Forgot your password?
typodupeerror
Privacy United States

American Passports to Have RFID Chips 668

Posted by CowboyNeal
from the big-brother-and-the-watchmen dept.
pr1000 writes "Wired is reporting that the State Department is planned on adding RFID chips to new American passports, starting with diplomat's passports in January. Those worried about the privacy concerns of RFID should take notice, as this rollout could set a precedent."
This discussion has been archived. No new comments can be posted.

American Passports to Have RFID Chips

Comments Filter:
  • Bruce Schneier (Score:5, Informative)

    by Ann Elk (668880) on Friday October 22, 2004 @06:12AM (#10596354)

    Bruce Schneier has made some interesting observations [schneier.com] on the RFID passport plans. Somehow, I do not see how this could possibly make us "safer".

  • Simple solution (Score:5, Informative)

    by polysylabic psudonym (820466) on Friday October 22, 2004 @06:15AM (#10596369) Journal
    Turn your bag into a faraday cage [wikipedia.org], keep your passport in your bag.
  • by faragon (789704) on Friday October 22, 2004 @06:17AM (#10596380) Homepage
    I'm a bit afraid about this, as soon as that mean that everybody bringing passport will be "traceable"... but, why?

    The target of a proposed solution usually it is driven by a defined utility: to speed up a procedure or whatever. But in this case, do will really speed up or improve something? What about passport authentication? For sure can not be 100% automated, as soon as RF ID chips can be, at least, cloned (from the sophisticated data retrieval via millitary X-Ray uC inspection or via amateur hacking, or whatever).

    Summary: a cop/inspector will be still needed to validate your passport, then, there will no be "bottleneck solving" or whatever other problem was intended to be solved.

    This too much control may irritate my civil rights chip... soon here at Europe. Regards.
  • Re:Law Enforcement (Score:4, Informative)

    by polysylabic psudonym (820466) on Friday October 22, 2004 @06:18AM (#10596383) Journal
    Unfortunately RFID tags don't have much range. You'd have to be practically on top of your stuff to find it - that or have the whole town you're in set up to track RFID tags as they move through doorways etc. I think I'd rather lose my passport, cash and credit cards than have that, though.
  • Schneier's Take (Score:3, Informative)

    by Anonymous Coward on Friday October 22, 2004 @06:19AM (#10596388)
    Bruce Schneier's latest CryptoGram newsletter [schneier.com] has an intelligent take [schneier.com] on the idiocy of this idea.
    RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that anyone carrying around an RFID passport is broadcasting his identity.

    Think about what that means for a minute. It means that a passport holder is continuously broadcasting his name, nationality, age, address, and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers, and terrorists can easily -- and surreptitiously -- pick Americans out of a crowd.
    (Personally, I find the garish clothes, arrogant demeanour and lack of any interest in speaking local languages enables us to do this pretty easily anyway).
  • Re:Tracking... (Score:2, Informative)

    by seringen (670743) on Friday October 22, 2004 @06:24AM (#10596414)
    Hate to break it to you, but America is still catching up to Europe when it comes to being spied upon regularily. Just because one can travel freely among European countries doesn't mean you aren't being tracked coming in and out as a non-member. Not to mention the omnipresent video security and tapping abilities of Europe. Just because the US went from pretty much nothing to something doesn't mean the europeans have anything to goad over us.
  • Re:RFID Worries... (Score:5, Informative)

    by frdmfghtr (603968) on Friday October 22, 2004 @06:38AM (#10596469)
    From the article:

    New U.S. passports will soon be read remotely at borders around the world, thanks to embedded chips that will broadcast on command an individual's name, address and digital photo to a computerized reader.

    Any questions?
  • Re:Tracking... (Score:5, Informative)

    by Simon Lyngshede (623138) <[simon] [at] [spiceweasel.dk]> on Friday October 22, 2004 @06:47AM (#10596506) Homepage
    Omnipresent video security? In shops? Or have you been to England? Agreed, the UK have taken video security to the extreme. There are however still nations where the individuals still has rights. Im not always to happy about being Danish, but at least we (still) have some privacy. Tapping phones, forget it, the police really have to have a good case to be allowed to tap you phone. Video cameras? There must be a clear sign saying that you're being taped. Cameras may not be pointed at public spaces.

    When talking about protecting the individuals privacy, the US has a long way to go, and you're moving in the wrong direction, but so Europe. Sure I have a CPR number (Central Person Register) which identify me, but who cares, it doesn't mean that the government can track my every move.

    I personally think that there is a greater chance of the US government and not the Danish government i spying on me.
  • by bentcd (690786) <bcd@pvv.org> on Friday October 22, 2004 @06:53AM (#10596521) Homepage
    Yes. They have protocols specifically to allow for this.
    It might be more of a problem if there are RFID _readers_ all over the place. They might interfere with eachother's attempt at scanning for RFID chips. I have no idea whether the protocols allow for this.
  • Terror (Score:3, Informative)

    by Lucky_Norseman (682487) on Friday October 22, 2004 @06:57AM (#10596539)
    A very very scary thought occurred to me.

    What if some terrorists connected such a transponder to an explosive device?

    Imagine placing a bomb in some public place. A bomb that is totally harmless until a certain number of american passports are in close proximity and then BOOOM!

    I hope someone in counter-terrorrism has thought of that and found a way to prevent it. If not they should do so ASAP.
  • Re:Law Enforcement (Score:3, Informative)

    by Mattcelt (454751) on Friday October 22, 2004 @07:02AM (#10596556)
    The problem is that the range is entirely dependent on the receiving equipment. These are only intended to be read from a few inches/cm away. But the way that RFID works leaves gaping holes for exploitation and abuse.

    Basically, an RFID "chip" is a passive, unpowered radio tranceiver. When it receives a radio transmission of a certain power level and frequency, the antenna resonates, inducing a current within the circuitry. This current is passed through filters - AND/OR/XOR/NOT gates or what not, I'm nott 100% sure - which are unique to the data contained on the chip. By this process, the output power levels and frequency can be modified in accordance with what information the implementers want to be transmitted back. (This is nearly identical technology to the proximity cards and readers many of us have used at work, parking garages, dormitories, etc.)

    The problem is, the chip will respond to any proper wavelength and dB, so there is no practical way (not yet anyway, though the technology is being developed for crypto-enabled RFID) to control to whom the chip will respond. This means that anybody can request the data contained on the chip (or perhaps more importantly, whether or not a chip is present!).

    What's more, the chip simply outputs a certain radio frequency which any radio receiver in the propagation sphere can receive. It's been demonstrated that a properly tuned and sensitive receiver can read the resulting broadcast from an RFID chip from several, if not tens, of meters away.

    There's a rather good article on the subject of RFID passports at Bruce Schneier's blog [schneier.com].
  • by Ingolfke (515826) on Friday October 22, 2004 @07:19AM (#10596617) Journal
    Wrapping a tag in aluminum foil blocks the radio waves and prevents a tag from being identified. -
    RFID Hack Could Allow Retail Fraud [eweek.com]

    Most of the concern seems to be around unauthorized person reading the RFID chip. According to this article blocking RFID chips is very easy to do if you have physical posession of the chip. Just wrap it in tinfoil. It would seem that someone would make a bag/box/pouch that would store your passport and protect it from being read w/o authorization. When you were in an area that required that you show your passport, the airport for example, you would just take the passport out of the bag. Sounds like a $19.95 solution to me.

    I guess if you took your passport out at the hotel or some other place like that you could be "vulnerable". Maybe this solution [wired.com] from RSA woul help?

    It does seem like the solution here is not to say "no RFIDs in the passports", but actually to ensure that there is a way to easily control when the tag is read. And there seem to be several solutions available.
  • Privacy Act of 1974? (Score:1, Informative)

    by Anonymous Coward on Friday October 22, 2004 @07:22AM (#10596632)
    I believe that an RFID tag in a passport is a potential violation of the Privacy Act of 1974, 5 U.S.C. 552a

    "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be--"


    IANAL

    Actually, it's just stupid. A contact-based chip is clearly better for the same purpose.

    Is this a case of the tail (RFID Industry) wagging the dog?
  • by R.Caley (126968) on Friday October 22, 2004 @07:32AM (#10596675)
    US passport authorities are indirectly forcing the rest of the world's governments to include biometrics in their passports

    And crap (well even more crap than the usual crapulatity of biometrics) biometrics at that. BBC report about tests of the system [bbc.co.uk].

    What I can't work out is the motive for enforcing face recognition biometrics. Human beings are so good at face recognition and machines so bad at it that it's hard to believe anyone would propose such a system unless there was some other payoff, but I can;'t think what it might be.

  • Re:RFID Worries... (Score:3, Informative)

    by Algan (20532) on Friday October 22, 2004 @07:46AM (#10596741)
    but who says that data is in the clear?

    Quote from the article:
    "Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries."

    Man, if some people would just RTFA, the world would be such a better place...
  • by Anonymous Coward on Friday October 22, 2004 @08:28AM (#10596943)
    I call BS. I can certify as a long-time resident of Texas that this has all the marks of "I totally made this shit up based on some Texas stereotypes I saw on TV" with (perhaps) a little, "I hate Bush and he's from Texas" thrown in.

    I grew up in Texas and continue to live there (in an oil-rich area, no less), and though I occasionally see people wearing cowboy hats and big belt buckles, I don't know any one personally who would.

    That bit about everything being bigger in Texas was a nice touch. Everyone who's been THROUGH Texas probably believes we all think that. All the gas station/gift shop places lining the interstates are filled with merchandise supporting that conclusion. But, again, I've never met anyone who actually cares. It's just tourist bologna.
  • Re:Tracking... (Score:3, Informative)

    by PaulGrimshaw (605950) <mail.paulgrimshaw@com> on Friday October 22, 2004 @08:51AM (#10597048) Homepage
    Although in england we have CCTV everywhere (including my shop), we also have the right to ask the shop to supply us with a copy of any footage of us. Its all under the data protection act. Paul.
  • by mikerich (120257) on Friday October 22, 2004 @08:58AM (#10597083)
    What I can't work out is the motive for enforcing face recognition biometrics.

    Well for the UK government the reason is 'because it's new and a very nice man from [insert name of big IT company] told us that everyone would want it next year.'

    The British government must be the World's largest consumer of bad IT projects - a magistrates' courts system that had to be abandoned, a procurement system for the Ministry of Defence that didn't procur, passports not being issued, tax refunds not paid, child support payments being delayed that people were left in poverty, an air traffic control that failed basic HCI requirements, the current NHS IT system which could work out so expensive there won't be money to treat patients...

    About the only good thing that can be said about the British government's ability to deliver IT is that the ID card system is probably going to be DOA.

    Best wishes,
    Mike.

  • Re:Bit OT but... (Score:3, Informative)

    by broller (74249) on Friday October 22, 2004 @09:38AM (#10597359)
    ...does anyone know where this idea came from in the bible...

    I did a bit of googling and came up with this page [apocalipsis.org]. It gives a few different theories and possible explainations, from seemingly credible sources.

    Search for "v16" on the page to find the beginning of the discussion about the mark.
  • by Dr.Knackerator (755466) on Friday October 22, 2004 @09:42AM (#10597414) Journal
    never thought about checking out chinatown then (about 1/4 north of there)? or any of the fabulous indian restaurants? next time get the tube or cab east to brick lane, fantasic selection of indian cuisine.

    stay out of chains or anything in very touristy area, they suck.
  • by dubious9 (580994) * on Friday October 22, 2004 @10:02AM (#10597576) Journal
    Ah, a *much* more believable story (than GP) ;). I love stupid turist stories. Anyway, in my travels its always Americans who are the stupid turists. I've hung with Aussies in Norway that would out drunk everybody (an expensive task when a pint will run you like $8) then still be curtious enough on the way home. Asians, well mostly Japanese in my experience, plan well, are quiet and know what to ask for, and almost as fun to drink with. Americans, are, well, loud. Here's some tips.

    1. Like I said, Americans are loud. If you don't want to stick out, shut up.
    2. Don't wear jewelery, especially in countries where it would be an obnoxious display of wealth, not to mention it automatically makes you a target.
    3. If you still want to blend in, don't wear shorts, plaid, flannel, sneakers, or baseball caps. In some countries jeans too, but especially in Europe bluejeans are a fashion statement so your cut up old Levi's won't cut it ;). You'll still stick out, but not as much. Really. In some countries you can pick out Americans from a hundred yards away.
    4. Say you're from Canada if you get into a sticky situation. Most anti-Americanism is directed at the government, but alot is not. It may sound funny, but seriously, and especially if you drink (alcohol+antiAmericanism=not good), you can diffuse a potentially explosive situation if you say you're from Canada. Eh?
    5. Ask a travel agent. I know they're quickly becoming a thing of the past (with on-line booking), but they know what they're talking about. They'll have a lot better tips then I'll ever have.
    6. Learn metric. You automatically sound much smarter. If you frequent pubs as much as I like to do (ok I'm a lush), people will ask you were you are from and then how far it is away from a major city. Pittsburgh? Oh maybe 500km west of Philadelphia. Don't know philly? 200km southwest on NYC. Just ballpark it. And when getting directions be prepared to hear meters.
    7. Be careful of colloquialisms, people won't understand you. Use plain language.
  • by HuskyDog (143220) on Friday October 22, 2004 @10:04AM (#10597583) Homepage
    you *never* have to give fingerprints in the UK unless you've been caught breaking the law

    Not strictly true. In the UK you can be made to give your fingerprints if you are arrested. That is not the same as being caught breaking the law, since plenty of innocent people get arrested. Now, once upon a time this didn't matter a great deal, since the police could only keep your prints if you were subsequently convicted and since most innocent people who are arrested are not convicted the odds were that your prints would be destroyed.

    However, all that changed when Blair and his cronies got into power. First, (a few years ago) the law was changed so that your prints were kept if you were charged. Yes, that's right. You go to court, the jury says "Not guilty" and the police still keep your prints on file! When I was a lad, if you were found not guilty it meant that you hadn't done the crime. Now the government assumes that you did commit the crime, but they just can't prove it.

    Many of us thought it couldn't get worse, but we didn't count on jackboot Blunket who has now allowed the police to keep the prints of anyone who is arrested. Since the police can arrest anyone they want for practically anything, they can now get and keep the prints of anyone they don't like the look of.

    Of course, this is all a moot point since Blunket's proposed compulsary ID card scheme will use fingerprints. Now, when I first heard about this I assumed that they would record perhaps two or three fingers from each person like we do for the readers on some of the secure computers at work, but no, apparently the trials currently being run involve taking all ten prints. Funny that!

  • by lcsjk (143581) on Friday October 22, 2004 @10:08AM (#10597619)
    Last year I worked on designing a longer range RFID for a custom project at a University. Here is some info on RFID.

    The simplest RFID is the magnetic foil in the "don't steal me" package in stores. It has no information, but just notes that "I'm here" by absorbing some power from the transmitter.

    The "smart" RFID with information to send back, receives power from the external interrogator transmitter, turns on, decodes up to 128 bits (privacy) from the incoming signal to determine if it should respond, reads some or all of its memory, and responds as requested. The amount of memory is not limited, so fairly detailed pictures could be there. Units that turn on like a radio receiving signals need a battery. They can potentially transmit longer distances since they contain their own transmitter.

    Circuits on the device must protect from too much received power and turn off until the power decreases.

    The range is based on the frequency and the size of the receiving and /transmitting coil along with the method of operation. Passive types modulate the received signal by drawing power from it. Larger antennas are needed for longer distances, and that is the reason for the big antennas you walk through next to doors in stores. Units with their own battery can transmit further, but are limited by battery life.

    There is obviously a lot more to this, but I just wanted to give a little more information.

  • by Anonymous Coward on Friday October 22, 2004 @10:41AM (#10597949)
    Please don't say your from Canada. It just makes Canadians look bad. Plus, very few people would fall for the switch, I mean if you are Canadaian, you probably weren't being such an ass that you needed to tell anyone that you weren't American in the first place. We certainly have our share of dicks, but even they tend to be polite dicks, especially when traveling.
  • by Anonymous Coward on Friday October 22, 2004 @11:02AM (#10598160)
    Including (optional) anti-skimming measures and PKI.

    Here [icao.int]

    Now go and read into it.
  • by Anonymous Coward on Friday October 22, 2004 @11:42AM (#10598596)
    When I leave the country, I expect to give up my privacy. It's a reasonable tradeoff.

    That is not a reasonable tradeoff to me. If you want to make that tradeoff for yourself, fine, but the government forcing everyone else to make that trade-off makes the country a prison for people who want privacy. The nation's founders fought and died specifically for freedom from excessive government searches among other things. You might as well be pissing on their graves by what you say. Thanks to them, saying it is your right, but, it's disgusting to see a stooge unwittingly pissing away what they fought for you to have.

    My government carefully watching, screening, and fingerprinting its own citizens is unconscionable.

    Wake up! Fingerprints are now required for drivers licenses in California, Colorado, Georgia, Hawaii and Texas. California and Texas are over a fifth of the US population.

  • Don't buy it (Score:3, Informative)

    by deblau (68023) <slashdot.25.flickboy@spamgourmet.com> on Friday October 22, 2004 @12:17PM (#10599018) Journal
    I do believe RFID will make passports harder to forge. That seems clear enough. But why broadcast your name and address? Why not broadcast something like the passport number? Without looking at the info on the inside, they may be able to track you by number, but not get your name, address, or other personally identifying information without the kind of work that they'd have to do right now to get that information. In addition, countries could store databases of just the passport numbers that they want to watch (or pass thru), without the associate personal data. Everyone not in the database gets the standard interview questions.
  • Re:ID... (Score:2, Informative)

    by ProfFalcon (628305) <slashdot.org@cmu ... m minus caffeine> on Friday October 22, 2004 @01:24PM (#10599750)
    RFID is sending out a number only. It is the serial number of your passport. The reader would then have to look this number up in a database for any info. RFID does not and can not send "name, age, photo and home address".

    Despite my knowing that an RFID is sending only the serial number (and only for a few inches and no further), I am still against this. It provides little, if any, benefit and opens up additional levels of exploitation.

    With these new, so-called "safeguards" in place, the customs agents could get to trust that when they see their database show up with the same information as is on the passport that they are looking at the proper person. It offers nothing but a false sense of security. False senses of security are often exploited.
  • Re:ID... (Score:2, Informative)

    by Xoro (201854) on Friday October 22, 2004 @02:36PM (#10601047)

    RFID is sending out a number only. It is the serial number of your passport. The reader would then have to look this number up in a database for any info. RFID does not and can not send "name, age, photo and home address".

    FTFA:

    The RFID passport works like a high-tech version of the children's game "Marco Polo." A reader speaks out the equivalent of "Marco" on a designated frequency. The chip then channels that radio energy and echoes back with an answer.

    But instead of simply saying "Polo," the 64 Kb chip will say the passport holder's name, address, date and place of birth, and send along a digital photograph.

    While none of the information on the chip is encrypted, the chip does also broadcast a digital signature that verifies the chip itself was created by the government. Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries.

    That's not at all what it sound like to me.

There is no distinction between any AI program and some existent game.

Working...