Customs and Border Protection Biometric Exit program
U.S. Customs and Border Protection (CBP) implemented a pilot program in a limited number of airports that employs biometrics to streamline travel. It developed a system that uses facial recognition to preclude the need to present a passport while traveling. Participating commercial partners—such as airports, airlines, or cruise lines—let passengers opt in to the service, which captures images of travelers’ faces at boarding. If the CBP system finds a match to the photos on file, travelers can board their flight or ship—and in some instances go through customs—without presenting their passport.
Six sea entry ports and 34 airports use this program, and three airline partners and one cruise line implemented the system for document-free boarding. The service uses passenger manifest data, which includes travelers’ demographic information and existing photographs (such as from passports), to confirm individuals’ identity by comparing the images against those captured during boarding. The commercial partner will receive a message from the system that a match was found, and the traveler is not required to show a passport or a ticket to board a flight or go through customs.
When individuals book their travel, they supply basic demographic information to the commercial airline or other carrier. This information creates the manifest that contains all expected passengers and their basic demographics (name, birthdate, gender, and address), which is sent to CBP. This information is used to create a gallery of the passengers, pulling from existing demographic information and photos already on file (obtained from prior CBP encounters, or from other federal agencies, such as the U.S. Department of State). The CBP system converts the raw images to templates then performs identity verification throughout the travel process.
When the passenger queues to board the flight, CBP officers or airline personnel capture a photo of the individual at the gate (where a boarding pass and passport would usually be scanned) using commercially available technology, such as a tablet or webcam. The camera system used at the gate sends the image to the CBP system, which converts the photo to a template and compares it to the images in the photo gallery using a matching algorithm. The airline receives a yes or no response within seconds that indicates if the passenger matches the flight manifest and can board without using a passport. If a match isn’t found, the passenger uses a physical passport and boarding pass.
Technological and other key characteristics
Airlines and cruise ships can use COTS cameras, including tablets and standard webcams, to capture images only if the device has a network connection. After initial testing of matching using images from COTS cameras, CBP had successful match rates in the high 90s.40 The composition of the photo must meet the CBP-determined quality standards in order to be used by the matching algorithm, including the position of the head of the traveler, and the percentage of space the head must fill within the photo. When taking the photos, CBP requires that the airlines or cruise lines:
- capture multiple images;
- ensure travelers look directly at the camera;
- include a “timeout” function in technology that sends the best image even if none meets the desired quality threshold; and
- provide proper lighting.
The CBP system is a secure cloud-based database with restricted access. For CBP staff who are granted access, two-factor authentication is required.41 Air and cruise lines do not have access to the images, and they do not retain photos in their systems. Airline and cruise ship officials will see only a positive or negative match confirmation from the system.
Airports and other travel locations did not adjust their network infrastructure or bandwidth in preparation for using the CBP system. In some cases, this resulted in delays in system implementation and in capturing images, exchanging data, and matching results once it went live.42
Any U.S. citizen may opt out of the CBP Biometric Exit program and choose not to have their image captured.43 If opting out, travelers will go through a manual process, including a CBP officer or airline official reviewing their passports and boarding documents as typically occurs absent this program.
To ensure that privacy protections and matching algorithms remain current, CBP conducts routine testing and system audits. As the system continues to be used and with more travelers, there is more data available to assess match rates and ensure the highest possible confidence in match determinations.44 This data is used to update the system and improve the match rates.
The application of facial recognition by travelers underscores three lessons important to applying biometrics in the U.S. health care system: using commercially available technology, ensuring adequate infrastructure upgrades, and mitigating privacy concerns.
- Use of COTS equipment: This example highlights how facial recognition, unlike some other biometric modalities, can succeed with COTS cameras and equipment, including tablets and other standard webcams that are widely available. The use of COTS can lower the cost of implementing facial recognition within health care without sacrificing quality.
- Infrastructure upgrades: As demonstrated by bandwidth challenges at airports, biometric use can increase traffic on an organization’s network and lead to delays. Implementation of biometrics for cross-organization matching may require hospitals and other facilities to adjust or upgrade that infrastructure and networks and monitor traffic for challenges that emerge.
- Mitigate privacy concerns: CBP implemented several layers of security protections, including private network connections, dual-factor authentication, and limitations on user access. Similar approaches could mitigate concerns in health care. Encrypting information within databases and during exchange also adds to the privacy of the sensitive data.
World Economic Forum Known Traveller Digital Identity project
Similar to the CBP Biometric Exit program case example, the Known Traveller Digital Identity (KTDI) project has the ultimate goal of eliminating the need to present passports and boarding passes in international travel. The KTDI project works across stakeholders—government agencies, sectors, and countries—to allow travelers to use a smartphone application as their identification when traveling.
Although many travelers store boarding passes within airlines’ smartphone applications, passengers can also use the KTDI app to store and manage their identity information (passport data, photo, and flight information). From the app, they can consent to share the identity information required by a particular entity, including facial photographs, with border authorities, airlines, and other partners in advance of their travel. At specific checkpoints and throughout their travel, biometrics are used to confirm their identity.
As of April 2020, the KTDI project remains a pilot program and can be used in three airports globally: Montreal-Trudeau International Airport, Toronto Pearson International Airport, and Amsterdam Airport Schiphol. Air Canada and KLM Royal Dutch Airlines participate in the program and plan to use the KTDI app as a digital form of identity for up to 10,000 travelers throughout the pilot.45 To join in the pilot, the traveler must be invited to create a digital wallet that contains the identity information using the KTDI app through participating airlines.
To participate in the program, the traveler first creates a username and password via the KTDI app and can elect to use the mobile device’s biometric verification in place of a password (e.g., fingerprint or facial recognition, depending on the device). Once in the app, the traveler creates a profile.
After the digital profile is set up, the traveler goes to a local government office to verify their identity. To do this, they supply their passport to a government official and have a digital picture taken. Both pictures—the new one and the existing photo image, which is accessed through the chip on the physical passport—are converted into templates and run through a matching algorithm; this step ensures that the passport belongs to the traveler. Upon match confirmation, the recently taken photo is deleted.
Once the match is confirmed, a QR code is created and displayed on the government official’s computer. The traveler opens their KTDI app and scans the QR code, which creates a secure connection between the government computer and the mobile device, allowing for data exchange between them. Through the secure connection, the government official sends a mobile passport to the KTDI app, which includes demographics and the digital facial photo image that were pulled from the passport via its chip. The facial image, along with demographic information, is stored on the user’s mobile device in the KTDI app. The traveler now has a government-approved mobile passport in the KTDI app. Before their travel begins, the traveler can elect to share their mobile passport with the airline and border control.
When using the KTDI app prior to travel, the raw images are encrypted and sent to the stakeholder’s biometric system, where they are converted into templates. There is a KTDI lane at security, boarding, and border control, where live photos are taken of passengers. The images of those photos are also sent to the biometric system, where they are converted into templates, and facial recognition is used to compare the live image with the photo from the mobile passport. If a match is found, the traveler can proceed without needing to use a passport or boarding pass.
Technological and other key characteristics
KTDI uses a decentralized identity model, meaning that there is no central authority needed to validate an identity claim, with the user controlling the access. Travelers maintain the data on their smartphones for the duration of the KTDI pilot, and the stakeholder’s biometric system containing the image galleries used to confirm identity is frequently purged, often 24 hours after travel is completed.
The photo must be a passport photo that is compliant with the International Civil Aviation Organization standard, which is based on the International Organization for Standardization (ISO) standard.46 These standards control for quality, format, and size, among other image requirements.
When users elect to share data from the KTDI app, they can see when and by whom their data is accessed and viewed.
The KTDI example demonstrates two key lessons on the power that individuals can exercise over their digital identities:
- The use of standards: KTDI works across industries and among public sector agencies because these stakeholders agree upon and commit to the use of standards, as they did with ISO facial image standards. As health care implements and uses many standards—including code sets to document diagnoses, order labs, and send claims—the industry is capable of adopting them, when the benefits are clear.
- User control as a privacy lever: In the KTDI process, individuals not only control who can access their digital identities but can also see an audit trail. Putting people in charge of their data can help with uptake in participation in programs that use biometrics, and audit trails can act as an important mechanism for transparency. In health care, allowing patients to be in control of their biometrics and increasing transparency around how their data is used could help with adoption of this technology.
MasterCard’s biometric payment card
Mastercard created the first payment card that uses biometrics to verify individuals’ identity for purchases in lieu of a personal ID number (PIN) or signature. The technology inside the chip on the card allows users to scan a fingerprint by placing it on the card’s embedded sensor to authenticate who they are during a purchase. Merchants do not need to purchase additional hardware, as the biometric reader is the card itself, powered by the standard EMV (Europay, Mastercard, and Visa) terminal in use worldwide.
This biometric card uses existing merchant hardware and transaction messaging as part of its solution. It functions as an alternative method of authentication confirming that the person is permitted to make the purchase without the need for a PIN or signature. The user experiences a checkout process that is as fast as current contactless transactions, while keeping sensitive biometric data on the card itself. Additionally, the results of the biometric match are shared with the issuer as part of the authorization request.
Cardholders can enroll for the biometric card at home using battery-powered “self-enrollment devices,” which are available from card vendors. In a typical use case, the cardholder inserts the biometric card into the device, providing power to the card for enrollment. After the cardholder completes the enrollment, they then contact the card issuer to activate the account and verify their identity.
If the card will be used for the distribution of formalized benefits, such as disbursements or insurance benefits, enrollment is an in-person process. The cardholder provides demographic information and a government ID to confirm their identity. The cardholder is either given the enrollment device as above or uses a tablet to capture fingerprint images. The fingerprint images are converted to a template and transferred for storage onto the card.47 The card is then activated. In either case, the biometric data is stored securely as a digital template on the card and never shared externally.
Once the templates are stored on the card, the cardholder can begin to use it normally. The cardholder inserts or taps the card at a terminal at purchase, placing a thumb on the card’s sensor. The thumbprint is compared against the stored biometric template on the card. If it was successful, the cardholder does not need to complete any additional steps. If the match fails—after a set number of attempts that merchants can determine for themselves—the card automatically switches to the next cardholder verification method enabled on the card using either a PIN or signature so the transaction can still be completed.
Technological and other key characteristics
The biometric card complies with the same standards as a regular payment card and can be used in any EMV terminal. For most effective workflows, the terminal should be:
- accessible to cardholders; and
- designed so the card sensor is not blocked from use for contact transactions.
For contactless transactions, the card can be used by tapping or hovering it close to the contactless indicator on the terminal.
The template of the cardholder’s fingerprint is never shared with the merchant.48
If the card is lost or stolen, individuals use the typical procedures for canceling and replacing a card. The card issuer would deactivate the account, and the card would not be usable.
This case study demonstrates the increased accessibility and acceptance of biometrics in everyday activities, as well as that biometrics provide an accessible approach for identity verification:
- Accessible authentication options: Biometric cards can be a simple tool for identity authentication and verification. A biometric card could become a health insurance card, acting both as insurance and identity confirmation, and is already something patients are accustomed to bringing to medical appointments.
- Multiple solutions for authentication: Biometric cards have backup authentication methods, such as using a PIN. If the matching fails, there is a safeguard for individuals in real time.
Provider authentication for electronic prescribing of controlled substances
A new federal law aimed at combating the opioid crisis requires physicians to start electronically prescribing— sending a digital prescription to a pharmacy, rather than a paper slip—controlled substances in a manner compliant with the Drug Enforcement Administration’s (DEA) rules and standards for digital credentials by Jan. 1, 2021.49 The DEA requires two-factor authentication, or providing two sources to confirm identity, for a provider to electronically prescribe controlled substances (EPCS). Allscripts, an EHR developer, and ID.me, a biometrics company, designed a solution to streamline electronic prescribing for controlled substances such as opioids.
Normally, EPCS requires multiple steps and the use of an external device, such as a fob, that generates a custom code. Through this approach, providers can use a smartphone application that transmits identifying information for two-factor authentication to meet the DEA requirements.
First, the provider downloads the ID.me app and enters their EHR user information, such as a username and password. The clinician then receives an email to their EHR and app accounts. After clicking the link to make the connection, the provider sets up multifactor authentication by entering a security code received via text into the app.
The provider then uploads both a photo of a government-issued identification—a passport or driver’s license— and a selfie taken in real time into the app. ID.me compares the image from the government ID with the photo using facial recognition.50 Both of the images are stored in the ID.me database as encrypted raw images.
After the above steps, the provider can use ID.me to provide two-factor authentication for EPCS. Using the standard electronic prescribing workflow within Allscripts, the physician can place the order for the controlled substance. The provider will then open the ID.me app and see an automatically generated six-digit code to enter within a field in the order as the second factor needed for authentication. The clinician can then sign and send the electronic prescription to the patient’s preferred pharmacy.
Technological and other key characteristics
Armed security guards, surveillance equipment, and access control technology secure the servers hosting biometric images.51 This approach helps protect the data from both physical and cyber intrusions.
The biometric selfies follow NIST Identity Assurance Level (IAL) 2 standards for quality, which include requirements on image resolution, pixels, and color and is the standard used for government-related transactions (NIST defines IAL2 as follows: “Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing.”).52 Photos can be captured on any mobile device with a functioning camera and network connection.53
For the photos used at registration, liveliness (meaning the image was taken live and not uploaded from a stored photo) and anti-spoofing detection, used to ensure the image is coming from the appropriate source, prevent the use of photographs of other individuals.54 These processes follow a NIST framework that stipulates how to complete the identity-proofing process with minimal security risk.55
The ID.me process of verification and the associated creation of a digital identity follow the principles developed by the National Strategy for Trusted Identities in Cyberspace (NSTIC). Launched in 2011, NSTIC is a government initiative that encourages collaboration across private and public sectors to improve the efficiency, safety, and security of online interactions, including digital identities.56 The principles state that credentials should be: privacy-enhancing and voluntary, secure and resilient, interoperable, and cost-effective and easy to use.57
This example highlights the security measures for central databases and the role that individuals’ smartphones can play in collecting biometrics and confirming identity:
- Centralized databases can be secure: Although many concerns over the use of centralized databases focus on breaches, there are ways to provide multiple layers of security to protect sensitive data. ID.me stores raw images and has designed access controls, auditing, and physical security to protect this information. If health care organizations use central databases, multiple layers of protection for sensitive health information could reduce the likelihood of unauthorized data access. There is, however, an associated cost that comes with physical security and extensive auditing and access control.
- Role of smartphones: As demonstrated by this example, smartphones typically available for consumers can take the photos as well as transmit the needed information, perform facial recognition, and share back a response on match status. As most patients have smartphones, this system provides a feasible and low-cost way to capture a biometric and can act as a form of identification from wherever patients and their smartphones are located.
- Users have sole control: Following the NSTIC principles, in this example users have control over their data—in this case, the choice of whether to use this approach for two-factor identification or revert to other approaches. Individuals opt in to the process, can choose to delete their digital identity at any time, provide consent for sharing each data element, can view what data elements have been shared and with whom, and can revoke access at any point. Giving the user this level of control empowers individuals to determine what to share, with whom, and for what purposes. As patients become more empowered through access to personal health information, this level of control over biometric data could help address concerns about privacy, security, and inappropriate usage.
Department of Homeland Security US-VISIT program and the IDENT database
The Department of Homeland Security (DHS) implemented a program that uses biometrics for security purposes at border control and points of entry into the U.S. The U.S. Visitor and Immigration Status Indicator Technology, or US-VISIT, program uses fingerprints and facial scans to identify all non-U.S. citizens who enter and exit the country. US-VISIT maintains a centralized database, referred to as the Automated Biometric Identification System (IDENT), to reduce the use of fraudulent travel documents and ensure that individuals entering the country are not known or suspected terrorists, criminals, or immigration violators.58 Federal agencies use IDENT to ensure that individuals entering or exiting the country are who they claim to be—and that their identity matches the demographic information on their travel documents and applications.
IDENT was the original database for fingerprints collected by border control in the 1990s.59 The US-VISIT program expanded IDENT to collect fingerprints and facial scans in international airports and additional ports to grow the database and confirm identity of non-U.S. citizens when they entered the country.
Several other federal agencies—including Citizenship and Immigration Services (CIS) and the Department of State—send raw images to IDENT as well. These images come from visa applications, past visits to the U.S., or criminal records.
US-VISIT is in place in 115 airports, 15 seaports, 101 land border stations, and 211 visa offices worldwide.60 It contains more than 200 million fingerprint records, 36.5 million facial scans, and 2.8 million iris scans.61
US-VISIT and the widespread collection of biometrics, particularly facial scans, were subject to scrutiny by the House Committee on Homeland Security in 2019.62 The committee raised concerns regarding security of the data because of a CBP system breach early in 2019, as well as issues with facial recognition software misidentifying people of color.
The US-VISIT program collects biometrics of non-U.S. citizens and stores the raw images within IDENT. The process begins either in a traveler’s home country at a U.S. visa-issuing post, such as a consular office, if the traveler is required to travel with a visa or upon arrival in the United States if the traveler is from a visa-waiver country. In the case of the former, the traveler goes to the closest U.S. visa-issuing post and meets with a Department of State consular official. There, a U.S. government representative interviews the traveler and collects biometrics: 10 digital fingerprints and a digital photograph. The raw images of those biometrics become part of the IDENT database.
Once travelers arrive in the United States, a CBP official reviews travel documents, scans 10 fingerprints, and takes a digital photo. These images also become part of the person’s record in IDENT and are assessed for a match to the existing images in the database. To determine a match, the images are sent to the IDENT biometric vendor, where they are converted into proprietary templates and assessed for a match against the templates of biometrics already on file. Upon finding a match, the CBP official obtains information on past travel, visa status, and whether the individual is on a criminal or terrorist watch list. Based on the information received, the CBP official processes the traveler’s entry accordingly, such as by allowing entry or detaining for further questioning.
If biometrics for this individual are not in the database and no match is found, the CBP official relies on travel documents and interviewing the individual before determining whether to permit entry into the country.
There is no permanent biometrics process at departure; the biometric exit process described here is currently being piloted. Instead, airline manifests complete the exit process. In the future, DHS plans to implement a similar biometrics process at exit as well.63
Technological and other key characteristics
IDENT uses international standards (American National Standard for Information Systems/National Institute of Standards and Technology—International, or ANSI/NIST-ITL) for raw image and data quality as well as for data exchange to enhance interoperability. These include specifications for image resolution, the percentage of the image that should be filled by the subject’s face, and overall dimensions.64
IDENT is a centralized database, and user access is restricted and monitored.65 Because so many U.S. government agencies provide and query the data, DHS controls access and limits the availability of information. If a user requests information and does not meet the security requirements to view data, IDENT does not return results.66
The US-VISIT process collects and stores raw images of multiple modalities for several purposes, revealing two lessons for health care:
- Raw images provide flexibility: Although the storage of raw images elicits security concerns, the images enable matching when aggregated from a variety of organizations and systems with limited barriers. These images can also be collected and compared when captured by different technologies, such as digital cameras or smartphones. Unlike with the exchange of templates, health care organizations could share raw images between facilities and databases for matching purposes without running into issues with vendor-lock or proprietary templates.
- Multipurpose uses: The images in IDENT are used for several different purposes: confirming identity, processing visa entries, identifying suspected terrorists, and reducing fraud, among others. By collecting and storing biometric images, health care could also find multiple purposes for them, with appropriate patient consent. Health care organizations could use images for patient matching but also identity verification when administering medications in the hospital or dispensing prescriptions to patients.
Five Country Conference Protocol
The Five Country Conference (FCC) Protocol is a collaboration among the United States, Canada, the United Kingdom, New Zealand, and Australia to share biometric data to enhance immigration and border operations and security. Each country allows the others to search their biometric database for matches when reviewing and processing immigration applications, including asylum and refugee determinations, using specific criteria. These criteria include: if the identity of the applicant is unknown or uncertain; if the applicant’s current location is unknown; or if there is reason to believe that the applicant has spent time within one of the participating countries.67
Each country maintains a database containing biometric data of individuals who enter their country. All five countries include fingerprints; several also incorporate additional modalities. The U.S. database IDENT (discussed in the case study on the US-VISIT program) contains biometrics of non-U.S. citizens who enter and exit the country. The country’s relevant agency queries the applicable country’s database to search for a match for a specific applicant and receives information back.
The FCC Protocol began in 2009 and shares nearly 3,000 individuals’ biometric data among the five participating countries each year.68
Each country’s immigration authority collects biometric data on individuals applying to visit the country, either through a visa or as a refugee seeking asylum. The collection of biometrics begins either at a consulate or visa-issuing office or at ports of entry, including airports, seaports, and land crossings. If travelers require a visa, they go to the closest visa-issuing post at their point of origin. There, a U.S. government official interviews the traveler, reviews the visa application, and collects the biometrics. These raw images become part of the participating country’s biometric database. This is the same initial process used in the IDENT example.
If any of the partner countries identify an individual who meets the criteria, that country can query the system of the other nations for a match. The requesting country sends the raw biometric images it collected using a shared standard messaging format.69 The providing country works to respond to the request within 72 hours with match information.
When one country queries another’s database, a two-part process ensues. First, a message, containing only the raw fingerprint images, is sent through a firewall to a secure server hosted by the Australian government. That server works as the central processer for the requests and passes along the images to the applicable country. Once received, each country converts the images into a proprietary template and compares the data to the templates it has on file. Each country uses a different vendor to convert the images into a template and run the matching algorithm.
If a match is confirmed, the country that received the request will share the positive result as well as the demographic and other information about the individual.70 With this information, the requesting country then determines next steps for the specific applicant—such as moving forward with the individual’s visa or asylum application to enter the country or denying entry.
Technological and other key characteristics
Each country’s database and administering agency is as follows:
- The Immigration and Asylum Fingerprint System in the U.K., administered by the U.K. Border Agency
- The Biometric Acquisition and Matching System in Australia, administered by the Department of Immigration and Citizenship
- The Automated Fingerprint Identification System in Canada, administered by the Royal Canadian Mounted Police for its own purposes and on behalf of Citizenship and Immigration Canada and the Canada Border Services Agency
- The IDENT System in the U.S., administered by DHS
- The Immigration New Zealand database
The raw fingerprint images meet ISO standards for quality and formatting. After assessing a match, each country deletes information received from another. This process ensures that no nation incorporates data from another country into its system.
Each country signs a formal protocol for bilateral, international data-sharing that outlines the requirements for privacy and security controls. DHS provides oversight to ensure compliance with the protocols, both within each country’s database and through any process of exchange. The protocols include an agreement prohibiting the exchange of classified information, requiring two-factor authentication to access information, and mandating regular access audits.71
The FCC Protocol allows disparate countries to access each other’s biometric databases, highlighting three lessons for health care:
- Interoperability via a federated approach: This federated data model lets each country maintain separate, centralized databases yet still query and share information among them. Because many health care organizations host their own database, this example demonstrates that a federated model connecting separate health care systems could allow for query-and-response messaging to perform patient matching using biometrics through the use of agreed-upon standards.
- Sharing raw images: The exchange of raw images prevents vendor-lock. With raw images, users can maintain separate centralized databases, exchange raw images between them, select the biometric vendor of their choice, and use proprietary templates on which to run matching algorithms. This would allow health care organizations to select the system and vendor that meets their needs and still be able to exchange data with other facilities.
- Common agreement needed: All the countries in the FCC Protocol agreed to a common set of policies addressing use, technical standards for storage and exchange, and privacy. In health care, a common agreement could set similar guidelines that develop standards and principles for the storing and sharing of biometrics. An existing model already exists in the United States: the Trusted Exchange Framework and Common Agreement (TEFCA). Congress in 2016 required ONC to establish TEFCA—an opt-in commitment for health information exchanges to use the same standards to receive and share health information. TEFCA could outline modalities to use standards for images, requirements for exchange of those images, and privacy and security stipulations. Agreeing to a set of standards allows health care organizations to maintain their own systems and vendors, yet still be able to utilize a much larger connection of partners to improve the accuracy of patient matching.
eu-LISA Visa Information System
Officials of the Schengen area, which comprises 26 European countries, eliminated passport and border controls for travel within the region. Additionally, the Schengen area countries share biometric images for nonmember country visa applicants in order to create a greater level of security and reduce duplicative applications. A citizen from a non-Schengen area country can apply for a single Schengen visa and visit any member countries freely.
Schengen area countries use a shared database to manage visas, called the Visa Information System (VIS). The VIS uses biometrics to confirm the identity of visa applicants, avoid duplicative review among member countries, and reduce fraudulent applications. The system is managed by the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA), which manages all large-scale IT systems used for security and justice. The VIS also ensures that there are not duplicate visas for the Schengen area granted to the same person: for example, that a visa is not granted to the same individual by both Austria and Germany, when only a single Schengen visa is needed for visiting both countries.
At the end of 2017, the VIS contained data on more than 31 million visa applications, resulting in the granting of 29 million visas and the denial of 2 million across member countries.72
The VIS contains all visa application data from Schengen area countries, including demographic information, digital photographs, and fingerprint images. When a traveler from outside the EU requires a visa to travel to a Schengen country, the individual goes to a consular office in his or her home country with a visa application and passport. The consular official collects the traveler’s fingerprints and facial image, and the VIS stores the raw images along with the application.
At this point, the consular official determines if the traveler already received or applied for a visa, either to the same country or to another Schengen area country. To do this, the recently collected fingerprint images in the VIS are sent to the biometric matching system (BMS) that is also maintained by eu-LISA. BMS converts the images into templates in order to perform matching and never retains the raw images. BMS does retain the templates in order to use the images for future comparison. If the traveler already existed in the VIS from a prior visa, the consular official receives a match notification. The official then grants or denies the visa application.
If the visa is granted, a border control official collects the traveler’s fingerprints again at an airport, seaport, or land crossing station. The fingerprint images are templated and run through the matching algorithm, and the border control official receives a yes or no response. If a match is confirmed, the traveler can proceed with the entry process. If there is no match, the border control official determines if the individual can enter the country through an interview and a manual review of travel documentation and identification.
Technological and other key characteristics
Fingerprint images in the VIS meet the ANSI/NIST-ITL standard that determines quality, resolution, and size. All member states receive a fingerprint acquisition toolkit that performs quality control assessments on the collected fingerprints to ensure they meet the requirements and undergo processing by the biometric matching system.
As the VIS is a centralized database and all participating Schengen countries have access, users obtain access authorization and encrypt all data exchange over a private network.73
Visa applicants who visit frequently are not required to provide a new set of fingerprint scans with each application. Once stored, returning applicants can reuse their stored fingerprints for five years.74
This example demonstrates how to share a centralized database across many users:
1. Cooperation allows for shared infrastructure: The VIS is shared by 26 countries with each nation collecting, storing, and querying data within it. Despite the geographic dispersion, each country adopted shared criteria, common standards, and a single process for managing visa applications to participate. If health care in the United States adopted a single system or multiple shared systems or services approach, organizations would also need to implement a similar common agreement—around principles, practices, and infrastructure—to effectively and securely exchange biometric data. If health care commits to a common agreement and infrastructure, it is feasible for multiple facilities to contribute to and reference a shared database to use biometrics for patient matching between organizations. As previously mentioned in the FCC Protocol example, TEFCA could serve as a platform to secure this cooperation.
Estonia national e-ID card
Estonia’s e-ID card, introduced in 2002, is widely acknowledged as one of the most advanced approaches to digital identity and, although biometrics play a limited role, the infrastructure used offers lessons learned for health care. Estonia mandates an e-ID card for citizens over 15 years old. Citizens can use their e-ID as a national health insurance card, for official identification when traveling within the European Union, to remotely access their bank account, to pay for goods, to sign contracts, to view their health information, and even to vote.75 Estonians can use e-IDs to access 99% of public services digitally—for instance, collecting social welfare benefits, paying for public transportation, or reporting a crime.76 Currently, citizens set up a PIN to confirm identity when using their card, but Estonia is upgrading the system to allow for the use of a fingerprint in its place.
The e-ID is a physical card with an image of the citizen’s face, basic demographic information, various security features, and a chip. The chip contains two digital certificates aligned to two separate PINs: one for identity authentication, and the other for providing a digital signature. Every individual’s PIN stays the same (so long as the card is not stolen or breached in any way) and is used to confirm identity, access services, and send data.77 By 2019 individuals had used the e-ID as a digital signature more than 900 million times, as well as to vote in national elections and electronically submit taxes.78
Despite the widespread use, Estonia dealt with a major breach in its e-ID and chip technology in 2017. The country recovered from this incident through risk mitigation strategies and transparent communication with the public. For example, cardholders could update their PIN remotely, and Estonia upgraded the card chips to address the cyber risk. The country resolved the crisis that same year as a result of cooperation among the government bodies, researchers, private sector partners, and residents.79
The e-ID can be used to access many needed services and share information—including personal health information. Although biometrics are not yet a part of the process, the workflow includes elements relevant to health care in the United States that could integrate disparate health information and use digital identity in the confirmation of patients.
Estonia has an electronic health data repository (e-Health Record) that integrates data from providers and systems across the country. Acting as a centralized system, patients can view all of their health information in one place, regardless of the providers, facilities, or systems in which they received care. To access their data, patients use the e-ID to confirm their identity when logging in to the country’s patient portal. Patients insert their e-ID into a COTS chip reader, and it reads their user credentials to log in to the portal. They then enter a PIN as a security measure in order to access health information.
Through this process, patients also control access to their health information and determine which providers can view their complete e-Health record.80 However, in a medical emergency, a provider uses a patient’s e-ID card to view critical health information such as blood type, allergies, medications, and current diagnoses.81 Similarly to accessing the patient portal, the provider can insert the e-ID into a chip reader to access basic emergency health information through e-Health Record.
If the e-ID card is lost or stolen, the individual must call the ID helpline within 24 hours so the following processes could be triggered:
- Certificates are suspended: The individual must call the 24/7 helpline and identify themselves by stating their name and PIN. Suspending the certificates means that e-services cannot be accessed or used. To end the suspension, the individual must appear in person at a service point of the issuing authority and file an application to reactivate their e-ID.
- Revocation of e-ID/e-Residency card (including the certificates): To revoke an e-ID, an individual must go to a service point and file an application. Revocation means that the certificates are revoked, and electronic functionality can neither be used nor turned back on.82 The individual will need to reapply for a new e-ID.83
Technological and other key characteristics
The e-ID works across industries and sectors through the use of a solution called X-Road. X-Road securely shares information between systems and normalizes data. This system can send large data sets, write data into databases when appropriate, and search across multiple systems at the same time.84 X-Road also provides an extra layer of security and ensures that only known and approved entities and users participate in the data exchange by monitoring and tracking access.
Estonia’s e-Health Record displays relevant data in a patient portal. Providers and organizations can use an EHR and other systems of their choice, and those systems communicate directly with the central e-Health Record. Systems send information using standards-based interface messages (e.g., HL7 messages, the international standard for sending and receiving electronic health information, and DICOM, the standard for exchanging medical imaging data). In this case, the e-ID allows patients to authenticate their own identity and grant access to authorized users before viewing or sharing sensitive information. The card does not store health information.
The cards themselves work with most COTS scanners to read the chips. The chips store encrypted data that can be accessed only by an individual using a private PIN (and potentially biometrics in the future) or through a user granting access.
The e-ID demonstrates that a digital identity can scale across many different industries, scenarios, and environments. Health care can apply these lessons:
- Risk mitigation strategies: The crisis response in 2017 demonstrated that a breach doesn’t need to result in the termination of the technology or its use. Having plans in place to address breaches, maintaining open communication on resolution and next steps, and getting a fix out as quickly as possible allowed the e-ID card to remain a trusted solution. In health care, a similar risk mitigation and communication plan is needed to address potential breaches to the selected technology.
- Identity can be repurposed: The e-ID’s use and purpose grew exponentially beyond identity confirmation. As discussed, Estonian citizens can use the e-ID to vote, as proof of health insurance, and as a digital signature, among other purposes. A similar digital identity approach for a patient in the U.S. could be used for initial identity confirmation and also for other health purposes, such as checking in for an appointment, telehealth access, or filling a prescription. The digital identity could include biometrics as part of it—in place of a PIN—and individuals could opt in to their use in health care for patient matching and other purposes.
India’s Aadhaar program
India’s Aadhaar program is the world’s most extensive use of biometrics: More than 1.2 billion people have registered and received an Aadhaar number.85 This optional number allows both citizens and noncitizens who reside in India to use multiple biometric modalities to identify themselves when receiving social services, traveling, or opening a bank account. The Aadhaar program collects fingerprints, iris scans, and a digital photograph alongside demographic information.
Any individual, regardless of age, can opt in to the program and receive a 12-digit Aadhaar number after completing the registration process. Individuals can use the number to obtain public services and benefits and confirm identity within the private sector, such as when applying for a job.
Prior to the Aadhaar program, nearly 400 million Indian citizens did not have a way to prove their identity.86 The Unique Identification Authority of India (UIDAI) implemented the voluntary Aadhaar initiative in 2009 as a way for citizens to have a government-sponsored method to confirm their identity.
Despite being lauded for its efficiency and cost-savings, the program has also received criticism about the danger of compromising individuals’ data in the event of a breach, because it collects all biometric modalities (face, finger, and iris).87 The program further raised questions of inequity: Individuals with medical conditions such as leprosy may not be able to take part in the program because their condition prevents them from providing fingerprints or iris scans. Due to these concerns, the Indian Supreme Court found that private companies could not require the use of the Aadhaar number (though individuals can still choose to use their Aadhaar number to confirm identity for private sector services).88
To receive an Aadhaar number, an individual goes to an official enrollment center, which are located across the country. The registration process requires providing demographic information, a verified government-issued ID (e.g., a birth certificate or driver’s license), and biometric information: 10 fingerprints, iris scans, and a facial photograph.89 In situations where individuals do not have supporting documentation or a government-issued ID, they can work with someone who the Indian government has called an “introducer”—an individual who has a verified identity and is a recognized member of the community, such as an elected official, teacher, or health care worker.90 An introducer can vouch for an individual’s identity in lieu of providing supporting documentation.
At the enrollment center, an operator scans the documents, returns them to the resident, and manually enters the demographic data. The operator then collects the biometrics. For children under 5 years old, only a facial image is captured along with one parent’s biometric confirmation.91 For residents over 5 years, all three modalities are captured.92
The government then stores the raw images in a central database called the Central Identities Data Repository (CIDR). The raw images are sent to biometric service providers, where they are converted to proprietary templates in order to be used for matching in the future. India uses three different biometric service providers to offer options for using different organizations to conduct the matching—each with its own templates. Each biometric service provider stores only its proprietary templates and deletes the images once processed. This step completes the enrollment process.
Then, individuals can use their Aadhaar identifier at service providers, such as government departments or private organizations. These service providers go through a certification process and must use registered biometric devices.93 They collect and use biometrics in real time to confirm identity, which occurs through a multistep process:
- An individual provides their Aadhaar number and has a biometric modality scanned.
- The technology used by the service provider sends the image to a biometric service provider, where it is converted into a proprietary template.
- The biometric service provider already has templates of the biometric provided at Aadhaar enrollment and runs a matching algorithm comparing those to the newly captured biometric.
- The biometric service provider informs the service provider if the biometric matches the Aadhaar number. If a match occurs, the individual can obtain the service.
Technological and other key characteristics
All biometric images collected for Aadhaar meet ISO standards.94 These standards dictate the format of the collected image, including resolution, content, and size.
As the CIDR contains and sends sensitive information, all data is encrypted in transit. Anti-tampering measures are used to safeguard data.95 The system tracks all actions, and the government orders regular audits. The authentication requests to the CIDR are purged every six months.96 Further, the program remains voluntary, and private entities cannot require the use of Aadhaar numbers to confirm an individual’s identity.
This use case demonstrates some challenges with large-scale biometric deployment and the utility of raw images for interoperability:
- Biometrics can highlight inequities: Just as artificial intelligence and machine learning have brought to light existing inequities in health care, the use of biometrics can present similar challenges. Biometric use can, for example, present obstacles for individuals who cannot provide fingerprints or iris scans due to existing health conditions. Similarly, facial scanning technology may not accurately identify people of color.97 This case serves as a reminder that no single modality or approach can work universally for identity confirmation and that software should be designed with inclusivity in mind. Health care should consider solutions that address these gaps and also have backup authentication options, such as texting a smartphone with a unique code.
- Raw images allow for interoperability: The secure sharing of raw images in Aadhaar allowed for the use of multiple vendors without sacrificing interoperability. The sharing of images allows new facilities and systems to opt in to the biometric infrastructure over time, as the solution becomes more commonplace and patients are comfortable with its use—all while allowing organizations to choose biometric vendors that meet their needs.
The need for digital identity is high in rural and hard-to-reach areas and in countries with high percentages of displaced populations, where many individuals do not have a government-issued form of identification. ID2020, a nongovernmental organization, works across the public and private sectors to develop new models for using digital identification around the world.
Individuals store this digital identity, including biometrics, on a smartphone application. By using this approach to demonstrate their identity, people can receive needed vaccinations, apply for a job, open a bank account, receive government services, and vote. This solution puts users in control of their identification information; they can decide with whom and for what purpose to share data.
ID2020 launched several pilot programs that use a smartphone application to store a digital identity. For example, in Indonesia, local governments used smartphone-driven digital identity to more accurately distribute state-subsidized propane gas; the details of that pilot are the focus of this use case.
Although the Indonesian pilot is a simple workflow, it raised several important considerations for future use. The program noted that in regions where local government was more engaged in the project and in communicating with individuals, it received higher numbers of volunteers for participation, compared to other regions where government was less engaged.98 The program also dealt with challenges collecting biometrics, including dust and dirt obstructing clean fingerprint reads, headscarves and veils worn by women that caused issues with facial recognition software, and network connectivity affecting collection and matching, especially in more rural and remote areas.99 Although the pilot did not solve all of these problems, it provided information on how to improve software and infrastructure to work in remote areas and across all populations.
In the spring of 2020, the media highlighted criticism that ID2020 would be used to track individuals through microchipping to combat the global coronavirus pandemic.100 However, neither the digital identity solution nor any of the pilot programs use microchipping or location tracking. The digital identification system still carries possible risks to privacy and security—as was illustrated with prior examples—that are mitigated through user-driven storage and access.
Indonesia recently completed a pilot program in 2019 of approximately 6,000 households within several different rural communities that used digital identity to access and receive government subsidies for liquified propane gas.
In Indonesia, local governments had challenges ensuring subsidized propane went to the correct person. In an effort to stop fraud and confirm that only qualified individuals were receiving the subsidized price, they implemented this pilot to use a confirmed digital identity. The National Team for the Acceleration of Poverty Reduction, an Indonesian cross-agency collaboration formed to improve implementation of social welfare programs and reduce inequity,101 estimated that better oversight could save the Indonesian government up to $3.49 billion per year.102
To enroll, individuals go to a registration center, where an official collects and confirms a government-issued form of identification (if one exists), demographic information, and biometrics, which include fingerprints and a digital photograph. These biometric images are stored on the individual’s smartphone. Within an application on the smartphone, an individual can create and store a digital identity using the demographic information and the biometric images. After enrollment, the person can use the digital identity app, along with biometric confirmation, as proof of identity and to receive the subsidized price.
When purchasing propane from a local authority, the individual opens the smartphone digital identity app containing their digital identity and an official scans a QR code within the app. Then, the official collects fingerprints using a digital scanner and/or a facial image with a digital or smartphone camera. The images are sent to a remote biometric processing and matching system, where they are converted to templates. The biometric system then confirms a match between the image stored on the smartphone and the one just taken by the official. The match confirmation enables the individual to purchase propane at a subsidized price.103
This pilot program is a single representation of how smartphones, in concert with biometrics, could improve access to services, reduce fraud, and ensure every individual has access to a validated form of identification. Several different pilots around the world have demonstrated the ID2020 approach, albeit with workflow changes because they are context-dependent.
Technological and other key characteristics
ID2020 uses a decentralized, distributed database architecture and a multimodality solution. In this model, sensitive data, including raw images, are saved only on a user’s smartphone in an application and can be shared only by the individual granting access. No central database stores the images or templates.
A multimodality system is another feature of ID2020’s approach. Collecting and using fingerprints, facial images, and iris scans provides multiple forms of biometrics and backups if one method fails or is unreliable. This also helps avoid issues such as those that the Indonesian pilot experienced, where fingerprints were unreadable because of dust or dirt.
All biometric images collected adhere to ISO standards, which dictate the quality of characteristics of the image, such as resolution, color, and format. The use of standards helps support exchange as pilot projects evaluate its use for identity between different types of systems and authorities.
Although ID2020 has a wide range of possible uses, the following two lessons are the most applicable to health care:
- The use of personal devices: Mobile technology is available worldwide and has reached even the most remote populations. ID2020 chose mobile applications because it found that even displaced refugees who did not have access to identity records still often had access to personal devices.104 In a 2016 consumer study of adult smartphone users, nearly 70% of respondents said that they want apps that provide digital identity documents, such as passports and national IDs.105 Health care in the United States could also leverage this approach for individuals to proactively share their digital identity with health care providers to support matching. Patients could use a smartphone application that collects demographic information, verifies a government-issued ID, and collects facial images to confirm identity. This process meets NIST’s identity-proofing standards and is managed by the patient.106 Biometrics are incorporated within the digital identity, as within the Indonesian example, and could be used across health care facilities to confirm patient identity.
- Infrastructure needs: As the Indonesian pilot demonstrated, individuals in rural and remote areas also require access to services. However, these areas faced challenges with connectivity, which were especially apparent when it came to exchanging data required for biometric matching. For these solutions to be equitable and accessible across the United States, infrastructure and connectivity issues must be addressed. Broadband remains inaccessible to portions of the country, and these areas may not yet have the infrastructure needed to support a biometrics-based solution for patient matching that relies on this type of connectivity.107