Security experts and civil libertarians reacted with skepticism to the governments recent decision to reconsider data protection measures for new RFID passports. The "e-passports," as theyve been nicknamed, were originally slated for spring release in the Los Angeles Passport Agency but are now planned for issuance in August beginning with diplomatic passports, according to a spokeswoman for the Bureau of Consular Affairs.
Frank Moss, deputy assistant secretary for passport services at the U.S. State Department, on Monday told news outlets that the rollout of proposed radio frequency identification technology for passports will be delayed until RFIDs privacy and security vulnerabilities are resolved.
The State Department has previously claimed that the data on the 64-bit RFID tags—name, date of birth, place of birth (a datum that the ACLU claims is a key to identity theft), a digital photograph and a digital face recognition template—can only be read at a distance of 10 centimeters. That has been disproved by a demonstration in April at the Computers, Freedom and Privacy conference in Seattle and by studies that prove that the radio tags readable distance is as far away as 30 feet.
The question, privacy advocates say, is why the RFID technology is needed at all. "Why do they feel they need to use an RFID chip?" asked Ari Schwartz, an associate director at the Center for Democracy and Technology, in Washington. "Theyre saying [e-passports] can be read 3 to 4 inches away. To me, why be 3 to 4 inches away? When you could just have [a chip that required reader] contact?"
The State Department is now considering two means of protecting data: encryption and metal threads in the passport booklet cover that would hamper data reading unless the booklet were to be opened. Data would be encrypted as its transmitted from the radio chip to a reader. In addition, the reader would be required to provide a key or password before being enabled to read data on the RFID chip.
In other words, privacy advocates said, the government is opting to render hands-free radio technology into hands-on technology.
"Whereas before they had this wonderful dream of people being able to walk along and ping people as they walked along through airports and other areas and suck information off passports—which would be fine and wonderful, [because thats] what RFID is for; its radio frequency—now theyve moved away, and theyre putting little tin cover hats on the covers of passports and encrypting the data on the chip," said Bill Scannell, a publicist, freelance privacy activist and former government intelligence officer who recently launched an Internet campaign called RFID Kills to stop the government from deploying RFID in passports.
"In order to get access, theyll scan the [machine readable code on the passport cover], which is what they do now, and take off a number, and beam that at the chip, and it would dump information back to you," he said.