panopticon - a circular prison with cells distributed around a central surveillance station; proposed by Jeremy Bentham in 1791 (www.thefreedictionary.com)

Part I

Several years ago word got round that the US government was going to put an RFID chip into a passport. Privacy advocates rallied and ranted about the insecurity of the technology, the lack of standards, the foibles of technological advance, and the massive infrastructure expenses required to build a system to support an RFID passport, and pronounced the idea Dead On Arrival. Congratulations are due to those intrepid folks, because their voices were heard, their concerns noted, and the International Civil Aviation Organization (ICAO) returned to the drawing board and has now issued specifications for an RFID-enabled biometric passport that focuses on the technical concerns and addresses them quite handily. The concept remains intact and is now much stronger for the technical tests it was subjected to, rather than weaker for its violations of human rights principles. I found myself with the opportunity to dig deep into the issue directly from the horse’s mouth, so to speak, and if you’re interested, I’ll tell you all about it.

First, the players:

ICAO – International Civil Aviation Organization. This is, for lack of a better reference, the United Nations Air Travel Overlord. It is a multi-national, transnational organization that sets the standards and rules by which international flights are conducted. One of their top mission priorities is to regulate border crossings by airplane. As such, they have taken on the task of developing the standards which all nations will adhere to when sending or receiving international passengers on flights across their respective borders. This scope has been expanded to the entire design of specifications for passports worldwide.

Interpol – International Criminal Police Organization. If you weren’t aware, this is an international police force that focuses on crimes that cross borders, specifically terrorism, human trafficking, and smuggling, among others. They have been very busy bees, setting up the I-24/7 global network of databases which governments and police agencies are using to track criminals internationally.

IATA – International Aviation Travel Association. A trade alliance of airlines that regulates everything from what seats will be available on a plane to the price-fixing rules airlines must adhere to when selling you a ticket. In our story, they are one of the victims, though I would hardly call this enemy of my enemy a friend. They are desperate to get in on the whole scheme in order to get their piece of the power-pie and feel more than a little snubbed that they weren’t invited to the party earlier.

ISO – International Standards Organization. If you’re into computers, you’ve heard this acronym thrown around. This is the organization that decides technical specifications for all technologies. If you’ve ever heard the term, “ISO standard,” this is who they are talking about. In this case, they set the base standards of the RFID chip that is being embedded into passports.

Our story actually starts some 30 years ago, when ICAO first recommended that passports have a Machine Readable Zone (MRZ) at the bottom of the data page.

The bit in red is the machine readable zone.

Probably 90% of today’s passports have this, and it’s not a big deal, really. It’s just a way for a scanner to read the same data that is printed on the data page and push it onto a computer screen, with a few check digits to verify the read against. But it set the stage for the universalization of the passport internationally.
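As an added example (not code from the original article), here is how a reader verifies those check digits on the second line of a two-line passport MRZ. The scheme is the ICAO Doc 9303 one: each character gets a value (digits as themselves, A to Z as 10 to 35, the filler "<" as 0), the values are multiplied by the repeating weights 7, 3, 1, and the sum modulo 10 is the digit. The sample line is the Doc 9303 specimen for the fictional state "Utopia" (UTO); the field names and the MRZCheck class are mine. Note what the digits do and do not buy you: they catch optical misreads and transcription errors, and anyone who can print an MRZ can compute them, so they say nothing about who issued the document. That is the job of the chip signature covered in Part IV.

```python
# Added example, not from the original article: verifying the check digits of a
# two-line (TD3) passport MRZ. Weights 7,3,1 and the character values below are the
# ICAO Doc 9303 scheme; the sample line is the Doc 9303 specimen for the fictional
# state "Utopia" (UTO).
import re
from dataclasses import dataclass

WEIGHTS = (7, 3, 1)

def char_value(c: str) -> int:
    """MRZ character value: digits as themselves, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(field: str) -> int:
    """Weighted sum of the field (weights repeating 7,3,1) modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def digit_matches(field: str, printed: str) -> bool:
    """Compare a computed check digit with the printed one; '<' counts as 0,
    which the standard permits for an all-filler optional-data field."""
    return check_digit(field) == (0 if printed == "<" else int(printed))

@dataclass
class MRZCheck:
    document_number: str
    nationality: str
    birth_date: str      # YYMMDD
    sex: str
    expiry_date: str     # YYMMDD
    optional_data: str
    results: dict        # check-digit name -> True if it verified

    @property
    def valid(self) -> bool:
        return all(self.results.values())

def verify_td3_line2(line: str) -> MRZCheck:
    """Split the 44-character second MRZ line into its fields and verify the four
    field check digits plus the composite digit that covers document number,
    birth date, expiry date and optional data together with their own digits."""
    if not re.fullmatch(r"[A-Z0-9<]{44}", line):
        raise ValueError("TD3 line 2 must be 44 characters drawn from A-Z, 0-9 and '<'")
    doc_no, doc_cd = line[0:9], line[9]
    nationality = line[10:13]
    dob, dob_cd = line[13:19], line[19]
    sex = line[20]
    expiry, exp_cd = line[21:27], line[27]
    optional, opt_cd = line[28:42], line[42]
    composite_cd = line[43]
    composite_input = line[0:10] + line[13:20] + line[21:43]
    results = {
        "document_number": digit_matches(doc_no, doc_cd),
        "birth_date": digit_matches(dob, dob_cd),
        "expiry_date": digit_matches(expiry, exp_cd),
        "optional_data": digit_matches(optional, opt_cd),
        "composite": digit_matches(composite_input, composite_cd),
    }
    return MRZCheck(doc_no.rstrip("<"), nationality, dob, sex, expiry,
                    optional.rstrip("<"), results)

# ICAO Doc 9303 specimen (fictional state UTO), and a copy with one digit of the
# birth date altered, as a scanner misread or an edit would produce.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
MISREAD_LINE2 = SPECIMEN_LINE2[:18] + "3" + SPECIMEN_LINE2[19:]

if __name__ == "__main__":
    for label, line in (("specimen", SPECIMEN_LINE2), ("misread", MISREAD_LINE2)):
        result = verify_td3_line2(line)
        print(label, "valid" if result.valid else "INVALID", result.results)
```

The composite digit is the useful one for a reader: a single misread digit in the birth date fails both its own check digit and the composite, so the scanner can reject the read and retry rather than pushing a wrong date of birth into the system.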

Today, ICAO has revealed its mandated specifications for the new generation of passports.

But why does ICAO feel the need for a new passport? Their justifications are quite simple and obvious.

1. Terrorism

2. International Crime

3. Holistic Transnational Identity Integrity

Holista-what? Yeah, that’s the one they snuck in there and it’s a fun, fun phrase. Holistic, as in broadly viewed, all encompassing, well-rounded. Transnational as in global, not limited to national borders. Identity integrity, as in verifying that you really are who someone thinks you should be.

If you’re worried about National Id or Real Id, baby, you got another thing coming.

So what they want, right there, is the ability to identify any traveler by any number of means, from any angle, in any country, with as much absolute certainty as can be had; and not a negative identification, as in, “Whoever you are, you’re not Osama.” But positive identification, “You are not Osama. You are Joe Paxer.” Positive identification, worldwide, at any time, by all governments, even ones that won’t claim you.

But there are obvious problems with trying to identify all the traveling citizens of all the governments in all the countries in the world. All these governments have different databases, some don’t have any databases of the citizens at all, and if they do, they are in different formats with different purposes and different abilities. The logistics of trying to interconnect 189 governments’ databases quickly escalates well beyond the realm of “nightmare” into some kind of Lovecraftian singularity of technological horror.

Enter Interpol, stage right. The I-24/7 network constructed by Interpol is more than just a network. It is in its third year of operation and they’ve got the bugs worked out. There are several databases behind the I-24/7 network, to which 189 countries, including the United States, are connected as members. I’ll just list a few:

· NCB – a database of criminal data currently containing the information on over 170,000 international criminals, including their biometric data such as fingerprints, iris scans, and photographs.

· SLTD – a database tracking lost and stolen passports around the globe. Countries that have blank passports stolen can register them here, and whenever they pop up again, Interpol can track them.

· DNA – a database of individuals, not necessarily criminal that I’m aware of, that contains DNA records. Thirty-six nations currently routinely submit DNA records to this database. Yup, a global DNA database.

· ICAID – International Child Abuse Image Database. Images of abused children are stored here for the purposes of identifying them and prosecuting their tormentors.

Interestingly, all governments are connected to these databases, except Somalia. Of all the countries, the U.S. is the least connected. It has Interpol stations at only two entry points in the US--the border of Mexico and Texas, and in New York. I presume that many national border police and Customs offices simply connect to those stations for Interpol access instead of directly to the Interpol I-24/7 network.

But Interpol is more than just an international police force or a police networking agency. They have the ability to request that an identity (remember, you aren’t a person, you are a holistic, transnational identity) be denied international travel by simply making the request to the UN. That request is propagated out to the member countries, who are obliged to comply and detain whoever matches that identity they can find and turn them over to Interpol.

So Interpol and the UN are in bed together, and ICAO is a branch of the UN responsible for determining passport specifications. A passport that is universally similar can be universally added to a single database, even if that passport contains biometrics, and Interpol has a global network of databases already in operation. Nice convergence, don’t you think?

Now, this is no conspiracy. None of this is secret stuff and Interpol really is interested in catching criminals and beating up child molesters and ICAO really is interested in giving people better methods to guarantee they are who they say they are. There is no “We’re gonna get the peasants now!” mentality. The problem is not insidious intent, but typical scope creep and a basic assumption that differs from those of us in the freedom movement.

That scope creep is nothing more than, “Let’s try this one more thing,” over and over again. And the assumption is, quite simply, that we, the peasants, can and should trust them and all of their actions implicitly. There are lots of discussions on privacy of the passport holders, but always privacy between me and you. Not once do they mention privacy from the government or the police forces. It simply doesn’t enter their minds. The concept is as alien as a revolution without dancing.

This is not to excuse any of their actions. On the contrary, pointing out that they do not have evil intentions only emphasizes what the road to hell is actually paved with. And let there be no mistake, this road is indeed paved. Not planned, not under discussion, paved. It’s a done deal. The e-Passport specification is law. You never got to vote on it. There were no legislators to petition. No letters to write. No recourse other than a newspaper, if they would even bother with such dry material. ICAO is not an elected organization, and they developed their mandate with only the input they specifically sought. They are not beholden to whatever government claims you, rather that government is beholden to them. That is why I called them a transnational organization, as their authority exceeds the nations that are a part of it.

So while we were complaining about Real ID, and National ID, and Piggly-Wiggly Grocery store cards, ICAO simply took the entire debate out of the public view and made it happen. E-Passports, passports with an embedded RFID chip are here and they are here to stay. As of the end of 2006, 16 nations including the United States will be issuing the e-Passport according to ICAO specifications. Another 43 nations will be compliant by the end of 2007. And by 2010, all 189 member nations are required to be compliant.

Today, right now, as you are reading this, there are already more than 50 million e-Passports in circulation, and most people who have them don’t even know it. It seems that ICAO wanted to avoid the much maligned “RFID” stigma, so they dropped it from open discussion, changed the name, and the entire thing slipped beneath the radar. So much so that, when they had a trial run of the technology at LAX, folks carrying e-Passports didn’t get into the express e-Passport lines, because they didn’t know what they were carrying, or what the symbol on their passport meant. ICAO has since tasked their PR department to promote and educate the public on their e-Passports.

The e-Passport symbol and its suggested location on international passports.

If you want a non-chipped passport, you’d better get it now. 2010 may seem like a long way off, but the countries that struggle to meet that deadline are the same ones that struggle for things like food and water. Germany has already fully implemented the e-Passport. Most of the European Union members are geared up for it as we speak and will have it in 2007. As I mentioned earlier, the US is already issuing them. Every day that passes increases your chances of getting a chip in your passport.

And even if you do get one without a chip, all you’ve done is buy some time. Many of the countries are scaling back the validity of their passports to five years instead of the more common ten. What this means is that by 2020, every legal international traveler will have an e-Passport, as all the non-chipped passports in the world will have expired by then. Many travelers will have had three passport issuances or renewals by then, one every five years.

The e-Passport is here and it’s here to stay.

Doesn’t bother you? You don’t travel internationally? Pay attention. Interpol and ICAO both have openly stated that e-Passport is the first step, not the last. Airports are a convergence of security issues as you have people, property, airplanes, airports, and national and international borders all sardined into little aluminum tubes in the air. Of course that’s the priority. Of course air travel is the focus today. But the specification for biometrics and the RFID chip structure has been specifically designed to be suitable for use in all travel documents, National IDs, and social service IDs. Indeed, the passport specification itself allows the issuing country flexibility to include any additional functionality they want, including additional biometrics, cross references to social service records such as Social Security, or even allowing the bearer to add in his loyalty shopping cards and bank accounts, if the country allows it. All of it tied directly to your biometric data and uploaded to national and international databases for tracking. Fully implemented, the ICAO specification could be used to secure identity not only at airports, but land and water borders, concerts, sports events, critical infrastructure and industry, and even your local shopping mall. Cameras recording your every public move are passé, last year’s news. The problem with camera recordings is that there aren’t enough people to watch them. And that brings us to the brilliantly logical and effective piece of the ICAO specifications for biometric RFID passports, facial recognition biometrics. Stay tuned!

Picture of the Swedish e-Passport and chipped National ID.

Part II

In Part I, I covered the basic premise of the e-Passport. The International Civil Aviation Organization and Interpol have collaborated to create a universally accepted and trackable passport with biometrics stored in the RFID chip embedded into the passport. Fifty million e-Passports are already in circulation, and most people don’t know they have them. The US is already issuing them. Most of the EU will be issuing them next year. And by 2010, all 189 member nations will be issuing e-Passports to international travelers. In this part, we cover the biometrics in the passport, a digital photo of your face.

Facial Recognition

Two years ago the community was up in arms over the idea that a chip in a passport would contain an iris pattern or a retina pattern or even a DNA pattern for anyone to scan. And then that faded out and it appeared to be scaled back to a simple digital version of the photograph of the bearer stored in it. And that is exactly true. Doesn’t seem insidious at all, really. But there are reasons, very good reasons, why there is a photo instead of a fingerprint or an iris scan in the chip data. And that’s because your face is a biometric. Not only is it a biometric, it is the universal biometric standard of the human race. Every day you yourself use facial recognition to identify people. You don’t need a computer, special training or even working eyeballs (ask a blind person to identify you by touch).

Facial recognition technology has quietly matured to the point where software can scan live video feeds in real-time, find faces in the video stream, capture them, and match them against photographs in databases in merely a few seconds. I was shown a demonstration where software was real-time scanning and matching multiple people walking across a lobby. A large LCD display showed the video stream with little red boxes zooming in on heads, freezing good frames whenever the software detected a face turned towards the camera, and a second computer monitor was matching up to six faces simultaneously to a database of photographs. I matched someone in their test database at 54%. A low match, for certain, but if the tolerance is turned up to 80%, agents have a reliable method of determining if you look close enough to a wanted person to be stopped for questioning.

The company doing this demonstration told me they recently implemented the system at the 2006 US Open Golf Tournament, where their camera scanned crowds and incoming fans’ faces and matched them against criminal watch lists. They had probable matches on 23 people, and ended up refusing entry to three of them.

Their software is production worthy, not a beta-test or a concept or a trial run. Write them a check, and they’ll plug it in for you wherever you like. They even had some great suggestions for capturing close up images for even better profiling, such as hiding cameras at eye level behind seductive advertising. Even a quick glance up to the boobs in your face gets your head framed perfectly for capture and matching to the photographic databases.

No problem, you say. You’ll just grow a beard and get a tan. Sorry, but superficial facial features are given superficial weight. The key features facial recognition uses are written in bone structures. Good luck changing the size of your eye sockets, the distance between your eyes, the width of your head, or the corners of your mouth without having your skull smashed by a Freightliner first. I suspect your best bet at foiling these cameras requires stealing an idea from Claire Wolfe’s book, Rebelfire: Out of the Gray Zone, and start a fashion trend in wide-brimmed floppy hats.

The blue dots indicate features the software looks for. The orange lines are the measurements it takes to plot your face’s unique characteristics.

Of course, when you enter a place where you are presumed to volunteer your face for biometric examination, you will be required to remove hats and facial coverings (except prescription eyeglasses, as the software compensates for those). So a wide-brimmed, floppy hat will be great at the basketball game, but won’t do you any good checking in for your flight, bus, or train.

And this is established technology. What’s next? Since facial recognition works by plotting distances between key features, such as the center of the eyes, it is merely an application of formula to take those measurements into three dimensions, thus allowing for facial recognition software to compensate for distance, rotation, and tilt of the head. That’s right, 3-D facial recognition is on the very near horizon. There are some sweaty little programmers working on it right now.

And here’s the fun, fun, fun part of why facial recognition was chosen to be the biometric standard around the world. How many of you readers have had an iris scan taken? Anybody? Bueller? What about fingerprints? Okay, a few more of you. Has the government ever taken a photo of you? Maybe before you woke up to freedom? Driver’s license? Old passport? Mug shot? See what I mean? It’s an obvious choice when you consider the costs of enrolling the world into an iris scan. Chances are, they already have a mostly viable photograph of you on file. It is an elegant convergence of technology and opportunity. An e-Passport reader demo I viewed scanned the passport, pulled the physical image up, scanned the chip and pulled the digital image up, placed the two side by side for comparison, verified they were identical, took a picture of the person standing in front of them, used facial recognition to compare the person to the pictures, all while comparing the pictures to a watch-list database for a match. Four points of comparison keyed on one photograph, with three comparison methods engaged: visual comparison by the operator, one-to-one match against the photos on the passport, and one-to-many match against the watch-list databases.

You could already be “enrolled” into the international comparison databases by your government without having to volunteer your biometric data. There are companies who have facial recognition software specialized to finding matches from imperfect mug shots and old photographs. The vast majority of populations have had their picture taken and those photos are on file, or will be soon. Now, the folks doing the matching definitely want higher quality source photos, so they want to recapture everyone’s picture as best as they can, but that merely improves the quality of the result. Not getting your picture ever taken again doesn’t foil the system. The idea is to have a computer simply flag an operator, “Hey I got an 80% match on this fella, check and make sure for me,” and the operator can do that final 20% analysis on your face visually, without special training in fingerprints or iris scans. The computers and the software are used to discount the 80 or 90% negative matches they expect so the operators can visually verify more people in less time.

Additionally, the biometric stored in the e-Passport is generic. It’s not a formula of your facial characteristics, because ICAO did not want to limit the specification to any particular technology or proprietary format. It’s a simple digital image, like any of the billions found on the internet today. Store the image, and use whatever the latest, greatest software package is available to process it. This means that if a software application is compromised, the country can simply replace it without having to reissue passports or recapture photos. However, this does leave room for discrepancy and inconsistent results between countries as they employ different vendors or different facial recognition algorithms to process and recognize e-Passport photographs.

With today’s technology, a decent source photo such as a passport or driver’s license photo has a 95% success rate to match the subject, regardless of any superficial facial features. Ninety-five percent. It’s going to get more effective with time.
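To make the mechanics of Part II concrete, here is an added example (mine, not the vendor’s software or anything from the original article) of a toy landmark-geometry matcher. It shows the three things the text describes: the comparison keys on relative distances between fixed points of the skull, so a beard or tan changes nothing; normalising by the distance between the eyes makes the same face match whether it was captured up close or far away and tilted; and the threshold, the "tolerance" in the text, decides who gets flagged for an operator to look at. The six landmark names, the coordinates, and the similarity formula are constructed for the illustration; real systems use many more points and far better models.

```python
# Added example, not from the original article: a toy landmark-geometry matcher that
# shows why the comparison keys on relative distances between fixed facial points,
# why it survives changes in camera distance and head rotation, and how the match
# threshold decides who gets flagged. Landmark names and coordinates are constructed.
import math
from itertools import combinations

LANDMARKS = ("left_eye", "right_eye", "nose_tip", "mouth_left", "mouth_right", "chin")

def signature(points: dict) -> list:
    """All pairwise landmark distances divided by the inter-ocular distance, so the
    result does not depend on image scale (how far the subject was from the camera)."""
    scale = math.dist(points["left_eye"], points["right_eye"])
    return [math.dist(points[a], points[b]) / scale for a, b in combinations(LANDMARKS, 2)]

def similarity(sig_a: list, sig_b: list) -> float:
    """1.0 for identical geometry, falling toward 0.0 as the relative distances diverge."""
    diffs = [abs(x - y) / max(x, y) for x, y in zip(sig_a, sig_b)]
    return max(0.0, 1.0 - sum(diffs) / len(diffs))

def reposed(points: dict, scale=1.0, angle_deg=0.0, dx=0.0, dy=0.0) -> dict:
    """The same face photographed farther away (scale), tilted (angle) and shifted."""
    a = math.radians(angle_deg)
    out = {}
    for name, (x, y) in points.items():
        rx, ry = x * math.cos(a) - y * math.sin(a), x * math.sin(a) + y * math.cos(a)
        out[name] = (rx * scale + dx, ry * scale + dy)
    return out

def one_to_one(probe: dict, reference: dict, threshold=0.80) -> bool:
    """Live capture against the passport photo: one comparison, pass/fail."""
    return similarity(signature(probe), signature(reference)) >= threshold

def one_to_many(probe: dict, watch_list: dict, threshold=0.80) -> list:
    """Live capture against a watch list: every enrolled face at or above the
    threshold, best score first, for an operator to confirm visually."""
    probe_sig = signature(probe)
    hits = [(name, similarity(probe_sig, signature(p))) for name, p in watch_list.items()]
    return sorted([(n, round(s, 3)) for n, s in hits if s >= threshold], key=lambda h: -h[1])

# Constructed pixel coordinates, not real measurements.
FACE_A = {"left_eye": (100, 100), "right_eye": (160, 100), "nose_tip": (130, 140),
          "mouth_left": (110, 175), "mouth_right": (150, 175), "chin": (130, 215)}
# A clearly different person: narrower eye spacing, longer face.
FACE_B = {"left_eye": (110, 100), "right_eye": (150, 100), "nose_tip": (130, 150),
          "mouth_left": (112, 190), "mouth_right": (148, 190), "chin": (130, 240)}
# A look-alike of A: same skull proportions apart from a slightly longer nose and chin.
FACE_C = {"left_eye": (100, 100), "right_eye": (160, 100), "nose_tip": (130, 145),
          "mouth_left": (110, 175), "mouth_right": (150, 175), "chin": (130, 220)}
WATCH_LIST = {"subject_A": FACE_A, "subject_B": FACE_B, "subject_C": FACE_C}

if __name__ == "__main__":
    live = reposed(FACE_A, scale=0.5, angle_deg=15, dx=300, dy=50)  # A, far away and tilted
    print("1:1 against own passport photo:", one_to_one(live, FACE_A))
    for threshold in (0.80, 0.97):
        print(f"1:N at {threshold:.0%}:", one_to_many(live, WATCH_LIST, threshold))
```

Run it and the watch-list search at 80% returns both subject_A and the look-alike subject_C, while at 97% only subject_A survives. That is the trade-off an operator lives with: a lower threshold catches more people who merely resemble someone on the list, a higher one risks missing a genuine match taken from a poor source photo, which is exactly why the text describes the computer flagging candidates and a human doing the final comparison.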

Part III

In Part II, I covered the basics of facial recognition, the biometric piece of the e-Passport, and how the technology works and is implemented. Unless you have never had a government photo taken of you in your adult life, or are willing to alter the bone structure of your face, the technology will probably be able to match you fairly accurately. In these parts, I cover the technical details of the e-Passport itself. It gets a bit dry. I cover document security, chip technology, encryption, and data security. So if the technical readouts of this battle station are of no interest, I won’t get my feelings hurt if you skip parts III and IV. Neither will the dead Bothans. Promise.

The Passport

The goal of the passport specifications as developed by ICAO is, quite simply, to create the most secure document in the world. No small undertaking, and quite a distant goal to meet, but that’s the goal, and they’ve made some effective decisions to try and reach it.

Now, anyone who has studied security in any depth probably realizes that nothing is secure. Security is a measure of how expensive it is to thwart the security measures. Previously, thwarting passport security was a fairly cheap endeavor. My current passport is a simple printed booklet with a paper photo laminated into the inside cover. I could probably create one with a decent photo copier, some scissors, and a laminating machine. But the new passport specs are designed to be more difficult to forge, tamper with, or steal than ever before. It will be easier to counterfeit money than to counterfeit a passport.

The physical e-Passport.

There are three threats to the security of the e-Passport; forgeries, falsifications, and illegal issuance. Forgeries involve the complete creation of a false passport. Falsifications take an existing legally issued passport and change the data on it. And illegal issuance is to convince the government to actually issue a legal passport to someone they didn’t want to, or to steal blank passports and issue them fraudulently.

The substrate of the passport, the paper itself, is strongly recommended to include several features that you’ll probably recognize from all the Monopoly™ money floating around the globe nowadays. UV reactive paper lights up all special and pretty under an ultraviolet lamp. Dual-tone watermarks are difficult for all but the top-end photocopiers to duplicate. Chemical reactions like those special pens they use to check a $20 can be built into the paper. Fluorescent fibers, colored flecks, and plastic threads are all options to make it difficult to reproduce legitimate looking passport paper.

An example of UV reactive, chemically sensitive substrate with security threads.

The printing on the passport is also subject to a wide variety of security methods. These include background art and text, often in rainbow colored print. There can be UV printing that is invisible to the naked eye but shows up clearly under the same UV lamp. Micro printing and printed watermarks are also included. In addition, today’s printing techniques allow all of the above to be personalized to the passport. So there could be the bearer’s name micro-printed or UV-printed into the paper. Or perhaps the background art includes a UV version of the photograph. Personalization makes it impossible to get a generic template for the printer to run off a bunch of legitimate looking passports, because each one must be customized. And printing the data for the passport is not printing on the paper, but into the paper, laminate, or plastic. The result is that an ink-jet printed passport actually has ink injected into the substrate. You can’t scrape the ink off without damaging the paper, and the paper changes color and shows tampering very easily. Laser engraving into the laminate offers the same challenges, particularly when that laser engraving is personalized.

An example of laser engraving into the laminate.

And of course, there are the neat-looking OVDs, or Optical Variable Devices such as holograms and foil printing. Previously we’ve seen OVDs on credit cards where they are a generic template. But on the passport, the OVDs can also be personalized, commonly to be either a hologram of the photo or even the entire visual passport. Another twist on this is using lasers to print refractive OVDs into the laminate of the data page. Obviously this all requires some very specialized equipment. Not so obviously, the equipment isn’t very big, and would fit fully assembled onto an average sized dinner table.

An example of a personalized OVD.

Obviously these measures make forging or altering a passport much more expensive and difficult than previously. And that leads us to the weakest link in the chain, by ICAO’s own admission, fraudulent issuance of a real passport.

As in all automated systems, and all security systems, and indeed, all systems anywhere and everywhere, human beings can be either the strongest or the weakest link in the chain. In order to secure against the fraudulent issue of legitimate passports, governments are encouraged to greatly tighten their issuance security at every point. From the ordering and storage of passport materials to the printing process to the application processing agents, they need to maximize security. They are also encouraged to make multiple people responsible for the approval of a passport so that anyone wanting to bribe their way into a fraudulent passport must bribe two or three or five people instead of just one.

Additionally, governments are encouraged to track all passports from cradle to grave, including spoiled and blank passports. Interpol’s I-24/7 Stolen and Lost Passport database will track any and all non-valid passports and is already in operation catching criminals with false passports today. And the passport itself is protected against unauthorized issuance by the RFID chip embedded within it. And that, in turn, leads us to the digital technology.

Part IV

Part III covered the physical design and security of the e-Passport. In Part IV, I cover the RFID chip, the logical data system, and the digital security features. More technical read-outs. No wamp-rats.

ISO 14443 Contact-less Integrated Chip

The International Standards Organization has specification 14443 for contact-less chip design for identification. The detailed technical specs of this design are available on their site for a fee, if anyone is interested. ICAO took this specification and narrowed it down to make the passport specifications universally applicable across all the member nations.

It is a radio-frequency ID chip, that’s the contact-less part. Mandatory minimum data size is 32K, although 64K is recommended, and some countries are implementing even larger storage capacities for their own purposes.

ICAO has specified the LDS, or Logical Data System, so that all countries will lay out the data on the chip the same way. The LDS consists of 16 data groups. And here they are:

1. MRZ – the same data that is in the Machine Readable Zone visible on the passport. Mandatory.

2. Facial image sample – this is the mandatory digital photograph sample to be used for facial recognition. Usually about 20K in size. Conforms to ISO image standard SC37.

3. Fingerprint image sample – Optional storage for fingerprint biometrics, should the issuing country choose to include it. Also ISO SC37 standard.

4. Iris image sample – Optional storage for iris biometrics, should the issuing country choose to include it. Also ISO SC37 standard.

5. Secondary facial image storage – Optional storage of a second image. This is for profile images, angled images much like the multiple angles taken for mug shots. Not SC37 standard as this will be country-specific (think National ID images).

6. Reserved.

7. Signature image storage – Optional image of the bearer’s signature.

8. Substrate security features – Optional. This tells a chip reader what security measures to look for in the paper.

9. Data structure security features – Optional. This tells a chip reader what security measures to look for in the data structure.

10. Data security features – Optional. This tells a chip reader what security measures to look for in the data itself.

11. Additional personal details – Optional name, alias, address, or document numbers. This is stored in national characters (whereas the rest of the document is stored in the Latin alphabet). This means that Arabic language names or Kanji could be reproduced accurately in the native alphabet and length here.

12. Additional details about the document – Issuing agency, issue date, image of the document, observations, and amendments. Also in national alphabet instead of Latin.

13. Optional data field – Anything the country wants to put here.

14. Reserved.

15. Active Authentication Public Key (in the future, this will be used to verify an authorized reader is attempting to access the chip).

16. Emergency contact information – People to contact in case of emergency and their contact information.

In addition, there are six Secure Object Data fields that are stored in the protected memory of the chip. This is where the hash values and private keys for the encryption are stored.

So as you can see, there’s quite a bit of potential in these chips. Lots of room for governments to add what they want, and many of them are taking advantage of it. Germany is using the fingerprint field and the optional fields to tie their e-Passport to their National ID. Other governments will use them to tie into social service accounts and records. We can probably expect that someone will tie it into medical records.

But how is this chip authenticated and secured? So glad you asked.

Hashes, Encryption and Keys, Oh My!

The data on a passport includes a hash value of the data in the MRZ (Machine Readable Zone). What is a hash value? Pretty simple concept. A hash takes a string of characters and performs a calculation on them to get the hash value. For example, if we say each letter of the alphabet’s numeric value is its position, A = 1, B = 2, C = 3, and we have a hash formula of +4, then the hash value of “ABD” = 568, because A (1) + 4 = 5, B (2) + 4 = 6, and D (4) + 4 = 8. Usually hash formulas are far more complicated than that, but that’s the idea.

So the passport contains the data, plus the hash value of the data. If you want to verify that the data hasn’t been changed, you take the data, perform the hash calculation on it, and check and see if it is the same as the hash value stored on the passport. So in our example, if the hash value presented is 568, but the data on the passport is ABC, when we apply +4 to ABC we get 567 as a result, which is different from 568, and we know the data has been changed. Of course, the key to this is keeping the hash formula a secret. If the formula gets out, a counterfeiter could alter the data, apply the formula, and then alter the hash value to match the forged data.

So the next step is to secure the hash value. This is done by encrypting the hash value with a 2048-bit encryption scheme. If you’re familiar with PGP, this stuff is the same. The hash is encrypted with a 2048-bit private key, which can only be unlocked using the appropriate public key. So when a government issues a passport, it calculates the hash value, and then encrypts it with its ultra-secure private key. That private key is recorded in the inaccessible-to-all-but-itself private memory of the chip (any hackers feel their Spidey-sense tingling?).

When a reader wants to validate a passport, it looks at the data on the passport and applies the hash calculation. Then it takes the country’s public key and uses it to try and open the encrypted hash value stored in the passport. The chip matches the public key presented by the reader to the private key stored in secured memory and if they match, decrypts the hash value. The reader then compares the two hash values to see if they match.
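The issue-and-verify flow of the last three paragraphs, as an added example that is not from the original post: the issuer hashes the MRZ and encrypts the hash with its private key, the reader recomputes the hash and opens the stored value with the public key. It uses SHA-256 and a constructed toy-size RSA key pair in place of the 2048-bit keys, and the MRZ lines are constructed; it also shows why recomputing the hash over altered data does not help a forger who lacks the private key.

```python
import hashlib

# Constructed toy RSA key pair for illustration: two Mersenne primes give a
# ~92-bit modulus. Real issuers use 2048-bit keys as the text says; the flow
# is identical, only the numbers are bigger.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                              # public exponent, published via the PKD
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the issuer

# Constructed sample MRZ lines (name line + data line; check digits not real).
MRZ = ("P<UTODOE<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
       "X1234567<8UTO8001017M2501012<<<<<<<<<<<<<<00")


def mrz_hash(mrz: str) -> int:
    """Hash the MRZ with SHA-256 (a public function) and reduce it into the
    RSA modulus so the toy key can sign it."""
    digest = hashlib.sha256(mrz.encode("ascii")).digest()
    return int.from_bytes(digest, "big") % N


def issue(mrz: str) -> tuple:
    """Issuing country: compute the hash and 'encrypt' it with the private
    key. The chip stores the data together with this signature."""
    return mrz, pow(mrz_hash(mrz), D, N)


def verify(chip_mrz: str, signature: int, public_key: tuple = (E, N)) -> bool:
    """Border reader: recompute the hash from the data on the chip, open the
    signature with the country's public key from the PKD, and compare."""
    e, n = public_key
    return pow(signature, e, n) == mrz_hash(chip_mrz)


if __name__ == "__main__":
    data, sig = issue(MRZ)
    print("genuine passport verifies:", verify(data, sig))
    forged = data.replace("JOHN", "JOAN")
    # Altering the data breaks the match with the stored signature ...
    print("altered data, old signature:", verify(forged, sig))
    # ... and recomputing the hash does not help: the reader expects a
    # signature, which only the holder of D can produce.
    print("altered data, recomputed hash:", verify(forged, mrz_hash(forged)))
```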

So who secures the public keys? I am utterly ecstatic that you asked.

The public keys are shared among the issuing countries and to ICAO in what is called the Public Key Directory (PKD). This is a wide open directory of keys and anyone can download all the keys. Anyone. You, me, Joe Blow. This is because the keys are used to authenticate the data on the passport, not provide privacy protection.

Did you get that?

The idea is that anyone who needs to validate your passport can download these keys and use them to check that the passport was authentically issued and that the visible and machine readable data matches the data stored on the chip.

What’s to keep someone from using the public keys to reverse engineer the private keys and make their stolen passports authenticate? Fantastic question. My giblets quiver with joy. The ICAO PKD also keeps the Country Certificate Authority, which validates that the public keys are still valid. The recommendation is that each key be used for 90 days or a couple hundred thousand passports. When using a public key to decrypt a passport, the software should validate the key is still usable with ICAO. If the key is compromised, the validation fails and the software notifies the operator that the passport may be compromised as well. Yes, this means that if someone hacks a public key, several hundred thousand people will get pulled aside when they try to use their passports for extra special questioning.

So who secures the Country Certificates? Lots of men with lots of guns, knives, and sharp, pointy sticks. You knew it would come to that. It always does.

So what about privacy, now that I’ve brought it up?

Privacy was one of the biggest complaints about RFID-enabled passports brought to bear by critics. And while the solution is not perfect, it does appear to satisfy at least some of the complaints.

ICAO recommends (recommends, not mandates) that e-Passports be designed with Basic Access Control (BAC) in mind. Basic Access Control is designed to prevent skimming of the passport. Skimming is what they call it when someone with a chip reader in their pocket waves it over you hoping to trigger the RFID chip and capture its data surreptitiously. BAC consists of two protections. One is that the front and back cover of the passport be lined with aluminum to shield the chip; an honest-to-goodness, official, tinfoil hat. This means that the book must be opened in order to transmit energy to the chip. The other part is the implementation of a read key consisting of the MRZ. The idea is that not only does the book have to be opened, but the Machine Readable Zone must be scanned and transmitted to the chip accurately before the chip will respond to requests. So even if your passport is open in your pocket, a skimmer wouldn’t be able to send the right sequence of characters to open the chip unless they were able to accurately predict the data in your passport right down to the check digits in the MRZ. Most countries are including BAC in their passport design. Some are not.
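The MRZ-derived read key described above, as an added example that is not from the original post: it computes the ICAO Doc 9303 check digits (weights 7, 3, 1; letters A-Z count as 10-35, the filler as 0) and the BAC key derivation from document number, date of birth and expiry date with their check digits. The sample field values are the ones used in the worked example of ICAO Doc 9303 (Part 11 in the current edition); everything else is stdlib Python.

```python
import hashlib

# Sample MRZ fields: the values used in the worked example of ICAO Doc 9303
# Part 11 (document number, date of birth, date of expiry as YYMMDD).
DOC_NO, DOB, EXPIRY = "L898902C<", "690806", "940623"


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, letters A-Z as
    10-35, the filler '<' as 0; weights 7, 3, 1 repeat; take the sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_no: str, dob: str, expiry: str) -> str:
    """Everything a BAC reader must get exactly right: the three fields,
    each followed by its check digit."""
    return "".join(f + str(check_digit(f)) for f in (doc_no, dob, expiry))


def adjust_parity(key: bytes) -> bytes:
    """3DES keys carry odd parity in the least significant bit of each byte."""
    return bytes((b & 0xFE) | int(bin(b & 0xFE).count("1") % 2 == 0) for b in key)


def bac_keys(doc_no: str, dob: str, expiry: str) -> tuple:
    """Derive Kseed, Kenc and Kmac as Doc 9303 specifies: Kseed is the first
    16 bytes of SHA-1 over MRZ_information; each session key is the first 16
    bytes of SHA-1 over Kseed plus a 32-bit counter (1 = enc, 2 = mac)."""
    seed = hashlib.sha1(mrz_information(doc_no, dob, expiry).encode("ascii")).digest()[:16]
    keys = []
    for counter in (1, 2):
        h = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_parity(h[:8]) + adjust_parity(h[8:16]))
    return seed, keys[0], keys[1]


if __name__ == "__main__":
    kseed, kenc, kmac = bac_keys(DOC_NO, DOB, EXPIRY)
    print("MRZ_information:", mrz_information(DOC_NO, DOB, EXPIRY))
    print("Kseed:", kseed.hex())
    print("Kenc: ", kenc.hex())
    print("Kmac: ", kmac.hex())
```

Doc 9303 publishes the expected Kseed, Kenc and Kmac for exactly these inputs, so the printed values can be checked against the standard; note that the whole key is determined by those three printed fields and nothing else.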

The other threat to privacy that ICAO acknowledges is the threat of eavesdropping, this being where, while a legitimate authority (boy, do I hate that phrase) is reading your passport’s chip, someone with a hidden reader nearby is also receiving the transmission. Unfortunately, the recommendation to protect against this threat is a little weaker and consists of, “Make sure you buy passport readers that are shielded from eavesdropping”, thus putting you and me at the mercy of government competence and forethought. You can sense my confidence all the way over there, can’t you?

Unfortunately, ICAO, being a governmental agency, seems to have a rather convenient blind spot regarding privacy. Yes, they’ve selected standards and recommended guidelines that help protect my passport data from you, and you from me, but nothing, absolutely nothing, addresses the fact that a few million government agents at entry-level grunt-work border and security jobs will have access to our data through one of the most potentially abusive data networks in the world. They simply assume that each and every one of us can trust each and every one of them with our absolute holistic transnational identities. And considering the security levels in place, how hard do you think it will be to prove “them” wrong if someone on the inside abuses the system?

Yeah, that’s my thought too.

Part V

Parts III and IV covered the details of the e-Passport, including the security measures of the physical book and the digital design of the chip. In this concluding part, I speculate, postulate, and theorize on where it’s all going and what we can do about it. You might want to have a drink handy. No, not that drink, a real drink.

The Crystal Ball

This is the fun part. Speculation, rhetoric, paranoia. Love it, love it, love it.

All of this will be implemented from two directions. Scratch that, is being implemented from two directions. From one direction you will get the “justified” version: International arrivals on flights and border control. From the other side you’ll get security around social events and infrastructure. How ubiquitous is the corporate ID badge? It’ll get there too, eventually.

On the travel side you will soon see e-Passport readers on Customs agents’ desks. That’s guaranteed. Also guaranteed within the next two or three years is that you will see kiosks to check-in for flights where you put your e-Passport into the slot and it automatically takes your picture, validates, and prints your boarding pass. Most likely, your boarding pass will include your biometric data as well, so that you don’t give it away before you board the plane, you naughty, naughty boy.

IATA, the International Air Travel Association, AKA, the Airline Cartel, is miffed with this whole development, because they were never invited to the party. Airlines are seen as the first line of defense against criminals among international travelers, and so they are expected to take on the expense of outfitting every check-in terminal and border station with e-Passport readers, e-Passport enabled kiosks, biometric boarding passes and who knows what else. This will put an even greater burden on your airline employees as they take on an ever burgeoning role as border-agents-with-a-union-paid-smile. Of course, IATA, which decides how much all airlines will charge for international travel (Can you say price-fixing? I knew you could.) will have to pay for these multi-million dollar infrastructure upgrades and angry, frustrated, impatient passengers somehow. The costs are already being reflected in the cost of the e-Passport itself, which is leaning towards a near universal doubling in price. You and I will pay for it through higher prices on the ticket and possibly service fees and aggravation and profiling. But folks who trust their government will love the faster lines and easier check-in, even if it costs them their privacy, dignity, and pocketbooks.

And where it’s implemented internationally, it’s only a hop and skip and reach-around to require it domestically, although this might be harder in the US since Real ID doesn’t conform to the e-Passport specifications. Give it time. Once there are enough e-Passports for the airlines to justify their business cases, the model will be developed and it will scale up and down to all different areas and settings.

Almost all major sports events and social gatherings will soon have real-time cameras scanning faces and matching against criminal databases. It’s been field tested and it works. The Olympics, the US Open, the Super Bowl have all had successful facial recognition profiling systems in operation in the past two years.

What is really disturbing is that ICAO openly admits that the facial recognition and watch-lists are effective on their own. In fact, they recommend that countries use negative facial recognition testing as a solution to criminal border crossings. In other words, they recommend that, in the interim, while they only have criminals and not everyone in the system yet, countries simply use the system to make sure you’re not on the watch-list. This strongly suggests that, if the purpose of facial recognition is to catch criminals, the mug shots and negative testing against the watch-lists are all that is necessary. But ICAO emphatically wants everyone to move forward with positive identification of this holistic, transnational identity. All that they need is, “You are not Osama.” That’s all they need. But they want, specifically, to positively identify you, even if you don’t remotely match anyone on a watch list. Why is that, do you think?

Non-digital databases of mug shots will eventually be digitized and added to the global databases. Political rights activists may be able to slow down the adding of driver’s license and other state-created photo IDs, but eventually, I bet it happens.

The technology needs some improvements (speed), but it’s only a road bump to facial recognition on the highways. On the plus side, this might reduce the number of minor traffic stops to fish for criminals, as the cameras will simply notify the cops which cars to chase when they get a near match. Joe American will love it because he gets surveilled more but probably hassled less, and that’s just cool with him. But that assumes your normal traffic stop is actually to fish for criminals and not just a revenue generator. (Was that a collective sigh I heard?)

In fact, so far, everyone I’ve discussed this with seems to love the idea of just scanning their passport and walking onto a plane. The efficiency it provides far, far outweighs any concerns they have over privacy or tracking, even when they are the ones to mention “Big Brother” first. Apparently Big Brother is just fine and the hash result of 2 + 2 is five.

What can you do?

To be honest, I’m not sure. They’ve covered many of the bases. There is no public recourse for this, it’s a done deal. There’s no one to punish, these aren’t elected officials. Anyone who needs or wants a passport that doesn’t reflect their day-to-day identity better already have their alias identity well established. That is the weakest point in the system. Somehow, they have to get those initial biometrics and identities matched up. That’s the opportunity, and you get only one shot at it. Did I mention that one of the checks they do when issuing an e-Passport is to validate that no other e-Passport has been issued with matching biometrics? No double-issuance here.

Even if you get your assumed identity set up with an e-Passport, you’ll only be able to travel under that identity. It will become your holistic, transnational identity, even if it’s not the name your kids call you. Your false identity could easily eclipse the validity of your real identity, and I can only guess at the kind of craziness that could generate. I can just see a bevy of private individuals with successfully false e-Passports on the day the e-Passport and the national driver’s licenses are married together with the bank records and IRS tax rolls and the same biometric shows up on three identities and trips several dozen alarms across a thousand government and corporate databases while they fill up the tractor at the bio-diesel station that just installed a networked photo camera to comply with their insurance policy.

For myself? I came in late to the game, and my state has had digital photos on driver’s licenses for years. I can only assume I’m already compromised. So I’m going to try and stay away from airports and buy a big, floppy, sexy hat.
