RFID Will Be Set in Passports

The U.S. government will require nearly all of the passports it issues to have a computer chip containing the passport holder’s personal information by October 2006, according to regulations published this week.

Starting in early 2006, the U.S. Department of State will begin issuing passports with 64K byte RFID (radio frequency identification) chips containing the name, nationality, gender, date of birth, place of birth, and digitized photograph of the passport holder.

The chip would match the data on the paper portion of the passport and improve passport security by making it more difficult for criminals to tamper with passports, backers say. The U.S. government began looking at ways to make passports harder to forge in response to the terrorist attacks on the U.S. on Sept. 11, 2001.

After the State Department proposed RFID chips for passports in February, privacy groups such as American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) expressed concerns. Some RFID chips can be remotely scanned, allowing for criminals to covertly scan groups of passport holders at airports, the EFF said in April. The RFID passport could act as “terrorist beacons” because they could indiscriminately expose U.S. residents’ personal information to strangers.

In a letter commenting on the State Department proposal, the EFF argued that the agency lacked congressional authority to require RFID chips in passports.

“RFID in passports is a terrible idea, period,” said EFF Senior Attorney Lee Tien, in a posting to the EFF’s Web site. “But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis. It’s asking Americans to sacrifice their safety and privacy ’up front’ for a dangerous experiment that it hasn’t even bothered to justify.”

The State Department received 2,335 public comments on its February proposal to introduce electronic passports. More than 98 percent of the comments were negative, the State Department said, with most raising concerns about security and privacy.

In the passport rules released Tuesday, the State Department said it was taking several security precautions. The RFID chips will use encrypted digital signatures to prevent tampering, and they will employ so-called passive RFID chips that does not broadcast personal information unless within inches of an RFID reader machine. The e-passports will protect against data leaks by putting an “antiskimming” material to block radio waves on the passport’s back and spine, the State Department notice said.

The new passports would comply with an International Civil Aviation Organization specification on e-passports, the State Department said.

Although the State Department changed its earlier proposal of a self-powered RFID chip to a passive one that relies on a reader machine’s power, privacy concerns remain, said Barry Steinhardt, director of the ACLU’s Technology and Liberty Program. Steinhardt called the State Department’s security measures a “step forward,” but he said bar codes could be used to match electronic data with paper data on passports.

“It still raises the question whether or not this is an appropriate technology,” Steinhardt said. “There are still some essential concerns about whether this is secure or not.”

But Neville Pattinson, director of technology and Government affairs for Texas RFID card vendor Axalto Inc., praised the State Department’s changes, including the passive chips and anti-skimming materials. “This is a fine example of the government listening to public opinion and adopting technology that protects citizen’s privacy,” he said. “With the changes, information cannot be extracted from it.”

State Department officials were unavailable for comment on this story.

By Grant Gross, IDG News Service