A major upgrade introduced last month to the Lebanese passport has been praised by officials as a modernizing step that will bring Lebanon in line with international passport norms and enhance national security. The so-called ‘biometric’ passports, already in use in over 100 countries worldwide, contain an electronic chip on which biological data such as fingerprint scans are stored, making them more difficult to forge than the comparatively low-tech paper-only predecessor.
At the same time, given the general weakness and corruption entrenched in the Lebanese state, the politicization of its security agencies, and the paucity of individual privacy and digital rights legislation, the program has also raised concerns among local activists that such intimately personal data could fall into unwanted hands – be they those of hackers, domestic political factions or foreign governments.
“Our main concern is data protection,” said Mohamad Najem, co-founder of the Social Media Exchange (SMEX) and a digital rights campaigner, who told NOW there was already a precedent in Lebanon of citizens’ government-handled personal information being exposed. “A few years ago, somebody stole all the driving registration data, and all these data [including names, addresses, phone numbers, and blood types] started to be used on phone apps.”
“How can we make sure this is not going to happen again?”
The data stored on Lebanon’s biometric passport chips comprise an image of the holder’s face; images of each fingerprint on both hands; and text detailing the holder’s name, birthdate, father’s and mother’s names, and dates of passport issue and expiry, according to a fax sent to NOW by the Media Affairs Office of the General Directorate of General Security, the government agency responsible for the program.
These data are exclusively stored with and accessible by General Security, according to the Media Affairs Office as well as a spokesperson for Beirut-based Inkript Technologies, one of two companies jointly tasked with producing the new passports (the press spokesperson for the second company, Gemalto, based in the Netherlands, did not respond to repeated calls and emails requesting comment). “There are no data stored with any company, Lebanese or foreign,” wrote General Security in response to NOW’s query.
Both General Security and Inkript insist the data are amply protected against hacks or other violations.
“[The] data are encrypted in a very secure manner with very sophisticated and certified platforms,” said Christel Abbas, Marketing Officer at Resource Group Holding, the parent company of Inkript. In its fax, General Security elaborated that “all the encryption keys exist exclusively with the General Directorate of General Security, which alone undertakes exclusively the use and management of the encryption system in accordance with the procedures of […] Public Key Infrastructure.”
“Therefore, the database of passports cannot be hacked and info cannot be leaked,” asserted Abbas.
Najem, however, believes such assurances are insufficient. Instead, he argues, a specific legal framework must be put in place to regulate access to and use of the data.
“We want to make sure that the government issues a law that allows judges to check that this data has been well protected,” he told NOW. “And if any security agency requires access to this data, they need to issue a request to a judge and the judge should approve or disapprove their request.”
“None of this is happening now. We’re starting with the passports, but there’s also the ID [card] that’s going to become biometric, and the driving license.”
Fail-safe, or safety failure?
The key selling point of the biometric passport is its purported invulnerability to forgery. As Abbas put it to NOW, “biometric data are so significant because, unlike personal information, they cannot be stolen. Since no two individuals on this earth are the same, biological data are extremely difficult to replicate.” It’s easy to imagine the potential security benefits for Lebanon, where criminal and militant networks routinely utilize fake identities, and where, for example, the high-profile jihadist fugitive Ahmad al-Assir was apprehended at Beirut airport in August 2015 attempting to flee the country with a forged Palestinian passport. In the wake of the recent series of Islamist attacks in western Europe, the US Department of Homeland Security decided in April 2016 to make biometric passports obligatory for travelers benefiting from the Visa Waiver Program, by which citizens of 38 mostly European nations may enter the USA visa-free.
Yet for all its advocates’ praise, a number of fraud security specialists have long maintained the biometric passport is anything but foolproof. In 2008, a man was able to pass the security checks at Amsterdam’s Schiphol airport using a forged biometric passport bearing the name and photo of Elvis Presley. In 2014, two Iranian passengers on board the Malaysian Airlines Flight 370 that disappeared mid-air were found to have boarded in Kuala Lumpur using stolen European biometric passports.
“Nearly every country issuing this passport has a few security experts who are yelling at the top of their lungs and trying to shout out: 'This is not secure. This is not a good idea to use this technology',” said German consultant Lukas Grunwald, who has himself ‘cloned’ biometric passport chips, in remarks to the BBC in 2006.
Among the key weaknesses is that the technology can only be as reliable as the human beings operating it. If airport employees do nothing more than see if the biometric scanning machine confirms the data in the passport chip matches the records in the government database, without also (for instance) visually confirming that the real-life passport holder resembles the person in the photo on their screen, then the technology is effectively useless, as the ‘Elvis Presley’ case vividly demonstrates.
As the man responsible for the Schiphol breach put it at the time, excessive reliance on automation may “actually [have] made the borders weaker, not stronger.”
Amin Nasr contributed reporting.