Wednesday, July 26, 2006

Proximity Passport Perception Problems Persist

Image Credit: theducks.org/© 1995-2006 Alex Dawson

Radio Frequency Identification (RFID) enabled passports have many inherent benefits, however, some fears of identity theft and other potential information breech perceptions exist.

The confusion and concerns about the potential of anyone being able to retrieve private, personal information "from a distance" may just be a matter of education - says an ABI Research Report.

Excerpts from eWEEK -

Report: DHS Should Soothe RFID Passport Fears
The upcoming U.S. e-passports are still giving rise to privacy concerns; ABI Research recommends that the government speak up about the technology.
By Renee Boucher Ferguson - eWEEK - July 25, 2006


There is a lot of miscommunication regarding the security and privacy of the U.S. government's new RFID-based e-passports, according to ABI Research Analyst Sarah Shah.

ABI Research released a report July 25 that suggests that the Department of Homeland Security, which will issue the e-passports in conjunction with the State Department starting in August, should speak out to reassure the public about the safety of contactless technologies.

The U.S. government plans to implement contactless technology, which is essentially data transmission that is activated by waving a reader over an RFID (radio-frequency identification) chip that has a tiny embedded antenna, in all electronic passports by the end of 2006.

"There are uneducated claims being made by some privacy advocates," said Shah, in Oyster Bay, N.Y. "They make claims such as, 'If you have a contactless chip in your passport [the government] can track you everywhere and they'll know everything about you.' This is simply not true, and the DHS should publicly explain what the technology is capable of, and why it's secure."

Since the State Department announced in 2005 that it would issue RFID-chipped passports by the end of 2006 to all passport agencies, security and privacy advocates have been up in arms.
The concern is that the data stored on the chips - including name, address, nationality and date of birth—will be accessible not only to customs agents, but to anyone with the wherewithal to hook up a reader and go scanning (or skimming, as the case may be) for information. The tiny silicon-based RFID chips that will be embedded in the passports themselves contain embedded antennas, which transmit data once a specially designed RFID reader is waved in front of it. One issue is the range at which the readers can access data.


"Our concerns extend beyond the passports," said privacy advocate Katherine Albrecht, co-author of "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID," during a May 26 interview with eWEEK. "At a recent conference calling for RFID tags in identity documents [some speakers] were talking about the tags being read from 20 to 30 feet away. We were actually quite stunned by that."

Kevin Ashton, the co-founder of MIT's Auto ID-Labs, the research center that essentially founded a global RFID network and standard that has since become EPCglobal, is against the idea of using RFID chips in passports.

"The idea of storing all this sensitive data [in passports] is horrible. You can take the chip off one passport and stick it on another. No one will know the difference," said Ashton, now vice president of marketing at ThingMagic, in Cambridge, Mass., and a professor teaching RFID classes at MIT. "My big issue is it is truly a stupid idea to store any information on an RFID tag other than a unique number. Otherwise there is always the risk of data change."

Ashton suggested that the way the e-passport's RFID technology should work - if it has to be there at all - is to have a chip that stores a unique number that can only be authorized by those people who should have access to it. The number would refer back to data stored in a secure database. The only information anyone should be able to find on the passport, he said, is a photo.

----
Bruce Schneier, a well-known security technologist and author, said during a May 26 interview with eWEEK that eavesdropping will only get easier.

The DHS has implemented some security and privacy devices on the e-passport chips: a metal shielding device on the passport's front cover that prevents the data from being read when it's closed, and BAC [basic access control] technology to prevent skimming and eavesdropping of data. Schneier said the precautions are good, but not good enough.

"Shielding is good. Basic access control is good. Putting a switch would be great," said Schneier, in Mountain View, Calif. "But if you don't have RFID you don't need any of this. I haven't seen any compelling reasons why we are doing this. If we [the government] did it out in the open then everyone would scream."

----
"The public has pretty overwhelmingly said they don't want RFID in documents, yet [the government] plowed ahead with it anyway," Albrecht said.

ABI Research said the bottom line is that the ongoing security and privacy debates probably will not have an impact on the DHS' decision to issue e-passports in August.

"We feel that the DHS should take steps to mitigate public concerns today," Shah said.

Read All>>

RFID may sound like a good idea for automating the process of identification through our nation's checkpoints, but when it comes to the internal security of our country and the protection of our identity ... this just isn't the same application process as a "Mobil Speedpass" or a freeway tollway access payment verification.

Typical, the federal government remains clueless to the real issues that surround the application of this proximity technology.

As in real estate (location, location, location) the axiom for the implementation of a new technology is "application, application, application!"


UPDATE (August 21, 2006):
New US Passports Contain Secure Identification Chips from Infineon; Advanced Technology Meets International Standard for Secure Travel Documents Image Credit: Infineon Technologies AG

Infineon to supply chip for U.S. e-passports
U.S. set to begin issuing passports equipped with RFID chips containing biometric data
By John Blau, IDG News Service - August 21, 2006

German chip maker Infineon Technologies will supply chips for new electronic passports that the U.S. will begin issuing in the coming weeks.

Of the 15 million e-passports to be issued by the end of the year, several million of them will be equipped with Infineon chips, the manufacturer said Monday.

The first wave of U.S. passports with chips, however, comes despite lingering privacy and security concerns. Earlier this month, a German security expert at the Black Hat security conference in Las Vegas demonstrated how e-passports -- equipped with an RFID (radio frequency identification) chip containing biometric data -- could be copied using a laptop computer, an RFID reader and smart card reader software.

The chip contained in each new U.S. passport issued from October will contain personal data, such as the bearer's name, date of birth, validity period, and a digital photo of the individual.

The e-passport, according to Infineon, is designed with multiple security levels, including the basic access control (BAC). This security feature requires the border control inspector to pass the document over a scanner that reads coded information and then authorizes the electronic reader to access the data stored on the chip. Data transmission occurs over a distance of only around four inches, or 10 centimeters.

More than 50 individual security mechanisms are inside the Infineon chip, including sophisticated computing methods for encrypting data. Protective shields on the surface of the chip and sensors also help prevent unauthorized people from being able to read the contents of the chip.

Infineon, which is located in Munich, is supplying chips for e-passport to several other countries, including Germany, Norway, and Sweden.
Link Here>>

No comments: