[IP] RFID Passports

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] RFID Passports
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 4 Oct 2004 09:21:27 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Bruce Schneier <schneier@xxxxxxxxxxxxxxx>
Date: October 4, 2004 8:45:41 AM EDT

I had an op ed published in today's International Herald Tribune:

        http://www.iht.com/articles/541711.html

**********************

Does Big Brother want to watch?

PARIS Since the terrorist attacks of 2001, the Bush administration -specifically, the Department of Homeland Security - has wanted theworld to agree on a standard for machine-readable passports. Countrieswhose citizens currently do not have visa requirements to enter theUnited States will have to issue passports that conform to the standardor risk losing their nonvisa status.

These future passports, currently being tested, will include anembedded computer chip. This chip will allow the passport to containmuch more information than a simple machine-readable character font,and will allow passport officials to quickly and easily read thatinformation. That is a reasonable requirement and a good idea forbringing passport technology into the 21st century.

But the Bush administration is advocating radio frequencyidentification (RFID) chips for both U.S. and foreign passports, andthat's a very bad thing.

These chips are like smart cards, but they can be read from a distance.A receiving device can "talk" to the chip remotely, without any needfor physical contact, and get whatever information is on it. Passportofficials envision being able to download the information on the chipsimply by bringing it within a few centimeters of an electronic reader.

Unfortunately, RFID chips can be read by any reader, not just the onesat passport control. The upshot of this is that travelers carryingaround RFID passports are broadcasting their identity.

Think about what that means for a minute. It means that passportholders are continuously broadcasting their name, nationality, age,address and whatever else is on the RFID chip. It means that anyonewith a reader can learn that information, without the passport holder'sknowledge or consent. It means that pickpockets, kidnappers andterrorists can easily - and surreptitiously - pick Americans ornationals of other participating countries out of a crowd.

It is a clear threat to both privacy and personal safety, and quitesimply, that is why it is bad idea. Proponents of the system claim thatthe chips can be read only from within a distance of a few centimeters,so there is no potential for abuse. This is a spectacularly naïveclaim. All wireless protocols can work at much longer ranges thanspecified. In tests, RFID chips have been read by receivers 20 metersaway. Improvements in technology are inevitable.

Security is always a trade-off. If the benefits of RFID outweighed therisks, then maybe it would be worth it. Certainly, there isn't asignificant benefit when people present their passport to a customsofficial. If that customs official is going to take the passport andbring it near a reader, why can't he go those extra few centimetersthat a contact chip - one the reader must actually touch - wouldrequire?

The Bush administration is deliberately choosing a less securetechnology without justification. If there were a good offsettingreason to choose that technology over a contact chip, then the choicemight make sense.

Unfortunately, there is only one possible reason: The administrationwants surreptitious access themselves. It wants to be able to identifypeople in crowds. It wants to surreptitiously pick out the Americans,and pick out the foreigners. It wants to do the very thing that itinsists, despite demonstrations to the contrary, can't be done.

Normally I am very careful before I ascribe such sinister motives to agovernment agency. Incompetence is the norm, and malevolence is muchrarer. But this seems like a clear case of the Bush administrationputting its own interests above the security and privacy of itscitizens, and then lying about it.

Bruce Schneier is a security technologist and the author of "BeyondFear: Thinking Sensibly About Security in an Uncertain World."

_______________________________________________
EPIC_IDOF mailing list
EPIC_IDOF@xxxxxxxxxxxxxxxx
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_idof

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Don't act "suspicious" -- TSA testing SPOT "observation" program
Next by Date: [IP] more on 35th Anniversary of the Internet (well the start of the Arpanet anyway djf)
Previous by thread: [IP] 35th Anniversary of the Internet (well the start of the Arpanet anyway djf)
Next by thread: [IP] RFID Passports
Index(es):
- Date
- Thread