http://www.wired.com/news/privacy/0,1848,65412,00.html
http://www.wired.com/news/print/0,1294,65412,00.html
By Ryan Singel
Story location:=20
<http://www.wired.com/news/privacy/0,1848,65412,00.html>http://www.wired.com=
/news/privacy/0,1848,65412,00.html
New U.S. passports will soon be read remotely at borders around the
world, thanks to embedded chips that will broadcast on command an
individual's name, address and digital photo to a computerized reader.
The State Department hopes the addition of the chips, which employ
radio frequency identification, or RFID, technology, will make
passports more secure and harder to forge, according to spokeswoman
Kelly Shannon.
"The reason we are doing this is that it simply makes passports more
secure," Shannon said. "It's yet another layer beyond the security
features we currently use to ensure the bearer is the person who was
issued the passport originally."
But civil libertarians and some technologists say the chips are
actually a boon to identity thieves, stalkers and commercial data
collectors, since anyone with the proper reader can download a
person's biographical information and photo from several feet away.
"Even if they wanted to store this info in a chip, why have a chip
that can be read remotely?" asked Barry Steinhardt, who directs the
American Civil Liberty Union's Technology and Liberty program. "Why
not require the passport be brought in contact with a reader so that
the passport holder would know it had been captured? Americans in the
know will be wrapping their passports in aluminum foil."
Last week, four companies received contracts from the government to
deliver prototype chips and readers immediately for evaluation.
Diplomats and State Department employees will be issued the new
passports as early as January, while other citizens applying for new
passports will get the new version starting in the spring. Countries
around the world are also in the process of including the tags in
their passports, in part due to U.S. government requirements that some
nations must add biometric identification in order for their citizens
to visit without a visa.
Current passports (which are already readable by machines that
decipher text on the photo page) will remain valid until they expire,
according to a State Department spokeswoman.
The RFID passport works like a high-tech version of the children's
game "Marco Polo." A reader speaks out the equivalent of "Marco" on a
designated frequency. The chip then channels that radio energy and
echoes back with an answer.
But instead of simply saying "Polo," the 64 Kb chip will say the
passport holder's name, address, date and place of birth, and send
along a digital photograph.
While none of the information on the chip is encrypted, the chip does
also broadcast a http://en.wikipedia.org/wiki/Digitally_Signed digital
signature that verifies the chip itself was created by the government.
Security experts said the U.S. government decided not to encrypt the
data because of the risks involved in sharing the method of decryption
with other countries.
RFID technology has been around for more than 60 years, but has only
recently become cheap enough to be adopted widely. Pass prepay toll
systems across the country run on RFIDs, pets and livestock around the
world have RFID implants, and businesses such as Wal-Mart plan to use
the tags to track their inventory.
But Electronic Frontier Foundation attorney Lee Tien argues that RFID
chips in passports are a "privacy horror" and would be even if the
data was encrypted.
"If 180 countries have access to the technology for reading this
thing, whether or not it is encrypted, from a security standpoint,
that is a very leaky system," Tien said. "Strictly from a technology
standpoint, any reader system, even with security, that was so widely
deployed and accessible to so many people worldwide will be subject to
some very interesting compromises."
Travel privacy expert Edward Hasbrouck argues that identity thieves
are not the only ones with an interest in recording the data remotely.
Commercial travel companies, including hotels, will capture the data
to create commercial dossiers when people check into hotels or
exchange currency in order to up-sell their customers, he argues.
While there are no laws in the United States prohibiting anyone from
snooping on someone's passport data, Roy Want, an RFID expert who
works as a principal engineer for Intel Research, thinks that the
possibility of identity theft is overblown.
"It is actually quite hard to read RFID at a distance," said Want.
A person's keys, bag and body interfere with the radio waves, and the
type of RFID chip being used requires readers equipped with very large
-- and obvious -- coils to capture the data, according to Want.
Still, he concedes that a determined snooper could create a snooping
system.
"In principle someone could rig up a reader, perhaps in a doorway you
are forcing people to go through. You could read some of these tags
some of the time," Want said.
But Want thinks that overall the chips will help cut down on passport
fraud.
"The problem with security is there is always a possibility of
attack," Want said. "RFIDs are not going to solve the problem of
passport forgery, but people who know about printing are not going to
learn about RFIDs."
Copyright 2004, Lycos,Inc. All Rights Reserved.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Lycos, Inc.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml