Passports go electronic with new microchip
Next year, new US passports will have a chip slipped under the cover, containing biometric and personal data. But privacy advocates worry about surveillance.
The US passport is about to go electronic, with a tiny microchip embedded in its cover. Along with digitized pictures, holograms, security ink, and "ghost" photos - all security features added since 2002 - the chip is the latest outpost in the battle to outwit tamperers. But it's also one that worries privacy advocates.
The RFID (radio frequency identification) chip in each passport will contain the same personal data as now appear on the inside pages - name, date of birth, place of birth, issuing office - and a digitized version of the photo. But the 64K chip will be read remotely. And there's the rub.
The scenario, privacy advocates say, could be as simple as you standing in line with your passport as someone walks by innocuously carrying a briefcase. Inside that case, a microchip reader could be skimming data from your passport to be used for identity theft. Or maybe authorities or terrorists want to see who's gathered in a crowd and surreptitiously survey your ID and track you. Suddenly, "The Matrix" looks less futuristic.
The State Department maintains that such scenarios are outright fiction.
"A person can't be tracked," says Kelly Shannon, spokeswoman for the Bureau of Consular Affairs at the State Department. "It's not as if the information is going to broadcast and anyone with a receiver can be picking up that signal. There isn't a signal."
The passport, issued to officials and diplomats in early 2005 and to the public by the end of the year, is accessed using a reader that "pings" the microchip in order to release the data, much like proximity cards used for workplace ID badges. What prevents surveillance is that "the passport can only be read at a distance of 10 centimeters or less," explains Randy Vanderhoof, executive director of the Smart Card Alliance, an industry association that represents the four companies that produced prototype chips for the State Department.
Concerns of privacy advocates have "no validity," he says. "The purpose of the passport is to create a more secure travel document. The introduction of contactless chip technology has accomplished that."
The response of technology experts and privacy advocates is simply: "Rubbish."
"It's perfectly reasonable that the government wants a machine-readable photograph," says Bruce Schneier, a security guru and author of "Beyond Fear." "I just worry that they are building a technology that the bad guys can surreptitiously access."
The idea that the chips cannot be read beyond 10 centimeters (four inches) doesn't fly with him. "There is no impossible," Mr. Schneier says. "So they [the manufacturers] guarantee that there will be no technological advances in the next 10 years that will change that? It's absurd."
In fact, data skimming is already common in other arenas, says Richard Doherty, research director for the Envisioneering Group, a technology-assessment company out of Seaford, N.Y. "Bluejacking," where someone with the right equipment can hijack your phone, grab your directory, history of calls, and electronic serial number just by walking past you while you're on the phone, and "war-driving," where an individual drives down the street with a computer that maps all the networks that are free along with their IDs - these are already significant security issues, he says.
"This whole world of wireless is one that, yes, it has tremendous convenience, but it's increasingly threatened by a cloud of easy-to-exploit criminal means," Mr. Doherty says.
But why not choose a contact chip, where there would be no possibility of skimming, asks Barry Steinhardt, director of the ACLU's Technology and Liberty Project. "You don't have to have a 'contactless' integrated circuit," he says. "There was another way to go, which was to put an electronic strip in the passport that would require contact. It would make theft far less likely."
The State Department says it's just following international standards set by the International Civil Aviation Organization (ICAO), under the umbrella of the United Nations. In May 2003, the ICAO specified the RFID and facial biometric or digitized head shot now being adopted by other countries at the behest of the United States. All countries that are part of the US visa-waiver program must use the new passports by Oct. 26, 2005.
Mr. Steinhardt calls the State Department's approach "policy laundering," and says the US pushed through the standards against the reservations of the Europeans. "Bush says at the G8 meeting, 'We have to adhere to the global standard,' as though we had nothing to do with it. It was masterful from a political perspective," he says in exasperation.
But even the ICAO, in the small print of a document published last May titled, "Use of Contactless ICs in Machine Readable Travel Documents," acknowledges the new RFID chips won't be foolproof: "... it is unlikely that unauthorized reading will occur. However, this cannot be completely ruled out."
Although the data on the chip will not be encrypted, for the sake of easing "interoperability" across international borders, Ms. Shannon says, the government does plan to incorporate a security feature that will largely prevent skimming. Embedded fibers in the front and back covers will shield the passport from electronic probing, at least while it is closed. Other security features in the new passports include a digital or electronic seal that will ensure the document is authentic and smart-card technology that renders the chip inoperable if it is tampered with using energy waves or radio waves.