US government warned off RFID passports

A plan by the US government to add RFID chips to ID cards has been criticised as a risk fo security and privacy.


A plan by the US government to add RFID chips to ID cards has been criticised as a risk to security and privacy.

The proposed cards would be needed by residents who don't have passports for verifying their identity at land and sea border crossings.

But the Smart Card Alliance, a non-profit industry body representing several large vendors of smart-card and RFID technologies, has formally urged the government to reconsider using RFID in the cards, because of security and privacy concerns.

The response came following an 17 Octover notice in the Federal Register in which the US Department of State announced plans to use RFID chips for a proposed new passport card to be issued as part of the Western Hemisphere Travel Initiative, or WHTI.

Under WHTI, all Americans traveling to Mexico, Canada, the Caribbean and Bermuda will be required to show some form of personal identification approved by Department of Homeland Security when entering the US. The identification could be in the form of a passport or the proposed new passport card and is intended to shore up security at the nation's borders. Passengers traveling by air between the different countries will be required to show such proof of identity starting 1 January 2007 while those travelling by land and sea have until January 2008.

In its notice, the State Department said it would use "vicinity read" RFID technology in the cards rather than the "proximity read" contactless smart-card technology being incorporated into new ePassports. The goal is to have credit-card-size passport cards that can be read from at least 20 to 30 feet away by customs and border-protection officials to speed up the authentication process.

There are several problems with that approach, said Randy Vanderhoof, executive director of the Smart Card Alliance. For instance, long-range RFID technologies are vulnerable to snooping and forgery, Vanderhoof said. Cards built using such chips will have no built-in security features for verifying their authenticity, he added. In contrast, the contactless smart cards used in ePassports support encryption and digital certificate technologies for securing data and verifying authenticity. Because that technology differs from what is being used in the ePassports, US border infrastructures will need to be updated, Vanderhoof explained.

An equally big concern is the potential privacy threat posed by RFID-enabled cards, said David Williams, vice president for policy at Citizens Against Government Waste (CAGW) in Washington. While there is a need to enhance border security, "we do not believe RFID is the best way to do this," Williams said. People carrying such RFID-enabled identity cards could unknowingly be exposed to greater surveillance, he said. Individuals with such cards are also likely to have less control over when they want to be identified and what information is read, stored and shared. "With other forms of identification, you literally have to pull your card out of your wallet. With RFID, you don't know when it is being accessed," Williams said.

Those concerns prompted CAGW to send a letter to the DHS this week urging its Data Privacy and Integrity Advisory Committee to pass an earlier sub-committee draft report that recommends against the use of RFID for personal identification. In that report [pdf], released in May, the DHS sub-committee had argued that RFID use could marginally reduce delay times at borders and checkpoints but carried several risks, including the potential for increased surveillance and erosion of privacy and anonymity.

"In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes," the report noted. "In a radio ID-check environment, by contrast, a person's entry into a particular area can easily be recorded and the information permanently stored and repeatedly shared."

The DHS subcommittee is scheduled to meet Wednesday to discuss the issue.

"Recommended For You"

It's the database, stupid Electronic passports have fatal RFID security flaw