Feeds

Security and interop issues cause EU biometric passport delays

Begs for deadline extension

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

The European Union has asked the US to put back its biometric passport deadline for another year, citing "data security and interoperability of reading devices" as issues that still needed to be resolved. Meanwhile, data security is becoming a major issue in the run up to the planned rollout of US biometric passports later this year. The current deadline, after which the US will require biometric passports for non-visa travellers, is 26th October 2005, but EU Justice and Home Affairs Commissioner Franco Frattini has asked for this to be put back to August 28th 2006.

The most serious of the problems Frattini describes with some understatement as "still being finalised" relates to the planned use of a contactless chip to house the passport's data, and the security mechanisms used to protect that data from unauthorised readers. Contactless means (at least in theory) that travellers can breeze through the barriers with a wave of their passport, thus speeding their progress towards whatever destination immigration officials choose to assign them. But contactless also means that the data is vulnerable to snooping, and it should not take too much effort for would-be snoopers to produce devices that will read the passport data from a greater distance than the designers would wish.

Much US opposition to the technology complains, with characteristic insularity, that such systems would allow terrorists to identify Americans abroad and kidnap them. For our non-US readers, however, we should stress that such systems would allow terrorists to identify anybody and kidnap them. Or steal their ID. Or even better from the point of view of automation-happy kleptos, locate and steal their passports.

So some form of security that will stop them doing this is necessary, but it's difficult to see how it could be devised, and the US itself seems to be tacitly admitting that it can't. The US is adding "technical features" to protect the data, but according to Frank Moss of the State Department these will play a role in "mitigating the risk of skimming." If he could have said eliminating, we feel sure he would have, but he said "mitigating".

Frattini's second issue of "interoperability of reading devices" rears its head here. Obviously, if you're going to have a global standard for contactless biometric passports, then all of the relevant people in all of the countries issuing them are going to need to be able to read of the passports. So what price your security? Even if you can persuade yourself your own people aren't going to be a source of leakage of either readers or technical data, are you seriously going to trust everybody out there?

One feels perhaps that there was a joined up thinking failure in the development of the cunning biometric passport plan. The data printed in the current generation of passports is completely open, unsecured, and available to any terrorist or official of an axis of evil member state who cares to open it and look. The International Civil Aviation Organisation (ICAO) standard for biometric passports is intended to provide a machine-readable equivalent of this, so logically it should be just as available. The error would therefore seem to arise from thinking making it available from a distance was a bright idea.

Faced with these difficulties, giving passports their very own 'tinfoil hats' so that they're only readable when taken out of their sleeves seems the most obvious workable (but perhaps not entirely marketable) solution.

The EU itself has uncovered further issues at the bleeding edge of computerised ID technology. Last year plans for biometric visas took a knock when a technical team reported that having multiple contactless chips in the one passport produced a predictably unintelligible noise from competing songsheets. Multipart bodges where the offending chips are housed separately have been proposed, but this doesn't sound like a particularly effective 'next generation' of a single passport document where all of the relevant data, including visas, entry and exit stamps and endorsements, is readily available. So we have another joined up thinking failure here.

Matters are further complicated because of the difficulties the various countries developing biometric passports face in keeping in step (even if they want to). The US is producing its own passports while the EU's effort is at least intended to be interoperable within the EU. But the UK, as a non-Schengen EU state, is engaged in efforts that are at least technically separate from the EU ones. The EU also intends to add fingerprint to the facial biometric (ICAO requires facial, but offers fingerprint as optional). Although the UK is very keen indeed on fingerprinting everybody, it isn't bound to do so by the EU timetable, so one can foresee the possibility that a delayed EU standard passport could emerge with fingerprint from the start, while the UK and the US simply used facial. At least the first generation of UK passport will ship with facial only, but will still miss the US October 2005 deadline.

It's now not clear when (possibly even "if") the UK will add fingerint and iris to the biometric data collected in passport applications. Passport applications were initially seen by the UK Government as a key enrolment route for the ID card scheme, but it has now ended up planning to ship what critics said it could have shipped in the first place - an ICAO-compliant passport with facial biometric (which is actually just a digitised conventional mugshot in this case), and without any spurious linkage to ID card schemes. The price of a passport will nevertheless still rise to ludicrous levels when they do ship - as a Privacy International analysis this week notes, this is something of a puzzle. ®

Related Stories:

Europe kicks UK out of biometric passport club
Fingerprints to become compulsory for all EU passports
Home Office prohibits happy biometric passports

Top three mobile application threats

More from The Register

next story
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.