Feeds

Much of UK biometric passport data for archive, police use only?

Minister maybe blurts truth - but it won't fit anyway

Top three mobile application threats

Passports and ID cards are unlikely to actually use most the "13 biometrics" the Government proposes to collect on all citizens, which is probably just as well, because they won't fit. But much of the biometric data that will be collected on registration will hardly ever be used. In a parliamentary answer to questioning by Lynne Jones MP last week, Home Office Minister Andy Burnham said that: "As the images [the biometric data] will not be required for routine matching and may only be used for generating the template on enrolment and subsequent biometric renewal, they could therefore be stored in a separate database which may be managed as an archive."

The amount of biometric data that can be housed on an ID card is a simple matter of available real estate, and that means there will be clear limits on the nature of the local (i.e., compare holder to data on card) checks that can be carried out. Burnham's answer, however, indicates that even 'higher security' biometric checks via the NIR will use only a subset of the data gathered, with the balance being 'for the record', allowing the Government to run a full ID check on you every time you have to renew your passport or card. But it will be of no earthly use to anybody else. If some of the data is not used, there will be no need for it to be part of the NIR (indeed, this would be very poor IT practice), and it could be housed separately. Burnham's use of the word "archive" should not however be taken to mean the data will be used solely on enrolment and renewal; the Home Office's document Identity Cards Scheme - Benefits Overview anticipates the ID scheme being used for "police identifying fingerprints from scenes of crime", and this will clearly require access to a full set of fingerprint biometric data, which implies that security services will have access to the archive.

No firm decision on identity scheme data storage have yet been taken, according to Burnham, but at minimum the passport will include an ICAO standard "high resolution image" that can be read by machine. "It is also assumed," he says, "that images of the other biometrics will be stored at a sufficient resolution to enable templates (the compact encodings of the essential patterns in iris and fingerprint biometrics which are used by matching algorithms) to be regenerated should the matching technology being used by the Identity Cards scheme be updated or changed."

That however is where he switches from what's actually carried in the passport (and, assuming the use of the same technology, the ID card), to data that may simply be squirrelled away in the Home Office archives. According to the Passport Office's published statements the passport will contain a facial image, but the inclusion of other biometrics is simply an option that will be considered. Europe however intends to include both facial and fingerprint from 2008, and while the UK is not bound by this decision because it is not part of the Schengen agreement, the UK Government intends to toe the line anyway. So whatever the Passport Office says, we can assume fingerprints will be added.

The ICAO biometric standard calls for a minimum of 32K storage, but 64K, which has been adopted for the US passport, looks likely to be the de facto world standard. The templates Burnham refers to "might be expected to take up a few 10's of Kilobytes per person", so should be no great challenge as far as central storage is concerned, but that is clearly not the case when it comes to a 64K chip in the passport. According to data prepared for the European Council of Ministers, the facial image will take up 12-15K, while fingerprints are expected to require 12K per finger. The European standard biometric passport is currently planned to include facial image and two fingerprints, so Europe's biometric data mops up 36-40K. More storage will be used by other data so, as and when the UK does add fingerprint, it's difficult to see how it could go much beyond Europe's two without going to the expense of increasing the available storage. This implies that when it comes to recognition of individuals without the presence of a card of passport (as in 'you are your ID'), the system will rely on two fingerprints alone, given the relatively poor performance of facial in such scenarios.

And iris data, which the UK likes but which is not part of the European proposals? In your dreams, we'd say. Incidentally, some people do argue that a signature is a biometric, and we can't see why it shouldn't be. So, strictly speaking, the UK scheme will use 14 biometrics, not 13, as the signature will be stored too. We commend this as a cheap marketing upgrade to the snake oil salesmen at the Home Office explaining why the scheme's so amazingly secure.

And about that biometric passport rollout... Given that, as the Home Office insists, the infrastructure for ID cards, including enrolment centres, is needed anyway in order to meet ICAO biometric passport requirements, there are just a few things about the Passport Office's release schedules that seem not entirely to add up. We've just passed one small milestone in the form of the new rules for passport photos, which try to make it easier for machines by telling you to keep your head straight, tuck your teeth in and stop looking so shiny, etc.*. The next step is due early next year, when the issuing of biometric passports begins. But as we shall see shortly, "biometric" is something of a misnomer here, because really all it means at first is that they'll have a chip in them.

But you'll still apply for them in the same way, using the same normal (albeit with your teeth tucked in) pictures, and they'll be ICAO-compliant biometric passports anyway. We do not yet have an ETA for the biometric enrolment centres we'll have to show up at in order to have the full range of data collected, which is understandable insofar as the ID Cards Bill has not yet been passed, but would be perplexing if the enrolment centres were necessary for biometric passports. Which, as we keep saying, they're not.

The Passport Office does however intend that new applicants for passports will have to report for personal interview from late next year, and that's the obvious opportunity for the commencement of biometric enrolment. So, biometric passport rollout using normal (come on, we've told you to keep your head straight) pictures and processes, early 2006. Enrolment centres 'needed' for biometric passports, late 2006 at the earliest. Your honour, we rest our case. The Government's linkage between ID cards and passports is phoney. ®

* If you think about what's happening here, the Rise of the Machines is all too obvious. The deployment of technology means that just looking approximately like yourself, which has been enough to satisfy dozing border control operatives for many years, is no longer enough. You now need to look like what the machines imagine you should look like. The new rules haven't been in place long and were cunningly brought in after the summer passport rush, so we can probably look forward to the reports of many horror stories that haven't yet happened. The Sunday Times has started collecting, but disappointingly the original appeal for contributions is funnier than the subsequent selection of the best. Help them out, people...

Passport trivia(?): According to an answer given by Andy Burnham on 18th October, the total number of lost or stolen passports reported in the UK in 2004 was 306,406. The 2003 figure was 184,301, so the increase was much larger than in previous years (2002 - 166,358, 2001 - 148,230, 2000 - 114,624). One wonders what factors might underlie this apparently disturbing trend, but one very much doubts that it has yet occurred to the Home Office to do so.

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple ran off to IBM
But never fear fanbois, you're still lapping up iPhones, Macs
Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
Phone egg, meet desktop chicken - your mother
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.