To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/government/0,39024677,39161399,00.htm

RFID-chipped passports cross the pond
Privacy, we hardly knew you

By Anne Broache

Published: Tuesday 15 August 2006

A first wave of US passports implanted with RFID tags will soon begin making their way into the hands of American travellers despite lingering privacy and security concerns, federal officials said.

Not long after researchers at a pair of security conferences in Las Vegas demonstrated potential risks associated with the new documents, the US State Department insisted the documents are tamperproof and said it had begun producing them at the Colorado Passport Agency, which serves applicants from that state and the Rocky Mountain region.

The agency said it plans to issue the documents through the nation's other passport facilities within the next few months, as part of its original plan to make all future passports electronic by October. It was unclear how many e-passports would be mailed out this year, although a State Department representative said Monday that the agency expects to distribute a total of 13 million passports by year's end.

The new passports, which have been undergoing testing for several months and have already been issued to some US diplomats, will be equipped with radio frequency identification (RFID) chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitised photograph of the passport holder. They employ a "multilayered approach" to protect privacy and reduce the possibility that passers by can skim data from the books, the agency said.

"The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level," the agency said in a statement.

State Department officials claim that a layer of metallic anti-skimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed. The document will also employ a cryptographic technique called Basic Access Control, which means the RFID chip unveils its contents only after a reader successfully authenticates itself as being authorized to receive that information.

State Department spokesman Kurtis Cooper dismissed recent concerns raised by security researchers that the passports could nevertheless be "cloned" - copied and used in a forged passport. The agency is confident that other security features built into the book would foil would-be imposters, he said.

The cloning technique demonstrated at the Las Vegas events is simple: it requires only a laptop equipped with a $200 RFID reader and a smart card programmer. The laptop's software scanned information from the RFID chip and wrote it to the smart card, which can then be embedded in a fake passport.

Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorised changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.

"The digital photograph of the passport holder embedded in the data page and the digital signature on the data, combined with our human US border inspection process, would prevent someone from using a forged passport to gain entry into the United States," Cooper said in a telephone interview.

The industry responsible for manufacturing the chips also said there wasn't much to be concerned about. Randy Vanderhoof, executive director of the Smart Card Alliance, said in a statement: "Even if someone could copy the information on your e-passport chip, it doesn't achieve anything, because all of the information is locked together in such a way that it can't be changed."

Since its inception, the idea of RFID-equipped passports has generated a great deal of ill will from privacy and security experts. By the time the State Department announced, last October, new regulations governing the documents, 98.5 per cent of the 2,335 comments were negative.

The Electronic Privacy Information Center in December urged officials to drop use of the chips. Citing assessments made by the US Department of Homeland Security in its own internal documents, the advocacy group argued that the process of monitoring e-passport scanners requires too much attention from border inspectors and could actually distract them from screening the travellers themselves for suspicious activity.

CNET News.com's Declan McCullagh contributed to this report.

Anne Broache writes for CNET News.com