The European Commission Has a BAD Idea — Mandatory Biometric ID Cards
After Article 13 that mandates upload filters, the European Commission has another ill-advised proposal — now they want to make biometric data in ID cards mandatory for all member states.
Counter-terrorism, security, blah-blah… I don’t doubt they may be meaning well, but the technical details are just too complicated for the average politician to comprehend (and our politicians are very average, if I may quote “Yes, Minister”).
When I was advisor to the Bulgarian deputy prime minister I did extensive research on the issues of identity documents, as we were changing the Bulgarian legislation and had to decide whether it’s okay to have biometric ID cards or not (we decided to make them opt-in, which would mean practically nobody would go for that option). And I have listed the many issues with electronic machine readable travel documents (eMRTDs) but let me make a simplified overview of why the ICAO standard is bad (and I’m joined in this opinion by many security researchers, whose papers I’ve quoted in the linked article): the certificates and keys used to read the the fingerprints in the documents are stored in the terminal equipment (automatic or not) and are rotated frequently, because if they leak (and they can leak), then every passport in the world can be read with the single leaked key. And the fact that they are rotated frequently (which means — they are invalid after a day or two) doesn’t help, because the chips in passports don’t have clocks. If they are not validated often, they become stale and the fingerprints can be read by keys whose certificates have expired a long time ago.
“But the chip is NFC and can be read only in close proximity” you may say. Wrong. There is equipment (that’s easy and cheap to make) that fits in a backpack that can read up to a few meters. So in practice — you walk around the metro/subway train and collect fingerprints. It is not that trivial, of course, it requires some brute-forcing and advanced knowledge of the ICAO protocol (guess what — chips can’t prevent brute-force attacks), but it is doable.
So far I’ve talked about passports. The good thing about them is that you don’t carry them with you unless you are flying outside the EU. So very few people will have their passports on them at a given moment. They are still vulnerable in “train to the airport” scenarios, but passports are validated more often because you use them to cross borders.
ID cards have none of these benefits. You carry them all the time and they never go through border inspections (within the Schengen area at least). So they almost always have stale clocks.
Additionally, some countries may decide to make a fingerprint database when they collect the fingerprints of citizens for issuing the document. This database, no matter how well protected, can leak at some point. It is not technically required to have the database when issuing documents (you can write the fingerprint on the chip and then discard it), but some countries will inevitably store them unless explicitly restricted.
What can happen if someone has your fingerprint? It was a bit disheartening when (at a conference) an expert in passports answered my concerns with “well, nothing bad can happen if someone gets your fingerprint — I can get your fingerprint from that glass you are holding”. You can, but it won’t be high-resolution and won’t allow you to make perfect fake fingerprints (and yes, it’s pretty easy to make fake fingerprints, and fingerprint-only identification is a horrible idea). And even if you could make a fake fingerprint, you won’t be able to easily automate the process if you used glasses.
But what can you do with those? A few things to begin with — unlock stolen phones, unlock access doors (including home doors — there are fingerprint locks already on the market). When you unlock a stolen phone, you have access to everything — email (which can be used to gain access to most services), the 2nd factor in most 2-factor authentications, for e-banking for example. The worse thing is that you can’t change your fingerprint. And anything that relies on it is compromised forever. Your next smartphone. And the one after it. There’s no “invalidate fingerprint” option.
The general data protection and human rights argument is also here — having databases (whether centrally leaked or illegally collected) of biometric data is dystopian. And bad. Period.
But…but…counter-terrorism? Ah, yes, let’s get to that. Fingerprints won’t help. I’d be happy to see some analysis and threat models when the actual proposal is published, but I don’t think fingerprints solve any actual problem.
So what are the potential scenarios? A terrorists forges a document, a terrorist gets issued a fake document from a rogue/compromised state, a terrorist steals a document. Let’s see whether fingerprints in the document help and whether they are needed in each scenario. But first a clarification — the fingerprints in the document would be needed in order to verify that the holder of the document is actually the person to whom the document is originally issued. You match the fingerprints of the holder to the fingerprints in the document. This is the only thing the fingerprints in a document are good for. So:
- a terrorists forges a document —if the documents has any electronic data in it, signed with the private key of the issuing country, nobody can create a fake document because it won’t pass the signature validation. You don’t need fingerprints for that, you can sign the name and birth date.
- a terrorist gets issued a fake document from a rogue/compromised state — if a terrorist can have a document issued with a genuine private key from an actual country, then they can issue perfectly valid document under a fake name with the actual fingerprints and pass fingerprint verification. How about checking the fingerprints against a database? Well, you don’t need them in the document — you have the person in front of you, giving their fingerprints for inspection anyway.
- a terrorist steals a document — in that case, upon inspection, the fingerprints in the document won’t match the ones of the person. So maybe this is the actual use? Well, you don’t need them here either. There’s the photo (which I have no objections to being stored) which should also match. Yes, both automatic and human inspections can be fooled with similarly-looking people, but how likely is it? Also, stolen and lost documents are normally reported (not all of them, though) and are/can be distributed in central databases of invalid documents.
Only in the last case there’s some room for fingerprints. But when would the inspection be done? At airpoirts — on arrival you can go through automatic gates and use fake fingerprint anyway, so that’s not something you are solving. On departure — you are checked for dangerous items anyway, so even with a fake document you should not be able to crash a plane. I’m reminding again that in Schengen there’s no border checks, so the only way someone can inspect your ID cards would be for police officers to be patrolling railway and bus stations and asking strangers to give their fingerprints. Which means they will have to carry fingerprint readers (with the short-lived key+certificate).
When I was in the cabinet we mailed both ICAO and the European Commission most of the above concerns. The responses we got were … disappointing. The Commission replied: “We haven’t had problems so far”. Best. Security. Approach. Ever. “We haven’t had problems, therefore it’s secure”. No.
ICAO showed more understanding and replied “Thank you, can you recommend an expert for a working group” (we didn’t for various reasons out of the scope of this article).
This brings me to the bigger issue with legislation that requires technical expertise. Political decisions should be taken with the details in mind. The “general overview” and the “executive summary” are not sufficient when it comes to affecting millions of citizens.
I hope I’m missing something. But my hunch is that this is all nonsense which will hopefully be killed by the European Parliament.