New 'e-passports' raise security issues

A new generation of United States passports, equipped with short-range radio tags, are arriving in mailboxes across the country. More than 15 million Americans are expected to apply for and receive the high-tech document in the next year. Within a decade, every US passport will contain an RFID (radio frequency identification) chip.

But privacy advocates are voicing concerns that the passport makes Americans more vulnerable to attacks from thieves and terrorists – and perhaps will allow the government to snoop on them as well.

"It clearly is not a secure document," says Barry Steinhardt, director of the technology and liberty project at the American Civil Liberties Union. The new "e-passports," he says, provide "one-stop shopping for terrorists who want to single out Americans for kidnapping or worse."

The State Department, which issues US passports, insists that these kinds of concerns are groundless.

"It's the most secure passport we've ever issued," says Ann Barrett, acting deputy assistant secretary for passport services at the State Department. "It has the next generation of security features."

In August, Denver became the first regional passport office to issue the new passports. Other regional offices will switch over in stages in the weeks ahead. By February or March, all new passports will contain the RFID feature, Ms. Barrett estimates.

The tiny chip, embedded in the back cover of the passport, contains in digital form the same information printed on the biographical page of the passport: the person's name, date of birth, gender, place of birth, issue and expiration dates, and the person's passport photo. When the e-passport is opened and placed within a few inches of a passport "reader" at a US Customs station, it reveals its information.

By displaying the personal data in two forms, print and digitally, an e-passport should be much harder to alter or forge. The digital file is "locked" and unable to be changed even if accessed, the State Department says. Metallic shielding material in the cover and spine make the chip impossible to read illegally, or "skim," unless the passport is opened, and then only from a few inches away.

But not all privacy advocates and security experts have been won over. At a security conference in August, a German hacker showed how he could copy and transfer information from a German e-passport that employs similar RFID technology. And tests made by the American security company Flexilis show how the RFID signal can be read even if the e-passport is opened only a fraction of an inch, such as might happen while it was being carried in a purse or briefcase.

As part of an international agreement, more than two-dozen countries are converting to similar chip-bearing passports – an effort that has been pushed along by the US, Mr. Steinhardt says. All citizens of so-called "visa waiver" countries – those, who in most cases don't need visas to visit the US – must carry e-passports by Oct. 26. The Department of Homeland Security is in the process of installing e-passport RFID readers at airport security checks around the country.

Even though a thief might not be able to decipher the contents of an encrypted RFID chip, simply being able to learn that a person is carrying a passport constitutes a security breach, a Flexilis report says. It also may be possible to identify a unique property of the RFID signal that would indicate it came from an American passport. What if over the 10-year life of the passport, critics ask, remote RFID readers become more powerful and hackers become more expert at breaking in? A proposed worst-case scenario imagines using an American e-passport to set off a hidden bomb as it passes in close proximity.

"The security experts out there and the academic community that studies RFID have raised, I think, some very serious and legitimate questions about whether it's a good idea to have this [passport] information accessible in this way," says Katherine Albrecht, coauthor of "Spychips: How Major Corporations and Governments Plan to Track Your Every Purchase and Watch Your Every Move."

1 | 2

Next