Interpol makes first border arrest using Biometric Hub to ID suspect

European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler.

The fugitive migrant, we're told, gave a fake name and phony identification documents at a police check in Sarajevo, Bosnia and Herzegovina, while traveling toward Western Europe. And he probably would have got away with it, too, if it weren't for you meddling kids Interpol's Biometric Hub – a recently activated tool that uses French identity and biometrics vendor Idemia's technology to match people's biometric data against the multinational policing org's global fingerprint and facial recognition databases.

"When the smuggler's photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country," Interpol declared. "He was arrested and is currently awaiting extradition."

Interpol introduced the Biometric Hub – aka BioHub – in October, and it is now available to law enforcement in all 196 member countries.

Neither Interpol nor Idemia immediately responded to The Register's questions about how the technology and remote access works.

But Cyril Gout, Interpol's director of operational support and analysis, offered a canned quote: "The Biometric Hub helps law enforcement officers know right away whether the person in front of them poses a security risk."

That suggests Interpol member states' constabularies can send biometric data to BioHub from the field and receive real-time info about suspects' identities.

The multinational policing org has said that Hub's "biometric core" combines Interpol's existing fingerprint and facial recognition databases, which both use Idemia tech, with a matching system also based on Idemia's biometric technology.

Interpol and Idemia have worked together for years. In 1999, he police organization chose Idemia to develop its fingerprint database, called the Automated Fingerprint Identification System (AFIS). And then in 2016, Interpol inked another contract with Idemia to use the French firm's facial recognition capabilities for the Interpol Face Recognition System (IFRS).

According to Idemia, the latest version of its Multibiometric Identification System, MBIS 5, uses "new generation algorithms which provide a higher matching accuracy rate with a shorter response time and a more user-friendly interface."

In its first phase, Interpol will use MBIS 5 to identify persons of interest (POIs) for police investigations.

A second phase, which will take two years to become fully operational, will extend the biometric checks to border control points. During this phase the system will be able to perform up to one million forensic searches per day – including fingerprints, palm prints, and portraits.

• TSA wants to expand facial recognition to hundreds of airports within next decade
• UK policing minister urges doubling down on face-scanning tech
• ICE faces heat after agents install thousands of personal apps, VPNs on official phones
• Someone else has a go at reforming US Section 702 spying powers – and nope, no warrant requirement

Interpol expects the combined fingerprints and facial recognition system will speed future biometric searches. Instead of running a check against separate biometric databases, BioHub allows police officers to submit data to both through one interface, and it only requires human review if the "quality of the captured biometric data is such that the match falls below a designated threshold."

To address data governance concerns, Interpol claims BioHub complies with its data protection framework. Additionally, scans of faces and hands uploaded to the Hub are not added to Interpol's criminal databases or made visible to other users. Any data that does not result in a match is deleted following the search, we're told.

While The Register hasn't heard of any specific data privacy and security concerns related to BioHub, we're sure it's only a matter of time before it's misused.

America's Transportation Security Agency (TSA) over the summer also said it intends to expand its facial recognition program, which also uses Idemia's tech, to screen air travel passengers to 430 US airports. The TSA wants that capability in place within ten years.

The TSA announcement was swiftly met with opposition from privacy and civil rights organizations, along with some US senators who took issue [PDF] with the tech. ®