Department of State Offers Update on Development of Electronic Passport

New rules apply to recording data on passport chip and reading data from that chip

   The contactless smart chip that is being used in the electronic passport is a "passive chip" that derives its power from the reader that communicates with it. It cannot broadcast personal information because it does not have its own source of power. Readers that are on the open market, designed to read Type A or Type B contactless chips complying with International Standards Organization (ISO) 14443 and ISO 7816 specifications, will be able to communicate with the chip. This is necessary to permit nations to procure readers from a variety of vendors, facilitate global interoperability and ensure that the electronic passports are readable at all ports of entry.

   The proximity chip technology utilized in the electronic passport is designed to be read with chip readers at ports of entry only when the document is placed within inches of such readers. It uses RFID technology. The ISO 14443 RFID specification permits chips to be read when the electronic passport is placed within approximately ten centimeters of the reader. The reader provides the power to the chip and then an electronic communication between the chip and reader occurs via a transmission of radio waves. The technology is not the same as the vicinity chip RFID technology used for inventory tracking of items from distances at retail stores and warehouses. It will not permit "tracking" of individuals. It will only permit governmental authorities to know that an individual has arrived at a port of entry--which governmental authorities already know from presentation of non-electronic passports--with greater assurance that the person who presents the passport is the legitimate holder of the passport.

   The personal information that will be contained in the chip is the information on the data page of the passport--the name, nationality, sex, date of birth, place of birth, and digitized photograph of the passport holder. The chip will also contain information about the passport itself--the passport number, issue date, expiration date, and type of passport. Finally, the chip will contain coding to prevent any digital data from being altered or removed as well as the chip's unique ID number. This coding will be in the form of a high strength digital signature. The contents of the data page of the traditional passport have been established by international usage and by ICAO. The chip will not contain home addresses, social security numbers, or other information that might facilitate identity theft.

   In terms of the comments received in response to our proposed rule, a small minority of comments welcomed the rule because of the enhancements to passport security the electronic passport will provide, including better authentication of the document, proof of its link to the bearer and protection against data alteration than is provided by the current, traditional non-electronic passports. The vast majority of comments, however, opposed the introduction of the electronic passport on security and privacy grounds, specifically concerns that skimming or eavesdropping would permit surreptitious reading of the data contained in the passport chip. Skimming is the act of creating an unauthorized connection with a readable chip in order to gain access to the data contained therein. Eavesdropping is the interception of the electronic communication session between a passport chip and an authorized reader.

   Comments reflected a concern that the data in the electronic chip could easily be read by portable devices available on the open market. Many of these comments expressed a belief that the information could be read at distances in excess of ten feet. The majority of the comments were concerned that terrorists could identify and target them as U.S. citizens. Identity theft was of grave concern, focusing on the potential for criminal activity resulting directly from identity theft. Some comments expressed fears that criminals could acquire and use the personal information included in the passport to target them for theft, con artist schemes and/or kidnapping. Still others expressed fears that the U.S. Government or other governments would use the chip to track and censor, intimidate or otherwise control or harm them. Some comments called for the inclusion of a fail-safe anti-skimming device.

   The Department is sensitive to the security and privacy concerns raised by the comments. To address these concerns, the Department and the Government Printing Office (GPO) have worked with the National Institute of Standards and Technology (NIST) to evaluate the passport's vulnerability to skimming and to test physical devices that can be put in a passport to reduce its likelihood.