Second Wave of Biometric ID-documents in Europe: The Residence Permit for non-EU/EEA Nationals

The first implementation of biometric documents, called biometric passports, based on a regulation is running, the second implementation since end of CY 2008 is coming to Europe. The focus is on persons staying for business, study or leisure for more than 3 months in Europe and coming from a state outside Europe and not being a member of the Visa-Waiver-Program of the EU. This second wave increases the demand for the security industry for certified security microcontroller chips, secure smart cards, readers and supporting infrastructure on top of the biometric Passport business. It underlines the continuing advance of contactless identification technology in the public sector. The article gives an overview on the application, the technology, the EU regulation, the EU roadmap and the implementations. 1. EU policy on biometric ID-documents Back in June 20 th , 2003 the European Council decided in the “Thessaloniki Declaration” on a coherent approach in the EU to biometric identifiers and biometric data for all EU citizens ́ passports, for nonEU / European Economic Area (EEA) nationals and for the back office information system [1]. In the Council Regulation (EC) No 2252/2004 of 13 th of December 2004 the roadmap for the security features and biometrics in passports and travel documents, issued by the EU Member States (EU-MS) was published. Since June 2006 all 27 EU-MS have switched to this new technology and issued only passports with an embedded security microcontroller with a contactless RF interface (ISO/IEC 14443) combined with at least one biometric feature: The facial image of the holder. Currently the two EUMember States Latvia and Germany also store two fingerprint images in the chip. The deadline for implementation of two fingerprint images by all EU-MS in passports is June, 28 th , 2009. These data are protected by the Basic Access Control (BAC) and Extended Access Control (EAC) security protocols defined by International Civil Aviation Organization (ICAO) and Brussels Interoperability Group (BIG). About four years later the Council of the European Union published the regulation on the Residence Permits for third country nationals (EU 13502/2/07), on March, 7 th , 2008 [2]. The following key purposes have been addressed with this regulation: harmonised immigration policy uniform format in the EU very high technical standard, in particular as regarding safeguards against counterfeiting and falsification 2. Technology of the Residence Permit for nonEU/EEA nationals With the decision to select the technical standard for travel documents, according to ICAO document 9303, part 3 on size 1 and 2 (ID1 and ID2 format) the link between the holder and the residence permit is achievable. This approach supports the authenticity of the document and the identity of the holder. Two biometric data sets of the holder are defined, with face image and two fingerprint images, according to ISO/IEC 19794 stored on the Residence Permit card and protected with the EAC security protocol. The Residence Permit has the ICAO “chip inside” symbol printed on the card (top left corner of Photo 1) for machine readable travel documents with a contactless security microcontroller chip (eMRTP, RF-chip) The frontand rear side layout of the card is also defined by the EU [2]. Data content printed are as follow Name Given Name Validity of the Document Place and Date of Issuing Type of Permit Place and Date of Birth Sex Nationality MRZ (3-lines) Photo of the card holder Photo 1: Front-Side of the Residence Permit for ID1 documents; source [2]. 1: type of document; 2: unique number of permit document; 3.1: name of the card holder; 4.2 valid date of permit document; 5.3: type of permit; 7.5-9: remarks; 8: document code; 9: issuing state; 12: additional information; 14: photo of the card holder; 16: biometric chip holds MRZ, photo and (optional) two fingerprints of the card holder; The additional use of new technologies, such as e-Government and digital signature for access to eServices should be facilitated by the EU Member States. For this application, the Residence Permit card could have a contact-based interface (ISO/IEC 7816) in addition to the contactless interface (ISO/IEC 14443). 3. Processing, Lifetime and Biometrics Non-EU/EEA nationals, who are coming from a state outside Europe, which is not being a member of the Visa-Waiver-Program of the EU, needs a SCHENGEN Visa according the EU regulation (EC) 0269/2009, to travel to Europe. This SCHENGEN Visa has a maximum validity of 90 days. This SCHENGEN Visa is in a harmonized ID2-format, with printed photo, MRZ and name, given name, birth day and validity day. It must be pasted in the passport booklet of the visitor for travelling into SCHENGEN. European Commission has decided, that all immigrants must give there face photo and the ten fingerprints to the embassy of an EU-MS before travelling into SCHENGEN. Face photo and fingerprint data, name, given name, birthday and visa number move in a central data bank system and should be available cross border in Europe. The data of the holder and the face photo are printed on this self adhesive sticker. A huge data bank system, called VISA INFORMATION SYSTEM (VIS) must be placed on this. Persons, which would stay longer than 90 days, like students, need a residence permit card. To capture such residence permit card, the person must go to a local immigration registration office in the EU-MS, for example in which this person would stay longer. The validity of the residence permit card is up to 5 years. With the new European Regulation such electronic ID document migrates from a pure visible ID document to a visible and electronically ID document, include digital and biometric data of the card holder. The person needs a frontal photo and the immigration office could have fingerprint scanner for data capturing. The biometric passports have shown in the last three years two trends on biometrics data in opposite direction according the data quality, which are stored on the contactless chip: mainstream for face image data is to use data compression modes like JPEG or JPEG 2000. With this approach, the data frame size cut down from 18k byte (image) to 16k (JPEG compressed) respectively to 12k (JPEG 2000 compressed). Mainstream for fingerprint data goes in the other direction, high resolution image photos are requested. Examples are USA with the FBI specification EFTS/F (Electronic Fingerprint Transmission Specification 7.1, Appendix F) Germany with the BSI technical guideline TR 03104 (Technische Richtlinie zur Produktionsdatenerfassung, -qualitätsprüfung und –übermittlung) High resolution photos need 16k to 18k byte. The specification of the EU has defined 12k to 15k byte. 4. EU Roadmap and Outlook As same as for the electronic passport with biometric data, the EU Commission plan a two step implementation program [1]. The deadline for the first generation (face / BAC) implement would be 24 months after publication of the specification and the second generation (face and fingerprint / BAC and EAC) after 36 month. EU-MS are free to decide an earlier implementation date, as shown in for the e-Passport and the e-Residence Permit Card. Deadline for the first implementation of the e-Passport was August 2006. Frontrunner was Belgium with start the issuing in November 2004, followed by Sweden in October 2005, Germany in November 2005, United Kingdom March 2006, France April 2006, Iceland May 2006, Austria June 2006 and Portugal July 2006. Deadline for the second implementation was July 2009. Frontrunners are Germany with November 2007 and Latvia with March 2009. For the second implementation are finger scanners in the document issuing offices requested as well as the managing of digital data via a secure channel to the office of the personalizing place of the booklet. The specification of the Residence Permit Card was decided at an article-6-committee meeting in April 2009. Based on this, the EU-MS have the official deadline May 2011 for the implementation of the first generation (face / BAC) and May 2012 for the implementation of the second generation. In case of the Residence Permit program all person data and all fingerprints of all non-EU/EEA nationals should be stored centralized on EU-MS-level and should be needed for exchange of information cross border. This approach is similar to the SCHENGEN Visa policy. The annual run rate of all Residence Permit Cards in all 27 MS is expected in the quantity window of 15 to 18 Million cards. It is expected, that this program could be bridged in future with the European Asylum-Seeker Program, called EURODAC [6]. This program was created in the context of the “Dublin Convention” and is in place since January 2003, according the EU regulation 2725/2000. It is based on a harmonized registration and approval process and needs 10 fingerprints, collected with an AFIS system. All EUMS have access to this central data bank system EURODAC to avoid double bookings and to reduce time for the approval processing of the Asylum-Seekers.