RFID Passports
<http://www.schneier.com/blog/archives/2004/10/rfid_passports.html>
Since 9/11, the Bush administration -- specifically, the Department of
Homeland Security -- has wanted the world to standardize on
machine-readable passports. Future U.S. passports, currently being
tested, will include an embedded computer chip. This chip will allow
the passport to contain much more information than a simple
machine-readable character font, and will allow passport officials to
quickly and easily read that information. That's a reasonable
requirement, and a good idea for bringing passport technology into the
21st Century. But the administration is advocating radio frequency
identification (RFID) chips for both US and foreign passports, and
that's a very bad thing.
RFID chips are like smart cards, but they can be read from a
distance. A receiving device can "talk" to the chip remotely, without
any need for physical contact, and get whatever information is on
it. Passport officials envision being able to download the information
on the chip simply by bringing it within a few centimeters of a reader.
Unfortunately, RFID chips can be read by any reader, not just the ones
at passport control. The upshot of this is that anyone carrying around
an RFID passport is broadcasting his identity.
Think about what that means for a minute. It means that a passport
holder is continuously broadcasting his name, nationality, age,
address, and whatever else is on the RFID chip. It means that anyone
with a reader can learn that information, without the passport holder's
knowledge or consent. It means that pickpockets, kidnappers, and
terrorists can easily -- and surreptitiously -- pick Americans out of a
crowd.
It's a clear threat to both privacy and personal safety. Quite simply,
it's a bad idea.
The administration claims that the chips can only be read from a few
centimeters away, so there's no potential for abuse. This is a
spectacularly naive claim. All wireless protocols can work at much
longer ranges than specified. In tests, RFID chips have been read by
receivers 20 meters away. Improvements in technology are inevitable.
Security is always a trade-off. If the benefits of RFID outweigh the
risks, then maybe it's worth it. Certainly there isn't a significant
benefit when people present their passport to a customs official. If
that customs official is going to take the passport and bring it near a
reader, why can't he go those extra few centimeters that a contact chip
would require?
The administration is deliberately choosing a less secure technology
without justification. If there were a good reason to choose that
technology, then it might make sense. But there isn't. There's a
large cost in security and privacy, and no benefit. Any rational
analysis will conclude that there isn't any reason to choose an RFID
chip over a conventional chip.
Unfortunately, there is a reason. At least, it's the only reason I can
think of for the administration wanting RFID chips in passports: they
want surreptitious access themselves. They want to be able to identify
people in crowds. They want to pick out the Americans, and pick out
the foreigners. They want to do the very thing that they insist,
despite demonstrations to the contrary, can't be done.
Normally I am very careful before I ascribe such sinister motives to a
government agency. Incompetence is the norm, and malevolence is much
rarer. But this seems like a clear case of the government putting its
own interests above the security and privacy of its citizens, and then
lying about it.