Finavia and Finnair pilot investigates biometric data portability in air travel
Finnish airport operator Finavia, airline Finnair and Finland-based digital identity initiative the Sandbox of Trust, led by cybersecurity company Nixu, have completed a pilot to investigate biometric data portability in air travel, announced Nixu Corporation.
Because passenger journey is an extensive process that includes steps such as transit to the airport, parking lot payment, baggage drop, check-in, security control, lounge access, and boarding, the companies propose biometric authentication solutions such as facial recognition systems that would identify passengers without user interaction.
According to an IATA Global Passenger Survey report from 2018 cited by Nixu, almost half of passengers aged between 15 and 44 would use biometric identification for travel if given the opportunity.
By partnering with the Sandbox of Trust, Finavia and Finnair created the SisuID initiative, a next generation passenger authentication system to overcome roadblocks in air travel and introduce a seamless experience without IDs or travel documents. A facial recognition app let citizens identify themselves in digital services with an ID by matching their faces to the document, with user consent for the biometric data to be used for authentication.
The pilot project ran in spring 2019 and delivered valuable insights on tech and privacy barriers of biometrics and digital identity in air travel. The pilot confirmed strong authentication mechanisms like SisuID can strengthen passenger authentication safety and found no technical issues that prevent biometric authentication from being deployed in the Schengen Area. However, travel outside of the 26 states included in the Schengen Area requires more research into the process.
The companies say some open questions related to privacy should be addressed in further pilots in the Schengen area. A significant legal issue encountered is that not all passengers have given their consent for biometric authentication, and scanning them without obtaining consent would breach EU’s GDPR. To be GDPR compliant, further clarification is also necessary on how biometric data is handled between the airline, airport, border control, and the other stakeholders in the travel ecosystem, as customers’ biometric data has to be shared between all parties in the travel process. Facial recognition legislation could also present an obstacle to the service flow, and needs further investigation to make travel digitalization possible.
Detailed pilot findings are available here.