Identity fraud in an information society:
the case for a chain approach
by Jan Grijpink
Abstract
Two new developments in information technology will have a profound effect on the identity issue in our society: multifunctional smartcards and biometrics. The widespread use of chipcards will in the future facilitate electronic identities and identity documents. This places identity fraud in a new light because multi¬functional smartcards make it possible to provide a false identity or pseudo-identity that is difficult to detect during transactions. The fact that identity fraud often forms part of other (serious and organised) crime makes this situation particularly trying.
The new information technology not only poses threats, it also provides new weapons in the fight against identity fraud. Recognition of personal biometric characteristics makes security in physical and electronic environments truly person-based and can prevent identity fraud. The current verification techniques used to ascertain a person's identity are not person-related. Passwords and Pincodes can be passed on to others, so that knowledge of the number leads only to the presumption of involvement. In an information society, a weak form of ascertaining people's identity such as this will increasingly fall short when the law requires indisputably established personal involvement. Consider for example a summons, a penal provision to a person, a contract, a government order: they are legally invalid or ineffective when the person(s) concerned cannot be established with certainty. In a strategic alliance biometrics and chipcards can be a powerful weapon for card holders and issuers in the fight against identity fraud and other misuse of cards. But we must then regard identity as the product of a chain in which hundreds of organisations co-operate in preventing identity fraud. This memorandum outlines this identity chain and highlights a number of important shortcomings in the Dutch identity chain as it stands today. To conclude, an outline will be given of an improvement programme.
Contents:
Identity as a social issue
Identifying, verifying and some related concepts
The multifunctional smartcard and identity
A person’s identity and biometrics
Smartcard and biometrics: a strategic alliance against identity fraud
Prevention of identity fraud
The identity chain
An improvement programme for the Dutch identity
1. Identity as a social issue
There are countless moments in everyday life when it is necessary to know who somebody is or to ascertain whether an identity document being presented is genuine and unaltered. The same question arises regarding documents in general and numbered goods and uniquely identifiable equipment. In an information society identity issues take on an entirely new dimension.
Scott Charny, head of the Computer Crime and Intellectual Property Section of the Ministry of Justice in the US: “ On the Internet there is an absence of biometric proof, there are no characteristics that are unique to a person [...] Users are virtually anonymous. [...] The world of commerce is all for digital signatures, a password in combination with a mathematical formula, an encryption algorithm. That's all very well for commerce, but useless for investigation purposes because a person's digital signature can easily be found by other people using the same computer [...] Criminals would then be able to claim that their digital signature was used by somebody else.”
The widespread use of chipcards will facilitate electronic identities and identity documents, with all the accompanying known and as yet unknown forms of misuse and fraud , . Identity fraud is not a new phenomenon. A recent book about identity falsification from the Crime Investigation study series: "Various analyses conducted in recent years by the police together with the Central Criminal Information Department have shown that the use of false or forged identity documents has assumed sizeable dimensions." . The new information technology not only poses threats, it also provides new weapons in the fight against identity fraud. Recognition of biometric personal characteristics make security in physical and electronic environments truly person-based and can prevent identity fraud. None of the methods used up to now has achieved that.
These developments justify reviewing the way in which we approach the phenomenon of identity. The chain approach offers a suitable starting point for this review. The identity chain can be viewed as a number of consecutive actions and interim products that make it possible to ascertain, register and then verify an identity or an identity document within the context of everyday life, a legal act or an electronic transaction. There are however already so many imperfections in the Dutch identity chain that an integral, chain-wide improvement programme seems necessary, preferably before electronic identities slip through our fingers. This memorandum was drawn up against this background.
2. Identifying, verifying and some related concepts
Identifying
Ascertaining who somebody actually is is what we call identification. Identification requires research. An important aspect of identification is that the person is actually present. The appearance of a person can then be compared accurately with a photo in his passport; the identifying personal details in that passport must in turn correspond to those in his birth certificate. It is sometimes necessary to compare physical personal characteristics (fingerprints, DNA profile, etc.). Documents and devices must also be available in their original form so that their authenticity can be ascertained. In the Netherlands, there is neither a general obligation to prove one’s identity nor a general authority to ascertain someone’s identity . According to Dutch law, the power to investigate a person's identity is reserved to only a few public authorities, the police in particular, the Aliens Police and the registrar of births, deaths and marriages , their power being limited by law. Their identity investigations for criminal and non-criminal use are essential because verification procedures without good quality prior identification are not resistant to malicious intent. The anticipated flood of electronic identity documents will lead to extra pressure being exerted on these few public bodies that are allowed to investigate people's identity.
Verifying
Other bodies and organisations (public and private) are only allowed to verify a person's identity. In comparison with identification, however, verification is of a different order. One does not investigate who a person is, but merely ascertains that two details relate to the same person. Personal numbers and identifying personal details are usually compared for this purpose. Even if a person can be directly compared with his photo on an identity card, this verification cannot however ever provide certainty that the person in question is actually what he claims to be. Unfortunately, people are not generally aware of this limitation, so that verification is in practice often put on par with identification. Wrongly so.
Verification is generally sufficient for legal acts in private law. If a bank agrees to give somebody credit, it is then sufficient to ask for proof of identity and to check the validity of the proof of identity shown. By means of simple verification registers private organisations can see whether the proof of identity bears any irregularities. They do not have to know what is wrong with the proof of identity. Neither does the verification register give any information about the identity of person holding the proof of identity: it ascertains the soundness of the document, not the person of the holder. This limited information can therefore be used for all sorts of social purposes. In the near future all organisations that are legally obliged to check a person's identity will be able in legal and practical terms to check the soundness of the proof of identity shown. At the moment this is not yet the case. If the Dutch policy in this matter remains unchanged, organisations depending on voluntary verification of identity will not be able in legal and practical terms to check the soundness of the proof of identity shown. Unfortunately, most issuers of smartcards with an identity function belong to this category of organisations. This is a major threat to the prevention of identity fraud. Verification is generally sufficient for legal acts in private law even if a person’s identity is wrong as long as it is accepted by the parties involved. As soon as a person’s identity is disputed by one of the parties who then discovers that the presumed identity is mistaken or frauded, verification is no longer sufficient for legal acts in private law.
Verification in criminal law is never sufficient. The police are expected to ascertain beyond dispute the identity of a person involved when a criminal offence comes to light. If errors are made in this process, the judicial intervention runs aground further on in the criminal law enforcement chain. A case in point here is the question of undeliverable legal documents sent by registered mail. It frequently turns out that the person involved has given the police a false name without their realising it. An erroneous identification cannot be later rectified by means of verification. It is only if the police have conducted a successful identification at the beginning of the criminal law enforcement chain that other bodies can make do with verifications in subsequent processes.
Proving one’s identity
People prove their identity by showing identity documents on the basis of which their identity can be verified. This verification process can also form part of a more extensive investigation by which a person's true identity is eventually ascertained.
Authentification
The above analysis is applicable by analogy to documents, chipcards and devices such as card readers. Multifunctional chipcards and card readers have advanced authentication means. A document, a chipcard or a device can have a unique identifying number. We therefore see that documents, chipcards and devices can - just like people - have an identity of their own. For the verification of the identity of a document, a chipcard or a device we use the term 'authentication', i.e. making something legally valid or recognising it as truly genuine. There are advanced ways of verifying the identity of multifunctional smartcards and card readers (encrypted handshaking with asymmetrical keys, for instance). But technology is not the only determining factor. Means of authentication are frequently not applied in day-to-day practice.
3 The multifunctional smartcard and identity
Many applications in a multifunctional smartcard need to ascertain whether the person using this particular function of the card is authorised to do so. For this purpose the card needs a function with which a person can be recognised. This is what we call an identity function. Some smartcards are intended for anonymous use. In such cases, the card does not have an identity function. Other smartcards are intended for identity purposes only: the identity function is then the main application in the smartcard.
Smartcards will introduce new electronic identities and new electronic proof of identity. However, not every smartcard has an identity function and the scope of a card’s identity function, if present, differs. Three card categories can be distinguished . Any smartcard can be classified under one of these three cate¬gories on the basis of the card's identity function:
I. Impersonal anonymous smartcards, such as prepaid cards, non-loadable chipcards, prepaid phonecards, non-personal customer cards, prepaid non-load¬a¬¬ble electronic purses (gift vouchers) or prepaid GSM-cards. If a password can be used for 'opening and closing' an impersonal card or an application in it, these codes are anony¬mous, known only to the cardholder himself and not to the card issuer or a third party. Anonymous is not a synonym for unsecured, as you can see.
II. Smartcards with a contractual (pseudo-)identity function: personal cards which do reveal a person’s true identity only to the card issuer, not to somebody else. Examples are the Dutch payment card (PIN-card), the loadable electronic purse, the GSM-card, the asylum seekers identity card and before long the Dutch municipal city card (with or without biometrics). While the card can be of an anonymous nature to third parties, the card issuer must know the correct identity of the cardholder at least at the moment of card issue. In later transactions with the card, third parties usually only need to know whether the person involved is the authorised person. The person's true identity does not affect the transaction, so any number (PIN) or nickname will do.
III. Smartcards with a general identity function for third parties: personal cards which serve as an electronic proof of identity to be used by third parties, e.g. city card with personalised biometrics intended for general use, the Dutch aliens identity card and in the future perhaps also the electronic driving licence. The most important difference with card category II is that a third party at any later transaction or other use of the card wants to know precisely who a particular person really is. It is not sufficient to know that the person is the same as the authorised person, nor is it sufficient to establish someone’s true identity only at the moment of card issue.
In the course of time, a smartcard may shift to a different category when at a later stage a function is added which affects the identity function of the smartcard.
The importance of the multifunctional smartcard for identity issues goes hand in hand with the ability to acquire a new electronic identity with the card's identity function or to be able to pass oneself off as somebody else. It will be difficult to detect this new identity or double later because person recognition techniques in use are generally not person-based. Examples include passwords, Pincodes and signatures. Information technology does of course make it possible to analyse person-based characteristics for a true person recognition. But these biometric techniques are still only being used to a limited extent. The issue of biometric person recognition is discussed in the following section.
4 A person’s identity and biometrics
Important questions, such as which law is applicable, who are the parties, what has happened, etc., cannot be answered if it is not possible to ascertain who has carried out the (legal) act. These civil and criminal proof problems go hand in hand with the nature of electronic signals, which are not connected to physical persons, places and (local) times and leave no traces behind. In an electronic environment, (legal) acts and criminal behaviour must therefore be 'pinned down' artificially, so to speak. To give an example: an e-mail is regarded as having originated from the holder of the password with which the message was sent. But that is not of course necessarily the case, when a PO Box or a password are used jointly for instance. If, as in this example, we wish to avoid the excessive use of legal fictions or presumptions in electronic legal transactions, we need reliable verification of persons and authentication of documents, devices and electronic transactions. The authentication of electronic transactions cannot take place without the reliable verification of the natural person who is acting. The customary pincode protection does not verify a person’s identity but merely performs an administrative verification of a person-unrelated number. To verify somebody’s identity this needs to be done on the basis of a unique biometric personal characteristic (e.g. the shape of the palm of a hand or a dynamic signature), the owner of which has been reliably identified in advance. An electronically verified identity is thus given the required indisputable character.
The biometric recognition works as follows. At the moment that the card issuer allocates the chipcard to a person (this is known as personalisation), the shape of the palm of the recipient's hand can for example be converted with an algorithm into a number (this is called a template). That number is registered in the chipcard instead of a picture of the palm of the hand . If the same algorithm is repeated later, the two numbers can be directly compared. The safest way of doing this is to compare the numbers in the chipcard itself, not in the card reader. This makes it more difficult to imitate a verification. But in neither of the two cases can the real shape of the palm of the hand be retrospectively calculated from the number. Because it is only possible to establish a person's identity indisputably by means of a person-based characteristic, biometrics plays a major role in the fight against identity fraud.
Why is such little use being made of biometrics? One of the reasons is its lack of familiarity. The information technology needed for this was only recently developed. There are also prejudices against biometrics. The position of the fingerprint in criminal law enforcement is not conducive to the use of biometrics in ordinary legal processes. There are also uncertainties about its legal permissibility. Many view person-based biometric characteristics as ‘personal details’ in the sense of the privacy legislation. They therefore feel that biometric person recognition is subject to considerable limitations. To understand the social significance of biometrics, it is therefore important to make a distinction between a person-based detail and a personal detail (= a detail that can be traced back to a person). A biometric personal characteristic is by definition person-based (= derived from the body), but is not necessarily a detail that can be traced back to the person. A separate biological characteristic without further references, for instance, cannot be considered a personal detail as long as it can only be traced back to a person with disproportionate effort. To give an example: used glasses in a pub are covered in fingerprints, but there is little point in tracing back a fingerprint to a customer who can no longer be found. The specific laws and regulations with regard to personal details are therefore not applicable to a separate biometric detail of this nature. Biometric verification of a person’s identity using such a biometric template is therefore freely applicable . If, however, biometric details are related to other identifying personal details, they do form personal details within the scope of the privacy legislation. When using these biometric details the primary aim of the data processing determines what is legally permissible. There are special regimes for sensitive personal details, especially for those revealing a person's race or ethnic origin .
In actual practice we therefore see that in most EU-countries there are no legal obstacles to using separate biometric templates, e.g. a biometric number in combination with a number without further references. This can be regarded as anonymous biometrics. Storing and using a biometric template on a multifunctional smartcard for off-line verification is possible without restrictions. That is very important because this anonymous biometric verification of a person’s identity can easily be used in all sorts of situation for which it is sufficient to establish during a transaction that the person conclusively is the same as the authorised or expected person. That is usually the case. It can therefore be expected that the application of anonymous biometrics will gain momentum as soon as its possibilities become more familiar. The technology is available and the costs are low.
5 Smartcard and biometrics: strategic alliance against identity fraud
Biometrics can be used without a chipcard, either controlled by a remote information system (on-line) or stand alone locally (off-line). The biometric characteristic is then linked to a pincode or a random number. When used with a chipcard the link with a number is not needed. The biometric number calculated on site is compared directly with the number stored in the chipcard.
The chipcard facilitates off-line anonymous biometric verification of a person’s identity, both inside and outside of the card. 'Inside' means making a chipcard unusable to anyone other than its holder by means of an internal biometric security system, which also prevents others from using the card's identity function. 'Outside' the chipcard refers to a large number of verification variants within the scope of authorisation and access, in which the biometric number calculated on site is compared locally off-line with the number stored in the chipcard. The person’s true identity is kept hidden from third parties, so that no harm is done to the card's pseudo-identity function. Only the card issuer knows who the holder really is. The locally calculated biometric number remains anonymous to others, because it cannot be traced back to a person. For this purpose, it is necessary to ensure that a biometric characteristic is not linked to personal details that can be recognised by third parties, for instance on the exterior of the smartcard. The card holder thus enjoys the benefit of the extra person-based protection of his biometric characteristic whilst remaining anonymous to others. Anonymous biometrics places a powerful weapon in the hands of card holders and issuers that they can use to combat identity fraud and the misuse of the smartcard.
6. Prevention of identity fraud
Biometrics contributes to secure multifunctional smartcards, but can only provide part of the prevention needed. This section examines additional preventive measures. Self-regulation by the card issuers should provide the basis for prevention, requiring a code of conduct and a voluntary security certification system, both of which are to be established by the industry. The government should stimulate the development of the code of conduct and of the security certification system.
If the multifunctional smartcard contains an identification function, extra preventive measures are required:
a) With regard to cards with a contractual pseudo-identification function, the government should facilitate the personalisation of smartcards by means of compulsory identification for card issuers, the obligation to submit proof of identity for potential cardholders at the moment of card issue and the legal right of card issuers to check the validity of a submitted identification document.
b) With regard to multifunctional smartcards with a general identification function, the government should introduce a licensing system with direct supervision geared to preventing false and double electronic identities in society.
The more risks that the use of a certain smartcard throws up, the greater the efforts of the card issuers, application controllers and the government will have to be in limiting or preventing them. This concept is represented in diagram 1.
card category • self-regulation • self-regulation
• identification obligation for card issuers; obligation to submit proof of identity for card holders; for card issuers a legal right to check the validity of a submitted proof of identity • self-regulation
• identification obligation for card issuers; obligation to submit proof of identity for card holders; for card issuers a legal right to check the validity of a submitted proof of identity
• licence system and government supervision of the issuing process
I impersonal cards light regime
prepaid phonecard, prepaid non-loada¬ble electronic purse (gift voucher), prepaid GSM-card
II personalised cards with a contractual
(pseudo-)identity function
(not to be used by third parties) normal regime
PIN-card, loadable electronic purse, GSM-card, asylum seekers identity card, city card (with or without biometrics)
III personalised cards with a
general identity function
(intended for use by third parties) heavier regime
city card with personalised biometrics intended for general use, aliens identity card, electronic driving licence
7. The identity chain
As mentioned in section 2, it is only possible to properly ascertain a person's identity by means of an identity investigation if the person himself is involved. This process is entrusted only to a few authorities and is not conducted systematically, and often only in special cases. All other ways of establishing a person's identity amount to verifications in which we ascertain whether personal details are consistent with other - usually administrative - personal details. In most cases the authorities that carry out these verifications do not have the authority, instruments and knowledge to carry out that verification. This is not a strong starting point in combating identity fraud.
The product 'identity' comes about in a chain consisting of a number of actions that each lead to an interim product, which then is used by the following link in the chain. A legal, general identity document is made on the basis of a source document; and this can be taken in turn to personalise a contractual pseudo-proof of identity (a bank pass, for instance), which in turn can be used for a transaction (e.g. remitting payment, gaining access or having the pseudo identity checked). The quality of the end product 'identity' can be adversely affected in each of those links, but problems at the beginning of the chain are the most disruptive: once wrongly identified, always wrongly verified! A chain approach is therefore desirable for locating weak spots in the identity chain and establishing the priorities of improvement actions.
The chain approach is also suitable for highlighting the fact that new identities and fraud can come about at each link in the chain. A new Dutch identity can be created in the Netherlands with a legal identity document based on a fake or forged foreign document. With a forged legal Dutch identity document a new pseudo-identity can be acquired (e.g. a bank pass with a pincode), and with a forged or counterfeited (electronic) pseudo proof of identity a fraudulent transaction can be made. This is outlined in diagram 2.
In the bottom section of the columns in the diagram the subsequent links (stages) of the identity chain are shown (bold printing):
1 source documents (domestic and foreign)
2 legal general identity documents (domestic and foreign)
3 contractual identity documents (smartcards included) or identifying numbers
(domestic and foreign)
4 transaction (e.g. a legal act, an access or a payment)
In the top of the columns the sources required are indicated (normal printing), while in the middle section of the diagram the competencies and powers and the required knowledge and skills are listed (italic printing). These knowledge, details, skills, authority and instruments are needed to prevent the process from turning into a ritual.
There are problems inherent to each link in the above chain ; the following is a brief summary.
tools, knowledge and skills
required • Collections of models and of counterfeits of source and identity documents;
• Knowledge of do¬mes¬tic and foreign source and identity docu¬ments, and of their counterfeits
• Support in verify¬ing source and identity documents (including foreign ones)
• Collections of models and of counterfeits of source and identity documents;
• Knowledge of do¬mes¬tic and foreign source and identity docu¬ments, and of their counterfeits
• Support in verify¬ing source and identity documents (including foreign ones)
• base registers (persons, documents, cards)
• public verification registers of items not to be used for proof of identity
• support when verifying identity documents (also foreign ones) • verification registers of blocked documents and cards
• pattern recognition of transactions
authority
and capacity
required a) Authority to carry out identity investi¬ga¬tion;
b) Capacity for identity investiga¬tion;
a) Authority to carry out identity investigation;
b) Capacity for identity investigation;
c) Government control of the process of issue a) Card or number issuer:
• Compulsory identification
• Authority to:
a. ask for proof of identity
b. check the validity of a proof of identity.
b) Card or number holder:
• Compulsory iden¬tification for those involved. Security checks during transaction:
a) verification of pseudo-identities (PIN or biometric personal detail)
b) authentication of technical means or documents (e.g. smartcard and card reader)
links in the identity chain 1
source document
==> 2
legal identity document for general use
==> 3
contractual (pseudo-) identity document or personal number
==> 4
transaction
examples birth certificate passport, driving licence, aliens
identity card PIN card, asylum seekers identity card, tax and social insurance number (SoFi-nr) payment, access,
authorisation
Link 1 Source document
Source documents such as birth certificates can be based on a new fact, another (foreign or domestic) source document and on (foreign or domestic) legal identity documents of the people involved.
In contrast with the very few legal identity documents, there are many source documents, mostly of local origin with numerous variations depending on time and place.
Tools:
In the Netherlands, the available knowledge about models of valid foreign source documents and collections of counterfeit foreign source documents is limited and spread out over many specialised authorities, each of them focused on its own particular set of relevant documents. The same holds true for the available knowledge about models of valid foreign identity documents and collections of their counterfeits. See the remarks about knowledge of documents and co-ordination with regard to the subsequent link 2.
Link 2 Legal identity document for general use
Dutch legal identity documents (passport, driving licence, aliens identity card) are based on an identity investigation during which Dutch or foreign source documents, available personal details and foreign or domestic legal identity documents are scrutinised.
Source documents and legal identity documents (link 1 and link 2) can in practice be mutually dependant: a source document can be used in the process of issuing a legal identity document, while this legal identity document in turn can be used to draw up another source document. Undetected forgeries and other errors made in the first two links of the identity chain can have a considerable impact on subsequent links. Bearing in mind this interdependence, the following remarks about co-ordination and knowledge of documents are relevant to the previous link, too.
Knowledge and co-ordination:
In the Netherlands, the available knowledge about models of source and legal identity documents and collections of their counterfeits are spread out over many specialised authorities. To combat identity fraud in an information society, more co-ordination is needed. A whole range of public authorities and private organisations must be given the available knowledge they need in good time. A national co-ordinating centre from which the exchange of knowledge and related information can be improved would make electronic and physical collections of models and their counterfeits more effective. This centre can organise courses on important aspects calling upon the relevant experts. The centre can also stimulate and support research projects and information gathering. In the long run the national centres in the EU can develop information exchange and support on a larger scale. The various authorities seem perfectly willing to co-operate, but it is difficult to bring about more intensive co-operation and a national centre on the initiative of only one of the parties. What is lacking is a neutral, authoritative 'sponsor'.
Capacity:
The increase in mobility and electronic transactions is placing this link of the identity chain under pressure. The legally established authorities that carry out identity investigations (the police, the alien police and the registry of births, deaths and marriages) have very limited capacity to do so. This activity should be given a higher priority and more capacity. A review of the legal structure for identity investigations (number of authorities), their capacities and their procedures is desirable.
Procedures:
Additional problems are generated by procedural shortcomings. Documents which are no longer valid are not taken out of circulation, thus leaving a huge inventory of raw material for counterfeiters. People are not encouraged to notify without delay the authorities of a missing passport to prevent it being used by somebody else. They are obliged to get an official police report and to pay for a new passport. They tend therefore to postpone its replacement until a trip abroad makes the replacement urgent. In this way an enormous number of valid missing or stolen passports are readily available for fraudulent purposes. When identity documents are lost or stolen, new documents must be issued without the previous document. The risk of a mistaken identity can be effectively reduced by biometrics. Voluntary use of biometrics should be considered as part of the issuing process of a legal identity document even if the identity document itself makes no use of the biometric characteristic.
With regard to the enormous quantity of free floating identity documents available for fraud it is a tantalising option to remove in one go all identity documents floating around in the black and grey circuit by making it compulsory to exchange them within a very short period.
Link 3 Contractual (pseudo-)identity document or personal number
Contractual documents and smartcards with a pseudo-identity function abound. Examples are payment cards and membership documents. Personal identifying numbers are used in an even greater number. In the public administration we see a Justice number, an education number, a welfare number, a health care number, to name just a few. In private life, too, numbers are used in all formats and types. Think of your bank, grocer, library or employer. Some of these documents and numbers are more important than others. It would therefore be desirable to extend the Dutch compulsory identification and proof of identity only to socially important contractual documents and smartcards with a pseudo-identity function and to personal identifying numbers. At present, the Compulsory Identification Act (1993) only applies to the tax and social insurance number (SoFi-nr).
Tools:
'Bare' public verification registers are needed to verify the validity of legal (Dutch) identity documents. That will only work out well if the holder of a legal identity document can temporarily block its use for identification purposes. At the moment, this is not possible.
Authorities:
Issuers of socially important contractual documents and smartcards with a pseudo-identity function and of personal identifying numbers should be legally obliged to check their client’s identities, who must be obliged to present proof of identity. The issuer should then be able, practically and legally, to check whether the proof of identity has been blocked for any reason.
Capacity:
This improvement of the quality of the work done in link 3 of the identity chain will only be worthwhile if the capacity available for identity investigations is enlarged.
Link 4 Transaction
In this link of the identity chain, tools and authority to verify a person’s (pseudo-)¬identity or personal identifying number must be there to cash in the value of the chain’s product “identity”. The same holds for the authentication of documents and equipment.
In this link the problem arises that in electronic environments all verifications of a person’s identity are based on techniques that are not person-based. Biometrics can provide person-based verification techniques. Promoting the use of anonymous biometric personal identification in vulnerable social situations is therefore important.
The most important drawback in this link is fall-back options present in any verification procedure. If the process doesn’t work properly, people tend to fall back on old procedures of visual inspecting any given document. Insiders know how easily the human mind sees what it expects to see and how difficult it is to distinguish between look-alikes.
8. An improvement programme for the Dutch identity chain
The following measures are needed for a chain-wide improvement programme for identification management:
Link 1
1. A national expertise centre for source and identity documents (foreign and domestic) from which better co-ordination can be achieved and the available information can more effectively be made available to public authorities and private organisations. The exchange of knowledge, collections and related information in the European Union can also be promoted from this centre.
Link 2
2. A review of the legal structure relating to identity investigations with the aim of expanding the capacity for identity investigations and making them more accessible to the authorities involved.
3. The systematic withdrawal of all legal identity documents that have become invalid from society (collect and destroy); remove in one go all identity documents floating around in the black and grey circuit by making it compulsory to exchange them within a very short period.
4. Use of voluntary biometric personal verification in the procedures for issuing legal identity documents (most effective following the clean-up operation called for in the previous point). To promote the voluntary use of biometrics the replacement of the first missing or stolen document could be made faster, cheaper and easier (no official police report for instance).
Link 3
5. Extension of the existing compulsory identification and proof of identity for socially important smartcards with a pseudo-identity function and for important personal identifying numbers (whether or not with the use of chipcards).
6. Evaluation of the effect of the Compulsory Identification Act (1993) in practice.
7. Extension of the ability to verify the validity of legal Dutch identity documents with 'bare' public verification registers.
8. Verification registers for socially important smartcards with an identity function.
Link 4
9. Promoting the use of anonymous biometric verification of a person’s identity in vulnerable social situations.
The Hague
September 1998
the case for a chain approach
by Jan Grijpink
Abstract
Two new developments in information technology will have a profound effect on the identity issue in our society: multifunctional smartcards and biometrics. The widespread use of chipcards will in the future facilitate electronic identities and identity documents. This places identity fraud in a new light because multi¬functional smartcards make it possible to provide a false identity or pseudo-identity that is difficult to detect during transactions. The fact that identity fraud often forms part of other (serious and organised) crime makes this situation particularly trying.
The new information technology not only poses threats, it also provides new weapons in the fight against identity fraud. Recognition of personal biometric characteristics makes security in physical and electronic environments truly person-based and can prevent identity fraud. The current verification techniques used to ascertain a person's identity are not person-related. Passwords and Pincodes can be passed on to others, so that knowledge of the number leads only to the presumption of involvement. In an information society, a weak form of ascertaining people's identity such as this will increasingly fall short when the law requires indisputably established personal involvement. Consider for example a summons, a penal provision to a person, a contract, a government order: they are legally invalid or ineffective when the person(s) concerned cannot be established with certainty. In a strategic alliance biometrics and chipcards can be a powerful weapon for card holders and issuers in the fight against identity fraud and other misuse of cards. But we must then regard identity as the product of a chain in which hundreds of organisations co-operate in preventing identity fraud. This memorandum outlines this identity chain and highlights a number of important shortcomings in the Dutch identity chain as it stands today. To conclude, an outline will be given of an improvement programme.
Contents:
Identity as a social issue
Identifying, verifying and some related concepts
The multifunctional smartcard and identity
A person’s identity and biometrics
Smartcard and biometrics: a strategic alliance against identity fraud
Prevention of identity fraud
The identity chain
An improvement programme for the Dutch identity
1. Identity as a social issue
There are countless moments in everyday life when it is necessary to know who somebody is or to ascertain whether an identity document being presented is genuine and unaltered. The same question arises regarding documents in general and numbered goods and uniquely identifiable equipment. In an information society identity issues take on an entirely new dimension.
Scott Charny, head of the Computer Crime and Intellectual Property Section of the Ministry of Justice in the US: “ On the Internet there is an absence of biometric proof, there are no characteristics that are unique to a person [...] Users are virtually anonymous. [...] The world of commerce is all for digital signatures, a password in combination with a mathematical formula, an encryption algorithm. That's all very well for commerce, but useless for investigation purposes because a person's digital signature can easily be found by other people using the same computer [...] Criminals would then be able to claim that their digital signature was used by somebody else.”
The widespread use of chipcards will facilitate electronic identities and identity documents, with all the accompanying known and as yet unknown forms of misuse and fraud , . Identity fraud is not a new phenomenon. A recent book about identity falsification from the Crime Investigation study series: "Various analyses conducted in recent years by the police together with the Central Criminal Information Department have shown that the use of false or forged identity documents has assumed sizeable dimensions." . The new information technology not only poses threats, it also provides new weapons in the fight against identity fraud. Recognition of biometric personal characteristics make security in physical and electronic environments truly person-based and can prevent identity fraud. None of the methods used up to now has achieved that.
These developments justify reviewing the way in which we approach the phenomenon of identity. The chain approach offers a suitable starting point for this review. The identity chain can be viewed as a number of consecutive actions and interim products that make it possible to ascertain, register and then verify an identity or an identity document within the context of everyday life, a legal act or an electronic transaction. There are however already so many imperfections in the Dutch identity chain that an integral, chain-wide improvement programme seems necessary, preferably before electronic identities slip through our fingers. This memorandum was drawn up against this background.
2. Identifying, verifying and some related concepts
Identifying
Ascertaining who somebody actually is is what we call identification. Identification requires research. An important aspect of identification is that the person is actually present. The appearance of a person can then be compared accurately with a photo in his passport; the identifying personal details in that passport must in turn correspond to those in his birth certificate. It is sometimes necessary to compare physical personal characteristics (fingerprints, DNA profile, etc.). Documents and devices must also be available in their original form so that their authenticity can be ascertained. In the Netherlands, there is neither a general obligation to prove one’s identity nor a general authority to ascertain someone’s identity . According to Dutch law, the power to investigate a person's identity is reserved to only a few public authorities, the police in particular, the Aliens Police and the registrar of births, deaths and marriages , their power being limited by law. Their identity investigations for criminal and non-criminal use are essential because verification procedures without good quality prior identification are not resistant to malicious intent. The anticipated flood of electronic identity documents will lead to extra pressure being exerted on these few public bodies that are allowed to investigate people's identity.
Verifying
Other bodies and organisations (public and private) are only allowed to verify a person's identity. In comparison with identification, however, verification is of a different order. One does not investigate who a person is, but merely ascertains that two details relate to the same person. Personal numbers and identifying personal details are usually compared for this purpose. Even if a person can be directly compared with his photo on an identity card, this verification cannot however ever provide certainty that the person in question is actually what he claims to be. Unfortunately, people are not generally aware of this limitation, so that verification is in practice often put on par with identification. Wrongly so.
Verification is generally sufficient for legal acts in private law. If a bank agrees to give somebody credit, it is then sufficient to ask for proof of identity and to check the validity of the proof of identity shown. By means of simple verification registers private organisations can see whether the proof of identity bears any irregularities. They do not have to know what is wrong with the proof of identity. Neither does the verification register give any information about the identity of person holding the proof of identity: it ascertains the soundness of the document, not the person of the holder. This limited information can therefore be used for all sorts of social purposes. In the near future all organisations that are legally obliged to check a person's identity will be able in legal and practical terms to check the soundness of the proof of identity shown. At the moment this is not yet the case. If the Dutch policy in this matter remains unchanged, organisations depending on voluntary verification of identity will not be able in legal and practical terms to check the soundness of the proof of identity shown. Unfortunately, most issuers of smartcards with an identity function belong to this category of organisations. This is a major threat to the prevention of identity fraud. Verification is generally sufficient for legal acts in private law even if a person’s identity is wrong as long as it is accepted by the parties involved. As soon as a person’s identity is disputed by one of the parties who then discovers that the presumed identity is mistaken or frauded, verification is no longer sufficient for legal acts in private law.
Verification in criminal law is never sufficient. The police are expected to ascertain beyond dispute the identity of a person involved when a criminal offence comes to light. If errors are made in this process, the judicial intervention runs aground further on in the criminal law enforcement chain. A case in point here is the question of undeliverable legal documents sent by registered mail. It frequently turns out that the person involved has given the police a false name without their realising it. An erroneous identification cannot be later rectified by means of verification. It is only if the police have conducted a successful identification at the beginning of the criminal law enforcement chain that other bodies can make do with verifications in subsequent processes.
Proving one’s identity
People prove their identity by showing identity documents on the basis of which their identity can be verified. This verification process can also form part of a more extensive investigation by which a person's true identity is eventually ascertained.
Authentification
The above analysis is applicable by analogy to documents, chipcards and devices such as card readers. Multifunctional chipcards and card readers have advanced authentication means. A document, a chipcard or a device can have a unique identifying number. We therefore see that documents, chipcards and devices can - just like people - have an identity of their own. For the verification of the identity of a document, a chipcard or a device we use the term 'authentication', i.e. making something legally valid or recognising it as truly genuine. There are advanced ways of verifying the identity of multifunctional smartcards and card readers (encrypted handshaking with asymmetrical keys, for instance). But technology is not the only determining factor. Means of authentication are frequently not applied in day-to-day practice.
3 The multifunctional smartcard and identity
Many applications in a multifunctional smartcard need to ascertain whether the person using this particular function of the card is authorised to do so. For this purpose the card needs a function with which a person can be recognised. This is what we call an identity function. Some smartcards are intended for anonymous use. In such cases, the card does not have an identity function. Other smartcards are intended for identity purposes only: the identity function is then the main application in the smartcard.
Smartcards will introduce new electronic identities and new electronic proof of identity. However, not every smartcard has an identity function and the scope of a card’s identity function, if present, differs. Three card categories can be distinguished . Any smartcard can be classified under one of these three cate¬gories on the basis of the card's identity function:
I. Impersonal anonymous smartcards, such as prepaid cards, non-loadable chipcards, prepaid phonecards, non-personal customer cards, prepaid non-load¬a¬¬ble electronic purses (gift vouchers) or prepaid GSM-cards. If a password can be used for 'opening and closing' an impersonal card or an application in it, these codes are anony¬mous, known only to the cardholder himself and not to the card issuer or a third party. Anonymous is not a synonym for unsecured, as you can see.
II. Smartcards with a contractual (pseudo-)identity function: personal cards which do reveal a person’s true identity only to the card issuer, not to somebody else. Examples are the Dutch payment card (PIN-card), the loadable electronic purse, the GSM-card, the asylum seekers identity card and before long the Dutch municipal city card (with or without biometrics). While the card can be of an anonymous nature to third parties, the card issuer must know the correct identity of the cardholder at least at the moment of card issue. In later transactions with the card, third parties usually only need to know whether the person involved is the authorised person. The person's true identity does not affect the transaction, so any number (PIN) or nickname will do.
III. Smartcards with a general identity function for third parties: personal cards which serve as an electronic proof of identity to be used by third parties, e.g. city card with personalised biometrics intended for general use, the Dutch aliens identity card and in the future perhaps also the electronic driving licence. The most important difference with card category II is that a third party at any later transaction or other use of the card wants to know precisely who a particular person really is. It is not sufficient to know that the person is the same as the authorised person, nor is it sufficient to establish someone’s true identity only at the moment of card issue.
In the course of time, a smartcard may shift to a different category when at a later stage a function is added which affects the identity function of the smartcard.
The importance of the multifunctional smartcard for identity issues goes hand in hand with the ability to acquire a new electronic identity with the card's identity function or to be able to pass oneself off as somebody else. It will be difficult to detect this new identity or double later because person recognition techniques in use are generally not person-based. Examples include passwords, Pincodes and signatures. Information technology does of course make it possible to analyse person-based characteristics for a true person recognition. But these biometric techniques are still only being used to a limited extent. The issue of biometric person recognition is discussed in the following section.
4 A person’s identity and biometrics
Important questions, such as which law is applicable, who are the parties, what has happened, etc., cannot be answered if it is not possible to ascertain who has carried out the (legal) act. These civil and criminal proof problems go hand in hand with the nature of electronic signals, which are not connected to physical persons, places and (local) times and leave no traces behind. In an electronic environment, (legal) acts and criminal behaviour must therefore be 'pinned down' artificially, so to speak. To give an example: an e-mail is regarded as having originated from the holder of the password with which the message was sent. But that is not of course necessarily the case, when a PO Box or a password are used jointly for instance. If, as in this example, we wish to avoid the excessive use of legal fictions or presumptions in electronic legal transactions, we need reliable verification of persons and authentication of documents, devices and electronic transactions. The authentication of electronic transactions cannot take place without the reliable verification of the natural person who is acting. The customary pincode protection does not verify a person’s identity but merely performs an administrative verification of a person-unrelated number. To verify somebody’s identity this needs to be done on the basis of a unique biometric personal characteristic (e.g. the shape of the palm of a hand or a dynamic signature), the owner of which has been reliably identified in advance. An electronically verified identity is thus given the required indisputable character.
The biometric recognition works as follows. At the moment that the card issuer allocates the chipcard to a person (this is known as personalisation), the shape of the palm of the recipient's hand can for example be converted with an algorithm into a number (this is called a template). That number is registered in the chipcard instead of a picture of the palm of the hand . If the same algorithm is repeated later, the two numbers can be directly compared. The safest way of doing this is to compare the numbers in the chipcard itself, not in the card reader. This makes it more difficult to imitate a verification. But in neither of the two cases can the real shape of the palm of the hand be retrospectively calculated from the number. Because it is only possible to establish a person's identity indisputably by means of a person-based characteristic, biometrics plays a major role in the fight against identity fraud.
Why is such little use being made of biometrics? One of the reasons is its lack of familiarity. The information technology needed for this was only recently developed. There are also prejudices against biometrics. The position of the fingerprint in criminal law enforcement is not conducive to the use of biometrics in ordinary legal processes. There are also uncertainties about its legal permissibility. Many view person-based biometric characteristics as ‘personal details’ in the sense of the privacy legislation. They therefore feel that biometric person recognition is subject to considerable limitations. To understand the social significance of biometrics, it is therefore important to make a distinction between a person-based detail and a personal detail (= a detail that can be traced back to a person). A biometric personal characteristic is by definition person-based (= derived from the body), but is not necessarily a detail that can be traced back to the person. A separate biological characteristic without further references, for instance, cannot be considered a personal detail as long as it can only be traced back to a person with disproportionate effort. To give an example: used glasses in a pub are covered in fingerprints, but there is little point in tracing back a fingerprint to a customer who can no longer be found. The specific laws and regulations with regard to personal details are therefore not applicable to a separate biometric detail of this nature. Biometric verification of a person’s identity using such a biometric template is therefore freely applicable . If, however, biometric details are related to other identifying personal details, they do form personal details within the scope of the privacy legislation. When using these biometric details the primary aim of the data processing determines what is legally permissible. There are special regimes for sensitive personal details, especially for those revealing a person's race or ethnic origin .
In actual practice we therefore see that in most EU-countries there are no legal obstacles to using separate biometric templates, e.g. a biometric number in combination with a number without further references. This can be regarded as anonymous biometrics. Storing and using a biometric template on a multifunctional smartcard for off-line verification is possible without restrictions. That is very important because this anonymous biometric verification of a person’s identity can easily be used in all sorts of situation for which it is sufficient to establish during a transaction that the person conclusively is the same as the authorised or expected person. That is usually the case. It can therefore be expected that the application of anonymous biometrics will gain momentum as soon as its possibilities become more familiar. The technology is available and the costs are low.
5 Smartcard and biometrics: strategic alliance against identity fraud
Biometrics can be used without a chipcard, either controlled by a remote information system (on-line) or stand alone locally (off-line). The biometric characteristic is then linked to a pincode or a random number. When used with a chipcard the link with a number is not needed. The biometric number calculated on site is compared directly with the number stored in the chipcard.
The chipcard facilitates off-line anonymous biometric verification of a person’s identity, both inside and outside of the card. 'Inside' means making a chipcard unusable to anyone other than its holder by means of an internal biometric security system, which also prevents others from using the card's identity function. 'Outside' the chipcard refers to a large number of verification variants within the scope of authorisation and access, in which the biometric number calculated on site is compared locally off-line with the number stored in the chipcard. The person’s true identity is kept hidden from third parties, so that no harm is done to the card's pseudo-identity function. Only the card issuer knows who the holder really is. The locally calculated biometric number remains anonymous to others, because it cannot be traced back to a person. For this purpose, it is necessary to ensure that a biometric characteristic is not linked to personal details that can be recognised by third parties, for instance on the exterior of the smartcard. The card holder thus enjoys the benefit of the extra person-based protection of his biometric characteristic whilst remaining anonymous to others. Anonymous biometrics places a powerful weapon in the hands of card holders and issuers that they can use to combat identity fraud and the misuse of the smartcard.
6. Prevention of identity fraud
Biometrics contributes to secure multifunctional smartcards, but can only provide part of the prevention needed. This section examines additional preventive measures. Self-regulation by the card issuers should provide the basis for prevention, requiring a code of conduct and a voluntary security certification system, both of which are to be established by the industry. The government should stimulate the development of the code of conduct and of the security certification system.
If the multifunctional smartcard contains an identification function, extra preventive measures are required:
a) With regard to cards with a contractual pseudo-identification function, the government should facilitate the personalisation of smartcards by means of compulsory identification for card issuers, the obligation to submit proof of identity for potential cardholders at the moment of card issue and the legal right of card issuers to check the validity of a submitted identification document.
b) With regard to multifunctional smartcards with a general identification function, the government should introduce a licensing system with direct supervision geared to preventing false and double electronic identities in society.
The more risks that the use of a certain smartcard throws up, the greater the efforts of the card issuers, application controllers and the government will have to be in limiting or preventing them. This concept is represented in diagram 1.
card category • self-regulation • self-regulation
• identification obligation for card issuers; obligation to submit proof of identity for card holders; for card issuers a legal right to check the validity of a submitted proof of identity • self-regulation
• identification obligation for card issuers; obligation to submit proof of identity for card holders; for card issuers a legal right to check the validity of a submitted proof of identity
• licence system and government supervision of the issuing process
I impersonal cards light regime
prepaid phonecard, prepaid non-loada¬ble electronic purse (gift voucher), prepaid GSM-card
II personalised cards with a contractual
(pseudo-)identity function
(not to be used by third parties) normal regime
PIN-card, loadable electronic purse, GSM-card, asylum seekers identity card, city card (with or without biometrics)
III personalised cards with a
general identity function
(intended for use by third parties) heavier regime
city card with personalised biometrics intended for general use, aliens identity card, electronic driving licence
7. The identity chain
As mentioned in section 2, it is only possible to properly ascertain a person's identity by means of an identity investigation if the person himself is involved. This process is entrusted only to a few authorities and is not conducted systematically, and often only in special cases. All other ways of establishing a person's identity amount to verifications in which we ascertain whether personal details are consistent with other - usually administrative - personal details. In most cases the authorities that carry out these verifications do not have the authority, instruments and knowledge to carry out that verification. This is not a strong starting point in combating identity fraud.
The product 'identity' comes about in a chain consisting of a number of actions that each lead to an interim product, which then is used by the following link in the chain. A legal, general identity document is made on the basis of a source document; and this can be taken in turn to personalise a contractual pseudo-proof of identity (a bank pass, for instance), which in turn can be used for a transaction (e.g. remitting payment, gaining access or having the pseudo identity checked). The quality of the end product 'identity' can be adversely affected in each of those links, but problems at the beginning of the chain are the most disruptive: once wrongly identified, always wrongly verified! A chain approach is therefore desirable for locating weak spots in the identity chain and establishing the priorities of improvement actions.
The chain approach is also suitable for highlighting the fact that new identities and fraud can come about at each link in the chain. A new Dutch identity can be created in the Netherlands with a legal identity document based on a fake or forged foreign document. With a forged legal Dutch identity document a new pseudo-identity can be acquired (e.g. a bank pass with a pincode), and with a forged or counterfeited (electronic) pseudo proof of identity a fraudulent transaction can be made. This is outlined in diagram 2.
In the bottom section of the columns in the diagram the subsequent links (stages) of the identity chain are shown (bold printing):
1 source documents (domestic and foreign)
2 legal general identity documents (domestic and foreign)
3 contractual identity documents (smartcards included) or identifying numbers
(domestic and foreign)
4 transaction (e.g. a legal act, an access or a payment)
In the top of the columns the sources required are indicated (normal printing), while in the middle section of the diagram the competencies and powers and the required knowledge and skills are listed (italic printing). These knowledge, details, skills, authority and instruments are needed to prevent the process from turning into a ritual.
There are problems inherent to each link in the above chain ; the following is a brief summary.
tools, knowledge and skills
required • Collections of models and of counterfeits of source and identity documents;
• Knowledge of do¬mes¬tic and foreign source and identity docu¬ments, and of their counterfeits
• Support in verify¬ing source and identity documents (including foreign ones)
• Collections of models and of counterfeits of source and identity documents;
• Knowledge of do¬mes¬tic and foreign source and identity docu¬ments, and of their counterfeits
• Support in verify¬ing source and identity documents (including foreign ones)
• base registers (persons, documents, cards)
• public verification registers of items not to be used for proof of identity
• support when verifying identity documents (also foreign ones) • verification registers of blocked documents and cards
• pattern recognition of transactions
authority
and capacity
required a) Authority to carry out identity investi¬ga¬tion;
b) Capacity for identity investiga¬tion;
a) Authority to carry out identity investigation;
b) Capacity for identity investigation;
c) Government control of the process of issue a) Card or number issuer:
• Compulsory identification
• Authority to:
a. ask for proof of identity
b. check the validity of a proof of identity.
b) Card or number holder:
• Compulsory iden¬tification for those involved. Security checks during transaction:
a) verification of pseudo-identities (PIN or biometric personal detail)
b) authentication of technical means or documents (e.g. smartcard and card reader)
links in the identity chain 1
source document
==> 2
legal identity document for general use
==> 3
contractual (pseudo-) identity document or personal number
==> 4
transaction
examples birth certificate passport, driving licence, aliens
identity card PIN card, asylum seekers identity card, tax and social insurance number (SoFi-nr) payment, access,
authorisation
Link 1 Source document
Source documents such as birth certificates can be based on a new fact, another (foreign or domestic) source document and on (foreign or domestic) legal identity documents of the people involved.
In contrast with the very few legal identity documents, there are many source documents, mostly of local origin with numerous variations depending on time and place.
Tools:
In the Netherlands, the available knowledge about models of valid foreign source documents and collections of counterfeit foreign source documents is limited and spread out over many specialised authorities, each of them focused on its own particular set of relevant documents. The same holds true for the available knowledge about models of valid foreign identity documents and collections of their counterfeits. See the remarks about knowledge of documents and co-ordination with regard to the subsequent link 2.
Link 2 Legal identity document for general use
Dutch legal identity documents (passport, driving licence, aliens identity card) are based on an identity investigation during which Dutch or foreign source documents, available personal details and foreign or domestic legal identity documents are scrutinised.
Source documents and legal identity documents (link 1 and link 2) can in practice be mutually dependant: a source document can be used in the process of issuing a legal identity document, while this legal identity document in turn can be used to draw up another source document. Undetected forgeries and other errors made in the first two links of the identity chain can have a considerable impact on subsequent links. Bearing in mind this interdependence, the following remarks about co-ordination and knowledge of documents are relevant to the previous link, too.
Knowledge and co-ordination:
In the Netherlands, the available knowledge about models of source and legal identity documents and collections of their counterfeits are spread out over many specialised authorities. To combat identity fraud in an information society, more co-ordination is needed. A whole range of public authorities and private organisations must be given the available knowledge they need in good time. A national co-ordinating centre from which the exchange of knowledge and related information can be improved would make electronic and physical collections of models and their counterfeits more effective. This centre can organise courses on important aspects calling upon the relevant experts. The centre can also stimulate and support research projects and information gathering. In the long run the national centres in the EU can develop information exchange and support on a larger scale. The various authorities seem perfectly willing to co-operate, but it is difficult to bring about more intensive co-operation and a national centre on the initiative of only one of the parties. What is lacking is a neutral, authoritative 'sponsor'.
Capacity:
The increase in mobility and electronic transactions is placing this link of the identity chain under pressure. The legally established authorities that carry out identity investigations (the police, the alien police and the registry of births, deaths and marriages) have very limited capacity to do so. This activity should be given a higher priority and more capacity. A review of the legal structure for identity investigations (number of authorities), their capacities and their procedures is desirable.
Procedures:
Additional problems are generated by procedural shortcomings. Documents which are no longer valid are not taken out of circulation, thus leaving a huge inventory of raw material for counterfeiters. People are not encouraged to notify without delay the authorities of a missing passport to prevent it being used by somebody else. They are obliged to get an official police report and to pay for a new passport. They tend therefore to postpone its replacement until a trip abroad makes the replacement urgent. In this way an enormous number of valid missing or stolen passports are readily available for fraudulent purposes. When identity documents are lost or stolen, new documents must be issued without the previous document. The risk of a mistaken identity can be effectively reduced by biometrics. Voluntary use of biometrics should be considered as part of the issuing process of a legal identity document even if the identity document itself makes no use of the biometric characteristic.
With regard to the enormous quantity of free floating identity documents available for fraud it is a tantalising option to remove in one go all identity documents floating around in the black and grey circuit by making it compulsory to exchange them within a very short period.
Link 3 Contractual (pseudo-)identity document or personal number
Contractual documents and smartcards with a pseudo-identity function abound. Examples are payment cards and membership documents. Personal identifying numbers are used in an even greater number. In the public administration we see a Justice number, an education number, a welfare number, a health care number, to name just a few. In private life, too, numbers are used in all formats and types. Think of your bank, grocer, library or employer. Some of these documents and numbers are more important than others. It would therefore be desirable to extend the Dutch compulsory identification and proof of identity only to socially important contractual documents and smartcards with a pseudo-identity function and to personal identifying numbers. At present, the Compulsory Identification Act (1993) only applies to the tax and social insurance number (SoFi-nr).
Tools:
'Bare' public verification registers are needed to verify the validity of legal (Dutch) identity documents. That will only work out well if the holder of a legal identity document can temporarily block its use for identification purposes. At the moment, this is not possible.
Authorities:
Issuers of socially important contractual documents and smartcards with a pseudo-identity function and of personal identifying numbers should be legally obliged to check their client’s identities, who must be obliged to present proof of identity. The issuer should then be able, practically and legally, to check whether the proof of identity has been blocked for any reason.
Capacity:
This improvement of the quality of the work done in link 3 of the identity chain will only be worthwhile if the capacity available for identity investigations is enlarged.
Link 4 Transaction
In this link of the identity chain, tools and authority to verify a person’s (pseudo-)¬identity or personal identifying number must be there to cash in the value of the chain’s product “identity”. The same holds for the authentication of documents and equipment.
In this link the problem arises that in electronic environments all verifications of a person’s identity are based on techniques that are not person-based. Biometrics can provide person-based verification techniques. Promoting the use of anonymous biometric personal identification in vulnerable social situations is therefore important.
The most important drawback in this link is fall-back options present in any verification procedure. If the process doesn’t work properly, people tend to fall back on old procedures of visual inspecting any given document. Insiders know how easily the human mind sees what it expects to see and how difficult it is to distinguish between look-alikes.
8. An improvement programme for the Dutch identity chain
The following measures are needed for a chain-wide improvement programme for identification management:
Link 1
1. A national expertise centre for source and identity documents (foreign and domestic) from which better co-ordination can be achieved and the available information can more effectively be made available to public authorities and private organisations. The exchange of knowledge, collections and related information in the European Union can also be promoted from this centre.
Link 2
2. A review of the legal structure relating to identity investigations with the aim of expanding the capacity for identity investigations and making them more accessible to the authorities involved.
3. The systematic withdrawal of all legal identity documents that have become invalid from society (collect and destroy); remove in one go all identity documents floating around in the black and grey circuit by making it compulsory to exchange them within a very short period.
4. Use of voluntary biometric personal verification in the procedures for issuing legal identity documents (most effective following the clean-up operation called for in the previous point). To promote the voluntary use of biometrics the replacement of the first missing or stolen document could be made faster, cheaper and easier (no official police report for instance).
Link 3
5. Extension of the existing compulsory identification and proof of identity for socially important smartcards with a pseudo-identity function and for important personal identifying numbers (whether or not with the use of chipcards).
6. Evaluation of the effect of the Compulsory Identification Act (1993) in practice.
7. Extension of the ability to verify the validity of legal Dutch identity documents with 'bare' public verification registers.
8. Verification registers for socially important smartcards with an identity function.
Link 4
9. Promoting the use of anonymous biometric verification of a person’s identity in vulnerable social situations.
The Hague
September 1998
