RFID in Passports Could Lead to Identity Theft

R.A. Hettinga rah at shipwright.com
Sun Oct 31 06:20:37 PST 2004


<http://www.crmbuyer.com/story/RFID-in-Passports-Could-Lead-to-Identity-Theft-37595.html>


CRM Buyer



RFID in Passports Could Lead to Identity Theft
By John Jerney
The Yomiuri Shimbun
10/31/04 5:00 AM PT

Personal privacy is fast becoming a thing of the past. And helping secure
its demise is a technology called Radio Frequency Identification (RFID).

I wrote about RFID systems a few months ago, at which time I proposed a
scenario in which these diminutive devices begin to appear in all sorts of
objects, ranging from currency, postal mail, and even our shoes and
clothing.

RFID systems typically consist of a small tag containing a microprocessor,
a small amount of memory, and an antenna. An RFID device communicates with
an external system using radio waves. These external systems can then, in
turn, be connected to networks of computers, enabling rather sophisticated
information processing of the collected data.

The core application of RFID systems is to enable the tracking of objects
and people. The beef industry, for example, was an early adopter of RFID
technology, using it to monitor the movement of cattle from grazing to
slaughter. Governments also are planning to use RFID, in this case to
monitor the movement of people by embedding RFID technology into our
principal systems of identification.

 Embedding in Passports

The most recent news on this front came from the U.S. State Department,
which revealed that it would begin including RFID devices into all new
passports starting around the middle of next year.

The State Department says the idea is to make passports more difficult to
forge, and to ensure that the bearer of the document matches the
identification.

This means that each RFID device, in each passport, will contain at least
the name, address, and birthplace of the holder, along with a digital
photo. The first set of devices, equipped with 64 kilobytes of memory, will
likely be capable of storing additional information, as required.

Immigration and border officials will no longer need to physically swipe
the document through a reader. Instead, since the RFID device uses radio
waves to communicate, the passport only needs to come within reasonable
proximity of a listening device in order for the information to be read.

And herein lies the chief problem, as identified by privacy advocates.
Without requiring the passport to be physically handled in order to
retrieve information, just about anyone will be able to read your passport
contents, remotely, and without your knowledge.

It all seems like a massive recipe for disaster.

 Abuse Opportunities

Encryption could help the situation, slightly, but none of the data stored
on the RFID device in the proposed new U.S. passport will be scrambled,
either on the device itself or as it passes through the air.

Instead, the device will communicate a special digital signature
identifying it as an official government document.

Imagine the possibilities for abuse. As you walk through the main door,
hotels will immediately be able to determine your name, nationality, and
place of birth, beginning the profiling of guests even before reaching the
counter.

Sophisticated thieves, or even those less clever but with a few dollars to
spare on an RFID reader, will be able to comb crowds of people, searching
for individuals of a specific nationality or, by extension, those of a
particular religion.

Identity theft will become orders of magnitude easier, and stalkers at
overseas shops and boutiques will be able to quickly collect personal
information on targets of interest.

 Remote Access Concerns

Privacy advocates, by and large, are not against the idea of using a chip
in identity documents to store additional information. But many are asking
about the wisdom of including information that can be read remotely,
without the document holder being aware.

Proponents of the new technology and security-minded individuals point out
that the RFID devices proposed for use in U.S. passports will be passive,
meaning without a self-contained power source, thereby restricting the
range through which information can be transmitted.

But that hardly addresses cases where people are either forced to pass
close to a reader, as when they are walking through a doorway to enter a
building, or when a reader is unknowingly brought close to them, as an
identity thief or stalker might do.

Once collected, the information can easily be processed and correlated
using any of a number of commercially available databases. The best-case
scenario is that enterprises will use this unknowingly mined information to
sell you additional services, based on existing marketing and behavioral
profiles.

More sinister scenarios could easily involve confidence schemes or other
serious trickery.

With the inclusion of RFID in passports, governments could turn to using
the system as a means of monitoring not only entry and exit, but also
movements within a country.

 Our Vulnerabilities Increase

Today, so-called FastPass systems that enable motorists to speed through
tollbooths on highways and bridges are also being used in certain
metropolitan areas to monitor traffic patterns and automobile use, far from
the bridge or highway. Few motorists are aware of this additional use of an
otherwise helpful RFID system.

Interestingly, it's not really clear to me that the inclusion of RFID
devices will make passports that much harder to forge. The information on
each chip will remain unencrypted, making it straightforward to reverse
engineer.

In fact, as is often the case, our reliance and belief in advanced
technology may make us even more vulnerable to deception. Put another way,
the more we believe that technology is the answer to personal and national
security, the more we leave ourselves open to being fooled when those
systems are inevitably compromised.

Adding RFID technology to passports, and making the information available
unencrypted to anyone with a simple reader seems like folly on both sides
of the technology equation.

It's highly unlikely that it will contribute to our safety and security in
any meaningful way, and may instead open us to a new type of criminal, well
versed in the simple uses of high technology and ready to pounce on
unsuspecting travelers.

All you can ask is, what were they thinking?

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
