There is a lot of miscommunication regarding the security and privacy of the U.S. governments new RFID-based e-passports, according to ABI Research Analyst Sarah Shah.
ABI Research released a report July 25 that suggests that the Department of Homeland Security, which will issue the e-passports in conjunction with the State Department starting in August, should speak out to reassure the public about the safety of contactless technologies.
The U.S. government plans to implement contactless technology, which is essentially data transmission that is activated by waving a reader over an RFID (radio-frequency identification) chip that has a tiny embedded antenna, in all electronic passports by the end of 2006.
“There are uneducated claims being made by some privacy advocates,” said Shah, in Oyster Bay, N.Y. “They make claims such as, If you have a contactless chip in your passport [the government] can track you everywhere and theyll know everything about you. This is simply not true, and the DHS should publicly explain what the technology is capable of, and why its secure.”
Since the State Department announced in 2005 that it would issue RFID-chipped passports by the end of 2006 to all passport agencies, security and privacy advocates have been up in arms.
The concern is that the data stored on the chips—including name, address, nationality and date of birth—will be accessible not only to customs agents, but to anyone with the wherewithal to hook up a reader and go scanning (or skimming, as the case may be) for information. The tiny silicon-based RFID chips that will be embedded in the passports themselves contain embedded antennas, which transmit data once a specially designed RFID reader is waved in front of it. One issue is the range at which the readers can access data.
“Our concerns extend beyond the passports,” said privacy advocate Katherine Albrecht, co-author of “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID,” during a May 26 interview with eWEEK. “At a recent conference calling for RFID tags in identity documents [some speakers] were talking about the tags being read from 20 to 30 feet away. We were actually quite stunned by that.”
Kevin Ashton, the co-founder of MITs Auto ID-Labs, the research center that essentially founded a global RFID network and standard that has since become EPCglobal, is against the idea of using RFID chips in passports.
“The idea of storing all this sensitive data [in passports] is horrible. You can take the chip off one passport and stick it on another. No one will know the difference,” said Ashton, now vice president of marketing at ThingMagic, in Cambridge, Mass., and who also teaches RFID classes at MIT. “My big issue is it is truly a stupid idea to store any information on an RFID tag other than a unique number. Otherwise there is always the risk of data change.”
Ashton suggested that the way the e-passports RFID technology should work—if it has to be there at all—is to have a chip that stores a unique number that can only be authorized by those people who should have access to it. The number would refer back to data stored in a secure database. The only information anyone should be able to find on the passport, he said, is a photo.
With respect to security, according to Ashton, the government needs more due diligence. “Any system can be broken into,” he said. “The only thing to do is make it more difficult than its worth. Theres nothing that cant be broken with enough time, patience, skill…”
Bruce Schneier, a well-known security technologist and author, said during a May 26 interview with eWEEK that eavesdropping will only get easier.
The DHS has implemented some security and privacy devices on the e-passport chips: a metal shielding device on the passports front cover that prevents the data from being read when its closed, and BAC [basic access control] technology to prevent skimming and eavesdropping of data. Schneier said the precautions are good, but not good enough.
“Shielding is good. Basic access control is good. Putting a switch would be great,” said Schneier, in Mountain View, Calif. “But if you dont have RFID you dont need any of this. I havent seen any compelling reasons why we are doing this. If we [the government] did it out in the open then everyone would scream.”
The public, during an open comment survey initiated by the State Department, overwhelmingly rejected the notion of RFID in passports; nearly 99 percent of respondents said the government should not proceed.
“The public has pretty overwhelmingly said they dont want RFID in documents, yet [the government] plowed ahead with it anyway,” Albrecht said.
ABI Research said the bottom line is that the ongoing security and privacy debates probably will not have an impact on the DHS decision to issue e-passports in August.
“We feel that the DHS should take steps to mitigate public concerns today,” Shah said.
Editors Note: This story was updated to correct information about Kevin Ashtons connection to MIT.