Visa waiver changes miss real security gap
Passport must be bound to traveler via biometrics
03 December, 2015
category: Biometrics, Government
If you’re a resident of a visa waiver country but have visited Iraq or Syria, coming to the U.S. might not be as simple as it was in the past.
For more than a decade all foreign travelers to the U.S. have had to submit biometric data to gain entry to the country. These ten fingerprints and passport data are scanned at points of entry and run against databases to make sure travelers aren’t on a watch lists.
These precautions were put into place after the 2001 terrorists attacks on the U.S. but the Obama administration released new guidelines saying that further biometric screening may be required for travelers coming from any of the 38 visa waiver countries. Initially, the extra emphasis will focus on travelers that have visited Syria or Iraq in an effort to make sure that stolen travel documents aren’t used to enter the U.S.
Details of what this additional screening will look like are not yet known.
Biometrics are currently captured from all foreign visitors to the U.S., it’s just captured earlier in the process for visitors from non-visa waiver countries.
Here is what the processes looks like for someone requiring a visa: The traveler starts the process by applying at a U.S. embassy or consulate. During pre-screening they submit fingerprints and a facial image and that data is checked against databases to make sure the traveler is not a threat. If everything checks out the traveler is granted a visa. The biometrics are once again checked at the border crossing prior to entry into the U.S. to make sure that everything matches the original record.
For a visa-waiver traveler the process is simplified. The visitor doesn’t have to visit an embassy or consulate and can just plan a trip. But at the border crossing the individual must submit a passport and fingerprint data that is checked against watch lists. If everything checks out the individual is allowed entry into the country.
Here’s the problem with the current system. The fingerprints should ideally be checked against those stored in the travel document to ensure the presenter is the legitimate owner of the document. The problem is many countries don’t store a biometric, other than facial image, on the passport chip. This means the fingerprints can only be checked against watch lists – a process that works great to find known terrorists but does nothing to stop unknown terrorists.
If I were a UK resident and someone stole my passport and looked like me they could potentially waltz right into the U.S. Because I’m not on a watch list my passport would not be flagged. And as long as the individual that stole my passport has not had his fingerprints added to the watch list, he could pass. Homeland Security needs to be able to match the fingerprint presented at the point of entry with the biometric taken at the time of the passport’s issuance. After this match is made, then the document holder can be checked to make sure they’re not on a watch list.
This isn’t Homeland Security’s fault. Many countries put fingerprints on the chips embedded into passports but to date that data can only be accessed by the issuing country. Hopefully changes are on the horizon and access to this data will be made available.
The U.S. has been issuing ePassports for a decade, and security requires the ability to read the information stored on the embedded contactless smart card chips. While it took some time for the U.S. to rollout the infrastructure to read the chips in passports, systems have been in place for more than a year.
This technology enables a border agent to make sure the information printed on the data page is the same as that stored in the chip. In the U.S., the chip stores a facial image and the information printed on the data page. Other countries include additional biometrics and all of the information is secured with PKI.
So even is someone was able to obtain a legitimate document and alter the data page, unless they could also change the data stored on the chip it wouldn’t do them any good. The presenter’s face might match the falsified image on the data page, but it would not match the digital image stored in the chip.
It seems that the problem is we’re lacking a standardized, cross-country biometric that is stored on all ePassports and can be read and verified at all point of entry. While some would argue that the facial image is the standardized biometric it would seem that it only works if a strong, automated facial recognition system is put in place in addition to the in-person verification.
In the future it will be a necessity to change they way travelers enter the U.S. Fingerprints or iris will have to be added to passports that definitively link it with the traveler as well as the checks against existing watch lists.