D3.6: Study on ID Documents

Title: EXECUTIVE SUMMARY

This document concentrates on the technical perspective of ID documents and focuses on the use of new technologies. It non-exhaustively covers existing and planned electronic ID documents, also called eID documents, within the EU which use technologies for identification of citizen for various purposes. In addition on a European level the corresponding legislation is described and analysed with respect to the European data protection and privacy framework. A special emphasis is put on the European passport as the European implementation of international Machine Readable Travel Documents (MRTDs).  

The study starts with the description of five highly relevant technologies including the corresponding standards for current concepts and implementations of ID documents. These include: 

• Chip card technology (smart cards) 

• RFID  

• Electronic signatures and PKI 

• Biometrics 

• Back-office systems such as biometrics databases. 

Relevant aspects of interoperability of European eIDs are described and analysed. It can be concluded that by looking on a global and EU level common law based countries seem to have an extremely low adoption rate of national eID strategies. In contrast the civil law based European nations seem to be among the group of early adopters of national eID solutions. Despite that perhaps surprisingly clear and evident finding, by far the more challenging and pressing problem appears on a pan-European eID interoperability level, as the national individual legislation has to be harmonised in order to allow EU Member States to share, interconnect and use national versatile identities. Issues like data protection, privacy, information liability, access authority and the quality of authentication are heavily disputed issues. 

In chapter current European initiatives regarding machine-readable documents with biometrics are described: Eurodac (the EU central fingerprint database in connection with asylum seekers), the Visa Information System (VIS - the EU central database set up to create a common visa policy) and the European Passport (requiring fingerprints and facial images as biometrical identifiers). These initiatives are analysed with respect to the European data protection and privacy framework resulting in the following conclusions:

• The European data protection and privacy frameworks apply to the Regulations but in no case this means that the Regulations are a priori compliant with the Data Protection Directive nor with the European Charta of Human Rights (ECHR). In addition machine-readability of people and of their documents may turn out to be excessive, hereby surpassing the necessity and proportionality criteria set out by the European Court of Human Rights.

• The legal basis itself of the VIS and EU passport Regulations is questioned. While the VIS is in fact a ‘first pillar’ database, the proposal for the EU passport Regulations provides for access possibilities by ‘third pillar authorities’ - for which normally other legal grounds than articles 62 and 66 of the Treaty establishing the European Communion (TEC) must be invoked. While the EU regulates its passport on the basis of standards established by non-democratic standardisation bodies (ICAO), Article 18 (3) of the TEC even excludes the adoption of provisions by the EC on passports, identity cards, residence permits or any other such document.

• Eurodac, the EU passport and the VIS are subject to possible change in purposes for which stored data could be used (so-called function creep) that is not foreseeable. The impact of this deployment and the future of identity can - regrettably - not be entirely assessed at this moment. A step-by-step approach seems the essential requirement to safeguard the fundamental rights and freedoms. 

In addition a study written by Thomas Myhr with respect to a European legal framework for ID documents is compared with the results of a similar discussion in the Porvoo group. The chapter concludes that in this area still basic research is necessary.

In chapter a non-exhaustive overview on current concepts and implementations of European ID documents is given. Five implementations or concepts in advance phases of the project are described and analysed. This includes (1) the European passport, (2) the FINEID, (3) the Belgian citizen card, (4) the Austrian Citizen card (“Bürgerkarte”) and (5) the German e-health card. From the analysis with respect to the implementation of the projects the following factors of success could be concluded:

• Careful planning especially concerning the purpose of the eID and the appropriate technical solution (keep it small and smart); this should include technical, formal and informal aspects of interoperability 

• Intensive laboratory and field testing of prototypes 

• Refinement of the concepts using the results of the testing phase 

• Open communication within the project including all stakeholders of the eID and external experts 

• Appropriate education and qualification of the personal involved in the project 

In addition alternate implementations and ongoing research in the area of ID documents are summarised.  

The main already introduced basic technologies for ID documents are analysed with respect to security and privacy. Chip card technology has been discussed, used and further developed for many years now. As a result this technology is accepted as mature by technicians and privacy commissions in Europe. Of course, the combination of chip card technology with other technologies such as biometrics can result in new questions concerning security and privacy. PKI also has been used for ID document systems in some European countries for nine years now, though the number of issued certificates still seems to be limited. No major security problems were published. PKI currently does not implement privacy in an optimised way because of the existing linkability of transactions performed via the information in the certificates. Current technical approaches to improve the privacy compliance for authentication purposes using eIDs are presented and analysed in this document. 

In difference to these established technologies the use of biometrics and RFID in ID documents is relatively new. The first European ID document using both of these technologies is the European passport. RFID and biometrics raise a number of obvious privacy and security issues.

In addition to well documented security aspects of biometrics, for example with respect to (1) the quality of biometric identification, (2) identity theft and (3) devaluation of classic forensic techniques, a number of privacy aspects still needs to be addressed. This includes (1) minimisation of linkability, (2) enforcement of the purpose binding principle and (3) avoidance of additional, in many cases health concerning, information in biometric raw data. Advanced technical approaches for authentication using biometrics have not been tested for or implemented in ID documents so far. 

RFID originally has been designed for unrestricted remote access to the information stored on RFID tags. For the use of RFID in the European passport basic security measures, for example Basic Access Control (BAC), have been applied to restrict the unauthorised access. BAC seems to be cryptographically weak and uses information stored in the Machine Readable Zone (MRZ) on the document itself; this is like storing the key of a cash box directly under it. Together with well documented projects of non-European countries aiming at the storage of biometric data of foreign visitors in large databases, this creates a significant risk of identity theft via biometrics in cases the document is (even properly!) used or gets lost.

From the technological perspective biometrics and RFID as implemented in the European passport do not seem mature. For the use of the European passport as issued currently we suggest: 

• The European passport should be used and carried around only when necessary. 

• In case the European passport is not used, it should be kept in a Faraday cage (for example aluminium foil) to hamper unauthorised and unrecognised access. 

• In case the European passport is not used, it should especially be locked carefully to avoid loss or theft of the document because of additional risks compared to traditional paper documents. 

Finally economic factors that are relevant for eIDs were analysed. A number of elements that are critical for the cost projection have been elaborated and described. In addition the post implementation costs have to be calculated carefully to get a view on the Total Costs of Ownership (TCO) for an eID solution. Relevant factors in this context are: 

• Security aspects 

• Privacy aspects 

• Renewal of identity documents and register updates 

• Handling of complaints and false negatives 

• Internal audits 

• Costs of management of the register 

• Infrastructural costs and integration 

The analysis performed in this Deliverable shows that there is need for enhancement of eID concepts and implementations. In the future this topic should be further monitored within the FIDIS network. We hope that the findings from eID research will be considered in future (and perhaps even current) plans in the field of eIDs and related systems.