Kiddiprinters! EU biometric ID plans reach out for the children
You're never too young to get a record, say interior ministers
The EU is planning to fingerprint children from as young as six, and earlier just as soon as it is technically feasible, according to documents obtained by Statewatch. The matter has already caused considerable debate (albeit behind closed doors and with no visible civil liberties concerns) among member states, but is being pushed ahead as part of a broader push towards biometric identifiers, without reference to the European Parliament.
Or indeed anybody much. The mechanism being used is an "Article 6" committee composed of representatives of the 25 governments and chaired by the Commission. This one was originally set up to decide on "technical specifications" for visas, then went on to cover residence permits for third country nationals, and then the matter of EU ID cards. In some areas the decisions taken are beyond the legal powers of the bodies involved (this is particularly obvious in the case of biometric security standards for ID cards), but matters can nevertheless proceed via the creation of 'soft law', non-binding "conclusions" of the Council of Ministers, and 'standards' agreed by ad-hoc groups of countries (see Statewatch with reference to biometric ID, and this House of Lords report for a more general review of the process).
The child fingerprinting document cites the regulation of 13 December 2004 standardising on a facial image and two fingerprints, which was purportedly "in accordance with ICAO provisions" - fingerprints are in accordance with ICAO "provisions", but are not an ICAO requirement. The overdesign of EU passport standards meanwhile bleeds into an effort "to follow a consistent approach to the use of biometric identifiers" - i.e. visas, residence permits, ID cards. All of this blamed on ICAO, sort of.
This particular document, from the Presidency, is in a sense more liberal than might otherwise have been the case. Fingerprinting of children will be "compulsory" from age 12, although the document notes that more sophisticated and expensive software can take account of changes in fingerprints that take place in development from age six. The Summary of discussions from the June meeting of the Council of Ministers' Visa Working Party however shows some divergence in views and practices on the subject. German legislation, for example, sets the minimum at 14, while several other states seem willing to go along with six. The French ("pensez aux enfants!") view six as important to combat child trafficking, while the UK (at the bleeding edge, as always) claims to have had no difficulty achieving matches and hits from as young as five.
As the UK's data can only have been produced via pilot studies on a relatively small number of asylum seekers' children, its usefulness with regard to large scale fingerprint databases which haven't been built yet is doubtful. Elsewhere in the document the Commission representative claims that "according to technical studies, fingerprints could be used from the age of six for 'one to one search' but not for search in big databases".
Ah, but what "big databases" might these be? The EU is currently committed to collecting biometric data from visa applicants and storing these on the "Schengen II" database currently under construction. Plans for central storage of the general citizenry's passport biometric data, or for a continent-wide exchange of biometric ID card data, have not as yet been revealed, and although some states (hello, the UK) have plans (currently broken ones) to set up their own databases, others are legally prohibited from doing so.
There is however a slippery slope that begins with centralisation of passport security. The current EU biometric passport specification follows ICAO closely on security requirements, the key difference being over the treatment of fingerprints. These, as we keep saying, are not compulsory under ICAO standards, but ICAO lays down security standards to be met where they are included.
And makes it clear that fingerprint and iris security is the job of the issuer - 'nothing to do with us, Gov' as the subtext clearly says. There's a difference here that's not much noted and deserves wider currency. ICAO's mission is not to identify individuals but to maintain the integrity of the document, and that is the purpose of the PKI system that ICAO will be setting up. It is designed to tell the inspecting authority simply that the passport was properly issued by the competent authority, and when (as is inevitable) particular countries' security systems are compromised, that (so long as everybody else knows about it) is the problem of the particular countries who've wound up issuing dud passports.
A passport can be used as an identity document, of course, but that's nothing to do with ICAO, that's to do with the inspection authority checking that whatever's carrying the document matches information contained in the document. Facial recognition can at the moment be used as a fairly unreliable automated way to do this, hence the fashion for fingerprints, and hence also the need for levels of security that are nothing to do with ICAO. Which, in the case of the EU, means the construction of a "Public Key Infrastructure for Inspection Systems". This, derived from work by Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI), is effectively the EU-run equivalent of the ICAO PKI system intended to protect the document. But don't hold your breath - a technical working group (Brussels Interoperability Group, BIG) "will be established" (our emphasis) to "develop a common Certificate Policy within one year after the Commission Decision on the technical specifications". Then the "Country Verifying CA of each Member State shall [their emphasis] publish a Certificate Policy and may set up a Certification Practice Statement in accordance with the requirements set out by the 'BIG'".
Answering ID card security questions in the House of Commons recently, Home Office Minister Joan Ryan showed herself either blissfully unaware of ICAO's security strictures for fingerprints, or unwilling to share any knowledge she might have had with the rest of us. She certainly seemed to mistake ICAO's document security requirements for overall security requirements. But as the EU has only just got its PKI roadmap out of the door (June 2006), she may not have been entirely alone in this.
So do we go with the biometrics before the security is in place, or do we wait for the EU to set up a secure (which seems improbable to us, at least), EU-wide PKI infrastructure before we go with the biometrics? The House of Lords report cited earlier is relevant here, because it specifically deals with the conflicts between EU security and data protection/privacy standards. The Interior Ministers (via the Council of Ministers and its various spin-off groups) opt for pushing ahead on security (you might categorise their activities here as the A-Z of Big Brotherdom) and then fitting privacy standards in whatever space might be left. And as they do this without proper (or more accurately, any) scrutiny, privacy doesn't get a look in.
On the upside, however, we have yet to see how badly Brussels can screw up a really big, really public IT project, and how dismally the member states will perform when it comes to keeping data accurate, up to date and exchanging it. Schengen II may not be high-profile messy because it will primarily deal with third country nationals (conforming to US standards, we do not care much about these), but betting on a PKI disaster now might be a smart move, and as ID cards used as travel documents will have to conform to ICAO requirements or to "follow a consistent approach to the use of biometric identifiers", then PKI becomes a big internal EU issue.
In the UK, meanwhile, the situation is complicated first by the fact that we're not a Schengen signatory (see Blunkett, Blair and the wonderful world of EU opt ins), so not actually covered by EU passport/bio ID plans, and second by a commitment to ship biometric passports and ID in two to three years' time (residence permits for third country nationals first, in 2008). So is it the case that the security systems the UK ID card and the passport (fingerprint version) will use are those to be built as part of Schengen? If it is, why, and will it be ready in time? And if not, will there be a specifically British PKI system instead? ®