CAN UNCLASSIFIED

Defence Research and Development Canada
Contract Report DRDC-RDDC-2017-C282
November 2017

FASTER-PrivBio Project Plan

Kim Burrett-Scott, WorldReach Software
Jean-Guy St. Amour, Immigration, Refugees and Citizenship Canada
David Bissessar, Canada Border Services Agency

Prepared by: WorldReach Software, 2650 Queensview Drive, Suite 250, Ottawa, ON K2B 8H6
PSPC Contract Number: B8625-160470-001-SV
Technical Authority: Jean-Guy St. Amour
DRDC Contact: Brian Greene
Contractor's date of publication: November 2015



© Her Majesty the Queen in Right of Canada (Department of National Defence), 2015 © Sa Majesté la Reine en droit du Canada (Ministère de la Défense nationale), 2015


IMPORTANT INFORMATIVE STATEMENTS

The information contained herein is proprietary to Her Majesty and is provided to the recipient on the understanding that it will be used for information and evaluation purposes only. Any commercial use including use for manufacture is prohibited.

Disclaimer: This document is not published by the Editorial Office of Defence Research and Development Canada, an agency of the Department of National Defence of Canada, but is to be catalogued in the Canadian Defence Information System (CANDIS), the national repository for Defence S&T documents. Her Majesty the Queen in Right of Canada (Department of National Defence) makes no representations or warranties, expressed or implied, of any kind whatsoever, and assumes no liability for the accuracy, reliability, completeness, currency or usefulness of any information, product, process or material included in this document. Nothing in this document should be interpreted as an endorsement for the specific use of any tool, technique or process examined in it. Any reliance on, or use of, any information, product, process or material included in this document is at the sole risk of the person so using it or relying on it. Canada does not assume any liability in respect of any damages or losses arising out of or in connection with the use of, or reliance on, any information, product, process or material included in this document.

This document was reviewed for Controlled Goods by Defence Research and Development Canada (DRDC) using the Schedule to the Defence Production Act.


Abstract

Project CSSP-2015-CP-2114 (FASTER-PrivBio) aimed to develop a proof-of-concept for an innovative ‘end-to-end’ screening process for foreign travellers applying for an Electronic Travel Authorization (eTA) and crossing the border into Canada by leveraging the capabilities of the ePassport, smartphone, and Automated Border Control kiosks. The reports collected here capture the project’s initial planning and design work.


Table of Contents

- Concept of Operations – Use Case Model
- Issuance Exercise Test Scenarios
- Baseline Demonstration Report
- Exercise Plan
- Integration Analysis Report


Concept of Operations (Use Case Model) FASTER – PrivBio

Project: CSSP-2015-CP-2114 Page 1

FASTER – PrivBio

CSSP-2015-CP-2114

Concept of Operations - Use Case Model

30 November 2015

FINAL

(Charter Task# 2.1, Contract Milestone# 1)


Introduction

A Concept of Operations diagram and process descriptions have been provided as a guideline of the functionality, flow and sequence of activities which are part of the FASTER-PrivBio project. The next level of decomposition provides a more granular look at these activities. This has been done in a use case model presenting all of the actors (human or system) and actions or steps. This is not necessarily presented in a sequential flow but is more representative of the decomposition of the steps.


Record of Amendments

Version No. | Amendment / Section Amended | Entered By | Amendment Date
Version 1.0 | Initial version | Richard Gauthier | 16 October 2015
Version 1.1 | Updates from WorldReach review | Richard Gauthier | 23 November 2015
Version 1.2 | Revisions based on project team feedback | Kim Burrett-Scott | 27 November 2015


Description of each action

Request Pin: The applicant requests a PIN after entering a valid email address.

Generate Pin: Faster server generates a random 4-digit PIN and sends it to the applicant’s email address.

Login: The applicant logs in to the Faster app by entering the valid email address used when requesting the PIN and the PIN received.

Authenticate user: Faster server authenticates the credentials entered by the applicant. A secure connection is established between the user’s phone and the FASTER server.

Take photo of MRZ: The applicant takes an image of the ePassport bio-page using the mobile phone’s camera.

Validate MRZ: Faster app reads the MRZ lines from the ePassport bio-page image and validates the passport issuing country and the passport validity.

Set phone on ePassport: The applicant sets the phone on a valid passport where the ePassport chip is located.

Read ePassport chip: Faster app reads the chip using the mobile phone’s NFC capability.

Extract data groups: Faster app extracts the logical data structure (data groups) and the security data objects (data group hashes) from the ePassport chip:
- Data group 1 – contents of the Machine readable zone (MRZ)
- Data group 2 – Passport holder’s photo
- Data group 15 – Active Authentication public key info (if present)

Take selfie: The applicant takes a self-photo using the mobile phone’s camera.

Validate selfie quality: Faster app validates that the applicant’s photo meets the ICAO quality standards.

Extract selfie template: Faster app extracts a photo template from the valid self-photo.

Answer questions: The applicant answers a set of background questions such as criminal convictions, current health conditions etc.

Upload required documents: The applicant provides additional information required by uploading documents.

Submit payment info: The applicant enters the payment information and submits it.

View application info: The applicant reviews the application information entered and can continue a partially completed or submitted application.

Validate payment: Faster app validates and processes the payment information.

Submit application info: Faster app submits the application information (applicant’s and passport information) to the Faster server.

Store application info: Faster server stores the application information submitted by the applicant. No images or data are kept on the phone.


Request biometric token: Faster app requests the biometric token to be generated.

Generate biometric token: PrivBio app generates the biometric token using the photo template and pieces of the applicant/traveller personal information.

Request biometric token signature: PrivBio app requests the signature of the generated biometric token.

Sign biometric token: PrivBio server signs the generated biometric token.

Store signed biometric token: PrivBio app stores the signed biometric token on the mobile phone.

Retrieve application info: Faster server retrieves the application information submitted by the applicant.

Validate ePassport data group hash: Faster server hashes each data group extracted from the passport chip and compares it with the data group hashes also stored in the ePassport chip.

Validate ePassport Issuer Signature: Faster server validates the data groups’ hashes using the Document signing certificate used to sign them.

Validate ePassport Country Signature: Faster server validates the Document signing certificate using the Country signing certificate authority.

Evaluate selfie Against ePassport Photo: Faster server compares the applicant self-photo versus the passport photo extracted from the ePassport chip and determines the percentage of match.

Query Lost & Stolen Passport List: Faster server sends queries about the passport information to the lost and stolen passport database and stores only responses indicating pass/fail or ok/not ok (no data is passed).

Query Watch Lists: Faster server sends queries about the passport holder information to the watch list databases and stores only responses indicating pass/fail or ok/not ok (no data is passed).

Approve Application: Faster server automatically approves the application if all the check criteria have passed.

Generate QR code: Faster server generates a QR code once the application has been approved.

Send Notification to Applicant: Faster server sends the required notifications to the applicant’s email address:
- Request additional information
- Request interview
- Approval confirmation
- Rejection confirmation

Review Application: The Immigration reviewer or the Immigration approver can look at the application information when it has not been auto-approved to determine the next step.

Request Additional Documentation: The Immigration reviewer or the Immigration approver can issue a request for further information to the applicant’s email.

Approve Application: The Immigration approver decides to approve the application after reviewing all the application information received.

Reject Application: The Immigration approver decides to reject the application after reviewing all the application information received.

Send Interview Request to applicant: The Immigration approver sends an Interview request, if deemed necessary, to the applicant’s email address, indicating place, date, time and name of the Immigration interviewer.

Attend interview: The applicant attends the interview if it was requested.

Interview Applicant: The Immigration interviewer meets with the applicant and uses an interview script specific to the applicant’s case.

Record Interview Notes: The Immigration interviewer registers the notes with answers and comments related to the interview.

Present Travel Authorization Credentials: The applicant/traveller presents the ePassport and Biometric token stored in the applicant/traveller’s mobile phone.

Verify Biometric Token Signature: PrivBio kiosk verifies the Biometric token signature presented by the applicant/traveller.

Retrieve Biometric Token: PrivBio kiosk retrieves the Biometric token once its signature has been verified.

Scan ePassport: PrivBio kiosk scans the biopage of the applicant/traveller’s ePassport to retrieve the MRZ lines.

Validate MRZ: PrivBio kiosk reads the MRZ lines from the photo and validates the passport issuing country and the passport validity.

Read ePassport Chip: PrivBio kiosk reads the chip using the kiosk’s NFC capability.

Take Photo of Traveller: PrivBio kiosk takes a photo of the applicant/traveller using the kiosk’s camera.

Extract Traveller’s Photo Template: PrivBio kiosk extracts a photo template from the photo taken by the kiosk.

Generate Biometric Token: PrivBio kiosk generates the biometric token using the photo template and pieces of the applicant/traveller personal information.

Compare Generated Token Against Stored Token: PrivBio kiosk compares the biometric token just generated with the one stored on the applicant/traveller’s phone.

Provide Verification Feedback: PrivBio kiosk informs the applicant/traveller of the result of the verification of their travel authorization credentials.


Issuance Exercise Test Scenarios FASTER – PrivBio

Project: CSSP-2015-CP-2114 Page 1

FASTER – PrivBio

CSSP-2015-CP-2114

Issuance Exercise Test Scenarios

30 November 2015

FINAL

(Charter Task# 2.1, Contract Milestone# 1)


FASTER-PrivBio Issuance Exercises

Goal/Purpose

The two technology demonstration exercises are intended to provide the project team and partners an opportunity to work through a series of different usage scenarios highlighting the interfaces and interaction of the technologies, processes and policies that constitute the FASTER-PrivBio Concept of Operations.

Exercises

There are 2 technology demonstration exercises as part of FASTER-PrivBio CSSP-2015-CP-2114. The first exercise, the Issuance Exercise, will focus on the steps leading to the issuance of a response to an application and will take place in February 2016.

The second is the Verification Exercise which will take place in July 2016.

Exercise 1

The objective of this document is to outline the content of various scenarios to be executed in Issuance exercise 1. A second set of scenarios will be prepared at a later point to focus on Verification processes for exercise 2.

All scenarios are simulated; however, the exercises will make use of volunteered ePassports provided by individuals close to the project. The information read from these ePassports as part of the application, assessment and issuance processes for electronic travel authorization will be kept in a separate, secure test database, used and disclosed only for the purposes of this project and will not be retained any longer than the duration of this project. At the end of the project, the volunteered data will be securely destroyed.

No data associated with this project will be integrated with external databases. Any Interpol Stolen and Lost Travel Document Database (SLTD) or watchlist references in the scenario outcomes are strictly fictitious for the purposes of understanding the relevant processes and policies.

All information and discussions as part of the exercise are to be treated as confidential and not for disclosure outside the exercise.


Scope

Scope Item: Description

Type of exercise: This is a functional tabletop exercise. Expected to take 1 day (x hours?)

Situation: Consists of a number of volunteer individuals and groups going through the process of applying for an Electronic Travel Authorization & Agency (IRCC) personnel reviewing & making determinations on issuance.

Functions/Activities:
- Simulation of application process – by volunteer public users
- Simulated assessment process –
  i) FASTER application automated steps, including checks of IRCC database(s)
  ii) Manual steps, by IRCC agents in the case of flagged applications
- Simulated issuance process – PrivBio automated credential preparation, signing & issuance

Agencies involved:
- Public citizens – represented by volunteers (project team & invitees)
- IRCC – Immigration agency
- CBSA – Border agency
- DRDC – as observer
- OGDs – as observers, participants

Personnel:
- CIC – Strategic Business and Analysis Unit and Subject Matter Expertise (SME) from the Operational Management and Coordination Branch
- CBSA, Ottawa U & Ryerson U – biometrics, privacy & mobile platform security (PrivBio)
- WorldReach – technical application & platform development and requirements gathering (FASTER)

Exercise tools:
1. Android phones
2. ePassports (voluntarily provided by project team members & invitees, as well as specimens provided by IRCC)
3. FASTER mobile application downloaded to phones
4. FASTER issuance server
5. PrivBio application
6. PrivBio issuance server


Scenarios

Scenario 1

Simulation outline – Single Applicant Auto-approval
- 1 person applying for an eTA from a visa-exempt country
- not flagged on any watchlist
- ePassport is valid, not fraudulent
- passport photo is of the person applying
- selfie matches on passport photo

Player actions (table columns: Applicant – Actions, Comments/Instructions; Immigration Agents – Actions, Comments/Instructions; Evaluation criteria; Observations/Comments)

Applicant: Access the WR VisaReach (henceforth FASTER) application on the phone
Comments/Instructions: The application will be loaded on the phones used in the exercise in advance

Applicant: Follow instructions on the application to provide a valid email account & access PIN
Comments/Instructions: Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device

Applicant: Follow instructions on the application to take photo of ePassport (ePPT) MRZ, place phone on ePPT and take self-photo
Comments/Instructions: May require more than one self-photo if quality not good enough for submission

Applicant: Enter address information as required.

Applicant: Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Applicant: Submit payment
Comments/Instructions: This is a simulated payment – no credit card information needs to be entered

Applicant: Receive approval email and token on phone
Immigration agents: No action – application is auto-approved

Evaluation criteria:
- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Immigration processing agent can quickly search for the approved applicant if they wish to look for it
- It is clear to the applicant what the token is for

Scenario 2

Simulation outline – Single Applicant – Flagged on Watchlist
- 1 person applying for an eTA from a visa-exempt country
- Gets flagged on watchlist (Facilitator will request passport # in advance of executing this scenario)
- ePassport is valid, not fraudulent
- passport photo is of the person applying
- selfie matches on passport photo

Player actions (table columns: Applicant – Actions, Comments/Instructions; Immigration Agents – Actions, Comments/Instructions; Evaluation criteria; Observations/Comments)

Applicant: Access the WR VisaReach (henceforth FASTER) application on the phone
Comments/Instructions: The application will be loaded on the phones used in the exercise in advance

Applicant: Follow instructions on the application to provide a valid email account & access PIN
Comments/Instructions: Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Applicant: Follow instructions on the application to take photo of ePassport (ePPT) MRZ, place phone on ePPT and take self-photo
Comments/Instructions: May require more than one self-photo if quality not good enough for submission

Applicant: Enter address information as required.

Applicant: Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Applicant: Submit payment
Comments/Instructions: This is a simulated payment – no credit card information needs to be entered

Immigration agents: Reviewer – Hit for this passport # on the watchlist flagged
Comments/Instructions: Hit on watchlist means Immigration wants applicant to appear at mission closest to applicant.

Immigration agents: Reviewer – Issue request for further information/interview. Note to file for interviewer.
Comments/Instructions: SME to indicate what information would be required.

Applicant: Receive email request for interview, more info. Access application again to submit additional information. In person interview at Mission/embassy
Comments/Instructions: Will require adding an attachment/scanned passport

Immigration agents: Interviewer – access existing data on applicant & can update notes. Passport may be seized & application rejected. Appropriate information to file after interview
Comments/Instructions: Information on seized passport to be relayed to other systems? CBSA procedures kick in.

Evaluation criteria:
- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Instructions for follow-on activities are clear
- Immigration processing agent can quickly access the application & become aware of what the issue is
- Multiple agents involved can see what others have added to the file.


Scenario 3

Simulation outline – Single Applicant – Selfie & ePassport photo are not for the person applying (intentional misuse/fraud)
- 1 person applying for an eTA from a visa-exempt country
- not flagged on any watchlist
- ePassport is valid, not fraudulent
- passport photo is not of the person applying
- selfie manipulated to try to match on passport photo

Player actions (table columns: Applicant – Actions, Comments/Instructions; Immigration Agents – Actions, Comments/Instructions; Evaluation criteria; Observations/Comments)

Applicant: Access the WR VisaReach (henceforth FASTER) application on the phone
Comments/Instructions: The application will be loaded on the phones used in the exercise in advance

Applicant: Follow instructions on the application to provide a valid email account & access PIN
Comments/Instructions: Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Applicant: Follow instructions on the application to take photo of ePassport (ePPT) MRZ, place phone on ePPT and provide a self-photo
Comments/Instructions: Passport does not belong to the applicant. A photo that matches the passport will be provided to use in place of a selfie of the person applying for this scenario.

Applicant: Enter address information as required.

Applicant: Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Applicant: Submit payment
Comments/Instructions: This is a simulated payment – no credit card information needs to be entered

Immigration agents: Reviewer – the application has been flagged due to selfie & ePPT photo receiving too high a % match. Request another photo, ask for a different pose (e.g. mouth open, eyes closed)

Applicant: Receive request for additional photo by email, access mobile app to redo self-photo & submit
Comments/Instructions: Applicant tries again to submit a photo that is not a selfie but a photo of a photo.

Immigration agents: Reviewer – it should be apparent to reviewer that this is not a self-photo.
Comments/Instructions: SME to indicate what would be done in the case where you believe someone was trying to use false documentation to obtain eTA

Applicant: Receives refusal email.

Evaluation criteria:
- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant can easily access application previously submitted to provide additional information
- Immigration processing agent will see a very high match (e.g. over 99% if the applicant has a copy of the passport photo that they are able to submit as the selfie) & can quickly determine that additional photo required & execute request


Scenario 4

Simulation outline – Single Applicant – ePassport expired
- 1 person applying for an eTA from a visa-exempt country
- not flagged on any watchlist
- ePassport has expired

Player actions (table columns: Applicant – Actions, Comments/Instructions; Immigration Agents – Actions, Comments/Instructions; Evaluation criteria; Observations/Comments)

Applicant: Access the WR VisaReach (henceforth FASTER) application on the phone
Comments/Instructions: The application will be loaded on the phones used in the exercise in advance

Applicant: Follow instructions on the application to provide a valid email account & access PIN
Comments/Instructions: Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Applicant: Follow instructions on the application to take photo of ePassport (ePPT) MRZ
Comments/Instructions: After user takes photo of the ePPT, system will detect that it is an expired ePPT & present a message to the applicant. Processing will not proceed unless a valid ePPT is used.

User will cancel the application.

No record of this applicant should be found in the system

Evaluation criteria:
- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant is clear on why the process cannot proceed with this passport
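The "Validate MRZ" action and the expired-ePassport case in Scenario 4 both rest on parsing the two MRZ lines, checking the ICAO Doc 9303 check digits, and testing the issuing state and expiry date. The following Python is an added example, not code from the FASTER application; the function names, the accepted-issuer set and the reading of the two-digit expiry year as 20YY are assumptions, and the sample input is the ICAO Doc 9303 specimen MRZ.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

_VALUES = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # character value = index; '<' counts as 0
_WEIGHTS = (7, 3, 1)

# ICAO Doc 9303 specimen MRZ (fictional holder, fictional issuing state "UTO"), used as sample input.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36" "UTO" "7408122" "F" "1204159" "ZE184226B<<<<<" "1" "0"


def check_digit(text: str) -> int:
    """ICAO 9303 check digit: weighted sum (7, 3, 1 repeating) modulo 10."""
    total = 0
    for i, ch in enumerate(text):
        value = 0 if ch == "<" else _VALUES.find(ch)
        if value < 0:
            raise ValueError(f"character {ch!r} is not allowed in an MRZ")
        total += value * _WEIGHTS[i % 3]
    return total % 10


def _digit_ok(text: str, digit: str) -> bool:
    """True when `digit` is a decimal digit equal to the check digit of `text`."""
    try:
        return digit in "0123456789" and check_digit(text) == int(digit)
    except ValueError:
        return False


@dataclass
class MrzResult:
    issuing_state: str = ""
    document_number: str = ""
    expiry: Optional[date] = None
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_td3(line1: str, line2: str, today: date, accepted_issuers) -> MrzResult:
    """Validate a passport (TD3) MRZ: layout, issuing state, check digits, expiry."""
    result = MrzResult()
    if len(line1) != 44 or len(line2) != 44:
        result.errors.append("bad_length")
        return result
    if line1[0] != "P":
        result.errors.append("not_a_passport")
    result.issuing_state = line1[2:5]
    result.document_number = line2[0:9].rstrip("<")
    # Assumption: the caller supplies the set of issuing states the service accepts.
    if result.issuing_state not in accepted_issuers:
        result.errors.append("issuer_not_accepted")

    personal = line2[28:42]
    checks = [
        ("document_number", line2[0:9], line2[9]),
        ("birth_date", line2[13:19], line2[19]),
        ("expiry_date", line2[21:27], line2[27]),
        ("composite", line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    ]
    # An unused personal-number field (all fillers) may carry '<' instead of a check digit.
    if not (personal == "<" * 14 and line2[42] == "<"):
        checks.insert(3, ("personal_number", personal, line2[42]))
    for name, text, digit in checks:
        if not _digit_ok(text, digit):
            result.errors.append(f"check_digit:{name}")

    try:
        # Assumption: expiry years are read as 20YY.
        yy, mm, dd = int(line2[21:23]), int(line2[23:25]), int(line2[25:27])
        result.expiry = date(2000 + yy, mm, dd)
    except ValueError:
        result.errors.append("bad_expiry_date")
    else:
        if result.expiry < today:
            result.errors.append("expired")
    return result


if __name__ == "__main__":
    # Date of the Issuance Exercise (February 2016): the specimen expired in 2012.
    outcome = validate_td3(SPECIMEN_LINE1, SPECIMEN_LINE2, date(2016, 2, 1), {"UTO"})
    print(outcome.ok, outcome.errors)
```

Because the check digits cover the document number, dates and the composite of line 2, a misread character from the camera image fails validation before any expiry or issuer decision is made.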

Scenario 5

Simulation outline – Group (Family) Application – 1 Applicant Flagged on Watchlist
- family of 2 people applying for an eTA from a visa-exempt country
- 1 applicant is flagged on watchlist (Facilitator will request passport # in advance of executing this scenario)
- Both ePassports are valid, not fraudulent
- passport photos are of the persons applying
- selfies match on passport photo

Player actions (table columns: Applicant – Actions, Comments/Instructions; Immigration Agents – Actions, Comments/Instructions; Evaluation criteria; Observations/Comments)

Applicant: Access the WR VisaReach (henceforth FASTER) application on the phone
Comments/Instructions: The application will be loaded on the phones used in the exercise in advance

Applicant: Follow instructions on the application to provide a valid email account & access PIN
Comments/Instructions: Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Applicant: Follow instructions on the application to take photo of ePassport (ePPT) MRZ, place phone on ePPT and take self-photo of first applicant
Comments/Instructions: May require more than one self-photo if quality not good enough for submission

Applicant: Enter address information as required.

Applicant: Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Applicant: Follow instructions to add a second applicant on the same application
Comments/Instructions: Same as 2 steps above. Assumption is that family will want to make one payment covering both people

Applicant: Submit payment
Comments/Instructions: This is a simulated payment – no credit card information needs to be entered

Immigration agents: Reviewer – Hit for 1 of passport # on the watchlist

Immigration agents: Reviewer – Issue request for further information for both applicants. Notes to file on both applicants.
Comments/Instructions: SME to indicate what information would be issued to applicant.

Applicant: Receive email request for more info for applicant who was on watchlist. Provide documentation
Comments/Instructions: Will require attachment of documentation. Sample document will be available for applicant to use

Immigration agents: Approver – Determination is that applicants are to be approved. Notes to file for Border agency
Comments/Instructions: SME to indicate what the situation would be to result in approval of both. If rejection were to occur for 1 applicant, note how to handle tracking of this.

The way FASTER works currently is approval or refusal on all applicants in the application. The flexibility to approve some applicants while refusing others that have been submitted in the same application will be modified by time of second exercise.

Applicant: Receive approval email and token on phone

Evaluation criteria:
- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant can easily access application previously submitted to provide additional information
- Immigration processing agent can quickly determine that additional information required & execute request.

Scenario 6


Simulation outline – Group/Family Application – 1 Applicant Triggers Manual Review
- Family of 2 people applying for an eTA from a visa-exempt country
- 1 applicant’s answers to questions trigger further inquiry
- Both ePassports are valid, not fraudulent
- Passport photos are of the persons applying
- Selfies match on passport photo

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant can easily add attachments/scans when required
- Immigration processing agent can quickly determine that additional information was provided & sufficient to approve.

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, place phone on ePPT and take self-photo of first applicant

May require more than one self-photo if quality not good enough for submission

Enter address information as required.

Answer questions in such a manner that additional information is necessary (e.g. criminal conviction, health problem)

Will require explanatory text to be entered

Follow instructions to add a second applicant on the same application

Same as 2 steps above. Assumption is that family will want to make one payment covering both people

Submit payment

This is a simulated payment – no credit card information needs to be entered

Reviewer – Application is not auto-approved due to answers to questions, so the application becomes available for review.

Reviewer – Issue request for further information for both applicants. Notes to file on both applicants.

SME to indicate what information would be issued to applicant.

Receive email request for more info for applicant. Provide documentation

Will require attachment of documentation. Sample document will be available for applicant to use

Approver – Determination is that applicants are to be approved. Notes to file for Border agency

SME to indicate what the situation would be to result in approval of both. If rejection were to occur for 1 applicant, note how to handle tracking of this. Currently the system only allows approval/rejection on all applications in a submission.

Receive approval email and token on phone


Scenario 7

Simulation outline – Single Applicant – Token Misplaced
- 1 person applied for an eTA from a visa-exempt country and was approved
- Was not flagged on any watchlist
- ePassport was valid, not fraudulent
- Passport photo is of the person applying
- Selfie matches on passport photo
- Token received but misplaced by applicant, who wants to reobtain token

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions

Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Immigration processing agent can quickly search for the approved applicant if they wish to look for it
- Applicant is easily able to obtain replacement token

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, place phone on ePPT and take self-photo

Enter address information as required.

Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Submit payment

This is a simulated payment – no credit card information needs to be entered

Receive approval email and token on phone

Misplace token & need to re-acquire prior to travel to Canada

Question to PrivBio team – how will this be handled?


Scenario 8

Simulation outline – Single Applicant – Change Phones After Token Issuance
- 1 person applied for an eTA from a visa-exempt country and was approved
- Not flagged on any watchlist
- ePassport is valid, not fraudulent
- Passport photo is of the person applying
- Selfie matches on passport photo
- Applicant has a new phone & wants to reobtain token

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions

Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Immigration processing agent can quickly search for the approved applicant if they wish to look for it
- Applicant is easily able to obtain replacement token

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, place phone on ePPT and take self-photo

Enter address information as required.

Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

Submit payment

This is a simulated payment – no credit card information needs to be entered

Receive approval email and token on phone

Acquire a new mobile phone in advance of travel to Canada and need to re-acquire token?

Question to PrivBio team – do they need to get another token or would it be associated with the email that was received?


Scenario 9

Simulation outline – Single Applicant – Passport which is not an ePassport
- 1 person applying for an eTA from a visa-exempt country
- Not flagged on any watchlist
- Passport does not contain a chip

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions

Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant is clear on why the process is altered after trying to read chip & determining not possible.
- Immigration processing agent can quickly search for the approved applicant & see that this was not an ePPT application but that all other available information is valid & application is
- It is clear to the applicant that their application has been approved and email with 2D bar code is proof.

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, place phone on ePPT and take self-photo

After the user places the phone on the passport, the system will, after a number of seconds, be unable to detect a chip & will present a message to the applicant that the step can’t be completed & that they should proceed to the next step to take the selfie.

Enter address information as required.

Answer questions in such a manner that no additional information is necessary (e.g. no criminal convictions, health or other concerns)

The applicant should be found in the system but the information available for review will be less than was available for an ePPT submission. Review and approve the application.

Submit payment

This is a simulated payment – no credit card information needs to be entered

Receive approval email with 2D bar code.


Scenario 10

Simulation outline – Single Applicant – Passport which is not for a Visa-exempt country
- 1 person applying for an eTA from a country which is not visa-exempt
- Not flagged on any watchlist
- ePassport is valid, not fraudulent

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions

Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant is clear on why the process cannot proceed with this passport

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Follow instructions on the application to take photo of ePassport(ePPT) MRZ

After user takes a photo of ePPT, system will detect that it is not a passport for a visa-exempt country & present a message to the applicant. Processing will not proceed unless a valid ePPT is used.

User will cancel the application.

No record of this applicant should be found in the system


Scenario 11

Simulation outline – Single Applicant – Passport holder is a refugee for Visa-exempt country
- 1 person applying for an eTA has passport from a visa-exempt country but applicant nationality is another country & they are a refugee
- Not flagged on any watchlist
- ePassport is valid, not fraudulent

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions

Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Applicant is clear on why the process cannot proceed with this passport

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise, either on the smartphone being used or another device. If a PIN has been issued as part of another scenario, it can be reused.

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, and place phone on ePPT

After user takes a photo of ePPT & places phone on passport to read the chip, system will detect that the nationality is for refugee or non-visa-exempt country & present a message to the applicant. Processing will not proceed unless a valid ePPT is used.

User will cancel the application.

No record of this applicant should be found in the system


Scenario 12

Simulation outline – Single Applicant – a Minor
- 1 person applying for an eTA from a visa-exempt country is a minor
- Not flagged on any watchlist or SLTD
- ePassport is valid, not fraudulent
- Passport photo is of the person applying
- Selfie should match on passport photo

Player Actions Applicant Immigration Agents

Actions Comments/ Instructions Actions Comments/ Instructions

Evaluation criteria Observations /Comments

Access the WR VisaReach (henceforth FASTER) application on the phone

The application will be loaded on the phones used in the exercise in advance

- Applicant is able to follow instructions on mobile application to complete process quickly & easily
- Immigration processing agent can quickly search for the approved applicant if they wish to look for it
- It is clear to the applicant what the token is for

Follow instructions on the application to provide a valid email account & access PIN

Email account needs to be accessible from the location of the exercise

Follow instructions on the application to take photo of ePassport(ePPT) MRZ, place phone on ePPT and take self-photo

No requirement for information on someone submitting on behalf of a child. Is it necessary?

Submit payment

This is a simulated payment – no credit card information needs to be entered

Receive approval email and token on phone

Minor will require possession of the token or a QR code at verification time.


Baseline Demonstration Report FASTER – PrivBio

Project: CSSP-2015-CP-2114 Page 1

FASTER – PrivBio

CSSP-2015-CP-2114

Baseline Demonstration Report

30 November 2015

FINAL

(Charter Task# 2.1, Contract Milestone# 1)


Contents

Record of Amendments
Executive Summary
Overview of Baseline Demonstration
    Where we are in the project
    Participants
    Overview of Workflows
Principles of PbD
Demonstration Record of Observations and Findings


Record of Amendments

| Version No. | Amendment / Section Amended | Entered By | Amendment Date |
|---|---|---|---|
| Version 1.0 | Initial version | Kim Burrett-Scott | 12 November 2015 |
| Version 1.1 | Updates from WorldReach review | Kim Burrett-Scott | 20 November 2015 |
| Version 1.2 | Revisions based on project team feedback | Kim Burrett-Scott | 30 November 2015 |


Executive Summary

The “Facilitation and Secure Identification of Low Risk Categorized and Extremist Traveller (FASTER PrivBio)” Technology Demonstration project seeks to demonstrate a mobile technical solution that would facilitate the remote authentication of travellers applying to Immigration, Refugees and Citizenship Canada (IRCC), formerly known as Citizenship and Immigration Canada (CIC), using a mobile device, the ePassport and privacy-preserving facial biometrics (Renewable Biometric Reference or RBR). This would allow for early identification, screening and facilitation of travellers to Canada and accelerate the screening processes throughout the air travel continuum while protecting the traveller’s personal data, such as biometrics, passport and other sensitive biographic information. The demonstration will apply the Privacy by Design framework and 7 Foundational Principles.

The project will conduct software integration of a number of key technologies, including RBR, which will then be used in a number of technology demonstration exercises for which WorldReach is providing the software and technology platform. The project partners will participate in the exercises, consisting of realistic business scenarios simulating remote pre-screening. The project is a simulation; no real person/applicant information or data, or government traveller systems or networks, will be used in testing.

The first phase of the Execution Stage of this project included tasks to complete the baseline demonstration of the technology and the definition of test scenarios for the first technology demonstration. Feedback received during this phase will be used in the following phase to define the potential project integration points. The baseline demonstration resulted in a number of findings detailed in this report that will influence the next phases of the project.

Overview of Baseline Demonstration

Where we are in the project

At the project Kickoff meeting, held on August 17, 2015, the diagram below, which formed part of the FASTER-PrivBio Project Charter, was presented. At the beginning of this baseline demonstration it was revisited to update partners on the current state of the project.


The first phase of work in the Execution Stage of this project was to carry out a number of tasks to facilitate a baseline demonstration. These included:

- Setting up a ‘sand-pit’ environment for this project in which WorldReach and Ottawa U can do installs and integration of software for use in the project. This is an isolated environment not connected to any live systems or containing any live data.
- Establishment of a set of test scenarios to be used in the first technology exercise, focusing on the Issuance process of electronic travel authorizations, scheduled for the 1st Quarter of 2016.
- Elaboration on the concept of operations initially presented in the Project Charter in conjunction with information gained in discussions with universities & other partners.
- Conduct baseline demonstration with partners, reviewing potential integration points and flow between the components in FASTER and PrivBio.
- Execute the test scenarios using the baseline technology and software to the extent possible for the Issuance processes.

These tasks have now all been completed and the deliverables circulated for feedback with the project team.


Participants

The following is a list of the participants from all the project partner organizations who were able to attend the baseline demonstration/working session:

Immigration, Refugees and Citizenship Canada (IRCC)
- Jean-Guy St-Amour – Manager, Business and Strategic Research, Operations Performance Management Branch
- Kimberly Chrétien – Policy Advisor, NHQ Admissibility Branch
- Waleed Shatob – Statistical Analyst, Operations Performance Management Branch
- Karen Tso – Manager, NHQ Admissibility Branch

Canada Border Services Agency (CBSA)
- Nicholas Koutros – Senior Policy Officer, Access to Info. & Privacy Division
- David Bissessar – Research Scientist, Border Technology Division
- Kai Paul – Senior Program Advisor, Air Division, Identity Management
- Lori Pucar – Manager, Traveller Transformation - Air Division, Identity Management
- Marnie McKinstry – Manager, Traveller Transformation - Air Division, Passenger Processing

Ottawa University
- Carlisle Adams – School of Electrical Engineering and Computer Science (EECS)
- Maryam Hezaveh – working on PhD (EECS)
- Ali Noman – working on PhD (EECS)
- Xiaomei Zhang – Post doctorate (EECS)
- Fayzah Al-Shammari – working on Masters (EECS)

Ryerson University
- Michelle Chibba – Research Associate
- Alex Stoianov – PhD, CIPP/C

WorldReach Software
- Gordon Wilson – President
- Kim Burrett-Scott – Requirements & QA
- Richard Gauthier – Architecture & Development
- Ana Negrete – Business Analyst
- Randy Wong – Business Development - Canada
- Steven Grant – Business Development - International
- Jason Knapp – Technical Architect
- Shelley Bryen – Marketing


Overview of Workflows

During the baseline demonstration of the FASTER-PrivBio project, two main workflows were discussed and foundation principles of Privacy by Design were considered.

The first discussion focused on WorldReach’s current VisaReach platform for the application and issuance of secure travel authorization. This baseline product was used to demonstrate the data capture and authentication process of the applicant, for usage in the approval of an electronic travel authorization. The following diagram represents the workflow that was demonstrated through the WorldReach application. This workflow is a subset of the concept of operation from the initial FASTER-PrivBio proposal and charter.

Application and Issuance of Electronic Travel Authorization


The second part of the discussion focused on the PrivBio concept. The following diagram was presented by CBSA. It describes the components involved in acquiring and processing the data required for the generation of the Renewable Biometric Reference (RBR). The data is first captured with the mobile device, then processed by the issuance server to generate the RBR. The RBR is then transmitted to the mobile device to be available during the verification process. The generation of the RBR will be available for demonstration during the first Issuance Exercise to be conducted in late February 2016. The verification process will be demonstrated in the second Verification Exercise in the early summer of 2016.

Generation of the Renewable Biometric Reference (token)

Principles of PbD

Michelle Chibba was able to attend in person for the follow-up face-to-face meeting (September 28/2015) and refresh the group on the principles of Privacy by Design as summarized in the diagram below. After reviewing these, and in the context of the demonstration of the FASTER baseline, there were numerous comments and considerations noted with relation to embedding privacy into the design and functionality of the overall system, the use of privacy-preserving biometrics and resulting policy implications.


Demonstration Record of Observations and Findings

The baseline demonstration generated a great deal of interactions and discussions which provided valuable input for the technology integration, capabilities review (e.g. business policy), as well as privacy and biometric security reviews being carried out in subsequent phases of this project.

For those who couldn’t attend the group session, a separate demonstration was arranged at IRCC and a general offering to conduct demonstrations was put forward for anyone in partner organizations. Observations from such demonstrations are also included below.

These observations and comments have been summarized in subcategories below.

Visibility /Transparency

General Observation

Ensure clarity to members of the public using FASTER (WorldReach VisaReach application) on:

o How their personal information is to be used when submitting this information to a government agency to request a travel authorization.
o Only the necessary information is requested.
o What will become of the information in the long term (e.g. specific use of the information by the government agency, who has access to this information, information storage procedure and time limit, etc.)

The baseline version of FASTER collects only the information captured from the ePassport. The interface has been developed with the goal of using graphical images as much as possible to instruct the user on the steps required, and provide instructions that are simple and brief.

For consideration in FASTER

- Terms & conditions should be easily accessible to the “enrollee/applicant” at any point when completing the application process and duplicated on the website.
- The terms & conditions should be concise, given this is a mobile application, and clearly stated.
- The questions asked of the applicant may change over time, therefore the public application must have the facility for these questions to be easily modified by the government agency as required.
- FASTER must have the capability for the user to cancel their application at any point in the process or securely delete it after they have submitted their application.

Data Protection/Security

General Observation

Ensure that there is adequate protection of the personal information a user has entrusted to the application, on the mobile device and wherever the personal information is stored or transmitted.

It was noted that FASTER is intended for transmission and storage of personal data using the encryption standard appropriate to the sensitivity of the data.

For consideration in FASTER

- Ensure that the phone’s log files (image gallery) do not retain any images of the passport MRZ snapshot or selfie that are submitted as part of the application process. Minimal personal data should be stored on the mobile device.
- Team members looking at Privacy by Design (Ryerson) are to consider and provide feedback on the email/PIN process and the sufficiency of this process for protection of private data.
- A depersonalization process needs to be configurable for the government agency to set the time period for retention of the data, as this may vary due to policy changes over time.


Usability/ User Interface

General Observation

A user-centric approach which encompasses User Interface Design features that make it easy for the user to:

o Know what they have to do
o Know where they are in the process
o Easily complete these tasks
o Receive feedback confirming that what they have done is right or needs correction
o Encounter minimal risk of making mistakes that result in incorrect information being submitted or having to abandon the application

The FASTER mobile application currently reads as much information from the passport as possible to minimize data entry required by the applicant, which helps to reduce keying errors. It was noted in discussions with the IRCC – eTA group that a percentage of current applications via their web application require manual review due to data entry errors (e.g. entry of date of birth or typo in a name).

For consideration in FASTER

- Ensure the application is as streamlined as possible – e.g. all necessary instructions to complete a task should be able to be seen without scrolling.
- Make a clear distinction between actions that have not been completed correctly, where user correction is required, and actions where the user can voluntarily delete information or applications. Provide clearly differentiated visual cues (e.g. how to take a picture of your ePassport bio page, not covering the MRZ lines; garbage cans presented where the user can choose to get rid of information; caution or exclamation signs where the user has something not completed correctly – along with text describing steps for corrective action).


Exercise Plan FASTER – PrivBio

Project: CSSP-2015-CP-2114 Page 1

FASTER – PrivBio

CSSP-2015-CP-2114

Exercise Plan

30 January 2016

FINAL

(Charter Task# 2.2, Contract Milestone# 1)


RECORD OF AMENDMENTS

Version No. | Amendment / Section Amended | Entered By | Amendment Date

Version 1.0 | Initial version | Kim Burrett-Scott | 26 November 2015

Version 1.1 | Revisions from internal review | Kim Burrett-Scott | 27 November 2015

Version 1.2 | Revisions from project team review | Kim Burrett-Scott | January 2016

Note: It was determined that it was not possible to obtain enough time from participants to approach the exercise in this interactive manner. Voluntary involvement by one or two participants was decided as a reasonable approach.


Table of Contents

RECORD OF AMENDMENTS
Table of Contents
Purpose
Exercise Description
Background
Overview
Objectives
Process
Assumptions
Evaluation / Analysis Methodology
Agenda
FASTER-PrivBio Issuance Exercise Tentative Agenda
Roles & Expectations
Facilitator, Players, Evaluators, Observers
Players Role
Players Expectations
Facilitator Role
Facilitator Expectations
Evaluator Role
Evaluator Expectations
Observer Role
Additional Material
Scenarios / Narrative
Training


Purpose

This Exercise Plan will identify the processes, procedures, and administrative requirements, type of exercise and exercise roles and responsibilities that will support the exercise planning initiatives. Exercise Plans provide exercise developers and potential participants with guidance concerning procedures and responsibilities for exercise design, and how it is conducted, evaluated and supported. It explains the exercise concept, establishes the basis for the exercise and establishes and defines the exercise support structure needed before, during and after the exercise.

Exercise Description

The exercises for FASTER-PrivBio will be in the form of workshops, which are a type of discussion-based exercise used to draw information from players regarding specific topics while using software to go through specific pre-defined business scenarios. There will be 2 exercises held during 2016, one in the late winter and one in the summer. The first exercise will focus on the Issuance process for secure biometric references. The second exercise will focus on the Verification process at the point of entry.

Background

FASTER-PrivBio represents a unique collaboration between Citizenship and Immigration Canada (CIC), the Canada Border Services Agency (CBSA), WorldReach Software Corporation, and multi-disciplinary experts in the fields of biometrics, privacy, security and border management to facilitate legitimate travel and traveller convenience, improve the safety and security of Canadians while at the same time addressing privacy and data security, and protecting the integrity of the border from real and present threats.

The project also explores the use of electronic travel credentials carried on the Smartphone and the ability to secure them using privacy-preserving biometric references.

The concept of operations for the project involves a traveller applying for a travel document by providing travel information and access to his/her ePassport to retrieve facial biometric and biographical information. Access to the ePassport provides a secure and reliable method of identifying the traveller. Once approved by an agency, the traveller is issued an electronic travel credential which is then carried on the Smartphone. The credential is used at various points during the traveller’s trip, to provide added security and convenience throughout the travel experience.

These exercises, as part of the project, are intended to demonstrate this process in a non-production implementation using voluntarily provided ePassports which will not be retained after the exercises.


Overview

Objectives

The following objectives will be addressed throughout the exercise:

Ensure that the FASTER-PrivBio system accommodates the normal use scenarios for valid travellers going through the process to obtain an electronic travel authorization.

Test scenarios where someone is fraudulently attempting to obtain an electronic travel authorization and ensure they get flagged and/or rejected.

Ensure that user privacy is protected and security concerns are addressed.

Confirm ease of use and identify gaps and areas for improvement.

Process

This workshop will involve the completion of a number of different scenarios with participants carrying out various roles. The day will begin with a brief training session on the use of the agency side application intended for use by immigration officers (for the issuance exercise) and border control agents (for the verification exercise). There will be a Player briefing followed by the initiation of the scenarios by the exercise controller(s).

The exercise is intended to raise awareness of the intended interrelationship & integration between the application, assessment, issuance and verification stages of the FASTER-PrivBio process and other systems that may be queried and connected to during the life cycle of an electronic travel document.

Following the exercise a Wash-up / Debrief will take place, the purpose of which will be to highlight the key issues raised, obtain participant feedback and propose possible recommendations for improvement.

Assumptions

In order to achieve the exercise objectives during exercise play, it is intended that exercise events will progress in a logical and realistic manner. To ensure this realism, the following assumptions must be made:

Basic scenarios will be used with a brief narrative. Players are asked to use the scenario to stimulate discussion and consideration of variables that may affect the process.

In the absence of appropriate written instructions, Players will be expected to apply individual initiative to satisfy response requirements.

Players will assume that any organization not participating in the exercise is responding to the best of their ability or at full capacity unless otherwise noted by the Facilitator.


Evaluation / Analysis Methodology

Evaluation is an integral component of the exercise and is designed to focus on the overall discussion. For this exercise the aim is to get a sense of the processes and components involved in achieving integrated security and authentication of citizens in order to issue a biometric reference, identifying strengths and noting opportunities for improvement in the process. Evaluators will observe, assess and compare Player actions to the list of objectives to enable an efficient analysis and review process.

A Wash-up / Debrief is a post-exercise session that allows Players to explore the following:

What happened

Why it happened

How to sustain strengths

Areas for improvement

Lessons learned

After both the Issuance and Verification Exercises an exercise report will be prepared. This serves as a record of events and written analysis of the exercise. The exercise participants will be asked to review a draft of the report produced from each exercise and provide comments within a set timeframe, and a final Exercise Report will be disseminated following that review process. The Exercise Report will include the following:

A record of observations

A record of issues and lessons learned

Recommendations for future integration, analysis and exercises


Agenda

FASTER-PrivBio Issuance Exercise Tentative Agenda

Time | Activity | Notes

09:00-09:15 | Welcome and Introduction |

09:15-10:00 | Training |

10:00-10:15 | Introduction of Scenario | Provided by FASTER-PrivBio team

10:15-12:00 | Exercise – scenario execution | Facilitator (for Exercise) will prompt discussion & direct flow of interaction between players as required.

12:00-12:45 | Break |

12:45-2:00 | Exercise – scenario execution cont’d |

2:00-3:00 | Wash-up / Debrief |

The exercise will take place on {a date yet to be determined towards the end of February 2016}. The activities will begin at 0900 with Welcome and Introduction and will end by 1530.

All activities will take place in {location to be determined}.

In the event that the HPEOC is activated for a real-life event, the workshop will be relocated or postponed to a later date.


Roles & Expectations

Facilitator, Players, Evaluators, Observers

Players Role

Players are all personnel who discuss or carry out either a role assigned to them as part of the scenario (e.g. member of the public applying for a travel authorization) or a role they are currently familiar with through their work (e.g. immigration officer reviewing applications). Players discuss/take actions in response to the simulated situations.

Players Expectations

The following can be expected of the exercise Players:

Players should have a working knowledge of their standard operating procedures where they are applicable to the scenario.

Players with relevant experience are expected to share those experiences with less experienced participants during the discussions.

Facilitator Role

The Facilitator manages the conduct of the exercise by directing and monitoring the pace and intensity of play. The Facilitator is the only non-player who may provide information or direction to Players. Interaction will only occur as required to ensure the flow of the exercise and that exercise objectives are being addressed.

Facilitator Expectations

The role of the Facilitator is to guide the participants through the exercise. Primary responsibilities include:

Read and understand this guide prior to conducting the exercise.

Become familiar with the objectives of the exercise and ensure the participants are familiar with these objectives prior to the exercise.

Establish and monitor a basic set of ground rules for participants to follow during discussion.


Keep the exercise on schedule.

Identify the appropriate times for breaks and lunch (if applicable).

Facilitate discussions by asking pertinent questions rather than offering opinions. Keep all discussions focused by bringing the group back on track if the conversation strays off topic.

Encourage interaction among the different groups as they would be in the “real world.”

Encourage the participants to share their experiences and ideas so that they can learn from one another.

Identify participants that have relevant and recent experience with scenarios such as this and encourage them to share with less experienced participants.

Evaluator Role

The Evaluator collects information and is responsible for recording observations about what happens within the exercise. It is important to emphasise that the Evaluator(s) are not evaluating players but rather they are evaluating the relevant plans, processes and procedures.

Evaluator Expectations

The role of the Evaluator is to monitor and capture detailed player activities throughout the exercise. Primary responsibilities include:

Read and understand this guide prior to the exercise.

Become familiar with the objectives and evaluation forms of the exercise.

Be clearly identified as an Evaluator.

Avoid personal conversations with exercise Players.

Do not prompt players with specific responses or interfere with Player performance in any way.

Stay in proximity to Player decision makers.

Observer Role

Observers do not participate in the exercise but will observe in order to gain a better understanding of FASTER-PrivBio and its objectives.


Additional Material

Reference documents may be made available in advance of the exercise, such as Concept of Operations, Integration Analysis Report etc. This will be determined by the FASTER-PrivBio team in advance of the exercise.

For the exercises it will be necessary to have numerous Smartphones and ePassports for Players in the role of members of the public applying for an electronic travel authorization. On a voluntary basis, participants will be asked in advance to bring their ePassport and/or Smartphone to the exercise. Once again it will be emphasized that no personal data voluntarily provided for the exercise will be retained after the exercise or used outside of the project. Details on the number of ePassports and Smartphones required will be provided closer to the first exercise.

Scenarios / Narrative

The scenarios for the Issuance Technology Demonstration Exercise have been circulated separately and feedback has been provided by project team members. These scenarios will be reviewed and circulated again just prior to the exercise in order to address any changes necessary based on the integration work of the PrivBio biometric reference with FASTER.

Training

A brief overview of the Agency application interface and its basic functionality will be provided on the day of the exercise for those who will carry out the role of immigration officer reviewing applications that have been flagged for various reasons.

There will not be any training provided on the mobile application used by members of the public to submit their application for an electronic travel authorization, as one of the outcomes of the exercise will be to see how intuitive and user friendly the application is for people downloading it to their Smartphone and using it for the first time. This will ensure a more accurate real-world test of the usability of the mobile application.


Integration Analysis Report FASTER – PrivBio

Project: CSSP-2015-CP-2114 page 1

FASTER – PrivBio

CSSP-2015-CP-2114

Integration Analysis Report

Initial: Issuance Report Release 14 December 2015, v0.5

Update: Verification Report Release May 30, 2016, v0.6

(Charter Task# 2.4, Contract Milestone# 5)


RECORD OF AMENDMENTS

Version No. | Amendment / Section Amended | Entered By | Amendment Date

Version 0.1 | Initial version | Richard Gauthier | 24 November 2015

Version 0.2 | Updated on initial internal feedback | Richard Gauthier | 26 November 2015

Version 0.3 | Initial draft for internal project team distribution | Richard Gauthier | 27 November 2015

Version 0.4 | Changes to Option 1 & 2 sequence diagrams | Richard Gauthier | 02 December 2015

Version 0.5 | Overall edits and addition of the acronym list. | Richard Gauthier | 14 December 2015

Version 0.6 | Revised to include verification integration points. | Richard Gauthier | 30 May 2016


TABLE OF CONTENTS

ACRONYMS
1. INTRODUCTION
1.1 Purpose
1.2 Background
2. INTERFACES/INTEGRATIONS
2.1 Application Data Interface
2.2 ePassport Key Validations
2.3 FASTER-PrivBio Application Integration
Option (1)
Option (2)
Conclusion
2.4 Watchlist Service
2.5 PrivBio Issuance Interface
2.6 Kiosk Verification Interface
3. PRIVACY-BY-DESIGN


ACRONYMS

CBSA Canada Border Services Agency

eTA Electronic Travel Authorization

GCMS Global Case Management System

HTTP Hypertext Transfer Protocol

ICAO International Civil Aviation Organization

IRCC Immigration, Refugees and Citizenship Canada

MRZ Machine Readable Zone

NFC Near Field Communication

PKD Public Key Directory

QR Quick Response

RBR Renewable Biometric Reference

TRL Technology Readiness Level


1. INTRODUCTION

1.1 Purpose

The Integration Analysis Report defines the potential integration points between FASTER, PrivBio and external systems that are considered for the technology demonstrations. This report provides a description of the integration points and approaches for implementation. For the purpose of the technology demonstrations, the integration may be limited to a simulation of what a full production integration would require. Live external systems will not be accessed for the technology demonstrations, only representations with test data.

1.2 Background

FASTER-PrivBio represents a unique collaboration between Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA), WorldReach Software Corporation, and multi-disciplinary experts in the fields of biometrics, privacy, security and border management to facilitate legitimate travel and traveller convenience, improve the safety and security of Canadians while at the same time addressing privacy and data security, and protect the integrity of the border from real and present threats.

The project provides an option for an innovative “end-to-end” screening process of millions of immigration applicants by leveraging the capabilities of the ePassport and the Smartphone (such as Near Field Communication (NFC) technology). The technology will demonstrate and test the ability for applicants to self-authenticate during their online immigration application, and the ability of the technology to transmit trusted biometric/biographic data for enhanced screening against watchlists/databases. The technology process would then demonstrate how the results drawn from the client’s information could be used during adjudication of their application. The technology project will also include the creation of a digital client token and show how it can be used to authenticate an approved client to facilitate the movement of the traveller in the travel continuum.

In the proposed scenario, the traveller applies for a travel document by providing travel information and access to his/her ePassport to retrieve biometric and biographical information. Access to the ePassport provides a secure and reliable method of identifying the traveller. Once approved by an agency, the traveller is issued an electronic travel credential which is then carried on the Smartphone. The credential is used at various points during the traveller’s trip, including points of entry into Canada, to provide added security and convenience throughout the travel experience.

Requirements that naturally emerge from this scenario are that the issued credential should be verifiable by authorized verifiers, and should not be lendable from traveller to traveller.


1. Application Data Interface
2. ePassport Key Validations
3. FASTER-PrivBio Application Integration
4. Watchlist Service
5. PrivBio Issuance Interface
6. Kiosk Verification Interface


The data elements required for this interface include:

Applicant profile information

Application information (e.g. travel dates, answers to questions)

ePassport data groups including Machine Readable Zone (MRZ) information and photo

Applicant’s selfie

Supplementary documents

2.2 ePassport Key Validations

The ePassport Key Validation interface is embedded within the WorldReach VisaReach platform. The purpose is to validate the data residing on the ePassport chip. The following validations are performed as part of this interface:

1. Data Group Hash values are computed for each of the data groups stored on the ePassport chip. The resulting hash values are then compared with the hash values in the Security Data Object on the chip to ensure the content of the chip is not corrupted.

2. The Document Signing Authority is then validated by comparing the Security Data Object signature with the Document Signing Certificate.

3. The Document Signing Authority is validated against the Country Signing Certificate Authority to determine if the document signing authority is valid.

The Data Groups and the Security Data Object for the ePassport are the data elements required for this interface. For the purpose of the technology demonstration, the certificate list is maintained and validated within the WorldReach platform, so there are no external sources or external interfaces. Countries issuing ePassports are responsible for maintaining their Document Signing and Country Signing Certificate Authorities, which include the private and public keys. The International Civil Aviation Organization (ICAO) provides a public key directory where issuing countries can share public keys. In a production environment, the public key directory would be provided and maintained by an agency such as IRCC.
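The three validations listed above can be modelled as follows. This is an added example, not WorldReach or VisaReach code: all names are hypothetical, the chip contents are constructed, and unpadded hash-then-RSA over constructed Mersenne-prime keys stands in for the real certificate and Security Data Object signatures so that it runs on the Python standard library alone.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every constructed demo key


def make_key(exp_p, exp_q):
    """Constructed demo RSA key from two Mersenne primes 2**k - 1 (not secure)."""
    p, q = 2**exp_p - 1, 2**exp_q - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)


def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, n, d):
    # Assumption: unpadded hash-then-RSA as a simplified stand-in for the
    # signatures carried by real certificates and Security Data Objects.
    return pow(digest_int(message), d, n)


def verify(message, signature, n):
    return pow(signature, E, n) == digest_int(message)


def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


@dataclass
class DocumentSignerCert:
    ds_modulus: int      # Document Signer public key
    csca_signature: int  # Country Signing CA signature over that key


@dataclass
class SecurityDataObject:
    dg_hashes: dict      # data group number -> SHA-256 hex digest
    signature: int       # Document Signer signature over the hash table

    def signed_bytes(self):
        return ";".join(f"{k}={v}" for k, v in sorted(self.dg_hashes.items())).encode()


def validate_chip(data_groups, sod, ds_cert, trusted_csca):
    """Run the three validations; return {step: [problems]} (empty list = pass)."""
    report = {"dg_hashes": [], "sod_signature": [], "ds_chain": []}
    # 1. Recompute each data group hash and compare with the Security Data Object.
    for number, expected in sorted(sod.dg_hashes.items()):
        if number not in data_groups:
            report["dg_hashes"].append(f"DG{number} in SOD but not read from chip")
        elif hashlib.sha256(data_groups[number]).hexdigest() != expected:
            report["dg_hashes"].append(f"DG{number} hash mismatch")
    for number in sorted(set(data_groups) - set(sod.dg_hashes)):
        report["dg_hashes"].append(f"DG{number} read from chip but not in SOD")
    # 2. Check the Security Data Object signature with the Document Signer key.
    if not verify(sod.signed_bytes(), sod.signature, ds_cert.ds_modulus):
        report["sod_signature"].append("SOD signature invalid for this Document Signer")
    # 3. Check the Document Signer against the trusted Country Signing CA list.
    signed = key_bytes(ds_cert.ds_modulus)
    if not any(verify(signed, ds_cert.csca_signature, n) for n in trusted_csca):
        report["ds_chain"].append("Document Signer not issued by a trusted CSCA")
    return report


def demo_reports():
    """Constructed chip contents and three altered variants, validated in turn."""
    csca_n, csca_d = make_key(521, 607)
    ds_n, ds_d = make_key(521, 1279)
    other_n, other_d = make_key(607, 1279)  # signer unknown to the trust list
    dgs = {1: b"constructed MRZ data", 2: b"constructed face image",
           15: b"constructed Active Authentication public key"}

    def make_sod(groups, n, d):
        hashes = {k: hashlib.sha256(v).hexdigest() for k, v in groups.items()}
        sod = SecurityDataObject(hashes, 0)
        sod.signature = sign(sod.signed_bytes(), n, d)
        return sod

    sod = make_sod(dgs, ds_n, ds_d)
    cert = DocumentSignerCert(ds_n, sign(key_bytes(ds_n), csca_n, csca_d))
    altered = {**dgs, 2: b"different face image"}
    # Hash table recomputed over the altered data, original signature kept.
    stale = SecurityDataObject(make_sod(altered, ds_n, ds_d).dg_hashes, sod.signature)
    # Internally consistent chip, but its Document Signer certificate is self-issued.
    other_sod = make_sod(altered, other_n, other_d)
    other_cert = DocumentSignerCert(other_n, sign(key_bytes(other_n), other_n, other_d))
    return {
        "genuine": validate_chip(dgs, sod, cert, [csca_n]),
        "altered_dg2": validate_chip(altered, sod, cert, [csca_n]),
        "stale_signature": validate_chip(altered, stale, cert, [csca_n]),
        "untrusted_signer": validate_chip(altered, other_sod, other_cert, [csca_n]),
    }
```

Each variant fails at exactly one step, which shows why the hash comparison alone is not sufficient: only the signature and certificate checks tie the hash table to an issuing country's key.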

2.3 FASTER-PrivBio Application Integration

The purpose of the FASTER-PrivBio integration is the exchange of data required by PrivBio to generate the renewable biometric reference (RBR). There are two options being considered to meet this requirement. The options differ in when and where the data is being shared.

Option (1)

Option (1), shown in the sequence diagram below, proposes that the integration be implemented on the mobile device. Processing required to generate the RBR is performed on the mobile device, with the exception of the signing process, which is performed on the PrivBio Issuance Server. The data exchange and processing are performed after the application is submitted and approved by the responsible agency, which for purposes of the technology demonstration would be IRCC. The data exchanges within the red dotted lines in the Sequence Diagram Option 1 represent the FASTER-PrivBio integration points. The blue dotted line around the FASTER App and PrivBio App indicates that both of these apps reside on the smartphone. The sequence diagram focuses on data flow while not specifically stating all of the functional steps (e.g. selfie ok, continue, not ok so retake). The processing flow is as follows:

1. Data Acquisition and Payment Processing
   a. Smartphone acquires input data. This includes selfie, ePassport data and payment info.
   b. Payment information is sent to the server for fulfilment.

2. Application assessment and Notification
   a. FASTER Server conducts name-based search on Global Watchlist.
   b. FASTER Server conducts Passport-based search on Lost and Stolen Passport list.
   c. FASTER Server conducts biometric match verification on passport image and selfie.
   d. FASTER Server conducts validation of ePassport chip information.
   e. FASTER Server sends acceptance status and QR Code (eventually to be a Signed Digital Seal) information to applicant.

3. Credential is prepared and delivered
   a. FASTER App passes Data Group, Passport template and confirmation number to PrivBio Smartphone component.
   b. PrivBio smartphone component prepares data for credential issuance.
   c. PrivBio smartphone component invokes PrivBio Server component.
   d. PrivBio Issuance Server component prepares the credential and signs it.
   e. PrivBio Issuance Server component sends the credential to the PrivBio Smartphone Component.
   f. PrivBio smartphone component stores the credential in the phone's storage.


Option (2)

Option (2), shown in the sequence diagram below, proposes that the integration be implemented at the server level. All processing required to generate the RBR is performed on the PrivBio Issuance Server. The data exchange and processing are performed after the application is approved by the agency. All the data required to generate the RBR is provided by the FASTER server. There is no direct communication between the mobile device application and the PrivBio Issuance server. The data exchanges within the red dotted lines in the diagram represent the FASTER-PrivBio integration points for option (2). The processing flow is as follows:

1. Data Acquisition and Payment Processing
   a. Smartphone acquires input data. This includes selfie, ePassport data and payment info.
   b. Payment information is sent to the server for fulfilment.

2. Application assessment and Notification
   a. FASTER Server conducts name-based search on Global Watchlist.
   b. FASTER Server conducts Passport search on Lost and Stolen Passport list.
   c. FASTER Server conducts biometric match verification on passport image and selfie.
   d. FASTER Server conducts validation of ePassport chip information.

3. Credential is prepared and delivered
   a. FASTER Server passes Data Group, passport photo template and confirmation number to PrivBio Issuance server.
   b. PrivBio Issuance Server component prepares data for credential issuance.
   c. PrivBio Issuance Server component prepares the credential and signs it.
   d. PrivBio Issuance Server component sends the credential to the FASTER Issuance server.
   e. FASTER Issuance Server sends acceptance status, QR code and credential information to applicant.
   f. FASTER App requests credential download.
   g. FASTER Server sends credentials.
   h. FASTER App stores credentials.


The benefits of each option are outlined in the following table.

| Option (1) (mobile device integration) | Option (2) (server integration) |
|---|---|
| Increased privacy: biometric and biographical data required to generate the RBR is contained within the mobile device and not shared with the server. | Simpler integration with a single call at the server level to generate the signed RBR. |
| | RBR generating process is easier to maintain and modify with greater access to servers than distributed mobile applications. |
| | Reduced communication traffic between mobile device and server. Data required to generate RBR is also required for application processing. |
| | Execution constraints (mobile capacity, OS and device differences) are not a factor in this option. |

2.3.1. Conclusion

The FASTER and PrivBio technologies are at different Technology Readiness Levels (TRL). The FASTER component will be a prototype by the time of the Verification Technology Demonstration. The PrivBio components are at the concept and prototype level. For the integration of FASTER and PrivBio, the overall technology needs to be considered at the lowest common denominator. The benefits outlined above for Option (2) are generally associated with taking a technology to production-ready levels (TRL 8 or 9). The objective of the FASTER-PrivBio project, as defined in the charter, is to demonstrate that the technology can move to TRL 7, which is defined as “Demonstration and Validation/Engineering Feasibility – Concept, process, or system prototype demonstration in an operational environment.” The approach described in Option (1) is more in line with the original intent of the PrivBio project regarding privacy, and therefore is the integration option chosen by the project team.

2.4 Watchlist Service

The purpose of the Watchlist Interface is to identify lost & stolen passports and to identify individuals who may be considered high risk travellers. In a live environment the interface to watchlists can be implemented in a number of ways. In some instances, the solution for evaluating the risk of a traveller is centralized within an organization. The centralized solution can provide a web service where information about the applicant is provided and a risk factor is returned. The FASTER platform also supports biometric watchlist verification, in which the ePassport photo could be compared with records in the watchlist to identify a person that may have entered under a different alias. For the purpose of the FASTER-PrivBio project, this interface will be simulated with two reference files. These files can be updated by WorldReach to trigger the desired scenarios during the technology demonstrations.

The Global Watchlist file contains records with surname, given name and date of birth. When an applicant’s information matches all these fields, the application will be flagged as a person of interest. The system will not provide additional information as to the reason it was flagged. It is expected that if further investigation is required, a processing agent would perform it outside of the system.

The Lost & Stolen file contains a list of records with issuing state, passport number, surname, given name and date of birth. When an applicant’s passport matches the issuing state and passport number, or when the applicant’s information matches surname, given name and date of birth, the application will be flagged as a potential lost and stolen passport and will require further manual review by the processing agent.
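The two matching rules of section 2.4, as an added example that is not code from the report or the WorldReach platform. The CSV layout of the reference files, the normalization step and every name and record below are assumptions constructed for illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed reference data. The CSV layout is an assumption; the report only names the fields.
const globalWatchlist = "DOE,JOHN,1980-01-15\nSMITH,ANNA MARIA,1975-06-30\n"
const lostStolen = "UTO,X1234567,ROE,RICHARD,1990-03-02\n"

type Applicant struct{ IssuingState, PassportNo, Surname, GivenName, DOB string }

type Result struct{ PersonOfInterest, LostOrStolen bool } // flags only, no reason is returned

func norm(s string) string { return strings.Join(strings.Fields(strings.ToUpper(s)), " ") } // assumed normalization

func load(data string, fields int) ([][]string, error) {
	r := csv.NewReader(strings.NewReader(data))
	r.FieldsPerRecord = fields // reject records with the wrong number of fields
	rows, err := r.ReadAll()
	if err != nil {
		return nil, fmt.Errorf("reference file: %w", err)
	}
	for _, row := range rows {
		for i := range row {
			row[i] = norm(row[i])
		}
	}
	return rows, nil
}

func Screen(a Applicant, watch, lost [][]string) Result {
	sn, gn, dob := norm(a.Surname), norm(a.GivenName), norm(a.DOB)
	var res Result
	for _, w := range watch { // Global Watchlist: all three fields must match
		if w[0] == sn && w[1] == gn && w[2] == dob {
			res.PersonOfInterest = true
		}
	}
	for _, l := range lost { // Lost & Stolen: document match OR identity match
		doc := l[0] == norm(a.IssuingState) && l[1] == norm(a.PassportNo)
		id := l[2] == sn && l[3] == gn && l[4] == dob
		if doc || id {
			res.LostOrStolen = true
		}
	}
	return res
}

func main() {
	watch, err1 := load(globalWatchlist, 3)
	lost, err2 := load(lostStolen, 5)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Printf("%+v\n", Screen(Applicant{"UTO", "Z9999999", "Roe", "Richard", "1990-03-02"}, watch, lost))
}
```

The record screened in `main` carries a passport number that is not in the Lost & Stolen file and is still flagged through the identity rule, which is why that outcome leads to manual review rather than an automatic decision.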

2.5 PrivBio Issuance Interface

The purpose of the PrivBio Issuance interface is to digitally sign the RBR. It was originally intended to have this capability embedded within the PrivBio library on the mobile device. However, this is not feasible, as there is a need to have access to the PKI hosted either by IRCC or CBSA for generating the digital signature, and therefore it would need to be hosted in a more controlled IRCC or CBSA environment than the mobile device. The hash value of the RBR is generated and provided by the PrivBio library on the mobile device. The PrivBio Issuance interface will return the digital signature, which is then kept as part of the RBR. When the signed RBR is provided as part of the verification process, the signature together with the public key provides the assurance that the RBR was issued by the issuing authority and that it has not been tampered with.
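The hash-then-sign split described above, as an added example that is not PrivBio code. ECDSA over P-256 with SHA-256, the `SignedRBR` container and all function names are assumptions; the report does not name the algorithms or the message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRBR is a hypothetical container for an RBR and the signature kept with it.
type SignedRBR struct {
	Payload   []byte // RBR bytes; in this flow they stay on the mobile device
	Signature []byte // ASN.1 DER ECDSA signature returned by the issuance interface
}

// NewIssuerKey stands in for the issuer's PKI key (P-256 is an assumption).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// DeviceDigest is the only value the mobile library sends to the issuance interface.
func DeviceDigest(rbr []byte) []byte {
	d := sha256.Sum256(rbr)
	return d[:]
}

// IssuanceSign signs an opaque digest: the server cannot inspect the RBR itself,
// so it checks the digest length before using the private key.
func IssuanceSign(key *ecdsa.PrivateKey, digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("digest is %d bytes, want %d", len(digest), sha256.Size)
	}
	return ecdsa.SignASN1(rand.Reader, key, digest)
}

// Verify recomputes the digest from the presented RBR, so a changed payload
// or a signature made with another key fails.
func Verify(pub *ecdsa.PublicKey, s SignedRBR) bool {
	return ecdsa.VerifyASN1(pub, DeviceDigest(s.Payload), s.Signature)
}

func main() {
	key, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	rbr := []byte("constructed RBR bytes for illustration")
	sig, err := IssuanceSign(key, DeviceDigest(rbr))
	if err != nil {
		panic(err)
	}
	signed := SignedRBR{Payload: rbr, Signature: sig}
	fmt.Println("issued RBR verifies:", Verify(&key.PublicKey, signed))
	signed.Payload[0] ^= 0x01 // single-bit change to the stored RBR
	fmt.Println("tampered RBR verifies:", Verify(&key.PublicKey, signed))
}
```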

2.6 Kiosk Verification Interface

The purpose of the Kiosk Verification Interface is to validate the credentials of the traveller through the kiosk at the border. The data exchange and processing are performed when the traveller presents him/herself at the kiosk on entry into the country. For the purpose of the technology demonstration, the interface with the FASTER server will be established directly with the kiosk. In a production environment, it is expected that all kiosks would interface with FASTER through a centralized CBSA server. The focus here is on the data exchange; the processes related to the encrypting and decrypting of the renewable biometric reference/token are therefore not described. The processing flow is as follows:

1. eTA Validation
   a. The kiosk will read the ePassport and the eTA QR code to extract the Passport Country of Issuance, Passport Number and eTA Number.
   b. The kiosk will send the FASTER Server the Passport Country of Issuance, Passport Number and eTA Number.
   c. The FASTER Server will return one of the following eTA statuses:
      i. Active
      ii. Not Valid
      iii. Expired
      iv. Revoked

2. Kiosk Photo Validation
   a. The kiosk will take a photo of the traveller.
   b. The kiosk will read the photo extracted from the ePassport.
   c. Using facial recognition software, the kiosk will compare the photos.

The decision to allow the traveller entry, or to send them to a border agent for further assessment due to the eTA status or the % match between the photo of the traveller and the extracted ePassport photo, will be a manual process handled outside of the FASTER-PrivBio system.


3. PRIVACY-BY-DESIGN

One of the goals of the FASTER-PrivBio technology demonstration project is to identify privacy factors within the technology and concept of operations. Initial considerations were identified during the baseline demonstration and are documented in the FASTER-PrivBio Baseline Demonstration Report. Although integration of new privacy-by-design considerations was not an objective of the FASTER-PrivBio technology demonstration project, the following considerations are either already included in the design of the WorldReach platform or will be added for the next technology demonstrations.

1. The terms & conditions should clearly state what data is captured, its purpose and how it will be shared with external parties.
2. Terms & conditions should be accessible to the user anytime during the application process.
3. Capture only the data that is required for the review, approval and verification of the travel document.
4. Ensure that there is no residual private data, including ePassport data or photos, on the mobile device (such as logs).
5. Ensure that transmission of data between the mobile device and server uses encryption technology (such as HTTPS).
6. Ensure that the user provides consent to the mobile device application for accessing certain components, such as camera and NFC reader, prior to collecting data from these components.


DOCUMENT CONTROL DATA (Security markings for the title, abstract and indexing annotation must be entered when the document is Classified or Designated)

1. ORIGINATOR (The name and address of the organization preparing the document. Organizations for whom the document was prepared, e.g., Centre sponsoring a contractor's report, or tasking agency, are entered in Section 8.) WorldReach Software 2650 Queensview Drive, Suite 250 Ottawa, Ontario K2B 8H6 Canada

2a. SECURITY MARKING (Overall security marking of the document including special supplemental markings if applicable.)

CAN UNCLASSIFIED

2b. CONTROLLED GOODS

NON-CONTROLLED GOODS DMC A

3. TITLE (The complete document title as indicated on the title page. Its classification should be indicated by the appropriate abbreviation (S, C or U) in parentheses after the title.) FASTER-PrivBio Project Plan

4. AUTHORS (last name, followed by initials – ranks, titles, etc., not to be used) Burrett-Scott, K.; Bissessar, D.; St. Amour, J.-G.

5. DATE OF PUBLICATION (Month and year of publication of document.) November 2015

6a. NO. OF PAGES (Total containing information, including Annexes, Appendices, etc.)

70

6b. NO. OF REFS (Total cited in document.)

0

7. DESCRIPTIVE NOTES (The category of the document, e.g., technical report, technical note or memorandum. If appropriate, enter the type of report, e.g., interim, progress, summary, annual or final. Give the inclusive dates when a specific reporting period is covered.) Contract Report

8. SPONSORING ACTIVITY (The name of the department project office or laboratory sponsoring the research and development – include address.) DRDC – Centre for Security Science Defence Research and Development Canada 222 Nepean St., 11th Floor Ottawa, Ontario K1A 0K2 Canada

9a. PROJECT OR GRANT NO. (If appropriate, the applicable research and development project or grant number under which the document was written. Please specify whether project or grant.)

9b. CONTRACT NO. (If appropriate, the applicable number under which the document was written.)

B8625-160470-001-SV

10a. ORIGINATOR’S DOCUMENT NUMBER (The official document number by which the document is identified by the originating activity. This number must be unique to this document.) DRDC-RDDC-2017-C282

10b. OTHER DOCUMENT NO(s). (Any other numbers which may be assigned this document either by the originator or by the sponsor.) CSSP-2015-CP-2114

11a. FUTURE DISTRIBUTION (Any limitations on further dissemination of the document, other than those imposed by security classification.)

Public release

11b. FUTURE DISTRIBUTION OUTSIDE CANADA (Any limitations on further dissemination of the document, other than those imposed by security classification.)


12. ABSTRACT (A brief and factual summary of the document. It may also appear elsewhere in the body of the document itself. It is highly desirable that the abstract of classified documents be unclassified. Each paragraph of the abstract shall begin with an indication of the security classification of the information in the paragraph (unless the document itself is unclassified) represented as (S), (C), (R), or (U). It is not necessary to include here abstracts in both official languages unless the text is bilingual.)

Project CSSP-2015-CP-2114 (FASTER-PrivBio) aimed to develop a proof-of-concept for an innovative ‘end-to-end’ screening process for foreign travellers applying for an Electronic Travel Authorization (eTA) and crossing the border into Canada by leveraging the capabilities of the ePassport, smartphone, and Automated Border Control kiosks. The reports collected here capture the project’s initial planning and design work.

13. KEYWORDS, DESCRIPTORS or IDENTIFIERS (Technically meaningful terms or short phrases that characterize a document and could be helpful in cataloguing the document. They should be selected so that no security classification is required. Identifiers, such as equipment model designation, trade name, military project code name, geographic location may also be included. If possible keywords should be selected from a published thesaurus, e.g., Thesaurus of Engineering and Scientific Terms (TEST) and that thesaurus identified. If it is not possible to select indexing terms which are Unclassified, the classification of each should be indicated as with the title.) Biometrics, Border Security, Traveller Screening