Passport photos: Use of AWS cloud by private photo providers draws criticism

Since May, digital passport photos have been mandatory for documents such as ID cards and passports – provided the local authority has a certified photo-taking system. Otherwise, a paper photo can be submitted. Private providers are another alternative. Security experts have analyzed the first two providers already participating in the procedure in more detail. Among other things, they criticize the fact that the cloud provider Amazon Web Service (AWS) has been entrusted with the temporary storage of the images.

The Federal Office for Information Security (BSI) does not yet list the two providers Dm and Ringfoto among the approved providers. However, when asked, a BSI spokesperson stated that "two cloud providers have received a provisional operating license". However, the completion of certification procedures for the technically operational systems is "expected soon"."Compliance with the requirements of TR-03170 will be checked as part of the certification process," the BSI said.

According to the directive, providers must "process, secure and store the data in a cloud in an EU country" and "be subject to the jurisdiction of a country of the European Union". The provider of the cloud service MUST declare that the processing, backup and storage of data for the provision of the cloud service takes place on system components in a country of the European Union and submit a concept of how it technically ensures this," explains the BSI spokesperson.

"Encryption is quantum secure"

In order to store the images after they have been taken, they are first stored end-to-end encrypted in an intermediate cloud, with the key for decryption contained in the Data Matrix Code that citizens bring to their authorities. According to the BSI spokesperson, cloud providers "have no way of decrypting the photographs. The encryption is also considered to be appropriately quantum-safe".

Although AWS has a location in Luxembourg, it belongs to the US company Amazon. The fear is therefore that the Cloud Act could ensure that US authorities could force access to the stored data. "We consider it questionable if millions of biometric passport photos are stored on the servers of US providers. Even if they are encrypted – because encryption is only ever temporary protection," says Tim Philipp Schäfers, security expert at Mint Security.

"Even encrypted data remains personal as long as it can in principle be assigned to a person - for example, if there is a way to decrypt it again", says Mint Security. As an alternative, the experts recommend having the images taken directly at the authority. So far, not all authorities are equipped with appropriate photo recording systems. This is due to happen in August, but there has recently been talk of delays in delivery, which is why an exemption is in place in the affected municipalities until the end of July. Paper photographs will then continue to be accepted.

Digital sovereignty?

There is currently a lot of talk about digital sovereignty. Schäfers therefore finds it incomprehensible that providers "choose such hosters for an almost sovereign task". This raises the question of how to deal with US services, especially in public authorities. So far, no statistics have been published that show how many authorities in Germany use US cloud services. At least the license costs for Microsoft products are increasing from year to year. The services of US providers are also often used in many critical areas. The discussion about the use of Palantir in police authorities is currently ongoing, to name just one more example. Recently, for example, the Charité hospital began testing and training AI-supported software from Microsoft for documenting doctor-patient conversations in everyday clinical practice – although there are various European alternatives.

(mack)