, SecurityFocus 2005-04-14
Will the wireless chip in next-generation passports act as a beacon identifying Americans to terrorists or are privacy fears overblown?
"You have to worry about identity theft, you have to worry about cloning without the victims knowledge, you have to worry about tracking and surveillance -- all the things that go with people carrying a beacon that broadcasts their identity."
The concerns focus on the U.S. government's initiative to create machine-readable passports that will be rolled out to the diplomatic corps this year and to the general public starting in 2006. Privacy and security experts criticized the move as ill-considered, saying that the technology would leak data to those with specialized equipment, allowing Americans to be automatically identified by the passports they are carrying.
"You have to worry about identity theft, you have to worry about cloning without the victims knowledge, you have to worry about tracking and surveillance -- all the things that go with people carrying a beacon that broadcasts their identity," Bruce Schneier, chief technology officer for Counterpane Internet Security said on a panel discussion at the Computer, Freedom and Privacy Conference in Seattle.
The concerns revolve around the decision to make passports machine readable by embedded a wireless chip in the documents. The chip, a 64 kilobit contactless device similar to those found in many employee identification cards, would allow data to be read from a passport just by holding the document within 10 centimeters of a reader, said Frank Moss, Deputy Assistant Secretary for the U.S. Department of State's Passport Services group and the only government official on the panel.
Moss called critics' arguments -- warning that terrorists would gain the ability to remotely identify Americans using the chipped passports -- absurd.
"We would not use our own people as test populations if we thought there was any risk associated with this passport," he said. "The idea that you can walk down a hotel hallway and identify the Americans is, quite frankly, poppycock."
Moss added that to reduce the possiblity of any such scenario, the U.S. planned to put a nonmetallic material in the cover of passports that would block wireless signals.
However, privacy and security experts maintain that, much like other wireless technologies, the specified distance at which devices can communicate with the chip could be greatly increased by specialized antennas using more power. In a demonstration using a chip similar to the one specified by current documents, Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union, showed that the passport could be read at a distance of a couple feet. He maintained that readers that could grab the information at greater distances, such as 30 feet, would be possible.
"Whether or not the Department of Homeland Security buys a reader that can read a passport at 10 centimeters or, like mine, at three or four feet, much more powerful antennas and much more powerful equipment are out there," he said.
The concerns come as the United States is leading the charge to move to machine-readable passports, requiring the nearly 30 countries with which the United States maintains a visa waiver agreement to also adopt similar technologies. Privacy experts worry that the move to a radio-frequency identification (RFID) chip will erode civil liberties.
The State Department's Moss maintained that the specification was not created by the United States, but as part of a multi-nation process at the International Civil Aviation Organization (ICAO).
"This is not just the United State's initiative," he said. "This technology is viewed widely to be taking passports to a new generation of security in terms of verifying that the person carrying the passport is the person to whom the passport was issued."
The process to create a standard for the design of a passport with a chip requiring electrical and physical contact would have been onerous, Moss maintained.
A representative of the chip-card industry said that bandwidth considerations also drove the decision to favor a contactless memory chip. The current crop of contactless chips have a read rate eight times higher than contact chips, Chuck Baggeroer, director of government marketing for Datacard Group.
"Contactless chips have considerable higher bandwidth," he said. "You would think that contact chips would have faster data rates -- that is not so."
Yet, the ACLU's Steinhardt argued that the initiative is the latest example of U.S. "policy laundering," where the administration uses an international agency to create a standard that can then be marketed to Congress as a global norm that the nation should follow.
"If you listened to President Bush when he announced the creation of these passports, you would have thought that the U.S. was a bit player in this project to create, what essentially are, these universal identification cards," Steinhardt said. "If you read the documents, it is crystal clear that the U.S. government drove the process, resisted putting in any of the protection measures ... saying that they were not necessary."
The ACLU has pointed to other initiatives, such as the Council of Europe's Cybercrime Treaty, as examples of policy laundering. The organization has started a task force to focus on the political tactic.
If other countries' momentum is any indication, the passport will just be the first document to include the wireless-chip technology, Steinhardt and other privacy and security experts said. Other identification documents will soon be chipoed as well, said Counterpane's Schneier.
"When we look at these RFID chips, they seem to be moving into a plethora of offical documents -- its not going to be just passports," he said. "So even people who don't have passports will be carrying these identity beacons."
The State Department's Moss seemed willing to address the concerns, but ultimately was unmoved by the arguments.
"We are doing it right, we just disagree," Moss said. "If you really think this is a horrible idea, you better start writing to your members of Congress."