This article uncovers the facts behind e-passports and RFID technology and is provided by Mike Ellis, CEO of Dynjab Technologies.
The article was first published in the Keesing Journal of Documents & Identity, issue 30, October 2009.
We have only published the top 12 myths here, but you can read the whole article by downloading the attached pdf.
The International Civil Aviation Organisation (ICAO) - and the NTWG in particular - first started work on what is commonly referred to as the biometric or e-passport in 1998. Its objective was to improve passport security by creating a stronger link between the passport and its holder. At the time, the use of forged passports - by, for example, drug couriers and illegal immigrants - was increasing. One of the most common forging techniques was photo substitution, often in combination with data alteration (the date of birth, for example). At the same time, cases of look-alike fraud - requiring no photo substitution at all - had also risen.
As the NTWG started work on a biometric passport to establish a stronger link between the document and its holder, several issues needed to be resolved at an early stage. Which biometric should be used? Where should the biometric be stored? How should biometric data be read and authenticated?
There are currently more than 100 million e-passports in circulation, issued by over 50 countries. This number continues to grow every day, with 70 million new e-passports being issued every year. Almost all e-passports comply with ICAO standards. As a consequence, they are globally interoperable. A Public Key Infrastructure (PKI) system provides the certificates needed to check their authenticity. While the project was initially motivated by security considerations, several interesting facilitation schemes have emerged. These are based on facial, fingerprint or iris data and facilitate the efficient, high-speed processing of travellers at border control points.
Despite this success, some commentators have been critical of the e-passport. Most of this criticism is based on fiction, a misinterpretation of the facts, or a confusion of technologies. Some articles are written by hackers seeking recognition, others by security researchers working in pristine laboratories, a little divorced from reality. Journalists jump on the bandwagon, combine several false stories and report that the end of the world is fast approaching. There are also articles by activists writing for political gain. While we have no quarrel with other points of view, the twisting of technical data and communication of selective information is objectionable. Unfortunately though, a vast majority of the stories in newspapers and on the web are highly critical.
It is worth contrasting years of painstaking work by the TAG MRTD and the International Organisation for Standards (ISO), work that has resulted in the development of e-passport standards, with the short-term publicity and hype circulated by some observers. This article looks to rebut some of the myths that surround the e-passport and that, unless debunked, risk derailing the introduction of the more secure ID document.
Myth #1
The e-passport replaces border officials
E-passports were not introduced to supersede the judgement of border officials. We have always trusted humans to intervene and determine whether an individual should be permitted to enter a given country, and the e-passport merely serves to assist them. The e-passport is a traditional passport with an electronic chip. It still has traditional security features - watermarks, special inks, etc. - features that need to be checked by a border official. The same official is trained to observe the person who presents the document (for signs of unease, for example). Moreover, any automated border control system will be supervised by a border official. In the absence of a perfect biometric match, or in the event of doubts about the document’s authenticity, the holder will automatically be referred to a border official.
Myth #2
The e-passport was introduced for reasons of facilitation and results in lax border control
The reasoning behind this myth may be summarised as follows: e-passports allow governments to introduce automated border control systems, facilitating the passage of travellers at their borders. This gives rise to cost savings but also a lowering of standards (criminals would somehow trick the biometric system with plastic surgery, contact lenses or rubber finger tips).
As noted in the introduction, the e-passport was primarily introduced to combat forgery. A direct consequence of the more secure passport, with its definitive link to its owner, is that automated border control is made possible. All systems currently being introduced focus on security, which is of paramount importance. The systems are supervised - e-passports do not supersede the judgement of border officials.
Myth #3
The e-passport was introduced in response to 9/11; or the US Government designed it for the visa waiver program
ICAO started work on the e-passport in 1998, well before 9/11 and the changes this event gave rise to, including the requirement of the e-passport for the US visa waiver program. The e-passport is able to accommodate the growing need for security that resulted from 9/11.
Myth #4
The e-passport was introduced as the smartcard/RFID industry were desperate for sales
The NTWG spent several years analysing the best way to incorporate biometrics in e-passports. The first step was to decide on the biometric. The facial image was an obvious candidate as photos were already included in passports and because this practice was widely accepted. For e-passports to be introduced, they must be accepted by all countries, covering a wide range of cultures.
There was also the redundancy aspect - if automatic facial recognition failed then the normal inspection process could take place, which would not be the case with fingerprints or iris. Some countries consider the use of fingerprints an excessive breach of privacy and would never incorporate them in their passports. Mandatory face, with optional fingerprints and iris, were selected after an exhaustive study.
The NTWG subsequently reviewed how to incorporate the biometric in the passport (complicated by the need for considerable storage space - up to 10K bytes or more). These requirements placed some technologies, such as magnetic stripe, offside. Although the two dimensional bar code was an early favourite, it offered insufficient data storage capacity. The contact chip used in credit and telephone cards was also considered, but rejected because it proved too difficult to attach the contacts to the paper document. In the end, the short-range proximity radio-frequency chip was selected. It stores enough information (typically 75K) and can easily be integrated into the passport (either in the booklet, the covers or the inside pages). The NTWG wisely specified the ISO/IEC 14443 standard for the contactless chip. The smartcard industry became involved once that decision had been taken.
Myth #5
The e-passport was introduced as a plot by the UN (or ICAO, or the US Government, etc) to regiment the world by gathering biometrics
Conspiracy theories are often difficult to debunk as they seldom involve evidence. However, passports are issued by a country to its citizens to enable international travel. Most e-passports only contain a facial image, just like the traditional passport. E-passports that contain fingerprints or iris patterns are provided with greater privacy protection, severely restricting who can access the data. Countries have always collected photographs of the face, which have been stored in a database to catch out people who apply for passports in a different name. A country does not have to introduce an e-passport to collect biometrics from either its citizens or visitors - such biometrics can simply be obtained at the border.
These days, most countries have privacy laws that restrict the dissemination of biometrics to other organizations. The international exchange of biometric data is neither regular nor organised.
Myth #6
All countries must issue e-passports by 2015
ICAO forms part of the UN and has been charged with the development of international standards for passports (under the Chicago Convention of 1944). Most countries issue machine readable passports that comply with minimum recommended security standards. ICAO requires all countries that have signed up to the Chicago Convention (nearly all the countries of the world) to issue machine readable passports (MRPs) by 1 April 2010, and that all traditional non-MRP passports must be withdrawn from circulation by 2015. There is no requirement for countries to issue e-passports. However, most countries recognise the benefits of e-passports and it is expected that over 100 countries will issue them by 2010.
Myth #7
The e-passport was introduced by ‘a bunch of bureaucrats making decisions about technologies they don’t understand’
Nearly all NTWG members are either involved in passport production or border control. Between them they have many years of practical experience. Some are PKI experts. The NTWG is supported by technical experts from ISO. Under the ISO/IEC rules, members of the ISO technical committees share their professional expertise; they do not represent the commercial interests of their companies.
The ISO representatives that attend NTWG meetings include chemists, engineers, physicists, IT experts, and lawyers. They work for a diversity of companies - security printers, reader manufacturers, software development companies. The NTWG includes a number of observers from Interpol, International Air Transport Association (IATA) and the Airports Council International (ACI). It would be hard to describe the NTWG as ‘a bunch of bureaucrats’. The technologies are well understood, especially as they apply to travel documents.
Myth #8
E-passport chip data should be secret
Some of the more sensational newspaper articles to emerge in recent years have reported how security researchers have retrieved data from the chip. They typically obtain a copy of the ICAO standard, implement the reading process, and seem surprised when it works. This is exactly how e-passports are meant to work. If they didn’t, border officials in other countries would not be able to read them.
To prevent unauthorized reading, ICAO has specified the Basic Access Control (BAC), which most countries have implemented even though it is optional. Unauthorized reading involves either a hidden reader, which captures data at up to 10cm (this distance can be increased to about 75cm if the power and antenna size are increased) or a device that intercepts data in transit between the chip and a legitimate reader (a process known as eavesdropping). BAC uses a combination of printed data to generate a key that allows access to the chip data. In other words, any person who has access to the printed data is entitled to access the chip data. Journalists also seem surprised that the BAC procedure is in the public domain - but how else could international border control officials access the chip data?
Some countries also equip their e-passports with metal foil pages. The metal foil decouples the chip’s antenna whenever the booklet is closed, effectively disabling it. As soon as the e-passport is opened, the chip can be powered up again if it is close to the reading machine.
Although the chip data may be accessed by authorised parties, this does not mean that the data is insecure. Using passive authentication reveals whether data has been tampered with (photo substitution, for example). The issuing authority calculates the digital signatures using its private key and writes these to the chip; the border official authenticates the same digital signatures using the public key. This public key is contained in a certificate, which is often stored on the chip. The certificate can in turn be authenticated by reference to ICAO’s Public Key Infrastructure (PKI) directory, or by means of bilateral exchange.
It is recognised that some biometric data - including fingerprints and iris data - is more sensitive and therefore warrants greater security. To accommodate this requirement, use is made of Extended Access Control (EAC), which requires an inspection system to authenticate itself before the data is released.
Myth #9
Contact cards are more secure
This argument is often voiced by those who object to radio frequency technology, and the ability to intercept radio signals in particular (eavesdropping). Of course, contact cards have also been intercepted - criminals intent on capturing credit card details at ATMs have been very inventive. The NTWG has investigated eavesdropping and found that data can also be intercepted elsewhere in the computer system (the radio waves from a USB link, the modulation of the power supply, etc.). Eavesdropping is a pan-system problem and must be tackled as such. It does not affect radio frequency technology alone. The incorporation of shields in e-passports and the introduction of BAC and EAC have effectively resolved the problem of eavesdropping and unauthorized access. It has also been argued that bar codes are more secure. Again, system security would be no different. However, the problem with bar codes is that they do not offer enough capacity to store biometric data.
Myth #10
The e-passport chip transmits personal information continuously
The e-passport chip is powered by the electromagnetic field of the reader; it has no battery or other power source of its own. Until the chip is close to a reader and powered up, it cannot transmit data. When powered, the chip only responds to commands sent from the reader. Moreover, the data is at all times protected by BAC encryption.
E-passport chips are power hungry and draw power from the electromagnetic field. They work at a distance of up to 10 cm from the reader. While it is perfectly possible to build non-standard readers that supply more power and use large antennas, the law of diminishing returns applies. In our analysis, the practical range is limited to about 75 cm (30”).
Myth #11
The RF chip was chosen so that people could be tracked
The most radical version of this myth is that the RF chip can be queried from a great distance, even using satellites. This is not possible. While some RFID devices - including RF tags used in shops - can be tracked at a distance of up to tens of metres, such devices comply with other ISO standards. They are generally much smaller and have minute power requirements.
Even if an e-passport is within the range of an unauthorized reader, say within 75cm (30”), it takes about 3 or 4 seconds to retrieve the data. The e-passport must be within range for this whole time. Should the transmission be disrupted for any reason, the entire process will be aborted. This means that tracking is very difficult to achieve under the best conditions. This scenario is academic, however, as all e-passports now have BAC (which prevents unauthorized access), and this makes tracking impossible.
Some commentators have pointed out that the intention is to track the Unique Identifier (UID). When the e-passport is initially accessed by the reader, it identifies itself by sending a UID. In theory, the passport can be tracked once it has been associated with a UID (though no data can be read from the document itself). It should be noted, however, that most if not all countries use random UIDs. Each time the e-passport is accessed, it generates a different UID for that session. This prevents tracking.
Interestingly enough, the efficient tracking systems that are already widely used do not seem to raise the same concerns. Think of car registration numbers, mobile telephony, and public CCTV systems, each of which can be used to track our movements. While this does not justify tracking e-passports, the likelihood of the e-passport being used to track people is remote.
Myth #12
The contactless chip in the e-passport is prone to failure
The NTWG was concerned about chip failure. In response, most countries advise their citizens to care for their e-passports (by not bending, twisting or puncturing them). The warranty period of the chip was also an issue, not least because chips had not been used in combination with passports before. The preliminary evidence indicates that the chips are reliable. Some countries have reported no chip failure after 3 or 4 years. As the chip has been designed to operate in the field under adverse conditions, there is every reason to believe that the chip will survive for 5 to 10 years.
| Related Files | Size |
|---|---|
| 39 Myths about ePassports | 347.37KB |