Sweden and Norway began deploying biometric passports in October but privacy and security issues may limit the potential of the new systems.
Both Norway and Sweden will store digital facial images on smart cards embedded into the passports. The digital image will be used as an additional safeguard against fraudulent passports.
While so far few if any passport control centers in the world have the readers necessary to read the chips in the biometric passports, in the future, a passport control official could check that the printed photograph, the digital image and the live person all match, said Tommi Nordberg, senior vice president of sales and marketing for Setec.
Setec, a Gemplus International company, is supplying the passports in Norway and Sweden, Setec announced on Thursday. The countries are among the first in Europe to introduce biometric passports.
To allay the fears of Swedish people concerned about the security of the system and their privacy rights, the digital image on the chips won't be stored in any database, said Lars Karlsand, principal administrative officer at the Swedish National Police Board. "There is no kind of national register for this kind of information," he said. In addition, when readers are installed at passport control centers, the data won't be stored there either, he said.
That means that the digital images aren't compared against any sort of database that might identify people who may be wanted by law enforcement agencies. "The idea of the passports is really to verify that the passport holder and the passport belong to one package," said Nordberg. While the biometric passports may help in cutting down on some types of passport fraud, they won't help officials identify people they may be looking for.
Placing this limitation on the data saved to the smart chip is in keeping with recommendations issued in a report adopted in September by the Data Protection Working Party, a European Commission initiative studying the security repercussions of biometric passports and travel cards. The group supports a European Parliament decision from December 2004 that prohibits the creation of a central database of biometric information collected from European Union passports and travel documents.
The chips being used in Norway and Sweden employ a security feature recommended by the International Civil Aviation Organization (ICAO) but the method isn't entirely secure, according to the Working Party's findings. Passport control officials must first scan the machine readable portion of the passport to obtain a key that is made up of the passport number, date of birth of the passport holder and the expiration date of the passport. Once that key is created, the information stored on the chip can be unlocked and accessed.
However, the Working Party points out that the information that makes up the key is increasingly available to companies that ask passport holders for the information. For example, some ticket brokers ask buyers for passport numbers. The Working Party warns that with such information available combined with the algorithm for the key, which could leak out to the public, the data stored on the cards could be fraudulently accessed.
While such fraud may not be a major issue with just a digital image stored on the chips, the next step of the biometric passports is to store fingerprints on the chips. ICAO recommends a slightly stronger security mechanism be implemented once fingerprint data is included on biometric passports. The Working Party recommends such security mechanisms become mandatory because they are currently only recommended.
Sweden is developing plans to add fingerprints to the chips by December 2007, but there is one roadblock to the plan: current law in Sweden says that biometric passports can include a facial image but nothing else, Karlsand said. That law will have to change before the fingerprint initiative can be implemented.
A number of civil liberties groups in Europe have expressed displeasure at plans to implement biometric passports. This first type of implementation, including just the facial image, is largely a waste of government money, said Ross Anderson, a spokesman for the Foundation of Information Policy Research, a U.K. body that studies the impact of technology on society. "The fundamental objection is that they're doing the wrong thing," he said. "The issue with terrorism isn't identity." He suggests that the money would be better spent on hiring more intelligence agents and police.