State bolsters passport security
- By Mary Mosquera
- Apr 29, 2005
The State Department released this photo of what new passports would look like.
The State Department has declared that electronic passports will be safe from identity thieves.
The department has decided to adopt metallic shields and is seriously considering 'basic access control' as a further means of preventing the skimming of personal data stored on a passport's chip.
One form of basic access control under consideration is to imprint data on a passport's machine-readable zone. The data would exchange an algorithm with a reader at the border station, which in turn would unlock the chip embedded in the passport.
A government source said that some observers consider encryption of the signal emitted by the chip as a form of basic access control as well. A spokeswoman for State's Bureau of Consular Affairs said that State has not made a final decision on the security technology because it has not chosen a vendor.
Privacy organizations have criticized State for not integrating more security features early in the design of the electronic passport's radio frequency identification technology. They worried that someone equipped with a card reader close to the passport holder could skim personal data.
'We will not issue a new-designed U.S. passport to the public with a chip until we have successfully addressed the risk of skimming,' said Frank Moss, deputy assistant secretary of State for consular affairs. 'The technology we're looking at with the most intensity is putting on the front cover metallic or some type of material, which serves as a Faraday shield, and prevents the reading of the book while it's closed or mostly closed.'
A Faraday shield is a general name for an electrostatic shield.
Put to the test
The National Institute of Standards and Technology has been testing various shields included in e-passport procurement proposals. They are all based on the principle that the shield will prevent the chip and the reader from communicating as long as the passport is closed, Moss said.
NIST expects to complete testing of the chips for normal wear-and-tear durability and electromagnetic durability and security sometime this month. The results will carry a lot of weight in State's decision to award the contracts, Moss said.
'This issue of security of personal information written into the chip is one we take very seriously. We are looking at it from a variety of angles, and we will produce a passport that will not endanger the privacy of those carrying it,' Moss said.
The passports will work much like building-access cards. The chip, which would let Customs agents quickly process passengers entering the country, will hold a digital record of the information contained on the paper passport, such as name, document number and a photograph, agency officials have said.
The chip has a built-in antenna that uses radio waves to transmit information when it comes close to a machine reader, for contactless reading of the information. The reader will grab the data from the chip from up to four inches away, State officials have said.
Critics, such as the American Civil Liberties Union, have said that identity thieves or terrorists could capture information, even from a distance greater than four inches, with readers equipped with more powerful antennae.
The more a passport has to be used and removed from its protective cover, the more opportunities others have to skim the information, said Jay Stanley, spokesman for ACLU's technology and liberty program.
Even if it implements a shield, State should come up with a new standard that does not include an unencrypted RFID tag and that includes privacy protections, Stanley said.
But supporters of the e-passport shield discount critics' fears.
'These have been proven to be inaccurate statements,' said Randy Vanderhoof, executive director of the Smart Card Alliance, a trade group in Princeton Junction, N.J.
With a higher-powered antenna, the reader could not read the contents of the passport but could only know that an e-passport was in the room.
'This standard RFID was chosen because the technology operates within a prescribed range of only 10 centimeters, or four inches,' Vanderhoof said.
Mary Mosquera is a reporter for Federal Computer Week.