Proposed repository will aid law enforcement across Europe – but at what cost to citizens’ data security?
The European Parliament voted last week to create a massive biometrics database by unifying individual national records, known as the Common Identity Repository (CIR).
The CIR will contain personal information such as names, dates of birth, and passport numbers, as well as biometric data such as fingerprints and facial scans. The data will be made available to law enforcement bodies across the region.
“This will facilitate the tasks of border guards, migration officers, police officers, and judicial authorities by providing them with more systematic and faster access to various EU security and border-control information systems,” says the EU.
The merged repository will include data from the Schengen Information System, Eurodac, the Visa Information System (VIS), and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES), and the European Travel Information and Authorisation System (ETIAS).
However, previous efforts to create such biometric databases have been fraught with problems. Most notably, India’s Aadhaar – the world’s second-largest identity repository in the world after China’s – has been plagued by errors and security failures.
One only needs to look at the work of French security researcher ‘Elliot Alderson’, who has catalogued a series of holes in the database.
According to an EU spokesperson, CIR data will be stored in Strasbourg, France, with a back-up in Austria. It will be managed by EU-Lisa, an agency specialising in large-scale digital infrastructure systems that has been storing other EU data for years.
Biometric data will be stored in a ‘templatized’ format, says the spokesperson, making it impossible to re-translate a template back to the original biometric data.
According to Tyler Moffitt, a security analyst at Webroot, such hashing should indeed make it impossible to reverse engineer any fingerprint images. However, he says, there are still significant risks associated with the storage of so much personal information.
“Shared databases mean more access, which equates to more exposure and more risk that everyone’s data could be exposed or compromised. It becomes a numbers game,” he says.
“There are more machines and accounts with access to the data, making more opportunities for cybercriminals to find a vulnerability.
“No government, or company for that matter, is infallible when it comes to security.”
Questions have also been raised over the personal privacy aspects of the CIR – not least by the EU’s Article 29 Working Party, which voiced its concerns (PDF) in a report last year.
The EU spokesperson insists that the system has been designed with GDPR in mind, and that the data it contains can only be seen by those who have explicitly been given access for specific purposes.
However, says Moffitt: “I also question how the rights of individuals will be upheld. Most residents of a country don’t grant permission to share their personal information with foreign governments, for example.”