
BSI TR-03170 Secure electronic transmission of photographs to passport, identity card or foreigner authorities

Overview

On 11th December 2020, the law „Gesetz zur Stärkung der Sicherheit im Pass-, Ausweis- und ausländerrechtlichen Dokumentenwesen“ was published in the Federal Law Gazette (Bundesgesetzblatt). The aim of the law is to establish appropriate security measures to ensure the secure transmission of electronic photographs to passport, identity card and immigration authorities. The Ordinance „Verordnung zur Änderung der Personalausweisverordnung, der Passverordnung, der Aufenthaltsverordnung sowie weiterer Vorschriften“ of 30th October 2023 enshrines the legal basis for using a cloud-based transmission procedure for photographs in accordance with BSI TR-03170.

Risk of Morphing

Morphing is a technique for electronically manipulating photographs (i.e. passports, identity cards and identity documents under foreign national law) by digitally fusing several facial images into a single image and thus showing the facial features of different persons in one photograph.

Morphing manipulation threatens the core of the passport or identity card as an identity check tool, so that the previous practice, according to which applicants submit printed photographs to the passport, identity card or foreigners authority, no longer meets the current security requirements.

Strengthening security through procedures for the digital transmission of photographs

The Act on Strengthening Security in Passport, Identity Card and Foreigner Documents provides for changes in the laws and regulations on passport and identity card matters as well as in the Residence Act and the Residence Ordinance, according to which manipulation of government documents by morphing is to be specifically countered in the future by creating the photograph exclusively digitally and transmitting it to the authority in a secure electronic way from 1st May 2025. Until then, the previous process of creating and transporting the photographs will be retained by the photographers.

Subject of the Technical Guideline

The Technical Guideline BSI TR-03170 regulates the digital transmission of biometric photographs from service providers (e.g. photographers) to passport, identity card or foreigners authorities via a secure cloud service and defines requirements for the certification of services for this procedure. All responsible authorities will be able to retrieve the photographs from service providers certified in accordance with BSI TR-03170.

Contact:

The Federal Office for Information Security (BSI) is responsible for the supervision of these Technical Guidelines.

Federal Office for Information Security
D 15 - eID solutions for digital administration
P.O. Box 20 03 63
53133 Bonn
E-mail: resiscan@bsi.bund.de

Technical guideline and interface specification

The technical guideline is divided into three normative documents and a specification of the interface according to the target group:

BSI TR-03170 is divided into a framework document, Part 1 – ‘Requirements for the cloud service’ and Part 2 – ‘Requirements for the software’ and is aimed at providers of photo services for biometric photographs that transmit digitally via a cloud to the passport, identity card and immigration authorities.

Certifications according to Part 1 or Part 2 of the Technical Guideline BSI TR-03170 prove the data protection-compliant and tamper-proof transmission of biometric photographs required by law.

The interface specification associated with the Technical Guideline enables the interoperable retrieval of biometric photographs by the responsible authorities and is aimed at cloud providers and process manufacturers.

Main document

Interface specification

Test specification

Certification process according to TR-03170

The certification process of BSI TR-03170 can be divided into two parts. For a complete implementation of the Technical Guideline in accordance with the requirements of the Ordinance, both a certification according to BSI TR-03170-1 and a certification according to BSI TR-03170-2 are required.

With BSI TR-03170-1, the cloud to which the photographs are transferred and from which they are retrieved is certified.

BSI TR-03170-2 is used to certify the application used to transfer the photographs to the cloud.

The two certifications can be carried out jointly or separately.

Contacting auditors and certification bodies

For the certification process according to BSI TR-03170-1, which is carried out as management certification, auditors for BSI IT-Grundschutz or CC-Evaluators with experience in the field of ALC (Assurance: Life-Cycle) of recognised CC certification bodies have to be used.

The certification according to BSI TR-03170-2, which is carried out as product certification, must be executed by recognized test bodies for the certification according to TR-03170.

Information on the course of certification and application to the BSI

Specific information on the procedure for certification according to TR can be found here.

Application information and contact details for certification can be found here.

Overview of successfully certified products/systems

After successful certification, all certified products are listed as such on the BSI website. If you would like to find out which certifications are available according to TR, you can find this information here.

FAQ

The FAQ is currently under construction and will be published here shortly.