Biometric Identification Gaining in Recognition Stakes*

Currently, more and more biometric data are demanded by state organizations
and commercial companies all around the world. The theory is that they
provide better identification and higher security for confidential materials
or financial transactions. But are they secure enough?

Most commonly, a state agen-cy or private company that wants you to provide
biometric data, such as a fingerprint, an iris or retinal scan or a facial
scan, acquire these from you and save them onto a chip implanted into a
so-called "smart card," a multipurpose plastic card similar to a debit card.
Fingerprints and other data used are unique for each person. Some items such
as fingerprints are preferable because they don't change over time and are
easy to collect, while items such as faces, voices or signatures can change
or be altered

When you verify your identity, you insert your smart card into a reader that
downloads your biometric data. Then you are asked to provide, for example,
your current fingerprint or iris pattern to a scanner. Those two data are
compared, and if they are the same, your identity is confirmed and you are
permitted to do what you have requested, such as complete a financial
transaction.

The most widespread biometric information currently in use is the
fingerprint. It has a long history of utilization, mainly in police
forensics. But it is not the only data that can be used. "We differentiate
between the physiological and the behavioral biometric. Physiological are
for instance the fingerprint, iris, face, retina, or hand, and behavioral
could be your voice, signature or key stroke dynamics," said Petr Merka,
solutions manager of Bull, a company specializing in information and
communication technologies

While fingerprinting technology is highly developed, the technology for
processing most other forms of biometric data still are in an early stage.
"The cost of those solutions is still too high for a widespread use," Merka
said. Even so, the field is expanding into new areas of measurement. "The
shape of the lips, vascular structure and teeth could be used in the future,
but since the major requirement is rapid data processing regarding
identification with biometrics, using those [measurements] is not the topic
of the day," Merka said.

Pressure from the U.S.

After the 2001 terrorist attacks on the World Trade Center and Pentagon, the
U.S. started to implement biometrics into personal documents of its
citizens, such as passports, in an effort to prevent future terrorism. The
country also started to pressure other countries including members of the
European Union (EU) to include biometric data in their travel documents and
identity cards, and it intends to demand those data and other information at
border check points. Karel Neuwirt, chairman of the Office for Personal Data
Protection (ÚOOÚ), said that according to some U.S. proposals, authorities
would keep this data in databases for 100 years. ÚOOÚ is an independent body
that provides consultation on personal data protection.

Under some pressure from the U.S., the European Commission (EC) issued a
directive requiring member states to start issuing passports with one piece
of biometric data as of Aug. 28, 2006, at the very latest. According to this
directive, two biometric data, a fingerprint and digital image of the face,
have to be included in passports issued after June 28, 2009.
These concerns over storing biometric data come on top of concerns over the
data required about plane passengers going from the EU to the U.S., and how
long that data can be held. The two sides reached a compromise July 24,
which allows the U.S. to keep 19 items of data for up to seven years, and
store it even longer as inactive data. The compromise still has to be
approved by the individual member states.

Controversy aside, the program to introduce biometric data to Czech
passports is on track. "In the new Czech passports, issued as of Sept. 1,
2006, the biometric image of the face is already included," said Petr
Vorlícek, spokesman for the Ministry of Interior. " We can generally say
that the [biometric passport] project has been quite technologically and
financially demanding, but despite some complications, the whole
[implementation] was pretty successful," Vorlícek added. Issuing passports
with a second biometric element, a fingerprint, will be in accordance with
EC deadlines, he said.

According to Tomáš Holenda, director of the department for the
informatization of public administration in state-run securities printing
office Státní Tiskárna Cenin (STC), which was authorized to issue new
passports, the biometric passports should secure a definite and undisputable
link between a travel document and its holder (see "New biometric passports
costly, but 'secure'" CBW, Aug. 14, 2006).

Security concerns

With the introduction of passports and other documents that include
biometric data, many people are worried about the protection and security of
their personal data. The main concerns focus on the chips where data are
stored. First, data stored in radio-frequency identification (RFID) chips
can easily copied, according to Future of Identity in the Information
Society (FIDIS), an EU sponsored project made up of companies and
universities active in the digital identity area and privacy. Because the
RFID chip is designed to send data when requested, it is "relatively easy to
build a duplicate of it," FIDIS said in a June 2007 report.

Unauthorized copying can be prevented by using metal securitization or a
special wrapping for passports. If this is insufficient, various data
encrypting methods are available. Then, data could be copied, but a special
certificate will be needed for their decryption, FIDIS added.

"The Czech Republic has implemented a complete array of security
precautions," said Markéta Šiková, project specialist for travel documents
with biometric data from the STC. "For example, basic access control (BAC)
protects the chip from unauthorized data reading without [possession] of a
specific electronic key. As for changing the data stored on the [RFID] chip,
they are protected by special cryptographic methods," she said. However,
there is an additional problem regarding RFID chips. Scientists from the
Netherlands claim that viruses can be stored on the chip. This virus would
than be copied via the scanner to the controlling system, which could be
then disabled or made to work improperly.

Other concerns include the possibility of generating databases of sensitive
personal data, which EU countries have not excluded as an option yet.
"Verification, where data are copied from a passport and then checked with
data scanned by a scanner at passport check points, is all right with our
organization," said Hana Štepánková, spokeswoman for the ÚOOÚ. "But the
creation of vast databases, serving to [store] personal identification, is
much more problematic," she adds. This is due to the fact that no technology
is 100 percent safe, and databases can be broken into and the data copied.
Experts agree that the risk of misuse of this information is high and should
be minimized.

And data security is in the hands of many individual countries. "None of the
European bureaus is able to protect the data in a [non-EU] country," Miloš
Šnytr, an inspector of the ÚOOÚ told news and information server
digiweb.ihned.cz. And the rules for data are not evenly applied across the
globe. "We oblige [EU] citizens to have chips in passports, but we do not
demand this from non-EU countries," Šnytr said.

The last worry is the question of whether requirements for this kind of data
do not collide with constitutional rights for privacy. "It definitely
violates those rights, mainly by transforming biometric data into a digital
form and saving them on easily readable media, which creates a technical
basis for cheap acquirement of vast biometric databases," said Marek Tichý
from Iuridicum Remedicum (IuRe), an organization for the monitoring and
observation of human rights and freedoms. "According to [IuRe], this is the
main reason for implementing biometry into documents. Talk about
higher-quality passports and preventing fraud is ridiculous," Tichý said.