
28/02/2010

Comments


Chris - this is one of those cases where technology design is fundamental to the privacy impact of a system.

One option is the centralised system you outline above, with real-time online checks of scanned fingerprints/irises/faces against a UK govt-operated database. This leaves an audit trail of all (verified) uses of the biometric passport. It does not necessarily mean that "UK biometric data would have to be shared world-wide to most international airports". The verifying terminal could send a message to the UK system saying "Here is a passport number and a biometric. Is this valid?" - necessitating only a yes/no response.

A much more privacy-friendly system would store biometrics on a chip in the passport, *digitally signed by the issuer*. This prevents forgery by anyone not in possession of the relevant private signature key(s) - which can be held by the UK govt more securely than an online database that needs to be online and globally reachable at all times. Combined with a globally-broadcast list of revoked passports, this eliminates the need for online checking, and hence the generation of a personally-linked audit trail by the verifier.

Chris - I wasn't quick enough to catch your original post on 18th Feb, so apologies if you had already made the following point about the national security implications of biometric passports...

In many of the early discussions about the NIS/NIR, it was just noted, as an "inconvenient side-effect" of biometric enrolment, that individuals who legitimately need an assumed ID (intelligence officers, undercover police officers, endangered witnesses, victims of domestic abuse) would need to be specially handled by the NIR. The implication was that the NIR would (need to) be designed so as to allow an alias to be registered against a given biometric record.

However, the Dubai episode reveals that this initial analysis is flawed and does not fully reflect the risk involved.

It is one thing for the NIR to be able to respond as if a valid alias were a real ID - unfortunately, that's not the only valid use-case... as Dubai clearly illustrates. In practice, as you point out, it's possible for the passport to say that I am Oscar Wilde, and for my biometric to be registered against the name "Oscar Wilde" in the NIR. But if I then have to adopt an alias, and my NIR entry is therefore changed to associate my biometric with the name "William Gladstone", how the hell am I going to explain that to any country I have already entered, and which has registered my biometric against the name "Oscar Wilde" in its immigration database?

This will clearly be both inconvenient and possibly dangerous for intelligence officers, but it also raises serious safety, privacy and practical concerns for, say, victims of domestic abuse, who may be obliged to disclose that fact (quite unnecessarily) just in order to cross a frontier. If they are doing so in order to begin a new life away from the source of their abuse, that is not a happy start to the process...

The biometric templates embedded in the passport are digitally signed by the issuing country. The point is that this should not be possible for a forger to do, unless modern crypto is systematically broken (and then fake passports are the least of your worries) – and the validity of the signature can be checked offline (that is how PKI works), without pinging a live national database online.

There are dumb and flawed aspects of the design of biometric passports, but at least in this respect, even the current generation were designed to avoid the particular problem you raise...

The problem is that the border control stations of most countries have not deployed reader infrastructure to check the digital signatures...

CB
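The signed-chip design described in the second comment above (issuer-signed biometrics plus a broadcast revocation list) and CB's point that the signature can be checked offline describe the same verification flow. The Go program below is an added illustration, not code from the blog or from any real passport scheme: it uses Ed25519 as a stand-in for the issuer's signature algorithm, a constructed byte string as the biometric template, plain byte equality as the matching step, and a local map as the revocation list; the OnlineCheck function models the centralised yes/no lookup from the first comment and shows the audit record that design leaves behind at the issuer. All names, passport numbers and dates are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Passport is the data the issuer signs. Template is a constructed placeholder;
// real templates are vendor-specific feature vectors, not raw bytes like this.
type Passport struct {
	Number   string `json:"number"`
	Name     string `json:"name"`
	Expiry   string `json:"expiry"` // YYYY-MM-DD
	Template []byte `json:"template"`
}

// SignedPassport is what the chip carries: the data and the issuer's signature over it.
type SignedPassport struct {
	Data      Passport
	Signature []byte
}

// NewIssuerKey generates the issuer's signing key pair. In practice the private key
// never leaves the issuing authority; only the public key is distributed to verifiers.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical is the exact byte string that is signed at issue and checked at the border.
// Struct field order is fixed, so json.Marshal is deterministic here.
func canonical(p Passport) []byte {
	b, _ := json.Marshal(p)
	return b
}

// Issue signs the passport data. Forging a chip requires this private key.
func Issue(priv ed25519.PrivateKey, p Passport) SignedPassport {
	return SignedPassport{Data: p, Signature: ed25519.Sign(priv, canonical(p))}
}

// VerifyOffline is the border-side check. It needs only the issuer's public key and a
// locally held revocation list; no message is sent back to the issuing country, so the
// issuer learns nothing about where or when the passport was used.
func VerifyOffline(pub ed25519.PublicKey, sp SignedPassport, presented []byte,
	revoked map[string]bool, now time.Time) string {
	if !ed25519.Verify(pub, canonical(sp.Data), sp.Signature) {
		return "reject: signature invalid (forged or altered chip data)"
	}
	if revoked[sp.Data.Number] {
		return "reject: passport on broadcast revocation list"
	}
	exp, err := time.Parse("2006-01-02", sp.Data.Expiry)
	if err != nil || now.After(exp) {
		return "reject: expired"
	}
	// Byte equality stands in for a real biometric matcher with a similarity threshold.
	if !bytes.Equal(presented, sp.Data.Template) {
		return "reject: live biometric does not match signed template"
	}
	return "accept"
}

// Issuer models the centralised alternative: a live database that answers yes/no.
type Issuer struct {
	Valid map[string][]byte // passport number -> enrolled template
	Audit []string          // every query is recorded, whether it succeeds or not
}

// OnlineCheck answers the verifier's "is this number/biometric valid?" question and, as a
// side effect, records which terminal asked about which passport and when.
func (is *Issuer) OnlineCheck(number string, presented []byte, verifier string, when time.Time) bool {
	is.Audit = append(is.Audit, fmt.Sprintf("%s %s queried %s", when.Format(time.RFC3339), verifier, number))
	tmpl, ok := is.Valid[number]
	return ok && bytes.Equal(tmpl, presented)
}

func main() {
	pub, priv := NewIssuerKey()
	tmpl := []byte("constructed-template-001")
	sp := Issue(priv, Passport{Number: "P0000001", Name: "Oscar Wilde", Expiry: "2030-01-01", Template: tmpl})
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)

	fmt.Println("genuine chip:   ", VerifyOffline(pub, sp, tmpl, nil, now))
	forged := sp
	forged.Data.Name = "William Gladstone" // altered without the issuer's key
	fmt.Println("altered name:   ", VerifyOffline(pub, forged, tmpl, nil, now))
	fmt.Println("revoked number: ", VerifyOffline(pub, sp, tmpl, map[string]bool{"P0000001": true}, now))

	is := &Issuer{Valid: map[string][]byte{"P0000001": tmpl}}
	fmt.Println("online check:   ", is.OnlineCheck("P0000001", tmpl, "constructed-terminal-1", now))
	fmt.Println("issuer audit:   ", is.Audit) // the personally-linked trail the offline design avoids
}
```

Note the asymmetry the comments are pointing at: VerifyOffline's only external input is the revocation list, which can be pushed to every border post in bulk, whereas OnlineCheck cannot answer without first writing a row that ties a named passport to a place and time.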


All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.