By Larry Seltzer  |  Posted 2006-09-18

Opinion: It's not hard to imagine privacy problems developing—and for what? Even the claimed benefits don't seem compelling.

It's hardly surprising that privacy and security advocates have raised concerns ever since the State Department announced that passports would soon include RFID technology. Some people are ready to oppose anything the government does.

But they have a point.
These passports, which the government began distributing in August, contain an RFID chip which transmits all of the data in the passport, including the picture, to a reader device.

Use a little imagination, throw in government incompetence and some malicious intent and it's not hard to see abuses happening. Responsible analysts acknowledge that the government has taken at least some precautions to protect the privacy of the data, even if they argue that it's not enough.

I'm satisfied that many of the concerns about the technology stretch beyond reasonableness. I'm especially unimpressed with the report from Flexilis on a vulnerability in the technology. (You might remember Flexilis as the company that designed the BlueSniper Bluetooth Rifle.)

Briefly put, they say that the RFID chip can be read in close proximity if the passport is slightly open, as it might be in a holder's pocket. They envision Americans brushing by bombs that automatically explode when their passport is read. Make sure to view Flexilis's YouTube video on the subject.

As opposed as I am to the wanton murder of Americans, of which I count myself as one, it seems to me that recent history shows there are easier and simpler ways to murder us. And there are better reasons to oppose e-passports.

I have to agree with Kevin Ashton, the co-founder of MIT's Auto-ID Labs, which gave birth to EPCglobal, the international network for tracking items through a supply chain using RFID.

He argues that if RFID is in passports at all, it should be implemented the way EPCglobal does it: all the chip stores is a unique code.

EPCglobal defines a key numbering system, which is implemented in practice by Verisign, so that items can be tracked throughout the supply chain worldwide. Readers can read the chips anywhere and use the number as a database key for lookups, or simply report it on to some database for tracking of its movements.

The e-passports transmit all of the actual data in the passport, including the picture. Ashton argues, and I have to agree, that there is no need for a passport to transmit anything more than the unique key. Authorities with access to the database can do a lookup.

Ashton also says that there's no need for most of the printed data on a passport, just the photo, but this seems like an overreaction to me. There are plenty of authorities with a reasonable right to rely on the passport and with no access to the database.

The State Department says that Congress mandated some sort of electronic component in passports, storing at least the picture, in order to facilitate face recognition technology. They also claim that it will speed up travel procedures.

The convenience factor doesn't seem compelling. Surely someone has to scrutinize the data whether they are looking at a physical passport or at a screen. And passport printed data is in such a regular form that it could be scanned and OCR'd quickly.

I'm not sure I understand the face recognition goal either. Do they intend to compare the digital photo in the passport to the photo of the person holding it? That needs to be done by a person anyway. There is some logic to this argument, and it argues for having the data in the passport for performance purposes, but the logic is tenuous. If they mean to compare the photo to some database, that can be done offline, since the passport photos are clearly in some database at the State Department.

I'm not usually as concerned with privacy issues as Bruce Schneier and that group, but I have to agree with him on this one: "I haven't seen any compelling reasons why we are doing this."

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
