US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage

from the total-failures dept

Ron Wyden is at it again. Sending pesky letters to government officials who appear to be completely falling down on the job. The latest is asking Customs and Border Patrol why it's still not verifying the e-passport chips that have been in all US passports -- and in all countries on the visa waiver list -- since 2007 (hat tip to Zach Whittaker). The letter points out that the US government pushed hard for these chips... and then never bothered to check to make sure no one has tampered with them.

The U.S. government played a central role in the global adoption of e-Passports. These high-tech passports have smart chips--which store traveler information--and cryptographic signatures, an important security feature that verifies the validity and legitimacy of the passport and its issuing government agency. For more than a decade, the United States has required that countries on the visa-waiver list issue machine-readable e-Passports. Since 2015, the United States has further required that all visitors from countries on the visa-waiver list enter the United States with an e- Passport. Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.

To be clear: it's not that CBP doesn't use the chips at all. It does download the info from the chips. But it ignores the cryptographic signatures and doesn't verify that the information hasn't been tampered with. Incredibly, the letter notes that CBP was informed of this problem all the way back in 2010 by the GAO, but has still not done anything about it.

CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use to download data from the smart chips in e-Passports. However, CBP does not have the software necessary to authenticate the information stored on the e-Passport chips. Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged. CBP has been aware of this security lapse since at least 2010, when the Government Accountability Office (GAO) released a report highlighting the gap in technology. Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports.

As with a number of recent letters that Wyden has been sending that touch on areas around the government falling down when it comes to encryption, I'm assuming that this latest one comes from the work that Chris Soghoian is doing since being hired full time to work for Senator Wyden. Soghoian spent years calling out bad encryption practices of all sorts of organizations in the past, and it's nice to see that he's now able to (hopefully) shame the government into doing things better as well.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cbp, e-passports, passports, ron wyden, smart chips, verification