ACLU Comments on Electronic Passports to State Department

Document Date: April 4, 2005

April 4, 2005

Chief, Legal Division
Office of Passport Policy
Planning and Advisory Services
2100 Pennsylvania Ave., N.W.
3rd Floor
Washington, DC 20037

Re: Electronic Passports, RIN 1400-AB93

To the Chief of the Legal Division:

The American Civil Liberties Union hereby comments on and formally opposes the Department of State's proposed rule creating "electronic passports" by including radio frequency identification chips (RFIDs) in US passports. [1] The proposed rule is outlined at 70 Fed. Reg. 8305-8309, "Electronic Passports," RIN 1400-AB93. These chips compromise Americans' privacy, expose them to danger from terrorists and criminals and provide a limited security benefit. Instead, US passport standards should employ a contact chip -- one that can only be read through contact between a reader and chip. This solution would mitigate many of the concerns raised below and better serve the privacy and security interests of US passport holders.

RFIDs are tiny computer chips that, when they receive a radio signal from an RFID reader, use the energy of that signal to broadcast the data that they store. This technology is rapidly becoming familiar to Americans through such applications as tollbooth speed passes, building entry key cards, and other "contactless" applications. While the Enhanced Border Security Act of 2002 mandates the inclusion in passports of a machine-readable biometric, it does not specify that the United States utilize an RFID chip. We urge you to withdraw the proposed rule for reasons of security and privacy outlined below, and propose a new rule, consistent with the Enhanced Border Security Act, that would employ in U.S. passports a contact chip instead of an RFID chip.

Privacy

Skimming

The Department does not address in a meaningful way the serious danger that placing RFIDs in passports represents for Americans' privacy. The sole purpose of contactless technology is to allow these chips to be read from a distance. The proposed rule contemplates that the data will not be encrypted. As a result, the US passport will broadcast individual identity information for anyone with an RFID reader to steal, a process called "skimming."

Skimming is a very real danger under the current US passport standards. The International Civil Aviation Organization (ICAO) standards (which form the basis for US regulation) make this clear. The ICAO's Use of Contactless Integrated Circuits In Machine Readable Travel Documents states "[a]s the maximum strength of the electromagnetic field generated by the machine (RF) reader is set by regulations, taking into account safety considerations, reading distances of over 1m are not practical." Version 4.0, pg. 12. The clear implication is that RFIDs can be read at distances far greater than 1 meter, if safety concerns are ignored. Worse, initial testing demonstrated that the RFID technology the State Department intends to employ is readable from a distance of up to 30 meters, despite the State Department's claim that this technology can only have "a very short read distance, approximately four inches." 70 Fed. Reg. 8305; Junko Yoshida, Tests reveal e-passport security flaw -- U.S. unfazed at copying of unencrypted data, ELECTRONIC ENGINEERING TIMES, August 30, 2004. The security dangers of this privacy breach are very real. Terrorists, foreign governments or criminals could engage in remote surveillance or target Americans. In effect, these passports would be painting giant bull's-eyes on the backs of all who carry them.

The Department's declaration that this information does not deserve protection because it "simply consists of the information traditionally and visibly displayed on the passport data page" is disingenuous at best, and dangerous at worst. Passport holders have always had the ability to decide to whom they will show their passports. This gives them the opportunity to shield their personal information from other people, such as terrorists, criminals and any other individual who may bear them ill will. Passports contain extremely valuable information including an individual's date and place of birth. This data would be invaluable for an identity thief because it could be used to gain access to an individual's birth certificate. Recent disclosures of personal information by ChoicePoint Inc. highlight the danger that can result from improper disclosure of these types of personal information. ChoicePoint is a data aggregator that collects extensive dossiers of information on American citizens for use by business and government. This company sold personal information on 145,000 Americans to identity thieves, resulting in more than 7,000 cases of identity theft. While ChoicePoint gathers much of its information from public records, it is clear that the collection of this information and its disclosure without proper authorization was nonetheless very damaging.

The Department's bland assurance that "[b]y the time the first electronic passport is issued, the Department intends to place an anti-skimming feature in the passport" is not reassuring. The dangers of skimming have already been the subject of serious public concern. Security experts, RFID manufacturers and advocacy groups have all objected to the lack of measures adopted to assure the privacy and security of this information. See Matthew L. Wald, New high-tech passports raise snooping concerns, THE NEW YORK TIMES, November 29, 2004; John Carey, Big Brother's Passport to Pry, BUSINESSWEEK, November 5, 2004. Similarly, the ACLU has published a white paper summarizing many of the potential problems with RFIDs in passports. It is available at: www.aclu.org/passports. A feature that is central to the security of a document acquired by more than 7 million Americans annually should be subject to rigorous scrutiny and public comment, not imposed as an afterthought.

Eavesdropping

The State Department's ill-conceived decision to use unencrypted RFID technology cannot be ameliorated through the adoption of any conceivable anti-skimming measures. In addition to skimming, RFIDs are susceptible to the problem of third parties intercepting information when it is being transmitted from the chip to the reader -- what the State Department calls eavesdropping. The State Department's security rationale, that eavesdropping is difficult to do in a port of entry environment because the necessary equipment would be visible, is unconvincing for three reasons. The first is the simple fact that technology inevitably continues to advance and this advancement almost always results in smaller, more powerful devices, making surreptitious reading easier.

Second, the State Department's proposed rule also does not address the reality that ports of entry will likely not be the only place where passports will be electronically read. In other uncontrolled settings, readers could be obscured or hidden to allow for uninterrupted eavesdropping. As the ICAO's Technical Advisory Group noted in its report Biometric Deployment of Machine Readable Travel Documents, these new passports will likely have other uses. The report notes "passport holders may wish to use their passport as proof of identity when opening a bank account, and invite the bank to inspect them [the chip] against their passport." Version 2.0, pg. 51. Passports are also often used to verify identity for tasks like reserving hotel rooms. In general, it is likely that private sector "piggybacking" on these identity documents will increase over time, as it has with driver's licenses. When a passport is used for a non-border related function it is particularly vulnerable both to skimming and eavesdropping.

Third, the State Department's proposed rule implies that eavesdropping will be more difficult because of the need for "a specially designed reader furnished with the proper public key." In fact, the encryption key does nothing but allow for verification of the authenticity of the document by decrypting the "hash" of the original data. The digital signature can easily be copied without the public key, even if it cannot be authenticated. Use of a key would do nothing to prevent the wholesale skimming of the passport data - personal information, digital signature and all. Regardless, the proper public key will not be difficult to obtain. As the ICAO notes in its report PKI for Machine Readable Travel Documents Offering ICC Read-Only Access, the ICAO will make these keys available on a website and "there SHALL NOT be access control for reading the PKD [public key directory] (E.G. for the purpose of downloading PKD information)." Version 1.1, pg. 14 (emphasis in the original). With thousands of readers in circulation throughout the world and the public key to access the chips downloadable from an unsecured website, it is difficult to agree with the State Department's conclusion that the information on passport RFID chips will remain secure.

Security

Beyond the intrinsic privacy dangers, RFID technology represents a poor security measure for a number of other reasons.

Chip Failure

The State Department has not conclusively demonstrated that RFID chips would last for the full 10 years for which U.S. passports are valid. As the ICAO states, "most Chip applications assume a chip/smartcard validity of 2-3 years - how such technology will perform over 5-10 years is yet to be tested in real world applications as the technology typically has not been deployed with consumers for that length of time." Biometric Deployment of Machine Readable Travel Documents, Version 2.0, pg. 47. In fact, the ICAO recommends that states might want to consider changing the validity of their travel documents from 10 to 5 years. Ibid. The U.S. is continuing its practice of making passports valid for 10 years and the proposed rule does not require that passport holders replace their passports if their chips fail. Thus, if the ICAO is correct and failure rates rise sharply over time, passports with non-operative chips will be common. Anyone wishing to defeat this security measure could simply disable the chip without attracting increased notice from security officials. Additionally, passengers who are not aware their passport RFID chips have failed until arrival at an airport or port of entry may be subject to extensive travel delays or disruptions. This could pose a substantial drain on the nation's economy and reduce tourism.

Cloning

Nothing in the proposed rule prevents "cloning" these passports - skimming the data off of a passport chip, and then copying it in its entirety onto another RFID chip. Thus, this proposed rule is a recipe for counterfeiting disaster. As we noted above, skimming and eavesdropping are very real possibilities with RFIDs. A counterfeiter, therefore, could copy the data on a passport holder's chip and reproduce it exactly. The data skimmed from a passport could also be used to forge a duplicate of the actual physical passport, since all the information needed to do so, including the subject's photograph, will be stored "free and clear" on the RFID tag.

Cost

The proposed rule does not address the significant new costs associated with including an RFID chip in passports. According to documents obtained by the ACLU through a Freedom of Information Act request, Frank Moss, Deputy Assistant Secretary, Passport Services, stated in a 2003 speech that RFID chips are likely to increase the government's costs of producing passports from $2.40 to a range of $6 to $10 per passport. Additionally, the State Department has stated that it will replace any passport that has a chip failure. This commitment represents a significant unknown cost because, as noted above, the long-term viability of RFID chips has not yet been tested in a real world application and may not be realistic over a 10-year period. Chip replacement is likely to be a real and ongoing cost. The limited security and efficiency benefits, when compared to the significant privacy and security costs associated with RFIDs, make this increased cost a poor tradeoff.

Conclusion

The United States Department of State should abandon the use of RFIDs in passports. These dangerous electronic passports broadcast identity, increase risks for Americans abroad, and provide only questionable security and efficiency benefits. Instead, the State Department should withdraw the proposed rule and propose a new rule for passport standards that would contemplate use of a contact chip, one that can only be read through contact between the passport and the reader. Such a technology could mitigate most of the concerns raised above and represent a substantial improvement for Americans' privacy and security.

Sincerely,

Laura Murphy
Director, Washington Legislative Office

Christopher Calabrese
Counsel, Technology & Liberty Program

Barry Steinhardt
Director, Technology & Liberty Program

Timothy Sparapani
Legislative Counsel, Washington Legislative Office

[1] Technically, they are not RFID chips, but "Contactless Integrated Circuit" chips. True RFIDs broadcast only an identification number, while the chips that will be placed in passports will contain far more data. Nevertheless, the term "RFID" is quickly becoming commonly known, so we will refer to these chips as RFIDs in these comments despite this technical difference in definition.
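
Added illustration, not part of the ACLU letter and not the ICAO data format: the Eavesdropping and Cloning sections argue that a digital signature over unencrypted chip data detects alteration but neither hides the data nor distinguishes an original from an exact copy. The sketch below shows those three properties using a toy textbook RSA signature; the key, record fields and function names are all constructed for the example.

```python
import hashlib

# Toy textbook RSA (two Mersenne primes, no padding): illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(data: bytes) -> int:
    """SHA-256 of the chip data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def issuer_sign(data: bytes) -> int:
    """Issuer side: sign the hash of the chip data with the private key."""
    return pow(digest(data), D, N)


def reader_verify(data: bytes, sig: int) -> bool:
    """Reader side: needs only the public key (N, E)."""
    return pow(sig, E, N) == digest(data)


def inspect(chip: dict) -> dict:
    """What a signature-only inspection can and cannot establish."""
    return {
        "signature_valid": reader_verify(chip["data"], chip["sig"]),
        # Unencrypted data is readable without any key at all.
        "readable_without_key": chip["data"].decode(),
    }


# Constructed sample record (hypothetical fields, not a real passport layout).
DATA = b"SURNAME=SAMPLE;GIVEN=PAT;DOB=1970-01-01;POB=EXAMPLE CITY"
original = {"data": DATA, "sig": issuer_sign(DATA)}
# Byte-for-byte copy of data and signature, made without any key.
copy = {"data": bytes(original["data"]), "sig": int(original["sig"])}
# Same signature over altered data: the only case the signature catches.
altered = {"data": DATA.replace(b"1970", b"1980"), "sig": original["sig"]}

if __name__ == "__main__":
    for name, chip in (("original", original), ("copy", copy), ("altered", altered)):
        print(f"{name:9s} signature_valid={inspect(chip)['signature_valid']}")
```

The original and the copy both verify and only the altered record fails, so a valid signature alone tells an inspector that the data is what the issuer signed, not that the chip in hand is the one the issuer produced.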