I made a mistake in my blog “Uncomfortable questions over biometric ID Cards and national security” posted on 18th Feb. A couple of days after I had posted the text, the BBC carried reports that the Foreign Secretary had said that the new UK biometric passports were not used by those who assassinated a Hamas official in Dubai. I had written the blog assuming the passports were the biometric ones, so obviously my comments about how the biometric details were compromised were 100% wrong.
However, I do think that the Foreign Secretary’s claim that biometric passports would not have been exposed in this same way is misleading. The reason for saying this is that the use of biometrics raises a new set of privacy problems.
So, suppose someone tries to enter a country with a fake passport. How does one know that the passport is invalid, assuming that the forgery is not an obvious one (e.g. incorrect design, wrong quality of paper, or a serial number with an incorrect checksum)? If there is a chip embedded in the passport, then the chip will no doubt be loaded with the biometric of the passport holder – the impersonator.
I think the only sure way is to check the details on the passport with the enrolment data and biometrics provided when the passport was issued. This in turn means that UK biometric data would have to be shared world-wide to most international airports – thus increasing the risk of compromising the biometric data of all travellers (as well as other passport details).
In addition, the audit trail associated with the Passport database would have to contain details of the check (i.e. where and when travellers were checked – and of course dated). The same would go for when the passport is examined by hotel reception, or traffic police, or in connection with eligibility for free health care or whatever.
This problem also pervades the ID Card, now promoted as a way for young adults to gain entrance to pubs and clubs. How is a bouncer on the door of a night club going to know whether the ID Card is a “good ‘un”? Answer, I think, by doing a check against what has been enrolled – and this updates the details on the audit trail of the National Identity Register.
In other words, fixing the problem of compromised passports could result in transfers of personal data and audit trails that could easily compromise the notion of privacy.
Uncomfortable questions over national security
(For completeness: this is the text of my revised 18th Feb blog that has not been removed)
Last week, the Foreign Secretary got up in the House of Commons to say that his legal action before the Court of Appeal was to protect intelligence vital to national security given to the UK by the USA’s national security agencies.
In relation to the intelligence issue, I accept that there are immense difficulties. However, if we start from the position that intelligence is information from which one can deduce or infer a possible action, then the position becomes clearer. For example, if “X has been in contact with Y” then it might be important to put “Y” on a watch list.
I also do not think that “X has been water-boarded” qualifies as intelligence – it is a description of what has happened to X. It might be confidential to qualify the intelligence by explaining that “intelligence from X has been gained under torture”, but there again, it is the information that is provided that is the “intelligence” and not the means by which it was extracted from the informant.
In other words, the Foreign Secretary’s claim that “The seven paragraphs contain summaries of American intelligence relating to Mr Mohamed’s case held in UK files” cannot possibly be substantiated by the facts. One cannot possibly undermine the principle of protecting intelligence sharing if the information itself does not qualify as intelligence (in this case, it relates to inhuman or degrading treatment).
Reference: In my evidence to the Joint Committee on Human Rights published in 2006, I explore national security in the context of Parliamentary scrutiny, data protection, human rights and terrorism. I explain why the UK system of scrutiny desperately needs an overhaul (http://www.amberhawk.com/policydoc.asp)
Chris - this is one of those cases where technology design is fundamental to the privacy impact of a system.
One option is the centralised system you outline above, with real-time online checks of scanned fingerprints/irises/faces against a UK govt-operated database. This leaves an audit trail of all (verified) uses of the biometric passport. It does not necessarily mean that "UK biometric data would have to be shared world-wide to most international airports". The verifying terminal could send a message to the UK system saying "Here is a passport number and a biometric. Is this valid?" - necessitating only a yes/no response.
A much more privacy-friendly system would store biometrics on a chip in the passport, *digitally signed by the issuer*. This prevents forgery by anyone not in possession of the relevant private signature key(s) - which can be held by the UK govt more securely than an online database that needs to be online and globally reachable at all times. Combined with a globally-broadcast list of revoked passports, this eliminates the need for online checking, and hence the generation of a personally-linked audit trail by the verifier.
Posted by: Ian Brown | 01/03/2010 at 09:48 AM
Chris - I wasn't quick enough to catch your original post on 18th Feb, so apologies if you had already made the following point about the national security implications of biometric passports...
In many of the early discussions about the NIS/NIR, it was just noted, as an "inconvenient side-effect" of biometric enrolment, that individuals who legitimately need an assumed ID (intelligence officers, undercover police officers, endangered witnesses, victims of domestic abuse) would need to be specially handled by the NIR. The implication was that the NIR would (need to) be designed so as to allow an alias to be registered against a given biometric record.
However, the Dubai episode reveals that this initial analysis is flawed and does not fully reflect the risk involved.
It is one thing for the NIR to be able to respond as if a valid alias were a real ID - unfortunately, that's not the only valid use-case... as Dubai clearly illustrates. In practice, as you point out, it's possible for the passport to say that I am Oscar Wilde, and for my biometric to be registered against the name "Oscar Wilde" in the NIR. But if I then have to adopt an alias, and my NIR entry is therefore changed to associate my biometric with the name "William Gladstone", how the hell am I going to explain that to any country I have already entered, and which has registered my biometric against the name "Oscar Wilde" in its immigration database?
This will clearly be both inconvenient and possibly dangerous for intelligence officers, but it also raises serious safety, privacy and practical concerns for, say, victims of domestic abuse, who may be obliged to disclose that fact (quite unnecessarily) just in order to cross a frontier. If they are doing so in order to begin a new life away from the source of their abuse, that is not a happy start to the process...
Posted by: Robin Wilton | 01/03/2010 at 02:25 PM
The biometric templates embedded in the passport are digitally signed by the issuing country. The point is that this should not be possible for a forger to do, unless modern crypto is systematically broken (and then fake passports are least of your worries) – and the validity of the signature can be checked offline (that is how PKI works), without pinging a live national database online.
There are dumb and flawed aspects of the design of biometric passports, but at least in this respect, even the current generation were designed to avoid the particular problem you raise....
The problem is that the border control stations of most countries have not deployed reader infrastructure to check the digital signatures....
CB
Posted by: cp | 04/03/2010 at 12:46 PM
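As an added example that is not part of the original post or of any commenter's code, here is the offline check that Ian Brown and cp describe, modelled in Go: the issuer signs a hash of the passport details and the enrolled biometric template with an Ed25519 key, and a border terminal holding only the issuer's public key and a pre-distributed revocation list verifies the chip without contacting any national database, so no personally-linked audit trail leaves the terminal. Everything here is constructed for the demo: the passport fields, the key pair (generated at run time), the revocation list and the template bytes. Real e-passports follow ICAO 9303, where the chip carries a signed security object over its data groups, and real biometric matching scores similarity against a threshold rather than comparing bytes exactly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Passport is a simplified model of what an e-passport chip carries: the
// printed details, a biometric template, and the issuer's signature over both.
// (Constructed for this example; real chips follow the ICAO 9303 layout.)
type Passport struct {
	Number    string
	Name      string
	Template  []byte // biometric template enrolled at issue
	Signature []byte // issuer's Ed25519 signature over ToBeSigned()
}

// ToBeSigned returns the digest the issuer signs. Every field is length-
// prefixed before hashing so that bytes cannot be moved between fields
// without changing the digest.
func (p *Passport) ToBeSigned() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{[]byte(p.Number), []byte(p.Name), p.Template} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// Issue runs at the issuing authority, the only party holding priv.
func Issue(priv ed25519.PrivateKey, number, name string, template []byte) *Passport {
	p := &Passport{Number: number, Name: name, Template: template}
	p.Signature = ed25519.Sign(priv, p.ToBeSigned())
	return p
}

// Verifier is a border terminal. It holds the issuer's public key and a
// revocation list distributed in advance, and never contacts the issuer.
type Verifier struct {
	IssuerPub ed25519.PublicKey
	Revoked   map[string]bool // passport numbers reported lost, stolen or withdrawn
}

var (
	ErrBadSignature = errors.New("chip data not signed by the expected issuer")
	ErrRevoked      = errors.New("passport number is on the revocation list")
	ErrBiometric    = errors.New("live biometric does not match the signed template")
)

// Check verifies the chip offline and then compares the signed template with
// the live capture. Nothing is sent anywhere, so no central audit trail of
// the check is created.
func (v *Verifier) Check(p *Passport, live []byte) error {
	if !ed25519.Verify(v.IssuerPub, p.ToBeSigned(), p.Signature) {
		return ErrBadSignature // forged, altered, or signed with some other key
	}
	if v.Revoked[p.Number] {
		return ErrRevoked
	}
	// Real matchers score similarity against a threshold; exact equality
	// stands in for that here.
	if !bytes.Equal(p.Template, live) {
		return ErrBiometric
	}
	return nil
}

func main() {
	// Issuer key pair, generated fresh for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	terminal := &Verifier{IssuerPub: pub, Revoked: map[string]bool{"555000111": true}}

	alice := []byte("constructed-template-alice") // stands in for a fingerprint template
	genuine := Issue(priv, "123456789", "ALICE EXAMPLE", alice)
	fmt.Println("genuine passport, genuine holder:  ", terminal.Check(genuine, alice))

	// An impersonator copies the genuine chip data but loads their own template.
	forged := *genuine
	forged.Template = []byte("constructed-template-mallory")
	fmt.Println("copied data, impersonator template:", terminal.Check(&forged, forged.Template))

	// A forger with their own key pair cannot produce a signature the terminal trusts.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := Issue(otherPriv, "123456789", "ALICE EXAMPLE", alice)
	fmt.Println("signed with an unknown key:        ", terminal.Check(foreign, alice))

	// A genuine but withdrawn passport is caught by the broadcast revocation list.
	withdrawn := Issue(priv, "555000111", "BOB EXAMPLE", []byte("constructed-template-bob"))
	fmt.Println("revoked passport:                  ", terminal.Check(withdrawn, withdrawn.Template))
}
```

The second scenario is the impersonator case from the post: the chip can be loaded with the impersonator's biometric, but the issuer's signature then no longer covers the data, so the terminal rejects it without asking anyone. The contrast with the online yes/no check in the first comment is that the terminal here holds no channel back to the issuer at all; the price is that revocations only reach it as often as the list is refreshed.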