Here’s a back of the envelope suggestion. Suppose there were a single biometric database that contains a unique identifying number (the meaningless but unique number, or MBUN). This biometric database contains a facial picture, iris scans and 10 fingerprints. Put aside how they get there for a moment, let’s just pretend there’s a biometric uniqueness machine (BUM) that can register these biometrics.
Now consider a person applying for a passport. They go to a Post Office claiming to be Dave Birch. They look into the biometric machine and the biometric sends off the iris scans, picture and fingerprints to the biometric database. Either these match in the biometric database, in which case the database returns P(MBUN), the unique passport identifying number, or they are matched in the database, in which case they are stored in the database and the database returns P(MBUN). Let’s not delve into what P(x) is, it’s just a one-way cryptographic mapping such that given x then P(x) is easy to compute, but given P(x) it’s impossible to compute x. Now the passport database can have an entry created for P(x) and the face and fingerprints sent from the BUM to the passport database, and the passport processes continue, and the person provides supporting documentation to label P(x) as indexing Dave Birch.
Now suppose the same person decides they want an ID card so that they can log on to eBay securely. They go to the Post Office to apply for an ID card. They look into the BUM, and the biometric database finds a match for record x and returns I(x). Note that you cannot compute I(x) from P(x) or vice versa. If hackers, or the police, have P(x), they cannot find x no matter what. The police can submit crime scene fingerprints (for example) under warrant and ask the biometric database to return P(x) or I(x) — if it finds a match — but not x. Now the identity register can have an entry created for I(x) and the face sent from the BUM to the ID card database. A card pops out of the slot in the Post Office (and for reasons not relevant here, the card might well know x but never disclose it). Now you can prove it is your card, and the cleverest of hackers cannot pretend it is theirs.
We have a passport system, we have an identity register, and we have a biometric database that powers them solely by ensuring that the index numbers are unique.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]