Wired News by Ryan Singe: New U.S. passports will soon be read remotely at borders around the world, thanks to embedded chips that will broadcast on command an individual's name, address and digital photo to a computerized reader.
The State Department hopes the addition of the chips, which employ radio frequency identification, or RFID, technology, will make passports more secure and harder to forge, according to spokeswoman Kelly Shannon.
"The reason we are doing this is that it simply makes passports more secure," Shannon said. "It's yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally."
But civil libertarians and some technologists say the chips are actually a boon to identity thieves, stalkers and commercial data collectors, since anyone with the proper reader can download a person's biographical information and photo from several feet away.
"Even if they wanted to store this info in a chip, why have a chip that can be read remotely?" asked Barry Steinhardt, who directs the American Civil Liberty Union's Technology and Liberty program. "Why not require the passport be brought in contact with a reader so that the passport holder would know it had been captured? Americans in the know will be wrapping their passports in aluminum foil."
Last week, four companies received contracts from the government to deliver prototype chips and readers immediately for evaluation.
Diplomats and State Department employees will be issued the new passports as early as January, while other citizens applying for new passports will get the new version starting in the spring. Countries around the world are also in the process of including the tags in their passports, in part due to U.S. government requirements that some nations must add biometric identification in order for their citizens to visit without a visa.
Current passports (which are already readable by machines that decipher text on the photo page) will remain valid until they expire, according to a State Department spokeswoman.
The RFID passport works like a high-tech version of the children's game "Marco Polo." A reader speaks out the equivalent of "Marco" on a designated frequency. The chip then channels that radio energy and echoes back with an answer.
But instead of simply saying "Polo," the 64 Kb chip will say the passport holder's name, address, date and place of birth, and send along a digital photograph.
While none of the information on the chip is encrypted, the chip does also broadcast a digital signature that verifies the chip itself was created by the government. Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries.
RFID technology has been around for more than 60 years, but has only recently become cheap enough to be adopted widely. E-Z Pass prepay toll systems across the country run on RFIDs, pets and livestock around the world have RFID implants, and businesses such as Wal-Mart plan to use the tags to track their inventory.
But Electronic Frontier Foundation attorney Lee Tien argues that RFID chips in passports are a "privacy horror" and would be even if the data was encrypted.
"If 180 countries have access to the technology for reading this thing, whether or not it is encrypted, from a security standpoint, that is a very leaky system," Tien said. "Strictly from a technology standpoint, any reader system, even with security, that was so widely deployed and accessible to so many people worldwide will be subject to some very interesting compromises."
Travel privacy expert Edward Hasbrouck argues that identity thieves are not the only ones with an interest in recording the data remotely. Commercial travel companies, including hotels, will capture the data to create commercial dossiers when people check into hotels or exchange currency in order to up-sell their customers, he argues.
While there are no laws in the United States prohibiting anyone from snooping on someone's passport data, Roy Want, an RFID expert who works as a principal engineer for Intel Research, thinks that the possibility of identity theft is overblown.
"It is actually quite hard to read RFID at a distance," said Want.
A person's keys, bag and body interfere with the radio waves, and the type of RFID chip being used requires readers equipped with very large -- and obvious -- coils to capture the data, according to Want.
Still, he concedes that a determined snooper could create a snooping system.
"In principle someone could rig up a reader, perhaps in a doorway you are forcing people to go through. You could read some of these tags some of the time," Want said.
But Want thinks that overall the chips will help cut down on passport fraud.
"The problem with security is there is always a possibility of attack," Want said. "RFIDs are not going to solve the problem of passport forgery, but people who know about printing are not going to learn about RFIDs."
Link to story - www.wired.com/news/privacy/0,1848,65412,00.html?tw=rss.PRV
Found this while searching for something else. Thoughts? Comments? Debates of the merit of ? My Two Cents
:I've worked very closely with a Tool/Equipment accountablility system when I the Air Force (stationed at Luke AFB, AZ), and I saw how fast you can read and process items with an RFID chip in them, It has the potential to speed up returning US Citizens when coming back from abroad. They also can not effectively be read more than a three feet away regardless of the power of the reader. We routinely had to swipe the tool, book, bottle or item over the top of the reader, and if it wasn't within 6 inches it wouldn't pick it up. RFID chips can be active or passive, active chips require a power supply...these I believe will be passive from the gist of the article, so they are only limited to the power of the reader. The biggest negative thing I can think of though is like it was stated in the article about others creating commercial dossiers on people or up-sell this information. I think the US goverment ought to go with encrypting the information.