On 9 June 2009 the Dutch Upper House of Parliament approved a new Passport Act without a vote. The proposal was, however, the topic of critical debate in the House where numerous questions were posed about purpose limitation, margins of error, susceptibility to fraud, invasion of privacy and other relevant issues. As it stands now more than 6 million Dutch citizens have had their fingerprints taken, at times reluctantly or under protest. Currently, the Minister of the Interior and Kingdom Relations has promised the Dutch Lower House of Parliament that the practice of storing fingerprints in a database – centrally or at municipal level – will be abandoned. The fingerprints will be stored on the passport chip only.
The study ‘The biometric passport in The Netherlands: crash or soft landing’1 was performed as part of iOverheid, a wider project for the Scientific Council for Government Policy (WRR), and presented to the Minister of the Interior and Kingdom Relations Piet Hein Donner by WRR council member Professor Corien Prins on 15 March this year. The main conclusion of the study is that the introduction of the biometric passport has resulted in a large gap between policy and execution because still little is known about the use of biometrics at this unprecedented scale, not to mention the fact that the biometrics industry is not mature enough yet for large-scale application in numerous essential areas. Advancing understanding of the technique along with changing relationships between the partners participating both within and outside the chain (due in part to the introduction of this technique) is actually resulting in the need for a phased introduction. Regular periods of reflection are necessary to test the compatibility of the results against the original objectives and implement new solutions for proven risks. This is particularly appropriate for a biometric passport but difficult to achieve due to the nature of the document. However, the reality is that the ambitions for the biometric passport are nonetheless high and that The Netherlands wants to take it a step further than what is required by the European Union.
The Netherlands surpasses EU requirements
One of the subjects of the debate that took place in the Upper House of Parliament on 9 June 2009 was ‘tied selling’: if you voted in favour of the European regulation – which requires that The Netherlands uses biometrics to verify that the person presenting the passport is in fact the holder of the passport – you automatically agreed to store fingerprint data centrally and allow for the data to be used for tracing and prosecution purposes. The EU verification objective requires 1:1 matching of the passport and holder. To do so the fingerprints stored digitally in the passport can be biometrically compared with the fingerprints of the person presenting the passport. Even though it is not prescribed by the EU regulation, it is also necessary for the fingerprints to be stored locally in the passport administration system so that by means of verification (1:1) the application and issuance can be checked and passport abuse can be detected. For 1:n matching, i.e. identification, a central storage system is necessary because a fingerprint needs to be matched against all the other stored fingerprints to be able to identify who someone is.
Tied selling of verification and identification has put a lot of pressure on the political decision-making process in The Netherlands and has made it impossible for sufficient debate to take place in order to reach a concensus on each individual objective. In addition, this tied selling led to a lot of confusion about terminology during the debates, also among the general public, as both objectives were usually referred to as ‘passport biometrics’ in the general debate, accompanied by a reference to the European regulation.
Verification and identification
The difference between verification and identification is not only great in technical terms but also as regards the combination of the function and objective. That brings us to the question of which problem we actually want to resolve. In the course of the decision-making process, which took more than a decade all in all, there was an important shift in this respect. It was not until around 2004 that identification became an increasingly important objective in addition to verification, the original objective. Biometric identification systems (1:n matching) do, however, make many more recognition errors – both in relative and absolute terms – than verification systems and are therefore a much greater risk to the security of the people registered. Fraud could even be easier to commit. And with a national biometric system citizens quickly lose sight of who is using the data or will be using it in the future. Abuse has life-long implications for citizens who are registered because it is impossible for people to change their biometrics (e.g. fingerprint or iris). That means that a huge responsibility lies in the hands of policymakers to specifically include the possible long-term risks in their considerations.
Where the studies and tests on the verification options of biometrics seriously lacked details, identification has barely been tested nor critically studied. And if this has in fact been the case, then the results have not been released to the wider public. Around 2005 it was put forward in the debate, however, that it would be necessary to store fingerprints centrally to ensure they are used effectively. The word ‘effectively’ is, however, left virtually undefined in terms of measurable objectives and criteria. And critical in-depth analysis about the possible risks to processes, security and privacy was missing. The emphasis was on the introduction of the technology while impacting the existing procedure as little as possible. This is a risky starting point for applying biometrics in critical systems such as the application and issuance procedure for identity documents.
Key questions remain unanswered, criteria undefined
It is interesting to note that certain government and non-government experts had already drawn attention at an early stage to various risks and uncertainties, also as regards the centralised storing of biometric data. A study performed by Tilburg University in The Netherlands in 19973 touches on virtually every issue for which many questions remain unanswered to this day: is the measure proportional, has the principle of subsidiarity been sufficiently applied, are civil rights in danger, which new risks are emerging, etc. In 1999 an independent Dutch research organisation TNO raised a number of important questions, such as how a counter assistant is able to judge whether or not a refusal based on biometrics is justified. In other words, how do we deal with the intrinsic margins of error and risks of fraud ensuing from the large-scale use of biometrics?
What are the exact criteria that we need to comply with to achieve our primary objective? Instead of answering these questions, the focus has mainly been on the practical aspects of the introduction of biometrics, whereas security should have been the main issue.
At the same time the goal of ensuring centralised storage swept aside other options including verification with local storage. In our opinion the pinnacle of social unrest was the resolution which the municipal council of Utrecht passed by a large majority on 10 March 2011. The municipality decided it no longer wished to store the fingerprints of its residents for any purpose other than the passport chip. Whether that is wise from the point of view of combating identity fraud or what it means constitutionally are totally different matters. It does, however, send out a clear message from society.
Opinion of Dutch DPA has little impact
It will come as no surprise with all the aforementioned uncertainties that in March 2007 the Dutch Data Protection Authority (CBP) was critical about the new passport legislation pending at the time. The Data Protection Authority raised the point that “in the CBP’s opinion, the legislative proposal does not comply with article 8 of the ECHR” for reasons including the fact that “alternatives such as a decentralised system with a central reference index have not been discussed”4. We must note that this criticism was based on an accumulation of arguments. Had adequate choices been given with convincing arguments, then the CBP’s opinion would surely have been different. In any case this made no difference to the proposed legislation; it merely led to additional explanation and not an amendment of the proposal. The fact that those discussions were not sufficient or detailed enough is also starting to cause problems in day-to-day practice.
Beside the resistance from within society (e.g. from the municipality of Utrecht and other legal actions), there are also big challenges with regard to the technical implementation. That means that it is difficult to go forward or backward: the law is a fact (albeit not ratified as yet) but translating the functional requirements ensuing from this legislation into technical, functional and procedural specifications is virtually impossible without making fundamental changes. When the privacy argument becomes more important certain objectives will clash. Another option is to eventually have a system which does not meet its objectives and may ultimately need to be replaced.
Passport Act after six months: everything is going pretty well. But how well is well?
During the half-year assessment of the Passport Act in March 2010 the Lower House of Parliament was painted a favourable picture, with statements such as “the enrolment process goes well in the vast majority of passport applications”5. However, no facts are mentioned which prove that the criteria are being met or which can be measured to prove we are on the right track. The fact that at the strict request of the Ministry of the Interior and Kingdom Relations no biometric verification takes place when a passport is issued which would be necessary to ensure that the right person has come to collect the passport, actually means that the most primary objective – namely making the application and issuance procedure safer – cannot be assessed. Are people unaware of how to deal with biometric rejection? Is the low average quality of the registered biometric data a problem? If we are not even allowed to verify data at the municipal population affairs department, it means we are not able to assess or improve the technical and procedural quality of even the comprehensible application and issuance procedure of biometrics, let alone the use of passport biometrics at foreign border controls. After all, this was of course what it was meant for. That means that the assessment has provided few insights and we can wonder what we have learned so far.
The Minister of the Interior and Kingdom Relations has promised the Dutch Lower House of Parliament that the actual practice of additional storage of fingerprints in a database at municipalities will be abandoned. This leaves the storage of fingerprints on the passport chips. Within the next few months the software programmes used to create travel documents are expected to be adjusted in such a way that fingerprints for new applications are deleted as soon as the travel document is issued. The introduction will take place gradually to prevent possible risks. If it goes well in a limited number of municipalities, other municipalities will quickly follow. Fingerprints that have been stored since 2009 will subsequently be deleted from the start of 2012. This is expected to take longer due to the more complex technical aspects of the process6.
Let us start by restricting the use of biometrics to its original purpose: combating look-alike fraud, a serious type of identity fraud. The application and issuance procedure for identity documents is top priority in this respect. The first step now has to be the implementation of European regulation EC2252/2004, with the addition of local storage as an extra 1:1 means of verification. Because the control infrastructure at European external borders will not be capable of verifying fingerprints for the time being, we have ample time to work out the details. We can go about this by working together with other European countries as well as the European Commission which, after all, is facing similar problems with the new Visa Information System (VIS) which is supported by biometrics as well.
The European directives is the only one we know of that connects us all, both in The Netherlands and elsewhere in Europe. Many social institutions and citizens benefit from a reliable link between passport and holder. The same applies to a reliable passport administration system. Once this is in place we will be able to identify any remaining problems. We will only be successful at this if we first lay a strong foundation – bit by bit – for biometric verification, instead of starting to build the floors on a swampy foundation.
1 Snijder, J.M. (2010). Het biometrisch paspoort in Nederland: crash of zachte landing (The biometric passport in The Netherlands: crash or soft landing): The Hague: Scientific Council for Government Policy (WRR).
2 Grijpink, J.H.A.M. (2002). Informatiestrategie voor Ketensamenwerking (Chain analysis for better information strategies). The Hague: Centrum voor Keteninformatisering (go to www.keteninformatisering.nl).
3 Van Kralingen, R., Prins, J.E.J. & Grijpink, J.H.A.M. (Centrum voor Recht, Bestuur en Informatisering (now part of Tilburg University)) (1997). Het lichaam als sleutel (The body as the key): Alphen a/d Rijn: Samson.
4 CPB (2007). Adviesaanvraag wijziging Paspoortwet i.v.m de herinrichting van de
reisdocumentenadministratie (Request for formal opinion on amendment to Passport Act in conjunction with the restructuring of travel document records): Reference: 2007, z2007-00010.
5 Bijleveld-Schouten, A.T.B. (2010). Brief aan de Tweede Kamer over evaluatie van de invoering van de vingerafdrukken in de Nederlandse reisdocumenten (Letter to the Dutch Lower House on the evaluation of the introduction of fingerprints in Dutch travel documents). Parliamentary documents II 2009-2010, 31 324 no. 23.
6 http://www.denhaag.nl/home/bewoners/to/Vingerafdrukken-in-uw-reisdocument.htm (consulted on 15 August 2011).
Max Snijder is one of the leading independent biometrics experts in Europe. His expertise includes strategic aspects of biometric deployments, as well as issues on functional and operational requirements, use cases, processes and procedures. During his 15 years+ experience he has built up an in-depth knowledge of border control, national security, e-Passports, airport security, electronic services, access control and mobile security. Max has lectured at the NATO Centre of Excellence-Defence Against Terrorism (CoE-DAT) and is co-founder and Secretary of the European Association for Biometrics.