Advertisement

Archive for Sunday, July 12, 2009

Chips in official IDs raise privacy fears

July 12, 2009

Advertisement

A driver holds up a NEXUS identification card April 9 at a border crossing from Canada into the United States in Blaine, Wash. The NEXUS card, with an embedded radio frequency identification, or RFID, chip that can be read up to 20 feet away, allows pre-screened travelers expedited processing though dedicated traffic lanes between the U.S. and Canada, as well as airports and marine locations.

A driver holds up a NEXUS identification card April 9 at a border crossing from Canada into the United States in Blaine, Wash. The NEXUS card, with an embedded radio frequency identification, or RFID, chip that can be read up to 20 feet away, allows pre-screened travelers expedited processing though dedicated traffic lanes between the U.S. and Canada, as well as airports and marine locations.

EDITOR’S NOTE — This story, part of a series on the growing industry of radio frequency identification technology and its impact on business, government, health and personal privacy in America, explores its use in passports and driver’s licenses.

Climbing into his Volvo, outfitted with a Matrics antenna and a Motorola reader he’d bought on eBay for $190, Chris Paget cruised the streets of San Francisco with this objective: To read the identity cards of strangers, wirelessly, without ever leaving his car.

It took him 20 minutes to strike hacker’s gold.

Zipping past Fisherman’s Wharf, his scanner downloaded to his laptop the unique serial numbers of two pedestrians’ electronic U.S. passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he’d “skimmed” four more of the new, microchipped PASS cards from a distance of 20 feet.

Increasingly, government officials are promoting the chipping of identity documents as a 21st century application of technology that will help speed border crossings, safeguard credentials against counterfeiters, and keep terrorists from sneaking into the country.

But Paget’s February experiment demonstrated something privacy advocates had feared for years: That RFID, coupled with other technologies, could make people trackable without their knowledge.

He filmed his heist, and soon his video went viral on the Web, intensifying a debate over a push by government, federal and state, to put tracking technologies in identity documents and over their potential to erode privacy.

‘Little brother’

Putting a traceable RFID in every pocket has the potential to make everybody a blip on someone’s radar screen, critics say, and to redefine Orwellian government snooping for the digital age.

“Little Brother,” some are already calling it — even though elements of the global surveillance web they warn against exist only on drawing boards, neither available nor approved for use.

But with advances in tracking technologies coming at an ever-faster rate, critics say, it won’t be long before governments could be able to identify and track anyone in real time, 24-7, from a cafe in Paris to the shores of California.

On June 1, it became mandatory for Americans entering the United States by land or sea from Canada, Mexico, Bermuda and the Caribbean to present identity documents embedded with RFID tags, though conventional passports remain valid until they expire.

Among new options are the chipped “e-passport,” and the new, electronic PASS card — credit-card sized, with the bearer’s digital photograph and a chip that can be scanned through a pocket, backpack or purse from 30 feet away.

Alternatively, travelers can use “enhanced” driver’s licenses embedded with RFID tags now being issued in some border states: Washington, Vermont, Michigan and New York. Texas and Arizona have entered into agreements with the federal government to offer chipped licenses, and the U.S. Department of Homeland Security has recommended expansion to non-border states. Kansas and Florida officials have received DHS briefings on the licenses, agency records show.

The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at Homeland Security, but “to verify that the identification document holds valid information about you.”

An RFID document that doubles as a U.S. travel credential “only makes it easier to pull the right record fast enough, to make sure that the border flows, and is operational” — even though a 2005 Government Accountability Office report found that government RFID readers often failed to detect travelers’ tags.

Vulnerable to attacks

Critics warn that RFID-tagged identities will enable identity thieves and other criminals to commit “contactless” crimes against victims who won’t immediately know they’ve been violated.

Neville Pattinson, vice president for government affairs at Gemalto, Inc., a major supplier of microchipped cards, is no RFID basher. He’s a board member of the Smart Card Alliance, an RFID industry group, and is serving on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.

In a 2007 article published by a newsletter for privacy professionals, Pattinson called the chipped cards vulnerable “to attacks from hackers, identity thieves and possibly even terrorists.”

RFID, he wrote, has a fundamental flaw: Each chip is built to faithfully transmit its unique identifier “in the clear, exposing the tag number to interception during the wireless communication.”

Once a tag number is intercepted, “it is relatively easy to directly associate it with an individual,” he says. “If this is done, then it is possible to make an entire set of movements posing as somebody else without that person’s knowledge.”

Echoing these concerns were the AeA — the lobbying association for technology firms — the Smart Card Alliance, the Institute of Electrical and Electronics Engineers, the Business Travel Coalition, and the Association of Corporate Travel Executives.

Meanwhile, Homeland Security has been promoting broad use of RFID even though its own advisory committee on data integrity and privacy issued caveats. In its 2006 draft report, the committee concluded that RFID “increases risks to personal privacy and security, with no commensurate benefit for performance or national security,” and recommended that “RFID be disfavored for identifying and tracking human beings.”

For now, chipped PASS cards and enhanced driver’s licenses are not yet widely deployed in the United States. To date, roughly 192,000 EDLs have been issued in Washington, Vermont, Michigan and New York.

But as more Americans carry them “you can bet that long-range tracking of people on a large scale will rise exponentially,” says Paget, a self-described “ethical hacker” who works as an Internet security consultant.

Comments

mutualrespect37 4 years, 9 months ago

Right now these chips are being used in passports by most European Union countries, including the U.S. It's possible they could sooner or later replace scanning devices in stores and be embedded in the products we buy. They also might be added to credit cards to track our purchasing habits or even be implanted within the human body. Already something similiar is being used to identify pets. On issue is that they apparently can be read at a much further distance than advertised. I think a new personal identification number (pin) system is in the works to address the problem of unauthorized use. These RFIDs add a new and potentially frightening and invasive dimension to surveillance technology. Currently a key snag is identity theft.

0

Kryptenx 4 years, 9 months ago

Oh, no! Mark of the beast, 666! Quick, grab my tinfoil hat before the Commies invade my brain with their mind control techniques!

STRS: Lmao, how can you troll around for strict ID checks at voting places and then turn around and bash methods to make ID checks quicker? How does your party, the party of "fiscal responsibility", plan to pay for all the extra labor to pay poll workers for checking validity and authenticity of the ID of every single voter in America? Since you're against RFID so much, just how do you plan to implement such a policy efficiently?

0

notajayhawk 4 years, 9 months ago

SettingTheRecordStraight (Anonymous) says…

"bozo, I know you went to public schools, but even you're smart enough to distinguish ..."

Pretty big leap of faith there, STRS.


You can be tracked by your cell phone. You can be tracked by the LoJack in your car. There are any number of ways we allow our identity, location, & movements to be tracked every day. Most people are aware of this and have no problem with it - it's a minor trade-off against the convenience and benefits provided by those devices. While many people will whine about this non-issue, if they stopped doing it and the lines at the border crossings got longer again, people would be clamoring for the return of the chips.

0

SettingTheRecordStraight 4 years, 9 months ago

bozo,

I know you went to public schools, but even you're smart enough to distinguish between a legitimate need for voters to prove their identities and a push for big government to track our every move.

0

Commenting has been disabled for this item.