Update on RFID passports and traveller tracking

The USA State Department’s Passport Office has already issued some RFID passports to airline employees and plans to start issuing RFID passports to USA diplomats by the end of 2005 and to the general public in February 2006, according to August 2005 press reports.

The State Department claims to have mitigated the privacy-invasion and surveillance-facilitation aspects of the RFID passport scheme. But they’ve done nothing to address the scenario I posed to the head of the Passport Office following his presentation this spring at CFP. Even if most of the data on the RFID chips in passports is encrypted using so-called “basic access control”, the government-assigned unique identifying number of the RFID chip will still be transmitted in plain text in response to any query from any RFID reader, even a reader that doesn’t have the “basic access control” decryption key to the rest of the data.

As Bruce Schneier pointed at CFP, that unique passport RFID number “will be sold to Choicepoint for a dollar and added to your file the first time it is read”, so encryption and securing of the rest of the data will do almost nothing to limit the use of RFID passports (or any other similar government-mandated RFID credentials) for covert personal surveillance, tracking, compilation, aggregation, and correlation of lifetime dossiers of our movements, for government or commercial purposes, by anyone who can afford an RFID reader.

The State Department continues to claim that RFID passports for visitors to the USA are required by the USA Border Security Act of 2002. But the original author and sponsor of that law in Congress, Republican and House Judiciary Committee Chairperson James Sensenbrenner, has said in public remarks to European diplomats that the law doesn’t require RFID chips in passports, and that the choice by some European countries of RFID as the technology for machine-readable passports is “regrettable”.

Meanwhile, the USA Department of Homeland Security is also testing longer-range RFID chips embedded in I-94 (immigration entry/exit) cards which visitors are required by law to keep in their possession at all times throughout their stay in the USA, as part of the US-VISIT system for logging visitors’ movements across borders.

Neither the DHS Privacy Act notice nor privacy impact assessment mentions the range at which the DHS expects the RFID chips being used in I-94 cards can be read. But press reports quote DHS spokespeople as saying they can be read from up to 30 feet (9 meters) away, which is consistent with their intended use for automated recording of entry and exit data from passengers in moving vehicles crossing borders by road.

Each visitor (non-USA citizen entering the country) would be issued an I-94 form containing a “unique traveler identification number (i.e., the traveler’s RFID tag number)” which would be read and logged by the government each time they cross a USA border (and by anyone else with an RFID reader who gets within range of the chip at any time). “It is when this information on the RFID tag entries and exits along with the biographic information from TECS is sent to ADIS that the individual’s complete travel history is created,” according to the DHS Privacy Impact Assessment.

As with RFID chips in passports, the RFID chips in I-94 forms could also be read by any other RFID readers, and the records of these reading used by unregulated (in the USA) data aggregators to compile their own histories of people’s movements. The DHS privacy impact assessment claims this isn’t a significant threat because the RFID chip ID numbers in I-94 forms won’t be readily distinguishable from the ID numbers of other RFID chips. But that ignores the fact that visitors to the USA are required to carry their I-94 forms 9with the RFID chips) on their person at all times whilst in the USA, in contrast to any other RFID chips.

So far as I can tell, this is the first case in which anyone in the USA (even non-citizens), other than convicted criminals or those subject to specific restrictive court orders issued following adversary and evidentiary legal proceedings, will have been required by law to carry remote radio tracking devices.

EPIC has further criticisms of the RFID visitor tracking scheme in its comments on the DHS Privacy Act notice, but these appear to have been ignored.

For those travelling closer to home, the London transit bombings in July 2005 have been used to justify renewed initiatives for searches and surveillance of transit passengers in the USA, despite the lack of any evidence that such searches and demands for identification could or would have prevented the London bombings.

The New York Civil Liberties Union has sued the New York Police Department and the City of New York to stop the warrantless, suspicionless searches of passengers on public transit vehicles and in stations; see the legal complaint for full details.

But the greater emphasis in transit “security” seems to be on identification and tracking of passengers, rather than searches. As with the airline industry, there’s an unfortunate coincidence of interests between transit operators’ desire for automated passenger processing (especially fare and toll collection) and marketing and operational data collection, and governments’ desires for surveillance data collection and passenger movement logging. And as with air travel, the trend in transit and toll-road travel is toward “touchless” travel through RFID chips that serve as payment devices, entry/exit and vehicle boarding credentials, and unique personal identifiers inextricably bundled together.

In most cases these aren’t (yet) mandatory, but those who decline to choose them, and insist on paying cash to travel anonymously, are increasingly subject to longer queues, higher fares and tolls, and ineligibility for certain discounts or services. This is a key period for privacy and travel-rights activists to make their objections heard as these personally identifiable RFID payment-cum-surveillance cards are rolled out, especially by government-operated toll-road and mass-transit transportation systems.

In the Boston area, the MBTA claims (see, “Will I have to personalize my CharlieCard?”) that it will still be possible to travel anonymously by paying cash for a prepaid RFID “Charlie Card”, they neglect to mention that many currently available discounts, including those for seniors and people with disabilities, will be available only to holders of secretly and remotely trackable personally identified RFID credentials. So my mother, for example — a senior citizen who by reason of medical disability is not permitted to drive a car, and relies on the T as a primary mode of transportation — will have to choose between giving up her current fare discounts, as the price of anonymity, or getting a new-style RFID Transportation Access Pass that will enable the compilation of a comprehensive log of the times and places of all of her movements throughout Eastern Massachusetts by all modes of public transport.

In the San Francisco Bay Area, cash tolls and cash transit fares are already as much as 50% higher than tolls and fares paid by personally-identifiable Fastrak or Translink RFID payment accounts and cards. There is not (yet) any option for anonymous cash purchase of a prepaid Fastrak or Translink card, although this would be technically feasible with the current equipment, and is a choice offered by similar payment systems in other places such as the metropolitan Washington, DC, area.

In a recent local example of the ways that new features of transportation systems are being made available only to those who carry personally identified RFID chips, Federal and California law has just been modified to permit hybrid gas-electric vehicles to use highway, bridge, and tunnel lanes otherwise reserved for “high-occupancy vehicles” (HOV’s) — but only if any such hybrid vehicle registered in the San Francisco Bay Area gets a personally identified hybrid vehicle Fastrak account and tracking transponder . Fastrak is ostensibly a toll payment scheme, but the California Vehicle Code section 5205.5 subsection (i) requires hybrid vehicles to have Fastrak transponders to use even non-toll HOV lanes, and the Fastrak terms include consent to vehicle tracking (unless you put your Fastrak transponder in a tin-foil bag).

These may seem small steps and isolated examples, but the clear trend is toward widely used multi-system personally identified RFID payment devices and access credentials for all types of transportation charges including road tolls and transit fares — systems ripe for abuse by commercial aggregators of RFID scan records of our every movement. As Wendy Grossman points out in her latest “net.wars” column, the danger may be less in how such tracking data is now used, or intended to be used, or by whom, but whether such data is retained sat all, by anyone.

Any retention of this sort of data, especially when it contains unique identifiers (such as government-assigned RFID chip numbers) that permit its aggregation and correlation into a personal dossier, inevitably creates the risk of abuse of the detailed picture of our movements and associations that it enables to be created.

I’ve just come back from six weeks in South Africa, where I was forcibly impressed by the central role that ID requirements and controls on personal movement played in the evil of apartheid. And if there’s one resolution with which I returned from this latest trip, it’s not to let the USA repeat that error and evil of pass book laws.