
 

Day

 

10h00-10h15

 

10h15-10h30    Introduction into the objectives of the workshop, the agenda and organisational information; Martin Meints (ICPP)

 

10h30-11h45    Presentation, Günter Karjoth (IBM):

Practicability of protection mechanisms for RFID tags in relationship to their physical capability 

Questions, Discussion and Answers: 

Various questions concerning the technical abilities of various types of RFIDs in the context of ID documents were answered; a central point was the use of RFID for tickets for the Football World Championship 2006 in Germany. A central aspect of the discussion was that RFID tickets raise important privacy issues. Among them is the question of whether the huge processing of personal data which is needed to install such a system is really necessary (principle of proportionality) to achieve the reported goals (i.e. limiting criminal actions by hooligans). Moreover, such a system would augment the risk of profiling and allow interconnection of databases. 

More in general, Mr. Karjoth explained that there are multiple privacy concerns connected with the use of RFID which should be dealt with, namely
1. the use of unique identifiers for all objects,     
2. massive data aggregation,     
3. possibility for individual tracking and profiling,     
4. stored data to be altered and     
5. the availability of scanning RFID tags from a distance (further discussed in the presentation of Mr. Pfitzmann, “id-document specific bombs” and the website www.rftracker.com).

Finally, Mr. Karjoth gave some practical advice to protect oneself against RFID technology (e.g. shield your RFID-readable passport in a Faraday cage by wrapping it in aluminium, use RFID sensor detectors or active jamming (a device which actively broadcasts radio signals to block/disrupt RFID readers)). 

A better – infrastructural – solution could be that the manufacturer provides a way to deactivate the RFID tag. In practice, one could think of (non-reversible, password controlled) “kill commands” in shops where RFID protected goods are purchased, in order to obtain post purchase privacy for the customer. This command could take the form of a device that “kills” the RFID tag, in a similar way as book protections are deactivated in libraries. 

An enhanced solution would be the usage of “smart” RFID tags which could be anonymised instead of deactivated. 

 

11h45-12h00    Coffee break

 

12h00-13h00     Invited speaker Markus Nuppeney (German Federal Office for Information Security)

    Explanation and Demonstration of the “Golden Reader Tool”

Demonstration: 

Using an optical passport reader (used to scan the printed MRZ code) and a contactless smart card reader, Mr. Nuppeney demonstrated how the golden reader tool makes it possible today to access electronic information from different kinds of machine-readable passports.

Mr. Nuppeney took the opportunity to present the German ILSE project, which aims to obtain interoperability for passports. 

Concrete results of this project are the “silver data set”, a reference structure for storing different biometric data on a passport which is a very important contribution to the recent ICAO specifications, and the “golden reader tool”. This tool is an important step to implement interoperability for passports: it is internationally accepted reference software. 

The distance from which the type of RFID tag used is readable is limited; with appropriate readers like the one used for the demonstration, 10 cm and almost no movement of the RFID tag are required. With manipulated readers using e.g. more transmitting power, passive detection up to 10 m seems to be reachable. But from such a system the chip cannot be activated, or the sensor of the reader gets blocked by the power of the transmitter. In these cases the reader cannot receive an answer from the RFID tag. 

Questions, Discussion and Answers: 

How does the reader react when two passports are placed on it? Mr. Nuppeney demonstrated that in about 50% of the cases the golden reader tool chooses the passport answering first, or reports an error due to overlapping signals. 

 

13h00-14h30     Lunch

 

 

14h30-15h15    Invited speaker Bernd Martin (Office of the CIO of the Austrian Government)

The Austrian “Bürgerkarte” 

Questions, Discussion and Answers: 

The main result of the presentation and discussion was that two or more sector-specific personal identifiers (“ssPI”) are uniquely connected to the person, but they are not interconnectable between sectors. Basically, an ssPI is just a one-way hashed source PIN (e.g. health care number of person X or driving licence number of person X), which does not allow the back-calculation of the original source PIN. Consequently, the organisation set up to manage them is an approach to limit the linkage of transactions performed by the same person, which is the main privacy risk discussed with today’s PKI and electronic signatures. The “Bürgerkarte” specifically addresses the communication with the various governmental administrations. The solution does not try to achieve full unlinkability: there are ways to link the ssPIs of a person under specific conditions. The disadvantage of this solution is limited interoperability / compatibility on a European level.  
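The derivation and its linkage property can be sketched as follows. This is an added example, not code from the workshop or from the Austrian scheme: the hash function (SHA-256), the `source PIN + sector code` input layout, the sector names and the sample PINs are all assumptions made for illustration.

```python
import base64
import hashlib


def derive_sspi(source_pin: str, sector: str) -> str:
    """One-way derivation: hash the source PIN together with a sector code.

    Assumed layout "<source PIN>+<sector>"; the real scheme's exact
    input format and hash are not given on this page.
    """
    digest = hashlib.sha256(f"{source_pin}+{sector}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def same_person(source_pin: str, sspi_a: str, sector_a: str,
                sspi_b: str, sector_b: str) -> bool:
    """Linking under a specific condition: only a party that holds the
    source PIN can recompute both identifiers and confirm the match."""
    return (derive_sspi(source_pin, sector_a) == sspi_a
            and derive_sspi(source_pin, sector_b) == sspi_b)


# Constructed sample values, not real identifiers.
ALICE_PIN = "SRC-PIN-ALICE-0001"
BOB_PIN = "SRC-PIN-BOB-0002"


def demo() -> dict:
    health = derive_sspi(ALICE_PIN, "HEALTH")
    tax = derive_sspi(ALICE_PIN, "TAX")
    return {
        # The same person always gets the same identifier inside one sector.
        "stable_within_sector": health == derive_sspi(ALICE_PIN, "HEALTH"),
        # Two sectors comparing their records see unrelated values.
        "differs_across_sectors": health != tax,
        # The holder of the source PIN can still link the two ssPIs.
        "linkable_with_source_pin": same_person(ALICE_PIN, health, "HEALTH", tax, "TAX"),
        "wrong_pin_does_not_link": same_person(BOB_PIN, health, "HEALTH", tax, "TAX"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```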

It is noteworthy that the Austrian “Bürgerkarte” does not replace the “regular” Austrian ID card and that it exists in different formats (e.g. as a smart card or integrated in a mobile phone).  

 

15h15-16h00

Demonstration of the AXS ID-card 

Mr. Müller explained that AXIONICS’ goal when they developed the AXS ID-card was to find a way to provide secure authentication, by solving some of the basic problems in IDM, namely by 1. creating a secure link between the person and his/her identity, 2. with simple verification means, that are 3. difficult to forge and 4. which would prevent traceability. 

AXIONICS’ solution integrates biometric information (fingerprints) in their suggested IDM model.  

Questions, Discussion and Answers: 

The discussion focused on how to integrate biometrics in IDM solutions in practice in a secure, privacy-compliant way. Central topics in the discussion were the problems arising from central storage of biometric templates (such as the possibility to retrieve additional personal health information from them, the use (or misuse) of the stored biometric data for other purposes, after the lifetime of the (authenticated) relationship, etc.) and possible strategies to avoid those problems (such as decentralised storage, under exclusive control of the biometric data owner).

Another issue which was raised is the complexity of biometric credentials. Once you start to share these kinds of credentials in identity federation, it creates privacy problems, as it augments the risks of traceability (and identity theft, see the presentation of Mr. Pfitzmann). 

The basic idea of the AXS ID-card is to integrate biometrics as part of a 3 factor authentication of a digital credential container, which functions as a token and secure link between the person and the network. 

In practice, you authenticate yourself by placing, depending on the requested authentication, one or more fingers of the requested type and in the right order on the card’s sensor. The secret you know (the type of finger or fingers and their order) allows you to be identified by the device.  

A weak point of the current advanced prototype is the quality of the capacitive fingerprint sensor. With a dry finger, there are enrolment and verification problems. The sensor will be improved in the next version of the card and will then be adaptable to the requirements of the user of the card. 

The AXS ID-card communicates with the counterparty (the application which requests the authentication) through a visual signal in a web browser. The visual signals (flickering of the screen in four black and white sectors) are registered and interpreted by the sensors on the AXS ID-card. 

After the demonstration by Mr. Müller, it was clear that the usage of the card is not as simple as, e.g., the usage of a keyword. This will be taken into account when looking for appropriate markets for this device. Certification of the AXS ID-card following the Common Criteria is planned. 

 

16h00-16h15    Coffee break

 

16h15-17h00    Presentation Andreas Pfitzmann (TUD)

Biometrics – how to put to use and how not at all? 

Questions, Discussion and Answers: 

Mr. Pfitzmann pointed out problems with respect to the use of biometrics. Major problems relate to identity theft and profiling, resulting, among others, from the fingerprints industry (fairly easy to counterfeit).  

Another big issue is the obvious devaluation of the value of biometrics (leaving someone else’s biometrics on the scene of crime). 

Furthermore, privacy issues are also at stake, as biometrics generally can contain medical data and (once they are given away) could allow processing without the person’s consent. 

The only acceptable way – if any – to use biometrics is between the data subject and his/her devices: in this case, there is no devaluation of forensic evidence of biometrics, as they are only used for devices under the exclusive control of the data subject and there are no privacy risks as long as there is no external processing of the data.  

However, this use of biometric data does not solve the security problem. In each situation, it should be evaluated how much security is wanted / required and by which means this security level can be achieved.  

For instance, it’s probably better not to use biometric technology in expensive cars, because of its undesired effects: a thief could ‘easily’ counter the security measures by kidnapping the “biometrics owner” or stealing his/her biometric data (“cut his finger off”).  

The result of the discussion was that raw biometric data always contains information, which is not needed for authentication purposes, such as, for instance, medical information. This information is very sensitive from the privacy point of view. 

 

17h00-18h30     Presentation Danny De Cock (KULeuven) and Wim Schreurs (VUB)

Legal and technical aspects of the Belgian ID card 

Questions, Discussion and Answers: 

The way the card is introduced was discussed. It can be assumed that a citizen to whom this card is issued does not know about the inherent electronic signature and its legally binding character. Apart from this “educational” matter, it appears that there are serious technical and legal concerns: 

The concept to deactivate the signature functionality of the card is weak. 

Furthermore, the serial numbers of the certificates are based on the national registry number. It is somewhat controversial that the usage of the same national registry number is strictly regulated and subject to prior authorisation by a Subcommittee of the Belgian Privacy Commission. 

Moreover, the format of this number makes it possible to deduce additional information about the user such as sex, date of birth etc. 

Consequently, the problem of linkability of transactions performed by the user via the certificate number appears not to be solved in the first generation of the Belgian eID.
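What a relying party can read out of such a number is shown in the added example below, which is not part of the workshop material. It assumes the publicly documented layout of the Belgian national registry number, which this page does not spell out: six digits YYMMDD, a three-digit sequence number (odd for male, even for female) and two check digits equal to 97 minus the preceding nine digits modulo 97, with a leading "2" prepended for births from 2000 onwards. Both sample numbers are constructed.

```python
from datetime import date


def _check(base9: str, born_2000_or_later: bool) -> int:
    """Check value: 97 - (n mod 97); n gets a leading '2' for births >= 2000."""
    n = int(("2" + base9) if born_2000_or_later else base9)
    return 97 - (n % 97)


def parse_national_number(number: str) -> dict:
    """Return the personal attributes encoded in a national registry number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 11:
        raise ValueError("expected 11 digits")
    base9, check = digits[:9], int(digits[9:])
    # The check digits also disambiguate the century of birth.
    if check == _check(base9, False):
        century = 1900
    elif check == _check(base9, True):
        century = 2000
    else:
        raise ValueError("check digits do not match")
    yy, mm, dd = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    seq = int(digits[6:9])
    return {
        "birth_date": date(century + yy, mm, dd),
        "sex": "male" if seq % 2 else "female",
        "sequence": seq,
    }


# Constructed sample numbers (not real persons).
SAMPLE_1900S = "85.07.30-033.28"
SAMPLE_2000S = "01.02.03-004.67"

if __name__ == "__main__":
    for sample in (SAMPLE_1900S, SAMPLE_2000S):
        print(sample, parse_national_number(sample))
```

Because the number is embedded in every certificate, each relying party that sees a signature or authentication receives these attributes together with a stable identifier for the cardholder.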

 

18h30-19h15    Presentation Ian Angell and Dionysios Demetis (LSE)

ID cards: The socio-economic concerns

LSE calculated the total costs of the proposed eID scheme, namely approx. 435 EUR per card (the government’s proposal did not include large parts of the needed infrastructure).

Besides the high price tag, there are also severe problems with the proposed eID scheme itself: the proposed technology appears to be immature and very poorly tested.  

Mr. Angell explained that even in the test phase, there was a non-negligible group of false positives and false negatives and that there was a very large group of people who were not able to have their biometrics recorded at all. These results would be disastrous on the scale of a population of more than 50 million people.  

Questions, Discussion and Answers: 

The differences of the registration in Britain compared to other European countries such as Belgium and Germany were discussed.  

 

Planned presentation by Martin Meints (ICPP) 

The eCard Strategy of the German Government was moved to the 2nd day of the workshop

 

19h15-19h30    Discussion and conclusion

 

 
