The biometric passport as an unintended privacy gift

The article below by Privacy First contributor Vincent Böhre appeared in this month's magazine The Philosopher (Utrecht University). Tomorrow, the Passport Act high on the political agenda: A debate with Minister Spies (BZK) will include the issue of compulsory fingerprinting for passports and identity cards. Privacy First recently urged all parties in the House of Representatives (again) to introduce (or have introduced) an identity card without fingerprints as soon as possible and to request the government to have the Passport Regulation reviewed at European level. This so that compulsory fingerprinting can be abolished or at least made voluntary for passports too. The following offers a quick recap with a positive twist. A digital version of the article can be found HERE (pp. 6-7, pdf).

The biometric passport as an unintended privacy gift

"In late 2001, the CDA proposed storing the fingerprints of all Dutch citizens through the passport for investigation purposes. However, this proposal was immediately binned by other parties because it would lead to a Big Brother society. Yet seven years later, an even more far-reaching proposal was made into law rather silently. Besides investigation and prosecution, under the new Passport Act, everyone's fingerprints and facial scan (biometric personal data) could also be used for counterterrorism, domestic and foreign state security, disaster relief and the implementation of statutory identification duties. This without these legal purposes having been discussed in parliament.[1] By the Senate, the new Passport Act was passed even without a vote. Media stood by and watched it. How could this have got this far?

'Bystander syndrome'

In a way, the new Passport Act was (and is) emblematic of the Dutch post '9/11' era. A juncture in which (supposed) anti-terrorism measures could effortlessly be piloted through our parliament. After all, such measures would enhance our security, we were constantly told. People by nature tend to follow authorities and conform to the status quo. In human rights terms, the post '9/11' era could be seen as a gigantic Milgram experiment: without too much resistance, various human rights were put on the social rack for years. Such was the case with the passage of the new Passport Act. Any Upper House member could at least have requested a parliamentary vote. Journalists and academics could have raised the alarm in time. But people stood by and watched. After all, this law would make the Netherlands "safer". But what was this assumption based on? Wouldn't the mass storage of fingerprints in travel documents and associated databases make the Netherlands precisely onbecome safer? This question had never been asked publicly, let alone discussed and answered.

Disproportionate

The Dutch government argument for the introduction of fingerprints in passports and identity cards has been going on since the late 1990s: this would lookalike hinder travel document fraud. At lookalike fraud, someone misuses another person's travel document with which they bear an outward resemblance. The extent of this type of fraud has hardly been questioned in parliamentary history. A recent Wob request by Privacy First revealed that it involves only dozens of cases per year (involving Dutch travel documents on Dutch territory)[2]. In light of this, the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. This is quite apart from the tens, if not hundreds, of millions of euros the government has invested in it.

Risks

With the introduction of a 'biometric identity infrastructure', a new form of fraud is emerging that is extremely difficult to detect and combat: biometric identity fraud, for example by hacking. Not only with unsuspecting citizens and companies, but also in the public sphere (espionage). In addition, it has now been shown that in 21-25% of cases, the biometric data in the chip of Dutch travel documents cannot be correctly read (verified). When checked, citizens therefore run a high risk of being wrongly suspected of fraud. Nor is the biometric passport suitable for counterterrorism purposes: terrorists generally use their own authentic travel documents. Unfortunately, little is known about the use of biometrics in the sphere of security and intelligence, although possible purposes are easy to guess: identification of silent suspects and "interesting" persons in public spaces, recognition of emotions, lie detection and the recognition or deployment of doubles. The same applies in the domain of investigation and prosecution, also in combination with public camera surveillance and automatic facial recognition. Moreover, RFID (Radio Frequency Identification) aspect of the chip in the document allows remote reading; citizens can thus be identified and tracked undetected. When it comes to legal identification requirements, one can also think of the possible introduction of finger scans in banks, social services, the internet, etc. (A Dutch pilot with mobile finger scanners for the police). And finally, there is the field of disaster management: biometrics as a logistical tool or to identify victims in large-scale disasters. All in all, these possibilities for the use of biometrics go at least ten, if not a hundred, steps further than merely combating lookalike travel document fraud. It should be borne in mind here that sooner or later all these possibilities will be used. In jargon, this is called function creep