Tuesday, 25 October 2005

The Amazing Race 8 (Family Edition), Episode 5 (RFID passports)

New Orleans, LA (USA) - Panama City (Panama)

Just when the families on The Amazing Race 8 finally left the USA in tonight's episode, the USA Department of State today took the latest in its recent series of regulatory actions to make it more difficult for other families like them to take that first step across the borders of the USA, and less likely that they ever will.

Under a final rule published today (70 Federal Register 61553-61555) and effective immediately, secretly and remotely readable RFID chips will be embedded in all USA passports:

[T]he first issuance to the American traveling public [is] slated for early 2006. By October 2006, all U.S. passports, with the exception of a small number of emergency passports issued by U.S. embassies or consulates, will be electronic passports.

The Passport Office's attempt to sell its critics on the "e-passport" scheme was an unsuccessful fiasco, and public comments on the proposal were overwhelmingly negative:

We received a total of 2,335 comments on the introduction of the electronic passport.... Specifically, concerns focused as follows: 2019 comments listed security and/or privacy; 171 listed general objections to use of the data chip and/or the use of RFID; 85 listed general objections to use of the electronic passport; 52 listed general technology concerns; and 8 listed religious concerns. Overall, approximately 1% of the comments were positive, 98.5% were negative, and .5% were neither negative nor positive.

As had been rumored (leaked?) over the summer, the State Department has made some changes to its original plan. Most of the data on the RFID chip in the passport (except, crucially, a fixed globally unique serial number) will be encrypted to reduce the risk of identity theft or passport cloning, and "anti-skimming material" (presumably a layer of metal foil or mesh) will be laminated into the passport cover to reduce the risk of surreptitious reading (except, crucially, whenever the passport is opened for even the briefest and most cursory visual inspection).

Those changes might be sufficient to assuage those people whose primary concerns were about the ways RFID passports would facilitate identity theft, fraud, terrorism, passport forgery, smuggling, and other crimes.

But as I've previously reported, those changes fail to address the use of RFID passports for commercial and government surveillance: transaction and position logging, data aggregation, and data mining.

Each RFID chip has to broadcast a unique identification number, in the clear (unencrypted), in response to a query from any reader. (Readers are cheap and widely available, and will get cheaper.) This number is used to initiate communications with the reader, and to manage "collisions" if multiple chips are within range of, and replying to, the same (or another) reader.

The single change to the RFID passport plan that would make the most difference -- dramatically reducing the usability of RFID passports for commercial or government surveillance, while having no effect at all on their use for security purposes -- would be to have the chips generate and use a different random collision avoidance and session initiation ID in response to each reader query, instead of a serial number fixed for the life of the chip and the passport.

(Under another part of the RFID passport regulations finalized last month, you'll have to get your passport replaced if the RFID chip fails -- at your expense, if you have deliberately disabled the chip.)

As I understand it, there is no technical obstacle to using a dynamic, random (or at least pseudo-random) session ID. The only reason to use a static serial number, as the USA has deliberately chosen to do, is to facilitate the use of RFID passports as part of the travel panopticon of surveillance.

If the regulations published today are put into effect without further change (as they likely will be unless they are successfully challenged in court), the serial number of the RFID chip in your passport will become the international analogue of your Social Security account number: the globally unique personal identification number through which every transaction or event with which it is linked can be positively correlated and compiled into a personal travel history maintained by government(s), or added to the multi-purpose dossier and profile maintained by data aggregators like Choicepoint and Acxiom (and available to anyone willing to pay for it, or to the USA government under the USA Patriot Act provisions for secret demands for commercial records).

The government's plans were set back a year by massive public protest, but this time I think the proposed schedule for beginning to issue at least some RFID passports is real. Barring a successful lawsuit, after the start of 2006, you won't be able to tell when you apply for a new passport whether it will be one of the first ones with an RFID chip.

All you can do to protect yourself is to get a new passport now that will remain valid for the next 10 years. (There's no plan to invalidate existing non-RFID passports until they expire.) You can apply for a new or replacement passport at any time, for any reason, even if your current passport still has several years of validity.

Given that the use as a session initiation and collision avoidance key of a serial number fixed for the life of the chip does not even arguably serve any security purpose, the only reason for the government's choice is to facilitate surveillance. And border guards will be able (regardless of which type of session ID is used) to capture and decrypt the entirety of the personal data on the passport and the chip, including a digital photo. So the only possible reason not to use a different ID number for each "reading" of the chip is to facilitate use of the fixed ID number by entities other than governments, at places other than borders. In other words, this part of the scheme is being forced on us by the USA government solely to make it possible for data aggregators and data miners to track our movements and activities, for their profit. And we'll be required to bear the cost through increased passport fees.

Why would the State Department go out of its way to give businesses a tool for tracking and compiling dossiers about us? Presumably, the government hoped that doing this would get the "buy-in" of the travel industry (and perhaps others) for the RFID passport plan. It will probably work: the travel industry is eager for "location-based" marketing data and customer profiling as well as business process automation, and this will enable commercial users of RFID passport data to blame the government, instead of having to justify their data demands to their customers.

Already, casinos use RFID frequent gambler "loyalty" cards not just to log the time, place, and amount of each bet, but to analyze the patterns of movement of gamblers on the casino floor and throughout their casino/hotel/restaurant/entertainment/resort complexes, recording in individual logs and profiles such things as when and how often gamblers leave the betting (spending) areas, and where they go: to their hotel room (perhaps to sleep, i.e. rest up to be ready for more gambling), to a restaurant to eat (refuel for more gambling), etc. Theme parks -- where all visitors can be required to carry admission tickets or badges with RFID chips -- are beginning to do the same. Unique fixed ID numbers in RFID chips in passports will make this possible for all businesses on a global scale.

The problem with Social Security account numbers has little to do with how they are used by the Social Security Administration, and everything to do with how they are used for data aggregation by other, mainly commercial entities. The same is largely true of RFID passports, although the potential for direct abuse by governments remains higher for RFID passports than for Social Security account numbers.

The State Department has failed to conduct the Privacy Impact Assessment which, as EFF and others have noted, is required before the proposed rules can take effect. And its limited analysis and response to the comments on the proposal is based on the fundamentally false claims that:

It will not permit "tracking" of individuals. It will only permit governmental authorities to know that an individual has arrived at a port of entry.

Both of these last two sentences are lies, and the State Department knows it. The root of the problem is the continued refusal of the State Department to admit -- even when I directly confronted the head of the Passport Office, Frank Moss, with this question at CFP -- that passports are ever inspected by anyone other than government authorities, or anywhere other than at government border-crossing checkpoints ("ports of entry").

In fact, most passport checks are made by commercial entities, for commercial purposes, at commercial facilities, and are required as a condition of commercial transactions. Passports have to be opened for inspection by airlines, airport security (sometimes they work for and are regulated by the government, sometimes not), banks, currency-exchange offices, hotels, duty-free stores, and other businesses.

Unless you want to travel without ever changing money, staying in a hotel, or using mass transportation (passports -- or national ID credentials of the country, which foreign travellers don't have -- are routinely required for travel by bus, train, and ferry, increasingly in the USA as they have been for years in many other countries), it's impossible to travel around the world without leaving a trail of times, places, and purposes for which your passport has been displayed.

With an RFID passport that responds to any query from any reader with an unencrypted static ID number, you'll have to assume that whenever you open your passport, even momentarily, your position, the date and time, the nature of the facility or reason for the passport check, and the details of any associated transaction will be entered in your permanent file.

Of course that could be done manually with a non-RFID passport, but it would be slow and costly for the business, and you'd probably know it was happening. With an RFID passport, what seems to be a cursory glance at a passport by a bored and inattentive person at a doorway could in reality also include the invisible capture of the chip ID number and logging of the event in a central file (to which, in the USA, you yourself have no right of access) of information about you available for sale to all comers, and available to the government for the asking.

"Social network analysis" of that file, in conjunction with others, will enable commercial or government data miners to identify those with whom you associate and the nature of your relationships:

Hmmm. These two people showed their passports to enter this duty-free shop at Heathrow Airport 30 seconds apart in 2007, and to get on the same sailing of a ferry from Hong Kong to Guangzhou three years later. That's probably not a coincidence. If one of them is a suspect, the other one probably should be too. If one of them showed their passport at a money-changers in Maputo in May to convert Mozambican Meticais to South African Rand, there's a good chance the other one of them was nearby. Let's investigate them further.
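The difference between a serial number fixed for the life of the chip and a fresh random ID per reader query, and its effect on the co-travel inference just described, as an added simulation that is not part of the original post. The `Chip` class, the itinerary and the 5-minute window are constructed for illustration and do not model any real passport protocol in detail.

```python
import secrets
from collections import defaultdict
from itertools import combinations

class Chip:
    """Toy chip: answers any reader query with its collision-avoidance ID."""
    def __init__(self, static_uid=None):
        self.static_uid = static_uid        # None -> fresh random ID per query

    def answer_query(self):
        if self.static_uid is not None:
            return self.static_uid          # same value for the chip's life
        return secrets.token_hex(4)         # new 32-bit value on every query

# Constructed itinerary: (site, minute, traveller). A and B travel together.
VISITS = [
    ("duty-free", 0, "A"), ("duty-free", 1, "B"), ("duty-free", 300, "C"),
    ("ferry", 5000, "A"), ("ferry", 5002, "B"),
    ("hotel", 9000, "C"), ("bank", 9500, "A"),
]

def reader_logs(chips):
    """What the readers record: (site, minute, ID as sent in the clear)."""
    return [(site, t, chips[who].answer_query()) for site, t, who in VISITS]

def profiles(log):
    """Group log rows by ID; keep IDs that link events at more than one site."""
    by_id = defaultdict(set)
    for site, _, uid in log:
        by_id[uid].add(site)
    return {uid: sites for uid, sites in by_id.items() if len(sites) > 1}

def co_travellers(log, window=5):
    """ID pairs seen within `window` minutes of each other at 2+ sites."""
    shared = defaultdict(set)
    for (s1, t1, u1), (s2, t2, u2) in combinations(log, 2):
        if s1 == s2 and u1 != u2 and abs(t1 - t2) <= window:
            shared[frozenset((u1, u2))].add(s1)
    return {pair for pair, sites in shared.items() if len(sites) >= 2}

def run(static):
    """Return (cross-site profiles, co-travelling pairs) the logs support."""
    chips = {who: Chip(secrets.token_hex(4) if static else None)
             for who in "ABC"}
    log = reader_logs(chips)
    return len(profiles(log)), len(co_travellers(log))

if __name__ == "__main__":
    print("static serial   :", run(static=True))
    print("random per query:", run(static=False))
```

With static serials the logs yield one cross-site profile per traveller and one co-travelling pair; with a random ID per query the same logs contain no ID that appears twice, so neither grouping finds anything.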

Similar concerns have also been raised in Australia, where the first Australian passport with an RFID chip was issued today to the Foreign Affairs Minister, Alexander Downer.

It's especially problematic that this is happening at the same time that the USA is beginning to require passports, both for USA citizens and visitors, for everyone crossing the borders of the USA including travellers to and from Canada, Mexico, and some Caribbean and Central American countries where passports haven't previously been required.

Along with the abolition of all provisions for transit of the USA without a visa (citizens of all Latin American countries need to pay US$100 and go through an elaborate visa application process just to change planes in the USA en route to or from Europe or Asia), the new rules will further discourage visitation to the USA from Mexico, Canada, and other countries, as well as travel to those countries by USA citizens who don't yet have passports. The USA is seeking comments through next Monday, 31 October 2005 on how much this will cost, but the total value of the lost spending by border crossers will be at least in the billions of U.S. dollars a year, possibly tens of billions.

Welcome to America. Your papers, please.

[Addendum, 29 October 2005: Also this month Norway began issuing unencrypted RFID passports.]

[Further addendum, 3 November 2005: In his column in Wired and an entry in his blog today, Bruce Schneier (who had previously said that "Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea"), now joins me in identifying the static chip ID number as a "fatal flaw" in the privacy and surveillance risk of the RFID passport scheme.]

Posted by Edward on Tuesday, 25 October 2005, 23:59 (11:59 PM)
Comments

here's the article about the passports. Betsy

Posted by: Sylvia, 28 October 2005, 12:33 (12:33 PM)

Edward Hasbrouck writes:

"But as I've previously reported, those changes fail to address the use of RFID passports for commercial and government surveillance: transaction and position logging, data aggregation, and data mining."

If you are concerned, then wrap aluminum foil around your passport 3 times. That should prevent anyone from reading it.

Else, find someone that will mass duplicate the unique unencrypted serial number on an RFID device. Make 100 copies. Give it to all of your friends. How can they track you when you are in 100 places at the same time?

Posted by: Bruce Barnett, 30 October 2005, 08:45 ( 8:45 AM)

Bruce Barnett wrote:

"If you are concerned, then wrap aluminum foil around your passport 3 times. That should prevent anyone from reading it."

That will only work when the passport is closed and wrapped. The point of my original article is that the main problem is reading of the UID when a traveller is required to "show" (and expose for RFID reading) their passport to check in for a flight or hotel, or to engage in banking, currency exchange, or other transactions.

"Else, find someone that will mass duplicate the unique unencrypted serial number on an RFID device. Make 100 copies. Give it to all of your friends. How can they track you when you are in 100 places at the same time?"

This is an interesting spoofing idea. But it would only add "noise" events to the Acxiom or Choicepoint file of the holder of the passport, not erase the "signal" events. And it could cause that passport to be flagged as suspicious, and the holder subjected to more intrusive scrutiny by governments at border crossings.

Posted by: Edward Hasbrouck, 30 October 2005, 08:58 ( 8:58 AM)

A couple of questions on RFID chips in US passports:

1. Will there be a way to tell when one gets a new passport if it has the chip in it? Will there be some kind of visible code/id number or the like printed on the passport? Can the chip be physically felt?

2. Do you have any hints on how to disable the chip?

3. How will the government know the chip has been disabled versus just going defective?

4. If the chip is not disabled, do you have any hints on how to safeguard oneself against unwanted scanning? (Other than wrapping the passport in aluminum foil.)

5. Will any chip-embedded passports be issued before October 2006?

6. Who/where is the best place to lodge one's opposition to RFID passports?

Thanks

MP

Posted by: M Latept, 31 October 2005, 21:30 ( 9:30 PM)

M Latept asks:

"1. Will there be a way to tell when one gets a new passport if it has the chip in it? Will there be some kind of visible code/id number or the like printed on the passport?"

Yes. There will be a standard logo on the passport cover to indicate to government authorities at borders that it has an RFID chip. I've seen it, but can't find an image of it online to link to. (If someone finds one, please send me the URL.) This is needed to enable these authorities to determine whether the particular passport is supposed to have a chip. Otherwise, you could disable the chip, and they would just think it was a non-RFID passport.

"Can the chip be physically felt?"

In the 2 samples I was able to handle, it could be felt with difficulty, not so much by thickness as because the chip was less flexible than the rest of the passport cover when it was flexed. I don't think one could be certain to detect it by feel.

"2. Do you have any hints on how to disable the chip?"

You can disable it in several ways, but (1) you might damage the rest of the passport, and (2) it will invalidate the passport.

"3. How will the government know the chip has been disabled versus just going defective?"

I don't know how they will try to determine that. This was one of the points explored at length in the comments by EFF, Privacy Activism, RFIDkills.com, et al. on the proposed regulations.

"4. If the chip is not disabled, do you have any hints on how to safeguard oneself against unwanted scanning? (Other than wrapping the passport in aluminum foil.)"

No. I've mentioned previously that something very useful would be an optically transparent Faraday cage (RF shield) that could be wrapped around the visible data page to enable one to display the passport for visual inspection without exposing it to RFID reading. But I haven't seen one or heard anything about whether such exists or could affordably be mass produced.

"5. Will any chip-embedded passports be issued before October 2006?"

Yes, if the timetable in the regulations is followed. There may be technical delays, but the latest plan is to start issuing RFID diplomatic and official passports by the end of 2005, and regular passports beginning in early 2006.

"6. Who/where is the best place to lodge one's opposition to RFID passports?"

If you are in the USA, with Congress. Elsewhere, with your national government, particularly your national data protection or privacy authority and whoever appoints your country's representatives to ICAO. It's critical for national data protection authorities to be included in ICAO delegations from national governments.

Posted by: Edward Hasbrouck, 1 November 2005, 07:44 ( 7:44 AM)

It will only permit governmental authorities to know that an individual has arrived at a port of entry.

Posted by: john beck, 4 October 2006, 02:21 ( 2:21 AM)

John Beck comments, "It will only permit governmental authorities to know that an individual has arrived at a port of entry."

Unfortunately, that's not correct: There's nothing to limit the reading of the RFID chip data to governmental authorities or ports of entry. Passports are required to be shown to many other entities (hotels, banks, duty-free shops, etc.) in many other places.

Posted by: Edward Hasbrouck, 4 October 2006, 10:27 (10:27 AM)