The E-Passport Paradox: How a Security Upgrade Creates Deeper Risks

The Wire

2 days ago

Rights
Abhishek Baxi
5 minutes ago
The e-passport is neither free of security vulnerabilities nor is focussed on protecting the privacy of the person from the world.
Illustration: Pariplab Chakraborty.
The Government of India has initiated a significant modernisation of its travel documentation system with the introduction of the chip-based electronic passport, or e-passport. This move, part of the government's Passport Seva Programme 2.0, began in April 2024 and is already rolling out in select cities.
This move places India among more than 120 nations that have adopted this International Civil Aviation Organisation (ICAO)-compliant technology. The idea is to offer enhanced security, faster immigration processing and seamless global travel.
But behind the glossy pitch of digital convenience – and a gold chip symbol below the national symbol – lies a bigger concern: privacy without protection and innovation without oversight.
What's on the chip?
Each e-passport is equipped with a radio-frequency identification (RFID) chip embedded in the back cover. This chip securely stores biometric information such as facial data and fingerprints, and personal details, all encrypted with advanced security protocols like Basic Access Control (BAC; which restricts chip access to authorised scanning devices) and Extended Access Control (EAC; which adds an extra security layer for sensitive biometric information).
When an immigration officer scans the e-passport, the chip's digital signature confirms authenticity; a live biometric scan then matches the data on-chip to the traveller. According to India's Passport Seva FAQ, 'the underlying technology supporting the security of the e-passport is the Public Key Infrastructure solution, which is the foundation for safeguarding sensitive information and confirming the integrity and origin of the personal and biometric data stored on the chip'.
But the FAQs stop short of outlining who beyond immigration authorities – if anyone – may lawfully scan or store this data.
Can e-passports be scanned without consent, transparency or oversight – can private entities like airlines or banks access this information? Which devices qualify as certified readers? Are there limits on how long the scanned data may be retained?
When MP R. Dharmar raised a question in the Rajya Sabha asking for 'the steps being taken to ensure the security and privacy of personal data stored in chip-based e-passports', the response from Kirti Vardhan Singh, minister of state for external affairs, on April 3, 2025 focused on the security aspect of e-passports, skipping the privacy question.
'The main benefit of the e-passport,' the minister said, 'is its enhanced ability to maintain the integrity of its data'. He added: 'Since the e-passport has the data in printed form on the booklet, as well as encrypted in the chip, it makes it harder to forge.'
On other occasions too, responses to related questions have been unsatisfactory.
Chinks in the armour
The government's public messaging and parliamentary statements have consistently framed the e-passport initiative around two primary benefits: enhanced security and greater convenience.
Beneath the surface of official assurances lies a complex and troubling landscape of technological vulnerabilities. The very features that deliver the e-passport's promised convenience are also the source of its most significant privacy risks.
The use of RFID technology for contactless communication is the e-passport's primary architectural weakness. This design choice exposes the passport to several well-documented attack vectors, including skimming (the clandestine reading of the chip's data by using a concealed RFID reader), eavesdropping (a passive attack where an adversary intercepts the wireless communication between a legitimate immigration reader and the e-passport during an official inspection), and cloning (creating a perfect, bit-for-bit digital copy on a blank RFID chip).
The vulnerabilities are not limited to the hardware but extend to the very protocols mandated by the ICAO 9303 standard, which India's e-passport adheres to. A 2021 research paper – titled ' Discovering ePassport Vulnerabilities using Bisimilarity ' – points out significant privacy flaws in the standard's core authentication protocols, BAC and its more advanced successor, Password Authenticated Connection Establishment.
These protocols are meant to ensure "unlinkability", meaning an adversary should not be able to track a passport holder by linking their presence at different checkpoints. However, the research demonstrates that these protocols fail to meet this requirement.
Then there's the biometric paradox. The inclusion of biometric data is marketed as a definitive security enhancement, tying the document irrevocably to its owner. This perception, however, is dangerously flawed.
Biometric identifiers are immutable: once compromised, they cannot be reset like passwords. And as public-facing attributes, they can be captured without an individual's consent. Storing these unchangeable biological traits on a cloneable RFID chip creates a permanent and high-value target for identity thieves.
The security posture of the e-passport is further weakened by its long operational lifespan. Indian passports for adults are valid for ten years. A ten-year validity period creates a substantial window for advances in cryptanalysis.
Encryption algorithms considered secure at the time of the passport's issuance may become vulnerable to being broken by more powerful computers and new analytical techniques before the passport expires. The data that is secure today may not be secure five or ten years from now, yet it will remain on the chip for the document's entire lifecycle.
Gaps in the data protection regime
The government's narrative strategically conflates two distinct security concepts: data integrity and data confidentiality. The heavy emphasis on ensuring data integrity (the idea that the data can be neither hacked nor copied) effectively sidesteps the more critical privacy question of who can read this authentic, unaltered data (ensuring data confidentiality).
This focus on thwarting counterfeiters creates a public perception of a holistically secure document, while leaving the more subtle but profound risks of surveillance and unauthorised data access largely unaddressed.
And there's the question of who the ultimate controller of an Indian citizen's e-passport data is.
In theory, the Digital Personal Data Protection (DPDP) Act, 2023 designates the citizen as the "data principal", the owner of their personal data. In practice, however, the e-passport system sets up the state as the de facto controller with ultimate and overriding power – essentially, the "data fiduciary". Moreover, the vast exemptions under the DPDP Act mean it can process this data without the consent or knowledge of the citizen.
In the event that a citizen's e-passport data is misused – whether it is cloned by a criminal organisation, shared improperly with a foreign government or collected for domestic surveillance by a national agency – the path to legal recourse is unclear and likely non-existent.
Such systems expose citizens to new forms of digital harm with no effective means of holding the powerful to account. Writing for The Statesman, consumer rights advocate Shrey Madaan calls it 'paternalism, packaged in a chip'.
(As an aside, a widely appreciated move is the decision to remove key personal information like the residential address (to safeguard privacy) and parents' names (to accommodate diverse family situations) from the physical booklet. This too serves to concentrate power. The citizen loses the ability to passively share their details from the document and becomes entirely dependent on the state's infrastructure to verify their own information.)
Citizen vs the state
In a way, the e-passports mark a paradigm shift in the relationship between the Indian citizen and the state. A traditional passport is a static document, a piece of property over which the citizen exercises near-total control, revealing its contents only when they choose to physically present it. An e-passport can be queried and tracked silently.
When combined with a legal framework that grants the state sweeping powers to access its data, the passport is transformed from a tool of the citizen into an instrument of the state.
The system's architecture is overwhelmingly focused on proving the authenticity of the document to the state, not on protecting the privacy of the person from the world. It is engineered to stop someone from altering the data on the chip, but not to stop them from copying it wholesale or tracking its movements.
This prioritisation of state-level verification over individual privacy transforms the passport from a private document owned by the citizen into a trackable digital token controlled by the state.
The transition to e-passports is an irreversible global trend, and India's participation is not misplaced. The issue lies in the implementation. The current approach has created a system where the promise of convenience is overshadowed by the peril of unchecked surveillance and unmitigated security risks.
The absence of clear privacy rules, oversight mechanisms and citizen rights threatens to erode trust in the new system. Without sufficient guardrails, the promise of secure e-passports risks giving way to a surveillance architecture invisible to the very individuals it's meant to protect.
Abhishek Baxi is an independent technology journalist exploring the intersection of technology, culture and society. He writes on consumer tech and enterprise innovation, analyses Big Tech, unpacks technology policy and shares unsolicited opinions on X as @baxiabhishek.
The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.