Feeds

Replace your broken biometric passport? Just say no...

How can they tell with no readers, anyway?

High performance access to file storage

The NAO report also identifies issues with the current ePassport border control regime, and further issues to come. Essentially all that IPS has managed to do so far is to switch over to a new passport format and ship it without messing up - but practically all of the 'advantages' of the new system have yet to be switched on. The readers for the new passports have, largely, yet to be deployed and the Immigration & Nationality Directorate only began testing of high volume throughput for ePassports in November of last year. In theory, they hope, it will take eight seconds to run a passport through a reader, but they really have no worthwhile experience of what happens when a couple of 747 loads of biometric passports all hit the barriers at the same time. And, if we again consider the possibility of broken chips, we should factor in here what the report has to say about how failures will be dealt with: "In instances where the chip cannot be read, secondary screening measures need to be in operation to maintain the increased security offered by the implementation of ePassports."

So in IPS's ideal world, the bearers of the small number of dud passports are encouraged to get them replaced by the judicious application of more tedious "secondary screening measures." But, should it turn out there are large numbers of failures, these secondary measures (which we can surely expect to be somewhat ad hoc and confused) will result in tailbacks at the barriers, or subsidiary tailbacks at the secondary screening with knock-on tailbacks at the barriers, or IND operatives putting their hands up and just letting everyone through. Which was by no means unknown in the pre-ePassport world.

And the screening in an extreme ideal world where none of the chips are broken has problems that will persist, even after the front desk readers are installed. Says the report: "Immigration Officers will, until September 2007, have to leave the front desk to undertake additional checks of the digital signature using the readers located in back offices." There is, apparently, a "technical issue preventing full functionality at front desks," and as an interim measure an extra 200 readers are to be installed in back offices to check digital signatures.

It's not clear from the report what precisely the technical issue is, but clearly the front line readers aren't able to check that the passport being checked is genuine, and they're also unable to establish this via a network connection. Immigration officers can check that the passport is genuine, but that's going to take a good deal longer than eight seconds, so it's only going to be done in 'special cases'.

Further problems will arise when IPS moves on to the next generation of ePassport, which will include fingerprint as well as facial biometric, because the chip's too small. The UK's biometric-hungry Home Office has from the outset been mustard keen on wildly exceeding the ICAO biometric passport spec by grabbing all ten fingerprints, mugshot and iris images (although the latter may now have been pretty well postponed forever), but in common with other EU countries it has conceded the point that unless you use chips with more memory than the chips they're actually using, you can only fit a facial image and two fingerprints onto them. But despite this, it turns out the chip still isn't good enough.

Says the report, "although there is spare capacity on the chip to store two fingerprints, the current model of chip has insufficient capability to accommodate the enhanced operating system and electronic key infrastructure required to protect fingerprint data. IPS "believes that existing production lines will only require minor modifications to insert a larger capacity chip into the ePassport and load data onto it," but it doesn't know how much this, the chips themselves, or the enhanced operating system, will cost. In paralel to the expression of this lack of knowledge, incidentally, the UK's representatives at the EU's Justice and Home Affairs Committee have been airily claiming that ten fingerprints will ultimately be fine because of how fast the technology improves, i.e. the IT strategy is that 'something is bound to turn up.'

More opportunities for spending lots more money are associated with the facial biometric, or 'picture', as we used to call it. "we were told by our consultants that the use of current facial recognition technology with two dimensional images (as is the case for ePassports) is not sufficiently reliable to enable fully automated searches even in relatively small databases, and performance is known to decline as database size increases... current facial recognition software cannot be used to check new applications against the entire database of existing ePassport holders." IPS says that its pilot of facial recognition software on new applications has revealed "over 400 confirmed facial matches", but given what the NAO has to say, it seems likely that IPS doesn't have anything that could be generally deployed, and that what ministers have been telling us about the impossibility of one face appearing on more than one ePassport is not entirely true, for the moment.

IPS, undaunted, nevertheless "believes there is good potential in the future for one-to-one comparison of the image held on the passport chip with the passport holder standing at border control, which could eventually enable automated border control of the sort currently being trialled in Australia."

So to sum up the reader situation, the readers that have not yet been installed will not operate at full spec at least before September, until which time an interim bodge will be applied, or more likely ignored, by immigration officers. Subsequently the readers will all have to be upgraded to deal with fingerprints, and the network (if by that time it has sort of magically appeared and started working) will probably need more work to accommodate the fingerprint system security. And on top of that, gosh, maybe we should roll out facial recognition software to all readers as standard too.

There's lots more - IPS has been consultants a-go-go, spending £4.9 million on them from May 2003 to November 2006, £322,000 on fixed-term contractors, £2.1 million on legal and accountancy advisers, partially to drive down the cost of the main contract, and (ah yes, remember them?) IPS also managed to spend £82,000 on paying its own staff. The NAO is quite reasonably worried that all of the expertise and knowledge of the project could quite easily vanish with the contractors, leaving a deskilled and disempowered staff to pick up the pieces.

Aside from fixing this by bringing more skills in-house in the future, it's recommended that future upgrades (does this include everything that's not connected or working yet?) should be managed as "a cross-agency project encompassing the Identity and Passport Service, the Foreign & Commonwealth Office and the Immigration and Nationality Directorate with a Senior Responsible Owner, a single project plan and project board." We feel that by reading between the report's lines we can infer a certain amount of finger-pointing between these three organisations having taken place - so the process of carving this one up should be a rich source of entertainment. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.