[Infowarrior] - Electronic Passports Raise Privacy Issues

Richard Forno rforno at infowarrior.org
Tue Jan 1 03:12:02 UTC 2008 

Electronic Passports Raise Privacy Issues

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, January 1, 2008; A06

http://www.washingtonpost.com/wp-dyn/content/article/2007/12/31/AR2007123101
922_pf.html

The federal government will soon offer passport cards equipped with
electronic data chips to U.S. citizens who travel frequently between the
United States and Canada, Mexico or the Caribbean. The cards can be read
wirelessly from 20 feet, offering convenience to travelers but raising
security and privacy concerns about the possibility of data being
intercepted.

The goal of the passport card, an alternative to the traditional passport,
is to reduce the wait at land and sea border checkpoints by using an
electronic device that can simultaneously read multiple cards' radio
frequency identification (RFID) signals from a distance, checking travelers
against terrorist and criminal watchlists while they wait.

"As people are approaching a port of inspection, they can show the card to
the reader, and by the time they get to the inspector, all the information
will have been verified and they can be waved on through," said Ann Barrett,
deputy assistant secretary of state for passport services, commenting on the
final rule on passport cards published yesterday in the Federal Register.

The $45 card will be optional and cannot be used for air travel. Travelers
can opt for a more secure, if more costly, e-passport that costs $97 and
contains a radio frequency chip that can be read at a distance of only three
inches. Privacy and security experts said the new passport cards that
transmit information over longer distances are much less secure.

"The government is fundamentally weakening border security and privacy for
passport holders in order to get people through the lines faster," said Ari
Schwartz, deputy director of the Center for Democracy and Technology, which
submitted comments in opposition to the proposed rule, along with 4,000
others, the vast majority in opposition.

The problem with the card, Schwartz said, is that it uses a standard that
wasn't meant to track people. "It's not made as an identity document," he
said. "The technology they're using was designed to track goods -- pallets
of toilet paper at Wal-Mart," he said.

The government said that to protect the data against copying or theft, the
chip will contain a unique identifying number linked to information in a
secure government database but not to names, Social Security numbers or
other personal information. It will also come with a protective sleeve to
guard against hackers trying to skim data wirelessly, Barrett said.

The card is part of the Western Hemisphere Travel Initiative, aimed at
strengthening border security while easing entry for citizens and legitimate
visitors with standard identity documents.

Although the chip is passive and can be read only when a reader pings it, a
reader with a strong battery can detect the chip's signal from as far as 40
feet away, Schwartz said. It can easily be cloned, posing the risk that a
hacker could make a duplicate card to fool a border agent, he said.

Avi Rubin, a professor at Johns Hopkins University, said that two years ago,
he duplicated an RFID chip in his "speedpass" used for buying gas, copied
the information onto a laptop and, after extending a radio antenna from the
laptop out the car door, was able to buy gas with the cloned RFID chip.

Randy Vanderhoof, executive director of the Smart Card Alliance, represents
technology firms that make another kind of RFID chip, one that can only be
read up close, and he is critical of the passport card's technology. It
offers no way to check whether the card is valid or a duplicate, he said, so
a hacker could alter the number on the chip using the same techniques used
in cloning.

"Because there's no security in the numbering system, a person who obtains a
passport card and is later placed on a watchlist could easily alter the
number on the passport card to someone else's who's not on the watchlist,"
Vanderhoof said.

Last year, the Government Accountability Office reviewed technology similar
to that used in the passport cards. The report found low read rates and said
the technology should be used only to track goods, not to identify people.

The State Department hopes to begin issuing the cards in the spring. For
more information, go to http://www.travel.state.gov

More information about the Infowarrior mailing list