-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 <http://www.usatoday.com/tech/news/2004-11-22-hitech-passport_x.htm> USA Today Microchip passport critics say ID theft possible The Associated Press The United States hasn't issued any microchip-equipped passports yet, but as the Department of State tests different prototypes, the international standards for the passports are under fire from privacy advocates who worry the technology won't protect travelers from identity thieves. The American Civil Liberties union has raised alarms and even an executive at one of the companies developing a prototype for the State Department calls the international standards woefully inadequate. The international standards for "electronic" passports were set by the U.N.-affiliated International Civil Aviation Organization, which has worked on standards for machine-readable passports since 1968. On the latest passports, the agency has "taken a 'keep it simple' approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents," said Neville Pattinson, an executive at Axalto North America, which is working on a prototype U.S. electronic passport. As part of heightened security post-Sept. 11, all new U.S. passports issued by the end of 2005 are expected to have a chip containing the holders' name, birth date and issuing office, as well as a "biometric" identifier - a photo of the holders' face. The photo is the international standard for biometrics, but countries are free to add other biometrics, such as fingerprints, for greater accuracy. Privacy advocates have complained about the security standards for the passports, but Pattinson is the most prominent person involved in their creation to express concern that they could become prey for identity thieves if safeguards aren't standardized. A slide in a presentation he gives says, "Don't lose the public's confidence at the get go." Another asks, "Who is up for a black eye?" The international passport standards call for "a very sophisticated smart card device," that uses a chip and an antenna embedded in the passports' covers, Pattinson said. Unlike cheaper and dumber RFID tags, the passport chips would be microprocessors that could send one piece of information at a time in answer to queries from a machine reader. They could also be equipped with multiple layers of encryption for security. The international standards spell out ways the passports could incorporate more protection from identity thieves, but they make those methods optional. Under the standards, information on the chip could be picked up by someone who wires a briefcase with a reader, then swings it within inches of a passports, Pattinson said. Over a greater distance, an interloper could eavesdrop on border control devices reading the passports, he said. "There's no security built into it," said Barry Steinhardt, director of the technology and liberty program, at the American Civil Liberties Union. "This will enable identity theft and put Americans at some risk when they travel internationally." One rudimentary way to protect electronic passports from identity thieves is to wrap them in tinfoil, which blocks radio waves. A single size Doritos bag would do the trick. Protecting border control agents' readers with a metal shield would protect against eavesdropping. The International Civil Aviation Organization and State Department say they're looking at more organized methods. The privacy issues "have come up and they are being looked at," said Denis Schagnon, a spokesman for ICAO. "This is a process that is being implemented over the next few years, it is not something that happens overnight." One way to fight identity theft is already in the standards, he said: The passports will have built-in encrypted authentication to let electronic readers know they are original documents, not forgeries. The international standard "is obviously a baseline," said Angela Aggeler, spokesperson for the bureau of consular affairs at the State Department. "This is something we continue to develop and work on. (Privacy) is the thing that is driving a lot of our considerations. Personal privacy issues are of paramount consideration." Other countries are also making the switch to microchipped, biometric passports, at U.S. request. Under the Patriot Act, visitors from 27 countries whose citizens don't need visas to visit the United States will need electronic passports, too. The United States originally asked that visitors from those countries have the electronic passports by this October. President Bush in August gave the countries an extra year to issue them; they will be required by next October. In testimony before a House committee, Secretary of State Colin Powell said that other countries were finding the switch "daunting," as was the United States. The Government Printing Office is manufacturing test passports using chip packages provided by four companies, it said when the contracts were awarded in October. The National Institute of Standards will then test the prototypes to see if they meet durability, security and electronic requirements. The State Department and the Department of Homeland Security are also testing the passports, Aggeler said. One or more companies will win a contract for the passports by the end of the year, according to the printing office's schedule, and the U.S. government would begin issuing them to officials and diplomats starting early next year. The companies under contract are Axalto, whose parent company is headquartered in France, SuperCom, Infineon Technologies and BearingPoint, which have been awarded contracts worth a total of $373,000. BearingPoint is the only company headquartered in the United States. - -- - ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' -----BEGIN PGP SIGNATURE----- Version: 1308 iQA/AwUBQaJRlsPxH8jf3ohaEQJZcwCgm4/0wYTRd4NvCI4rx/Ii2/+nvMUAn3wB Iz4VwYjQJoZMuzFhm4LUPzGz =Y9yI -----END PGP SIGNATURE-----