Data and Radio Frequency Chip (a.k.a. e-passport)

Executive Summary

A Privacy Impact Assessment (PIA) was developed for the e-passport project of Passport Canada to evaluate compliance of the project with privacy requirements, as stated in the Privacy Act and other relevant legislation and policies. The assessment was preceded by the submission of a draft PIA Executive Summary with the initial e-Passport Treasury Board Submission for Preliminary Project Approval in June 2005. Although the project has not yet started, this Executive Summary reflects Passport Canada (PPTC)’s assessment of the privacy risks associated with the e-Passport project and outlines the steps to mitigate them. Also, due to substantial changes, a revised PIA is currently being developed and its Executive Summary will be posted on this website as soon as possible.

Passport Canada summarized the following actions taken to avoid or mitigate the privacy risks, and provide a status report when they will seek Effective Project Approval from the Treasury Board.

1.1 Project rationale and description

Following certain United Nations resolutions on combating terrorism, the International Civil Aviation Organization (ICAO) adopted new passport specifications that included a global blueprint for the integration of biometric identification information into passports and other machine-readable travel documents (MRTD). These new specifications require the inclusion of an embedded chip and the storage on that chip of the passport-holder’s photo. In 2004, the Canadian government instituted its National Security Policy and presented an implementation plan to pursue initiatives reinforcing border security.

It is within this context that the Government of Canada, set out an integrated approach to security issues across government. The National Security Policy articulates core national security interests and proposes a framework for addressing threats to Canadians. As part of this policy, the Government of Canada also committed to work with its international partners and international forums, such as the G8 and the World Customs Organization, to internationalize the Smart Borders model. In this context, Passport Canada researched the feasibility of adding a contactless chip into Canadian passports. Other projects that are part of this model, such as the facial recognition project, were subject to separate PIAs.

The e-Passport is a travel document that conforms to the standards established by ICAO and contains a contactless microchip embedded in the document. The chip conforms to International Standard Organization (ISO) standards as directed by ICAO. The chip will contain the same information as currently found on the Canadian passport’s data page. The encoded chip is locked to maintain the integrity of the travel document. Border security uses a reader to activate and interpret the chip to verify that the information on the data page matches that contained in the chip. The security features of the chip involve Public Key Infrastructure (PKI) technology and standards as directed by the ICAO standards. Compliance with the PKI requirements ensures the e-Passport is authenticated as a travel document produced by Canada.

This project provides enhanced security of the Canadian travel document and ensures compliance with recent changes to the ICAO standards. It will be more difficult for criminals to forge or alter passports and will provide a means to improve inspection capability at borders.

1.2 Conclusions and recommendations

By applying the following recommendations, the e-Passport project will comply with all of the privacy requirements prior to issuing the first e-Passport. The conclusions and recommendations of this report are summarized below.

Principle number 1: Accountability for personal information

Accountability for personal information will follow the existing accountability structure. Also, the existing extensive quality assurance performed to ensure the accuracy of data during the passport issuance process will be maintained. No further action is required.

Principles number 2: Collection of personal information

Passport Canada will amend the disclosure statement on the application form to include a notice indicating that personal information will be encoded on a chip. Passport Canada will also amend the disclosure statement to include the office to which applicants may forward their questions regarding collection of personal information. This risk was ranked as low.

Principle number 3: Consent

Passport Canada will conduct a Pilot project. Participants will be asked to acknowledge and consent to the inclusion of their biographical information and digitized facial image in a chip embedded in their e-Passport for the purpose of the Pilot. This risk was ranked as low.

Principle number 4: Use of Personal Information

The e-Passport project is compliant with Privacy Principle number 4. No further action is required.

Principle number 5: Disclosure and Disposal of Personal Information

The e-Passport project is compliant with Privacy Principle number 5. No further action is required.

Principle number 6: Accuracy of Personal Information

A number of quality control activities are performed throughout the existing entitlement and production processes. An additional step will be introduced to verify the accuracy of the information contained on the chip after the e-Passport is produced. This risk was identified as moderate.

Passport Canada will also investigate options regarding selection of a method of providing individuals with a means to access the data on their e-Passport chip without compromising access to information on the chip, and will implement that solution.

Principle number 7: Safeguard of personal information

A preliminary threat and risk assessment (TRA) has been conducted to ensure that the technology adequately safeguards personal information contained in the chip and that the technical solution is compliant to government policies and standards. Passport Canada will reassess IT security threats and risks before e-Passports are issued to reflect the technical solution implemented. This risk was ranked as moderate.

Training will be provided to government stakeholders on the new e-Passport. This should include a component regarding information security and privacy issues to reinforce the current culture of information security. This risk was ranked as low, since there is already a culture of information security within Passport Canada.

Skimming and eavesdropping are data access risks known to ICAO. They involve using specialized equipment without the bearer’s knowledge or agreement to read the information contained on the chip. This risk was ranked as moderate. To address this concern, Passport Canada selected Basic Access Control (BAC) chip authentication security mechanism for reading the chip as per ICAO standard. All other members of the Five Nations (Australia, New-Zealand, UK, and US) have adopted this mechanism to safeguard the personal information on their e-Passport.

Current methods used by Passport Canada to void or destroy passports will likely damage the antenna, but it is uncertain they will damage the chip. It may therefore be possible to read the data on the chip after the e-Passport is invalidated or destroyed. This risk was ranked as low. Passport Canada will investigate options regarding selection of a method for destruction of the chip and antenna, and that the solution be implemented. Passport holders should be apprised of an appropriate method to safely destroy their e-Passport, as and when required.

Principle number 8: Openness

A low-level risk associated with the e-Passport project is that the definition included in Info Source does not reflect the new use for the biographical data and facial images. Passport Canada will submit an update to Info Source accordingly before the first e-Passports are issued.

Principle number 9: Individual’s Access to Personal Information

The e-Passport project is compliant with Privacy Principle number 9. No further action is required.

Principle number 10: Challenging Compliance

The e-Passport project is compliant with Privacy Principle number 10. No further action is required.