Tuesday, 25 October 2005
The Amazing Race 8 (Family Edition), Episode 5 (RFID passports)
New Orleans, LA (USA) - Panama City (Panama)
Just when the families on The Amazing Race 8 finally left the USA in tonight's episode, the USA Department of State today took the latest in its recent series of regulatory actions to make it more difficult for other families like them to take that first step across the borders of the USA, and less likely that they ever will.
[T]he first issuance to the American traveling public [is] slated for early 2006. By October 2006, all U.S. passports, with the exception of a small number of emergency passports issued by U.S. embassies or consulates, will be electronic passports.
We received a total of 2,335 comments on the introduction of the electronic passport.... Specifically, concerns focused as follows: 2019 comments listed security and/or privacy; 171 listed general objections to use of the data chip and/or the use of RFID; 85 listed general objections to use of the electronic passport; 52 listed general technology concerns; and 8 listed religious concerns. Overall, approximately 1% of the comments were positive, 98.5% were negative, and .5% were neither negative nor positive.
As had been rumored (leaked?) over the summer, the State Department has made some changed to its original plan. Most of the data on the RFID chip in the passport (except, crucially, a fixed globally unique serial number) will be encrypted to reduce the risk of identity theft or passport cloning, and "anti-skimming material" (presumably a layer of metal foil or mesh) will be laminated into the passport cover to reduce the risk of surreptitious reading (except, crucially, whenever the passport is opened for even the briefest and most cursory visual inspection).
Those changes might be sufficient to assuage those people whose primary concerns were about the ways RFID passports would facilitate identity theft, fraud, terrorism, passport forgery, smuggling, and other crimes.
But as I've previously reported, those changes fail to address the use of RFID passports for commercial and government surveillance: transaction and position logging, data aggregation, and data mining.
Each RFID chip has to broadcast a unique identification number, in the clear (unencrypted), in response to a query from any reader. (Readers are cheap and widely available, and will get cheaper.) This number is used to initiate communications with the reader, and to manage "collisions" if multiple chips are within range of, and replying to, the same (or another) reader.
The single change to the RFID passport plan that would make the most difference -- dramatically reducing the usability of RFID passports for commercial or government surveillance , while having no effect at all on their use for security purposes -- would be to have the chips to generate and use a different random collision avoidance and session initiation ID in response to each reader query, instead of a serial number fixed for the life of the chip and the passport.
(Under another part of the RFID passport regulations finalized last month, you'll have to get your passport replaced if the RFID chip fails -- at your expense, if you have deliberately disabled the chip.)
As I understand it, there is no technical obstacle to using a dynamic, random (or at past pseudo-random) session ID. The only reason to use a static serial number, as the USA has deliberately chosen to do, is to facilitate the use of RFID passports as part of the travel panopticon of surveillance.
If the regulations published today are put into effect without further change (as they likely will be unless they are successfully challenged in court), the serial number of the RFID chip in your passport will become the international analogue of your Social Security account number: the globally unique personal identification number through which every transaction or event with which it is linked can be positively correlated and compiled into a personal travel history maintained by government(s), or added to the multi-purpose dossier and profile maintained by data aggregators like Choicepoint and Acxiom (and available to anyone willing to pay for it, or to the USA government under the USA Patriot Act provisions for secret demands for commercial records).
The government's plans were set back a year by massive public protest, but this time I think the proposed schedule for beginning to issue at least some RFID passports is real. Barring a successful lawsuit, after the start of 2006, you won't be able to tell when you apply for a new passport whether it will be one of the first ones with an RFID chip.
All you can do to protect yourself is to get a new passport now that will remain valid for the next 10 years. (There's no plan to invalidate existing non-RFID passports until they expire.) You can apply for a new or replacement passport at any time, for any reason, even if your current passport still has several years of validity.
Given that the use as a session initiation and collision avoidance key of a serial number fixed for the life of the chip does not even arguably serve any security purpose, the only reason for the government's choice is to facilitate surveillance. And border guards will be able (regardless of which type of session ID is used) to capture and decrypt the entirety of the personal data on the passport and the chip, including a digital photo. So the only possible reason not to use a different ID number for each "reading" of the chip is to facilitate use of the fixed ID number by entities other than governments, at places other than borders. In other words, this part of the scheme is being forced on us by the USA government solely to make it possible for data aggregators and data miners to track our movements and activities, for their profit. And we'll be required to bear the cost through increased passport fees.
Why would the State Department go out of its way to give businesses a tool for tracking and compiling dossiers about us? Presumably, the government hoped that doing this would get the "buy-in" of the travel industry (and perhaps) others) for the RFID passport plan. It will probably work: the travel industry is eager for "location-based" marketing data and customer profiling as well as business process automation, and this will enable commercial users of RFID passport data to blame the government, instead of having to justify their data demands to their customers.
Already, casinos use RFID frequent gambler "loyalty" cards not just to log the time, place, and amount of each bet, but to analyze the patterns of movement of gamblers on the casino floor and throughout their casino/hotel/restaurant/entertainment/resort complexes, recording in individual logs and profiles such things as when and how often gamblers leave the betting (spending) areas, and where they go: to their hotel room (perhaps to sleep, i.e. rest up to be ready for more gambling), to a restaurant to eat (refuel for more gambling), etc. Theme parks -- where all visitors can be required to carry admission tickets or badges with RFID chips -- are beginning to do the same. Unique fixed ID numbers in RFID chips in passports will make this possible for all businesses on a global scale.
The problem with Social Security account numbers has little to do with how they are used by the Social Security Administration, and everything to do with how they are used for data aggregation by other, mainly commercial entities. The same is largely true of RFID passports, although the potential for direct abuse by governments remains higher for RFID passports than for Social Security account numbers.
The State Department has failed to conduct the Privacy Impact Assessment which, as EFF and others have noted , is required before the proposed rules can take effect. And its limited analysis and response to the comments on the proposal is based on the fundamentally false claims that:
It will not permit "tracking" of individuals. It will only permit governmental authorities to know that an individual has arrived at a port of entry.
Both of these last two sentences are lies, and the State Department knows it. The root of the problem is the continued refusal of the State Department to admit -- even when I directly confronted the head of the Passport Office, Frank Moss, with this question at CFP -- that passports are ever inspected by anyone other than government authorities, or anywhere other than at government border-crossing checkpoints ("ports of entry").
In fact, most passport checks are made by commercial entities, for commercial purposes, at commercial facilities, and are required as a condition of commercial transactions. Passports have to be opened for inspection by airlines, airport security (sometimes they work for and are regulated by the government, sometimes not), banks, currency-exchange offices, hotels, duty-free stores, and other businesses.
Unless you want to travel without ever changing money, staying in a hotel, or using mass transportation (passports -- or national ID credentials of the country, which foreign travellers don't have -- are routinely required for travel by bus, train, and ferry, increasingly in the USA as they have been for years in many other countries), it's impossible to travel around the world without leaving a trail of times, places, and purposes for which your passport has been displayed.
With an RFID passport that responds to any query from any reader with an unencrypted static ID number, you'll have to assume that whenever you open your passport, even momentarily, your position, the date and time, the nature of the facility or reason for the passport check, and the details of any associated transaction will be entered in your permanent file.
Of course that could be done manually with a non-RFID passport, but it would be slow and costly for the business, and you'd probably know it was happening. With an RFID passport, what seems to be a cursory glance at a passport by a bored and inattentive person at a doorway could in really also include the invisible capture of the chip ID number and logging of the event in a central file (to which, in the USA, you yourself have no right of access) of information about you available for sale to all comers, and available to the government for the asking.
"Social network analysis" of that file, in conjunction with others, will enable commercial or government data miners to identify those with whom you associate and the nature of your relationships:
Hmmm. These two people showed their passports to enter this duty-free shop at Heathrow Airport 30 seconds apart in 2007, and to get on the same sailing of a ferry from Hong Kong to Guangzhou three years later. That's probably not a coincidence. If one of them is a suspect, the other one probably should be too. If one of them showed their passport at a money-changers in Maputo in May to convert Mozambican Metacias to South African Rand, there's a good chance the other one of them was nearby. Let's investigate them further.
It's especially problematic that this is happening at the same time that the USA is beginning to require passports, both for USA citizens and visitors, for everyone crossing the borders of the USA including travellers to and from Canada, Mexico, and some Caribbean and Central American countries where passports haven't previously been required.
Along with the abolition of all provisions for transit of the USA without a visa (citizens of all Latin American countries need to pay US$100 and go through an elaborate visa application process just to change planes in the USA en route to or from Europe or Asia), the new rules will further discourage visitation to the USA from Mexico, Canada, and other countries, as well as travel to those countries by USA citizens who don't yet have passports. The USA is seeking comments through next Monday, 31 October 2005 on how much this will cost, but the total value of the lost spending by border crossers will be at least in the billions of U.S. dollars a year, possibly tens of billions.
Welcome to America. Your papers, please.
[Addendum, 29 October 2005: Also this month Norway began issuing unencrypted RFID passports .]
[Further addendum, 3 November 2005: In his column in Wired and an entry in his blog today, Bruce Schneier (who had previously said that "Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea", now joins me in identifying the static chip ID number as a "fatal flaw" in the privacy and surveillance risk of the RFID passport scheme.]Link | Posted by Edward on Tuesday, 25 October 2005, 23:59 (11:59 PM)