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.3 Concepts related to training of ABC operators . . . . . . . . . . . . . . . . . . . . . . . . . . 172.4 Concepts related to complex system management and anlysis . . . . . . . . . . . . . . . . . . 172.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.1 Wider meaning of biometrics and authentication in the context of automated bordercontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.5.2 Wide meaning of automation in border control . . . . . . . . . . . . . . . . . . . . . . 19

v

ART in ABC: Analysis of Risks and Trends in Automated Border Control vi

2.5.3 Contribution to the standards on biometric terminology . . . . . . . . . . . . . . . . . 20

3 Evolution and categorization of ABC 213.1 Border control vs. access control: key differences . . . . . . . . . . . . . . . . . . . . . . . . . 213.2 Three generations of ABC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.2.1 Gen-1 ABC (RTP/TTP-based) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2.2 Gen-2 ABC (eID/ePassport-based) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253.2.3 Gen-3 ABC (eBorder-based) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.3 Architecture of the ABC machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.3.1 The ABC system as intelligence-gathering machine . . . . . . . . . . . . . . . . . . . . 26

3.4 Alternative ABC categorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

4 Analysis of issues 304.1 RTP-based systems: UK IRIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.1.1 Performance statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304.1.2 Lessons learnt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4.2 ePassport-based systems: EU EasyPASS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314.2.1 Performance statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314.2.2 Variation of system performance among subjects . . . . . . . . . . . . . . . . . . . . . 334.2.3 Policy-related issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354.2.4 Lessons learnt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.3 Use of multi-modal biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364.4 Subject-based analysis to address the usability issues . . . . . . . . . . . . . . . . . . . . . . . 36

4.4.1 Analysis of Nexus performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384.5 Issues related to social integration of modalities . . . . . . . . . . . . . . . . . . . . . . . . . 384.6 Modality specific issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

4.6.1 Stability over time: aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404.6.2 Degradation related to travellers health / physiology conditions . . . . . . . . . . . . . 414.6.3 Robustness to spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424.7.1 Factors affecting ABC performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434.7.2 Future of the iris modality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434.7.3 Need for better ABC performance evaluation practices . . . . . . . . . . . . . . . . . . 45

5 Components of e-border 465.1 Five components (Pillars) of e-border . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Component I: “Three-lane” risk-based processing . . . . . . . . . . . . . . . . . . . . . . . . . 46Component II: Non-automated behaviour screening and interviewing . . . . . . . . . . . . . . . 48Component III: Automated behaviour screening and interviewing technologies . . . . . . . . . . 48Component IV: Automated queuing and self-service technology . . . . . . . . . . . . . . . . . 48Component V: Biometric-enabled authentication and clearance of travellers (ABC systems) . . . 49

5.2 Supporting technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49MRTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49RFID technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Airport logistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Video surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Pre-screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505.2.1 Pre-screening programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Border Technology Division Report 2015-11 Canada Border Services Agency

Contents vii

5.3 Special interest: AVATAR-like systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505.3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515.3.2 Potential Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5.4 Special interest: APC kiosks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555.4.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555.4.2 Potential Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

5.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575.5.1 Roadmapping of future ABC solutions . . . . . . . . . . . . . . . . . . . . . . . . . . 58

6 Metrics and tools 596.1 Performance metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6.1.1 Top level metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596.1.2 Performance optimization areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606.1.3 Performance dependability areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606.1.4 Metrics for system specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

6.2 Technology readiness assessment tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616.3 Analysis via observation: Degraded performance metric . . . . . . . . . . . . . . . . . . . . . . 61

6.3.1 Use of degraded performance metric . . . . . . . . . . . . . . . . . . . . . . . . . . . 636.3.2 Performance comparison of the deployed ABC machines . . . . . . . . . . . . . . . . . 63

6.4 Analysis via modeling: simulation tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656.4.1 1st level simulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666.4.2 2nd level simulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666.4.3 3rd level simulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

6.5 Criteria for deploying automated personal identification mechanisms . . . . . . . . . . . . . . 666.5.1 Applying Palmer’s categories for developing ABC specifications . . . . . . . . . . . . . 686.5.2 Sensitivity of the ABC deployment categories in terms of terrorism risks . . . . . . . . . 68

6.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

7 Future outlook 717.1 Impact areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

7.1.1 Analysis of human factors and ergonomic issues . . . . . . . . . . . . . . . . . . . . . 717.1.2 Automated risk assessment of travellers . . . . . . . . . . . . . . . . . . . . . . . . . . 727.1.3 Development of automated interview supporting and bevahiour screening systems . . . . 727.1.4 Development of tools for training of ABC machine personnel . . . . . . . . . . . . . . . 727.1.5 Development of tools for prediction and mitigation of system risks . . . . . . . . . . . . 727.1.6 Development of new standards for ABC . . . . . . . . . . . . . . . . . . . . . . . . . . 737.1.7 Development of privacy preserving biometrically secured electronic documents . . . . . . 737.1.8 Development of tools for video-surveillance data mining and real-time alerting in airports 73

7.2 Final recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

A References and additional resources 75A.1 Events dedicated to ABC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

A.1.1 Online resources for news . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75A.1.2 Selected presentations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

A.2 Research groups working in ABC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76A.3 Projects funded by the European Commission . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

A.3.1 ABC4EU: Automated Border Control Gates for Europe . . . . . . . . . . . . . . . . . . 77A.3.2 FastPass: a harmonized, modular reference system for all European automated border

crossing points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Border Technology Division Report 2015-11 Canada Border Services Agency

ART in ABC: Analysis of Risks and Trends in Automated Border Control viii

A.3.3 BEAT: Biometrics Evaluation and Testing . . . . . . . . . . . . . . . . . . . . . . . . . 78A.3.4 Tabula Rasa: Trusted Biometrics under Spoofing Attacks . . . . . . . . . . . . . . . . 79A.3.5 Literature categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Bibliography 81* Publications produced by the study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81* Operations-driven publications: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Overviews / Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Guidelines and normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Border agencies publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Media coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88* Publications on e-border components and supporting technologies: . . . . . . . . . . . . . . . . . 88Traveller risk assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Behaviour screening and interviewing technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Queuing technology and self-service kiosks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Biometric-enabled ABC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Pre-screening technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Supporting technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90* Research-driven publications: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91By CBSA Science and Engineering Directorate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Other government funded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92By the University of Calgary’s Biometrics Technologies Lab . . . . . . . . . . . . . . . . . . . . . . 92Biometrics fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Face recognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Iris recognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Subject-based biometrics performance analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Modeling and other tools for complex system performance analysis . . . . . . . . . . . . . . . . . . 95

B Overview of border modernization initiatives 97B.1 Scan of international programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

B.1.1 EU: “Smart Border” program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97B.1.2 UK: “e-Borders” program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99B.1.3 Australia: Blueprint for Reform 2013-2018 . . . . . . . . . . . . . . . . . . . . . . . . 99B.1.4 United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100B.1.5 Canada: Border Modernization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

B.2 Entry-exit systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102B.2.1 European entry-exit system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102B.2.2 USA entry-exit system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102B.2.3 Canada entry-exit system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

B.3 IATA future checkpoint roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

C Roadmap for ABC standards 110C.1 Hierarchy of standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

C.1.1 Package I: IEC 60300 standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110C.1.2 Package II: ISO SC 37 of standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110C.1.3 The need for additional package of standards . . . . . . . . . . . . . . . . . . . . . . . 113

C.2 Package III: “ABC technologies” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113C.2.1 Goals and objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Border Technology Division Report 2015-11 Canada Border Services Agency

Contents ix

C.2.2 Strategic directions for standardization . . . . . . . . . . . . . . . . . . . . . . . . . . 114

D New age glossary of biometrics terms for automated border control applications 118D.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118D.2 Normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118D.3 Terms categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119D.4 General terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119D.5 Core terms related to biometric recognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120D.6 Related to technology design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121D.7 Terms related to technology performance and evaluation . . . . . . . . . . . . . . . . . . . . . 122D.8 Related to people: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

E Subject-based performance analysis of Nexus biometric kiosks 124E.1 What is subject-based analysis ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124E.2 “Biometric menagerie” in iris systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125E.3 Additional results from NEXUS historical data scores . . . . . . . . . . . . . . . . . . . . . . . 126

E.3.1 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127E.3.2 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127E.3.3 Habituation vs. “Doddington zoo” phenomenon . . . . . . . . . . . . . . . . . . . . . 128

E.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

F Recognition limitation of biometrics 130F.1 Face . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130F.2 Iris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130F.3 Biometric performance in terms of convenience, security, and usability . . . . . . . . . . . . . . 131F.4 Biometric performance in conjunction with other identification technologies of e-border . . . . . 131

G PROVE-IT(x) assessment of e-border components and supporting technologies 134G.1 Development of the technology landscape map . . . . . . . . . . . . . . . . . . . . . . . . . . 134G.2 Three-phase technology readiness assessment process . . . . . . . . . . . . . . . . . . . . . . . 135G.3 Taxonomy of deployment scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135G.4 PROVE-IT(FRiV) and PROVE-IT(VA) assessment . . . . . . . . . . . . . . . . . . . . . . . . 136

H Presentation at Frontex Global Conference on the Future of Border Checks 138

Border Technology Division Report 2015-11 Canada Border Services Agency

List of Figures

1.1 Technologies used for air travel: manual processing at PIL (a), iris scanners for Nexus members(b), ABC/APC self-service custom declaration kiosks (c), airline check-in kiosk (d). . . . . . . . 5

1.2 Video surveillance is one of the technologies that supports automated border control. The figureshows three airport setups (zones) of increasing complexity defined in [135] where faces can becaptured for identification purpose: a) at PIL, b) in one-way corridors, c) in luggage area (seealso Figure 1.3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.3 Traveller Continuum: schematic introduced by Frontex (from [34]). . . . . . . . . . . . . . . . 81.4 Air Traveller Continuum: schematic developed in this study. Eight zones are defined, each with

its own layout and capacity for deploying e-border technologies, aimed at accumulating the in-formation about a traveller related to two main traveller clearance tasks (traveller authenticationand risk assessment), as he or she moves along the continuum. Already deployed e-border tech-nologies are shown in red: self-service APC/ABC kiosks in zone (5), biometric-enabled gates inzone (6), and Entry-Exit kiosks in zone (2). It is only after zone (6) that travellers’ identity isassumed known (marked blue). Prior to that it is unknown. . . . . . . . . . . . . . . . . . . . 9

2.1 Key ABC system designs: a) kiosks (Canada airports), b) e-gates (Portugal), c) combination ofboth (Australia). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.1 Iris recognition camera used for access control by CATSA and automated border control byCBSA NEXUS program (see also Figure 4.3). . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.2 Conceptual diagram of the evolution of biometric-enabled ABC systems in the technology-vs-human factors space. The number of technology factors, those related to biometric (blue) andespecially those related to non-biometric (yellow) ABC components, grows with every ABC gen-eration. Similarly grows the number of human factors: controlled factors (green) and especiallyuncontrolled factors (red). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.3 Architecture of the ABC machine consists of (a) the supervision facilities, and (b) the decisionsupport assistant which includes both the verification assistant and the risk assessment assistant. 26

4.1 UK IRIS system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314.2 EU e-gate systems: a) first generation (Spain)– the camera is fixed, located on a side and b)

second generation (Germany) – the camera automatically adjusts to eye level, located in themiddle of the exit door. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.3 Nexus iris kiosks: used prior to 2006 (left), after 2006 (middle), new generation installed in2014, which uses two camera positions: at high and low level (right). . . . . . . . . . . . . . . 36

5.1 Five Pillars of e-border. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465.2 Emotions that can be recognized from facial images: a) Seven (7) emotions used in recognition

by computers [101, 102], b) Fifteen (15) emotions recognized by psychologists [103]. . . . . . 515.3 AVATAR-like system architecture: a) in terms of human-machine interfaces (from University of

Calgary), b) design and sensors (from University of Arizona). . . . . . . . . . . . . . . . . . . 52

x

List of Figures xi

5.4 An example of questions generated by AVATAR border interview kiosk (from [92]). . . . . . . 535.5 APC kiosks: a) first generation (in Detroit), b) second generation (in San Diego) . . . . . . . . 55

6.1 Example of the degraded performance assessment of an ABC machine: Theoretical performance(reported in literature) is 1:40. The predicted (obtained in lab test vendor-reported) is 1:25, andthe ABC operational (real) performance of the deployed ABC machine is 1:10 (One of ten isrejected). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

6.2 Level-1 simulators: Example of visualization and resource allocation analysis in airports usingSimio simulation software [216]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

6.3 Level-2 simulators: Example of ABC simulation developed by Frontex for multiple scenarioanalysis using ExtendSim sofware: a model and border wait time forecast [40, 217]. . . . . . . . 65

6.4 Level-3 simulators: Example of constructing an e-profiler (simulator) for estimating border waittime using the Bayesian network (from [8]). . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

E.1 Subject-based analysis: a) Four main types of recognition results - categorizing all users intofour groups “sheep”, “goats”, “lamps” and”wolfs”, b) Reasons for system performance variation 125

E.2 Historical Nexus iris score data: distribution of enrollments (left) and recorded passages (right)by year. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

E.3 The averaged number of Attempts (left) and the smallest dissimilarity score HD.min (right) fortravellers who used the system different number of times. . . . . . . . . . . . . . . . . . . . . 128

G.1 Nine-grade TRL assessment scale. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134G.2 The PROVE-IT(x) framework: two-dimensional technology landscape map template (top),

semaphore-like assessment scale (middle) and three-phase evaluation process (bottom). . . . . 135

Border Technology Division Report 2015-11 Canada Border Services Agency

List of Tables

1.1 Biometric-capable technologies in Canada. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1 Databases used in border control in the EU. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.1 Key differences between biometrics-enabled access control and biometric-enabled border controlsystems, expressed in terms of shifts in system functionality and human-machine interactionprocedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.2 The states of the ABC system as an intelligence-gathering machine. . . . . . . . . . . . . . . . 27

4.1 Performance of the IRIS system (from [106]). . . . . . . . . . . . . . . . . . . . . . . . . . . 304.2 Six key reported factors attributed to closing the UK IRIS program. . . . . . . . . . . . . . . 324.3 Sample of statistical data from the border control system EasyPass based on facial recognition

from [111] (March 2012). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324.4 2014 target objectives for operation of e-gates by the German Federal police (from [112]). . . 334.5 False Reject Rates (FRR) for travellers from different EU countries (computed from data reported

in [108]). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344.6 Factors attributing to varying performance of e-gates in Table 4.5. . . . . . . . . . . . . . . . 354.7 The results from the subject-based performance analysis of the Nexus system shows that travellers

who used the system many times perform much better than those who used it only a few times. 374.8 Face, fingerprints, and iris biometric modalities in national and international databases. . . . . . 394.9 Advantages of the iris modality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.1 Five main technological components (Pillars) of traveller screening. . . . . . . . . . . . . . . . 475.2 Potential development of APC kiosks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

6.1 Performance metrics for defining specifications of ABC systems (from [10]). . . . . . . . . . . . 626.2 Life-cycle combined degraded performance metric for the ABC machines deployed in the EU. . . 646.3 Recommendations for the ABC quality control developed by Frontex [36] described following the

generalized categories defined by Palmer [229] (from [10]). . . . . . . . . . . . . . . . . . . . . 696.4 Samples of the ABC deployment categories and features, which, if publicly available, may support

the development of cyber and terrorist attacks (from [10]). . . . . . . . . . . . . . . . . . . . . 70

A.1 Categorization of the “ART in ABC” study bibliography. . . . . . . . . . . . . . . . . . . . . 80

B.1 European border control systems based on e-passports (from [111]). . . . . . . . . . . . . . . . 98B.2 Roadmap of future checkpoint [27, 44]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108B.3 IATA vision of the 2017 and 2020+ checkpoint (sample) [27, 44]. . . . . . . . . . . . . . . . . 109

C.1 Common standards provided by International Electrotechnical Commission (IEC) and Interna-tional Organization for Standardization (ISO) in the area of deployment, operational require-ments, and performance of computer systems. . . . . . . . . . . . . . . . . . . . . . . . . . . 111

xii

List of Tables xiii

C.2 Sample of ISO SC 37 Package II of standards [170]. . . . . . . . . . . . . . . . . . . . . . . . 112

E.1 Iris recognition False Non-Match Rates (FNMR), reported using transaction-based and subject-based analysis (from [145]). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

F.1 Best and worst-case error rates for face, iris, and fingerprint modalities, and progress in accuracyof recognition technologies (2003-2010). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

F.2 Iris performance results (compare to face recognition performance in Table 4.5) from 2009 NISTIREX-I evaluation on three different datasets. See also the result from the CBSA iris evaluationshown in Appendix E and [145]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

F.3 The present state of face, iris, and fingerprint modalities with respect to convenience, security,and usability factors [165]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

F.4 Performance of face, iris, and fingerprint biometrics in conjunction with other identificationtechnologies of eBorder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133