Vendors Taken To Task Over E-Passport Flaws

A special committee of the International Civil Aviation Organization formed in December to fix stubborn interoperability problems besetting biometric passports is laying down the law to vendors.

The committee, which met in last month in Berlin, has issued a set of core requirements for contactless chip and especially reader manufacturers. If vendors fail to meet the core standards, they can forget about being invited to future live tests of their products by government passport authorities.

The hard line came after the latest round of tests showed that border control agents had big problems obtaining data from the chip-based passports. The results have U.S. officials talking about another one-year extension of the deadline for widespread introduction of the electronic documents.

Frank Moss, deputy assistant secretary for passport services in the U.S. State Department, says that a deadline extension is something officials are "looking at very seriously."

Any further delay would be a significant setback for contactless smart card technology. Officials in several countries are preparing to issue passports embedded with contactless chips and antennas, and vendors are hoping some 500 million passports worldwide will be issued over the next decade with tap-and-go radio frequency technology.

The chips will store a digital photograph and, in some cases, fingerprint images to enable border control agents to better verify the identity of travelers presenting their passports. The U.S. government has set an October 2005 deadline for the 27 countries whose citizens can enter the United States without a visa to have a biometric passport program in place.

'Extremely Disappointed'
The core expectations, contained in a document approved by the ad hoc committee Jan. 11 and titled "Guide to Interfacing e-MRTD's and Inspection Systems," is a response to results of the last live test of sample passports, conducted in late November and early December at Baltimore/Washington International Airport.

In addition to the United States, Australia, New Zealand, Sweden, France, Italy, Germany, Belgium and Japan brought prototype e-passports to test. Finland, Netherlands, the United Kingdom, Canada, Austria, Singapore and Brunei, also participated.

Government officials from a number of the countries were "extremely disappointed" by the results, which showed the vendors had made little progress since tests conducted earlier in the year in Morgantown, West Virginia, says Barry Kefauver, who heads the main committee of the International Organization on Standardization assisting ICAO in drafting the biometric passport guidelines.

The test at the Washington, D.C.-area airport revealed several factors that prevented readers from properly receiving data from passports. These included the size and type of contactless chip in the passport, its location in the passport booklet, and the power of the reader's signal. There were also problems verifying digital signatures on the chip and reading facial biometrics.

"Apparently, there are vendors still either not reading the standards or reading the standards incorrectly or interpreting them incorrectly," says Kefauver, a former U.S. State Department official and member of the special or ad hoc committee. "It's not gotten through to some vendors what needs to be done."

Three of the readers tested could successfully read the chips only 58%, 43% and 31% of the time, respectively, according to a U.S. government report. It's not known how many readers were tested in all.

A Versus B
Part of the problem seems to stem from differences between the two options allowed in the international contactless smart card standard, ISO 14443. Those option are known as types A and B, and contactless smart card and chip vendors have typically focused on one or the other.

"It became ap- parent that some readers had been developed with a focus on either type A or type B chips and that their ability to handle the 'other' type was not as good or as consistent," according to an e-mail from the U.S. Homeland Security Department to other government agencies and vendors regarding the test.

"Readers that are used in live inspection environments must be able to handle all e-passports, regardless of the power requirement, chip and antenna location, chip type or size, data speed, access control method ... and retrieve and validate the data correctly."

Those inconsistencies came as no surprise to Stuart Fiske, a director at U.K.-based Consult Hyperion. He says the ISO 14443 standard is "immature" and offers vendors too many choices.

"It is common for different vendors to make differing decisions, which all conform to the standards, but are inconsistent with each other," he says.

A New Ball Game
Cards and readers based on the ISO 14443 standard are popular among transit operators, and generally work well in this market because cards and readers tend to be supplied by the same vendor, Fiske adds. But passports must work the same worldwide, which means products from different suppliers must communicate.

The Washington, D.C.-area airport test also found the technology interfered with the inspection process. In some cases, agents found they had to press down firmly on open passport booklets for the readers to communicate with the chip; in other cases, they could not tell when to remove the document.

Kefauver, speaking at the recent Omnicard conference in Berlin, says government passport bureaus face other problems besides interoperability of the technology. Many require their passports to last 10 years. "Durability is probably the single most critical unknown," he says. "The vendors do not know how long a contactless chip will last."

Still Optimistic
But Kefauver points out the global biometric passport project is the first of its kind, and vendors, standards makers and government agencies are "charting new territory."

Another member of the ad hoc committee, who asked not to be name, agreed: "This is the first global contactless application; this is really new. For manufacturers, they have to rethink their strategies. "

Leaving the durability question aside, both say they are confident the interoperability problems will be fixed in time for the late October U.S. deadline.

But vendors who don't comply with the core expectations won't be along for the ride.

They will have to perform tests on sample passports sent to them by various governments and report the results to the sponsors of the next live interoperability text, scheduled for Japan in March.

Among the requirements are strict adherence to the ISO 14443 standard and to ICAO's specifications for logical data structure, that is, the way files are organized on the chip and read by the readers. Those vendors whose results do not "clear the bar" will not be invited to the upcoming test in Japan.

Loading