20-year Anniversary Report: ICAO

Implementation Capacity Building Working Group (ICBWG), ICAO: Extending the benefits of ePassports

The establishment of the Biometrics Institute twenty years ago reflected a broader need to understand a world in which digital technology was playing an increasingly influential role in daily life. At about the same time in 2003, the International Civil Aviation Organization (ICAO) adopted specifications for electronic machine-readable travel documents (eMRTD or ePassport) that are digitally enhanced documents that contain an embedded chip, which holds both biographic information and a photo. The ICAO guidance material and specifications found in Doc. 9303 laid the foundation on which an extensive system of infrastructure could build. Beginning with Belgium in 2004, successive governments began issuing ICAO-compliant ePassports. By 2013, over 100 countries issued ePassports and nearly 400 million were in circulation worldwide.[1] As of 2020, 145 countries issue ePassports and there are roughly 1 billion in circulation.

In the post-9/11 world, the ability to confirm the identity of incoming travelers has increased in importance. ICAO’s specifications allow states to encode the documents they issue with a biometric to serve this objective. The capability to add biometric information to a document, combined with the option to authenticate data stored in an ePassport via ICAO’s Public Key Directory[2] (PKD), positions travelers to biometrically substantiate their claim to an identity in a secure manner. Moreover, electronic ePassport verification has enabled border authorities to streamline border processing by employing Automated Border Controls (ABCs). ABCs are “self-service” passport control points for arriving or departing travellers. In most cases ABCs will read and authenticate the ePassport and compare the holder to the ePassport facial biometric to verify identity. ABCs can thus be an important tool to expedite traveller process and identity verification, along with enabling border officers to focus on higher-risk scenarios.

The benefits of ABCs and the digital biometric data included in the ePassport can only be effectively leveraged if ePassports can be successfully read and if receiving states are consistently authenticating these travel documents. Compliance with Doc 9303 specifications will ensure that ePassports can be successfully processed at borders; however, it is important that receiving border entities carry out the full ePassport authentication process outlined in Doc 9303. Lack of adherence to these technical specifications can negatively impact the security, facilitation, and ID management benefits of the ePassport. Similarly, compliance with ICAO travel document issuance standards and recommended practices will help to ensure that presented ePassports can be trusted by receiving states. At the crux of trust lay the evidence of identity (EOI) principles of document issuance (i.e., a claimed identity is genuine, the presenter is linked to the identity, etc.).[3] In other words, states have assurance that data on ePassports are input only after issuing authorities exercise robust due diligence. The ICAO Implementation and Capacity Building Working Group (ICBWG), in which the Biometric Institute has been a valued participant, supports states in developing this capacity and has published a number of guidance materials and supporting documents for issuers and verifying entities.

As a reliable source of both digital identity and biometric information, the ePassport (or its derivative forms) is likely to be used to support facilitation and economic recovery – including as a tool to support low-touch processes in the new COVID-19 context. The profound impact of COVID-19 on the travel and tourism sectors cannot be overstated. As a recent Airports Council International analysis highlights, the airport industry anticipated a -64.2% reduction in traveller volumes and a reduction of over 6 billion travellers in 2020 compared to 2019.[4] ICAO has played a critical role in supporting states recover from the unprecedented crises through the establishment of the Council Aviation Recovery Task Force (CART). Among its many principles is the need to accelerate the use of contactless processing of travellers to reduce potential transmission. While governments and air industry sought to leverage biometrics and contactless processes well before the pandemic, COVID-19 has accelerated this trend.

As industries worldwide grapple with how best to exit COVID, there has been a proliferation of apps and solutions that support digital identity, and other inputs to cross-border travel, like vaccination credentials and testing results. The ecosystem is indeed fragmented. However, in the same way ICAO has played a significant role throughout the pandemic, so too has it continued to advance work on the Digital Travel Credential (DTC)—in its simplest form, the DTC is a digital replica of the data on the ePassport. The DTC presents a new opportunity to process travellers before their arrival. With the DTC, border entities can carry out most of the border inspection process before a traveller’s arrival, leveraging the embedded digital biometric to bolster pre-arrival screening. Upon arrival, the traveller would be linked to their pre-screened digital biometric and enjoy an increasingly streamlined and touchless arrival process. Now, perhaps more than ever, the existing infrastructure that supports ICAO-compliant ePassports is fundamental, as a strong base in ePassport issuance and processing is required to support the use of the DTC, along with the expanded use of digital identity and, by extension, the recovery of travel. The ePassport offers as much potential now as it did almost two decades ago.

Extending the benefits of ePassports will serve a variety of purposes. For example, leveraging existing ePassport infrastructure will reconcile privacy concerns by protecting the identity of individuals through well-established and trusted cryptologic practices. Additionally, bringing awareness to the ability for the ePassports to act like a record from an issuer’s database, but in the hands of travellers, strengthens the notion and principles of individual digital sovereignty. The DTC, as a digital replica of the ePassport, contains the same electronic and security features as an ePassport and contains a biometric that adheres to passport issuing processes. This can be electronically verified for signs of tampering and authenticity.

Although many private-led initiatives comply with privacy by design (PbD) principles, the ePassport remains one of the most reliable documents in circulation worldwide. That ePassports are issued according to global standards on travel document issuance underscores their global interoperability and trust. Further, no other entity has the same access to the PKD/PKI like government authorities do, which further supports the use of a DTC, the PKI’s cryptography, and a decentralized validation structure in the future.

As we approach the twenty-year anniversary of the ePassport, how can we ensure that the benefits of ePassports are maximized? What other use cases may benefit from leveraging biometrics and the backend infrastructure that support ePassports? ICAO has expressed interest to provide non-state actors access to the PKD for limited commercial purposes on a trial basis. This is welcomed news for many, particularly in the air industry. Accordingly, the PKD Board recently solicited interest from private entities to determine whether leveraging the PKD for limited commercial purposes may have utility beyond aviation. In this way, the benefits of ePassports may well extend into the private sector in the future and apply to a variety of areas in which digital identities are required.

For further information on the ICBWG please email ICBWG@icao.int.

Implementation Capacity Building Working Group (ICBWG), ICAO

[1] Government of Canada, “History of the ePassport: Backgrounder,” (Ottawa: May, 2014) Accessed 25 August 2021.

[2] ICAO PKD Background: https://www.icao.int/Security/FAL/PKD/Pages/default.aspx

[3] ICAO, “TRIP Guide on Evidence of Identity,” Version 5.4 (May 2018).

[4] Airport Council International – World (ACI), “The Future of Travel and Digital Identity at Airports,” (Montreal: May 2021), 5.

Applications and use cases | Privacy and policy | Research and development | Technology innovation

Lead the debate with us on the
responsible use of Biometrics