Are security documents secure?

Next year Norway will have its first National ID Card. At the same time, the new generation of passports will be introduced. These documents will contain a number visible and invisible features which shall prevent forgery and misuse.
Published: 6/6/2017

They will also be made in a way that enables detection of attempts of manipulation.

The new documents are highly technological, electronic and machine readable. This means that they can be checked automatically and more efficiently. Along with the biographical information, they contain biometric data like fingerprints.

The term ‘security documents’ is often used about this type of documents, as opposed to e.g. a birth certificate. Birth certificates rarely contain security features, and are in general poorly protected against misuse. Birth certificates and other similar documents are called ’breeder documents’.

Acccording to this definition, there is no douvt that both the new Norwegian passport and the ID card are security documents.

The crucial and challenging question is:

Is a security document in reality a secure document?

If this question is about the document in itself, the answer is yes. Even if even the most modern security documents are subject to manipulation and need to be improved continuously, they are at a level of security that constitutes a high threshold for manipulation.

On the other hand, - if one is talking not only the document in itself, but also includes such secumstances as application and issuanc eroutines, ID control linked to issuance and the risk of unauthorized issuance, the answer is a different one.

In an overall perspective, the security document is not necessarly a secure document.

This is bad news for the technolocy optimists among us and a neverending challenge to issuing authorities.

Even the most modern and advanced passport will have a low credibility if the issuer is not in control of whom the passport is really being issued to.

A document that is well secured against manipulation is obviously an instrument for linking a person to the document. The expression used is that the identity is ‘locked’.

The link between the document and the correct identity of the person is far weaker. The more sure the issuer is that the receiver of the document is really is who he or she claims to be, the stronger the link to the real identity will be.

The problem is that passports and national ID cards are often issued on the basis of breeder documents that are not as well protected against forgery or other forms of misuse. Therefore, the application and issuance procedures are the weakest link of the ID chain.

As long as this link is weak, there is proof to the claim that a security document is not a secure document. The fact that the identity is locked does not mean that it is correct.

The paradox of ever more secure documents is the possibility of establishing a biometrically confirmed, false identity. I.e. a false identity based on a technically genuine, advanced security document. Security documents have high credibility and are used in most cases where identity needs to be clarified.

The document laboratory of the Norwegian ID Centre frequently sees examples of persons having presented a technically genuine passport along with falsified breeder documents. If the breeder documents were the basis of the issuance of the passport, this tears apart the credibility of the passport, since it will then have been issued on false pretenses.

In this years’s edtion of ‘Misuse of ID Documents 2016’, the Norwegian ID Centre points out a clear tendency of other documents in addition to passports having been subject to manipulation. This is an expected development, obviously due to the fact that passports are becoming increasingly difficult to falsify. Of the total number of false documents detected in 2016, only 23% were passports.

No matter what measures one chooses to take to make security documents secure documents in an overall perspective, the phase prior to the issuance is the critical one. Ultimately, the degree of security is determined by what has been the basis of the issuance.