Department of State Begins Issuing Electronic Passports to the Public

[Human]

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

http://www.state.gov/r/pa/prs/ps/2006/70433.htm

 

To enhance border security and to facilitate travel, the Department of State began issuing Electronic Passports (e-passports) to the public today. Production has started at the Colorado Passport Agency and will be expanded to other production facilities over the next few months.

 

Consistent with globally interoperable specifications adopted by the International Civil Aviation Organization (ICAO), this next generation of the U.S. passport includes biometric technology. A contactless chip in the rear cover of the passport will contain the same data as that found on the biographic data page of the passport (name, date of birth, gender, place of birth, dates of passport issuance and expiration, passport number), and will also include a digital image of the bearer’s photograph.

 

 

The Department of State has employed a multi-layered approach to protect the privacy of the information and to mitigate the chances of the electronic data being skimmed (unauthorized reading) or eavesdropped (intercepting communication of the transmission of data between the chip and the reader by unintended recipients). Metallic anti-skimming material incorporated into the front cover and spine of the e-passport book prevents the chip from being skimmed, or read, when the book is fully closed; Basic Access Control (BAC) technology, which requires that the data page be read electronically to generate a key that unlocks the chip, will prevent skimming and eavesdropping; and a randomized unique identification (RUID) feature will mitigate the risk that an e-passport holder could be tracked. To prevent alteration or modification of the data on the chip, and to allow authorities to validate and authenticate the data, the information on the chip will include an electronic signature (PKI).

 

 

The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level.

[Freedom]

The American Civil Liberties Union hereby comments on and formally opposes the Department of State's proposed rule creating "electronic passports" by including radio frequency identification chips (RFIDs) in US passports. [1] The proposed rule is outlined at 70 Fed. Reg. 8305-8309, "Electronic Passports," RIN 1400-A893. These chips compromise Americans' privacy, expose them to danger from terrorists and criminals and provide a limited security benefit. Instead, US passports standards should employ a contact chip -- one that can only be read through contact between a reader and chip. This solution would mitigate many of the concerns raised below and better serve the privacy and security interests of US passport holders.

 

The proposed rule contemplates that the data will not be encrypted. As a result, the US passport will broadcast individual identity information for anyone with an RFID reader to steal, a process called "skimming."

 

Passport holders have always had the ability to decide to whom they will show their passports. This gives them the opportunity to shield their personal information from other people, such as terrorists, criminals and any other individual who may bear them ill will.

 

Passports contain extremely valuable information including an individual's date and place of birth. This data would be invaluable for an identity thief because it could be used to gain access to an individual's birth certificate. Recent disclosures of personal information by ChoicePoint Inc. highlight the danger that can result from improper disclosure of these types of personal information.

 

In addition to skimming RFIDs are susceptible to the problem of third parties intercepting information when it is being transmitted from the chip to the reader -- what the State Department calls eavesdropping.

 

The State Department has not conclusively demonstrated that RFID chips would last for the full 10 years for which U.S. passports are valid. As the ICAO states, "most Chip applications assume a chip/smartcard validity of 2-3 years - how such technology will perform over 5-10 years is yet to be tested in real world applications as the technology typically has not been deployed with consumers for that length of time."

 

Nothing in the proposed rule prevents "cloning" these passports - skimming the data off of a passport chip, and then copying it in its entirety onto another RFID chip. Thus, this proposed rule is a recipe for counterfeiting disaster. As we noted above, skimming and eavesdropping are very real possibilities with RFIDs. A counterfeiter, therefore, could copy the data on a passport holder's chip and reproduce it exactly. The data skimmed from a passport could also be used to forge a duplicate of the actual physical passport, since all the information needed to do so, including the subject's photograph, will be stored "free and clear" on the RFID tag.

 

The proposed rule does not address the significant new costs associated with including an RFID chip in passports. According to documents obtained by the ACLU through a Freedom of Information Act request, Frank Moss, Deputy Assistant Secretary, Passport Services, stated in a 2003 speech that RFID chips are likely to increase the government's costs of producing passports from $2.40 to a passport range of $6 to $10. Additionally, the State Department has stated that it will replace any passport that has a chip failure. This commitment represents a significant unknown cost because, as noted above, the long-term viability of RFID chips has not yet been tested in a real world application and may not be realistic over a 10-year period.