Monday, December 31, 2007

RFID Chips in Passports

Despite widespread opposition to RFID technology being used in passports, the Department of State has approved its use in some new American passports.

The Center for Democracy and Technology reports:

Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep.

4 congressmembers, the Government of Canada, a Native American government, privacy interest groups, technology companies and dozens of city, county and municipal governments expressed their concerns about the new rule.

The Federal Register text of the rule states their concerns:

The opinion expressed by many commenters is that vicinity read technology is not as secure as the proximity read technology currently used in the United States e-Passport. In their opinion the use of vicinity read technology could result in the unauthorized reading of information that would lead to identity theft and tracking of United States citizens by terrorists (security groups) and the government (privacy groups). In addition, commenters asserted that employing two different technologies at the same border crossing is redundant, inefficient, and unnecessarily costly.

Click here to read the text in its entirety

The government has stated that in order to avoid identity theft they are going to take several precautionary measures.

The Washington Post Reports:

The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly.

Avi Rubin, a professor at Johns Hopkins University, said that two years ago, he duplicated an RFID chip in his "speedpass" used for buying gas, copied the information onto a laptop and, after extending a radio antenna from the laptop out the car door, was able to buy gas with the cloned RFID chip.

Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card's technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning.

Click here to read the text in its entirety

When it comes to protecting our privacy and identity, we should always expect and demand the government falls on the side of security. Unfortunately, as this program currently stands, the government has failed to take the necessary precautions to protect our privacy and guard us against identity theft.

No comments: