Friday, 26 September 2014

The Amazing Race 25, Episode 1

New York, NY (USA) - St. Thomas, U.S. Virgin Islands (USA)


["Hey mister customs man, there's a flea in my passport!"]

I got a new personal radio tracking beacon this month. I'll be carrying it with me, wherever I go, whenever I leave the USA for the next ten years.

Almost ten years ago, the USA began issuing passports that contain radio-frequency identification (RFID) chips, each of which broadcasts a globally unique personal identification number that anyone, not just government agencies, can receive and use to track the passport. (I like the connotations of the French word for an RFID or similar electronic micro-chip, "puce", which translates literally as, "flea".)

You can tell if your passport has an RFID chip by whether it has the international standard e-passport logo on the cover.

The more I learned about the technical capabilities of the "e-passport" system, the more I came to see it as a threat to personal safety, security, and privacy. E-passports are intended to be used by governments, and can also be used by businesses or criminals, for surveillance, tracking, and the construction of ID-linked movement and event logs. E-passports make it possible to build bombs triggered by the proximity of passports of a specified nationality or nationalities -- or of a specific target person or persons. (Targets of domestic violence, have I gotten your attention?) And "skimming" or interception of communications with "legitimate" e-passport readers -- by the person behind you in line at the check-in counter or kiosk at the airport, for example -- facilitates touchless digitally-perfect remote passport cloning by identity thieves.

Like many of my readers and other savvy travellers, I tried to delay getting a chipped passport as long as possible: I renewed my passport in early 2005, the last year before the State Department began issuing RFID-chipped passports to ordinary citizens.

It turned out to be more difficult than the State Department had expected to embed an RFID transceiver chip and attached antenna into the cover of a passport and get them to work reliably enough for the ten-year validity period of a standard passport.

To protect the RFID chip and antenna, the State Department eventually decided to embed them in a thicker passport-book cover, and print the photo and other personal information on a separate inside page of the passport book. This violates the ICAO standards that the State Department had falsely claimed "required" adding RFID chips to passports in the first place. ICAO standards don't require RFID chips in passports at all, but do specify that, if a passport has an RFID chip, the chip should be embedded in the same sheet that has the personal information printed on it, to reduce the risk of separation and tampering.

The transition to RFID-chipped passports went more slowly than had originally been planned. Some unchipped 10-year USA passports were issued as late as 2007. But so far as I can tell, no unchipped standard 10-year USA passports have been issued since then.

To cover the additional cost of adding RFID chips to passports, the State Department dramatically increased the fees for passport issuance and other passport-related services.

And far more USA citizens need passports than a decade ago, as a result of other changes to State Department and DHS regulations and practices that now require passports for all crossings of USA borders, even for land travel by USA citizens to and from Mexico and Canada.

Over the next couple of years, the last of the unchipped USA passports will be expiring. People like me who've put it off as long as possible will be forced to decide whether we are willing to carry government-issued radio tracking devices whenever and wherever we travel outside the USA.

In practice, frequent international travellers like me will have to decide six months or more before our passports expire, over the next year or so. Many countries won't admit visitors unless their passports are valid for at least six months after their intended departure from the country. This rule is intended to reduce the risk to the destination country that your passport will expire while you are in their country, you won't be able to obtain a new passport, and they will be unable to deport you because you have become stateless, and as a result they will be forced to allow you to stay, perhaps indefinitely, as an unwanted and undocumented immigrant.

Airlines sometimes won't allow you to board an international flight if your passport expires in less than six months, regardless of the actual requirements of the country to which you are travelling.

A passport that is about to expire is thus of limited usefulness, and renewing a USA passport by mail takes an unpredictable amount of time from a couple of weeks to several months. As a rule of thumb, therefore, you should start thinking about renewing your passport as soon as it has less than a year of validity remaining.

Sending your passport in for renewal by mail is risky if you might need to travel abroad in less than about six months. You might get your passport back in days if you pay for both expedited processing and round-trip Express Mail shipping. But even if you pay for expedited service, it might take weeks or months.

If you can, the best way to get or renew a USA passport is to go to one of the State Department's dedicated passport issuance offices. There used to be only a handful of these, but in response to the need generated by the passport requirement for crossing the Mexican and Canadian borders, many more have opened. You have to pay the "expedited processing" fee to apply for a passport at one of these offices, but you save the cost of round-trip Express Mail, and you find out immediately if your application is approved or if you are going to be asked to fill out the long form in addition to the standard short application form. If you apply in person, and have evidence of imminent departure, you can pick up your new passport at the same office later the same day if necessary.

You need to make an appointment by phone in advance, but you can usually get an appointment at most of the passport offices within a few days. With an appointment, you can expect to be in and out in less than an hour, unless there's a problem with your application. You'll be given a receipt and a time to pick up your new passport, most often a day or two later unless you are leaving sooner. You have to apply in person, and if you are applying for passports for several family members, they all need to show up for the initial appointment. But you can sign the receipt to authorize someone else to pick up your new passport for you.

I was headed to Cancún, Mexico, for the TBEX travel bloggers' conference earlier this month, and my old passport had slightly less than six months of validity remaining. I called the passport office appointment phone line on Wednesday evening, got an appointment at the San Francisco passport office for Thursday morning, and picked up my new, RFID-chipped passport at noon Friday. It could have been quicker than that if necessary.

If you can't get an appointment at a passport office before your planned departure, don't despair. Go to a passport office anyway, as early as possible, with a copy of your airline ticket or e-ticket confirmation. Be prepared to spend all day waiting if you don't have an appointment. In practice, applicants without appointments but with evidence of imminent departure are usually accommodated as space permits, although you wouldn't know that from anything the State Department says publicly. It's possible to get a same-day passport even without an appointment.

Do yourself a favor and check the box at the top of the application form to request a new passport with extra visa pages, which currently means 52 pages for visas and entry and exit stamps rather than the standard 28. One trip around the world can fill up a standard passport book. As a rule of thumb, you'll need a full page for each visa, plus half a page per country for quarter-page entry and exit stamps. There's no extra charge for the extra-thick passport book, if you request it when you apply.

It used to be possible to have blank pages added to a USA passport for free. But it's harder to add pages to an RFID-chipped passport (the number of pages is coded into the chip, to make it harder to tamper with the passport), and having pages added to your passport now costs almost as much and takes just as much time and hassle as getting your passport renewed. "We see too many people who come in to get extra pages in their passports," the passport examiner who processed my renewal said. "They should have asked for the bigger book when they first applied."

The sooner you are leaving, the more quickly your new passport will be produced. You have to show tickets or an itinerary as evidence of imminent intended international travel. It's not clear what you are expected to show as evidence of imminent travel if you plan to drive, walk, or bicycle from the USA to Canada or Mexico, and don't have tickets or an itinerary to show.

It's a crime to lie to any Federal employee, and a felony to lie on a passport application. But it's not a crime to change or cancel your international travel plans. The USA Department of Transportation requires airlines to allow you to cancel a ticket purchase and receive a full refund if you do so within 24 hours. Amtrak does the same, and fully refundable Amtrak tickets between e.g. Seattle and Vancouver, for a side trip to Canada during a visit to Seattle, are quite inexpensive. So it's possible to buy a ticket today to leave the country tomorrow, show the passport office a bona fide purchase receipt and valid e-ticket confirmation, and cancel your purchase for a full refund as soon as you leave the passport office -- as long as you don't make any false statements on your application or to the passport office staff.

Despite misleading threats about the REAL-ID Act by the US Department of Homeland Security, US citizens don't need a passport for domestic air travel within the USA, and that isn't about to change.

Most USA passport applicants still pay to have "professional" passport photos taken. At a typical price of US$10-15 for two passport photos, this is an unnecessary and excessive expense. You can take perfectly adequate photos with your digital camera or smartphone, and have them printed for pennies at a local drugstore or other photo processor. The State Department doesn't know or care if they were taken digitally, or by whom, as long as they are properly focused, framed, and cropped. The only difficulty is getting the portrait properly scaled, framed, and cropped.

I had my friend take some face-on digital photos of me against a plain white wall, picked one I liked, and used the free online tool from Epassportphoto.com to scale, frame, and crop the image to satisfy passport requirements.

Epassportphoto.com generates a 4" × 6" image with 4 passport photos, and the other third of the sheet taken up with an ad for their service. There's no need to waste photo paper on their ads or use their overpriced printing service, though. I used the free irfanview image editor to cut and paste 2 of the passport images over the ad, giving me a 4" × 6" image with 6 passport photos. Then I sent them to Walgreens like any other digital photos, and picked them up at a local Walgreens store an hour later. Each sheet cost me 30 cents, or 5 cents per passport photo. You only need one photo for a USA passport application, but I always get extra prints for future visa applications -- especially when it's so cheap to do so.

If you want a backup ID card the size of a credit card or drivers' license, you can request a "passport card", in addition to the familiar passport booklet, for an additional $30. A passport card is not valid for international travel by air, but can be used for domestic flights in the USA, for crossing the USA-Canada and USA-Mexico borders by land, and for many other purposes.

The drawback to a passport card is that it has a long-range RFID chip that broadcasts a unique ID number and that is designed to allow remote drive-by radio identification and tracking of passengers in cars and other vehicles. If you get a passport card, keep it in a foil sleeve or envelope.

The advantages to a passport card are that it can be used for almost all purposes other than crossing borders and, of course, driving, and that it is the best possible starting point for getting your passport, drivers license, credit cards, or other ID replaced if any of them are lost or stolen. Some people carry their passport card separately from their passport. Others leave their passport card with a trusted friend who can send it if needed in an emergency.

The teams on The Amazing Race 25 didn't even need their U.S. passports for this first leg of the race. They went only as far as the U.S. Virgin Islands, a U.S. colony under the authority of the Office of Insular Areas of the Department of the Interior. Yes, these are discontiguous external island colonies, but in its Orwellian imperial majesty the USA calls its non-self-governing territories "insular" and "interior". Anyway, it's the first time a season of The Amazing Race other than the Family Edition hasn't left the territories of the USA in its first episode, or that the racers haven't yet needed their passports.

The tourism industry in the USVI makes a virtue of necessity with respect to the islands' status as a U.S. colony. The fact about the USVI most prominently advertised to potential visitors is that no passport is required for U.S. citizens.

Tourism to the USVI has benefited from U.S. rules that now require U.S. citizens to have a passport for all international travel, even within the Americas where most Caribbean countries want U.S. tourists and their money enough to let them in without passports. The requirement for U.S. citizens to have passports to visit any Caribbean islands except the U.S. colonies of Puerto Rico and the USVI comes from the U.S. government, not other countries. And it leaves the USVI tourism industry little choice but to look to the U.S. as a source of visitors from outside the islands: Because the USVI is a U.S. colony, non-U.S. citizens need permission from the USA (visas or the electronic equivalent) to visit the USVI. That makes it much harder and more expensive for Europeans or Latin Americans to get permission to visit the USVI or Puerto Rico than any other Caribbean Islands. I've heard "never again" stories from Europeans about the hassles and humiliating fingerprinting and mug shots they had to go through, as ordinary tourists, to take their Caribbean vacation on a U.S.-governed island. Instead, most tourists to the Caribbean other than from the USA go to Cancún, Cuba, or other islands.

Link | Posted by Edward on Friday, 26 September 2014, 23:59 (11:59 PM) | TrackBack (0)
Comments

Would it be correct to assume I could limit the RFID passport's transceiver by carrying it in a metal casing?

Posted by: anonymous, 29 September 2014, 07:32 ( 7:32 AM)

Yes, you can reduce your risk by keeping your passport, as much of the time as possible, in a metal enclosure such as wrapped in metal foil. REI, Eagle Creek, and other stores sell RFID-blocking passport cases, money belts, wallets, etc. with an inner metal layer.

But this does nothing to reduce the risk of interception of communications between the chip in your passport and "legitimate" readers.

Posted by: Edward Hasbrouck, 29 September 2014, 07:35 ( 7:35 AM)

On our way back from Europe this summer we rendezvoused with friends from Sweden in Frankfurt, and they accompanied us back to Canada for a holiday.

My friend realized that his Swedish passport had expired 3 days before their travel, and then he further realized that his national identity card, required to obtain a passport, had also expired. Needless to say that he was mired in bureaucracy for several days, the end result being a hot-pink "one time use only" passport that, I believe, was RFID-less.

It received extra scrutiny at passport control in Canada, but he was admitted without issue, so it worked ;-)

Posted by: Peter Rukavina, 29 September 2014, 07:54 ( 7:54 AM)

The USA also issues temporary passports with shorter validity in some cases, as well as special travel documents valid only for one-time use for return to the USA. Some of these may be unchipped.

Posted by: Edward Hasbrouck, 29 September 2014, 07:57 ( 7:57 AM)

What are the likely practical effects of failure of this fragile microprocessor that is protected only by paper and is subjected to a decade of being crammed into backpacks and back pockets, rained on, perspired on, laundered, and subjected to various electromagnetic and other forces?

I, too, acquired a United States passport in 2005, hoping then that over the next 10 years we would solve the potential privacy problems related to the RFID chip in newer versions.

Posted by: Phil Mocek, 30 September 2014, 11:26 (11:26 AM)

See my discussion of, "Will you be allowed to disable the tracking chip in your passport?"

https://hasbrouck.org/blog/archives/000558.html

RFID chips can and do fail, and it's even more common for the wire filament embedded in the passport cover between the chip and the antenna to break.

Passport inspectors, US or foreign, aren't surprised by a passport with the e-passport logo on the cover, and no functioning RFID transponder. But they might subject the holder of such a passport to additional scrutiny.

US officials can seize such a passport on the spot as void. Usually, if they don't have any other animus against you, they will merely give you a lecture about the need to get it replaced (renewed) before you use it again.

Posted by: Edward Hasbrouck, 30 September 2014, 12:17 (12:17 PM)

I see a little too much alarm about RFID chips.

If you are carrying your wallet in an RF sealed wallet the only time the chip can be read is when you open it. And the range you can read an RFID chip is very limited without extra equipment that is not easy to hide.

At the airport and border crossings I open my wallet when I get to the custom officer, there is no-one else near me. Maybe it is different in Europe.

And if the Customs Officer is the person stealing the info then you never had a chance no matter how the passport is protected.

Posted by: Earl Colby Pottinger, 10 October 2014, 17:18 ( 5:18 PM)

ePassports are protected somewhat by Basic Access Control (BAC), you need the data from the machine readable zone on the bio page of the passport for the data on the chip to be accessible.

This can be hacked by computer algorithms if the passport number is 'predictable', but it is certainly not open slather for skimmers though.

Usually an aluminium foil cover is sufficient to stop any contact with the chip.

Of course take it out of the cover at border crossings - in my country if it is a known epassport and they can't read the chip, you will be delayed a bit while the reason why is investigated.

Posted by: Nathan, 22 October 2014, 23:57 (11:57 PM)

This link provides some info about BAC

http://en.wikipedia.org/wiki/Biometric_passport

Posted by: Nathan, 22 October 2014, 23:59 (11:59 PM)

@Nathan - "Basic Access Control" encrypts most of the data stored on the RFID chip (but *not* the globally unique chip ID number), using the data printed on the picture and data page of the passport as the encryption key.

That protects against remote radio "skimming" of the entire contents of the passport by an attacker who has never had access to the printed data page.

BUT it does nothing to protect against:

(1) Remote reading by anyone, anywhere of the unique ID number. (You are correct that keeping the passport completely enclosed in a metal foil or fine mesh cover can protect against this, but only if the enclosure is complete.)

(2) Remote reading by anyone nearby of the unique ID number whenever the passport is opened for display or reading at a border crossing, airport check-in counter, duty-free store, etc.

(3) Interception by anyone nearby of the entire contents of the communication between the chip and any "legitimate" reader.

(4) Retention, compilation, sale, and use of data obtained from authorized or unauthorized reading of RFID passports, including the chip ID number, decryption key, and complete data set obtained in the course of a transaction (e.g. at a duty-free shop) in which the passport is displayed. No law in the USA restricts or regulates such retention or use, or requires that it be disclosed to data subjects.

Posted by: Edward Hasbrouck, 23 October 2014, 06:57 ( 6:57 AM)
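
An added example, not part of the original post or comments and not code from any passport issuer: how a BAC access-key seed is formed from the printed machine-readable-zone fields under ICAO Doc 9303, and how the number of possible keys shrinks when those fields are predictable, as the comments above discuss. Function names are hypothetical, the sample fields are the specimen values from the ICAO worked example, and the candidate counts are constructed for illustration.

```python
import hashlib
import math

# ICAO 9303 check digits use the repeating weights 7, 3, 1.
_WEIGHTS = (7, 3, 1)


def _char_value(ch: str) -> int:
    """Numeric value of an MRZ character: 0-9, A=10 .. Z=35, filler '<' = 0."""
    if ch in "0123456789":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not valid in an MRZ field")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit for one MRZ field."""
    return sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three printed fields BAC uses, each with its check digit.

    doc_number is padded with '<' to 9 characters; dates are YYMMDD.
    """
    doc_number = doc_number.upper().ljust(9, "<")
    if len(doc_number) != 9:
        raise ValueError("this example handles document numbers of up to 9 characters")
    for date in (birth, expiry):
        if len(date) != 6 or not all(c in "0123456789" for c in date):
            raise ValueError("dates must be six digits, YYMMDD")
    return "".join(f + str(check_digit(f)) for f in (doc_number, birth, expiry))


def bac_key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """K_seed: the first 16 bytes of SHA-1 over the MRZ information string."""
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def key_space_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """log2 of the number of distinct seeds, given how many values each
    printed field can plausibly take. The seed is 128 bits long, but it
    carries no more uncertainty than the three fields it is hashed from."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)


# Constructed scenarios (assumptions, not measurements of any real issuer).
# Upper bound: random 9-character alphanumeric number, any birth date in a
# century, any expiry date in a ten-year validity window.
RANDOM_NUMBER_BITS = key_space_bits(36 ** 9, 36525, 3653)
# Predictable numbering: sequential numbers that leave about a million
# plausible values, and a holder whose birth date is known to within ten years.
SEQUENTIAL_NUMBER_BITS = key_space_bits(10 ** 6, 3653, 3653)

if __name__ == "__main__":
    # Specimen fields from the ICAO Doc 9303 worked example.
    print(mrz_information("L898902C", "690806", "940623"))
    print(bac_key_seed("L898902C", "690806", "940623").hex().upper())
    print(f"random document numbers:     ~{RANDOM_NUMBER_BITS:.1f} bits")
    print(f"sequential document numbers: ~{SEQUENTIAL_NUMBER_BITS:.1f} bits")
```

The gap between the two figures is why an issuer's choice of random rather than sequential document numbers matters to the strength of BAC.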

Fair enough, so obtaining the chip number would allow that particular chip to be tracked without knowing the data contents of the chip?

Given that most reading of the chip (in my country anyway- Australia) is at passport control or Visa issuing officers and the power output of the chip, to intercept the comms between a chip and reader one has to be very close to the transaction, which would be noticeable nearly all of the time. I had some involvement in the introduction of chip reading passport scanners, and tests of this nature were done to check the probabilities of this. Many a lively discussion was had.

In Australia, the Privacy Act restricts the retention and use of the data by Govt and (I think) industry.

Posted by: Nathan, 23 October 2014, 12:44 (12:44 PM)

@Nathan -- I don't know what basis you have for the claim that, "Most reading of the chip (in my country anyway- Australia) is at passport control or Visa issuing officers." There is no indication to the passport holder that the chip is being or has been read, and I know of no effort to survey how often, or at what locations, passports are opened for visual inspection and their RFID chips exposed to reading or actually read. Most of the times I have to show my passport are at airline check-in counters or kiosks (often in crowded circumstances where I am surrounded by people with luggage large enough to conceal RFID readers), banks, hotel reception desks, etc. -- not border control points.

I have seen a chip of the same type as is used in passports read from a distance of a meter with a reader that could easily fit in a daypack or carry-on sized rollaboard suitcase:

https://hasbrouck.org/blog/archives/000558.html

I am not familiar with the scope of applicability of Australia's Privacy Act to private companies or individuals, but there is no law whatsoever in the USA that places any restrictions on the surreptitious nonconsensual reading of RFID chips by private entities, or the retention, use, sharing, or sale of the data so obtained.

This could include the sale to, or resale by, data aggregators of data captured from visual scanning and RFID-chip reading of passports at e.g. a duty-free store. There's nothing in current law in the USA to prevent Acxiom or Choicepoint from adding passport chip ID numbers to their databases about individuals.

Purchasers of such data (such as other stores wanting to profile customers), or attackers obtaining it, could use it to map chip ID numbers to identities and other information without needing to see the visual data printed in the passport.

Posted by: Edward Hasbrouck, 23 October 2014, 13:20 ( 1:20 PM)

Hi Edward,

All epassports have the chip read crossing the border (in and out) at an airport here. While there are no signs up saying the chip will be read, it's not classified information and when asked an officer will say words to that effect, it may even feature in some annual reports. (some links below) I was part of the team that implemented the readers currently in use. I believe similar readers are used at Visa issuing posts both Immigration department. I don't suggest that the 'system' is foolproof, but I don't agree that it is as 'open' as what you suggest, I don't know though.

I don't see the value in airlines and duty free shops etc in scanning in the method you outline, as they either swipe the MRZ on the data page or photocopy (probably the worst of all) the bio page, so why bother with fancy electronic scanner?

Businesses with a turnover of more than $3 million have to abide by our federal Privacy Act, but I'm not familiar enough to say what can and can't be disclosed, but bio data would be covered.

Would a similar issue occur with chipped credit cards? People (including me) treat them with much less caution than a passport.

Having had discussions with USCBP etc, the border agencies are (and hopefully will continue) to be a bit more open in the area of use of chip data etc from epassport.

I find this quite fascinating and interesting and could go on, but my wife wants the computer.

https://www.passports.gov.au/images/epassport.pdf

http://www.customs.gov.au/aboutus/annualreports/2012/part02/1_1_program_1.1_passenger_facilitation.html

Posted by: Nathan, 24 October 2014, 01:41 ( 1:41 AM)