A new patent application by Apple shows the company is working to make passports that are entirely digital. The application details software that could ensure the person holding an iPhone with digital ID is the actual owner. But ID theft isn’t the only issue with digital documents. “When you deploy a completely digital, paperless passport system, the entire threat model changes,” Attila Tomaschek, a researcher for the website ProPrivacy, said in an email interview. “A widespread global digital passport system would naturally involve a massive trove of personal traveler data, including names, dates of birth, passport numbers, photo, travel information, and so on. Such sensitive data can be incredibly valuable to cybercriminals, making any digital passport system a highly attractive target for hackers.”
Everything Goes Digital
The US already issues passports with a chip inside that contains the same information as the paper document. An entirely digital passport is a natural next step, and one that’s being considered for those who have been vaccinated for COVID-19, in addition to travel, observers say. Apple has long been trying to replace your cash, credit cards, wallet, and camera with iPhones, noted Victor Kao, a technology analyst at the consulting firm RSM, in an email interview. Digitizing government IDs, including driver’s licenses, passports, and even library cards, could offer even more convenience. “By removing the physical passport, you avoid the risks of losing [it] while you travel, or having it stolen, which could lead to identity theft,” he said. “Digital passports create a more frictionless transaction when traveling from country to country.” But along with the convenience comes risk. Users have to trust big tech companies like Apple to store their digital information securely. “Like surfing the internet, a digital passport could leave digital breadcrumbs on where you’ve been,” Kao said. “It sounds innocent, but when you cross-reference this data with location tracking, geo-tagging, digital wallets, social media posts, ride-sharing, and social media apps, you’ve all the sudden just opened up the possibilities of what people or even government agencies know about you.” The hurdles of implementing digital passports are not so much on Apple’s end, Kao said. “The roadblocks sit on the other half of the equation: government’s authentication and verification systems,” he added. “For digital passports to work, this assumes that every sovereign nation and state has the technology infrastructure and backbone to support a digital authentication process.”
Better than Paper?
Not everyone agrees that digital passports are a security risk. Android and iOS-based smartphones “have robust mechanisms to securely store credentials in ways that cannot be accessed through the use of tamper-proof hardware security modules and encryption that cannot feasibly be broken at scale,” Mike Joyce, a manager at innovation and engineering company Theorem, said in an email interview. Digital passports, unlike paper ones, can be made almost impossible to forge, Vinny Lingham, the CEO of software firm Civic, said in an email interview. His firm has developed technology that it claims can query a digital passport for information without requesting all the underlying data. “For instance, you could ‘ask’ the wallet if the holder was a US citizen, and it could confirm yes or no without revealing other information,” Lingham said. “It is also more secure because once facial recognition has been attached to a digital passport, you cannot replace the picture as you can with a physical passport.” Recent efforts to develop a COVID passport show the technology is ready for digital travel passports, Laura Hoffner, the chief of staff of cybersecurity firm Concentric, said in an email interview. “The primary roadblock is trust,” Hoffner said. “Especially when it comes to COVID, the entire pandemic has been so polarizing that whichever digital solution is going to have a hard time gaining trust by the public. The primary way to do this is to enable the individual the control over who accesses what information and how often.”
