By John Carey
The U.S. is moving closer to requiring citizens to have an identity card that could be scanned from a distance. By the end of 2005, U.S. passports will come with embedded radio-tag chips -- and Congress is considering mandating similar technology in driver's licenses. The government argues that the changes will make America safer from terrorists. But privacy advocates are appalled, fearing that the information could be stolen and misused.
The story begins in 2002, when Congress passed the Enhanced Border Security Act. One provision requires that new passports be equipped with "biometric identifiers" capable of being read by machines -- in essence, a chip with personal identification information. The law also said foreigners who want to come to the U.S. without a visa (as is allowed for visitors from Europe, Japan, and some other countries) must carry a passport with the same technology.
But the law didn't specify what information should be on the chip, or what type of chip must be included. In what critics call policy laundering, that decision was ostensibly left to an obscure U.N.-affiliated agency, the International Civil Aviation Organization. For the Bush Administration, "the advantage of using the ICAO is that they have none of the transparency of a U.S. government agency," says Barry Steinhardt, director of the American Civil Liberty Union's technology and liberty program. Groups like the ACLU were shut out of the process.
The ICAO's decision, which is widely viewed as reflecting the State Dept.'s own views, turned out to be very troubling to privacy advocates. Critics charge that by using the excuse that the standard was set by an international body, the State Dept. can push a technology that wouldn't have been acceptable if openly debated in the U.S.
For one thing, the biometric identifier the ICAO picked was facial recognition, which is seen as less reliable than alternatives like retina scans. More worrisome, the ICAO specified that the information be stored in a "contactless" chip -- one that can be read from a distance. Many companies, such as Wal-Mart (WMT ), are using such radio frequency identification (RFID) chips to track inventory. Putting the chips in passports would enable the government to read personal information from more than 50 feet away.
"We do need passports with more data," says computer security expert Bruce Schneier. "But they chose a chip that can be queried remotely and surreptitiously. I can't think of any reason why the government would do that, other than that they want surreptitious access." And if airport and border security guards can read everyone's passports on the sly, so could anyone with a radio-chip reader, from terrorists to identity thieves.
State Dept spokesperson Angela Aggeler insists that privacy matters "are of very grave concern to the State Dept." It won't be possible to read the chips in passports with just any old reader, such as the technology being used at Wal-Mart, she says. Instead, it will take special readers that the bad guys won't have.
But critics aren't buying it. They figure that it will be possible to make or buy a reader. Then it could be used to scan a hotel to see which rooms the Americans are in, for instance, or to nab someone's identity from a distance.
And the controversy will grow, predicts Steinhardt. Congress and some states are debating whether to require the same type of chip in driver's licenses. "As we feared, the standard is migrating to domestic identity documents," he says. "It would be an identity-theft nightmare."
The timetable is pretty alarming, too. In mid-October the government awarded contracts to four companies -- Axalto, BearingPoint (BE ), Infineon Technologies (IFX ), and SuperCom -- to produce chips for testing in the new electronic passport. By the end of 2005, all new domestic passports will probably come with the chip.
To many, that means the Big Brother is coming one step closer.
Carey is a senior writer in BusinessWeek'se Washington bureau
Edited by Beth Belton