Feeds

EU ministers approve biometric ID, fingerprint data sharing

All this and record retention too!

High performance access to file storage

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

The latter proposals cover the existing Schengen Information System (SIS), its Visa Information System successor (VIS/Schengen II), and the EURODAC database of asylum seekers and illegal immigrants, but the Commission will also be raising "other initiatives", including the consideration of "a system for monitoring entry and exit movements", a "frequent traveller" system and the creation of "a European criminal Automated Fingerprints Identification System (AFIS)." So although some European states (not the UK) are strongly against the creation of a central biometric database of all their citizens, the construction of large-scale pan-European fingerprint systems proceeds apace.

The "minimum security standards" to be adopted for ID cards are effectively those already adopted for the European biometric passport, "bearing in mind the need for interoperability based on ICAO standards", and consist of an RFID chip containing facial and two fingerprint biometrics. Applicants will be required to attend in person (as is already planned in the UK), and "applications should be verified by authorised personnel against existing databases... for example, civil registers, passport and identity cards databases or driving licence registers."

According to UK Home Secretary Charles Clarke, in a written statement to Parliament yesterday, these security standards "will be important in addressing the weak link in EU travel documentation." Up to a point, Home Secretary, but there's a deal of frog-boiling going on here, as the Ministers slowly establish the ID cards and the databases without involving the voters or the legislatures.

Within the Schengen area of Europe (the UK isn't part of this) there are no permanent border controls, hence no need for ID at borders. Nor is an ID card necessarily required for air travel within the area (or for that matter between the UK and Ireland) - numerous different classes of identification are acceptable to various different carriers, and a fair bit of discretion is quite often exercised. Several of the current generation of European national ID cards are eminently forgeable, hence Clarke's "weak link", but as Europe's laws currently stand the holes a European biometric ID standard would plug are strictly limited. Although the requirement to carry national ID and produce it on demand exists in some European countries, there's no such general requirement, which limits the use of biometric ID for European internal controls. In the case of the UK, the ability to read non-UK ID cards at borders might be helpful, and this could initially be done via the biometric readers installed to support the biometric visa rollout. But in the absence of a central biometric database of European citizens it will only be possible to compare the bearer's fingerprints with the data on the card, so the system is only secure if the card really cannot be forged, and if cards don't end up being issued fraudulently.

The "standard" ID card is also not entirely standard, in that its endorsement by the Justice and Home Affairs Council is actually non-binding. This theoretically means that member states don't have to adhere to it if they don't want to, but as it's being agreed by the states on an intergovernmental basis it's more a case of the Interior Ministers committing to a standard European ID card without it being subject to any national or European parliamentary scrutiny. Implementation via this mechanism (which Statewatch editor Tony Bunyan terms "soft-law", and says is becoming increasingly common) also allows the Ministers to implement programmes in areas where their legal standing is at best dubious (see Statewatch for the legal position on biometric ID and passports).

Much of the current European security and anti-terror agenda falls into the "soft-law" category, with decisions made first by (in Clarke's words) "representatives of the Member States meeting inter-governmentally" in "the margins of the Council", then enshrined in law once an ill-balanced 'compromise' can be beaten out of the EU Parliament; Member State legislatures need not waste their time applying for a place in this process. ®

SANS - Survey on application security programs

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.