Mass storage of fingerprints violates the right to privacy 

Following the Court of Appeal of The Hague, today the Dutch Council of State (Raad van State) judged that municipal (‘decentral’) storage of fingerprints under the Dutch Passport Act is unlawful on account of violation of the right to privacy. The Council of State reached this conclusion in seven administrative law cases of Dutch individual citizens (supported by civil organization Vrijbit). At the start of 2014, the Court of Appeal of The Hague handed down a similar ruling in the civil Passport case by the Privacy First Foundation and 19 (other) citizens against the Dutch government. Subsequently however, our Passport trial was declared inadmissible by the Dutch Supreme Court and was redirected to the administrative judge: the Dutch Council of State. Privacy First then submitted its entire case file to the Council of State in order to reinforce the individual passport cases pending before this body. The Council of State (the supreme administrative court of the Netherlands) now rules similar to the way the Court of Appeal of The Hague has done before. Notwithstanding the later inadmissibility before the Supreme Court, the ban on the storage of everyone’s fingerprints in databases thus stands firm once again.

Faulty judgement and procedure

As was the case with the previous judgement by the Court of Appeal of The Hague, Privacy First regrets that the Council of State was unwilling to declare the storage of fingerprints unlawful on strictly principal grounds (that is, because of a lack of societal necessity, proportionality and subsidiarity), but merely on the basis of technical imperfections. Therefore, Privacy First will advise the concerned citizens to keep on litigating all the way up to the European Court of Human Rights (ECtHR) in Strasbourg. Considering the existing Strasbourg case law, there is a high likeliness that the Netherlands will still be condemned on principal grounds on account of violation of the right to privacy (art. 8 European Convention on Human Rights, ECHR). Privacy First also expects a condemnation on account of violation of the right of access to justice and an effective legal remedy (art. 6 and 13 ECHR). After all, civil litigation against the Dutch Passport Act proved to be impossible, and administrative legal action was possible only indirectly after the rejection of individual requests for new passports or ID cards (in case the applicants refused to have their fingerprints taken). In order to obtain their current victory before the Council of State, these citizens thus have had to get by for years without passports or ID cards, with all the problems and risks this entailed.

Exceptions for conscientious objectors

In today’s judgement, the Council of State also decided that the compulsory taking of two fingerprints for a new passport applies equally to everyone and that there can be no exceptions for people who do not want to have their fingerprints taken out of conscientious objections. Privacy First is doubtful whether this verdict will stand the scrutiny of the ECtHR. Apart from a violation of the right to privacy, it seems this decision is also in breach of the freedom of conscience (art. 9 ECHR). The fact that the European Passport Regulation does not include such an exception is irrelevant as this Regulation is subordinate to the ECHR.

RFID chips and facial scans

Privacy First also deplores the fact that the Council of State was not prepared to make a critical assessment of the risks of Radio Frequency Identification (RFID) chips (which include sensitive personal data that can be read remotely) in passports and ID cards. The same goes for the compulsory storage of facial scans in municipal databases. But these aspects, too, can still be challenged in Strasbourg.

Municipalities’ own responsibility

A small ray of hope in the judgement by the Council of State is that municipalities and mayors have their own responsibility to respect human rights (including the right to privacy) independently, even if this means independently refraining from applying national legislation because it violates higher international or European law:

"Insofar as the mayor claims that there is no possibility to deviate from the provisions (laid down in national law), the [Council of State] holds that pursuant to Article 94 of the [Dutch] Constitution, current statutory provisions within the Kingdom [of the Netherlands] do not apply if such application is not compatible with any binding provisions of treaties and of resolutions of international organizations.’’ (Source in Dutch, paragraph 6.)

This decision by the Council of State applies to all domains and could have far-reaching consequences in the future.

New ID cards for free

The ruling of the Council of State entails that for applications of new ID cards, fingerprints have been taken (and stored) on a massive scale but without a legal basis since 2009. Accordingly, Privacy First advises everyone in the possession of an ID card with fingerprints to change it (if desired) at his or her municipality for a free new one without fingerprints. If municipalities refuse to offer this service, Privacy First reserves the right to take new legal steps in this regard.

Published in Litigation

Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.

Cause for the ruling

In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give ones fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.

Bright spot: ID card without fingerprints

The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.

EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights

The EU Court in Luxemburg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!

Read the entire ruling of the EU Court HERE.

Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:

"Monstrosity.

A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.

The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.

Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.

Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced." 
Source: Telegraaf 17 April 2015, p. 2.

Published in Biometrics
Tuesday, 02 August 2011 14:06

Campaign: Municipality Guarantee Letter 2.0

Model Municipality Guarantee Letter 2.0

In case you are in need of a new Dutch passport or ID card even though you find it a problem having your fingerprints taken, you can protest against this and cover yourself against the possible consequences of how the Dutch government will deal with your personal data by using the letter below. You can download the Municipality Guarantee Letter for personal use in PDFpdfor in Word-format.

Privacy First has already filled in some possible objections in the model letter. However, you can alter or complete the letter to your own wishes.

At your request your municipality is obliged to accept this Municipality Guarantee Letter, according also to the Dutch National Ombudsman. See also the report about this in Dutch national newspaper De Telegraaf of 22 April 2010.

 

MODEL MUNICIPALITY GUARANTEE LETTER IN CASE OF A NEW PASSPORT OR ID CARD WITH FINGERPRINTS

REGISTER LETTER

Municipality [name of your municipality]
Attn [name of the mayor or the name of the authorised representative of the municipality]
[Address town hall]
[Postal code] [City]  

[Your place of residency], [Date]

Dear Sir/Madam [name of the mayor],

You, or one of your officials has stated that on account of the new Dutch Passport Act it is not possible for me to apply for a passport and/or ID card without me providing fingerprints. These fingerprints will be stored in an RFID-chip in my passport or ID card that can be read from a distance.  

I hereby protest against the taking of my fingerprints on the following grounds:

1) Having my fingerprints taken constitutes a violation of my human dignity. Fingerprints are to be taken of criminal suspects. Not of innocent citizens.
2) My fingerprints are, and remain, my property. The government has no say over this.
3) Current fingerprint technology (biometrics) does not work in 21-25% of cases. Going ahead with it is a waste of funds at the expense of citizens.
4) By having my fingerprints taken I risk becoming a victim of (biometric) identity fraud, for example after (the RFID-chip in) my passport or ID card has been stolen, lost or hacked into.

This situation constitutes an illicit restriction of my right to the protection of my private life as laid down in Article 8 of the European Convention on Human Rights. Therefore I only provide my fingerprints under protest of having to do so.

Moreover, I would like to point out to you that all actions carried out by the municipality with regard to my fingerprints have to comply with the rules of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp).

I hereby request you to declare, by signing this letter, that the municipality has taken note of my objections and will only process my fingerprints in compliance with the Wbp. This implies, among other things, that the municipality:

1) will process my fingerprints in a fair and accurate way;
2) will not proceed to further process my fingerprints in ways incompatible with the purposes for which the fingerprints have been obtained (viz., the issuance of a passport and/or ID card);
3) will not provide my fingerprints to any third parties without my explicit prior approval;
4) will not store my fingerprints any longer than is necessary for the realization of the purposes for which the fingerprints have been collected or processed (viz., the issuance of a passport and/or ID card); and
5) will protect my fingerprints against any loss or any form of unlawful processing by means of suitable technical and organizational measures.

I would like to receive this signed letter five days from now at the latest at the address indicated below.

Nothing in this letter may be assumed to be a recognition of the right of the municipality to carry out the above-described actions with my fingerprints. The content of this letter does not restrict any of my rights, all of which are reserved. Furthermore, I would like to point out to you that in case the municipality will process my fingerprints without taking the Wbp into account, or in any other illicit way, the municipality is bound to reimburse any possible damage suffered by me as a consequence.

Yours sincerely,

 

Signed for agreement on behalf of the municipality,

Name:

 

Name:

Address:

 

Function:

Date:

 

Date:

Signature:

 

Signature:

Published in Actions

The appeal by Privacy First and 19 citizens against the Dutch government takes place today. Privacy First is of the opinion that the new Dutch Passport Act violates the right to privacy. Despite criticism from the Dutch House of Representatives, the Dutch government recently decided to push this controversial law ahead. The case of Privacy First primarily concentrates on the centralised storage of fingerprints. This lawsuit is the first of its kind.

Clarification
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in Luxembourg regarding the European Passport Regulation. In anticipation of the Court’s response, all Dutch administrative proceedings have been put on hold for at least one and a half years, which means that protesting citizens have to fend for themselves during that period without valid identity documents. Enough reason for Privacy First to again haul up the civil-law sails in the public interest and to appeal in our Passport Act lawsuit.

To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.

Urgent appeal
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 49.55.27.521 attn. Stichting Privacy First in Amsterdam, mentioning the following reference: ‘Paspoortproces’. We kindly thank you for your support!

Published in Litigation

The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.    

Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.

Update 29 September 2012: see also our reaction in the Dutch regional press.

Published in Biometrics

This Tuesday afternoon it is expected that the Dutch House of Representatives will vote in favour of two important motions. The first motion urges the Dutch government to have the European Passport Regulation critically discussed in Brussels. The second motion appeals to the government to take a firm stand in Brussels for there to be a critical reaction to American extraterritorial legislation, such as the notorious US Patriot Act. Both motions have come into being partly as a result of earlier reports by Privacy First about 1) the futility of taking fingerprints for passports and ID-cards and 2) the risk of Dutch fingerprints secretly ending up in foreign hands.  

The current taking of fingerprints is the result of the European Passport Regulation. This regulation dates back to the end of 2004 and primarily came into existence under pressure of the American Bush administration. Back then there was hardly any critical discussion about the benefits and necessity of taking people's fingerprints for travel documents. At the time the responsible rapporteur of the European Parliament wasn’t even able to bring out into the open statistics about this matter, as was recently revealed through a FOIA-request filed by Privacy First. Soon it will be up to the European Commission to still prove the effectiveness of the Passport Regulation. In case the Commission fails in doing so, the Regulation should be discarded immediately.

Apart from fingerprints, the long arm of the Bush administration has for years been reaching deep into the heart of Europe. With the American Patriot Act in force, the US government acquired, among other things, the power to obtain information from European companies that are situated in America as well. But this piece of legal imperialism was nothing new for the Americans: in the American 'war on drugs', American powers have been reaching far across US land and sea borders for decades. Since 2001, the Patriot Act has extended this extraterritorial circus to the American 'war on terror'. The 2002 The Hague Invasion Act has the same colonial touch to it: under this law the American administration reserves the right to keep Americans out of the hands of the International Criminal Court, if needed by invading The Hague. Another, more recent example is the National Defence Authorization Act: this law provides the US army with the power to arrest 'terror suspects' anywhere in the world and put them in military detention without any form of due process for an unlimited period of time.

In recent years Washington has hardly cared about the jurisdiction of other countries and international law. It has been generally known that in the long run this could only lead to excesses. Therefore it’s an absolute mystery to Privacy First what led the Dutch government to extend the contracts with the French passport manufacturer Morpho (partially situated in the US) without the guarantee that the fingerprints of Dutch citizens could not end up in American (or other foreign) hands. It is now up to the Dutch government to still protect its citizens and to request the European Commission to do the same thing at the European level.

Update: Both motions have been adopted by the House of Representatives with an overwhelming majority! You can find a video of it HERE (in Dutch, starting at 9m55s). Only the right-wing Party for Freedom (PVV) rejected the motions.

Published in Law & Politics

The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).

The biometric passport as an unintended privacy gift

‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament.[1] In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?

‘Bystander syndrome’

In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.

Disproportionate

The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory).[2] In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.

Risks

With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.  

Positive change

It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed.[3] This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''



[1]
See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
[2]
See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
[3]
See Böhre supra footnote 1, p. 111 ff.
Published in Meta-Privacy

Thanks to a FOIA-request by the Privacy First Foundation, the official figures about look-alike fraud with Dutch passports and ID-cards have today, for the first time, become public. From these figures it emerges that the Dutch biometric passport with fingerprints is an absolutely disproportionate measure, the introduction of which should never have been allowed.

The primary argument from the Dutch government for introducing fingerprints in passports and ID-cards has for years been the same: fighting look-alike fraud. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his appearance resembles. This kind of swindler is also called an impostor. Questions about the scale of this type of fraud have hardly ever been asked, not by members of Dutch Parliament, nor by scientists or journalists. Those who raised a question about it in the last ten years were usually provided with an answer that left them none the wiser: figures about look-alike fraud would be ‘unknown’, ‘not publicly available’, ‘confidential’, or ‘secret’. The answer to the most recent parliamentary question in this respect dates back to October 2010:

- Question: ‘‘Is it true that the figures of look-alike fraud with ID documents are known, but that you are unwilling to provide them to the House of Representatives? Are you actually prepared to provide these figures to the House of Representatives?’’
- Answer by Dutch State Secretary Ank Bijleveld (Ministry of the Interior): ‘‘No, this is not true. Since such figures are unknown to me, it’s obvious I cannot send them to you.’’ (Dutch source)

Those who have been asking supplementary questions in recent years were often told we would be facing a massive phenomenon. In this way the idea of a 'dark figure' of crime of almost mythical proportions came into existence. That is to say, without any trace of evidence. So recently the Privacy First Foundation filed a FOIA-request to the department of the Dutch government that has been keeping track of the figures on look-alike fraud for years: the Dutch Expertise Centre on Identity fraud and Documents (Expertisecentrum Identiteitsfraude & Documenten, ECID) based at Schiphol Airport. The ECID falls under the Royal Netherlands Marechaussee (KMar) and is thus part of the Dutch Ministry of Defence. Privacy First knew from a reliable source that those figures could be found in the clear annual reports of the ECID from 2008 onwards. So recently we have simply made a request for those reports by email. Subsequently Privacy First received the Statistic Annual Overviews on Document Fraud (Statistische Jaaroverzichten Documentfraude) from 2008 to 2010 from the Ministry of Defence. (Update: the statistics from 2011 followed on 29 May 2012.) The following figures result from these annual reports relating to look-alike fraud with Dutch passports and ID-cards on Dutch soil:   

2008: 46 cases (source: Statistisch Jaaroverzicht Documentfraude 2008, p. 45)

2009: 33 cases (source: Statistisch Jaaroverzicht Documentfraude 2009, pp. 42-43)

2010: 21 cases (source: Statistisch Jaaroverzicht Documentfraude 2010, pp. 52-53)

2011: 19 cases (source: Statistisch Jaaroverzicht Documentfraude 2011, pp. 52-53).

The Netherlands has 17 million inhabitants. By now almost 7.5 million of those had their fingerprints taken to combat a handful of cases of look-alike fraud. By any standard this is a completely disproportionate situation and thereby forms a collective violation of the right to privacy of all Dutch citizens. Privacy First regards these figures as a strong backing in its lawsuit against the Dutch government regarding the new Dutch Passport Act and hereby makes a call to the government to immediately stop the compulsory taking of fingerprints for passports and ID-cards. Regardless of whether or not that’s against European policy.

Update 22 March 2012: At first Privacy First showed the numbers 63 (2009) and 52 (2010). However, those figures were based on a calculating error (they were counted twice), for which we apologise.  

Update 30 March 2012: internal documents from the Dutch Ministry of the Interior from 2004 also imply a relatively low figure for fraud and, moreover, high costs for introducing biometric technology in travel documents. Privacy First recently obtained these documents through a large-scale FOIA investigation that has been ongoing since April 2011.

Update 29 May 2012: Today Privacy First finally received the long-awaited Statistisch Jaaroverzicht Documentfraude 2011 from the Dutch Ministry of Defence. The number of cases of look-alike fraud with Dutch passports and ID-cards on Dutch soil (as far as the KMar is aware) according to this report were respectively... 11 and 8, so just 19 in total. We have updated the list of cases from 2008 to 2010 above with the figures from 2011. So the idea of look-alike fraud as a very small-scale phenomenon is once more confirmed. To burden the entire Dutch population with biometric passports and ID-cards as a countermeasure is and will be completely disproportionate and therefore unlawful.

Published in FOIA Requests
Wednesday, 26 October 2011 16:15

Mobile finger scanners? Not in my backyard.

This summer it was already announced (and commented on by Privacy First) but yesterday it again popped up in the media: this fall four regional Dutch police forces will carry out a pilot experiment with mobile finger scanners to track down illegal immigrants. In official jargon this experimental project is called a ‘learning park’, according to a long-awaited response (after three months) to earlier Parliamentary questions. What will our friends at the police learn in the 'park' called the Netherlands? Privacy First sheds some light on a number of possible 'learning moments':

1) collectively intruding upon other people’s privacy and physical integrity by taking fingerprints of everyone who, in the eyes of the policeman, could perhaps be ‘illegal’,

2) this is very likely to go hand in hand with discriminatory enforcement, ethnic profiling and increasing stigmatization of certain societal groups,

3) initially the scanners will mostly be used for ‘illegal’ immigrants (undocumented migrants) but will then be used for other groups and eventually for every citizen, for instance for the collection of outstanding fines or tax debts (so-called 'function creep'),

4) this year it already appeared that the current state of biometric technology (with current error rates in passports and ID cards of at least 21%) is still in its infancy and isn’t suitable for use on a massive scale,

5) with all the consequences this entails, among which are unjustified suspicions, unjustified immigration detention placements, mutual feelings of insecurity and risks of irritation, confrontations and aggression on the streets,

6) all of this not even considering possible data leakages and hacking of the used equipment,

7) and all of this without public Privacy Impact Assessments and cost-benefit analysis of the matter in hand.

Hence, these mobile finger scanners are dangerous toys. Our advice: don’t start using them. This ‘learning park’ is nothing less than a privacy swamp.

Published in Biometrics

Step 1: E-Gates at Schiphol Airport

Today a seemingly innocent article in Computable caught Privacy First’s attention. The title of the article is ‘‘Passport photo system is fraud sensitive’’ and its subtitle reads ‘‘Digital passport photo inadequate’’. The gist of the article is that the quality of the facial scans in passports (and ID cards) will have to be improved in order for the chance of mismatches in automated facial recognition at Schiphol Airport to be reduced. An experiment with facial recognition is currently planned for the fall of 2011. At Schiphol 36 so-called E-Gates will then be installed: gates for automatic border passage.    

On your way to the gate you will simply walk through one of those gates: the System verifies whether your face corresponds with the face on the chip of your passport. In case the System works 100% a 100% of the time then it’s enormously useful. In case it doesn’t, the System causes delays and irritation, long queues and new opportunities for identity fraud. And even if it does work faultlessly, there’s still a hidden 'catch': automatic screening of your security profile. Before coming to Schiphol you have already been completely screened on the basis of all possible databases that have been linked to you. Once at Schiphol it’s 'party time': without you knowing it your name has been assigned to a green, yellow, orange or red flag. More colors are possible. All of this remains unknown to you, which makes it all the more exciting. If you are taken apart from the queue at the E-Gate then it won’t be for a cup of tea and a biscuit, but to admire the color of your virtual flag once more. After all, it’s party time and the Royal Netherlands Border Police would rather not be color-blind. With a bit of luck you can still go aboard your plane, hoping of course that at the arrival in country X there’s no other feast of flags awaiting you.

Step 2: passport photo booth in the city hall

A few years later (on your return to the Netherlands) you need to renew your passport. For new passport photos you go to your local professional photographer. However, he redirects you to the city hall. For some time passports photos are still only allowed to be made there. You vaguely recall an article in Computable that already referred to this: ‘‘Mistakes [with passport photos] could be prevented by making a digital photo of the passport applicants in the city hall, at the moment they make their passport application.’’ At the time (2011) this seemed enormously useful to the government. Henceforth no more hassle with professional photographers but high definition 3D photos taken straight away in a special Big Brother booth at the town hall, easy as that. Designed initially for E-Gates at Schiphol, then used for automatic facial recognition in shops and on the streets, eventually worldwide. A comparable Dutch plan was rejected in 2007 under pressure from the sector of professional photographers. Since that time our country was hit by one recession after the other. Meanwhile the Dutch privacy movement flourished. But that wasn't meant to spoil the 'fun'. Therefore it took the Dutch government a lot of effort to convince photographers that they could very well do without their passport photo revenues. Not to mention the privacy of Dutch citizens.

Will this be our future? Not if it’s up to Privacy First. We’ll keep you posted.

Published in Profiling
Page 1 of 2

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
IIR banner

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon