RFID passports at CFP

[Photo by Cory Doctorow, some rights reserved, CC BY-SA 2.0; more]

The next move is the RFID-enabled passport, which this week has provided the classic Computers, Freedom, and Privacy blood-on-the-carpet moments and which garnered for itself a couple of Big Brother Award nominations.

The personae: Frank Moss, deputy assistant secretary for passport services at the Department of State, and, among others, Ed Hasbrouck, who probably knows more about travel industry data practices than anyone. With quivering intensity Hasbrouck endeavoured to explain to Moss exactly why the RFID plan was so dangerous and how it could percolate throughout air travel. Moss was impervious. Hasbrouck was not atypical.

(Wendy Grossman, from her net.wars syndicated column)

Moss’s appearance at CFP was partly an admission that the USA Department of State’s Passport Services Office has a problem with its RFID passport scheme , partly an exercise in damage control, and partly an attempt to assess the minimum of cheap, quick, and insubstantial concessions that would appease his critics.

As one who believes that “The truth will out”, especially with a group as savvy and skeptical as at CFP, I commend Moss for showing up to take the heat in person instead of ducking or delegating the flack-catching to an underling. His prepared presentation (most of which he didn’t have time for during the panel discussion) is worth reading. But we weren’t buying his spin control, and you shouldn’t either.

In his closing CFP keynote, Bill Scannell of RFIDKills.com asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News and Kevin Bankston of EFF have framed the question a little more harshly: are the architects of the travel panopticon incompetent, or are they lying?

Here’s how some of the things Moss said compare with the facts:

Will you be allowed to disable the tracking chip in your passport?

Speaking to a small crowd in the lobby after his presentation (to Moss’s credit, he stuck around for more than an hour of intense interrogation, without a single “no comment”), Moss said that, “If you wish to put your passport in the microwave, you will still have a valid travel document that we will recognize.”

In fact, that’s the opposite of what it says in the regulations his office is proposing. No new regulations would be needed to add RFID chips to passports. A primary purpose of the proposed new rules is to close the loophole that would have allowed privacy and security-conscious citizens to zap the chips in their passports. According to the summary in the Notice of Proposed Rule-Making (NPRM):

The proposed rule … would include a damaged electronic chip as an additional basis for possible invalidation of a passport…. Under the proposed rule, a passport that contains a damaged, defective, or otherwise nonfunctioning electronic chip … may be invalidated by the Department of State…. If the damage were caused deliberately, the passport would be invalidated upon discovery. [emphasis added]

The proposed regulation itself provides as follows:

Sec. 51.6 —Damaged, mutilated or altered passport: Any passport which has been materially changed in physical appearance or composition, or contains a damaged, defective or otherwise nonfunctioning electronic chip, or which includes unauthorized changes, obliterations, entries or photographs, … may be invalidated.

Was Moss ignorant of the proposed regulations published by the office he heads in the Federal Register , and for which he has been the spokesperson to Congress and the press? Or was he just trying to appease the opinion leaders and technical experts at CFP with a lie they won’t figure out until they have to pay to replace the passports they’ve invalidated by disabling the RFID chips — by which time it will be too late to stop the deployment of RFID passports?

Who is responsible for requiring RFID chips in USA passports?

Moss claimed, as the USA and other national governments have all been claiming, that RFID chips are required by International Civil Aviation organization standards. (For more on this, see the excellent new ACLU/Privacy International/Statewatch PolicyLaundering.org Web site launched during CFP.) But, to my considerable surprise, the actual design of all the sample RRFID passports Moss passed around violated the ICAO specifications.

ICAO Document 9303 (“Machine Readable Travel Documents”), Part 1 (“Machine Readable Passports”), Annex F (Normative) to Section IV, provides as follows:

F.4. Location of the contactless IC (s) — … [I]t is recommended that, where possible, the IC (s) be incorporated into the same leaf, page or part of the cover of the MRP [Machine Readable Passport] that forms the data page, and measures employed to ensure that the VIZ [Visual Inspection Zone], the MRZ [Machine Readable Zone, two lines of OCR type] and the contactless IC (s) cannot be separated without evidencing physical tampering.

In Moss’s sample RFID passports, the visual data and OCR lines (currently on the inside front cover of the passport) had been moved to the first inside sewn-in page, separate from the cover with the RFID chip. When I asked Moss why, he said it was for “increased security”, which makes no sense: the reason for the ICAO standard is obviously that binding together the different elements of the passport increases the difficulty of forgery or alteration. When I asked Moss what would prevent the cover (and RFID chip) from being separated from the inside pages (and visually-readable data), he replied, “That stitching wasn’t done on your mother’s Singer.”

The reason the Passport Office is planning to use a non-ICAO compliant passport design is, I presume, that they had too much trouble getting the RFID chips to withstand the mechanical processes involved in manufacturing the visual data page, with its printed-in photo and layers of lamination and holograms. In other words, the Passport Office has decided that getting RFID chips into passports as soon as possible — no matter what it takes in security compromises — is more important than compliance with ICAO standards. Which seems to put the lie to the claim that the reason for the whole exercise is to comply with ICAO standards.

How far away can the RFID chips in passports be read?

Moss brought along some test passports with RFID chips embedded in the covers, some with and some without an experimental outer RF-shielding layer in the covers to prevent the RFID chip from being read except when the passport is opened. Moss claimed that, even when opened these could be read from no more than 10 cm (4”) away, as he demonstrated with a tiny RFID reader attached to the CF-card slot of a PDA, which he had to press firmly against the passport to read the passport data and digital photo.

Next up on the CFP panel, Barry Steinhardt of the ACLU demonstrated reading of an ISO 14443 chip (the same type of RFID chip specified by ICAO, and which the Passport Office claims to be using) taped to a passport, using a jury-rigged reader that would fit easily in a daypack, from more than half a meter (18”) away, on a stage cluttered with enough RF-emitting equipment to qualify as electronic counter-measures. (This was CFP, after all, where even some of the conference bags contained wireless “sousveillance” cameras.) At a press conference later in the day, with only slightly more time to set up his equipment, Steinhardt was able to read the passport-type RFID chip with the same reader from more than a meter.

Moss claims that the Passport Office has had trouble reading the RFID chips reliably at any but the shortest distances. That’s probably true, but should we care? And should we be reassured by the unreliability of the technology, especially when RFID passports will be valid 10 years, the same as current passports?

For efficient mass processing, governments would need, I would guess, at least 90% reliability, probably higher. Identity thieves and terrorists can tolerate a high failure rate: they can afford to keep trying with different prospective victims until they succeed with any one of them. 90% unreliability would probably serve their purposes just fine. An unreliable system thus is more useful to thieves and terrorists than to legitimate users.

(For more on the technical issues, see the lengthy thread of comments in the Freedom to Tinker blog of Ed Felten, who was honored with an EFF Pioneer Award during CFP.)

What’s the risk of secretly and remotely readable RFID chips in passports?

Despite his professed commitment to make sure that RFID passports don’t pose an unwarranted or unnecessary risk, Moss didn’t really seem to understand the specific threats they posed.

Here’s the scenario I posed him: Suppose I’m a terrorist or ID thief who wants to assume someone else’s identity, and get credentials in their name. I send an accomplice who knows what my face looks like, with an RFID reader in a large piece of wheeled luggage or a big backpack, to hang out in an airport or hotel lobby until they spot someone who looks similar enough to me. When they see a suitable victim, they follow them up to the check-in counter, and stand right behind or next to the victim when they open their passport — with a 40kg (100 lb) RFID reader within 50-70 cm (18”-24”) of the victim’s passport . Then I use that data and photo (a thief might be able to get the data from a non-RFID passport with a hidden camera, but they wouldn’t get a sharp, perfectly posed and framed ID photo, and it would likely be obscured by the overprinting and holograms) to forge or acquire either a “cloned” duplicate passport (with a bitwise copy of the RFID chip, including the valid digital signature) or some other easier-to-get identity credential.

What’s to stop this scenario? “That’s risk I never considered”, Moss told me. “Send me that scenario in an e-mail, and I’ll think about it.” What risks was he thinking about? I don’t know.

Is the Passport Office really willing to consider changing its RFID passport proposals and specifications?

In his platform talk, Moss said firmly that, “We won’t roll this out until we are sure we’ve addressed the risk of skimming” of data from passport RFID chips by terrorists, identity thieves, and the like.

But later, John Gilmore asked Moss if he would turn over sample RFID passports to independent testers, to verify the feasible read range. “How much time would you like for testing?” Moss asked. “A couple of months,” Gilmore answered. “We don’t have a couple of months”, Moss came back. “I’ve got to start issuing these by August.”

So which is the real commitment? RFID passports ASAP, or RFID passports only if and when the privacy and security risks can be addressed, and a considered judgment made as to whether they are worth the inevitable tradeoffs?

Who will be allowed to read the RFID passport data?

Moss said that the USA Department of State will require the companies that supply the USA government with readers to build them in such a way as to minimize the range at which other (clandestine) readers could eavesdrop on the chip-reader exchange.

Supposing that to be possible, what about the readers used by “private” companies that require presentment of passports? Moss says that’s a non-issue: “The largest purchaser of [RFID passport] readers will be the US government”, he claims. The readers used by airlines in the USA will be purchased for them by the government (?), and no one (anywhere in the world?) will find it worthwhile to manufacture readers that the USA State Department won’t buy.

But passports are routinely required in a wide variety of commercial (and, in other countries — such as where all foreign-exchange banks are state owned) governmental settings:

1. Airlines, airports (in some countries, you aren’t allowed into the international airport or terminal unless you already have a passport and ticket), and other transportation companies, which aren’t subject (in the USA and many other countries) to the same data protection rules as might apply to government agencies. Airlines and airports are the real force behind RFID passports, as part of a business process automation vision for “touchless” passenger processing that also includes IATA’s resolution to abolish paper tickets (in favor of exclusively electronic ticketing) by the end of 2007, and the Airports Council International’s push for standardization of unattended check-in kiosks that can be shared between airlines.
   
   
2. Duty-free shops, where passports and tickets are required, and routinely checked at the entrances and exits, to prove eligibility for duty-free purchasing. For a variety of reasons, I expect that these will be the first large-scale globally networked users of RFID passport chip numbers as customer identifiers for “loyalty” and marketing programs.
   
   
3. Hotels, where passports are required in many countries.
   
   
4. Banks and currency exchanges, where passports are required in most controlled-currency countries (and some others) for foreign-exchange transactions. Moss claimed he’d never heard of the machine-readable zone of a passport being scanned at a bank or currency exchange, but I’ve seen it often, and others in the small group around Moss told of having the OCR lines on their passports read at, among other places, banks in Uzbekhistan and, on their way to CFP, at an ATM in Narita Airport, Japan.

So if I’m a bank in China that wants to automate the preparation of currency exchange forms, and I have a choice of an expensive made-in-the-USA passport RFID reader that satisfies State Department standards for broadcast power, RF leakage, and potential eavesdropping; or a cheaper, unshielded, made-in-Shenzhen model (which, perhaps, uses higher broadcast power to enable reading at longer ranges, which I find convenient even if it threatens my customers’ privacy); how is the USA going to induce me to spend more for the reader that reduces the risk of RFID eavesdropping? Moss’s only answer, was, “That just won’t happen.” But he couldn’t say why.

And even in the USA, how would I be able to verify whether a demand to present my passport (by an airline, for example, rather than the government) was authorized or required by law — given that the government has refused to disclose, what law, if any, requires the production of identity credentials in order to travel by airline common carrier? Or what sort of reader they were using? Or with whom they might “share” the identifying data? Moss couldn’t say.

In the end, this may be the most intractable problem with “chipped” passports, even if they used chips that required contact with, or insertion in, the readers. Unless there are legal or technical restrictions on reading of the chips and use of the data (even reading and use of an arbitrary but persistent unique identifying number that, as Bruce Schneier said at the start of the CFP panel, “will be sold to Choicepoint for a dollar and added to your file the first time it is read”) the government will, in effect, be administering and providing, for the unlimited and unregulated use of private companies, a global system of unique personal identifiers that can be used to integrate and correlate all manner of personal information databases.

How easy to forge are non-RFID passports?

Moss claims that non-RFID chips are too easy to forge, so it’s necessary to add the RFID chips to increase the difficulty of passport forgery. Which sounded sort of reasonable, until I asked him what will keep someone who captures the data read from the RFID chip — which includes everything printed on the passport, including a digital photo — from using the RFID data to clone an identical forged passport copy for the use of a thief or terrorist of similar facial appearance to the passport holder. Oh, that won’t happen, Moss said, because passports already are so hard to forge: the paper, the lamination, the holograms, etc. Almost nobody tries to forge a USA passport any more, since we did the last previous redesign. (That’s probably true.) So remind me: Why do we need the RFID chip in the first place, if USA passports already are so hard to forge?

How can the public participate in the standards-setting and decision-making process?

Moss claims he’s open to suggestions — but that the decision has already been made, years ago, by ICAO. Were any privacy or civil liberties NGO’s ever included in the delegations the USA sent to these ICAO meetings? No, said Moss, because, “None of them ever asked.” Barry Steinhardt of the ACLU says “I couldn’t even get ICAO to take my phone calls, respond to my e-mail messages, or tell me where in Cairo they were meeting”. Gus Hosein says Privacy International never even got an acknowledgement of the joint letter against RFID passports they sent ICAO on behalf of several dozen privacy and civil liberties organizations around the world.

Stupid or evil? Incompetent or lying? You be the judge.

If you want to get a new chip-free USA passport, while you still can, apply right away: Moss says he currently expects the first RFID passports to be issued in August 2005, and he admits that there’s already a run on the Passport Office because of the latest proposal to require passports for travel across the Canadian and Mexican borders with the USA, where they haven’t previously been needed.

There’s no plan to invalidate existing passports, which are good for 10 years from the date of issuance, but Moss says he expects that holders of non-RFID passports will face increasingly second-class treatment (longer lines, slower processing, more intrusive searches) once most USA passports in circulation are chipped.

[More: Follow-up to CFP debate on RFID passports]