How They Work
The new U.S. passports have an international ePassport symbol on the cover, which is a rectangle with a circle inside (see photo); each page depicts a different American scene such as the Statue of Liberty, Boston Harbor, cowboys and a boat on the Mississippi. Each book contains a chip with the passport holder's name, address, date of birth and other biographical information and a digital photograph of the traveler. The chips are called RFID (radio frequency identification) chips; they're equipped with antennae and use radio waves to identify the passport holder. They're similar to chips used in bank cards, cell phones and automated payment systems.
Travelers who arrive at airport inspection booths displaying the international ePassport symbol will have their passport scanned by a biometric reader. Chagnon said the biggest change travelers may see at some airports is a camera that they will look into so airport officials can determine the passport holder is who the passport says he or she is.
Chagnon explained that encryption keys allow the immigration or security official to determine the passport isn't a forgery and to determine that the person in front of them is same as the one in the passport photo.
"What the coding and decoding does, is it takes hundreds of points, sets of two points all over the face, then it compares those to what the camera sees. So even though someone may look like someone else, they're not the same. The accuracy is such that by comparing these two points, the distance between the eyes isn't the same…it's very accurate," Chagnon said.
"It's really excellent in authenticating a document and a person," he added. "It doesn't replace the person [airport official], it's just an added feature to help authenticate the person, the travel, and the passport and the document."
A State Department official clarified that U.S. airports will not install cameras specifically for ePassport holders, but they may be used in some airports abroad. The benefit of RFID is that it requires no contact, meaning the user can simply wave the RFID embedded object close to a reader to get the information verified.
But that's a problem with RFID, come critics say, because anyone sitting nearby with a laptop can easily "skim" the data from the chip when the passport is swiped. Some cyber security gurus say they've actually cracked RFID and successfully stolen data from cards or other devices using the technology.
Tien likened the RFID swipe to that of punching in your pin number at and ATM with someone looking over your shoulder. Calling RFID an "inherently leaky technology," he said: "If you don't put in more controls, the data's going to be flying in the clear."
U.S. officials say the government has countered those concerns by including various encryption and digital signature devices, as well as a basic-access control in the chip, which essentially locks the chip's data and only allows someone with authorization to read the RFID signal and chip information after the printed lines of data are skimmed through the reader. That's opposed to the chip being an open book for anyone with a compatible reading device. The passport chips are also designed to operate only within 10 centimeters of a chip reader.
A piece of metallic material also covers the passport from front to back, and the chip is included on the third page, not the front.
"At the end of the day, you ended up what looks a lot to me like a swiping card, because you had to deal with the privacy issues," Tien said, adding that two dimensional barcode passports or laser cards using light technology not radio waves would work just as well.
"There's a lack of openness and accountability here that makes me very skeptical about the initial decisions to use RFID, and therefore, the whole policy question about 'should the U.S. government be promoting itself a technology that has known privacy and security issues when there appear to be equally if not better, more effective alternatives."
But Moss said the new passport "establishes a gold standard" for protecting privacy.
