Back in September 2006, Bruce Schneier wrote about the The ID Chip You Don’t Want in Your Passport in the Washington Post:
If you have a passport, now is the time to renew it — even if it’s not set to expire anytime soon. If you don’t have a passport and think you might need one, now is the time to get it. In many countries, including the United States, passports will soon be equipped with RFID chips. And you don’t want one of these chips in your passport…
RFID chips don’t have to be plugged in to a reader to operate…
The risk to you is the possibility of surreptitious access: …
Your passport information might be read without your knowledge or consent by a government trying to track your movements, a criminal trying to steal your identity or someone just curious about your citizenship.
At first the State Department belittled those risks, but in response to criticism from experts it has implemented some security features. Passports will come with a shielded cover, making it much harder to read the chip when the passport is closed. And there are now access-control and encryption mechanisms, making it much harder for an unauthorized reader to collect, understand and alter the data.
Well it appears the Bush administration decided to outsource the manufacture of your RFID passport to a company in Thailand that has, in the past, been vulnerable to Chinese espionage. So the bad idea of having RFID chips in our American passports just got worse.
According to a response to a question by the U.S. State Department:
Q: Describe the State Department’s role, if any, in the decision by the Government Printing Office to use a factory in Thailand for assembling the components of U.S. passport. Can the Department reject a manufacturer selected by the GPO?
A: GPO and Department of State employees jointly evaluated proposals from several companies to supply the unprinted passport cover (which contains the chip and antenna and the only part of the passport not produced or assembled by GPO). The GPO/State evaluation committee recommended the two companies selected as there were no American manufacturers who could provide the needed product. GPO signed the contracts with these companies on behalf of the U.S. Government.
Q: When the Department began its e-passport program, were there any American companies that produced the electronic chips needed for those passports?
A: We are not aware of any U.S. companies that made the chips that could satisfy the requirements of the e-Passport Request for Proposal at the time we launched our e-Passport program and we received no acceptable proposals from them.
The Bush administration proceeding with the RFID chipped passport plan fully knowing that no U.S.-based company could manufacture the chips they required. The Bush administration deliberately compromised the security of American citizens abroad by out-sourcing the production of the already dubious “secure” RFID chipped passports.
But, it gets worse. According to Bill Gertz of the Moonie Times, er Washington Times, which seems to have broken the story, the outsourced passports are netting government profits by risking national security.
And just like the Bush administration belittled concerns about the RFID chipped passports when they were announced, once again the administration is again is belittling criticism that the passports are being manufactured overseas.
Officials at GPO, the Homeland Security Department and the State Department played down such concerns, saying they are confident that regular audits and other protections already in place will keep terrorists and foreign spies from stealing or copying the sensitive components to make fake passports.
In the past years we’ve seen how little oversight the Bush administration actually provides over their contractors from pallets of cash going missing en route to Iraq, to slave labor being used to build the Baghdad embassy, to Blackwater mercenaries shoot-to-kill tactics in Iraq. So, when officials in the Bush administration says “trust us”, that’s the last thing I would do. Especially when they offer no supporting evidence there are even any protections in place or practices being audited. The GPO’s own inspector general does not even believe the Bush administration’s assurances either.
But GPO Inspector General J. Anthony Ogden, the agency’s internal watchdog, doesn’t share that confidence. He warned in an internal Oct. 12 report that there are “significant deficiencies with the manufacturing of blank passports, security of components, and the internal controls for the process.”
The inspector general’s report said GPO claimed it could not improve its security because of “monetary constraints.”
But then the cash-strapped GPO is actually profiting from the overseas outsourcing of the passport manufacture. Security is being compromised for the sake of profits.
Of course, Democratic members of the House, such as Rep. John D. Dingell (D-MI) and Rep. Bart Stupak (D-MI), are concerned about both the outsourcing and the profits being accrued by the GPO, but the Congressional hearings and investigation may not come soon enough.
Rep. Bennie Thompson, Mississippi Democrat and chairman of the House Homeland Security Committee, criticized the GPO for using foreign components in new electronic passports.
“It is just plain irresponsible to jeopardize the gold standard in document security by outsourcing production when U.S. companies ought to be able to do the same work here,” said Mr. Thompson, who announced that his panel is investigating the outsourcing…
“Questions alone about the production and chain of custody of blank U.S. passports can send shock waves through our homeland security infrastructure,” he said.
For the GPO, the profits from ignoring security were large and the incentives from compromise were grand. According to the Washington Times story:
The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them…
The profits have raised questions both inside the agency and in Congress because the law that created GPO as the federal government’s official printer explicitly requires the agency to break even by charging only enough to recover its costs.
So, under the Bush administration the GPO is possibly breaking federal law by making $100 million in profits on the outsourcing of passport manufacture all the while not having adequate security for the already security-vulnerable RFID chipped passports. According to another Washington Times story, the GPO profits go to bonuses and trips. Big bonuses worth a total of $181,593 were given to twenty-five GPO officials in amounts ranging between $2,000 and $12,920, “Public Printer Robert C. Tapella paid close to $10,000 for photographs of himself for his office”, and expensive trips to Paris, London, Tokyo, and Las Vegas were taken.
Officials at the GPO and your new RFID chipped passport may be more well traveled than you are. According to the Washington Times story:
After the computer chips are inserted into the back cover of the passports in Europe, the blank covers are shipped to a factory in Ayutthaya, Thailand, north of Bangkok, to be fitted with a wire Radio Frequency Identification, or RFID, antenna. The blank passports eventually are transported to Washington for final binding, according to the documents and interviews.
Your passport has traveled from the Netherlands to Thailand to the United States before you even leave the country. This is what the U.S. State Department advises about Thailand to Americans traveling to that country.
The State Department is concerned that there is an increased risk of terrorism in Southeast Asia, including in Thailand… They should remain vigilant with regard to their personal security and avoid crowds and demonstrations…
In September 2006 a military group calling itself the Council for National Security (CNS) seized control of the Thai government and declared martial law… The Department of State advises all American citizens residing in or traveling to Bangkok to continue to monitor events closely…
The far south of Thailand has been experiencing almost daily incidents of criminally and politically motivated violence, including incidents attributed to armed local separatist/extremist groups…
That’s just a brief excerpt from the thirteen paragraphs cautioning Americans about their security in Thailand. Just earlier this month, the international arms dealer, Viktor Bout, the Russian “Merchant of Death” was captured in Thailand. Plus as recently as 2002, Thailand has been questioned as a safe haven for al Qaeda and today the Thai government is battling a “deadly insurgency in its predominantly-Muslim southern provinces.” Thailand is hardly a stable and secure place to manufacture U.S. passports and the manufacturing company agrees:
The Netherlands-based company that assembles the U.S. e-passport covers in Thailand, Smartrac Technology Ltd., warned in its latest annual report that, in a worst-case scenario, social unrest in Thailand could lead to a halt in production.
Smartrac divulged in an October 2007 court filing in The Hague that China had stolen its patented technology for e-passport chips, raising additional questions about the security of America’s e-passports.
Taken altogether, this is an incredible debacle once again perpetrated by short-sighted, unimaginative officials in the Bush administration. I wonder if it is simply just greed and corruption or worse, complete stupidity? I think RFID chipped passports need to be abandoned and the potentially compromised passports that have already been issued to American citizens need to be replaced with traditional, chip-free passports.
Democrats in Congress are planning to investigate the passport debacle, but such investigations and hearings take time, especially when butting up against an uncooperative and secretive administration. Action needs to be taken now, not in ten months when a new administration is in power.