Its welcome news that the State Department is now rethinking its ill-advised effort to embed RFID tags in U.S. passports, but by all indications, the government isnt backing off the idea completely and is looking instead for ways to soothe the concerns of security experts and civil libertarians.
There is, however, only one right way to treat the concept of these de facto national identification cards in the form of high-tech travel documents: Put a spike in them.
Since last year, the State Department has said it wants RFID chips in new U.S. passports by next year. The idea is to make it harder to forge or alter a passport, as well as to speed processing of travelers at customs checks. But the plan ignores significant risks to privacy and security and not just a few technical hurdles the feds have yet to address.
Maybe the best reason to nix the idea of the chip-laden passport is the real question of its usefulness. If the feds get their way, the chip will include essentially the same personal data that is on the passport, along with, maybe, some biometric data such as a fingerprint.
The sum of the data being about even, the issue becomes whether falsifying such information is a real threat in our effort to secure our borders. Last year, the State Departments Diplomatic Security office investigated about 3,000 cases of alleged passport fraud, which resulted in 615 arrests.
Consider that the department issues some 7 million passports per year, and the incidence of fraud is revealed to be insignificant relative to the number of these documents in circulation at any given time.
If Sept. 11, 2001, is our touchstone for such matters, it should be noted that none of the hijacker terrorists was using altered U.S. documentation, though two of them were using stolen Saudi Arabian passports, something the State Departments proposal wont address.
That said, the price we could pay for a questionable amount of added safety is too high. What began as a program to read RFID data with special scanners from a maximum distance of 10 centimeters has now been shown to be a system with an effective range of closer to 30 feet.
Add to that the governments initial insistence that the data not be encrypted—an effort not to share our advanced encryption with the rest of the worlds customs authorities—and the stage is set for private information to be stolen and misused.
The American Civil Liberties Union weighed in on the matter last month, asking the government to release test data on RFID passport prototypes to determine the readable distance.
"One of the key questions we want to answer is: How far away can these chips be read?" said Barry Steinhardt, director of the ACLUs Technology and Liberty Project. "A press account from last year reported that in government tests the chips could be read from 30 feet away. The government has denied this, but since theyre keeping the actual test results secret, its hard to know what to believe. The American people deserve to know, and we intend to find out just what the capabilities of this technology will be."
I have never in my career sided with the ACLU so completely. But in this case, it is the voice of reason.
In published reports last month, federal officials said such complaints about potential identity theft and concerns about the security of the RFID system are what led them to reconsider the program. But the State Department still seems intent on burying chips in passports, assuming it can answer those questions, even though the payoff remains in doubt.
But what should really be informing the debate of RFID-enabled passports is the inherently un-American concept of a new and distasteful form of national identification card—this idea that all of our personal data will be carried with us to be read, mined and used absent consent by folks who just want to know who we are and where were going.
In calling for further investigation, Steinhardt said the RFID passports have "the potential to leave us vulnerable to identify theft, to terrorists interested in singling out Americans traveling overseas, or to the emergence of routine tracking by the government or private sector." He added that the passports must "be subject to the full, informed national debate they deserve."
E-mail eWEEK Executive Editor/News Chris Gonsalves at email@example.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.