Because of a lack of time, the security management topic was not fully discussed.
There was a discussion on whether oversight of issuance at an EU/Schengen level was appropriate for this workshop. Some participants felt that this topic should be discussed from a policy perspective at the European Commission.
The US has partially based its Visa Waiver Program (VWP) on trust in the security of other countries' travel documents. Not all EU/Schengen countries are included in the VWP. This indicates a possible difference in the level of trust the US places in some EU/Schengen countries' e-passports.
[13] Stolen and Lost Travel Document
It was indicated by one of the participants that there exists an inter-country review of border control at an EU/Schengen level. This inter-country review set-up might also be interesting for issuing [14].
6.3.3. Detailed results of the issuance workshop
6.3.3.1. General feedback
In the issuance workshop, the following topics were discussed:
- List of threat agents
- Rating of hypothetical vulnerabilities related to Topic #1 (Application and Entitlement)
- Rating of hypothetical vulnerabilities related to Topic #2 (Production, Delivery and Invalidation)
- Rating of hypothetical vulnerabilities related to Topic #3 (Security Management)
Threat agents
The following threat agents were identified in the life cycle document:
- Non-deliberate threats
  Examples: Programming errors, system failure, human errors, etc.
- Internal malfeasants
  Example: Officials actively seeking to sell blank e-passports
- (Unorganised) private individuals
  Goal: Crossing a border checkpoint without being correctly identified
- Organised criminal and terrorist organisations
  Goal: Crossing a border checkpoint without being correctly identified, e.g. human trafficking or criminals going abroad to escape detention
- Foreign governments
  Goal: Crossing a border checkpoint belonging to a foreign country, without being correctly identified
- Hackers
  Goal: Generating publicity about security issues related to e-passports
On this list, the threat agent "internal malfeasants" was added during the workshop. Although they are usually in the service of one of the other threat agents, they can also autonomously seek monetary gain with their insider access. The other threat agents were supported by the participants.
It was remarked that (unorganised) private individuals are usually responsible for the bulk (i.e. high volume) of the incidents, while the terrorist organisations are responsible for the incidents with the highest impact.
[14] After the workshop, we looked into this further and discovered relevant European legislation on setting up a Standing Committee on the evaluation and implementation of Schengen (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:41998D0026:EN:NOT), which gives this committee powers to investigate the application of the Schengen Code in Member States.
6.3.3.2. Topic #1: Application and Entitlement
The following potential incidents were discussed and rated in the issuance workshop:
# | Hypothetical vulnerabilities | Average risk rating [1-25]
11 | Application and entitlement officers do not receive formal training on assessing the authenticity of breeder documents. | 15
7 | The procedures for verifying the identity of the applicant are not documented or not comprehensive. | 13
13 | Frequently losing a passport is no ground for investigation before or refusal of a new passport. | 13
12 | Application and entitlement procedures do not incorporate "segregation of duties" – one person is able to issue passports under single control. | 13
9 | Insufficient data is available for officers on exclusion data for passport issuance (e.g. criminal records or trial pending, renouncement of nationality, tax debt, excessive loss history). | 12
15 | Procedures for and quality of national ID documents – used as breeder documents for e-passports – are less stringent than those for passports. | 12
14 | Application and entitlement need to rely on hard copy breeder documents (e.g. birth certificates, electricity bills) provided by the applicant. | 12
10 | Application and entitlement officers do not receive formal training on procedures. | 11
6 | Application and entitlement procedures abroad (e.g. embassies) are less secure than domestic. | 11
8 | The procedures for verifying the identity of the applicant are based on "happy flow" and do not deal with exceptions. | 10
3 | Application and entitlement officers are not screened. | 10
2 | Insufficient network and computer security in the systems used for application and entitlement. | 10
20 | Insufficient quality biometrics (facial, fingerprints) is captured. | 10
23 | The instruction to produce a passport (based on entitlement decision) can be manipulated. | 9
17 | Application and entitlement procedures allow photos brought in by applicant to be of insufficient quality. | 9
5 | Application and entitlement officers have many other civil servant tasks. | 9
16 | Application and entitlement procedures are not more scrutinised for first-time applicants or for applicants with passport/ID expired over two years. | 9
18 | Application and entitlement officers do not receive formal training on assessing the quality of biometric data (photos, fingerprints). | 8
22 | The entitlement decision is non-traceable (e.g. no audit trail). | 8
19 | It is not possible to extract fingerprints of sufficient quality from some people. | 8
4 | Security guidelines (e.g. on clear desk, locking workstations) for application and entitlement officers are not formalised. | 8
1 | Insufficient physical security in the application and entitlement environment. | 7
21 | Application and entitlement procedures do not incorporate check on "gummy fingers", i.e. glued fake fingerprints. | 7
Table 5 - Average risk ratings issuance Topic #1
The following charts were produced based on the attendee responses. Per hypothetical vulnerability, the ratings are displayed as a box running from the 25th percentile to the 75th percentile, with the average displayed as the border between the light and dark red box. The minimum and maximum ratings are depicted in error bars. Thus, 50% of the respondents rated the risk within the range of the box (and 25% below and 25% above), while the average is the change in colour of the box.
Figure 11 - Issuance Topic #1 risk rating
In the chart above, it can be observed that although the average risk ratings are quite stable, the individual responses (indicated by the maximum and minimum error bars) vary a lot.