Answers to parliamentary questions on the message 'Passport scanner on cell phone increases chance of identity fraud'

Minister Knops answers parliamentary questions from member Verhoeven (D66) on the message 'Passport scanner on cell phone poses risk of identity fraud'.

Rijksoverheid November 4, 2019

Question 1

Are you familiar with the message "Passport scanner on cell phone poses risk of identity fraud"?(1)

Answer 1

Yes, I am familiar with this message.

Question 2

Do you recognize the risks to identity fraud that arise now that there are simple phone apps that can scan and read the chip on a passport? If so, what are you doing to minimize these risks? If no, why not?

Answer 2

More and more phones today have the technology to read chips via NFC.(2) With this development have come apps that enable chip reading on passports. However, the existence of these phone apps does not introduce any new risks. When reading the chip, the same personal information is visible as when showing a passport or providing a copy. When providing information from a passport, careful attention must be paid to whom the information is provided to and why. This is regardless of whether the passport is shown, copied or scanned.

The chip in passports (and identity cards) is set up and secured according to internationally agreed standards. As a result, the chip can be consulted worldwide for identification at border crossings, for example. In addition, the chip in passports is consulted by many government agencies for efficient and error-free processing of personal data.

The chip on passports can only be read using a key based on the machine-readable strip (also called MRZ). This key can only be accessed when the MRZ is visible, which requires showing or handing over the document. This prevents these chips from being read by any random person from a distance. Phone apps also use the key based on the MRZ to open the chip. The fingerprints, which are additionally encrypted in accordance with the agreements within the European Union, cannot be read.

Question 3

What is your response to the position of the Autoriteit Persoonsgegevens that reading the citizen service number (BSN) is particularly risky, where, for example, a bank account number could be opened under a false name?

Answer 3

No rights can be derived from just a citizen service number (BSN). When identity fraud is involved, more personal data are known, involving, for example, the combination of NAW data (name, address and place of residence) and/or bank data. The BSN is an administrative number and cannot in itself determine the identification of individuals.

In the case of opening a bank account, a bank must always conduct customer due diligence and, as part of this, verify the identity of the applicant. All banks doing business in the Netherlands are required to do this. The purpose of this is to prevent money laundering and terrorist financing. This identity check is broader than just checking the BSN.

Question 4

After scanning a passport, do the app makers themselves possess the passport data? Can a database of personal data of Dutch citizens in fact be created on the basis of this type of scan? Do you see a risk of identity fraud here? If not, why not? If so, what are you doing to counter this?

Answer 4

It is possible that app makers could have passport data in this way. As with any app, there is a possibility that the creator could build up a database of information about individuals who use the app. In the case of malicious parties, this could lead to identity fraud. Currently, I am not aware of any case of identity fraud as a result of using an app that scans the chip in passports. Obviously, it is important to pay close attention to what kind of apps are placed on a phone and whether it is necessary to use them to read identity documents or to enter personal data in them.

Processing of personal data must comply with the GDPR (AVG). The GDPR also applies to parties offering apps for cell phones. So in the terms of use, app makers must clearly state whether and what personal data they process and how they handle it.

As I mentioned in my September 30 parliamentary letter,(3) I see that with the increase in digital reading of passports and identity cards, it is not always clear whether the BSN is being processed or not. This is especially the case when digitizing processes at organizations that process personal data from passports and identity cards for their records. Therefore, when moving the BSN to the QR code, I decided not to include the BSN in the chip either. The QR code is then the only way to process the BSN automatically and there is no other data in the QR code other than the BSN. This makes it clearer when the BSN is processed or not. Of course, I will continue to monitor developments in the area of identity fraud to determine if any measures are needed.

Question 5

Can you explain why you do not consider certification or authorization for the marketing of these chip readers necessary?

Answer 5

Passport and identity card scanning equipment is used at many different agencies that need to identify individuals or process the personal data from a passport or identity card. Processing personal data is governed by the GDPR (AVG). Apps that process personal data must also comply with the GDPR.

Certification or consent of scanning equipment / chip readers means additional regulations and oversight in addition to the GDPR. This leads to a large increase in administrative burden disproportionate to the risk involved. To date, I have received no signals of identity fraud as a result of the use of this equipment.

Question 6

How do you assess the risk of identity theft when placing a QR code on passports? Do you agree with the statement of Maarten Wegdam, CEO of ReadID, that this increases the risk of identity theft because it is easier to forge than a chip? If not, why not?

Answer 6

The QR code itself is not a security feature, but it is part of an identity card or passport with multiple security features. The moment the QR code is forged or manipulated, the information read no longer matches the information on the passport or identity card. Therefore, I disagree with the statement that the QR code increases the likelihood of identity theft because a QR code is easier to forge than a chip.

Question 7

What is your reaction to Privacy First's Vincent Böhre's statement that a QR code is still easy to read and that the BSN should disappear completely from passports and other identification documents?

Answer 7

The BSN appears on passports and identity cards because BSN-processing agencies are required by law to verify that a BSN belongs to the person whose personal data is being processed. Omitting the BSN on these documents shifts the risks to the alternative that is then used to fulfill this legal verification requirement.

The QR code is intended to allow the BSN to be read easily and efficiently by BSN-processing agencies while eliminating the need for the BSN to be listed in the MRZ on the front of the holder page of passports. Citizens would no longer have to make the BSN illegible on a copy of the passport when the BSN is not necessary for the receiving agency. I have tested this proposal with the Autoriteit Persoonsgegevens. I have shared the results with your Chamber in my letter of September 30 this year.(3)

As I noted in Question 3, no rights can be derived from the BSN alone. When identity fraud occurs, more personal data are known. For that matter, completely omitting the BSN does not help solve identity fraud with data from passports and identity cards. Identity fraud mainly results from incorrect or incomplete identification processes, for example, basing identification on a copy of a passport. Combating identity fraud must first be sought in the robustness of identification processes. Within these processes, sufficient attention must be paid to verification of identity and authenticity features on a passport or identity card.

(1) FD, October 16, 2019.
(2) NFC: 'Near Field Communication' or the technology also used, for example, for contactless payments and the ov chip card.
(3) TK2019/20 25764 no. 121
(4) TK2019/20 25764 no. 121
