Biometric passports introduced in Sweden and Norway

Sweden and Norway have become the second and third European countries to start issuing biometric passports compliant with the standard recommended by the International Civil Aviation Organization (ICAO). In addition, Sweden has also introduced biometric ID cards valid as travel documents across the Schengen area.

Following Belgium (in November 2004) and ahead of Germany (on 1 November 2005), Sweden and Norway have become the second and third countries in Europe to start issuing biometric passports. The new Swedish passport introduced on 1 October 2005 has an RFID (Radio Frequency Identification) microchip embedded in its polycarbonate data page. The chip contains a digital photo and personal information of the holder. The digital photo in the chip can be measured against the facial features of the person travelling with the passport, which will make it easier to authenticate passport holders and reduce risks of theft and fraud.

The new Swedish passport thus complies with the ICAO recommendations for biometrics in machine-readable travel documents (use of facial recognition technology and of high-capacity, contactless integrated circuit chips). It also complies with the EU Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States. This Regulation, adopted on 13 December 2004, mandates the inclusion of a digitised facial image of the holder stored on a microchip in all EU passports issued at the latest 18 months after the date of adoption of technical specifications for the implementation of the Regulation, and of fingerprints after 36 months. Since the European Commission adopted a Decision establishing these technical specifications on 28 February 2005, the deadline for Member States to implement the digitised facial image in their passports is 28 August 2006, and the deadline for the inclusion of fingerprints is 28 February 2008. No date has yet been set for the inclusion of fingerprints in Swedish passports.

The main reason for the speedy introduction of biometric passports in Sweden is that the previous contract for the supply of Swedish passports came up for renewal last year, said Lars Kalsand, head of the passport department at the National Police Board. This gave the opportunity to make the shift to the new, biometric technology sooner rather than later. Another reason was the Swedish Government’s will to comply with the US Visa Waiver Programme (VWP) requirements. Under US legislation, countries whose citizens can enter the US without visas were given until 26 October 2005 to start issuing biometric passports. However, on 15 June 2005 the US Department of Homeland Security (DHS) announced that VWP countries would only be required to produce by 26 October 2005 machine-readable passports containing digital photographs, even if not stored on microchips. On that date, however, all VWP countries will also be required to present an “acceptable plan” to issue passports with integrated circuit chips within one year.

The new Swedish biometric passports require more advanced equipment for the offices that handle passport applications. Instead of introducing new technology in the existing 246 police offices across Sweden, the number of offices dealing with passport applications has been cut down to 100. Since the new passports are only valid for 5 years, compared to 10 years previously, these 100 offices will have to deal with an amount of applications that is expected to increase to 1.4 million per year. The combination of fewer offices dispatching passports and rising demand has met with some criticism in Sweden, especially as the price of passports has also risen from SEK 270 to 400 (EUR 29 to 43).

The introduction of biometric passports in Norway on 3 October 2005 also met with some criticism. The Norwegian Data Inspectorate expressed serious concerns regarding the security of the new passports, and in particular the fact that the data stored on the RFID chips is not encrypted. This represents a potential threat to personal privacy and could lead to forgery and identity theft, the Inspectorate said, adding that uncertainties also remain concerning the storage of biometric information in a central database and the use of such database. The Data Inspectorate stressed that 40 European personal information protection authorities recently issued a joint resolution calling for biometric information included in passports, identity cards and travel documents to be secured efficiently, and noted that the data stored on the chip of the future UK passports would be protected against eavesdropping (or ‘skimming’) by an advanced digital encryption technique.

The Swedish and Norwegian biometric passports are based on the same technology and manufactured by the same supplier, smart card and security printing company Setec (recently acquired by Gemplus). Setec has also been selected to produce the future Danish biometric passports, which distribution is due to start shortly. The Belgian e-passport is manufactured by Oberthur Card Systems, while German biometric passports will be produced by the German Federal Printing Office (Bundesdruckerei), using chips supplied by Philips and Infineon Technologies. Data stored on the German e-passport chips will be encrypted using the RSA public-key cryptosystem. According to the suppliers, it is estimated that a billion standard PCs operating in parallel would have to keep computing for about a million years if hackers wanted to attempt to access data encrypted with this system simply by trial and error.

In addition to starting issuing biometric passports, Sweden has also introduced on 1 October 2005 a national ID card containing biometric data. The new ‘national identity card’ (nationellt identitetskort) is not compulsory and does not replace previous paper ID cards. It can be used as a proof of identity and citizenship and as a valid travel document within the Schengen area. It complies with ICAO standards, is issued by the passport offices and manufactured by the same supplier as the e-passport. In addition to the contactless chip containing a digital picture of the holder, it also has a traditional chip that may be used to securely access e-government services in the future. So far Swedish citizens can use non-official electronic ID Cards issued by the Swedish Post and based on standards approved by the Swedish Standards Institute to access some e-government services, as well as software-based electronic IDs (in particular the BankID developed by the largest Swedish banks).

To date there is no regulation at EU level mandating the introduction of biometric data in identity documents. However, since most people living in the Schengen area use their ID cards as travel documents within this area, some Member States argue that ID cards should be embedded with RFID tags containing biometric information. On 11 July 2005 the UK Presidency of the Council of the EU presented a proposal that common security standards should be agreed for all national identity cards issued by the EU Member States, in particular concerning the use of biometrics and taking into account the ICAO standards and the work done on EU passports. According to civil liberty group Statewatch, if a dual biometric system of fingerprint and facial recognition is mandated for EU ID cards, and since fingerprints have already been made compulsory for passports, visas and residence permits, it will effectively mean that almost everyone living in the EU will end up having to be fingerprinted.

© European Communities 2005 – eGovernment News