Biometric Passports And Biometric Databases Coming
Governments are rushing to meet a US government requirement that travellers entering the US without a visa carry biometric passports.
International technical standards and civil aviation organisations have confirmed that they are working on deploying passports containing details that enable the "machine-assisted identification" of the passenger, which will be required by travellers visiting the US from October 2004.
Different governments are implementing different kinds of biometric passports.
Current plans call for the new passport books to include a contactless smart chip based on the ISO 14443 standard, with a minimum of 32 Kbytes of EEPROM storage. The chip will contain a compressed full-face image for use as a biometric.
European biometric passports, by contrast, are planned to feature both retinal and fingerprint recognition biometrics on their smart cards.
Some countries are using biometric data in many other forms of ID as well.
The technology will not just be used in passports but in drivers' licenses. Malaysia is using biometric smart cards for government services. Unisys is even working on a registered traveler system that gives you a smart card holding your fingerprint information, to be used at airports to skip the check-in lines.
Even without formal approval of a national ID card system it seems inevitable that most people will end up having their biometric data recorded by one or more governments. This brings up an interesting twist: anyone who wants to pass through an airport or other facility that has iris scanners and fingerprint checkers will end up having their biometric data recorded, even if they never get a driver's license or other card that requires biometric data as part of the application process. People travelling around under multiple identities will likely be detected eventually by comparing the biometric data against the different names and nationalities used by the same person at different times.
If the biometric data logs are archived, then British airports will become big iris pattern data collection systems.
Iris-recognition machines, which can identify people by reading the distinctive pattern surrounding the pupil of the eye, are to be installed at 10 British airports within a year.
Biometric passports might seem an improvement since they will be harder to counterfeit. But stop and think about it: a biometric passport is a one-person database of biometric data. Why have every person carry a database of their own biometric data? If a counterfeit passport can be made at all, the counterfeiter simply enrolls the imposter's own biometric in it, and a comparison of the person to the biometric record embedded in the passport will yield a match even though the person is using a false identity. Many biometric identification systems do not rely on a person carrying a card at all: there is a central database, and each person is scanned and compared against it. Of course, a corrupt worker could make an inappropriate entry in that database.
One problem that biometric identification does not solve is that unscrupulous staff can issue biometric ids to people who do not qualify for them.
In Ireland, the introduction of national ID cards and biometric passports has provoked controversy amid data protection and privacy fears. On this front, the trustworthiness of staff with access to biometric systems and data is considered important. A question governments and companies adopting biometric national IDs would need to ask themselves is "what checks and balances do you have to prevent them (staff) issuing false IDs to people," according to Allan.
One thing biometric databases will make possible is comparing records to find the same biometric data filed under multiple identities. A comparison of the fingerprints and iris patterns of everyone in a massive database should not yield matches between different records; when it does, the same person has been enrolled twice. So biometrics will make it harder to create a false identity for a person who has already been recorded under their real one.
Even governments will find it harder to create new false identities for people. If a person travels to other countries and has their name and biometric data recorded in the database logs of foreign airports, and their own government later provides them with a new identity, some other government will be able to compare them against its database of previous visitors and recognize them by their older identity.
Appropriate cryptographic techniques could minimize these problems:
Encrypt the biometric data on the passport using a strong public-key algorithm with a secret key. Do this by sending the raw data (using a strongly protected transmission system including encryption) to a central facility protected as below, and getting the encrypted data back, writing only the encrypted data into the passport.
To validate identity at a point of entry or wherever, have a "black box" measure the current raw biometric data of the person being checked, decrypt the passport using the "public key" (which in this case is safeguarded, but not as much as the private key because it must exist at the point of verification), and do the biometric algorithm on the spot. Thus the only place the biometric data is "in the clear" is inside the "black box" at the point of entry. The only place the "public key" is in the clear is inside one of these devices.
Protect the secret (private) key the way the big financial networks do it (I used to work for Visa USA):
* An extremely physically secure vault holds the encryption computers. The vault is protected by armed guards. To open the vault requires keys held by three separate people (best is they have both a physical key and a secret piece of knowledge).
* The secret key exists ONLY within the encryption computers in the vault. Likewise, the private key used for communications security exists ONLY within this vault.
* The secret keys are created by the use of a true random number generator (using random noise generators, quantum effects, or other NSA approved methods).
* One or more backup locations to duplicate the facility and the secret key, each location with the same level of protection.
This approach is extremely resistant to passport forgery, as making a passport requires knowledge of the secret key, or compromising the human(s) who run(s) a passport generation system (and there is no perfect defense against this approach).
Stealing the public key would require stealing one of these boxes and then hacking the key out of it (and the financial industry and the NSA know methods to make that extremely hard). But this would only allow one to read the biometrics of a presented passport, which is not a terribly interesting thing to do. Certainly the system protects against wholesale access to biometric information, and even the government cannot get an individual's information without physical possession of his passport.
A practical system would, of course, require some more details, such as using more than one set of keys so that the compromise of one results in limited damage, etc.
Of course, if you're worried about privacy, another simple approach is to use facial biometrics. Heck, they've got a picture of your face already!
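The scheme in the comment above, where the issuing facility applies its secret key to the template and the point-of-entry device checks the result with the matching public key, is what would now be called a digital signature over the passport data. The Go program below is an added example, not code from the post or the commenter: it implements that part of the scheme with Ed25519 and a toy bit-template matcher, and plays out the counterfeit-passport argument made earlier in the post. A fake passport carrying the imposter's own biometric matches the imposter, but is refused because its template was never signed under the secret key; a stolen genuine passport passes the signature check and fails the biometric one. The passport layout, the names, the 256-bit templates and the Hamming-distance threshold are assumptions made for the example. It does not attempt the comment's second goal, keeping the template unreadable to anyone without the verification key, which a signature alone does not provide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

// Passport is the chip's record in this hypothetical layout (not ICAO's):
// identity fields, the enrolled template, and the issuer's signature over both.
type Passport struct {
	Name     string
	Template []byte // enrolled iris-code-style bit template
	Sig      []byte // Ed25519 signature over name || template
}

// NewIssuer makes the authority's key pair; the private key is what the
// commenter's vault protects, and only the public key ever leaves it.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// toBeSigned fixes the name/template boundary with a one-byte length prefix
// (names under 256 bytes), so neither field can be shifted into the other.
func toBeSigned(name string, template []byte) []byte {
	return append(append([]byte{byte(len(name))}, name...), template...)
}

// Issue runs only inside the central facility that holds the private key.
func Issue(priv ed25519.PrivateKey, name string, template []byte) Passport {
	sig := ed25519.Sign(priv, toBeSigned(name, template))
	return Passport{Name: name, Template: template, Sig: sig}
}

// hammingDist counts differing bits; the matcher accepts pairs under a threshold.
func hammingDist(a, b []byte) (int, error) {
	if len(a) != len(b) {
		return 0, errors.New("template length mismatch")
	}
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d, nil
}

// Verify is the point-of-entry "black box". It holds only the public key, so a
// template the issuer never signed is refused before any biometric comparison.
func Verify(pub ed25519.PublicKey, p Passport, live []byte, maxDist int) (bool, error) {
	if !ed25519.Verify(pub, toBeSigned(p.Name, p.Template), p.Sig) {
		return false, errors.New("signature invalid: not issued by this authority")
	}
	d, err := hammingDist(p.Template, live)
	if err != nil {
		return false, err
	}
	return d <= maxDist, nil
}

// SampleTemplate and FlipBits build constructed data: a 256-bit enrolled
// template and a "live scan" that differs from it in a few noisy bits.
func SampleTemplate(fill byte) []byte {
	t := make([]byte, 32)
	for i := range t {
		t[i] = fill ^ byte(i)
	}
	return t
}
func FlipBits(t []byte, positions ...int) []byte {
	out := append([]byte(nil), t...)
	for _, p := range positions {
		out[p/8] ^= 1 << uint(p%8)
	}
	return out
}

// RunScenario plays out the cases argued over in the post and the comment.
func RunScenario() (genuineOK bool, forgedErr error, stolenOK bool, tamperedErr error) {
	pub, priv := NewIssuer()
	alice, mallory := SampleTemplate(0xA5), SampleTemplate(0x3C) // differ in 128 bits
	pp := Issue(priv, "Alice", alice)
	genuineOK, _ = Verify(pub, pp, FlipBits(alice, 3, 77, 200), 16)
	// Without the private key, Mallory can at best copy Alice's signature.
	forged := Passport{Name: "Mallory", Template: mallory, Sig: pp.Sig}
	_, forgedErr = Verify(pub, forged, mallory, 16)
	stolenOK, _ = Verify(pub, pp, mallory, 16) // signature fine, biometric fails
	tampered := pp
	tampered.Template = FlipBits(pp.Template, 0)
	_, tamperedErr = Verify(pub, tampered, FlipBits(alice, 3, 77, 200), 16)
	return
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the four outcomes in order: the real holder is accepted, the forged passport and the edited one are refused with a signature error, and the stolen passport is refused on the biometric. Note that the verifier's copy of the public key is all anyone needs to read the template from any presented passport, which is the exposure the comment accepts as "not a terribly interesting thing".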
I think the real problem with biometrics is the inaccuracies. These systems all have a false positive (setting off an alarm when it shouldn't) and false negative rate (letting the imposter through). You would hope in this case to have both very small, but the rates trend in opposite directions as you adjust the algorithms. In practice, this means that you go to the port of entry, present your passport and some part of your body (iris, fingerprints, hand...), and the system says that you are an imposter. I haven't worked with this for about 20 years, but I know that there is still a significant problem with false positives.
This is okay if the rate of these false positives is low enough, and very good procedures are in place to deal with it.
For example, one attack on it would be for an imposter to carry a passport with someone else's biometry in it, and then use what hackers call "human engineering" or spies call "tradecraft" to defeat the procedure for dealing with the inevitable alert (in this case, a true positive). But doing this is very risky and certainly will leave a record, including the real biometrics and photographs.
It's a lot easier to just bribe the immigrations officers.
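The trade-off the last comment describes, where the two error rates move in opposite directions as the matching algorithm is tuned, can be seen on constructed data. The Go program below is an added example, not the commenter's code: it enrols a population of random 256-bit templates, re-scans each with 5% bit noise to stand in for a genuine traveller, pairs each with an unrelated template to stand in for an imposter, and reports both error rates at every Hamming-distance threshold. The template size, noise level and population size are assumptions. In the commenter's vocabulary the false-alarm rate is the "false positive" and the imposter-pass rate the "false negative".

```go
package main

import (
	"fmt"
	"math/bits"
	"math/rand"
)

const templateBits = 256 // toy iris-code length

// Rates are the two error rates at one threshold. In the commenter's terms
// FalseAlarm is the "false positive" (a genuine traveller flagged) and
// ImposterPass the "false negative" (an imposter let through).
type Rates struct {
	Threshold    int
	FalseAlarm   float64
	ImposterPass float64
}

// randomTemplate stands in for an enrolment scan of an unrelated person.
func randomTemplate(r *rand.Rand) []byte {
	t := make([]byte, templateBits/8)
	for i := range t {
		t[i] = byte(r.Intn(256))
	}
	return t
}

// rescan simulates capturing the same eye again: each bit flips
// independently with probability p (sensor noise, lighting, eyelids).
func rescan(r *rand.Rand, t []byte, p float64) []byte {
	out := append([]byte(nil), t...)
	for i := 0; i < templateBits; i++ {
		if r.Float64() < p {
			out[i/8] ^= 1 << uint(i%8)
		}
	}
	return out
}

// bitDiff is the Hamming distance the matcher compares to its threshold.
func bitDiff(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Sweep enrols n subjects, re-scans each with noise and pairs each with a
// stranger, then reports both error rates at every threshold. Raising the
// threshold lowers false alarms and raises imposter passes, never both.
func Sweep(n int, noise float64, seed int64) []Rates {
	r := rand.New(rand.NewSource(seed))
	genuine, imposter := make([]int, n), make([]int, n)
	for i := range genuine {
		enrolled := randomTemplate(r)
		genuine[i] = bitDiff(enrolled, rescan(r, enrolled, noise))
		imposter[i] = bitDiff(enrolled, randomTemplate(r))
	}
	out := make([]Rates, 0, templateBits+1)
	for th := 0; th <= templateBits; th++ {
		alarms, passes := 0, 0
		for i := range genuine {
			if genuine[i] > th {
				alarms++
			}
			if imposter[i] <= th {
				passes++
			}
		}
		out = append(out, Rates{th, float64(alarms) / float64(n), float64(passes) / float64(n)})
	}
	return out
}

// Operating picks the strictest threshold whose false-alarm rate the port's
// exception procedures can absorb; its imposter-pass rate is the price.
func Operating(rates []Rates, maxFalseAlarm float64) Rates {
	for _, rt := range rates {
		if rt.FalseAlarm <= maxFalseAlarm {
			return rt
		}
	}
	return rates[len(rates)-1]
}

func main() {
	rates := Sweep(1000, 0.05, 1)
	for _, th := range []int{8, 16, 32, 64, 128} {
		rt := rates[th]
		fmt.Printf("threshold %3d: false alarm %.3f  imposter pass %.3f\n", th, rt.FalseAlarm, rt.ImposterPass)
	}
	fmt.Printf("operating point for 1%% false alarms: %+v\n", Operating(rates, 0.01))
}
```

Operating makes the decision the comment says the port has to make: it takes the strictest threshold that keeps false alarms within what the exception procedure can handle, and the imposter-pass rate at that point is what the procedure is then trusted to catch. With the toy 5% noise the two populations separate cleanly and both rates can be zero at once; real sensors and real imposters are not so well behaved, and the exception procedure itself becomes the target for the tradecraft the commenter mentions.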