IATA Asia-Pacific One ID Workshop
Singapore, 12 November 2018
Housekeeping
• Washrooms
• Coffee & Tea
• Valuables
• Fire Alarm
Go to SSID: Training
Password: iatatraining
Competition Law Guidelines
This meeting is being conducted in full compliance with antitrust and competition law.
The following agreements and activities are prohibited:
• Any collective agreement concerning prices or charges, allocating markets, territories, customers, suppliers, agents, etc.
It is prohibited to disclose the following information:
• Individual airline cost, rates, charges, surcharges or customer
• Individual airline intentions regarding increasing, reducing or reallocating aircraft capacity
• Sensitive commercial or proprietary information without consent
Delegates are cautioned that any discussion regarding topics outside the scope of the agenda, either on the floor or off, is strictly prohibited. The foregoing applies equally to email discussions, instant messaging and social media discussions.
Agenda
Time Agenda
0900 Welcome & Introduction
0915 An overview of the One ID concept
• Fundamental principles describing the envisioned end state
• The key components of the solution
• A roadmap for the next 15 years
• Expected benefits for the various stakeholders involved
1030 Networking Break
1100 Attendee round table
• Information sharing by each location – own roadmap, end state and challenges
1200 Implementation case study 1
1230 Networking Lunch
1330 Concept of Operations
• Application of collaborative identity management and biometrics across the end-to-end passenger process
1415 Implementation case study 2
1445 Networking Break
1515 Technology perspective
• Biometric recognition solutions
• Identity management platforms
• Mobile technologies
1600 Legal & governance perspective
• Digital identity schemes
• Privacy and data protection
• Operational frameworks for multi-stakeholder collaborations
1645 One ID project activities
• Work streams and program of work
• How to get involved
1710 Recap & Closing
Introductions
• Name
• Organization
• Role
An overview of One ID concept
One ID: breaking the silos, within and across locations
A fundamentally different approach
• As early as possible in the process (ideally off-airport): Who are you? Are you who you say you are?
• At every subsequent touchpoint: We were expecting you, we recognize you (biometrics), and we have already determined how to handle you in this process step
Legacy Process
• At every touchpoint: Who are you? Are you who you say you are? How do we handle you?
[Diagram: journey touchpoints: Passenger data confirmed & ID verified; Bag Drop; Border Control (outbound); Security Access; Self-boarding; Border Control (inbound); Authorization to travel on flight back]
A single biometric travel token through all travel touchpoints
Private and public stakeholders collaborate, with the passenger in the center
Ready to Fly
The passenger arrives at the airport “ready to fly”:
- “confirmed” or “standby” status
- identity authentication
- document/credential authentication
- admissibility
- biometric enrollment
The passenger information travels ahead of the passenger and is shared with various stakeholders
Bag Drop
• Hold baggage linked with passenger identity
• Self- or assisted bag drop with identity verification enabled by biometric recognition
• Optional capture of process data
Security Access
• E-gate with identity verification enabled by biometric recognition; possibility of smart queuing
• Enabler for risk-based differentiated security screening
• Optional capture of process data
Outbound border control
• Passenger background checks have already been performed
• Passenger may be authorized to cross the border without seeing an officer
• Optional capture of process data
Boarding
• Biometric self-boarding
• Optional capture of process data
Physical touchpoints could be combined
• Some physical touchpoints could be combined, removed or moved off-airport
Arrival and inbound border controls
• Passenger information travels ahead of passenger
• Automated access management for priority lanes, dedicated lanes for trusted travelers, etc.
• Travel document does not need to be presented/scanned
• Background checks for the passenger have already been performed and (s)he is authorized to cross the border without seeing an officer
Return trip
• Passenger information could be retained for the return leg if passenger has travel reservation to fly out from the same airport
• This would greatly simplify the “ready to fly” principle on the return leg
• Consider legal implications and passenger consent
And beyond …
• Application at Transfer: disembarkation, recognition of passengers, border controls if applicable, security screening and boarding
• Application through various travel scenarios, both domestic and international
• Application to broader travel and tourism industry
What are we aiming to achieve?
• Harmonization
• Recommended practices, Standards
• Interoperability
Why are we doing this – stakeholder benefits
SEAMLESS – improvements in passenger experience
• Elimination of repetitive processes and reduction in the number of touchpoints, and thus shorter queues and reduced waiting times
• Ultimately, enable passengers to arrive at the airport ready to fly in nearly every travel scenario
• Translates into commercial opportunities for industry
• Increased attractiveness of air travel
• Improved competitive positioning
Why are we doing this – stakeholder benefits
EFFICIENT – improved productivity, capacity and cost savings
• Avoid or defer capex investment in airport terminal infrastructure
• Staffing efficiencies and increased capacity by reducing time spent on manual ID checks
• Other: costs associated with inadmissible passengers; minimum connection time (MCT); on-time performance (OTP)
• Exposing exceptions earlier in the process
• Improved real-time visibility of where passengers are
Why are we doing this – stakeholder benefits
SECURE – improvements in border, aviation and airport infrastructure security
• Eliminate queues and crowds in airport landside areas
• Reduce possibilities for individuals to cross borders under a false identity, and thus help combat human trafficking and other cross-border criminal activities
• Risk based assessment and differentiated handling at border and security checkpoints
• Timely and qualitative API
How do we get from where we are today … to where we want to go
Key elements of One ID
• Trusted Digital Identity
• Collaborative Identity Management Platform
• Biometric Recognition
• Operational Framework
The evolutionary roadmap is multi-dimensional
• Scope of collaboration, and the underpinning processes & operational frameworks
• Digital identity: e-passport, national digital ID schemes, Known Traveler schemes, private sector initiatives, ultimately a universal digital travel credential
• Technology: evolution in biometric recognition, collaboration tools, systems interoperability, data security, etc.
• Regulatory framework
• Closely linked with evolution in other areas of passenger facilitation: future of passenger data, move towards e-visa, eTA, single window concept, etc.
• Prioritization: what should the One ID project focus on?
[Diagram axis labels: local; bilateral; multilateral; global]
Overview of the One ID concept
DIGI YATRA
case study of a digital travel credential
30 / © BIAL S&D / Digi Yatra
Digi Yatra: Conceptual passenger flow, courtesy of BIAL
Digi Yatra Step 1: Create a DY ID online
• Passenger is directed to the DY secure website and registers his/her profile in the Digi Yatra program by providing:
  • Name, phone number and e-mail address;
  • Option 1: Passenger completes AADHAAR information on DY ID website
    • Enters the OTP sent to the AADHAAR Linked Mobile
    • UIDAI sends a UID Token (72 Character) to the DY Platform, which will be stored with the pax profile as the “pseudo identifier” of AADHAAR ID. The UID token shall not be visible to the passenger;
  OR
  • Option 2: Passenger enters other valid Govt. ID number;
    • Enters the OTP sent to the mobile number as provided above;
• The Digi Yatra ID is automatically created, and a pax is allowed to edit the ID should they choose to;
• DY ID is sent to the passenger via SMS or e-mail for their reference;
• Once pre-registration is completed, Passenger can enter DY ID number for booking a ticket
• The pre-registered DY ID needs to be activated through a ‘one-time’ registration at the registration kiosk at an airport (Step 2);
First Name: John
Last Name: Doe
E-mail ID: [email protected]
Mobile Number: 1234567890
Option 1: Aadhar ID: Enter AADHAAR #
Option 2: Other valid Govt. ID: Enter Other Govt. ID #
Enter OTP: ****
DY ID: JohnDoe012345@DY
DY Step 1: Create DY ID at Airport Enrolment Kiosks
• At the DY Registration Kiosk located at an airport, a passenger can register their profile by providing:
  • Name, phone number and e-mail address;
  • Passenger completes AADHAAR information at the Kiosk linked to the DY ID website;
  • Kiosk captures passenger’s face and iris in one single capture;
  • UIDAI validates the Passenger with AADHAAR Database;
  • Sends a UID Token (72-character) to the DY Platform, which will be stored with the passenger profile as the “pseudo-identifier” of the AADHAAR ID;
• The Digi Yatra ID is created and a passenger is allowed to edit their ID should they choose to;
• DY ID registration is fully completed and facial biometric record updated;
• DY ID is sent to the passenger on SMS and e-mail for their reference;
• Once registration is completed, a passenger can use the DY ID for any future travel as the DY ID is fully activated;
First Name: John
Last Name: Doe
E-mail ID: [email protected]
Mobile Number: 1234567890
Aadhar ID: Enter AADHAAR #
DY ID: JohnDoe012345@DY
DY Step 2: Registering at an Airport Enrolment Kiosk (One time)
Type 1: Passenger with DY ID (With AADHAAR UID token)
• Scans boarding pass / e-ticket;
• DY – biometric boarding system (DYBBS) validates the ticket;
• Kiosk captures iris and facial biometrics, in a single capture;
• AADHAAR validation happens;
• Passenger profile updated on DY Platform
Type 2: Passenger with DY ID (With other valid Govt. ID)
• Scans boarding pass / e-ticket;
• DYBBS validates the ticket;
• Kiosk captures passenger facial biometrics;
• Pop-up message is sent to CISF;
• CISF staff checks & validates PAX ID;
• PAX Profile updated to DY Platform;
Type 3: Passenger without DY ID*
• Scans boarding pass / e-ticket;
• DYBBS validates the ticket;
• Kiosk captures passenger facial biometrics;
• Pop-up message is sent to CISF;
• CISF staff checks & validates PAX ID;
• DYBBS creates the local PAX dataset
Type 4: Passenger not willing to use biometrics**
• Scans boarding pass / e-ticket;
• DYBBS validates the ticket;
• Pop-up message is sent to CISF;
• CISF staff checks & validates PAX ID;
• DYBBS updates itself for the non-biometric passenger
• * - Minors will be tagged to parents;
• ** - Passengers who don’t have a DY ID will need to be verified by CISF staff each time they travel;
• Once in a lifetime enrolment for passengers with DY ID;
• Non DY ID passengers have to register at the Registration Kiosks every time they travel;
Networking break
Attendee roundtable
Objectives
• Share own Roadmap/End state/challenges
• Identify common challenges
• Learn from each other
Output
• Capture key challenges and issues (whiteboard/flip charts)
• Address in the later sessions
Share with us….
• Your objective and ‘End State’
• Key drivers
• Roadmap
• How you will measure success
• Roadblocks
Summary
• Key challenges and issues
Implementation case study 1
Changi Airport
Networking lunch
Concept of Operations
One iD Processes
[Diagram: process steps 01–14: 01 Pre-Travel; 02 Ticket Issuance; 03 Check-in; 04 Document Scanning; 05 Authorization to proceed; 06 Baggage Processing; 07 Immigration exit control; 08 Security Access; 09 Security Screening; 10 Flight Re-Booking; 11 Boarding; 12 Immigration entry control; 13 Baggage Collection; 14 Customs]
[Diagram: steps D.0–D.7 and A.1–A.3: D.0 Capture & validation of Passenger data; D.1 Ready to Fly; D.2 Bag Drop; D.3 Secure Area Access; D.4 Security Screening; D.5 Outbound Border Control; D.6 Boarding; D.7 Transmit PAX data to Destination; A.1 Border Control; A.2 Baggage Collection; A.3 Customs & Quarantine]
[Other diagram labels: Departure; Document Check; Arrival; FLIGHT; Transfer]
Level 2 business process maps have been developed for every process step
Example 1: Check-in / Ready to fly (To Be)
The majority of passengers arrive at the airport “ready to fly”. The legacy terminology “check-in” will disappear in favor of “ready to fly”, which includes several of the constituent elements of the check-in process and more, such as:
• The passenger has “confirmed” or “standby” status for the flight and, if confirmed, has assigned seating.
• Where applicable, the authenticity of the passenger’s identity has been validated [is this passenger who (s)he says (s)he is?]
• Where applicable, the authenticity of the identity document/credential has been validated [is the credential valid, genuine and has it not been tampered with?]
• The passenger’s admissibility has been validated [is the passenger authorized to travel to destination?]
• The passenger is biometrically enrolled such that (s)he can be biometrically recognized at subsequent touchpoints. Ideally, this enrollment would persist across multiple trips, or better, would be rendered unnecessary as it is ultimately replaced by a government-issued digital travel credential.
[Subject to review with the One iD Expert Groups]
[Process map labels: D.0 Passenger Data; @ Home; @ Airport; Mobile Enrollment App; Ready to Fly Kiosk; Biometric Enrollment of Passenger; Identity/Flight reconciliation; Identity Authentication; Identity Authentication / Enrollment; Create IMP record; IMP Record creation; Exception Process; No Checked Bag; D.2 Bag-Drop Process; D.3 Secure Area Access]
Example 2: Boarding (To Be)
• Before closure of the flight, if a PAX is missing, there should be the opportunity to check where the last touchpoint of the passenger was and whether baggage was checked in or not.
• E.g., if a PAX has checked baggage but has not yet passed security, the carrier's decision could be to proceed to offload the luggage. If linked with other services, the airline could even know whether the PAX is still at the lounge or on the way.
• Under a One ID process, there is no need to wait for boarding to trigger the no-fly procedure; this could be done ahead of the process (ready to fly) or even at the Security Access control.
• An automated process would lead to more efficient boarding procedures while removing the need to physically present travel documents and/or credentials.
[Process map labels: D.5 Border Control; Proceed to gate; Access e-Gate; Identity Verification; Update IMP record; IMP Process Stamp; Retail & Lounge Access; Proceed to Boarding; No Boarding Decision; Exception Process; D.6B Gate Screening]
Challenges
• “Ready-to-fly” and off-airport processing
  • How to avoid on-airport enrolment
• Roles & responsibilities of stakeholders
  • A question of trust, but may also be embedded in regulation
  • E.g., identity and document authentication
• Parallel processes (biometric vs non-biometric)
• Exception handling
• Parts of the population with special requirements
• Cross-border information sharing
• Technical infrastructure
• Trust / operational frameworks
• Legal considerations including privacy and data protection
Discussion
Tasks
• Identify key requirements to achieve the desired end state at each process;
• Identify interim possible solutions;
• Identify what are the challenges and issues in adopting the interim solutions and discuss how they can be tackled
Authentication and enrolment: How can it take place?
Ready to fly
• How can stakeholders authenticate one’s identity and one’s travel document?
• Under the current operation, what can be done as interim measures? Using existing touchpoints?
• How can travel authorization take place? Is ETS the only enabler? What can be done where ETS or iAPI is not in place yet?
• Should processes be different for nationals and foreigners?
• Can enrolment be removed or moved off-airport? How can enrolment take place today?
Is a regulatory change needed?
Bag drop
• Can One ID process fulfill the requirements of AAA check?
• Are regulatory changes needed?
• What regulatory changes are needed?
How can it be different?
Security access
• How will One ID process impact security access control process?
How can Immigration trust the single token created earlier?
Border Control
• What are the Immigration requirements to be met in order to use the biometric token created earlier in the journey to perform the immigration checks?
Is a regulatory change needed?
Self-boarding
• Can One ID process fulfill the requirements of AAA check?
• Are regulatory changes needed?
• What regulatory changes are needed?
Can passport check be eliminated completely? Which steps can be removed or combined?
Summary
• Key challenges and issues
• Interim solutions
Implementation case study 2
Sydney Airport
Facial Recognition Technology Trial
12 November 2018
Project Background
Strategic rationale & history
• Fast Passenger Processing (FPP) is Sydney Airport’s programme of work leveraging biometric technology to achieve a step-change in terminal operational efficiency, security and passenger experience
• The project is aligned with IATA OneID and NEXTT (New Experience in Travel and Technology) programmes
• Uses a single identifying token (facial recognition) throughout the passenger's journey to validate identity through key airport touchpoints
• The FPP project objective is to create a paperless end-to-end airport experience, where a passenger’s face becomes their passport and takes self-service technology to the next level, further streamlining & enhancing on airport passenger facilitation
• Vision-Box were appointed as key biometric technology partner in 2017 and Qantas chosen as launch airline partner
• Live trial commenced 19 Jun 2018 with Qantas passengers
• Sydney Airport is developing a longer term strategy for the application of biometrics to enhance passenger facilitation, including cross border capability
Strictly Confidential Fast Passenger Processing
SYD Facial Recognition
Biometric Objectives
[Matrix column headings: Technology & Data; Capacity & Infrastructure; Airlines; Security; Passenger Experience]
[Matrix entries: Enhanced Security measures; Government integration; Validate integrated security/border process; Delivering a seamless paperless journey; Facilitating ease of travel; Enabling a connected journey; Reliability of technology; Exchange passenger data with Gov and Airlines; Understanding Passenger Movements; Resourcing Benefits for Partners; Commercial models with airline; Making SYD a destination of choice, powered by technology; Operational efficiencies; Increased throughput; Enabling off-airport check-in]
End to End Journey: Departures Touchpoints
* In planning for development
Departures Touchpoints
1 AIRPORT CHECK-IN
2 BAG-DROP
5 LOUNGE ENTRY
6 BOARDING
Data Flows
[Diagram labels: CUSS Application; Qantas Checkin App; Qantas ABD App; CUTE Application]
The Learnings from the Trial
We are gathering new forms of data and insights from the project. There is more we would like to achieve to validate our biometric objectives and create a scalable solution.
[Table columns: Current learnings; Still to be tested]
Capacity & Efficiency
• Additional step (registration) offset by faster bag drop
• Technology & operational processes need further refinement to achieve savings
• Use of passenger movement and total dwell timing
Security
• Establishment of Data and Privacy controls was an extensive exercise
• Biometric threshold setting accuracy proven
• GDPR to be evaluated
• Transfer of data to Dept of Home Affairs (DHA)
Passenger Experience
• Customer acceptance high. Best on bag drop.
• Boarding gate experience hampered by need to still produce documents
• Lounge product
• Self service capability
• Validate the viability of a true paper-less airport journey
Tech & Data
• Passenger detail (i.e. age, gender, nationality) collection
• Technology is feasible but requires further development
• Mobile checkin & registration
• Face on the move technology requires further development & testing
Airlines
• Local and global interest has been generated
• SYD is playing an active role in working with IATA OneID Advisory Group
• Developing business case
Success Drivers
Collaboration between airlines, airports, government and industry organisations is key
Technology Partnerships Industry Organisation Privacy
Delivering a connected world class passenger experience
* Sydney Airport is engaging with DHA to understand opportunities for how biometrics can be used in passenger facilitation at the border
The Future
• Government integration
• Business case: biometrics and self service
• Mobile biometric registration
• Paperless journey
• Local versus global use cases
• OneID. Ownership and exchange of information
Thank you
Networking break
Enjoy your Coffee & Tea
Technology perspective
Biometric recognition – some technology considerations
• False positives and false negatives
• Interoperability and standardization of biometric templates
• Biometric recognition on the move
“Identity Management Platform” – Definition
IMP is defined in its broadest sense:
The environment where different stakeholders can share, re-use and update passenger information in a collaborative and trusted manner throughout the passenger journey.
As such, there may be different examples of IMPs, as well as the possibility that multiple IMPs interact with one another to achieve the same overall outcome as one centralized IMP.
The type of IMP chosen will depend on many different factors, including the stakeholders involved, local regulatory requirements, the touchpoints selected, the level of cooperation between stakeholders, the data flows, etc.
Example: Collaborative Platforms
[Diagram touchpoints: Booking; Ready to Fly; Bag Drop; Access Control; Security; Border Control; Boarding; Border Control]
Example: Another Collaborative Management Platform (Hybrid)
[Diagram: same touchpoints, with labels: Persistent Enrollment; AADHAAR DB; Digi Yatra DB; Digi Yatra day library; “Digi Yatra” type of approach]
Example: Airline System based / Biometric Boarding Pass
[Diagram: same touchpoints]
Example: Government operated centralized system
[Diagram: same touchpoints]
Discussion
Tasks
• Share knowledge or experiences in use of biometrics
• Share knowledge or experiences in setting up own Identity Management Platforms (IMP)
• Identify what should be done to undertake everything on mobile
Biometric recognition
• Which biometric recognition are you looking at?
• What are the reasons you chose that biometric?
• Can you share any information on success/failure rate, false positives, false negatives, etc.?
Identity Management Platform
• Who is taking the lead in establishing IMP in the current trial or in the model you are designing?
• Who do you think should take control of it? Or it doesn’t matter?
• What are the key considerations in establishing IMP? e.g. interface with other systems, such as CUSS, etc.
Can we do One ID with mobile?
• What are the considerations/pre-requisites to enable identity registration, authentication and travel authorization on mobile under the end state?
• What can be done under current state?
• What are the issues and roadblocks?
Summary
• Key challenges and issues
• Interim solutions
Legal & governance perspective
Trusted Digital Identity and the Digital Travel Credential (DTC)
ICAO Digital Travel Credential (DTC)
• The ICAO New Technologies Working Group (NTWG) has established a sub group to standardize the issuance of travel credentials in a digital format in the form of a DTC that is meant to temporarily or permanently substitute a conventional passport by a digital representation of the traveler’s identity
  • Policy Paper 24-Oct-2018, endorsed by the NTWG
• To ensure the same level of security as an ePassport, the DTC approach is based on the ‘hybrid’ concept, in which the DTC will consist of a Virtual Component containing the digital representation of the holder’s identity and one Physical Component that is cryptographically linked to the Virtual Component
DTC Creation – 3 types/scenarios
Self-derived DTC
• DTC-VC is derived from existing travel document, with which it shares the document number
• Traveler must be in possession of travel document which serves as DTC-PC
Authority-derived DTC
• DTC-VC is derived from existing travel document, with which it shares the document number
• Option to store the DTC-VC in a remote system (e.g. database, web service) or elsewhere (e.g. smart device)
• DTC-VC must be signed by the issuing authority’s public key infrastructure
• DTC-PC on a physical device that may be supplied by the issuing authority or by the holder
• Traveler should be in possession of travel document as alternate or fallback
Authority-issued DTC
• Virtual credential without an eMRTD as an alternate or as a fallback
• Issuing authority creates a DTC and has the option to store it in a remote system (e.g. database, web service) and store it elsewhere (e.g. smart device); or store it solely elsewhere
• DTC-VC must be signed by the issuing authority’s public key infrastructure
• DTC-PC on a physical device that may be supplied by the issuing authority or by the holder; only the physical device will serve as the DTC-PC
• The DTC-VC can be submitted by the traveler in advance of travel to provide advance passenger information (API), apply for authorizations, support advance risking, and prepare the airport for seamless passenger processing
• In the process of travel, a passenger would use their DTC-VC by successfully matching to the biometric information included in the token, and, if required, presenting the DTC-PC when requested
• If a traveler holds the DTC-VC on their phone, but has not been asked or does not want to submit their DTC-VC in advance, they may be able to present their smart device to the inspection equipment as a substitute for a physical document
• Information stored in the DTC-VC could be read out from the smart device and be used to biometrically match the holder to their credential
DTC use
• Like a regular travel document, issuing authorities can invalidate a DTC by reporting it to the appropriate domestic and international authorities
• DTCs that are lost, stolen, revoked or cancelled are no longer valid for travel
• Issuing authorities can invalidate a DTC by reporting the issued eMRTD lost, stolen, revoked or cancelled
• The invalidation of the source authorization would automatically invalidate all DTC-VCs linked to that eMRTD
• Self-Derived or Authority-Derived DTCs share the document number with an existing eMRTD
• Revocation of the existing eMRTD also revokes the DTC
• Authority-Issued DTCs do not share the document number with any eMRTD, and thus the Authority-Issued DTC must be revoked on its own
DTC invalidation / revocation
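The invalidation rules on this slide, as an added example that is not part of the original deck or any ICAO or IATA code: a hypothetical issuer-side registry (the class, holder identifier and document numbers are constructed) showing that reporting an eMRTD invalidates every derived DTC sharing its number, while an authority-issued DTC for the same holder stays valid until it is revoked on its own.

```python
from dataclasses import dataclass
from enum import Enum

class DTCType(Enum):
    SELF_DERIVED = "self-derived"
    AUTHORITY_DERIVED = "authority-derived"
    AUTHORITY_ISSUED = "authority-issued"

@dataclass(frozen=True)
class DTC:
    holder: str           # constructed holder identifier
    dtc_type: DTCType
    document_number: str  # derived types reuse the source eMRTD's number

class IssuerRegistry:
    """Hypothetical issuing-authority record; not an ICAO-defined interface."""
    def __init__(self, emrtd_numbers):
        self.emrtd_numbers = set(emrtd_numbers)  # physical documents issued
        self.issued = []                         # DTCs known to this authority
        self.invalid = {}                        # document number -> reason

    def issue(self, dtc):
        # Derived DTCs must share an eMRTD number; authority-issued must not.
        shares = dtc.document_number in self.emrtd_numbers
        if (dtc.dtc_type is DTCType.AUTHORITY_ISSUED) == shares:
            raise ValueError("document number inconsistent with DTC type")
        self.issued.append(dtc)
        return dtc

    def report(self, document_number, reason):
        """Record lost/stolen/revoked/cancelled; return the DTCs that fall with it."""
        self.invalid[document_number] = reason
        return [d for d in self.issued if d.document_number == document_number]

    def valid_for_travel(self, dtc):
        return dtc in self.issued and dtc.document_number not in self.invalid

    def still_valid(self, holder):
        """Audit after an incident: what can this holder still travel on?"""
        return [d for d in self.issued if d.holder == holder and self.valid_for_travel(d)]

def demo():
    reg = IssuerRegistry({"X0000001"})  # constructed eMRTD number
    reg.issue(DTC("traveler-1", DTCType.SELF_DERIVED, "X0000001"))
    reg.issue(DTC("traveler-1", DTCType.AUTHORITY_DERIVED, "X0000001"))
    reg.issue(DTC("traveler-1", DTCType.AUTHORITY_ISSUED, "AI-000001"))
    reg.report("X0000001", "stolen")       # passport reported stolen
    return reg.still_valid("traveler-1")   # only the authority-issued DTC remains
```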
Legal & Governance perspective
Operational Frameworks
Key elements of One ID
Trusted Digital Identity
Collaborative Identity Management Platform
Biometric Recognition
Operational Framework
An operational framework (sometimes also called a trust framework or liability framework) is a set of specifications, rules, and agreements that govern a multi-party collaboration established for a common purpose, designed for conducting specific types of transactions among a community of participants, and bound by a common set of requirements
Operational Framework
An operational framework may include such things as:
• Scope, goals and guiding principles
• Roles, rights, responsibilities and obligations
• Business and technical requirements and specifications
• Identification of applicable laws and regulations
• Financial arrangements
• Governance
What does it include?
Operational frameworks can exist at:
• the level of a local air travel ecosystem – for instance an airport plus a number of airlines and control authorities; or
• national and international levels to facilitate collaboration in cross border travel scenarios.
Types of Operational Frameworks
Legal & Governance perspective
Privacy & Data Protection
Because the One ID concept deals with passenger data, including biometrics, data privacy concerns are often raised
There is a perception that the introduction of biometrics fundamentally changes the type of passenger data that is collected and shared within an airport environment
Note that a lot of passenger information is already collected and shared in the traditional travel journey, and that many border agencies already use technologies that capture and process passenger biometrics
Privacy and One ID
Which privacy requirements must stakeholders comply with?
• State of departure
• State of arrival
• GDPR (implies extraterritorial applicability)
• Home state of the passenger
• Other…
Understanding what general requirements apply
How can stakeholders comply when:
• They may not have all the information about the passengers
• Their business deals with passengers from many countries
• All the national requirements differ slightly and may or may not be accessible?
This is not a new question
Understanding how stakeholders can comply
What constitutes a biometric?
Are biometrics a special category of data – i.e. data that can be used to uniquely identify someone?
Is there a difference between raw biometrics (i.e. images) and biometric templates when it comes to requirements?
Understanding what specific requirements apply
Legal Basis for data collection: Legal basis for data use and collection may vary between jurisdictions. Before proceeding with any identity management project, parties must clearly articulate under which legal authority they intend to collect and use data
Potential Privacy Concerns
What is the legal basis for data collection? Particularly for sensitive data?
Art 9.2 GDPR provides some legal basis for collection of sensitive data including when:
• Explicit consent is given
• The data is used for the purpose of social security/social protection
• Use of the data is in the public interest
• Used for research (what constitutes research is still an open question).
Legal Basis for data collection
Consent: Authorities and the public may wish to understand how data subjects will interact with the system in terms of participation.
• How consent will be managed
• Processes for opt out
• Communication with passengers
• Who requires consent?
Potential Privacy Concerns
How must consent be obtained?
• verbally or in writing?
• does a record need to be maintained?
• is participating considered consent?
• for some or all processes?
• for one journey or multiple?
How long is consent valid for?
How is consent managed across an end to end process considering each stakeholder may use and store the data differently?
Other considerations
• Are passengers clear on what they are consenting to? Has the message been understood? (language considerations)
• Age of consent, which may vary by jurisdictions
• Avoid bundling consent for core services (i.e. getting the passenger from A to B) with non-core (i.e. commercial like lounge access or retail).
• Do passengers understand what happens if they opt out? Care should be taken not to mislead or force consent
Obtaining Consent
Transparency: agencies and the public may be concerned that data subjects (in this case passengers) will not have visibility into the process or the way their data will be used
Potential Privacy Concerns
Data quality: If biometric and other sensitive data is being used to make decisions about a person, and can potentially impact their ability to check-in, pass border control, or board an aircraft, data quality may need to be addressed.
Potential Privacy Concerns
Data use, access and retention: There may be concerns that data may be used for purposes other than those intended, or that more data than necessary may be collected or stored.
Potential Privacy Concerns
Data Security: Ensuring that passengers' biometric data is stored securely will alleviate cybersecurity concerns and concerns that the data could be misused, or stolen and used for purposes other than travel. Cybersecurity and process will be important in ensuring that only authorized persons have access to sensitive passenger data.
Potential Privacy Concerns
Governance and Auditing: Authorities will likely wish to understand how the parties plan to manage and ensure compliance with privacy requirements.
Potential Privacy Concerns
Because of the complexity of data privacy questions and the different ways stakeholders within an ecosystem may use that data, it is recommended that stakeholders conduct a privacy impact assessment before commencing any One ID related project.
• Set the context: introduce the project at a high level and help the reader understand why a PIA is being conducted.
• Describe the process: help the reader to understand what data is collected from passengers, when, in what form, and how it will be used.
• Identify Key Privacy Concerns and Outline Mitigation Strategies: It will be important to demonstrate that risks to individual data subjects have been considered and appropriately mitigated.
Privacy Impact Assessments
Discussion
Tasks
• Discuss implications of trusted digital identity
• Identify different types of operational frameworks and share own knowledge and experiences
• Share concerns or work done related to regulatory changes and privacy and data protection
• Share own collaboration strategies/experiences
Trusted Digital Identity
• How can it be created under the end state scenario and under the current scenario?
• How do you think DTC will impact registration and authentication process?
• What are the requirements/preparation needed from governments, airports and airlines to adopt/support DTC?
Operational Framework
• How are you collaborating with other stakeholders?
• Who is involved in establishing the operational framework you are working on? Roles and responsibilities?
• What is the most challenging issue to deal with in your case among technical, operational, legal, business, financial requirements and governance? And why?
Privacy and data protection
• What regulatory changes did you identify were needed?
• What regulatory changes were made already?
• What seems challenging?
• What is/are the regulatory frameworks that impact this aspect in your trial/implementation?
• Are you facing concerns with privacy and data protection?
Summary
• Key challenges and issues
• Interim solutions
One ID project activities
One ID Project Organization
2018 project organization – One ID Task Force
Advisory Group
Process & Operations Expert Group
• Concept of Operations
• Standard process model
Legal & Governance Expert Group
• Trust framework
• Privacy impact assessment
• Regulatory implications
Business Case Expert Group
• Quantification of benefits
• Cost/benefit analysis
Technology Expert Group
• Technology exploration
• Requirements for SARPS
• Define business, technical and legal context
• Lessons learned from POC and pilot implementations
One ID Advisory Group
Add as observers and
Process & Operations guidance
• Including level 2 business process maps for all process steps
• High level data flows and stakeholder interactions
Analysis of existing SARPs Fast Travel [Facilitation]
Process & Operations EG – 2018 deliverables and next steps
[Figure: passenger process map. Steps: 01 Pre-Travel; 02 Ticket Issuance; 03 Check-in; 04 Document Scanning; 05 Authorization to proceed; 06 Baggage Processing; 07 Immigration exit control; 08 Security Access; 09 Security Screening; 10 Flight Re-Booking; 11 Boarding; 12 Immigration entry control; 13 Baggage Collection; 14 Customs. Phase labels: Departure, Document Check, Flight, Transfer, Arrival.]
[Figure: IMP process flow across Off Airport, At Airport, In Flight, At Airport. Departure stages: D.0 Capture & validation of Passenger data; D.1 Ready to Fly; D.2 Bag Drop; D.3 Secure Area Access; D.4 Security Screening; D.5 Outbound Border Control; D.6 Boarding; D.7 Transmit PAX data to Destination. Arrival stages: A.1 Border Control; A.2 Baggage Collection; A.3 Customs & Quarantine. Element labels: DCS Data; IMP record Creation; IMP ID Verification; IMP Bag ID; IMP Process Stamp; Risk Score Defined; Apply Risk Score; Retrieve Risk Score; Set BC Score; Retrieve BC Score; Provide BC Score; Set quarantine score; Apply quarantine Score; Transmission; Reception & Dispatch; Archiving; IMP Options; IMP Core Transmission.]
Technology Standards document
• Existing biometric standards to be considered in the context of One ID
• V1 ready for release
Guidance on Collaborative Identity Management Platforms (IMP)
Technology EG – 2018 deliverables and next steps
[Figure: diagram labelled Section 1 to Section 5. Labels: One ID & Principles; Defining IMP; General Considerations for Setting up an IMP; Technical Considerations; Scoping; Information Flow elements; IMP Types; Technical Classification; Operational Classification; Required standards and RPs; Data Privacy Considerations; General Considerations; PAX at the center; SP Providers; IMP(s); IMP users; Examples.]
Operational Framework
• Basic guidance developed including links to existing templates and advice
• Agreed no further development required at this stage.
Privacy
• Guidance on preparation of a privacy impact assessment (PIA)
• Development of key messages and talking points for use by project team and stakeholders
• Identification of outstanding privacy questions – to be addressed in 2019
Legal & Governance EG – 2018 deliverables and next steps
Industry business case
• Qualitative analysis
• Further research and quantitative analysis required
Business Case guidance
• Initial guidance for stakeholders looking to develop their own cost/benefit analysis and business case
Business Case EG – 2018 deliverables and next steps
One ID Expert Groups
• Plenary sessions e.g. at PEMG or dedicated meetings
• Ad hoc meetings on specific topics in smaller groups
• Conference calls
• Individual contributions
Participation is open to airlines, airports, governments, partner organizations and IATA Strategic Partners with relevant experience and expertise in order to actively contribute to development of industry guidance, recommended practices and standards
Contact: Amandine Thomas, Project Manager, One ID, [email protected]
How to get involved?
Recap & Closing