EU: "biometric passports": We will not just have to be finger-printed once but over and over again

On 29 June the European Commission announced the "second part" of the introduction of biometric passports under Council Regulation 2252/2004. In the jargon, "Basic Access Control" means the storage of a person's "facial image" on an RFID "contactless chip" activated by reading the data in the "machine readable zone" (two lines of data already on all EU passports). The "second part" comprises sorting out the Public Key Infrastructure (PKI) which will give "Extended Access Control" (jargon for encrypted access) to the data on the two fingerprints of all passport-holders to be embedded in the RFID chip. The Commissioner, Mr Frattini, is "particularly proud" of this development which means: "the EU will be among the first worldwide to implement this system" (Press statement).

Access to the "machine readable zone" is already standard practice at EU points of entry (air, sea and land) and it simply contains the data on the passport page. The "facial image" is not a biometric - it is a digitised image of the standard passport photo sent in by post with the application. As such it is a basic security check intended to prove that the person being checked is the same as the picture in the passport and in the "chip". In effect it works as a "one-to-one" check but is not reliable for a "one-to-many" check (i.e. to check the digital image against a database of millions).

The inclusion of a digitised "facial image" meets the standards laid down by the International Civil Aviation Organisation (ICAO). The taking of biometrics (finger-prints) from passport applicants is optional under the ICAO rules - the EU decided to make this mandatory.

The taking of a person's biometrics (unique personal physical data) requires the compulsory presence of the individual at an "enrolment" centre and the taking of their finger-prints - which are stored in the "chip".

However, as the Commission's press statement of 29 June 2006 admits, for the biometric data to be "read" from the "chip" all border posts have to be equipped with "readers" - the projected date for this across the EU is 2009. This begs the questions: will all the "readers" have the same capabilities? Will they just check "one-to-one" or against national database "watch-lists"? Who is on each national "watch-list" and why are they on it? Are people informed they are on a "watch-list" and how do they get off it?

The press statement also notes that: "only Member States will have access to the finger-print data". In fact, until there is an EU-wide database of fingerprints (planned in the distant future for SIS II) only the national databases can be used for checks. This will mean that a UK finger-printed person can be checked "one-to-one" or "one-to-many" on re-entry but only "one-to-one" when entering another EU state. Being checked "one-to-one", however, would mean taking their finger-prints again and again and again as they travel across the EU to prove that the prints on the chip are the same as the person presenting themselves.

It might reasonably be concluded that we will not just have to be finger-printed once but over and over again if the alleged security benefits are to work.

When an EU-wide database of finger-prints is established - as planned - it will contain millions and millions of records (quite how many is not known as the exact number of passports issued in the EU has never been established). The EU has decided to take just two finger-prints for a passport (though all ten for a visa) which will have a certain error rate at national level but this will grow exponentially as the EU-wide database grows. Errors can be either falsely matching the prints with another person (who may be a "suspect") or failing to match them correctly or with anyone.
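
A simple model of how the chance of a false match rises when a "one-to-one" check becomes a "one-to-many" search, given here as an added example that is not part of the original article. It assumes every comparison is independent and shares one fixed false match rate; the rate and the database sizes are constructed values, not measurements of any real system.

```python
# Added illustration: one-to-one vs one-to-many fingerprint checks.
# ASSUMPTIONS (not from the article): comparisons are independent and share one
# false match rate (FMR); ASSUMED_FMR and SAMPLE_SIZES are constructed values.
import math

ASSUMED_FMR = 1e-6                                   # constructed per-comparison rate
SAMPLE_SIZES = (1, 10**4, 10**6, 5 * 10**7, 4 * 10**8)  # constructed database sizes


def false_match_probability(fmr: float, records: int) -> float:
    """Chance that one search wrongly matches at least one of `records` entries.

    records == 1 is the "one-to-one" check; larger values are "one-to-many".
    Computes 1 - (1 - fmr)**records via log1p/expm1 so tiny rates keep precision.
    """
    if not 0.0 <= fmr < 1.0 or records < 0:
        raise ValueError("fmr must be in [0, 1) and records must be >= 0")
    return -math.expm1(records * math.log1p(-fmr))


def expected_false_matches(fmr: float, records: int) -> float:
    """Average number of wrong candidates a single search returns."""
    return fmr * records


def max_records_for(fmr: float, target: float) -> int:
    """Largest database that keeps the per-search false match chance <= target."""
    if not 0.0 < fmr < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("fmr must be in (0, 1) and target in [0, 1)")
    return math.floor(math.log1p(-target) / math.log1p(-fmr))


def error_table(fmr: float, sizes=SAMPLE_SIZES):
    """Rows of (database size, P(at least one false match), expected false matches)."""
    return [(n, false_match_probability(fmr, n), expected_false_matches(fmr, n))
            for n in sizes]


if __name__ == "__main__":
    print(f"{'records':>12} {'P(false match)':>16} {'expected hits':>14}")
    for n, p, hits in error_table(ASSUMED_FMR):
        print(f"{n:>12,} {p:>16.6f} {hits:>14.2f}")
    limit = max_records_for(ASSUMED_FMR, 0.01)
    print(f"Database size keeping false matches under 1% per search: {limit:,}")
```
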

