The Department of Homeland Security (DHS) has been slow to deploy devices at ports of entry that can read the digital information stored in electronic passports (e-Passports), information that would help a Customs official verify the identity of the document holder, the Government Accountability Office (GAO) said in a report issued this week.
More needs to be done so that the e-Passport readers can determine that the data stored on the electronic chip inside the passports have not been changed since they were originally authored, it added.
The State Department began issuing e-Passports to United States citizens in 2005 and the DHS US-VISIT program began deploying electronic readers the following year. However, 237 readers have been deployed to just 33 airports, which account for about 97 percent of travelers from Visa Waiver countries, although “the majority of lanes at these airports do not have e-passport readers,” GAO says in its report, Border Security: Better Usage of Electronic Passport Security Features Could Improve Fraud Detection (GAO-10-96).
Since 2006, DHS hasn’t deployed any more e-Passport readers although a total of 500 of the devices have been purchased. The unused ones are currently in storage. After the initial deployments, US-VISIT transferred the responsibility for deployment of the readers to Customs and Border Protection.
Citing CBP officials, GAO says the reasons that more readers have not been deployed are a failure to allocate funding to the effort and read times that are slower than expected.
Now CBP is planning to acquire new e-passport readers although it hasn’t been decided if these will replace the 500 currently deployed and stored readers, GAO says. It also says that the new procurement is planned so that full deployment of the readers will occur in FY ’11.
At a port of entry checkpoint, a CBP officer can use a reader to access the biographical information and digitized photograph stored on a computer chip embedded in the passport. However, GAO says that a “key step that is missing is that the CBP workstation does not validate the legitimacy of the public key used to verify the digital signature” that is part of the e-passport. “Without this verification, CBP does not have reasonable assurance that the e-passport data being protected by the digital signature were written by the State Department because forgers or counterfeiters could simply generate the keys necessary to digitally sign the forged data and include their own certificate in the e-passport for verification purposes. Checking the legitimacy of the certificate containing the public key that is used in the digital signature validation process would effectively mitigate this risk.”
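The difference between the two checks GAO describes can be shown with a small added example (not code from the GAO report or from any CBP or State Department system). It uses a toy RSA built from fixed primes, which is not secure, and every name, key and data string in it is a hypothetical, constructed value.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def make_cert(subject_n, issuer_key):
    """Certificate = subject public key plus the issuer's signature over it."""
    return {"n": subject_n, "issuer_sig": sign(issuer_key, str(subject_n).encode())}

def make_passport(data, signer_key, cert):
    """Chip contents: data, signature over the data, signer's certificate."""
    return {"data": data, "sig": sign(signer_key, data), "cert": cert}

def signature_only_check(passport):
    """The gap: the signature is checked with whatever key the chip supplies."""
    return verify(passport["cert"]["n"], passport["data"], passport["sig"])

def full_check(passport, trusted_issuer_n):
    """Also require the chip's certificate to be signed by the trusted issuer."""
    cert = passport["cert"]
    cert_ok = verify(trusted_issuer_n, str(cert["n"]).encode(), cert["issuer_sig"])
    return cert_ok and signature_only_check(passport)

# Constructed sample keys and documents (hypothetical values).
ISSUER = make_key(521, 607)   # trusted issuing authority, known to the reader
SIGNER = make_key(107, 127)   # legitimate signing key, certified by ISSUER
FORGER = make_key(61, 89)     # key pair generated by a counterfeiter
GENUINE = make_passport(b"name=A. Sample;photo=<bytes>", SIGNER,
                        make_cert(SIGNER["n"], ISSUER))
FORGED = make_passport(b"name=B. Sample;photo=<bytes>", FORGER,
                       make_cert(FORGER["n"], FORGER))  # self-issued certificate

if __name__ == "__main__":
    for label, doc in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, signature_only_check(doc), full_check(doc, ISSUER["n"]))
```

Both documents pass the signature-only check; only the certificate check against the issuer key the reader already trusts separates them.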