Another view: E-passports need security upfront, not later
Their unencrypted data might be difficult to steal now, but just wait 10 minutes
The State Department is committing one of the classic IT blunders with its proposed rules for electronic passports—focusing only on functionality and ignoring security when implementing a new technology.
According to the rules, a wireless chip in the passports, which State will begin issuing later this year, would contain unencrypted personal information.
This is, in a word, wrong.
The department’s heart is in the right place. The United States is requiring other countries to begin providing, by October, electronically readable passports for visitors to this country. And it is swallowing its own medicine by implementing the same technology.
According to proposed rules published Feb. 18 in the Federal Register, a passive 64K write-once chip will hold the same information as the printed data page, as well as a digital photo that could be used with an image recognition application to verify identity. It will be a contactless chip, meaning it will be read remotely using radio frequency.
The first of the new passports will be issued by midyear. Within one year, all new passports will contain the chips.
But they will also contain a big security hole.
There are plenty of examples of this kind of shortsightedness. Two that come immediately to mind are the Internet and the Microsoft Windows operating system. Both work more or less as intended, but security shortcomings identified only after deployment have produced a patchwork of imperfect fixes that frustrate systems administrators and leave users exposed.
The current mantra of software engineers and security professionals is that security must be incorporated from the beginning, not added later as an afterthought. The new passports would go against that grain.
They would not be completely unsecured. Data on the chip would be digitally signed, and the chips would have a very short read-range—four inches.
The department acknowledges privacy concerns about the unencrypted data. But it says data will not be encrypted for several reasons: the printed information is visibly displayed anyway; encrypted data takes longer to read and would slow the entry process; and encryption would complicate development of a globally interoperable system for reading passports.
In other words, it’s too much trouble.
But digital snooping is fundamentally different from reading a printed page. Digital reading puts a copy of the data in the reader’s hands. In the long run, it would be far simpler to implement full security now than to bolt it on later and re-engineer a worldwide system of readers.
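The distinction the editorial draws between a signed record and an encrypted one is worth seeing in code. The example below is added here and is not from GCN, the State Department or the ICAO specification; it stands in Ed25519 for the issuer signature and AES-256-GCM under a hypothetical issuer/reader shared key for the encryption that the proposed rules omit, and the data-page fields are constructed placeholders. It shows that a captured copy of a signed-only record still verifies as genuine and exposes every field to a keyless reader, while a captured encrypted record exposes nothing and is rejected outright under the wrong key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-in for the data-page fields the article says the chip
// carries; no real identity or document number appears here.
var dataPage = []byte("SURNAME=DOE;GIVEN=JANE;DOB=1970-01-01;NUMBER=PLACEHOLDER")

var fieldNames = []string{"SURNAME", "GIVEN", "DOB", "NUMBER"}

// SignedRecord models the proposed chip contents: plaintext plus an issuer signature.
type SignedRecord struct {
	Payload   []byte
	Signature []byte
}

// issueSigned is the issuing authority signing the data page (hypothetical helper).
func issueSigned(priv ed25519.PrivateKey, payload []byte) SignedRecord {
	return SignedRecord{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifySigned is what any reader holding the issuer's public key can do,
// whether it obtained the record at a border post or by capturing it elsewhere.
func verifySigned(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// exposedFields reports which named data-page fields a reader holding no key
// can find verbatim in a captured blob.
func exposedFields(blob []byte) []string {
	var out []string
	for _, name := range fieldNames {
		if bytes.Contains(blob, []byte(name+"=")) {
			out = append(out, name)
		}
	}
	return out
}

// seal encrypts the payload with AES-256-GCM; the key is assumed to be shared
// between issuer and authorised readers (an illustrative scheme, not the real design).
func seal(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil // nonce prefixed to ciphertext
}

// unseal recovers the payload; a wrong key yields an authentication error, not data.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SignedOutcome summarises what a captured copy of a signed-only record gives away.
type SignedOutcome struct {
	CopyVerifies bool     // the signature still checks out on the copied bytes
	Exposed      []string // fields readable without any key
}

func demoSignedOnly() (SignedOutcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedOutcome{}, err
	}
	chip := issueSigned(priv, dataPage)
	// Digital reading hands the reader a complete, independently verifiable copy.
	captured := SignedRecord{
		Payload:   append([]byte(nil), chip.Payload...),
		Signature: append([]byte(nil), chip.Signature...),
	}
	return SignedOutcome{CopyVerifies: verifySigned(pub, captured), Exposed: exposedFields(captured.Payload)}, nil
}

// EncryptedOutcome summarises what the same capture gives away once the record is encrypted.
type EncryptedOutcome struct {
	Exposed       []string // fields visible in the captured ciphertext
	WrongKeyFails bool     // a reader without the key gets an error
	RightKeyReads bool     // an authorised reader recovers the data page
}

func demoEncrypted() (EncryptedOutcome, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return EncryptedOutcome{}, err
	}
	blob, err := seal(key, dataPage)
	if err != nil {
		return EncryptedOutcome{}, err
	}
	_, wrongErr := unseal(make([]byte, 32), blob) // all-zero key models a keyless reader
	got, err := unseal(key, blob)
	if err != nil {
		return EncryptedOutcome{}, err
	}
	return EncryptedOutcome{Exposed: exposedFields(blob), WrongKeyFails: wrongErr != nil, RightKeyReads: bytes.Equal(got, dataPage)}, nil
}

func main() {
	s, err := demoSignedOnly()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed only: copy verifies=%v exposed=%v\n", s.CopyVerifies, s.Exposed)
	e, err := demoEncrypted()
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted: exposed=%v wrong key rejected=%v right key reads=%v\n", e.Exposed, e.WrongKeyFails, e.RightKeyReads)
}
```

The signature is doing exactly the job the department describes, proving the record is genuine, and that is the point: a copy that verifies is as convincing as the original, so integrity protection alone does nothing for the privacy of the holder.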
State contends that eavesdropping or surreptitiously scanning an e-passport would be technically very difficult. It says it plans to add an anti-skimming feature, probably in the form of shielding around the chip or in the cover.
But tasks that are technically difficult today tend to become much easier tomorrow, and effortless by next week. Passports issued today will be valid for 10 years.
Encryption probably would increase the time it takes to read a passport. But verifying a passport holder’s identity electronically—even with encryption—should be more efficient than the current process of visual inspection. If the new electronic passport system is trustworthy, we could do away with visual inspection at entry points and speed travelers through the line electronically. If the technology is not trustworthy, why rush to deploy it?
Anything worth doing is worth doing right. It’s cheaper and more effective than doing it over. State is accepting comments on its proposed e-passport through April 4 at [email protected]