<http://www.crmbuyer.com/story/RFID-in-Passports-Could-Lead-to-Identity-Theft-37595.html>

CRM Buyer
THE ESSENTIAL GUIDE FOR CRM SYSTEM PURCHASERS

RFID in Passports Could Lead to Identity Theft

By John Jerney
The Yomiuri Shimbun
10/31/04 5:00 AM PT

Privacy advocates, by and large, are not against the idea of using a chip in identity documents to store additional information. But many are asking about the wisdom of including information that can be read remotely, without the document holder being aware.

Personal privacy is fast becoming a thing of the past. And helping secure its demise is a technology called Radio Frequency Identification (RFID).

I wrote about RFID systems a few months ago, at which time I proposed a scenario in which these diminutive devices begin to appear in all sorts of objects, ranging from currency, postal mail, and even our shoes and clothing.

RFID systems typically consist of a small tag containing a microprocessor, a small amount of memory, and an antenna. An RFID device communicates with an external system using radio waves. These external systems can then, in turn, be connected to networks of computers, enabling rather sophisticated information processing of the collected data.

The core application of RFID systems is to enable the tracking of objects and people. The beef industry, for example, was an early adopter of RFID technology, using it to monitor the movement of cattle from grazing to slaughter.

Governments also are planning to use RFID, in this case to monitor the movement of people by embedding RFID technology into our principal systems of identification.

Embedding in Passports

The most recent news on this front came from the U.S. State Department, which revealed that it would begin including RFID devices into all new passports starting around the middle of next year.

The State Department says the idea is to make passports more difficult to forge, and to ensure that the bearer of the document matches the identification.
This means that each RFID device, in each passport, will contain at least the name, address, and birthplace of the holder, along with a digital photo. The first set of devices, equipped with 64 kilobytes of memory, will likely be capable of storing additional information, as required.

Immigration and border officials will no longer need to physically swipe the document through a reader. Instead, since the RFID device uses radio waves to communicate, the passport only needs to come within reasonable proximity of a listening device in order for the information to be read.

And herein lies the chief problem, as identified by privacy advocates. Without requiring the passport to be physically handled in order to retrieve information, just about anyone will be able to read your passport contents, remotely, and without your knowledge.

It all seems like a massive recipe for disaster.

Abuse Opportunities

Encryption could help the situation, slightly, but none of the data stored on the RFID device in the proposed new U.S. passport will be scrambled, either on the device itself or as it passes through the air. Instead, the device will communicate a special digital signature identifying it as an official government document.

Imagine the possibilities for abuse. As you walk through the main door, hotels will immediately be able to determine your name, nationality, and place of birth, beginning the profiling of guests even before reaching the counter.

Sophisticated thieves, or even those less clever but with a few dollars to spare on an RFID reader, will be able to comb crowds of people, searching for individuals of a specific nationality or, by extension, those of a particular religion.

Identity theft will become orders of magnitude easier, and stalkers at overseas shops and boutiques will be able to quickly collect personal information on targets of interest.

Remote Access Concerns

Privacy advocates, by and large, are not against the idea of using a chip in identity documents to store additional information. But many are asking about the wisdom of including information that can be read remotely, without the document holder being aware.

Proponents of the new technology and security-minded individuals point out that the RFID devices proposed for use in U.S. passports will be passive, meaning without a self-contained power source, thereby restricting the range through which information can be transmitted.

But that hardly addresses cases where people are either forced to pass close to a reader, as when they are walking through a doorway to enter a building, or when a reader is unknowingly brought close to them, as an identity thief or stalker might do.

Once collected, the information can easily be processed and correlated using any of a number of commercially available databases. The best-case scenario is that enterprises will use this unknowingly mined information to sell you additional services, based on existing marketing and behavioral profiles.

More sinister scenarios could easily involve confidence schemes or other serious trickery.

With the inclusion of RFID in passports, governments could turn to using the system as a means of monitoring not only entry and exit, but also movements within a country.

Our Vulnerabilities Increase

Today, so-called FastPass systems that enable motorists to speed through tollbooths on highways and bridges are also being used in certain metropolitan areas to monitor traffic patterns and automobile use, far from the bridge or highway. Few motorists are aware of this additional use of an otherwise helpful RFID system.

Interestingly, it's not really clear to me that the inclusion of RFID devices will make passports that much harder to forge. The information on each chip will remain unencrypted, making it straightforward to reverse engineer.
In fact, as is often the case, our reliance and belief in advanced technology may make us even more vulnerable to deception. Put another way, the more we believe that technology is the answer to personal and national security, the more we leave ourselves open to being fooled when those systems are inevitably compromised.

Adding RFID technology to passports, and making the information available unencrypted to anyone with a simple reader seems like folly on both sides of the technology equation.

It's highly unlikely that it will contribute to our safety and security in any meaningful way, and may instead open us to a new type of criminal, well versed in the simple uses of high technology and ready to pounce on unsuspecting travelers.

All you can ask is, what were they thinking?

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'