Despite a scathing critique by the American Civil Liberties Union, a U.S. State Department official promised his agency was taking measures to protect data on proposed U.S. electronic passports.
Late last week, the ACLU accused the U.S. government of rushing the rollout of insecure, RFID-enabled passports in hopes of creating a de facto global identification standard that could be used for surveillance.
On November 1, 2004, the Government Printing Office awarded four contracts to produce prototypes of RFID-enabled passports for initial tests. The new passport will contain an active RFID tag containing all the data found on printed passports, including a digital photo.
"We have an elaborate process of testing underway," said Frank Moss, Deputy Assistant Secretary of Passport Services for the State Department's Bureau of Consular Affairs. He said the four contractors will provide test quantities of passport covers containing RFID chips that will be evaluated for durability both in the printing process and during actual use, for the ability to write data to them and what he called "security considerations."
The ePassport initiative complies with requirements of the Enhanced Border Security and Visa Act, enacted in 2002. Twenty-five countries are required to provide machine-readable passports that include biometric identifiers. The four contractors participating in the first phase of the three-phase project are the team of consulting firm BearingPoint and SuperCom, an Israeli company; Axalto, a French supplier; and SuperCom on its own. Executives of the companies did not immediately respond or were not available to comment.
Moss said the ePassports will conform to an international standard for electronic identification data approved by the International Civil Aviation Organization (ICAO). The ICAO's standard specifically precludes encryption of the data or the use of authentication methods to access it -- and it's the combination of unencrypted data and the contactless reading system that has privacy and security experts up in arms.
The ACLU criticized the State Department for insisting over the objections of other countries that data written to the chips be clear and unencrypted, publishing documents obtained under the Freedom of Information Act in support of that claim.
But Moss denied that the U.S. had asserted its own agenda for unencrypted RFID data, saying that encryption would get in the way of global interoperability. "ICAO for decades has had a program to improve travel document security. One way to do that is through standardization," he said.
Bruce Schneier, a security technologist and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World , doesn't buy the State Department's explanation.
"Using RFID instead of contact chips is a really bad thing," Schneier said. "The U.S. snuck that in. They take a policy they can't sell at home, push it in international standards organizations, and then go back to the U.S. and say we have to do this because it's a standard."
Moss pointed out that the information to be contained in the chips is exactly what is already printed on the passport paper and contained in the magnetic strip. "In no way does including an integrated circuit make it into a homing or tracking device," he said.
However, according to Schneier, unencrypted data from an ePassport can easily be "skimmed" by anyone in the area with a reader, because the passports are continuously broadcasting their name, nationality, age and address.
Worse, the ACLU points to the Pentagon's controversial Total Information Awareness initiative aims to create "ultra-large-scale" database technologies with the goal of "treating the world-wide, distributed, legacy databases as if they were one centralized database." With the data standardization in electronic passport chips planned by ICAO, privacy advocates fear individual countries' border control information could easily be transferred into such an ultra-large-scale data repository.
If ePassports became commonly used for identification when shopping, the way we now use driver's licenses for a multitude of authentications that have nothing to do with automobiles, the ACLU warned, information on people's daily habits could be drawn into that ultra-database.
Moss said the skimming issue definitely would be addressed, even if it hadn't been part of the first RFP.
"We will only go into passport production when the issue of skimming is resolved -- and not just because the ACLU brought it up." He said recognition of the problem was converging with what appear to be viable means of addressing the problem, such as embedding fibers in the passport that physically block the chip's transmission unless it's in very close proximity with a reader.
Privacy experts say the incorporation of a mechanical blocking element in the wrapper of U.S. passports would help a lot - as long as you're a U.S. citizen.
"Providing a foil envelope or some sort of protection into the cover doesn't address the adoption of such strategies worldwide," said Beth Givens, executive director of the Privacy Rights Clearinghouse, an international privacy advocacy.
Givens and others say that the U.S. hasn't demonstrated why contactless technology is better than a method that requires physical contact between chip and reader, such as the magnetic strip used on today's passports or smart cards that must be inserted into readers.
"The State Department should answer the question of whether there are there any alternative technologies that could produce the same results as RFID with less potential risk to privacy and civil liberties," Givens said.
Many of the electronic privacy and security advocates contacted by internetnews.com said they could think of only one reason why the U.S. preferred a contactless chip that can be read from a distance: surveillance.
Said security expert Schneier, "The only reason I can think of for using contactless chips is that they want surreptitious access themselves. It's the only thing that makes sense."