The concept of identity has evolved over the years, particularly with the development of technology and pervasive use of the Internet and social media. But to what extent can digital technology aid, as well as hinder, the identity document issuance processes? Charles de Couëssin examines this topic, as well as the susceptibility of ‘breeder’ documents to falsification, and highlights their role in the illegal issuance of genuine passports and other types of identification.
The evolution of society, particularly advances in information and communication technologies (ICT), poses a number of security challenges that can no longer be ignored. The increasing use of social networks and other forms of digital communication in everyday operations may lead us to question the future role of physical identities, and whether digital identities will change the ways in which people identify and authenticate themselves to obtain products and services.
The physical identification of people will not be easily replaced in the short term, even in future scenarios where many services, both private and public, become available only online. However, any society needs to be able to identify its members as clearly and efficiently as possible, and new digital approaches should be utilised to achieve this [1]. Indeed, with a larger number of states ready to embrace electronic identification means, physical documents can be substituted by their electronic counterparts. These changes will be even more effective if the relevant legislation in the states is capable of promptly adapting to the evolutions we are witnessing; a concept that is the focus of the new eIDAS directive, which regulates online transactions, identification and authentication mechanisms.
eIDAS (and other national regulations) represents a significant step towards a single digital market, and paves the way for wider availability of digital services and a higher number of interactions between enterprises, governments and citizens. Despite the inherent advantages that a digitalised service ecosystem can bring to a society, it also provides new opportunities for criminal activities, and potentially leads to new forms of criminal organisations. In fact, we are already observing criminal threats, such as sophisticated and large-scale online financial fraud, in addition to the more traditional criminal activities that are now facilitated by ICT.
Following the recent tragic terrorist events, there are increasing reports of the sale of counterfeit passports and other physical identification documents at very low prices on the dark web. The presence of a virtual market offering specialised products and services is transforming the way in which cyber threats and other criminal activities are conducted. Criminal groups are now more geographically dispersed, fluid, and formed on the basis of specific plans. They tend to use professional cyber-criminal freelancers who sell skills and tools needed to carry out cyber-attacks. In other words, crime-as-a-service is emerging, leading to more advanced capabilities of both cyber-criminals and criminals who do not have the technological skills to carry out cyber-crimes by themselves.
Sensitive, identity-related data is a primary target for this new breed of criminal. Cloud storage, big data and Internet of Things paradigms, as well as the massive use of social networks and smart devices, mean huge increases in data collection, processing and storage, and subsequently more points of access to the network and higher probabilities of intrusion. Typically, the infringement of these types of data is committed through traditional fraud related to credit cards or bank credentials, phishing, other blackmail operations or cyber-spying. It is also possible to obtain vast amounts of information about a potential victim simply by reading their social network profile. This information can then be exploited to commit crimes or to create fake accounts.
The United Nations Office on Drugs and Crime (UNODC) estimates that identity theft is the most common type of consumer fraud and the most profitable form of cyber threat, generating approximately one billion dollars per year. Whether identity theft and similar crimes can be better prevented in a digital environment than in the physical dimension remains unclear. Certainly, the speed and pervasiveness of the digital world may require more sophisticated, accurate and smarter mechanisms for preventing cyber threats against the identities of users.
Credentials and Cultural Variants
Civil registries in Europe date back to the 17th Century, and credentials traditionally consisting of three main pieces of tangible data – forename, surname, date of birth – are recognised globally as a means to authenticate an individual. The modern passport template represents a European vision of the world, in that it typically includes the father’s surname, a prefix (to indicate the individual’s position within the community), and the date of birth. However, this format does not at all reflect the variety of cultural variants that may affect the way individuals are (or are not) registered. Therefore, Europe has considerable issues in trying to transpose foreign credentials. In many geographic areas, for example, family names are not fixed and stable, since individuals are named after animals or natural phenomena, while what we consider a ‘surname’ is only a part of a longer sentence that designates an individual. Furthermore, ‘surnames’ and ‘forenames’ are not always written in the same order that we are used to in Europe.
In addition, the concept of a ‘date of birth’ is a construct of a society in which newly born babies are registered at birth. However, in certain countries, due to high mortality rates, babies are not immediately registered in civil records, but later on, when the child is more likely to survive. Additionally, in some cultures, the time of conception is considered more significant than the birth date. These are just a few examples of issues that arise when attempting to use the European method of registering credentials in the context of various cultural practices throughout the world, and the inconsistencies that can occur when transposing names and dates into our European system. These inconsistencies may lead foreigners to consider a credentialing scheme as unstable, or even unofficial, as it does not correspond to their own cultural encoding system. This mindset may lead to the undermining and exploitation of the ID an individual is issued when they come to Europe.
Therefore, the concept of identity fraud should be addressed carefully to match the various situations encountered by member states regarding migration issues.
As discussed by ICAO in their recent MRTD conferences, the manufacturing of travel documents has become increasingly complex to counter fraud and counterfeit attempts. Therefore, criminals will usually target the ‘identity’ itself – or the credentialing process – rather than the supporting documents themselves. This means that ‘breeder’ documents such as birth certificates are the cornerstone of illegal ID production, and should therefore be subject to higher standards and delivery procedures.
Breeder documents (notably birth certificates) are the basic designation of an individual’s relationship to their community. Since the introduction of electronic passports (e-passports) and the use of security features in their chips, such as biometrics, the security of these documents has greatly improved. However, they are issued based on documents, such as birth certificates, that do not offer the same level of security and are much easier to counterfeit.
In most European countries, and in the rest of the world, breeder certificates are insecure documents. Therefore, the weakest link of the identity chain, and in particular of e-passport issuance, continues to reside in the entitlement process, in which the evidence of an applicant’s identity is evaluated.
Such evidence is often supported solely by breeder documents, which remain mainly paper-based without any form of security in their manufacturing or issuance processes. Most of these breeder documents are much easier to forge than ePassports, and by using forged breeder documents (via identity theft or fake ID) people can obtain genuine travel documents. To make matters worse there is, as yet, no standard format or standard issuance process for breeder documents throughout Europe or within many member states.
A Frontex study on the operational and technical security of ePassports [2] confirmed that the breeder document issue was crucial to the legitimacy of travel documents, which could be issued based on unreliable information. It is therefore of the utmost importance to ensure the reliability of the ePassport issuance process to ensure efficient European Union/Schengen border controls. The process must be founded on reliable breeder documents. ePassports are not the sole cause for concern related to breeder documents: stolen, counterfeit or altered birth certificates are often used to create new identities, paving the way for a variety of crimes including the smuggling of migrants, drugs or weapons, trafficking in persons, terrorism, etc.
Approaches to counteracting the weaknesses of breeder documents have been implemented in certain countries. Centralised databases are often used to record the credentials of individuals to avoid relying purely on breeder documents during the issuance procedure. However, these solutions remain an insufficient answer to making breeder documents secure and trustworthy. In consequence, both ID cards and ePassports can be considered to be unreliable as the root of the issuance process can be compromised.
Breeder documents must be issued based on reliable data and using a secure process. A complete, secure chain, which can be securely accessed by issuance officers is required, starting from birth registers and encompassing life events (such as marriage, divorce, etc.) until death. A lack of standardisation of data records becomes a crucial issue, especially when citizens relocate to other countries and undergo family or social events. This situation will only increase as student exchanges, business mobility and relocation opportunities become more frequent.
The lack of interoperability and secure access to national registries, together with the provision of unregulated breeder documents issued by other states, might further increase vulnerability and suspicion. The existence of a common standard for breeder documents would simplify the verification process and the secure issuance of a passport anywhere when needed. The procedure and entitlement criteria for passport issuance are regulated at the national level, as they are intimately linked to sensitive issues like national sovereignty and national citizenship.
Although the weaknesses of breeder document security have been well known for many years, there is not yet wide acceptance of a suitable solution at European levels to overcome this issue. However, in December 2010 the EU Council recommended that member states consider mechanisms on “preventing and combating identity-related crimes and on identity management, including the establishment and development of permanent structured cooperation between the member states of the European Union” for which breeder documents and birth certificates are an essential element.
For these reasons, the EC is currently funding a research project called ORIGINS to address the issue of how birth certificates should be part of a holistic approach to enhance border control procedures and effectiveness. The underlying idea of this initiative is to investigate how breeder documents are delivered and whether a consistent mechanism could be implemented to ensure the legitimate issuance of passports. The project consists of a consortium of market-leading companies, relevant subject matter experts (SMEs), renowned public research institutes and universities, passport and breeder document manufacturers, end-users represented by public administrations, and legal, ethical and sociological issues experts. Partners come from various member states, external border countries (Estonia, Latvia, Poland), and associated countries (Norway, Turkey).
The consortium has carefully investigated the current state of breeder documents issuing practices in member states and associated countries. The main objectives of this initiative are to supply technical know-how and best practices to promote the need for a regulatory framework at a European level toward member states. A standardisation initiative on breeder documents as a new work item for the European Committee for Standardisation (CEN TC224) has been launched in response to the demand of the consortium.
The implications of this should be considered in the context of the existing situation where there is an on-going roll-out of millions of ePassports (valid for up to 10 years), and any innovative solution must be introduced gradually, ensuring backwards compatibility (i.e. compatible with existing standards, processes and infrastructure for the millions of ePassports already issued) in order to safeguard investments made.
A major impact of such initiatives will be to restore trust and confidence in ePassports and breeder documents by recommending solutions that deal with the identified security limitations, while protecting the privacy of document holders. This is important to enable the further deployment of both ePassports and other ID documents. As a matter of fact, other documents issued by member states rely on breeder certificates including: ID cards, residence permits, applications for naturalisation, applications for a marriage/divorce, and registrations in commercial registers.
Based on the project’s findings, ORIGINS will provide recommendations to leverage the security of the life cycle of critical documents. Emphasis will be placed on relationships with issuance officers (application, renewal and loss and robbery claims) to provide secure primary-line processes. Other parameters, such as the support of supplementary documents to breeder documents, will be considered. Advanced research will be conducted into state-of-the-art security mechanisms, cryptography and security features to be added to ID documents.
Although security features may be implemented based on a standard and secure format, there will always remain the need to ensure the reconciliation between applicants and their credentials during the issuance process. As for proof of identity, the integration of biometric technologies is being investigated (in particular, biometric-related issues such as aging effects since childhood and template protection). The inclusion of biometrics from the breeder document holder’s parents will also be considered with a view to building a secure link to guarantee the identity of the individual since birth.
Concerning the provision of future breeder documents, the prevailing aim is to build upon existing/ongoing research (for instance, integrating compressed biometric data with birth certificates in the form of a bar code). A strong focus will also be placed on existing or in-development security features (bubble tag, data-matrix, laminated technologies, and secure paper) in order to determine which are the most appropriate methods of securing future breeder documents.
The consortium has set up an ambitious communication strategy to inform the European Commission and the broader ePassport, breeder documents, and policy communities on the outputs of the project on an ongoing basis. In order to exchange with related communities (ePassports, issuance bodies, policy, governments or border control) the consortium will organise a final workshop to present its results and recommendations on breeder documents security to external stakeholders. It is expected that the ORIGINS results will continue to be relevant beyond the end of the project, in particular via the standardisation activities initiated at CEN level and the promotion of recommendations to the breeder documents issuance community.
Charles de Couëssin, founder and general manager of ID Partners, is a former development director at SITA. He pioneered various programmes on passenger facilitation and aviation security based on cutting edge technology in the aftermath of 9/11, in particular, by launching s-Travel, the first EU funded initiative addressing biometrics processes together with IATA. He has also been an advisor to the French Government for its national identity project and the passenger data (API-PNR) initiative. Charles is currently involved in various R&D programmes funded by the EU addressing airport security and identity issues. Contact: firstname.lastname@example.org
1. The author refers to the EKSISTENZ project funded by the EC under the FP7-SEC-2013.1.1-2 call: ‘Stronger Identity for EU citizens’, European Community’s Framework Programme (FP7/2007-2013), Grant Agreement n° 607049. http://eksistenz.eu
2. Operational and Technical Security of Electronic Passports, Warsaw, July 2011. http://frontex.europa.eu/assets/Publications/Research/Operational_and_Technical_Security_of_Electronic_Pasports.pdf