US to issue RFID-enabled passports

The US State Department is on track to start issuing passports containing radio frequency identification (RFID) chips this week, despite warnings from some security experts that such systems could be accessed or tracked by hackers.

The new program will start in the Denver passport office and be in full production through the agency's 17 passport facilities across the country by mid-2007. All US passports are expected to include RFID chips containing personal biometric information by 2017.

Congress passed legislation in 2002 to add security to the Visa Waiver program, and in 2005 the US Department of Homeland Security required that passports include digital photos and conform to international electronic passport standards. The State Department set the August deadline.

State Department personnel successfully beta-tested the electronic passports over the past year, deputy assistant secretary for passport services, Frank Moss, said.

He contended that electronic passports improved security by making it harder to forge or alter such documents. All personal information on a chip must precisely match that in the printed portion of the electronic passport.

In addition, if an electronic passport was stolen, the chip had a unique identifying number that could be tracked by law enforcement agencies worldwide, Moss said.

Extra memory space on the RFID chip might be used in the future to store biometric information such as fingerprint images, he said. However, no decision had been made on how to use the extra space.

Some security experts expressed concern over the use of a so-called contactless chip, which doesn't require contact with a scanner.

The new passport's RFID chip could be read by a scanner, but it must be within 10cm of the device, Moss said.

Given the fast pace of technology changes, and the 10-year life of a passport, it was inevitable the RFID chip would become hackable and that technology would be built to access it from long distances, chief technology officer at Counterpane Internet Security, Bruce Schneier, said.

He suggested the State Department could have used an RFID chip that required contact with a reader but other experts downplayed potential flaws.

"The only vaguely legitimate arguments I have heard against e-passports is that they might permit someone two feet away to learn you are American and blow you up, or learn whatever might be stored on the e-passport," a professor who specialises in security issues at Carnegie Mellon University in Pittsburgh, Michael Shamos, said.

"It's a balancing of risks. The e-passport will be much more difficult to forge and thus ought to reduce the prospect of terrorists getting hold of valid ones," he said.

The new passports will also meet specifications set by the Montreal-based International Civil Aviation Organisation, a United Nations standards body, and are supported by some 27 other countries.