[Dave Birch] When we think about electronic identity, we tend to think in terms of the identity structures that we are familiar with from the physical world, so we talk about passports and borders. But the current system of passports, visas and border controls doesn’t work terribly well — see the discussions ad infinitum about the recent Dubai death squad’s comedy disguises and simple faked passports — so I’m not sure it’s much of a basis for exploration. Why do I say this? Well, because I’ve been to a few presentations about the various systems involved recently and have been trying to understand some of the dynamics to help our customers develop some longer-term strategies around identity.

One of the problems is that there is so much going on. Start with moving on from SIS. The SIS2 (Schengen Information System 2) will store biometrics to prevent visa fraud. After a three year transitional period, SIS2 must check with the new Visa Information System (VIS). VIS will require fingerprints and these will be matched via AFIS (so that if, say, a Moroccan person applies for visas in both French and German consulates then this will be known). The fingerprints are currently kept for five years. The Central VIS will connect via a new secure network (S-TESTA) to the national VIS systems and these national systems are connected in turn to the national consulates overseas. Are you with me so far?

What’s the point? Well, it’s so that when a non-EU person applies for a visa in Schengen country, the details will be passed up to the central system and then they will be checked when the passport is presented at Schengen border control. The purpose of all this is to defeat a common immigration fraud, which is that a bona-fide Chinese businessman (say) gets a visa to come to a Schengen country, and gives it to someone else. That person enters Schengen and then sends the passport and visa back to China by DHL. The next Chinese person enters Schengen, and then posts it back again… Will SIS2 fix this? Surely the problem will shift to the feeder documents. It’s impossible to imagine that an EU consulate somewhere can accurately verify and validate passports from 196 countries, but let’s put that to one side for a moment. There are plenty of people who think that SIS will end up causing more problems than it is solving.

The number of computers with access to the Schengen Information System has doubled to 500,000 thanks to the extension of the EU.

[From Half a million PCs can access Schengen’s ‘secure’ database • The Register]

Since half a million PCs around Europe can access the system, that means that to all intents and purposes everything on the system is public.

Statewatch, a group that monitors civil liberties in Europe, said it was aware of a case in Belgium where personal information extracted from the system by an official was sold to an organised criminal gang.

[From 500,000 EU computers can access private British data | Technology | The Observer]

There’s another system coming online as well, the Euro Border Surveillance System, or Eurosur. This aims to reduce illegal migrants entering EU by sea, particularly aimed at Mediterranean). Good luck on that one. Spain has had some positive results from using satellite tracking (positive in the sense that the immigrants go to Italy instead) but I’m sure Eurosur will help further.

Then there’s the new e-passport. As has been discussed many times before, the current e-passport is a complement to the physical passport: that’s why it’s a chip inside the passport, not a chip instead of a passport. Almost everywhere you go in the world, the chip is not used, but in the future it may be. There’s security, naturally. The e-passports have Basic Access Control (BAC), which we’ve also discussed before. BAC locks the passport so that you have to physically read the passport MRZ in order to read the data from the chip (this is not strictly true, by the way, because the MRZ data isn’t random, but that’s a detail). Extended Access Control (EAC) is the next step: for one thing, it stops people from cloning the chips. But it adds additional functionality as well so, from 28th June 2009, member states have been required to issue EAC e-passports only.

Back to the difference between the chip and the book. If the e-passport is going to store data that isn’t on the passport (eg, your fingerprints) then these must be encrypted so that they can only be read by authorised authorities. An EAC passport will therefore only give up data to readers that it can authorise through the use of asymmetric cryptography (the reader must present a certificate signed by a recognised authority) and the passport can then encrypt and sign its own data. There’s something called Active Authentication as well, so the e-passport contains a key pair: the secret private key and the not secret public key (which appears in Data Group 14, DG14, in the data).

Unfortunately, shifting to EAC adds complexity because there are now two trust chains: the data trust chain (so that the readers can verify the passport data) and the terminal trust chain (so that the passport can verify the reader data). You can imagine that co-ordinating both of these chains across the globe has turned out to be something of a problem: every reader has to have every valid certificate from every country in it. The Brussels Interoperability Group (BIG) is responsible for harmonising the e-passport specification throughout the EU and has also been responsible for the certificate policies, protection profiles, conformance tests and interoperability tests. At ID World, Bob Carter from IPS said that the most difficult job was trying to work out how to exchange certificates between countries and he is, of course, right. One thing that is not yet in place is the protection profile from readers (a lesson from chip and PIN deployment in the UK: there’s no point having secure chips and wholly insecure readers).

It would be nice to be able to set a date when we might move to a wholly e-passport world, but to get there we have to get rid of visa stickers. There’s a name for this too: ESTA (Electronic System for Travel Authorisation). If this could be achieved, then there is no need to have manned border control, since introducing people into the loop could not improve the system in any way. This is a very appealing prospect to governments, but I think there is a real concern here: if a criminal is able to get a legitimate visa certificates, smart card, e-stamp or whatever else and is never questioned by a human security official, then once they are inside the perimeter they can operate with impunity.

Look, passports are a very special case of an identity document. Because of international obligations, we can’t just do what we want with them. Fair enough. But should they be at the heart of electronic identity for the 21st century? Should we be designing ID cards that are an electronic emulation of this existing system?

Without going into too much details, I believe the objective is to mimic the modern identity that revolves around photo IDs (passport, driving license, student card etc) in our online identity transactions.

[From Bringing identity home : Media Influencer]

There’s something else being mimiced here. Why the discourse on BAC/EAC? Well, the UK version of the UK National ID card — there are two: the non-UK citizens version and the UK citizens version, because national ID cards are travel cards in the EU so the non-UK citizen version doesn’t have the travel version — is also an EAC-compliant travel document. It has a contact plate on it, a contact plate which is not connected to anything (technically, there is no answer-to-reset, or ATR, via the contact interface). As I’ve mentioned before, this is a “Potemkin” plate, purely for show, intended to impress political masters, but actually useless. It has only contactless functionality, and the only contactless functionality is has is the e-passport. That’s all it is.

Potemkin Card.png

Surely it would have saved a lot of money to have just printed a picture of a shiny gold contact plate on the back of the card somewhere? Hence my suggestion to some policy wonks (I’m sure they won’t be offended by the description, since that what they called themselves) that when the incoming administration scraps the ID card scheme — but finds itself unable to scrap the systems, because systems integrators have contracts that will cost a fortune to terminate — they stop calling these “ID cards” and start calling then “Passport Plus’ (the non-UK citizen version without the travel functionality — so, in other words, with no functionality at all — can be called “Passport Minus”). That way, everyone’s happy, except for taxpayers.

Passports are a travel document: let’s leave them to that physical world and stop using them as a paradigm for identity management in the online world.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: