Indonesia to introduce bio metric passports

Adi Tedjasaputra, Singapore

Biometric passports have recently been touted as cutting-edge technology able to prevent travel document forgery using a secure authentication process. These passports carry digital data about the physical characteristics of their respective holders, such as face shape and fingerprints. These physical characteristics, and their combinations, are the parameters or the determining factors in an authentication process known as biometric authentication.

Before the biometric authentication process can be performed, a recording process that transforms human physical characteristics into digital biometric data, or a biometric signature, is required to set an authentication reference. These digital data are usually encrypted and stored in a Radio Frequency Identification (RFID) chip embedded or inserted into each biometric passport.

During the biometric passport authentication process, a passport-reading machine will read the biometric data stored in the RFID chip. After a successful contactless access, the data retrieved from the chip will then be authenticated against the initial, presumably genuine, biometric data stored in a database. In addition, a physical authentication process can also be integrated to increase the trustworthiness of the authentication process.

Most countries in the world are currently implementing or planning to adopt biometric passports for security purposes, including Indonesia.

As the world’s fourth-most populous nation with more than 200 million people, Indonesia has decided to venture into the world of biometrics. Since February 2006, the country has been issuing what the government calls “new biometric passports”. According to the article, Justice ministry clarifies biometric passport prices, published by The Jakarta Post on July 21, 2006, the government says the biometric system, which scans fingerprints and photographic data into a bar code, has helped it detect 1,800 attempted passport frauds since its introduction in February 2006.

In addition, a press release issued by the sole contractor for the Biometric Indonesian Passport project, Digital Identification Solutions AG of Germany, dated July 12, 2006, from Stuttgart, claims that on average the new biometric passport system processes thousands of on-line passport applications daily and issues the passports in full color, and with numerous security features, on the spot where people apply for the passports.

“Being a German national, I sometimes would love to have my own government provide such user-friendly service to the public”. says the CEO of the company in the press release.

Does this sound like an overstatement? I believe so.

However, I agree that the Biometric Indonesian Passport project is indeed one-of-a-kind in the world.

While developed countries are implementing or planning biometric passports with RFID chips embedded or inserted into them, the biometric Indonesian passports resort to bar code technology (the Post, July 21, 2006), which defeats the purpose of anti-counterfeit measures. Basically, it is easier to clone bar codes than the encrypted identification stored in an RFID chip.

Besides the security issue, it is also essential to guarantee that certain information in biometric passports is kept from unauthorized parties and specific privileges granted or assigned to the right people, which is almost impossible with the application of bar code technology. The biometric Indonesian passport system designer apparently forgets that secure authentication is the fundamental assumption for privacy protection and authorization.

In addition, the use of bar code technology also means that there is no unique identification system due to the limitation of the bar code numbering system. Bar code technology was originally designed only to identify a class of generic products, not a unique item, compared to RFID technology, which can support a unique identification system despite the numbering system being used.

Biometric (+RFID) passports and ID cards are definitely better, not having the basic security issues posed by bar code technology.

Nevertheless, the recent demonstration of biometric (+RFID) passport data cloning performed by a security consultant at the Black Hat security conference in Las Vegas could indicate that security risks in the use of biometric (+RFID) passports and ID cards still exist. However, the consultant could not change the information stored in the chip due to cryptographic protection.

In reality, there is no 100 percent security guarantee in this networked world. When you become part of a “network” voluntarily or involuntarily, there is always a chance that your security will be compromised. One sensible action you can take is to assess your state of security continuously, take several appropriate security measures and prepare recovery plans in the event of a security breach (RFID Security Threats: Your Cat is Probably Safe … for Now, RFID Asia, https://www.rfid-asia.info/2006/03/rfid-security-threats-your-cat-is_20.htm).

During a government forum on national IDs and e-passports for Indonesia held last June in Jakarta, the director for international cooperation at the Directorate General of Immigration unveiled a plan to decentralize the issuing of biometric Indonesian passports throughout Indonesian embassies.

Until now, there has been no country in the world planning or implementing a decentralization plan similar to the one proposed by the Indonesian government. It is certainly not about technological barriers. It is simply based on common sense and the assumption that the security risks of such decentralization outweigh the benefits of such a system in terms of efficiency. There is simply no country in the world that is willing to put its nationals and citizens on the front line of security risks and threats.