How to abuse biometric passport systems

The purpose of this paper is to show that most, if not all RFID/biometric passports have clear technical and social problems in their intended use and that there are clear problems with the databases into which biometric data are being collected, due to use of this data for other (publicly), non‐intended uses.

The approach of this paper is both a meta‐study of the flaws in the technological specifications as well as the social implementation of RFID/biometric passports. Finland is used as a case, but the results extend beyond Finland in most, if not all the topics presented – not necessarily all results to all implementations, but all to some others.

The current implementations of RFID/biometric passports are lacking in both technical and social implementations and pose clear risks to their use, both due to lax implementation of the technology itself but specifically due to the social changes brought about. These problems cause both erosion of privacy and trust.

Further research into other potential social implications on a national level is required. The authors fear that the cases presented do not necessarily reflect all the potential problems, but just the most evident ones.

The problems with the technological implications can be averted by using the best technological solutions, and thus the best technological solutions should be used instead of the ones proven to be lacking.

The social implications should at least be brought forth for public discourse and acknowledged, which currently does not seem to happen.

The paper contributes to the understanding of problems with current RFID/biometric passport implementations as well as inherent social problems that are hard, if not impossible to avoid. The problems belong under the category of critical eGovernment applications, and similar issues are visible in other eGovernment applications.