Thursday, 14 October 2004
Time to get a new USA passport
Contracts were awarded today to Axalto and three other teams of vendors for the addition of secretly and remotely-readable radio-frequency identification (RFID) chips embedded in the photo and information page (inside front cover) of all new USA passports.
In accordance with the timeline in the Request For Proposals , the winning bidder was required to have built test kits on spec, in order to be prepared to deliver them to the State Department within one day of being awarded the contract, i.e. by tomorrow. Test sample passports must be delivered within 10 days, and testing will be conducted over the next three weeks.
The first RFID passports valid for actual use will be produced in a pilot program limited to the State Department passport office in Washington, DC, and limited to the special (maroon cover) passports issued to Federal government employees, with the first such RFID passports to be issued by mid-December 2004. The first regular (blue cover) RFID passports will be issued "at a single, domestic passport agency no later than Spring 2005," with the RFID passport issuance equipment deployed thereafter to all other USA passport agencies.
"It is expected that all newly issued, full-validity, United States passports will have embedded inlays (IC/antenna assembly in a protective plastic envelope) by the end of calendar 2005."
In testimony to Congress during a hearing on RFID chips on Flag Day, 14 July 2004 , Barry Steinhardt of the ACLU described government tracking as, "The most frightening use of RFID chips":
Most troubling of all are proposals to incorporate RFID tags into government identity documents.
RFIDs would allow for convenient, at-a-distance verification of ID. RFID-tagged IDs could be secretly read right through a wallet, pocket, backpack, or purse by anyone with the appropriate reader device, including marketers, identity thieves, pickpockets, oppressive governments, and others. Retailers might add RFID readers to find out exactly who is browsing their aisles, gawking at their window displays from the sidewalk -- or passing by without looking. Pocket ID readers could be used by government agents to sweep up the identities of everyone at a political meeting, protest march, or Islamic prayer service. A network of automated RFID listening posts on the sidewalks and roads could even reveal the location of all people in the U.S. at all times.
This may sound far-fetched, and I hope that it stays that way. But if we at the ACLU have learned anything over the past decade, it is that seemingly distant privacy invasions that sound right out of science fiction often become real far faster than anyone has anticipated. I give you this scenario as something that I think most Americans would agree is something that should be avoided, and yet is now entirely possible as far as the technology that is available to us. That means that our future is now going to be decided by policy.
Congress has, however, already mandated by law that USA passports contain whatever RFID, biometric, and other devices and data are recommended by the standards of the International Civil Aviation Organization (ICAO), and has pressured other countries to enact these standards into their laws as well.
ICAO spokesperson Denis Chagnon has not responded -- despite several conversations in which he has promised to do so -- to repeated requests over the last three months for comment on when ICAO would make its official decision on whether to adopt the requirement for an RFID chip (referred to in ICAO Document 9303 as a "contactless integrated circuit") as an ICAO standard, or whether ICAO had engaged in any discussions with any privacy or civil liberties organizations or any of the signers of the joint Open Letter to ICAO from Privacy International and other groups requesting such dialogue and opportunity for participation in ICAO decision-making.
As Bruce Schneier and other security experts have pointed out, RFID chips in passports serve no security purpose, only a surveillance purpose. In an op-ed article last month in the International Herald Tribune , Schneier wrote:
Unfortunately, RFID chips can be read by any reader, not just the ones at passport control.... [A]nyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily -- and surreptitiously -- pick Americans or nationals of other participating countries out of a crowd.
It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 30 feet -- 9 meters -- away. Improvements in technology are inevitable.
Security is always a trade-off. If the benefits of RFID outweighed the risks, then maybe it would be worth it. Certainly, there isn't a significant benefit when people present their passport to a customs official. If that customs official is going to take the passport and bring it near a reader, why can't he go those extra few centimeters that a contact chip -- one the reader must actually touch -- would require?
The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.
Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can't be done.
Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.
You could keep an RFID passport in a tin-foil envelope, but because the RFID chip will be embedded in the photo page, it will be exposed for reading whenever you have to display your passport for visual inspection: checking into a hotel, cashing a travellers check, exchanging foreign currency, checking in for an airline flight, etc.
The data on the RFID chip will not be encrypted. [I got this wrong in my initial version of this article. See my follow-up article for more on the lack of encryption, and what it means.] Only a digital "hash" of the data will encrypted and digitally signed by the issuing agency (the USA government), using keys supplied by ICAO under a a no-bid contract with the USA Government Printing Office (GPO).
Eevn if it were encrypted (which it won't be, under the current contract) the data readable from the chip will constitute a unique personal identification number, which will be entered into each such passport holder's Acxiom or Choicepoint file the first time they display their passport during a transaction with a company that shares data with Acxiom or Choicepoint. And if the passport isn't kept in an RF-protective envelope or sleeve, it will be vulnerable to being read, and the location and time and circumstances (such as which other passports are nearby) of the reading sent to and logged by these or other data aggregation companies, not just when it is displayed but each time you pass through a doorway equipped with a hidden reader.
The State Department's passport offices would be swamped if they required the replacement of all outstanding passports with RFID passports, so that isn't likely to be required. Current passports will probably remain valid, although holders of non-RFID passports will probably be given second-class treatment at immigration control, required to stand in longer lines like those who don't have Registered Traveler credentials.
Still, it's worth a little extra time at airports and border crossings to avoid carrying a tracking chip broadcasting your identity to anyone querying it by radio, enabling the creation of a lifetime data trail of your movements around the world.
New regular USA passports are valid for 10 years, and you can still get one without an RFID chip through at least the end of the year. I'll be getting a new passport before the end of this year, even though my current passport doesn't expire for several more years, in order to have a non-RFID passport valid as far into the future as possible. If you value your safety and privacy, and are a citizen of the USA, you should too.
[Correction, 15 October 2004: This article has been updated to correct my error in the intial version of the article on the (lack of) encryption of the data on the RFID chip. See my follow-up article for more on the lack of encryption, and its significance.]Link | Posted by Edward on Thursday, 14 October 2004, 10:27 (10:27 AM) | TrackBack (1)