2012-03-18 _1_ e-mobidig strategy ver 1-92

Strategy for
Mobile ID
Near Final DRAFT, following 9th
e-MOBIDIG meeting, 7 and 8 March 2012

Strategy for Mobile ID Solutions

Contents
Summary .1
Context.2
Police and immigration services .2 Mobile solutions generally.2 Mobile applications for police and immigration.2 Characteristics specific to police and immigration use.3 e-MOBIDIG .3 1: Take a strategic approach focused on business benefits.4 2: Describe the vision and roadmap.4 3: Mobilise business process not just technology .4 4: A mobile device is a component not a solution .4 5: Smart infrastructure—the secure central hub .5 6: Understand connectivity .6 7: Excellence across several technologies .6 8: Pilot and learn .6 9: Test robustly .7 Your next move: developing a strategy for mobile solutions .8 Self-check: Where is my strategy? .9
Drafting note
Version 1.85 of this paper was discussed at the 9th e-MOBIDIG meeting on 7 and 8
March 2012. This further draft is near-final and reflects that discussion. It replaces the
earlier version 1 paper which was more a strategy for the e-MOBIDIG group.
Frank Smith, Chair, e-MOBIDIG
[email protected]
www.e-mobidig.eu
e-MOBIDIG—EU Mobile Identification Interoperability Group
Supporting police and immigration use of mobile solutions
Strategy for Mobile ID Solutions
Summary
Mobile technology is improving rapidly. This has important implications for police
and immigration officers working away from fixed locations, for example on patrol or
at the border, particularly in relation to identification.
Participants in the e-MOBIDIG working group are clear that mobile solutions can
make a valuable contribution to policing and immigration and border control but that
sound principles need to be followed taking account of previous experience and lessons
learned. A strategic approach is needed focusing on overall business benefits to the
organisation as a whole. This guide suggests good practice to be followed.
Strategy on the use of mobile devices is decided at national rather than EU level but
this paper presents thinking from e-MOBIDIG which we hope will help Member
States in this task. Key suggestions on good practice from e-MOBIDIG, described in
this paper, are:
1. Take a strategic approach focused on business benefits. 3. Mobilise business process not just technology. 4. A mobile device is a component not a solution. 5. Smart infrastructure—the secure central hub. 7. Excellence across multiple technologies. Discussion at meetings of the e-MOBIDIG working group have contributed to a series of further papers: Use cases—examples of how mobile ID devices could be used.
Country examples—illustrating projects and developments in particular
EU Member States.
Technical guide—what technologies are relevant to mobile ID devices and
key aspects of what is important to consider.
Standards—examples of agreed standards relevant to this area.
Context
Police and immigration services
Each Member State in the EU has operational services responsible for policing and
immigration, even though the allocation of responsibilities and legal powers may
differ. In doing their work, officers from these services have to distinguish between
people who are honest about their identity, and others who try to avoid identification,
possibly because they are wanted as suspects for a crime, because they are engaged in
unlawful activity and want to conceal their presence, or because they are using false
documents or identity.
Mobile solutions generally
Mobile devices have been undergoing a radical transformation. In the mass market,
consumers have been ‘liberated’ from having to use desktop computing at fixed
locations to access the internet: they now can have affordable handheld smartphones
and lightweight tablets built for easy use on the move. With these they can book
travel, hotels and entertainment, make payments, email and message social friends in
real-time, keep up to date with the latest news, locate where they are on a map and
navigate to another place or search for local information, search the internet globally
and download and install new software applications that leverage the high volume of
sales to achieve very low price. New and better devices and improved mobile
communications such as 4G continue to be developed.
All of this is creating a powerful awareness of the technology and its capability, and
officers increasingly expect similar technology to be available to them at work to
access systems previously only available at fixed locations. This vision is inspiring
innovation, though users may be less conscious that particularly for immigration and
police, solutions continue to need rigorous security controls to protect confidential
core systems from attack, and that bespoke solutions do not benefit from the same
very large user base to spread costs and reduce price.
Mobile applications for police and immigration
Possible applications of mobile technology for immigration and police use:
• Authenticating travel and identity documents using secure (cryptographic)
technology to authenticate a travel or identity document and information held on the chip, such as face images and the holder’s name. • Fingerprint verification from travel / identity documents—EU chipped
documents increasingly contain fingerprints of the authorised holder, allowing more secure validation that the right person is presenting the document. • Fingerprint search of central systems—to confirm identity or search
• Biographic checks against central identity systems—e.g. to check whether
someone is wanted by the police or is a previous offender, or whether a travel or identity document presented to the officer has been reported lost or stolen. • Business transactions (casework) at remote locations requiring more
conventional desktop services and access to systems, and possibly enrolment of biometrics, decisions, enforcement notices, etc. • Capturing evidence—written statements, photographs, voice recording,
• Rapid deployment—to respond to an urgent operational need such as many
unexpected arrivals at a remote border crossing; a planned operation; or other reasons for urgent deployment of officers away from the office. • Others checks against central identity systems—e.g. driving licence,
• Receiving and sending information from/to the central control room
• Writing reports
• Contributing to forensic crime scene analysis.
• Mapping and location-based services—using geo-location technology to
manage operations, determine current position, log and report position and time, display reference information and intelligence relevant to the location, navigate, and ‘geo-fence’ operational areas where a device will work. • See also the e-MOBIDIG papers on use cases and country examples.
Characteristics specific to police and immigration use
The police and immigration market can benefit hugely from all of these
developments, but perhaps not in standard form. This market needs particularly:
• Software development to connect to specialist applications for police and immigration including fingerprint matching and the protocols and infrastructure to authenticate secure passport and ID card chips. • Support for external devices such as fingerprint readers. • A strong emphasis on security so that a mobile device can be ‘locked down’ to prevent malicious changes to the software; encryption to protect
communications, data held on the device; and rigorous control over access to
core systems. Many mobile consumer devices are designed to enable software
easily to be downloaded and installed by the user—this has to be prevented on
a device for police or immigration use.
• Robust physical devices that will stand up to operational policing and • If needed, use of specialist data networks for emergency services (e.g. Tetra). • Development of infrastructure and systems to work with the mobile devices. • Although operationally independent, there are strong similarities between police and immigration work in different MSs—are there more opportunities for sharing of good practice, solutions?
Structures and the division of responsibilities between police and immigration may
differ between countries. Nevertheless, there are opportunities to share good practice
between MSs, as shown by e-MOBIDIG. Are there also opportunities to share the
design of solutions, and perhaps purchasing of common equipment, between MSs?

e-MOBIDIG
The e-MOBIDIG working group (EU Mobile Identification Interoperability Group)
brings together practitioners and experts—in police and immigration services, in
different Member States, and in industry and government, to understand
developments and trends relevant to mobile ID devices; to recommend how to
develop good solutions and strategies; and to help others to avoid repeating expensive
mistakes that can be made. This paper on strategy should be read with the other
reference papers published by the working group.
Suggested Good Practice The following good practice suggestions arise from discussions and presentations in meetings of the e-MOBIDIG working group. 1: Take a strategic approach focused on business benefits
A strategic approach means focusing planning and delivery on solutions that support
the primary aims of the organisation as a whole, judging success on the outcomes
achieved. It means designing and building ideas that work well operationally, driving
out potential benefits rather than just delivering technology. A strategic approach for
mobile solutions would also see common technology being planned (devices, back
end systems and infrastructure) that can be re-used, not multiple individual solutions,
risking duplication, poor interconnection and missed opportunities.
2: Describe the vision and roadmap
To show the organisation what a strategic approach would look like and to gain
support for co-operating to deliver that, a vision of what that end-state looks like is
needed. It may well not be possible to build a full strategic solution from the outset. A
roadmap is helpful to show how the organisation can progressively build new
applications and infrastructure to work from where they are now towards realising the
vision. This needs to be underpinned by analysis of the business benefits and
outcomes that are expected from each stage of the work, and should include the
change management and business process re-design needed for successful
implementation. Piloting and proof of concept and value will help to validate
expected benefits and decide whether each potential application should be rolled out.
3: Mobilise business process not just technology
Developing a good technical solution that works well, away from a fixed location and
network is important, but if it is used with the old business process, results may be poor.
To achieve full potential benefit from a mobile development, the technical design and
the business process design should be considered together. It may be better to work in a
new way to take full advantage of a new mobile solution. Change management and
user training are important too. Continuing effort may be needed after a solution has
been deployed to discover and embed the most effective way of working.
4: A mobile device is a component not a solution
New and more capable mobile devices are being produced all the time. A device may
enable a solution or help to deliver a good strategy, but no device on its own can be a
mobile strategy or complete solution. Some observations:
• Is there one ‘ideal’ mobile device? Probably not for a whole police force or
immigration service: suitability for purpose can only be judged in relation to
particular business needs which are likely to vary between users and business
functions. Different users may need a small smartphone for best mobility; some
may need the larger screen of a tablet to view more information with limited
input required; others may need a larger screen with extensive input and find
that a laptop is best for them; and some but not all of these may need multiple
peripherals such as camera, fingerprint reader, document reader and/or printer.
Some may need long battery life for continuous mobile operation; others will be
more intermittent users. The ideal solution may be a range of mobile devices,
with good interoperability and the capability to adapt over time.
• A device agnostic approach is therefore desirable, trying to make the overall
strategy more independent from particular devices and suppliers. Standard
interfaces may help to make it easier to add new devices and avoid lock in to
one solution.
• Mobile device management (MDM)—should be included in a mobile
strategy, helping to deliver good control and security, managing users and access rights and tracking who is responsible for every unit, at which location. Cost effective MDM solutions are available e.g. through cloud technology and can increase capacity and help to reduce support and back office costs. 5: Smart infrastructure—the secure central hub
The need for supporting a range of mobile devices and of ‘back end’ systems accessed
by mobile users argues for an architecture based on some form of central, secure hub
supporting the service for mobile users. This would connect to multiple devices and to
multiple back end solutions to orchestrate complex transactions using middleware.
The relationship between mobile devices, the hub, and reference systems is shown in
this figure (see also the e-MOBIDIG Technology Guide).
Mobile device A
Security
Middleware
Mobile device B
Connections
Services
Mobile device C
Mobile device D
System 4
e.g. PKI central source

An example of a complex, orchestrated search possible with this architecture would be
a fingerprint search to identify someone. Once the fingerprint system had returned an
identity, the hub could use this to search other reference systems, to locate further
information on that person, and then prioritise and arrange the information to present it
concisely on screen.
A hub can help in re-use of services so that a new device can readily make use of
existing reference systems and workflows, and a new reference system can more
easily be made available to existing mobile devices.
A smart design of infrastructure can help to manage complexity to deliver an
effective, secure and adaptable strategic solution serving multiple device types and
connected to multiple back end systems. It is however important to set and manage
realistic expectations about what can and cannot be achieved.
6: Understand connectivity
Mobile communications can be a powerful enabler for access to business functions on
the move, and continues to improve. However, connectivity can also be problematic
and will not always be perfect (or even available), in every location. Even though
fixed and mobile communications are increasingly converging, mobile
communication is not (yet) a universal replacement for a fixed networks. It is
important to understand why mobile communications can be problematic, where there
are limitations and how improvements may be achieved (see further explanation in the
Technical Guide). A solution needs to be mobile aware—it needs to be built with a
good understanding of where mobile solutions differ from their fixed equivalents.
Are communications always necessary? Can a device operate some or even all of the
time with no communications? If all the reference data needed to do a job can be loaded
onto a device before an officer starts duty, and all data collected be transferred from the
device after the duty (example: enforcement tickets?), communications may not be
needed for that task, resulting in a lighter device with more battery life because radio is
not used. If a device can operate some of the time with no signal (example: fingerprint
enrolment from several people?) and then be moved to where the signal is good to
resume connection, to send the data and obtain a result, the device will be more tolerant
of poor and interrupted connectivity.
7: Excellence across several technologies
Excellence in mobile solutions and strategies needs excellence in several technologies
and methods, e.g. mobile technology, mobile communications, security, biometrics,
secure authentication of documents… this needs sufficient expert knowledge in all these
subject areas, plus integration of different streams into a single solution.
8: Pilot and learn
Mobile solutions cannot just be designed on paper—they require a highly practical
solution that works for the organisation and its officers, in the actual context. Design
and analysis can go a long way, but ideas may need to be tried out and perfected (or
even, rejected) in operational use. Piloting on a smaller scale in live operation may be
very effective in validating ideas, for example before a larger rollout. Even if the
device is right, lessons may still need to be learned about how best to use them in the
business process for maximum value, to train users effectively, and so on. Good
piloting and learning will improve users’ confidence in the solution. Make sure that
lessons learned are included in user training.
How can you deliver a strong mobile solution where there is no existing experience?
One suggested framework is to get there in three stages:
• (1) Proof of concept (PoC)—prototyping an initial solution and simulating
operational conditions to understand business requirements and demonstrate technical feasibility; • (2) Proof of Value (PoV)—a trial of the technology and processes with a
limited user group in operational conditions to demonstrate that benefits can be achieved; before • (3) Full rollout—of what is by now a proven solution in which you have
9: Test robustly
There are a lot of ways in which a mobile solution may not be fit for purpose.
Functional testing is one aspect—does it do what it is supposed to do? Non-
functional testing is also critical—is the device reliable and quick enough in practice?
Is it able to be used and understood by real users in real use? If the device encounters
a connection problem is it able to recover cleanly and automatically? Is the device
secure and able to resist all foreseeable attacks, especially as the integrity and
protection of core systems could be at risk? Will the solution work at the full loading
of transactions required at peak?
The approach taken to all aspects of testing must be robust—the device needs to be
proved to work effectively in real, operational conditions, not just in the laboratory.
Testing must expose and resolve any shortcomings before rollout to large numbers of
users, including testing new business processes enabled by the mobile solution.
Once the right test approach has been found, define it clearly as a test standard for the
organisation so that it can be repeated consistently when needed.
Your next move: developing a strategy for mobile solutions
We believe that many organisations have still to develop a real, organisation-wide
mobile strategy. Several have implemented mobile solutions as a tactical approach to
solve a particular business issue. It is clear that mobile solutions will become more
significant and pervasive over the next decade and there is therefore an increasing
need to progress to a full mobile strategy within organisations.
e-MOBIDIG would encourage immigration and police services:
• To note the developments in mobile technology that are taking place and to consider the strategic opportunities these bring for increasing effectiveness and delivering business benefits. e-MOBIDIG encourages each organisation to investigate potential benefits and to develop a strategy for effective use of mobile solutions. • When considering a proposal for the use of mobile technology, this is a good opportunity to consider whether this should be progressed as a tactical or strategic solution. A tactical solution particularly with the opportunity to pilot ideas for further development may still be the right approach, but it is worth considering what is best for the organisation—whether a more strategic approach should be adopted. • To note the good practice advice set out in this paper and in other working papers from the working group. e-MOBIDIG intends to continue to work to identify and share good practice in this field, but encourages others to recognise that no two organisations are identical and that analysis is still needed for the individual circumstances of each organisation.
Potential main areas for business benefit from mobile solutions may include:
• Clearer, quicker, more certain identification of people away from a fixed police or immigration office. This benefits officers in reducing doubt about someone’s identity or possibly their intentions, and where appropriate in alerting the officer to important information. It benefits the genuine person who is correctly asserting their identity. It may increase the possibility of detecting identity fraud or apprehending people who are wanted for some reason by the authorities. Benefits may include: increase in operational success and assurance on identity, decrease in missed identification of wanted persons and those considered likely to engage in criminal activity. • This may therefore also generate benefits through saving of time and cost in bringing a suspect to a fixed office to do identity checks, potentially unnecessarily. Benefits may include: increase in productivity, saving of staff time / cost, saving of vehicle / fuel costs, potentially savings in office costs because less office space is required with more officers able to work at full productivity away from base. Clearly, all use of mobile (or fixed) systems for identification or other purposes involving personal information must be in accordance with the law within each country, including privacy and data protection, and with operational guidance issued by the service in question.
Self-check: Where is my strategy?
How would you describe your organisation’s strategy in relation to mobile solutions?
Description
Commentary
“We see potential value but
Observing are watching developments
before committing.”
growing capability, and some learning can only be obtained by operational experience. • Time to start piloting and
thinking about future strategy?
“We have a mobile device
• Tactical solution—aims to fix or
Tactical
developments.”
Beware of building multiple solutions that do not interconnect. • Encourage a more strategic
approach for the whole
organisation / all solutions.
“We have an organisation-
• Strategic approach—aims to
Strategic
of mobile devices in several
business functions, accessing
several core IT systems. This
delivers real improvements
to our efficiency and
effectiveness in achieving
the aims of the organisation
as a whole.”
Targeting substantial benefits at the strategic level should provide greatest advantage for an organisation, but requires a sustained, long-term programme to achieve. It is not a simple solution or a ‘quick fix’. But to make a long journey you must take the first step… and then many more to follow.

Source: http://www.e-mobidig.eu/IMG/pdf/2012-03-18__1__e-MOBIDIG_Strategy_Ver_1-92.pdf