Original URL: http://www.theregister.co.uk/2007/02/07/nao_epassport_report/

Replace your broken biometric passport? Just say no...

How can they tell with no readers, anyway?

By John Lettice

Posted in Policy, 7th February 2007 13:56 GMT

Analysis Widespread reports (proving at least that the press and opposition parties can speed read executive summaries) damn the Identity & Passport Service for only securing a two year warranty for a product with a ten year lifespan. Ah, but that's by no means the only thing about the project that's broken.

The National Audit Office report on the introduction of biometric passports, aka ePassports, is favourable in that it notes that the project came in on budget and on time. But the report nevertheless paints a picture of a project that hasn't been particularly well planned, and that faces numerous potential pitfalls as it develops. The warranty on the chip is just one of the problems - but it's a good place for us to start. Welcome to the wonderful world of consumer electronics vendors, IPS.

IPS initially secured a warranty of 12 months from the chip vendor, Philips Semiconductors, but this was subsequently extended to 24 months. This isn't wildly out of line for something that's supposed to go into a smartcard, given that the likely lifespan of these tends to be estimated in the three to five year range. IPS however has a product, the passport, that's warranted for ten years, and therefore IPS has a need to believe fervently that the chip will last for ten years.

So what happens if it doesn't? Well, says the Home Office in today's Times, "if it's a manufacturer's fault, the passport holder will not have to pay for a new passport." And if not...? Note that Philips will simply be warranting that the chips in the passport are manufactured to specification; it is unlikely to have any exposure to defects, flaws and failures in the design and operation of the complete product. So Philips picks up the tab (but probably still only for the chips rather than consequential loss or damage) in the unlikely event of a serious manufacturing glitch, otherwise it's nothing to do with Philips and nothing to do with that 24 month warranty.

It is something to do with IPS, the new consumer electronics device vendor (annual shipments around 7 million units) on the block. The NAO report tells us something The Register's been pointing out for some time: "An ePassport remains a valid travel document even if the electronic chip fails." This is an ICAO requirement, and it means a passport with a bust chip is still a passport that you can use to cross borders, and that they have no right to stop you because your passport is 'broken' - it isn't. So what do they do? According to the NAO: "If failure is detected at border control, the holder will be issued with a letter advising them to contact the issuing authority. The Identity and Passport Service will examine any faulty ePassports returned to it and, where it concludes the chip unit contains a manufacturing fault, the ePassport will be replaced free of charge."

Which is where we came in. Suckers who've acted on the letter by allowing IPS to take their passport hostage will be forced to cough up for a new one, except in the unlikely event that Philips screwed up. So if you're handed that letter, don't act on it. And if thousands, or tens of thousands of people are handed that letter, IPS will have a problem that it's not going to be able to park with Philips.

But it could well have problems with Philips. Among the "risks and uncertainties" flagged up by the NAO we have the possibility of IPS having to fund "patent costs to secure the use of certain intellectual property." As yet, however, it is by no means certain what this intellectual property might be. "Owing to its development of the chip and involvement in the international committees that set technical standards," says the report, "Philips Semiconductors holds many of the intellectual property rights in the chip unit. The Identity and Passport Service has been aware of this issue since the outset and has sought to pinpoint where intellectual property rights and patents reside given the evolving nature of requirements."

One might say, were one to attempt a free translation of this into English, that IPS hopes it has a fair grasp of who owns the technology it's shipping, but that it's not entirely sure who it might get sued by, and it's rather keen to find out. "The Identity and Passport Service is employing legal advice to assess its position on this issue. In particular, the Identity and Passport Service is seeking to quantify the risk of possible patent infringement and assess any possible costs arising." The "evolving nature of the requirements" is also likely to take IPS deeper into IP minefields, because as the biometric technology gets more sophisticated, the number of IP players decreases, and price tags and exposures rise.

Remember the days when a certain foolish Home Secretary was boasting about the benefits of putting the UK at the cutting edge of ID technology? Within a few short years this has mysteriously resulted in the UK trying to figure out how much it's in for, if the cutting edge of ID technology decides to sue the crap out of it. Funny old world.

The NAO report also identifies issues with the current ePassport border control regime, and further issues to come. Essentially all that IPS has managed to do so far is to switch over to a new passport format and ship it without messing up - but practically all of the 'advantages' of the new system have yet to be switched on. The readers for the new passports have, largely, yet to be deployed and the Immigration & Nationality Directorate only began testing of high volume throughput for ePassports in November of last year. In theory, they hope, it will take eight seconds to run a passport through a reader, but they really have no worthwhile experience of what happens when a couple of 747 loads of biometric passports all hit the barriers at the same time. And, if we again consider the possibility of broken chips, we should factor in here what the report has to say about how failures will be dealt with: "In instances where the chip cannot be read, secondary screening measures need to be in operation to maintain the increased security offered by the implementation of ePassports."

So in IPS's ideal world, the bearers of the small number of dud passports are encouraged to get them replaced by the judicious application of more tedious "secondary screening measures." But, should it turn out there are large numbers of failures, these secondary measures (which we can surely expect to be somewhat ad hoc and confused) will result in tailbacks at the barriers, or subsidiary tailbacks at the secondary screening with knock-on tailbacks at the barriers, or IND operatives putting their hands up and just letting everyone through. Which was by no means unknown in the pre-ePassport world.

And the screening in an extreme ideal world where none of the chips are broken has problems that will persist, even after the front desk readers are installed. Says the report: "Immigration Officers will, until September 2007, have to leave the front desk to undertake additional checks of the digital signature using the readers located in back offices." There is, apparently, a "technical issue preventing full functionality at front desks," and as an interim measure an extra 200 readers are to be installed in back offices to check digital signatures.

It's not clear from the report what precisely the technical issue is, but clearly the front line readers aren't able to check that the passport being checked is genuine, and they're also unable to establish this via a network connection. Immigration officers can check that the passport is genuine, but that's going to take a good deal longer than eight seconds, so it's only going to be done in 'special cases'.

Further problems will arise when IPS moves on to the next generation of ePassport, which will include fingerprint as well as facial biometric, because the chip's too small. The UK's biometric-hungry Home Office has from the outset been mustard keen on wildly exceeding the ICAO biometric passport spec by grabbing all ten fingerprints, mugshot and iris images (although the latter may now have been pretty well postponed forever), but in common with other EU countries it has conceded the point that unless you use chips with more memory than the chips they're actually using, you can only fit a facial image and two fingerprints onto them. But despite this, it turns out the chip still isn't good enough.

Says the report, "although there is spare capacity on the chip to store two fingerprints, the current model of chip has insufficient capability to accommodate the enhanced operating system and electronic key infrastructure required to protect fingerprint data." IPS "believes that existing production lines will only require minor modifications to insert a larger capacity chip into the ePassport and load data onto it," but it doesn't know how much this, the chips themselves, or the enhanced operating system, will cost. In parallel to the expression of this lack of knowledge, incidentally, the UK's representatives at the EU's Justice and Home Affairs Committee have been airily claiming that ten fingerprints will ultimately be fine because of how fast the technology improves, i.e. the IT strategy is that 'something is bound to turn up.'

More opportunities for spending lots more money are associated with the facial biometric, or 'picture', as we used to call it. "we were told by our consultants that the use of current facial recognition technology with two dimensional images (as is the case for ePassports) is not sufficiently reliable to enable fully automated searches even in relatively small databases, and performance is known to decline as database size increases... current facial recognition software cannot be used to check new applications against the entire database of existing ePassport holders." IPS says that its pilot of facial recognition software on new applications has revealed "over 400 confirmed facial matches", but given what the NAO has to say, it seems likely that IPS doesn't have anything that could be generally deployed, and that what ministers have been telling us about the impossibility of one face appearing on more than one ePassport is not entirely true, for the moment.

IPS, undaunted, nevertheless "believes there is good potential in the future for one-to-one comparison of the image held on the passport chip with the passport holder standing at border control, which could eventually enable automated border control of the sort currently being trialled in Australia."

So to sum up the reader situation, the readers that have not yet been installed will not operate at full spec at least before September, until which time an interim bodge will be applied, or more likely ignored, by immigration officers. Subsequently the readers will all have to be upgraded to deal with fingerprints, and the network (if by that time it has sort of magically appeared and started working) will probably need more work to accommodate the fingerprint system security. And on top of that, gosh, maybe we should roll out facial recognition software to all readers as standard too.

There's lots more - IPS has been consultants a-go-go, spending £4.9 million on them from May 2003 to November 2006, £322,000 on fixed-term contractors, £2.1 million on legal and accountancy advisers, partially to drive down the cost of the main contract, and (ah yes, remember them?) IPS also managed to spend £82,000 on paying its own staff. The NAO is quite reasonably worried that all of the expertise and knowledge of the project could quite easily vanish with the contractors, leaving a deskilled and disempowered staff to pick up the pieces.

Aside from fixing this by bringing more skills in-house in the future, it's recommended that future upgrades (does this include everything that's not connected or working yet?) should be managed as "a cross-agency project encompassing the Identity and Passport Service, the Foreign & Commonwealth Office and the Immigration and Nationality Directorate with a Senior Responsible Owner, a single project plan and project board." We feel that by reading between the report's lines we can infer a certain amount of finger-pointing between these three organisations having taken place - so the process of carving this one up should be a rich source of entertainment. ®