The invention relates to the use of identification (ID) documents equipped with a picture of a document's holder, e.g., a driver's license, or a plastic card having the size of a credit card, or a passport. In a common use of such an ID document, a human operator compares the picture on the document with the face of the document holder to assess entitlements sought by the document's holder based on credentials as defined by additional data in the document. A passport, for instance, gives access to a country based on nationality of the document's holder.
A problem encountered with such documents is that they are frequently copied with false credentials or a false picture.
A common solution to this problem is the application of physical tamper detection methods such a sealing foil covering both the picture and the document, often combined with special inspection tools, like polarized light, to probe the tamper detection method. However, the use of such inspection tools often requires a skilled operator.
Another possible solution, referred to in paragraph [0002] of EP-B1-0.539,439, to tampering with the picture attached to the ID document is in using smart cards provided with a microprocessor having a processor and a memory. The memory in the card chip stores a digital copy of the picture on the card. A terminal is provided to read the content of the memory of the chip card and to display the stored image on a monitor to an operator. Then, the operator compares the displayed image on the monitor with the face of the actual card holder. This solution may even obviate the need to attach the picture on the card itself. However, this solution requires costly display equipment which, amongst other reasons, has made this solution unsuitable in particular areas of industry which offers great potential to the use of smart cards, such as public transit systems where ID smart cards are sought as efficient improvement of traditional discount passes.
A further problem encountered in ID systems is in protecting the privacy of the individual using the ID document. Especially in case such an ID document is realized as an electronically readable smart card protection may be required from uncontrolled and/or unapproved collection of data identifying the individual and his or her use of the smart card.
To protect the privacy of the card holder, cryptographic techniques, e.g., blind signatures, may be applied to the process of reading ID and credential data from the smart card. However, the use of pictures stored in a card memory and read by a terminal for display on a monitor to an operator in principle defeats such cryptograpnic privacy protection. In such a case, the terminal is not only able to collect uniquely and strongly identifying data about individuals, i.e. their pictures, but also the nature of this data poses an additional threat in which, for instance, the individual may be compromised through digital image manipulation techniques.
U.S. Pat. No. 5,748,763, column 58, line 24, to column 62, line 45, describes a method and an arrangement for enhancing the security of credit and debit cards. The arrangement disclosed has a computer arranged for receiving a digital image of the card holder. After having analyzed the digital image the computer generates a snowy image which is generally orthogonal to the digital image and adds this to the digital image to render an amended, unique image. The intended effect is to “texturize” the original digital image. It is not necessary that the snowy image itself is invisible to a person looking at the image. However, the image of the card holder may not be obscured by the snowy image. The amended, unique image is printed on the card. Moreover, tile unique information is also stored in a central accounting network.
In a steganographic embodiment the snowy image is such that it is hidden in the photographic image of the person on the card. More detailed information as to steganography can be found in U.S. Pat. No. 5,613,004 and the references cited in this document. For the sake of the present invention steganography will be understood to relate to any method of obscuring information that is otherwise in plain sight. The information is hidden in another medium. It is used as an alternative to encryption. E.g., spreadsheets or graphics files could contain a text message invisible to an unaware person. People unaware of the hidden information will not recognize the presence of steganographically hidden information even if the information is in plain view.
In U.S. Pat. No. 5,748,763, referred to above, a scanner is provided to scan the card when the card holder wishes to use his card for a predetermined transaction, e.g., automatic payment from his account to pay for a product. The scanner is connected to the central accounting network. By means of a secure communication protocol the image of the card scanned by the scanner is transmitted to the central network. The central network is arranged to receive the transmitted information and to authenticate the validity of the image on the card.
Additional security to the known system may be provided by requesting the card holder to input a PIN during the scanning process. Moreover, additional security is provided by letting a third party, during the scanning process, check whether or not the person trying to carry out a transaction with the card is the person who's photo is on the card.
A disadvantage of the system and method disclosed by U.S. Pat. No. 5,748,763 is that it is only to operate when a central network is provided having stored all unique images of all participating cards.