AllieKat

I renewed my US passport last month and got the old version, from the US Embassy in London. I was a bit disappointed but oh well.

One thing I hope is that the new one will be easier for phones to read - apps that verify ePassports struggle with US passports it's so weak you have to get the phone exactly right. This may be a more significant issue in the years to come as more and more of our lives become app-based.

txviking

As far as I know, this is a feature, not a bug. You will find it easier to read the RFID chip if you hold the phone to the INSIDE of the rear cover — when I do that, I can read the chip in my US passport just as easily as the one in my Norwegian one. To be clear, just like you, I received the old-style US passport.

From what I have read about the new passport, it will have hard covers with stronger RFID shielding to prevent the passport from being read at a distance; you will need to open it. This is in addition to using the text in the MRZ as a key to decrypt the contents.

AllieKat

That's my understanding too that it's a feature - it's designed to be as weak and hard to read as possible and it's shielded. Given the contents are encrypted, I'm not really sure *why* though...

I was hoping they'd do away with that silliness in the new version.

txviking

Encryption can be broken. Much of the decryption key in this case can be guessed at, and narrowing down the number of possible keys makes brute force decryption of the unknown parts easier.

Since the decryption key is based in your passport’s MRZ, it is known to include your name, your gender, your DOB, your nationality, the expiration date and a few other data elements. On ordinary US passports, the first five letters will be P<USA and the end of line two will include your locator number. All of these elements appear in a fixed order, unused positions contain < and the algorithm for computing check digits is public knowledge. This makes decryption, while still hard, not quite as impossible as we might assume — particularly given the advances that are likely to happen in computing power over the next few decades.

Good security always employs multiple layers.

WilcoRoger

What information is on the chip that is not on the data page in cleartext? That data page, that's regularly photocopied e.g. in countless of hotels when checking in...

seawolf

I think people are concern about that same information being extracted remotely. Then again if you are in the US, all that info plus SSN has already been stolen when Equifax was hacked a number of years ago.

txviking

As far as I know, none, save for some digital certificates that help verify the authenticity of the passport but have nothing to do with you personally. This is not guaranteed to always be the case, though. The current chip can store 64KB of data, only some of which is currently used (mostly for the photo.) Some potential future uses could be fingerprints, vaccination status for various diseases, "page 27" information, etc.

That is not to say that the biodata page itself does not already contain sensitive information -- it absolutely does. But at least when you present your passport to a hotel, you're physically handing it over. Most people would be uncomfortable with the concept that their passport could just be read at a distance by any random stranger they pass on the street. Physical RF shielding in the cover pages is one defense against this. Encrypting the data using the MRZ as a key is another. It may seem like overkill insofar as the MRZ alone contains much of the same data, and a better system could no doubt have been devised. But it's better than nothing.

All that data is actually not in the Equifax breach. Equifax did not have your photo, your signature, your passport number or indeed your nationality, to mention a few. And while it's hard to see why anyone would go through the trouble, data from the Equifax breach could indeed be used to reconstruct large chunks of the MRZ.

That said, the Equifax breach was disastrous, and the fact that nothing was done about it is going to be a source of identity theft for years to come. There have been other terrible breaches as well, such as the OPM data breach that leaked highly sensitive information on literally every person who has undergone a federal government background check in modern times.

But we can't just throw our hands up and say the information has been compromised so many times that we might as well just make it all public. In the Equifax case, though, retiring social security numbers in favor of a more secure alternative would have been warranted.

GUWonder

GPO says everything is “on track” with the Next Generation passport program.

But you can look at the OIG report about some passport issues:

https://www.oversight.gov/sites/defa...Posting508.pdf

The online renewal is long delayed too. The “next generation” passport has had its delays due to some of the same dynamics, but GPO says the project is on track on its end.

Valerian

So I got three (tourist) passports renewed and just got them back. 2 were the old model. 1 was the next gen passport. So they are being issued. Probably next year before they are universally issued.

CX HK

Wonder if, like the UK passports, they will have to use up old stock before issuing the new passports? So it could really be a toss of the coin as to if you get the new passport for a few months.

cafeconleche

Oh you got a new one? Fascinating.

Yeah old stock is always used up first.

TWA884

There are several reports from the past week in the Current US passport wait? (Merged Threads) of members and family members being issued Next Generation Passports.

cafeconleche

So is the new one thinner? Are the pages less gaudy?

GUWonder

The new US passports have alphanumeric passport numbers, meaning they include at least one letter -- for now, it's the initial part of the number. Let's see if/when/how the use of alphanumeric ends up being an issue.

seawolf

Where do you see a concern? Other country passports have alphabetical characters. It’s part of ICAO standard.