STRENGTHENING MIGRATION MANAGEMENT AND COOPERATION ON READMISSION IN EASTERN EUROPE (MIGRECO)

DOCUMENT SECURITY AND IDENTITY MANAGEMENT IN UKRAINE

John Stienen, MSc.

Kyiv - 2015

This Study was prepared with the financial assistance of the European Union. The contents of this publication are the sole responsibility of its author and can in no way be taken to reflect the views of the European Union, the U.S. Department of State, the U.S. Agency for International Development, the Royal Danish Ministry of Foreign Affairs, the Immigration and Naturalisation Service of the Ministry of Security and Justice of the Netherlands, or the International Organization for Migration.

© International Organization for Migration (IOM), Mission in Ukraine, 2015.

All rights reserved. No part of this publication may be reproduced without the express written permission of the European Union and the International Organization for Migration.

Delegation of the European Union to Ukraine
101, Volodymyrska Str., Kyiv, Ukraine, 01033
Tel.: +38 044 390 80 10
E-mail: [email protected]
http://eeas.europa.eu/delegations/ukraine

IOM Mission in Ukraine
8, Mykhailivska Str., Kyiv, Ukraine, 01001
Tel.: +38 044 568 50 15
Fax: +38 044 568 50 16
E-mail: [email protected]
http://www.iom.org.ua


TABLE OF CONTENTS

ABBREVIATIONS AND ACRONYMS ...... 5
EXECUTIVE SUMMARY ...... 7
1 INTRODUCTION ...... 8
2 APPLIED METHODOLOGY ...... 9
2.1 INTERNATIONAL STANDARDS ...... 9
2.2 EUROPEAN STANDARDS ...... 10
2.2.1 Technical security of passports, including biometrics ...... 10
2.2.2 Reporting lost and stolen passports ...... 11
2.2.3 Reliability of breeder documents ...... 11
2.2.4 Exchange of information on false and authentic documents ...... 12
2.2.5 Security of residence permits and visas, including biometrics ...... 12
2.2.6 Protection of personal data ...... 12
2.2.7 Population registration ...... 13
2.2.8 Minimal standards expected from Ukraine for establishment of a visa-free regime ...... 13
2.3 PAST STUDIES AND ANALYSES OF THE DOCUMENT SECURITY, CONCLUSIONS AND RECOMMENDATIONS ...... 13
3 REVIEW OF THE DOCUMENT SECURITY AND IDENTITY MANAGEMENT IN UKRAINE ...... 15
3.1 IDENTITY MANAGEMENT FOR UKRAINIAN NATIONALS AND DOCUMENT SECURITY ...... 15
3.1.1 Legal framework and strategic initiatives ...... 15
3.1.1.1 Legal framework for the central population register ...... 15
3.1.1.2 Legal framework for identity, travel and other documents ...... 16
3.1.1.3 The “blue” passport issued under Passport Resolution 1992 and Passport Issuance Rules 1995 ...... 16
3.1.1.4 The new generation of biometric travel documents of 2015 ...... 18
3.1.2 Security of Ukrainian travel documents: fraud and its prevention ...... 18
3.1.2.1 Production ...... 19
3.1.2.2 Application ...... 19
3.1.2.3 Personalisation ...... 20
3.1.2.4 Obtainment ...... 21
3.1.3 Security of internal passports ...... 21
3.1.4 Certificates of civil status ...... 21
3.1.5 Population registration ...... 22
3.2 IDENTITY MANAGEMENT FOR FOREIGN NATIONALS AND STATELESS PERSONS IN UKRAINE ...... 22
3.2.1 Legal framework and strategic initiatives ...... 22
3.2.2 Security of visas: fraud and its prevention ...... 23
3.2.3 Security of identity documents issued to foreigners and stateless persons and residence permits: fraud and its prevention ...... 24
3.3 BIOMETRICS ...... 24
3.4 INFORMATION DATABASES AND SYSTEMS, INTERAGENCY INFORMATION SHARING ...... 24
3.5 INFORMATION SHARING WITH EXTERNAL COUNTERPARTS ...... 25
3.6 BUDGET ALLOCATIONS AND PLANNING ...... 25
3.7 PROTECTION OF PERSONAL DATA ...... 25
4 ANALYSIS, RESULTS AND CONCLUSIONS ...... 27
4.1 COMPLIANCE WITH ICAO/INTERNATIONAL AND EUROPEAN STANDARDS, NORMS AND RECOMMENDATIONS ...... 27
4.1.1 Technical security of passports, including biometrics ...... 27
4.1.1.1 Secure production and personalisation ...... 27
4.1.1.2 Security of the “blue” passport issued under Passport Resolution 1992 and Passport Regulation 1995 ...... 28
4.1.1.3 Security of the new generation of biometric passports of 2015 ...... 29
4.1.1.4 Biometrics ...... 30
4.1.2 Reporting lost and stolen passports ...... 31
4.1.3 Reliability of breeder documents ...... 32
4.1.4 Exchange of information on false and authentic documents ...... 32
4.1.5 Security of residence permits and visas, including biometrics ...... 32
4.1.6 Protection of personal data ...... 32
4.1.7 Population registration ...... 33
4.1.8 Minimal standards in document security ...... 34
4.2 CONCLUSIONS ...... 34
5 RECOMMENDATIONS FOR FURTHER DEVELOPMENTS ...... 35
5.1 TECHNICAL SECURITY OF PASSPORTS, INCLUDING BIOMETRICS ...... 35
5.1.1 Policy and legal framework ...... 35
5.1.2 Compliance with EU and international standards ...... 35
5.1.3 Prevention of fraud, crime and illegal border crossing ...... 36
5.1.4 Capacity building ...... 36
5.2 REPORTING LOST AND STOLEN PASSPORTS ...... 36
5.3 RELIABILITY OF BREEDER DOCUMENTS ...... 36
5.4 INTERAGENCY INFORMATION SHARING ...... 37
5.5 EXCHANGE OF INFORMATION ON FALSE AND AUTHENTIC DOCUMENTS ...... 37
5.6 SECURITY OF RESIDENCE PERMITS AND VISAS, INCLUDING BIOMETRICS ...... 37
5.7 PROTECTION OF PERSONAL DATA ...... 38
5.8 POPULATION REGISTRATION ...... 38
6 ANNEXES ...... 39
ANNEX 1. BREAKDOWN OF WORK ...... 39
ANNEX 2. LIST OF CONSULTED INDIVIDUALS AND ORGANISATIONS ...... 40
ANNEX 3. EUROPEAN LEGISLATION ...... 41
Council Regulation (EC) No 2252/2004 of 13.12.2004 (as amended by Regulation (EC) No 444/2009 of 28.06.2009) ...... 41
Annex to Commission Decision C(2006) 2909 of 28.06.2006 ...... 45
ANNEX 4. TRANSLITERATION OF UKRAINIAN ON TRAVEL DOCUMENTS ...... 50


ABBREVIATIONS AND ACRONYMS

ANSI American National Standards Institute
BIG Brussels Interoperability Group
BSI German acronym for “Federal Office for Information Security” (in German: Bundesamt für Sicherheit in der Informationstechnik)
CA Certification Authority
CCI Common Consular Instructions
CMU Cabinet of Ministers of Ukraine
DIS Ukrainian acronym for “State Information System for the Registration of Individuals and Their Documentation” (in Ukrainian: Державна інформаційна система реєстраційного обліку фізичних осіб та їх документування)
DOVID Diffractive Optically Variable Image Device
DP Data Protection
EAC Extended Access Control, being according to ICAO the combination of chip authentication and terminal authentication
ДСТУ Ukrainian acronym for “State Standards of Ukraine” (in Ukrainian: Державні стандарти України)
EAC-PKI Extended Access Control Public Key Infrastructure
EC European Communities
EF.SOD Document Security Object of the e-Passport chip (data integrity and authenticity information)
e-MRtd Electronic MRtd
ETS European Treaty Series
EU European Union
EURODAC European Dactyloscopy - the European fingerprint database
FADO False and Authentic Documents Online - a European image-archiving system
FBI Federal Bureau of Investigation
IAI IAI industrial systems B.V.
IC Integrated Circuit
ICAO International Civil Aviation Organisation (Ukrainian acronym - “ІКАО”)
ID ID-1 Credit card size (ISO/IEC 7810)
IEC International Electrotechnical Commission
INTERPOL International Criminal Police Organization
IOM International Organization for Migration
ISO International Organization for Standardization
ITL Information Technology Laboratory
JHA Justice and Home Affairs (Council configuration)
JPEG Joint Photographic Experts Group, an image format
LASP Lost and Stolen Passports
LDS Logical Data Structure
MFA Ministry of Foreign Affairs of Ukraine
MIA Ministry of Internal Affairs of Ukraine
MIGRECO Strengthening Migration Management and Cooperation on Readmission in Eastern Europe
MRP Machine-Readable Passport
MRtd Machine-Readable Travel Document
MRZ Machine-Readable Zone
NGO Non-Governmental Organisation
NIST National Institute of Standards and Technology, USA
NTWG ICAO’s New Technologies Working Group
OCR Optical Character Recognition
ODIHR OSCE’s Office for Democratic Institutions and Human Rights
OSCE Organisation for Security and Cooperation in Europe
OVD Optically Variable Device
PACE Password Authenticated Connection Establishment
PKI Public Key Infrastructure
PRADO Public Register of Authentic Identity and Travel Documents Online
RF Radio Frequency
SBGS State Border Guard Service of Ukraine
SIS Schengen Information System
SLTD INTERPOL’s Stolen and Lost Travel Documents
SMS State Migration Service of Ukraine
SOD Document Security Object
SOG-IS Senior Officials Group Information Systems Security of the European Commission
SOP Standard Operation Procedures
SSDR Single State Demographic Register
TAG/MRTD Technical Advisory Group on Machine Readable Travel Documents
TR German acronym for “Technical Guidelines” (German: Technische Richtlinien)
UAH Ukrainian hryvnia
UN United Nations
UV Ultraviolet light
VIS Visa Information System
VIZ Visual Inspection Zone
VLAP Action Plan on Visa Liberalisation
WSQ Wavelet Scalar Quantization


EXECUTIVE SUMMARY

The review of the situation with identity management and document security in Ukraine carried out in this study coincided with the new Government giving priority to the soonest possible establishment of a visa-free regime for Ukrainians travelling to the European Union (EU). The issuance of machine-readable biometric travel documents in full compliance with the highest International Civil Aviation Organisation (ICAO) standards, on the basis of secure identity management and with adequate protection of personal data, is one of the core preconditions for that. On 20 August 2014 the Cabinet of Ministers of Ukraine adopted a new National Action Plan to implement the second phase of the EU-Ukraine Action Plan on Visa Liberalisation (VLAP) [1]. The analysis demonstrates that the Ukrainian authorities already had successful experience in using state-of-the-art equipment and technologies for both identity management and the issuance of secure travel documents, and that the introduction of the new ICAO-compliant Ukrainian travel documents under the National Action Plan, starting with the passport, is on schedule. Issuance of the first biometric passports started in January 2015. While Ukrainian passports have proved to be technically secure – representatives of the law-enforcement agencies reported no cases of forged booklets or data pages – attention must now be paid to issuance security and usage security. Hence, separate recommendations have been formulated for the stage of initial identification of applicants when they apply for passports, and for determining the reliability of breeder documents before secure passports are issued on their basis. This also supports the requirements under phase two of the VLAP, which Ukraine entered on 27 May 2014. Part of the study is devoted to the security of Ukrainian visas and residence permits for foreigners; a need for capacity building in this segment was identified in the course of the assessment.
The study recommends designing training courses on verifying the validity of foreign passports for consular officers issuing visas and migration officers issuing residence permits. Ukrainian border guards have a good tradition of capacity building activities in this field, and their experience can be applied effectively.

[1] http://register.consilium.europa.eu/pdf/en/10/st17/st17883.en10.pdf (in English), http://zakon4.rada.gov.ua/laws/file/text/16/f401732n5.pdf (in Ukrainian)


1 INTRODUCTION

The Action Plan on the Implementation of the Concept of State Migration Policy of Ukraine [2] refers to the need for regular academic research in the field of migration. The present assessment is a study of identity management and identification document security, including biometrics, in Ukraine; it was conducted within component B1.1 of the MIGRECO (Strengthening Migration Management and Cooperation on Readmission in Eastern Europe) Project, funded by the EU and implemented by the International Organization for Migration (IOM). The overall objective of the MIGRECO Project is to enhance migration management and foster cooperation on readmission in Ukraine, Moldova and Belarus in line with EU standards. The objective of the present assessment is to provide the Ukrainian government (and other interested stakeholders, such as members of Parliament, civil society, academia and EU Member States) with an analytical product and recommendations for substantially advancing the level of document security, including biometrics, and identity management in Ukraine in line with ICAO, international and EU standards. This study consists of three main components: an overview of relevant international and EU standards and good practices, followed by a review of identity management and document security in Ukraine, which is then assessed for compliance with ICAO/international and European standards, resulting in an evaluation of the progress made in implementing VLAP section 2.1, Block 1. These lead to recommendations for further development of the specified areas and elements. It is expected that in the future, when the government bodies and the Parliament of Ukraine draft or adopt amendments to laws and practices in the area of document security and identity management, such amendments can be made on the basis of the present assessment and its recommendations.
Such amendments are pivotal for a sustainable EU visa-free regime for Ukrainian citizens – among the top priorities of the current Ukrainian government – which can only be established once the relevant conditions are in place. According to the VLAP, visa liberalisation is conditional upon, inter alia, significant improvements in the level of document security, including biometrics. Thus, the study aims to facilitate implementation of the VLAP by the Ukrainian side. Furthermore, an upgrade in the security of travel documents, the reliability of identity management and the effectiveness of information sharing will increase the Ukrainian enforcement authorities’ capabilities to tackle irregular migration, transnational crime and terrorism. The study identifies capacity building needs for the staff of the selected governmental partners regarding the security level of existing Ukrainian breeder documents, passports and other travel documents, the capture and storage of biometrics, and documentation procedures for foreign citizens.

[2] Approved by the Decree of the Cabinet of Ministers of Ukraine of 12 October 2011 No. 1058-r http://zakon4.rada.gov.ua/laws/show/1058-2011-%D1%80


2 APPLIED METHODOLOGY

Secure travel documents, reliable identity management and effective information sharing decrease the risks of irregular migration, transnational crime and terrorism. Given the lack of comparative academic research into the implementation of document security and identity management in the EU Member States, the countries of the Western Balkans and the Eastern Partnership countries alike, this study is, by nature, empirical. The assessment was carried out in accordance with the work breakdown provided in Annex 1, by means of an examination of the relevant legislation in force and of existing practice, through consultations with representatives of the state institutions involved in regulating and implementing the subject matter of this study, e.g. the Ministry of Foreign Affairs of Ukraine (MFA), the Ministry of Internal Affairs of Ukraine (MIA), the State Migration Service of Ukraine (SMS), the State Border Guard Service of Ukraine (SBGS), the Secretariat of the Ombudsperson of Ukraine, the State Registration Service, the Ministry of Finance and the State Service for Protection of Personal Data (an exhaustive list of the institutions concerned can be found in Annex 2). The results of these consultations are reflected in Chapter 3. Additionally, relevant information was obtained from third parties and online resources, particularly ICAO, the Directorate-General for Migration and Home Affairs of the European Commission, and EU Member State competent authorities (mainly the Netherlands).

2.1 International Standards

ICAO is the only UN Specialised Agency that has the mandate and responsibility to develop international specifications for passports, visas and ID cards used for travel, in order to ensure interoperability, enhance facilitation, increase confidence in the reliability of travel documents, and contribute to national and international security. ICAO-compliant travel documents and a robust identity management regime are powerful tools in preventing and combating terrorism and serious transnational crime. Any remaining weaknesses in identity management or travel document security tend to be exploited by irregular migrants, criminals and terrorists worldwide and present a weak link in global efforts to ensure security, stability, good governance and the rule of law. ICAO technical specifications for travel documents are contained in Document 9303 and its Supplements [3], taking advantage of the latest and most efficient technologies available. In practical terms, ICAO Document 9303 is the “body of knowledge” that outlines specifications for machine-readable passports, visas and ID cards, including biometric travel documents. Today Document 9303 comprises three comprehensive parts that elaborate on the state-of-the-art technical specifications:
• Part 1 - Machine Readable Passports. Volume 1 - Passports with Machine Readable Data Stored in Optical Character Recognition Format;
• Part 1 - Machine Readable Passports. Volume 2 - Specifications for Electronically Enabled Passports with Biometric Identification Capability;
• Part 2 - Machine Readable Visas;
• Part 3 - Machine Readable Official Travel Documents. Volume 1 - MRtds with Machine Readable Data Stored in Optical Character Recognition Format;
• Part 3 - Machine Readable Official Travel Documents. Volume 2 - Specifications for Electronically Enabled MRtds with Biometric Identification Capability.
The document defines two storage mechanisms: “machine readable data stored in optical character recognition format” (the document is then referred to as a machine-readable passport (MRP) or machine-readable travel document (MRtd) respectively) and “electronically enabled with biometric identification capability” (also referred to as “e-passport”, “ePassport” or “eMRtd”).

[3] http://www.icao.int/Security/mrtd/Pages/Document9303.aspx
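Document 9303 Part 1 specifies not only the OCR-B layout of the machine readable zone (MRZ) but also the check digits that let an inspection system detect a misread or altered field. The following Python script is an added example, not code from this study or from ICAO: it parses a two-line TD3 (passport-size) MRZ, computes each check digit with the weighted-sum algorithm from Doc 9303 (weights 7, 3, 1 repeating; letters valued 10 to 35; the filler “<” valued 0) and reports which checks fail. The sample MRZ and the name in it are constructed for illustration and describe no real document or person.

```python
"""Parse and validate a TD3 (passport-size) machine readable zone as
specified in ICAO Doc 9303 Part 1 (two lines of 44 OCR-B characters).

Added example; the sample MRZ below is constructed for illustration
and does not describe a real document or a real person."""

import re


def _char_value(ch: str) -> int:
    """Character values of the ICAO check-digit algorithm:
    digits keep their value, A-Z map to 10-35, the filler '<' is 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum (weights 7,3,1 repeating) mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def _check_ok(field: str, given: str) -> bool:
    # For an all-filler optional field the check digit may be printed as '<' or '0'.
    if given == "<" and set(field) == {"<"}:
        return True
    return check_digit(field) == given


def parse_td3(line1: str, line2: str) -> dict:
    """Split the two MRZ lines into fields and verify every check digit.

    Returns the decoded fields plus 'valid' and the list of checks that failed."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters long")
    if not re.fullmatch(r"[A-Z0-9<]{44}", line1) or not re.fullmatch(r"[A-Z0-9<]{44}", line2):
        raise ValueError("MRZ lines may only contain A-Z, 0-9 and '<'")

    # Line 1: document type, issuing state, then SURNAME<<GIVEN<NAMES padded with '<'.
    surname, _, given = line1[5:].rstrip("<").partition("<<")
    fields = {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5],
        "surname": surname.replace("<", " "),
        "given_names": given.replace("<", " "),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "date_of_birth": line2[13:19],
        "sex": line2[20],
        "expiry_date": line2[21:27],
        "optional_data": line2[28:42].rstrip("<"),
    }

    # Field-level check digits, then the composite check digit computed over
    # positions 1-10, 14-20 and 22-43 of line 2 (ICAO 1-based numbering).
    composite_input = line2[0:10] + line2[13:20] + line2[21:43]
    checks = {
        "document_number": _check_ok(line2[0:9], line2[9]),
        "date_of_birth": _check_ok(line2[13:19], line2[19]),
        "expiry_date": _check_ok(line2[21:27], line2[27]),
        "optional_data": _check_ok(line2[28:42], line2[42]),
        "composite": _check_ok(composite_input, line2[43]),
    }
    fields["failed_checks"] = [name for name, ok in checks.items() if not ok]
    fields["valid"] = not fields["failed_checks"]
    return fields


# Constructed sample: a fictitious Ukrainian passport MRZ with correct check digits.
SAMPLE_LINE1 = "P<UKRSHEVCHENKO<<OLENA".ljust(44, "<")
SAMPLE_LINE2 = "AB12345671UKR8503127F2501017" + "<" * 14 + "00"

if __name__ == "__main__":
    print(parse_td3(SAMPLE_LINE1, SAMPLE_LINE2))
    # Changing one digit of the date of birth breaks its own check digit and the composite one.
    tampered = SAMPLE_LINE2[:13] + "860312" + SAMPLE_LINE2[19:]
    print(parse_td3(SAMPLE_LINE1, tampered)["failed_checks"])
```

The check digits only protect against misreads and crude alterations of the printed zone; they carry no secret, so an inspection system still relies on the physical security features and, for an e-passport, on the signed chip data to establish authenticity.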


ICAO Document 9303 Part 1, Volume 1, which is the general part on Passports with Machine Readable Data Stored in Optical Character Recognition Format, also gives guidance on secure production and on lost, stolen and revoked passports. Inter alia, it states: “The State issuing the MRP shall ensure that the premises in which the MRP is printed, bound, personalized and issued are appropriately secure and that staff employed therein have an appropriate security clearance. Appropriate security shall also be provided for MRPs in transit between facilities and from the facility to the MRP’s holder. Appendix 3 to this Section provides recommendations as to how these requirements can be met.” “States should provide specific information on lost or stolen passports, such as passport or book numbers, to the central database operated by INTERPOL at the appropriate time and according to agreed procedures. This includes details of any unpersonalized MRPs which may be stolen from a production or issuance facility or in transit.” Part 1 Volume 2 is entirely dedicated to the inclusion of biometrics in passports. It identifies the requirements that are unique to travel document issuance and inspection, on the basis of which the face was recommended as the primary biometric, mandatory for global interoperability in passport inspection systems, while the finger and iris were recommended as secondary biometrics to be used at the discretion of the passport-issuing State. As we will see later on, Europe chose fingerprints as the secondary biometric, mandatory in biometric passports and travel documents issued by the EU countries. Next it identifies the appropriate medium for electronic data storage on the document, which would have to offer enough data storage space for facial images and possibly other biometrics.
The technology that met all of these requirements was the contactless integrated circuit (IC), and after further study it was decided that of the two International Organization for Standardization (ISO) standard options, the “proximity” type (ISO/IEC 14443) should be specified. This is specified in Section II. Next, a standardized “logical data structure” for programming the chip was specified to ensure that chips programmed in any country could be read in any other country. Finally, because data written to a chip can be written over, a public key infrastructure (PKI) scheme was required, in order to give the reader of the chip confidence that the data had been placed there by the authorized issuer and that it had not been altered in any way. These are discussed in Section III. Furthermore an expert group within the New Technologies Working Group (NTWG), the Technical Advisory Group on Machine Readable Travel Documents (TAG/MRTD), developed specifications for a specialized PKI for application to travel document issuance and inspection.
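To make the PKI scheme described above concrete, the following Python model (an added example, not the study’s code nor that of any issuing authority) reproduces the structure of the ICAO passive authentication check: the issuer hashes each data group of the logical data structure, signs the list of hashes as the document security object (EF.SOD), and the inspection system verifies the signature and recomputes the hashes, so that a data group rewritten after issuance no longer matches. The toy “document signer” key is unpadded textbook RSA built on two publicly known Mersenne primes, chosen only so the script runs with the standard library; it is not secure and does not model the issuer certificate chain that a real inspection system validates before trusting the signature. The chip contents are constructed.

```python
"""Model of the integrity/authenticity check an inspection system performs on an
e-passport's Document Security Object (EF.SOD): the issuer hashes every data group
of the Logical Data Structure, signs the hash list, and the reader verifies the
signature and recomputes the hashes.

Added example, not code from the study or any issuing authority. The signature is
unpadded textbook RSA over two publicly known Mersenne primes so that the script
needs only the standard library; it is NOT secure and does not model the issuer
certificate chain that real inspection systems validate."""

import hashlib
import json

# --- toy "Document Signer" key (constructed; NOT secure, the primes are public) ---
_P = (1 << 521) - 1                       # Mersenne prime M521
_Q = (1 << 127) - 1                       # Mersenne prime M127
_N = _P * _Q                              # ~648-bit modulus, larger than a SHA-256 digest
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))     # private exponent (Python 3.8+)


def _sign(data: bytes) -> int:
    """Sign SHA-256(data) with the toy private key (textbook RSA, no padding)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, _D, _N)


def _verify(data: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare with SHA-256(data)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, _E, _N) == digest


def build_security_object(data_groups: dict) -> dict:
    """Issuer side: hash every data group (DG1 = MRZ, DG2 = face image, ...),
    serialise the hash list deterministically and sign it."""
    hashes = {dg: hashlib.sha256(content).hexdigest() for dg, content in data_groups.items()}
    payload = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "signature": _sign(payload)}


def passive_authentication(data_groups: dict, sod: dict) -> dict:
    """Reader side: check the issuer's signature over the hash list, then
    recompute each data group's hash and compare it with the signed value."""
    payload = json.dumps(sod["hashes"], sort_keys=True).encode()
    signature_ok = _verify(payload, sod["signature"])
    mismatched = [
        dg for dg, signed_hash in sod["hashes"].items()
        if dg not in data_groups or hashlib.sha256(data_groups[dg]).hexdigest() != signed_hash
    ]
    return {
        "signature_ok": signature_ok,
        "mismatched_groups": mismatched,
        "authentic": signature_ok and not mismatched,
    }


# Constructed sample chip contents: DG1 holds the MRZ text, DG2 stands in for the face image.
SAMPLE_CHIP = {
    "DG1": b"P<UKRSHEVCHENKO<<OLENA" + b"<" * 22
           + b"AB12345671UKR8503127F2501017" + b"<" * 14 + b"00",
    "DG2": b"\xff\xd8\xff\xe0 constructed placeholder for JPEG face image bytes",
}
SAMPLE_SOD = build_security_object(SAMPLE_CHIP)

if __name__ == "__main__":
    print(passive_authentication(SAMPLE_CHIP, SAMPLE_SOD))
    # A data group rewritten after issuance no longer matches the signed hash list.
    altered = dict(SAMPLE_CHIP, DG1=SAMPLE_CHIP["DG1"].replace(b"850312", b"860312"))
    print(passive_authentication(altered, SAMPLE_SOD))
```

The point the model makes is the one the text makes: because the chip contents can be rewritten, confidence comes from the signature over the hashes, not from the storage medium. Two outcomes are worth distinguishing in an inspection log: a valid signature with a hash mismatch (the data groups were altered) and an invalid signature (the security object itself is not from the expected issuer).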

2.2 European Standards

In the aftermath of the events of 11 September 2001, the European Commission was asked by Member States to take immediate action to improve document security; hence the Commission made proposals aimed at securing travel and migration, notably by integrating biometrics in European passports, but also by other means.

2.2.1 Technical security of passports, including biometrics

On 17 October 2000, the Council of the European Union adopted a Resolution introducing minimum security standards for passports [4]. The Thessaloniki European Council on 19 and 20 June 2003 confirmed the need to take common measures on biometric identifiers and data for documents for third-country nationals, EU citizens’ passports and information systems. Having regard to the proposal from the Commission and the Thessaloniki Council’s conclusions, the Council later adopted Regulation No 2252/2004 [5] on standards for security features and biometrics in passports and travel documents issued by Member States. The biometric identifiers consist of a facial image and fingerprints, making it possible to combat fraud and falsification more effectively. In addition, the introduction of biometrics in passports and travel documents reflects the need for Member States participating in the Visa Waiver Program to align themselves with the relevant US legislation, so that their nationals may enter US territory without a visa. The Regulation, which entered into force on 18 January 2005, defines minimum security levels regarding material, the (biographical) data page, printing techniques, copy protection and issuing technique. Further, it describes the requirement of a storage medium that contains a facial image (18 months after entry into force) and fingerprints in interoperable formats (36 months after entry into force). Specifications of security features can be public, or “secret and not published” [6]. In 2009 the Regulation was amended [7], adding more specific requirements for issuing passports to children and regarding fingerprints. The Regulation requires compliance with Part 1 of ICAO Document 9303 (on machine-readable passports) and the (amended) Commission Decision C(2006) 2909. Commission Decision C(2006) 2909 focuses on compliance with international standards, especially ISO standards, ICAO recommendations on Machine Readable Travel Documents and German BSI [8] Technical Guidelines, and accommodates the following (with notable standards mentioned):
• Specifications for biometric identifiers: face and fingerprints: ISO/IEC 19794-4 (Part 4: Finger image data) and ISO/IEC 19794-5 (Part 5: Face image data);
• Storage medium (chip): ISO/IEC 14443 (Identification cards, Contactless integrated circuit cards, Proximity cards);
• Logical data structure on the chip: Part 1 of ICAO Document 9303 (on machine-readable passports);
• Specifications for the security of the digitally stored data on the chip: BSI TR-03110 Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents;
• Conformity assessment of chip and applications: ISO/IEC 7816-4 (Organization, security and commands for interchange) and ISO/IEC 7816-8 (Commands for security operations);
• RF compatibility with other electronic travel documents: BSI TR-03110 Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents, Common Criteria Protection Profile “Machine Readable Travel Document with ICAO Application Extended Access Control with PACE”.

[4] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:42000X1028
[5] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32004R2252
An overview of the consolidated versions of Council Regulation (EC) No 2252/2004 of 13.12.2004 and of the Annex to Commission Decision C(2006) 2909 of 28.06.2006 is presented in Annex 3. Commission Decision C(2008) 8657 introduces a common certificate policy of the EU Member States for the Extended Access Control Public Key Infrastructure (EAC-PKI) based on the (German) technical guidelines BSI TR-03110 [9]. The certificate policy describes requirements and rules to achieve trust and interoperability within the EAC-PKI.

2.2.2 Reporting lost and stolen passports

Pursuant to Common Position 2005/96/JHA, EU Member States are required to report information on stolen and lost passports to INTERPOL. The objective of the Common Position is to prevent and fight organised crime, including terrorism, committed through the misuse by criminals of lost or stolen passports. In practice, national authorities, once they become privy to such information, must enter the data in their national database and in the Schengen Information System (SIS), and then forward the information to INTERPOL [10].

2.2.3 Reliability of breeder documents

For the purpose of this study, breeder documents mean documents that can serve as the basis for obtaining passports or other travel documents.

[6] Commission Decision C(2005) 409 of 28 February 2005 establishing the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States (not published), Commission Decision C(2006) 2909 of 28 June 2006 establishing the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States (amended by Commission Decision C(2008) 8657 of 22 December 2008, Commission Decision C(2011) 5499 of 4 August 2011 and Commission Implementing Decision C(2013) 6181 of 30 September 2013) and Commission Decision C(2008) 8657 of 22 December 2008 laying down a certificate policy as required in the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States and updating the normative reference documents (amended by Commission Decision C(2009) 7476 of 5 October 2009 and Commission Implementing Decision C(2013) 6181 of 30 September 2013)
[7] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009R0444
[8] The Federal Office for Information Security (in German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI)
[9] https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03139/index_htm.html
[10] http://europa.eu/rapid/press-release_IP-08-1228_en.htm


It was recognised that the objective of enhancing the security of passports may be undermined if passports are issued on the basis of unreliable “breeder documents” [11]. The passport in itself is only one link of a security chain starting from the presentation of the breeder documents, to the enrolment of biometric data and ending with the matching at the border checkpoints. This chain will only be as secure as its weakest link. The European Parliament and the Council noted that there was a great diversity of situations and procedures in the Member States regarding which “breeder documents” should be produced in order to request the issuing of a passport, and that normally these documents have fewer security features than the passport itself and are more likely to be subjected to forgery and counterfeiting.

2.2.4 Exchange of information on false and authentic documents

The proliferation of genuine and false documents means that frequent updating is essential. Ever more sophisticated techniques are being used to produce both genuine documents and forgeries; the European Fraud Bulletin and the Handbook of Genuine Documents can no longer keep up with the speed and exactness of modern reproduction techniques. A European Image Archiving System [12] – FADO (False and Authentic Documents) – has been set up to facilitate exchanges of information between EU Member States. It provides for the rapid validation, storage and exchange of information on genuine and false documents by computerised means. Part of the information from the FADO system is released to the general public via PRADO, the Public Register of Authentic Identity and Travel Documents Online [13], which is hosted by the General Secretariat of the Council of the European Union.

2.2.5 Security of residence permits and visas, including biometrics

Council Regulation (EC) No 1030/2002 of 13 June 2002 lays down a uniform format for residence permits for third-country nationals [14].
A uniform format for residence permits for third-country nationals contributes, first of all, to preventing irregular immigration and residence. The use of biometric identifiers, in turn, protects the residence permits against fraudulent use by connecting the permit and its holder in a more reliable manner. All EU Member States as well as Iceland, Norway, Switzerland and Liechtenstein also use a uniform format for visas [15]. However, the visa holder's biometric identifiers are not stored in the visa sticker itself, but in a database (Visa Information System – VIS), which allows Schengen States to exchange visa data. VIS connects consulates in non-EU countries and all external border crossing points of Schengen States. It processes data and decisions relating to applications for short-stay visas to visit, or to transit through, the Schengen Area. The system can perform biometric matching, primarily of fingerprints, for identification and verification purposes. In the field of asylum, Council Regulation (EC) No 2725/2000 of 11 December 2000 concerning the establishment of “Eurodac” for the comparison of fingerprints for the effective application of the Dublin Convention [16] introduces common standards for examining an asylum application by comparing fingerprint datasets.

2.2.6 Protection of personal data

It is important not to lose sight of the need for a proper balance between the reinforcement of security and due regard for the individual rights of the persons concerned, notably the right to data protection and privacy, as guaranteed by Directive 95/46/EC [17] and the national laws of Member States transposing it.
Ukraine is a member of the Council of Europe and signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS 181), which entered into force in Ukraine on 1 January 2011.

[11] Proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) Nº 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%205190%202009%20INIT
[12] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.1998.333.01.0004.01.ENG
[13] http://prado.consilium.europa.eu/
[14] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002R1030
[15] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995R1683
[16] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32000R2725 to be replaced by Regulation (EU) No 603/2013 of 26 June 2013 (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2013.180.01.0001.01.ENG)
[17] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046

12

2.2.7 Population registration

Relevant work in the field of population registration was performed by the OSCE’s Office for Democratic Institutions and Human Rights (ODIHR), which has published the Guidelines on Population Registration18 to provide practitioners, relevant authorities and political decision-makers in OSCE participating States with a tool for assessing the efficiency of their national population-registration systems and, when necessary, for reforming them.

2.2.8 Minimal standards expected from Ukraine for establishment of a visa-free regime

A separate block of the VLAP is devoted to document security, including biometrics (2. Elements of the Action Plan / 2.1. Block 1). It contains the following elements:

1st phase (legislative and policy framework):
• Adoption of a legal framework for the issuing of machine readable biometric international passports in full compliance with the highest ICAO standards on the basis of secure identity management (civil registry and breeder documents) and taking into account adequate protection of personal data;
• Adoption of an Action Plan containing a timeframe for the complete roll-out of ICAO-compliant biometric international passports, including at Ukrainian consulates abroad, and the complete phasing out of non-ICAO compliant passports;
• Establishment of training programmes and adoption of ethical codes on anti-corruption targeting the officials of any public authority that deals with international passports, as well as domestic passports and other breeder documents.

2nd phase (benchmarks for effective implementation):
• Gradual roll-out of biometric international passports in compliance with ICAO standards, including at Ukrainian consulates abroad, and phase-out of non-ICAO compliant passports;
• High level of integrity and security of the application, personalisation and distribution process for international passports, as well as domestic passports and other breeder documents;
• Prompt and systematic reporting to the Interpol/LASP database on lost and stolen passports;
• Regular exchange of passport specimens and cooperation on document security with the EU.

2.3 Past studies and analyses of the document security, conclusions and recommendations

The VLAP reflects systematic conclusions of the EU experts by calling on Ukraine to adopt a legal framework for, and effectively implement, the issuing of machine readable biometric international passports in full compliance with the highest ICAO standards on the basis of secure identity management (civil registry and breeder documents) and taking into account adequate protection of personal data. An important first step has already been taken, as noted in the First Progress Report19 on the VLAP implementation, regarding breeder documents, with the adoption of the Regulation on the State Registration Service of Ukraine. While the Second Progress Report in 2012 noted that “[l]imited progress was achieved”, in the Third Progress Report provided at the end of 201320 the European Commission notes that substantial progress was made in the last two years, including a legal framework that was laid for issuing biometric passports21. It further noted that in these two areas some additional efforts are needed to complete the first phase benchmarks: the Action Plan and the Programme for the complete roll-out of ICAO-compliant biometric passports and the complete phasing out of non-ICAO-compliant passports have still to be adopted22. The Fourth Progress Report, which was published on 27 May 2014, concluded “that Ukraine has put in place the necessary legislative, policy and institutional framework and meets the first-phase requirements of the visa dialogue”23.

The expert and academic studies in this domain are not numerous. In 2011, the NGO “Europe without Barriers” published a study “Documents Security and Migration Policy: Assessment and Recommendations of the International Working Groups for Ukraine”24. The publication includes analysis and evaluations of the conformity level of current state policy with the standards of the European Union in the sphere of migration and readmission, identity document security as basic requirements for implementing the tasks and criteria of the VLAP. The experts representing Ukraine, EU Member States and Western Balkan countries made the following recommendations as to what shall be achieved:
• adoption of an adequate legal framework that would establish clear and transparent procedures of personalisation, production, storage and delivery of ICAO-compliant identity documents;
• upgrading the norms regulating the standards of production, storage and application of identity documents from the level of by-laws (Resolution of the Cabinet of Ministers) to the level of law, primarily by adopting the Law on identity documents;
• phasing out the production and gradual withdrawal from circulation of all identity documents whose technical characteristics are not in compliance with ICAO rules and the EU standards;
• introduction of biometric technologies into identity documents on the basis of strict adherence to the EU standards of personal data protection;
• arranging the whole system of identity documents, legislative confirmation of its comprehensive list and removal of the documents that are inherited from former times (primarily, “” of the citizen of Ukraine);
• ensuring transparency and accountability of the public procurement in terms of identity documents production and related services;
• creation and maintenance of functioning systems for international information exchange (primarily with the EU Member States) concerning stolen, lost and forged identity documents.

Other sparse publications cover criminological aspects of document security, including protection measures, forgery techniques and applicable methods for revealing forgery25,26,27.

18 Organization for Security and Co-operation in Europe. Guidelines on Population Registration. Warsaw: 2009
19 See http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/international-affairs/eastern-partnership/visa-liberalisation-moldova-ukraine-and-georgia/index_en.htm
20 Commission assesses the implementation of Visa Liberalisation Action Plans by Moldova, Ukraine and Georgia – http://europa.eu/rapid/press-release_IP-13-1085_en.htm
21 After publication of the Second Progress Report in September 2012 major changes in the legal framework happened: the Law on demographic register was adopted and the new specimens of the blanks of the documents confirming citizenship of Ukraine, identity of person and his/her special status, as well as procedures for processing of such documents, their issuance, renewal, transmittal, seizure and return to the State were published and then revoked. See: http://eeas.europa.eu/ukraine/docs/third_joint_report_eu_ua_association_agenda_nov2012_en.pdf

22 In terms of phasing out of non-ICAO compliant passports, the National Action Plan on implementation of the second stage of the VLAP (the Decree of the Cabinet of Ministers of Ukraine No 805-r of 20 August 2014) defines a deadline for withdrawal from circulation of documents noncompliant with ICAO standards – January 2025, which derives from the 10 years validity period of the issued old passports and the planned launch of issuance of biometric passports from January 2015
23 http://europa.eu/rapid/press-release_IP-14-613_en.htm
24 http://novisa.com.ua/upload/file/SECURITY%20OF%20DOCUMENTS%20ENG.pdf
25 http://papers.univ.kiev.ua/jurydychni_nauky/articles/Basic_methods_of_defence_of_documents_from_an_imitation_and_their_technical_criminalistics_research_17684.pdf
26 http://ena.lp.edu.ua:8080/bitstream/ntb/8259/1/39.pdf
27 http://archive.nbuv.gov.ua/e-journals/FP/2011-2/11piidvp.pdf

3 REVIEW OF THE DOCUMENT SECURITY AND IDENTITY MANAGEMENT IN UKRAINE

3.1 Identity management for Ukrainian nationals and document security

While the scope of the study is the whole identity management chain for Ukrainians and non-Ukrainians residing or staying in Ukraine together with their travel documents and breeder documents issued by Ukraine, inevitably – given the political priorities of the government – the focus of the consultations was on travel documents and biometrics. The two identity documents of Ukrainian nationals in that respect are the “passport of the citizen of Ukraine” (hereafter “the internal passport”, which as of 2015 still is an identity document in the shape of a booklet, for use inside the country) and the “passport of the citizen of Ukraine for travel abroad” (hereafter “the passport”28, which is an ICAO-compliant Machine Readable Travel Document, a passport intended for travel purposes).

3.1.1 Legal framework and strategic initiatives

The central legal document that regulates travel documents and identity management for Ukrainian nationals is the Law of Ukraine “On the Single State Demographic Register and the Documents that Confirm the Citizenship of Ukraine, Identify a Person or its Special Status” adopted on 20 November 2012, № 5492-VI (hereafter the “Law on Demographic Register”29). The Law on Demographic Register basically introduces a “single state demographic” (i.e. population) register (Section II, art. 4-12) and 15 types of documents (Section III, art. 13, further specified in art. 21-35), which are, as per article 19, issued based on the information held in the Demographic Register. Secondary legislation, the CMU Resolution of 13 March 201330, approved specimens and rules of issuance for the abovementioned 15 types of documents specified in the Law on Demographic Register. Later, in June 2013, this implementing act was suspended due to changes in the supply mode of identity document blanks, and presently it has been replaced with the respective legal acts only with regard to Ukrainian passports and other travel documents.

During his inauguration on 7 June 2014 the newly elected president Petro Poroshenko called for a “speedy introduction of visa-free regime with the EU for Ukraine.”31 This statement followed the Fourth Progress Report for Ukraine on the VLAP32, by which Ukraine moved from phase one to phase two. These developments gave a new impetus to Ukraine’s desire to meet the requirements set for visa-free travel. The Cabinet of Ministers of Ukraine on 20 August 2014 adopted a new National Action Plan to implement the second phase of the VLAP (CMU Decree № 805-r). In 2014 the respective CMU resolutions were adopted that define the specimens and procedures of issuance of Ukrainian passports and other travel documents. Hence various changes were introduced to the legal framework, the (technical) requirements for the travel documents were fixed, and production test runs for biometric documents were organised. Issuing of ICAO-compliant biometric passports started in January 2015. The changes to other types of biometric travel documents are being gradually implemented.

28 Some Ukrainian sources sometimes refer to this document as a “foreign” or “international” passport.
29 Further amendments of the law, such as those of 13 May 2014, № 1262-VII and of 22 July 2014, № 1601-VII have not been considered in this paragraph.
30 CMU Resolution “Some issues of implementation of the Law of Ukraine “On the Single state demographic registry and the documents confirming citizenship of Ukraine, identity of person and his/her special status” No. 185 of 13 March 2013.
31 http://www.president.gov.ua/en/news/30488.html
32 http://europa.eu/rapid/press-release_IP-14-613_en.htm

3.1.1.1 Legal framework for the central population register

The basis for the creation of the Demographic Register is laid in art. 4-6 of the Law on Demographic Register, defining the register and giving the structure and principles of operation. Article 7 defines the data that will be stored:
1) name of the person;
2) date of birth / death;
3) place of birth;
4) gender;
5) the date of entry of the personal data into the register;
6) information about parents (adoptive parents), guardians, trustees and other representatives;
7) information on citizenship or lack thereof and the reasons of acquiring the citizenship of Ukraine;
8) details of documents issued to the person (type, document name, serial number, date of issue and the authorised entity that has issued it, the period of validity of the document);
9) information on the documents confirming the death of a person or declaring a person dead or missing;
10) digitised specimen of the signature of the person;
11) digitised facial image;
12) additional variable information (place of registration, marital status, refusal of acceptance of a taxpayer's registration number, the issuance of privatisation certificates, (optional) additional biometric data33);
13) data from departmental/sector information systems.

Article 8 declares requirements on protection of personal data and information security. The rights of the citizens/residents whose data are entered are given in article 9. Article 10 gives the procedures of operation of the register; articles 11 and 12 define how and by whom information may be retrieved from, or entered into, the register. At the time of the study the Demographic Register was still in its inception phase.

3.1.1.2 Legal framework for identity, travel and other documents

The Law on Demographic Register (Article 13) divides 15 documents into two groups, which are further specified in Art. 21-35:
i) Documents that identify a person and confirm the citizenship of Ukraine: see Table 1;
ii) Documents that identify a person and confirm a special status (or capacity): see Table 2.

Table 1: Documents that identify a person and confirm the citizenship of Ukraine

Document                                          Article   Chip   Fingerprints34   Travel doc
Internal passport                                 21        Yes    No               No
Passport                                          22        Yes    Yes              Yes
Diplomatic passport                               23        Yes    Yes              Yes
Service passport                                  24        Yes    Yes              Yes
Seaman's book                                     25        Yes    Yes              Yes
Crew Member Certificate                           26        Yes    Yes              Yes
Identity Certificate for return to Ukraine        27        No     No               Yes
Temporary certificate of Ukrainian citizenship    28        Yes    No               No

Table 2: Documents that identify a person and confirm a special status (or capacity)

Document                                          Article   Chip   Fingerprints     Travel doc
Driving license                                   29        Yes    No               No
Stateless person’s travel document                30        Yes    Yes              Yes
Permanent residence permit                        31        Yes    No               No
Temporary residence permit                        32        Yes    No               No
Refugee certificate                               33        Yes    No               No
Refugee travel document                           34        Yes    Yes              Yes
Migrant’s card                                    35        Yes    No               No

33 Article 7 was (later) amended by the law № 1601-VII of 22 July 2014 deleting “(optional) additional biometric data” from point 12 and adding a new point 11.1 “with the consent of the person - digitised fingerprints (in the case of issuance of a passport of a citizen of Ukraine for travelling abroad, a diplomatic passport, a service passport, a seaman’s book, a crew member certificate, a stateless person’s travel document, or a );”
34 As introduced by the law № 1601-VII of 22 July 2014

The documents in group i) are issued to Ukrainian citizens, while the documents in group ii) will be issued to different categories of Ukrainian residents, as the respective document names suggest. According to the Law all but one document (shall) contain a chip, which can be used to store information on the holder.

3.1.1.3 The “blue” passport issued under Passport Resolution 1992 and Passport Issuance Rules 1995

With the exception of the passport, the new documents defined in the Law on Demographic Register – especially those with a contactless integrated circuit – have not (yet) been rolled out as of spring 2015. The old type passports were issued until 31 December 2014 with a 10 years validity period. This creates a hybrid situation in which, until January 2025, besides the newly introduced biometric passports the old type ICAO-compliant non-biometric passports will be in circulation in Ukraine. These were issued under the Resolution of the Verkhovna Rada of Ukraine “On the approval of the regulations regarding the passport of Ukraine and the for travel abroad” of 26 June 1992 № 2503-XII (hereafter “the Passport Resolution 1992”, last modification 18 September 2012, № 5294-VI) and the CMU Resolution “On approval of rules for processing and issuing passports Ukraine for travel abroad and travel documents of the child (...)” of 31 March 1995 № 231 (hereafter “the Passport Issuance Rules 1995”). Points 5, 6, 8 and 10 of the respective Regulation, approved by the Passport Resolution 1992, describe some high level security features of the passport:

• Point 5: “a booklet size 88 x 125 mm, consisting of covers, 32 (or 64) paper pages and pages made of multilayer polymer material (data page) stitched between the inner left side cover and the first page of the passport.” (…) “At the top of the data page adjacent to the first page of the passport, printed across the word “Ukraine”, below left – the word “Passport” under which there is a place for a digitised facial image of the passport holder (image size – no more than 35 x 45 mm), to the right – the captions of the information fields: type, country code, passport number and further full name, citizenship, date of birth, personal number, gender and place of birth of the holder of the passport, date of issue and the name of the body issuing the passport, date of expiry of the passport. The lower part contains a wide strip across the page for entering machine readable information. Labels and data about the passport holder are placed there in accordance with the recommendations of the International Civil Aviation Organization (ICAO Document 9303). The data on the data page of the passport are entered by means of laser engraving and laser perforation.” (…) “Additional information (including biometrics) about the bearer of the passport, the content of which is determined in accordance with the legislation, can be placed on a contactless integrated circuit embedded into the passport.”
• Point 6: “All captions printed in the passport and data introduced in the data page, are in the Ukrainian and English languages, except for the text printed on the inner right cover – information on customs, currency, medical and consular requirements, in Ukrainian language – the text of which is determined by the Cabinet of Ministers of Ukraine. The name and first names are indicated in the Ukrainian language and separated by a forward slash in Latin script corresponding to the Ukrainian in accordance with Article 28 of the Law of Ukraine “On State Language Policy” and the recommendations of the International Civil Aviation Organization (ICAO Document 9303).”
• Point 8: “Blank passports are produced to order by the central executive body that implements the state policy in the field of citizenship, and the Ministry of Foreign Affairs of Ukraine. The procedure for storage of blank passports and destruction of passports whose validity has expired is determined by the central executive body that implements the state policy in the field of citizenship. The central executive body that implements the state policy in the field of citizenship, and the Ministry of Foreign Affairs of Ukraine keep the overall record of blank passports.”
• Point 10: “Citizens should securely store their passport. In case of loss of passport the citizen is obliged to immediately inform the authority that issued it, or the nearest foreign diplomatic mission of Ukraine.”

The relevant legal framework on old type travel documents is completed by, inter alia:
• The Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine Regarding Return of State Control and State Production of Documents and Forms that Require Specialised Protective Elements adopted on 4 July 2013 № 399-VII;
• The Law of Ukraine on the State Registration of Civil Status Acts adopted on 1 July 2010, № 2398-VI, last modification 16 October 2012, № 5461-VI. (This deals mainly with registration of civil statuses and issuance of breeder documents);
• The Law of Ukraine About the order of departure from Ukraine and entrance to Ukraine of citizens of Ukraine adopted on 21 January 1994, № 3857-XII;
• The Law of Ukraine On citizenship of Ukraine adopted on January 18, 2001 № 2235-ІІІ (last modification on 20 November 2012, № 5492-VI);
• The Decree of the President of Ukraine implementing the Law of Ukraine “On citizenship of Ukraine” of 27 March 2001 № 215/2001 (last modification on 30 May 2012, № 367/2012);
• Law of Ukraine On administrative services adopted on 6 September 2012, № 5203-ІV;
• Regulation of 17.07.2003 № 1111 “On approval of rules for processing and issuing a temporary certificate of citizen of Ukraine”;
• Resolution of 07.04.1998 № 465 “On the procedure for removal of invalid diplomatic and service passports Ukraine at checkpoints across the state border”;
• Resolution of 27.11.1998 № 1873 “On issuance, issue, return, storage and destruction of diplomatic and service passports Ukraine”;
• Resolution of 17.11.2004 № 1531 “On approval of the registration of Ukrainians abroad”;
• Resolution of 25.08.2004 № 1079 “On identity certificate to return to Ukraine”;
• Order of 03.04.2008 № 284/287/214/150/64/175/266/75 “On the approval of an integrated interagency information-telecommunication system for the control of persons, vehicles and goods crossing the state border”.

3.1.1.4 The new generation of biometric travel documents of 2015

Following the signature of the Ukraine–European Union Association Agreement on 27 June 2014, the Cabinet of Ministers of Ukraine on 20 August adopted an Action Plan on “the introduction of documents with an embedded contactless electronic medium which prove the citizenship of Ukraine, identify persons, or their special status, and the establishment of a national system of biometric verification and identification of citizens of Ukraine, foreigners and stateless persons in the years 2014-2017” № 780-r.
Point 13 of the plan lays down the basis for the introduction of new and roll-out of old passports, diplomatic passports, service passports, seaman's books, crew member certificates, stateless person’s travel documents, and refugee travel documents between 2015-2017. The second part of the same point calls for the maintenance of the register of residence or actual stay of individuals. Secondary legislation (Specimens and Procedures for the design, issuance, exchange, transfer, removal, return to the state, and destruction) was introduced for the following travel documents:
• Passport: CMU Resolution of 07.05.2014 № 152;
• Travel documents for stateless persons and refugees: CMU Resolutions of 07.05.2014 № 153 and № 154 respectively;
• Service passport: CMU Resolution of 23.09.2014 № 486;
• Diplomatic passport: CMU Resolution of 23.09.2014 № 487;
• Crew member certificate: CMU Resolution of 12.11.2014 № 622.

The draft of a similar CMU Resolution was presented35 on 19 November 2014 regarding the seaman's book, but the Resolution has not been adopted yet due to the need for coordination with the newly appointed Cabinet. In November 2014 two further resolutions were adopted: on 5 November 2014 (Resolution № 613) a budget of 150 million UAH was released for the realisation of IT support systems and a secure network, and on 26 November (Resolution № 669) the Cabinet of Ministers approved the procedure for obtaining, extracting from the demographic register, and destruction of digital fingerprints, which entered into force on 1 January 2015.

35 http://www.kmu.gov.ua/control/uk/publish/article?art_id=247767254&cat_id=244274160

3.1.2 Security of Ukrainian travel documents: fraud and its prevention

Various distinct phases are considered here: from the production of blanks, via application, personalisation and issuance, to waste disposal and registration of revoked and other defunct travel documents. The description below is given for the passports (travel documents) which are issued under the auspices of the SMS. The generic process is similar for two other types of Ukrainian travel documents issued to Ukrainian citizens: the service passports and diplomatic passports, both of which are issued by the MFA. Ukrainian Seaman's books, Crew Member Certificates, and Identity Certificates for Return to Ukraine have not been discussed in the same detail as the travel documents. The Identity Certificates for Return to Ukraine only entitle Ukrainian citizens to travel back to Ukraine.

3.1.2.1 Production

The state enterprise Polygraphy plant “Ukrayina”, which functions under the National Bank36, is the sole producer of the blank passports, for which the SMS is the sole customer (with the MFA as the customer for the blanks for service passports and diplomatic passports). These documents are produced in its secure production facility in Kyiv. The plant is specialised in secure printing and has various certifications37. The whole production process is certified: from ordering to delivery and destruction. Following the adoption on 4 July 2013 of the Law of Ukraine on Amendments to Certain Legislative Acts of Ukraine Regarding Return of State Control and State Production of Documents and Forms that Require Specialised Protective Elements № 399-VII, the plant has been producing the Ukrainian travel documents (as defined in the Passport Resolution 1992) and the Ukrainian internal passport. As a matter of fact it produces all documents, blanks and secure paper which are in scope of this study. Blank passports are individually accounted for and are securely transmitted to the personalisation centre (see section 3.1.2.3). Contacts have been established with the German “Fogra Forschungsgesellschaft Druck e.V.” and other EU partners regarding testing.
“Ukrayina” also participates in tenders globally and has strategic partnerships worldwide with, for example, “HID Global”, “PWPW S.A.” and “Gemalto”.38

36 By its decision of 2 October 2014 the Constitutional Court of Ukraine refused to initiate constitutional proceedings of the petition of 51 People's Deputies of Ukraine on the constitutionality of (inter alia) point 8 of Article 15 of the Law on Demographic Register, which regulates that blanks are purchased from state companies functioning under the National Bank of Ukraine [Case № 2-75/2014]
37 ISO 9001:2008 Quality management systems, ISO 14001:2004 Environmental management systems, BS OHSAS 18001:2007 Occupational Health and Safety Management, ISO/IEC 27001:2005 information security management system, CWA 14641:2009 (Security Management System for Secure Printing)
38 By the end of 2013 “Ukrayina” announced their readiness to switch over to new specimens including a contactless integrated circuit, according to specifications by the SMS. Discussions were on-going with various suppliers including MaskTech and MTCOS regarding contactless integrated circuits such as Infineon (v7) or NXP (v5).

3.1.2.2 Application

Typically a Ukrainian citizen residing in Ukraine will apply for a passport at one of the offices of the SMS. Passports, unlike internal passports – which are usually issued at the place of residence – may be applied for at any location. The generic steps in the application process for a passport are the following:
• The citizen (either individually or accompanied by a legal representative when required) arrives with the identity and other documents prescribed in the respective Rules. Personal appearance is mandatory;
• When it is the citizen’s turn, s/he takes a seat at the desk of the passport officer, who checks the identity of the person against the document;
• While it is possible, upon request of the citizen, to have a second passport, at the time of application the passport officer checks the status of all passports held by the citizen. Partially these are already present in the automated system (in case the passports were issued using that system, i.e. from 2008), partially this can be done by verifying the stamp(s) in the internal passport, which are put there upon issuance;
• The passport officer enters the required data into the system:
  - Transliteration of Ukrainian names is done automatically by the system in accordance with Article 28 of the Law of Ukraine “On State Language Policy” of 03.07.2012 № 5029-VI and the Resolution “On harmonisation of transliteration of the Ukrainian alphabet to Latin” of 27.01.2010 № 55;
  - The system does various background checks for consistency of the data entered;
• Several digital images (of the applicant’s face) are taken on the spot, from which the citizen chooses one;
• The digital facial image and the citizen’s signature are stored in the system;
• The fingerprints are scanned (with the consent of the citizen);
• All data is printed on a form, which the citizen signs;
• The citizen receives a receipt for the amount to be paid, depending on the procedure (normal procedure – 20 days, or fast-track procedure – 7 days);
• The citizen can pay the amount due (usually at a payment terminal);
• In the back office the data from the internal passport are verified against the original. This is still a paper process that requires interaction by non-computerised means;
• All data collected by the passport officer is transferred electronically, by a secure system, to the personalisation centre (see section 3.1.2.3).

Besides the procedure explained here, the SMS offers value-added issuing of passports through the affiliated state enterprise “Dokument”. For an additional fee of 250 UAH the citizen can apply with almost no queue and with extended opening hours, also during weekends.

Application at embassies of Ukraine abroad follows the above steps with some notable differences:
• Citizens can apply using their passport, national passport or a birth certificate. These documents, if they have been issued at the same representation of Ukraine abroad, can be checked locally;
• In order to be able to apply for a (full) passport, citizens need to prove their residence in the country where they apply;
• [For non-residents only Identity certificates for return to Ukraine are issued;]
• Data are not entered into the system immediately, but the citizen fills out a form39 and pays the (consular) fee;
• The data from the application form is entered into the online system connected via a secure network, along with scans of the supplied documents provided as proof (including breeder documents);
• Pictures and signatures are not recorded, but scanned;
• The Latin transliteration which is suggested by the system can be overruled, for example in case the person is registered in the country of residence using a different, country-specific, transliteration of his or her Ukrainian names;
• All data are sent to the MFA, who will check them before the data is sent to the personalisation centre.

At the date of publication of this report, the new generation of passports is being rolled out at embassies of Ukraine abroad40. Initially these will be the new generation of passports, but without contactless electronic medium. The new generation of passports with contactless electronic medium will gradually be introduced following procurement and distribution of the fingerprint scanners. This will also lead to changes in the process as described above. Most notably this will affect the on-line entering of data in the presence of the citizen, which hitherto was done in the back office of the consulates, based on the data entered on the application form. The MFA is preparing the consular offices at the representations abroad for these new tasks.
3.1.2.3 Personalisation The State Centre for Personalisation of Documents, which was part of the SMS and whose supervision was delegated to the National Bank of Ukraine on 27 May 2014 (CMU Decree № 525-r), opened in 2004 and started using laser techniques in 2007. It is equipped with fully automated systems for the personalisation of passports and identity cards from the BookMaster series produced by IAI from the Netherlands. At the end of 2013 personalisation only took place for documents defined by the Passport Resolution 1992, so without biometrics. Technically speaking personalisation of biometric travel documents has been possible since 2008.

[39] http://mfa.gov.ua/mediafiles/01_anketa_hi.pdf
[40] http://mfa.gov.ua/ua/news-feeds/consular-news-feed/34739-shhodo-dokumentuvannya-gromadyan-ukrajini-zakordonnimi-pasportami


The capacity for personalisation of passports is up to 9,000 per day, while the current demand is typically 5,000 per day. The premises have various layers of physical security for access to the building, including verification of weight, video surveillance and the use of biometrics for physical access control. As of December 2013 no theft had yet been reported. The centre operates physically separated IT networks and is certified by “Bureau Veritas Ukraine”. All identity and travel documents with biometrics are planned to be personalised in this facility, but the personalisation of driver’s licences and vehicle licences will be decentralised. The steps in personalisation are the following: after the application has been received via a secured network, the personalisation centre checks its compliance (e.g. quality), personalises the passport based on the data, registers it, and sends it by courier to the passport office where the applicant applied for the document. Any defective passports are destroyed in a shredder and then burned. The staff at the plant have extensive experience with the current processes. A need for more personnel and extra training was noted for the production of the new documents.

3.1.2.4 Obtainment

Passports are distributed from the personalisation centre by secure transport to the passport offices and to the MFA, which sends the issued passports to the representations of Ukraine abroad via diplomatic pouch. After the passport has been delivered to the office where the application was lodged, it is handed out to the citizen. An initial verification of the biometrics stored on the travel document is made when issuing the passport, to make sure the passport is issued to the person whose biometrics were taken at the time of application. Upon issuance a stamp or a handwritten record is placed in the internal passport of the citizen.
3.1.3 Security of internal passports

Internal passports are issued in accordance with the Passport Resolution 1992 and the MIA Order of 13.04.2012 № 320 “On the approval of the procedure for processing and issuance of the passport of the citizen of Ukraine”. Internal passports are first issued based on a birth certificate when the Ukrainian citizen reaches the age of 16, or based on a proof of citizenship if the applicant is a naturalised Ukrainian. The citizen can only apply at the offices of the SMS at his or her place of residence registration. For an application two identical passport pictures are required: one will be used for issuing the passport, the other will be attached to the Ф1 form (a paper index card that is held at the office where the passport is issued). The blanks for the internal passport are securely produced by the state enterprise Polygraphy plant “Ukrayina”. The data page of the internal passport is mechanically printed, after which the picture is affixed. Up-to-date passport photos are added to the booklet at the ages of 25 and 45. The Law on Demographic Register prescribes that the internal passports (in the shape of an ID-3-size booklet) will be replaced by an ID-1-size card made from multilayer polymer material, which will be personalised centrally[41]. The data on the data page will be entered by laser techniques. This new document is referred to in the Law as “passport of the citizen of Ukraine”. On 31 March 2015 the Deputy Head of the Presidential Administration Dmytro Shymkiv at a press briefing stressed the need to enhance the security of the internal passport and announced that the Cabinet of Ministers had adopted legislation for the introduction of the new document[42].
Without the text of this new legislation it could not be assessed how the various indications which are currently written into the internal passport (civil statuses such as marriage, divorce or children, issuing of passports, place of legal residence) will be registered elsewhere, possibly in automated systems, and how citizens will be informed about these changes.

[41] ID-1 (85.60 × 53.98 mm) and ID-3 (125 × 88 mm) are international formats for travel documents according to ISO/IEC 7810
[42] http://www.president.gov.ua/news/32587.html and http://www.ukrinform.ua/ukr/news/vnutrishni_pasporti_v_ukraiini_zaminyat_na_kartki_2038250

3.1.4 Certificates of civil status

The State Registration Service coordinates and supervises the activities of the Departments for the State Registration of Civil Status Acts, which conduct the state registration of birth, marriage, divorce, change of name, and death in Ukraine. The state registration of civil status acts of citizens of Ukraine who reside or temporarily stay abroad is conducted by the diplomatic missions and consular posts of Ukraine. Since 2009 the Departments for the State Registration of Civil Status Acts have been maintaining the State Register of Civil Status Acts, the state electronic information system containing data on civil status acts, changes made to them, their renewal and annulment, and information on the issuance of certificates of state registration of civil status acts and extracts from the Register. Data on the birth of a person and his/her origin, marriage, divorce, change of name and death are entered by the Departments for the State Registration of Civil Status Acts by drawing up a civil status record in electronic form in the State Register of Civil Status Acts and in hard copy. Issuance of the relevant certificates is carried out by means of the Register. For the state registration of civil status acts the internal passport of a citizen of Ukraine must be submitted. Secured blanks of certificates of state registration of civil status acts are produced by the state enterprise “Polygraphy plant “Ukrayina”. A person can change his/her surname at the time of the state registration of marriage or divorce. A citizen of Ukraine can also, of his/her own volition, change his/her surname or first name. When a change of name (surname, first name, patronymic) is registered, a Department for the State Registration of Civil Status Acts makes a note on the first page of the internal passport that the passport is subject to change within one month. The internal affairs authority at the applicant’s place of residence is also informed.
The search in the State Register of Civil Status Acts is conducted by one of these categories of personal data: surname, first name, patronymic, date and place of birth of a person, or the serial number of the certificate of state registration of a civil status act, the date of its issuance or the registration number of the civil status act. Currently the State Register of Civil Status Acts is being filled with data from the civil status records which were drawn up, in hard copy only, prior to its establishment.

3.1.5 Population registration

The Law on Demographic Register introduces a Single State Demographic Register (SSDR). In practice this SSDR will replace processes which hitherto were (primarily) paper-based. Until the introduction of the SSDR there was no general-purpose electronic national population register in Ukraine. The Central Election Commission of Ukraine operates the State Register of Voters, introduced in 2007 by the Law of Ukraine on the State Register of Voters adopted on 22 February 2007 (№ 698-V) and operational since 29 September 2009. The register contains data on voters and their right to vote and includes all information necessary for that purpose, such as the personal data of the voter, the place of vote, the address where they are registered and various fields with administrative data which define the voting rights (e.g. the death of the citizen or a court order, both of which lead to a loss of voting rights, need to be registered there). The Central Election Commission implemented a decentralised system on three levels: districts (raion), oblasts and the national level. It is a 2-tier system which combines 754 districts via 27 oblasts/regions into one nationwide information source, in which there is also functional separation. The database was constructed based on information from 11 organisations, both electronic and on paper.
The main data donors are the SMS and the Ministry of Justice. The software, which is based on an Oracle architecture, applies 19 checks to the data, for example to detect common typing errors in names.

3.2 Identity management for foreign nationals and stateless persons in Ukraine

Besides travel documents, other kinds of documents are issued to foreign nationals and stateless persons: 2 types of residence permits (permanent and temporary) and an identity card for refugees.

3.2.1 Legal framework and strategic initiatives

As of December 2014, the legal framework was formed by the following documents:

- Law of Ukraine of 08.07.2011 № 3671-VI “On refugees and persons in need of subsidiary or temporary protection”;
- Law of Ukraine of 22.09.2011 № 3773-VI “On the Legal Status of Foreigners and Stateless Persons”;
- Regulation of 01.06.2011 № 567 “On approval of rules for issuing visas to enter Ukraine and transit through its territory”;
- Resolution of 07.08.1995 № 610 “On approval of the certificate stateless persons to travel abroad”;
- Resolution of 14.03.2012 № 196 “On confirmation of the identity of the person who needs subsidiary protection”;
- Resolution of 14.03.2012 № 197 “On approval of the travel documents of persons granted subsidiary protection”;
- Resolution of 14.03.2012 № 199 “On confirmation of the identity of persons granted temporary protection”;
- Resolution of 14.03.2012 № 202 “On approval of the refugee certificate”;
- Resolution of 14.03.2012 № 203 “On approval of the refugee travel document”;
- Resolution of 27.05.2013 № 437 “Questions of issuance, extension and revocation of a permit for the employment of foreigners and stateless persons”;
- Resolution of 28.03.2012 № 251 “On approval of the design, manufacture and issue of permanent residence and a temporary residence permit and technical description of forms and amendments to the Cabinet of Ministers of Ukraine dated December 26, 2002 р. № 1983”;
- Order of 03.04.2008 № 284/287/214/150/64/175/266/75 “On the approval of an integrated interagency information-telecommunication system for the control of persons, vehicles and goods crossing the state border”;
- Order of 26.07.2011 № 196 “On the approval of an instruction for issuing visas to enter Ukraine and transit through its territory for foreigners and stateless persons”.

The relevant sections of this legal framework are discussed below.

3.2.2 Security of visas: fraud and its prevention

The number of fake or fraudulent visas reported is rather limited: only 7 in 2013.
Meanwhile between 1,000 and 2,000 visas were refused at the border for other reasons. Based on EU standards, the definition is that any long stay exceeds 90 days and that a short stay is defined as a maximum of 90 days in each and any period of 180 days. Previously there was basically one type of long-duration visa (work permit), which has been replaced with 9 categories that can have a long duration (students, marriage, foreign companies, banks, foreign experts, etc.). For risk countries extra requirements have been introduced for insurance and proof of subsistence. The applicant receives the decision in writing and can appeal and get a result within 1 month. Visas are registered in the electronic visa system, a new system, now also in pilot (test) version, which will be rolled out in phase 2 with online applications and inclusion of biometrics in phase 3 (no earlier than 2015). Visa stickers are EU-type stickers with security features. As of December 2013 visa information was stored in separate systems. In future the visa system will be connected to Arkan, the central system introduced by the Order of 03.04.2008 № 284/287/214/150/64/175/266/75 “On the approval of an integrated interagency information-telecommunication system for the control of persons, vehicles and goods crossing the state border”. Currently, however, the Arkan system only registers individuals entering and leaving Ukraine, based on the passport they present, and verifies whether the individual is on the list of foreigners banned from entering Ukraine or is a wanted person, against whom appropriate measures should be taken. Annex 2 of the Order of 26.07.2011 № 196 “On the approval of an instruction for issuing visas to enter Ukraine and transit through its territory for foreigners and stateless persons” defines the list of countries whose nationals, and stateless persons residing on their territory, require visas to enter Ukraine. This list is an amended version of the common list used by the Schengen countries.
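The "90 days in any 180 days" short-stay rule quoted above is the kind of check a visa or border-control system has to compute over a traveller's recorded entries and exits, and it is easy to get wrong because the 180-day window rolls. The calculator below is an added example written for this report, not code from the report or from any Ukrainian system; the stays are constructed dates, and it assumes entry and exit day both count as days of presence and that recorded stays do not overlap.

```python
from datetime import date, timedelta

# Constructed sample: recorded stays as (entry, exit) date pairs, both days inclusive.
# These are made-up dates for illustration, not data from the report.
SAMPLE_STAYS = [
    (date(2014, 1, 10), date(2014, 3, 10)),   # 60 days of presence
    (date(2014, 5, 1), date(2014, 5, 30)),    # 30 days -> exactly 90 in the window ending 30 May
]

LIMIT_DAYS = 90    # maximum days of short stay ...
WINDOW_DAYS = 180  # ... in each and any period of 180 days


def days_present_in_window(stays, day, window=WINDOW_DAYS):
    """Days of presence in the `window`-day period that ends on `day` (inclusive).

    Each stay is clipped to the window so that only its overlapping days are counted.
    """
    window_start = day - timedelta(days=window - 1)
    total = 0
    for entry, exit_ in stays:
        first = max(entry, window_start)
        last = min(exit_, day)
        if first <= last:
            total += (last - first).days + 1
    return total


def _validate(stays):
    """Reject malformed input: an exit before its entry, or overlapping stays."""
    ordered = sorted(stays)
    for entry, exit_ in ordered:
        if exit_ < entry:
            raise ValueError(f"exit {exit_} precedes entry {entry}")
    for (_, prev_exit), (next_entry, _) in zip(ordered, ordered[1:]):
        if next_entry <= prev_exit:
            raise ValueError(f"stays overlap around {next_entry}")
    return ordered


def check_short_stay(stays, limit=LIMIT_DAYS, window=WINDOW_DAYS):
    """Return (compliant, first_day_over_limit) for a list of recorded stays.

    Every day of presence is tested against the window ending on that day, because
    the limit must hold for each and any 180-day period, not merely per stay.
    """
    ordered = _validate(stays)
    for entry, exit_ in ordered:
        day = entry
        while day <= exit_:
            if days_present_in_window(ordered, day, window) > limit:
                return False, day
            day += timedelta(days=1)
    return True, None


def remaining_days(stays, start, limit=LIMIT_DAYS, window=WINDOW_DAYS):
    """Consecutive days of presence still allowed from `start`, given the past stays.

    Assumes `start` lies after all recorded stays. Simulates staying one more day at a
    time until the rolling count would exceed the limit; old days drop out of the
    window as new ones are added, so the answer is not simply `limit` minus past days.
    """
    ordered = _validate(stays)
    if ordered and start <= ordered[-1][1]:
        raise ValueError("start must be after the last recorded stay")
    allowed = 0
    day = start
    while allowed < limit:
        if days_present_in_window(ordered + [(start, day)], day, window) > limit:
            break
        allowed += 1
        day += timedelta(days=1)
    return allowed


if __name__ == "__main__":
    ok, first_bad = check_short_stay(SAMPLE_STAYS)
    print("compliant:", ok, "first day over limit:", first_bad)
    print("days left from 31 May 2014:", remaining_days(SAMPLE_STAYS, date(2014, 5, 31)))
    print("days left from 9 Jul 2014:", remaining_days(SAMPLE_STAYS, date(2014, 7, 9)))
```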
Annex 3 of the order lists the possible grounds for refusal:

- Threat to the national security or public order;
- Threat to public health, the protection of rights and legal interests of the citizens of Ukraine and other persons residing in Ukraine;
- Presence of data on the applicant in a database of people denied the right to enter Ukraine;
- Presentation by the applicant of a forged or defective travel document, a document that does not meet the required format, or a travel document belonging to another person;
- Presentation by the applicant of knowingly false information or falsified supporting documents;
- Failure to present valid medical insurance;
- Absence of sufficient financial means to support the stay in Ukraine;
- Lack of confirmation of the purpose of stay supplied by the applicant;
- Lack of documents confirming the intent of the applicant to leave the territory of Ukraine before the expiration of the visa;
- The applicant’s request to terminate the visa application.

The validity of visas cannot be extended. In cases of force majeure, defined in the Rules approved by the Cabinet of Ministers of Ukraine on 15 February 2012, № 150, the stay on the territory of Ukraine can be extended by the SMS units. In these cases the extension of stay takes the form of a stamp in the foreigner’s passport (no new visa sticker).

3.2.3 Security of identity documents issued to foreigners and stateless persons and residence permits: fraud and its prevention

The Law on Demographic Register defines 5 identity documents for non-Ukrainians:

- Stateless person’s travel document (art. 30);
- Permanent residence permit (art. 31);
- Temporary residence permit (art. 32);
- Refugee certificate (art. 33);
- Refugee travel document (art. 34);
- Migrant’s card (art. 35).
Secondary legislation (specimens and procedures for the design, issuance, exchange, transfer, removal, return to the state, and destruction) was introduced for the following travel documents:

- Stateless person’s travel document: Resolution of 07.05.2014 № 153;
- Refugee travel document: Resolution of 07.05.2014 № 154.

The technical security of these documents is the same as for Ukrainian passports. Specimens and procedures of issuance for the remaining documents have not been adopted yet. It is assumed that the technical security of these documents will be similar to that of the corresponding documents issued to Ukrainian citizens.

3.3 Biometrics

On 26 November 2014 the Cabinet of Ministers of Ukraine approved the procedure for obtaining digital fingerprints, extracting them from the demographic register and destroying them, which entered into force on 1 January 2015 (Resolution of 26.11.2014 № 669). The resolution gives high-level requirements.

3.4 Information databases and systems, interagency information sharing

The Resolution “On approval of the Concept of the Unified State automated passport system” of 20.01.1997 № 40, which was only partially implemented because of a lack of funding from the state budget, introduced a State information system for the registration of individuals and their documentation (“DIS”, by its Ukrainian acronym), which has been introduced only for issuing Ukrainian passports. It also registers information on loss, theft and revocation of those documents. The system is meant to be integrated into the Single State Demographic Register, but various attempts to procure services to modernise and incorporate the system have failed[43]. The modernisation is thus behind schedule. Furthermore, the old system was set up and run by the MIA, whereas the duties of issuing passports have been transferred to the SMS. Whereas the MIA was exchanging information electronically between entities within its own structure, despite the need for modernisation of the legacy system, by the end of 2013 the exchange of information on passports was severely obstructed by the impossibility of exchanging information between the agencies, based on concerns over data protection. Part of the information exchange was reverted to enquiries on paper. Back-office verification of information on the status and genuineness of internal passports, via the so-called Ф1 form, which still dates from Soviet times and is stored on index cards nationwide, is still an offline, asynchronous process involving fax or, at best, e-mail. The same is true for the information on the legal residence of citizens, which at the time of the study was still partly operated by the passport officers of the Housing Offices. The notification of decisions on entry bans to the territory of Ukraine is also a paper process; this information exchange is not done electronically. Orders by a court, the MIA and the Security Service of Ukraine are transferred on paper, which harms the effectiveness of the measure.
In the case of the Arkan system, point 6 of the Order of 03.04.2008 № 284/287/214/150/64/175/266/75 “On the approval of an integrated interagency information-telecommunication system for the control of persons, vehicles and goods crossing the state border” defines that, besides its owner, the SBGS, access to the system is granted to the following agencies: the Security Service of Ukraine, the Foreign Intelligence Service of Ukraine, the Ministry of Internal Affairs, the State Customs Service, the State Tax Administration, the Ministry of Foreign Affairs of Ukraine, and the Ministry of Labour and Social Policy[44].

3.5 Information sharing with external counterparts

The issues described in section 3.4 regarding “DIS” had an equally problematic effect on information sharing with external counterparts. As of January 2014 Ukraine lacked an operational agreement with INTERPOL regarding the exchange of information, and INTERPOL was reviewing where they stand in order to create a Memorandum of Understanding (because of the data protection law, which was still not adopted). There are concerns about the interoperability of national systems for information exchange with external partners (EU, etc.). Work is underway to improve the interoperability of the national systems with the standards used by INTERPOL. Exchange of information on specimens is currently done with ICAO and, as of the introduction of the new biometric passports in January 2015, with the EU. As of January 2014 there was no online access to the INTERPOL Stolen and Lost Travel Documents (SLTD) database at the points of entry to Ukraine.

3.6 Budget allocations and planning

As was the case with the Unified State automated passport system proposed in 1997, which was only partially introduced because of budgetary constraints, the budget allocation for the Law on Demographic Register has been problematic from its inception well into 2014.

3.7 Protection of personal data

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, entered into force in Ukraine on 1 January 2011. Data protection in Ukraine is governed by the Law of Ukraine on the Protection of Personal Data of 01.06.2010 № 2297-VI. The law appointed the State Service of Ukraine on Personal Data Protection as supervisory authority.

[43] See http://www.kmu.gov.ua/control/publish/article?art_id=247779896
[44] Since 2008 the names of some ministries and other governmental agencies have changed, but the Order was not amended.


In July 2013, following recommendations of the Council of Europe, the Parliament adopted amendments to the legislation on protection of personal data (Law of Ukraine of 03.07.2013 “On Amendments to Certain Legislative Acts of Ukraine on improving the protection of personal data” № 383-VII). The changes took effect on 1 January 2014. In particular, the supervisory authority (authorised state body on protection of personal data) was replaced, following concerns that a “state service” such as the State Service of Ukraine on Personal Data Protection could not be independent by definition. Therefore the Ombudsperson of Ukraine was appointed to the role of supervisor. While minimum safeguards regarding data protection are defined in articles 9 and 10 of the Law on Demographic Register, some of the interlocutors of the study voiced concerns regarding data protection, specifically regarding the roles of “controller” and “processor”, which had partially become inconsistent in relation to legacy systems (such as “DIS”) and regarding the transfer of powers regarding the issuing of passports from the MIA to the SMS.


4 ANALYSIS, RESULTS AND CONCLUSIONS

In this chapter the situation described in chapter 3 will be compared to the European and international standards described in chapter 2. A full assessment could not be completed within the timeframe of the present study. Therefore a more in-depth analysis of the actual travel and other documents being issued as per 2014 and as discussed with the Ukrainian experts involved will be given alongside a mere “desk research” type of legal analysis of the new biometric travel documents which are issued from 2015.

4.1 Compliance with ICAO/international and European standards, norms and recommendations

4.1.1 Technical security of passports, including biometrics

Some of the interlocutors of this study voiced their concern over the planned use of multiple biometrics of one individual and storing them centrally. Others would be interested in broader use of the fingerprints: for example, the definition of “one-to-many” searches is provided in Article 3.5 of the Law on Demographic Register, but there are no provisions regarding such a type of search. This relative uncertainty was caused by the lack of secondary legislation during most of 2013 and into 2014. Council Regulation No 2252/2004 does not provide a legal basis for storage, and the Court of Justice ruled that “The regulation not providing for any other form or method of storing those fingerprints, it cannot in and of itself be interpreted as providing a legal basis for the centralised storage of data collected thereunder or for the use of such data for purposes other than that of preventing illegal entry into the EU.”[45] Central storage of fingerprints is, however, not incompatible with European standards if a legal basis for storage is provided elsewhere, e.g. in the law that defines the travel documents itself. Usually, and in line with the ruling of the Court, fingerprints can be temporarily stored for the production of the travel document and then removed. If multiple biometric documents are issued to one and the same person, this increases the risk of false negatives. In this respect it should be noted that the latest amendments to Ukrainian legislation (Law on Demographic Register, art. 7 and the CMU Resolution of 26.11.2014 № 669) envisage that captured fingerprints, after inclusion in the contactless integrated circuit, should be removed from the Demographic Register and destroyed.
One-to-many searches of biometrics stored for the own population are not common practice in the EU, neither for facial images nor for fingerprints, and are highly controversial as far as fingerprints are concerned. A solid legal basis is needed to allow this, with the usual checks and balances required by data protection law. The respective action plans, approved by the CMU Resolution of 20.08.2014 № 780-r and the CMU Resolution of 20.08.2014 № 805-r, refer to the establishment of a national system of biometric verification and identification of citizens of Ukraine, foreigners and stateless persons. However, there are no conceptual documents or legal acts defining the purposes, scope of tasks and operational aspects of the system to be created. Part of complying with European standards would be to minimise the possibilities for corruption. In its ruling of 3 December 2013 № 21-416а13 the Supreme Court upheld a decision by the Court of Cassation that the fee for a passport should be 170 UAH as defined by law, and hence not the fee of UAH 170, a service fee of UAH 87.15 and a fee for a passport blank of UAH 120 as mentioned on the website of the SMS[46]. The SMS also proposed to the CMU to combine all the fees mentioned above in one duty[47].

4.1.1.1 Secure production and personalisation

Further to the high-level requirements described in paragraph 2.2.1, ICAO is working on providing more guidance in the field of secure production. A draft put forward by ICAO’s New Technologies Working Group considers the following elements in the establishment of production and issuance facilities:

1) Resilience
  o Use of distributed production and issuing facilities;
  o Secondary production sites when production is centralised;

[45] Case C-291/12 Michael Schwarz v Stadt Bochum, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0291
[46] http://dmsu.gov.ua/posluhy/dokumenti-dlya-vijizdu-za-kordon/710-vydacha-pasporta-hromadianyna-ukrainy-dlia-vyizdu-za-kordon
[47] http://dmsu.gov.ua/novyny/novyny-dms-ukrainy/2477-persha-tysiacha-ukraintsiv-staly-vlasnykamy-biometrychnykh-pasportiv1


  o Emergency issuing facilities;
  o Rapid access to spare parts and support;
  o Second sourcing of all MRTD components.
2) Physical security and access control
  o Wire cages or solid walls to segregate production areas;
  o Strong rooms for storage of finished, un-personalised MRTDs and key security components for MRTD production;
  o Token-based access control between zones;
  o Video surveillance inside and outside the facility;
  o Perimeter security;
  o Full-time security personnel.
3) Production materials and MRTD accounting
  o States should ensure that all material used in the production of MRTDs is accounted for and that MRTD production is reconciled with MRTD orders, so that it may be demonstrated that no MRTDs and no MRTD components are missing.
4) Transport
  o States are advised to use secure methods to transport MRTDs and MRTD components.
5) Personnel
  o States should ensure that all personnel are subject to a security clearance process, which confirms their identity and suitability for employment in an environment where high-value assets are produced. Staff should be provided with credentials to enable them to identify themselves and to gain access to secure areas which they need to access in connection with their role.
6) Cyber security. Production and issuance facilities are vulnerable to a variety of cyber attacks:
  o Viruses and other malware, both in conventional computing facilities and in production machinery;
  o Denial of Service attacks through online MRTD application channels and web services exposed by production and issuance systems;
  o Compromise of issuing systems to enable attackers to issue passports or steal personal data or cryptographic assets (such as private keys for eMRTD production).
7) Application fraud.

The (secure) production chain of Ukrainian documents generally meets the requirements regarding physical security and access control, production materials and MRTD accounting, transport, and personnel. Both production facilities (State enterprise Polygraphy plant “Ukraina” and State Centre for Personalisation of Documents) have multiple quality certifications. Some risks may be involved regarding Resilience (specifically the lack of secondary production sites) and Cyber security, which would require further assessment. 4.1.1.2 Security of the “blue” passport issued under Passport Resolution 1992 and Passport Regulation 1995 The Ukrainian passport (the so-called “blue passport”) was, until 2014, produced in accordance with “the Passport Resolution 1992”. Rather than attempting to operationalise the ICAO requirements, notably the ones in part 1 of Document 9303, the Ukrainian legal framework more than once simply states that a document is produced “in accordance with the recommendations of the International Civil Aviation Organization (ICAO Document 9303)” (e.g. Passport Resolution 1992, in points 5 and 6 of the provisions in its annex). Similarly this logic was introduced in the documents that have been adopted from the spring of 2014 onwards. A mere reference to ICAO recommendations in the law is undeveloped and not precise enough. Reference should be made to specific ICAO documents such as, for example “ICAO DOC 9303 Part 1 Vol 1” for the passports, or even to underlying standards48. Such reference is necessary to further assess technical compliance of the

48 E.g. Doc 9303 refers to ISO 1073/II: 1976 Alphanumeric character sets for optical character recognition — Part 2: Character set OCR-B — Shapes and dimensions of the printed image; ISO 1831: 1980 Printing specifications for optical character recognition; ISO 3166-1: 1997 Codes for the representation of names of countries and their subdivisions — Part 1: Country codes; ISO/IEC 7810: 1995 Identification cards — Physical characteristics; ISO 8601: 2001 Data

28 documents. It would be more meaningful indeed to either refer to the underlying standards that ICAO Doc 9303 refers to, or to describe the way these standards are actually met. Let us have a look at the example of point 6 of the provisions in the annex to Passport Resolution 1992. Regarding transliteration point 6 mentions “The name and first names are indicated in the Ukrainian language and separated by a forward slash in Latin script corresponding to the Ukrainian in accordance with Article 28 of the Law of Ukraine “On State Language Policy” and the recommendations of the International Civil Aviation Organization (ICAO Document 9303).” If we look what actually happens regarding transliteration, we see that the Passport Regulation 1995 in annex 2, which was amended by Resolution “On harmonisation of transliteration of the Ukrainian alphabet to Latin” of 27 January 2010 № 55, actually deviates from the ICAO recommendations on 6 points, as is demonstrated in Annex 4. So where the higher order legislation, namely the Resolution, requires the documents to be issued with transliteration “corresponding to (...) the recommendations of the International Civil Aviation Organization (ICAO Document 9303)”, the lower level Regulation implements a Ukrainian “standard” that differs from the ICAO recommendation. This makes it very difficult to verify compliance. Ukrainian passports generally comply with the basic principles and security features and techniques set forth in Appendix 1 to Section III of ICAO Document 9303, Part I Volume I. This is also supported by the statements provided by the interlocutors that “the blue passport is almost impossible to fake”. Most cases of fraud detected were based on the previous generation passports with a laminated (rather than a polycarbonate) data page. The only possibility there seems to be for criminals, is to try to get genuine documents based on fake breeder documents (See paragraph 4.1.3). 
4.1.1.3 Security of the new generation of biometric passports of 2015 According to the VLAP inclusion of finger prints is only required for the Ukrainian ICAO-compliant machine- readable travel documents, i.e., as specified in the Law on Demographic Register, the passport (art. 22), diplomatic passport (art. 23), service passport (art. 24), seaman's book (art. 25), crew member certificate (art. 26), stateless person’s travel document (art. 30), and refugee travel document (art. 34). The 2014 legislation that defines the machine-readable travel documents with biometric identification capability indeed focuses on these seven documents. It is difficult, but not completely impossible to assess the actual situation regarding biometrics included in these seven documents and compliance with ICAO Doc 9303 Part 1 Volume 2 and Commission Decision C(2006) 2909 as no biometric documents have been issued in Ukraine until the distribution of the draft report of the present study, and thus compliance cannot be proven. Hence some highlights will be given based on a comparison of the legislation for the biometric passport that was proposed in 2014 and ICAO Doc 9303 Part 1 Vol 2 and Commission Decision C(2006) 2909. The CMU Resolution № 152 of 07.05.2014 gives the definition of the new Ukrainian biometric passport. The document incorporates almost all of the features described for the blue passport issued under Passport Resolution 1992 and Passport Resolution 1995. It even codifies some of the practices described in paragraph 4.1.1.1 which had hitherto not been codified. In general – as is the case with the current passport – the procedures and features described are in line with ICAO Doc 9303 Part 1, Volume 1. 
elements and interchange formats — Information interchange — Representation of dates and times. In addition, among others, Commission Decision of 28 June 2006 laying down the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States [C(2006) 2909 final] prescribes the following non-ICAO standards: ISO/IEC 19794-5:2005 Biometric Data Interchange Formats – Part 5: Face Image Data; ISO/IEC 19794-4:2005 Biometric Data Interchange Formats – Part 4: Finger Image Data; ANSI/NIST-ITL 1-2000 Standard “Data Format for the Interchange of Fingerprint, Facial, Scarmark & Tattoo (SMT) Information”; FBI: Wavelet Scalar Quantization (WSQ); ISO/IEC 14443, Identification cards – Contactless integrated circuit(s) cards – Proximity cards.

The following issues were noted regarding the annexes to Resolution № 152:
 Points 1-12 of Annexes 2 and 4 define dimensions, materials, paper, security features, most of which have been retained from the blue machine-readable passport generally in line with paragraph 5 “Security features and techniques” of informative appendix 1 to Section III of Doc 9303 part 1, vol. 1, but:
o point 1, dimensions of the passport booklet (88x125 mm), lacks the tolerance (88.0 mm ± 0.75 mm × 125.0 mm ± 0.75 mm) provided by Doc 9303 Part 1, Volume 1 based on ISO/IEC 7810;
o point 2 lacks reference to the correct part(s) of the standard(s): they should be ISO/IEC 14443 Type A and ICAO Doc 9303 Part 1, Volume 2 respectively;
o the schematic diagrams at the end of annexes 2 and 4 lack tolerance and a specification of the radius as provided by Appendix 2 to Section IV of Doc 9303 Part 1, Volume 1, as explained in the notes (“To allow for variations during manufacture of the MRP, a tolerance of ± 1.0 mm (± 0.04 in) is allowed for the 23.2 mm (0.91 in) dimension of the machine readable zone (MRZ) and within that overall tolerance the boundary between the visual inspection zone (VIZ) and the MRZ shall not be skewed more than 0.5 mm (0.02 in) over the 125.0 mm (4.92 in) dimension.”).
Regarding the “procedure” laid down in Resolution № 152 the following may be noted:
 Point 1-19: General part:
o Point 11 of the general part refers to ICAO Doc 9303 (arguably Part 1, Volume 2) regarding the contactless integrated circuit;
o Point 14 introduces the possibility to apply for a second passport;
o Point 19: the citizen securely stores the passport;
 Point 20-41: Application, exchange and issuance of passport for travel abroad, with art. 34-40 procedures on loss, theft and replacement;
 Point 42-46: Grounds for the refusal;
 Point 47-61: Returning to the state, seizure, destruction or temporary revocation;
 Point 62-64: Appeal and review of refusal, issuance, seizure or temporary revocation;
 Point 65-84: Data entry:
o Point 66 refers to the “rules of transliteration”.
Whereas the claim of ICAO compliance was removed here, that of course does not mean that the problem of the lack of compliance with Appendix 9 to Section IV of Part 1 of Document 9303 no longer exists;
o point 67 “At the written request of the person their name may be specified in accordance with the Latin letters you write a document issued by a foreign state.”;
o Point 70 “The data page of the passport for travel abroad filled in accordance with the recommendations IKAO Doc 9303” (arguably Section IV of Part 1, Volume 1);
o Point 72 seems in line with Section IV of Part 1, Volume 1, except that it has “Запис №/Record No” where Doc 9303 uses “Personal number”;
o Point 77 and point 78 refer to “ДСТУ ISO 3166-1-2000” and “ДСТУ ISO 3166-95” respectively, which both should be “ДСТУ ISO 3166-1-2000 alpha 3”;
o Point 80 defines that images (of the holder and his signature) are affixed to the data page in accordance with ICAO Doc 9303 and Ukrainian standard 1303-94 (black and white and colour photo prints. General specifications);
o Point 83 specifies that the MRZ is constructed and filled in accordance with the recommendations of ICAO Doc 9303. What is meant is Point 9 of Section IV of Part 1, Volume 1, and this could be spelled out in much more detail to prevent any kind of misinterpretation.

4.1.1.4 Biometrics

The Resolution of 26.11.2014 № 669 gives the procedure for obtaining, extracting from the demographic register, and destruction of digital fingerprints, which entered into force on 1 January 2015. Its provisions are less specific than the European equivalent, Council Regulation (EC) No 2252/2004 of 13 December 2004 (as amended by Regulation (EC) No 444/2009 of 28 May 2009). Notably Council Regulation 2252/2004 is more specific/explicit regarding the people who are exempt from giving fingerprints (art. 1 (2a): children below the provisional age limit of 12, and persons whose fingerprinting is physically impossible). Ukrainian law implicitly has the same effect. Furthermore the same article, art. 1 (2a), introduces the possibility of issuing passports with limited validity of up to 12 months to persons where fingerprinting is physically impossible. The Ukrainian law does not provide this second possibility.

The Law on Demographic Register provides for the (temporary) storage of the fingerprints in the Demographic Register (Art. 7). Unlike in the European situation (under Council Regulation 2252/2004), the Ukrainian legislation provides a possibility of issuing Ukrainian travel documents without inclusion of information into the contactless integrated circuit, or without a contactless integrated circuit at all, to “a citizen of Ukraine, who because of their religious beliefs refused registration of information (including digitised fingerprints)” (amendment of 26 November to Resolution № 152 of 07.05.2014). As of 22 July 2014 point “111” was introduced into article 7 of the Law on Demographic Register, which requires “the individual's consent” for storing fingerprints. Furthermore Resolution № 152 introduces specifications for two different kinds of blanks (point 2 of the general part): one with a contactless integrated circuit (Annexes 1 and 2 to the resolution) and one without a contactless integrated circuit (Annexes 3 and 4). The possibility for EU citizens to receive a passport without fingerprints stored on a contactless integrated circuit does not exist, as Article 1(2) of Council Regulation (EC) No 2252/2004 states that “[p]assports and travel documents shall include a highly secure storage medium which shall contain a facial image [and] two fingerprints”. The European Court of Justice ruled49 that “[e]xamination of the question referred has revealed nothing capable of affecting the validity of Article 1(2) of Council Regulation (EC) No 2252/2004”.
Point 73 of the “procedure” laid down in Resolution № 152 introduces the information to be stored on the integrated circuit to be “in accordance with the regulations on technical and cryptographic protection of information in Ukraine” and “as recommended by ICAO”: 1) the information contained in the data page of the passport; 2) additional variable information (place of registration, marital status, refusal of acceptance of the taxpayer's registration number, the issuance of privatisation certificates); 3) biometric parameters (digitised image of the face, digitised signature of the person, and, with the consent of the person, digitised fingerprints); 4) security data, as recommended by IKAO Doc 9303. As a matter of fact ICAO states “The minimum mandatory items of data to be stored in the Logical Data Structure (LDS) on the contactless integrated circuit (IC) shall be a duplication of the machine readable zone data in Data Group 1 and the holder’s facial image in Data Group 2. In addition, the IC in a compliant ePassport shall contain the Security Data (EF.SOD) that is needed to validate the integrity of data created by the issuer — this is stored in Dedicated File No 1 as specified in the LDS (See Section III). The Security Data (EF.SOD) consists of the hashes of the Data Groups in use. Refer to Section IV for detailed information.” The “procedure” laid down in Resolution № 152 doesn’t specify which information is stored where, or how the information is protected. Point 4.2 of the “EU Passport Specification” defines that the data stored on the chip should correlate with the data printed in the MRZ of the passport. Generally, since the introduction of the blue passport in 2007, Ukraine has gained a lot of experience in the secure production and personalisation of ICAO-compliant passports with machine readable data stored in optical character recognition format. In general there is too little secondary legislation that regulates the facial image and fingerprints.
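As an added illustration, not part of the study, the following Python sketch performs the checks a verifier would run on the items just listed: the Doc 9303 check digits of the printed MRZ, the duplication of that MRZ in Data Group 1, and an EF.SOD reduced to one hash per data group in use. The ASN.1 encoding of the data groups and the Document Signer signature over EF.SOD are left out, and the sample record is constructed on the ICAO specimen layout for the fictitious state UTO.

```python
"""Constructed example: ICAO Doc 9303 consistency checks on a TD3 (passport) record.
Simplifications: no ASN.1/LDS encoding, and EF.SOD is reduced to a dict of
data-group hashes without the Document Signer signature."""
import hashlib

WEIGHTS = (7, 3, 1)  # Doc 9303 check digit weighting, repeated left to right


def char_value(c: str) -> int:
    """Numeric value of one MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """Doc 9303 check digit: weighted sum of character values modulo 10."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def pad(s: str, n: int) -> str:
    """Right-pad with filler characters and truncate to the field width."""
    return (s + "<" * n)[:n]


def build_td3(doc_type, issuer, surname, given, number, nationality, dob, sex, expiry, optional=""):
    """Construct the two 44-character MRZ lines of a TD3 document (Section IV, point 9)."""
    names = surname.replace(" ", "<") + "<<" + given.replace(" ", "<")
    line1 = pad(doc_type, 2) + pad(issuer, 3) + pad(names, 39)
    number_f, opt_f = pad(number, 9), pad(optional, 14)
    body = (number_f + check_digit(number_f) + pad(nationality, 3)
            + dob + check_digit(dob) + sex + expiry + check_digit(expiry)
            + opt_f + check_digit(opt_f))
    # the composite check digit covers positions 1-10, 14-20 and 22-43 of line 2
    line2 = body + check_digit(body[0:10] + body[13:20] + body[21:43])
    return line1, line2


def verify_td3(line1: str, line2: str) -> list:
    """Return the problems found in a printed MRZ (an empty list means consistent)."""
    if len(line1) != 44 or len(line2) != 44:
        return ["MRZ lines must be 44 characters each"]
    problems = []
    fields = {"document number": (line2[0:9], line2[9]),
              "date of birth": (line2[13:19], line2[19]),
              "date of expiry": (line2[21:27], line2[27]),
              "optional data": (line2[28:42], line2[42])}
    for name, (value, cd) in fields.items():
        if check_digit(value) != cd:
            problems.append(f"check digit mismatch on {name}")
    if check_digit(line2[0:10] + line2[13:20] + line2[21:43]) != line2[43]:
        problems.append("composite check digit mismatch")
    return problems


def build_lds(line1: str, line2: str, face_image: bytes):
    """Simplified LDS: DG1 duplicates the MRZ, DG2 carries the facial image, and the
    reduced EF.SOD lists one SHA-256 hash per data group in use."""
    dgs = {1: (line1 + line2).encode("ascii"), 2: face_image}
    sod = {dg: hashlib.sha256(data).hexdigest() for dg, data in dgs.items()}
    return dgs, sod


def verify_lds(dgs: dict, sod: dict, printed_line1: str, printed_line2: str) -> list:
    """Check chip contents against EF.SOD and check the chip/MRZ correlation that
    point 4.2 of the EU Passport Specification requires."""
    problems = []
    for dg, expected in sod.items():
        if dg not in dgs:
            problems.append(f"DG{dg} listed in SOD but absent from chip")
        elif hashlib.sha256(dgs[dg]).hexdigest() != expected:
            problems.append(f"DG{dg} hash mismatch")
    for dg in dgs:
        if dg not in sod:
            problems.append(f"DG{dg} present on chip but not covered by SOD")
    if dgs.get(1, b"").decode("ascii", "replace") != printed_line1 + printed_line2:
        problems.append("DG1 does not match the printed MRZ")
    problems.extend(verify_td3(printed_line1, printed_line2))
    return problems


if __name__ == "__main__":
    # sample data constructed on the ICAO specimen layout (fictitious state UTO)
    l1, l2 = build_td3("P", "UTO", "ERIKSSON", "ANNA MARIA", "L898902C3",
                       "UTO", "740812", "F", "120415", "ZE184226B")
    dgs, sod = build_lds(l1, l2, b"constructed placeholder for the DG2 face image")
    print(l1, l2, verify_lds(dgs, sod, l1, l2), sep="\n")
```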
Such secondary legislation should be based on the “EU-Passport-Specification” (Decision C(2006) 2909) and Part 1, Volume 2 of ICAO Doc 9303.

4.1.2 Reporting lost and stolen passports

A draft put forward by ICAO’s New Technologies Working Group considers the following elements regarding Lost, Stolen and Revoked Travel Documents: “The exchange of information on lost, stolen or revoked travel documents is a key strategy to strengthen border control and mitigate the impacts of identity theft and immigration fraud. Accordingly, States should consider implementing the following operational procedures to offset the threats that work to undermine border management and national public safety: 1) Communicating proactively with document holders; 2) Maintaining National Lost, Stolen and Revoked Travel Document Databases; 3) Sharing information about lost, stolen and revoked travel documents with INTERPOL and verifying documents against INTERPOL databases systematically at primary inspection; 4) Installing checks to determine whether a holder is presenting a lost, stolen or revoked document at border crossing”. Concerns were voiced by some interlocutors regarding the fact that Ukraine has more than one system where the abovementioned status of Ukrainian travel documents is registered, one of them being “DIS”, which by 2014 was partially dysfunctional for this purpose. Furthermore, because of alleged data protection concerns, information on lost and stolen documents was not proactively shared with or circulated to the Ministry of Internal Affairs, which was by then the only agency in Ukraine with operational cooperation with INTERPOL. By January 2014 discussions between SMS and INTERPOL had not yet been concluded. This led to the impossibility of sharing information with INTERPOL. SBGS reported that a first line check of travel documents against lost/stolen/revoked databases at the points of entry to Ukraine was not possible at the time of the study.

4.1.3 Reliability of breeder documents

Most reported cases of fraud and fakes were cases where people would get genuine passports based on fake breeder documents. Various interlocutors mentioned various (possible) use cases, such as:
 Illegal naturalisations based on faked documents that would prove the person was residing in the Ukrainian SSR during Soviet times, completed by false witness statements supporting such claims;
 Use of fake breeder documents (internal passports, birth certificates);
 Identity theft by attempts to apply for a second passport by using a falsified internal passport;
 Various ways of bribery and corruption.
Solving these issues was hampered by the use of labour intensive, non-automated back office verification services.

49 Case C-291/12 Michael Schwarz v Stadt Bochum, op. cit.
Clearly the breeder documents (internal passports, birth certificates, certificate of change of name, naturalisation) are the weakest link in the system.

4.1.4 Exchange of information on false and authentic documents

Unlike other countries in the Eastern Neighbourhood of the EU, such as Georgia and Moldova, Ukrainian travel documents were not present in PRADO as of 2014.

4.1.5 Security of residence permits and visas, including biometrics

Biometrics are not yet used for control at the border. The new generation of Ukrainian visas generally complies with the basic principles and security features and techniques set forth in the Annex to Section III of ICAO Document 9303, Part 2. This is also supported by the statements provided by the interlocutors that the “number of fake or fraudulent visas reported is rather limited”. It is impossible to assess the actual situation regarding biometrics as no biometric visas or documents were issued in Ukraine during the course of the present study. Some of the interviewed NGOs pointed at inconsistencies between the documents introduced by the Law on Demographic Register and the corresponding legislation in the field of asylum and migration.

4.1.6 Protection of personal data

The Demographic Register also poses genuine challenges regarding the “legitimate purpose” of data collection. The NGOs involved in this study warned of the data protection implications of the law that has been introduced50, especially its article 4 which defines the Register and notably article 4.2, which rules to incorporate information from departmental information systems. It is unclear what legal basis will be used for the incorporation of these data. There is a huge risk of function creep. Similarly unclear is how such external data is meant to be updated, especially in the case that the authentic source, the relevant departmental information system itself, also keeps a copy of the data. The DP legislation in Ukraine defines the roles of “controller” and “processor”. The issue of which agencies have which role in the Law on Demographic Register is still open. As a result of the different administrative reforms under the previous government, by which the issuance of passports was transferred from MIA to SMS and the data protection supervision transferred from the State Agency to the Ombudsman, various flaws appeared in the legislative base, most of which had been repaired by the autumn of 2014.

50 “How to minimise the harmful outcomes of the Law of Ukraine ‘On the Unified State Demographic Register’?” http://novisa.com.ua/yak-zmenshiti-shkody-vid-zakony-pro-demografichnii-reestr/

4.1.7 Population registration

There is no clear European standard on how to deal with Population Registration. Examples of fully centralised systems exist (Netherlands, Estonia) as well as fully decentralised ones (Germany), or even countries with no automated population registration (notably the UK). OSCE recommendations are given to support democracy; the OSCE guidelines are largely met by the Voter register of the Central Election Commission in Ukraine.

The new Demographic Register defined by the law was not put into operation in 2014. The old system relies on legacy systems and paper processes. The gap may be too wide to bridge, for which the problems with the procurement of a successor system for “DIS” may be exemplary. In line with the worries mentioned in the previous paragraph, it was particularly unclear how the system is meant to be populated. Information provided by the Central Election Committee on the way they have realised their online voters’ register may indicate that the idea of a single demographic register is way too ambitious. The inclusion of various types of documents (travel documents, internal passports, documents for asylum/migration, driver’s licences), as well as it being a central population register without incorporating the State Registration Service, makes it a very complicated task to accomplish, which will be a drain on the state budget.

Text box: Inconsistencies in data between register and documents

The Law on Demographic Register defines various Ukrainian travel documents: the passport (art. 22), diplomatic passport (art. 23), service passport (art. 24), seaman's book (art. 25), crew member certificate (art. 26), stateless person’s travel document (art. 30), refugee’s travel document (art. 34). During personalisation, the data pages of these documents, as well as the contactless integrated circuits, shall be filled with the data from the register defined in Section II. Article 7 defines which data is (to be) held in the Register. It is unclear which data is meant in Art 7:12 (“additional variable information (place of registration, marital status, decision to refuse the registration of the number of the taxpayer's registration card, the issuance of privatization certificates)”) and the whole of Art. 7:13 (“Information from [departmental information systems]”). During this study some inconsistencies were noted between the data that is present in the register and the data that shall be introduced on the travel documents. Examples of these are:
 It is not sufficiently clear where the information on Ukrainians residing abroad (Art: 22:7, point 17) comes from;
 The service passport (art. 24) doesn’t have a date of birth;
 The crew member certificate (art. 26) doesn’t have a place of birth, document type, country of birth, date of issuance;
 A stateless person’s travel document (art. 30) doesn’t have a facial image of the bearer;
 The facial image is also not mentioned in articles 29, 31, 32, 34, 35.
The OSCE ODIHR Guidelines on Population Registration (Warsaw, 2009) state “Travel and identification documents, such as passports, are usually issued on the basis of data registered in the population-registration system. A population register that is kept up-to-date and clean of multiple entries provides the most reliable data for issuing of travel documents thus lowering security risks resulting from attempts to obtain multiple documents based on false identities.” (emphasis added, JS). There seems to be a lack of consistency between Sections II (register) and III (documents) of the Law on Demographic Register, making it unclear if data is entered and stored only once. Besides there are multiple semantic issues between these two sections (e.g. regarding the “place of residence”). The law is partially inconsistent even regarding the data fields (see text box). All in all it is unclear which type of (relational) database structure would be envisaged by the legislator in this law, which is something that needs to be clarified in secondary legislation. Whereas there is a genuine need to modernise the paper processes and legacy systems, one may ask oneself if such a complicated and all-encompassing system that partially duplicates information stored elsewhere is appropriate at this moment.

4.1.8 Minimal standards in document security

On 27 May 2014 the European Commission announced that Ukraine moved on to the second phase of the visa liberalisation process, which included the following benchmarks for effective implementation:
 Gradual roll-out of biometric international passports in compliance with ICAO standards, including at Ukrainian consulates abroad, and phase-out of non-ICAO compliant passports;
 High level of integrity and security of the application, personalisation and distribution process for international passports, as well as domestic passports and other breeder documents;
 Prompt and systematic reporting to the Interpol/LASP database on lost and stolen passports;
 Regular exchange of passport specimens and cooperation on document security with the EU.
Ukraine is moving at full steam to meet the requirements under the first indent, especially regarding the rollout of biometric passports. The issues regarding the fingerprints to be taken, for example, noted by earlier progress reports, have been solved by the introduction of secondary legislation.

4.2 Conclusions

The analysis demonstrates that the Ukrainian authorities already have successful experience in using state-of-the-art equipment and technologies for both identity management and issuance of secure travel documents. The former can be illustrated by the Register of Voters and the latter by the machine readable international passports with a polycarbonate holder page. While the Ukrainian passports proved to be technically secure – as the representatives of the law-enforcement agencies informed, there were no cases of forging booklets and data pages – attention now shall be paid to issuance security and usage security, also to fulfil the requirements of the second phase of the VLAP. The Cabinet of Ministers of Ukraine on 20 August 2014 adopted the action plans on “the introduction of documents with an embedded contactless electronic medium which prove the citizenship of Ukraine, identify persons, or their special status, and the establishment of a national system of biometric verification and identification of citizens of Ukraine, foreigners and stateless persons in the years 2014-2017” that contributes to the Action Plan to implement the second phase of the VLAP adopted the same day. New biometric passports were introduced in Ukraine in January 2015, while the other types of biometric travel documents will be introduced later during 2015-2017. Part of the study is devoted to security of residence permits and visas for foreigners, and a need for capacity building in this segment was identified in the process of the assessment.


5 RECOMMENDATIONS FOR FURTHER DEVELOPMENTS

The assessment results in many recommendations and it may not be feasible to implement them all at once. The appreciation of the assessment shall be conducted in close coordination with main government partners: SMS, MIA, MFA, and SBGS to ensure full ownership of results. For this reason, recommendations shall be prioritised jointly with government partners and subsequently could be incorporated into an action plan, so that the most urgent ones, in particular those which will lead to achievement of goals stipulated in the VLAP, and those which are comparatively easy and painless to implement shall be implemented first. The recommendations can also be classified into thematic categories or according to the target audience: policy makers, individual drafters or action officers.

5.1 Technical security of passports, including biometrics

5.1.1 Policy and legal framework

 Citizens of Ukraine should be made aware of the fact that only holders of biometric Ukrainian passports are targeted for possible visa-free travel to the EU51 and equally that obtaining a biometric passport does not mean immediate visa-free travel to the EU;
 Consider removing the information on travel documents from the Demographic register, or consider a phased approach first focusing on the issuance of travel documents and later on improving the quality of the data on citizens before moving over to a central online population register;
 Consider storage of data on issued driver’s licenses in a separate database beyond the Demographic register, or consider centralised personalisation;
 Consider not introducing contactless integrated circuits on non-travel and non-identity documents;
 Clarify the issue on the price of the passport in line with Ukrainian legislation, respective court decisions and factual costs of production and issuance;
 Reduce the inconsistencies in the Law on Demographic register regarding the data stored regarding persons (on the one hand) and the data stored for inclusion onto travel and identity documents (on the other);
 Consider specifying the issuance of limited validity documents (maximum 12 months) for persons who are temporarily incapable of having their fingerprints recorded.

5.1.2 Compliance with EU and international standards

 Specify, in secondary legislation, the way in which compliance is envisaged with ICAO, EU, or international (ISO) standards, or underlying standards referred to by the EU or ICAO, and specify which exact standard is meant and how compliance is foreseen or when it is achieved;
 Create more specific rules and specifications, in line with ICAO Doc 9303 Part 1, Volume 2 and Commission Decision C(2006) 2909, for the definition, capturing, (temporary) storage, transfer to the documents, and destruction of the primary and secondary biometric (face and fingerprints). These could be implementing rules based on Resolution № 669 of 26 November 2014;
 Improve the resilience of the production phase;
 When referring to ICAO the Ukrainian legislator should choose to refer to ICAO either by its international acronym (“ICAO”) or its Ukrainian acronym (“ІКАО”). It is not recommended to refer to ICAO using a latinized version of its Ukrainian acronym (“IKAO”) as is the case in some legal texts52.

51 The VLAP says “Fulfilment of all benchmarks will allow the Commission, taking into account the overall relations between the EU and Ukraine, to make a proposal to the European Parliament and to the Council for the lifting of the short-stay visa obligation for Ukrainian citizens, through an amendment of Regulation 539/2001 (such amendment should be limited to the holders of biometric passports issued in accordance with ICAO standards).”

52 A query for the latinized “IKAO” in the legal database of Ukraine yields 61 hits, “ICAO” gives 109, while “ІКАО” returns 287 documents. In the field of migration and document security the latinized form “IKAO” is used inter alia in the Decree of the Ministry of Internal Affairs of Ukraine of 15.07.2013 № 681, Resolution of 07.05.2014 № 152 (as well as Resolution of 26.11.2014 № 682 that amends it), Resolution of 07.05.2014 № 153, Resolution of 07.05.2014 № 154, Resolution of 23.09.2014 № 486, and Resolution of 12.11.2014 № 622.


 Use Regulation 2252/2004, Commission Decision C(2006) 2909, and Commission Decision C(2008) 8657 as guiding documents for the specification of biometrics;
 Verify if the contents of the MRZ are in line with Point 9 of Section IV of Doc 9303 Part 1, Volume 1;
 Define rules on transliteration of the Ukrainian alphabet for use on passports in accordance with Appendix 9 “Transliteration recommended for use by States” to Section IV of Part 1 of Document 9303;
 Clarify the issue of transliteration of the Ukrainian letter “г” with ICAO via the Technical Advisory Group on Machine Readable Travel Documents (TAG/MRTD), while the revision of Doc 9303 is still in process;
 Seek pro-active cooperation and exchange of knowledge and expertise with European and international counterparts, such as in the Senior Officials Group Information Systems Security (SOG-IS) of the European Commission, the German Federal Office for Information Security (BSI), the ICAO Machine Readable Travel Documents Programme and the ICAO Technical Advisory Group on Machine Readable Travel Documents;
 Further recommendations and good practices may be found in: Diana Ombelli and Fons Knopjes, Documents: the Developer’s Toolkit. IOM and Via Occidentalis: 2008.

5.1.3 Prevention of fraud, crime and illegal border crossing

 Minimise the risk of fraud by creating clear rules on the procedure for applying for a second passport;
 If one-to-many searches are foreseen based on centrally stored biometric information of citizens of Ukraine, create a specific legal basis for this, in line with the highest standards of data protection. A good source of guidance for implementing Privacy by Design Solutions for Biometric One-to-Many Identification Systems is the Information and Privacy Commissioner of Ontario’s paper on the topic of 20 June 201453;
 Introduce the use of biometrics at the points of entry to Ukraine for identification or verification.

5.1.4 Capacity building

 Capacity building and training programmes for all staff regarding biometrics in all phases: production, application, personalisation and issuance;
 Capacity building in the field of recognising forged breeder documents and fraudulent internal passports.

5.2 Reporting lost and stolen passports

 Make sure there is a sound and non-duplicated system where information on lost and stolen passports is registered. Gradually migrate and phase out “DIS”, but not before a new system is working;
 Improve the exchange of information on Lost and Stolen passports with INTERPOL, with appropriate safeguards for data protection, and based on interoperable electronic systems.

5.3 Reliability of breeder documents

 Implement the scenario when and how the “old” internal passport will be replaced with a new document;
 Since the validity of old internal passports is unlimited, and they need to be changed only in case of loss, name changes, mistakes, or unsuitability for use, a forced revocation can be considered. The lack of validity timelines of old internal passports, in conjunction with their poor security features, is one of the main risk factors in terms of securing the issuance of passports (for travel abroad), as internal passports are breeder documents in this respect;

53 See https://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1417


 Inform the citizens on how the various indications which are currently written into the internal passport (civil statuses such as marriage, divorce or children, issuing of passports, place of legal residence) will be registered elsewhere upon the renewal of the internal passport, and what this means for their everyday need to prove civil statuses or place of legal residence;
 Co-operation can be sought with countries like Georgia, which have successfully replaced the post-Soviet internal passport with a modern, full-featured identity card;
 Phase out, in due time, the Ф1 forms and index cards, but not before a working alternative is available. This could take 10-15 years at least. Some intermediate solution should be sought for the efficient back office verification of issued internal passports at the place of registration of the citizen;
 Capacity building at the stage of initial identification of applicants when they apply for passports and determination of reliability of breeder documents before secure passports are issued on their basis.

5.4 Interagency information sharing

 Allow for the exchange of information between SMS and MIA on lost and stolen passports, while safeguarding data protection, based on secondary legislation and/or an interagency Memorandum of Understanding. This should include exchange of information on lost and stolen passports for law enforcement purposes;
 Replace legacy systems (such as “DIS”) with functioning new systems, based on actual needs;
 Clarify in the legal framework which agency will be responsible for the registration of the place of residence, and improve the exchange of information between agencies, while safeguarding data protection;
 Introduce an “authentic source” principle, which means that if one agency is responsible for certain data, others can retrieve such information, while safeguarding concerns of data protection. This is meant to prevent duplication of data and increase data quality;
 Improve the exchange of information regarding decisions on bans of entry to or departure from the territory of Ukraine to SBGS.

5.5 Exchange of information on false and authentic documents

 Continue the erstwhile successful cooperation with INTERPOL on False and Authentic documents;
 Exchange of information on Ukrainian Authentic Travel and Identity Documents (such as held in PRADO, FADO, and similar databases) with the EU.

5.6 Security of residence permits and visas, including biometrics

 Introduce biometrics on visas, to allow biometric matching for identification and verification purposes;
 Make information on issued visas available to the SBGS through their existing automated systems, allowing them to verify the genuineness of the visas when used by a foreigner to enter Ukraine;
 Make biometric information on persons to whom visas were issued available to the SBGS through their existing automated systems;
 Make information on (foreign) Authentic Travel and Identity Documents (such as held in PRADO, or at a later stage FADO, and similar databases) available to the SBGS at the entry points to Ukraine;
 Make information from the Interpol SLTD available to SBGS at the entry points to Ukraine;
 Design trainings on verification of validity of foreign passports for consular officers issuing visas and migration officers issuing residence permits. Ukrainian border guards have a good tradition of capacity building activities in this field; their experience can be effectively applied.


5.7 Protection of personal data

• Capacity building in the field of data protection, not only among the supervisors, but also among those working with the population register;
• Clarify the roles of “controller” and “processor” in the Law on Demographic Register.

5.8 Population Registration

 Clarify how the Demographic Register shall be populated. Specify by means of secondary legislation which information is exchanged with which agencies pursuant to articles 7:12 and 4:2/7:13 of the Law on Demographic Register. Ensure a high level of data quality without redundancy or keeping copies of data held by other agencies; exchange of such information based on a sound legal basis is preferred to duplication of data that exists elsewhere.


6 ANNEXES

Annex 1. Breakdown of work

Phase 1: Collection of relevant data, study of previous research and published expert opinions, gathering and reviewing legal documents (primary and delegated legislation). Preparation of the review of the legislation in force. Identification of all relevant Ukrainian institutions whose staff should be interviewed; preparation of questions for the interviews (to be sent beforehand and/or to be asked at the time of the interviews).

Phase 2: Interviewing staff (officials) in the governmental agencies and other relevant institutions.

Phase 3: Evaluation of the current identity management system and level of document security and assessment of their compliance with international/ICAO and European standards (based on a review of the legislation and analysis of the content of the interviews). Reviewing legal documents (primary and delegated legislation).

Phase 4: Drawing up conclusions and recommendations, giving advice on follow-up capacity building activities based on the produced recommendations, and drafting the first version of the assessment.

Phase 5: Peer review of the draft by the IOM Mission in Ukraine; translation of the draft into Ukrainian and submission of the draft for the governmental partners’ comments (by the IOM Mission in Ukraine); revision of the draft taking into account the comments and suggestions expressed.

Phase 6: Presentation of the final draft of the study to the government/project partners.

Phase 7: Layout and printing of the English and Ukrainian versions of the study; distribution of the study among interested institutions and persons.


Annex 2. List of consulted individuals and organisations

• NGO “Europe without Barriers”, 18 November 2013
• State Border Guard Service of Ukraine, 19 November 2013
• State Migration Service of Ukraine, 20 November 2013
• State Registration Service, 21 November 2013
• Ministry of Foreign Affairs of Ukraine, 21 November 2013
• State Centre for Personalisation of Documents, 22 November 2013
• State enterprise Polygraphy plant “Ukrayina”, 10 December 2013
• State Service of Ukraine on Personal Data Protection, 10 December 2013
• Central Election Committee, 12 December 2013
• State Enterprise “Dokument”, 12 December 2013
• “Passport Service” Kyiv, 12 December 2013
• Office of the Ombudsman of Ukraine, 13 December 2013
• Ministry of Internal Affairs of Ukraine, 13 December 2013
• NGO “Centre for Political and Legal Reforms”, 20 January 2014
• Ministry of Finance, 22 January 2014
• Passport Centre of Sviatoshyn Raion in Kyiv, 22 January 2014
• State Service for Special Communication and Information Protection, 23 January 2014
• Passport Centre of the of Boryspil, 24 January 2014
• Consular section of the Ukrainian embassy in the Kingdom of the Netherlands, 20 June 2014


Annex 3. European legislation

This annex aims to provide an overview of Council Regulation (EC) No 2252/2004 and the Annex to Decision C(2006) 2909 as well as their subsequent amendments.

Council Regulation (EC) No 2252/2004 of 13.12.2004 (as amended by Regulation (EC) No 444/2009 of 28.06.2009)

Article 1

1. Passports and travel documents issued by Member States shall comply with the minimum security standards set out in the Annex. They shall be issued as individual documents. The Commission shall present a report on the requirements for children travelling alone or accompanied, crossing the external borders of the Member States not later than 26 June 2012 and propose, if necessary, appropriate initiatives in order to ensure a common approach regarding the rules for the protection of children crossing the external borders of the Member States.

2. Passports and travel documents shall include a highly secure storage medium which shall contain a facial image. Member States shall also include two fingerprints taken flat in interoperable formats. The data shall be secured and the storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data.

2a. The following persons shall be exempt from the requirement to give fingerprints:
(a) Children under the age of 12 years. The age limit of 12 years is provisional. The report referred to in Article 5a shall contain a review of the age limit, if necessary accompanied by a proposal to amend the age limit. Without prejudice to the consequences of the application of Article 5a, Member States which, in their national law adopted before 26 June 2009, provide for an age limit below 12 years may apply that limit during a transitional period until 4 years after 26 June 2009. However, the age limit during the transitional period may not be below 6 years of age;
(b) persons, where fingerprinting is physically impossible.

2b. Where fingerprinting of the designated fingers is temporarily impossible, Member States shall allow the fingerprinting of the other fingers. Where it is also temporarily impossible to take fingerprints of any of the other fingers, they may issue a temporary passport having a validity of 12 months or less.

3. This Regulation applies to passports and travel documents issued by Member States. It does not apply to identity cards issued by Member States to their nationals or to temporary passports and travel documents having a validity of 12 months or less.

Article 1a

1. The biometric identifiers shall be taken by qualified and duly authorised staff of the national authorities responsible for issuing passports and travel documents.

2. Member States shall collect biometric identifiers from the applicant in accordance with the safeguards laid down in the Council of Europe’s Convention for the Protection of Human Rights and Fundamental Freedoms and in the United Nations Convention on the Rights of the Child. Member States shall ensure that appropriate procedures guaranteeing the dignity of the person concerned are in place in the event of there being difficulties in enrolling.

Article 2

Additional technical specifications in accordance with international standards, including in particular the recommendations of the International Civil Aviation Organisation (ICAO), for passports and travel documents relating to the following shall be established in accordance with the procedure referred to in Article 5(2):
(a) additional security features and requirements, including enhanced anti-forgery, counterfeiting and falsification standards;
(b) technical specifications for the storage medium of the biometric features and their security, including prevention of unauthorised access;
(c) requirements for quality and common technical standards for the facial image and the fingerprints.

Article 3

1. In accordance with the procedure referred to in Article 5(2) it may be decided that the specifications referred to in Article 2 shall be secret and not be published. In that case, they shall be made available only to the bodies designated by the Member States as responsible for printing and to persons duly authorised by a Member State or the Commission.


2. Each Member State shall designate one body having responsibility for printing passports and travel documents. It shall communicate the name of that body to the Commission and the other Member States. The same body may be designated by two or more Member States. Each Member State shall be entitled to change its designated body. It shall inform the Commission and the other Member States accordingly.

Article 4

1. Without prejudice to data protection rules, persons to whom a passport or travel document is issued shall have the right to verify the personal data contained in the passport or travel document and, where appropriate, to ask for rectification or erasure.

2. No information in machine-readable form shall be included in a passport or travel document unless provided for in this Regulation, or its Annex, or unless it is mentioned in the passport or travel document by the issuing Member State in accordance with its national legislation.

3. Biometric data shall be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. For the purpose of this Regulation the biometric features in passports and travel documents shall only be used for verifying:
(a) the authenticity of the passport or travel document;
(b) the identity of the holder by means of directly available comparable features when the passport or travel document is required to be produced by law.

The checking of the additional security features shall be carried out without prejudice to Article 7(2) of Regulation (EC) No 562/2006 of the European Parliament and of the Council of 15 March 2006 establishing a Community Code on the rules governing the movement of persons across borders (Schengen Borders Code) (14). The failure of the matching in itself shall not affect the validity of the passport or travel document for the purpose of the crossing of external borders.

Article 5

1. The Commission shall be assisted by the Committee set up by Article 6(2) of Regulation (EC) No 1683/95.

2. Where reference is made to this paragraph, Articles 5 and 7 of Decision 1999/468/EC shall apply.

The period laid down in Article 5(6) of Decision 1999/468/EC shall be set at two months.

3. The Committee shall adopt its rules of procedure.

Article 5a

The Commission shall, not later than 26 June 2012, submit to the European Parliament and the Council a report based on a large scale and in-depth study carried out by an independent authority and supervised by the Commission, which shall examine the reliability and technical feasibility, including through an evaluation of the accuracy of the systems in operation, of using the fingerprints of children under the age of 12 for identification and verification purposes, including a comparison of the false rejection rates occurring in each Member State and, based on the results of that study, an analysis of the need for common rules regarding the matching process. If necessary, the report shall be accompanied by proposals to adapt this Regulation.

Article 6

This Regulation shall enter into force on the 20th day following that of its publication in the Official Journal of the European Union.

Member States shall apply this Regulation:
(a) as regards the facial image: at the latest 18 months;
(b) as regards fingerprints: at the latest 36 months;
following the adoption of the additional technical specifications referred to in Article 2. However, the validity of passports and travel documents already issued shall not be affected.

The second subparagraph of Article 1(1) shall be implemented at the latest on 26 June 2012. However, the initial validity for the holder of the document shall not be affected.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaty establishing the European Community.


ANNEX

MINIMUM SECURITY STANDARDS OF PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY THE MEMBER STATES

Introduction

This Annex lays down the minimum level of security that the Member States’ passports and travel documents are required to provide. The provisions in this Annex are concerned primarily with the biographical data page. The generic security features also apply to the other parts of passports and travel documents.

The biographical data page may consist of various basic materials. This Annex specifies the minimum level of security for the specific material that is used.

1. Material

The paper used for those sections of the passport or travel document giving personal particulars or other data shall meet the following minimum requirements:
— no optical brighteners,
— duotone watermarks,
— security reagents to guard against attempts at tampering by chemical erasure,
— coloured fibres (partly visible and partly fluorescent under UV light, or invisible and fluorescent in at least two colours),
— UV-fluorescent planchettes are recommended (mandatory for stickers),
— the use of security thread is recommended.

If the biographical data page is in sticker form, the watermark in the paper used for that page may be dispensed with. The watermark may also be dispensed with in the paper used for the inside of the passport or travel document covers. Security reagents are required on the inside covers only if data are entered there.

Stitching thread should be protected against substitution.

If a card for inserting personal data in the passport or travel document is made entirely of a synthetic substrate, it is not usually possible to incorporate the authentication marks used in passport or travel document paper. In the case of stickers and cards, the lack of marks in the materials shall be compensated for by measures in respect of security printing, use of an anti copying device, or an issuing technique according to sections 3, 4 and 5 over and above the following minimum standards.

2. Biographical data page

The passport or travel document shall contain a machine-readable biographical data page, which shall comply with Part 1 (machine-readable passports) of ICAO Document 9303 and the way they are issued shall comply with the specifications for machine-readable passports set out therein.

The portrait of the holder shall also appear on this page and shall not be affixed but integrated into the material of the biographical data page by the issuing techniques referred to in Section 5.

The biographical data shall be entered on the page following the title page in the passport or travel document. In any event, an inside cover page must no longer be used for biographical data.

The layout of the biographical data page shall be such that it is distinguishable from the other pages.

3. Printing techniques

The following printing techniques shall be used:

A. Background printing:
— two-tone guilloches or equivalent structures,
— rainbow colouring, where possible fluorescent,
— UV-fluorescent overprinting,
— effective anti-counterfeiting and anti-falsification motifs (especially on the biographical data page) with optional use of microprinting,
— reagent inks must be used on paper passport or travel document pages and stickers,
— if the paper of the passport or travel document is well protected against attempts at tampering, the use of reagent inks is optional.


B. Form printing

With integrated microprinting (unless already included in background printing).

C. Numbering

On all pages inside the passport or travel document a unique document number should be printed (where possible with a special style of figures or typeface and in UV-fluorescent ink), or perforated or, in passport cards, a unique document number should be integrated using the same technique as for the biographical data. It is recommended that in passport cards the unique document number is visible on both sides of the card. If a sticker is used for biographical data the unique document number should be printed using fluorescent ink, and a special style of figures or typeface is obligatory.

If stickers or non-laminated paper inside pages are used for biographical data, intaglio printing with latent image effect, microtext and ink with optically variable properties and a DOVID (diffractive optically variable image device) shall also be employed. Additional optically variable security devices shall also be used on passport cards made entirely of a synthetic substrate, at least through the use of a DOVID or equivalent measures.

4. Protection against copying

An optically variable (OVD) or equivalent device, which provides for the same level of identification and security as currently used in the uniform format for visas, shall be used on the biographical data page and shall take the form of diffractive structures which vary when viewed from different angles (DOVID) incorporated into the hot-sealed or an equivalent laminate (as thin as possible) or applied as an OVD overlay, or, on stickers or a non-laminated paper inside page, as metallised or partially de-metallised OVD (with intaglio overprinting) or equivalent devices.

The OVD devices should be integrated into the document as an element of a layered structure, effectively protecting against forgery and falsification. In documents made of paper, they should be integrated over as wide a surface as possible as an element of the hot-sealed or an equivalent laminate (as thin as possible) or applied as a security overlay, as described in section 5. In documents made of a synthetic substrate, they should be integrated in the card layer over as wide a surface as possible.

If a synthetic card is personalised by laser engraving, and an optically variable laser written device is incorporated therein, the diffractive OVD shall be applied at least in the form of a positioned metallised or transparent DOVID, to achieve enhanced protection against reproduction.

If a biographical data page is made of a synthetic substrate with paper core, the diffractive OVD shall be applied at least in the form of a positioned metallised or transparent DOVID, to achieve enhanced protection against reproduction.

5. Issuing technique

To ensure that passport or travel document data are properly secured against attempts at counterfeiting and falsification, biographical data including the holder’s portrait, the holder's signature and main issue data shall be integrated into the basic material of the document. Conventional methods of attaching the photograph shall no longer be used.

The following issuing techniques may be used:
— laser printing,
— thermotransfer,
— ink-jet printing,
— photographic,
— laser-engraving that effectively penetrates into the card layers bearing the security characteristics.

To ensure that biographical and issue data are adequately protected against attempts at tampering, hot-seal or equivalent lamination (as thin as possible) with an anti-copying device is compulsory where laser printing, thermo-transfer or photographic techniques are used.

Travel documents shall be issued in machine-readable form. The layout of the biographical data page shall follow the specifications given in part 1 of ICAO Document 9303, and the issuing procedures shall meet the specifications it sets for machine-readable documents.


Annex to Commission Decision C(2006) 2909 of 28.06.2006 (lastly amended by Commission Implementing Decision C(2013) 6181 of 30.09.2013)

EU – Passport Specification

[...]

1 Scope and Limitations

This document describes solutions for chip enabled EU passports, based on the EU document [1] titled “Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States”. The document is based on international standards, especially ISO standards and ICAO recommendations on Machine Readable Travel Documents, and accommodates:
• Specifications for biometric identifiers: face and fingerprints
• Storage medium (chip)
• Logical data structure on the chip
• Specifications for the security of the digitally stored data on the chip
• Conformity assessment of chip and applications
• RF compatibility with other electronic travel documents

The following considerations are out of scope of this document:
• Specifications of the mechanical mounting of the chip in a passport book, durability and mechanical testing procedures.
• Specifications on standard operation procedures (SOP) for the enrolment or the inspection process.

2 Biometrics

2.1 Primary biometric – Face

2.1.1 Standard compliance
• ICAO NTWG, Biometrics Deployment of Machine Readable Travel Documents, Technical Report, Version 2.0, 05 May 2004 [3]
• ISO/IEC 19794-5:2005, Biometric Data Interchange Formats – Part 5: Face Image Data [4]

2.1.2 Type

The facial image must be stored as FRONTAL IMAGE (footnote 54), according to [3, 4].

Footnote 54: According to ICAO standards, the “Face biometric data interchange image recorded in Datagroup 2 of the LDS shall be derived from the passport photo used to create the displayed portrait printed on the data page of the Machine Readable Passport; and shall be encoded either according to full frontal image or token image formats set out in the latest version of ISO 19794-5.”

2.1.3 Format

The face is to be stored as a compressed IMAGE FILE, not as a vendor specific template. Although both JPEG and JPEG2000 compression are standard compliant [3], JPEG2000 is recommended for EU-Passports because it results in smaller file sizes compared to JPEG compressed images.

2.1.4 Storage requirements

| No. | Option | Remark | Recommendation |
|---|---|---|---|
| 1 | JPEG compression | Approx. 12-20 KByte per photo | |
| 2 | JPEG2000 compression | Approx. 6-10 KByte per photo | recommended (see 2.1.3) |

2.1.5 Other issues
• Photograph Taking Guidelines taking into account the requirements of facial recognition technology have to be adopted according to ICAO standards [3]

2.2 Secondary biometric – Fingerprints

2.2.1 Standard compliance
• ICAO NTWG, Biometrics Deployment of Machine Readable Travel Documents, Technical Report, Version 2.0, 05 May 2004 [3]
• ISO/IEC 19794-4:2005, Biometric Data Interchange Formats – Part 4: Finger Image Data [5]
• ANSI/NIST-ITL 1-2007 Standard “Data Format for the Interchange of Fingerprint, Facial, Scarmark & Tattoo (SMT) Information”, FBI: Wavelet Scalar Quantization (WSQ), www.itl.nist.gov/iad [15]

2.2.2 Type

The primary fingerprints to be incorporated into the European Passport shall be PLAIN IMPRESSIONS OF THE LEFT AND RIGHT INDEX FINGER. For each hand, if the index finger is injured or missing, or has an ISO/IEC 19794-4 score of 0 to 25, a plain impression of the middle finger, ring finger or thumb of the same hand shall be recorded where a higher ISO score is available. If all fingers on one hand are of the low quality score indicated above, a plain impression of the finger with the best score shall be taken.

2.2.3 Format and Quality

The fingerprints must be stored as IMAGES, according to [5] and [15]. The quality of the fingerprint images shall, at the latest on 31 December 2014, be stated in accordance with [5] and recorded on the chip in the Biometric Data Block of the individual biometric image using the score of a suitable quality metric, ensuring mapping to the ISO score (0-100). A compression of the images using the WSQ-algorithm according to [15] MUST be used in order to decrease file size.

2.2.4 Storage requirements

The use of fingerprint IMAGES requires approximately 12 – 15 KByte per finger.
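The finger-selection rule in section 2.2.2 is a small decision procedure that enrolment software has to get right for every hand. The Python below is an added illustration of that rule, not code from the specification or from any enrolment system. It assumes a quality score per finger on the ISO/IEC 19794-4 0-100 scale, uses None for an injured or missing finger, and, where several of middle, ring and thumb have an acceptable score, takes the highest-scoring one (the specification only says an alternative "where a higher ISO score is available", so that tie-break is an assumption).

```python
from typing import Dict, Optional

# Added example; not part of the EU Passport Specification.
LOW_QUALITY_MAX = 25                        # ISO/IEC 19794-4 scores 0-25 count as low quality (sec. 2.2.2)
ALTERNATIVES = ("middle", "ring", "thumb")  # fallback fingers named in section 2.2.2


def select_finger(hand: Dict[str, Optional[int]]) -> Optional[str]:
    """Pick the finger of one hand whose plain impression is recorded on the chip.

    `hand` maps a finger name to its ISO quality score (0-100); None marks a finger
    that is injured or missing. Returns None only when no finger can be captured at
    all, the case the Regulation exempts as physically impossible (Article 1(2a)(b)).
    """
    available = {finger: score for finger, score in hand.items() if score is not None}
    if not available:
        return None

    # Rule 1: an index finger with an acceptable score is always used.
    index_score = available.get("index")
    if index_score is not None and index_score > LOW_QUALITY_MAX:
        return "index"

    # Rule 2: index unusable -> middle, ring or thumb where an acceptable score exists.
    # Assumption: when several qualify, the highest-scoring one is recorded.
    alternatives = {f: available[f] for f in ALTERNATIVES if f in available}
    if alternatives:
        best_alternative = max(alternatives, key=alternatives.get)
        if alternatives[best_alternative] > LOW_QUALITY_MAX:
            return best_alternative

    # Rule 3: every captured finger on this hand is low quality -> best score wins,
    # which may be the index finger itself.
    return max(available, key=available.get)


def select_both_hands(left: Dict[str, Optional[int]],
                      right: Dict[str, Optional[int]]) -> Dict[str, Optional[str]]:
    """Apply the rule hand by hand: the Regulation asks for two fingerprints."""
    return {"left": select_finger(left), "right": select_finger(right)}


if __name__ == "__main__":
    # Constructed scores for one applicant: injured left index, low-quality right index.
    left = {"index": None, "middle": 10, "ring": 12, "thumb": 5}
    right = {"index": 20, "middle": 15, "ring": 40, "thumb": 50}
    print(select_both_hands(left, right))
```

The result for the constructed applicant is the left ring finger (all left fingers are low quality, so the best score is taken) and the right thumb (the index is low quality and the thumb has the best acceptable alternative score). Recording which rule fired alongside the image is worth considering in a real enrolment log, since an inspector later sees only the chosen finger.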

3 Storage medium (RF-Chip architecture)

3.1 Standard compliance
• ICAO NTWG, Biometrics Deployment of Machine Readable Travel Document, Technical Report, Version 2.0, 05 May 2004 [3]
• ISO/IEC 14443, Identification cards – Contactless integrated circuit(s) cards – Proximity cards [7]
• ICAO NTWG, Use of Contactless Integrated Circuits In Machine Readable Travel Documents, Technical Report, Version 3.1, 16 April 2003 [8]

3.2 RF-Interface

According to [3, 7, 8], both type A and type B RF-interfaces are considered to be ICAO standard compliant.

ICAO compliant passports will be equipped with either A or B type RF interfaces, requiring border inspection systems to accommodate both standards for passports.

3.3 Storage capacity

According to the ICAO Logical Data Structure [10], alphanumeric data of the machine readable zone (MRZ) of the document and digital document security data (PKI) must be stored on the chip together with the biometric identifiers.

Member States are required to use appropriately sized RF chips to hold the personal data and biometric features according to the EU regulation [1]. See also chapters 2.1.4 and 2.2.4.

If, in accordance with the EU Regulation [1], a Member State wishes to include other data, extra storage capacity might be required.

4 Electronic Passport chip layout (data structure)

4.1 Standard compliance
• International Civil Aviation Organization (ICAO), Machine Readable Travel Documents, Doc 9303, Part 1 Machine Readable Passports, Sixth Edition, 2006 [9]
• Common Consular Instructions (CCI), Chapter VI No. 4 and Annex 10

4.2 Correlation with printed data

The alphanumeric data, printed in the MRZ of the passport, according to [9], have to correlate to the data digitally stored in the chip according to [10].

4.3 Chip Logical Data Structure

According to [10].

5 Data security and integrity issues

The traditional passport document incorporates a number of anti-counterfeiting measures, including security printing and optically variable devices according to [1]. The integrity, the authenticity and confidentiality of the data, digitally stored in the passport’s chip, have to be equally secured.

5.1 Standard Compliance
• Advanced Security Mechanisms for Machine Readable Travel Documents, Version 1.0, 2006 [13]


5.2 Digital data security

| No. | Security | Remark | Use |
|---|---|---|---|
| 1 | Passive Authentication [11, 12] | Proves that the contents of the SOD and the LDS are authentic and not changed. Does not prevent an exact copy or chip substitution. Does not prevent unauthorized access. Does not prevent skimming. | REQUIRED for all data (ICAO mandatory security feature) |
| 2a) | Active Authentication [11, 12] | Proves that the SOD is not a copy but has been read from the authentic chip. Proves that the chip has not been substituted. Does not prove that the content of the LDS is authentic and not changed. Does not prevent eavesdropping on the communications between chip and inspection system. | OPTIONAL |
| 2b) | Chip Authentication [13] | Proves that the SOD is not a copy and has been read from the authentic chip. Proves that the chip has not been substituted. Prevents eavesdropping on the communications between chip and inspection system. | Additional protection REQUIRED for all data at the time when fingerprint data are introduced or at the latest 36 months after the adoption of the technical specifications. Such a protection MUST NOT be enforced by the chip, but EU inspection systems MUST use this mechanism if supported by the chip. |
| 3 | Basic Access Control [11, 12] | Prevents skimming. Mitigates the risk of eavesdropping on the communications between chip and inspection system (see 2b). Does not prevent an exact copy or chip substitution (requires also copying of the conventional document). | REQUIRED for all data. PACE v2 according to [21] must be implemented at the latest on 31 December 2014. |
| 4 | Terminal Authentication [13] | Prevents unauthorized access to fingerprint data. Prevents skimming of fingerprint data. Requires additional key management. Does not prevent an exact copy or chip substitution (requires also copying of the conventional document). | Additional protection REQUIRED for fingerprint data |

SOD: Document Security Object. This object is digitally signed by the issuing State and contains hash representations of the LDS contents.
LDS: Logical Data Structure
MRTD: Machine Readable Travel Document
MRZ: Machine Readable Zone
EAC: Extended Access Control, being according to ICAO the combination of chip authentication and terminal authentication
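Row 1 of the table is the check every inspection system performs first: the SOD carries a hash of each data group and is signed by the issuing State, so altered data is detected while an exact copy is not. The Python below is an added model of that verification and is not code from the specification, ICAO Doc 9303 or any inspection system. The data-group contents and the signer key are constructed, and an HMAC under that constructed key stands in for the Document Signer's signature (a real SOD is a CMS signature whose certificate chains to the Country Signing CA) so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Added example; not part of the EU Passport Specification.
# Assumption: an HMAC keyed with a constructed secret stands in for the Document Signer
# signature, so "signer_key" below plays the role of the DS certificate at the inspection side.
DOCUMENT_SIGNER_KEY = b"constructed-document-signer-key"

# Constructed chip contents: DG1 holds MRZ data, DG2 the face image (labels only).
CONSTRUCTED_CHIP: Dict[int, bytes] = {
    1: b"P<UTOEXAMPLE<<ANNA<<<<<<<<<<<<<<<<<<<<<<<<<<<",  # DG1 (constructed MRZ)
    2: b"\xff\xd8constructed-jpeg2000-face-bytes",        # DG2 (constructed image bytes)
}


def hash_data_groups(data_groups: Dict[int, bytes]) -> Dict[int, str]:
    """One hash per LDS data group, as stored in the SOD."""
    return {dg: hashlib.sha256(content).hexdigest() for dg, content in data_groups.items()}


def _serialise(hashes: Dict[int, str]) -> bytes:
    # Canonical encoding so issuer and verifier sign/verify identical bytes.
    return json.dumps({str(k): v for k, v in sorted(hashes.items())}, sort_keys=True).encode()


def issue_sod(data_groups: Dict[int, bytes]) -> Dict[str, object]:
    """Issuing-State side: hash the data groups and sign the hash list."""
    hashes = hash_data_groups(data_groups)
    signature = hmac.new(DOCUMENT_SIGNER_KEY, _serialise(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "signature": signature}


def verify_passive_authentication(sod: Dict[str, object], data_groups: Dict[int, bytes],
                                  signer_key: bytes = DOCUMENT_SIGNER_KEY) -> Tuple[bool, str]:
    """Inspection-system side: check the SOD signature, then every data group against it."""
    expected = hmac.new(signer_key, _serialise(sod["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sod["signature"]):
        return False, "SOD signature invalid"
    for dg, content in data_groups.items():
        if dg not in sod["hashes"]:
            return False, f"DG{dg} not covered by SOD"
        if hashlib.sha256(content).hexdigest() != sod["hashes"][dg]:
            return False, f"DG{dg} hash mismatch"
    return True, "SOD and data groups authentic"


def demo() -> Dict[str, bool]:
    """Genuine chip passes, altered DG1 fails, and an exact copy still passes."""
    sod = issue_sod(CONSTRUCTED_CHIP)
    genuine = verify_passive_authentication(sod, CONSTRUCTED_CHIP)[0]

    tampered = dict(CONSTRUCTED_CHIP)
    tampered[1] = tampered[1].replace(b"ANNA", b"ANNE")   # change one MRZ character
    altered = verify_passive_authentication(sod, tampered)[0]

    # A bit-for-bit copy of SOD and data groups onto another chip verifies identically:
    # this is the "does not prevent an exact copy or chip substitution" remark in row 1,
    # and the reason rows 2a/2b (Active/Chip Authentication) exist.
    clone_sod = {"hashes": dict(sod["hashes"]), "signature": sod["signature"]}
    clone_chip = {dg: bytes(content) for dg, content in CONSTRUCTED_CHIP.items()}
    clone = verify_passive_authentication(clone_sod, clone_chip)[0]
    return {"genuine": genuine, "tampered": altered, "clone": clone}


if __name__ == "__main__":
    print(demo())
```

The three outcomes map directly onto the first table row: hash mismatch and bad signature are what Passive Authentication catches, and the clone result is what it cannot catch on its own.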

5.4 Public Key Infrastructure for Passports

In order to ensure integrity and authenticity of the digital data stored on the chip, a PKI is introduced: Each Member State MUST set up only a single Country Signing CA acting as the national trust point for all receiving states and at least one Document Signer issuing passports. Details on this PKI infrastructure (including signature algorithms, key lengths, and validity periods) can be found in [11]. Every Member State MUST notify the name and contact details of the organization responsible for the operation of the Country Signing CA and the Document Signer(s) to the Commission.

5.5 Public Key Infrastructure for Inspection Systems

To prevent unauthorized inspection systems from accessing fingerprint data, another PKI is introduced: Each Member State MUST set up only a single Country Verifying CA acting as the national trust point for the passports issued by this Member State and at least one Document Verifier managing a group of authorized inspection systems. Details on this PKI infrastructure can be found in [13]. Every Member State MUST notify the name and contact details of the organization responsible for the operation of the Country Verifying CA and the Document Verifier(s) to the Commission.

5.5.1 Certificate Validity Periods

The validity of issued certificates MUST be within the following time frames.

| Entity | Minimum Validity Period | Maximum Validity Period |
|---|---|---|
| Country Verifying CA Certificate | 6 months | 3 years |
| Document Verifier Certificate | 2 weeks | 3 months |
| Inspection System Certificate | 1 day | 1 month |

These indications may be changed by the Article 6 committee according to the test results presented by BIG.

5.5.2 Certificate Scheduling

To plan the scheduling of certificates the following processing and distribution times MUST be respected. Link certificates for the Country Verifying CA MUST be distributed at least 14 days before the certificate to be replaced expires.

| Certification Authority | Maximum Processing Time (Certificate Request) | Maximum Distribution Time (Certificate) |
|---|---|---|
| Country Verifying CA | 72 hours | 24 hours |
| Document Verifier | 24 hours | 48 hours |

These indications may be changed by the Article 6 committee according to the test results presented by BIG.
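Sections 5.5.1 and 5.5.2 together define the operational clock of the inspection-system PKI: short-lived certificates that must be renewed before they expire, with fixed worst-case turnaround times. The Python below is an added example that turns those figures into checks an operator can run against a certificate inventory; it is not code from the specification or from any national CVCA. The day counts used for the month-based limits (31, 91 and 182 days) are an assumption, since the specification states the limits in months.

```python
from datetime import datetime, timedelta
from typing import Tuple

# Added example; not part of the EU Passport Specification.
# Section 5.5.1 bounds. Assumption: 1 month = 31 days, 3 months = 91 days, 6 months = 182 days.
VALIDITY_BOUNDS = {
    "CVCA": (timedelta(days=182), timedelta(days=3 * 365)),  # Country Verifying CA certificate
    "DV":   (timedelta(weeks=2),  timedelta(days=91)),       # Document Verifier certificate
    "IS":   (timedelta(days=1),   timedelta(days=31)),       # Inspection System certificate
}

# Section 5.5.2: (maximum processing time for a request, maximum distribution time for the result)
TURNAROUND = {
    "CVCA": (timedelta(hours=72), timedelta(hours=24)),  # the CVCA issues DV certificates
    "DV":   (timedelta(hours=24), timedelta(hours=48)),  # the DV issues IS certificates
}
LINK_CERT_LEAD_TIME = timedelta(days=14)  # link certificate distributed 14 days before expiry


def at(iso_timestamp: str) -> datetime:
    """Small helper so callers can write timestamps as ISO 8601 strings."""
    return datetime.fromisoformat(iso_timestamp)


def check_validity_period(entity: str, not_before: datetime, not_after: datetime) -> Tuple[bool, str]:
    """Return (ok, reason) for a certificate of `entity` ("CVCA", "DV" or "IS")."""
    minimum, maximum = VALIDITY_BOUNDS[entity]
    period = not_after - not_before
    if period < minimum:
        return False, f"{entity} validity {period} is below the minimum of {minimum}"
    if period > maximum:
        return False, f"{entity} validity {period} exceeds the maximum of {maximum}"
    return True, f"{entity} validity {period} is within bounds"


def link_certificate_deadline(cvca_expiry: datetime) -> datetime:
    """Latest moment the link certificate for the next CVCA key must be distributed."""
    return cvca_expiry - LINK_CERT_LEAD_TIME


def latest_request_time(issuer: str, needed_by: datetime) -> datetime:
    """Latest moment to submit a request to `issuer` ("CVCA" or "DV") so that worst-case
    processing plus distribution still delivers the certificate by `needed_by`."""
    processing, distribution = TURNAROUND[issuer]
    return needed_by - processing - distribution


if __name__ == "__main__":
    # Constructed inventory entry: a DV certificate expiring on a given day.
    dv_not_before, dv_not_after = at("2014-03-01T00:00"), at("2014-04-30T00:00")
    print(check_validity_period("DV", dv_not_before, dv_not_after))
    print("request replacement DV certificate by", latest_request_time("CVCA", dv_not_after))
    print("link certificate due by", link_certificate_deadline(at("2015-06-30T00:00")))
```

A renewal job that alerts when `latest_request_time` is closer than a day away gives the operator a margin inside the committed turnaround rather than relying on the CA being faster than the specification requires.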

5.5.3 Certificate Policies

[A common Certificate Policy is established as set out in BSI TR-03139 Version 2.1. https://www.bsi.bund.de]

The Country Verifying CA of each Member State SHALL publish a Certificate Policy and may set up a Certification Practice Statement in accordance with the requirements set out by the “BIG”, in particular indicating the conditions under which a certificate for a (foreign) Document Verifier will be issued. The Commission shall be informed about the adoption of the Certificate Policy.

6 Conformity Assessment

A technical working group (“Brussels Interoperability Group”, BIG) will be established [18] to convey interoperability of passports conforming to the present specification.

6.1 Standard compliance
• ICAO NTWG, RF Protocol and Application Test Standard for E-Passport; Parts 2&3 [19]
• ISO/IEC 7816-4, Identification cards – Integrated circuit cards – Part 4: Organization, security and commands for interchange [12]
• ISO/IEC 7816-8, Identification cards – Integrated circuit cards – Part 8: Commands for security operations [20]
• Common Criteria Protection Profile Machine Readable Travel Document with “ICAO Application”, Basic Access Control, BSI-CC-PP-0055 [14]
• Common Criteria Protection Profile for Machine Readable Travel Document with “ICAO Application”, Extended Access Control with PACE, BSI-CC-PP-0056-V2-2012 [17]

6.2 Functional Evaluation

For the functional evaluation of MRTD chips the appropriate standard [19], which is currently under development, SHALL be used. Additional test cases required for the implementation of [13] MAY be defined by BIG. Every Member State MUST contract an accredited (national) test laboratory to certify functional compliance to the relevant standards on all ISO/OSI layers. Issued certificates MUST be notified to the Commission.

| ISO/OSI Layer | Standard | Scope |
|---|---|---|
| 1-4 | ISO 14443 [7] | Hardware |
| 6 | ISO 7816 [12, 20] | Software (OS) |
| 7 | ICAO Application [10, 11] | Software (Application) |

6.3 Common Criteria Evaluation

Passport chips MUST be evaluated in accordance with the relevant Common Criteria Protection Profile [14, 17].

7 Normative References

[1] Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States
[2] Deleted
[3] ICAO NTWG, Biometrics Deployment of Machine Readable Travel Documents, Technical Report, Version 2.0, 05 May 2004 [ICAO Bio]
[4] ISO/IEC 19794-5:2005, Biometric Data Interchange Formats – Part 5: Face Image Data
[5] ISO/IEC 19794-4:2005, Biometric Data Interchange Formats – Part 4: Finger Image Data
[6] Deleted
[7] ISO/IEC 14443, Identification cards – Contactless integrated circuit(s) cards – Proximity cards
[8] ICAO NTWG, Use of Contactless Integrated Circuits in Machine Readable Travel Documents, Technical Report, Version 3.1, 16 April 2003
[9] International Civil Aviation Organization (ICAO), Machine Readable Travel Documents, Doc 9303, Part 1 Machine Readable Passports, Sixth Edition, 2006
[10] Deleted
[11] Deleted
[12] ISO/IEC 7816-4:2005, Identification cards – Integrated circuit cards – Part 4: Organization, security and commands for interchange
[13] Advanced Security Mechanisms for Machine Readable Travel Documents, BSI TR-03110 Parts 1 and 3, Version 2.10 of 20 March 2012
[14] Common Criteria Protection Profile Machine Readable Travel Document with “ICAO Application”, Basic Access Control, BSI-CC-PP-0055 (https://www.bsi.bund.de)
[15] ANSI/NIST-ITL 1-2007, “Data Format for the Interchange of Fingerprint, Facial, Scar Mark & Tattoo (SMT) Information”; FBI: Wavelet Scalar Quantization (WSQ), www.itl.nist.gov/iad
[16] Deleted
[17] Common Criteria Protection Profile for Machine Readable Travel Document with “ICAO Application”, Extended Access Control with PACE, BSI-CC-PP-0056-V2-2012
[18] Brussels Interoperability Group, Terms of Reference
[19] ICAO NTWG, RF Protocol and Application Test Standard for E-Passport; Parts 2&3
[20] ISO/IEC 7816-8:2004, Identification cards – Integrated circuit cards – Part 8: Commands for security operations
[21] Technical Report: Supplemental Access Control for Machine Readable Travel Documents, Version 1.00 of 23 March 2010
[22] Test specifications are set out in BSI TR-03105 Part 3.2, Version 1.3 (https://www.bsi.bund.de)


Annex 4. Transliteration of Ukrainian on travel documents

Table 3 gives the differences between the Ukrainian Resolution On harmonisation of transliteration of the Ukrainian alphabet to Latin of 27 January 2010 № 55 and Appendix 9 “Transliteration recommended for use by States” to Section IV of Part 1 of Document 9303.

Ukrainian   Resolution 55    ICAO
Аа          Aa               A
Бб          Bb               B
Вв          Vv               V
Гг          Hh               G
Ґґ          Gg               G
Дд          Dd               D
Ее          Ee               E
Єє          Ye⁵⁵, ie⁵⁶       IE
Жж          Zh zh            ZH
Зз          Zz               Z
Ии          Yy               Y
Іі          Ii               I
Її          Yi⁵⁵, i⁵⁶        I
Йй          Y⁵⁵, i⁵⁶         I
Кк          Kk               K
Лл          Ll               L
Мм          Mm               M
Нн          Nn               N
Оо          Oo               O
Пп          Pp               P
Рр          Rr               R
Сс          Ss               S
Тт          Tt               T
Уу          Uu               U
Фф          Ff               F
Хх          Kh kh            KH
Цц          Ts ts            TS
Чч          Ch ch            CH
Шш          Sh sh            SH
Щщ          Shch shch        SHCH
Юю          Yu⁵⁵, iu⁵⁶       IU
Яя          Ya⁵⁵, ia⁵⁶       IA

Table 3: Comparison of the Ukrainian transliteration rules with ICAO Doc 9303

Differences are especially noted regarding the so-called iotated vowels: Є, Ї, Ю, Я, which come in two variants in the Ukrainian regulation based on their position in the word, starting with Y- at the beginning of the word, but transliterated as i- in other positions. The same goes for the yot (Й). A special case is formed by the Г, which ICAO by default transliterates to “G”, with the exception of Belorussian and Serbian, where “H” is recommended⁵⁷.

55 The Regulation states “At the beginning of the word”.
56 The Regulation states “In other positions”.
57 Appendix 9 states “except Belorussian and Serbian = H” (it is not excluded that “Ukrainian” was meant here instead of “Serbian”, because in Serbian, at least as early as the nineteenth century per the Vienna Literary Agreement of 1850, the Latin “H” is used to represent the Cyrillic “Х” (which is transcribed as “KH” according to ICAO recommendations), while “Г” is transcribed as “G” and vice versa [JS]).
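The practical consequence of the two schemes is that the same Cyrillic name yields two different Latin strings, one in a passport MRZ (ICAO) and one on a domestic document (Resolution 55), so an exact-string lookup in a register can miss a genuine match or, conversely, a verifier may accept a third spelling that follows neither rule. The following Python is an added illustration, not code from the study or from either regulation: it implements the two columns of Table 3, including the word-initial versus other-position variants of footnotes 55 and 56, and checks which scheme a Latin name field follows. The word-boundary rule (space or hyphen), the dropping of characters absent from Table 3 (soft sign, apostrophe) and the function names are this example's own assumptions.

```python
"""Transliteration of Ukrainian Cyrillic per the two columns of Table 3:
Resolution No. 55 of 27 January 2010 (position-dependent for the iotated
vowels and the yot) and ICAO Doc 9303 Appendix 9 (position-independent,
upper case, as used in the MRZ).  Added example; helper names and the
word-boundary convention are assumptions of this illustration."""

# Resolution 55 letters whose rendering does not depend on position.
_RES55 = {
    "а": "a", "б": "b", "в": "v", "г": "h", "ґ": "g", "д": "d", "е": "e",
    "ж": "zh", "з": "z", "и": "y", "і": "i", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh", "щ": "shch",
}
# Iotated vowels and yot: footnote 55 ("at the beginning of the word")
# versus footnote 56 ("in other positions").
_RES55_INITIAL = {"є": "ye", "ї": "yi", "й": "y", "ю": "yu", "я": "ya"}
_RES55_OTHER = {"є": "ie", "ї": "i", "й": "i", "ю": "iu", "я": "ia"}

# ICAO column: the "other position" forms everywhere, and Г -> G.
_ICAO = {**_RES55, **_RES55_OTHER, "г": "g"}

# Kept verbatim in the output; also delimit words (assumption of this example).
_SEPARATORS = " -"


def _word_start(text: str, i: int) -> bool:
    """True when nothing, a space or a hyphen precedes position i.
    An apostrophe is deliberately not a word boundary (assumption)."""
    return i == 0 or text[i - 1] in _SEPARATORS


def translit_res55(text: str) -> str:
    """Resolution 55 rendering, preserving the case of each source letter."""
    out = []
    for i, ch in enumerate(text):
        low = ch.lower()
        if low in _RES55_INITIAL:
            table = _RES55_INITIAL if _word_start(text, i) else _RES55_OTHER
            latin = table[low]
        elif low in _RES55:
            latin = _RES55[low]
        elif ch in _SEPARATORS:
            out.append(ch)
            continue
        else:
            # Soft sign, apostrophe, digits: not in Table 3, dropped here.
            continue
        out.append(latin.capitalize() if ch.isupper() else latin)
    return "".join(out)


def translit_icao(text: str) -> str:
    """ICAO Doc 9303 rendering: upper case, independent of position."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in _ICAO:
            out.append(_ICAO[low].upper())
        elif ch in _SEPARATORS:
            out.append(ch)
    return "".join(out)


def _norm(latin: str) -> str:
    """Upper-case, turn MRZ filler '<' into blanks and collapse runs of blanks."""
    return " ".join(latin.replace("<", " ").upper().split())


def matching_scheme(latin_name: str, cyrillic_name: str):
    """Return 'res55' or 'icao' according to which scheme produces
    latin_name from cyrillic_name, or None when neither does (a spelling
    an exact-string register lookup would not reconcile).  Where both
    schemes coincide, 'res55' is reported."""
    target = _norm(latin_name)
    if target == _norm(translit_res55(cyrillic_name)):
        return "res55"
    if target == _norm(translit_icao(cyrillic_name)):
        return "icao"
    return None


if __name__ == "__main__":
    # Constructed sample names, not records from the study.
    for name in ("Юлія Яремчук", "Гаврило", "Їжак", "Юрій"):
        print(f"{name:14} {translit_res55(name):20} {translit_icao(name)}")
    # A constructed MRZ-style field checked against a Cyrillic record.
    print(matching_scheme("IAREMCHUK<<IULIIA", "Яремчук Юлія"))
    print(matching_scheme("YURIY", "Юрій"))
```

The check deliberately tries Resolution 55 first and ICAO second, so a name that is identical under both (Київ gives Kyiv and KYIV) is still reported as a match; a spelling such as YURIY for Юрій, which follows neither table, is reported as None and can be flagged for manual review rather than silently accepted or rejected.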
