I always took the foamy conspiracy theories with a grain of salt, but this is one topic that is starting to make me reconsider. The thing is, if you want to upgrade the security of something, the last thing you would want to do is add RF interfaces, which nearly always degrade security. This entire project would have been laudable if they had done it exactly the same way, EXCEPT the data was stored in a 2D barcode instead of on an RFID chip. They must have considered barcodes at some point, because it is the obvious, established technology. Instead, they went for the new, unproven RFID solution; yet, to cut a long story short, when you line up these options side by side, everything about the RFID option is downside. By comparison:
* barcodes are cheaper, and unlike RFID can be easily retro-fitted to existing passports;
* with a barcode, all the surreptitious access concerns would disappear, so they wouldn't have needed the additional expense (and failure modes) of the BAC technology and metallised covers;
* the barcode is already inherently read-and-add (so visas can be added), a feature which the RFID proposal merely hopes to add "eventually";
* RFID has better reliability than a contact chip because it is contactless, BUT the same is true of a barcode;
* but unlike RFID, barcodes are ALSO immune to damage from strong electromagnetic fields;
* contrary to various misleading claims, the highest density 2D barcodes currently in widespread commercial use can store, at a single opening (i.e. double page) slightly MORE data than the proposed RFID solution. Additionally some new 2D barcode formats just coming into use can do 8 times that again;
* otherwise, they can store exactly the same data with exactly the same anti-forgery characteristics, just fewer "side channels" against barcodes.
So what the heck possessed them to choose RFID? I can personally only think of two possibilities. Either a government decision maker is taking bribes from the RFID industry to give them their first big break, or someone in government regards surreptitious access as a feature, not a bug.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/189/911#911