A recurring media story over the past half year has been that “a person’s identity can be stolen from new biometric passports”, which are “easy to clone” and therefore “not fit for purpose”. Most of these reports began with a widely quoted presentation by Lukas Grunwald in Las Vegas in August 2006, and continued with a report in the Guardian last November and one in this week’s Daily Mail on experiments by Adam Laurie.
I closely followed the development of the ISO/ICAO standards for the biometric passport back in 2002/2003. In my view, the worries behind this media coverage are mainly based on a deep misunderstanding of what a “biometric passport” really is. The recent reports bring nothing to light that was not already well understood, anticipated and discussed during the development of the system more than four years ago.
It is important to understand that a “biometric passport” is something very different from a traditional passport. Calling both creatures “passport”, and tying them together physically into the same booklet, unfortunately misleads many people into thinking that they somehow share similar security requirements. “Biometric certificate” might have been a better name, which would have carried no connotation that having its content become public knowledge would represent a problem. So what is the difference?
A traditional passport is a security token, an object that helps you to get access by the mere fact that you are in its possession. Therefore, similar to banknotes, passports are produced using fancy printing technology (laminates, holograms/kinegrams, Guilloché patterns, UV ink and threads, etc.), all aimed at making it as expensive as possible for a fraudster to modify the data on an existing passport or to produce something looking very similar to a genuine passport from scratch. Traditional passports can be stolen, therefore they also carry some biometric data (photo, hand signature, in many countries also the height and eye colour of the person). But because humans are not very good at comparing faces of strangers on old photos, it is not too difficult to find in a small group (say 30 people of similar sex, age and ethnicity) multiple pairs of similar-looking persons who would have little trouble using each other’s old passports at border controls (especially if hair styles are adjusted to match the photo). Because the traditional form of photo ID cannot be verified very reliably, there exists an entire revocation infrastructure for reporting lost or stolen passports. Passports must be guarded against theft.
A “biometric passport” is just a computer file that lists a small number of commonly known attributes of a person (name, date and place of birth, nationality) together with a few administrative details (document serial number and expiry date) and some biometric data that can be used to verify the identity of a person (photo of face, fingerprints or iris). This entire file is digitally signed by the passport office, such that anyone can easily verify its authenticity.
Modern biometric identification algorithms have a much lower false-positive rate than humans. While you need to search in a group of about 1000 people to find someone whose face would pass a good comparison algorithm with a given passport photo, with iris photos or prints of all fingers, that group would exceed Earth’s population many times. Therefore, biometric passports (especially the second generation with iris or multiple fingerprint images) can quite securely be verified on their own. There is no need for fancy packaging and security printing.
In fact, some of the early proposals for the introduction of biometric passports suggested that the biometric passport should be handed out as a simple memory chipcard or even as a simple 2D barcode on a piece of paper that can be faxed. We could even carry them with us on USB sticks, mobile phones, or simply email them to embassies to apply for visas.
There is nothing wrong with copying or publishing all the data in a “biometric passport”, because it isn’t a secret. When I get mine, I’ll be quite happy to put all its data onto my web page. It is just another certificate, like my old PGP public key. A copy of my biometric passport should not allow you to impersonate me, because for that you will need to find someone whose fingerprints match a comparison with those in my passport.
So much for the basic idea. There is of course much more to be said about the particular choice of contactless interface and optional access control mechanisms that passport offices currently use to package the in-itself pretty harmless biometric certificate, but I’ll save that for other posts here.