Coming Soon to Borders: E-Passports
You know that dog-eared passport sitting in a drawer? Get ready to say goodbye. It's the last of its kind. Since mid-August, U.S. immigration authorities have been issuing tourists a new breed of high-tech passport that includes hard-to-crack electronic chips loaded with an encrypted digital version of the carrier's identity. And as goes the U.S., so go 27 other nations, which have to adopt the new standard in order to maintain the right of visa-free entry into the U.S.
For security-minded immigration officials, this is all good news. Electronic passports, or e-passports, are the latest step in a battle to stymie bad guys trying to sneak across borders. For others, e-passports are meeting with mixed reviews.
Privacy experts argue that in a rush to switch to digital passports, the U.S. ramrodded a de facto world standard without sufficient review and may have unleashed serious security flaws. For travelers, early reports indicate that the new e-passports pass through immigration about as fast—or slow—as the old model.
HARD TO HACK.
Indeed, for an international traveler, the experience of using an e-passport will be only a little different. As usual, a border control agent will take the passport, scan it, and then compare the photo laminated inside with the traveler. The new twist is that agent will then also be able to check a computer screen and view a digital mug shot along with standard passport information, such as date and place of birth, all wirelessly downloaded. If the photo on the passport, the image on the computer, and the person in front of the agent all match, no problem. If not, there's trouble for the holder.
The encrypted digital data are the centerpiece of this upgrade. In the past, dexterous counterfeiters could simply substitute a new photo into a stolen passport, stealing the carrier's identity. The digital data in the new design is much harder to fake because it requires that the counterfeiter hack not just the physical picture but an encrypted chip also.
The chips in U.S. passports are based on radio frequency identification, or RFID, and for now, they include just the digital photo and the same basic information printed in the passport: gender, date, and place of birth, plus the date of issue for the passport, its number, and its expiration date.
But the passport chips come with enough spare memory to include additional biometric data that is harder still to replicate (see BusinessWeek.com, 3/28/06, "Biometrics: Payments at Your Fingertips"). Fingerprint images are included in Europe's e-passports, though not yet in U.S. documents. A scan of the bearer's iris can also be included.
To keep this biometric data secret from prying eyes, the U.S. State Dept. has added layers of security not present in the originally proposed design. "The U.S. passport is an exemplar of data protection and security," says Frank Moss, who, as deputy assistant secretary of state for Passport Services, has been using one of the new passports over the past year.
Replacing all the world's passports promises to be an enormous enterprise, if one that will grow relatively slowly. Worldwide, the total number of passports stands at around 500 million. Of that total, as many as 350 million travelers come from the 28 nations that have adopted the new design. Only a fraction of those will be replaced each year, as old passports expire. In the U.S., for example, adult passports expire in 10 years, so it will take a decade to replace the entire pool.
Not an exploding market, but for the makers of the advanced chips embedded in these travel documents, it's one that may prove lucrative. Compared with the low-end RFID tags used in stores to track goods, which go for pennies apiece, the passport chip package is among the most advanced of its breed, says Sara Shah, industry analyst at ABI Research.
Indeed, the RFID chips in the passports have more in common with the advanced circuitry used in wireless payment cards issued by banks and credit card companies. "Retail chips have to be low cost, work at a distance, and have minimal security," adds Shah. "Passport chips are at the other end of the spectrum."
While only a bit thicker than a sheet of paper, the passport chips are more like highly specialized computers. They must be able to use ultra-low levels of power, drawn from radio waves sent from the reader, to decrypt inbound signals, then retrieve and broadcast back to the reader very large chunks of data. And they have to do this all very quickly, with a host of security features, and all for a few dollars a pop, according to industry estimates.
To cover the cost of the passport enhancements, as well as to pay for the installation of readers and related gear at border crossings, the State Dept. upped the price of passports by $12, to $97 for adults, or $67 for a replacement. While he won't reveal the per passport cost of the new technology, Joerg Borchert, vice-president of chip card and security ICs at Infineon North America, says, "These are extremely sophisticated chips."
Thin as it is, the e-passport is a complex device. Making one involves connecting the RFID chip to an antenna, programming encryption routines, layering in radio-wave insulators, and then bonding it all together in a durable blue cover. This cover is in turn sent to a U.S. printing office where it's bound into a finished passport. Germany's Infineon (IFX) is one of two companies approved to produce the high-tech passport covers and uses its own RFID chips. Gemalto, of the Netherlands, is also approved to assemble the covers, but is using RFID chips from Dutch chipmaker NXP Semiconductors (until recently Philips Semiconductor). From virtually nothing a year ago, the market for complete e-passport chipsets and related software is forecast to hit $3 billion in 2009, says Shah.
RISKY RADIO WAVES.
The demand for new passports in the U.S. is accelerating. Today, some 70 million passports are in circulation, carried by 23% of the population. That's up from just 11%, or about 32 million travelers, 10 years ago. The penetration is likely to grow further because of new federal rules that, effective Jan. 1, 2008, require passports for travelers entering the U.S. from the Caribbean, Bermuda, Panama, Mexico, and Canada. Together, these make up the vast majority of external destinations for U.S. tourists. Due to the rules, the State Dept. predicts passport requests will see a one-time spike in 2007, growing by 31%, to 16 million.
Privacy experts are the first to acknowledge that the new e-passports are an improvement. Yet they're equally quick to add that no matter how good its high-tech mug shots, iris scans, or fingerprint templates, the new design is only as secure as the digital precautions they rely on. Any foe who can crack these can substitute other photos and data.
And since the passport data is broadcast over radio waves, even for short distances, it is more vulnerable than if relayed via direct contact. In lab tests, this information can be picked off using sophisticated antennas and detectors. While this trick would be very difficult to repeat in an airport immigration area, the proof of vulnerability concerns privacy experts.
Indeed, the reliance on RFID opens the passports to a host of potential troubles, many of which have been demonstrated on early versions of e-passports at privacy conferences and in labs. "On security grounds, this is a potential disaster," says Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union and a vocal critic of the new standard.
A whole lexicon has sprung up to describe the types of abuses that could arise. The vulnerabilities include eavesdropping. That's when a foe might intercept data as it's being broadcast from a passport to the reader at the immigration desk. "Scanning" is similar but can occur at a distance, even in public, using powerful, hidden RFID transmitters. Once the data is in hand, a counterfeiter can clone the passport information by copying it onto a blank chip. Then there's "tracking," which exploits the signal that RFID chips send out when scanned by a reader. By snagging this unique identifier, a single traveler or even a class of travelers—say, all Americans—could be identified and tracked remotely.
Even though Moss initially dismissed such demos as mere "parlor tricks," the State Dept. and the industry in time took steps to counter each one. For example, a thin layer of aluminum was added to the passport's cover to insulate it from remote scanning and tracking.
Conceding that unencrypted data flowing to and from the passport was a problem, the State Dept. also encrypted the data in the RFID chip and added an extra precaution. Words and numbers printed on the passport's information page are scanned to create a key that unlocks the encrypted RFID information.
Welcome changes all. But for now, it's impossible to know if the moves fix all the vulnerabilities, says Steinhardt. The State Dept. did not circulate test versions with outside experts before they were released into widespread use. "We know it was flawed," he says, "Now we can't be certain if it actually works."
Worries persist in Europe, too. There, privacy officials, intent on minimizing the amount of private data held by the state, are butting heads with their counterparts in immigration departments. Just as the passport standards are being applied, there's renewed pressure in a number of European states to issue mandatory national identity cards with security and data features similar to those found in electronic passports.
As more data is collected by different agencies, privacy advocates worry about data "creep." That's when governments—or private players who license the information—compare and unify data from different databases to build detailed profiles of citizens. "We have to make sure that the information stored on a passport doesn't leak out into different areas of people's lives," says Simon Davis, the director of Privacy International in London.
And while the new e-passport standard was set by the U.N.-affiliated International Civil Aviation Organization, there's a perception that the U.S. forced through its security standard without weighing other nations' wishes. Steinhardt calls it "policy laundering": when a government ramrods its policy through the U.N. and declares it an international mandate. While the U.S. requires biometric data from incoming travelers, "it's not introducing a corresponding requirement for the personal papers of its own citizens," Peter Schaar, Germany's Federal Data Protection Commissioner said in a written statement.
For all the concerns circling around the new passports, any real vulnerabilities will likely surface very soon. The percentage of travelers carrying the e-passports, while still low, is growing steadily. Tourists in Europe started using them earlier this summer—so far, with no widely publicized failures. In the U.S., of the nation's 15 passport printing centers, only the Denver office is currently issuing the new model. Until the remaining 14 centers switch over—a process due to be completed by early next year—tourists getting new or replacement passports have a good chance of receiving the old, analog version.
Until then, the old-style passports will not pose a problem in immigration lines, says Moss. For tourists using the pre-digital model passports, including those from the 160-plus nations that are not part of the e-passport regime, travel procedures are unchanged. Border control agents here and overseas will continue to rely on photo and data printed in the cover page, and will keep processing visitors as fast—or slow—as always.