Security Concerns Prompt Passport Redesign

By Sara Kehaulani Goo
Washington Post Staff Writer
Saturday, April 30, 2005

The State Department plans to improve technology that will be embedded in new U.S. passports after tests this month revealed that information in the documents could be vulnerable to identity theft.

Frank E. Moss, the State Department's deputy assistant secretary for passport services, said the agency will include new high-tech security features that will minimize the risk of identity theft, even if the change delays plans to start issuing the passports to new applicants later this year.

"We're going to take every step possible to make this passport as secure as we can," Moss said. "I'd rather take more time and do it right than stick to an arbitrary deadline."

The agency's decision was a small victory for civil libertarians and privacy groups who for years had warned the State Department that its plans to embed passports with radio frequency identification (RFID) technology were flawed. Travel groups and European countries including Germany also warned of the technology's security vulnerabilities, and the State Department received more than 2,400 comments from the public -- many of them critical.

Radio-frequency ID devices, known within the tech industry as "contactless smart cards," are used in many employee ID cards and Metro's SmartTrip cards that are passed over an electronic reader for entry to a building or passage through a turnstile. The passport chips will store information about passport holders and will contain digital photographs enhanced with face-recognition technology. The chips are so thin they will not alter the appearance of U.S. passports.

The radio-frequency chips will transmit data from the passport to electronic readers at U.S. airports and border crossings. The problem, some privacy activists say, is that identity thieves could use commercially available handheld readers to surreptitiously intercept the data on passports, identifying Americans overseas and stealing their private information.

Moss said earlier this month that there was only a slim chance that data on passport chips could be read from more than four inches away. Recent tests conducted by the National Institute of Standards and Technology concluded that he was wrong, he said. "We admit the chip, with a more powerful reader, can be read at a distance of 24 inches," Moss said.

The agency now plans to include metal inside U.S. passport jackets that will help shield the chip from being read by anyone except U.S. Customs and Border Protection agents. The data on the chip also will be encrypted, meaning that it must be scanned through a reader at an airport or a border to be read; it cannot simply be waved across an electronic reader. The additional security measures are not expected to result in any additional costs. The new system will be funded by fees paid by passport applicants.

Many critics such as the American Civil Liberties Union would prefer that the government not use RFID technology at all. The State Department said it wants to use it because it will be a standard around the world. Moss said earlier this month that the technology will also help to process visitors more quickly at borders and airports.

But Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a civil libertarian group that focuses on technology issues, questioned that rationale.

"If you have to have the passport physically scanned, then where's all the supposed convenience of being able to read the passport at a distance," he asked. The argument for having the technology "is sort of falling apart," he said.

© 2005 The Washington Post Company