• United States



by Paul Kerstein

U.S. to Require RFID Chips In Passports

Oct 27, 20053 mins
CSO and CISOData and Information Security

The U.S. government will require nearly all of the passports it issuesto have a computer chip containing the passport holder’s personalinformation by October 2006, according to regulations published thisweek.

Starting in early 2006, the U.S. Department of State will begin issuingpassports with 64K byte RFID (radio frequency identification) chipscontaining the name, nationality, gender, date of birth, place ofbirth, and digitized photograph of the passport holder.

The chip would match the data on the paper portion of the passport andimprove passport security by making it more difficult for criminals totamper with passports, backers say. The U.S. government began lookingat ways to make passports harder to forge in response to the terroristattacks on the U.S. on Sept. 11, 2001.

After the State Department proposed RFID chips for passports inFebruary, privacy groups such as American Civil Liberties Union (ACLU)and the Electronic Frontier Foundation (EFF) expressed concerns. SomeRFID chips can be remotely scanned, allowing for criminals to covertlyscan groups of passport holders at airports, the EFF said in April. TheRFID passport could act as “terrorist beacons” because they couldindiscriminately expose U.S. residents’ personal information tostrangers.

In a letter commenting on the State Department proposal, the EFF arguedthat the agency lacked congressional authority to require RFID chips inpassports.

“RFID in passports is a terrible idea, period,” said EFF SeniorAttorney Lee Tien, in a posting to the EFF’s Web site. “But on top ofthat, the State Department is acting without the appropriate authorityand without conducting any form of credible cost-benefit analysis. It’sasking Americans to sacrifice their safety and privacy ’up front’ for adangerous experiment that it hasn’t even bothered to justify.”

The State Department received 2,335 public comments on its Februaryproposal to introduce electronic passports. More than 98 percent of thecomments were negative, the State Department said, with most raisingconcerns about security and privacy.

In the passport rules released Tuesday, the State Department said itwas taking several security precautions. The RFID chips will useencrypted digital signatures to prevent tampering, and they will employso-called passive RFID chips that does not broadcast personalinformation unless within inches of an RFID reader machine. Thee-passports will protect against data leaks by putting an”antiskimming” material to block radio waves on the passport’s back andspine, the State Department notice said.

The new passports would comply with an International Civil AviationOrganization specification on e-passports, the State Department said.

Although the State Department changed its earlier proposal of aself-powered RFID chip to a passive one that relies on a readermachine’s power, privacy concerns remain, said Barry Steinhardt,director of the ACLU’s Technology and Liberty Program. Steinhardtcalled the State Department’s security measures a “step forward,” buthe said bar codes could be used to match electronic data with paperdata on passports.

“It still raises the question whether or not this is an appropriatetechnology,” Steinhardt said. “There are still some essential concernsabout whether this is secure or not.”

But Neville Pattinson, director of technology and Government affairsfor Texas RFID card vendor Axalto Inc., praised the State Department’schanges, including the passive chips and anti-skimming materials. “Thisis a fine example of the government listening to public opinion andadopting technology that protects citizen’s privacy,” he said. “Withthe changes, information cannot be extracted from it.”

State Department officials were unavailable for comment on this story.

By Grant Gross – IDG News Service (Washington Bureau)