[Dave Birch] When we think about electronic identity, we tend to think in terms of the identity structures that we are familiar with from the physical world, so we talk about passports and borders. But the current system of passports, visas and border controls doesn't work terribly well -- see the discussions ad infinitum about the recent Dubai death squad's comedy disguises and simple faked passports -- so I'm not sure it's much of a basis for exploration. Why do I say this? Well, because I've been to a few presentations about the various systems involved recently and have been trying to understand some of the dynamics to help our customers develop some longer-term strategies around identity.
One of the problems is that there is so much going on. Start with the successor to SIS. SIS2 (Schengen Information System 2) will store biometrics to prevent visa fraud. After a three-year transitional period, SIS2 must check with the new Visa Information System (VIS). VIS will require fingerprints, and these will be matched via AFIS (so that if, say, a Moroccan person applies for visas at both the French and the German consulate, this will be known). The fingerprints are currently kept for five years. The central VIS will connect via a new secure network (S-TESTA) to the national VIS systems, and these national systems are connected in turn to the national consulates overseas. Are you with me so far?
What's the point? Well, it's so that when a non-EU person applies for a visa in a Schengen country, the details will be passed up to the central system and then checked when the passport is presented at Schengen border control. The purpose of all this is to defeat a common immigration fraud, which is that a bona fide Chinese businessman (say) gets a visa to come to a Schengen country and gives it to someone else. That person enters Schengen and then sends the passport and visa back to China by DHL. The next Chinese person enters Schengen, and then posts it back again... Will SIS2 fix this? Surely the problem will shift to the feeder documents. It's impossible to imagine that an EU consulate somewhere can accurately verify and validate passports from 196 countries, but let's put that to one side for a moment. There are plenty of people who think that SIS will end up causing more problems than it solves.
The number of computers with access to the Schengen Information System has doubled to 500,000 thanks to the extension of the EU.
[From Half a million PCs can access Schengen's 'secure' database • The Register]
Since half a million PCs around Europe can access the system, that means that to all intents and purposes everything on the system is public.
Statewatch, a group that monitors civil liberties in Europe, said it was aware of a case in Belgium where personal information extracted from the system by an official was sold to an organised criminal gang.
[From 500,000 EU computers can access private British data | Technology | The Observer]
There's another system coming online as well, the European Border Surveillance System, or Eurosur. This aims to reduce the number of illegal migrants entering the EU by sea, and is particularly aimed at the Mediterranean. Good luck on that one. Spain has had some positive results from using satellite tracking (positive in the sense that the immigrants go to Italy instead), but I'm sure Eurosur will help further.
Then there's the new e-passport. As has been discussed many times before, the current e-passport is a complement to the physical passport: that's why it's a chip inside the passport, not a chip instead of a passport. Almost everywhere you go in the world, the chip is not used, but in the future it may be. There's security, naturally. The e-passports have Basic Access Control (BAC), which we've also discussed before. BAC locks the chip so that you have to physically read the passport's MRZ (machine-readable zone) in order to read the data from the chip (this is not strictly true, by the way, because the MRZ data the access key is derived from isn't random, but that's a detail). Extended Access Control (EAC) is the next step: for one thing, it stops people from cloning the chips. But it adds additional functionality as well, so from 28th June 2009 member states have been required to issue EAC e-passports only.
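To make the BAC point concrete, here is an added example (not code from the original post) of how the BAC access keys are derived from the three MRZ fields, following the ICAO Doc 9303 key derivation: check digits are appended to the document number, date of birth and date of expiry, the result is hashed with SHA-1 to give a 16-byte seed, and two 3DES keys (K_ENC and K_MAC, with DES parity bits adjusted) are derived from that seed. The sample MRZ values are the ones used in the ICAO 9303 worked example; everything else is constructed here. The security-relevant observation is visible in the code: the seed is 128 bits long, but it is a deterministic function of three printed fields, so its real entropy is only as large as the guessability of those fields.

```python
import hashlib
from typing import Tuple

# ICAO 9303 check digit: weights 7, 3, 1 repeating; digits count as their value,
# letters A..Z count as 10..35, the filler character '<' counts as 0.
def _char_value(ch: str) -> int:
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Build the 24-character 'MRZ information' string that BAC keys are derived
    from: each field followed by its check digit. Dates are YYMMDD; the document
    number is padded with '<' to nine characters, as on the printed MRZ."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth_date}{check_digit(birth_date)}"
            f"{expiry_date}{check_digit(expiry_date)}")


def _adjust_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so the byte has odd parity,
    the DES key convention used by ICAO 9303."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> Tuple[bytes, bytes]:
    """Return (K_ENC, K_MAC): 16-byte two-key 3DES keys derived from the MRZ."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    keys = []
    for counter in (1, 2):  # counter 1 -> K_ENC, counter 2 -> K_MAC
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        # Key A is the first 8 bytes, key B the next 8; both get parity-adjusted.
        keys.append(_adjust_parity(h[:8]) + _adjust_parity(h[8:16]))
    return keys[0], keys[1]


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


if __name__ == "__main__":
    # Sample fields from the ICAO 9303 worked example (not a real document).
    info = mrz_information("L898902C", "690806", "940623")
    k_enc, k_mac = derive_bac_keys(info)
    print("MRZ information:", info)
    print("K_ENC:", k_enc.hex())
    print("K_MAC:", k_mac.hex())
```

Running the module prints the derived keys for the sample fields; the same three fields always yield the same keys, and changing a single character of any field yields different keys, which is exactly why a reader only needs to see the MRZ to talk to the chip, and also why the protection is only as strong as the unpredictability of the document number, birth date and expiry date.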
Back to the difference between the chip and the book. If the e-passport is going to store data that isn't on the passport (e.g., your fingerprints) then these must be encrypted so that they can only be read by authorised authorities. An EAC passport will therefore only give up data to readers that it can authorise through the use of asymmetric cryptography (the reader must present a certificate signed by a recognised authority), and the passport can then encrypt and sign its own data. There's something called Active Authentication as well, so the e-passport contains a key pair: a secret private key and a public key that is not secret (the public key appears in Data Group 14, DG14, in the data).
Unfortunately, shifting to EAC adds complexity because there are now two trust chains: the data trust chain (so that the readers can verify the passport data) and the terminal trust chain (so that the passport can verify the reader). You can imagine that co-ordinating both of these chains across the globe has turned out to be something of a problem: every reader has to have every valid certificate from every country in it. The Brussels Interoperability Group (BIG) is responsible for harmonising the e-passport specification throughout the EU and has also been responsible for the certificate policies, protection profiles, conformance tests and interoperability tests. At ID World, Bob Carter from IPS said that the most difficult job was trying to work out how to exchange certificates between countries, and he is, of course, right. One thing that is not yet in place is the protection profile for readers (a lesson from chip and PIN deployment in the UK: there's no point having secure chips and wholly insecure readers).
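The terminal trust chain is the part that is hard to picture, so here is an added example (constructed for this post, not code from the original or from any e-passport implementation) of the chip-side logic in miniature. A country's CVCA issues a certificate to a document verifier (DV), which issues one to an inspection system (IS); the reader presents the DV and IS certificates, and the chip walks the chain back to the CVCA key it already trusts. The signature scheme is a deliberately tiny toy RSA stand-in (real EAC uses RSA or ECDSA over card-verifiable certificates), the holder references such as `XXCVCA00001` are made up, and the way the chip advances its notion of the current date from verified certificates is a simplification of BSI TR-03110, included because the chip has no clock of its own. The example shows the three ways a reader gets turned away: chaining to a CVCA the chip does not know, a tampered certificate, and an expired one.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Toy RSA: a stand-in for the CV certificate signature. Tiny modulus, hash reduced
# mod n, fixed well-known primes. Constructed for illustration only.
@dataclass(frozen=True)
class ToyKey:
    n: int
    e: int
    d: int

def toy_keypair(p: int, q: int, e: int = 65537) -> ToyKey:
    return ToyKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def toy_sign(key: ToyKey, data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key.n
    return pow(h, key.d, key.n)

def toy_verify(n: int, e: int, data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h

@dataclass(frozen=True)
class CVCert:
    holder: str      # holder reference (constructed, e.g. "XXCVCA00001")
    issuer: str      # reference of the authority that signed this certificate
    role: str        # "CVCA", "DV" or "IS"
    pub_n: int
    pub_e: int
    effective: str   # YYMMDD, as in card-verifiable certificates
    expiry: str
    signature: int = 0

    def body(self) -> bytes:
        fields = (self.holder, self.issuer, self.role, self.pub_n,
                  self.pub_e, self.effective, self.expiry)
        return "|".join(map(str, fields)).encode()

def issue(signer: ToyKey, issuer: str, holder: str, role: str,
          key: ToyKey, effective: str, expiry: str) -> CVCert:
    cert = CVCert(holder, issuer, role, key.n, key.e, effective, expiry)
    return replace(cert, signature=toy_sign(signer, cert.body()))

class PassportChip:
    """Chip-side terminal authentication. The chip trusts its own CVCA key and
    keeps a 'current date' it can only move forward from certificates it has
    verified (simplified from BSI TR-03110: the chip has no clock)."""
    def __init__(self, cvca: CVCert):
        self.trusted: Dict[str, Tuple[int, int]] = {cvca.holder: (cvca.pub_n, cvca.pub_e)}
        self.current_date = cvca.effective

    def verify_terminal_chain(self, chain: List[CVCert]) -> Optional[str]:
        """Walk the DV then IS certificates a reader presents.
        Returns None when the reader is accepted, otherwise the rejection reason."""
        for cert in chain:
            key = self.trusted.get(cert.issuer)
            if key is None:
                return f"unknown issuer {cert.issuer}"
            if not toy_verify(key[0], key[1], cert.body(), cert.signature):
                return f"bad signature on {cert.holder}"
            if cert.expiry < self.current_date:
                return f"{cert.holder} expired"
            if cert.role in ("CVCA", "DV") and cert.effective > self.current_date:
                self.current_date = cert.effective
            self.trusted[cert.holder] = (cert.pub_n, cert.pub_e)
        return None

# Constructed demo PKI for one country "XX": CVCA -> DV -> IS.
CVCA_KEY = toy_keypair(1000003, 999983)
DV_KEY = toy_keypair(104729, 1000033)
IS_KEY = toy_keypair(7919, 15485863)
CVCA_CERT = issue(CVCA_KEY, "XXCVCA00001", "XXCVCA00001", "CVCA", CVCA_KEY, "100101", "130101")
DV_CERT = issue(CVCA_KEY, "XXCVCA00001", "XXDVBORDER01", "DV", DV_KEY, "100201", "100601")
IS_CERT = issue(DV_KEY, "XXDVBORDER01", "XXISGATE0001", "IS", IS_KEY, "100301", "100401")

def demo() -> Dict[str, Optional[str]]:
    results = {}
    results["valid"] = PassportChip(CVCA_CERT).verify_terminal_chain([DV_CERT, IS_CERT])
    # A reader whose chain is rooted at a CVCA this chip has never been given.
    foreign_dv = issue(DV_KEY, "YYCVCA00001", "YYDVBORDER01", "DV", DV_KEY, "100201", "100601")
    results["foreign"] = PassportChip(CVCA_CERT).verify_terminal_chain([foreign_dv, IS_CERT])
    # Certificate body altered after signing: the old signature no longer matches.
    results["tampered"] = PassportChip(CVCA_CERT).verify_terminal_chain(
        [DV_CERT, replace(IS_CERT, expiry="110101")])
    # IS certificate that expired before the date the chip has learned from the DV cert.
    stale_is = issue(DV_KEY, "XXDVBORDER01", "XXISOLD00001", "IS", IS_KEY, "100101", "100115")
    results["expired"] = PassportChip(CVCA_CERT).verify_terminal_chain([DV_CERT, stale_is])
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s}: {'accepted' if outcome is None else outcome}")
```

The "unknown issuer" case is the one the coordination problem in the text is about: a chip from country XX can only accept a reader in country YY if it has been given the link from its own CVCA to YY's, which is why every reader and every chip ultimately depends on certificates from every participating country being exchanged and loaded on time.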
It would be nice to be able to set a date when we might move to a wholly e-passport world, but to get there we have to get rid of visa stickers. There's a name for this too: ESTA (Electronic System for Travel Authorisation). If this could be achieved, then there is no need to have manned border control, since introducing people into the loop could not improve the system in any way. This is a very appealing prospect to governments, but I think there is a real concern here: if a criminal is able to get a legitimate visa certificate, smart card, e-stamp or whatever else and is never questioned by a human security official, then once they are inside the perimeter they can operate with impunity.