Since the publication of the last edition of the eUpdate,
there has been no shortage of significant market developments.
Perhaps the most controversial of these - the passage of the REAL ID ACT in the
US - has engendered both ardent support and passionate opposition.
"The REAL ID is vital to preventing foreign terrorists from hiding in plain
sight while conducting their operations and planning attacks. By targeting
terrorist travel, the REAL ID will assist in our War on Terror efforts to
disrupt terrorist operations and help secure our borders."
House Judiciary Committee Chairman F. James
Sensenbrenner, Jr. (R-Wis.), the author of the REAL ID Act
The REAL ID "will become the most valuable fraudulent ID documents available,
and the black market supplying them will flourish in unprecedented splendor.
Criminals will get them. Terrorists will get them. Illegal aliens will get
"The dwindling privacy of US citizens will be eroded dramatically for no real
gain in security. Much money will be spent, much privacy will be lost, and states
will lose a significant measure of sovereignty, for no purpose but making a
collection of middle-class control freaks in Congress feel important. The whole
project would be a sad waste of money and effort, if it wasn't actually
Congress passes Gestapo ID legislation by Thomas C Greene, The Register (UK)
Needles to stay, the prospect of introducing universal standards for the two
hundred million State issued driver's licenses in the US - especially machine
readable and biometrically enabled ones - has a good part of the ID Solutions
community celebrating. However, Acuity's take is that extreme caution is advised.
Given the specifics of the legislation and the process by which it became law,
the Real ID Act is likely to create a heated environment rife with controversy
for all constituencies involved.
Other recent developments in the marketplace worth a serious look include the
release of two reports in the EU - the analysis of the UK Passport Enrollment
Trial and the EU Commission's Report on the Social Acceptability of Biometrics -
as well as the state of progress on biometrically enabled passport programs in
Europe and Asia.
As always, your feedback is welcome.
And please feel free to forward your copy of the eUpdate
to collegaues and encourage them to subscribe.
C. Maxine Most
*For more in-depth analysis and strategic market development
expertise, Acuity provides highly targeted custom
research and consulting services and
also publishes comprehensive biometric and identification solutions
market reports and forecasts.
C. Maxine Most
Acuity Market Intelligence
Acuity Market Intelligence | 640 W Linden St | Louisville, C0 80027| USA
+1 303 449 1897     www.acuity-mi.com.com
Beware The US REAL ID Act
Straight to the point on this one. The passage of the REAL ID Act as a rider to an Iraqi appropriations bill is bad news for the biometrics and broader identification solutions marketplace. Rather than celebrating and counting dollar signs, vendors should be expressing strong opposition to both the proposed structure of the REAL ID program and the back door process by which is was introduced.
No one wins when this type of controversial program is legislated in an under handed way without proper debate and public and commercial engagement. It requires testing, testing, and more testing to define the parameters in a way that ensure successful deployment and that appropriate identity technologies support the enhancement of civil liberties, privacy and data protection not become the tools to violate them. We might learn something from our friends on the other side of the pond on this one.
Those of you who clearly saw much of the post 9/11 industry hype for what is was - damaging opportunistic rhetoric - take a deep breath now. How much genuine revenue has flowed to biometric core technology companies from the post 9/11 ID frenzy? While much of this first wave focused on non-US citizens and faced little domestic opposition, the REAL ID act will likely throw ID related players squarely in the middle of a polarized political debate. A debate with little opportunity for genuine discussion and debate about how ID technology can and should be used in an appropriate, proportional way. This bill may have passed quietly but the storm of discontent is coming. State governors and legislators are likely to offer strong, unified opposition to this un-funded Federal mandate that places the burden of responsibility as well as the budgets and resources squarely on their shoulders.
Here's the gist of the REAL ID Act:
- By 2008 federally approved ID cards will be required to travel on airplane, open bank accounts, collect Social Security payments, or take advantage of nearly any government service. Your current driver's license will not be adequate so even if it is set to expire at a later data, you will have to get a new one to meet federal standards.
- The Department of Homeland Security will set the standards for all drivers' licenses and determine whether each state's licenses or other IDs meet the standards. Only ID cards approved by Homeland Security can be accepted for official purposes.
- The strangest requirement is that you need a photo ID to get a driver's license or other state ID card that indicates your birth date and address. The only other document I have that does this is my passport which I used my driver's license to obtain. In addition, you have to prove that your Social Security number is what you claim it is. I recently had to get a new copy of my Social Security card, as I had not seen mine since sometime in the mid-seventies when I applied for one to get my first job at the Junior High School library. When I went to get a replacement card last year, I believe I was asked for my driver's license and passport to prove my identity. Furthermore, U.S. citizens will have to prove that they are indeed citizens - so now I am back to my passport or perhaps an "official" birth certificate which is laughable as every couty or parish in every state issues their own birth certificates any one of which I could easily create at home with my ink jet printer. Is it just me or our we doing a circle dance?
- State Departments of Motor Vehicles (DMVs) will be responsible for managing all of this (organizations not particularly well known for their physical or logical security). They will not only have to verify the legitimacy of the identity documents used to obtain a driver's license but also have to store permanent digital copies of them within their IT infrastructures. Social Security numbers will be verified with the Social Security Administration, which as mentioned above are verifying identity based on DMV issued license.
- At a minimum cards must include: name, birth date, gender, ID number, a digital photograph, address, and a "common machine-readable technology" that the Department of Homeland Security (DHS) will decide on. The card must also support "physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes" again to be specified by the DNS. Finally, the DHS will be permitted to add additional requirements - read that biometrics - on top of these.
Even those within the ID community that agree with the intended outcome of the legislation - attempting to turn the US driver's license system into a reliable national ID system - must admit that the process is at best ill conceived. In addition, given the requirements, it seems that REAL ID Act's legislative proponents have a limited understanding of the finer points of developing a reliable ID system which requires the establishment of reliable breeder documents ... let alone the complexity, costs and technological and human factor issues that must be addressed to successfully implement a program of this scope and scale.
The only good news is that this unfunded federal mandated is likely to face such strong opposition from States struggling with sky rocketing Medicare costs, onerous (and expensive) federal education testing requirements and significantly lower tax bases due to federal income tax cuts, it will die a painful death long before it has the opportunity to become a total debacle.
If the US is serious about creating a national identity system, perhaps we ought to start at the beginning and at least introduce a secure, federally standardized birth certificate. Hospitals are required to submit these documents to county governments at the birth of a child and parents are required to apply for a social security number at this time (unlike the old days when this wasn't done until you applied for your first job). In fact, the hospital provides the Social Security application form and is technically required to make sure it has been completed before the child is released (though this is not strictly enforced). Given that this process is already in place, wouldn't it make sense to take this data and create a secure machine-readable document at this point in someone's life so we can at the very least have an initial breeder document with some level of trust and security?
The local government could keep a digital record and the parents could hold the secure document. Even without a photo ID or biometric data - both fairly useless for infants - or suggesting the collection of DNA (which I would not advocate), the ability to link an individual to an initial identity makes sense. Granted, there are many issues that would need to be addressed to make this process work well and maintain privacy and civil liberties protections. But at least when someone born in the US applied for a driver's license, passport or other government or commercial ID there would be some way link them to an initial identity. Meanwhile, beware the REAL ID Act bandwagon. It is likely a long and treacherous trail fraught with resource draining side trips to nowhere that ultimately will not reveal the hoped for pot of gold.
EU Test and Research Efforts Shed Little New Light
Two reports recently released it the EU - the results of the UK Passport Enrollment Trial and the EU Commission's Report on the Social Acceptability of Biometrics - proved to be somewhat disappointing. Not because they conveyed anything particularly negative about biometrics, but because they failed to fully exploit the opportunity that this type of large-scale government funded research offers.
In 2004 the UK Passport office completed an 8-month trial of 10,000 participants to study the process of biometric enrollment and verification for fingerprint, iris and face recognition. Passport office officials were not looking for data on technology performance but were genuinely interested in understanding how well UK citizens would handle the process of enrollment and how they would feel about it. In May, they released their findings.
The good news here is that while the application of biometrics for citizen identification appears to be no less controversial in the UK than in the US, at least the UK government is actively engaging their citizenry while pursuing legislative options. Initial efforts to piggyback National IDs on top of the biometrically enabled Passport program faced such stiff opposition that the Tony Blair's Labour government was forced to separate the two issues. With Labour back in power after the recent elections (though with a smaller majority), the issue is back on the table. However, it is at least being taken up in the context of open debate not back-doored through an urgent, yet unrelated legislative agenda (ala the US REAL ID Act).
The not so good news is that it seems the UK government spent a great deal of time and money without learning all that much that is new. Except for the data related to the experience of the disabled where little research to date has been completed (and even here there were no real surprises), we pretty much found out what we already knew ....
- The majority of folks can enroll though there are variations among ethnic groups because of specific physical traits.
- Enrollment ease varies across technologies.
- Environmental conditions impact enrollment.
- Disabled people have more trouble enrolling than non-disabled people.
- And, of course, further research is required to actually figure out how to handle large-scale enrollment.
The UK is to be commended for taking on a large-scale test of this nature. However, it seems in many ways this was an opportunity lost. Had human factors experts been engaged in the process rather than just relying on the usual gang of technology vendors, IT consultants, etc, this test could have been constructed in a way that yielded more in depth insight into how populations interact with the technology and specific recommendations/solutions for managing some of the problems that had previously been identified.
Similarly, the key findings of a report
released in March by the EU Commission that provided analyses of how the same three biometric technologies - finger, iris and face - will impact the daily lives of Europeans was a non event. According to the report, biometrics will substantially help in making Europe's borders more secure and contribute to the creation of a secure knowledge-based society. A pro-active strategic approach that embraces a number of policy areas - security, industrial policy, competitiveness and competition policy - is advised so that Europe reaps the full benefits of such initiatives.
The report makes the following key recommendations, none of which are particularly new or insightful:
- 'Function creep' and false expectations should be avoided by clearly defining the purpose of all biometric initiatives.
- Biometrics should be used to enhance privacy.
- Governments should support market development by fostering user adoption.
- Fallback procedures should be adopted when biometric systems fail.
- And, of course, more research is needed in the following areas: interoperability, standards, performance data, multi-modal biometrics, and large-scale field trials.
The findings and recommendations of the reports do present biometrics in a positive light, confirm fundamental issues that must be addressed to create large-scale citizen ID programs, and do so in a format that is widely accessible beyond the biometrics and broader identification solutions community. However, somewhere in between the extremes of slamming programs through without adequate consideration and testing (ala the US), and engaging in research that offers little in the way of new insight (ala the EU), is a middle path that incorporates the best available knowledge and data, minimizes redundancy and harmonizes research projects in a way that accelerates positive, productive and profitable market development. Proactive collaboration among all constituents worldwide - government agencies, commercial enterprises, civil liberty and data protection organizations, citizen advocacy groups - will ensure that research is defined and conducted in this way and that precious resources are not squandered learning the same lessons over and over again.
Worldwide Progress on Biometrically Enabled Passports
First, let's get up to speed on where the EU stands ...
In February 2005, the European Commission established the technical specifications for the integration of facial images in EU passports with an implementation deadline of August 28 2006. The Commission committed to establishing a similar specification for the integration of fingerprints into passports in the near future, after which EU Member States will have 36 months to comply. Previously, in October 2004, the EU Justice and Home Affairs Council agreed to the inclusion of fingerprints as a second mandatory biometric identifier - instead of an optional one - in future passports issued by Member States.
Then, in late March 2005 the European Justice, Freedom and Security Commissioner, Franco Frattini, officially asked the US Congress to extend the deadline for introducing biometric passports until the August 28 2006 deadline agreed upon by the Commission. The request for an additional deadline extension was made after became clear that only six EU Member States - Austria, Belgium, Finland, Germany, Luxembourg and Sweden - were in a position to meet the US congressional deadline for visa waiver countries to start issuing biometric passports to their citizens (Though it now looks as if Finland, and Germany will not be able to meet the October 2005 deadline...see below).
While the Commissioner's request was formally denied, a recent legal interpretation made by US Congressional Representatives Sensenbrenner and Hostettler calls into question the need for Congress to extend the deadline (see below).
And now the latest from some of the countries committed to developing biometrically
According to Dutch Government Reform Minister Alexander Pechtold, new biometric passports will be phased in mid-2006 in order to meet the August 2006 EU deadline. Per EU requirements, the first biometric identifier to be introduced will be a facial image, followed by fingerprints at a later stage. Photographs submitted when applying for a passport will be digitized and stored on a chip embedded in the document which will also store the holder's name, nationality, date of birth, national insurance number, document number and expiry date. Inital biometric passport trials were conducted from August 2004 to February 2005 in the municipalities of Almere, Apeldoorn, Eindhoven, Groningen, Rotterdam and Utrecht. The government also intends to make online verification of travel documents possible by setting up a national passport database that will include biometric data. Until now, records of travel documents have been kept locally by the issuing authorities (i.e. mostly municipalities, embassies and consulates).
Belgium - the first country in the world to start issuing electronic passports in late 2004 - began issuing biometric passports containing a facial image of the holder stored in an embedded chip at a number of Belgian cities and consulates between November 2004 and January 2005. Fingerprints are due to be incorporated based on the deadlines set by the EU legislation. This new generation of travel documents is now being phased in throughout the country. The Belgian Government has contracted French smart card specialist Oberthur to manufacture and personalize 500,000 electronic travel documents per year.
The Immigration and Checkpoints Authority (ICA) of Singapore plans on introducing biometric passports in October 2005. The passports will incorporate facial and fingerprint biometrics in accordance with the standards set by the International Civil Aviation Organization (ICAO). The new passport will be valid for five years with a different number from the holder's identification card number to curb passport abuse. The city-state expects the high-tech passports to enhance the country's security by combating alien smuggling and terrorist activities through the use of forged and tampered travel documents. The contract worth 9.7 million Singapore dollars (5.9 million US dollars) was awarded to a consortium of companies including NEC Solutions Asia Pacific Pte Ltd, NCS Pte. Ltd., SNP Security Printing Pte Ltd. and Gemplus Technologies Asia Pte Ltd.
New passports introduced by the Slovakian government in April 2005 have greater security features than the previous travel document and - although they do not currently include any biometric identifier - are 'biometric-ready'. A digital facial image of the holder will be included in the passports starting in September 2006, while a fingerprint scan will be included from March 2008. The biometric passports will provide Slovakia with further arguments to negotiate visa-free travel to the United States for its citizens. Despite an official request by the European Commission in 2004, the US Administration has so far refused to extend its Visa-Waiver Program (VWP) to the new EU Member States.
Unexpected legal problems are delaying the implementation of the new Finnish passport after identification solutions provider Setec decided to challenge the passport contract awarded to its Dutch and Swedish competitors SDU Identification and XPonCard Group. According to press reports, the Finnish Government - which originally planned to start issuing biometric passports before the summer - could now be forced to postpone the start date to early 2006
The future Finnish electronic passport will have high-tech security features, including a polycarbonate data page containing a 'contactless' crypto processor chip storing the holder's personal details and biometric identifiers. In addition to the facial image of the holder, a second biometric identifier - fingerprint scans - will be introduced in 2006-2007. A new passport information system, including a centralized database of digital facial images, will be introduced. Once production begins, the Finnish government expects to issue approximately 400,000 documents per year over a 4-year period.
Germany's Federal Minister of the Interior Otto Schily is pressing ahead to start issuing biometric passports by November 1, 2005. The Bundesdruckerei (Federal Printing Office) recently placed orders with Munich-based chip manufacturer Infineon and the Dutch electronics group Philips to supply semiconductor elements for the new biometrically enhanced German passports. The chips and the antennas required for reading them will be integrated invisibly into the front of the passport. A range of security mechanisms including an electronic signature and RAS encryption will protect the digital data stored on the chip. To prevent the data from being read stealthily via the RFID interface the cryptographic principle of Basic Access Control, an ICAO approved, German developed security standard will be applied to the data. The Federal Office for Information Security guarantees the technical reliability and safety of the e-passports.
Meanwhile in April, Federal Data Protection Commissioner Peter Schaar called for a moratorium on the introduction of biometric passports in light of the still immature state of the technology and of a number of unresolved data protection issues. Though Schily shot back stating that assessing technology and making political decisions were not part of the Data Protection Officer's missions, two MPs from the ruling Social Democratic Party publicly expressed their support to the proposed moratorium. "Passports with biometric features are becoming a personal obsession of the Ministry of the Interior's, and in the process he is disrespecting the German Parliament, data protectionists, and scientific experts", Ulla Burchardt and Jörg Tauss wrote in a statement against what they labeled a "knee-jerk" introduction of a still underdeveloped technology.
Russia plans to begin introducing biometric passports with personal data stored on an electronic chip in 2007. The new 32-page passports will have digitally stored data and digital photographs. The changeover from current passports, which will remain valid until their date of expiry, will cost the state about 500 million USD and include re-equipping 400 passport control points across the country.
Finally, an interesting development in the US ...
US lawmakers question need for microchips in European passports
Members of the US Congress are questioning the assumption that in order for visa-waiver program (VWP) countries to meet US passport requirements they must issue passports that contain embedded chips. In late April, the US House Judiciary Committee's Immigration, Border Security and Claims subcommittee held a hearing on the ability of VWP countries to meet the October 26, 2005 deadline for issuance of passports with biometric features, the risks to American security of extending the deadline for the second time at the request of the European Union, as well as the current deadline's impact on travel to the United States from visa waiver countries.
In written comments, both the committee and subcommittee chairmen said that VWP countries could comply with the US Border Security Act as long as their passports contain a "printed, secure digital photograph of the holder". This means that citizens of the 27 VWP countries - which include many EU Member States - would be able to enter the United States after the October 2005 deadline without biometrically enabled passports as long as they carry a machine-readable passport featuring a digital facial image.
"A chip is not essential to enforcing the requirement established by Congress", said subcommittee chairman John Hostettler. Committee chairman Sensenbrenner stated that "the Enhanced Border Security and Visa Entry Reform Act of 2002 only called for the inclusion a biometric identifier, which could thus be a digital photograph and does not require passports to store the digitized photograph in a microchip". According to congressional staff at least one European country - Ireland - has plans to comply with US biometric passport requirements on time by simply including a digital photograph in its passports.
For custom research, analysis or strategic market
development consulting, visit Acuity Market
Intelligence or call +1 303 449 1897
Comments, criticisms, corrections & kudos!
We welcome all feedback:
You're welcome to reprint BMI eUpdate articles. Just email with a link to your publication.
or email include
name, company, country phone & email
New email: send to
include your previous and new email addresses
Copyright 2005 Acuity
Market Intelligence, LLC. All Rights Reserved.
makes no guarantees on the opinions expressed herein. This
publication may be forwarded electronically in it's entirety.
However, no part of this publication may be published in any form
without explicit consent of the publisher.