
Security and interop issues cause EU biometric passport delays

Begs for deadline extension


The European Union has asked the US to put back its biometric passport deadline for another year, citing "data security and interoperability of reading devices" as issues that still needed to be resolved. Meanwhile, data security is becoming a major issue in the run up to the planned rollout of US biometric passports later this year. The current deadline, after which the US will require biometric passports for non-visa travellers, is 26th October 2005, but EU Justice and Home Affairs Commissioner Franco Frattini has asked for this to be put back to August 28th 2006.

The most serious of the problems Frattini describes with some understatement as "still being finalised" relates to the planned use of a contactless chip to house the passport's data, and the security mechanisms used to protect that data from unauthorised readers. Contactless means (at least in theory) that travellers can breeze through the barriers with a wave of their passport, thus speeding their progress towards whatever destination immigration officials choose to assign them. But contactless also means that the data is vulnerable to snooping, and it should not take too much effort for would-be snoopers to produce devices that will read the passport data from a greater distance than the designers would wish.

Much US opposition to the technology complains, with characteristic insularity, that such systems would allow terrorists to identify Americans abroad and kidnap them. For our non-US readers, however, we should stress that such systems would allow terrorists to identify anybody and kidnap them. Or steal their ID. Or even better from the point of view of automation-happy kleptos, locate and steal their passports.

So some form of security that will stop them doing this is necessary, but it's difficult to see how it could be devised, and the US itself seems to be tacitly admitting that it can't. The US is adding "technical features" to protect the data, but according to Frank Moss of the State Department these will play a role in "mitigating the risk of skimming." If he could have said eliminating, we feel sure he would have, but he said "mitigating".

Frattini's second issue of "interoperability of reading devices" rears its head here. Obviously, if you're going to have a global standard for contactless biometric passports, then all of the relevant people in all of the countries issuing them are going to need to be able to read all of the passports. So what price your security? Even if you can persuade yourself your own people aren't going to be a source of leakage of either readers or technical data, are you seriously going to trust everybody out there?

One feels perhaps that there was a joined up thinking failure in the development of the cunning biometric passport plan. The data printed in the current generation of passports is completely open, unsecured, and available to any terrorist or official of an axis of evil member state who cares to open it and look. The International Civil Aviation Organisation (ICAO) standard for biometric passports is intended to provide a machine-readable equivalent of this, so logically it should be just as available. The error would therefore seem to arise from thinking that making it available from a distance was a bright idea.

Faced with these difficulties, giving passports their very own 'tinfoil hats' so that they're only readable when taken out of their sleeves seems the most obvious workable (but perhaps not entirely marketable) solution.

The EU itself has uncovered further issues at the bleeding edge of computerised ID technology. Last year plans for biometric visas took a knock when a technical team reported that having multiple contactless chips in the one passport produced a predictably unintelligible noise from competing songsheets. Multipart bodges where the offending chips are housed separately have been proposed, but this doesn't sound like a particularly effective 'next generation' of a single passport document where all of the relevant data, including visas, entry and exit stamps and endorsements, is readily available. So we have another joined up thinking failure here.

Matters are further complicated because of the difficulties the various countries developing biometric passports face in keeping in step (even if they want to). The US is producing its own passports while the EU's effort is at least intended to be interoperable within the EU. But the UK, as a non-Schengen EU state, is engaged in efforts that are at least technically separate from the EU ones. The EU also intends to add fingerprint to the facial biometric (ICAO requires facial, but offers fingerprint as optional). Although the UK is very keen indeed on fingerprinting everybody, it isn't bound to do so by the EU timetable, so one can foresee the possibility that a delayed EU standard passport could emerge with fingerprint from the start, while the UK and the US simply used facial. At least the first generation of UK passport will ship with facial only, but will still miss the US October 2005 deadline.

It's now not clear when (possibly even "if") the UK will add fingerprint and iris to the biometric data collected in passport applications. Passport applications were initially seen by the UK Government as a key enrolment route for the ID card scheme, but it has now ended up planning to ship what critics said it could have shipped in the first place - an ICAO-compliant passport with facial biometric (which is actually just a digitised conventional mugshot in this case), and without any spurious linkage to ID card schemes. The price of a passport will nevertheless still rise to ludicrous levels when they do ship - as a Privacy International analysis this week notes, this is something of a puzzle. ®

Related Stories:

Europe kicks UK out of biometric passport club
Fingerprints to become compulsory for all EU passports
Home Office prohibits happy biometric passports
