March 15, 2005 | WebMemo on Department of Homeland Security
Machine-readable passports would allow border inspectors to check traveler's personal information more quickly and efficiently than they do today. Post-9/11 legislation required new standards for machine-readable passports, including the use of biometrics (physical identifiers like finger prints or facial features) for U.S. passports and passports from countries whose citizens do not require a visa to visit the United States. The State Department needs to create security standards to protect these E-Passports from identity thieves and should work with other nations to make these standards common.
The State Department proposes to enhance the traditional passport by embedding in it a computer chip carrying personal information. Data stored on the chip is likely to include the passport holder's name, date, and place of birth, and a digitized photo. Machines would read the chip when travelers passed through checkpoints at ports of entry and exit.
The Radio Frequency Identification (RFID) technology that these passports would use is similar to that used by the E-Z Pass at tollbooths and SmartTrip Cards at Washington Metro stations, but with one notable difference. Many such commercial systems encrypt the data when it is stored on a card and when it is transmitted. Others, such as those used for inventory control, do not. The State Department does not plan to encrypt the data on E-Passports.
In a recent Wired News article, "No Encryption for E-Passports," Ryan Singel reported "The lack of encryption baffles privacy advocates and security researchers, who say the new passports are vulnerable to 'skimming,' an attack that uses an unauthorized reader to gather information from the RFID chip without the passport owner's knowledge."
The State Department acknowledges these concerns but argues the information is nothing more than the standard information printed on the passport. In addition, encrypting data would slow down processing time and make it harder to coordinate and implement passport standards with other nations.
The State Department's position is unacceptable. The personal information of U.S. citizens should be safeguarded. If a conventional passport is lost or stolen, its owner is aware of the loss and can take appropriate measures to protect him- or herself. But with an unencrypted RFID chip, a passport owner would never know that his or her personal information had been "skimmed" by identity thieves or terrorists.
The federal government needs to do a better job of stopping terrorist travel, and it also must safeguard citizens' privacy. And the government should do both equally well. In "E-Passports: A Strategy for Long-Term Success," The Heritage Foundation's Ha Nguyen, Paul Rosenzweig, and James Jay Carafano argued for encrypting the information on E-Passports' RFID chips so that only authorized individuals could access it. This should be a requirement. Just because it would be more difficult to do does not mean the U.S. government should not put forth the effort.
James Jay Carafano, Ph.D., is Senior Research Fellow for National Security and Homeland Security in the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation. Paul Rosenzweig is Senior Legal Research Fellow in the Center for Legal and Judicial Studies at The Heritage Foundation and Adjunct Professor of Law at George Mason University. Alane Kochems is a Research Assistant in the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation. Heritage Foundation intern Thomas Weiss contributed to this paper.