
Page 1: Department of Foreign Affairs and Trade & Australian Customs

PRIVACY ACT 1988 (CTH)

SECTION 27(1)(h)

ePASSPORT & SMARTGATE TRIAL DEPARTMENT OF FOREIGN AFFAIRS AND TRADE AND

AUSTRALIAN CUSTOMS SERVICE

UNCLASSIFIED FINAL AUDIT REPORT

INFORMATION PRIVACY PRINCIPLES AUDIT

AUDIT UNDERTAKEN: April/May 2005

DRAFT REPORT ISSUED: June 2005

FINAL REPORT ISSUED: October 2005


Office of the Privacy Commissioner Final Audit Report 2

Classified Content

This is an unclassified version of the final audit report completed by the Office of the Privacy Commissioner in October 2005. The report has been amended to withhold some details regarding the assessment criteria used by Customs when processing persons entering Australia. These details were withheld, as requested by Customs, to protect the integrity of Australia’s border control processes. No amendments have been made to the Findings and Recommendations section of the report.


TABLE OF CONTENTS

1 SUMMARY OF RECOMMENDATIONS .....................................................................4

2 OVERVIEW: BIOMETRICS FOR BORDER CONTROL.............................................5

3 OVERVIEW OF AUDIT ...............................................................................................6

3.1 Timing and location ........................ 6
3.2 Purpose ........................ 6
3.3 Scope and focus ........................ 6
3.4 Opinion ........................ 7
3.5 Follow up review and reporting ........................ 8

4 DESCRIPTION OF OPERATIONS .............................................................................8

4.2 ePassports ........................ 8
4.3 Passport Application Process ........................ 9
4.4 Passport Production ........................ 10
4.5 Passport Document Security ........................ 11
4.6 SmartGate Trial ........................ 12
4.7 Operation of the SmartGate Kiosk ........................ 12
4.8 SmartGate Trial Transaction Log ........................ 13

5 FINDINGS AND RECOMMENDATIONS ..................................................................13

Findings and recommendations in respect of DFAT’s ePassport trial ........................ 13
5.1 Notice ........................ 13
5.2 Security of information held on the chip ........................ 16
Findings and recommendations in respect of Customs’ SmartGate facial recognition trial ........................ 17
5.3 Managing biometric templates as personal information ........................ 17

6 OBSERVATIONS......................................................................................................18

6.1 DFAT’s Retention and Storage of Hard Copy Passport Applications................18


1 SUMMARY OF RECOMMENDATIONS

Findings and recommendations in respect of DFAT’s ePassport trial

Recommendation 1

The auditors recommend that DFAT take steps, in accordance with IPP 2, to ensure that individuals are appropriately advised of the additional biometric purposes for which passport photographs are being collected by DFAT. It is recommended that, if possible, DFAT include a brief notice to this effect in all relevant passport application forms to complement the biometrics pamphlet to be produced. If it is not practicable to amend the application form before the implementation of the ePassport, the auditors recommend that DFAT take additional steps to ensure that passport applicants are made aware of the availability of information regarding the introduction of biometric technology into Australian passports and passport processes.

Recommendation 2

The auditors recommend that DFAT consider implementing the highest level of passport chip security suggested by ICAO, to ensure that a best practice approach to data security is maintained. The auditors recommend that DFAT adopt Basic Access Control as a minimum standard to protect the information held on the ePassport chip from the possibility of data skimming and eavesdropping.

Findings and recommendations in respect of Customs’ SmartGate trial

Recommendation 3

The auditors recommend that Customs treat biometric templates as personal information unless Customs can be assured that this information is de-identified and cannot be re-identified.

Observations in respect of DFAT’s retention and storage of hard copy passport applications

Recommendation 4

The auditors recommend that DFAT review the physical security of hard copy passport applications held at Australian Passport Offices to ensure that adequate safeguards are in place to protect the security of this information. Such safeguards may include: ensuring that hard copy passport applications are retained for the minimum period necessary; further limiting access to passport application storage areas; and implementing a system to track the movement of hard copy passport applications that are removed from the storage area for use by passport office staff.


2 OVERVIEW: BIOMETRICS FOR BORDER CONTROL

2.1.1 In the 2004-05 financial year, the Australian Government provided $9.7 million to the Department of Foreign Affairs and Trade (DFAT), the Australian Customs Service (Customs) and the Department of Immigration and Multicultural and Indigenous Affairs (DIMIA) for research and development projects related to the development of biometric technologies for border control purposes.

2.1.2 Under this biometrics for border control project, DFAT extended its biometric passport (or ‘ePassport’) trial, issuing prototype ePassports to select volunteer Qantas crew and testing ePassport compatibility with US border control equipment. Customs also extended the trial of its automated facial recognition system, SmartGate, introducing new SmartGate kiosks at Sydney and Melbourne international airports capable of reading the Australian prototype ePassport. Additionally, DIMIA received funding to research and test biometric technologies with regard to their possible use for identity management purposes in respect of immigration processes.

2.1.3 The Office of the Privacy Commissioner (OPC) was also involved in this cross agency project and was funded by Customs for the 2004-05 financial year to provide advice and oversight regarding privacy issues arising from the Biometrics for Border Control projects undertaken by Customs, DFAT and DIMIA. Under the 2004-05 Development of Biometrics for Border Control Implementation Plan, the OPC committed to conduct a privacy audit of an aspect of the tri-agency Biometrics for Border Control project.

2.1.4 The OPC decided, in consultation with the three agencies, to conduct an audit of the information flows relating to DFAT’s ePassport trial and the corresponding use of the prototype ePassports by Customs in its trial automated facial recognition system, SmartGate.

2.1.5 Notably, in the 2004-05 financial year DFAT and DIMIA each conducted an assessment of the privacy impact of their respective Biometrics for Border Control projects utilising the Privacy Commissioner’s draft privacy impact assessment guidelines, Managing Privacy Risk – An Introductory Guide to Privacy Impact Assessment for Australian Government and ACT Government Agencies (Consultation Draft). Customs advises that it conducted an initial privacy impact assessment of the SmartGate trial in 2002 and intends to conduct another assessment to inform the development of its complete automated border processing system for implementation. DFAT’s assessment of the privacy impact of its ePassport project, Privacy Impact Assessment: Biometrics and ePassports, is included as background to this Audit at Attachment A. Please note that this report is produced by DFAT and reflects its own assessment of the privacy risks and controls associated with its biometrics program.


3 OVERVIEW OF AUDIT

3.1 Timing and location

3.1.1 Between April and May 2005, the OPC conducted an audit of DFAT’s ePassport trial and Customs’ SmartGate trial, under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Privacy Act). The auditors conducted a range of site visits over this period. Specifically, the auditors reviewed:

• passport database access and security at DFAT’s Canberra Office on 28 April 2005;

• passport production at the Royal Australian Mint on 28 April 2005; and

• the processing of passport applications at the Sydney Passport Office on 4 May 2005.

3.1.2 The auditors also included a previously undertaken inspection of Customs’ trial SmartGate facial recognition system at Melbourne international airport on 23 February 2005 within the scope of the audit.

3.1.3 The auditors interviewed senior operational and/or technical staff at each of the sites and were also provided with policies and procedures relating to the DFAT and Customs trials.

3.2 Purpose

3.2.1 The principal purpose of the audit was to ascertain whether Customs and DFAT are handling the personal information collected in the course of the ePassport and SmartGate trials in accordance with the Information Privacy Principles (IPPs) in the Privacy Act. In doing so, the auditors also sought to identify differences in information collection and management between current systems and the systems demonstrated in the respective trials and to consider how any emergent privacy risks might be alleviated in the future development and implementation of these systems.

3.3 Scope and focus

3.3.1 The auditors focused on the management of personal information by DFAT and Customs in the issuing of prototype ePassports and their use at SmartGate kiosks at the border and how this differs from current processes. In particular, the auditors focused on the:

• proposed introduction of biometric technology for identity and entitlement verification purposes in the passport application process;

• collection and management of personal information for inclusion in the prototype ePassport;


• security of personal information recorded on prototype ePassports; and

• collection and management of personal information from prototype ePassports by Customs for its automated facial recognition trial.

3.3.2 It should be noted that the auditors did not consider the collection and management of personal information by Customs in respect of the first phase of the SmartGate trial which utilised a centralised database of facial images to test facial recognition technology at the border. Rather, the auditors limited the scope to consider the second phase of the trial only, which uses the facial image stored on the prototype ePassport, as this more closely reflects the system that Customs ultimately intends to implement.

3.3.3 Importantly, the auditors did not, within the scope of this audit, consider the overall benefits or disadvantages of the introduction of biometric technology into border control systems. Rather, the audit seeks to consider how any privacy risks revealed through consideration of the trial biometric systems can be minimised prior to the broader implementation of such systems.

3.3.4 Finally, it is understood that DFAT and Customs will seek to comply with International Civil Aviation Organisation (ICAO) standards in respect of the use of biometrics in passport documents. Assessment of the privacy impact of these standards is also outside the scope of this audit.

3.4 Opinion

3.4.1 The audit revealed that the personal information collected by DFAT and Customs in respect of the ePassport and SmartGate trials was generally managed in accordance with the IPPs in the Privacy Act. In particular, the auditors observed DFAT to have a strong culture of privacy protection in respect of its passport issuing functions, reflecting the importance of data quality and data security to its core business in this area. The introduction of biometric technology into the passport issuing process, specifically in respect of identity and entitlement verification, appears to be generally consistent with DFAT’s current processes and protections in this regard.

3.4.2 However, the introduction of a contactless chip into Australian passports, as trialled by DFAT, and the use of images recorded on such chips to allow for automated facial recognition at the border, as demonstrated by Customs’ SmartGate trial, presents potentially significant changes in the management and use of personal information. It is less clear, at this stage, how significant the privacy risks will be in respect of these changes. As such, it is the opinion of the auditors that a conservative approach should be taken in the future implementation of ePassports and associated biometric systems, allowing for significant data security controls and limitations on information use. In this regard, the auditors are encouraged by a recent decision made by DFAT to increase the security controls built into the ePassport chip.

3.4.3 It is the auditors’ opinion that in taking such an approach and by addressing the other recommendations made in this report, DFAT and Customs will be better placed to implement a model of biometric use that complies with the IPPs and reflects good privacy practice.

3.5 Follow up review and reporting

3.5.1 The OPC has received additional funding over the next four years (2005-06 to 2008-09) to allow it to pursue an audit program of the biometrics for border control projects undertaken by DFAT, Customs and DIMIA as they continue to be developed and implemented. It is anticipated therefore that the OPC will conduct a follow-up audit of both the ePassport and SmartGate projects within this timeframe.

4 DESCRIPTION OF OPERATIONS

4.1.1 This section provides a brief overview of the information flows associated with DFAT’s ePassport trial and the use of ePassports in Customs’ trial facial recognition system, ‘SmartGate’, as observed by the auditors. This is described by consideration of the current processes of passport application, production and use at Australian borders so as to highlight the impact the introduction of an ePassport and associated biometric capability may have on such processes.

4.2 ePassports

4.2.1 The prototype ePassport produced by DFAT for the purposes of the trial differs from the current Australian passport by the inclusion of a contactless chip inserted within the passport document. The chip (which operates using Radio Frequency Identification (RFID) technology) holds the same information as is currently recorded in the machine readable zone of the passport (and that also appears on the passport bio-data page) as well as an electronic copy of the individual’s passport photo. The electronically held photograph of the individual provides a facial biometric which can be used for automated identity confirmation processes using facial recognition technology.
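Recommendation 2 asks DFAT to adopt Basic Access Control (BAC) so that the MRZ data and photograph held on the chip described above cannot be skimmed or eavesdropped. The following Go program is an added illustration, not part of this report or of DFAT’s system: it shows the reader-side idea behind BAC, where the chip access keys are derived from the machine readable zone (document number, date of birth and date of expiry with their check digits), so a reader that has not optically read the open booklet cannot derive the keys and cannot read the chip. The MRZ field values are sample inputs (those used in ICAO Doc 9303’s BAC worked example).

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// mrzCharValue maps an MRZ character to its check-digit value:
// digits 0-9 as themselves, letters A-Z as 10-35, the filler '<' as 0.
func mrzCharValue(c byte) int {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0')
	case c >= 'A' && c <= 'Z':
		return int(c-'A') + 10
	default: // '<' filler
		return 0
	}
}

// CheckDigit computes the 7-3-1 weighted check digit printed after each
// MRZ field; the reader uses it to confirm it read the field correctly.
func CheckDigit(field string) byte {
	weights := []int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		sum += mrzCharValue(field[i]) * weights[i%3]
	}
	return byte('0' + sum%10)
}

// MRZInformation concatenates document number, date of birth and date of
// expiry, each followed by its check digit. This is the only secret a BAC
// reader holds, and it is obtained by optically reading the MRZ.
func MRZInformation(docNumber, dateOfBirth, dateOfExpiry string) string {
	var b strings.Builder
	for _, f := range []string{docNumber, dateOfBirth, dateOfExpiry} {
		b.WriteString(f)
		b.WriteByte(CheckDigit(f))
	}
	return b.String()
}

// adjustParity forces odd parity on every byte, as DES/3DES keys require.
func adjustParity(key []byte) {
	for i, k := range key {
		if bits.OnesCount8(k)%2 == 0 {
			key[i] = k ^ 1
		}
	}
}

// OddParity reports whether every byte of key has odd parity.
func OddParity(key []byte) bool {
	for _, k := range key {
		if bits.OnesCount8(k)%2 == 0 {
			return false
		}
	}
	return true
}

// deriveKey implements the ICAO key derivation: SHA-1(Kseed || counter),
// truncated to 16 bytes (two single-DES keys) and parity-adjusted.
func deriveKey(kseed []byte, counter uint32) []byte {
	d := append(append([]byte{}, kseed...), 0, 0, 0, byte(counter))
	h := sha1.Sum(d)
	key := h[:16]
	adjustParity(key)
	return key
}

// BACKeys derives the keys used to open a secure channel to the chip: Kseed
// is the first 16 bytes of SHA-1(MRZ_information); KENC (counter 1) protects
// confidentiality and KMAC (counter 2) integrity of the reader-chip exchange.
func BACKeys(docNumber, dateOfBirth, dateOfExpiry string) (kenc, kmac []byte) {
	seed := sha1.Sum([]byte(MRZInformation(docNumber, dateOfBirth, dateOfExpiry)))
	return deriveKey(seed[:16], 1), deriveKey(seed[:16], 2)
}

func main() {
	// Sample MRZ fields (the inputs of ICAO Doc 9303's BAC worked example).
	doc, dob, exp := "L898902C<", "690806", "940623"
	fmt.Println("MRZ_information:", MRZInformation(doc, dob, exp))
	kenc, kmac := BACKeys(doc, dob, exp)
	fmt.Println("KENC:", hex.EncodeToString(kenc))
	fmt.Println("KMAC:", hex.EncodeToString(kmac))
}
```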

4.2.2 Both the adoption of facial biometrics as the biometric identifier included in the ePassport and the use of a contactless chip to store this information are consistent with the standards adopted by ICAO in 2003 in respect of Machine Readable Travel Documents [1]. The ICAO standard requires facial biometrics to be used as the primary biometric identifier for passports with the use of additional biometric identifiers such as fingerprints or iris scans optional. The prototype ePassport produced by DFAT includes a single biometric identifier only: the facial biometric. DFAT advises that it does not anticipate including further biometric identifiers in the Australian ePassport at this time, though it is notable that the chip used in the prototype document would appear to have sufficient excess capacity to allow for such inclusions in the future.

[1] See: ICAO (2004) Technical Report: Biometrics deployment of Machine Readable Travel Documents Version 2.0; or summarised in ICAO May 2003 Press Release Biometric Identification to Provide Enhanced Security and Speedier Border Clearance for Travelling Public [documents available at: http://www.icao.int/mrtd/download/technical.cfm]


4.2.3 Approximately 2500 prototype ePassports were issued to select volunteer Qantas crew during the course of the trial. The ePassports were issued in accordance with standard passport application processes and as such were able to be used as authorised travel documents at the Australian border.

4.3 Passport Application Process

4.3.1 Throughout the trial, all applications for prototype ePassports were processed at the Sydney Passport Office. The auditors reviewed the operations of the Sydney Passport Office and were advised of the additional processes that had been implemented for the processing of ePassports in the context of the trial. However, at the time of inspection, the processing of ePassport applications for the trial had ceased.

4.3.2 The passport application process is the principal mechanism by which DFAT collects individuals’ personal information for its passport functions. Information is primarily collected directly from the individual via the various passport application forms to which the applicant is also required to attach supporting proof of identity and citizenship.

4.3.3 Information that may be collected in an application for a new Australian passport includes: full name of applicant (both current and former names); date and place of birth; citizenship details; mother’s maiden name; approximate height; previous passport details; contact and address details; guarantor information; for child applicants, parents’ details and any relevant court orders; and a passport photograph of the applicant. The auditors were advised that no further information was collected from individuals applying for an ePassport under the ePassport trial, with the passport photo adopted as the biometric to be used for automated identity and entitlement verification purposes.

4.3.4 Completed application forms are either collected directly from the individual at a DFAT passport office or are sent to the relevant passport office in daily batches from external authorised agents (specifically Australia Post) or from Australian consulates overseas. An initial interview is conducted by the DFAT processing officer, Australian consulate officer or authorised agent which includes manual comparison of the presenting applicant to the passport photograph provided.

4.3.5 Application forms and attached documents are scanned at the passport office. Picture files of the scanned documents (including colour scans of the passport photo and signature) are recorded on a centralised database; Delta. The hard copies of the application documents are securely destroyed approximately three months after the passport is issued, with the scanned electronic files retained as a record of the source application. The Delta database has been in operation since 1995. However, DFAT advised that only photos collected from May 2000 onwards have been recorded in a format that allows the photo to be used for biometric purposes. DFAT advises that this existing collection of photos has been used for internal research and development projects involving biometric facial recognition technology.


4.3.6 A separate database, Passport Issuing Control System (PICS), is used to record and manage the data provided in the application form. Access to both databases, including read access, is recorded in an electronic audit trail with physical access to the databases highly restricted.

4.3.7 Once the applicant’s information has been recorded, approximately 124 checks are conducted to verify the information provided and confirm the individual’s identity and entitlement to receive an Australian passport. For example, the application data is checked against existing passport allocations recorded on PICS to confirm that the applicant does not have an existing passport and to confirm that new passport details are consistent with previous passports. Checks are also conducted with external agencies such as State Offices of Births, Deaths and Marriages to verify date of birth and name details. Such checks require the disclosure of identifying information to the external agency to allow the external agency to match the information with its source records. DFAT advises that where possible, this is an automated process which reports a ‘yes/no’ response. Where a ‘no’ response is received or issues are otherwise identified in this process, the application is queued for manual checking and amendment or further investigation.

4.3.8 The auditors were advised that the introduction of biometric technology will allow for the introduction of a further set of tests at this stage of the application process. It is anticipated that the colour scan of the applicant’s photograph will be converted to a biometric template which will be matched against a separate database of biometric templates derived from photographs of current and/or former passport holders. In this manner, DFAT aims to be able to identify any individual applying for multiple passports under different names. The auditors were advised that where any such additional tests are introduced it is anticipated that they will be integrated into the existing checking procedure whereby issues identified through automated checks are referred to a manual review process. As such, where a possible facial biometric match is identified, the matter will be referred to a manual assessment process, and, if deemed necessary, to the fraud investigation team.

4.3.9 The auditors were advised that this identity verification process, using biometric technology, is still under development and was not implemented in the context of the ePassport trial. However, the auditors observed that a trial system of facial recognition, comparing the facial biometric of specific individuals to a database of facial biometrics (‘one to many’ matching) is currently operationally in use for specific fraud investigation purposes. DFAT has advised that it hopes to be able to implement automated matching using facial biometrics into the passport application process concurrently with the implementation of ePassports.

4.4 Passport Production

4.4.1 Blank passport booklets are currently produced for DFAT by Note Printing Australia in Melbourne. The blank prototype ePassport documents developed for the trial were also manufactured at Note Printing Australia with the unwritten contactless chip built into the document at this time.

4.4.2 Blank passports are securely transported to passport offices around Australia and to the primary passport printing location at the Royal Australian Mint (the Mint) in Canberra. The auditors observed the passport printing area at the Mint and at the Sydney Passport Office. Both had strict security controls that limited and regulated access to the printing area.

4.4.3 During the printing process, batches of passports are tracked as they move from one staff member to the next. Therefore, if a document were to go missing through the process, it could be identified where in the chain of actions the document was situated before its disappearance.

4.4.4 The bio-data page and machine readable zone are printed onto the passport document from an electronic list of approved applications and final manual quality assurance checks are undertaken. The personalised passports are then either sent by registered mail directly to the applicant, are transferred to select overseas consulates for distribution to applicants outside of Australia or are held for collection at Australian Passport Offices.

4.4.5 All prototype ePassports produced for the trial were personalised (the document printed and the chip written to) at the Mint. However, at the time of the audit, production of the prototype ePassport had ceased and as such, the auditors did not view first hand the process by which the Passport (and specifically the chip) was personalised. Nevertheless, operational staff at the Mint were able to advise the auditors of the additional production processes that had been used to write to the chip during ePassport production.

4.4.6 The auditors were advised that once the ePassport document had been personalised by the printing of the bio-data page, including the machine readable zone, the ePassport would be diverted to a chip writing process. Authority to write to the chip was provided by use of an encrypted PIN recorded on a Smartcard. The PIN activates the ‘write’ process allowing the individual’s bio-data and electronic photograph to be recorded on the chip. Importantly, DFAT advised that the PIN activates the ‘write’ process only once, that is, the PIN cannot be used to subsequently rewrite or amend the information on the chip. However, DFAT advised that there is capacity for further information to be written to the chip, to allow for possible future policy or technological developments that may require further information to be included, such as electronic visa information. DFAT has a separate code that allows it to re-write to the chip. This code is held separately on the mainframe, to which access is highly restricted. Whilst information could be added to the chip using this code, there is no mechanism for amending information once written to the chip. DFAT advised that if a chip has been written to incorrectly or if the information otherwise requires amendment, the chip and passport document would need to be destroyed and a new passport document created. This is consistent with current procedures whereby a new passport document is created if the information on the bio-data page of the passport is printed incorrectly or requires amendment.

4.5 Passport Document Security

4.5.1 Supplementing the document security features included in the current passport document (such as watermarks, holograms and latent images), the auditors were advised that additional security features have been introduced with the development of the prototype ePassport, to protect the chip. Specifically, DFAT advises that tamper evidence controls have been developed including insertion of the chip in the centre page of the passport booklet which also encloses the booklet stitching and design of the centre page to disintegrate if attempts are made to remove the chip, limiting any capacity for the chip to be removed without the booklet showing clear evidence of tampering.

4.5.2 DFAT also advises that the chip included in the prototype ePassport is secured using Public Key Infrastructure (PKI) technology consistent with the minimum ICAO standard for chip security [2]. Using PKI technology, digital signatures are encoded on the chip allowing the reader to confirm that the chip has been written to by an authorised source (in this case, DFAT) and that no unauthorised modifications have since been made.
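To make the check described in 4.5.2 concrete, the following Go program is an added example, not the report’s or DFAT’s own code, of how a reader confirms that the chip’s data groups were signed by the issuer and have not been altered since personalisation. It assumes a simplified model: an ECDSA P-256 key stands in for the ICAO document signer certificate chain, SHA-256 is the hash, and the data groups (DG1 MRZ data, DG2 facial image) are constructed sample bytes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// DataGroups models the chip's logical data structure: DG1 = MRZ data, DG2 = facial image.
type DataGroups map[int][]byte

// SecurityObject is a simplified model of the signed security object written to
// the chip: one hash per data group plus the document signer's signature over
// the hash list. The hashes, not the data groups themselves, are what is signed.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte // DER-encoded ECDSA signature
}

// NewDocumentSigner creates the issuer's signing key (assumption: ECDSA P-256;
// the real scheme uses X.509 certificates chained to a country signing CA).
func NewDocumentSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SampleDataGroups returns constructed chip contents for the demonstration.
func SampleDataGroups() DataGroups {
	return DataGroups{
		1: []byte("P<AUSCITIZEN<<SAMPLE<<<<<<<<<<<<<<<<<<<<<<<<<"), // constructed MRZ data
		2: []byte("\xff\xd8 constructed JPEG-like facial image bytes"),
	}
}

// encodeHashList serialises the hash list in a fixed order so that the issuer
// and the reader sign and verify exactly the same bytes.
func encodeHashList(h map[int][32]byte) []byte {
	ids := make([]int, 0, len(h))
	for id := range h {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	var buf bytes.Buffer
	for _, id := range ids {
		buf.WriteByte(byte(id))
		d := h[id]
		buf.Write(d[:])
	}
	return buf.Bytes()
}

// Personalise is the issuer side (DFAT in the report): hash every data group
// and sign the list of hashes with the document signer's private key.
func Personalise(dgs DataGroups, signer *ecdsa.PrivateKey) (SecurityObject, error) {
	so := SecurityObject{Hashes: map[int][32]byte{}}
	for id, data := range dgs {
		so.Hashes[id] = sha256.Sum256(data)
	}
	digest := sha256.Sum256(encodeHashList(so.Hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return SecurityObject{}, err
	}
	so.Signature = sig
	return so, nil
}

// Verify is the reader side (the SmartGate kiosk): first confirm the security
// object was signed by the trusted document signer, then confirm every data
// group read from the chip still matches its signed hash.
func Verify(dgs DataGroups, so SecurityObject, trusted *ecdsa.PublicKey) error {
	digest := sha256.Sum256(encodeHashList(so.Hashes))
	if !ecdsa.VerifyASN1(trusted, digest[:], so.Signature) {
		return errors.New("security object not signed by the trusted document signer")
	}
	for id, data := range dgs {
		want, ok := so.Hashes[id]
		if !ok {
			return fmt.Errorf("DG%d is on the chip but not covered by the security object", id)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d has been modified since personalisation", id)
		}
	}
	return nil
}

func main() {
	signer, _ := NewDocumentSigner()
	dgs := SampleDataGroups()
	so, _ := Personalise(dgs, signer)
	fmt.Println("genuine chip:", Verify(dgs, so, &signer.PublicKey))
	// Swap the facial image: its hash no longer matches the signed security object.
	tampered := DataGroups{1: dgs[1], 2: []byte("substituted image")}
	fmt.Println("modified DG2:", Verify(tampered, so, &signer.PublicKey))
}
```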

4.6 SmartGate Trial

4.6.1 To test the prototype ePassports Customs extended its SmartGate facial recognition trial to introduce new SmartGate kiosks at Melbourne and Sydney airports. The new kiosks are designed to read the prototype Australian ePassport and use biometric technology to verify that the person presenting at the kiosk is the person whose image is captured in the ePassport. Customs stated that the objective of the new SmartGate kiosks was to test the automated border clearance system for aircrew using the prototype ePassport. However, Customs advised that this test does not represent a simulation of a fully automated border processing system.

4.7 Operation of the SmartGate Kiosk

4.7.1 The auditors observed the operation of the SmartGate kiosk at Melbourne airport and compared this with the current manual border processing system. In the current process the personal information recorded on the bio-data page of an individual’s passport is retrieved from the machine readable zone on the individual’s passport via an automated system. The processing Customs officer then conducts a manual face to photo match to verify that the presenting individual is the rightful owner of the passport document. Processing via the trial SmartGate system is similar though the bio-data is read from the contactless chip in the ePassport rather than from the machine readable zone and importantly the face to photo match is automated.

4.7.2 The auditors observed that the prototype ePassport holder commences his or her interaction with the SmartGate system by placing his or her ePassport closed on the chip reader. When SmartGate registers that the passport has been placed on the reader, the individual is directed to look at an identified point on the kiosk and to remain still. A video stream is collected from one of the three cameras, depending on the person’s height. SmartGate generates a biometric template from this video stream. Simultaneously, a biometric template is generated from the image retrieved from the chip in the ePassport. These templates are then compared.

[2] For information on the ICAO standard see: ICAO (2004) Technical Report: PKI for Machine Readable Travel Documents offering ICC Read-Only Access Version 1.1 [available at: http://www.icao.int/mrtd/download/technical.cfm]


4.7.3 In addition to the automated matching of the live photo to the ePassport image, SmartGate conducts a number of other checks of the information retrieved from the chip that are consistent with checks conducted from information retrieved from the machine readable zone in current Customs processes. Checks are also conducted as to the authenticity and validity of the chip itself.

4.7.4 Failure of any of these checks, including the facial match, chip validity or a procedural failure (e.g. poor quality of the live image due to movement, or inability to read the chip due to incorrect placement on the reader), results in the individual being directed to a Customs Officer for manual processing. Where the transaction is successful, the barrier gate opens and the individual is directed to walk through the kiosk.

4.8 SmartGate Trial Transaction Log

4.8.1 The trial SmartGate system generates a log for each SmartGate transaction which includes two images (the image retrieved from the ePassport and the ‘best image from live acquisition’) and the respective biometric templates generated for each image. Customs advises that this log is collected for the principal purpose of assessing the trial, allowing Customs to analyse the timeliness and accuracy of transactions.

4.8.2 Also included in this log is a record of whether the transaction was successful or unsuccessful with the reason for any failure identified. Customs advises that the information collected in the log is stored on a central server to which access is limited to the SmartGate project team and support staff. An audit trail is retained of all logins to the system.

4.8.3 Customs advises that certain information from the log has been disclosed to the Defence Science and Technology Organisation (DSTO) to allow it to undertake a technical assessment of the SmartGate trial. Specifically, Customs advises that DSTO were provided with the biometric templates generated from the ePassport image and the image taken at the kiosk, the date and time of the transaction and the transaction and record identifications.

4.8.4 Customs advised that a decision has not yet been made as to whether, and to what extent, personal information would be collected in a transaction log beyond the context of the trial. Customs advised that the OPC would be consulted in respect of any decision in this regard.

5 FINDINGS AND RECOMMENDATIONS

Findings and recommendations in respect of DFAT’s ePassport trial

5.1 Notice

5.1.1 The auditors note that no further personal information was collected by DFAT in the production of prototype ePassports than is currently collected to produce standard passports. Further the auditors understand that DFAT does not, at this stage, intend to collect any further personal information from passport applicants with the proposed broader implementation of the ePassport.

5.1.2 However, with the introduction of biometric technology into DFAT’s passport issuing processes and the introduction of an ePassport with biometric capability, the personal information collected by DFAT (and specifically the passport photo) will be subject to different uses by DFAT and other agencies. That is, with the introduction of biometric systems, DFAT has an additional purpose for collecting individuals’ passport photos beyond those that previously applied.

5.1.3 Information Privacy Principle 2 states that:

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

(c) the purpose for which the information is being collected;

(d) if the collection of the information is authorised or required by or under law - the fact that the collection of the information is so authorised or required; and

(e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

5.1.4 DFAT has recently amended its passport application forms to reflect changes in passports legislation. Notably, the application form previously used (for example Form PC1_503) included the following notice:

I hereby authorise: …

• the use of my photograph for biometric purposes (biometrics are a mathematical description of a person’s physical characteristics that enable enhanced automated methods of identity verification).

5.1.5 The new application forms (for example, Form PC1_0705) do not include any such notice and make no specific reference to the introduction of biometric technology into DFAT’s passport processing functions. The notice included does refer to a privacy pamphlet produced by DFAT. However, the privacy pamphlet also does not refer specifically to the use of personal information by DFAT for biometric purposes.

5.1.6 DFAT has advised, however, that it intends to produce a specific biometrics pamphlet which will explain the changes to the Australian passport and the passport application process with the introduction of biometric technology. DFAT advises that this pamphlet will be made available with all passport applications forms.


Risk

5.1.7 There is a risk that DFAT may breach IPP 2 if biometric matching processes are implemented without sufficient notice being provided to passport applicants about the additional purpose for which DFAT is collecting their passport photographs (that is for the purpose of authenticating the applicant’s identity using biometric technology). This risk is, in part, heightened by the fact that there is no obvious change in the passport application process that would alert an applicant to the fact that DFAT’s procedures and passport document specifications may have changed.

5.1.8 The auditors acknowledge that in producing a biometrics pamphlet DFAT is taking steps to notify individuals of the changes to the use of their personal information as well as the changes to the passport document itself and the implications of this for passport use at the border in Australia and overseas. Nevertheless, the auditors consider that the inclusion of a brief notice in passport application forms in conjunction with the production of a pamphlet providing more detailed information would reflect better privacy practice in this case as the passport application form remains the only essential document required for the application process.

Recommendation 1

5.1.9 The auditors recommend that DFAT take steps, in accordance with IPP 2, to ensure that individuals are appropriately advised of the additional biometric purposes for which passport photographs are being collected by DFAT. It is recommended that, if possible, DFAT include a brief notice to this effect in all relevant passport application forms to complement the biometrics pamphlet to be produced. If it is not practicable to amend the application form before the implementation of the ePassport, the auditors recommend that DFAT take additional steps to ensure that passport applicants are made aware of the availability of information regarding the introduction of biometric technology into Australian passports and passport processes.

DFAT’s Response

5.1.10 The exclusion in the new passport application forms (for example Form PC1_0705) of the biometrics authorisation by the applicant to the use of his or her photograph for biometric purposes was a conscious exclusion. The ePassport information brochure that will accompany all new passport applications will elaborate on the biometric principles of the new ePassport scheduled for introduction in October 2005. The information which will be contained within that brochure replaces that authorisation. DFAT will seriously consider the re-introduction of the written authorisation within the next run of application forms, so as to augment the ePassport Information brochure and ensure that best privacy practice is adopted. In anticipation and in support of that pending inclusion, DFAT has plans to produce a video to be aired in all Passport Offices in Australia to inform applicants that their biometric data will be included on the contactless chip located in the centre page of the ePassport booklet.

Auditors’ Comments


5.1.11 The auditors appreciate the steps being taken by DFAT to notify individuals of the additional features of the ePassport and the commitment made to consider the re-introduction of some type of notice regarding the collection and use of biometrics in the application form. The auditors may revisit this issue in future audits.

5.2 Security of information held on the chip

5.2.1 The contactless chip technology used in the DFAT prototype ePassport allows the chip to be read without direct contact with the chip reader and, importantly, with the passport booklet closed. Concerns have been raised as to whether data on the chip could therefore be covertly collected by means of ‘skimming’ (reading the chip without the presentation or opening of the passport booklet) or ‘eavesdropping’ (covert collection of information at the point at which it is transmitted from the chip to the chip reader)3. The risk of eavesdropping is somewhat ameliorated by the surveillance environment in which border transactions occur, though it is not clear, particularly as border control processes become more automated, that this will ultimately prevent covert collection of passport data in this manner.

5.2.2 DFAT also advised that it does not consider that current technology would allow for the practical application of skimming as a covert means of collecting passport information; and indeed the auditors observed that the prototype ePassport developed by DFAT could only be read by the readers trialled by DFAT when the closed passport was placed directly on the reader panel. Nevertheless, the level of future risk presented by skimming remains unclear given that skimming appears to be technically possible (though currently impractical). Considering the likelihood of rapid and significant developments in such technology and the ten year life of the standard Australian passport, the auditors consider that it is advisable for DFAT to take a conservative approach to data security in this regard to ensure that the security controls protecting the information on the chip will not prove insufficient in the future.

5.2.3 Whilst it appears that the prototype ePassport may comply with the minimum standard for data security and integrity required by ICAO, ICAO has also referred to additional, optional security controls that can be applied without compromising interoperability4. In particular, ICAO suggests that national governments could introduce Basic Access Control to ePassport chips as a means of ameliorating the risk of skimming and eavesdropping.

5.2.4 Importantly, since the audit was conducted, DFAT has advised that it intends to increase the data security controls built into the chip technology, introducing Basic Access Control security. By introducing Basic Access Control, the ePassport will no longer be able to be read unless the chip reader has first derived an access code from the machine readable zone on the bio-data page of the passport. This means that the passport will need to be open, with the machine readable zone visible to the reader in order for it to be read (which is more consistent with the process by which current (chip-less) passports can be read).
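The following is an added example, not code from the audit report or from DFAT’s or Customs’ systems, showing what “deriving an access code from the machine readable zone” means in practice. It follows the key derivation published in ICAO Doc 9303 for Basic Access Control: the document number, date of birth and date of expiry (each with its check digit) are concatenated, hashed with SHA-1 to give a 16-byte seed, and two 3DES keys (K_ENC and K_MAC) are derived from that seed for the mutual authentication with the chip and the secure channel that follows. The document number, dates and resulting keys are the worked example values published by ICAO; the nationality (“AUS”), sex and filler optional-data field in the constructed lower MRZ line are made up for the example. The code validates every check digit first, so that an OCR error on the printed page is caught before any attempt to talk to the chip. One caveat worth keeping in mind when reading 5.2.4: because the keys are derived solely from fields printed on the data page, BAC protects a closed booklet from an unrelated reader, but anyone who has already seen those fields can derive the same keys, and their strength is bounded by how predictable the fields are.

```python
import hashlib

# ICAO 9303 check-digit alphabet: digits are themselves, A-Z map to 10-35, '<' filler is 0.
def _char_value(ch: str) -> int:
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum (weights 7, 3, 1 repeating) modulo 10, as specified in ICAO Doc 9303."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def parse_td3_lower_line(line: str) -> dict:
    """Split the 44-character lower MRZ line of a passport (TD3 format) into its fields
    and verify every check digit, so an OCR error is rejected before any chip access."""
    if len(line) != 44:
        raise ValueError("TD3 lower line must be 44 characters")
    fields = {
        "document_number": line[0:9],
        "nationality": line[10:13],
        "birth_date": line[13:19],
        "sex": line[20],
        "expiry_date": line[21:27],
        "optional_data": line[28:42],
    }
    for name, cd_pos in (("document_number", 9), ("birth_date", 19),
                         ("expiry_date", 27), ("optional_data", 42)):
        if check_digit(fields[name]) != int(line[cd_pos]):
            raise ValueError(f"check digit mismatch in {name}")
    # Composite check digit covers document number, birth date, expiry and optional data,
    # each including its own check digit.
    composite = line[0:10] + line[13:20] + line[21:43]
    if check_digit(composite) != int(line[43]):
        raise ValueError("composite check digit mismatch")
    return fields


def lower_line_is_valid(line: str) -> bool:
    try:
        parse_td3_lower_line(line)
        return True
    except ValueError:
        return False


def mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """The string BAC hashes: the three fields, each followed by its check digit."""
    return "".join(f"{f}{check_digit(f)}" for f in (document_number, birth_date, expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """DES keys carry odd parity in the low bit of every byte; flip that bit where needed."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def derive_bac_keys(document_number: str, birth_date: str, expiry_date: str) -> dict:
    """K_seed = SHA-1(MRZ_information)[:16]. K_ENC and K_MAC come from the ICAO 9303 KDF:
    SHA-1(K_seed || 32-bit counter), counter 1 for ENC and 2 for MAC, first 16 bytes
    parity-adjusted to form a two-key 3DES key."""
    info = mrz_information(document_number, birth_date, expiry_date).encode("ascii")
    kseed = hashlib.sha1(info).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])

    return {"kseed": kseed, "kenc": kdf(1), "kmac": kdf(2)}


def bac_keys_from_lower_line(line: str) -> dict:
    f = parse_td3_lower_line(line)
    return derive_bac_keys(f["document_number"], f["birth_date"], f["expiry_date"])


# Constructed lower MRZ line. Document number, birth date and expiry (and hence the derived
# keys) are the ICAO Doc 9303 worked example; nationality, sex and the all-filler optional
# data field are made up, and the check digits follow from the fields.
SAMPLE_LOWER_LINE = "L898902C<3AUS6908061F9406236" + "<" * 14 + "02"

if __name__ == "__main__":
    for name, value in bac_keys_from_lower_line(SAMPLE_LOWER_LINE).items():
        print(f"{name}: {value.hex()}")
```

A reader that cannot see the data page cannot form MRZ_information and so cannot complete the chip’s mutual authentication, which is the property the audit relies on in 5.2.4.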

3 See for example: ICAO (2004) Technical Report: PKI for Machine Readable Travel Documents offering ICC Read-Only Access Version 1.1, paragraph 2.4 [available at: http://www.icao.int/mrtd/download/technical.cfm]

4 As above (see also paragraph 2.6 and Annex G3)


Risk

5.2.5 It is unclear that the data security controls included in the prototype ePassport satisfactorily protect against the possibility that the data could be read from the chip without the consent or knowledge of the passport holder. Failure to take specific steps to protect the data held on the chip issued by DFAT in Australian ePassports from the future possibility of data skimming or eavesdropping could put DFAT at risk of breaching IPP 4 in the Act.

Recommendation 2

5.2.6 The auditors recommend that DFAT consider implementing the highest level of passport chip security suggested by ICAO, to ensure that a best practice approach to data security is maintained. The auditors recommend that DFAT adopt Basic Access Control as a minimum standard to protect the information held on the ePassport chip from the possibility of data skimming and eavesdropping.

DFAT’s Response

5.2.7 Basic Access Control (BAC) is being fully implemented and all chips that will be used in the full implementation phase of the ePassport project will be BAC-enabled to eliminate the risk of skimming.

Auditors’ Comments

5.2.8 The auditors understand that since the audit field work was conducted, DFAT has committed to the adoption of Basic Access Control to provide further protection of the data held on the ePassport chip.

Findings and recommendations in respect of Customs’ SmartGate facial recognition trial

5.3 Managing biometric templates as personal information

5.3.1 Customs advises that it contracted DSTO to conduct a technical assessment of the SmartGate trial and as such provided DSTO with information sourced from the log of SmartGate to allow it to perform this function. Customs advises that it withheld the identifying details of the test subjects including name, date of birth and the original biometric (i.e. the photograph) for privacy reasons. However, Customs advises that DSTO was provided with the biometric templates generated from the passport photo and live capture photo for each SmartGate transaction.

5.3.2 It is unclear in this case whether biometric templates alone could be considered personal information under the Act. Personal information is defined in section 6 of the Act to mean:

information or an opinion… about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.


5.3.3 There is conflicting information available as to whether a biometric (in this case a facial image) can be reconstructed from a biometric template5. If such a reconstruction could occur, the biometric template itself could be considered personal information under the Act. Further, a biometric template could also be considered personal information if the template can reasonably be matched with another template for which there is an associated source identifying biometric.
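The second route to re-identification described in 5.3.3 (matching a template against another template that has an identity attached) does not depend on reconstructing a face at all. The following added example, which is not part of the audit or of DSTO’s assessment, illustrates it with constructed data: a “de-identified” log of transaction identifiers and live-capture templates, with names stripped as Customs did for DSTO, is linked back to names by a 1:N match against a gallery of identified templates. Templates are stood in for by random 128-bit strings compared by Hamming distance, with a second capture of the same person simulated by flipping a few bits; real facial templates and matchers differ, but the linkage logic is the same. The names, gallery and threshold are all constructed for the example.

```python
import random

TEMPLATE_BITS = 128


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two binary templates (the match score here)."""
    return bin(a ^ b).count("1")


def make_gallery(names, rng: random.Random) -> dict:
    """Constructed identified templates: one random template per named enrolee, standing
    in for templates derived from passport photos that are held with the holder's name."""
    return {name: rng.getrandbits(TEMPLATE_BITS) for name in names}


def noisy_copy(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a second capture of the same face by flipping `flips` distinct bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def reidentify(probe: int, gallery: dict, threshold: int):
    """1:N match: the closest enrolee if within threshold, otherwise None."""
    name, tmpl = min(gallery.items(), key=lambda kv: hamming(probe, kv[1]))
    d = hamming(probe, tmpl)
    return (name, d) if d <= threshold else None


def linkage_attack(deidentified_log: dict, gallery: dict, threshold: int = 32) -> dict:
    """Map each 'transaction id -> template' record back to a name using the gallery."""
    return {txid: reidentify(t, gallery, threshold) for txid, t in deidentified_log.items()}


def demo():
    """Build the constructed gallery and log, run the linkage, and return
    (linked records, ground truth, gallery) so the outcome can be inspected."""
    rng = random.Random(2005)
    names = [f"traveller-{i:02d}" for i in range(20)]
    gallery = make_gallery(names, rng)
    # Constructed de-identified log: transaction ids and live-capture templates only.
    truth, log = {}, {}
    for txid, name in enumerate(rng.sample(names, 8), start=1000):
        log[txid] = noisy_copy(gallery[name], flips=6, rng=rng)
        truth[txid] = name
    return linkage_attack(log, gallery), truth, gallery


if __name__ == "__main__":
    linked, truth, _ = demo()
    for txid, hit in linked.items():
        print(txid, "->", hit, "(correct)" if hit and hit[0] == truth[txid] else "")
```

With random 128-bit templates, impostor distances cluster around 64 while a genuine re-capture is only a few bits away, so every logged transaction is re-attached to a name even though no name, date of birth or photograph left Customs. That is why Recommendation 3 treats the template itself as personal information unless it genuinely cannot be matched to an identified record.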

Risk

5.3.4 The auditors acknowledge that the provision of biometric templates to DSTO poses a significantly lesser privacy risk than the provision of the original biometric and/or other identifying information. However, there is a risk that Customs may handle personal information in a manner that is inconsistent with the Privacy Act if biometric templates are managed as de-identified or non-personal information.

Recommendation 3

5.3.5 The auditors recommend that Customs treat biometric templates as personal information unless Customs can be assured that this information is de-identified and cannot be re-identified.

Customs’ Response

5.3.6 Customs accepts recommendation 3.

6 OBSERVATIONS

6.1 DFAT’s Retention and Storage of Hard Copy Passport Applications

6.1.1 Consideration of the physical security of hard copy passport applications is outside the scope of this audit, the focus of which is the introduction of biometric technology into border control processes as reflected in the ePassport and SmartGate trials. However, the physical security of hard copy passport applications is an essential component of general privacy compliance in respect of DFAT’s passport issuing functions and reflects on the integrity of the data management system as a whole. As such, the auditors wish to take this opportunity to report on observations made in respect of the current security controls in place at the Sydney Passport Office regarding hard copy passport applications.

6.1.2 At the Sydney Passport Office, the auditors observed that hard copies of passport applications are filed on site in a lockable storage room after the documents have been scanned and an electronic copy recorded. Whilst the application is still being reviewed staff will, on occasion, consult the original hard copy documents when the details on the electronic scanned version are unclear. As such, the stored passport applications are accessible to staff in the passport application processing area. However, if a passport application is taken from the storage area, no record is made of who has taken the application, the purpose for which it was taken or whether it has since been returned.

5 See for example the International Biometric Group’s 2002 White Paper, Generating Images from Templates [available at: http://www.biometricgroup.com/reports/public/reports/templates_images.html]; or Adler A, (2003) ‘Sample images can be independently restored from face recognition templates’, Proc. Canadian Conference on Electrical and Computer Engineering, Montreal, Canada, May 2003, 1163-1166 [available at: http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf].

6.1.3 The auditors were advised that the Sydney Passport Office has a policy of retaining hard copy passport applications for a period of three months following finalisation of the application, though in practice forms are sometimes retained for longer periods before destruction. The auditors observed that, as of 4 May 2005, the Sydney Passport Office held hard copies of passport applications dating from 3 August 2004.

Risk

6.1.4 The auditors appreciate that an objective of DFAT’s biometrics program is to reduce the risk of identity theft and fraud in the Australian community. If such an outcome is to be achieved, it is essential that a consistently high standard of personal information security is implemented across all aspects of DFAT’s passport processes, including the physical security of hard copy applications. There is a risk that by retaining hard copies of passport applications unnecessarily and by failing to monitor staff access to this information, DFAT may undermine the higher security controls implemented elsewhere in its passport processing system and may risk breaching IPP 4 in the Privacy Act.

Recommendation 4

6.1.5 The auditors recommend that DFAT review the physical security of hard copy passport applications held at Australian Passport Offices to ensure that adequate safeguards are in place to protect the security of this information. Such safeguards may include: ensuring that hard copy passport applications are retained for the minimum period necessary; further limiting access to passport application storage areas; and implementing a system to track the movement of hard copy passport applications that are removed from the storage area for use by passport office staff.

DFAT’s Response

6.1.6 The retention of hard copy passport applications is determined under Section 24 of the Archives Act 1983 by the Departmental Agency Functions Disposal Authority (DAFDA) January 2004. Entry 7200 within the Function Passport Services and the Activity Travel Document Processing specifically states that ‘hard copies of approved applications (including amendments) for the issue of travel documents that have been scanned’ have a disposal action of ‘destroy 60 days after scanning completed’.

6.1.7 As detailed in the Introduction to the DAFDA: the authority may include specific requirements to destroy records, but generally retention requirements indicate a minimum period for retention. The agency may extend that minimum retention period if it considers that there is an administrative need to do so.


6.1.8 The retention of hard copy passport applications by individual passport offices is an administrative decision and hinges on the realities that passport officers encounter concerning the retrieval of hard copy information in support of scanned images. Measures to ensure the safe custody of passport applications and secure destruction of those applications in accordance with the National Archives of Australia (NAA) approved minimum destruction guidelines will be investigated and a strategy to track access to those hard copy applications during this retrieval period will be implemented.

Attachment A

DEPARTMENT OF FOREIGN AFFAIRS AND TRADE PRIVACY IMPACT ASSESSMENT: BIOMETRICS AND ePASSPORTS

Part 1 – Overview of the ePassport project

1. The Department of Foreign Affairs and Trade’s (DFAT) use of facial biometric technology in the Australian passports system and the introduction of ePassports is fundamentally about protecting the identities of Australians while meeting the needs of Australian travellers. It is as much about protecting the privacy of passport holders as it is about improving the security of Australia’s passport-issuing processes.

2. Facial biometric technology compares the unique facial features of each applicant for a passport (or other travel document) to ensure: (a) the applicant is the same person who was issued with a previous passport with the same identity; (b) the applicant was not issued a passport for a separate and undisclosed identity; and (c) once issued, the holder remains the person to whom the passport was issued. In the proposed system, the information necessary for the creation of a person’s biometric profile is obtained from the photograph of that person provided with an ordinary passport application. Therefore, applicants will provide no more personal information than under the current system.

3. The “SmartGate” system operated by the Australian Customs Service at the Australian border will be able to match the information contained in the chip to the facial features and structure of the passport holder. In essence, this means that the only difference in the new system in the way personal information will be accessed is that the passport holder will be matched to an image of themselves by a machine rather than a person.

4. All information collected by DFAT in the performance of its passport functions will continue to be managed within DFAT under the Passport Issue and Control System. Information technology security for passport information is provided under DFAT’s Information Management Strategy. This brings passport information within the system used to protect the Secure Australian Telecommunications and Information Network.

5. The personal information set out on the data page of a passport, including the photograph, will be stored on a contactless microchip embedded in the passport. It is secured on the chip using Public Key Infrastructure. This technology is designed to verify the authenticity and integrity of the information stored on the chip. In this way border control authorities will be able to determine if the chip has been tampered with. Access to the information on the chip will be controlled through Basic Access Control.


6. The new Australian Passports Act 2005 (Australian Passports Act) provides the framework for facial biometric technology to be introduced into Australian passports (section 47). It regulates the use of technology for the purpose of confirming the validity of evidence of the identity of an applicant for an Australian travel document, or a person to whom an Australian travel document has been issued. The Australian Passports Act does not override the obligations on DFAT to comply with the Privacy Act 1988 (including Information Privacy Principles 1 and 4 in section 14) in respect of the collection, storage and security of information. In addition, the Criminal Code ‘cybercrime’ provisions apply to unauthorised access to the information (section 478.2).

7. DFAT has undertaken extensive consultation in developing the new passports legislation, including with privacy, human rights and consumer advocates, the Privacy Commissioner, state governments and the travel, banking and technology industries. Key details of the legislation directly reflect their input. The legislation was thoroughly considered and debated by Parliament, and was passed with bipartisan support. Application forms for all travel documents set out, in considerable detail, the purpose for collecting the personal information, the agencies to which the information may be disclosed and the purpose for such disclosure. The comprehensive public information program to accompany the commencement of the Australian Passports Act includes privacy issues as a key theme.

Part 2 – Collection of information

What information will be collected, and how?

8. In the proposed system, DFAT will only collect the information necessary to verify the identity and entitlement (including citizenship) of applicants for Australian travel documents. The information necessary for the creation of a person’s biometric profile will be obtained from the photograph of that person provided with an ordinary application. Therefore, applicants will provide no more personal information than under the current system.

9. Applicants for an Australian travel document must undertake an interview. These interviews are conducted by a DFAT officer, a member of staff at an Australian diplomatic mission or consulate, or an Australia Post officer. This interview is to confirm the applicant’s identity and entitlement (including citizenship). The interviewer will confirm the physical identity of the applicant, and confirm that they have correctly completed an application form and provided all necessary information and supporting documentation. Applications which are not preceded by an interview will only be accepted where the applicant is outside Australia and the local postal service is assessed as secure in accordance with DFAT’s usual administrative practices, or the document is being sought in extraordinary circumstances.

10. The information required is set out in the application forms, which must be approved by the Minister. The information and supporting documentation currently accepted as evidence of identity and entitlement are:


• documents establishing citizenship such as a birth or citizenship certificate;
• documents which provide evidence of identity:
  − photograph,
  − guarantor statement,
  − combinations of:
    : driving licence or birth card,
    : Commonwealth benefits cards or Australian financial institution card, and
    : other documents showing address,
  − name change documents (such as marriage or divorce certificate),
  − mother’s maiden name, and
  − signature;
• contact and address details; and
• for child applicants, parents’ details and any relevant court orders.

11. In addition, the Minister (or a delegate of the Minister) may request an applicant to provide further information which the delegate considers is necessary to establish the applicant’s identity and entitlement (including citizenship).

Purpose of collection

12. Approximately 1 million passports are issued annually and around 40 per cent of Australians have a current passport. The Australian passport is acknowledged as a world class identity document. The integrity of information collected from applicants is central to this reputation. Collection of this information is central to DFAT’s function of issuing and administering Australian passports, and ensuring that they can be used as evidence of identity and citizenship by Australians travelling internationally.

Legislative basis for collection

13. The new passports legislation is designed to ensure that Australians can continue to rely on a travel document of the highest integrity which clearly establishes their identity and entitlement (including citizenship). Accordingly, it is important that detailed measures for the protection of the privacy of that information are integrated into the implementation of the Australian Passports Act.

14. The Australian Passports Act sets out powers for the Minister (or a delegate of the Minister) in relation to the collection of personal information for the purpose of issuing, and administration of, Australian passports. The Minister must be satisfied of a person’s citizenship and identity before issuing them an Australian passport (section 8). In this regard, the Minister may request information about an applicant for, or holder of, an Australian passport (section 42). The Australian Passport Determination 2005 (Australian Passports Determination) specifies what information may be requested to establish a person’s identity and entitlement (including citizenship) (section 7.2). For travel-related documents, the Minister must be satisfied of a person’s identity and citizenship before issuing them such a document (section 10 and Australian Passports Determination, subsection 6.5(4), respectively).

15. In addition, the Australian Passports Act does not prevent the Minister (or a delegate of the Minister) from requesting information not specified in a determination for the purposes of performing his or her function under the Act (subsection 43(2)).

16. These provisions have been designed to comply with the information collection provisions of the Privacy Act 1988, in particular the Information Privacy Principles (IPP) set out in section 14 of that Act. IPP 1 authorises DFAT to collect such personal information as is necessary for, or directly related to, the purpose of issuing Australian passports.

How often will information be collected?

17. Information will be collected at intervals to be determined by the validity of each passport. An ordinary adult ePassport will be valid for 10 years. This period is well within accepted parameters for reliability of facial biometric technology. Other categories of travel document are valid for shorter periods. These validity periods will ensure that photographic and other information provided by applicants remains accurate and up-to-date.

How is the collection of information privacy-enhancing?

18. Collection of personal information at these intervals ensures that information in the passport remains accurate. This is fundamentally privacy-enhancing, as it will enable DFAT to assess that an applicant is the same person who was issued with a previous travel document with the same identity, and that an applicant was not issued a travel document for a separate and unrelated identity. Once the information is recorded in the data page and embedded in the chip, it will also enable border control authorities to assess that the holder is the person to whom the passport was issued.

Assistance for people with disabilities/poor English skills

19. Summaries of the notes on completing the application forms in a range of commonly used languages are available at Australian diplomatic missions and consulates overseas. DFAT is considering making these summaries available in Australia as well.

20. The Australian Passport Information Service, a telephone service, is able to provide comprehensive assistance to applicants with disabilities who might be experiencing difficulty completing their application.

Alternative means of collection


21. The proposed method of collection of information for the purpose of applications for ePassports will not differ from that which has been in place since 1989 (Passports Regulations 1939, subregulation 5(2)). Subregulation 5(2) requires that an application for an Australian travel document must be in accordance with a form approved by the Minister. This system has worked efficiently and effectively. The Australian Passports Act retains this obligation (subsection 7(1)).

Part 3 – Use of information

Uses to which biometric information will be put

22. The information necessary for the creation of a person’s biometric profile will be obtained from the photograph of that person submitted with an ordinary passport application. The photograph is digitised, and used to ensure:

(a) the applicant is the same person who was issued with a previous passport with the same identity (if any);
(b) the applicant was not issued a passport for a separate and undisclosed identity; and
(c) once the passport is issued, the holder remains the person to whom the passport was issued.

23. This use of biometric information will ensure that the Australian passport continues to be acknowledged as a world class identity document, and that Australians can continue to rely on a travel document of the highest integrity which clearly establishes their identity and entitlement (including citizenship).

Uses to which other information provided with an application will be put

24. As outlined in Part 2 of this document, all personal information collected during the application process is to be used to establish the identity and entitlement (including citizenship) of the applicant prior to a passport being issued. Once the passport has been issued, the personal information is to be retained in DFAT’s Passports Issue and Control System as an essential safeguard against passport fraud.

25. Under the Australian Passports Act, the Minister may request certain persons to provide personal information for the purposes of performing functions under the Act (section 42). This information may be requested from the applicant, a person mentioned in the application, a relevant competent authority or a person specified in a Minister’s determination. In practice, the section is intended to continue DFAT’s ability to match information provided by applicants with information held by other agencies in order to be satisfied with an applicant’s identity.

26. For example, the department currently verifies information provided by applicants with the NSW Births, Deaths and Marriages Registrar and the Australian Electoral Commission. These exchanges operate under written arrangements in a manner consistent with the Privacy Act 1988. Both arrangements operate electronically.


27. In addition, the Minister (or a delegate of the Minister) may request a competent authority to confirm that information relating to its request for the Minister to refuse to issue a travel document is still current. For example, advice that a person is subject to an arrest warrant may be provided by a police officer months or years before the person applies for a passport (in accordance with subsection 12(1)(a) of the Australian Passports Act). DFAT will seek confirmation that this advice is still accurate in accordance with its administrative procedures (section 19 of the Australian Passports Act).

Expected future uses

28. DFAT does not anticipate that in the future, passport information will be put to different or additional uses to those which occur now. The Government has a strategy to detect and prevent the use of lost, stolen or otherwise invalid passports outlined below. The number of organisations which may be provided with information as part of this strategy will increase.

29. The Australian Passports Act has been constructed to provide a framework for the Minister to bring to the Parliament major new uses of technology for a thorough consideration of all policy and practical implications. The Act does this by providing for the Minister to set out methods (including technologies) that are to be used for the purpose of confirming the identity of an applicant for an Australian passport or a passport holder in a determination (section 47). This determination is subject to Parliamentary scrutiny as a disallowable instrument.

Secondary use and data linkage

30. In December 2004, the Minister for Foreign Affairs and the Minister for Immigration and Multicultural and Indigenous Affairs agreed to develop a strategy to detect and prevent the use of lost, stolen or otherwise invalid passports. As part of this strategy, DFAT is establishing data sharing arrangements with countries with which Australia shares a high volume of travellers, including through Interpol. The strategy is designed to combat terrorism and other transnational crime by allowing Australia to better detect the use of, and seize, invalid Australian and foreign travel documents.

31. Australia and New Zealand entered into a passport information sharing arrangement on 17 December 2004. This has recently been upgraded to provide for mutual electronic access to each country’s passport information. Australia entered into a similar arrangement with the United States on 7 March 2005. A data exchange arrangement with the Australian Federal Police, as Australia’s National Central Bureau in Interpol, was entered into on 27 May 2005.

32. These arrangements draw from a model “Memorandum of Understanding for the sharing of passport information” produced by DFAT, whose terms are consistent with the strategy agreed between Ministers in December 2004. It is designed to ensure consistent application of access procedures to Australian passport data.

Secondary use of passport information

33. The data sharing arrangements listed above contain provisions limiting the secondary use of Australian passport information. They provide that airlines may be provided passport information in order to verify, if necessary, the validity of Australian passports held by their passengers. However, this information will be limited to the information printed on the data page of the passport. The arrangements establish clear notification and oversight procedures to accompany such a transfer of information.

Part 4 – Disclosure of information

34. The Australian Passports Act contains detailed provisions regulating the purposes for which the Minister (or a delegate of the Minister) may disclose passport information and the persons or organisations to whom he or she may disclose it. Lost or stolen passports can provide criminals with the potential to assume another identity, to carry out criminal activity in another name, and to travel illegally.

Disclosure of information relating to lost, stolen or otherwise invalid travel documents

35. Section 45 allows the Minister to disclose specified information for the purpose of informing specified persons that an Australian travel document is lost, stolen or otherwise invalid. Minimising the problems caused by lost, stolen or suspicious passports is a key policy objective for the revision of the Australian passports legislation.

36. The information and recipients are set out in the Australian Passports Determination. The information disclosed is the minimum necessary to achieve this purpose, taking into account operational needs and possible technology constraints. The recipients will include Commonwealth and State law enforcement authorities and courts, road traffic authorities, registrars of births, deaths and marriages and the Secretary of the Department of Defence. Internationally, this information will be available to foreign and international immigration and law enforcement agencies with whom DFAT has signed arrangements for the exchange or provision of passport information, in line with the strategy to detect and prevent the use of lost, stolen or otherwise invalid passports described in Part 3. These arrangements are designed to ensure that the recipient will effectively uphold the principles for fair handling of the information in a manner substantially similar to the Privacy Act 1988.

Disclosure of information for particular purposes

37. Section 46 sets out limited purposes for which it is reasonable to disclose passport information. The Minister may disclose specified personal information to specified persons for any of the following purposes:


a. confirming or verifying information relating to an applicant for an Australian travel document or a person to whom an Australian travel document has been issued;
b. facilitating or otherwise assisting the international travel of a person to whom an Australian travel document has been issued;
c. law enforcement;
d. the operation of family law and related matters; or
e. the purposes of a law of the Commonwealth specified in a Minister’s determination.

38. The Australian Passports Determination sets out information which may be disclosed, and recipients of that information, in respect of disclosures for certain purposes listed in section 46.

39. Under subsection 46(a), the Minister may disclose information for the purpose of confirming or verifying information relating to an applicant for an Australian travel document or a person to whom an Australian travel document has been issued to the same recipients as those to whom information regarding lost, stolen or otherwise invalid passports may be disclosed. Arrangements are in place (or are planned) to do so to Registrars of Births, Deaths and Marriages; Road Traffic Authorities; Police in Australian States and Territories; the Department of Defence; the Australian Federal Police; and Australian courts.

40. Under subsection 46(b), the Minister may disclose information for the purpose of traveller facilitation. Arrangements are in place to do so to the Secretary of the Department of Immigration and Multicultural and Indigenous Affairs, the Secretary of the New Zealand Department administering the Immigration Act 1987 (NZ), and the Chief Executive Officer of the Australian Customs Service. Details of arrangements with New Zealand are set out in Part 3.

41. Examples of traveller assistance and facilitation are consular assistance and passenger processing arrangements. A determination in relation to consular assistance arrangements will be based on the Public Interest Determination No 7, 21 October 1997, issued by the Federal Privacy Commissioner to the department under the provisions of the Privacy Act 1988. Traveller facilitation arrangements make immigration processing faster and smoother for travellers and more effectively assure passenger safety and border security. A current example is DIMIA’s use of passport information for the Advance Passenger Processing System, under the Migration Act 1958.

42. Under section 46(c) the Minister may disclose information for the purpose of law enforcement. Arrangements are in place (or are planned) to do so to any person who has responsibility for, or powers, functions or duties in relation to, law enforcement under a law of the Commonwealth or a State or Territory.


General conditions on disclosure

43. In all instances the information disclosed is the minimum necessary to achieve the particular purpose, taking into account operational needs and possible technology constraints.

44. It is intended that the disclosure of this information will be subject to memoranda of understanding (or similar arrangements) to ensure that the recipient will effectively uphold the principles for fair handling of the information in a manner substantively similar to the Privacy Act 1988.

45. Information disclosed under section 46 must be handled in accordance with section 14 of the Privacy Act 1988, which contains the Information Privacy Principles (IPP). IPP 4 requires the holder of personal information to protect it against unauthorised access or other misuse. IPP 11 prohibits disclosure of personal information, except in certain listed circumstances. Personal information collected under the Australian Passports Act will be disclosed under paragraph 11.1(d), which permits disclosure if required or authorised by law.

46. IPP 11.3 further prohibits the recipient from using or disclosing the information for a purpose other than the purpose for which it was given the information. This requirement is reflected in the Australian Passports Determination, which provides for confirmation or verification of information relating to a travel document (subsection 7.5(1)). The standard situation when an organisation may request this information is when the passport is presented as identification for another service. The organisations which may currently request this information are also set out in the Determination (Schedule 3 Part 2). Each organisation will be required to agree to a memorandum of understanding (or similar arrangement) which satisfies the statutory requirements set out above.

Consent to disclosure

47. The disclosure provisions in the Australian Passports Act address the limitation under general privacy law which requires specific consent for a disclosure that was not for the purpose for which the information was collected. Consent is a difficult issue in relation to passport information. Any consent is largely illusory because the Minister could retain the discretion not to issue a passport in the absence of consent, if it would interfere with the reasonable operations of the passport system. Secondly, obtaining specific consent in relation to disclosure of information collected from 1 million applicants each year over the 10 year period between applications is impractical. The disclosures permitted under the Act, in particular section 46, are necessary to efficiently verify information provided by applicants. This verification is central to DFAT’s principal function under the Act, namely to issue passports establishing the identity and citizenship of Australians and ensure the integrity of these passports.


48. In recognition of these constraints, the procedures for disclosure of passport information are addressed in the Australian Passports Determination (which must be approved by Parliament), which sets out the exact information which is to be disclosed and details of the recipient.

Part 5 – Access to and correction of information

49. Personal information shown on the data page of a travel document cannot be amended. A person who requires an alteration must complete a full application form and apply for a new passport. The person must provide all necessary information and supporting documentation.

50. DFAT relies on applicants to provide it with accurate personal information, in order that the Australian passport continues to serve as a world class identity document. To ensure this occurs, applicants are required to provide originals of the documents that they wish to use as evidence of their identity and entitlement (including citizenship). If information provided by a holder of a travel document becomes incorrect, for example because of a change of name, he or she can only correct it by applying for a new travel document, and presenting an original document proving that the change has occurred.

51. The Australian Passports Determination sets out circumstances in which an applicant for a replacement passport who has changed his or her name due to marriage, divorce or the death of his or her spouse is eligible for a waiver of the application fee (section 8.2).

52. If the fault in the information stored on the chip, or elsewhere on the data page of the travel document, is the result of an error by DFAT, the holder will be provided with a replacement travel document and the fee will be waived.

53. DFAT will put in place arrangements for holders of travel documents to access the information held on the chip in accordance with obligations under the Privacy Act 1988 (IPP 6).

Part 6 – Security of information

Framework

54. All information collected by DFAT in the performance of its passport functions will continue to be managed within DFAT under the Passport Issue and Control System. Information technology security for passport information is provided under DFAT’s Information Management Strategy. This brings passport information within the system used to protect the Secure Australian Telecommunications and Information Network.

55. Information set out on the data page of a passport, including the photograph, will be stored on a contactless chip (or Integrated Circuit Chip (IC)) embedded in the passport. It will be secured on the chip using Public Key Infrastructure (PKI). The PKI application under development is designed to comply with the requirements specified in the ICAO “Technical Report: PKI for Machine Readable Travel Documents offering ICC Read Only access – version 1.1, 1 October 2004” (ICAO PKI TR). It will place Australia at the forefront of the development of privacy-enhancing PKI technology for international travel.

56. PKI technology incorporates Public Key encryption techniques which verify the authenticity and integrity of the information stored on the chip, thus protecting it against loss, unauthorised access, modification or disclosure. The PKI application in Australian ePassports performs two distinct privacy-enhancing functions in relation to passport information: authenticity and integrity, and confidentiality.

Authenticity and integrity

57. Public Key encryption techniques require a user, in this case DFAT, to have two encryption keys - a Private Key and a Public Key. These keys are related to each other and are generated together. The Private Key is used to encode the data on the ePassport chip into digital signatures, and the corresponding Public Key is required to verify those digital signatures.

58. The Private Key will be highly protected and known only to certain authorised personnel within DFAT. In contrast, the Public Key needs to be distributed to all ICAO member country border controls, so that they can check the validity and integrity of passport documents by verifying the digital signatures stored in ePassports. In practice, the “SmartGate” system, operated by the Australian Customs Service, will use the Public Key to check passports at the border. ICAO member country border controls, including the Australian Customs Service, will obtain the Public Key from the ICAO Public Key Directory (as defined in the ICAO PKI TR, paragraphs 2.2.4 and 2.4).

59. Public Key encryption provides strong protection against modification or tampering. It will inherently provide an integrity check of the data on the chip, as modification of the data will result in a corrupt decrypted reading when the passport is next presented at the border. In this way border control authorities will be able to determine if the data on the chip has been tampered with.

Confidentiality

60. The other proposed privacy-enhancing feature is the use of a “Basic Access Control” application in the ePassport to protect information stored on the chip against unauthorised access through the use of remote eavesdropping reading devices (sometimes known as “skimming”). DFAT concurs with ICAO’s assessment that “skimming” is not a serious threat in the context of ePassports (ICAO PKI TR Annex G). However, DFAT is concerned about the perceived risk and has decided to mitigate it.

61. Basic Access Control in the ePassport would ensure that the chip could only be read when the bearer voluntarily offers his or her passport to be read. A chip that is protected by Basic Access Control denies access to its contents unless the inspection system can prove that it is authorised to access the chip. This proof is given in a challenge-response protocol, where the inspection system proves knowledge of the Document Basic Access Keys, which are derived from the Machine Readable Zone on the data page.

62. Basic Access Control requires that the MRZ in the ePassport be directly visible to the reader. In other words, the passport bearer must open the passport in order for the reader to access the information on the chip. Therefore the bearer must voluntarily offer his or her passport to be read. In this way, Basic Access Control will severely limit access to the information held on the ePassport chip.

Criminal conduct

63. In addition, causing unauthorised impairment of the security of electronic data stored in an ePassport by means of remote access is a criminal offence. The Criminal Code provides that it is an offence for a person to intentionally cause unauthorised impairment of the security of data held on a device to store data by electronic means, where that device is owned by the Commonwealth (Section 478.2). The maximum penalty is 2 years imprisonment. As this offence was not drafted with “skimming” in mind, the Department will consider criminalising the specific circumstances of this practice in a regulation under the Australian Passports Act 2005.

OFPC Guidelines

64. The proposed use of PKI in the ePassports project complies with all relevant Guidelines set out by the OFPC in “Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to communicate or transact with individuals”, published pursuant to the Privacy Act 1988 (subsection 27(1)(e)). The ePassport project will be introduced under the Australian Passports Act, which provides for the issue and administration of Australian passports to be used as evidence of identity and citizenship by Australian citizens who are travelling internationally (section 3).

65. While the Minister, through the department, is ‘transacting with individuals’ (passport applicants and bearers), the prime use of PKI is in internet transactions. Nevertheless, comparison of the ePassports PKI application with the OFPC Guidelines confirms its privacy-enhancing features.

66. In particular, DFAT’s role in the ePassport project incorporates an awareness and education program regarding the proposed use of biometric technology in ePassports (Guideline 2); DFAT will ask only for the minimum evidence of identity necessary to issue a passport (Guideline 4); DFAT does not create or use an aggregation of personal information gained from PKI transactions (Guideline 5); and no public key directory will be published as part of the ePassport project (Guideline 8) [PST to advise exact arrangements for access to the ICAO PKD, these are summarised under ICAO PKI TR at 2.2.3]. This document satisfies the requirements of Guideline 3 (undertaking a Privacy Impact Assessment).
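As an added illustration of the signing and verification described in paragraphs 57 to 59 above (example code written for this page, not code from the audit report or from the DFAT or Customs systems it describes), the following Go program models the issuer signing the chip contents with its private key and a border reader verifying them with the corresponding public key. It follows the ICAO passive authentication layout (a signed list of data-group hashes); the ECDSA P-256 key pair generated on the fly stands in for the real Document Signer key and the PKD lookup, and the data groups are constructed stand-ins.

```go
// Added example, not code from the audit report or from DFAT's or Customs' systems.
// It models the signing and verification of paragraphs 57-59 the way ICAO passive
// authentication does: the issuer signs a Security Object (a list of data-group
// hashes) with its private key; the border reader verifies it with the public key.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// SecurityObject is a simplified stand-in for the chip's Document Security Object.
type SecurityObject struct {
	DGHashes  map[int][32]byte // data group number -> SHA-256 of its contents
	Signature []byte           // ASN.1 ECDSA signature over sodDigest(DGHashes)
}

// sodDigest hashes the list in ascending data-group order, so the signature covers
// every data group in one fixed, canonical encoding.
func sodDigest(hashes map[int][32]byte) []byte {
	nums := make([]int, 0, len(hashes))
	for n := range hashes {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	h := sha256.New()
	for _, n := range nums {
		dg := hashes[n]
		h.Write([]byte{byte(n)})
		h.Write(dg[:])
	}
	return h.Sum(nil)
}

// Personalise is the issuer side: hash each data group and sign the list with
// the Document Signer private key, which stays with the issuer (paragraph 58).
func Personalise(priv *ecdsa.PrivateKey, dgs map[int][]byte) (SecurityObject, error) {
	sod := SecurityObject{DGHashes: make(map[int][32]byte, len(dgs))}
	for n, data := range dgs {
		sod.DGHashes[n] = sha256.Sum256(data)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sodDigest(sod.DGHashes))
	if err != nil {
		return SecurityObject{}, err
	}
	sod.Signature = sig
	return sod, nil
}

// Inspect is the border side (a SmartGate-style reader): verify the signature with the
// public key from the PKD, then compare each data group read from the chip with its
// signed hash. A modified or unsigned data group fails here (paragraph 59).
func Inspect(pub *ecdsa.PublicKey, sod SecurityObject, dgs map[int][]byte) error {
	if !ecdsa.VerifyASN1(pub, sodDigest(sod.DGHashes), sod.Signature) {
		return errors.New("security object signature does not verify")
	}
	for n, data := range dgs {
		want, ok := sod.DGHashes[n]
		if !ok {
			return fmt.Errorf("DG%d is not covered by the security object", n)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d hash mismatch: data group was modified", n)
		}
	}
	return nil
}

// Demo personalises a constructed chip, inspects it, then inspects a copy whose
// DG2 (the facial image) was replaced. Returns the genuine result and the tamper error.
func Demo() (genuineOK bool, tamperErr error, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // issuer key pair (paragraph 57)
	if err != nil {
		return false, nil, err
	}
	chip := map[int][]byte{
		1: []byte("P<AUSSAMPLE<<CITIZEN<<<<<<<<<<<<<<<<<<<<<<<<"),    // constructed DG1 (MRZ data)
		2: []byte("constructed bytes standing in for the JPEG face"), // constructed DG2
	}
	sod, err := Personalise(priv, chip)
	if err != nil {
		return false, nil, err
	}
	genuineOK = Inspect(&priv.PublicKey, sod, chip) == nil
	tampered := map[int][]byte{1: chip[1], 2: []byte("substituted face image")}
	return genuineOK, Inspect(&priv.PublicKey, sod, tampered), nil
}

func main() {
	ok, tErr, err := Demo()
	fmt.Println("genuine chip accepted:", ok, "| tampered copy:", tErr, "| error:", err)
}
```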
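The key derivation behind paragraphs 61 and 62 above, as an added example that is not from the audit report or from DFAT's implementation: it follows the Basic Access Control derivation in ICAO Doc 9303, in which the keys depend only on three fields printed in the MRZ, and the document number, date of birth and date of expiry used are constructed sample values.

```go
// Added example, not code from the audit report or from DFAT's or Customs' systems.
// It derives the Document Basic Access Keys of paragraphs 61-62 from the MRZ as
// ICAO Doc 9303 specifies: K_seed = SHA-1(MRZ_information)[0:16], then
// K_enc = SHA-1(K_seed||00000001)[0:16] and K_mac = SHA-1(K_seed||00000002)[0:16].
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// CheckDigit computes the ICAO 9303 check digit of s: weights 7, 3, 1 repeating;
// digits count as their value, letters A-Z as 10-35 and the filler '<' as 0.
func CheckDigit(s string) byte {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(s); i++ {
		c, v := s[i], 0
		switch {
		case c >= '0' && c <= '9':
			v = int(c - '0')
		case c >= 'A' && c <= 'Z':
			v = int(c-'A') + 10
		}
		sum += v * weights[i%3]
	}
	return byte('0' + sum%10)
}

// MRZInformation builds the 24-character string the keys are derived from: document
// number (padded with '<' to 9 characters), date of birth and date of expiry (YYMMDD),
// each followed by its check digit. Only the printed MRZ is needed, which is why the
// booklet has to be opened and presented to the reader (paragraph 62).
func MRZInformation(docNo, dob, expiry string) string {
	docNo = strings.ToUpper(docNo)
	if len(docNo) < 9 {
		docNo += strings.Repeat("<", 9-len(docNo))
	}
	return docNo + string(CheckDigit(docNo)) +
		dob + string(CheckDigit(dob)) +
		expiry + string(CheckDigit(expiry))
}

// adjustParity forces odd parity on every DES key byte, as 9303 requires.
func adjustParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		b &^= 1 // clear the parity bit, then set it if the remaining bits are even
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
	}
	return out
}

// BACKeys returns K_enc and K_mac, the two 3DES keys (two 8-byte halves each) that
// the inspection system must prove knowledge of in the challenge-response before
// the chip releases any data group.
func BACKeys(docNo, dob, expiry string) (kEnc, kMac []byte) {
	seed := sha1.Sum([]byte(MRZInformation(docNo, dob, expiry)))
	derive := func(counter byte) []byte {
		d := append(append([]byte{}, seed[:16]...), 0, 0, 0, counter) // K_seed || 32-bit counter
		h := sha1.Sum(d)
		return adjustParity(h[:16])
	}
	return derive(1), derive(2)
}

func main() {
	// Constructed sample MRZ fields (the same fields as the ICAO 9303 worked example).
	docNo, dob, expiry := "L898902C", "690806", "940623"
	kEnc, kMac := BACKeys(docNo, dob, expiry)
	fmt.Println("MRZ_information:", MRZInformation(docNo, dob, expiry))
	fmt.Println("K_enc:", hex.EncodeToString(kEnc))
	fmt.Println("K_mac:", hex.EncodeToString(kMac))
}
```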


67. In DFAT’s view, compliance with Guidelines 1, 6, 7 and 9 is not practical in the context of maintaining a secure passport-issuing system. These Guidelines cover agency/client choice on the use of PKI applications (Guideline 1); the choice by passport bearers of single or multiple certificates (Guideline 6) [PST advice please]; subscriber (passport holder) generation of keys (Guideline 7); and pseudonymity and anonymity (Guideline 9).

Collection and use of information by service providers

68. DFAT has contracted Australia Post at designated outlets to provide certain services in relation to passport applications. Australia Post employees and agents who are accredited under the contract make an initial assessment of applications that are submitted at these locations, and conduct passport interviews. In performing these functions, these Australia Post employees and agents come into contact with information provided by applicants. Under this contract, Australia Post is required to comply with the provisions of the Privacy Act 1988 (including the Information Privacy Principles) concerning the security, use and disclosure of information, to co-operate with any reasonable demands or enquiries made by the Privacy Commissioner, and to notify DFAT immediately of any breach of these requirements on its part. As a result, personal information provided by applicants is handled in accordance with the Information Privacy Principles whether they submit their application to DFAT directly, or via Australia Post.

69. Under a Memorandum of Understanding which commenced on 27 March 2000, Centrelink provides passport information call centre services for the Australian Passport Information Service (APIS). Centrelink employees or contractors, who are trained as operators for APIS under the Memorandum, are able to access individuals’ passport information in order to respond effectively to inquiries from members of the public. The Memorandum imposes the same privacy obligations as DFAT’s contract with Australia Post.

Destruction of information

70. Destruction of information (including biometrics) will be undertaken in accordance with the procedures set out in Records Disposal Authority – Department of Foreign Affairs and Trade – 2 December 2003, prepared for DFAT by the National Archives of Australia under the Archives Act 1983. Specifically, the scanned passport application, including the electronic image from which the biometric of the applicant was created, will be archived between 10 and 15 years after the issue of the travel document. Hard copies of approved travel document applications will be destroyed after 60 days if scanned, and after 10 to 15 years if not scanned. These proposed periods take account of the 10-year validity of the ordinary adult passport, and the desirability of obtaining a new photograph for passport applicants at 10-year maximum intervals to ensure that the information sought from applicants remains up-to-date. See Part 7 for further details on how information will be kept up-to-date.

Part 7 – Quality of information

How information will be kept up-to-date

71. Information will be collected at intervals to be determined by the validity of each travel document. An ordinary adult passport is valid for 10 years. Other categories are valid for shorter periods. These validity periods will ensure that photographic and other information provided by applicants remains accurate and up-to-date.

Consequences to individuals if information is not up-to-date

72. The negative consequences will be minimal for individuals in the event that the information stored on the chip becomes out-of-date during the validity of the ePassport.

73. The 10-year validity of the ordinary adult passport reflects accepted parameters for reliability of facial biometric technology. In cases where a damaged chip is not accepted by the electronic reader, the holder will be referred to manual processing (as currently occurs for all travellers) at minimal inconvenience. DFAT is developing standards to assist in rare cases where an individual’s appearance changes sufficiently during the validity of the passport for their digitised photograph to become inaccurate.

74. In addition, the manufacturer of chips for ePassports (Sharp Corporation) has warranted the chips for a 12-year period. The Australian Passports Determination provides that DFAT will waive the fee for replacing a passport which is faulty as a result of error by DFAT (subsection 8.2(e)). DFAT is developing measures and procedures to ensure that negative consequences for holders of faulty ePassports are minimal.

75. Australian Government policy is that an ePassport with a non-functioning chip would be considered as a valid travel document unless it was cancelled or otherwise invalid for other reasons.