Panel | The Future of Travel Credentials

All men, I guess I'm the gender balance here. Thank you. I am very happy with this panel because in the little, we're in a bubble here talking about digital identity wallets, but this is an even smaller bubble where we talk about travel and digital identity, and we have some of the brightest and influential thought leaders on the topic on the panel, and so I hope we have a frank discussion about what is going on. I will first like to ask you all to briefly introduce yourself and say what is your relationship to the topic. So Laurent, kick off.

Yeah, good afternoon everyone. So I'm Laurent Loup. I'm currently coordinating one of the large-scale pilot work package on travel and payment at EWC and currently working on the e-passport credential more specifically to check actually how we can accommodate with the current specification regulation and market requirements. You just dropped a few things there that I'm sure we will be talking about. Francois. My name is Francois. I work at Amadeus, an IT group, a global travel tech that power most of the airlines and some hotels on the planet. So we have 15,000 employees. I run this company.

I run the digital identity initiative where travelers will use various systems from travel agencies, airline hotels to show who they are and to get a better experience. Gabriel. Gabriel Marquier, working at IATA, the International Air Transport Association, looking after digital identity initiative. IATA is the bodies that help airline gather to define business, operational and technical standards for the operation and more precisely to what is of interest to us right now, operation around checking at the airport. Fantastic.

Wim, even though you were just, maybe some people joined, so just very briefly. I'm Wim van der Lingen. I work as an architect in the Ministry of Justice and Security in the Netherlands and I work in the program of border innovation to try and enhance border innovation with new technology. Fantastic. Dan. Dan Bakkenheimer with Accenture. I'm in our digital identity innovations and biometrics group. I'm on ISO standards for biometrics and for security devices for personal ID like MDL. I support IATA and in a former life I was a chief engineer for global entry. That's a lot.

So in, I think it was November 2020, the specifications for the digital travel credential type 1 were published. It is 2024 and we have pilots. Why don't we see a huge adoption yet of this necessary virtual credential of the passport? Why is it taking so long? What needs to happen before we can all use a DTC? Will we have it in our wallet? Will we have an app?

Yeah, maybe one point is actually to understand is the difference of level of assurance that we have in this different ecosystem. So on one hand, you have probably the most decentralized credential that we can imagine. This is this one, right? With an attack surface that is close to zero because I have it in my pocket. So it's very nice but it's, I mean, when you want to share your information specifically online, you need to make all the data processing with the passport, NFC chip, etc. So it's very cumbersome, not very user-friendly.

And on the other side, you have airlines, for example, that request currently for the advanced passenger information, even things manually, data entered manually. So I think this spectrum explains actually why this is currently so difficult. And to my perspective, I don't know the others, but I think that we might need to find, let's say, a midway in between all those different requirements so that we can fulfill probably both the travel, let's say, the border crossing and then the travel industry.

Yeah, François. Go ahead. So maybe an educated view on the topic, I'm new to travel. When I look at your question, why not more DTC around the corner?

Today, if you want to travel, you need a passport. There's the people and paper process that works. So for DTC to be there, it needs to be working much better than anything else. And if you look at pilots, you need to put some infrastructure in place, some dedicated lanes. It's a separate process. It's a new process. So that's maybe one reason.

Second, a lot of brave countries who started to enter the world of digitalization of admission have pre-DTC solution. They would need to migrate to a new standard. So spend some money to get to the same situation.

Now, what I see hope is that maybe some less regulated touch points, like airline boarding, for example, could allow private companies to issue their own DTCs and then allow non-regulated touch points to be used in a digital way, in a DTC way. So this is where we will see more option, but maybe at the border control, because it takes a lot of effort and heavy lifting, but maybe more at the commercial touch points, potentially, because airlines are willing to digitize the process.

This is a great step up to Gabriel, because IATA has to solve complying with rules and regulations like ICAO-NX9, your members, the airlines. But one idea is trying to solve this.

Indeed, and maybe just to piggyback on what Francois was saying. So indeed, there might be a hard step to take for governments to start issuing DTC. But at the same time, I think there have been numbers of positions that a DTC is only a DTC if it's issued by a member state. So you've got a bit of a catch-22 situation where you say, OK, government needs to have an incentive to go for it. They don't really have it. And at the same time, there is no alternative.

And that is pretty much where one idea is coming into place, because the DTC is a tool designed to meet government requirements for border requirements, for border needs. And airline private industry members have different name in terms of data, in terms of privacy, and in terms of level of assurance. So that's where one idea is coming forward. So one idea is the name of the initiative under IATA where airlines try to digitalize admissibility to travel.

And what has been put on the table there by airlines is actually to create a copy of the passport as a verifiable credential that can then be created by private entities and then used for private entities-driven touchpoints. So that's, let's say, the core of the IATA mission.

And to bring more awareness of what's being done and what can be achieved, we are organizing end-to-end POCs to actually make everybody aware of what is the potential and what can be achieved, because everybody in this room probably is pretty clear on the feasibility of this, maybe for more than 10 years for some of you, but I can tell you every time we show a little two-minute video, we've got quite a few wow moments in there. So no, that's part of what we're doing. Yeah. You want to respond right away?

No, I think a lot of good positives. I think in terms of like standards, right now these DTC1 specs says what the DTC, it just describes the format of it. How do you get it into your device? Wim already talked about some of the problems they had with the different devices being able to read it. And this specification doesn't say, how does it get from my device to the Royal Dutch Police? So that's all custom at that point. As Gabriel said, one idea is going to wrap the DTC using W3C standard specifications to get it from a person's device to its destination in a secure fashion.

So we're getting into the e-passport credential discussion, which is good. And Wim wants to respond, but I think Laurent was, Laurent go for it, and then Wim can gear up. I'm an impatient guy, people know that about me, so I say you can do it for real as well, and then they'll all find their thing. But I think DTC in general is well positioned as being a very good carrier for identity information on border control, because it piggybacks on this world of trust that is already in place around passports.

So I think it's well positioned, but making changes in border control is very difficult, because you have to do with legislation, all kinds of parties involved, like you've shown on the board, that's why it's not going that fast. That's, I think, the main explanation.

Yeah, and completely agree. But I think the question here is not about really the standard, because here, basically, we have the attributes that are basically the same. The question is, who is the issuer? Because actually, if we solve it from an industry point of view with, for example, one ID from IATA, actually, from a user perspective, we haven't solved the issue, because then I need my passport data for getting into a hotel or opening a bank account or somewhere else, and then I need to redo exactly the same.

So from my perspective, this credential should really be issued by the issuance authority that is responsible for the physical document, and then we solve the issue once for all. The issue is that the mandate from the ICAO is not to serve the private entities, but just the border crossing. And I think that's the ...

Which is, in my quick introduction, I said, you know, it's about security. Don't forget, that's a really important part of it. And it's about making it easier, making processes more efficient, but security, of course, for governments is first and foremost, and that means complying, but that's also the hotel check-in. That's also about security. Francois?

Yeah, the really cool thing, because I don't want to put too much gloom on the room, there's a private sector use cases that can use credentials that are easier to start today at a scale than border control. So security, DTC, super important, but in travel, there's so many use cases. You'd say checking at the hotel, there's so many other use cases. Leaving a verified review after a trip, collecting your receipt as a credential for expenses, personalizing your offer from a travel seller if you share a digital identity.

So there's a type of credential in travel which is about who you are, to cross a border. There's plenty of other credentials in travel about who you are as a person, how you want to be marketed at, what kind of experience do you want to have. So in travel, we are lucky, there's a regular use cases. We will get scale, but it's tricky.

It's long, it's a long process. We need to change law. And there's a bunch of really operational and interesting use cases that are not regulated that we can deploy at scale today. So I think travel is super exciting for them.

Oh, it is. It is. Because identity is at the core of every step you take. It's all about, yeah. So absolutely.

Vim, I'm coming back to you because you're the only government representative here. Sorry to pick on you. But like you say, for border control, it is a perfect tool, so to speak, the DTC. How do you see the complying with carrier responsibility for airlines or hotel check-in, complying with local police regulations, where always the travel document is mentioned in the law? How do you see that with also meeting data minimization and data privacy standards with the DTC? What do you see happening there?

I'm a guy, I'm a civil servant, so I'm about the facts and politicians are about the visions. So I'll... We totally understand. I'm a former civil servant, I know. I will continue so we can then see different options. I think there are other options shown here, the PYD, that would in future give good alternatives for using a passport for other situations where today passports are prescribed. So I think that's one way to go.

Perhaps it is thinkable that there are like intermediaries who unpack the DTC and deliver the data when the intermediaries are allowed to do processing of an entire DTC and are trusted to hand out that information. That could be a way out of this. But then again, if it's currently in law, we have to find a way around that. Technically this is not an issue. It's all about regulation. It needs to be a derived credential and need to comply. It needs to be DTC attribute derived and otherwise it's not complying with the rules and regulations.

DTC is a package deal, so you can basically only work with DTCs if you're entitled to work with the whole thing. The DTC is currently actually thought to be used in combination with the physical documents. So I think that's also one major difference when we talk about security and usability and comparing, for example, to the PYD and the PYD currently it's mostly online use case. PYD is also not a travel document per se. It's not the intent.

So here again, we have these different credentials that can serve those purposes, but they need also some willingness, some political willingness so that they can be used in certain contexts that we are looking for. And speaking of PYD and political motivation, so right now in 1995 ICAO said that the best way to bind the presenter of the document to the authorized presenter of the document is through biometrics. So when passports are issued, one of the key data elements in Data Group 2 is the photo.

It's required, it's mandatory, so that you know that the presenter of this document is the authorized presenter. I asked the Commission, I don't know if anybody's here, why did you not do that with the PYD? So you could bind the EU digital identity wallet to the user of it. They're not touching it. It's the third rail. There's an issue there, the PYD and biometrics, yes.

Yeah, this is, let's look at, going back to you, at the EUDI wallet briefly. What are your plans with DTC and if you want to make a seamless passenger facilitation, ease of travel, biometrics is the key. Very briefly, how do you see that? What are the plans?

Yeah, so we are working as well with experts and companies from the industry, and I think Amadeus here is a good representative, to actually facilitate all those technical implementations regarding the biometric boarding, for example. But at the same time, we see actually regulation and also in the EU, where creation of gallery can become problematic. So we are working with problematic regarding the data privacy. And so yet again, we are at square one, because basically we want to enter square into rounds, and we want to make every touch point here right.

And yeah, I think that's the current issue that we have. You're working together on that.

Exactly, yeah, to show use cases in the travel space. So I think for the EU open wallet, what's really exciting, I think, is when I look at this initiative, with what happened in COVID.

In COVID, there was a European initiative to produce this QR code, right? And after a year, there was 30 countries outside of Europe who used the technology, not only the standard, but the technological platform. I bet this would happen as well with the EU wallet. So you'll see EU wallets in many more places than in Europe, I suppose, in the future is my personal bet.

And even if that is true, in travel, what the companies who sell in travel, Expedia, Booking, British Airways, Lufthansa, Marriott, they will see travelers with European wallets, with DigiAtra, with a Google wallet, with Clear Wallet in the US, with the It's Me wallet from Belgium. So anyway, even if this initiative is taking a lot of scale, and I believe it will, there will be a variety of wallets of digital entities out there.

And we'll have to support our companies who see customers from all over the world with all kinds of wallets, and all kinds of technologies and protocols and what have you. So the future will be diverse and rich, I think, in that space. On the topic of galleries and the universality of passports, and as you said, the digital travel credential is the same, for good and for evil, as passports. So the legislation that the EU has on entry exit system for third country nationals coming, that will go live this fall, says, Article 15 says, do not use passports.

The photo of the third country national that's going to get into the gallery, as Vincent said, will be taken live by a border official of sufficient quality for automated facial recognition. So that's going to go live this fall. Do not use passports, except if you cannot get a decent photo. Because of countries like the US, where our photos are not taken live, we don't have a PID per se, where the photo is associated with the individual, but it's not taken live by a trusted official, it's taken by us. A practical issue, but very important.

A lot of it is about, because you have to do that on the spot, and a lot of it is about getting your data sent in advance, which is for IATA, a big program, part of the OneID, which is the digitization of admissibility. So you're ready to fly when you arrive, and the airline has all the data that they need, and nothing more. So could you elaborate on that briefly?

Sorry, before we go to the last round. We need to go back to the fundamentals of why is there a willingness to change in the airline industry? And the willingness is, make the journey better for people, so that they don't have to queue, and make it more efficient. And there are two key ways to go about that.

One, enable people to present and get ready to travel, have their document verified, before they go to the airport. And the second is, well, do you still need to queue after that at the airport? And as long as there is a need for a physical document check, well, as long as there is a need for a check, the question is, what's the fastest way to do that check? And so DTC and other forms of digital credentials are perfect for online, and actually even much better, they can be sent directly to the government, that can do advanced risk assessment of individual travelers.

So I think that's great, there is a huge opportunity for peer-to-peer communication between the travelers and the government there. But then, when we start to go into the physical space, if showing your real passport is faster than any digital version, then people are going to stick to showing the real passport. And as long as they're also, on top of that, mandated to have it with them, so I guess there is a real...

This is a great question, we have a minute and a half left, but one of the things that, especially in the bubble we are here at EIC, is we talk only digital, we don't talk anything physical anymore. But in this space, we will be talking physical, and that'll be the physical component, which is our mobile device, but also the booklet, for quite a while. So I wanted to wrap up and ask you all, when do you see we will travel without the physical booklet, maybe the physical component of our device, but that is for... We have a little bit of time, I'll just follow the line, Dan. Decades. Decades.

As a backup, same thing with mobile driver's licenses, it's gonna be a while. Very strange that in IT authentication we move to multiple factors, while here we want to reduce factors. I think it's going to be here for a long time. So actually DTC type 2 and 3 have two factors with the physical components that don't include the booklet. So my answer would be, it's going to be used when it's going to be easy to use your phone or a smart card as a second factor.

And one point to anyone working on a European digital identity wallet, if it can be in your European digital identity wallet that you use quite often, it's most likely to be used shortly, probably three to five years, than if it's in the 15th app on the service page of your phone. François? When at scale? Decades. Now where? Tomorrow?

Ah, let's see. Domestic travel in a country who's brave enough to do it? International in a group of regions? Where is a better question, I think? And you will see something happening, I think, in some places in the coming years. You have to differentiate between national, regional and global. Last but not least. I believe in a step-by-step approach, I think starting with unregulated aspects and use cases, having then maybe a combination of the physical and the digital document.

And yeah, ultimately really, maybe 10 years down the road, completely digital on the mobile. Because somebody's going to have passport stamps, you know, that are still using stamps. Get rid of the stamps. No digital stamps yet.

Well, we are past our time. Thank you very much. As you can hear, this is a topic where the physical and the digital are still very much married for a while, but a lot is developing and this topic will return to be discussed. Thank you all very much.