CEN/TC 224/WG 18 - Interoperability of biometric recorded data

This Technical Report provides an overview of the current deployment of biometric systems within Europe. It addresses the challenges that are being faced, in order to detect the current needs for improving the specifications for the implementation and deployment of biometric systems. This Technical Report considers all kind of deployments, from border control to ad-hoc services. As most of the deployed systems are based on the use of fingerprints or face recognition, this Technical Report will focus on these two biometric modalities, from the system integrator and interoperability points of view.
Identity documents, in terms of production, structure, interoperability, etc., are out of the scope of this TR. The TR is focused on the performance at system level.
The current European legislative initiatives around this topic (e.g., Entry/Exit System, framework for interoperability between EU information systems, etc.) need a robust framework study about the availability of standard technologies to improve interoperability in biometric products around the European Union.
By showing these needs, a set of recommendations for future standardization works is provided.
From a methodological perspective, the report gathers information of different entities with this classification:
- Capture/enrolment of biometrics including the quality assurance and the generation of feature or biometric models from the images.
- Best practices and guidelines to use biometrics in Europe.
- Data Quality environment using biometrics in European networks.

This document establishes a systematic description of the concepts in the field of biometrics pertaining to recognition of human beings. This document also reconciles variant terms in use in pre-existing International Standards on biometrics against the preferred terms, thereby clarifying the use of terms in this field.
This document does not cover concepts (represented by terms) from information technology, pattern recognition, biology, mathematics, etc. Biometrics uses such fields of knowledge as a basis.
In principle, mode-specific terms are outside of scope of this document.

This document consolidates information relating to successful and high quality biometric enrolment processes of facial and fingerprint systems, while indicating risk factors and providing appropriate mitigations. This information supports decisions regarding procurement, design, deployment and operation of these biometric systems.
This document provides guidance on:
—   capturing of facial images to be used as reference images in identity and secure documents;
—   capturing of fingerprint images to be used as reference images in identity and secure documents;
—   data quality maintenance for biometric reference data;
—   data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
—   biometric data quality and interoperability ensurance;
—   data authenticity ensurance;
—   morphing and other presentation attack detection as well as other unauthorized changes;
—   accessibility and usability;
—   privacy and data protection;
—   optimal enrolment design.
The following aspects are out of scope:
—   IT security;
—   data capturing for verification purposes, e.g. in ABC gates;
—   capturing biometric data for enrolment in other systems different from data enrolment for integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates the enrolment from the authentication, while mentioning key factors of the enrolment process that are feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection, identification or verification purposes without the required step of creating an identity document using the captured data.

This document provides guidance on providing access:
— to areas with physical access control, e.g. entertainment facilities, train stations, shops, libraries, banks, or border control,
— for small groups of persons, e.g. families with small children or seniors, or other accompanied persons in need of support,
— by means of biometric authentication technologies, e.g. facial, fingerprint, or vein recognition,
— in the European regulatory context.
The document addresses the following aspects, which are specific for biometric and group access:
— accessibility and usability,
— user guidance including group guidance and interaction control,
— privacy including data set content,
— presentation attack detection,
— applicable biometric technologies,
— storage of reference data,
— biometric process integration,
— specific needs considering biometrics for groups,
— biometric performance and error rates, and
— group internal linkage.
The following aspects which reflect on generic access control issues are out of scope:
— IT security,
— application specific physical security,
— policy definition,
— processes not related to biometric authentication, and
— specific performance requirements of identification (1:N) and verification (1:1) applications.

This document addresses biometric recognition systems that are used as part of an automated access control system to provide a second and independent authentication factor of the individual using the AACS to access secured areas of critical infrastructure.
This document:
-   specifies requirements for biometric recognition systems to be used as part of an AACS for critical infrastructure,
-   describes a methodology for the evaluation of biometric authentication for AACSs against the specified requirements.
The requirements and test methods address biometric authentication for AACS that: (i) operate in an internal environment constituting part of a larger site, access to which is restricted and controlled by a separate access control system; and (ii) use biometrics as a second authentication factor to a token or proximity card.
This document does not consider access by the general public, e.g. passengers in an airport, or visitors to a hospital.
Products that meet the requirements of this document will comprise (i) a biometric sensor(s) external to the secured area, which reads the biometric characteristics of the user at the point of access; and (ii) a biometric server system performing biometric enrolment, signal processing, storage of biometric references and biometric comparison within a secured area.
This document does not address AACS or AACS portals (turnstiles) but is only concerned with the biometric components which integrate with the AACS. Other standards address requirements and testing of the non-biometric parts of the AACS.

This document is an application profile for the International Standard ISO/IEC 30107. It provides requirements and recommendations for the implementation of Automated Border Control (ABC) systems in Europe with Presentation Attack Detection (PAD) capability.
This document covers the evaluation of countermeasures from the Biometrics perspective as well as privacy, data protection and usability aspects. Technical descriptions of countermeasures are out of scope. Enrolment, issuance and verification applications of electronic Machine Readable Travel Documents (eMRTD) other than border control are not in scope. In particular, presentation attacks at enrolment are out of scope.
The biometric reference data can be stored in an eMRTD and/or in a database of registered travellers.
This document covers:
- biometric impostor attacks and
- biometric concealer attacks in a watchlist scenario.
This document addresses PAD for facial and fingerprint biometrics only.

This Technical Specification is intended to provide a Full Body Image Format for pattern recognition services and applications requiring the exchange of full body image data. Its typical applications include:
a)   human examination of high resolution full body images;
b)   human verification of identity based on full body images;
c)   computer automated full body identification;
d)   computer automated full body verification.
To enable applications on a wide variety of devices, including devices that have limited data storage, and to improve image recognition accuracy, ISO/IEC 19794 standards are followed regarding not only data format, but also scene constraints (lighting, pose, expression, etc.), photographic properties (positioning, camera focus, etc.), and digital image attributes (image resolution, image size, etc.).
A specific biometric profile for cross-border interoperability is required for full body photographs. Full body photography standardization is required to get good quality database images for identification and verification using video surveillance and other similar system generated images. At the moment, border guards take full body photographs using local practices for enrolment, verification, identification and watch list identification.
ISO 22311:2012 [10] specifies a common output file format that can be extracted from the video-surveillance contents collection systems to perform necessary processing. ISO/IEC 30137 [8] specifies data formats for storing, recording and transmitting biometric information acquired via a video surveillance system. The EN 62676 series [11] defines video surveillance systems for use in security applications.
The purpose of this Technical Specification is to provide expert guidance (i.e. best practices) for the photography of full body, especially when the resulting images are to be used for purposes of identification and verification, either by automated recognition systems or by human viewers.

This Technical Specification primarily focuses on biometric aspects of portable verification and identification systems for law enforcement and border control authorities. The recommendations given here will balance the needs of security, ease of access and data protection.
ISO/IEC has published a series of standards dealing with biometric data coding, interfaces, performance tests as well as compliance tests. It is essential for interoperability that all these standards are applied in European deployments. However, ISO/IEC standards do not consider national or regional characteristics; in particular, they do not consider European Union privacy and data protection regulation as well as accessibility and usability requirements.
This Technical Specification extends the ISO standards by emphasizing specific European needs (for example EU data Protection Directive 95/46/EC and European databases access). The Technical Specification systematically discusses issues to be considered when planning, deploying and using portable identity verification systems and gives recommendations for those types of systems that are or will be in use in Europe.
Communication, infrastructure scalability, and security aspects other than those related to biometrics are not considered. This document also does not consider hardware and security requirements of biometric equipment and does not recommend general identification procedures.

The purpose of this document is to specify the ISO/IEC 29197 testing methodology for European ABC systems. This specification will cover the following aspects:
-   environmental conditions which influence biometric modalities used for European ABC systems, i.e. temperature, humidity, illumination and noise;
-   different tests that can be defined regarding European ABC systems and the procedures for defining of the evaluation conditions to analyse per each test;
-   particular characteristics of European ABC systems in accordance to best practice recommendations and privacy and data protection regulations for this kind of systems in case of European deployments.
As a consequence, the proposed document will include the following aspects:
-   specific requirements for planning and executing environmental testing evaluations for European ABC systems based on ISO/IEC 29197 project and the best practices recommendations provided by CEN/TS 16634 Personal identification — Recommendations for using biometrics in European Automated Border Control document;
-   recommendations for the selection of the possible tests according to the specific system that is going to be evaluated;
-   specific requirements to establish and measure such evaluation conditions as well as to establish the baseline performance;
-   a specification of the biometric performance evaluation including requirements for test population, test protocols, data to record and test results consistent with operational deployments of European ABC systems.

This Technical Specification primarily focuses on biometric aspects of Automated Border Control (ABC) systems. Drawing on the first European and international ABC deployments, it aims to disseminate best practice experiences with a view to ensure consistent security levels in European ABC deployments. Furthermore, the best practice recommendations given here shall help make border control authorities' processes more efficient, speeding up border clearance, and delivering an improved experience to travellers.
ISO/IEC JTC1/SC 37 has published a series of standards dealing with biometric data coding, interfaces, performance tests as well as compliance tests. In order to promote global interoperability it is essential that all these standards are applied in European deployments. However, these standards do not consider national or regional characteristics; in particular, they do not consider European Union privacy and data protection regulation as well as European accessibility and usability requirements [22]. Thus, this Technical Specification amends the ISO standards with respect to special European conditions and constraints.
The Technical Specification systematically discusses issues to be considered when planning and deploying biometric systems for ABC and gives best practice recommendations for those types of systems that are or will be in use in Europe. The document deals with personal identification including ergonomic aspects that have an impact on the acquisition of biometric data.
Communication, infrastructure scalability and security aspects other than those related to biometrics are not considered. This document also does not consider hardware and security requirements of biometric equipment and does not recommend general border crossing procedures.
The enrolment process, e. g. for electronic passports, is out of scope of this document.

The main goal of this Technical Specification is to give guidelines to follow during the acquisition process of slap tenprints in order to obtain fingerprints with the best quality possible in acceptable time constraints.
NOTE   Non-cooperative users are out of the scope of this Technical Specification.
When using ten-fingerprint sensors, it is fundamental to know how to use them and how to proceed during the acquisition. This Technical Specification describes how to capture fingerprints correctly by specifying best practices for slap ten-print captures.
This Technical Specification gives guidance on the following topics:
1)   Recommendations on the hardware of the fingerprint sensor and its deployment,
2)   Recommendations on user guidance,
3)   Recommendations on the enrolment process including a sample workflow,
4)   Recommendations for developers and system integrators on application software,
5)   Recommendations on processing, compression and coding of the acquired fingerprint images,
6)   Recommendations on operational issues and data logging,
7)   Recommendations on the evaluation of a solution and its components.
Although this Technical Specification primarily focuses on reaching optimal data quality for enrolment purposes, the recommendations given here are applicable for other purposes. All processes which rely on good quality tenprint slaps can take advantage of the best practices reported here.

This document establishes a systematic description of the concepts in the field of biometrics pertaining to recognition of human beings and reconciles variant terms in use in pre-existing biometric standards against the preferred terms, thereby clarifying the use of terms in this field.
Excluded from the scope of this document are concepts (represented by terms) from information technology, pattern recognition, biology, mathematics, etc. Biometrics uses such fields of knowledge as a basis.
In principle, mode specific terms are outside the scope of this document.
Words in bold are defined in this document. Words that are not in bold are to be understood in their natural language sense. The authority for natural language use of terms in this document is the Concise Oxford English Dictionary (COD), Thumb Index Edition (tenth edition, revised, 2002). Words used in their natural language sense are considered out-of-scope for further definition in this document.