Wandering the blogs, part two

Saturday, October 23, 2004

Wandering the blogs, part two

This one came via Fiat Lux.

Security expert Bruce Schneier, writing in his own blog on October 4, describes the desire of the Department for the Security of the Fatherland to get

the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century.

However, he goes on, the Shrub team wants to require use of radio frequency identification (RFID) chips in those passports. This, he says for very good reason, is "a very bad thing."

I've talked about these buggers before and how businesses have proposed using them not only to track inventory but potentially to track individual items and the individual buying histories of customers using their store cards. Now, the government wants to use them to store information about a passport holder, information which can be scanned at a distance by a reader. Not just the ones used by officials at customs. Any reader.

Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily - and surreptitiously - pick Americans or nationals of other participating countries out of a crowd.

It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.

And, it might be added, even if close proximity is required, that still doesn't prevent someone from having a reader in their pocket set to give a signal through, perhaps, an earphone, when it detects a signal that indicates, for example, an American. They then move through the crowds at an airport or a tourist site, brushing close to people as they pass, waiting for someone to trigger their reader.

Considering those clear risks to privacy and safety, why use RFID chips? Why not use chips and scanners that actually have to be in contact? Schneier has his opinion:

The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can't be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.

He may well be right and I certainly wouldn't put it past them. But I have to admit that I suspect the norm of incompetence is at work here: that they were thinking of the convenience of the officials at passport control (and perhaps that of travelers) who would only have to get a passport somewhere close to a reader to scan the information. Doing it that way would require less attention and fractionally less time, which over hundreds of people passing a single scanning point could add up to a significant difference. That is, they didn't do it deliberately to invade privacy or allow secret monitoring but because they just don't think about it, that privacy concerns just don't figure in their plans until and unless they are forced to consider them.

That, however, doesn't make either the risk or the likelihood it would be used that way, regardless of original intention, any less. Using RFID technology in passports is a really, really, really bad idea.

No comments:

Post a Comment

What they are saying

"He writes with sensitivity, passion, intelligence and with an eye to the common good."

"[He is] clearly one of those silly people who believes in 'civilization,' probably along with the Tooth Fairy and justice."

"He lives in a magical fantasy world."

"Powerfully spoken."

"A balanced and sensible view concerning the crazy ideas that often prevail regarding war and freedom."

"You do good work."

"Our political differences are vast and irreconcilable but he earnestly believes what he wants is best for the country; he’s firmly committed to it, makes no apologies for it and won’t settle for less."

"God bless you!"

"SHUT THE FUCK UP."

About Lotus

Lotus has been at various times the newsletter of a local peace group, a column in a different group's newsletter, a stand-alone monthly, and now a blog. Posts appear bi-weekly; posts are drawn from my weekly cable-TV show "The Erickson Report," which can be found here.

Comments either here or by email are encouraged. Comments here must be reasonably relevant and reasonably civil. Spam, trolls, and comments that are merely personal slams on me or another commenter will be deleted without hesitation, warning, or regret.

Note well: Anonymous comments that do not make clear and explicit reference to the post in question will be assumed to be spam.

My email is:

whoviating at aol dot com

Lotus - Surviving a Dark Time

Saturday, October 23, 2004