Security issues in epassports : ICAO standard and national implementations as part of the US visa-waiver program

Abstract

After the 9/11 terror attacks against the US there have been concerns about how to positively identify every individual entering a country. As a direct result ePassports are now being issued in several countries all over the world. The International Civil Aviation Organization (ICAO) has developed the internationally applied standard for ePassports. The ICAO standard provides a guideline for what features that could or should be implemented in these passports. During the process of updating the standard several experts within security and privacy have argued that the standard is to weak. The ePassports include biometrics and other personal information on a RFID chip. The fact that the information is now available on an RFID chip provides more security concerns than if the information had only been available in the machine-readable zone and at the data page. The chip itself provides some possible security and privacy problems like issuance, encryption, read range and so on, but there are also other aspects to consider with implementation of RFID. If RFID is implemented it is very likely that a national or international database containing personal information about passport holders will also be implemented. This is because it is easier and faster to check travel history, criminal records and so forth if the passport is electronic crosschecked against the database. In addition, it will greatly increase the difficulty of passport fraud. If this database is to be implemented it is highly important that the security around it is the best it can be. In our studies we have found that the continuous work with the ICAO standard for Machine Readable Travel Documents will probably give a thorough revised and considered result. Even though we find it somewhat disturbing that there are so many aspects brought to the group’s attention by other security and privacy experts. As the US has pushed for use of biometrics in passports through the US VISA-Waiver Program, more and more countries find it useful to implement biometrics. Biometric features in passports will give a fairly accurate identification rate; especially if the applied biometric is fingerprints or iris scan. All ICAO members have to implement Machine Readable Passports (MRPs) by 2010, and we believe that many of these countries, if not all, will enhance it with biometrics in that period of time.