First US E-Passports Released, Privacy Activists Not Pleased

The Wall Street Journal (subscription required) recently hosted an email exchange between Assistant Secretary of State Maura Harty and American Civil Liberties Union attorney Barry Steinhardt to debate the security of the new e-passports.

The new passports have embedded chips containing personal data including name, date of birth and a digital photo and can be read by a scanner using wireless technology called radio-frequency identification (RFID). The idea behind these “e-passports” is that they will help in an effort to tighten immigration by making passports harder to counterfeit.

However, privacy advocates are not pleased by the use of these RFID chips, the same technology used by retailers such as Walmart to track merchandise. Some worry about the potential of identity thieves to take advantage of this technology. Or worse, could this be a silent move toward the U.S. eventually tracking its people?

Barry brings up some good issues while Maura struggles to explain exactly what we, as passport holders, gain from these new e-passports. Is this really a net positive for Americans? See what you think:

_________________________________________________________

Maura Harty begins: Good morning. It’s a pleasure to have the chance to discuss the integration of cutting-edge technology to supplement the security of one of the most important documents every American should have — a passport.

Last month we started issuing the next generation of passports — the e-passport, which incorporates biometric and electronic technology into the world’s most valuable travel document. With these enhancements, the U.S. passport will continue to be the gold standard among travel documents, and will strengthen our ability to ensure that only the authorized bearer of a U.S. passport can use it.

The e-passport enables a more efficient, accurate review of legitimate travelers. The passport contains biometric information — a digital photograph of the holder — to allow border inspectors to verify that travelers are who they say they are. It then uses several security features to defeat attempts to tamper with the document and compromise its integrity and security. A radio-frequency identification — RFID in tech-speak — chip is embedded into the cover of the passport, and it contains only the same information that is printed on the passport’s data page. A digital signature electronically locks the chip so the information cannot be modified. The passport book contains material that shields the chip’s RFID signal, so it will lie inert and undetectable until it is opened, as when travelers present themselves at a port of entry. Finally, we use Basic Access Control technology so that the information on the chip can be read only after it is unlocked by special readers at ports of entry.

Our new generation of passports provides a secure way to verify that travelers are who they say they are when they enter the country, answering one of the concerns raised by the 9/11 Commission, which recommended establishing this type of passport system. We have used overlapping layers of security to guard the information on the chip against illicit interception, while providing technology that boosts the ability of U.S. officials to access data needed to secure our borders.

This is a secure passport for insecure times.

Barry Steinhardt replies: I welcome this opportunity to discuss this important issue with the State Department and thank Maura for engaging in this exchange.

We can talk about the supposed security of these passports, but my first question is, why are we even having this debate? Why has the State Department been so fixated on using fundamentally insecure RFID technology in our passports?

Originally, the State Department introduced a passport design that included naked RFID tags with no security whatsoever — completely open and able to be read and cloned by anyone with an RFID reader. In fact, the U.S. steamrolled over the objections of other nations in requiring RFIDs as part of a new passport standard (see our white paper on that history). And it tried to steamroll over the objections put forward by the ACLU and other critics claiming that the RFID chip could only be read from a few centimeters away — relenting only when at a large conference in the presence of a State Department official, I provided a live demonstration of how easily data could be stolen from a distance.

Now the State Department is touting this “Basic Access Control” technology, which as Maura points out is supposed to block the chip from being read until a bar code physically printed in the passport has been scanned. But why then are RFIDs needed at all? The whole supposed advantage of the chips was that they are “contactless.” The traveler could supposedly get through immigration faster because they would not need to come into physical contact with a reader. (For a time, the government was calling these chips “Contactless Integrated Circuits,” which failed to obscure the fact that they are what everyone knows as RFIDs.) If the passport must be physically scanned now anyway, why not use a more secure *contact* technology like the bar code itself to store the data?

The insistence on RFID, even when the technology no longer serves its original purpose, is almost enough to make one wonder whether some in the government really are already planning to use this technology for expanded purposes, such as remote tracking of Americans.

Ms. Harty responds: Barry, I want to clarify some points to avoid any misconceptions among those who are following our debate.

International consensus, under the auspices of the International Civil Aviation Organization through discussions that began almost a decade ago, emerged on using RFID technology, as opposed to contact technology that requires touching the passport to a reader. RFID technology can store facial images or other biometrics, unlike two-dimensional (2D) bar codes, and is not proprietary. An RFID approach does not constrain countries’ options in constructing and producing their national passports to the degree contact technology would. Of interest to the frequent flyer, contactless technology is generally more reliable and durable than contact technology when used in a passport. Far from the U.S. “steam-rolling” other nations, a long, consultative effort involving many nations produced to apply the advantages of RFID technology to enhance secure e-passports.

We are confident that the current design of the U.S. e-passport — the combination of anti-skimming, Basic Access Control and Random Unique ID features — is the most secure e-passport issued around the world, designed to defeat any attempt to track travelers or otherwise surreptitiously read the data on the e-passport chip.

Mr. Steinhardt says: Maura, well, the documents obtained by the ACLU — available on our Web page and summarized in our white paper — show that the U.S. did, in fact, steamroll the rest of the world. It’s quite clear that many other nations objected to RFID, which the U.S. insisted upon on the basis that skimming [unauthorized reading of a chip] couldn’t be done (which the State Department has now conceded is false, which is why you instituted the Basic Access Control).

As far as the BAC and the other measures you cite, their effectiveness is still very much in question. Security measures are always strengthened through openness and testing, and these passports could have benefited from more expert feedback BEFORE they went into production.

Frank Moss, the Deputy Assistant Secretary of State for Passport Services, actually promised several times to give us a demonstration of the new technology. That never happened. Had he come through, we expect we and the technological experts we work with could have started to do that.

Now that the technology has been finalized without that input, flaws are already being pointed out:

• A hacker has already demonstrated that the passports can be cloned.
• The shielding in the cover only works when the passport is closed — that still creates many opportunities for skimming, given how often one must show one’s passport while traveling.
• Experts have also raised questions about the technological soundness of the shielding.
• Experts have pointed out that RFID chips can still be identified by unique patterns in their radio exchanges. As it stands, the nationality of Americans traveling to potentially dangerous locations will be all too easily identified. It will be like putting a bull’s eye on their back for every terrorist or criminal to see.

And that’s just what’s been uncovered in the short time these chips have been available; who knows what will be achieved in the 10-year lifespan of the chips now being used?

Where’s the evidence that this RFID is more durable than a 2D barcode, which can also hold substantial amounts of information, but can’t be as easily skimmed? Common sense would indicate that a barcode will be far less fragile than an RFID chip — and would not carry with it all of the security problems and questions that RFIDs bring.

Ms. Harty says: Barry, we need to set the record straight on your last statement. The Department of State has designed a secure document, with comprehensive planning and coordination with industry and international partners. Your latest statement seized on individual pieces that I believe distort this program, just as focusing on individual aspects of the secure e-passport disregards the integral security system that makes this a very, very good travel document.

Your statement suggests that experts have identified flaws in the components of the e-passport security package. We have reviewed the important security and integrity issues with qualified leaders in the field and they simply disagree with your views. If an unscrupulous hacker were to clone, skim or identify a chip, there would still be a number of hurdles — from anti-skimming shielding in the passport cover, to a Basic Access Control lock on the chip, to a digital signature — to clear before accessing the traveler’s data.

The fact is that the RFID chip can be read only three to four inches away. Because the power needed to read data increases with the cube of the distance, my experts tell me, a reader strong enough to read an RFID chip across an airport terminal could generate enough power to damage the passport!

I have to disagree with how you characterize international diplomacy and negotiation. The Department of State brought a technologically sound proposal to ICAO, which was adopted by consensus. We remain convinced that the contactless e-passport offers important security advantages to the world of international travel. Many nations around the world have issued e-passports to their citizens without incident. The e-passport is so secure that it is being issued, or planned to be issued, by countries that are not part of the U.S. Visa Waiver Program, attesting to the importance of the e-passport to assuring border security around the world.

Like any major federal initiative, the e-passport was developed through a comprehensive rulemaking process that solicited and incorporated comments from the public as well as privacy advocates. As a result of some of the issues raised by the privacy groups, we made major changes to the passport: expanding the shielding material to cover the spine of the book, and adding basic access control and a randomized unique identification feature.

Readers may be more interested in the e-passport itself, and the ways it safeguards their information, than the process that led to its creation, so let me talk about that for a moment. There are many layers to the security in the new U.S. e-passport. The passport has been comprehensively redesigned to further enhance its physical security features and resistance to counterfeiting. There is new artwork, Intaglio printing [where an image is incised into a surface], and a suite of new security features including the chip and digital signature.

Additionally, as discussed, anti-skimming material along with Basic Access Control prevents the chip from communicating with a reader unless the book has been opened and the Machine Readable Zone [the characters on the passport page read with an electronic scanner] read. This mitigates the risk of inadvertently providing the data stored on the data page without the bearer’s knowledge. The data in the chip duplicates that printed in the book and in the Machine Readable Zone. If any of these elements is changed, that counterfeit change could be detected through a failure in the digital signature. Together these features present a book that significantly raises the bar on security and counterfeiting.

Mr. Steinhardt responds: Maura, plainly we have a disagreement about the technical issues.

Let me make a suggestion. Are you willing to abide by your point person Frank Moss’s original proposal to me and have our technical experts examine the passport and report on the potential vulnerabilities if any?

Ms. Harty replies: Barry, I would be happy to have an off-line conversation to convince you of the advantages of our passport.

In the meantime, it should interest travelers to learn that our colleagues at the Department of Homeland Security implemented the first e-passport readers in the U.S. yesterday (Sept. 27). Travelers who pass through San Francisco will now be able to experience firsthand the benefits of the secure e-passport!

I want to thank you, Barry, and especially Wall Street Journal Online, for giving me the opportunity to discuss the latest enhancement to the U.S. passport. I wish the Journal’s readers pleasant travel.

Mr. Steinhardt concludes: Maura — Many thanks, I would be happy to have an offline conversation. But, I remain very disappointed that the State Department has gone ahead and adopted the RFID-laden passport that not only threatens our privacy, but our safety as well. There is of course nothing wrong with reasonable efforts to increase the security of our passports. But RFID technology not only has the far-reaching potential to morph into a privacy-invading system for tracking individuals, but its use in passports may make us less safe outside the U.S., where every terrorist, identity thief or other criminal will be able to get surreptitious access to our nationality and other identifying information.

I am also disappointed that State reneged on its promise to allow for an independent evaluation of the technology and that Maura was unwilling to recommit to that evaluation as part of this debate.

Finally, I would like to conclude by observing that these passports must be viewed in a broader context — this administration has consistently placed undue emphasis on *identity* as a means of increasing our security. From RFID passports to the “Real ID” plan to federalize driver’s licenses to its string of failed airline passenger profiling systems, we have seen an unfortunate, consistent effort to protect against terrorism by emphasizing the tracking of identity. I would argue that this is a fundamental strategic error — a Maginot Line that will not stop terrorists who quickly adapt to these new systems, but will just lead to a more regimented society, alien to the traditional American way of life, and where at every turn we will be asked for our “papers please.”
