Security concerns at immigration database launch

The European Commission's controversial new biometrics-based system for combating illegal immigration and processing asylum requests, Eurodac, was launched on 14 January amid security and data protection concerns.

Eurodac is based on a central database in Brussels containing fingerprints of asylum seekers, a central processing unit to enable immigration authorities in 16 countries including the UK to compare fingerprints against the database, and a system for sending digitised fingerprints electronically.

Protecting this sensitive data and ensuring the secure transmission of data electronically between the participating states and the central database are key issues.

Frank Paul, head of the large-scale IT projects unit at the EC, said security had been a major concern. "For reasons of credibility of the system, security was one of our main concerns," he said. "We think we have implemented the maximum security you can have."

Encryption is used at the application and network levels, and PKI is used in all the transactions handled by the electronic fingerprint image transmission system.

Paul said the great strength of the system was that if it was hacked into (which he claimed could never happen), the hackers would only have access to case numbers and fingerprints - no personal details such as names are held on the system.

But hacking is not the main threat. David Birch, director at Consult Hyperion, said the biggest danger would be from people bribing EC staff to access the database or buy data. "The worry about fingerprint databases is that someone can steal your fingerprint and assume your identity. You wouldn't want your fingerprints on an EC database where anyone can get hold of them."

Birch also cast doubt on Paul's assurance that bodies other than immigration, such as law enforcement agencies, would not be able to access the fingerprint database. "It is hard to see how they would not have access to it," he said.

Considering the high volumes of transactions Eurodac will carry out, an accuracy rate of 99.9% would still produce a significant number of false positives, Birch added.

All asylum seekers entering the EU will be registered in the country where they first asked for protection and have their digitised fingerprints stored in the central database. The Eurodac system has already processed "a couple of hundred" submissions from asylum seekers, said Paul, and it is expected to hold details of two million immigration applicants by 2004.

"Eurodac will bring about huge economies of scale," Paul said. "There will be no more multiple asylum requests. In overall terms you'll have a huge saving at member state level."

The project is based on technology from US firm Cogent, implemented by IT services firm Steria. It cost €6.5m (£4m) and will cost about €500,000 a year to run. The cost of a transaction will be €2.76.
