Agency: STATE DEPARTMENT
Title: Electronic Passport
Subject Category: Passports: Electronic passport; definitions, validity, replacement, and expedited processing
CFR Citation: 22 CFR 51
Published: 18 February 2005
Comments Due: 4 April 2005
Phase: PROPOSED RULES
Regulations.gov #: EREG - 112
Submitted Apr 04, 2005

Public Notice 4993 (RIN 1400-AB93), proposing changes to 22 CFR 51 regarding the implementation of electronic passports, presents a serious threat to individual privacy. The proposed standard for electronic storage and transmission of personal details can and should be updated so as to address this privacy concern.

The notice states that even though the electronic data in the passport will be digitally signed in order to guard against fraud, these data will not be encrypted. The stated rationales for forgoing encryption are (1) "the personal data stored on the passport's electronic chip consists [sic] simply of the information traditionally and visibly displayed on the passport data page," (2) "encrypted data takes [sic] longer to read, increasing port of entry processing time," and (3) "in order to be globally interoperable, encryption would require a higher level of technology and more complicated technical coordination with other nations." None of these three concerns is valid.

Point (1) would be valid if the data weren't potentially able to be read from the passport at a substantial distance. However, the nature of the proposed RFID technology precludes any guarantee of inability to read at a distance: RFID chips are passive devices, emitting signals in response to power sent from a transmitter. Although the amplitude of the emission declines as the square of the distance from the RFID chip and must therefore eventually become indiscriminable from background noise, there seems no theoretical guarantee that the signal will decline to absolutely unreadable levels at any particular distance from the chip.
Given a sensitive enough receiver, the potential exists to activate and to read these devices at a substantial distance.

Point (2) should not be an impediment given the speeds of today's computing technology. Even if speed of processing were a practical limit, at least that portion of the data that is particularly sensitive could be encrypted. For instance, given that the passport holder's face is going to be publicly visible in any case, the digital image of the face could be excluded from encryption, whilst personal details in the form of alphanumeric strings could be encrypted. As string data are extremely compact in comparison to image data, such a partitioning of encrypted and unencrypted data would eliminate most of the processing burden.

Point (3) makes little sense, since cryptographic technology is widely available and since technical coordination would be required anyway in order to verify the proposed digital signatures -- and also since the passport still would carry information in printed form which would be usable as an alternative to electronic verification in case the requisite technology were unavailable.

In order to remedy these shortcomings, a revised proposal should take pains to specify a technology that precludes as much as practically possible the ability for a passport to be read at a distance, and which encrypts the personal details stored in the passport. In addition, if radio transmission is used, recipients of new passports should be provided with a physical means of blocking radio signals from the passport - for instance, each newly issued passport could come with a foil envelope opaque to radio frequencies. It is not enough to assert vaguely that "By the time the first electronic passport is issued, the Department intends to place an anti-skimming feature in the passport." This feature needs to be fully specified and described so that it can be evaluated by the public.

Finally, given the privacy concerns detailed above, the provision allowing the State Department to invalidate passports whose RFID chips are damaged is objectionable because it prevents individual passport holders from opting out of this flawed system by intentionally destroying their RFID chips.