E-passports

Neemayani Kaduma, Associate Director, PwC Tanzania, 20/11/18

E-passports … great! But is my personal data secure?

E-passports are a recent example of a planned initiative by some governments across Africa to go more digital. The issuing of e-passports is expected to increase the security and efficiency of border-control points. Similarly, the issuing, renewal and replacement of passports will be more efficient, thus saving costs to government.

The benefits to travellers are clear, as they are no longer required to wait in long winding queues at border control and can quickly navigate the sleek ‘automatic border-control gates’.


In addition, e-passports enhance controls against illegal immigration and national security in general and are in line with many governments’ technology transformation projects, which aim at efficiency and greater customer satisfaction. However, they are not without their challenges.

One key challenge is how immigration departments will secure data to ensure its confidentiality, integrity and availability. Data that identifies you as a citizen will be stored on a system, including particularly sensitive, biometric data (such as fingerprints and iris scans) as well as movement and restriction records. This data is validated against a central database in order to authenticate your identity.

So have adequate measures been thought of to safeguard this sensitive data? Given the sophistication needed from the system to securely process travellers’ data at our borders and curb illegal immigration, you can imagine the value attached to the confidentiality and integrity of your personal data. What if your data falls into the wrong hands? What controls will be in place to prevent this from happening?

Where is all this data being stored? How is it protected? And, more importantly, can this information be centrally managed and shared across borders and common data protection legislation adopted for Africa? But this latter point is for another conversation; for now let’s focus on the data security risks.

Even where the process is automated, human intervention will still play a part in some of the risks mentioned above. Human intervention is required at the point of capture or update of details in the system, as well as maintenance of the system. It is this human element that is prone to making errors and can be compromised sometimes (with or without the person’s knowledge). In addition, the system in itself is made up of various components, such as the application, the database and the network. If any of these is not well secured, it can provide a loophole for data or the system to be manipulated. A good analogy is owning an expensive car (the system) that is full of gold (citizens’ data) and parking outside a house that has no fence or security guard. The in-built security of the car in itself does not prevent thieves from getting to the gold. It is the entire ecosystem that needs to be secured to ensure the gold is well protected. The same applies to the cybersecurity ecosystem required to address the challenges mentioned above.

Typically, organisations, including those in the public sector, think cybersecurity is the job of the IT department. But it’s not only IT that should be involved. We all have a part to play, as cybersecurity is an enterprise-wide issue. For e-passports, this includes the applicant, the junior immigration officers, right through to the most senior people who own the project. With more than 100 countries already using e-passports, the technology itself is likely to be robust. However, when we look at the ‘ecosystem’, and given that many African countries do not have national frameworks for cybersecurity risk management, are we ready to tackle and address the threats and vulnerabilities that come with such initiatives?

While we embrace these great initiatives, which will take Africa forward and bring about much-needed efficiency, we should also address the risks involved and, in particular, cybersecurity, which is a new norm.

The anticipated benefits of e-passport initiatives include more efficient administration at border-control points and better security, including enforcement of immigration controls. But what about the security risks? How should we ensure the integrity, confidentiality and availability of all our data?

Firstly, everyone has a part to play when it comes to cybersecurity. Gone are the days when this was an ‘IT’ problem only! Provided that you interact with a system or the internet through any device (smartphone, laptop, tablet etc.) you should take good measures to help safeguard information. We do not sleep with the front door of the house open just because there is a security guard outside. The same principle applies in cybersecurity. Every user has a role to play. Accordingly, all the people involved in the process of filling in, processing and maintaining data required for the e-passports need to be educated on how to be secure in cyberspace. This starts from the basics of having strong password controls to not clicking unknown links, as such links can be malicious and infect the user’s machine or give access to hackers. This education needs to be given continuously, and it has to stay current and relevant as technology and cyber threats keep evolving.

Secondly, the system that will be processing and storing data for e-passports must have robust features that will ensure that data integrity is maintained. This is where IT and the user departments converge and work together. As the system will be hosted in a network connecting it with various border points, this network must be designed with security in mind. The main objective is to protect the system from external and internal attacks. Secure protocols and encryption need to be in place when data is being transmitted between two points to prevent it from being intercepted. In addition, there need to be detection mechanisms that will alert immigration on a timely basis when an attempt is made to attack or access the system without proper authentication.

The above concepts cover ‘people’ and the ‘systems’. The third component that is key in addressing cybersecurity is ‘processes’. There need to be well-designed processes and controls in each activity that involves e-passports, be it creation, updates, renewals, etc. If not well designed, such processes can also provide a loophole for exploitation of the security threats and vulnerabilities mentioned earlier.

In addition, immigration departments must have processes for responding to ‘electronic-related’ incidents. Then there is the aspect of a good work ethic, which seems to be disappearing these days when it comes to maintaining confidentiality. This you can tell by the number of instances in which sensitive corporate information has made the rounds on social media (thanks to smartphones). So, in educating people, staff should also be sensitised (particularly the ‘young smartphone-savvy’ users) not to snap sensitive data and share it through social media platforms. This then brings me to the last point regarding the skillset required to address cybersecurity issues.

There is a significant shortage of experienced or qualified cybersecurity professionals in this field, both locally and globally, as noted in various reports by PwC, the Information Systems Audit and Control Association (ISACA) and Protiviti. Therefore, both the public and private sectors have a common interest in investing in the skill set of the people needed to implement the control measures mentioned above to minimise cybersecurity risks.

So while we embrace these great initiatives, which will take Africa forward and bring about much-needed efficiency, we should also address the risks involved, and particularly cybersecurity, which is a new norm and will only increase in sophistication as we innovate and integrate more systems.

 

