The problems with security and privacy in eGovernment – Case: Biometric Passports in Finland

AUTHOR
Olli I. Heimo, Antti Hakkala and Kai K. Kimppa

ABSTRACT

In this paper we discuss the problems that arise from the widespread adoption of biometric passports as travel documents all around the world. This development has implications in both the international and the domestic context. The use of biometrics is not yet internationally standardized, and this can be seen in the ICAO[1] biometric passport standard[2], where inefficient compromises have been made. Side effects of biometric passport adoption are seen across nations in the discussion about centralized biometric databases. Because biometric passports are only about 10 years old[3], which is not mature as far as technologies go, and because they have no clear analogy in the real world, the related ethical questions are harder to find, examine and analyze, and the consequences of the transition from regular to biometrically enhanced passports are as yet entirely unclear.

These consequences can be divided into direct and collateral. Among the direct consequences is lower security at borders due to inefficiency or errors in the system design. This can happen if 1) corners are cut in critical phases of the design process due to tight schedules and/or budget, 2) the security implementation is inadequate, or 3) the work processes in border security are understood incorrectly. Another direct consequence can be the erosion of document security. Although the data contained in the biometric passport chip is protected by several different methods, these security features have their own vulnerabilities[4,5,6]. This threat is visibly realized with automatic passport controls. If trust is placed solely in the technology, we might face a problem similar to the Munich taxi driver case: it was found that ABS brake systems did not reduce accidents, but increased close calls, as the drivers trusted the new brakes to compensate for careless driving[7]. Similar ill-placed trust in technology can be seen if the professional skills and knowledge of a border official are replaced by automated systems without careful consideration. Collateral consequences can include identity theft[8] and the erosion of people's privacy[9,10].

In Finland, biometric passports were introduced in the first phase of the passport reform in 2006. At that time it was already planned that the second phase would add fingerprints to the Finnish passport, in accordance with EC Regulation No. 2252/2004[11]. In 2009, in the second phase of the Finnish passport reform, the Parliament decided that the fingerprints gathered from passport applicants would be stored in a national fingerprint registry – an addition which the EC Regulation does not require[12]. During the legislative process, the first step towards opening the registry to the police was the authorization to use it for identifying the deceased. After this was adopted by the ministry in 2008, the political debate on opening the registry started when police commissioner Markku Salminen and his successor Mikko Paatero both requested full access to the registry for serious and serial crime investigators[13,14]. These controversial demands were dismissed by the Parliament in 2009.

The discussion resurfaced in summer 2010, when Paatero renewed his claim[15]. This time the Minister of Internal Affairs took a seemingly positive attitude towards the police commissioner’s request[16]. After the discussion on opening the registry for forensic use gained a lot of attention in the media, all talks on the use of the national fingerprint registry were suspended, pending the next parliamentary elections in spring 2011[17,18,19]. There is no guarantee that the use of the fingerprint registry would not be extended to purposes other than serious crime investigation as well. This classical “function creep” is a prime example of the erosion of privacy.

With the need for security after 9/11 and the terrorist attacks that followed it, the international consensus on the need to identify incoming travelers has never been stronger; in Finland, for example, the Ministry of Internal Affairs promotes the biometric passport as a way to protect its citizens from international terrorism, illegal immigrants and international criminals[20]. Recent scientific advances in information technology and biometrics have made it possible to fulfill this demand.

It is easy to understand the motivations behind the authorities’ interest in such centralized databases: solving serious crimes would be easier. However, this would cause inequality between those who possess a biometric passport and those who do not. If a national – or even international – database of fingerprints or other biometrics is used, it would probably increase biometric spoofing by criminals; it is somewhat easy to copy and paste fingerprints[21] or leave the crime scene filled with human hair[22], for example. This could cause a serious amount of extra work for the police.

A common argument in the Finnish public discussion – from citizens and politicians alike – is that no harm comes to law-abiding citizens just because mere fingerprints are found at a crime scene[23,24]. In the international context, an example of such a situation can be found in the investigation of the 2004 Madrid bombings, where an innocent American citizen was erroneously identified by the FBI as an accomplice in the attack, based on the fingerprints found in forensic investigations. The Spanish police later connected the fingerprints to an Algerian citizen, and the FBI was forced to admit they had made a mistake[24]. Although an extreme example, this incident shows that, especially in high-profile cases to which serious crimes often belong, the pressure to produce results in the investigation can result in innocents being marked as suspects with little to no actual evidence.

Some of the problems underlying the biometric passport control system can easily be found in other critical eGovernment and eHealth systems. These include detection of problems after adoption[26,27,28,29], extra costs[30] and extended delivery time of the whole system[31]. Some, but not all, of these problems can be mitigated or even eliminated outright if the mistakes made in previous large-scale projects of this kind are examined. The worst-case scenario for biometric passport misuse has not yet happened, but any sensible policy on biometric identification prepares for the day when it does; this is the aim of this paper.

REFERENCES

[1] International Civil Aviation Organization – http://www.icao.int

[2] ICAO MRTD documentation, http://www2.icao.int/en/MRTD/Pages/Downloads.aspx

[3] International Civil Aviation Organization (2006), Machine Readable Travel Documents, ICAO/Doc 9303 vol. 1, http://www2.icao.int/en/MRTD/Downloads/Doc%209303/Doc%209303%20English/Doc%209303%20Part%201%20Vol%201.pdf

[4] Serge Vaudenay, “E-Passport Threats,” IEEE Security & Privacy, vol. 5, no. 6, pp. 61-64, Nov.-Dec. 2007

[5] Jaap-Henk Hoepman, Engelbert Hubbers, Bart Jacobs, Martin Oostdijk, and Ronny Wichers Schreur, “Crossing Borders: Security and Privacy Issues of the European e-Passport”, Advances in Information and Computer Security, Lecture Notes in Computer Science, vol. 4266/2006, pages 152-167, Springer Berlin / Heidelberg, 2006.

[6] Gaurav S. Kc and Paul A. Karger, “Security and Privacy Issues in Machine Readable Travel Documents (MRTDs)”, IBM Technical Report RC 23575, 2005.

[7] Wilde, Gerald J.S. (1994), Target Risk: Dealing with the danger of death, disease and damage in everyday decisions, First edition 1994, http://psyc.queensu.ca/target/

[8] Alan Ramos, Weina Scott, William Scott, Doug Lloyd, Katherine O’Leary, and Jim Waldo. 2009. A threat analysis of RFID passports. Communications of the ACM 52, 12 (December 2009), 38-42.

[9] Ari Juels, David Molnar, and David Wagner, “Security and Privacy Issues in E-passports,” Security and Privacy for Emerging Areas in Communications Networks, International Conference on, pp. 74-88, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM’05), 2005

[10] Ben Schouten and Bart Jacobs, Biometrics and their use in e-passports, Image and Vision Computing, Volume 27, Issue 3, Special Issue on Multimodal Biometrics – Multimodal Biometrics Special Issue, 2 February 2009, Pages 305-312.

[11] The Council of the European Union, Council Regulation (EC) No 2252/2004, 13.12.2004, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0001:0006:EN:PDF

[12] Finnish Social Insurance Institution, Law service – Hallituksen esitys laiksi passilain ja eräiden siihen liittyvien lakien muuttamisesta [Government’s proposal for changing passport act and certain other related laws], 9.6.2009, http://www.edilex.fi/kela/fi/mt/havm20090009

[13] Helsingin Sanomat, 22.2.2008, 1st edition, Poliisi haluaa passien sormenjäljet rikostutkijoille [Police request passport fingerprints to criminal investigation]

[14] Helsingin Sanomat, 27.11.2008, 1st edition, Rikostutkijat eivät saa vielä passien sormenjälkiä käyttöönsä [Criminal investigators do not acquire passport fingerprints yet]

[15] Yle [Finnish public service broadcaster] – Kotimaa – Poliisi haluaa suomalaisten sormenjäljet rikostutkintaansa [Police requests Finnish fingerprints to criminal investigation], 02.08.2010 at 06:03, updated 03.08.2010 at 09:06 http://www.yle.fi/uutiset/kotimaa/2010/08/poliisi_haluaa_suomalaisten_sormenjaljet_rikostutkintaansa_1870808.html

[16] Tietokone 16.8.2010, Poliisi saattaa saada passien sormenjäljet [Police may acquire the passport fingerprints], http://www.tietokone.fi/uutiset/poliisi_saattaa_saada_passien_sormenjaljet

[17] Cf. 14

[18] Cf. 15

[19] STT/Helsingin Sanomat, 15.8.2010, Sunnuntaisuomalainen: Passien sormenjälkirekisteri voi avautua poliisille [Fingerprint registry may be opened to the police] http://www.hs.fi/kotimaa/artikkeli/Sunnuntaisuomalainen+Passien+sormenj%C3%A4lkirekisteri+voi+avautua+poliisille/1135259348892

[20] Sisäasiainministeriö [The Ministry of Internal Affairs] – Miksi tarvitaan biometrinen passi? [Why biometric passport is needed?] Sisäasiainministeriö, 2010. http://www.intermin.fi/intermin/hankkeet/biometria/home.nsf/pages/BE9BF3243D995FF5C2256EB7003B014B?opendocument

[21] Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino. Impact of artificial gummy fingers on fingerprint systems. Proceedings of SPIE Vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002.

[22] Gillam, Lee and Salmasi Anna Vartapetiance (2008), A Database For Fighting Crimes That Haven’t Been Committed Yet, Ethicomp 2008, Mantua, Italy 24.-26.9.2008.

[23] Sunnuntaisuomalainen 15.08.2010, Passipoliisit, p. 14

[24] Otakantaa.fi, Finnish Ministry of Justice, [An open electronic forum provided by the government for polling citizen opinions about new legislation], http://otakantaa.fi

[25] Michael Cherry; Edward Imwinkelried (2006) Cautionary Note About Fingerprint Analysis and Reliance on Digital Technology. Judicature, Volume 89, Issue 6, May-June 2006, Pages 334 to 338, http://www.ajs.org/ajs/publications/Judicature_PDFs/896/Cherry_896.pdf

[26] Mercuri, Rebecca (2001), Electronic Vote Tabulation Checks and Balances, Ph.D. Thesis, University of Pennsylvania 2001

[27] William M. Fleischman (2010) Electronic Voting Systems and the Therac-25: What have we learned? Ethicomp 2010, Tarragona, Spain 14.-16.4.2010.

[28] Heimo, Olli I, Fairweather, N. Ben & Kimppa, Kai K. (2010), The Finnish eVoting Experiment: What Went Wrong?, Ethicomp 2010, Tarragona, Spain 14.-16.4.2010.

[29] Larsen E & Ellingsen G. 2010. Facing the Lernaean Hydra: The Nature of Large-Scale Integration Projects in Healthcare. Proceedings of the First Scandinavian Conference of Information Systems, edited by Kautz K. & Nielsen P., SCIS 2010. Rebild, Denmark, August 2010.

[30] Cf. 26, 28, 29

[31] Cf. 26, 28, 29