US passports to be fitted with RFID chips

Sweeping new State Department regulations issued on Tuesday say that passports issued after that date will have tiny radio frequency ID (RFID) chips that can transmit personal information including the holder's name, nationality, sex, date of birth, place of birth and a digitised photograph. Eventually, the government contemplates adding additional digitised data such as "fingerprints or iris scans".

Over the last year, opposition to the idea of implanting RFID chips in passports has grown amid concerns that identity thieves could snatch personal information on them out of the air simply by aiming a high-powered antenna at a person or a vehicle. Out of the 2,335 comments on the plan the State Department received this year, 98.5 per cent were negative. The objections mostly focused on security and privacy concerns.

But the Bush administration chose to go ahead with embedding 64KB chips in future passports, citing a desire to abide by "globally interoperable" standards devised by the International Civil Aviation Organization, a United Nations agency. Other nations, such as Germany and the UK, have announced similar plans.

In regulations published on Tuesday, the State Department claims it has addressed privacy concerns. The chipped passports "will not permit 'tracking' of individuals," the department said. "It will only permit governmental authorities to know that an individual has arrived at a port of entry -- which governmental authorities already know from presentation of non-electronic passports -- with greater assurance that the person who presents the passport is the legitimate holder of the passport."

To address Americans' concerns about ID theft, the Bush administration said, the new passports will be outfitted with an "antiskimming material" in the front cover to "mitigate" the threat of the information being surreptitiously scanned from afar. It's not clear, though, how well the technique will work against high-powered readers that have been demonstrated to read RFID chips from about 50m away. (The State Department was not immediately available for comment.)

In addition, the passports will use 'Basic Access Control' -- a reference to storing a pair of secret cryptographic keys in the chip inside. The concept is simple: the RFID chip disgorges its contents only after a reader successfully authenticates itself as being authorised to receive that information.

Computer scientists, however, have criticised that encryption method as flawed. In a recent paper, Ari Juels, David Molnar and David Wagner warned that the design of the encryption keys is insufficiently secure and that the use of a "single fixed key" for the lifetime of the e-passport creates a vulnerability.

The Bush administration could face an eventual legal challenge. A letter to the State Department from privacy groups says that there is "no statutory authority" for the RFID passport because Congress has not authorised it.