Biometry in passports

Biometry is used to identify people by measuring some aspect of an individual's anatomy or physiology, such as a fingerprint, facial features, the iris, DNA, or simply a photograph. In digital form such a measurement is usually called a template. It should be unique for each person. The attractive features of biometric measurements are that people always carry them around, that they are usually non-trivial to fake, and that the identification process can be automated (to a large extent).

Basically, there are two ways to use a biometric system: verification, where a fresh measurement is compared one-to-one with the stored template of the person someone claims to be (does this passport belong to this person?), and identification, where a measurement is compared one-to-many with a database of templates in order to find out who someone is.

In practice there is not always a perfect match between templates and individuals. One speaks of a false positive if the biometric recognition system says 'yes' where the answer should be 'no'. A false negative works the other way round: the system says 'no' where it should say 'yes'. One of the main challenges with biometric systems is to minimise the rates of both false positives and false negatives, and lowering one generally raises the other. In theory one is inclined to keep the false positives low, but in practical situations it often works the other way round: the people who operate these systems hate false negatives, because they slow down the process and result in extra work and complaints.
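To make this trade-off concrete, here is an added example (not part of the original page) that sweeps the decision threshold over constructed match scores and reports both error rates. The scores are made up: genuine and impostor comparisons are drawn from two overlapping distributions, which is all that is needed to see that no threshold drives both rates to zero, and what the operators' preference for few false negatives costs in false positives.

```python
import random


def constructed_scores(seed: int = 7, n: int = 2000):
    """Constructed similarity scores in [0, 1] for illustration only (no real biometric data).
    Genuine comparisons (same person) cluster high, impostor comparisons (different people)
    cluster low, with deliberate overlap so that no threshold is perfect."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.40, 0.12)) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Decision rule: accept when score >= threshold.
    False positive rate: fraction of impostors accepted ('yes' that should be 'no').
    False negative rate: fraction of genuine users rejected ('no' that should be 'yes')."""
    fpr = sum(s >= threshold for s in impostor) / len(impostor)
    fnr = sum(s < threshold for s in genuine) / len(genuine)
    return fpr, fnr


def sweep(genuine, impostor, steps: int = 1000):
    """(threshold, fpr, fnr) for thresholds 0, 1/steps, ..., 1."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps)) for i in range(steps + 1)]


def equal_error_point(genuine, impostor, steps: int = 1000):
    """Threshold where the two rates are closest: the equal error rate (EER) operating point."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


def operator_friendly_point(genuine, impostor, max_fnr: float = 0.01, steps: int = 1000):
    """What operators gravitate to: the strictest threshold that still keeps false negatives
    at or below max_fnr, paying for it with a higher false positive rate."""
    rows = [row for row in sweep(genuine, impostor, steps) if row[2] <= max_fnr]
    return max(rows, key=lambda row: row[0])


if __name__ == "__main__":
    g, i = constructed_scores()
    for label, (t, fpr, fnr) in (("EER point", equal_error_point(g, i)),
                                 ("operator point", operator_friendly_point(g, i))):
        print(f"{label}: threshold={t:.3f} FPR={fpr:.2%} FNR={fnr:.2%}")
```

With these constructed distributions the operator-friendly threshold (at most 1% false negatives) accepts roughly three times as many impostors as the equal-error threshold does; the numbers are artefacts of the made-up data, the direction of the effect is not.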

When a PIN code is used to authenticate people (via "what you know"), it is not a disaster if the code is lost or compromised (known to others): you simply ask your bank for a new PIN code. This is not possible with biometric templates (using "what you are"): you cannot simply get a new iris, fingerprint or DNA print. Hence biometric templates carry sensitive and very private information that should be handled with great care. Loss or compromise of biometric templates may lead to serious cases of identity theft. Restoration is basically impossible.

Storing biometric templates

When biometric information is used in a system such as a passport, the first question should always be: where is the biometric template stored, and how does the comparison with the measurement take place? More concretely, when a passport carries a chip with a biometric template, in a proper set-up the template should never leave the chip, and the comparison should take place on the chip itself. Also, the device that does the measurement (e.g. an iris scanner) should be secure, in the sense that it does not leak information to the outside. In such a set-up it is important to check the authenticity of the passport/chip, because a fake one could always answer 'yes'.

When the biometric templates are stored only in (the chip in) a passport, they can be used only for verification purposes, as explained above: to establish the relation between an individual and a passport. This combats so-called look-alike fraud.

As argued, there are serious privacy concerns when biometric templates are stored outside passports, for instance in large databases. Such databases can be used to identify people, for instance when a fingerprint is found at a crime scene. Such an application may be justifiable, but a large database raises serious privacy concerns: it can be misused to track the whereabouts of all individuals. Typically, a database is kept only of convicted criminals (of a sufficiently serious criminal act). But there is growing pressure towards centralised databases.

Security mechanisms in the biometric passport

The International Civil Aviation Organization (ICAO) has selected facial recognition (with the image stored in the chip) as the main biometric for "machine readable" travel documents. Additional biometrics, such as fingerprints or iris scans, are allowed; see their dedicated webpage with lots of material, including many standards documents. The biometric passport in the Netherlands (and likely also elsewhere in Europe) will contain pictures of the face, and also of two fingers (one left and one right, in principle). The ICAO standards allow several levels of security. The Netherlands will implement the highest level.
  1. Basic access control is optional (but implemented in NL), and means that the chip embedded in the passport will only respond after receiving a specific (cryptographic) key. This key is derived (automatically) from the so-called Machine Readable Zone (MRZ), the two-line text at the bottom of the data page of the passport, which contains the passport number, the name of the holder, the date of birth and the date of expiry, together with check digits. The key is computed from three of these fields: the document number, the date of birth and the date of expiry, each with its check digit. Since all of them are printed in the document (and are partly predictable), basic access control is not really a security mechanism. It makes sure that the holder of the passport must physically hand over the document before it can be read. This is meant to establish consent.
  2. Passive authentication is not optional. It is the checking of the signature of the so-called security object (the Document Security Object, SOD) inside the passport. This security object contains hashes of all the crucial data. It is signed with the private key of the issuing state. The corresponding public key must be made available via some international PKI, also because these public-private key pairs should be renewed every three months. This passive authentication mechanism must prevent the fabrication of fake passports.
  3. Active authentication is optional, but also implemented in NL. It is a challenge-response mechanism with the card, where the card signs a challenge with its own private key. The corresponding public key can be read from the passport (data group DG15). Its hash is part of the security object (as in 2). This active authentication mechanism must prevent the cloning of existing passports.
  4. Extended authentication (now known as Extended Access Control, EAC) can be used to restrict access to some of the biometric data. The facial image can simply be read out once the basic access control protocol (from 1) has been carried out. The fingerprints, however, are encrypted (in a test version in the Netherlands). It is not clear yet which mechanism will be used for extended authentication.
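How the basic access control key of item 1 is obtained from the MRZ, as an added example (not code from the original page): the functions below compute the ICAO check digits, assemble the MRZ information (document number, date of birth, date of expiry, each with its check digit), hash it with SHA-1 to get the 16-byte key seed, and derive the two 3DES keys K_enc and K_mac as ICAO Doc 9303 specifies. The input is the worked example from the ICAO specification itself (document number L898902C<, born 6 August 1969, expiry 23 June 1994), not real personal data. What the code makes obvious: every input is printed on the data page, and document numbers, birth dates and expiry dates are far from uniformly random, so the effective key space is much smaller than the 128-bit key length suggests; this is why it is fair to call basic access control a consent mechanism rather than a security mechanism.

```python
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits count as themselves,
    letters A..Z as 10..35, the filler '<' as 0; result is the weighted sum mod 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The part of the MRZ that feeds the BAC keys: document number (padded to 9
    characters with '<'), date of birth and date of expiry, each followed by its check digit."""
    doc = doc_number.ljust(9, "<")
    return "".join(f + str(mrz_check_digit(f)) for f in (doc, birth_yymmdd, expiry_yymmdd))


def bac_key_seed(info: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ information)."""
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def adjust_des_parity(key: bytes) -> bytes:
    """Set each byte's least significant bit so that the byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_bac_keys(info: str):
    """K_enc and K_mac per ICAO 9303 Part 11: SHA-1(K_seed || 32-bit counter), first 16 bytes,
    parity adjusted; counter 1 gives the encryption key, counter 2 the MAC key (two-key 3DES)."""
    seed = bac_key_seed(info)
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(adjust_des_parity(digest))
    return seed, keys[0], keys[1]


if __name__ == "__main__":
    # Worked example from ICAO Doc 9303 (not a real person).
    info = mrz_information("L898902C", "690806", "940623")
    seed, k_enc, k_mac = derive_bac_keys(info)
    print("MRZ information:", info)
    print("K_seed:", seed.hex(), "\nK_enc: ", k_enc.hex(), "\nK_mac: ", k_mac.hex())
```

The two derived keys are what the inspection system and the chip then use for the BAC challenge-response and for the secure messaging that follows it; that exchange is not shown here.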
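To see why passive authentication (item 2) stops fabrication and active authentication (item 3) stops cloning, here is an added example (my own illustration, not code from the page or from any passport implementation) that plays both sides: the issuer personalises a document, an inspection system checks it, and then a fabricated and a cloned document are run through the same checks. A toy textbook RSA on fixed small primes stands in for the real signature algorithms, and a simplified line-based security object stands in for the ASN.1 SOD; the data group contents are constructed placeholders. Everything else (hashes of the data groups in a signed object; a chip-held private key whose public key is pinned by that object; a fresh challenge per inspection) follows the mechanisms as described.

```python
import hashlib
import secrets


# Toy textbook RSA on fixed Mersenne primes, standing in for the real signature algorithms
# so that the protocol logic runs offline. NOT secure (no padding, tiny moduli) and not the
# RSA/ECDSA profiles ICAO specifies. Added example, not the page's code.
def toy_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                        # (public key, private key)


def representative(data: bytes) -> int:
    # First 8 bytes of SHA-256, so the integer is below every toy modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def toy_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(representative(data), d, n)


def toy_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == representative(data)


def encode_pub(pub) -> bytes:
    return f"{pub[0]}:{pub[1]}".encode()


def decode_pub(dg15: bytes):
    n, e = dg15.decode().split(":")
    return int(n), int(e)


# Issuing state's document signer key. The inspection system obtains the public half
# through the PKI; it never sees the private half.
ISSUER_PUB, ISSUER_PRIV = toy_keypair((1 << 61) - 1, (1 << 31) - 1)


def personalise(mrz: bytes, face: bytes, chip_pub) -> dict:
    """Issuer side: data groups DG1 (MRZ), DG2 (face image), DG15 (chip's AA public key)
    and the security object (SOD): a list of the data group hashes, signed by the issuer."""
    dgs = {"DG1": mrz, "DG2": face, "DG15": encode_pub(chip_pub)}
    sod_body = "".join(f"{name}={hashlib.sha256(data).hexdigest()}\n"
                       for name, data in sorted(dgs.items())).encode()
    return {**dgs, "SOD": (sod_body, toy_sign(ISSUER_PRIV, sod_body))}


class Chip:
    """A passport chip: readable data groups plus a private key that never leaves it."""
    def __init__(self, data: dict, priv):
        self.data, self._priv = data, priv

    def read(self, name: str):
        return self.data[name]

    def active_auth(self, challenge: bytes) -> int:
        return toy_sign(self._priv, challenge)


def passive_authentication(chip: Chip) -> bool:
    """Check the SOD signature against the issuer's public key, then every data group against
    its hash in the SOD. Detects fabricated or altered data, not faithfully copied data."""
    sod_body, sod_sig = chip.read("SOD")
    if not toy_verify(ISSUER_PUB, sod_body, sod_sig):
        return False
    for line in sod_body.decode().splitlines():
        name, digest = line.split("=")
        if hashlib.sha256(chip.read(name)).hexdigest() != digest:
            return False
    return True


def active_authentication(chip: Chip) -> bool:
    """Send a fresh 8-byte challenge; verify the chip's signature with the public key from DG15.
    Only meaningful after passive authentication has bound DG15 to this document."""
    challenge = secrets.token_bytes(8)
    return toy_verify(decode_pub(chip.read("DG15")), challenge, chip.active_auth(challenge))


def inspect_document(chip: Chip):
    pa = passive_authentication(chip)
    return pa, pa and active_authentication(chip)


def scenarios() -> dict:
    """Constructed inputs: a genuine document, a fabrication (face image replaced) and a clone
    (all readable data copied bit for bit, private key unavailable to the cloner)."""
    chip_pub, chip_priv = toy_keypair((1 << 89) - 1, (1 << 19) - 1)
    _, attacker_priv = toy_keypair((1 << 107) - 1, (1 << 17) - 1)
    genuine = Chip(personalise(b"P<UTOSAMPLE<<HOLDER<<<<<<<<<<<<<<<<<<<<<<<<<",
                               b"constructed-face-image", chip_pub), chip_priv)
    fabricated = Chip({**genuine.data, "DG2": b"look-alike-face-image"}, attacker_priv)
    clone = Chip(dict(genuine.data), attacker_priv)
    return {name: inspect_document(c)
            for name, c in (("genuine", genuine), ("fabricated", fabricated), ("clone", clone))}


if __name__ == "__main__":
    for name, (pa, aa) in scenarios().items():
        print(f"{name:10s} passive={pa} active={aa}")
```

The clone is the instructive case: passive authentication succeeds, because everything the cloner could read was copied faithfully, and only the challenge fails, because the cloner cannot sign with a key that never left the chip and cannot substitute a key of his own without breaking the DG15 hash in the SOD. This is also why active authentication is only run after passive authentication: without the SOD binding, a fake chip could present any public key in DG15 and answer the challenge itself, which is the "a fake one could always answer 'yes'" problem noted earlier.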

A change of policy: from verification to identification

The situation in the Netherlands was quite reasonable at first, but has changed radically. The argument is simply "terrorism".

The original goal (in 2002) was verification only, according to the Memorie van toelichting (explanatory memorandum, Kamerstuk 28 342 (R 1719), Nr. 3, Wijziging van de Paspoortwet 2002, Minister van Boxtel). At p.3 it says (translated from Dutch):

The recording of biometric data in the travel document has the purpose of making it possible to verify, on the basis of these data, that travel document and holder belong together. This strengthens the function of the travel document as a reliable identity document. It therefore concerns a limited, specific application of biometrics.
This expresses the intention to use the biometric data only to establish the relationship between individual and passport. A bit further on, at the same page:
Furthermore, the dissemination of the biometric data is counteracted. This is done on the one hand by storing the data decentrally, in the chip on the travel document itself, and on the other hand by not including the biometric data in the files of verifying institutions during verification operations. The biometric characteristic will, however, be added to the other personal data that are stored in the travel document administration. This decentralised administration serves only for consultation in case of loss and in other special circumstances in the use of travel documents, in which it is necessary to verify the identity of the person concerned on the basis of the data stored in the administration, including the biometric data. Although consultation of this administration is already bound by strict rules in the various passport implementation regulations, with regard to the data on the holder's biometric characteristics stored therein the Act itself lays down the framework within which these data may be provided from the travel document administration. On the one hand this means that provision can take place only in the context of the implementation of this Act, to the authorities charged therewith, or, where fraud or misuse of the travel document is suspected, to the officials charged with investigating it. On the other hand, it will not be possible to search the travel document administration arbitrarily for the presence of a person's biometric data; rather, if the name or the number of the travel document of the person concerned is known, it will be possible in an individual case to check, on the basis of the stored application data, including the biometric data, whether the holder is the same person as the one to whom the travel document was issued.
Hence the original goal was to have decentralised databases with the biometric data, which should only be used in case fraud with the passport is suspected. This is in line with the recommendations by rapporteur Carlos Coelho of the European Parliament (COM(2004)0116 - C5-0101/2004 - 2004/0039(CNS)). The recommendations say on p.8:
No central database of European Union passports and travel documents containing all EU passport holders' biometric and other data shall be set up.

However, in early 2005 the Dutch Minister of Justice and Minister of the Interior sent a letter to Parliament (dated 24 January 2005, number 5327519/05/NCTb) on combating terrorism. Among the many measures in this 23-page letter there is a crucial paragraph on p.12, where it is mentioned that a national database of biometric data from passports will be set up for identification purposes (translated from Dutch):

In addition, in the context of counter-terrorism, and supplementary to the inclusion of biometric characteristics on visas and identity documents, an information infrastructure will be developed that creates the possibility of also verifying identity online. This presupposes that the administrations of the identity documents with biometric characteristics are organised centrally. In this way the growing number of cases of so-called look-alike fraud, which terrorists can also make use of, can be countered. Implementation protocols will be developed for the manner in which verification, via the infrastructure, in the databases must take place. All this follows from the Cabinet's position on combating identity fraud and the commitments made in the Terugkeernota (Return Memorandum). The development of this information infrastructure contributes to the intensification of cooperation at the European level and contributes to the effectiveness of the enforcement of the identification obligation. Among other things, this infrastructure serves to support the intensifications at the implementing services. The funds reserved in this letter relate exclusively to the information infrastructure mentioned. The Minister for Government Reform and Kingdom Relations (Bestuurlijke Vernieuwing en Koninkrijksrelaties) will inform the House at a later time about a central registration of biometric data, which underlies an information infrastructure.
This fundamental policy shift has received little attention, except in a (Dutch-language) item of the Radio 1 programme De Ochtenden on 4 April 2005, repeated on 21 April 2005 (mp3 (9 MB) © EO Radio).

A new phrase: "online verification"

A next step is letter BPR2005/54982 by minister Pechtold of 18 April 2005. It confirms the presence of the security mechanisms mentioned above (basic access control, passive authentication, active authentication). The passport will be introduced in two phases: first with a facial image only, and later also with fingerprints. The latter will be protected via the extended authentication mechanism, the details of which still have to be laid down by the European Commission.

This letter gives motivations for the central database with biometric data, as announced in the "terror letter" described in the previous subsection. The earlier intended role of this central database for identification purposes (to contribute to the effectiveness of the identification obligation) is not repeated. Instead, the new role of the database is "online verification", for which three arguments are listed. They are all invalid.

  1. To obtain additional certainty about the identity of the holder of the travel document (translated from Dutch):
    The online verification of the documents in the administration of those documents is necessary in order to be able to obtain (more) certainty about the identity of the holder of the document and the reliability of the document.
    There is no way that the central database can provide additional certainty, because it contains the same biometric data as the travel document.

    There is one situation where the "additional certainty" argument may make some sense, namely when the chip in the travel document is broken. However, this is not mentioned in Pechtold's letter. In such a situation one can always fall back on the traditional aspects of the travel document, and record the biometric data (obtained from the holder) for a later check and possible blacklisting. In any case it is not yet clear what the procedures will be in case of a broken chip, so the handling of this case is pure speculation at this stage.

  2. To check the authenticity of the data in the travel document (translated from Dutch):
    In the future it will also be possible to verify online whether the data in the document correspond to the data that were stored in the administration when the document was applied for.
    The authenticity of the document can be established offline via the passive and active authentication mechanisms discussed above. That is the very reason for including these mechanisms. If you don't trust those authentication techniques, you should not include a chip at all!

  3. An additional check at enrolment, to prevent multiple applications at different locations (translated from Dutch):
    It makes it possible, when processing applications, to check whether the applicant has also submitted an application for a travel document to other authorities.
    This is a peculiar argument, because an application for a travel document has to be made in one's own home town, which should have a local, decentralised database anyway. But even if one wishes to perform such checks, one can keep a lightweight central database at the passport manufacturer which contains only "abstract" biometric data, via hashing. This should prevent misuse. (Note that an ordinary cryptographic hash matches only identical inputs, whereas two measurements of the same finger are never identical; such a database would therefore need a noise-tolerant template-protection scheme rather than a plain hash of the template.)
The whole idea of such a central database is a sad example of what is usually called feature creep in the computer security literature: the original set-up is gradually changed by introducing additional features, which at the same time add additional security risks. Making the central database with biometric data available online at so many check points is asking for trouble. It will be a very tempting target for hackers. It may be expected that such hackers work for organised crime (for large-scale identity theft) or for terrorists. Compromise of the database would be a national disaster. It is incomprehensible that the Dutch government is willing to take such risks.

Further it would be very ironic if this central database, originally intended to combat identity fraud, would become, when hacked, the prime source for such fraud, on an unprecedented massive scale.

Another foreseeable case of feature creep is future use of the central biometry database for identification and tracking of individuals via surveillance cameras in public spaces. This forms a serious privacy concern.


This page is maintained by Bart Jacobs.