A biometric passport is a traditional paper passport embedded with a microprocessor chip and antenna that contains biometric information used to identify the holder. The microprocessor chip and antenna combination is usually a radio-frequency identification chip (RFID) and uses radio waves to trade information with a reader. The RFID chip in a biometric passport typically contains all the information printed on the physical document as well as a digital facial image. This type of passport is believed to prevent forgery and make it faster and more secure for travelers to move between countries, but some argue that the use of RFID chips infringes on civil liberties.
The development and implementation of biometric passports began in approximately 2003. In that year, the International Civil Aviation Organization adopted a plan to roll out machine-readable passports with RFID chips. All 188 member nations, including the United States, were bound by the plan. The first American biometric passport was issued in 2005.
It is difficult and expensive as of 2011 to forge the chip embedded in a biometric passport because Public Key Infrastructure is the data authentication system in use. In addition to a digital facial image, RFID chips may also contain fingerprint and iris information. These images stored on the chip are compared to the features of the person claiming to be the holder during identification procedures at borders or in customs.
Due to concerns about forgery, all the information a biometric passport’s RFID chip contains is not public. Generally, the chip includes an identification number printed on its surface and a digital signature. These two numbers are stored in a database and associated with the passport holder’s personal information. The information stored in the RFID chip cannot be changed; if the holder’s data changes, he or she will need a new passport and may have to pay a processing fee.
The chip in a biometric passport is equipped with certain protections to deter forgery. Some chips are given random chip identifiers to prevent tracing. Basic Access Control requires the reader to provide a key before chip data can be accessed, while Passive Authentication prevents the data from being modified. Cloning of the chip is deterred with Active Authentication. If the chip includes fingerprint and iris data, Extended Access Control (EAC) will be used for its strong encryption; EAC became mandatory in the European Union in June 2009.
Despite these protections, there have been several demonstrated vulnerabilities in biometric passport chips. Marc Witteman revealed in 2005 that some passport document numbers are predictable, making it simpler to guess the chip’s encryption key. EAC, Passive Authentication, and Active Authentication have also been the targets of successful attacks in Britain and other nations.
Some organizations contend that the chips can be read wirelessly from a distance by anyone with the proper equipment. Such vulnerabilities have led privacy activists to argue that contact cards should be issued instead of biometric passports. A contact card is read by swiping it through a reader like a credit card, thus eliminating the possibility of someone reading chip information from far away. Other nations have adopted contactless smart card technology rather than the RFID chip.
A biometric passport issued in the European Union has digital imaging and fingerprint scan information on the chip as of 2011, with some exceptions for individual member states. Many other nations now issue biometric passports, including Canada, Switzerland, and Singapore. Nations without the required technological capability and infrastructure will necessarily delay implementation.