Smart Passports: Making Travel Safer?

Today, there is a worldwide push for “smart passports” — which incorporate RFID (Radio Frequency Identification) tags. RFID is a type of automatic identification that uses radio waves to automatically identify objects that have RFID tags or labels.

These RFID tags have been aptly described by Senator Patrick Leahy (D-VT), as “bar codes on steroids.”

Indeed, bar codes and RFID are quite similar conceptually, as both provide rapid and reliable item tracking and identification. The primary difference between the two technologies is the way in which they “read” objects.

The bar code reading device scans a printed label with optical laser or imaging technology. On the other hand, RFID scans a tag (consisting of a small computer chip and an antenna) using radio frequency signals.

RFID is a technology that already surrounds us. If you have an Exxon/Mobil SpeedPass — a “wand” that allows you to pay for gas by pointing it at a pump or register — or a toll tag on your car, you’re using RFID. If you have checked out a library book, you've likely used RFID.

You’ve most likely encountered RFID in the form of an EAS (Electronic Article Surveillance) tag if you've ever set off an alarm by walking out of a store with the EAS tag still attached to a purchase.

RFID is not a new technology. It dates back to World War II, when the British used it to identify aircrafts as friends or foes.

However, this technology — which had seen limited use in asset management, livestock tracking and transportation over the past three decades — has suddenly become “hot.”

As can be expected with electronics, the costs and size of the technology have sharply decreased and the capabilities and applications of it have rapidly increased.

Much of the current push for RFID has been propelled by mandates issued for RFID use in supply chain management. Various retailers — including Wal-Mart, Target, Best Buy, Metro (Germany) and Tesco (United Kingdom) — have issued RFID mandates.

In addition, the U.S. Department of Defense has mandated that its 60,000 suppliers begin using RFID tags on pallets, cases and individual products shipped to its facilities worldwide by 2007.

RFID tags can also track people — a far more controversial use than tracking rail cars or cans of soup.

Yet, in the wake of heightened global security concerns, the International Civil Aviation Organization (ICAO) has set a 2015 deadline for governments to equip passports with RFID chips.

In 2003, the ICAO adopted a global plan for the implementation of not just machine-readable passports, but also for the use of biometric identifiers in all of its 188 member countries.

By the end of 2005, the United States plans to begin issuing its own biometric passports to comply with the ICAO mandate.

Each year, the U.S. State Department issues approximately seven million passports.

In light of 9/11 and the increased emphasis on homeland security, the U.S. government is leading the way in the use of automatic identification technology in passports.

The State Department is looking to make passports more secure and harder to forge. Kelly Shannon, a Bureau of Consular Affairs spokeswoman, commented that RFID is “yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally.”

The “smart passport” will carry passive (without a battery) RFID chips in their covers, all of which will be printed by the United States Government Printing Office (GPO).

The RFID chip on U.S. passports will initially hold 64 kilobytes of data, but eventually, the State Department would like to increase capacity to 514 kilobytes. The chip will contain the passport holder's name, birth date and birthplace — and a digital image of the holder's face.

The digital image will be used to prevent passport forgery. When the traveler enters the United States, border-control officials will scan the passport data, snap a digital photo of the person and compare the chip's facial image with the current photo.

They will use a facial recognition software program to compare the two images.

Because the U.S. system will make use of WORM (write once, read many) passive tags, the information stored on the passport cannot be altered.

Because of this, the State Department will require citizens to obtain a new passport when any of their personal information changes. U.S. citizens will have one year from the time of the change (due to marriage, divorce, relocation, etc.) to receive a new passport free of charge.

To cover the cost of the RFID-enabled passports and the free issuance of new passports, the U.S. Congress authorized a $12 surcharge on all new passports, bringing the cost of new 10-year passports to $97.

Current U.S. passport holders do not have to convert to the smart passport until their current passport expires — so existing passports will be around for a full decade after the new policy's implementation.

The State Department initially planned not to encrypt the information contained in the smart passport, as some feared that encryption would make the system too expensive for poorer nations to use at their border crossings and in their passports.

Instead, the State Department decided to use physical blocking technology — covering the RFID tag in the passport with a metallic material to prevent clandestine readers from communicating with it.

However, without encryption, could passport data be surreptitiously read by criminals, data thieves or even terrorists with their own readers?

Jon Callas, the Chief Technical Officer for PGP, Inc., a leading encryption vendor, summed up the fear of unencrypted passports: “I don’t expect my country to actively protect me when I am abroad, but I do expect it to not put me actively in harm’s way. I don’t need a beacon that is an advertisement for my potential victimhood.”

The admittedly frightening prospect of smart passports being used to target U.S. citizens has created concern and opposition amongst an unusually diverse group.

The director of the American Civil Liberties Union’s Technology and Liberty Program, Barry Steinhardt, stated, “If you’re walking around in Beirut, it would be well worth Al Qaeda's money to use one of these readers to pick out the Americans from the Swedes without any problem.”

Kevin Mitchell, Chairman of the Business Travel Coalition (BTC), warned that “ultimately, such an ill-conceived policy would make the conduct of face-to-face business overseas for Americans exceedingly difficult.”

Bill Scannell, a self-described activist and blogger, runs a website (www.RFIDKills.com) dedicated to opposing the State Department's decision. He accuses the U.S. government of “putting an electronic bull’s eye on the back of every American citizen abroad.”

The President of the Association of Corporate Travel Executives (ACTE), Greeley Koch, believes that hackers, criminals and potentially terrorists will exploit the “false reliance on technology.”

He urged the ACTE membership to contact the U.S. State Department and their congressional representatives in opposition to RFID-equipped passports.

Responses from the U.S. government have not quieted such fears.

Deputy Assistant Secretary of State for Consular Affairs Frank Moss reportedly joked that U.S. citizens should consider wrapping their passport in a metallic Doritos™ bag or aluminum foil to disrupt potential prying signals — a practical (if comical) variation of the “Faraday Cage.”

Are skimming and eavesdropping possible from a technical perspective? The U.S. State Department believes that the limited read range of an e-passport makes unauthorized or nefarious skimming practically a non-issue.

They asked the United States National Institute of Standards and Technology (NIST) to determine if the read range was more than the 10 centimeters specified for the smart passports.

NIST found that, under certain conditions, the e-passport could be read from as far away as 30 feet.

Still, Gordon Hannah, the Program Manager and Technical Lead for BearingPoint's e-Passport Project, disputed such findings: “It would be very difficult to read these chips [from more than 10 centimeters away], in fact, it would be impossible in my experience.”

The U.S. State Department had a period for the public to make comments on the RFID proposal, which closed in early April 2005.

Under intense pressure from civil liberties groups, the media and bloggers, and with over 2,400 formal comments made by citizens during the month-long input period, the State Department has now relented on its refusal of security protection for the passport chips.

In late April 2005, Deputy Assistant Secretary of State Moss confirmed that his agency would be seriously looking at a privacy solution for the new RFID-enabled passports.

The U.S. government will likely pursue Basic Access Control (BAC), which has been endorsed by the ICAO and members of the European Union in their own e-passport plans.

BAC protects the e-passport information by only allowing the chip to be read after being physically scanned and opened by a government agent and by encrypting the communications between the tag and the reader.

This security, however, does come at a cost — as reading a tag with BAC takes twice as long as a non-encrypted tag. According to David Molnar of the University of California at Berkeley, “The bottom line is that BAC isn't perfect, but it’s better than what we have now [with no encryption].”

The push for more secure travel and e-passports is not only a U.S. concern — but a global one, led by the ICAO.

The final U.S. e-passport standard will be closely monitored, as the United States will require all 27 countries whose citizens do not need visas to visit the United States to begin issuing similar passports by October 2005 (although that date could slide if the U.S. e-passport is delayed).

In the end, smart passports will likely enhance national border security, while speeding border crossings and international arrivals for citizens.

If appropriate privacy protections are built into the e-passport and if sound public education efforts are undertaken, e-passports will become the standard in international travel.

In the process, governments around the globe will reap both tangible and intangible returns on their investment — decreasing the manpower and time necessary for traveler processing while keeping the “bad guys” from using fraudulent passports to gain entry.

However, there are limits to how far any government — even the United States — will go to enhance the protection of its borders.

At a recent meeting with the American Society of Newspaper Editors, U.S. President George W. Bush seemed to throw cold water on the State Department's proposal to require U.S. citizens to carry passports on any national border crossing, including the heavily trafficked borders with Canada and Mexico.

The President addressed the impracticality of the plan, stating, “When I first read that in the newspaper about the need to have passports I said, ‘What’s going on here?’ I thought there was a better way to expedite the legal flow of traffic and people.”

E-passports may indeed be a “better way” — and millions of dollars will be spent worldwide to upgrade this outdated travel document.

Yet, while other countries such as Great Britain and China are exploring some form of a “smart” national ID, it is unlikely that the same possibility exists in the United States.

According to the most recent (March 2005) RFID Consumer Buzz Report from BIGresearch, almost two-thirds of the approximately 40% of Americans who were aware of RFID had significant concerns about the potential for government abuse of the technology.

The fear of “Big Brother” is alive and well, and political leaders would be well advised to address the rational fears that smart passports could harm citizens abroad more than they protect the homeland.