D3.6: Study on ID Documents

Title: BIOMETRICS

The Legal and Procedural Perspective

The idea to use biometrics to secure ID documents is fairly recent. Nevertheless, after mid 2006, the inclusion of biometrics is mandatory for the EU Member States when issuing new passports to their citizens. Based on US policy and enhanced international security requirements at borders, and the decisions taken on the EU level to increase and harmonise the security features of travel documents, national initiatives have emerged to include biometrics in national ID documents as well. Some EU countries (e.g., Italy) have initiated pilots to test the inclusion of biometrics in national ID documents. Few countries, however, actually employ biometrics in national ID documents. One of the few countries in the world that have and use national ID-card which include biometrics is Malaysia.

Generally, the purpose of the use of biometrics in ID documents is to enhance the authenticity of the documents and to secure the use thereof. In other words, the inclusion of biometrics is aimed, on one hand to make it more difficult to counterfeit the documents, and on the other hand to provide additional means to verify and authenticate that the user of the ID document is the owner to whom the ID document has been issued (to counter the look-alike fraud, often incurred if ID documents are only secured by a (digital) picture of the owner). However, it remains possible that biometrics collected for the issuance of the new generation ID documents are also used for other purposes, sometimes without knowledge of the individuals involved. This is the fear of human rights organisations in the debate about the use of biometric data (e.g., use for face recognition surveillance, etc).

The processing of biometric data for ID documents by the public authorities is subject to the national general data protection legislation (implementing the Privacy Directive 95/46/EC). The requirements under the data protection legislation have to be respected by the controller(s) (for example, the government agency and responsible minister for the ID scheme) and the processors. These general data protection principles which apply are not analysed in this report. Reference is made to Deliverable 3.2 of FIDIS (p.101 et seq.)  

In this section, we will briefly describe some of the ‘procedural’ security and privacy aspects of biometrics in ID documents which are important. The description, however, is not exhaustive. With ‘procedural’ security and privacy aspects, we mean some overall requirements which are important for the protection of biometrics in the procedure of the issuance, the operation and the use of ID documents. Some of these aspects relate to the use of biometrics whether stored locally, or stored centrally, and are relevant for biometrics in ID documents in general. These aspects are described based on the research done in the IST-2002-001766 BioSec (Biometrics and Security) project (BioSec project). Other aspects have been described or are required in legislation or standards and have sometimes been commented by the Article 29 Data Protection Working Party (WP 29 party). The security and privacy aspects which are inherent to the characteristics of biometrics in general, e.g., uniqueness, possibility that sensitive information is included, FAR, FFR, and so on will be discussed in the section below (see chapter ).

Importance of the enrolment and issuance procedure 

It is clear that one of the most basic and essential security and privacy requirement for biometric ID documents is the reliability and security of the enrolment and issuance of the documents to the right person. The enrolment process for biometric ID documents is not standardised and not subject to specific requirements. The basic principle, however, is that upon enrolment all information to be provided by the applicant (in particular the information relating to the identity and the biometric information) shall be rigorously checked. How this is done, is sometimes not disclosed, as publishing such information could obviously have a negative effect. During subsequent identity checks based on submission of ID documents, it is important to realise that biometrics are not the only means or solution to check or verify that the user of the ID document is the rightful owner. Additional checks with information which are not stored on the ID document could prove to be very valuable.

Technological, data communication and architectural and procedural security aspects of biometric systems 

When using biometrics to enhance and secure eIDs, it is essential that one is aware of the multiple vulnerabilities and possible attacks to the various components of a biometric system. Attacks on the technological level include spoofing (creating artefacts from traces left by e.g., fingerprints on objects, to access the system), the installation of specific program code on a component of a biometric system by an attacker, use of unpredictable conditions such as power fluctuations and noise in order to obtain unpredictable system behaviour, power and timing analysis for breaking software code (including cryptographic algorithms and matching mechanisms), use of the residual biometric characteristics on sensor (e.g., fingerprint) to access the system, exploitation of similar templates to deceive the system, and even brute force. For each of these problems, appropriate security measures need to be taken. These security features could include aliveness detection and multimodality, both researched in the BioSec project.

On the data communication level, the attacks could be directed towards many communication points, as shown in the figure below: 

Figure : Possible attacks on the communication points of biometric systems

The attacks can be directed towards the biometric data and templates and include capture/replay attacks, whereby biometric signals are captured and replayed, TCP hijacking, man in the middle attacks, whereby the attacker places himself between two communication elements, digital spoofing, whereby a digital pattern that mimics a real one is maliciously injected, use of digital residual data by e.g., memory exploitation, hill-climbing attacks and denial of service. Specific security measures are needed to counter these attacks. It is clear that each of these attacks not only endanger the privacy of the owners of the biometric data, but the operation of the biometric system as such. Finally, security considerations at an architectural and procedural level remain also important and appropriate remedies shall be taken. In general, a security policy should be customised to the specific characteristics of the biometric authentication system. For the management of biometric data, it is noteworthy that there is a standard, ANSI X9.84 (Biometric Information Management and Security) that can be used as a minimum guideline for formulating some of the security requirements. Additional standards relevant for biometrics and which are being developed in ISO/IEC JTC 1, in particular in the subcommittees 27 (security) and 37 (biometrics) should also be followed up. In general, the security policy could be based on the ISO 17799 standard.

The importance of the authentication protocol  

If biometric data are to be sent over public networks, such as internet, the importance of a protocol that secures the confidentiality and integrity of the biometric information during the remote authentication process is of utmost importance. Therefore, it is necessary that a protocol which fits the biometric requirements, is chosen. Some of the possible protocols have been examined in the BioSec project, including a biometric Extensible Authentication Protocol (EAP), both in a centralised and decentralised scenario.

Need for a security architecture set out in a so-called ‘Protection Profile’ (PP)

The implementation and use of biometrics in a chip is vulnerable to many security attacks. For this reason, it is essential that all security challenges are addressed in a way which guarantees a secure exchange. The WP 29 has stressed the need to create a so-called ‘Protection Profile’ according to the Common Criteria for Information Technology Security Evaluation, which needs to be elaborated by experts, including experts which are fully aware of the privacy problems. Such PP should also address the characteristics and vulnerabilities of a Public Key Infrastructure which in many cases is the framework for the operation of ID documents. WP 29 further states that this PP should be part of the work to be done by the Committee set up by Article 5 of the Regulation 2252/2004.

Basic Access Control and Extended Access Control 

Basic Access Control (BAC) is a security feature which is aimed at preventing that the data and the biometric data in particular (i.e., the digitalised facial image) which is stored in the (RFID) chip in the ID document can be accessed without knowledge of the owner of the ID document. The reader therefore has to authenticate itself. The way this is done is by an access key built from the machine readable zone (MRZ) of the passport, and which is calculated from the number of the passport, the data of birth and the date of expiry. BAC is a recommendation of the International Civil Aviation Organisation (ICAO) and has been imposed upon the EU member states for the issuance of passports. The problem, however, is that the data of the MRZ are not secret and that the risk exists that the algorithm for the key for access to the data stored on the chip will soon become in the public domain. As pointed out by the WP 29, BAC is therefore a not sufficiently secure access protocol. For fingerprints and any other additional biometric features, Member States shall define and implement Extended Access Control. Details about this feature, however, have to be further clarified.

Register with details about use and access by authorised authorities 

In order to have a view on who has got access to the data stored and when, the European Parliament has stated the request that Member States keep a register of the competent and authorised bodies referred to in article 2 § 1a of Regulation 2252/2004. Purpose of this register would be to guarantee that only competent authorities have access to the (biometric) data stored. Whether such register will be efficient to limit access to a small number of authorised authorities based on a justified need to know is unsure.

Local storage – match-on-card versus match-of-card 

It becomes generally accepted that the risks for abuse of biometric data considerably lower if the biometric data are stored locally, this is on the object under the control of the user. For ID-documents, this means that the building of central databases is avoided and that the biometric information is only stored in the ID document itself. If the biometric data are stored locally, the data shall be stored in a secure way. In practice, this means storage of the biometric data in an encrypted way. This is, however, not sufficient. Upon verification, there remains a considerable privacy and security risk if the (encrypted) data stored on the card leave the card for the matching process (match-off-card). This is necessary because the card lacks an end-user interface and the user has to use the interface provided by a terminal which may not always be trustworthy. The matching is hence in an open environment, vulnerable for attacks and abuse (see also above). During the communication between the card and the card reader, the biometric information could be stolen or changed. Therefore, storage on the local device contains only limited privacy and security advantages, unless the matching process between the biometric credentials submitted and the ones stored, takes place on the card or subject under control of the user itself (match-on-card/match-on-token). In that way, the biometric information never leaves the token or card, which is a closed and more secure environment, than the communication in the open matching environment. Match-on-token as an enhancement of the privacy and security risks has been further researched and demonstrated in JavaCard first prototypes in BioSec project for fingerprint and iris as an enhanced security solution to privacy threats. It might be possible to employ this approach to be further researched and enhanced in ID documents as well, enabling a biometric-on-card verification. This technology could then possibly overcome the critics related to the BAC (see above). Presently, however, there remain for this technology hurdles to overcome, such as the required power consumption which is not compatible with power supply.

Restriction to verification 

In conformity with the proportionality principle of the data protection legislation, the WP 29 states in its abovementioned opinion that the use of biometrics in ID documents should be technically restricted for verification purposes, whereby the data contained in the document is only compared with the biometric data provided by the holder upon presenting the ID document.  

Distinction between biometric data used for ID documents and biometric data for contractual purposes 

Finally, the WP 29 states that a distinction should be made between the processing of biometric data for ID document purposes, (e.g., for border control), and for which a legal basis is enacted, and the processing of biometric data obtained on the basis of consent, e.g., for contractual purposes.