Resources
Identity Use Cases & Scenarios.- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- Profiling.
- Forensic Implications.
- HighTechID.
- D3.1: Overview on IMS.
- D3.2: A study on PKI and biometrics.
- D3.3: Study on Mobile Identity Management.
- D3.5: Workshop on ID-Documents.
- D3.6: Study on ID Documents.
- D3.7: A Structured Collection on RFID Literature.
- D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication.
- D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management.
- D3.10: Biometrics in identity management.
- D3.11: Report on the Maintenance of the IMS Database.
- D3.15: Report on the Maintenance of the ISM Database.
- D3.17: Identity Management Systems – recent developments.
- D12.1: Integrated Workshop on Emerging AmI Technologies.
- D12.2: Study on Emerging AmI Technologies.
- D12.3: A Holistic Privacy Framework for RFID Applications.
- D12.4: Integrated Workshop on Emerging AmI.
- D12.5: Use cases and scenarios of emerging technologies.
- D12.6: A Study on ICT Implants.
- D12.7: Identity-related Crime in Europe – Big Problem or Big Hype?.
- D12.10: Normality Mining: Results from a Tracking Study.
- Privacy and legal-social content.
- Mobility and Identity.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
D3.6: Study on ID Documents
 |
Title: SUMMARY, CONCLUSIONS AND OUTLOOK |
 |
In this document basic technologies used or proposed for official electronic ID documents have been described and analysed with respect to privacy and security.
Chip card technology has been discussed, used and further developed for many years now. As a result this technology is accepted as mature by technicians and privacy commissions in Europe. Of course, the combination of chip card technology with other technologies such as biometrics can result in new questions concerning security and privacy.
PKI also has been used for ID document systems in some European countries for 9 years now, though the number of issued certificates still seems to be limited. No major security problems have been published. PKI currently does not implement privacy in an optimised way because of the existing linkability of transactions performed via the information in the certificates. Current technical approaches to improve the privacy compliance for authentication purposes using eIDs have been presented and analysed.
In difference to these established technologies the use of biometrics and RFID in ID documents is relatively new. The first European ID document using both of these technologies is the European passport. RFID and biometrics raise a number of obvious privacy and security issues.
In addition to well documented security aspects of biometrics, for example with respect to (1) the quality of biometric identification, (2) identity theft and (3) devaluation of classic forensic techniques, a number of privacy aspects still needs to be addressed. This includes (1) minimisation of linkability, (2) enforcement of the purpose binding principle and (3) avoidance of additional, in many cases health concerning, information in biometric raw data. Advanced technical approaches for authentication using biometrics have not been tested for or implemented in ID documents so far.
RFID originally have been designed for unrestricted remote access to the information stored on RFID tags. For the use of RFID in the European passport basic security measures, for example Basic Access Control (BAC), have been applied to restrict the unauthorised access. BAC seems to be cryptographically weak and uses information stored in the Machine Readable Zone (MRZ) on the document itself; this is like printing the corresponding PIN on a banking card. Together with well documented projects of non-European countries aiming at the storage of biometric data of foreign visitors in large databases, this creates a significant risk of identity theft via biometrics in cases the document is (even properly!) used or gets lost. A number of additional security and privacy methods currently in discussion or development such as applying a “Kill Command” cannot be used in a meaningful way with RFID in ID documents. Other methods such as integrating a Faraday cage in the cover of the European passport are not implemented.
From the technological perspective biometrics and RFID as implemented in the European passport do not seem mature. For the use of the European passport as issued currently we suggest:
The European passport should be used and carried around only when necessary.
In case the European passport is not used, it should be kept in a Faraday cage (for example aluminium foil) to hamper unauthorised and unrecognised access.
In case the European passport is not used, it should be locked carefully to avoid loss or theft of the document.
In addition the criteria for eIDs suggested by Niels Bjergstom (see chapter ) should be taken into consideration. In this context the following criteria seem to especially important:
It must not depend on irreplaceable personal characteristics to cope with the problem of compromised or lost/changed characteristics
The token containing the eID must be replaceable without undesirable consequences, i.e. theft or loss of a token must not enable impersonation
All its functions, including any disclosure of information in the token, must be fully controlled by the owner
Concerning future ID documents and the further development of the European passport the following suggestions subsequently should be taken into consideration:
The use of RFID should be considered carefully, especially as many problems concerning unauthorised and unobserved access from distances up to 10 m are not sufficiently technically solved today. Alternatively chip card technology can be used.
The use of biometrics should be considered carefully due to security and privacy problems this technology potentially causes. In cases biometrics is needed, advanced implementation taking security and privacy aspects into consideration should be used. This includes (1) the use of templates, (2) decentralised storage of data in the documents only and (3) on-card matching procedures for authentication.
In the legal chapter current European initiatives regarding machine-readable documents with biometrics have been described: Eurodac (the EU central fingerprint database in connection with asylum seekers), the Visa Information System (VIS - the EU central database set up to create a common visa policy) and the European Passport (requiring fingerprints and facial images as biometrical identifiers). These initiatives are analysed with respect to the European data protection and privacy framework resulting in the following conclusions:
The European data protection and privacy frameworks apply to the Regulations but in no case this means that the Regulations are a priori compliant neither with the Data Protection Directive nor with the ECHR. In addition machine-readability of people and of their documents may turn out to be excessive, hereby surpassing the necessity and proportionality criteria set out by the European Court of Human Rights.
The legal basis itself of the VIS and EU passport Regulations is questioned. While the VIS is in fact a ‘first pillar’ database, the Proposal provides for access possibilities by ‘third pillar authorities’ - for which normally other legal grounds than articles 62 and 66 of the T.E.C. must be invoked. While the EU regulates its passport on the basis of standards established by non-democratic standardisation bodies (ICAO), Article 18 (3) of the TEC even excludes the adoption of provisions by the EC on passports, identity cards, residence permits or any other such document.
Eurodac, the EU passport and the VIS are subject to possible function creep that is not foreseeable. The impact of this deployment and the future of identity can - regrettably - not be entirely assessed at this moment. A step-by-step approach seems the essential requirement to safeguard the fundamental rights and freedoms.
In the following chapter a study written by Thomas Myhr with respect to a European legal framework for ID documents is compared with the results of a similar discussion in the Porvoo group. Still a lot of research in this area is necessary to get a clear view on:
what regulation exists about visual and electronic ID documents in the EU member states and which “common umbrella” can be found in these regulations,
what the remaining issues are, and how they can be solved,
which the limits are for EU regulation and/if the issues can be solved without regulation (e.g. via standardisation).
In addition to an overview on existing eIDs five existing projects for the implementation of eIDs and three innovative technological concepts have been analysed in this document with respect to factors of success concerning the implementation. The following factors could be concluded:
Careful planning especially concerning the purpose of the eID and the appropriate technical solution (keep it small and smart); this should include technical, formal and informal aspects of interoperability
Intensive laboratory and field testing of prototypes
Refinement of the concepts using the results of the testing phase
Open communication within the project including all stakeholders of the eID and external experts
Appropriate education and qualification of the personal involved in the project
Finally economic factors that are relevant for eIDs were analysed. A number of elements that are critical for the cost projection have been elaborated and described. In addition the post implementation costs have to be calculated carefully to get a view on the Total Costs of Ownership (TCO) for an eID solution. Relevant factors in this context are:
Security aspects
Privacy aspects
Renewal of identity documents and register updates
Handling of complaints and false negatives
Internal audits
Costs of management of the register
Infrastructural costs and integration
| |
   |
|
| Denis Royer | 52 / 56 |
