Biometric Passports Fail Early Privacy Tests
Personal information stored in the passport's chip is vulnerable to hacking.Andrew Brandt is a senior associate editor for PC World. You can send him e-mail at consumerwatch@pcworld.com.
Andrew Brandt
Federal officials, eager to step up controls on people entering the United States, are preparing to issue Americans passports with embedded personal and face-recognition data. It's a good plan to fight terrorists--but poorly executed, it will put your privacy at risk.
The federal Department of Homeland Security spent the past six months testing biometric passport prototypes and wants to roll out the new technology as soon as possible.
The passport's chip will store more than just your name. It will store biometric facial recognition scan data--the kind of information that could help a computer recognize you by, for instance, the distance between your eyes. It'll also contain your passport photo in digital form, as well as personal data including your name, birth date and birthplace, gender, and passport number.
Other countries, as well, are adopting passports with electronic data, under a specification developed by the International Civil Aviation Organization (ICAO). The organization has created the specifications for most of the world's passports for more than 50 years.
U.S. Homeland Security officials say that the new passports go a long way toward preventing people from using another person's passport. The passports also permit touchless data transfer, meaning that a passport agent can collect the data without connecting the passport's chip physically to a computer. The DHS wants all travel documents to have touchless technology by 2006.
Unfortunately, the personal information is stored in unencrypted form. Worse, touchless technology might let someone with the right equipment read your personal information at a distance.
Officials are developing workarounds to prevent so-called skimming, but until they do, I think we should stop using contactless technology. Instead, officials should use smart cards that must be physically connected before they'll divulge their data. We should also encrypt the data included on a passport.
There's still time to change the passport plan. If you're concerned, get in touch with both the ICAO and the State Department.