Privacy advocates fret over electronic passports
Ellen Simon, The Associated Press 2004-11-21

The United States hasn't issued any microchip-equipped passports yet, but as the Department of State tests different prototypes, the international standards for the passports are under fire from privacy advocates who worry the technology won't protect travelers from identity thieves.

Privacy advocates fret over electronic passports 2004-11-22
Roger
Schneier had some interesting comments on this in his latest CryptoGram. His one-line summary: "quite simply, it's a bad idea".

Quite apart from identity theft, some of the criminal abuses which will find this to be a handy "enabler technology" include muggers hanging around near airports or hotels, being able to remotely select victims on the basis of nationality; and terrorists building a bomb which detonates when approached by persons of a particular nationality or race.

Another issue is that this design may actually *lower* border security. If the data presented by the chip is not cryptographically authenticated in some way, then it will be trivial to present forged information - much easier than modifying an official paper document. One could, for example, present one's correct photograph with a false name. And if border control officials come to rely on the presented biometrics instead of the document, outright forgery will become much easier. Of course, if the contents *are* cryptographically signed (which doesn't seem to be under consideration at the moment), that raises the whole hairy issue of key management for hundreds of countries using the system, and tens of thousands of ports-of-entry distributed across the dusty corners of the globe.

As for identity theft - even in the unlikely event that everyone keeps their passports wrapped in foil (something which the public will probably associate with acute paranoia), a temptation will be created for those with legitimate access to record the data. A set of several million records would then be ideal for an identity forger: use face recognition algorithms to find the dataset which most closely resembles your client, and issue a smartcard with that data. Then you've got a pretty good fake ID even if it's digitally signed. The obstacle faced by the forger at this point is creating the paper to go with the chip - exactly the same problem he had before the chips were introduced, only now the paper probably won't be scrutinised as carefully.

To some degree these problems could be eliminated by encrypting the data as well as signing it. But this creates an even hairier key management issue than signatures alone. Now, every border control officer in the US at least - and probably internationally as well - needs access to decryption keys, or the system is useless. With such widespread access, it won't be long before you can download a "passport decryptor" from the 'net.

Most of these risks are created not so much by making the passport machine readable, as by allowing remote access to the data. You have to ask, if it is recommended that for safety we keep our passports shielded (thus eliminating the possibility of in-motion scanning), what is the point of creating all this security risk by using a contactless technology at all? True, contactless smartcards have a lower failure rate than conventional contact pads. But given the low frequency with which most people use their passports (annually, if that), is that really enough of an issue to be a major design driver?

However, the bottom-line issue with these is that they are solving the wrong problem. Spotting completely forged passports is already a manageable problem, and border control officials have an excellent record in doing so. The real issues are these:

1. Adequately verifying identities before issuing ID documents. In most countries, it's just too easy to get real, valid, officially issued ID documents in a false identity. Adding biometrics to your valid-but-fake passport will make no difference to this.

2. The penalties for presenting a false passport are too mild (usually, just deportation, so all you lose is the air fare), so it's worthwhile making the attempt even though the odds of success are low.


Link to this comment: http://www.securityfocus.com/comments/articles/9981/29162#29162
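
The comment above separates three cases: unsigned chip data, signed data that has been altered, and signed data that has been copied verbatim. The following is an added example, not part of the original article or comment, showing what an issuer signature check does and does not catch. It assumes a toy textbook-RSA key in place of a real signature scheme, and the record fields and function names are made up for illustration.

```python
import hashlib
import json

# Toy issuer key for illustration only (assumption): textbook RSA over two
# known Mersenne primes, no padding. A real issuer would use a vetted scheme.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(record: dict) -> int:
    """Hash a canonical encoding of the chip record into the range [0, N)."""
    blob = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def issue(record: dict) -> dict:
    """Issuer side: attach a signature over the whole record."""
    return {"record": record, "sig": pow(digest(record), D, N)}


def verify(chip: dict) -> bool:
    """Border side: needs only the issuer's public key (N, E)."""
    return pow(chip["sig"], E, N) == digest(chip["record"])


def demo() -> dict:
    # Constructed sample record; field names are hypothetical.
    genuine = issue({"name": "ALICE EXAMPLE", "nationality": "UTO",
                     "face_template": "a3f1c0"})
    # Case 1: same biometric, different name, original signature reused.
    altered = {"record": dict(genuine["record"], name="MALLORY EXAMPLE"),
               "sig": genuine["sig"]}
    # Case 2: a byte-for-byte copy of recorded chip data.
    copied = {"record": dict(genuine["record"]), "sig": genuine["sig"]}
    return {"genuine": verify(genuine), "altered": verify(altered),
            "copied": verify(copied)}


if __name__ == "__main__":
    print(demo())
```

The altered record fails verification while the verbatim copy passes: the signature binds the fields to the issuer, not to the physical chip or its holder.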

Copyright 2009, SecurityFocus