By Detlef Houdeau and Chris Shire, Infineon Technologies
Currently, the EU policy for cross border control processes cannot be described as harmonized. When looking at this topic, it is important to note that the Schengen Area is not a geographic area but rather a list of twenty-five states within a cooperative framework. In addition, there are often specific bilateral contracts between two states (Schengen area compliant and non-Schengen) in place. This reality is also reflected by the policy on the travel functionality in national ID cards. Many different configurations are known. For a unified design and function to be put in place it will require a clear justification and strong political will – as was the case, for example, with the ePassport scheme. Should an EU mandate be agreed, it should be noted that most national ID documents have a validity of 10 years. In the face of these circumstances, Europe will need many years to harmonize the majority of ID documents in the public domain and allow for interoperable travel functions, thereby easing the freedom of movement of its citizens. This article gives an overview of the particular aspect of travel function policy for national ID cards in the EU, with a snapshot at the beginning of 2011.
Freedom of movement is a fundamental human right enshrined in European Union treaties. It is realized through the area of freedom, security, and justice without internal borders. Interoperability of personal identity is therefore a key pillar of the EU Commission (EC) policy. Many programs have been sponsored by the EC to facilitate interoperability cross-over tests of travel documents (Brussels Interoperability Group, 2006 – 2008), eID-services cross border (STORK, 2008 – 2011), eSignature application cross border (PEPPOL, 2008 – 2011) and eHealth-services cross border (epSOS, 2008 – 2012).
EU regulations on national travel documents
Back on June 20, 2003 the European Council decided in the “Thessaloniki Declaration” on a coherent approach in the EU to biometric identifiers and biometric data for all EU citizens’ passports, for non-EU/European Economic Area (EEA) nationals and for the back office information system. In the Council Regulation (EC) No 2252/2004 of December 13, 2004 the roadmap for the security features and biometrics in passports and travel documents issued by the EU Member States (EU-MS) was published. Since August 2006 all 27 EU-MS have switched to this new technology and issued only passports with an embedded security microcontroller with a contactless RF interface (ISO/IEC 14443) combined with at least one biometric feature: the facial image of the holder. The deadline for implementation of two fingerprint images by all EU-MS in passports was June 28, 2009. This data is protected by the Basic Access Control (BAC) and Extended Access Control (EAC) security protocols defined by International Civil Aviation Organization (ICAO 9303, part 1) and Brussels Interoperability Group (BIG), a working group under the article-6-committee. To increase the security and the privacy a new specification was defined and published by ICAO in May 2010, called ICAO-SAC (Supplemental Access Control), which allows higher entropy than with a single Machine Readable Zone (MRZ)-line and so increases the security of ICAO-BAC protocol. The deadline for implementation of these 3rd generation travel documents is defined by the EC for all 27 EU-MS as December 31, 2014.
Travel in the Schengen Area
Back in 1985, the first EU member states signed a contract on an area free of border controls. The agreement was signed in a small village in Luxembourg called Schengen and the area without border controls was from then on named the SCHENGEN AREA. Today 25 states in Europe are members of this program affecting 440 million citizens. This program fosters more convenience for travellers by reducing waiting times at the border and citizens do not need to carry ID documents with ICAO functionality. All EU citizens have the right to enter another member state by virtue of having an identity card or valid passport. Residence permits have been abolished for EU citizens.
However, a EU-MS may require them to register with the competent authorities within a period of not less than three months as from the date of arrival. Proof of registration will be issued immediately on presentation of an identity card or valid passport and justification that they do not present a burden to the local state. In this area a specific travel function of an ID document is not mandated, but is often included.
If a citizen travels from the Schengen Area to other states in the EU or the European Free Trade Area, they may need a valid machine-readable passport or ID document. For example, German citizens may travel to the UK with a valid German ID card. However, in states outside the Schengen Area and the EU, which have EU Visa Waiver status, a full passport with a minimum remaining validity on the travel document of at least 6 months may be required.
Besides this international agreement of an area free of border controls, some bilateral agreements are in place to cross borders without ICAO travel documents, such as the frequent travelling program between the Ukraine and Poland. Some states are not member of the EU, and yet have also done away with a control process for crossing the border, e. g. Switzerland.
Overview of national ID documents with travel functions
In Europe, there are three main types of national ID documents in use:
- States without national ID documents; e. g. Norway, UK, Denmark
- States with voluntary national ID documents; e. g. France, Sweden, Finland
- States with mandatory national ID documents; e. g. Italy, Spain, Germany, Poland
In the states without national ID documents, the driving license typically assumes the function of an ID document. Within the scope of implementation of travel functions six configurations are known:
- National ID is not in use; Example: UK, since 1951
- National eID, without MRZ, or ICAO biometrics; Example: Italy, since 2006, called CIE;
- National eID, with MRZ, but without ICAO biometrics; Example: Portugal, since 2007, called PEGASUS;
- National eID, with MRZ, and ICAO-BAC (Face); Example: Sweden, since 2005;
- National eID, with MRZ and ICAO-BAC (Face), and BIG-EAC (Fingerprints); Example: Netherlands, since 2009;
- National eID, with MRZ, and PACE (Face), and BIG-EAC (Fingerprints, optional); Example: Germany, from November 2010, called nPA
Along with the functionality, the optical design of these ID cards varies from state to state. If in future such a card is to become an easily recognisable travel token, the design and functionality must be aligned. There are already EU design guidelines for common ID documents, such as the residence permits for non-EU citizens. From May 2011 these must be issued to classes of foreigners such as students or workers planning to reside inside in an EU state for more than three months. This design has been taken up by a few states for their own national ID cards but is far from universal. The outline design, as seen below, indicates the inclusion of a chip using the same symbol as on an electronic passport complying with ICAO 9303 specifications.
In the case of compliance with ICAO biometrics, the national ID document needs an embedded contactless crypto-controller with a minimum of 32k non-volatile memory space to store face data and a minimum 64k non-volatile to store face and two fingerprint data. The device must comply with the security protection profile as agreed across the EU and authored by the German BSI.
It is clear, therefore, that it is technically possible to produce an eID card with travel functions which can be used across states. The political perspective, however, is somewhat different: The unique design of government issued identity documents, just like currency and postage stamps, is often the first visible output when a new sovereign state comes into existence or there has been a change of regime. This happens, if for no other reason, as a way of reinforcing the identity and authority of the new government. These documents are also likely to be the last to be replaced should a state become unified with some larger international scheme.
The most likely scenario is for the bilateral agreements to be slowly expanded to allow citizens freedom of travel across borders based on simple rules of acceptance of various eID documents rather than full interoperability; this happened in the past with passports. However as more electronic ID verification tools are used by authorities to improve efficient and secure delivery of citizen services, the need for cross-EU compatible identity and travel
documents will increase. The likely increase in illegal immigration will also drive the need to identify valid EU citizens in whatever EU-MS they reside, so that resources can be correctly focussed. But there must be balance with the need to increase security and the right to freedom of movement for EU citizens, as has been said before “we must plan for freedom, and not only security”(1).
(1) The Open Society and its Enemies (1945) Sir Karl Popper