By Declan McCullagh, 26 October 2005 09:05
All US passports will be implanted with remotely readable computer chips starting in October 2006, the Bush administration has announced.
Sweeping new State Department regulations issued on Tuesday say passports issued after that time will have tiny RFID chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitised photograph of the passport holder. Eventually, the government contemplates adding additional digitised data such as "fingerprints or iris scans".
Over the last year, opposition to the idea of implanting RFID chips in passports has grown amidst worries that identity thieves could snatch personal information out of the air simply by aiming a high-powered antenna at a person or a vehicle carrying a passport. Out of the 2,335 comments on the plan that were received by the State Department this year, 98.5 per cent were negative. The objections mostly focused on security and privacy concerns.
But the Bush administration chose to go ahead with embedding 64KB chips in future passports, citing a desire to abide by "globally interoperable" standards devised by the International Civil Aviation Organization, a United Nations agency. Other nations, including the United Kingdom and Germany, have announced similar plans.
In regulations published on Tuesday, the State Department claims it has addressed privacy concerns. The chipped passports "will not permit 'tracking' of individuals", the department said. "It will only permit governmental authorities to know that an individual has arrived at a port of entry - which governmental authorities already know from presentation of non-electronic passports - with greater assurance that the person who presents the passport is the legitimate holder of the passport."
To address citizens' concerns about ID theft, the Bush administration said the new passports will be outfitted with "anti-skimming material" in the front cover to "mitigate" the threat of the information being surreptitiously scanned from afar. It's not clear, though, how well the technique will work against high-powered readers that have been demonstrated to read RFID chips from about 160 feet away.
A State Department official, who did not wish to be identified by name, said on Tuesday: "The shielding in the passport is a physical device that basically, when the passport cover is closed, it's very difficult to read the chip." The official was unable to provide details about the material's composition. The National Institute of Standards and Technology, which has been working to evaluate the chip's vulnerability to skimming, was unable to provide further information on Tuesday.
Privacy advocates said the anti-skimming device was a decent start. But if the cover of the passport happens to be open, all bets are off, said Bill Scannell, a privacy advocate who founded the site RFIDkills.com. He said: "They've built little baby radio stations into people's passports and covered it with concrete but when the little hatch is open, you can still hear the music."
"It's better than nothing," Scannell went on, "but why take this risk?"
In addition, the passports will use "Basic Access Control", a reference to storing a pair of secret cryptographic keys in the chip inside. The concept is simple: the RFID chip disgorges its contents only after a reader successfully authenticates itself as being authorised to receive that information.
Computer scientists, however, have criticised that encryption method as flawed. In a recent paper, RSA Laboratories' Ari Juels, and University of California's David Molnar and David Wagner, warned that the design of the encryption keys is insufficiently secure. They said that the use of a "single fixed key" for the lifetime of the e-passport creates a vulnerability.
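The sketch below is an added example, not part of the original article: it derives the Basic Access Control keys the way ICAO Doc 9303 specifies, from the document number, date of birth and expiry date printed in the passport's machine-readable zone. The inputs are the specimen values from the ICAO worked example, not a real passport, and the function names are illustrative. Because every input is printed in the booklet and never changes, the derived keys stay the same for the life of the document, which is the "single fixed key" property the researchers criticise.

```python
import hashlib

def _value(ch):
    # ICAO 9303 character values: digits as-is, A-Z -> 10..35, filler '<' -> 0
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {ch!r}")

def check_digit(field):
    """Weighted sum with repeating weights 7, 3, 1, taken modulo 10."""
    return sum(_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Key material: each printed field followed by its own check digit."""
    doc_number = doc_number.ljust(9, "<")
    if len(doc_number) != 9:
        raise ValueError("document number longer than 9 characters")
    for date in (birth_yymmdd, expiry_yymmdd):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be six digits, YYMMDD")
    fields = (doc_number, birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(check_digit(f)) for f in fields)

def _odd_parity(key):
    # DES convention: set each byte's low bit so the byte has an odd bit count
    return bytes((b & 0xFE) | (1 ^ (bin(b >> 1).count("1") & 1)) for b in key)

def odd_parity_ok(key):
    return all(bin(b).count("1") % 2 == 1 for b in key)

def bac_keys(doc_number, birth_yymmdd, expiry_yymmdd):
    """Return (K_seed, K_enc, K_mac); nothing secret enters the derivation."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    def derive(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])
    return k_seed, derive(1), derive(2)

# Specimen values from the ICAO Doc 9303 worked example (not a real passport).
SPECIMEN = ("L898902C<", "690806", "940623")

if __name__ == "__main__":
    seed, k_enc, k_mac = bac_keys(*SPECIMEN)
    print("MRZ information:", mrz_information(*SPECIMEN))
    print("K_enc:", k_enc.hex(), " K_mac:", k_mac.hex())
    # Same printed data, same keys, every time the passport is read.
    print("fixed for document lifetime:", bac_keys(*SPECIMEN)[1] == k_enc)
```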
The Bush administration could face an eventual legal challenge. A letter to the State Department from privacy groups says there is "no statutory authority" for the RFID passport because Congress has not authorised it.
Lee Tien, staff attorney for the Electronic Frontier Foundation, which co-authored the comments, said: "Our point is, whatever Congress may have meant in giving the State Department authority to issue passports was probably to issue passports that were like the old passports.
"But at some point you are doing something that is significantly different, which should probably require some sort of additional congressional authorisation. The argument is how broadly does that authority go, and honestly, it's something no one knows."
Declan McCullagh writes for CNET News.com
Comments
There are 9 comments.
1. anonymous
A couple of seconds in a microwave oven should stop any identity thieves.
2. anonymous
Hopefully this initiative will significantly reduce the small number of Americans who possess a passport and do travel.
Don't suppose it will hinder the ones who travel as part of occupational forces though.
3. Winston Smith
Excellent tech development! Made better by the clever use of the passport cover to "screen" the RFID from malicious scanning. Presumably someone such as the Customs official will have to open the passport to allow the remote scanner to do its work, while the official kills time and reads the passport ...
4. Richard
How do I know when it's broken?
With a paper passport, I can see when the photo page of my passport is torn.
How can I tell whether the RFID chip is faulty or damaged: Before travelling and being refused entry?
What happens if the RFID chip fails to work: Will it just mean me queuing for even longer, or will it lead to being refused entry by busy or lazy staff?
5. anonymous
Brilliant Idea!! Until..... Some clever terrorist designs a bomb that will detonate when some poor innocent carrying an RFID equipped passport happens to walk or drive by. Talk about making it easy to target a particular group of people. Utter stupidity.
6. Kelly LeDott
Democracy in action. 98 percent surveyed were against it so they get it anyway. A smashing success
7. Zakala
An "anti-skimming device"? Come on 'fess up - it's a lead-lined passport isn't it?
Presumably to match the cast-iron guarantees that the US administration would never, ever walk all over the human rights of anyone.
Probably about as believable too.
8. Richard A.
Not remotely useful...
A remote readable passport that can't be read remotely unless it is opened for inspection...?
And it is justified by stating it only does what existing passports do? Why bother then?
How can they tell as soon as somebody arrives in a port if the passport is closed?
Not even remotely sensible.
9. anonymous
The Basic Access Control works by requiring the scanner to have optical access to the passport page which has the key printed on it. It then uses that key to authenticate itself to the RFID chip in the passport so that it can read the details. So the border control operative still needs to open the passport and place it in a reader, but they themselves don't need to be literate (a benefit in the US).
What's more, just because the US are putting shielding on their passports so Americans can't be targeted abroad, doesn't mean they will allow other countries to put shielding in their own passports if they want their citizens to have entry to the US. Watch this space!