Machine-readable
passports would allow border inspectors to check traveler's
personal information more quickly and efficiently than they do
today. Post-9/11 legislation required new standards for
machine-readable passports, including the use of biometrics
(physical identifiers like finger prints or facial features) for
U.S. passports and passports from countries whose citizens do not
require a visa to visit the United States. The State Department
needs to create security standards to protect these E-Passports
from identity thieves and should work with other nations to make
these standards common.
The State
Department proposes to enhance the traditional passport by
embedding in it a computer chip carrying personal information. Data
stored on the chip is likely to include the passport holder's name,
date, and place of birth, and a digitized photo. Machines would
read the chip when travelers passed through checkpoints at ports of
entry and exit.
The Radio
Frequency Identification (RFID) technology that these passports
would use is similar to that used by the E-Z Pass at tollbooths and
SmartTrip Cards at Washington Metro stations, but with one notable
difference. Many such commercial systems encrypt the data when it
is stored on a card and when it is transmitted. Others, such as
those used for inventory control, do not. The State Department does
not plan to encrypt the data on E-Passports.
In a recent
Wired News article, "No
Encryption for E-Passports," Ryan Singel reported "The lack of
encryption baffles privacy advocates and security researchers, who
say the new passports are vulnerable to 'skimming,' an attack that
uses an unauthorized reader to gather information from the RFID
chip without the passport owner's knowledge."
The State
Department acknowledges these concerns but argues the information
is nothing more than the standard information printed on the
passport. In addition, encrypting data would slow down processing
time and make it harder to coordinate and implement passport
standards with other nations.
The State
Department's position is unacceptable. The personal information of
U.S. citizens should be safeguarded. If a conventional passport is
lost or stolen, its owner is aware of the loss and can take
appropriate measures to protect him- or herself. But with an
unencrypted RFID chip, a passport owner would never know that his
or her personal information had been "skimmed" by identity thieves
or terrorists.
The federal
government needs to do a better job of stopping terrorist travel,
and it also must safeguard citizens' privacy. And the government
should do both equally well. In "E-Passports:
A Strategy for Long-Term Success," The Heritage Foundation's Ha
Nguyen, Paul Rosenzweig, and James Jay Carafano argued for
encrypting the information on E-Passports' RFID chips so that only
authorized individuals could access it. This should be a
requirement. Just because it would be more difficult to do does not
mean the U.S. government should not put forth the effort.
James Jay Carafano,
Ph.D., is Senior Research Fellow for National Security and Homeland
Security in the Kathryn and Shelby Cullom Davis Institute for
International Studies at The Heritage Foundation. Paul Rosenzweig
is Senior Legal Research Fellow in the Center for Legal and
Judicial Studies at The Heritage Foundation and Adjunct Professor
of Law at George Mason University. Alane Kochems is a Research
Assistant in the Kathryn and Shelby Cullom Davis Institute for
International Studies at The Heritage Foundation. Heritage
Foundation intern Thomas Weiss contributed to this paper.