Robin Wilton's esoterica

Heathrow, Dubai and Hong Kong are piloting an extended passenger biometrics system which will partially automate check-in, security and boarding for passengers travelling between Heathrow and those destinations.

Although from the details I've seen, registration for the new miSense system will share the same office as the recently-introduced Iris system, the two are separate projects.

miSense is run by IATA, which is an airline industry association (and incidentally, not to be confused with ICAO, which is a UN agency). If you remember, a number of national governments, including our own, have said that "biometric passports must be introduced because ICAO says so...").

The stated aim of the miSense project is 'to simplify passenger travel while maintaining high standards of security'. Interestingly, the strap-line on IATA's home page says "We represent, lead and serve the airline industry". I wonder which set of interests wins out in a fight... the airlines' or the passengers'...

As far as I understand it, there are three linked parts to the project:

- miSense; automated authentication at check-in, security and boarding, based on a linkage between your index fingerprint and your passport (created at check-in time);

- miSenseplus; an equivalent fast-track of passport control between the three participating nodes (with Heathrow as the hub);

- miSenseallclear; a pilot of Interactive Advance Passenger Information (iAPI), involving the real-time exchange of passenger data between airlines and governments.


Some interesting points to note:

- while miSense is entirely 'self-service' (i.e. it does not involve verification by a third party that the finger used to register is the finger of the person described by the accompanying passport), miSenseplus does involve a verification element in the registration phase. miSenseplus registration captures the passenger's facial and iris biometrics, and all ten fingerprint biometrics (in other words, the expected components of an ID Card biometric registration).

- both miSenseplus and miSenseallclear involve the exchange of your personal data between the UK Immigration Service and the equivalent authorities in Hong Kong and Dubai. Fair enough - in that they will get those details anyway when you arrive.

- miSenseallclear involves the real-time exchange of passenger information between the airlines and the government authorities in question. If this sounds familiar, it could be because the European Court of Justice recently ruled against an arrangement under which something very similar happened between EU airlines and the US. Presumably the UK government is confident that a similar transfer of passenger details to Hong Kong and the UAE would not give rise to similar concerns under the Data Protection Act and European privacy regulations.

- with miSenseplus you also have to have a membership card. I'm not quite sure why, given that there's no indication that this all means you will be entitled to travel without your passport... and in all probability you will have your biometrics with you too. Unlike Iris, then, this may mean it is possible for someone to get the digests of your biometrics from a source other than the miSense database.


- these are pilot projects, and the FAQ says that any data held will be destroyed on completion of the pilot. However, it also says that "the data you provide may also be disclosed to other government departments and agencies, local authorities and law enforcement bodies to enable them to carry out their functions", and I would be very surprised if the completion of the miSense pilot will have any effect on data retention by such bodies once they have your PII.

On balance, I'm pleased to see that the project is testing a range of authentication and verification levels, depending on which part of the process they want to automate. I'm also pleased to see a range of biometrics being field-tested - though we've been told often enough that biometrics are already sufficiently robust to be used for a national ID Card.

I'm also pleased that this is an optional service; according to the FAQs, even if their criminal record checks on you turn up something nasty, it will only affect your right to remain in the pilot, not your right to travel. That shows a welcome sense of proportionality.

As ever, getting the buy-in of the passenger is, I think, vital. There are two ways of doing that; this project successfully does the first, which is to offer an incentive - you get through the airport processes more quickly. (Though, of course, what that means in practice is that you get to spend longer waiting for your luggage to come off the carousel).

It is less successful at stimulating buy-in through the second method, which is that you convince the passenger that she/he retains consent and control over the usage of her/his data, and that such data cannot be used in a way which compromises the passenger's rights. That may be true of this project.... but if it is, it needs to be openly stated, and passengers need to know how it is achieved.

So over-all, I have a couple of concerns.

First, although the miSense FAQs are actually not bad (I've certainly seen worse, where the 'A' was clearly meant to stand for 'Avoided'), they are far from definitive, particularly about what data is stored where, in what form and under what protection. Like any security bod, I have tattooed on my anatomy (ahem) the homily "Obscurity is not security". If the biometrics and associated PII are securely stored, then that security ought to reside in things other than "not telling you about it". The test of security is to open the bank, show a cracker the vault and say "there you go; here are the blueprints for this kind of vault... do yer worst".

Second, I don't think the passenger is best served by glossing over all that and offering only one portrayal of the service: "it's a system for getting you through the airport quickly and conveniently, and that's all you need to worry your pretty little head about". I caricature, but not outrageously; at what point in the life of the project could one realistically envisage the operators simply publishing, unasked, the details of what data they hold, and how, and who else uses it for what?

I thought not.

I mean, if the White Star Line had said "We have introduced huge icebergs on the Southampton to New York route, for your added convenience and as a means of drastically shortening your journey time", would you take that statement at face value?