US federal officials, eager to step up controls on people entering the country, are preparing to issue passports with embedded personal and face-recognition data. A good plan to increase security it may be, but poorly executed it will put individuals’ privacy at risk.
The US Department of Homeland Security has spent the past six months testing biometric passport prototypes and wants to roll out the new technology as soon as possible.
The passport's chip will store more than just the holder’s name. It will store biometric facial recognition scan data to help a computer recognise the holder by – for instance, the distance between their eyes. It'll also contain a passport photo in digital form, as well as personal data including name, birth date and birthplace, gender and passport number.
Other countries, as well, are adopting passports with electronic data, under a specification developed by the International Civil Aviation Organisation (ICAO). The organisation has created the specifications for most of the world's passports for more than 50 years.
US Homeland Security officials say that the new passports go a long way toward preventing people from using another person's passport. The passports also permit touchless data transfer, meaning that a passport agent can collect the data without connecting the passport's chip physically to a computer. The US wants all travel documents to have touchless technology by 2006.
Unfortunately, in the case of the US passports, the personal information is stored in unencrypted form. Worse, touchless technology might let someone with the right equipment read the personal information at a distance.
Officials are developing workarounds to prevent so-called skimming, but until they do, the contactless technology poses a threat. Instead, officials should use smart cards that must be physically connected before they'll divulge their data. Issuers should also encrypt the data included on a passport.