A study by a group of experts has shot down government plans to include fingerprints on Belgium’s electronic identity cards, describing the idea as “unnecessary and dangerous”. The change is due to come into force in April, after the former federal home affairs minister Jan Jambon pushed the measure through despite a negative advice from what was then the Privacy Commission, now known as the Data Protection Authority. The prints stored on the card will be kept in a central database for a maximum of three months.
But a study by the Computer Security and Industrial Cryptography (COSIC) research group at the university of Leuven was scathing in its condemnation of the measure, using terms like unclear, excessive, disproportional and “especially risky”.
The measure is questionable on security grounds, the group found. “The technology used at present offers insufficient guarantees on the prevention of fingerprints being legible by unauthorised parties,” the study says.
The change is disproportional because the existing data contained on the card, such as a digital photo and signature, are not being exploited. “As far as is known, the chip on the eID is hardly ever read at identity checks, and not at all to read the digital photo, let alone compare it with the holder.”
Furthermore, a check of the digital fingerprint would only be of use when a person presents a valid eID card that is not their own, which would be evident from the photo. Other possibilities, such as a forged card or one where the chip has been interfered with, would either be undetectable in the former case, or arouse suspicion in the latter case, regardless of the presence or otherwise of a fingerprint.
In a statement, the current home affairs minister, Pieter De Crem, said his office had “taken note” of the report from KULeuven, but had not yet analysed it in detail. The ministry would hand the report over to specialists to be read and analysed, he said.