EE Times

U.S. e-passport plan raises tech, diplomatic hackles

July 16, 2004

By Junko Yoshida

PARIS — The U.S. Department of Homeland Security will host a testing event for electronic passports featuring biometric data next week, opening a can of technological worms that will tax the ingenuity, patience and diplomacy of dozens of national governments, chip vendors and reader manufacturers.

Foremost among the questions raised by the three-day meeting in West Virginia is whether the world is ready to meet even the extended deadline — a little more than one year from now — that the U.S. government has set for 27 visa-waiver countries to issue biometrically enabled, machine-readable passports if their citizens are to visit the United States.

Acknowledging that two past deadlines were unrealistic, the U.S. House of Representatives last month voted to grant visa-waiver countries — which include most of Europe, Japan, Singapore, Australia and New Zealand — until Oct. 26, 2005, to deploy biometrically enabled passports. The bill has yet to be debated in the Senate. Because of the difficulty of marshaling the appropriate technology, the Bush administration favors a deadline of November 2006. "Rushing a solution to meet the current deadline virtually guarantees that we will have systems that are not interoperable," said Secretary of State Colin Powell in urging Congress to delay the legislative deadline by two years. Testifying before the House Judiciary Committee in April, Powell added, "Such a result may undercut international acceptance of this new technology as well as compound rather than ease our overall challenge."

Indeed, implementing biometrics technologies on a global scale "is a huge task," said Joseph Kim, senior consultant at International Biometric Group, an independent consulting firm based in New York. Congress, he added, passed the legislation based on "a misconception of how standardized the technology is."

The biometric industry aggravated the problem by overpromising its technology amid the national post-9/11 angst. That contributed to unwarranted optimism among U.S. policymakers about the availability of bug-free electronic passports. Vendors eager to win contracts insist on the readiness of their wares, but the biometric products in question have undergone no field-testing. "Without gaining real experience and getting more data, we won't know how far we are and how good we are," said Andreas Raeschmeier, general manager of the financial and ID division of STMicroelectronics.

In addition, the unilateral U.S. mandate has ruffled feathers among U.S. allies. Because 20 of the 27 countries in the Visa Waiver Program are in Europe, the European Commission is expected by year's end to develop new specifications for European passports that will, like those issued by the United States, adhere to standards set by the International Civil Aviation Organization (ICAO).

However, Europe is determined not to be railroaded by Washington in the areas of data protection and privacy, said industry sources and policymakers here, who spoke on the condition of anonymity. "Europe cannot stop the [U.S.] train, but at least we want to be able to decide what to put in the train," said Detlef Houdeau, senior director of the Secure Mobile Solutions business group at Infineon Technologies AG in Germany.

Some technical elements for biometric passports are in place. ICAO last year defined such basic frameworks as what biometric technology is to be incorporated in next-generation travel documents. It specified the inclusion of face images, plus mandatory biometric data of some sort (fingerprints and iris recognition are optional). Two months ago, ICAO issued more detailed technical specifications defining data structures, command sets and communication between a passport and a reader terminal, all necessary for biometrics data stored in E2PROM inside a contactless chip to be read by a reader.

Infineon's Houdeau said 95 percent of ICAO specs on the table today are "frozen." In parallel, the International Organization for Standardization is working on a certification program for the technology.

But industry and government agencies have barely begun tackling issues related to implementing the technology. No one knows how accurately the ICAO specs will be implemented on chips, readers and passports. The pretest to be held July 27-29 in West Virginia will be the maiden voyage for most of the crucial components. A field trial involving thousands of real people carrying electronic passports won't happen until next year.

The industry hasn't yet had a chance to optimize these products. Companies have yet to develop benchmarks to gauge the speed, performance and acceptance ratio of the biometrics technology.

Budesdruckerei, originally Germany's state-owned security printing house and now a supplier of security documents such as ID cards, passports and banknotes, reported that it is using Philips Semiconductors' contactless chip with 32 kbytes of memory in its prototype passports. But the 64-kbyte chips the company wants — for storing a facial image (20 kbytes) plus two index fingerprints (10 kbytes each) — are unavailable in volume. Infineon recently announced a contactless chip with 64 kbytes of storage space, plus a cryptographic engine said to comply with ICAO specs. Infineon is eager to submit the chip for testing in trials, but "We only have a couple of samples," said Hartmut Hemme, sales manager for Bundesdruckerei. Aside from chips is the issue of packaging. In general, the interoperability of passports "is feasible," thanks to the ICAO standards, said ST's Raeschmeier. "But my key concern is on the reliability of passports." Raeschmeier said he is worried about how well the packaging and antenna embedded in a passport can withstand the mechanical stress of being handled, stamped, read, reread and crushed over the standard 10-year life cycle.

"The challenge is how much thinner we can make the package while ensuring its stability," said Michael Ganzera, marketing manager, e-government and smart identity, at Philips Semiconductors. Philips will roll out in the third quarter a controller chip in a new package just 320 microns high, against the previous 390-m standard. The thinner package is designed to be integrated in a polycarbonate holder page. A feasibility study on the reliability of thinner packaging is ongoing.

Nor has a decision been made on the security of a communication link between a chip and a reader. ICAO gives a range of options, but it's up to each country to determine how tight to screw this down in its own passports. The choice of an operating system for a passport chip is also each country's individual choice.

An even bigger issue is the handling of biometric data. ICAO "says nothing about the backbone system," said Infineon's Houdeau. Developing rules and regulations on "what to do with the [biometrics] data" once it's collected and stored on a chip is up to each government. The EC is now debating access control — whether to allow unlimited access, or to specify restrictions — to the biometric data stored on a passport chip. One proposal is that the biometric data cannot be unlocked, or made available for reading, unless an optical-character number used in the passport is first read by an optical-machine reader. This extra layer of data protection would prevent biometric data from being "skimmed" without the knowledge of the passport holder, according to Bundesdruckerei's Hemme.

Beyond access control, some European countries are reportedly considering the use of a crypto coprocessor that permits the calculation of elliptical curves in passports, so that the raw biometric data inside the chip can be encrypted. The United States, in contrast, is opting for a much lower level of security for data communication, said Infineon's Houdeau.

"Europe is taking a measured approach," said Sadhbh McCarthy, managing director at the European Biometrics Forum. Based in Dublin, Ireland, and initially funded by the EC and the Irish government, the EBF is a network of experts and organizations charged with establishing a realistic vision of the future of the biometrics industry in Europe. "The data protection and privacy will be foremost in the minds of the member states and the European Commission," she said.

Almost every key player will be participating in the West Virginia tests. They will explore such basic issues as detecting whether chips are within reading range; the type of a contactless chip involved (whether using ISO/IEC 14443 Type A or Type B, which differ in the data transmission protocols used); and whether the chip uses basic access control; how many chips are in range.

The U.S. Government Printing Office last week issued the final request for proposals for electronic U.S. passports, with an Aug. 12 response deadline. The government plans to create "vehicles" for testing terminals and passports. Prototypes must be submitted by the end of the year.