Tuesday, 29 March 2005
Deadlines loom for RFID tracking chips in USA passports
There’s still time for USA citizens to get a new passport without an embedded RFID remote tracking chip — but if you want one, you should apply at once. The Department of State is moving as fast as it can (slowed down only by technical difficulties — RFID chips are proving more difficult to manufacture, more fragile, and less reliable than their boosters have claimed) toward the rollout of the new “electronic passports”. And there’s still no plan to encrypt any of the information on the RFID chip. Each chip will be digitally “signed” by the State Department, but that’s for authentication, not as a control on access to the data.
Anyone who gets close enough to your passport with an RFID reader will be able (without your knowing the chip has been read) to determine your nationality, name, gender, date of birth, place of birth, passport number, etc. as well as receive a digital copy of your passport photo, for the convenience of identity thieves in forging a duplicate passport (with a clone of the RFID chip, including the digital signature) or other identity documents in your name and with your image, but perhaps with a signature in their handwriting (the signature, which might be slightly harder to forge, won’t be digitized or digitally signed) for the use of criminals, terrorists, or anyone else who resembles your appearance.
RFID chips in passports would also be available for use by merchants, marketing companies, and commercial data aggregators who could use them (secretly and remotely) at entrances and exits to commercial establishments, checkin and checkout counters, cash registers, etc.) as unique personal identifiers to compile logs of consumers’ (travellers’) movements, purchases, and other behavior. Since international travellers almost always have to carry their passports, embedding RFID chips in passports would effectively remove any possibility to opt-out of such tracking (especially in jurisdictions, such as the USA, where such data collection, usage, and “sharing” is unregulated), much less to require consent or “opt-in”.
The USA State Department is currently accepting public comments through Monday, 4 April 2005, on new proposed regulations related to passports with RFID chips, which they are referring to as “electronic passports”.
These are not the regulations to establish the inclusion of RFID chips in passports. That requires no change in regulations, and has already been decided. But the new regulations are critical to enforcing the requirement that holders of passports issued with RFID chips allow themselves to be tracked. The crucial element of the new regulations is a new clause which would allow the State Department to invalidate any passport issued with an RFID chip if the chip was no longer functioning for any reason. The point of this rule is to prevent citizens from defeating the tracking function of the RFID chip embedded in their passport. Use of any “technical fix” to prevent reading of the passport would, under these proposed regulations, invalidate the passport (in the same way that physical mule or alteration of the photo or any other essential element of the passport currently invalidates it).
A new Web site, RFIDkills.com , offers more information about the proposed regulations, including links to denunciation so of them by the Association of Corporate Travel Executives and the Business Travel Coalition .
Anyone can submit comments on the proposed regulations. Comments must be received by 5 p.m. Washington, DC, time on Monday, 4 April 2005. You can either send your comments by e-mail to PassportRules@state.gov or use the form on the RFIDkills.com Web site . (All submitted comments will become part of the public record, but you don’t have to give any further information than your e-mail address and perhaps a name.)
[Addendum, 20 August 2005: The format doesn’t make them easy to navigate or browse, but the State Department has posted more than 2000 of the comments they received on their Web site. I didn’t read them all, but all those of the comments I sampled were opposed to the RFID passport proposal.]
Link | Posted by Edward on Tuesday, 29 March 2005, 12:39 (12:39 PM)If we are not allowed to "fry" the RFID chip by, for example, sticking the passport in a microwave oven or inside a strong magnetic field, can we, instead, wrap the passport in an RF-resistant cover (maybe metal foil?) and thus defeat the reading of data from a distance? We have not actually tampered with the passport by doing that.
Yes, under the proposed rules you would still be permitted to keep your passport in an RF shielding cover or case, *except* when you have to get it out and oppen it to display the passport for visual inspection: at customs, immigration, or other government checkpoints; at duty-free shops (with your tickets to prove your eligibility for duty-free purchases); at check-in counters, boarding gates, and other inspection points for international flights, trains, buses, etc.; at banks and foreign exchange counters when changing money or cashing travellers checks; at hotel check-in in many countries; when claiming "post restante" or "general delivery" mail; and in other circumstances depending on local laws.
In repsonse to criticism, the USA Department of State may even decide to issue RFID passports with a full or partial metal film or metal mesh shield in the outer layer of the passport cover, to make them more difficult to read except when opened. This appears likely to be their major "compromise" with critics of unencryped RFID chips in passports.
But that won't solve many of the problems. Data from RFID passport chips would still be vulnerable to interception (eavsdropping on the chip-reader exchange) during reading by "legitimate" readers, or to surreptitious reading at places where passports must be opened for visual inspection, such as those I've listed.
Posted by: Edward Hasbrouck, 2 April 2005, 13:50 ( 1:50 PM)Consider yourselves lucky, at least in the USA you have the opportunity to make your views known about RFID tagged "Biometric" Passports. Here in the UK they are just going ahead with similar plans anyway, and putting the price of the passport up as well.
Has the State Department revealed whether, as seems likely, the validity period of the new passports will only be 5 years, as opposed to the more usual 10 years ? This is primarily driven by the fact that no chip manufacturer will guarantee that their chips will not physically de-bond from the plastic after 5 years.
Effectively this doubles the cost of your Passport, and doubles the amount of inconvenience, lost work time and lost holidays involved in inflexible, face to face, biometric registration or re-registration.
Obviously Faraday cage radio frequency shielding with metal foil or mesh will work, but it will have the extra consequence of making you a suspect, wherever the new "see under your clothes" Passive Millimetre Wave or Low Intensitry Backscatter X-Ray imagers are used, like at Heathrow Airport Terminal 4.
http://www.spy.org.uk/spyblog/archives/2004/11/heathrow_termin.html
I have seen no indication as yet that the USA intends to reduce the standard passport validity period from the present 10 years. The RFP for manufacture of RFID passports requires that prospective vendors be able to provide passports with embedded chips that will last for 10 years. I do not know if this will prove possible. There have been reports of difficulty in meeting the performance specifications in the RFP, but I don't know whether that is in durability or in reliability of reading and/or writing, read range, or other attributes.
Posted by: Edward Hasbrouck, 3 April 2005, 00:00 (12:00 AM)wouldnt that invading my privacy?
Posted by: Eric Cozzart, 17 May 2005, 10:32 (10:32 AM)
