Schneier on Security
A blog covering security and security technology.
April 26, 2012
Biometric Passports Make it Harder for Undercover CIA Officers
Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents.
Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a particular name. Likewise, the increasing use of biometric passports, which are embedded with microchips containing a person's face, sex, fingerprints, date and place of birth, and other personal data, are increasingly replacing the old paper ones. For a clandestine field operative, flying under a false name could be a one-way ticket to a headquarters desk, since they're irrevocably chained to whatever name and passport they used.
"If you go to one of those countries under an alias, you can't go again under another name," explains a career spook, who spoke on condition of anonymity because he remains an agency consultant. "So it's a one-time thing -- one and done. The biometric data on your passport, and maybe your iris, too, has been linked forever to whatever name was on your passport the first time. You can't show up again under a different name with the same data."
Posted on April 26, 2012 at 6:57 AM
Maybe that's not so bad? If nobody can get away with all this cloak & dagger stuff any more, perhaps there will be less demand for it.
At least, that's what I'd like to think. I'm sure reality will end up being more complex than that.
Substitute "CIA" with "MI6", "Mossad" or "Al-Qaeda" and the above is equally true. Biometric identifiers have pretty much the same effect on state-sponsored bad guys such as CIA just as much as on J. Random Terrorist. Obviously, CIA see that as a bad thing - for the rest of us, it's success.
"If you go to one of those countries under an alias, you can't go again under another name,"
... and when countries start sharing said databases? ...
I believe the idea is that they store a copy of your passport's info on them.
But aren't those bio-metrics an approximation of reality and wouldn't it be rather easy to make a passport with some differences, small enough so they still fit the person, but large enough to make it hard to compare them against a database of previously copied/stolen metrics?
This has nothing to do with passports. It is about countries storing the biometric data of the person at initial entry and then reusing it later.
The "nice" way of doing this is to just check whether the presenter of the passport is the person whose biometric info is stored in the passport. Ideally the biometric info is never seen "in the clear" by the system, you just look for the two to match.
The problem described would also occur even without the use of biometric passports, as long as immigration controls use some sort of biometric capture AND retain the data for future use. This is for example done for refugee applications to avoid the same person applying for refugee status over and over again. No passport needed.
How long before spooks start having cosmetic iris surgery? Maybe simply injecting ink dots here and there?
It may be a little harder if they start recording retinal patterns.
The CIA just needs to alter the databases.
Another interesting (and admittedly ill-informed) question... since biometric systems typically "boil down" the actual measured properties to salient features and encode them somehow, how frequently are there legitimate collisions?
Will Grandpa be disappeared by foreign intelligence for a statistically-unlikely but possible collision with some spook's biometrics?
Unique Identity for all was always a good concept in the modern world. But sometimes, it's a challenge. Nobody wanted Big Brother in her privacy. Maybe in the coming time LEPs would not be misused for personal benefits by the disgruntled/privileged. No need for spyware, societies would have faith in systems and vice versa. No wars, No intrusions, No cyberwars...
No....No.....Further comments needed.
Insert person with real name (or false name they'll never use ever again). Take them out of the country secretly, and replace them with another person using their name. Do stuff. Leave secretly, either repeating the switch or just abandoning the name.
A little more expensive, but cheaper than retina surgery.
Yeah, shame biometrics aren't easily forgeable or anything. You'd have to be some kind of intelligence agency to pull something like that off.
Am I hugely out of date here? I thought that the biometric data was merely a way of confirming the passport was being carried by the correct person. Rather like an MD5 of a download, there may be several people with the same (hash of) biometric data, but if it's a one in a million chance, reliably finding someone to swap passports with is impractical.
Finding however measurements accurate enough to differentiate between all 7 billion of us on the planet with no chance of collision, readable with the reliability and speed required to keep a passport check queue moving surprises me if it's practical.
It's currently not as bad as people are talking it up to be.
First off biometrics are notoriously unreliable and often the data stored is effectively little more than a 15-bit hash. Thus you would expect collisions between different people's data sets.
What happens with passports is in effect similar to what happens with usernames and passwords. There is a unique key / identifier such as the passport number (ie the user name) which has a set of one or more hashes stored under it (password / passphrase). The person presenting the passport should when their biometrics are read "approximate" the hashes.
What you cannot do reliably is take a set of biometric hashes (pass phrase) and work backwards reliably to a unique key / identifier (user ID). What you actually end up with when you try doing this is a set of probable matches, the size of which depends on the effective number and bit strength of the hashes.
If you try and tighten up the biometrics (ie increase the number of bits in each hash) to reduce the set of probable matches you will find that the person will fairly quickly stop matching their own biometrics from a year or so ago. So the failure rate at passport control would break the system (if it is not already so as in the case of the UK Boarder Agency at major UK airports and ports).
Thus there is a degree of "wriggle room" in the biometric system.
Obviously the more different biometrics you use on each person then the smaller the match set gets.
But when you add to the natural wriggle room the fact that some biometrics (fingerprints for instance) are possible to forge sufficiently to pass routine inspection by the less expensive or more portable equipment then you open up a whole different match set for any given individual.
Then when you consider the very many ways in and out of a country (think pleasure sailing across the English channel etc) there are going to be very many ways of entering where the "biometric checking" is going to be little more than the immigration officer's MK1 Brain behind their MK1 eyeballs.
The fly in the ointment is that some biometrics (iris scan, DNA) supposedly have very very small match sets, effectively removing the natural wriggle room. But currently these are not in common usage on passports (for instance the first generation of UK bio-passports which are still valid only have a digitised copy of the photograph).
So I really don't think the CIA et al have too much to worry about currently.
Also I suspect that many of the biometric sensors could with a little thought be hamstrung at the sensor hardware level and as much of this (ie the silicon) is only made in just a handful of Fab Labs in the world...
Sorry, but am I really the only one that doesn't mind our spooks being spooky. Yes the trade off is obvious, what you lose for your own is that you improve your tracking of other peoples spooks but I don't view spies as evil or scary and that many do some very important functions which I do *actually* believe make me safer.
I thought making it harder to use false papers/identities was the WHOLE POINT of biometric passports?
So what they're complaining about?
Did someone just realize they can't play by their own rules anymore?
It shouldn't be too hard to find a workaround for this.
Construct several different contact lenses with embedded data that each provide a separate identity, and make a new passport identity for each of them, and never use your 'real' iris except for the 'real' identity to be able to identify you as a member of your 3 letter agency...
@ glenner003, Reader, Terry Cloth, ..., ..., et al,
NOTE to self, don't start typing a response and go get a cup of hot brown stuff otherwise other people will say what you are going to say :)
Sorry, but am I really the only one that doesn't mind our spooks being spooky?
It depends on what you mean by "spooks" (officers, contractors, agents) and what they are doing (reading newspapers and journals, talking to local people, black bag jobs, sabotage, wet work or terrorism).
As a point of interest the general idea of "Spooks" being the "James Bond" types is very far from the truth. Most "officers" are more like investigative journalists than that. Also quite a few countries have got around the problem of "officers" doing compromising activities by using "agents" these can be people in the country concerned, or people from other countries that visit legitimately on business all the time. In both cases they are usually coerced (blackmailed) or paid for (bribed) in one way or another. Those that do it for idealistic or conviction reasons generally aren't trusted and usually best avoided because they usually have deficient "risk evaluation". The newish game in town (since 1970's) is "contractors" or "freelancers" who are effectively "off book" part time employees with the benefit of full deniability.
However a simple question is,
If APT is all it's "talked up to be" why do we need human spooks any more?
Can a spook wear contacts that provide a different iris scan?
Oh, the poor little kittens. They might just have to, you know, obey the law like all the rest of us do.
APT likely means Advanced Persistent Threat here.
Because surely there are secrets that won't be accessible to an APT style attack. For instance a secret that is not stored on a computer or communicated through an electronically penetrate-able system.
@Clive Robinson - depends on the volume of people, yes they could sneak into the USA or UK with an old digital photo only passport.
But if you know you are a "country of interest" it wouldn't take too much work to take fingerprints and iris scans of all western looking arrivals and check them rather more carefully against people who have entered in the past.
I disagree, Clive. If you look at just the computer side of the equation yes right now this second it's less than ideal. But as technology improves so will the biometrics. We are not that far away, a decade at most, so the concern remains legitimate. Second, just because there is a computer collision doesn't mean there is a collision to the human. For example, in facial recognition faces that look similar to the computer (which is just using a programmed formula) look obviously different to the human mind (which uses yet a different programmed formula). So when you combine the two you can get results in the 90% range. Is that perfect? No. But what three letter agency is going to send an undercover agent into the field with only a 10% chance of success? None.
That's the heart of the matter. A country doesn't need a 100% biometric match every time to stop the practice of covert spying. A country just needs to up the risk/reward profile to the extent that its adversary concludes it's not worth it.
APT means (in this context) Advanced Persistent Threat; it's the latest 'scare the money out of them' tactic used by those who want to build up empires.
Put simply there is a group of war hawks in the US who I call the "China APT mob", for some reason they want to blame anything and everything to do with cyber-crime / espionage onto China and talk it up as being equivalent to "hot warfare" when it is anything but...
Yes APT is a significant issue but it's not just the Chinese at it the US is also at it against various of their (supposed) NATO allies and presumably just about everybody else. Likewise just about any nation that has the technology and people are at it as well so what is classified as "China APT" could well be coming from Australia, Britain, France, Germany, Israel, Japan, Russia, Sweden etc, all of whom have "been caught at it" at one time or another. But unlike the US make no pretence of being "morally outraged" by such activities, they simply say nothing but continue to "keep their enemies close, but their friends closer".
Because surely there are secrets that won't be accessible to an APT style attack.
My g0d you mean our enemies are not as vulnerable as us... ;)
My original comment was meant to be a little sarcastic over the outlandish claims made for APT by some of those "climbing up the hill" in DC with buckets full of FUD to get appropriations from the gullible to get the FUD exchanged for pork.
I'm old enough to remember when various people (who I shall not name) decided the CIA etc did not need "Humint" as "Elint" and "Sigint" would do it all much better. The result was very much a disaster in amongst other places the Middle East, and the resulting mess we are still seeing played out today.
A more recent example would be Somalia where the intel was so far off base it still makes the WMD fiasco caused by amongst others "Curveball" look good.
At the end of the day you need boots on the ground with the brains to work out which way the wind is blowing, to put everything else in context.
Sounds like the system is working.
After all the difference between CIA and a terrorist group are minimal.
As others have noted this is more about biometric collection at the border (as per US-VISIT) or biometric visas; rather than biometric passports per se.
Whilst a number of people have been pointing out, incorrectly in my view, the inaccuracy of biometrics at this scale; the key here is correlation of errors and how secondary is managed at a border.
Say I'm a little old man whose fingerprints are mistakenly flagged as belonging to some previous traveller with a different ID. I get sent to secondary where they pull the photo of the previous traveller and see it looks nothing like me. They then double check my passport and send me on my way. Yes it's irritating and if the false positive rate is too high it will swamp the system, but it doesn't lead to being whisked off to gitmo as more fanciful commentators have suggested.
If on the other hand I'm a spy travelling on a second set of documents and I get flagged (pretty likely on 10-fingerprint capture at records up to 100m people), when I go to secondary the previous photo is also likely to be a pretty close match as are many of the demographic details (e.g. I'm not going to have switched my claimed age by more than 5-10 years). That will lead to a lot more scrutiny and a high likelihood of something bad happening.
Presumably spies are valuable, therefore if the risk of getting caught goes much above 50% it will cease to be worth risking this approach.
Also note that the other complaint about ePassports is (despite Bruce's claims) they're very hard to forge in a way that can be used at the border (rather than on some test tool) due to the use of country signing certificates; this makes it much harder for Mossad to use Irish passports and limits spies to passports from less well trusted countries (which often need visas) or to passports of their country of origin (which takes away the point).
Thank you and I've got to ask whether your UK 'Boarder' Agency was intentional or not... anyway, it amused me!
Either way, the UK's ability to invest in systems that are broken before they've even begun is a constant in an unconstant world.
I would just note the recent uptick in CIA recruitment of eyeless amputees.
- this has less to do with biometric passports, and more to do with storing entries for later comparison ... they could have done this long ago with fingerprints if they wanted
- what, the CIA* has never hacked a database before?
* or MI6, KGB, Mossad, al Qaeda, Boeing, Stratfor, insert agency/company here ...
I don't agree 'After all the difference between CIA and a terrorist group are minimal'.
Yeah, the psychological profiles of both groups (e.g. risk taking level, locus of control, etc.) are very similar, but goals are different. That is the key.
As soon as CIA is following its so called jurisdiction, i.e. acting outside the US and targets real enemies of the country, not of particular group of interest, only then spooks are on the right side.
Methods could be similar, but not goals.
By the way, I guess offshore banks are still tolerated, because spooks need money for their operations as bad guys.
One-time use agents? Better security all round with less risk of cross-assignment leakage.
Parachutes don't require authentication.
@ Ann Agent
Those are called cut-outs.
Hmmm, as with all things this seems like a tool that can be used against an enemy. If they believe they have located a spy, do they refuse entry, thereby showing their hand, or simply schedule extra surveillance? Now if I send in 10 Known dummy spies I can exhaust their surveillance capabilities and know that the rest of my operatives get a free pass to go about their business unhindered. Seems like a bit of an own goal.
Biometrics might improve, but biology will not.
So, even if your 21st-century fingerprint reader captures every whirl and groove with nanometric precision, your 'match' still needs to be fuzzy enough to match you next year (when you've lost weight, oh, and taken a couple of papercuts too). Make it fuzzy enough to work in a practical setting, and likely someone else will match too...
And why are we expecting Nature to provide cryptographically secure, collision-resistant randomness anyway?
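The trade-off raised in the comments above (a match loose enough to accept the same person on a later visit also admits strangers, and a one-to-many search over a stored gallery multiplies that) worked through as an added example; it is not part of the post or of any comment. It assumes a simplified model in which a template is n independent bits, a repeat capture flips each bit with 10% probability and a stranger differs on each bit with probability 0.5; the 15-bit size and the 100 million gallery are figures commenters mention, every other number is constructed.

```python
from math import comb, expm1, log1p

def binom_cdf(n, p, t):
    """P(X <= t) for X ~ Binomial(n, p), clamped to [0, 1]."""
    total = sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(t + 1))
    return min(1.0, max(0.0, total))

def fnmr(n_bits, noise, threshold):
    """False non-match rate: the same person, re-captured with per-bit
    noise, differs from the stored template in more than `threshold` bits."""
    return 1.0 - binom_cdf(n_bits, noise, threshold)

def fmr(n_bits, threshold):
    """False match rate: an unrelated person's template (each bit differs
    with probability 0.5) is within `threshold` bits of the stored one."""
    return binom_cdf(n_bits, 0.5, threshold)

def operating_point(n_bits, noise, max_fnmr):
    """Tightest threshold that still rejects the genuine traveller
    no more often than max_fnmr."""
    for t in range(n_bits + 1):
        if fnmr(n_bits, noise, t) <= max_fnmr:
            return t
    return n_bits

def p_any_false_match(fmr_value, gallery):
    """Probability that a 1:N search over `gallery` unrelated records
    returns at least one false hit: 1 - (1 - FMR)^N, computed stably."""
    if fmr_value >= 1.0:
        return 1.0
    return -expm1(gallery * log1p(-fmr_value))

def border_report(n_bits, noise=0.10, max_fnmr=0.01, gallery=100_000_000):
    """1:1 verification rates and 1:N identification load for one template size.
    noise and max_fnmr are constructed values for this model."""
    t = operating_point(n_bits, noise, max_fnmr)
    f = fmr(n_bits, t)
    return {
        "bits": n_bits,
        "threshold": t,
        "fnmr": fnmr(n_bits, noise, t),
        "fmr": f,
        "expected_false_hits": f * gallery,
        "p_any_false_hit": p_any_false_match(f, gallery),
    }

if __name__ == "__main__":
    # 15 bits is the size one commenter cites; 64 and 256 are constructed.
    for bits in (15, 64, 256):
        r = border_report(bits)
        print(f"{r['bits']:>4} bits  t={r['threshold']:>3}  "
              f"FNMR={r['fnmr']:.4f}  FMR={r['fmr']:.3e}  "
              f"false hits per search={r['expected_false_hits']:.3e}  "
              f"P(any)={r['p_any_false_hit']:.3f}")
```

In this model the short template is adequate for confirming that a passport belongs to its bearer but useless for searching a stored gallery, while the long one makes a one-to-many hit on a returning traveller meaningful.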
How many countries actually collect fingerprints and iris scans from all visitors?
The USA does, but how many others do?
And wearing fake fingerprints seems not too difficult from what I understand.
The assumption seems to be that spies always enter the operative country through the official point of entries. There are other approaches as evidenced by numerous illegal immigrants.
The problem also is not the availability of biometric information, but that the records of biometric information can be retrieved and searched in the time needed to process a person at an immigration checkpoint. Normal cameras, fingerprint scans and similar easily obtained biometric data (height, weight, ear print, etc) can be made relatively easily and can be matched at a second visit.
You seem to be suggesting that biometrics at scale don't work, but without citing any evidence or engaging with that point that biometrics work in concert with other processes. I'd just point out that the US has at least 3 massive (>100m) fingerprint systems that all have well publicized successes, India now has a system of over 250m, Japan, UK and the Schengen states all have working border systems.
Sorry I missed the sarcasm. I agree 100%.
The results of NIST's (independent) evaluation of Iris imaging/recognition has been released.
You might want to have a "look" at one viewpoint on it,
Important is the trade-off between speed and accuracy, the latter ranging from 90% to 99%.
Iris recognition is supposed to be one of the "gold standards" of biometrics with DNA and other tests that take considerable time being the platinum standards.
90-99% is not a result I'd be cheering about, to be quite honest.
I'll let others do the maths on the number of passengers flying to or through US airspace each year...
Between the development of air transport and the development of pervasive data collection, there has been a window of opportunity during which espionage agencies have grown used to just flying agents to their destinations, presumably without significant preparation and on short notice, able to enter a country only with a forged passport and maybe a disguise.
The end of this commoditization of undercover activity is simply making espionage a bit more adventurous and skill-intensive, as it should be.
As to "practical advice", I'm unsure about hacking databases: erased or altered records are likely to be detected, attracting attention to certain people, while a temporary DOS attack is too hostile (at least for the case of CIA vs. European countries) and bouncing all travellers for a few hours can be a reasonable response.
@ UK Visa,
@Clive Thank you and I've got to ask whether your UK'Boarder' Agency was intentional or not... anyway it amused me
Hi long time no chat :)
I should take the "5th" after all as ladies are often heard to remark "you have to have a little mystique in a relationship". The sad truth is even with a spell checker my "dislexei ruels ko" :(
@Winter I've never had my iris scanned or fingerprints collected in the dozens of times I've travelled to the US from Canada.
It's amazing how many people jumped almost immediately to contact lenses and cosmetic surgery. Only 1 response (@miw) who pointed out that spies have other ways to get in/out of a country. To the extent the new iris scanners prevent people from falsely entering a domain, they are no different from stronger fortifications and deeper moats... and those have been foiled repeatedly, simply by bypassing them, by bribing, threatening or appealing to someone. Even at an airport, a corrupted guard can help someone get through the scanners. No big deal...
India is implementing a Unique Identity for all residents using multi-modal biometrics (10 fingerprints and 2 Iris). Project is about providing "unique" identity combined with "online biometric authentication". There are no smart cards or books or anything. It's just a 12-digit random number that can be authenticated online. This project (named "Aadhaar" meaning "foundation") has covered around 200 million people already. It is now the world's largest biometric identity system. Over the next 2 years, it will cover 600-800 million people of India. It's expected that several existing domain specific identifiers such as income tax number, passport, driver's license, etc. will use UID as the basis and then extend to their purposes as necessary. Several papers including the strategy, biometric accuracy details, etc are available at http://uidai.gov.in/ (Govt of India website).
I still don't get it - why can't they just make up a second photo? The machines are going to be dumb if in operation and will only be able to look for exact matches (I'm assuming whatever selective hashing of biometrics they have cannot infer what the hashes of similar fingers are), and as such, if you produce two fake passports from two sets of data from the same person, the slight variation in how it, say, encodes the thumbprint (like a slight displacement of the finger during the scan) - won't that create a document that looks different when scanning against their database of matches?
So why do spooks go through the Dubai airport when there are a few thousand miles of sandy borders that they can just walk through?
It will be interesting to see how they find a way around this problem, but I imagine it largely depends on the ability of the biometric scanners to cross reference data and store information. It also depends on why the airports are employing these scanners. In the UK electronic passport controls seem to be largely used to speed up the passport control process, rather than being seen as a better option to a human checking your picture.