RFID Passports Raise Safety Concerns

CurtMonash writes "CNNMoney.com features a skeptical article about the US State Department's plans to soon issue RFID passports (currently being tested on State Department employees). One fear is that they can be hacked for information about you. And even if they can't, carrying around a little transmitter saying 'I'm an American! I'm an American!' isn't a fun and safe thing to do in all parts of the world." From the article: "Basically, you've given everybody a little radio-frequency doodad that silently declares 'Hey, I'm a foreigner,' says author and futurist Bruce Sterling, who lectures on the future of RFID technology. 'If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.'"

yeah

[dolson (634094)]

Yeah, that is important because I know when Americans visit say, China or India, they can blend right in with everyone else if they don't have that transmitter.

Re:yeah

[by Anonymous Coward]

Americans aren't the only caucasians out there. RFID nicely allows somebody to identify the hated Americans from the nice Canadians (and most Europeans).

Re:yeah

[MrShaggy (683273)]

And being said Canadian, I am all for making it much easier to spot the difference. GO BUSH GO!

Re:yeah

[afidel (530433)]

According to Schneier [schneier.com] the State Department already plans (and has since sometime last year) to include a RF shield so the chip can only be read while the passport is open and they are encrypting the data on the RFID.

Re:yeah

[feepness (543479)]

Of course the Estadounidenses dont know that because they are happy drinking Tequila and dancing until they fall in their expensive (not a lot for them of course) hotels and "Planet Hollywod" and "Hard Rock Cafe" (I have always wondered *why* do they bother to travel to Cancun if they are going to get into the same places they have in the USA).

Plus I hear they constantly stereotype people from other countries! Stupid Americans!

Sorry, but you don't sound like someone it's particularly worthwhile being "real" friends with. Tell me, how do you treat your "fake" friends? What if I'm one of them and don't know it? Guess I don't need to worry about either, being born in the wrong country and all.

Re:yeah

[Otter (3800)]

As cherished as this notion is among Canadians in particular (after all traveling the world with an enormous maple leaf on your pack and every article of clothing is just the epitome of class and good taste), I've been to four continents in the last year and a half, and have never encountered a shred of anti-Americanism. This whole issue is nonsense driven by 1) idiot Americans who have never left the country, 2) idiot Americans projecting their own disdain for their neighbors onto foreigners and 3) Canadians. Anyway, even if you're concerned about this stuff, why not travel, make a good impression and improve the US's image.

Meanwhile I see some guy here (you'll never guess from what country!) spinning a story of Americans pretending to be Canadian ON A CARIBBEAN FREAKING CRUISE! I'm sorry, if you're that stupid, don't leave home.

Re:yeah

[call -151 (230520)]

Two things:

1) Most people in Europe, Austalia, NZ and Asia that I have met realize that the Americans that they are likely to meet are not the ones who voted for Bush. The coasts have a much higher density of passport holders than the "Heartland," for example. (Active passport holders favored Kerry to Bush 58% to 35% [zogby.com].)

2) The "obnoxious American" stereotype is partly a result of biased sampling. If there are two Americans somewhere, and one is a fat, obnoxious, non-local-language speaking lout with a Hawaiian shirt and a camcorder and the other is a quiet, sensible, local-language speaker, the locals may not even notice that the second is an American, let alone remember the encounter. I am an American, and when I am in Europe, I am frequently mistaken as being Dutch, perhaps because I have a beard, a bicycle and can communicate passibly in any one of about five standard European languages, even if I don't happen to speak the local language. I also usually do not go out of my way to correct this misconception...

Re:yeah

[aclark (5494)]

In that case you either didn't go to Europe, or else you did and walked around with your eyes, ears and mouth shut.

I'd have to say that walking around with your mouth shut, or at least under control, is a pretty good way to avoid looking like an idiot anywhere you go. It saves you from making yourself (and the country you represent) look like an ass.

Having just come back from Europe (Rome, Nice, Paris & London), as an American (from Texas no less), I had nothing but good experiences with everyone I met. I can't say the same about the other idiot Americans who also happened to be staying at my hotel. In typical movie fashion they got louder and louder as the unfortunate hotel clerk tried to help them find a restaurant to eat at late at night. The more she had trouble understanding them they just got more irritated, annoying and bigoted. Standing there at the counter I felt so ashamed.

This isn't to say that Americans don't have a negative image in the world, but overall, people are smart and realize that not everyone conforms to the stereotype. My advice is to remember that you're not at home when you travel. Things don't go according to plan. Understand that you will have a hard time making yourself understood, but be polite. Don't leave the country if you're a rude, pompous, arrogant asshole (or leave and don't come back).

Save tinfoil hat for passport

[f0dder (570496)]

So if I wrap my RFID laden passport in tinfoil I am safe right? right?

Re:Save tinfoil hat for passport

[alanxyzzy (666696)]

Bruce Schneier thinks that it will be OK [schneier.com]

...

The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security.

Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea.

...

Even if it can be hacked?

[blindbug (979761)]

One fear is that they can be hacked for information about you. And even if they can't...

It can... and it will be... period.

RFID security

[joe 155 (937621)]

I know that having your personal data stolen isn't any fun, it'll be worse if they put biometric data in there as well (I don't know what data the US passports currently have, in the UK we'll be having that put in soon). but for me a bigger concern is that they can be infected with a virus, which could quite easily be used to cause havok with the computers at airports and possibly bring the whole system down... the register reported on the proof of concept here: http://www.theregister.co.uk/2006/03/15/rfid_tags_ infected_by_virus/ [theregister.co.uk]

Just one more justification...

[ralf1 (718128)]

For my new lead lined briefcase. Who cares if it weighs 125 pounds.

What's the range?

[gasmonso (929871)]

How far are you broadcasting in the first place? If its like 10 feet who cares? Now in good practice, whenever I travel I leave my passport in the safe at the hotel. Not really a good idea to walk around with it ;)

http://religiousfreaks.com/ [religiousfreaks.com]

I am a free man

[LiquidCoooled (634315)]

Barring the bloody obvious target painted on you, they say in the article:

They'll have radio frequency identification (RFID) tags and are meant to cut down on human error of immigration officials, speed the processing of visitors and safeguard against counterfeit passports.

Human error will still occur in whichever system a human is involved in.

Couldn't they get all the same benefits with a simple barcode?
Does the RFID hold just your ID number for lookup on the database or is the RFID part now full identification?

I hope this doesn't go ahead (like the UK now isn't going ahead with its ID scheme) because whilst RFID might make tracking warehouse stock easy, its not great for humans.
Just because the technology exists doesn't mean we should use it for everything.

Is This Madness?

[blueZhift (652272)]

Surely they cannot be unaware of how this could be exploited by those wishing to do harm to Americans, therefore I can only reach the conclusion that rfid passports are being pushed as a way for the government to ultimately track people in general. It would begin with being able to track foreigners and later as rfid makes its way into things like driver's licenses and auto plates, it could be used to track citizens. This is probably a goal of governments everywhere these days. First they'll tell you it's to stop terrorists, but with a flick of the switch, tracking citizens will be a breeze. I know the effective range is pretty short, but I can imagine that it would not be too hard for the government to build out an effective network, certainly in the most densely populated cities. It might even be able to piggy back on cell phone tower locations, so ordinary people wouldn't even know it was there. Ironically, true terrorists will be able to easily defeat this kind of tracking.

Good Business Opportunity

[Dr_LHA (30754)]

This gives me a great idea for a new business opportunity! Sell RFID tags to American tourists that broadcast to the world "I AM A CANADIAN".

Get yours now!

[Chris Pimlott (16212)]

US passports are good for 10 years from the date of issue. Get or renew yours now, before RFID becomes required.

Why RFID and not smart cards?

[BeBoxer (14448)]

I just do not understand the insistance/fascination with RFID in this case. Think about the situation when these RFID's are supposed to be used. You are entering a country via immigration, and you hand your passport to the immigration agent. There is no need and no benefit to involving a radio. The agent could just as easily slip your passport into a reader which uses actual metal contacts as wave it over the RFID scanner. It would probably cost less, and would have none of the security concerns (valid or not) that the RFID chips have.

I can only think of two possibilities. One is just good old fashioned corruption. It's no secret that the GOP has pretty much put a 'For Sale' sign out front of the Capital, so it may just be a way to send a bunch of money to a valuable 'doner'. Or they have some requirement which needs RFID, but is being kept secret.

I suppose they could almost completely automate letting US citizens back into the country. Will I be able to use my RFID passport to scan in to the country just like I do with my work badge to get into the machine room or co-lo? I can see benefits for having an express lane at immigration for citizens with RFID passports so we don't have to wait behind all the riff-raff :-) Just walk up to the gate, wave your passport at it, and 'beep', you're back in the country.

Re:Confused?

[Mayhem178 (920970)]

As I understand it, RFID cards don't do anything until they're exposed to an electromagnetic field, which gives them just enough juice to fire off a message, usually an identity code. Unless I've been completely misinformed, you'd have to generate quite the field to even have a chance of reading one of these things at a distance. I know that my RFID card doesn't work until it's within a coupla inches of the appropriate reader.

The whole "it's broadcasting all of your personal information!!!!" hype is a bunch of FUD. The only way it could really be a security risk is if the card itself was stolen, and then it's really no different than having your S.S. card or driver's license stolen.

Re:Confused?

[Bastian (66383)]

You have it right. I used to go to a school which used RFID keycards to open doors. In that particular case, it wasn't even a matter of inches - the card had to be within about two centimeters of the reader.

It would take a heck of a lot more juice than what those readers put out to make something that's actually useful for reading these passport chips remotely. Assuming the effective range on the readers I've used was exactly 2cm, the inverse square law tells us that doubling the power my chip out (and keepin the reader's receiver at the same power) would increase the range to 2.83cm, quadrupling it would get us to 4cm, octupling it would get us up to 5.66cm. . . and by the time you get to the point where a potential passport snooper isn't making himself *really* suspicious by running around an airport waving his briefcase next to everyone's baggage, you've got yourself quite an RFID reader. And then you throw on the shielding that's being put into these RFID passports and it's back to square one.

Not saying it's impossible to make a device that effectively identifies Americans by their passports, just saying that everyone should probably put their tinfoil hats on now because a device like that would probably give you one heck of a headache.

Re:Confused?

[katsiris (779774)]

Since RFID tags use the transmitting signal to send a reply, the strength and therefore distance that it will transmit or echo is dependant largely on the signal of the detector. Obviously the tags themselves can't rebroadcast an infinitely large signal, but the fact that you needed to get close to the doors at your school is a design feature of the doors and not a limitation of the technology. After all, they don't want doors unlocking just because someone is walking by...

Re:Confused?

[Shaper_pmp (825142)]

It's only passive until you bring it within range of a receiver.

That's secure in the same way as an object that's only invisible until you look at it, or a door that's only locked until you try the handle.

Passive RFID chips are likely harder to detect at range than active ones (for obvious reasons), but no-one's answered the question yet: Why do we need ranged querying at all?

Much, much safer would be a normal smart-card chip (like the one in your credit card) that requires physical contact to read anything. Frankly, once somone's got their hands on your passport it doesn't matter if it's a smart-card or normal paper one - they can easily find out things about you from it (or just nick it) at that point.

Allowing ranged querying seems to offer no really compelling benefits, and opens up a whole can of worms on issues like personal security, remotely tracking/identifying people without their knowledge, you name it.

Re:What happens if the RFID doesnt work

[jcupitt65 (68879)]

The UK's ID card regulations include a £1,000 fine if you know your card to be defective but do not report it :-(

You will be required to attend an enrolment centre with some form of identifying material - bank statements, credit cards, driving licence or birth certificate, who knows what. Then you will be fingerprinted, photographed and the iris in your eye will be measured. You will give the authorities 49 pieces of information about yourself. If you don't, you may be fined up to £2,500. Additional fines of up to £2,500 may be levied every time you fail to comply.

If you fail to inform the police or Home Office when you lose your card, or if it becomes defective, you face a fine of up to £1,000. If you find someone else's card and do not immediately hand it in, you may have committed a criminal offence punishable by imprisonment for up to two years, or a fine, or both. And you will be fined £1,000 if you fail to inform the NIR of any change of address. You will also be expected to tell the authorities your previous addresses. Truly the government will be able to say with all the menace of the underworld enforcer: "We know where you live."

If you don't inform the register of significant changes to your personal life, or any errors they have made, you will face a fine of up to £1,000. Astonishingly, you may also face a fine if you fail to submit to being reinterviewed, rephotographed, refingerprinted and rescanned.

http://www.guardian.co.uk/g2/story/0,,1817436,00.h tml [guardian.co.uk]

Re:endangering civilians

[MCraigW (110179)]

Using RFID for passports is not only stupid but completely irresponsible. It would put anyone in danger, especially traveling abroad. It doesn't take alot of brains to imagine the worst how this can be exploited by terrorists and rogue forces. Hopefully our government will recognize and stop this crazy proposal in time.

As I stated in an earlier post, Austrailia, New Zealand and Singapore already have RFID passports. The information that can be obtained from the chip is encrypted, and will only be readable using the public-key which is encoded in a machine readable format inside the passport http://www.dfat.gov.au/dept/passports/ [dfat.gov.au]. The plan in the U.S. is the to do the same thing, as well as putting a metal lining in the cover of the passport so that the RFID cannot be read when the passport is closed. See http://www.aimglobal.org/members/news/anmviewer.as p?a=394&print=no [aimglobal.org]