The United States government is notorious for taking a “better late than never” approach to its tech rollouts. Following that tradition, US Customs and Border Protection (CBP) confirmed today that after 16 years it has finally performed the necessary software upgrades to verify the cryptographic signatures stored in passport RFID chips.
Since 2006, the United States and many other countries have embedded these little chips in the back panel of their passports, or “e-Passports” as they’re known. The chip digitally stores the personally identifying information of the document’s owner, including name, date of birth, passport number, and biometric data like your photo, along with a cryptographic signature meant to act as a check against tampering or forgeries. For years, the US has required that Visa Waiver countries issue e-Passports to their citizens who want to enter the US. Yet in all this time, CBP hadn’t actually deployed the software to execute these validity checks.
In early 2018, US senator Ron Wyden of Oregon and former senator Claire McCaskill of Missouri wrote a letter to CBP calling on the agency to implement the cryptographic verification, given that the RFID e-Passport infrastructure had been in place for years. Last week, five years after that request, CBP informed Wyden’s office that it has had the e-Passport verification system up and running since June 2022.
CBP says that so far the validation process has checked more than 3 million passports from Visa Waiver program travelers and has “contributed” to the arrest of 12 people who were allegedly attempting to enter the US with “fraudulent” identification.
“During primary processing, the e-Passport technology alerted on the documents, and the travelers were referred to secondary where CBP officers determined that the travelers were in possession of fraudulent travel documents,” the agency says in a statement.
“Upgrading passport security is a commonsense way to ensure people entering our country are who they say they are. It is already making America safer, without resorting to invasive searches or massive databases of private data,” Wyden says in a statement to WIRED. “I commend CBP for following through and ensuring forgers and criminals can’t use fraudulent passports to skate through security at the border.”
Though the verification has been running since June, CBP says that it still can’t verify e-Passports issued by Andorra, the tiny nation between Spain and France that has a population of fewer than 80,000 people. Other than that, though, CBP is running the validation checks for all Visa Waiver countries.
“This was a major investment by the US, so I’m glad to see that they’re using these capabilities and that they work the way they’re supposed to,” says Matthew Green, a cryptographer at Johns Hopkins University. “This system is really just a basic check to help catch people traveling with forged documents, which is something we have an interest in doing. And it is not nearly as intrusive as face recognition or other systems being rolled out at the border, so overall this seems like a good system to have active.”
A 2010 Government Accountability Office report laid out the case for swiftly implementing signature verification for e-Passports. The US Department of Homeland Security (DHS) “does not have the capability to fully verify the digital signatures because it … has not implemented the system functionality necessary to perform the verification,” GAO wrote at the time. “The additional security against forgery and counterfeiting that could be provided by the inclusion of computer chips on e-passports issued by the United States and foreign countries … is not fully realized.”
More than a decade and a half later, e-Passport digital signature verification is finally something DHS can check off its to-do list.