17 December 2006


For months I've been reading about these new passports. And for months I've been meaning to go get a passport, in hopes of getting the old kind. I'm probably already too late.

The new passports have RFID chips in them. RFID stands for radio frequency identifier. An RFID chip is a small device which transmits short-range signals which uniquely identify the transmitter. This sort of thing has been used for years for stuff like electronic toll collection systems. You have an RFID transmitter in your car so that you can roll through the toll booth without stopping to pay. The toll booth electronically records your passage, and you get billed later.

Unfortunately, RFID raises all kinds of security and privacy concerns. RFID tags are useful, because they can be read so easily. No physical connection (like swiping a credit card or ID badge) is required: proximity is sufficient for an information exchange. But this means the information can be collected by someone other than the intended recipient. It's been shown over and over again that information stored in RFID tags can be read surrepticiously with inexpensive, off-the-shelf equipment. A recent example involves RFID chips in sneakers.

And now they're putting these things in passports, and the same kinds of remote information retrieval have been demonstrated. Government agencies implementing these technologies say that it's safe. But what else are they going to say? They've invested a lot of money in these systems, so they're not necessarily objective or fothcoming.

One of the things in my job that really annoys me is the "Ooooh, shiny!" mentality: people see something new, and they want it just because they thing it's cool, not necessarily because it's a good idea. This is the feeling I get about RFID in passports. I think people are jumping on a bandwagon without taking the time and effort to do reasonable risk analysis.

A number of interesting RFID countermeasures have surfaced:
Bruce Schneier has a good write-up about the new passports.

No comments: