Here's another case of technology being deployed for technology's sake without providing any significant security benefit, while at the same time, increasing the number of vulnerabilities present in such systems. I mean, they're not even using data or link encryption!!
-rick infowarrior.org American Passports to Get Chipped By Ryan Singel Story location: http://www.wired.com/news/privacy/0,1848,65412,00.html 02:00 AM Oct. 21, 2004 PT New U.S. passports will soon be read remotely at borders around the world, thanks to embedded chips that will broadcast on command an individual's name, address and digital photo to a computerized reader. The State Department hopes the addition of the chips, which employ radio frequency identification, or RFID, technology, will make passports more secure and harder to forge, according to spokeswoman Kelly Shannon. "The reason we are doing this is that it simply makes passports more secure," Shannon said. "It's yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally." But civil libertarians and some technologists say the chips are actually a boon to identity thieves, stalkers and commercial data collectors, since anyone with the proper reader can download a person's biographical information and photo from several feet away. "Even if they wanted to store this info in a chip, why have a chip that can be read remotely?" asked Barry Steinhardt, who directs the American Civil Liberty Union's Technology and Liberty program. "Why not require the passport be brought in contact with a reader so that the passport holder would know it had been captured? Americans in the know will be wrapping their passports in aluminum foil." Last week, four companies received contracts from the government to deliver prototype chips and readers immediately for evaluation. Diplomats and State Department employees will be issued the new passports as early as January, while other citizens applying for new passports will get the new version starting in the spring. Countries around the world are also in the process of including the tags in their passports, in part due to U.S. government requirements that some nations must add biometric identification in order for their citizens to visit without a visa. Current passports (which are already readable by machines that decipher text on the photo page) will remain valid until they expire, according to a State Department spokeswoman. The RFID passport works like a high-tech version of the children's game "Marco Polo." A reader speaks out the equivalent of "Marco" on a designated frequency. The chip then channels that radio energy and echoes back with an answer. But instead of simply saying "Polo," the 64 Kb chip will say the passport holder's name, address, date and place of birth, and send along a digital photograph. While none of the information on the chip is encrypted, the chip does also broadcast a digital signature that verifies the chip itself was created by the government. Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries. RFID technology has been around for more than 60 years, but has only recently become cheap enough to be adopted widely. E-Z Pass prepay toll systems across the country run on RFIDs, pets and livestock around the world have RFID implants, and businesses such as Wal-Mart plan to use the tags to track their inventory. But Electronic Frontier Foundation attorney Lee Tien argues that RFID chips in passports are a "privacy horror" and would be even if the data was encrypted. "If 180 countries have access to the technology for reading this thing, whether or not it is encrypted, from a security standpoint, that is a very leaky system," Tien said. "Strictly from a technology standpoint, any reader system, even with security, that was so widely deployed and accessible to so many people worldwide will be subject to some very interesting compromises." Travel privacy expert Edward Hasbrouck argues that identity thieves are not the only ones with an interest in recording the data remotely. Commercial travel companies, including hotels, will capture the data to create commercial dossiers when people check into hotels or exchange currency in order to up-sell their customers, he argues. While there are no laws in the United States prohibiting anyone from snooping on someone's passport data, Roy Want, an RFID expert who works as a principal engineer for Intel Research, thinks that the possibility of identity theft is overblown. "It is actually quite hard to read RFID at a distance," said Want. A person's keys, bag and body interfere with the radio waves, and the type of RFID chip being used requires readers equipped with very large -- and obvious -- coils to capture the data, according to Want. Still, he concedes that a determined snooper could create a snooping system. "In principle someone could rig up a reader, perhaps in a doorway you are forcing people to go through. You could read some of these tags some of the time," Want said. But Want thinks that overall the chips will help cut down on passport fraud. "The problem with security is there is always a possibility of attack," Want said. "RFIDs are not going to solve the problem of passport forgery, but people who know about printing are not going to learn about RFIDs." You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
