[Federal Register Volume 70, Number 205 (Tuesday, October 25, 2005)]
[Rules and Regulations]
[Pages 61553-61555]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-21284]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

22 CFR Part 51

[Public Notice 5208]
RIN 1400-AB93


Electronic Passport

AGENCY: Department of State.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule amends the passport regulations to incorporate 
changes related to introduction of the electronic passport. The rule 
defines ``electronic passport,'' includes a damaged electronic chip as 
an additional basis for possible invalidation of a passport and 
provides for no fee issuance of a replacement passport if an electronic 
chip fails.

DATES: This rule is effective October 25, 2005.

FOR FURTHER INFORMATION CONTACT: Sharon Palmer-Royston, Office of 
Passport Policy, Planning and Advisory Services, Bureau of Consular 
Affairs on 202-663-2662.

SUPPLEMENTARY INFORMATION: This rule was originally published in the 
Federal Register on February 18, 2005 (70 FR 8305) as a proposed rule 
that included changes to the passport regulations needed due to the 
pending introduction of the electronic passport, as well as changes 
related to passport amendments, replacement passports, and unpaid fees 
that did not relate exclusively to electronic passports. Because of the 
volume of comments, we separated the proposed rule into two final 
rules. The first rule, RIN 1400-AC11, incorporated the provisions of 
the proposed rule on passport amendments, replacement passports, and 
unpaid fees. We received only two comments on those provisions. The 
second, and instant, rule focuses on electronic passports.

Analysis of Comments

    We received a total of 2,335 comments on the introduction of the 
electronic passport. All comments have been read, sorted, and tabulated 
according to primary concerns. Comments opposing the proposed rule 
primarily focus on security and/or privacy, the adequacy of Radio 
Frequency Identification (RFID), technology, and religious concerns. 
Specifically, concerns focused as follows: 2019 comments listed 
security and/or privacy; 171 listed general objections to use of the 
data chip and/or the use of RFID; 85 listed general objections to use 
of the electronic passport; 52 listed general technology concerns; and 
8 listed religious concerns. Overall, approximately 1% of the comments 
were positive, 98.5% were negative, and .5% were neither negative nor 
positive.
    The comments are available for review at http://www.travel.state.gov/, under the passport section, or at the Department 
of State (Department) reading room.

Security and Privacy

    Passports must be globally interoperable--that is, they must 
function the same way at every nation's border when they are presented. 
To that end, the International Civil Aviation Organization (ICAO) has 
developed international specifications for electronic passports that 
will ensure their security and global interoperability. These 
specifications prescribe use of contactless smartcard chips and the 
format for data carried on the chips. They also specify the use of a 
form of Public Key Infrastructure (PKI) that will permit digital 
signatures to protect the data from tampering. The United States (U.S.) 
will follow these international specifications to ensure its electronic 
passport is globally interoperable.
    The Department intends to begin the electronic passport program in 
December 2005. The first stage will be a pilot program in which the 
electronic passports will be issued to U.S. Government employees who 
use Official or Diplomatic passports for government travel. This pilot 
program will permit a limited number of passports to be issued and 
field tested prior to the first issuance to the American traveling 
public, slated for early 2006. By October 2006, all U.S. passports, 
with the exception of a small number of emergency passports issued by 
U.S. embassies or consulates, will be electronic passports.
    The ICAO specification for use of contactless chip technology 
requires a minimum capacity of 32 kilobytes (KB). The U.S. has decided 
to use a 64KB chip to permit adequate storage room in case additional 
data, or biometric indicators such as fingerprints or iris scans, are 
included in the future. Before modifying the definition of ``electronic 
passport'' to add a new or additional biometric identifier other than a 
digitized photograph, we will seek public comment through a new rule 
making process.
    The contactless smart chip that is being used in the electronic 
passport is a ``passive chip'' that derives its power from the reader 
that communicates with it. It cannot broadcast personal information 
because it does not have its own source of power. Readers that are on 
the open market, designed to read Type A or Type B contactless chips 
complying with International Standards Organization (ISO) 14443 and ISO 
7816 specifications, will be able to communicate with the chip. This is 
necessary to permit nations to procure readers from a variety of 
vendors, facilitate global interoperability and ensure that the 
electronic passports are readable at all ports of entry.
    The proximity chip technology utilized in the electronic passport 
is designed to be read with chip readers at ports of entry only when 
the document is placed within inches of such readers. It uses RFID 
technology. The ISO 14443 RFID specification permits chips to be read 
when the electronic passport is placed within approximately ten 
centimeters of the reader. The reader provides the power to the chip 
and then an electronic communication between the chip and reader occurs 
via a transmission of radio waves. The technology is not the same as 
the vicinity chip RFID technology used for inventory tracking of items 
from distances at retail stores and warehouses. It will not permit 
``tracking'' of individuals. It will only permit governmental 
authorities to know that an individual has arrived at a port of entry--
which governmental authorities already know from presentation of non-
electronic passports--with greater assurance that the person who 
presents the passport is the legitimate holder of the passport.
    The personal information that will be contained in the chip is the 
information on the data page of the passport--the name, nationality, 
sex, date of birth, place of birth, and digitized photograph of the 
passport holder. The chip will also contain information about the

[[Page 61554]]

passport itself--the passport number, issue date, expiration date, and 
type of passport. Finally, the chip will contain coding to prevent any 
digital data from being altered or removed as well as the chip's unique 
ID number. This coding will be in the form of a high strength digital 
signature. The contents of the data page of the traditional passport 
have been established by international usage and by ICAO. The chip will 
not contain home addresses, social security numbers, or other 
information that might facilitate identity theft.
    In terms of the comments received in response to our proposed rule, 
a small minority of comments welcomed the rule because of the 
enhancements to passport security the electronic passport will provide, 
including better authentication of the document, proof of its link to 
the bearer and protection against data alteration than is provided by 
the current, traditional non-electronic passports. The vast majority of 
comments, however, opposed the introduction of the electronic passport 
on security and privacy grounds, specifically concerns that skimming or 
eavesdropping would permit surreptitious reading of the data contained 
in the passport chip. Skimming is the act of creating an unauthorized 
connection with a readable chip in order to gain access to the data 
contained therein. Eavesdropping is the interception of the electronic 
communication session between a passport chip and an authorized reader.
    Comments reflected a concern that the data in the electronic chip 
could easily be read by portable devices available on the open market. 
Many of these comments expressed a belief that the information could be 
read at distances in excess of ten feet. The majority of the comments 
were concerned that terrorists could identify and target them as U.S. 
citizens. Identity theft was of grave concern, focusing on the 
potential for criminal activity resulting directly from identity theft. 
Some comments expressed fears that criminals could acquire and use the 
personal information included in the passport to target them for theft, 
con artist schemes and/or kidnapping. Still others expressed fears that 
the U.S. Government or other governments would use the chip to track 
and censor, intimidate or otherwise control or harm them. Some comments 
called for the inclusion of a fail-safe anti-skimming device.
    The Department is sensitive to the security and privacy concerns 
raised by the comments. To address these concerns, the Department and 
the Government Printing Office (GPO) have worked with the National 
Institute of Standards and Technology (NIST) to evaluate the passport's 
vulnerability to skimming and to test physical devices that can be put 
in a passport to reduce its likelihood.
    Based on that testing, the Department, in cooperation with the GPO, 
will include an anti-skimming material in the front cover and spine of 
the electronic passport that will mitigate the threat of skimming from 
distances beyond the ten centimeters prescribed by the ISO 14443 
technology, as long as the passport book is closed or nearly closed.
    The Department will also implement Basic Access Control (BAC) to 
mitigate further any potential threat of skimming or eavesdropping. BAC 
recently has been adopted as a best practice by the ICAO New 
Technologies Working Group and will soon be formally added to the ICAO 
specifications. BAC utilizes a form of Personal Identification Number 
(PIN) that must be physically read in order to unlock the data on the 
chip. In this case, the PIN will be derived from the printed characters 
from the second line of data on the Machine-Readable Zone that is 
visibly printed on the passport data page. The BAC also results in the 
communication between the chip and the reader being encrypted, 
providing further protection.
    Shielding the reader or other measures associated with the chip 
reader can also minimize the possibility of eavesdropping. The 
Department of Homeland Security (DHS) is responsible for border 
inspections of travelers, and the provision and use of the equipment at 
U.S. ports of entry that will read the electronic passports. The DHS is 
working with NIST on reader security and communications issues.
    We believe that the measures described in this rule adequately 
address the concerns raised by comments regarding security and privacy.

Objections to the Use of the RFID Technology

    Some comments discussed a belief that the RFID technology is too 
faulty or otherwise inadequate to be used in passports. In particular, 
some comments asserted that the RFID technology could easily be hacked 
into or counterfeited, which would defeat its usefulness as a security 
measure. The Department is taking every measure to ensure that the RFID 
chips it uses are resistant to hacking and counterfeiting. The devices 
used in the U.S. electronic passport must be Evaluation Assurance Level 
4+ certified or better. This third party certification is commonly used 
with other government smartcard initiatives and it provides assurance 
that the manufacturing process is auditable and secure.
    Additionally, the government conducts regular security audits of 
its vendor partners and their processes to maintain the security of its 
travel documents. Finally, the contactless smartcard chip used in the 
electronic passport will be securely inserted into a highly tamper 
proof, newly redesigned travel document. The new passport document is 
itself highly tamper resistant.
    According to certain comments, use of a contact chip would be 
preferable. However, contact chip technology was assessed and 
specifically excluded by the ICAO subcommittees during the development 
of their electronic passport specifications. Contact chip technology is 
primarily used in card formats, and does not easily adapt to 
fabrication in book-type formats. Contact technology requires the use 
of exposed contacts that need to make precise contact when inserted in 
a reader. Fabricating this technology in a book format in a way that 
facilitates reliable reading is problematic. Passports must be durable 
over their ten-year life. Passports using contact technology where a 
part of the passport book must be inserted into a reader would lead to 
enhanced wear and tear on the passport, thereby fostering unreliable 
passport book reading.
    Other comments suggested that the passport data should be 
encrypted. The passport data on the chip does not require encryption in 
order to be secure and protected. It is the same data that is visually 
displayed on the passport data page. Instead of encrypting data, BAC 
will permit an encrypted communication session with the reader that 
will provide a similar protection while not requiring administrative 
key control issues.
    Consequently, we have decided not to change the basic 
characteristics of the chip that we will use in the electronic passport 
or the data that it will contain. We will, as explained above, 
incorporate additional technology, including the anti-skimming material 
and BAC, to address concerns about skimming and eavesdropping. This 
will not require any change in the general definition of ``electronic 
passport'' contained in the proposed regulation. In this final rule, we 
have made a technical change to the language of the proposed definition 
to state that the chip will digitally carry information from the data 
page, a biometric version of the bearer's photo and coding protections.

[[Page 61555]]

    Again, we believe that the measures described in this rule 
adequately address the concerns raised by comments regarding RFID 
technology.

Religious Objections

    A small number of comments objected to the electronic passport due 
to religious beliefs. Without in any way passing judgment upon their 
beliefs, we do not consider these objections a basis for not proceeding 
with the proposed rule.

General Objections To Use of the Electronic Chip and Passport

    Some comments stated that they objected to use of the electronic 
chip and passport, but did not give specific reasons for their 
objections. As a result, the Department is unable to formulate a useful 
response to their objections.

Regulatory Findings

Administrative Procedure Act

    The Department is publishing this rule as a final rule, after 
publishing a proposed rule, allowing a 45-day provision for public 
comments, and consideration of all comments received. The Department 
provided for a shorter comment period than the 60 days suggested by 
Section 6(a) of E.O. 12866 because we believed 45 days would provide 
the public with a meaningful opportunity to comment while advancing 
important national security and foreign policy goals. We believe that 
the 2,335 comments received within that 45-day comment period validates 
this strategy. In order to protect the security of U.S. borders, it is 
essential that the Department implement the electronic passport program 
as soon as possible. In addition, a prompt launch of the program will 
increase our credibility and good will with other countries, which are 
implementing similar biometric passport programs.

Regulatory Flexibility Act/Executive Order 13272: Small Business

    These changes to the regulations are hereby certified as not 
expected to have a significant impact on a substantial number of small 
entities under the criteria of the Regulatory Flexibility Act, 5 U.S.C. 
601-612, and Executive Order 13272, section 3(b).

The Small Business Regulatory Enforcement Fairness Act of 1996

    This rule is not a major rule, as defined by 5 U.S.C. 804, for 
purposes of congressional review of agency rulemaking under the Small 
Business Regulatory Enforcement Fairness Act of 1996, Public Law 104-
121. This rule will not result in an annual effect on the economy of 
$100 million or more; a major increase in costs or prices; or adverse 
effects on competition, employment, investment, productivity, 
innovation, or the ability of United States-based companies to compete 
with foreign based companies in domestic and export markets.

The Unfunded Mandates Reform Act of 1995

    Section 202 of the Unfunded Mandates Reform Act of 1995 (UFMA), 
Public Law 104-4, 109 Stat. 48, 2 U.S.C. 1532, generally requires 
agencies to prepare a statement before proposing any rule that may 
result in an annual expenditure of $ 100 million or more by State, 
local, or tribal governments, or by the private sector. This rule will 
not result in any such expenditure nor will it significantly or 
uniquely affect small governments.

Executive Orders 12372 and 13132: Federalism

    This regulation will not have substantial direct effects on the 
States, on the relationship between the national government and the 
States, or the distribution of power and responsibilities among the 
various levels of government. Nor will the rule have federalism 
implications warranting the application of Executive Orders No. 12372 
and No. 13132.

Executive Order 12866: Regulatory Review

    The Department of State has reviewed this rule to ensure its 
consistency with the regulatory philosophy and principles set forth in 
Executive Order 12866 and has determined that the benefits of the 
regulation justify its costs. The Department does not consider the rule 
to be an economically significant regulatory action within the scope of 
section 3(f)(1) of the Executive Order since it is not likely to have 
an annual effect on the economy of $100 million or more or to adversely 
affect in a material way the economy, a sector of the economy, 
productivity, competition, jobs, the environment, public health or 
safety, or State, local, or tribal governments or communities. However, 
the rule does have important policy implications and involves a 
critical component of upgrading border security for the United States. 
Accordingly, it has been provided to the Office of Management and 
Budget (OMB) for review.

Executive Order 12988: Civil Justice Reform

    The Department has reviewed the regulations in light of sections 
3(a) and 3(b)(2) of Executive Order No. 12988 to eliminate ambiguity, 
minimize litigation, establish clear legal standards, and reduce 
burden.

The Paperwork Reduction Act of 1995

    The portion of the proposed rule contained in this final rule does 
not impose any new requirements for the collection of information under 
the PRA.

List of Subjects in 22 CFR Part 51

    Passports and visas.

0
Accordingly, the Department amends Part 51 of 22 CFR as follows:

PART 51--[AMENDED]

0
1. The authority citation for part 51 continues to read as follows:

    Authority: 22 U.S.C. 211a, 213, 2651a, 2671(d)(3), 2714 and 
3926; 31 U.S.C. 9701; E.O. 11295, 3 CFR, 1966-1970 Comp., p 570; 
sec. 236, Public Law 106-113, 113 Stat. 1501A-430; 18 U.S.C. 
1621(a)(2).


0
2. Amend Sec.  51.1 to add a new paragraph (j) to read as follows:


Sec.  51.1  Definitions.

* * * * *
    (j) Electronic passport means a passport containing an 
electronically readable device, an electronic chip, encoded with the 
information printed on the data page, a biometric version of the 
bearer's photograph, a unique chip number, and a digital signature to 
protect the integrity of the stored information.

0
3. Revise Sec.  51.6 to read as follows:


Sec.  51.6  Damaged, mutilated or altered passport.

    Any passport which has been materially changed in physical 
appearance or composition, or contains a damaged, defective or 
otherwise nonfunctioning electronic chip, or which includes 
unauthorized changes, obliterations, entries or photographs, or has 
observable wear and tear that renders it unfit for further use as a 
travel document may be invalidated.

0
4. Amend Sec.  51.64 to add a new paragraph (e) to read as follows:


Sec.  51.64  Replacement passports.

* * * * *
    (e) When a passport is issued for the balance of the original 
validity period to replace a passport with a failed electronic chip.

    Dated: October 19, 2005.
Maura Harty,
Assistant Secretary for Consular Affairs, Department of State.
[FR Doc. 05-21284 Filed 10-24-05; 8:45 am]
BILLING CODE 4710-05-P