Signs of a classic design flaw?

Thanks to Privacy International for Twittering about this article on issues with the UK e-Borders programme and people with dual nationality. If true, the article suggests that there is a basic and fundamental design flaw in the system. [See Postscript at the bottom of this post]

The issue appears to be this: the new international agreements to collect Advance Passenger Information (APIS) requires airlines to collect passenger-supplied data (including passport details) and associate that with a given journey (and hence a given border-crossing event). However, passengers with dual nationality might well present one passport when leaving one country and another passport when entering their destination country. There’s nothing illegal about dual nationality, and nothing illegal about presenting different passports when departing and arriving… provided you’re the legal holder of both passports, of course.

From what I can gather (and I only have the Telegraph’s word for this…), the UK’s e-Borders system can’t cope with someone who registers the details of one passport when booking a flight and leaving the country, but presents another passport when returning to the UK. If true, this implies that the system is designed on the basis of a mistake which we really should not still be making – the assumption that there is only ever a one-to-one relationship between people and passports.

At the Brussels Privacy Summit, almost exactly two years ago, this question came up in the context of national identifiers, and we had a revealing discussion about the difference between the credentials issued to a person, and the ‘index value’ which might be used to organise and locate those credentials. It’s not, essentially, a hard design problem, provided the right level of abstraction has been included from the outset.

So, what should you do if it looks likely that this will affect you? I don’t have any way of confirming this myself, but one solution might be to enrol in the Iris programme (biometric scan of your iris on arrival in the UK, instead of having to present your passport). There’s a list here of the criteria for registering in the Iris scheme, which you do on your way out of the UK (for instance, there’s an enrolment office in Heathrow Terminal 1 just after the security scan).

Iris is not without its flaws (as I have described in previous blog posts) but it might be better than being stuck at immigration – or, possibly, put back on a plane to wherever you’ve just arrived from.

[Postscript: I found the following in the comments on the Telegraph article… part-buried amongst the usual “nothing to hide, nothing to fear” bleatings and the “round up all the illegals and us law-abiding folks won’t have any problem” rants.

One reader apparently emailed the e-Border programme a month ago and got the following response:

“Under e-Borders, you should not see any difference in your travel experience, or have to provide any information which you do not currently provide to your carrier, with the possible exception of your passport details which carriers may choose to request at booking stage. The biographical Travel Document Information that is collected will be the same on both passports (i.e. name, date of birth and gender).

As the e-Borders system is rolled out, it will provide additional capability to reconcile electronically where an individual travels using different documents, so that passengers with dual nationality can be identified.”

I would interpret that as meaning ‘e-Borders can’t cope at the moment if you give your carrier one set of passport details and present a different set on arrival, but will be able to later’.]