New 'e-passports' raise security issues
Despite official assurances, some worry that thieves might read chip-toting US passports.
A new generation of United States passports, equipped with short-range radio tags, are arriving in mailboxes across the country. More than 15 million Americans are expected to apply for and receive the high-tech document in the next year. Within a decade, every US passport will contain an RFID (radio frequency identification) chip.
But privacy advocates are voicing concerns that the passport makes Americans more vulnerable to attacks from thieves and terrorists – and perhaps will allow the government to snoop on them as well.
"It clearly is not a secure document," says Barry Steinhardt, director of the technology and liberty project at the American Civil Liberties Union. The new "e-passports," he says, provide "one-stop shopping for terrorists who want to single out Americans for kidnapping or worse."
The State Department, which issues US passports, insists that these kinds of concerns are groundless.
"It's the most secure passport we've ever issued," says Ann Barrett, acting deputy assistant secretary for passport services at the State Department. "It has the next generation of security features."
In August, Denver became the first regional passport office to issue the new passports. Other regional offices will switch over in stages in the weeks ahead. By February or March, all new passports will contain the RFID feature, Ms. Barrett estimates.
The tiny chip, embedded in the back cover of the passport, contains in digital form the same information printed on the biographical page of the passport: the person's name, date of birth, gender, place of birth, issue and expiration dates, and the person's passport photo. When the e-passport is opened and placed within a few inches of a passport "reader" at a US Customs station, it reveals its information.
By displaying the personal data in two forms, print and digitally, an e-passport should be much harder to alter or forge. The digital file is "locked" and unable to be changed even if accessed, the State Department says. Metallic shielding material in the cover and spine make the chip impossible to read illegally, or "skim," unless the passport is opened, and then only from a few inches away.
But not all privacy advocates and security experts have been won over. At a security conference in August, a German hacker showed how he could copy and transfer information from a German e-passport that employs similar RFID technology. And tests made by the American security company Flexilis show how the RFID signal can be read even if the e-passport is opened only a fraction of an inch, such as might happen while it was being carried in a purse or briefcase.
As part of an international agreement, more than two-dozen countries are converting to similar chip-bearing passports – an effort that has been pushed along by the US, Mr. Steinhardt says. All citizens of so-called "visa waiver" countries – those, who in most cases don't need visas to visit the US – must carry e-passports by Oct. 26. The Department of Homeland Security is in the process of installing e-passport RFID readers at airport security checks around the country.
Even though a thief might not be able to decipher the contents of an encrypted RFID chip, simply being able to learn that a person is carrying a passport constitutes a security breach, a Flexilis report says. It also may be possible to identify a unique property of the RFID signal that would indicate it came from an American passport. What if over the 10-year life of the passport, critics ask, remote RFID readers become more powerful and hackers become more expert at breaking in? A proposed worst-case scenario imagines using an American e-passport to set off a hidden bomb as it passes in close proximity.
"The security experts out there and the academic community that studies RFID have raised, I think, some very serious and legitimate questions about whether it's a good idea to have this [passport] information accessible in this way," says Katherine Albrecht, coauthor of "Spychips: How Major Corporations and Governments Plan to Track Your Every Purchase and Watch Your Every Move."
Unfortunately, she says, the State Department has gone ahead with the e-passport program despite receiving public comments that were more than 98 percent negative.
The proposal didn't receive the kind of open, public discussion that "I think would have led to more acceptance," says Ms. Albrecht, a privacy expert who has tracked how businesses and government use RFID tags for several years.
The apparel company United Colors of Benetton decided it was going to ship its clothing laced with RFID tags a few years ago, but changed its mind after a consumer boycott began.
"If it's a company, you can choose not to buy their products," Albrecht says. But if you need a passport, you'll have to carry the electronic version, like it or not. "You can't boycott the State Department," she says. "It's not like it's a free market where there's somewhere else to go if you don't like the policy."
As an extra layer of security, the e-passports first have to be touched to a conventional bar code-type scanner, the same kind used at grocery stores and on current passports, before the RFID chip can be read. This Basic Access Control "acts like a PIN number" to guard the chip, Barrett says.
But Steinhardt wonders, then, why bother with the contactless RFID scan? The State Department says the chip can contain more information than a bar code can, such as a digital photo. Some have speculated that it eventually may contain a fingerprint image, an iris scan, or other data as well.
Or does the chip have a more sinister purpose?
The State Department reneged on a promise to the ACLU that it could bring in independent experts to take a close look at the e-passport before it was issued, Steinhardt says. "There's clearly something else that they have in mind here, and we believe that they want the ability to track people without their knowledge," Steinhardt says. "That's the only explanation for why an RFID chip is in this passport."
Others who are familiar with RFID technology say the scenarios cooked up by e-passport opponents are far-fetched.
"A lot of these concerns, when you think about them in the real world, they start to become really silly," says Mark Roberti, editor of the RFID Journal. "Are there some scenarios where you could possibly skim some data? Well, yes, maybe. Anything's possible. But, logically, what's the real threat here?"
Terrorists, he says, have much easier ways to identify and attack Americans abroad than to try to employ e-passports. If they're close enough to skim the chip, they're close enough to read "United States of America" on the passport cover, he says.
"There's a lot of misinformation out there," Barrett says. "There are a lot of different RFID technologies, and we're certainly not using Wal-Mart inventory-tracking technology. It's a whole different technology."
For example, when read, the e-passport generates a random ID number. If someone is trying to track the movement of a passport by repeatedly scanning a chip, they'd get a different ID number each time.
"So they really wouldn't know it was you again," she says. "We really have put a lot of safeguards in place to protect the information that's on that ... chip."
If a government were to misuse the passport chip, say, to identify someone who had attended an antigovernment protest, Mr. Roberti concedes that "I think that is a legitimate concern."
The State Department's handling of the e-passport introduction has been "less than ideal and a negative for the RFID industry," he adds.
But the situation also been instructive. Companies that plan to use RFID tags to carry sensitive information need "to think about what data is on the tag, how it could be abused ... and then address those issues," Roberti says.